1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
23 #include <linux/kvm_host.h>
24 #include "kvm_cache_regs.h"
25 #include <linux/module.h>
26 #include <asm/kvm_emulate.h>
32 * Opcode effective-address decode tables.
33 * Note that we only emulate instructions that have at least one memory
34 * operand (excluding implicit stack references). We assume that stack
35 * references and instruction fetches will never occur in special memory
36 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
40 /* Operand sizes: 8-bit operands or specified/overridden size. */
41 #define ByteOp (1<<0) /* 8-bit operands. */
42 /* Destination operand type. */
43 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
44 #define DstReg (2<<1) /* Register operand. */
45 #define DstMem (3<<1) /* Memory operand. */
46 #define DstAcc (4<<1) /* Destination Accumulator */
47 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
48 #define DstMem64 (6<<1) /* 64bit memory operand */
49 #define DstImmUByte (7<<1) /* 8-bit unsigned immediate operand */
50 #define DstDX (8<<1) /* Destination is in DX register */
51 #define DstMask (0xf<<1)
52 /* Source operand type. */
53 #define SrcNone (0<<5) /* No source operand. */
54 #define SrcReg (1<<5) /* Register operand. */
55 #define SrcMem (2<<5) /* Memory operand. */
56 #define SrcMem16 (3<<5) /* Memory operand (16-bit). */
57 #define SrcMem32 (4<<5) /* Memory operand (32-bit). */
58 #define SrcImm (5<<5) /* Immediate operand. */
59 #define SrcImmByte (6<<5) /* 8-bit sign-extended immediate operand. */
60 #define SrcOne (7<<5) /* Implied '1' */
61 #define SrcImmUByte (8<<5) /* 8-bit unsigned immediate operand. */
62 #define SrcImmU (9<<5) /* Immediate operand, unsigned */
63 #define SrcSI (0xa<<5) /* Source is in the DS:RSI */
64 #define SrcImmFAddr (0xb<<5) /* Source is immediate far address */
65 #define SrcMemFAddr (0xc<<5) /* Source is far address in memory */
66 #define SrcAcc (0xd<<5) /* Source Accumulator */
67 #define SrcImmU16 (0xe<<5) /* Immediate operand, unsigned, 16 bits */
68 #define SrcDX (0xf<<5) /* Source is in DX register */
69 #define SrcMask (0xf<<5)
70 /* Generic ModRM decode. */
72 /* Destination is only written; never read. */
75 #define MemAbs (1<<12) /* Memory operand is absolute displacement */
76 #define String (1<<13) /* String instruction (rep capable) */
77 #define Stack (1<<14) /* Stack instruction (push/pop) */
78 #define GroupMask (7<<15) /* Opcode uses one of the group mechanisms */
79 #define Group (1<<15) /* Bits 3:5 of modrm byte extend opcode */
80 #define GroupDual (2<<15) /* Alternate decoding of mod == 3 */
81 #define Prefix (3<<15) /* Instruction varies with 66/f2/f3 prefix */
82 #define RMExt (4<<15) /* Opcode extension in ModRM r/m if mod == 3 */
83 #define Sse (1<<18) /* SSE Vector instruction */
85 #define Prot (1<<21) /* instruction generates #UD if not in prot-mode */
86 #define VendorSpecific (1<<22) /* Vendor specific instruction */
87 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
88 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
89 #define Undefined (1<<25) /* No Such Instruction */
90 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
91 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
93 /* Source 2 operand type */
94 #define Src2None (0<<29)
95 #define Src2CL (1<<29)
96 #define Src2ImmByte (2<<29)
97 #define Src2One (3<<29)
98 #define Src2Imm (4<<29)
99 #define Src2Mask (7<<29)
101 #define X2(x...) x, x
102 #define X3(x...) X2(x), x
103 #define X4(x...) X2(x), X2(x)
104 #define X5(x...) X4(x), x
105 #define X6(x...) X4(x), X2(x)
106 #define X7(x...) X4(x), X3(x)
107 #define X8(x...) X4(x), X4(x)
108 #define X16(x...) X8(x), X8(x)
114 int (*execute)(struct x86_emulate_ctxt *ctxt);
115 struct opcode *group;
116 struct group_dual *gdual;
117 struct gprefix *gprefix;
119 int (*check_perm)(struct x86_emulate_ctxt *ctxt);
123 struct opcode mod012[8];
124 struct opcode mod3[8];
128 struct opcode pfx_no;
129 struct opcode pfx_66;
130 struct opcode pfx_f2;
131 struct opcode pfx_f3;
134 /* EFLAGS bit definitions. */
135 #define EFLG_ID (1<<21)
136 #define EFLG_VIP (1<<20)
137 #define EFLG_VIF (1<<19)
138 #define EFLG_AC (1<<18)
139 #define EFLG_VM (1<<17)
140 #define EFLG_RF (1<<16)
141 #define EFLG_IOPL (3<<12)
142 #define EFLG_NT (1<<14)
143 #define EFLG_OF (1<<11)
144 #define EFLG_DF (1<<10)
145 #define EFLG_IF (1<<9)
146 #define EFLG_TF (1<<8)
147 #define EFLG_SF (1<<7)
148 #define EFLG_ZF (1<<6)
149 #define EFLG_AF (1<<4)
150 #define EFLG_PF (1<<2)
151 #define EFLG_CF (1<<0)
153 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
154 #define EFLG_RESERVED_ONE_MASK 2
157 * Instruction emulation:
158 * Most instructions are emulated directly via a fragment of inline assembly
159 * code. This allows us to save/restore EFLAGS and thus very easily pick up
160 * any modified flags.
163 #if defined(CONFIG_X86_64)
164 #define _LO32 "k" /* force 32-bit operand */
165 #define _STK "%%rsp" /* stack pointer */
166 #elif defined(__i386__)
167 #define _LO32 "" /* force 32-bit operand */
168 #define _STK "%%esp" /* stack pointer */
172 * These EFLAGS bits are restored from saved value during emulation, and
173 * any changes are written back to the saved value after emulation.
175 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
177 /* Before executing instruction: restore necessary bits in EFLAGS. */
178 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
179 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
180 "movl %"_sav",%"_LO32 _tmp"; " \
183 "movl %"_msk",%"_LO32 _tmp"; " \
184 "andl %"_LO32 _tmp",("_STK"); " \
186 "notl %"_LO32 _tmp"; " \
187 "andl %"_LO32 _tmp",("_STK"); " \
188 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
190 "orl %"_LO32 _tmp",("_STK"); " \
194 /* After executing instruction: write-back necessary bits in EFLAGS. */
195 #define _POST_EFLAGS(_sav, _msk, _tmp) \
196 /* _sav |= EFLAGS & _msk; */ \
199 "andl %"_msk",%"_LO32 _tmp"; " \
200 "orl %"_LO32 _tmp",%"_sav"; "
208 #define ____emulate_2op(ctxt, _op, _x, _y, _suffix, _dsttype) \
210 __asm__ __volatile__ ( \
211 _PRE_EFLAGS("0", "4", "2") \
212 _op _suffix " %"_x"3,%1; " \
213 _POST_EFLAGS("0", "4", "2") \
214 : "=m" ((ctxt)->eflags), \
215 "+q" (*(_dsttype*)&(ctxt)->dst.val), \
217 : _y ((ctxt)->src.val), "i" (EFLAGS_MASK)); \
221 /* Raw emulation: instruction has two explicit operands. */
222 #define __emulate_2op_nobyte(ctxt,_op,_wx,_wy,_lx,_ly,_qx,_qy) \
224 unsigned long _tmp; \
226 switch ((ctxt)->dst.bytes) { \
228 ____emulate_2op(ctxt,_op,_wx,_wy,"w",u16); \
231 ____emulate_2op(ctxt,_op,_lx,_ly,"l",u32); \
234 ON64(____emulate_2op(ctxt,_op,_qx,_qy,"q",u64)); \
239 #define __emulate_2op(ctxt,_op,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
241 unsigned long _tmp; \
242 switch ((ctxt)->dst.bytes) { \
244 ____emulate_2op(ctxt,_op,_bx,_by,"b",u8); \
247 __emulate_2op_nobyte(ctxt, _op, \
248 _wx, _wy, _lx, _ly, _qx, _qy); \
253 /* Source operand is byte-sized and may be restricted to just %cl. */
254 #define emulate_2op_SrcB(ctxt, _op) \
255 __emulate_2op(ctxt, _op, "b", "c", "b", "c", "b", "c", "b", "c")
257 /* Source operand is byte, word, long or quad sized. */
258 #define emulate_2op_SrcV(ctxt, _op) \
259 __emulate_2op(ctxt, _op, "b", "q", "w", "r", _LO32, "r", "", "r")
261 /* Source operand is word, long or quad sized. */
262 #define emulate_2op_SrcV_nobyte(ctxt, _op) \
263 __emulate_2op_nobyte(ctxt, _op, "w", "r", _LO32, "r", "", "r")
265 /* Instruction has three operands and one operand is stored in ECX register */
266 #define __emulate_2op_cl(ctxt, _op, _suffix, _type) \
268 unsigned long _tmp; \
269 _type _clv = (ctxt)->src2.val; \
