1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
23 #include <linux/kvm_host.h>
24 #include "kvm_cache_regs.h"
25 #include <linux/module.h>
26 #include <asm/kvm_emulate.h>
34 #define OpNone 0ull
35 #define OpImplicit 1ull /* No generic decode */
36 #define OpReg 2ull /* Register */
37 #define OpMem 3ull /* Memory */
38 #define OpAcc 4ull /* Accumulator: AL/AX/EAX/RAX */
39 #define OpDI 5ull /* ES:DI/EDI/RDI */
40 #define OpMem64 6ull /* Memory, 64-bit */
41 #define OpImmUByte 7ull /* Zero-extended 8-bit immediate */
42 #define OpDX 8ull /* DX register */
43 #define OpCL 9ull /* CL register (for shifts) */
44 #define OpImmByte 10ull /* 8-bit sign extended immediate */
45 #define OpOne 11ull /* Implied 1 */
46 #define OpImm 12ull /* Sign extended immediate */
47 #define OpMem16 13ull /* Memory operand (16-bit). */
48 #define OpMem32 14ull /* Memory operand (32-bit). */
49 #define OpImmU 15ull /* Immediate operand, zero extended */
50 #define OpSI 16ull /* SI/ESI/RSI */
51 #define OpImmFAddr 17ull /* Immediate far address */
52 #define OpMemFAddr 18ull /* Far address in memory */
53 #define OpImmU16 19ull /* Immediate operand, 16 bits, zero extended */
54 #define OpES 20ull /* ES */
55 #define OpCS 21ull /* CS */
56 #define OpSS 22ull /* SS */
57 #define OpDS 23ull /* DS */
58 #define OpFS 24ull /* FS */
59 #define OpGS 25ull /* GS */
60 #define OpMem8 26ull /* 8-bit zero extended memory operand */
62 #define OpBits 5 /* Width of operand field */
63 #define OpMask ((1ull << OpBits) - 1)
66 * Opcode effective-address decode tables.
67 * Note that we only emulate instructions that have at least one memory
68 * operand (excluding implicit stack references). We assume that stack
69 * references and instruction fetches will never occur in special memory
70 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
71 * not be handled.
74 /* Operand sizes: 8-bit operands or specified/overridden size. */
75 #define ByteOp (1<<0) /* 8-bit operands. */
76 /* Destination operand type. */
77 #define DstShift 1
78 #define ImplicitOps (OpImplicit << DstShift)
79 #define DstReg (OpReg << DstShift)
80 #define DstMem (OpMem << DstShift)
81 #define DstAcc (OpAcc << DstShift)
82 #define DstDI (OpDI << DstShift)
83 #define DstMem64 (OpMem64 << DstShift)
84 #define DstImmUByte (OpImmUByte << DstShift)
85 #define DstDX (OpDX << DstShift)
86 #define DstMask (OpMask << DstShift)
87 /* Source operand type. */
88 #define SrcShift 6
89 #define SrcNone (OpNone << SrcShift)
90 #define SrcReg (OpReg << SrcShift)
91 #define SrcMem (OpMem << SrcShift)
92 #define SrcMem16 (OpMem16 << SrcShift)
93 #define SrcMem32 (OpMem32 << SrcShift)
94 #define SrcImm (OpImm << SrcShift)
95 #define SrcImmByte (OpImmByte << SrcShift)
96 #define SrcOne (OpOne << SrcShift)
97 #define SrcImmUByte (OpImmUByte << SrcShift)
98 #define SrcImmU (OpImmU << SrcShift)
99 #define SrcSI (OpSI << SrcShift)
100 #define SrcImmFAddr (OpImmFAddr << SrcShift)
101 #define SrcMemFAddr (OpMemFAddr << SrcShift)
102 #define SrcAcc (OpAcc << SrcShift)
103 #define SrcImmU16 (OpImmU16 << SrcShift)
104 #define SrcDX (OpDX << SrcShift)
105 #define SrcMem8 (OpMem8 << SrcShift)
106 #define SrcMask (OpMask << SrcShift)
107 #define BitOp (1<<11)
108 #define MemAbs (1<<12) /* Memory operand is absolute displacement */
109 #define String (1<<13) /* String instruction (rep capable) */
110 #define Stack (1<<14) /* Stack instruction (push/pop) */
111 #define GroupMask (7<<15) /* Opcode uses one of the group mechanisms */
112 #define Group (1<<15) /* Bits 3:5 of modrm byte extend opcode */
113 #define GroupDual (2<<15) /* Alternate decoding of mod == 3 */
114 #define Prefix (3<<15) /* Instruction varies with 66/f2/f3 prefix */
115 #define RMExt (4<<15) /* Opcode extension in ModRM r/m if mod == 3 */
116 #define Sse (1<<18) /* SSE Vector instruction */
117 /* Generic ModRM decode. */
118 #define ModRM (1<<19)
119 /* Destination is only written; never read. */
120 #define Mov (1<<20)
121 /* Misc flags */
122 #define Prot (1<<21) /* instruction generates #UD if not in prot-mode */
123 #define VendorSpecific (1<<22) /* Vendor specific instruction */
124 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
125 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
126 #define Undefined (1<<25) /* No Such Instruction */
127 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
128 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
129 #define No64 (1<<28)
130 #define PageTable (1 << 29) /* instruction used to write page table */
131 /* Source 2 operand type */
132 #define Src2Shift (30)
133 #define Src2None (OpNone << Src2Shift)
134 #define Src2CL (OpCL << Src2Shift)
135 #define Src2ImmByte (OpImmByte << Src2Shift)
136 #define Src2One (OpOne << Src2Shift)
137 #define Src2Imm (OpImm << Src2Shift)
138 #define Src2ES (OpES << Src2Shift)
139 #define Src2CS (OpCS << Src2Shift)
140 #define Src2SS (OpSS << Src2Shift)
141 #define Src2DS (OpDS << Src2Shift)
142 #define Src2FS (OpFS << Src2Shift)
143 #define Src2GS (OpGS << Src2Shift)
144 #define Src2Mask (OpMask << Src2Shift)
145 #define Mmx ((u64)1 << 40) /* MMX Vector instruction */
146 #define Aligned ((u64)1 << 41) /* Explicitly aligned (e.g. MOVDQA) */
147 #define Unaligned ((u64)1 << 42) /* Explicitly unaligned (e.g. MOVDQU) */
148 #define Avx ((u64)1 << 43) /* Advanced Vector Extensions */
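/*
 * Illustrative sketch (hypothetical helper, not part of the decoder):
 * each operand slot above is a 5-bit Op* code packed into the u64
 * descriptor, e.g. Src2CL == (OpCL << Src2Shift), so an operand type
 * can be recovered by shifting and masking:
 */
static inline u64 demo_src2_type(u64 d)
{
	return (d >> Src2Shift) & OpMask; /* Src2CL yields OpCL (9ull) */
}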
150 #define X2(x...) x, x
151 #define X3(x...) X2(x), x
152 #define X4(x...) X2(x), X2(x)
153 #define X5(x...) X4(x), x
154 #define X6(x...) X4(x), X2(x)
155 #define X7(x...) X4(x), X3(x)
156 #define X8(x...) X4(x), X4(x)
157 #define X16(x...) X8(x), X8(x)
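/*
 * Worked example: X5(op) expands to X4(op), op and hence to
 * "op, op, op, op, op"; the opcode tables use these to spell a run of
 * sixteen identical entries as X16(...) instead of sixteen literals.
 */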
163 int (*execute)(struct x86_emulate_ctxt *ctxt);
164 struct opcode *group;
165 struct group_dual *gdual;
166 struct gprefix *gprefix;
168 int (*check_perm)(struct x86_emulate_ctxt *ctxt);
172 struct opcode mod012[8];
173 struct opcode mod3[8];
177 struct opcode pfx_no;
178 struct opcode pfx_66;
179 struct opcode pfx_f2;
180 struct opcode pfx_f3;
183 /* EFLAGS bit definitions. */
184 #define EFLG_ID (1<<21)
185 #define EFLG_VIP (1<<20)
186 #define EFLG_VIF (1<<19)
187 #define EFLG_AC (1<<18)
188 #define EFLG_VM (1<<17)
189 #define EFLG_RF (1<<16)
190 #define EFLG_IOPL (3<<12)
191 #define EFLG_NT (1<<14)
192 #define EFLG_OF (1<<11)
193 #define EFLG_DF (1<<10)
194 #define EFLG_IF (1<<9)
195 #define EFLG_TF (1<<8)
196 #define EFLG_SF (1<<7)
197 #define EFLG_ZF (1<<6)
198 #define EFLG_AF (1<<4)
199 #define EFLG_PF (1<<2)
200 #define EFLG_CF (1<<0)
202 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
203 #define EFLG_RESERVED_ONE_MASK 2
206 * Instruction emulation:
207 * Most instructions are emulated directly via a fragment of inline assembly
208 * code. This allows us to save/restore EFLAGS and thus very easily pick up
209 * any modified flags.
212 #if defined(CONFIG_X86_64)
213 #define _LO32 "k" /* force 32-bit operand */
214 #define _STK "%%rsp" /* stack pointer */
215 #elif defined(__i386__)
216 #define _LO32 "" /* force 32-bit operand */
217 #define _STK "%%esp" /* stack pointer */
221 * These EFLAGS bits are restored from saved value during emulation, and
222 * any changes are written back to the saved value after emulation.
224 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
226 /* Before executing instruction: restore necessary bits in EFLAGS. */
227 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
228 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
229 "movl %"_sav",%"_LO32 _tmp"; " \
232 "movl %"_msk",%"_LO32 _tmp"; " \
233 "andl %"_LO32 _tmp",("_STK"); " \
235 "notl %"_LO32 _tmp"; " \
236 "andl %"_LO32 _tmp",("_STK"); " \
237 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
239 "orl %"_LO32 _tmp",("_STK"); " \
243 /* After executing instruction: write-back necessary bits in EFLAGS. */
244 #define _POST_EFLAGS(_sav, _msk, _tmp) \
245 /* _sav |= EFLAGS & _msk; */ \
248 "andl %"_msk",%"_LO32 _tmp"; " \
249 "orl %"_LO32 _tmp",%"_sav"; "
257 #define ____emulate_2op(ctxt, _op, _x, _y, _suffix, _dsttype) \
259 __asm__ __volatile__ ( \
260 _PRE_EFLAGS("0", "4", "2") \
261 _op _suffix " %"_x"3,%1; " \
262 _POST_EFLAGS("0", "4", "2") \
263 : "=m" ((ctxt)->eflags), \
264 "+q" (*(_dsttype*)&(ctxt)->dst.val), \
266 : _y ((ctxt)->src.val), "i" (EFLAGS_MASK)); \
270 /* Raw emulation: instruction has two explicit operands. */
271 #define __emulate_2op_nobyte(ctxt,_op,_wx,_wy,_lx,_ly,_qx,_qy) \
273 unsigned long _tmp; \
275 switch ((ctxt)->dst.bytes) { \
277 ____emulate_2op(ctxt,_op,_wx,_wy,"w",u16); \
280 ____emulate_2op(ctxt,_op,_lx,_ly,"l",u32); \
283 ON64(____emulate_2op(ctxt,_op,_qx,_qy,"q",u64)); \
288 #define __emulate_2op(ctxt,_op,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
290 unsigned long _tmp; \
291 switch ((ctxt)->dst.bytes) { \
293 ____emulate_2op(ctxt,_op,_bx,_by,"b",u8); \
296 __emulate_2op_nobyte(ctxt, _op, \
297 _wx, _wy, _lx, _ly, _qx, _qy); \
302 /* Source operand is byte-sized and may be restricted to just %cl. */
303 #define emulate_2op_SrcB(ctxt, _op) \
304 __emulate_2op(ctxt, _op, "b", "c", "b", "c", "b", "c", "b", "c")
306 /* Source operand is byte, word, long or quad sized. */
307 #define emulate_2op_SrcV(ctxt, _op) \
308 __emulate_2op(ctxt, _op, "b", "q", "w", "r", _LO32, "r", "", "r")
310 /* Source operand is word, long or quad sized. */
311 #define emulate_2op_SrcV_nobyte(ctxt, _op) \
312 __emulate_2op_nobyte(ctxt, _op, "w", "r", _LO32, "r", "", "r")
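/*
 * Usage example: emulate_2op_SrcV(ctxt, "add") picks the width from
 * ctxt->dst.bytes (1/2/4/8) and runs a single register "add" of
 * ctxt->src.val into ctxt->dst.val, with the arithmetic flag bits in
 * EFLAGS_MASK merged back into ctxt->eflags by the wrappers above.
 */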
314 /* Instruction has three operands and one operand is stored in the ECX register */
315 #define __emulate_2op_cl(ctxt, _op, _suffix, _type) \
317 unsigned long _tmp; \
318 _type _clv = (ctxt)->src2.val; \
319 _type _srcv = (ctxt)->src.val; \
320 _type _dstv = (ctxt)->dst.val; \
322 __asm__ __volatile__ ( \
323 _PRE_EFLAGS("0", "5", "2") \
324 _op _suffix " %4,%1 \n" \
325 _POST_EFLAGS("0", "5", "2") \
326 : "=m" ((ctxt)->eflags), "+r" (_dstv), "=&r" (_tmp) \
327 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
330 (ctxt)->src2.val = (unsigned long) _clv; \
331 (ctxt)->src.val = (unsigned long) _srcv; \
332 (ctxt)->dst.val = (unsigned long) _dstv; \
335 #define emulate_2op_cl(ctxt, _op) \
337 switch ((ctxt)->dst.bytes) { \
339 __emulate_2op_cl(ctxt, _op, "w", u16); \
342 __emulate_2op_cl(ctxt, _op, "l", u32); \
345 ON64(__emulate_2op_cl(ctxt, _op, "q", ulong)); \
350 #define __emulate_1op(ctxt, _op, _suffix) \
352 unsigned long _tmp; \
354 __asm__ __volatile__ ( \
355 _PRE_EFLAGS("0", "3", "2") \
356 _op _suffix " %1; " \
357 _POST_EFLAGS("0", "3", "2") \
358 : "=m" ((ctxt)->eflags), "+m" ((ctxt)->dst.val), \
360 : "i" (EFLAGS_MASK)); \
363 /* Instruction has only one explicit operand (no source operand). */
364 #define emulate_1op(ctxt, _op) \
366 switch ((ctxt)->dst.bytes) { \
367 case 1: __emulate_1op(ctxt, _op, "b"); break; \
368 case 2: __emulate_1op(ctxt, _op, "w"); break; \
369 case 4: __emulate_1op(ctxt, _op, "l"); break; \
370 case 8: ON64(__emulate_1op(ctxt, _op, "q")); break; \
374 #define __emulate_1op_rax_rdx(ctxt, _op, _suffix, _ex) \
376 unsigned long _tmp; \
377 ulong *rax = &(ctxt)->regs[VCPU_REGS_RAX]; \
378 ulong *rdx = &(ctxt)->regs[VCPU_REGS_RDX]; \
380 __asm__ __volatile__ ( \
381 _PRE_EFLAGS("0", "5", "1") \
383 _op _suffix " %6; " \
385 _POST_EFLAGS("0", "5", "1") \
386 ".pushsection .fixup,\"ax\" \n\t" \
387 "3: movb $1, %4 \n\t" \
390 _ASM_EXTABLE(1b, 3b) \
391 : "=m" ((ctxt)->eflags), "=&r" (_tmp), \
392 "+a" (*rax), "+d" (*rdx), "+qm"(_ex) \
393 : "i" (EFLAGS_MASK), "m" ((ctxt)->src.val), \
394 "a" (*rax), "d" (*rdx)); \
397 /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
398 #define emulate_1op_rax_rdx(ctxt, _op, _ex) \
400 switch((ctxt)->src.bytes) { \
402 __emulate_1op_rax_rdx(ctxt, _op, "b", _ex); \
405 __emulate_1op_rax_rdx(ctxt, _op, "w", _ex); \
408 __emulate_1op_rax_rdx(ctxt, _op, "l", _ex); \
411 __emulate_1op_rax_rdx(ctxt, _op, "q", _ex)); \
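/*
 * Worked example of the fault path above: "div" with a zero divisor
 * raises #DE inside the asm block; the _ASM_EXTABLE(1b, 3b) entry
 * redirects the fault to the "3:" fixup stub, which sets the _ex flag
 * instead of oopsing the host. em_div_ex() below then turns a set
 * flag back into a #DE injected into the guest via emulate_de().
 */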
416 static int emulator_check_intercept(struct x86_emulate_ctxt *ctxt,
417 enum x86_intercept intercept,
418 enum x86_intercept_stage stage)
420 struct x86_instruction_info info = {
421 .intercept = intercept,
422 .rep_prefix = ctxt->rep_prefix,
423 .modrm_mod = ctxt->modrm_mod,
424 .modrm_reg = ctxt->modrm_reg,
425 .modrm_rm = ctxt->modrm_rm,
426 .src_val = ctxt->src.val64,
427 .src_bytes = ctxt->src.bytes,
428 .dst_bytes = ctxt->dst.bytes,
429 .ad_bytes = ctxt->ad_bytes,
430 .next_rip = ctxt->eip,
433 return ctxt->ops->intercept(ctxt, &info, stage);
436 static inline unsigned long ad_mask(struct x86_emulate_ctxt *ctxt)
438 return (1UL << (ctxt->ad_bytes << 3)) - 1;
441 /* Access/update address held in a register, based on addressing mode. */
442 static inline unsigned long
443 address_mask(struct x86_emulate_ctxt *ctxt, unsigned long reg)
445 if (ctxt->ad_bytes == sizeof(unsigned long))
448 return reg & ad_mask(ctxt);
451 static inline unsigned long
452 register_address(struct x86_emulate_ctxt *ctxt, unsigned long reg)
454 return address_mask(ctxt, reg);
458 register_address_increment(struct x86_emulate_ctxt *ctxt, unsigned long *reg, int inc)
460 if (ctxt->ad_bytes == sizeof(unsigned long))
463 *reg = (*reg & ~ad_mask(ctxt)) | ((*reg + inc) & ad_mask(ctxt));
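/*
 * Worked example: with ctxt->ad_bytes == 2, ad_mask() is 0xffff, so
 * register_address_increment() on *reg == 0x1234ffff with inc == 1
 * yields 0x12340000: the low 16 bits wrap while the bits outside the
 * current address size are preserved.
 */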
466 static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
468 register_address_increment(ctxt, &ctxt->_eip, rel);
471 static u32 desc_limit_scaled(struct desc_struct *desc)
473 u32 limit = get_desc_limit(desc);
475 return desc->g ? (limit << 12) | 0xfff : limit;
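/*
 * Worked example: a descriptor with g == 1 and limit == 0xfffff scales
 * to (0xfffff << 12) | 0xfff == 0xffffffff, i.e. a flat 4GB segment.
 */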
478 static void set_seg_override(struct x86_emulate_ctxt *ctxt, int seg)
480 ctxt->has_seg_override = true;
481 ctxt->seg_override = seg;
484 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
486 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
489 return ctxt->ops->get_cached_segment_base(ctxt, seg);
492 static unsigned seg_override(struct x86_emulate_ctxt *ctxt)
494 if (!ctxt->has_seg_override)
497 return ctxt->seg_override;
500 static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
501 u32 error, bool valid)
503 ctxt->exception.vector = vec;
504 ctxt->exception.error_code = error;
505 ctxt->exception.error_code_valid = valid;
506 return X86EMUL_PROPAGATE_FAULT;
509 static int emulate_db(struct x86_emulate_ctxt *ctxt)
511 return emulate_exception(ctxt, DB_VECTOR, 0, false);
514 static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
516 return emulate_exception(ctxt, GP_VECTOR, err, true);
519 static int emulate_ss(struct x86_emulate_ctxt *ctxt, int err)
521 return emulate_exception(ctxt, SS_VECTOR, err, true);
524 static int emulate_ud(struct x86_emulate_ctxt *ctxt)
526 return emulate_exception(ctxt, UD_VECTOR, 0, false);
529 static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
531 return emulate_exception(ctxt, TS_VECTOR, err, true);
534 static int emulate_de(struct x86_emulate_ctxt *ctxt)
536 return emulate_exception(ctxt, DE_VECTOR, 0, false);
539 static int emulate_nm(struct x86_emulate_ctxt *ctxt)
541 return emulate_exception(ctxt, NM_VECTOR, 0, false);
544 static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
547 struct desc_struct desc;
549 ctxt->ops->get_segment(ctxt, &selector, &desc, NULL, seg);
553 static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
558 struct desc_struct desc;
560 ctxt->ops->get_segment(ctxt, &dummy, &desc, &base3, seg);
561 ctxt->ops->set_segment(ctxt, selector, &desc, base3, seg);
565 * x86 defines three classes of vector instructions: explicitly
566 * aligned, explicitly unaligned, and the rest, which change behaviour
567 * depending on whether they're AVX encoded or not.
569 * Also included is CMPXCHG16B which is not a vector instruction, yet it is
570 * subject to the same check.
572 static bool insn_aligned(struct x86_emulate_ctxt *ctxt, unsigned size)
574 if (likely(size < 16))
575 return false;
577 if (ctxt->d & Aligned)
578 return true;
579 else if (ctxt->d & Unaligned)
580 return false;
581 else if (ctxt->d & Avx)
582 return false;
583 else
584 return true;
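/*
 * Worked example: a 16-byte movdqa operand (Aligned) at la == 0x1008
 * makes insn_aligned() return true, so __linearize() below raises
 * #GP(0) since la & (size - 1) != 0; movdqu (Unaligned) at the same
 * address is accepted.
 */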
587 static int __linearize(struct x86_emulate_ctxt *ctxt,
588 struct segmented_address addr,
589 unsigned size, bool write, bool fetch,
592 struct desc_struct desc;
599 la = seg_base(ctxt, addr.seg) + addr.ea;
600 switch (ctxt->mode) {
601 case X86EMUL_MODE_REAL:
603 case X86EMUL_MODE_PROT64:
604 if (((signed long)la << 16) >> 16 != la)
605 return emulate_gp(ctxt, 0);
608 usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
612 /* code segment or read-only data segment */
613 if (((desc.type & 8) || !(desc.type & 2)) && write)
615 /* unreadable code segment */
616 if (!fetch && (desc.type & 8) && !(desc.type & 2))
618 lim = desc_limit_scaled(&desc);
619 if ((desc.type & 8) || !(desc.type & 4)) {
620 /* expand-up segment */
621 if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
624 /* expand-down segment */
625 if (addr.ea <= lim || (u32)(addr.ea + size - 1) <= lim)
627 lim = desc.d ? 0xffffffff : 0xffff;
628 if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
631 cpl = ctxt->ops->cpl(ctxt);
634 if (!(desc.type & 8)) {
638 } else if ((desc.type & 8) && !(desc.type & 4)) {
639 /* nonconforming code segment */
642 } else if ((desc.type & 8) && (desc.type & 4)) {
643 /* conforming code segment */
649 if (fetch ? ctxt->mode != X86EMUL_MODE_PROT64 : ctxt->ad_bytes != 8)
651 if (insn_aligned(ctxt, size) && ((la & (size - 1)) != 0))
652 return emulate_gp(ctxt, 0);
654 return X86EMUL_CONTINUE;
656 if (addr.seg == VCPU_SREG_SS)
657 return emulate_ss(ctxt, addr.seg);
659 return emulate_gp(ctxt, addr.seg);
662 static int linearize(struct x86_emulate_ctxt *ctxt,
663 struct segmented_address addr,
664 unsigned size, bool write,
667 return __linearize(ctxt, addr, size, write, false, linear);
671 static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
672 struct segmented_address addr,
679 rc = linearize(ctxt, addr, size, false, &linear);
680 if (rc != X86EMUL_CONTINUE)
682 return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
686 * Fetch the next byte of the instruction being emulated which is pointed to
687 * by ctxt->_eip, then increment ctxt->_eip.
689 * Also prefetch the remaining bytes of the instruction without crossing a
690 * page boundary, if they are not in the fetch_cache yet.
692 static int do_insn_fetch_byte(struct x86_emulate_ctxt *ctxt, u8 *dest)
694 struct fetch_cache *fc = &ctxt->fetch;
698 if (ctxt->_eip == fc->end) {
699 unsigned long linear;
700 struct segmented_address addr = { .seg = VCPU_SREG_CS,
702 cur_size = fc->end - fc->start;
703 size = min(15UL - cur_size,
704 PAGE_SIZE - offset_in_page(ctxt->_eip));
705 rc = __linearize(ctxt, addr, size, false, true, &linear);
706 if (unlikely(rc != X86EMUL_CONTINUE))
708 rc = ctxt->ops->fetch(ctxt, linear, fc->data + cur_size,
709 size, &ctxt->exception);
710 if (unlikely(rc != X86EMUL_CONTINUE))
714 *dest = fc->data[ctxt->_eip - fc->start];
716 return X86EMUL_CONTINUE;
719 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
720 void *dest, unsigned size)
724 /* x86 instructions are limited to 15 bytes. */
725 if (unlikely(ctxt->_eip + size - ctxt->eip > 15))
726 return X86EMUL_UNHANDLEABLE;
727 while (size--) {
728 rc = do_insn_fetch_byte(ctxt, dest++);
729 if (rc != X86EMUL_CONTINUE)
732 return X86EMUL_CONTINUE;
735 /* Fetch next part of the instruction being emulated. */
736 #define insn_fetch(_type, _ctxt) \
737 ({ unsigned long _x; \
738 rc = do_insn_fetch(_ctxt, &_x, sizeof(_type)); \
739 if (rc != X86EMUL_CONTINUE) \
744 #define insn_fetch_arr(_arr, _size, _ctxt) \
745 ({ rc = do_insn_fetch(_ctxt, _arr, (_size)); \
746 if (rc != X86EMUL_CONTINUE) \
751 * Given the 'reg' portion of a ModRM byte, and a register block, return a
752 * pointer into the block that addresses the relevant register.
753 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
755 static void *decode_register(u8 modrm_reg, unsigned long *regs,
760 p = &regs[modrm_reg];
761 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
762 p = (unsigned char *)&regs[modrm_reg & 3] + 1;
766 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
767 struct segmented_address addr,
768 u16 *size, unsigned long *address, int op_bytes)
775 rc = segmented_read_std(ctxt, addr, size, 2);
776 if (rc != X86EMUL_CONTINUE)
779 rc = segmented_read_std(ctxt, addr, address, op_bytes);
783 static int test_cc(unsigned int condition, unsigned int flags)
787 switch ((condition & 15) >> 1) {
789 rc |= (flags & EFLG_OF);
791 case 1: /* b/c/nae */
792 rc |= (flags & EFLG_CF);
795 rc |= (flags & EFLG_ZF);
798 rc |= (flags & (EFLG_CF|EFLG_ZF));
801 rc |= (flags & EFLG_SF);
804 rc |= (flags & EFLG_PF);
807 rc |= (flags & EFLG_ZF);
810 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
814 /* Odd condition identifiers (lsb == 1) have inverted sense. */
815 return (!!rc ^ (condition & 1));
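/*
 * Worked example: jne/jnz uses condition nibble 5; (5 & 15) >> 1 == 2
 * selects the EFLG_ZF test, and the odd low bit inverts the sense, so
 * test_cc(5, flags) is true exactly when ZF is clear.
 */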
818 static void fetch_register_operand(struct operand *op)
822 op->val = *(u8 *)op->addr.reg;
825 op->val = *(u16 *)op->addr.reg;
828 op->val = *(u32 *)op->addr.reg;
831 op->val = *(u64 *)op->addr.reg;
836 static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
838 ctxt->ops->get_fpu(ctxt);
840 case 0: asm("movdqu %%xmm0, %0" : "=m"(*data)); break;
841 case 1: asm("movdqu %%xmm1, %0" : "=m"(*data)); break;
842 case 2: asm("movdqu %%xmm2, %0" : "=m"(*data)); break;
843 case 3: asm("movdqu %%xmm3, %0" : "=m"(*data)); break;
844 case 4: asm("movdqu %%xmm4, %0" : "=m"(*data)); break;
845 case 5: asm("movdqu %%xmm5, %0" : "=m"(*data)); break;
846 case 6: asm("movdqu %%xmm6, %0" : "=m"(*data)); break;
847 case 7: asm("movdqu %%xmm7, %0" : "=m"(*data)); break;
849 case 8: asm("movdqu %%xmm8, %0" : "=m"(*data)); break;
850 case 9: asm("movdqu %%xmm9, %0" : "=m"(*data)); break;
851 case 10: asm("movdqu %%xmm10, %0" : "=m"(*data)); break;
852 case 11: asm("movdqu %%xmm11, %0" : "=m"(*data)); break;
853 case 12: asm("movdqu %%xmm12, %0" : "=m"(*data)); break;
854 case 13: asm("movdqu %%xmm13, %0" : "=m"(*data)); break;
855 case 14: asm("movdqu %%xmm14, %0" : "=m"(*data)); break;
856 case 15: asm("movdqu %%xmm15, %0" : "=m"(*data)); break;
860 ctxt->ops->put_fpu(ctxt);
863 static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
866 ctxt->ops->get_fpu(ctxt);
868 case 0: asm("movdqu %0, %%xmm0" : : "m"(*data)); break;
869 case 1: asm("movdqu %0, %%xmm1" : : "m"(*data)); break;
870 case 2: asm("movdqu %0, %%xmm2" : : "m"(*data)); break;
871 case 3: asm("movdqu %0, %%xmm3" : : "m"(*data)); break;
872 case 4: asm("movdqu %0, %%xmm4" : : "m"(*data)); break;
873 case 5: asm("movdqu %0, %%xmm5" : : "m"(*data)); break;
874 case 6: asm("movdqu %0, %%xmm6" : : "m"(*data)); break;
875 case 7: asm("movdqu %0, %%xmm7" : : "m"(*data)); break;
877 case 8: asm("movdqu %0, %%xmm8" : : "m"(*data)); break;
878 case 9: asm("movdqu %0, %%xmm9" : : "m"(*data)); break;
879 case 10: asm("movdqu %0, %%xmm10" : : "m"(*data)); break;
880 case 11: asm("movdqu %0, %%xmm11" : : "m"(*data)); break;
881 case 12: asm("movdqu %0, %%xmm12" : : "m"(*data)); break;
882 case 13: asm("movdqu %0, %%xmm13" : : "m"(*data)); break;
883 case 14: asm("movdqu %0, %%xmm14" : : "m"(*data)); break;
884 case 15: asm("movdqu %0, %%xmm15" : : "m"(*data)); break;
888 ctxt->ops->put_fpu(ctxt);
891 static void read_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
893 ctxt->ops->get_fpu(ctxt);
895 case 0: asm("movq %%mm0, %0" : "=m"(*data)); break;
896 case 1: asm("movq %%mm1, %0" : "=m"(*data)); break;
897 case 2: asm("movq %%mm2, %0" : "=m"(*data)); break;
898 case 3: asm("movq %%mm3, %0" : "=m"(*data)); break;
899 case 4: asm("movq %%mm4, %0" : "=m"(*data)); break;
900 case 5: asm("movq %%mm5, %0" : "=m"(*data)); break;
901 case 6: asm("movq %%mm6, %0" : "=m"(*data)); break;
902 case 7: asm("movq %%mm7, %0" : "=m"(*data)); break;
905 ctxt->ops->put_fpu(ctxt);
908 static void write_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
910 ctxt->ops->get_fpu(ctxt);
912 case 0: asm("movq %0, %%mm0" : : "m"(*data)); break;
913 case 1: asm("movq %0, %%mm1" : : "m"(*data)); break;
914 case 2: asm("movq %0, %%mm2" : : "m"(*data)); break;
915 case 3: asm("movq %0, %%mm3" : : "m"(*data)); break;
916 case 4: asm("movq %0, %%mm4" : : "m"(*data)); break;
917 case 5: asm("movq %0, %%mm5" : : "m"(*data)); break;
918 case 6: asm("movq %0, %%mm6" : : "m"(*data)); break;
919 case 7: asm("movq %0, %%mm7" : : "m"(*data)); break;
922 ctxt->ops->put_fpu(ctxt);
925 static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
928 unsigned reg = ctxt->modrm_reg;
929 int highbyte_regs = ctxt->rex_prefix == 0;
931 if (!(ctxt->d & ModRM))
932 reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3);
938 read_sse_reg(ctxt, &op->vec_val, reg);
950 if (ctxt->d & ByteOp) {
951 op->addr.reg = decode_register(reg, ctxt->regs, highbyte_regs);
954 op->addr.reg = decode_register(reg, ctxt->regs, 0);
955 op->bytes = ctxt->op_bytes;
957 fetch_register_operand(op);
958 op->orig_val = op->val;
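/*
 * Worked example: a byte op with no REX prefix and reg == 7 decodes
 * as BH; decode_register() returns (u8 *)&regs[VCPU_REGS_RBX] + 1,
 * the second-lowest byte of RBX on little-endian. With any REX prefix
 * present, highbyte_regs is 0 and regs 4..7 mean SPL/BPL/SIL/DIL.
 */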
961 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
965 int index_reg = 0, base_reg = 0, scale;
966 int rc = X86EMUL_CONTINUE;
969 if (ctxt->rex_prefix) {
970 ctxt->modrm_reg = (ctxt->rex_prefix & 4) << 1; /* REX.R */
971 index_reg = (ctxt->rex_prefix & 2) << 2; /* REX.X */
972 ctxt->modrm_rm = base_reg = (ctxt->rex_prefix & 1) << 3; /* REX.B */
975 ctxt->modrm_mod |= (ctxt->modrm & 0xc0) >> 6;
976 ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
977 ctxt->modrm_rm |= (ctxt->modrm & 0x07);
978 ctxt->modrm_seg = VCPU_SREG_DS;
980 if (ctxt->modrm_mod == 3) {
982 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
983 op->addr.reg = decode_register(ctxt->modrm_rm,
984 ctxt->regs, ctxt->d & ByteOp);
988 op->addr.xmm = ctxt->modrm_rm;
989 read_sse_reg(ctxt, &op->vec_val, ctxt->modrm_rm);
995 op->addr.xmm = ctxt->modrm_rm & 7;
998 fetch_register_operand(op);
1004 if (ctxt->ad_bytes == 2) {
1005 unsigned bx = ctxt->regs[VCPU_REGS_RBX];
1006 unsigned bp = ctxt->regs[VCPU_REGS_RBP];
1007 unsigned si = ctxt->regs[VCPU_REGS_RSI];
1008 unsigned di = ctxt->regs[VCPU_REGS_RDI];
1010 /* 16-bit ModR/M decode. */
1011 switch (ctxt->modrm_mod) {
1013 if (ctxt->modrm_rm == 6)
1014 modrm_ea += insn_fetch(u16, ctxt);
1017 modrm_ea += insn_fetch(s8, ctxt);
1020 modrm_ea += insn_fetch(u16, ctxt);
1023 switch (ctxt->modrm_rm) {
1025 modrm_ea += bx + si;
1028 modrm_ea += bx + di;
1031 modrm_ea += bp + si;
1034 modrm_ea += bp + di;
1043 if (ctxt->modrm_mod != 0)
1050 if (ctxt->modrm_rm == 2 || ctxt->modrm_rm == 3 ||
1051 (ctxt->modrm_rm == 6 && ctxt->modrm_mod != 0))
1052 ctxt->modrm_seg = VCPU_SREG_SS;
1053 modrm_ea = (u16)modrm_ea;
1055 /* 32/64-bit ModR/M decode. */
1056 if ((ctxt->modrm_rm & 7) == 4) {
1057 sib = insn_fetch(u8, ctxt);
1058 index_reg |= (sib >> 3) & 7;
1059 base_reg |= sib & 7;
1062 if ((base_reg & 7) == 5 && ctxt->modrm_mod == 0)
1063 modrm_ea += insn_fetch(s32, ctxt);
1065 modrm_ea += ctxt->regs[base_reg];
1067 modrm_ea += ctxt->regs[index_reg] << scale;
1068 } else if ((ctxt->modrm_rm & 7) == 5 && ctxt->modrm_mod == 0) {
1069 if (ctxt->mode == X86EMUL_MODE_PROT64)
1070 ctxt->rip_relative = 1;
1072 modrm_ea += ctxt->regs[ctxt->modrm_rm];
1073 switch (ctxt->modrm_mod) {
1075 if (ctxt->modrm_rm == 5)
1076 modrm_ea += insn_fetch(s32, ctxt);
1079 modrm_ea += insn_fetch(s8, ctxt);
1082 modrm_ea += insn_fetch(s32, ctxt);
1086 op->addr.mem.ea = modrm_ea;
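/*
 * Worked examples: in the 16-bit form, modrm 0x46 with disp8 0x10
 * decodes as mod=1, rm=6, giving modrm_ea = (u16)(bp + 0x10) with SS
 * as the default segment. In the 32/64-bit form, modrm 0x04 pulls in
 * a SIB byte; sib 0x88 means scale=2, index=1 (rCX), base=0 (rAX),
 * so modrm_ea = regs[RAX] + (regs[RCX] << 2), i.e. [rax + rcx*4].
 */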
1091 static int decode_abs(struct x86_emulate_ctxt *ctxt,
1094 int rc = X86EMUL_CONTINUE;
1097 switch (ctxt->ad_bytes) {
1099 op->addr.mem.ea = insn_fetch(u16, ctxt);
1102 op->addr.mem.ea = insn_fetch(u32, ctxt);
1105 op->addr.mem.ea = insn_fetch(u64, ctxt);
1112 static void fetch_bit_operand(struct x86_emulate_ctxt *ctxt)
1116 if (ctxt->dst.type == OP_MEM && ctxt->src.type == OP_REG) {
1117 mask = ~(ctxt->dst.bytes * 8 - 1);
1119 if (ctxt->src.bytes == 2)
1120 sv = (s16)ctxt->src.val & (s16)mask;
1121 else if (ctxt->src.bytes == 4)
1122 sv = (s32)ctxt->src.val & (s32)mask;
1124 ctxt->dst.addr.mem.ea += (sv >> 3);
1127 /* only subword offset */
1128 ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
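/*
 * Worked example: "bt %ax, m16" with a bit offset of 100 has
 * dst.bytes == 2, so mask == ~15; sv = 100 & ~15 = 96, the effective
 * address advances by 96 >> 3 == 12 bytes, and the remaining in-word
 * bit index is 100 & 15 == 4.
 */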
1131 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1132 unsigned long addr, void *dest, unsigned size)
1135 struct read_cache *mc = &ctxt->mem_read;
1138 int n = min(size, 8u);
1140 if (mc->pos < mc->end)
1143 rc = ctxt->ops->read_emulated(ctxt, addr, mc->data + mc->end, n,
1145 if (rc != X86EMUL_CONTINUE)
1150 memcpy(dest, mc->data + mc->pos, n);
1155 return X86EMUL_CONTINUE;
1158 static int segmented_read(struct x86_emulate_ctxt *ctxt,
1159 struct segmented_address addr,
1166 rc = linearize(ctxt, addr, size, false, &linear);
1167 if (rc != X86EMUL_CONTINUE)
1169 return read_emulated(ctxt, linear, data, size);
1172 static int segmented_write(struct x86_emulate_ctxt *ctxt,
1173 struct segmented_address addr,
1180 rc = linearize(ctxt, addr, size, true, &linear);
1181 if (rc != X86EMUL_CONTINUE)
1183 return ctxt->ops->write_emulated(ctxt, linear, data, size,
1187 static int segmented_cmpxchg(struct x86_emulate_ctxt *ctxt,
1188 struct segmented_address addr,
1189 const void *orig_data, const void *data,
1195 rc = linearize(ctxt, addr, size, true, &linear);
1196 if (rc != X86EMUL_CONTINUE)
1198 return ctxt->ops->cmpxchg_emulated(ctxt, linear, orig_data, data,
1199 size, &ctxt->exception);
1202 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1203 unsigned int size, unsigned short port,
1206 struct read_cache *rc = &ctxt->io_read;
1208 if (rc->pos == rc->end) { /* refill pio read ahead */
1209 unsigned int in_page, n;
1210 unsigned int count = ctxt->rep_prefix ?
1211 address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) : 1;
1212 in_page = (ctxt->eflags & EFLG_DF) ?
1213 offset_in_page(ctxt->regs[VCPU_REGS_RDI]) :
1214 PAGE_SIZE - offset_in_page(ctxt->regs[VCPU_REGS_RDI]);
1215 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
1216 count);
1217 if (n == 0)
1218 n = 1;
1219 rc->pos = rc->end = 0;
1220 if (!ctxt->ops->pio_in_emulated(ctxt, size, port, rc->data, n))
1225 memcpy(dest, rc->data + rc->pos, size);
1230 static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt,
1231 u16 index, struct desc_struct *desc)
1236 ctxt->ops->get_idt(ctxt, &dt);
1238 if (dt.size < index * 8 + 7)
1239 return emulate_gp(ctxt, index << 3 | 0x2);
1241 addr = dt.address + index * 8;
1242 return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
1246 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1247 u16 selector, struct desc_ptr *dt)
1249 struct x86_emulate_ops *ops = ctxt->ops;
1251 if (selector & 1 << 2) {
1252 struct desc_struct desc;
1255 memset (dt, 0, sizeof *dt);
1256 if (!ops->get_segment(ctxt, &sel, &desc, NULL, VCPU_SREG_LDTR))
1259 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1260 dt->address = get_desc_base(&desc);
1262 ops->get_gdt(ctxt, dt);
1265 /* allowed just for 8-byte segments */
1266 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1267 u16 selector, struct desc_struct *desc)
1270 u16 index = selector >> 3;
1273 get_descriptor_table_ptr(ctxt, selector, &dt);
1275 if (dt.size < index * 8 + 7)
1276 return emulate_gp(ctxt, selector & 0xfffc);
1278 addr = dt.address + index * 8;
1279 return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
1283 /* allowed just for 8-byte segments */
1284 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1285 u16 selector, struct desc_struct *desc)
1288 u16 index = selector >> 3;
1291 get_descriptor_table_ptr(ctxt, selector, &dt);
1293 if (dt.size < index * 8 + 7)
1294 return emulate_gp(ctxt, selector & 0xfffc);
1296 addr = dt.address + index * 8;
1297 return ctxt->ops->write_std(ctxt, addr, desc, sizeof *desc,
1301 /* Does not support long mode */
1302 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1303 u16 selector, int seg)
1305 struct desc_struct seg_desc;
1307 unsigned err_vec = GP_VECTOR;
1309 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1312 memset(&seg_desc, 0, sizeof seg_desc);
1314 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1315 || ctxt->mode == X86EMUL_MODE_REAL) {
1316 /* set real mode segment descriptor */
1317 set_desc_base(&seg_desc, selector << 4);
1318 set_desc_limit(&seg_desc, 0xffff);
1322 if (ctxt->mode == X86EMUL_MODE_VM86)
1327 /* NULL selector is not valid for TR, CS and SS */
1328 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
1332 /* TR should be in GDT only */
1333 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1336 if (null_selector) /* for NULL selector skip all following checks */
1339 ret = read_segment_descriptor(ctxt, selector, &seg_desc);
1340 if (ret != X86EMUL_CONTINUE)
1343 err_code = selector & 0xfffc;
1344 err_vec = GP_VECTOR;
1346 /* can't load system descriptor into segment selector */
1347 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1351 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1357 cpl = ctxt->ops->cpl(ctxt);
1362 * segment is not a writable data segment, or the segment
1363 * selector's RPL != CPL, or the descriptor's DPL != CPL
1365 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1369 if (!(seg_desc.type & 8))
1372 if (seg_desc.type & 4) {
1378 if (rpl > cpl || dpl != cpl)
1381 /* CS(RPL) <- CPL */
1382 selector = (selector & 0xfffc) | cpl;
1385 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1388 case VCPU_SREG_LDTR:
1389 if (seg_desc.s || seg_desc.type != 2)
1392 default: /* DS, ES, FS, or GS */
1394 * segment is not a data or readable code segment or
1395 * ((segment is a data or nonconforming code segment)
1396 * and (both RPL and CPL > DPL))
1398 if ((seg_desc.type & 0xa) == 0x8 ||
1399 (((seg_desc.type & 0xc) != 0xc) &&
1400 (rpl > dpl && cpl > dpl)))
1406 /* mark segment as accessed */
1407 seg_desc.type |= 1;
1408 ret = write_segment_descriptor(ctxt, selector, &seg_desc);
1409 if (ret != X86EMUL_CONTINUE)
1413 ctxt->ops->set_segment(ctxt, selector, &seg_desc, 0, seg);
1414 return X86EMUL_CONTINUE;
1416 emulate_exception(ctxt, err_vec, err_code, true);
1417 return X86EMUL_PROPAGATE_FAULT;
1420 static void write_register_operand(struct operand *op)
1422 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1423 switch (op->bytes) {
1425 *(u8 *)op->addr.reg = (u8)op->val;
1428 *(u16 *)op->addr.reg = (u16)op->val;
1431 *op->addr.reg = (u32)op->val;
1432 break; /* 64b: zero-extend */
1434 *op->addr.reg = op->val;
1439 static int writeback(struct x86_emulate_ctxt *ctxt)
1443 switch (ctxt->dst.type) {
1445 write_register_operand(&ctxt->dst);
1448 if (ctxt->lock_prefix)
1449 rc = segmented_cmpxchg(ctxt,
1451 &ctxt->dst.orig_val,
1455 rc = segmented_write(ctxt,
1459 if (rc != X86EMUL_CONTINUE)
1463 write_sse_reg(ctxt, &ctxt->dst.vec_val, ctxt->dst.addr.xmm);
1466 write_mmx_reg(ctxt, &ctxt->dst.mm_val, ctxt->dst.addr.mm);
1474 return X86EMUL_CONTINUE;
1477 static int em_push(struct x86_emulate_ctxt *ctxt)
1479 struct segmented_address addr;
1481 register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RSP], -ctxt->op_bytes);
1482 addr.ea = register_address(ctxt, ctxt->regs[VCPU_REGS_RSP]);
1483 addr.seg = VCPU_SREG_SS;
1485 /* Disable writeback. */
1486 ctxt->dst.type = OP_NONE;
1487 return segmented_write(ctxt, addr, &ctxt->src.val, ctxt->op_bytes);
1490 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1491 void *dest, int len)
1494 struct segmented_address addr;
1496 addr.ea = register_address(ctxt, ctxt->regs[VCPU_REGS_RSP]);
1497 addr.seg = VCPU_SREG_SS;
1498 rc = segmented_read(ctxt, addr, dest, len);
1499 if (rc != X86EMUL_CONTINUE)
1502 register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RSP], len);
1506 static int em_pop(struct x86_emulate_ctxt *ctxt)
1508 return emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1511 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1512 void *dest, int len)
1515 unsigned long val, change_mask;
1516 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1517 int cpl = ctxt->ops->cpl(ctxt);
1519 rc = emulate_pop(ctxt, &val, len);
1520 if (rc != X86EMUL_CONTINUE)
1523 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1524 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1526 switch(ctxt->mode) {
1527 case X86EMUL_MODE_PROT64:
1528 case X86EMUL_MODE_PROT32:
1529 case X86EMUL_MODE_PROT16:
1530 if (cpl == 0)
1531 change_mask |= EFLG_IOPL;
1532 if (cpl <= iopl)
1533 change_mask |= EFLG_IF;
1535 case X86EMUL_MODE_VM86:
1536 if (iopl < 3)
1537 return emulate_gp(ctxt, 0);
1538 change_mask |= EFLG_IF;
1540 default: /* real mode */
1541 change_mask |= (EFLG_IOPL | EFLG_IF);
1545 *(unsigned long *)dest =
1546 (ctxt->eflags & ~change_mask) | (val & change_mask);
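/*
 * Worked example: in protected mode with CPL 3 and IOPL 0, neither
 * EFLG_IOPL nor EFLG_IF is added to change_mask above, so a popped
 * value cannot alter IOPL or IF; those bits are silently kept from
 * the old ctxt->eflags.
 */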
1551 static int em_popf(struct x86_emulate_ctxt *ctxt)
1553 ctxt->dst.type = OP_REG;
1554 ctxt->dst.addr.reg = &ctxt->eflags;
1555 ctxt->dst.bytes = ctxt->op_bytes;
1556 return emulate_popf(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1559 static int em_push_sreg(struct x86_emulate_ctxt *ctxt)
1561 int seg = ctxt->src2.val;
1563 ctxt->src.val = get_segment_selector(ctxt, seg);
1565 return em_push(ctxt);
1568 static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
1570 int seg = ctxt->src2.val;
1571 unsigned long selector;
1574 rc = emulate_pop(ctxt, &selector, ctxt->op_bytes);
1575 if (rc != X86EMUL_CONTINUE)
1578 rc = load_segment_descriptor(ctxt, (u16)selector, seg);
1582 static int em_pusha(struct x86_emulate_ctxt *ctxt)
1584 unsigned long old_esp = ctxt->regs[VCPU_REGS_RSP];
1585 int rc = X86EMUL_CONTINUE;
1586 int reg = VCPU_REGS_RAX;
1588 while (reg <= VCPU_REGS_RDI) {
1589 ctxt->src.val = (reg == VCPU_REGS_RSP) ?
1590 old_esp : ctxt->regs[reg];
1592 rc = em_push(ctxt);
1593 if (rc != X86EMUL_CONTINUE)
1602 static int em_pushf(struct x86_emulate_ctxt *ctxt)
1604 ctxt->src.val = (unsigned long)ctxt->eflags;
1605 return em_push(ctxt);
1608 static int em_popa(struct x86_emulate_ctxt *ctxt)
1610 int rc = X86EMUL_CONTINUE;
1611 int reg = VCPU_REGS_RDI;
1613 while (reg >= VCPU_REGS_RAX) {
1614 if (reg == VCPU_REGS_RSP) {
1615 register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RSP],
1620 rc = emulate_pop(ctxt, &ctxt->regs[reg], ctxt->op_bytes);
1621 if (rc != X86EMUL_CONTINUE)
1628 int emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
1630 struct x86_emulate_ops *ops = ctxt->ops;
1637 /* TODO: Add limit checks */
1638 ctxt->src.val = ctxt->eflags;
1639 rc = em_push(ctxt);
1640 if (rc != X86EMUL_CONTINUE)
1643 ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
1645 ctxt->src.val = get_segment_selector(ctxt, VCPU_SREG_CS);
1646 rc = em_push(ctxt);
1647 if (rc != X86EMUL_CONTINUE)
1650 ctxt->src.val = ctxt->_eip;
1651 rc = em_push(ctxt);
1652 if (rc != X86EMUL_CONTINUE)
1655 ops->get_idt(ctxt, &dt);
1657 eip_addr = dt.address + (irq << 2);
1658 cs_addr = dt.address + (irq << 2) + 2;
1660 rc = ops->read_std(ctxt, cs_addr, &cs, 2, &ctxt->exception);
1661 if (rc != X86EMUL_CONTINUE)
1664 rc = ops->read_std(ctxt, eip_addr, &eip, 2, &ctxt->exception);
1665 if (rc != X86EMUL_CONTINUE)
1668 rc = load_segment_descriptor(ctxt, cs, VCPU_SREG_CS);
1669 if (rc != X86EMUL_CONTINUE)
1677 static int emulate_int(struct x86_emulate_ctxt *ctxt, int irq)
1679 switch(ctxt->mode) {
1680 case X86EMUL_MODE_REAL:
1681 return emulate_int_real(ctxt, irq);
1682 case X86EMUL_MODE_VM86:
1683 case X86EMUL_MODE_PROT16:
1684 case X86EMUL_MODE_PROT32:
1685 case X86EMUL_MODE_PROT64:
1687 /* Protected mode interrupts not implemented yet */
1688 return X86EMUL_UNHANDLEABLE;
1692 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
1694 int rc = X86EMUL_CONTINUE;
1695 unsigned long temp_eip = 0;
1696 unsigned long temp_eflags = 0;
1697 unsigned long cs = 0;
1698 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1699 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1700 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1701 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1703 /* TODO: Add stack limit check */
1705 rc = emulate_pop(ctxt, &temp_eip, ctxt->op_bytes);
1707 if (rc != X86EMUL_CONTINUE)
1710 if (temp_eip & ~0xffff)
1711 return emulate_gp(ctxt, 0);
1713 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
1715 if (rc != X86EMUL_CONTINUE)
1718 rc = emulate_pop(ctxt, &temp_eflags, ctxt->op_bytes);
1720 if (rc != X86EMUL_CONTINUE)
1723 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
1725 if (rc != X86EMUL_CONTINUE)
1728 ctxt->_eip = temp_eip;
1731 if (ctxt->op_bytes == 4)
1732 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1733 else if (ctxt->op_bytes == 2) {
1734 ctxt->eflags &= ~0xffff;
1735 ctxt->eflags |= temp_eflags;
1738 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1739 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1744 static int em_iret(struct x86_emulate_ctxt *ctxt)
1746 switch(ctxt->mode) {
1747 case X86EMUL_MODE_REAL:
1748 return emulate_iret_real(ctxt);
1749 case X86EMUL_MODE_VM86:
1750 case X86EMUL_MODE_PROT16:
1751 case X86EMUL_MODE_PROT32:
1752 case X86EMUL_MODE_PROT64:
1754 /* iret from protected mode not implemented yet */
1755 return X86EMUL_UNHANDLEABLE;
1759 static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
1764 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
1766 rc = load_segment_descriptor(ctxt, sel, VCPU_SREG_CS);
1767 if (rc != X86EMUL_CONTINUE)
1771 memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
1772 return X86EMUL_CONTINUE;
1775 static int em_grp2(struct x86_emulate_ctxt *ctxt)
1777 switch (ctxt->modrm_reg) {
1779 emulate_2op_SrcB(ctxt, "rol");
1782 emulate_2op_SrcB(ctxt, "ror");
1785 emulate_2op_SrcB(ctxt, "rcl");
1788 emulate_2op_SrcB(ctxt, "rcr");
1790 case 4: /* sal/shl */
1791 case 6: /* sal/shl */
1792 emulate_2op_SrcB(ctxt, "sal");
1795 emulate_2op_SrcB(ctxt, "shr");
1798 emulate_2op_SrcB(ctxt, "sar");
1801 return X86EMUL_CONTINUE;
1804 static int em_not(struct x86_emulate_ctxt *ctxt)
1806 ctxt->dst.val = ~ctxt->dst.val;
1807 return X86EMUL_CONTINUE;
1810 static int em_neg(struct x86_emulate_ctxt *ctxt)
1812 emulate_1op(ctxt, "neg");
1813 return X86EMUL_CONTINUE;
1816 static int em_mul_ex(struct x86_emulate_ctxt *ctxt)
1820 emulate_1op_rax_rdx(ctxt, "mul", ex);
1821 return X86EMUL_CONTINUE;
1824 static int em_imul_ex(struct x86_emulate_ctxt *ctxt)
1828 emulate_1op_rax_rdx(ctxt, "imul", ex);
1829 return X86EMUL_CONTINUE;
1832 static int em_div_ex(struct x86_emulate_ctxt *ctxt)
1836 emulate_1op_rax_rdx(ctxt, "div", de);
1838 return emulate_de(ctxt);
1839 return X86EMUL_CONTINUE;
1842 static int em_idiv_ex(struct x86_emulate_ctxt *ctxt)
1846 emulate_1op_rax_rdx(ctxt, "idiv", de);
1848 return emulate_de(ctxt);
1849 return X86EMUL_CONTINUE;
1852 static int em_grp45(struct x86_emulate_ctxt *ctxt)
1854 int rc = X86EMUL_CONTINUE;
1856 switch (ctxt->modrm_reg) {
1858 emulate_1op(ctxt, "inc");
1861 emulate_1op(ctxt, "dec");
1863 case 2: /* call near abs */ {
1865 old_eip = ctxt->_eip;
1866 ctxt->_eip = ctxt->src.val;
1867 ctxt->src.val = old_eip;
1871 case 4: /* jmp abs */
1872 ctxt->_eip = ctxt->src.val;
1874 case 5: /* jmp far */
1875 rc = em_jmp_far(ctxt);
1884 static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
1886 u64 old = ctxt->dst.orig_val64;
1888 if (((u32) (old >> 0) != (u32) ctxt->regs[VCPU_REGS_RAX]) ||
1889 ((u32) (old >> 32) != (u32) ctxt->regs[VCPU_REGS_RDX])) {
1890 ctxt->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1891 ctxt->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1892 ctxt->eflags &= ~EFLG_ZF;
1894 ctxt->dst.val64 = ((u64)ctxt->regs[VCPU_REGS_RCX] << 32) |
1895 (u32) ctxt->regs[VCPU_REGS_RBX];
1897 ctxt->eflags |= EFLG_ZF;
1899 return X86EMUL_CONTINUE;
1902 static int em_ret(struct x86_emulate_ctxt *ctxt)
1904 ctxt->dst.type = OP_REG;
1905 ctxt->dst.addr.reg = &ctxt->_eip;
1906 ctxt->dst.bytes = ctxt->op_bytes;
1907 return em_pop(ctxt);
1910 static int em_ret_far(struct x86_emulate_ctxt *ctxt)
1915 rc = emulate_pop(ctxt, &ctxt->_eip, ctxt->op_bytes);
1916 if (rc != X86EMUL_CONTINUE)
1918 if (ctxt->op_bytes == 4)
1919 ctxt->_eip = (u32)ctxt->_eip;
1920 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
1921 if (rc != X86EMUL_CONTINUE)
1923 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
1927 static int em_cmpxchg(struct x86_emulate_ctxt *ctxt)
1929 /* Save real source value, then compare EAX against destination. */
1930 ctxt->src.orig_val = ctxt->src.val;
1931 ctxt->src.val = ctxt->regs[VCPU_REGS_RAX];
1932 emulate_2op_SrcV(ctxt, "cmp");
1934 if (ctxt->eflags & EFLG_ZF) {
1935 /* Success: write back to memory. */
1936 ctxt->dst.val = ctxt->src.orig_val;
1938 /* Failure: write the value we saw to EAX. */
1939 ctxt->dst.type = OP_REG;
1940 ctxt->dst.addr.reg = (unsigned long *)&ctxt->regs[VCPU_REGS_RAX];
1942 return X86EMUL_CONTINUE;
1945 static int em_lseg(struct x86_emulate_ctxt *ctxt)
1947 int seg = ctxt->src2.val;
1951 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
1953 rc = load_segment_descriptor(ctxt, sel, seg);
1954 if (rc != X86EMUL_CONTINUE)
1957 ctxt->dst.val = ctxt->src.val;
1962 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1963 struct desc_struct *cs, struct desc_struct *ss)
1967 memset(cs, 0, sizeof(struct desc_struct));
1968 ctxt->ops->get_segment(ctxt, &selector, cs, NULL, VCPU_SREG_CS);
1969 memset(ss, 0, sizeof(struct desc_struct));
1971 cs->l = 0; /* will be adjusted later */
1972 set_desc_base(cs, 0); /* flat segment */
1973 cs->g = 1; /* 4kb granularity */
1974 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1975 cs->type = 0x0b; /* Read, Execute, Accessed */
1977 cs->dpl = 0; /* will be adjusted later */
1981 set_desc_base(ss, 0); /* flat segment */
1982 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1983 ss->g = 1; /* 4kb granularity */
1985 ss->type = 0x03; /* Read/Write, Accessed */
1986 ss->d = 1; /* 32bit stack segment */
1991 static bool vendor_intel(struct x86_emulate_ctxt *ctxt)
1993 u32 eax, ebx, ecx, edx;
1996 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
1997 return ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx
1998 && ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx
1999 && edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx;
2002 static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt)
2004 struct x86_emulate_ops *ops = ctxt->ops;
2005 u32 eax, ebx, ecx, edx;
2008 * syscall should always be enabled in long mode, so the vendor-
2009 * specific (cpuid) check only matters when other modes are active...
2011 if (ctxt->mode == X86EMUL_MODE_PROT64)
2016 ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
2018 * Intel ("GenuineIntel")
2019 * remark: Intel CPUs only support "syscall" in 64-bit long
2020 * mode, so a 32-bit compat app running on a 64-bit guest
2021 * will #UD. While this behaviour could be fixed up (by
2022 * emulation) to give the AMD response, AMD CPUs cannot be
2023 * made to behave like Intel ones.
2025 if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
2026 ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
2027 edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
2030 /* AMD ("AuthenticAMD") */
2031 if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
2032 ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
2033 edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
2036 /* AMD ("AMDisbetter!") */
2037 if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
2038 ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
2039 edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
2042 /* default: (not Intel, not AMD), apply Intel's stricter rules... */
2046 static int em_syscall(struct x86_emulate_ctxt *ctxt)
2048 struct x86_emulate_ops *ops = ctxt->ops;
2049 struct desc_struct cs, ss;
2054 /* syscall is not available in real mode */
2055 if (ctxt->mode == X86EMUL_MODE_REAL ||
2056 ctxt->mode == X86EMUL_MODE_VM86)
2057 return emulate_ud(ctxt);
2059 if (!em_syscall_is_enabled(ctxt))
2060 return emulate_ud(ctxt);
2062 ops->get_msr(ctxt, MSR_EFER, &efer);
2063 setup_syscalls_segments(ctxt, &cs, &ss);
2065 if (!(efer & EFER_SCE))
2066 return emulate_ud(ctxt);
2068 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2070 cs_sel = (u16)(msr_data & 0xfffc);
2071 ss_sel = (u16)(msr_data + 8);
2073 if (efer & EFER_LMA) {
2077 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2078 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2080 ctxt->regs[VCPU_REGS_RCX] = ctxt->_eip;
2081 if (efer & EFER_LMA) {
2082 #ifdef CONFIG_X86_64
2083 ctxt->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
2085 ops->get_msr(ctxt,
2086 ctxt->mode == X86EMUL_MODE_PROT64 ?
2087 MSR_LSTAR : MSR_CSTAR, &msr_data);
2088 ctxt->_eip = msr_data;
2090 ops->get_msr(ctxt, MSR_SYSCALL_MASK, &msr_data);
2091 ctxt->eflags &= ~(msr_data | EFLG_RF);
2095 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2096 ctxt->_eip = (u32)msr_data;
2098 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2101 return X86EMUL_CONTINUE;
2104 static int em_sysenter(struct x86_emulate_ctxt *ctxt)
2106 struct x86_emulate_ops *ops = ctxt->ops;
2107 struct desc_struct cs, ss;
2112 ops->get_msr(ctxt, MSR_EFER, &efer);
2113 /* inject #GP if in real mode */
2114 if (ctxt->mode == X86EMUL_MODE_REAL)
2115 return emulate_gp(ctxt, 0);
2118 * Not recognized on AMD in compat mode (but is recognized in legacy
2119 * mode)
2121 if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
2122 && !vendor_intel(ctxt))
2123 return emulate_ud(ctxt);
2125 /* XXX sysenter/sysexit have not been tested in 64-bit mode.
2126 * Therefore, we inject a #UD.
2128 if (ctxt->mode == X86EMUL_MODE_PROT64)
2129 return emulate_ud(ctxt);
2131 setup_syscalls_segments(ctxt, &cs, &ss);
2133 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2134 switch (ctxt->mode) {
2135 case X86EMUL_MODE_PROT32:
2136 if ((msr_data & 0xfffc) == 0x0)
2137 return emulate_gp(ctxt, 0);
2139 case X86EMUL_MODE_PROT64:
2140 if (msr_data == 0x0)
2141 return emulate_gp(ctxt, 0);
2145 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2146 cs_sel = (u16)msr_data;
2147 cs_sel &= ~SELECTOR_RPL_MASK;
2148 ss_sel = cs_sel + 8;
2149 ss_sel &= ~SELECTOR_RPL_MASK;
2150 if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
2155 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2156 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2158 ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
2159 ctxt->_eip = msr_data;
2161 ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
2162 ctxt->regs[VCPU_REGS_RSP] = msr_data;
2164 return X86EMUL_CONTINUE;
2167 static int em_sysexit(struct x86_emulate_ctxt *ctxt)
2169 struct x86_emulate_ops *ops = ctxt->ops;
2170 struct desc_struct cs, ss;
2173 u16 cs_sel = 0, ss_sel = 0;
2175 /* inject #GP if in real mode or Virtual 8086 mode */
2176 if (ctxt->mode == X86EMUL_MODE_REAL ||
2177 ctxt->mode == X86EMUL_MODE_VM86)
2178 return emulate_gp(ctxt, 0);
2180 setup_syscalls_segments(ctxt, &cs, &ss);
2182 if ((ctxt->rex_prefix & 0x8) != 0x0)
2183 usermode = X86EMUL_MODE_PROT64;
2185 usermode = X86EMUL_MODE_PROT32;
2189 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2191 case X86EMUL_MODE_PROT32:
2192 cs_sel = (u16)(msr_data + 16);
2193 if ((msr_data & 0xfffc) == 0x0)
2194 return emulate_gp(ctxt, 0);
2195 ss_sel = (u16)(msr_data + 24);
2197 case X86EMUL_MODE_PROT64:
2198 cs_sel = (u16)(msr_data + 32);
2199 if (msr_data == 0x0)
2200 return emulate_gp(ctxt, 0);
2201 ss_sel = cs_sel + 8;
2206 cs_sel |= SELECTOR_RPL_MASK;
2207 ss_sel |= SELECTOR_RPL_MASK;
2209 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2210 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2212 ctxt->_eip = ctxt->regs[VCPU_REGS_RDX];
2213 ctxt->regs[VCPU_REGS_RSP] = ctxt->regs[VCPU_REGS_RCX];
2215 return X86EMUL_CONTINUE;
2218 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt)
2221 if (ctxt->mode == X86EMUL_MODE_REAL)
2223 if (ctxt->mode == X86EMUL_MODE_VM86)
2225 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
2226 return ctxt->ops->cpl(ctxt) > iopl;
2229 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2232 struct x86_emulate_ops *ops = ctxt->ops;
2233 struct desc_struct tr_seg;
2236 u16 tr, io_bitmap_ptr, perm, bit_idx = port & 0x7;
2237 unsigned mask = (1 << len) - 1;
2240 ops->get_segment(ctxt, &tr, &tr_seg, &base3, VCPU_SREG_TR);
2243 if (desc_limit_scaled(&tr_seg) < 103)
2245 base = get_desc_base(&tr_seg);
2246 #ifdef CONFIG_X86_64
2247 base |= ((u64)base3) << 32;
2249 r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL);
2250 if (r != X86EMUL_CONTINUE)
2252 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2254 r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL);
2255 if (r != X86EMUL_CONTINUE)
2257 if ((perm >> bit_idx) & mask)
2258 return false;
2260 return true;
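/*
 * Worked example: a one-byte access to port 0x3f8 reads the u16 at
 * tr_seg base + io_bitmap_ptr + 0x3f8/8 (byte 0x7f of the bitmap);
 * bit_idx = 0x3f8 & 7 == 0 and mask == 1, so the access is denied
 * iff bitmap bit 0x3f8 is set.
 */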
2262 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2268 if (emulator_bad_iopl(ctxt))
2269 if (!emulator_io_port_access_allowed(ctxt, port, len))
2270 return false;
2272 ctxt->perm_ok = true;
2277 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2278 struct tss_segment_16 *tss)
2280 tss->ip = ctxt->_eip;
2281 tss->flag = ctxt->eflags;
2282 tss->ax = ctxt->regs[VCPU_REGS_RAX];
2283 tss->cx = ctxt->regs[VCPU_REGS_RCX];
2284 tss->dx = ctxt->regs[VCPU_REGS_RDX];
2285 tss->bx = ctxt->regs[VCPU_REGS_RBX];
2286 tss->sp = ctxt->regs[VCPU_REGS_RSP];
2287 tss->bp = ctxt->regs[VCPU_REGS_RBP];
2288 tss->si = ctxt->regs[VCPU_REGS_RSI];
2289 tss->di = ctxt->regs[VCPU_REGS_RDI];
2291 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2292 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2293 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2294 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2295 tss->ldt = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2298 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2299 struct tss_segment_16 *tss)
2303 ctxt->_eip = tss->ip;
2304 ctxt->eflags = tss->flag | 2;
2305 ctxt->regs[VCPU_REGS_RAX] = tss->ax;
2306 ctxt->regs[VCPU_REGS_RCX] = tss->cx;
2307 ctxt->regs[VCPU_REGS_RDX] = tss->dx;
2308 ctxt->regs[VCPU_REGS_RBX] = tss->bx;
2309 ctxt->regs[VCPU_REGS_RSP] = tss->sp;
2310 ctxt->regs[VCPU_REGS_RBP] = tss->bp;
2311 ctxt->regs[VCPU_REGS_RSI] = tss->si;
2312 ctxt->regs[VCPU_REGS_RDI] = tss->di;
2315 * SDM says that segment selectors are loaded before segment
2316 * descriptors
2318 set_segment_selector(ctxt, tss->ldt, VCPU_SREG_LDTR);
2319 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2320 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2321 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2322 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2325 * Now load the segment descriptors. If a fault happens at this
2326 * stage, it is handled in the context of the new task
2328 ret = load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR);
2329 if (ret != X86EMUL_CONTINUE)
2331 ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES);
2332 if (ret != X86EMUL_CONTINUE)
2334 ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS);
2335 if (ret != X86EMUL_CONTINUE)
2337 ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS);
2338 if (ret != X86EMUL_CONTINUE)
2340 ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS);
2341 if (ret != X86EMUL_CONTINUE)
2344 return X86EMUL_CONTINUE;
2347 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2348 u16 tss_selector, u16 old_tss_sel,
2349 ulong old_tss_base, struct desc_struct *new_desc)
2351 struct x86_emulate_ops *ops = ctxt->ops;
2352 struct tss_segment_16 tss_seg;
2354 u32 new_tss_base = get_desc_base(new_desc);
2356 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2358 if (ret != X86EMUL_CONTINUE)
2359 /* FIXME: need to provide precise fault address */
2362 save_state_to_tss16(ctxt, &tss_seg);
2364 ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2366 if (ret != X86EMUL_CONTINUE)
2367 /* FIXME: need to provide precise fault address */
2370 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
2372 if (ret != X86EMUL_CONTINUE)
2373 /* FIXME: need to provide precise fault address */
2376 if (old_tss_sel != 0xffff) {
2377 tss_seg.prev_task_link = old_tss_sel;
2379 ret = ops->write_std(ctxt, new_tss_base,
2380 &tss_seg.prev_task_link,
2381 sizeof tss_seg.prev_task_link,
2383 if (ret != X86EMUL_CONTINUE)
2384 /* FIXME: need to provide precise fault address */
2388 return load_state_from_tss16(ctxt, &tss_seg);
2391 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2392 struct tss_segment_32 *tss)
2394 tss->cr3 = ctxt->ops->get_cr(ctxt, 3);
2395 tss->eip = ctxt->_eip;
2396 tss->eflags = ctxt->eflags;
2397 tss->eax = ctxt->regs[VCPU_REGS_RAX];
2398 tss->ecx = ctxt->regs[VCPU_REGS_RCX];
2399 tss->edx = ctxt->regs[VCPU_REGS_RDX];
2400 tss->ebx = ctxt->regs[VCPU_REGS_RBX];
2401 tss->esp = ctxt->regs[VCPU_REGS_RSP];
2402 tss->ebp = ctxt->regs[VCPU_REGS_RBP];
2403 tss->esi = ctxt->regs[VCPU_REGS_RSI];
2404 tss->edi = ctxt->regs[VCPU_REGS_RDI];
2406 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2407 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2408 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2409 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2410 tss->fs = get_segment_selector(ctxt, VCPU_SREG_FS);
2411 tss->gs = get_segment_selector(ctxt, VCPU_SREG_GS);
2412 tss->ldt_selector = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2415 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2416 struct tss_segment_32 *tss)
2420 if (ctxt->ops->set_cr(ctxt, 3, tss->cr3))
2421 return emulate_gp(ctxt, 0);
2422 ctxt->_eip = tss->eip;
2423 ctxt->eflags = tss->eflags | 2;
2425 /* General purpose registers */
2426 ctxt->regs[VCPU_REGS_RAX] = tss->eax;
2427 ctxt->regs[VCPU_REGS_RCX] = tss->ecx;
2428 ctxt->regs[VCPU_REGS_RDX] = tss->edx;
2429 ctxt->regs[VCPU_REGS_RBX] = tss->ebx;
2430 ctxt->regs[VCPU_REGS_RSP] = tss->esp;
2431 ctxt->regs[VCPU_REGS_RBP] = tss->ebp;
2432 ctxt->regs[VCPU_REGS_RSI] = tss->esi;
2433 ctxt->regs[VCPU_REGS_RDI] = tss->edi;
2436 * SDM says that segment selectors are loaded before segment
 * descriptors.
2439 set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
2440 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2441 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2442 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2443 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2444 set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS);
2445 set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS);
2448 * If we're switching between Protected Mode and VM86, we need to make
2449 * sure to update the mode before loading the segment descriptors so
2450 * that the selectors are interpreted correctly.
2452 * Need to get rflags into the vcpu struct immediately because it
2453 * influences the CPL, which is checked at least when loading the segment
2454 * descriptors and when pushing an error code to the new kernel stack.
2456 * TODO Introduce a separate ctxt->ops->set_cpl callback
2458 if (ctxt->eflags & X86_EFLAGS_VM)
2459 ctxt->mode = X86EMUL_MODE_VM86;
2461 ctxt->mode = X86EMUL_MODE_PROT32;
2463 ctxt->ops->set_rflags(ctxt, ctxt->eflags);
2466 * Now load segment descriptors. If a fault happens at this stage
2467 * it is handled in the context of the new task.
2469 ret = load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
2470 if (ret != X86EMUL_CONTINUE)
2472 ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES);
2473 if (ret != X86EMUL_CONTINUE)
2475 ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS);
2476 if (ret != X86EMUL_CONTINUE)
2478 ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS);
2479 if (ret != X86EMUL_CONTINUE)
2481 ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS);
2482 if (ret != X86EMUL_CONTINUE)
2484 ret = load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS);
2485 if (ret != X86EMUL_CONTINUE)
2487 ret = load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS);
2488 if (ret != X86EMUL_CONTINUE)
2491 return X86EMUL_CONTINUE;
2494 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2495 u16 tss_selector, u16 old_tss_sel,
2496 ulong old_tss_base, struct desc_struct *new_desc)
2498 struct x86_emulate_ops *ops = ctxt->ops;
2499 struct tss_segment_32 tss_seg;
2501 u32 new_tss_base = get_desc_base(new_desc);
2503 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2505 if (ret != X86EMUL_CONTINUE)
2506 /* FIXME: need to provide precise fault address */
2509 save_state_to_tss32(ctxt, &tss_seg);
2511 ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2513 if (ret != X86EMUL_CONTINUE)
2514 /* FIXME: need to provide precise fault address */
2517 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
2519 if (ret != X86EMUL_CONTINUE)
2520 /* FIXME: need to provide precise fault address */
2523 if (old_tss_sel != 0xffff) {
2524 tss_seg.prev_task_link = old_tss_sel;
2526 ret = ops->write_std(ctxt, new_tss_base,
2527 &tss_seg.prev_task_link,
2528 sizeof tss_seg.prev_task_link,
2530 if (ret != X86EMUL_CONTINUE)
2531 /* FIXME: need to provide precise fault address */
2535 return load_state_from_tss32(ctxt, &tss_seg);
2538 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2539 u16 tss_selector, int idt_index, int reason,
2540 bool has_error_code, u32 error_code)
2542 struct x86_emulate_ops *ops = ctxt->ops;
2543 struct desc_struct curr_tss_desc, next_tss_desc;
2545 u16 old_tss_sel = get_segment_selector(ctxt, VCPU_SREG_TR);
2546 ulong old_tss_base =
2547 ops->get_cached_segment_base(ctxt, VCPU_SREG_TR);
2550 /* FIXME: old_tss_base == ~0 ? */
2552 ret = read_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
2553 if (ret != X86EMUL_CONTINUE)
2555 ret = read_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
2556 if (ret != X86EMUL_CONTINUE)
2559 /* FIXME: check that next_tss_desc is a TSS */
2562 * Check privileges. The three cases are task switch caused by...
2564 * 1. jmp/call/int to task gate: Check against DPL of the task gate
2565 * 2. Exception/IRQ/iret: No check is performed
2566 * 3. jmp/call to TSS: Check against DPL of the TSS
2568 if (reason == TASK_SWITCH_GATE) {
2569 if (idt_index != -1) {
2570 /* Software interrupts */
2571 struct desc_struct task_gate_desc;
2574 ret = read_interrupt_descriptor(ctxt, idt_index,
2576 if (ret != X86EMUL_CONTINUE)
2579 dpl = task_gate_desc.dpl;
2580 if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
2581 return emulate_gp(ctxt, (idt_index << 3) | 0x2);
2583 } else if (reason != TASK_SWITCH_IRET) {
2584 int dpl = next_tss_desc.dpl;
2585 if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
2586 return emulate_gp(ctxt, tss_selector);
2590 desc_limit = desc_limit_scaled(&next_tss_desc);
2591 if (!next_tss_desc.p ||
2592 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2593 desc_limit < 0x2b)) {
2594 emulate_ts(ctxt, tss_selector & 0xfffc);
2595 return X86EMUL_PROPAGATE_FAULT;
2598 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2599 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2600 write_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
2603 if (reason == TASK_SWITCH_IRET)
2604 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2606 /* Set the back link to the previous task only if the NT bit is set
2607 in eflags; note that old_tss_sel is not used after this point. */
2608 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2609 old_tss_sel = 0xffff;
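	/*
	 * In the TSS descriptor type field, bit 3 distinguishes a 32-bit
	 * TSS (type 9/11) from a 16-bit one (type 1/3), and bit 1 is the
	 * busy bit set and cleared around this switch.
	 */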
2611 if (next_tss_desc.type & 8)
2612 ret = task_switch_32(ctxt, tss_selector, old_tss_sel,
2613 old_tss_base, &next_tss_desc);
2615 ret = task_switch_16(ctxt, tss_selector, old_tss_sel,
2616 old_tss_base, &next_tss_desc);
2617 if (ret != X86EMUL_CONTINUE)
2620 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2621 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2623 if (reason != TASK_SWITCH_IRET) {
2624 next_tss_desc.type |= (1 << 1); /* set busy flag */
2625 write_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
2628 ops->set_cr(ctxt, 0, ops->get_cr(ctxt, 0) | X86_CR0_TS);
2629 ops->set_segment(ctxt, tss_selector, &next_tss_desc, 0, VCPU_SREG_TR);
2631 if (has_error_code) {
2632 ctxt->op_bytes = ctxt->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2633 ctxt->lock_prefix = 0;
2634 ctxt->src.val = (unsigned long) error_code;
2635 ret = em_push(ctxt);
2641 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2642 u16 tss_selector, int idt_index, int reason,
2643 bool has_error_code, u32 error_code)
2647 ctxt->_eip = ctxt->eip;
2648 ctxt->dst.type = OP_NONE;
2650 rc = emulator_do_task_switch(ctxt, tss_selector, idt_index, reason,
2651 has_error_code, error_code);
2653 if (rc == X86EMUL_CONTINUE)
2654 ctxt->eip = ctxt->_eip;
2656 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
2659 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned seg,
2660 int reg, struct operand *op)
2662 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2664 register_address_increment(ctxt, &ctxt->regs[reg], df * op->bytes);
2665 op->addr.mem.ea = register_address(ctxt, ctxt->regs[reg]);
2666 op->addr.mem.seg = seg;
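/*
 * A minimal sketch (not compiled) of the direction-flag stepping done
 * above: string instructions advance the index register by +size when
 * EFLAGS.DF is clear and by -size when it is set.  The demo_* names
 * are hypothetical.
 */
#if 0
static unsigned long demo_string_step(unsigned long reg,
				      unsigned long eflags, int op_bytes)
{
	int df = (eflags & EFLG_DF) ? -1 : 1;

	return reg + df * op_bytes;
}
/* demo_string_step(0x1000, 0, 4) == 0x1004; with DF set, 0x0ffc. */
#endif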
2669 static int em_das(struct x86_emulate_ctxt *ctxt)
2672 bool af, cf, old_cf;
2674 cf = ctxt->eflags & X86_EFLAGS_CF;
2680 af = ctxt->eflags & X86_EFLAGS_AF;
2681 if ((al & 0x0f) > 9 || af) {
2683 cf = old_cf | (al >= 250);
2688 if (old_al > 0x99 || old_cf) {
2694 /* Set PF, ZF, SF */
2695 ctxt->src.type = OP_IMM;
2697 ctxt->src.bytes = 1;
2698 emulate_2op_SrcV(ctxt, "or");
2699 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
2701 ctxt->eflags |= X86_EFLAGS_CF;
2703 ctxt->eflags |= X86_EFLAGS_AF;
2704 return X86EMUL_CONTINUE;
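/*
 * For reference, a self-contained sketch (not compiled) of the DAS
 * (decimal adjust AL after subtraction) algorithm that em_das()
 * implements, following the SDM pseudocode.  The demo_* name is
 * hypothetical.
 */
#if 0
static u8 demo_das(u8 al, bool *cf, bool *af)
{
	u8 old_al = al;
	bool old_cf = *cf;

	*cf = false;
	if ((al & 0x0f) > 9 || *af) {
		al -= 6;
		/* al >= 250 here means the subtraction borrowed */
		*cf = old_cf || (al >= 250);
		*af = true;
	}
	if (old_al > 0x99 || old_cf) {
		al -= 0x60;
		*cf = true;
	}
	return al;
}
#endif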
2707 static int em_call(struct x86_emulate_ctxt *ctxt)
2709 long rel = ctxt->src.val;
2711 ctxt->src.val = (unsigned long)ctxt->_eip;
2713 return em_push(ctxt);
2716 static int em_call_far(struct x86_emulate_ctxt *ctxt)
2722 old_cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2723 old_eip = ctxt->_eip;
2725 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2726 if (load_segment_descriptor(ctxt, sel, VCPU_SREG_CS))
2727 return X86EMUL_CONTINUE;
2730 memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
2732 ctxt->src.val = old_cs;
2734 if (rc != X86EMUL_CONTINUE)
2737 ctxt->src.val = old_eip;
2738 return em_push(ctxt);
2741 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
2745 ctxt->dst.type = OP_REG;
2746 ctxt->dst.addr.reg = &ctxt->_eip;
2747 ctxt->dst.bytes = ctxt->op_bytes;
2748 rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
2749 if (rc != X86EMUL_CONTINUE)
2751 register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RSP], ctxt->src.val);
2752 return X86EMUL_CONTINUE;
2755 static int em_add(struct x86_emulate_ctxt *ctxt)
2757 emulate_2op_SrcV(ctxt, "add");
2758 return X86EMUL_CONTINUE;
2761 static int em_or(struct x86_emulate_ctxt *ctxt)
2763 emulate_2op_SrcV(ctxt, "or");
2764 return X86EMUL_CONTINUE;
2767 static int em_adc(struct x86_emulate_ctxt *ctxt)
2769 emulate_2op_SrcV(ctxt, "adc");
2770 return X86EMUL_CONTINUE;
2773 static int em_sbb(struct x86_emulate_ctxt *ctxt)
2775 emulate_2op_SrcV(ctxt, "sbb");
2776 return X86EMUL_CONTINUE;
2779 static int em_and(struct x86_emulate_ctxt *ctxt)
2781 emulate_2op_SrcV(ctxt, "and");
2782 return X86EMUL_CONTINUE;
2785 static int em_sub(struct x86_emulate_ctxt *ctxt)
2787 emulate_2op_SrcV(ctxt, "sub");
2788 return X86EMUL_CONTINUE;
2791 static int em_xor(struct x86_emulate_ctxt *ctxt)
2793 emulate_2op_SrcV(ctxt, "xor");
2794 return X86EMUL_CONTINUE;
2797 static int em_cmp(struct x86_emulate_ctxt *ctxt)
2799 emulate_2op_SrcV(ctxt, "cmp");
2800 /* Disable writeback. */
2801 ctxt->dst.type = OP_NONE;
2802 return X86EMUL_CONTINUE;
2805 static int em_test(struct x86_emulate_ctxt *ctxt)
2807 emulate_2op_SrcV(ctxt, "test");
2808 /* Disable writeback. */
2809 ctxt->dst.type = OP_NONE;
2810 return X86EMUL_CONTINUE;
2813 static int em_xchg(struct x86_emulate_ctxt *ctxt)
2815 /* Write back the register source. */
2816 ctxt->src.val = ctxt->dst.val;
2817 write_register_operand(&ctxt->src);
2819 /* Write back the memory destination with implicit LOCK prefix. */
2820 ctxt->dst.val = ctxt->src.orig_val;
2821 ctxt->lock_prefix = 1;
2822 return X86EMUL_CONTINUE;
2825 static int em_imul(struct x86_emulate_ctxt *ctxt)
2827 emulate_2op_SrcV_nobyte(ctxt, "imul");
2828 return X86EMUL_CONTINUE;
2831 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
2833 ctxt->dst.val = ctxt->src2.val;
2834 return em_imul(ctxt);
2837 static int em_cwd(struct x86_emulate_ctxt *ctxt)
2839 ctxt->dst.type = OP_REG;
2840 ctxt->dst.bytes = ctxt->src.bytes;
2841 ctxt->dst.addr.reg = &ctxt->regs[VCPU_REGS_RDX];
2842 ctxt->dst.val = ~((ctxt->src.val >> (ctxt->src.bytes * 8 - 1)) - 1);
2844 return X86EMUL_CONTINUE;
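/*
 * The expression above is a branch-free sign fill: assuming the bits
 * above the operand width are clear, (val >> (bits - 1)) is 0 or 1,
 * subtracting 1 gives all-ones or 0, and the complement flips that.
 * A sketch (not compiled) with a hypothetical name:
 */
#if 0
/* CWD/CDQ/CQO result for DX/EDX/RDX: 0 or all-ones from the sign bit. */
static u64 demo_sign_fill(u64 val, int bytes)
{
	return ~((val >> (bytes * 8 - 1)) - 1);
}
/* demo_sign_fill(0x8000, 2) == ~0ull; demo_sign_fill(0x7fff, 2) == 0. */
#endif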
2847 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
2851 ctxt->ops->get_msr(ctxt, MSR_IA32_TSC, &tsc);
2852 ctxt->regs[VCPU_REGS_RAX] = (u32)tsc;
2853 ctxt->regs[VCPU_REGS_RDX] = tsc >> 32;
2854 return X86EMUL_CONTINUE;
2857 static int em_rdpmc(struct x86_emulate_ctxt *ctxt)
2861 if (ctxt->ops->read_pmc(ctxt, ctxt->regs[VCPU_REGS_RCX], &pmc))
2862 return emulate_gp(ctxt, 0);
2863 ctxt->regs[VCPU_REGS_RAX] = (u32)pmc;
2864 ctxt->regs[VCPU_REGS_RDX] = pmc >> 32;
2865 return X86EMUL_CONTINUE;
2868 static int em_mov(struct x86_emulate_ctxt *ctxt)
2870 memcpy(ctxt->dst.valptr, ctxt->src.valptr, ctxt->op_bytes);
2871 return X86EMUL_CONTINUE;
2874 static int em_cr_write(struct x86_emulate_ctxt *ctxt)
2876 if (ctxt->ops->set_cr(ctxt, ctxt->modrm_reg, ctxt->src.val))
2877 return emulate_gp(ctxt, 0);
2879 /* Disable writeback. */
2880 ctxt->dst.type = OP_NONE;
2881 return X86EMUL_CONTINUE;
2884 static int em_dr_write(struct x86_emulate_ctxt *ctxt)
2888 if (ctxt->mode == X86EMUL_MODE_PROT64)
2889 val = ctxt->src.val & ~0ULL;
2891 val = ctxt->src.val & ~0U;
2893 /* #UD condition is already handled. */
2894 if (ctxt->ops->set_dr(ctxt, ctxt->modrm_reg, val) < 0)
2895 return emulate_gp(ctxt, 0);
2897 /* Disable writeback. */
2898 ctxt->dst.type = OP_NONE;
2899 return X86EMUL_CONTINUE;
2902 static int em_wrmsr(struct x86_emulate_ctxt *ctxt)
2906 msr_data = (u32)ctxt->regs[VCPU_REGS_RAX]
2907 | ((u64)ctxt->regs[VCPU_REGS_RDX] << 32);
2908 if (ctxt->ops->set_msr(ctxt, ctxt->regs[VCPU_REGS_RCX], msr_data))
2909 return emulate_gp(ctxt, 0);
2911 return X86EMUL_CONTINUE;
2914 static int em_rdmsr(struct x86_emulate_ctxt *ctxt)
2918 if (ctxt->ops->get_msr(ctxt, ctxt->regs[VCPU_REGS_RCX], &msr_data))
2919 return emulate_gp(ctxt, 0);
2921 ctxt->regs[VCPU_REGS_RAX] = (u32)msr_data;
2922 ctxt->regs[VCPU_REGS_RDX] = msr_data >> 32;
2923 return X86EMUL_CONTINUE;
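/*
 * WRMSR takes its 64-bit value in EDX:EAX and RDMSR returns one the
 * same way; a sketch (not compiled) of the packing that em_wrmsr()
 * and em_rdmsr() perform.  The demo_* names are hypothetical.
 */
#if 0
static u64 demo_edx_eax_to_u64(u32 eax, u32 edx)
{
	return (u64)eax | ((u64)edx << 32);
}

static void demo_u64_to_edx_eax(u64 val, u32 *eax, u32 *edx)
{
	*eax = (u32)val;
	*edx = (u32)(val >> 32);
}
#endif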
2926 static int em_mov_rm_sreg(struct x86_emulate_ctxt *ctxt)
2928 if (ctxt->modrm_reg > VCPU_SREG_GS)
2929 return emulate_ud(ctxt);
2931 ctxt->dst.val = get_segment_selector(ctxt, ctxt->modrm_reg);
2932 return X86EMUL_CONTINUE;
2935 static int em_mov_sreg_rm(struct x86_emulate_ctxt *ctxt)
2937 u16 sel = ctxt->src.val;
2939 if (ctxt->modrm_reg == VCPU_SREG_CS || ctxt->modrm_reg > VCPU_SREG_GS)
2940 return emulate_ud(ctxt);
2942 if (ctxt->modrm_reg == VCPU_SREG_SS)
2943 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
2945 /* Disable writeback. */
2946 ctxt->dst.type = OP_NONE;
2947 return load_segment_descriptor(ctxt, sel, ctxt->modrm_reg);
2950 static int em_invlpg(struct x86_emulate_ctxt *ctxt)
2955 rc = linearize(ctxt, ctxt->src.addr.mem, 1, false, &linear);
2956 if (rc == X86EMUL_CONTINUE)
2957 ctxt->ops->invlpg(ctxt, linear);
2958 /* Disable writeback. */
2959 ctxt->dst.type = OP_NONE;
2960 return X86EMUL_CONTINUE;
2963 static int em_clts(struct x86_emulate_ctxt *ctxt)
2967 cr0 = ctxt->ops->get_cr(ctxt, 0);
2969 ctxt->ops->set_cr(ctxt, 0, cr0);
2970 return X86EMUL_CONTINUE;
2973 static int em_vmcall(struct x86_emulate_ctxt *ctxt)
2977 if (ctxt->modrm_mod != 3 || ctxt->modrm_rm != 1)
2978 return X86EMUL_UNHANDLEABLE;
2980 rc = ctxt->ops->fix_hypercall(ctxt);
2981 if (rc != X86EMUL_CONTINUE)
2984 /* Let the processor re-execute the fixed hypercall */
2985 ctxt->_eip = ctxt->eip;
2986 /* Disable writeback. */
2987 ctxt->dst.type = OP_NONE;
2988 return X86EMUL_CONTINUE;
2991 static int em_lgdt(struct x86_emulate_ctxt *ctxt)
2993 struct desc_ptr desc_ptr;
2996 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
2997 &desc_ptr.size, &desc_ptr.address,
2999 if (rc != X86EMUL_CONTINUE)
3001 ctxt->ops->set_gdt(ctxt, &desc_ptr);
3002 /* Disable writeback. */
3003 ctxt->dst.type = OP_NONE;
3004 return X86EMUL_CONTINUE;
3007 static int em_vmmcall(struct x86_emulate_ctxt *ctxt)
3011 rc = ctxt->ops->fix_hypercall(ctxt);
3013 /* Disable writeback. */
3014 ctxt->dst.type = OP_NONE;
3018 static int em_lidt(struct x86_emulate_ctxt *ctxt)
3020 struct desc_ptr desc_ptr;
3023 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
3024 &desc_ptr.size, &desc_ptr.address,
3026 if (rc != X86EMUL_CONTINUE)
3028 ctxt->ops->set_idt(ctxt, &desc_ptr);
3029 /* Disable writeback. */
3030 ctxt->dst.type = OP_NONE;
3031 return X86EMUL_CONTINUE;
3034 static int em_smsw(struct x86_emulate_ctxt *ctxt)
3036 ctxt->dst.bytes = 2;
3037 ctxt->dst.val = ctxt->ops->get_cr(ctxt, 0);
3038 return X86EMUL_CONTINUE;
3041 static int em_lmsw(struct x86_emulate_ctxt *ctxt)
3043 ctxt->ops->set_cr(ctxt, 0, (ctxt->ops->get_cr(ctxt, 0) & ~0x0eul)
3044 | (ctxt->src.val & 0x0f));
3045 ctxt->dst.type = OP_NONE;
3046 return X86EMUL_CONTINUE;
3049 static int em_loop(struct x86_emulate_ctxt *ctxt)
3051 register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RCX], -1);
3052 if ((address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) != 0) &&
3053 (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
3054 jmp_rel(ctxt, ctxt->src.val);
3056 return X86EMUL_CONTINUE;
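/*
 * Note on the test in em_loop(): ctxt->b is 0xe0 (loopne), 0xe1 (loope)
 * or 0xe2 (loop).  XOR-ing the opcode with 0x5 turns its low nibble into
 * the matching condition code (0xe0 -> 0x5, "not zero"; 0xe1 -> 0x4,
 * "zero"), so test_cc() applies the ZF check that loopne/loope need.
 */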
3059 static int em_jcxz(struct x86_emulate_ctxt *ctxt)
3061 if (address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) == 0)
3062 jmp_rel(ctxt, ctxt->src.val);
3064 return X86EMUL_CONTINUE;
3067 static int em_in(struct x86_emulate_ctxt *ctxt)
3069 if (!pio_in_emulated(ctxt, ctxt->dst.bytes, ctxt->src.val,
3071 return X86EMUL_IO_NEEDED;
3073 return X86EMUL_CONTINUE;
3076 static int em_out(struct x86_emulate_ctxt *ctxt)
3078 ctxt->ops->pio_out_emulated(ctxt, ctxt->src.bytes, ctxt->dst.val,
3080 /* Disable writeback. */
3081 ctxt->dst.type = OP_NONE;
3082 return X86EMUL_CONTINUE;
3085 static int em_cli(struct x86_emulate_ctxt *ctxt)
3087 if (emulator_bad_iopl(ctxt))
3088 return emulate_gp(ctxt, 0);
3090 ctxt->eflags &= ~X86_EFLAGS_IF;
3091 return X86EMUL_CONTINUE;
3094 static int em_sti(struct x86_emulate_ctxt *ctxt)
3096 if (emulator_bad_iopl(ctxt))
3097 return emulate_gp(ctxt, 0);
3099 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3100 ctxt->eflags |= X86_EFLAGS_IF;
3101 return X86EMUL_CONTINUE;
3104 static int em_bt(struct x86_emulate_ctxt *ctxt)
3106 /* Disable writeback. */
3107 ctxt->dst.type = OP_NONE;
3108 /* only subword offset */
3109 ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
3111 emulate_2op_SrcV_nobyte(ctxt, "bt");
3112 return X86EMUL_CONTINUE;
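/*
 * With a register destination, BT reduces the bit index modulo the
 * operand width, which is what the mask above implements.  A sketch
 * (not compiled) with a hypothetical name:
 */
#if 0
static bool demo_bt(u64 dst, u64 bit, int op_bytes)
{
	bit &= (op_bytes << 3) - 1;	/* e.g. op_bytes == 4 -> bit &= 31 */
	return (dst >> bit) & 1;	/* BT copies this bit into CF */
}
#endif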
3115 static int em_bts(struct x86_emulate_ctxt *ctxt)
3117 emulate_2op_SrcV_nobyte(ctxt, "bts");
3118 return X86EMUL_CONTINUE;
3121 static int em_btr(struct x86_emulate_ctxt *ctxt)
3123 emulate_2op_SrcV_nobyte(ctxt, "btr");
3124 return X86EMUL_CONTINUE;
3127 static int em_btc(struct x86_emulate_ctxt *ctxt)
3129 emulate_2op_SrcV_nobyte(ctxt, "btc");
3130 return X86EMUL_CONTINUE;
3133 static int em_bsf(struct x86_emulate_ctxt *ctxt)
3135 emulate_2op_SrcV_nobyte(ctxt, "bsf");
3136 return X86EMUL_CONTINUE;
3139 static int em_bsr(struct x86_emulate_ctxt *ctxt)
3141 emulate_2op_SrcV_nobyte(ctxt, "bsr");
3142 return X86EMUL_CONTINUE;
3145 static int em_cpuid(struct x86_emulate_ctxt *ctxt)
3147 u32 eax, ebx, ecx, edx;
3149 eax = ctxt->regs[VCPU_REGS_RAX];
3150 ecx = ctxt->regs[VCPU_REGS_RCX];
3151 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
3152 ctxt->regs[VCPU_REGS_RAX] = eax;
3153 ctxt->regs[VCPU_REGS_RBX] = ebx;
3154 ctxt->regs[VCPU_REGS_RCX] = ecx;
3155 ctxt->regs[VCPU_REGS_RDX] = edx;
3156 return X86EMUL_CONTINUE;
3159 static bool valid_cr(int nr)
3171 static int check_cr_read(struct x86_emulate_ctxt *ctxt)
3173 if (!valid_cr(ctxt->modrm_reg))
3174 return emulate_ud(ctxt);
3176 return X86EMUL_CONTINUE;
3179 static int check_cr_write(struct x86_emulate_ctxt *ctxt)
3181 u64 new_val = ctxt->src.val64;
3182 int cr = ctxt->modrm_reg;
3185 static u64 cr_reserved_bits[] = {
3186 0xffffffff00000000ULL,
3187 0, 0, 0, /* CR3 checked later */
3194 return emulate_ud(ctxt);
3196 if (new_val & cr_reserved_bits[cr])
3197 return emulate_gp(ctxt, 0);
3202 if (((new_val & X86_CR0_PG) && !(new_val & X86_CR0_PE)) ||
3203 ((new_val & X86_CR0_NW) && !(new_val & X86_CR0_CD)))
3204 return emulate_gp(ctxt, 0);
3206 cr4 = ctxt->ops->get_cr(ctxt, 4);
3207 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3209 if ((new_val & X86_CR0_PG) && (efer & EFER_LME) &&
3210 !(cr4 & X86_CR4_PAE))
3211 return emulate_gp(ctxt, 0);
3218 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3219 if (efer & EFER_LMA)
3220 rsvd = CR3_L_MODE_RESERVED_BITS;
3221 else if (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_PAE)
3222 rsvd = CR3_PAE_RESERVED_BITS;
3223 else if (ctxt->ops->get_cr(ctxt, 0) & X86_CR0_PG)
3224 rsvd = CR3_NONPAE_RESERVED_BITS;
3227 return emulate_gp(ctxt, 0);
3232 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3234 if ((efer & EFER_LMA) && !(new_val & X86_CR4_PAE))
3235 return emulate_gp(ctxt, 0);
3241 return X86EMUL_CONTINUE;
3244 static int check_dr7_gd(struct x86_emulate_ctxt *ctxt)
3248 ctxt->ops->get_dr(ctxt, 7, &dr7);
3250 /* Check if DR7.GD (general detect, bit 13) is set */
3251 return dr7 & (1 << 13);
3254 static int check_dr_read(struct x86_emulate_ctxt *ctxt)
3256 int dr = ctxt->modrm_reg;
3260 return emulate_ud(ctxt);
3262 cr4 = ctxt->ops->get_cr(ctxt, 4);
3263 if ((cr4 & X86_CR4_DE) && (dr == 4 || dr == 5))
3264 return emulate_ud(ctxt);
3266 if (check_dr7_gd(ctxt))
3267 return emulate_db(ctxt);
3269 return X86EMUL_CONTINUE;
3272 static int check_dr_write(struct x86_emulate_ctxt *ctxt)
3274 u64 new_val = ctxt->src.val64;
3275 int dr = ctxt->modrm_reg;
3277 if ((dr == 6 || dr == 7) && (new_val & 0xffffffff00000000ULL))
3278 return emulate_gp(ctxt, 0);
3280 return check_dr_read(ctxt);
3283 static int check_svme(struct x86_emulate_ctxt *ctxt)
3287 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3289 if (!(efer & EFER_SVME))
3290 return emulate_ud(ctxt);
3292 return X86EMUL_CONTINUE;
3295 static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
3297 u64 rax = ctxt->regs[VCPU_REGS_RAX];
3299 /* Valid physical address? */
3300 if (rax & 0xffff000000000000ULL)
3301 return emulate_gp(ctxt, 0);
3303 return check_svme(ctxt);
3306 static int check_rdtsc(struct x86_emulate_ctxt *ctxt)
3308 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
3310 if (cr4 & X86_CR4_TSD && ctxt->ops->cpl(ctxt))
3311 return emulate_ud(ctxt);
3313 return X86EMUL_CONTINUE;
3316 static int check_rdpmc(struct x86_emulate_ctxt *ctxt)
3318 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
3319 u64 rcx = ctxt->regs[VCPU_REGS_RCX];
3321 if ((!(cr4 & X86_CR4_PCE) && ctxt->ops->cpl(ctxt)) ||
3323 return emulate_gp(ctxt, 0);
3325 return X86EMUL_CONTINUE;
3328 static int check_perm_in(struct x86_emulate_ctxt *ctxt)
3330 ctxt->dst.bytes = min(ctxt->dst.bytes, 4u);
3331 if (!emulator_io_permited(ctxt, ctxt->src.val, ctxt->dst.bytes))
3332 return emulate_gp(ctxt, 0);
3334 return X86EMUL_CONTINUE;
3337 static int check_perm_out(struct x86_emulate_ctxt *ctxt)
3339 ctxt->src.bytes = min(ctxt->src.bytes, 4u);
3340 if (!emulator_io_permited(ctxt, ctxt->dst.val, ctxt->src.bytes))
3341 return emulate_gp(ctxt, 0);
3343 return X86EMUL_CONTINUE;
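/*
 * A simplified sketch (not compiled) of the architectural rule that
 * check_perm_in/check_perm_out enforce via emulator_io_permited(): a
 * port access is allowed only if every bitmap bit covering
 * port..port+len-1 in the TSS I/O permission bitmap is clear.
 * Locating the bitmap inside the TSS is elided; hypothetical name.
 */
#if 0
static bool demo_io_permitted(const u8 *bitmap, u16 port, int len)
{
	int i;

	for (i = 0; i < len; i++, port++)
		if (bitmap[port / 8] & (1 << (port % 8)))
			return false;
	return true;
}
#endif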
3346 #define D(_y) { .flags = (_y) }
3347 #define DI(_y, _i) { .flags = (_y), .intercept = x86_intercept_##_i }
3348 #define DIP(_y, _i, _p) { .flags = (_y), .intercept = x86_intercept_##_i, \
3349 .check_perm = (_p) }
3351 #define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
3352 #define G(_f, _g) { .flags = ((_f) | Group | ModRM), .u.group = (_g) }
3353 #define GD(_f, _g) { .flags = ((_f) | GroupDual | ModRM), .u.gdual = (_g) }
3354 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
3355 #define II(_f, _e, _i) \
3356 { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i }
3357 #define IIP(_f, _e, _i, _p) \
3358 { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i, \
3359 .check_perm = (_p) }
3360 #define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
3362 #define D2bv(_f) D((_f) | ByteOp), D(_f)
3363 #define D2bvIP(_f, _i, _p) DIP((_f) | ByteOp, _i, _p), DIP(_f, _i, _p)
3364 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
3365 #define I2bvIP(_f, _e, _i, _p) \
3366 IIP((_f) | ByteOp, _e, _i, _p), IIP(_f, _e, _i, _p)
3368 #define I6ALU(_f, _e) I2bv((_f) | DstMem | SrcReg | ModRM, _e), \
3369 I2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock, _e), \
3370 I2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)
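/*
 * For illustration, the expansion of one I6ALU() use: the classic x86
 * ALU opcode pattern gets six table entries per operation, e.g.
 * I6ALU(Lock, em_add) expands to
 *
 *	I(ByteOp | Lock | DstMem | SrcReg | ModRM, em_add)	add r/m8, r8
 *	I(Lock | DstMem | SrcReg | ModRM, em_add)		add r/m, r
 *	I(ByteOp | DstReg | SrcMem | ModRM, em_add)		add r8, r/m8
 *	I(DstReg | SrcMem | ModRM, em_add)			add r, r/m
 *	I(ByteOp | DstAcc | SrcImm, em_add)			add al, imm8
 *	I(DstAcc | SrcImm, em_add)				add ax/eax, imm
 *
 * (Lock is stripped for the forms that cannot take a LOCK prefix.)
 */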
3372 static struct opcode group7_rm1[] = {
3373 DI(SrcNone | Priv, monitor),
3374 DI(SrcNone | Priv, mwait),
3378 static struct opcode group7_rm3[] = {
3379 DIP(SrcNone | Prot | Priv, vmrun, check_svme_pa),
3380 II(SrcNone | Prot | VendorSpecific, em_vmmcall, vmmcall),
3381 DIP(SrcNone | Prot | Priv, vmload, check_svme_pa),
3382 DIP(SrcNone | Prot | Priv, vmsave, check_svme_pa),
3383 DIP(SrcNone | Prot | Priv, stgi, check_svme),
3384 DIP(SrcNone | Prot | Priv, clgi, check_svme),
3385 DIP(SrcNone | Prot | Priv, skinit, check_svme),
3386 DIP(SrcNone | Prot | Priv, invlpga, check_svme),
3389 static struct opcode group7_rm7[] = {
3391 DIP(SrcNone, rdtscp, check_rdtsc),
3395 static struct opcode group1[] = {
3397 I(Lock | PageTable, em_or),
3400 I(Lock | PageTable, em_and),
3406 static struct opcode group1A[] = {
3407 I(DstMem | SrcNone | Mov | Stack, em_pop), N, N, N, N, N, N, N,
3410 static struct opcode group3[] = {
3411 I(DstMem | SrcImm, em_test),
3412 I(DstMem | SrcImm, em_test),
3413 I(DstMem | SrcNone | Lock, em_not),
3414 I(DstMem | SrcNone | Lock, em_neg),
3415 I(SrcMem, em_mul_ex),
3416 I(SrcMem, em_imul_ex),
3417 I(SrcMem, em_div_ex),
3418 I(SrcMem, em_idiv_ex),
3421 static struct opcode group4[] = {
3422 I(ByteOp | DstMem | SrcNone | Lock, em_grp45),
3423 I(ByteOp | DstMem | SrcNone | Lock, em_grp45),
3427 static struct opcode group5[] = {
3428 I(DstMem | SrcNone | Lock, em_grp45),
3429 I(DstMem | SrcNone | Lock, em_grp45),
3430 I(SrcMem | Stack, em_grp45),
3431 I(SrcMemFAddr | ImplicitOps | Stack, em_call_far),
3432 I(SrcMem | Stack, em_grp45),
3433 I(SrcMemFAddr | ImplicitOps, em_grp45),
3434 I(SrcMem | Stack, em_grp45), N,
3437 static struct opcode group6[] = {
3440 DI(Prot | Priv, lldt),
3441 DI(Prot | Priv, ltr),
3445 static struct group_dual group7 = { {
3446 DI(Mov | DstMem | Priv, sgdt),
3447 DI(Mov | DstMem | Priv, sidt),
3448 II(SrcMem | Priv, em_lgdt, lgdt),
3449 II(SrcMem | Priv, em_lidt, lidt),
3450 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
3451 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
3452 II(SrcMem | ByteOp | Priv | NoAccess, em_invlpg, invlpg),
3454 I(SrcNone | Priv | VendorSpecific, em_vmcall),
3456 N, EXT(0, group7_rm3),
3457 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
3458 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
3462 static struct opcode group8[] = {
3464 I(DstMem | SrcImmByte, em_bt),
3465 I(DstMem | SrcImmByte | Lock | PageTable, em_bts),
3466 I(DstMem | SrcImmByte | Lock, em_btr),
3467 I(DstMem | SrcImmByte | Lock | PageTable, em_btc),
3470 static struct group_dual group9 = { {
3471 N, I(DstMem64 | Lock | PageTable, em_cmpxchg8b), N, N, N, N, N, N,
3473 N, N, N, N, N, N, N, N,
3476 static struct opcode group11[] = {
3477 I(DstMem | SrcImm | Mov | PageTable, em_mov),
3481 static struct gprefix pfx_0f_6f_0f_7f = {
3482 I(Mmx, em_mov), I(Sse | Aligned, em_mov), N, I(Sse | Unaligned, em_mov),
3485 static struct gprefix pfx_vmovntpx = {
3486 I(0, em_mov), N, N, N,
3489 static struct opcode opcode_table[256] = {
3491 I6ALU(Lock, em_add),
3492 I(ImplicitOps | Stack | No64 | Src2ES, em_push_sreg),
3493 I(ImplicitOps | Stack | No64 | Src2ES, em_pop_sreg),
3495 I6ALU(Lock | PageTable, em_or),
3496 I(ImplicitOps | Stack | No64 | Src2CS, em_push_sreg),
3499 I6ALU(Lock, em_adc),
3500 I(ImplicitOps | Stack | No64 | Src2SS, em_push_sreg),
3501 I(ImplicitOps | Stack | No64 | Src2SS, em_pop_sreg),
3503 I6ALU(Lock, em_sbb),
3504 I(ImplicitOps | Stack | No64 | Src2DS, em_push_sreg),
3505 I(ImplicitOps | Stack | No64 | Src2DS, em_pop_sreg),
3507 I6ALU(Lock | PageTable, em_and), N, N,
3509 I6ALU(Lock, em_sub), N, I(ByteOp | DstAcc | No64, em_das),
3511 I6ALU(Lock, em_xor), N, N,
3513 I6ALU(0, em_cmp), N, N,
3517 X8(I(SrcReg | Stack, em_push)),
3519 X8(I(DstReg | Stack, em_pop)),
3521 I(ImplicitOps | Stack | No64, em_pusha),
3522 I(ImplicitOps | Stack | No64, em_popa),
3523 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
3526 I(SrcImm | Mov | Stack, em_push),
3527 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
3528 I(SrcImmByte | Mov | Stack, em_push),
3529 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
3530 I2bvIP(DstDI | SrcDX | Mov | String, em_in, ins, check_perm_in), /* insb, insw/insd */
3531 I2bvIP(SrcSI | DstDX | String, em_out, outs, check_perm_out), /* outsb, outsw/outsd */
3535 G(ByteOp | DstMem | SrcImm, group1),
3536 G(DstMem | SrcImm, group1),
3537 G(ByteOp | DstMem | SrcImm | No64, group1),
3538 G(DstMem | SrcImmByte, group1),
3539 I2bv(DstMem | SrcReg | ModRM, em_test),
3540 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_xchg),
3542 I2bv(DstMem | SrcReg | ModRM | Mov | PageTable, em_mov),
3543 I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
3544 I(DstMem | SrcNone | ModRM | Mov | PageTable, em_mov_rm_sreg),
3545 D(ModRM | SrcMem | NoAccess | DstReg),
3546 I(ImplicitOps | SrcMem16 | ModRM, em_mov_sreg_rm),
3549 DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)),
3551 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
3552 I(SrcImmFAddr | No64, em_call_far), N,
3553 II(ImplicitOps | Stack, em_pushf, pushf),
3554 II(ImplicitOps | Stack, em_popf, popf), N, N,
3556 I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
3557 I2bv(DstMem | SrcAcc | Mov | MemAbs | PageTable, em_mov),
3558 I2bv(SrcSI | DstDI | Mov | String, em_mov),
3559 I2bv(SrcSI | DstDI | String, em_cmp),
3561 I2bv(DstAcc | SrcImm, em_test),
3562 I2bv(SrcAcc | DstDI | Mov | String, em_mov),
3563 I2bv(SrcSI | DstAcc | Mov | String, em_mov),
3564 I2bv(SrcAcc | DstDI | String, em_cmp),
3566 X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
3568 X8(I(DstReg | SrcImm | Mov, em_mov)),
3570 D2bv(DstMem | SrcImmByte | ModRM),
3571 I(ImplicitOps | Stack | SrcImmU16, em_ret_near_imm),
3572 I(ImplicitOps | Stack, em_ret),
3573 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2ES, em_lseg),
3574 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2DS, em_lseg),
3575 G(ByteOp, group11), G(0, group11),
3577 N, N, N, I(ImplicitOps | Stack, em_ret_far),
3578 D(ImplicitOps), DI(SrcImmByte, intn),
3579 D(ImplicitOps | No64), II(ImplicitOps, em_iret, iret),
3581 D2bv(DstMem | SrcOne | ModRM), D2bv(DstMem | ModRM),
3584 N, N, N, N, N, N, N, N,
3586 X3(I(SrcImmByte, em_loop)),
3587 I(SrcImmByte, em_jcxz),
3588 I2bvIP(SrcImmUByte | DstAcc, em_in, in, check_perm_in),
3589 I2bvIP(SrcAcc | DstImmUByte, em_out, out, check_perm_out),
3591 I(SrcImm | Stack, em_call), D(SrcImm | ImplicitOps),
3592 I(SrcImmFAddr | No64, em_jmp_far), D(SrcImmByte | ImplicitOps),
3593 I2bvIP(SrcDX | DstAcc, em_in, in, check_perm_in),
3594 I2bvIP(SrcAcc | DstDX, em_out, out, check_perm_out),
3596 N, DI(ImplicitOps, icebp), N, N,
3597 DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
3598 G(ByteOp, group3), G(0, group3),
3600 D(ImplicitOps), D(ImplicitOps),
3601 I(ImplicitOps, em_cli), I(ImplicitOps, em_sti),
3602 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
3605 static struct opcode twobyte_table[256] = {
3607 G(0, group6), GD(0, &group7), N, N,
3608 N, I(ImplicitOps | VendorSpecific, em_syscall),
3609 II(ImplicitOps | Priv, em_clts, clts), N,
3610 DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
3611 N, D(ImplicitOps | ModRM), N, N,
3613 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
3615 DIP(ModRM | DstMem | Priv | Op3264, cr_read, check_cr_read),
3616 DIP(ModRM | DstMem | Priv | Op3264, dr_read, check_dr_read),
3617 IIP(ModRM | SrcMem | Priv | Op3264, em_cr_write, cr_write, check_cr_write),
3618 IIP(ModRM | SrcMem | Priv | Op3264, em_dr_write, dr_write, check_dr_write),
3620 N, N, N, GP(ModRM | DstMem | SrcReg | Sse | Mov | Aligned, &pfx_vmovntpx),
3623 II(ImplicitOps | Priv, em_wrmsr, wrmsr),
3624 IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
3625 II(ImplicitOps | Priv, em_rdmsr, rdmsr),
3626 IIP(ImplicitOps, em_rdpmc, rdpmc, check_rdpmc),
3627 I(ImplicitOps | VendorSpecific, em_sysenter),
3628 I(ImplicitOps | Priv | VendorSpecific, em_sysexit),
3630 N, N, N, N, N, N, N, N,
3632 X16(D(DstReg | SrcMem | ModRM | Mov)),
3634 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
3639 N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
3644 N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
3648 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
3650 I(Stack | Src2FS, em_push_sreg), I(Stack | Src2FS, em_pop_sreg),
3651 II(ImplicitOps, em_cpuid, cpuid), I(DstMem | SrcReg | ModRM | BitOp, em_bt),
3652 D(DstMem | SrcReg | Src2ImmByte | ModRM),
3653 D(DstMem | SrcReg | Src2CL | ModRM), N, N,
3655 I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg),
3656 DI(ImplicitOps, rsm),
3657 I(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
3658 D(DstMem | SrcReg | Src2ImmByte | ModRM),
3659 D(DstMem | SrcReg | Src2CL | ModRM),
3660 D(ModRM), I(DstReg | SrcMem | ModRM, em_imul),
3662 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_cmpxchg),
3663 I(DstReg | SrcMemFAddr | ModRM | Src2SS, em_lseg),
3664 I(DstMem | SrcReg | ModRM | BitOp | Lock, em_btr),
3665 I(DstReg | SrcMemFAddr | ModRM | Src2FS, em_lseg),
3666 I(DstReg | SrcMemFAddr | ModRM | Src2GS, em_lseg),
3667 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
3671 I(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_btc),
3672 I(DstReg | SrcMem | ModRM, em_bsf), I(DstReg | SrcMem | ModRM, em_bsr),
3673 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
3675 D2bv(DstMem | SrcReg | ModRM | Lock),
3676 N, D(DstMem | SrcReg | ModRM | Mov),
3677 N, N, N, GD(0, &group9),
3678 N, N, N, N, N, N, N, N,
3680 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
3682 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
3684 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
3701 static unsigned imm_size(struct x86_emulate_ctxt *ctxt)
3705 size = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
3711 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
3712 unsigned size, bool sign_extension)
3714 int rc = X86EMUL_CONTINUE;
3718 op->addr.mem.ea = ctxt->_eip;
3719 /* NB. Immediates are sign-extended as necessary. */
3720 switch (op->bytes) {
3722 op->val = insn_fetch(s8, ctxt);
3725 op->val = insn_fetch(s16, ctxt);
3728 op->val = insn_fetch(s32, ctxt);
3731 if (!sign_extension) {
3732 switch (op->bytes) {
3740 op->val &= 0xffffffff;
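/*
 * A sketch (not compiled) of the extension behaviour above: the
 * insn_fetch() of s8/s16/s32 sign-extends, and the !sign_extension
 * path masks the value back down for the zero-extended immediate
 * types (SrcImmUByte, SrcImmU16, SrcImmU).  Hypothetical name.
 */
#if 0
static u64 demo_extend_imm(u32 raw, int bytes, bool zero_extend)
{
	s64 val;

	switch (bytes) {		/* the fetch itself sign-extends */
	case 1: val = (s8)raw; break;
	case 2: val = (s16)raw; break;
	default: val = (s32)raw; break;
	}
	if (zero_extend)
		val &= (1ull << (bytes * 8)) - 1;
	return val;
}
#endif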
3748 static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
3751 int rc = X86EMUL_CONTINUE;
3755 decode_register_operand(ctxt, op);
3758 rc = decode_imm(ctxt, op, 1, false);
3761 ctxt->memop.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
3765 if ((ctxt->d & BitOp) && op == &ctxt->dst)
3766 fetch_bit_operand(ctxt);
3767 op->orig_val = op->val;
3770 ctxt->memop.bytes = 8;
3774 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
3775 op->addr.reg = &ctxt->regs[VCPU_REGS_RAX];
3776 fetch_register_operand(op);
3777 op->orig_val = op->val;
3781 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
3783 register_address(ctxt, ctxt->regs[VCPU_REGS_RDI]);
3784 op->addr.mem.seg = VCPU_SREG_ES;
3790 op->addr.reg = &ctxt->regs[VCPU_REGS_RDX];
3791 fetch_register_operand(op);
3795 op->val = ctxt->regs[VCPU_REGS_RCX] & 0xff;
3798 rc = decode_imm(ctxt, op, 1, true);
3805 rc = decode_imm(ctxt, op, imm_size(ctxt), true);
3808 ctxt->memop.bytes = 1;
3811 ctxt->memop.bytes = 2;
3814 ctxt->memop.bytes = 4;
3817 rc = decode_imm(ctxt, op, 2, false);
3820 rc = decode_imm(ctxt, op, imm_size(ctxt), false);
3824 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
3826 register_address(ctxt, ctxt->regs[VCPU_REGS_RSI]);
3827 op->addr.mem.seg = seg_override(ctxt);
3832 op->addr.mem.ea = ctxt->_eip;
3833 op->bytes = ctxt->op_bytes + 2;
3834 insn_fetch_arr(op->valptr, op->bytes, ctxt);
3837 ctxt->memop.bytes = ctxt->op_bytes + 2;
3840 op->val = VCPU_SREG_ES;
3843 op->val = VCPU_SREG_CS;
3846 op->val = VCPU_SREG_SS;
3849 op->val = VCPU_SREG_DS;
3852 op->val = VCPU_SREG_FS;
3855 op->val = VCPU_SREG_GS;
3858 /* Special instructions do their own operand decoding. */
3860 op->type = OP_NONE; /* Disable writeback. */
3868 int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
3870 int rc = X86EMUL_CONTINUE;
3871 int mode = ctxt->mode;
3872 int def_op_bytes, def_ad_bytes, goffset, simd_prefix;
3873 bool op_prefix = false;
3874 struct opcode opcode;
3876 ctxt->memop.type = OP_NONE;
3877 ctxt->memopp = NULL;
3878 ctxt->_eip = ctxt->eip;
3879 ctxt->fetch.start = ctxt->_eip;
3880 ctxt->fetch.end = ctxt->fetch.start + insn_len;
3882 memcpy(ctxt->fetch.data, insn, insn_len);
3885 case X86EMUL_MODE_REAL:
3886 case X86EMUL_MODE_VM86:
3887 case X86EMUL_MODE_PROT16:
3888 def_op_bytes = def_ad_bytes = 2;
3890 case X86EMUL_MODE_PROT32:
3891 def_op_bytes = def_ad_bytes = 4;
3893 #ifdef CONFIG_X86_64
3894 case X86EMUL_MODE_PROT64:
3900 return EMULATION_FAILED;
3903 ctxt->op_bytes = def_op_bytes;
3904 ctxt->ad_bytes = def_ad_bytes;
3906 /* Legacy prefixes. */
3908 switch (ctxt->b = insn_fetch(u8, ctxt)) {
3909 case 0x66: /* operand-size override */
3911 /* switch between 2/4 bytes */
3912 ctxt->op_bytes = def_op_bytes ^ 6;
3914 case 0x67: /* address-size override */
3915 if (mode == X86EMUL_MODE_PROT64)
3916 /* switch between 4/8 bytes */
3917 ctxt->ad_bytes = def_ad_bytes ^ 12;
3919 /* switch between 2/4 bytes */
3920 ctxt->ad_bytes = def_ad_bytes ^ 6;
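			/*
			 * XOR-ing with 6 toggles between the two legal legacy
			 * sizes (2 ^ 6 == 4, 4 ^ 6 == 2); XOR-ing with 12
			 * above toggles the 64-bit address sizes
			 * (8 ^ 12 == 4, 4 ^ 12 == 8).
			 */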
3922 case 0x26: /* ES override */
3923 case 0x2e: /* CS override */
3924 case 0x36: /* SS override */
3925 case 0x3e: /* DS override */
3926 set_seg_override(ctxt, (ctxt->b >> 3) & 3);
3928 case 0x64: /* FS override */
3929 case 0x65: /* GS override */
3930 set_seg_override(ctxt, ctxt->b & 7);
3932 case 0x40 ... 0x4f: /* REX */
3933 if (mode != X86EMUL_MODE_PROT64)
3935 ctxt->rex_prefix = ctxt->b;
3937 case 0xf0: /* LOCK */
3938 ctxt->lock_prefix = 1;
3940 case 0xf2: /* REPNE/REPNZ */
3941 case 0xf3: /* REP/REPE/REPZ */
3942 ctxt->rep_prefix = ctxt->b;
3948 /* Any legacy prefix after a REX prefix nullifies its effect. */
3950 ctxt->rex_prefix = 0;
3956 if (ctxt->rex_prefix & 8)
3957 ctxt->op_bytes = 8; /* REX.W */
3959 /* Opcode byte(s). */
3960 opcode = opcode_table[ctxt->b];
3961 /* Two-byte opcode? */
3962 if (ctxt->b == 0x0f) {
3964 ctxt->b = insn_fetch(u8, ctxt);
3965 opcode = twobyte_table[ctxt->b];
3967 ctxt->d = opcode.flags;
3969 if (ctxt->d & ModRM)
3970 ctxt->modrm = insn_fetch(u8, ctxt);
3972 while (ctxt->d & GroupMask) {
3973 switch (ctxt->d & GroupMask) {
3975 goffset = (ctxt->modrm >> 3) & 7;
3976 opcode = opcode.u.group[goffset];
3979 goffset = (ctxt->modrm >> 3) & 7;
3980 if ((ctxt->modrm >> 6) == 3)
3981 opcode = opcode.u.gdual->mod3[goffset];
3983 opcode = opcode.u.gdual->mod012[goffset];
3986 goffset = ctxt->modrm & 7;
3987 opcode = opcode.u.group[goffset];
3990 if (ctxt->rep_prefix && op_prefix)
3991 return EMULATION_FAILED;
3992 simd_prefix = op_prefix ? 0x66 : ctxt->rep_prefix;
3993 switch (simd_prefix) {
3994 case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
3995 case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
3996 case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
3997 case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
4001 return EMULATION_FAILED;
4004 ctxt->d &= ~(u64)GroupMask;
4005 ctxt->d |= opcode.flags;
4008 ctxt->execute = opcode.u.execute;
4009 ctxt->check_perm = opcode.check_perm;
4010 ctxt->intercept = opcode.intercept;
4013 if (ctxt->d == 0 || (ctxt->d & Undefined))
4014 return EMULATION_FAILED;
4016 if (!(ctxt->d & VendorSpecific) && ctxt->only_vendor_specific_insn)
4017 return EMULATION_FAILED;
4019 if (mode == X86EMUL_MODE_PROT64 && (ctxt->d & Stack))
4022 if (ctxt->d & Op3264) {
4023 if (mode == X86EMUL_MODE_PROT64)
4030 ctxt->op_bytes = 16;
4031 else if (ctxt->d & Mmx)
4034 /* ModRM and SIB bytes. */
4035 if (ctxt->d & ModRM) {
4036 rc = decode_modrm(ctxt, &ctxt->memop);
4037 if (!ctxt->has_seg_override)
4038 set_seg_override(ctxt, ctxt->modrm_seg);
4039 } else if (ctxt->d & MemAbs)
4040 rc = decode_abs(ctxt, &ctxt->memop);
4041 if (rc != X86EMUL_CONTINUE)
4044 if (!ctxt->has_seg_override)
4045 set_seg_override(ctxt, VCPU_SREG_DS);
4047 ctxt->memop.addr.mem.seg = seg_override(ctxt);
4049 if (ctxt->memop.type == OP_MEM && ctxt->ad_bytes != 8)
4050 ctxt->memop.addr.mem.ea = (u32)ctxt->memop.addr.mem.ea;
4053 * Decode and fetch the source operand: register, memory
4056 rc = decode_operand(ctxt, &ctxt->src, (ctxt->d >> SrcShift) & OpMask);
4057 if (rc != X86EMUL_CONTINUE)
4061 * Decode and fetch the second source operand: register, memory
4064 rc = decode_operand(ctxt, &ctxt->src2, (ctxt->d >> Src2Shift) & OpMask);
4065 if (rc != X86EMUL_CONTINUE)
4068 /* Decode and fetch the destination operand: register or memory. */
4069 rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
4072 if (ctxt->memopp && ctxt->memopp->type == OP_MEM && ctxt->rip_relative)
4073 ctxt->memopp->addr.mem.ea += ctxt->_eip;
4075 return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
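/*
 * A hedged sketch (not compiled) of how a caller is expected to drive
 * the decoder and executor above, modeled loosely on the handlers in
 * x86.c; error handling is elided and the demo_* name is hypothetical.
 */
#if 0
static int demo_emulate_one(struct x86_emulate_ctxt *ctxt,
			    void *insn, int insn_len)
{
	int rc;

	rc = x86_decode_insn(ctxt, insn, insn_len);
	if (rc != EMULATION_OK)
		return rc;			/* undecodable */

	/*
	 * x86_emulate_insn() may also return EMULATION_RESTART (re-enter
	 * the guest, e.g. for string ops) or EMULATION_INTERCEPTED.
	 */
	return x86_emulate_insn(ctxt);
}
#endif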
4078 bool x86_page_table_writing_insn(struct x86_emulate_ctxt *ctxt)
4080 return ctxt->d & PageTable;
4083 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
4085 /* The second termination condition applies only to REPE and
4086 * REPNE (0xa6/0xa7 cmps, 0xae/0xaf scas, the string instructions
4087 * that set ZF). If the repeat prefix is REPE/REPZ or REPNE/REPNZ,
4088 * test the corresponding termination condition:
4089 * - if REPE/REPZ and ZF = 0 then done
4090 * - if REPNE/REPNZ and ZF = 1 then done
4092 if (((ctxt->b == 0xa6) || (ctxt->b == 0xa7) ||
4093 (ctxt->b == 0xae) || (ctxt->b == 0xaf))
4094 && (((ctxt->rep_prefix == REPE_PREFIX) &&
4095 ((ctxt->eflags & EFLG_ZF) == 0))
4096 || ((ctxt->rep_prefix == REPNE_PREFIX) &&
4097 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))))
4103 static int flush_pending_x87_faults(struct x86_emulate_ctxt *ctxt)
4107 ctxt->ops->get_fpu(ctxt);
4108 asm volatile("1: fwait \n\t"
4110 ".pushsection .fixup,\"ax\" \n\t"
4112 "movb $1, %[fault] \n\t"
4115 _ASM_EXTABLE(1b, 3b)
4116 : [fault]"+qm"(fault));
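	/*
	 * How the fixup above works: if a pending x87 exception makes the
	 * fwait at label 1 fault, the exception table entry installed by
	 * _ASM_EXTABLE(1b, 3b) redirects execution to label 3 in .fixup,
	 * which sets @fault and jumps back; otherwise @fault stays clear.
	 */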
4117 ctxt->ops->put_fpu(ctxt);
4119 if (unlikely(fault))
4120 return emulate_exception(ctxt, MF_VECTOR, 0, false);
4122 return X86EMUL_CONTINUE;
4125 static void fetch_possible_mmx_operand(struct x86_emulate_ctxt *ctxt,
4128 if (op->type == OP_MM)
4129 read_mmx_reg(ctxt, &op->mm_val, op->addr.mm);
4132 int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
4134 struct x86_emulate_ops *ops = ctxt->ops;
4135 int rc = X86EMUL_CONTINUE;
4136 int saved_dst_type = ctxt->dst.type;
4138 ctxt->mem_read.pos = 0;
4140 if (ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) {
4141 rc = emulate_ud(ctxt);
4145 /* LOCK prefix is allowed only with some instructions */
4146 if (ctxt->lock_prefix && (!(ctxt->d & Lock) || ctxt->dst.type != OP_MEM)) {
4147 rc = emulate_ud(ctxt);
4151 if ((ctxt->d & SrcMask) == SrcMemFAddr && ctxt->src.type != OP_MEM) {
4152 rc = emulate_ud(ctxt);
4156 if (((ctxt->d & (Sse|Mmx)) && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)))
4157 || ((ctxt->d & Sse) && !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
4158 rc = emulate_ud(ctxt);
4162 if ((ctxt->d & (Sse|Mmx)) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
4163 rc = emulate_nm(ctxt);
4167 if (ctxt->d & Mmx) {
4168 rc = flush_pending_x87_faults(ctxt);
4169 if (rc != X86EMUL_CONTINUE)
4172 * Now that we know the fpu is exception safe, we can fetch
 * operands from it.
4175 fetch_possible_mmx_operand(ctxt, &ctxt->src);
4176 fetch_possible_mmx_operand(ctxt, &ctxt->src2);
4177 if (!(ctxt->d & Mov))
4178 fetch_possible_mmx_operand(ctxt, &ctxt->dst);
4181 if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
4182 rc = emulator_check_intercept(ctxt, ctxt->intercept,
4183 X86_ICPT_PRE_EXCEPT);
4184 if (rc != X86EMUL_CONTINUE)
4188 /* Privileged instructions can be executed only at CPL 0 */
4189 if ((ctxt->d & Priv) && ops->cpl(ctxt)) {
4190 rc = emulate_gp(ctxt, 0);
4194 /* Instruction can only be executed in protected mode */
4195 if ((ctxt->d & Prot) && !(ctxt->mode & X86EMUL_MODE_PROT)) {
4196 rc = emulate_ud(ctxt);
4200 /* Do instruction specific permission checks */
4201 if (ctxt->check_perm) {
4202 rc = ctxt->check_perm(ctxt);
4203 if (rc != X86EMUL_CONTINUE)
4207 if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
4208 rc = emulator_check_intercept(ctxt, ctxt->intercept,
4209 X86_ICPT_POST_EXCEPT);
4210 if (rc != X86EMUL_CONTINUE)
4214 if (ctxt->rep_prefix && (ctxt->d & String)) {
4215 /* All REP prefixes have the same first termination condition */
4216 if (address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) == 0) {
4217 ctxt->eip = ctxt->_eip;
4222 if ((ctxt->src.type == OP_MEM) && !(ctxt->d & NoAccess)) {
4223 rc = segmented_read(ctxt, ctxt->src.addr.mem,
4224 ctxt->src.valptr, ctxt->src.bytes);
4225 if (rc != X86EMUL_CONTINUE)
4227 ctxt->src.orig_val64 = ctxt->src.val64;
4230 if (ctxt->src2.type == OP_MEM) {
4231 rc = segmented_read(ctxt, ctxt->src2.addr.mem,
4232 &ctxt->src2.val, ctxt->src2.bytes);
4233 if (rc != X86EMUL_CONTINUE)
4237 if ((ctxt->d & DstMask) == ImplicitOps)
4241 if ((ctxt->dst.type == OP_MEM) && !(ctxt->d & Mov)) {
4242 /* optimisation - avoid slow emulated read if Mov */
4243 rc = segmented_read(ctxt, ctxt->dst.addr.mem,
4244 &ctxt->dst.val, ctxt->dst.bytes);
4245 if (rc != X86EMUL_CONTINUE)
4248 ctxt->dst.orig_val = ctxt->dst.val;
4252 if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
4253 rc = emulator_check_intercept(ctxt, ctxt->intercept,
4254 X86_ICPT_POST_MEMACCESS);
4255 if (rc != X86EMUL_CONTINUE)
4259 if (ctxt->execute) {
4260 rc = ctxt->execute(ctxt);
4261 if (rc != X86EMUL_CONTINUE)
4270 case 0x40 ... 0x47: /* inc r16/r32 */
4271 emulate_1op(ctxt, "inc");
4273 case 0x48 ... 0x4f: /* dec r16/r32 */
4274 emulate_1op(ctxt, "dec");
4276 case 0x63: /* movsxd */
4277 if (ctxt->mode != X86EMUL_MODE_PROT64)
4278 goto cannot_emulate;
4279 ctxt->dst.val = (s32) ctxt->src.val;
4281 case 0x70 ... 0x7f: /* jcc (short) */
4282 if (test_cc(ctxt->b, ctxt->eflags))
4283 jmp_rel(ctxt, ctxt->src.val);
4285 case 0x8d: /* lea r16/r32, m */
4286 ctxt->dst.val = ctxt->src.addr.mem.ea;
4288 case 0x90 ... 0x97: /* nop / xchg reg, rax */
4289 if (ctxt->dst.addr.reg == &ctxt->regs[VCPU_REGS_RAX])
4293 case 0x98: /* cbw/cwde/cdqe */
4294 switch (ctxt->op_bytes) {
4295 case 2: ctxt->dst.val = (s8)ctxt->dst.val; break;
4296 case 4: ctxt->dst.val = (s16)ctxt->dst.val; break;
4297 case 8: ctxt->dst.val = (s32)ctxt->dst.val; break;
4303 case 0xcc: /* int3 */
4304 rc = emulate_int(ctxt, 3);
4306 case 0xcd: /* int n */
4307 rc = emulate_int(ctxt, ctxt->src.val);
4309 case 0xce: /* into */
4310 if (ctxt->eflags & EFLG_OF)
4311 rc = emulate_int(ctxt, 4);
4313 case 0xd0 ... 0xd1: /* Grp2 */
4316 case 0xd2 ... 0xd3: /* Grp2 */
4317 ctxt->src.val = ctxt->regs[VCPU_REGS_RCX];
4320 case 0xe9: /* jmp rel */
4321 case 0xeb: /* jmp rel short */
4322 jmp_rel(ctxt, ctxt->src.val);
4323 ctxt->dst.type = OP_NONE; /* Disable writeback. */
4325 case 0xf4: /* hlt */
4326 ctxt->ops->halt(ctxt);
4328 case 0xf5: /* cmc */
4329 /* complement the carry flag in the eflags register */
4330 ctxt->eflags ^= EFLG_CF;
4332 case 0xf8: /* clc */
4333 ctxt->eflags &= ~EFLG_CF;
4335 case 0xf9: /* stc */
4336 ctxt->eflags |= EFLG_CF;
4338 case 0xfc: /* cld */
4339 ctxt->eflags &= ~EFLG_DF;
4341 case 0xfd: /* std */
4342 ctxt->eflags |= EFLG_DF;
4345 goto cannot_emulate;
4348 if (rc != X86EMUL_CONTINUE)
4352 rc = writeback(ctxt);
4353 if (rc != X86EMUL_CONTINUE)
4357 * restore dst type in case the decode is reused
4358 * (happens for string instructions)
4360 ctxt->dst.type = saved_dst_type;
4362 if ((ctxt->d & SrcMask) == SrcSI)
4363 string_addr_inc(ctxt, seg_override(ctxt),
4364 VCPU_REGS_RSI, &ctxt->src);
4366 if ((ctxt->d & DstMask) == DstDI)
4367 string_addr_inc(ctxt, VCPU_SREG_ES, VCPU_REGS_RDI,
4370 if (ctxt->rep_prefix && (ctxt->d & String)) {
4371 struct read_cache *r = &ctxt->io_read;
4372 register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RCX], -1);
4374 if (!string_insn_completed(ctxt)) {
4376 * Re-enter the guest when the pio read ahead buffer is empty
4377 * or, if it is not used, after every 1024 iterations.
4379 if ((r->end != 0 || ctxt->regs[VCPU_REGS_RCX] & 0x3ff) &&
4380 (r->end == 0 || r->end != r->pos)) {
4382 * Reset the read cache. This usually happens before
4383 * decode, but since the instruction is restarted
4384 * we have to do it here.
4386 ctxt->mem_read.end = 0;
4387 return EMULATION_RESTART;
4389 goto done; /* skip rip writeback */
4393 ctxt->eip = ctxt->_eip;
4396 if (rc == X86EMUL_PROPAGATE_FAULT)
4397 ctxt->have_exception = true;
4398 if (rc == X86EMUL_INTERCEPTED)
4399 return EMULATION_INTERCEPTED;
4401 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
4405 case 0x09: /* wbinvd */
4406 (ctxt->ops->wbinvd)(ctxt);
4408 case 0x08: /* invd */
4409 case 0x0d: /* GrpP (prefetch) */
4410 case 0x18: /* Grp16 (prefetch/nop) */
4412 case 0x20: /* mov cr, reg */
4413 ctxt->dst.val = ops->get_cr(ctxt, ctxt->modrm_reg);
4415 case 0x21: /* mov from dr to reg */
4416 ops->get_dr(ctxt, ctxt->modrm_reg, &ctxt->dst.val);
4418 case 0x40 ... 0x4f: /* cmov */
4419 ctxt->dst.val = ctxt->dst.orig_val = ctxt->src.val;
4420 if (!test_cc(ctxt->b, ctxt->eflags))
4421 ctxt->dst.type = OP_NONE; /* no writeback */
4423 case 0x80 ... 0x8f: /* jnz rel, etc*/
4424 if (test_cc(ctxt->b, ctxt->eflags))
4425 jmp_rel(ctxt, ctxt->src.val);
4427 case 0x90 ... 0x9f: /* setcc r/m8 */
4428 ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
4430 case 0xa4: /* shld imm8, r, r/m */
4431 case 0xa5: /* shld cl, r, r/m */
4432 emulate_2op_cl(ctxt, "shld");
4434 case 0xac: /* shrd imm8, r, r/m */
4435 case 0xad: /* shrd cl, r, r/m */
4436 emulate_2op_cl(ctxt, "shrd");
4438 case 0xae: /* clflush */
4440 case 0xb6 ... 0xb7: /* movzx */
4441 ctxt->dst.bytes = ctxt->op_bytes;
4442 ctxt->dst.val = (ctxt->d & ByteOp) ? (u8) ctxt->src.val
4443 : (u16) ctxt->src.val;
4445 case 0xbe ... 0xbf: /* movsx */
4446 ctxt->dst.bytes = ctxt->op_bytes;
4447 ctxt->dst.val = (ctxt->d & ByteOp) ? (s8) ctxt->src.val :
4448 (s16) ctxt->src.val;
4450 case 0xc0 ... 0xc1: /* xadd */
4451 emulate_2op_SrcV(ctxt, "add");
4452 /* Write back the register source. */
4453 ctxt->src.val = ctxt->dst.orig_val;
4454 write_register_operand(&ctxt->src);
4456 case 0xc3: /* movnti */
4457 ctxt->dst.bytes = ctxt->op_bytes;
4458 ctxt->dst.val = (ctxt->op_bytes == 4) ? (u32) ctxt->src.val :
4459 (u64) ctxt->src.val;
4462 goto cannot_emulate;
4465 if (rc != X86EMUL_CONTINUE)
4471 return EMULATION_FAILED;