270 _type _srcv = (ctxt)->src.val; \
271 _type _dstv = (ctxt)->dst.val; \
273 __asm__ __volatile__ ( \
274 _PRE_EFLAGS("0", "5", "2") \
275 _op _suffix " %4,%1 \n" \
276 _POST_EFLAGS("0", "5", "2") \
277 : "=m" ((ctxt)->eflags), "+r" (_dstv), "=&r" (_tmp) \
278 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
281 (ctxt)->src2.val = (unsigned long) _clv; \
282 (ctxt)->src2.val = (unsigned long) _srcv; \
283 (ctxt)->dst.val = (unsigned long) _dstv; \
286 #define emulate_2op_cl(ctxt, _op) \
288 switch ((ctxt)->dst.bytes) { \
290 __emulate_2op_cl(ctxt, _op, "w", u16); \
293 __emulate_2op_cl(ctxt, _op, "l", u32); \
296 ON64(__emulate_2op_cl(ctxt, _op, "q", ulong)); \
301 #define __emulate_1op(ctxt, _op, _suffix) \
303 unsigned long _tmp; \
305 __asm__ __volatile__ ( \
306 _PRE_EFLAGS("0", "3", "2") \
307 _op _suffix " %1; " \
308 _POST_EFLAGS("0", "3", "2") \
309 : "=m" ((ctxt)->eflags), "+m" ((ctxt)->dst.val), \
311 : "i" (EFLAGS_MASK)); \
314 /* Instruction has only one explicit operand (no source operand). */
315 #define emulate_1op(ctxt, _op) \
317 switch ((ctxt)->dst.bytes) { \
318 case 1: __emulate_1op(ctxt, _op, "b"); break; \
319 case 2: __emulate_1op(ctxt, _op, "w"); break; \
320 case 4: __emulate_1op(ctxt, _op, "l"); break; \
321 case 8: ON64(__emulate_1op(ctxt, _op, "q")); break; \
325 #define __emulate_1op_rax_rdx(ctxt, _op, _suffix, _ex) \
327 unsigned long _tmp; \
328 ulong *rax = &(ctxt)->regs[VCPU_REGS_RAX]; \
329 ulong *rdx = &(ctxt)->regs[VCPU_REGS_RDX]; \
331 __asm__ __volatile__ ( \
332 _PRE_EFLAGS("0", "5", "1") \
334 _op _suffix " %6; " \
336 _POST_EFLAGS("0", "5", "1") \
337 ".pushsection .fixup,\"ax\" \n\t" \
338 "3: movb $1, %4 \n\t" \
341 _ASM_EXTABLE(1b, 3b) \
342 : "=m" ((ctxt)->eflags), "=&r" (_tmp), \
343 "+a" (*rax), "+d" (*rdx), "+qm"(_ex) \
344 : "i" (EFLAGS_MASK), "m" ((ctxt)->src.val), \
345 "a" (*rax), "d" (*rdx)); \
348 /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
349 #define emulate_1op_rax_rdx(ctxt, _op, _ex) \
351 switch((ctxt)->src.bytes) { \
353 __emulate_1op_rax_rdx(ctxt, _op, "b", _ex); \
356 __emulate_1op_rax_rdx(ctxt, _op, "w", _ex); \
359 __emulate_1op_rax_rdx(ctxt, _op, "l", _ex); \
362 __emulate_1op_rax_rdx(ctxt, _op, "q", _ex)); \
367 static int emulator_check_intercept(struct x86_emulate_ctxt *ctxt,
368 enum x86_intercept intercept,
369 enum x86_intercept_stage stage)
371 struct x86_instruction_info info = {
372 .intercept = intercept,
373 .rep_prefix = ctxt->rep_prefix,
374 .modrm_mod = ctxt->modrm_mod,
375 .modrm_reg = ctxt->modrm_reg,
376 .modrm_rm = ctxt->modrm_rm,
377 .src_val = ctxt->src.val64,
378 .src_bytes = ctxt->src.bytes,
379 .dst_bytes = ctxt->dst.bytes,
380 .ad_bytes = ctxt->ad_bytes,
381 .next_rip = ctxt->eip,
384 return ctxt->ops->intercept(ctxt, &info, stage);
387 static inline unsigned long ad_mask(struct x86_emulate_ctxt *ctxt)
389 return (1UL << (ctxt->ad_bytes << 3)) - 1;
392 /* Access/update address held in a register, based on addressing mode. */
393 static inline unsigned long
394 address_mask(struct x86_emulate_ctxt *ctxt, unsigned long reg)
396 if (ctxt->ad_bytes == sizeof(unsigned long))
399 return reg & ad_mask(ctxt);
402 static inline unsigned long
403 register_address(struct x86_emulate_ctxt *ctxt, unsigned long reg)
405 return address_mask(ctxt, reg);
409 register_address_increment(struct x86_emulate_ctxt *ctxt, unsigned long *reg, int inc)
411 if (ctxt->ad_bytes == sizeof(unsigned long))
414 *reg = (*reg & ~ad_mask(ctxt)) | ((*reg + inc) & ad_mask(ctxt));
417 static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
419 register_address_increment(ctxt, &ctxt->_eip, rel);
422 static u32 desc_limit_scaled(struct desc_struct *desc)
424 u32 limit = get_desc_limit(desc);
426 return desc->g ? (limit << 12) | 0xfff : limit;
429 static void set_seg_override(struct x86_emulate_ctxt *ctxt, int seg)
431 ctxt->has_seg_override = true;
432 ctxt->seg_override = seg;
435 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
437 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
440 return ctxt->ops->get_cached_segment_base(ctxt, seg);
443 static unsigned seg_override(struct x86_emulate_ctxt *ctxt)
445 if (!ctxt->has_seg_override)
448 return ctxt->seg_override;
451 static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
452 u32 error, bool valid)
454 ctxt->exception.vector = vec;
455 ctxt->exception.error_code = error;
456 ctxt->exception.error_code_valid = valid;
457 return X86EMUL_PROPAGATE_FAULT;
460 static int emulate_db(struct x86_emulate_ctxt *ctxt)
462 return emulate_exception(ctxt, DB_VECTOR, 0, false);
465 static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
467 return emulate_exception(ctxt, GP_VECTOR, err, true);
470 static int emulate_ss(struct x86_emulate_ctxt *ctxt, int err)
472 return emulate_exception(ctxt, SS_VECTOR, err, true);
475 static int emulate_ud(struct x86_emulate_ctxt *ctxt)
477 return emulate_exception(ctxt, UD_VECTOR, 0, false);
480 static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
482 return emulate_exception(ctxt, TS_VECTOR, err, true);
485 static int emulate_de(struct x86_emulate_ctxt *ctxt)
487 return emulate_exception(ctxt, DE_VECTOR, 0, false);
490 static int emulate_nm(struct x86_emulate_ctxt *ctxt)
492 return emulate_exception(ctxt, NM_VECTOR, 0, false);
495 static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
498 struct desc_struct desc;
500 ctxt->ops->get_segment(ctxt, &selector, &desc, NULL, seg);
504 static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
509 struct desc_struct desc;
511 ctxt->ops->get_segment(ctxt, &dummy, &desc, &base3, seg);
512 ctxt->ops->set_segment(ctxt, selector, &desc, base3, seg);
515 static int __linearize(struct x86_emulate_ctxt *ctxt,
516 struct segmented_address addr,
517 unsigned size, bool write, bool fetch,
520 struct desc_struct desc;
527 la = seg_base(ctxt, addr.seg) + addr.ea;
528 switch (ctxt->mode) {
529 case X86EMUL_MODE_REAL:
531 case X86EMUL_MODE_PROT64:
532 if (((signed long)la << 16) >> 16 != la)
533 return emulate_gp(ctxt, 0);
536 usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
540 /* code segment or read-only data segment */
541 if (((desc.type & 8) || !(desc.type & 2)) && write)
543 /* unreadable code segment */
544 if (!fetch && (desc.type & 8) && !(desc.type & 2))
546 lim = desc_limit_scaled(&desc);
547 if ((desc.type & 8) || !(desc.type & 4)) {
548 /* expand-up segment */
549 if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
552 /* exapand-down segment */
553 if (addr.ea <= lim || (u32)(addr.ea + size - 1) <= lim)
555 lim = desc.d ? 0xffffffff : 0xffff;
556 if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
559 cpl = ctxt->ops->cpl(ctxt);
562 if (!(desc.type & 8)) {
566 } else if ((desc.type & 8) && !(desc.type & 4)) {
567 /* nonconforming code segment */
570 } else if ((desc.type & 8) && (desc.type & 4)) {
571 /* conforming code segment */
577 if (fetch ? ctxt->mode != X86EMUL_MODE_PROT64 : ctxt->ad_bytes != 8)
580 return X86EMUL_CONTINUE;
582 if (addr.seg == VCPU_SREG_SS)
583 return emulate_ss(ctxt, addr.seg);
585 return emulate_gp(ctxt, addr.seg);
588 static int linearize(struct x86_emulate_ctxt *ctxt,
589 struct segmented_address addr,
590 unsigned size, bool write,
593 return __linearize(ctxt, addr, size, write, false, linear);
597 static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
598 struct segmented_address addr,
605 rc = linearize(ctxt, addr, size, false, &linear);
606 if (rc != X86EMUL_CONTINUE)
608 return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
612 * Fetch the next byte of the instruction being emulated which is pointed to
613 * by ctxt->_eip, then increment ctxt->_eip.
615 * Also prefetch the remaining bytes of the instruction without crossing page
616 * boundary if they are not in fetch_cache yet.
618 static int do_insn_fetch_byte(struct x86_emulate_ctxt *ctxt, u8 *dest)
620 struct fetch_cache *fc = &ctxt->fetch;
624 if (ctxt->_eip == fc->end) {
625 unsigned long linear;
626 struct segmented_address addr = { .seg = VCPU_SREG_CS,
628 cur_size = fc->end - fc->start;
629 size = min(15UL - cur_size,
630 PAGE_SIZE - offset_in_page(ctxt->_eip));
631 rc = __linearize(ctxt, addr, size, false, true, &linear);
632 if (unlikely(rc != X86EMUL_CONTINUE))
634 rc = ctxt->ops->fetch(ctxt, linear, fc->data + cur_size,
635 size, &ctxt->exception);
636 if (unlikely(rc != X86EMUL_CONTINUE))
640 *dest = fc->data[ctxt->_eip - fc->start];
642 return X86EMUL_CONTINUE;
645 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
646 void *dest, unsigned size)
650 /* x86 instructions are limited to 15 bytes. */
651 if (unlikely(ctxt->_eip + size - ctxt->eip > 15))
652 return X86EMUL_UNHANDLEABLE;
654 rc = do_insn_fetch_byte(ctxt, dest++);
655 if (rc != X86EMUL_CONTINUE)
658 return X86EMUL_CONTINUE;
661 /* Fetch next part of the instruction being emulated. */
662 #define insn_fetch(_type, _ctxt) \
663 ({ unsigned long _x; \
664 rc = do_insn_fetch(_ctxt, &_x, sizeof(_type)); \
665 if (rc != X86EMUL_CONTINUE) \
670 #define insn_fetch_arr(_arr, _size, _ctxt) \
671 ({ rc = do_insn_fetch(_ctxt, _arr, (_size)); \
672 if (rc != X86EMUL_CONTINUE) \
677 * Given the 'reg' portion of a ModRM byte, and a register block, return a
678 * pointer into the block that addresses the relevant register.
679 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
681 static void *decode_register(u8 modrm_reg, unsigned long *regs,
686 p = ®s[modrm_reg];
687 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
688 p = (unsigned char *)®s[modrm_reg & 3] + 1;
692 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
693 struct segmented_address addr,
694 u16 *size, unsigned long *address, int op_bytes)
701 rc = segmented_read_std(ctxt, addr, size, 2);
702 if (rc != X86EMUL_CONTINUE)
705 rc = segmented_read_std(ctxt, addr, address, op_bytes);
709 static int test_cc(unsigned int condition, unsigned int flags)
713 switch ((condition & 15) >> 1) {
715 rc |= (flags & EFLG_OF);
717 case 1: /* b/c/nae */
718 rc |= (flags & EFLG_CF);
721 rc |= (flags & EFLG_ZF);
724 rc |= (flags & (EFLG_CF|EFLG_ZF));
727 rc |= (flags & EFLG_SF);
730 rc |= (flags & EFLG_PF);
733 rc |= (flags & EFLG_ZF);
736 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
740 /* Odd condition identifiers (lsb == 1) have inverted sense. */
741 return (!!rc ^ (condition & 1));
744 static void fetch_register_operand(struct operand *op)
748 op->val = *(u8 *)op->addr.reg;
751 op->val = *(u16 *)op->addr.reg;
754 op->val = *(u32 *)op->addr.reg;
757 op->val = *(u64 *)op->addr.reg;
762 static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
764 ctxt->ops->get_fpu(ctxt);
766 case 0: asm("movdqu %%xmm0, %0" : "=m"(*data)); break;
767 case 1: asm("movdqu %%xmm1, %0" : "=m"(*data)); break;
768 case 2: asm("movdqu %%xmm2, %0" : "=m"(*data)); break;
769 case 3: asm("movdqu %%xmm3, %0" : "=m"(*data)); break;
770 case 4: asm("movdqu %%xmm4, %0" : "=m"(*data)); break;
771 case 5: asm("movdqu %%xmm5, %0" : "=m"(*data)); break;
772 case 6: asm("movdqu %%xmm6, %0" : "=m"(*data)); break;
773 case 7: asm("movdqu %%xmm7, %0" : "=m"(*data)); break;
775 case 8: asm("movdqu %%xmm8, %0" : "=m"(*data)); break;
776 case 9: asm("movdqu %%xmm9, %0" : "=m"(*data)); break;
777 case 10: asm("movdqu %%xmm10, %0" : "=m"(*data)); break;
778 case 11: asm("movdqu %%xmm11, %0" : "=m"(*data)); break;
779 case 12: asm("movdqu %%xmm12, %0" : "=m"(*data)); break;
780 case 13: asm("movdqu %%xmm13, %0" : "=m"(*data)); break;
781 case 14: asm("movdqu %%xmm14, %0" : "=m"(*data)); break;
782 case 15: asm("movdqu %%xmm15, %0" : "=m"(*data)); break;
786 ctxt->ops->put_fpu(ctxt);
789 static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
792 ctxt->ops->get_fpu(ctxt);
794 case 0: asm("movdqu %0, %%xmm0" : : "m"(*data)); break;
795 case 1: asm("movdqu %0, %%xmm1" : : "m"(*data)); break;
796 case 2: asm("movdqu %0, %%xmm2" : : "m"(*data)); break;
797 case 3: asm("movdqu %0, %%xmm3" : : "m"(*data)); break;
798 case 4: asm("movdqu %0, %%xmm4" : : "m"(*data)); break;
799 case 5: asm("movdqu %0, %%xmm5" : : "m"(*data)); break;
800 case 6: asm("movdqu %0, %%xmm6" : : "m"(*data)); break;
801 case 7: asm("movdqu %0, %%xmm7" : : "m"(*data)); break;
803 case 8: asm("movdqu %0, %%xmm8" : : "m"(*data)); break;
804 case 9: asm("movdqu %0, %%xmm9" : : "m"(*data)); break;
805 case 10: asm("movdqu %0, %%xmm10" : : "m"(*data)); break;
806 case 11: asm("movdqu %0, %%xmm11" : : "m"(*data)); break;
807 case 12: asm("movdqu %0, %%xmm12" : : "m"(*data)); break;
808 case 13: asm("movdqu %0, %%xmm13" : : "m"(*data)); break;
809 case 14: asm("movdqu %0, %%xmm14" : : "m"(*data)); break;
810 case 15: asm("movdqu %0, %%xmm15" : : "m"(*data)); break;
814 ctxt->ops->put_fpu(ctxt);
817 static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
821 unsigned reg = ctxt->modrm_reg;
822 int highbyte_regs = ctxt->rex_prefix == 0;
824 if (!(ctxt->d & ModRM))
825 reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3);
831 read_sse_reg(ctxt, &op->vec_val, reg);
836 if ((ctxt->d & ByteOp) && !inhibit_bytereg) {
837 op->addr.reg = decode_register(reg, ctxt->regs, highbyte_regs);
840 op->addr.reg = decode_register(reg, ctxt->regs, 0);
841 op->bytes = ctxt->op_bytes;
843 fetch_register_operand(op);
844 op->orig_val = op->val;
847 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
851 int index_reg = 0, base_reg = 0, scale;
852 int rc = X86EMUL_CONTINUE;
855 if (ctxt->rex_prefix) {
856 ctxt->modrm_reg = (ctxt->rex_prefix & 4) << 1; /* REX.R */
857 index_reg = (ctxt->rex_prefix & 2) << 2; /* REX.X */
858 ctxt->modrm_rm = base_reg = (ctxt->rex_prefix & 1) << 3; /* REG.B */
861 ctxt->modrm = insn_fetch(u8, ctxt);
862 ctxt->modrm_mod |= (ctxt->modrm & 0xc0) >> 6;
863 ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
864 ctxt->modrm_rm |= (ctxt->modrm & 0x07);
865 ctxt->modrm_seg = VCPU_SREG_DS;
867 if (ctxt->modrm_mod == 3) {
869 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
870 op->addr.reg = decode_register(ctxt->modrm_rm,
871 ctxt->regs, ctxt->d & ByteOp);
875 op->addr.xmm = ctxt->modrm_rm;
876 read_sse_reg(ctxt, &op->vec_val, ctxt->modrm_rm);
879 fetch_register_operand(op);
885 if (ctxt->ad_bytes == 2) {
886 unsigned bx = ctxt->regs[VCPU_REGS_RBX];
887 unsigned bp = ctxt->regs[VCPU_REGS_RBP];
888 unsigned si = ctxt->regs[VCPU_REGS_RSI];
889 unsigned di = ctxt->regs[VCPU_REGS_RDI];
891 /* 16-bit ModR/M decode. */
892 switch (ctxt->modrm_mod) {
894 if (ctxt->modrm_rm == 6)
895 modrm_ea += insn_fetch(u16, ctxt);
898 modrm_ea += insn_fetch(s8, ctxt);
901 modrm_ea += insn_fetch(u16, ctxt);
904 switch (ctxt->modrm_rm) {
924 if (ctxt->modrm_mod != 0)
931 if (ctxt->modrm_rm == 2 || ctxt->modrm_rm == 3 ||
932 (ctxt->modrm_rm == 6 && ctxt->modrm_mod != 0))
933 ctxt->modrm_seg = VCPU_SREG_SS;
934 modrm_ea = (u16)modrm_ea;
936 /* 32/64-bit ModR/M decode. */
937 if ((ctxt->modrm_rm & 7) == 4) {
938 sib = insn_fetch(u8, ctxt);
939 index_reg |= (sib >> 3) & 7;
943 if ((base_reg & 7) == 5 && ctxt->modrm_mod == 0)
944 modrm_ea += insn_fetch(s32, ctxt);
946 modrm_ea += ctxt->regs[base_reg];
948 modrm_ea += ctxt->regs[index_reg] << scale;
949 } else if ((ctxt->modrm_rm & 7) == 5 && ctxt->modrm_mod == 0) {
950 if (ctxt->mode == X86EMUL_MODE_PROT64)
951 ctxt->rip_relative = 1;
953 modrm_ea += ctxt->regs[ctxt->modrm_rm];
954 switch (ctxt->modrm_mod) {
956 if (ctxt->modrm_rm == 5)
957 modrm_ea += insn_fetch(s32, ctxt);
960 modrm_ea += insn_fetch(s8, ctxt);
963 modrm_ea += insn_fetch(s32, ctxt);
967 op->addr.mem.ea = modrm_ea;
972 static int decode_abs(struct x86_emulate_ctxt *ctxt,
975 int rc = X86EMUL_CONTINUE;
978 switch (ctxt->ad_bytes) {
980 op->addr.mem.ea = insn_fetch(u16, ctxt);
983 op->addr.mem.ea = insn_fetch(u32, ctxt);
986 op->addr.mem.ea = insn_fetch(u64, ctxt);
993 static void fetch_bit_operand(struct x86_emulate_ctxt *ctxt)
997 if (ctxt->dst.type == OP_MEM && ctxt->src.type == OP_REG) {
998 mask = ~(ctxt->dst.bytes * 8 - 1);
1000 if (ctxt->src.bytes == 2)
1001 sv = (s16)ctxt->src.val & (s16)mask;
1002 else if (ctxt->src.bytes == 4)
1003 sv = (s32)ctxt->src.val & (s32)mask;
1005 ctxt->dst.addr.mem.ea += (sv >> 3);
1008 /* only subword offset */
1009 ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
1012 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1013 unsigned long addr, void *dest, unsigned size)
1016 struct read_cache *mc = &ctxt->mem_read;
1019 int n = min(size, 8u);
1021 if (mc->pos < mc->end)
1024 rc = ctxt->ops->read_emulated(ctxt, addr, mc->data + mc->end, n,
1026 if (rc != X86EMUL_CONTINUE)
1031 memcpy(dest, mc->data + mc->pos, n);
1036 return X86EMUL_CONTINUE;
1039 static int segmented_read(struct x86_emulate_ctxt *ctxt,
1040 struct segmented_address addr,
1047 rc = linearize(ctxt, addr, size, false, &linear);
1048 if (rc != X86EMUL_CONTINUE)
1050 return read_emulated(ctxt, linear, data, size);
1053 static int segmented_write(struct x86_emulate_ctxt *ctxt,
1054 struct segmented_address addr,
1061 rc = linearize(ctxt, addr, size, true, &linear);
1062 if (rc != X86EMUL_CONTINUE)
1064 return ctxt->ops->write_emulated(ctxt, linear, data, size,
1068 static int segmented_cmpxchg(struct x86_emulate_ctxt *ctxt,
1069 struct segmented_address addr,
1070 const void *orig_data, const void *data,
1076 rc = linearize(ctxt, addr, size, true, &linear);
1077 if (rc != X86EMUL_CONTINUE)
1079 return ctxt->ops->cmpxchg_emulated(ctxt, linear, orig_data, data,
1080 size, &ctxt->exception);
1083 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1084 unsigned int size, unsigned short port,
1087 struct read_cache *rc = &ctxt->io_read;
1089 if (rc->pos == rc->end) { /* refill pio read ahead */
1090 unsigned int in_page, n;
1091 unsigned int count = ctxt->rep_prefix ?
1092 address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) : 1;
1093 in_page = (ctxt->eflags & EFLG_DF) ?
1094 offset_in_page(ctxt->regs[VCPU_REGS_RDI]) :
1095 PAGE_SIZE - offset_in_page(ctxt->regs[VCPU_REGS_RDI]);
1096 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
1100 rc->pos = rc->end = 0;
1101 if (!ctxt->ops->pio_in_emulated(ctxt, size, port, rc->data, n))
1106 memcpy(dest, rc->data + rc->pos, size);
1111 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1112 u16 selector, struct desc_ptr *dt)
1114 struct x86_emulate_ops *ops = ctxt->ops;
1116 if (selector & 1 << 2) {
1117 struct desc_struct desc;
1120 memset (dt, 0, sizeof *dt);
1121 if (!ops->get_segment(ctxt, &sel, &desc, NULL, VCPU_SREG_LDTR))
1124 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1125 dt->address = get_desc_base(&desc);
1127 ops->get_gdt(ctxt, dt);
1130 /* allowed just for 8 bytes segments */
1131 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1132 u16 selector, struct desc_struct *desc)
1135 u16 index = selector >> 3;
1138 get_descriptor_table_ptr(ctxt, selector, &dt);
1140 if (dt.size < index * 8 + 7)
1141 return emulate_gp(ctxt, selector & 0xfffc);
1143 addr = dt.address + index * 8;
1144 return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
1148 /* allowed just for 8 bytes segments */
1149 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1150 u16 selector, struct desc_struct *desc)
1153 u16 index = selector >> 3;
1156 get_descriptor_table_ptr(ctxt, selector, &dt);
1158 if (dt.size < index * 8 + 7)
1159 return emulate_gp(ctxt, selector & 0xfffc);
1161 addr = dt.address + index * 8;
1162 return ctxt->ops->write_std(ctxt, addr, desc, sizeof *desc,
1166 /* Does not support long mode */
1167 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1168 u16 selector, int seg)
1170 struct desc_struct seg_desc;
1172 unsigned err_vec = GP_VECTOR;
1174 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1177 memset(&seg_desc, 0, sizeof seg_desc);
1179 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1180 || ctxt->mode == X86EMUL_MODE_REAL) {
1181 /* set real mode segment descriptor */
1182 set_desc_base(&seg_desc, selector << 4);
1183 set_desc_limit(&seg_desc, 0xffff);
1190 /* NULL selector is not valid for TR, CS and SS */
1191 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
1195 /* TR should be in GDT only */
1196 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1199 if (null_selector) /* for NULL selector skip all following checks */
1202 ret = read_segment_descriptor(ctxt, selector, &seg_desc);
1203 if (ret != X86EMUL_CONTINUE)
1206 err_code = selector & 0xfffc;
1207 err_vec = GP_VECTOR;
1209 /* can't load system descriptor into segment selecor */
1210 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1214 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1220 cpl = ctxt->ops->cpl(ctxt);
1225 * segment is not a writable data segment or segment
1226 * selector's RPL != CPL or segment selector's RPL != CPL
1228 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1232 if (!(seg_desc.type & 8))
1235 if (seg_desc.type & 4) {
1241 if (rpl > cpl || dpl != cpl)
1244 /* CS(RPL) <- CPL */
1245 selector = (selector & 0xfffc) | cpl;
1248 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1251 case VCPU_SREG_LDTR:
1252 if (seg_desc.s || seg_desc.type != 2)
1255 default: /* DS, ES, FS, or GS */
1257 * segment is not a data or readable code segment or
1258 * ((segment is a data or nonconforming code segment)
1259 * and (both RPL and CPL > DPL))
1261 if ((seg_desc.type & 0xa) == 0x8 ||
1262 (((seg_desc.type & 0xc) != 0xc) &&
1263 (rpl > dpl && cpl > dpl)))
1269 /* mark segment as accessed */
1271 ret = write_segment_descriptor(ctxt, selector, &seg_desc);
1272 if (ret != X86EMUL_CONTINUE)
1276 ctxt->ops->set_segment(ctxt, selector, &seg_desc, 0, seg);
1277 return X86EMUL_CONTINUE;
1279 emulate_exception(ctxt, err_vec, err_code, true);
1280 return X86EMUL_PROPAGATE_FAULT;
1283 static void write_register_operand(struct operand *op)
1285 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1286 switch (op->bytes) {
1288 *(u8 *)op->addr.reg = (u8)op->val;
1291 *(u16 *)op->addr.reg = (u16)op->val;
1294 *op->addr.reg = (u32)op->val;
1295 break; /* 64b: zero-extend */
1297 *op->addr.reg = op->val;
1302 static int writeback(struct x86_emulate_ctxt *ctxt)
1306 switch (ctxt->dst.type) {
1308 write_register_operand(&ctxt->dst);
1311 if (ctxt->lock_prefix)
1312 rc = segmented_cmpxchg(ctxt,
1314 &ctxt->dst.orig_val,
1318 rc = segmented_write(ctxt,
1322 if (rc != X86EMUL_CONTINUE)
1326 write_sse_reg(ctxt, &ctxt->dst.vec_val, ctxt->dst.addr.xmm);
1334 return X86EMUL_CONTINUE;
1337 static int em_push(struct x86_emulate_ctxt *ctxt)
1339 struct segmented_address addr;
1341 register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RSP], -ctxt->op_bytes);
1342 addr.ea = register_address(ctxt, ctxt->regs[VCPU_REGS_RSP]);
1343 addr.seg = VCPU_SREG_SS;
1345 /* Disable writeback. */
1346 ctxt->dst.type = OP_NONE;
1347 return segmented_write(ctxt, addr, &ctxt->src.val, ctxt->op_bytes);
1350 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1351 void *dest, int len)
1354 struct segmented_address addr;
1356 addr.ea = register_address(ctxt, ctxt->regs[VCPU_REGS_RSP]);
1357 addr.seg = VCPU_SREG_SS;
1358 rc = segmented_read(ctxt, addr, dest, len);
1359 if (rc != X86EMUL_CONTINUE)
1362 register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RSP], len);
1366 static int em_pop(struct x86_emulate_ctxt *ctxt)
1368 return emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1371 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1372 void *dest, int len)
1375 unsigned long val, change_mask;
1376 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1377 int cpl = ctxt->ops->cpl(ctxt);
1379 rc = emulate_pop(ctxt, &val, len);
1380 if (rc != X86EMUL_CONTINUE)
1383 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1384 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1386 switch(ctxt->mode) {
1387 case X86EMUL_MODE_PROT64:
1388 case X86EMUL_MODE_PROT32:
1389 case X86EMUL_MODE_PROT16:
1391 change_mask |= EFLG_IOPL;
1393 change_mask |= EFLG_IF;
1395 case X86EMUL_MODE_VM86:
1397 return emulate_gp(ctxt, 0);
1398 change_mask |= EFLG_IF;
1400 default: /* real mode */
1401 change_mask |= (EFLG_IOPL | EFLG_IF);
1405 *(unsigned long *)dest =
1406 (ctxt->eflags & ~change_mask) | (val & change_mask);
1411 static int em_popf(struct x86_emulate_ctxt *ctxt)
1413 ctxt->dst.type = OP_REG;
1414 ctxt->dst.addr.reg = &ctxt->eflags;
1415 ctxt->dst.bytes = ctxt->op_bytes;
1416 return emulate_popf(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1419 static int emulate_push_sreg(struct x86_emulate_ctxt *ctxt, int seg)
1421 ctxt->src.val = get_segment_selector(ctxt, seg);
1423 return em_push(ctxt);
1426 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt, int seg)
1428 unsigned long selector;
1431 rc = emulate_pop(ctxt, &selector, ctxt->op_bytes);
1432 if (rc != X86EMUL_CONTINUE)
1435 rc = load_segment_descriptor(ctxt, (u16)selector, seg);
1439 static int em_pusha(struct x86_emulate_ctxt *ctxt)
1441 unsigned long old_esp = ctxt->regs[VCPU_REGS_RSP];
1442 int rc = X86EMUL_CONTINUE;
1443 int reg = VCPU_REGS_RAX;
1445 while (reg <= VCPU_REGS_RDI) {
1446 (reg == VCPU_REGS_RSP) ?
1447 (ctxt->src.val = old_esp) : (ctxt->src.val = ctxt->regs[reg]);
1450 if (rc != X86EMUL_CONTINUE)
1459 static int em_pushf(struct x86_emulate_ctxt *ctxt)
1461 ctxt->src.val = (unsigned long)ctxt->eflags;
1462 return em_push(ctxt);
1465 static int em_popa(struct x86_emulate_ctxt *ctxt)
1467 int rc = X86EMUL_CONTINUE;
1468 int reg = VCPU_REGS_RDI;
1470 while (reg >= VCPU_REGS_RAX) {
1471 if (reg == VCPU_REGS_RSP) {
1472 register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RSP],
1477 rc = emulate_pop(ctxt, &ctxt->regs[reg], ctxt->op_bytes);
1478 if (rc != X86EMUL_CONTINUE)
1485 int emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
1487 struct x86_emulate_ops *ops = ctxt->ops;
1494 /* TODO: Add limit checks */
1495 ctxt->src.val = ctxt->eflags;
1497 if (rc != X86EMUL_CONTINUE)
1500 ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
1502 ctxt->src.val = get_segment_selector(ctxt, VCPU_SREG_CS);
1504 if (rc != X86EMUL_CONTINUE)
1507 ctxt->src.val = ctxt->_eip;
1509 if (rc != X86EMUL_CONTINUE)
1512 ops->get_idt(ctxt, &dt);
1514 eip_addr = dt.address + (irq << 2);
1515 cs_addr = dt.address + (irq << 2) + 2;
1517 rc = ops->read_std(ctxt, cs_addr, &cs, 2, &ctxt->exception);
1518 if (rc != X86EMUL_CONTINUE)
1521 rc = ops->read_std(ctxt, eip_addr, &eip, 2, &ctxt->exception);
1522 if (rc != X86EMUL_CONTINUE)
1525 rc = load_segment_descriptor(ctxt, cs, VCPU_SREG_CS);
1526 if (rc != X86EMUL_CONTINUE)
1534 static int emulate_int(struct x86_emulate_ctxt *ctxt, int irq)
1536 switch(ctxt->mode) {
1537 case X86EMUL_MODE_REAL:
1538 return emulate_int_real(ctxt, irq);
1539 case X86EMUL_MODE_VM86:
1540 case X86EMUL_MODE_PROT16:
1541 case X86EMUL_MODE_PROT32:
1542 case X86EMUL_MODE_PROT64:
1544 /* Protected mode interrupts unimplemented yet */
1545 return X86EMUL_UNHANDLEABLE;
1549 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
1551 int rc = X86EMUL_CONTINUE;
1552 unsigned long temp_eip = 0;
1553 unsigned long temp_eflags = 0;
1554 unsigned long cs = 0;
1555 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1556 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1557 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1558 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1560 /* TODO: Add stack limit check */
1562 rc = emulate_pop(ctxt, &temp_eip, ctxt->op_bytes);
1564 if (rc != X86EMUL_CONTINUE)
1567 if (temp_eip & ~0xffff)
1568 return emulate_gp(ctxt, 0);
1570 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
1572 if (rc != X86EMUL_CONTINUE)
1575 rc = emulate_pop(ctxt, &temp_eflags, ctxt->op_bytes);
1577 if (rc != X86EMUL_CONTINUE)
1580 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
1582 if (rc != X86EMUL_CONTINUE)
1585 ctxt->_eip = temp_eip;
1588 if (ctxt->op_bytes == 4)
1589 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1590 else if (ctxt->op_bytes == 2) {
1591 ctxt->eflags &= ~0xffff;
1592 ctxt->eflags |= temp_eflags;
1595 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1596 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1601 static int em_iret(struct x86_emulate_ctxt *ctxt)
1603 switch(ctxt->mode) {
1604 case X86EMUL_MODE_REAL:
1605 return emulate_iret_real(ctxt);
1606 case X86EMUL_MODE_VM86:
1607 case X86EMUL_MODE_PROT16:
1608 case X86EMUL_MODE_PROT32:
1609 case X86EMUL_MODE_PROT64:
1611 /* iret from protected mode unimplemented yet */
1612 return X86EMUL_UNHANDLEABLE;
1616 static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
1621 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
1623 rc = load_segment_descriptor(ctxt, sel, VCPU_SREG_CS);
1624 if (rc != X86EMUL_CONTINUE)
1628 memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
1629 return X86EMUL_CONTINUE;
1632 static int em_grp1a(struct x86_emulate_ctxt *ctxt)
1634 return emulate_pop(ctxt, &ctxt->dst.val, ctxt->dst.bytes);
1637 static int em_grp2(struct x86_emulate_ctxt *ctxt)
1639 switch (ctxt->modrm_reg) {
1641 emulate_2op_SrcB(ctxt, "rol");
1644 emulate_2op_SrcB(ctxt, "ror");
1647 emulate_2op_SrcB(ctxt, "rcl");
1650 emulate_2op_SrcB(ctxt, "rcr");
1652 case 4: /* sal/shl */
1653 case 6: /* sal/shl */
1654 emulate_2op_SrcB(ctxt, "sal");
1657 emulate_2op_SrcB(ctxt, "shr");
1660 emulate_2op_SrcB(ctxt, "sar");
1663 return X86EMUL_CONTINUE;
1666 static int em_grp3(struct x86_emulate_ctxt *ctxt)
1670 switch (ctxt->modrm_reg) {
1671 case 0 ... 1: /* test */
1672 emulate_2op_SrcV(ctxt, "test");
1675 ctxt->dst.val = ~ctxt->dst.val;
1678 emulate_1op(ctxt, "neg");
1681 emulate_1op_rax_rdx(ctxt, "mul", de);
1684 emulate_1op_rax_rdx(ctxt, "imul", de);
1687 emulate_1op_rax_rdx(ctxt, "div", de);
1690 emulate_1op_rax_rdx(ctxt, "idiv", de);
1693 return X86EMUL_UNHANDLEABLE;
1696 return emulate_de(ctxt);
1697 return X86EMUL_CONTINUE;
1700 static int em_grp45(struct x86_emulate_ctxt *ctxt)
1702 int rc = X86EMUL_CONTINUE;
1704 switch (ctxt->modrm_reg) {
1706 emulate_1op(ctxt, "inc");
1709 emulate_1op(ctxt, "dec");
1711 case 2: /* call near abs */ {
1713 old_eip = ctxt->_eip;
1714 ctxt->_eip = ctxt->src.val;
1715 ctxt->src.val = old_eip;
1719 case 4: /* jmp abs */
1720 ctxt->_eip = ctxt->src.val;
1722 case 5: /* jmp far */
1723 rc = em_jmp_far(ctxt);
1732 static int em_grp9(struct x86_emulate_ctxt *ctxt)
1734 u64 old = ctxt->dst.orig_val64;
1736 if (((u32) (old >> 0) != (u32) ctxt->regs[VCPU_REGS_RAX]) ||
1737 ((u32) (old >> 32) != (u32) ctxt->regs[VCPU_REGS_RDX])) {
1738 ctxt->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1739 ctxt->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1740 ctxt->eflags &= ~EFLG_ZF;
1742 ctxt->dst.val64 = ((u64)ctxt->regs[VCPU_REGS_RCX] << 32) |
1743 (u32) ctxt->regs[VCPU_REGS_RBX];
1745 ctxt->eflags |= EFLG_ZF;
1747 return X86EMUL_CONTINUE;
1750 static int em_ret(struct x86_emulate_ctxt *ctxt)
1752 ctxt->dst.type = OP_REG;
1753 ctxt->dst.addr.reg = &ctxt->_eip;
1754 ctxt->dst.bytes = ctxt->op_bytes;
1755 return em_pop(ctxt);
1758 static int em_ret_far(struct x86_emulate_ctxt *ctxt)
1763 rc = emulate_pop(ctxt, &ctxt->_eip, ctxt->op_bytes);
1764 if (rc != X86EMUL_CONTINUE)
1766 if (ctxt->op_bytes == 4)
1767 ctxt->_eip = (u32)ctxt->_eip;
1768 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
1769 if (rc != X86EMUL_CONTINUE)
1771 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
1775 static int emulate_load_segment(struct x86_emulate_ctxt *ctxt, int seg)
1780 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
1782 rc = load_segment_descriptor(ctxt, sel, seg);
1783 if (rc != X86EMUL_CONTINUE)
1786 ctxt->dst.val = ctxt->src.val;
1791 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1792 struct desc_struct *cs, struct desc_struct *ss)
1796 memset(cs, 0, sizeof(struct desc_struct));
1797 ctxt->ops->get_segment(ctxt, &selector, cs, NULL, VCPU_SREG_CS);
1798 memset(ss, 0, sizeof(struct desc_struct));
1800 cs->l = 0; /* will be adjusted later */
1801 set_desc_base(cs, 0); /* flat segment */
1802 cs->g = 1; /* 4kb granularity */
1803 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1804 cs->type = 0x0b; /* Read, Execute, Accessed */
1806 cs->dpl = 0; /* will be adjusted later */
1810 set_desc_base(ss, 0); /* flat segment */
1811 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1812 ss->g = 1; /* 4kb granularity */
1814 ss->type = 0x03; /* Read/Write, Accessed */
1815 ss->d = 1; /* 32bit stack segment */
1820 static int em_syscall(struct x86_emulate_ctxt *ctxt)
1822 struct x86_emulate_ops *ops = ctxt->ops;
1823 struct desc_struct cs, ss;
1828 /* syscall is not available in real mode */
1829 if (ctxt->mode == X86EMUL_MODE_REAL ||
1830 ctxt->mode == X86EMUL_MODE_VM86)
1831 return emulate_ud(ctxt);
1833 ops->get_msr(ctxt, MSR_EFER, &efer);
1834 setup_syscalls_segments(ctxt, &cs, &ss);
1836 ops->get_msr(ctxt, MSR_STAR, &msr_data);
1838 cs_sel = (u16)(msr_data & 0xfffc);
1839 ss_sel = (u16)(msr_data + 8);
1841 if (efer & EFER_LMA) {
1845 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
1846 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
1848 ctxt->regs[VCPU_REGS_RCX] = ctxt->_eip;
1849 if (efer & EFER_LMA) {
1850 #ifdef CONFIG_X86_64
1851 ctxt->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1854 ctxt->mode == X86EMUL_MODE_PROT64 ?
1855 MSR_LSTAR : MSR_CSTAR, &msr_data);
1856 ctxt->_eip = msr_data;
1858 ops->get_msr(ctxt, MSR_SYSCALL_MASK, &msr_data);
1859 ctxt->eflags &= ~(msr_data | EFLG_RF);
1863 ops->get_msr(ctxt, MSR_STAR, &msr_data);
1864 ctxt->_eip = (u32)msr_data;
1866 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1869 return X86EMUL_CONTINUE;
1872 static int em_sysenter(struct x86_emulate_ctxt *ctxt)
1874 struct x86_emulate_ops *ops = ctxt->ops;
1875 struct desc_struct cs, ss;
1880 ops->get_msr(ctxt, MSR_EFER, &efer);
1881 /* inject #GP if in real mode */
1882 if (ctxt->mode == X86EMUL_MODE_REAL)
1883 return emulate_gp(ctxt, 0);
1885 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1886 * Therefore, we inject an #UD.
1888 if (ctxt->mode == X86EMUL_MODE_PROT64)
1889 return emulate_ud(ctxt);
1891 setup_syscalls_segments(ctxt, &cs, &ss);
1893 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
1894 switch (ctxt->mode) {
1895 case X86EMUL_MODE_PROT32:
1896 if ((msr_data & 0xfffc) == 0x0)
1897 return emulate_gp(ctxt, 0);
1899 case X86EMUL_MODE_PROT64:
1900 if (msr_data == 0x0)
1901 return emulate_gp(ctxt, 0);
1905 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1906 cs_sel = (u16)msr_data;
1907 cs_sel &= ~SELECTOR_RPL_MASK;
1908 ss_sel = cs_sel + 8;
1909 ss_sel &= ~SELECTOR_RPL_MASK;
1910 if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
1915 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
1916 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
1918 ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
1919 ctxt->_eip = msr_data;
1921 ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
1922 ctxt->regs[VCPU_REGS_RSP] = msr_data;
1924 return X86EMUL_CONTINUE;
1927 static int em_sysexit(struct x86_emulate_ctxt *ctxt)
1929 struct x86_emulate_ops *ops = ctxt->ops;
1930 struct desc_struct cs, ss;
1933 u16 cs_sel = 0, ss_sel = 0;
1935 /* inject #GP if in real mode or Virtual 8086 mode */
1936 if (ctxt->mode == X86EMUL_MODE_REAL ||
1937 ctxt->mode == X86EMUL_MODE_VM86)
1938 return emulate_gp(ctxt, 0);
1940 setup_syscalls_segments(ctxt, &cs, &ss);
1942 if ((ctxt->rex_prefix & 0x8) != 0x0)
1943 usermode = X86EMUL_MODE_PROT64;
1945 usermode = X86EMUL_MODE_PROT32;
1949 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
1951 case X86EMUL_MODE_PROT32:
1952 cs_sel = (u16)(msr_data + 16);
1953 if ((msr_data & 0xfffc) == 0x0)
1954 return emulate_gp(ctxt, 0);
1955 ss_sel = (u16)(msr_data + 24);
1957 case X86EMUL_MODE_PROT64:
1958 cs_sel = (u16)(msr_data + 32);
1959 if (msr_data == 0x0)
1960 return emulate_gp(ctxt, 0);
1961 ss_sel = cs_sel + 8;
1966 cs_sel |= SELECTOR_RPL_MASK;
1967 ss_sel |= SELECTOR_RPL_MASK;
1969 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
1970 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
1972 ctxt->_eip = ctxt->regs[VCPU_REGS_RDX];
1973 ctxt->regs[VCPU_REGS_RSP] = ctxt->regs[VCPU_REGS_RCX];
1975 return X86EMUL_CONTINUE;
1978 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt)
1981 if (ctxt->mode == X86EMUL_MODE_REAL)
1983 if (ctxt->mode == X86EMUL_MODE_VM86)
1985 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1986 return ctxt->ops->cpl(ctxt) > iopl;
1989 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
1992 struct x86_emulate_ops *ops = ctxt->ops;
1993 struct desc_struct tr_seg;
1996 u16 tr, io_bitmap_ptr, perm, bit_idx = port & 0x7;
1997 unsigned mask = (1 << len) - 1;
2000 ops->get_segment(ctxt, &tr, &tr_seg, &base3, VCPU_SREG_TR);
2003 if (desc_limit_scaled(&tr_seg) < 103)
2005 base = get_desc_base(&tr_seg);
2006 #ifdef CONFIG_X86_64
2007 base |= ((u64)base3) << 32;
2009 r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL);
2010 if (r != X86EMUL_CONTINUE)
2012 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2014 r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL);
2015 if (r != X86EMUL_CONTINUE)
2017 if ((perm >> bit_idx) & mask)
2022 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2028 if (emulator_bad_iopl(ctxt))
2029 if (!emulator_io_port_access_allowed(ctxt, port, len))
2032 ctxt->perm_ok = true;
2037 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2038 struct tss_segment_16 *tss)
2040 tss->ip = ctxt->_eip;
2041 tss->flag = ctxt->eflags;
2042 tss->ax = ctxt->regs[VCPU_REGS_RAX];
2043 tss->cx = ctxt->regs[VCPU_REGS_RCX];
2044 tss->dx = ctxt->regs[VCPU_REGS_RDX];
2045 tss->bx = ctxt->regs[VCPU_REGS_RBX];
2046 tss->sp = ctxt->regs[VCPU_REGS_RSP];
2047 tss->bp = ctxt->regs[VCPU_REGS_RBP];
2048 tss->si = ctxt->regs[VCPU_REGS_RSI];
2049 tss->di = ctxt->regs[VCPU_REGS_RDI];
2051 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2052 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2053 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2054 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2055 tss->ldt = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2058 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2059 struct tss_segment_16 *tss)
2063 ctxt->_eip = tss->ip;
2064 ctxt->eflags = tss->flag | 2;
2065 ctxt->regs[VCPU_REGS_RAX] = tss->ax;
2066 ctxt->regs[VCPU_REGS_RCX] = tss->cx;
2067 ctxt->regs[VCPU_REGS_RDX] = tss->dx;
2068 ctxt->regs[VCPU_REGS_RBX] = tss->bx;
2069 ctxt->regs[VCPU_REGS_RSP] = tss->sp;
2070 ctxt->regs[VCPU_REGS_RBP] = tss->bp;
2071 ctxt->regs[VCPU_REGS_RSI] = tss->si;
2072 ctxt->regs[VCPU_REGS_RDI] = tss->di;
2075 * SDM says that segment selectors are loaded before segment
2078 set_segment_selector(ctxt, tss->ldt, VCPU_SREG_LDTR);
2079 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2080 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2081 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2082 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2085 * Now load segment descriptors. If fault happenes at this stage
2086 * it is handled in a context of new task
2088 ret = load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR);
2089 if (ret != X86EMUL_CONTINUE)
2091 ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES);
2092 if (ret != X86EMUL_CONTINUE)
2094 ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS);
2095 if (ret != X86EMUL_CONTINUE)
2097 ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS);
2098 if (ret != X86EMUL_CONTINUE)
2100 ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS);
2101 if (ret != X86EMUL_CONTINUE)
2104 return X86EMUL_CONTINUE;
2107 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2108 u16 tss_selector, u16 old_tss_sel,
2109 ulong old_tss_base, struct desc_struct *new_desc)
2111 struct x86_emulate_ops *ops = ctxt->ops;
2112 struct tss_segment_16 tss_seg;
2114 u32 new_tss_base = get_desc_base(new_desc);
2116 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2118 if (ret != X86EMUL_CONTINUE)
2119 /* FIXME: need to provide precise fault address */
2122 save_state_to_tss16(ctxt, &tss_seg);
2124 ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2126 if (ret != X86EMUL_CONTINUE)
2127 /* FIXME: need to provide precise fault address */
2130 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
2132 if (ret != X86EMUL_CONTINUE)
2133 /* FIXME: need to provide precise fault address */
2136 if (old_tss_sel != 0xffff) {
2137 tss_seg.prev_task_link = old_tss_sel;
2139 ret = ops->write_std(ctxt, new_tss_base,
2140 &tss_seg.prev_task_link,
2141 sizeof tss_seg.prev_task_link,
2143 if (ret != X86EMUL_CONTINUE)
2144 /* FIXME: need to provide precise fault address */
2148 return load_state_from_tss16(ctxt, &tss_seg);
2151 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2152 struct tss_segment_32 *tss)
2154 tss->cr3 = ctxt->ops->get_cr(ctxt, 3);
2155 tss->eip = ctxt->_eip;
2156 tss->eflags = ctxt->eflags;
2157 tss->eax = ctxt->regs[VCPU_REGS_RAX];
2158 tss->ecx = ctxt->regs[VCPU_REGS_RCX];
2159 tss->edx = ctxt->regs[VCPU_REGS_RDX];
2160 tss->ebx = ctxt->regs[VCPU_REGS_RBX];
2161 tss->esp = ctxt->regs[VCPU_REGS_RSP];
2162 tss->ebp = ctxt->regs[VCPU_REGS_RBP];
2163 tss->esi = ctxt->regs[VCPU_REGS_RSI];
2164 tss->edi = ctxt->regs[VCPU_REGS_RDI];
2166 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2167 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2168 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2169 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2170 tss->fs = get_segment_selector(ctxt, VCPU_SREG_FS);
2171 tss->gs = get_segment_selector(ctxt, VCPU_SREG_GS);
2172 tss->ldt_selector = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2175 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2176 struct tss_segment_32 *tss)
2180 if (ctxt->ops->set_cr(ctxt, 3, tss->cr3))
2181 return emulate_gp(ctxt, 0);
2182 ctxt->_eip = tss->eip;
2183 ctxt->eflags = tss->eflags | 2;
2184 ctxt->regs[VCPU_REGS_RAX] = tss->eax;
2185 ctxt->regs[VCPU_REGS_RCX] = tss->ecx;
2186 ctxt->regs[VCPU_REGS_RDX] = tss->edx;
2187 ctxt->regs[VCPU_REGS_RBX] = tss->ebx;
2188 ctxt->regs[VCPU_REGS_RSP] = tss->esp;
2189 ctxt->regs[VCPU_REGS_RBP] = tss->ebp;
2190 ctxt->regs[VCPU_REGS_RSI] = tss->esi;
2191 ctxt->regs[VCPU_REGS_RDI] = tss->edi;
2194 * SDM says that segment selectors are loaded before segment
2197 set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
2198 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2199 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2200 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2201 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2202 set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS);
2203 set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS);
2206 * Now load segment descriptors. If fault happenes at this stage
2207 * it is handled in a context of new task
2209 ret = load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
2210 if (ret != X86EMUL_CONTINUE)
2212 ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES);
2213 if (ret != X86EMUL_CONTINUE)
2215 ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS);
2216 if (ret != X86EMUL_CONTINUE)
2218 ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS);
2219 if (ret != X86EMUL_CONTINUE)
2221 ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS);
2222 if (ret != X86EMUL_CONTINUE)
2224 ret = load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS);
2225 if (ret != X86EMUL_CONTINUE)
2227 ret = load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS);
2228 if (ret != X86EMUL_CONTINUE)
2231 return X86EMUL_CONTINUE;
2234 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2235 u16 tss_selector, u16 old_tss_sel,
2236 ulong old_tss_base, struct desc_struct *new_desc)
2238 struct x86_emulate_ops *ops = ctxt->ops;
2239 struct tss_segment_32 tss_seg;
2241 u32 new_tss_base = get_desc_base(new_desc);
2243 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2245 if (ret != X86EMUL_CONTINUE)
2246 /* FIXME: need to provide precise fault address */
2249 save_state_to_tss32(ctxt, &tss_seg);
2251 ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2253 if (ret != X86EMUL_CONTINUE)
2254 /* FIXME: need to provide precise fault address */
2257 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
2259 if (ret != X86EMUL_CONTINUE)
2260 /* FIXME: need to provide precise fault address */
2263 if (old_tss_sel != 0xffff) {
2264 tss_seg.prev_task_link = old_tss_sel;
2266 ret = ops->write_std(ctxt, new_tss_base,
2267 &tss_seg.prev_task_link,
2268 sizeof tss_seg.prev_task_link,
2270 if (ret != X86EMUL_CONTINUE)
2271 /* FIXME: need to provide precise fault address */
2275 return load_state_from_tss32(ctxt, &tss_seg);
2278 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2279 u16 tss_selector, int reason,
2280 bool has_error_code, u32 error_code)
2282 struct x86_emulate_ops *ops = ctxt->ops;
2283 struct desc_struct curr_tss_desc, next_tss_desc;
2285 u16 old_tss_sel = get_segment_selector(ctxt, VCPU_SREG_TR);
2286 ulong old_tss_base =
2287 ops->get_cached_segment_base(ctxt, VCPU_SREG_TR);
2290 /* FIXME: old_tss_base == ~0 ? */
2292 ret = read_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
2293 if (ret != X86EMUL_CONTINUE)
2295 ret = read_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
2296 if (ret != X86EMUL_CONTINUE)
2299 /* FIXME: check that next_tss_desc is tss */
2301 if (reason != TASK_SWITCH_IRET) {
2302 if ((tss_selector & 3) > next_tss_desc.dpl ||
2303 ops->cpl(ctxt) > next_tss_desc.dpl)
2304 return emulate_gp(ctxt, 0);
2307 desc_limit = desc_limit_scaled(&next_tss_desc);
2308 if (!next_tss_desc.p ||
2309 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2310 desc_limit < 0x2b)) {
2311 emulate_ts(ctxt, tss_selector & 0xfffc);
2312 return X86EMUL_PROPAGATE_FAULT;
2315 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2316 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2317 write_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
2320 if (reason == TASK_SWITCH_IRET)
2321 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2323 /* set back link to prev task only if NT bit is set in eflags
2324 note that old_tss_sel is not used afetr this point */
2325 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2326 old_tss_sel = 0xffff;
2328 if (next_tss_desc.type & 8)
2329 ret = task_switch_32(ctxt, tss_selector, old_tss_sel,
2330 old_tss_base, &next_tss_desc);
2332 ret = task_switch_16(ctxt, tss_selector, old_tss_sel,
2333 old_tss_base, &next_tss_desc);
2334 if (ret != X86EMUL_CONTINUE)
2337 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2338 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2340 if (reason != TASK_SWITCH_IRET) {
2341 next_tss_desc.type |= (1 << 1); /* set busy flag */
2342 write_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
2345 ops->set_cr(ctxt, 0, ops->get_cr(ctxt, 0) | X86_CR0_TS);
2346 ops->set_segment(ctxt, tss_selector, &next_tss_desc, 0, VCPU_SREG_TR);
2348 if (has_error_code) {
2349 ctxt->op_bytes = ctxt->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2350 ctxt->lock_prefix = 0;
2351 ctxt->src.val = (unsigned long) error_code;
2352 ret = em_push(ctxt);
2358 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2359 u16 tss_selector, int reason,
2360 bool has_error_code, u32 error_code)
2364 ctxt->_eip = ctxt->eip;
2365 ctxt->dst.type = OP_NONE;
2367 rc = emulator_do_task_switch(ctxt, tss_selector, reason,
2368 has_error_code, error_code);
2370 if (rc == X86EMUL_CONTINUE)
2371 ctxt->eip = ctxt->_eip;
2373 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
2376 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned seg,
2377 int reg, struct operand *op)
2379 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2381 register_address_increment(ctxt, &ctxt->regs[reg], df * op->bytes);
2382 op->addr.mem.ea = register_address(ctxt, ctxt->regs[reg]);
2383 op->addr.mem.seg = seg;
2386 static int em_das(struct x86_emulate_ctxt *ctxt)
2389 bool af, cf, old_cf;
2391 cf = ctxt->eflags & X86_EFLAGS_CF;
2397 af = ctxt->eflags & X86_EFLAGS_AF;
2398 if ((al & 0x0f) > 9 || af) {
2400 cf = old_cf | (al >= 250);
2405 if (old_al > 0x99 || old_cf) {
2411 /* Set PF, ZF, SF */
2412 ctxt->src.type = OP_IMM;
2414 ctxt->src.bytes = 1;
2415 emulate_2op_SrcV(ctxt, "or");
2416 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
2418 ctxt->eflags |= X86_EFLAGS_CF;
2420 ctxt->eflags |= X86_EFLAGS_AF;
2421 return X86EMUL_CONTINUE;
2424 static int em_call_far(struct x86_emulate_ctxt *ctxt)
2430 old_cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2431 old_eip = ctxt->_eip;
2433 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2434 if (load_segment_descriptor(ctxt, sel, VCPU_SREG_CS))
2435 return X86EMUL_CONTINUE;
2438 memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
2440 ctxt->src.val = old_cs;
2442 if (rc != X86EMUL_CONTINUE)
2445 ctxt->src.val = old_eip;
2446 return em_push(ctxt);
2449 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
2453 ctxt->dst.type = OP_REG;
2454 ctxt->dst.addr.reg = &ctxt->_eip;
2455 ctxt->dst.bytes = ctxt->op_bytes;
2456 rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
2457 if (rc != X86EMUL_CONTINUE)
2459 register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RSP], ctxt->src.val);
2460 return X86EMUL_CONTINUE;
2463 static int em_add(struct x86_emulate_ctxt *ctxt)
2465 emulate_2op_SrcV(ctxt, "add");
2466 return X86EMUL_CONTINUE;
2469 static int em_or(struct x86_emulate_ctxt *ctxt)
2471 emulate_2op_SrcV(ctxt, "or");
2472 return X86EMUL_CONTINUE;
2475 static int em_adc(struct x86_emulate_ctxt *ctxt)
2477 emulate_2op_SrcV(ctxt, "adc");
2478 return X86EMUL_CONTINUE;
2481 static int em_sbb(struct x86_emulate_ctxt *ctxt)
2483 emulate_2op_SrcV(ctxt, "sbb");
2484 return X86EMUL_CONTINUE;
2487 static int em_and(struct x86_emulate_ctxt *ctxt)
2489 emulate_2op_SrcV(ctxt, "and");
2490 return X86EMUL_CONTINUE;
2493 static int em_sub(struct x86_emulate_ctxt *ctxt)
2495 emulate_2op_SrcV(ctxt, "sub");
2496 return X86EMUL_CONTINUE;
2499 static int em_xor(struct x86_emulate_ctxt *ctxt)
2501 emulate_2op_SrcV(ctxt, "xor");
2502 return X86EMUL_CONTINUE;
2505 static int em_cmp(struct x86_emulate_ctxt *ctxt)
2507 emulate_2op_SrcV(ctxt, "cmp");
2508 /* Disable writeback. */
2509 ctxt->dst.type = OP_NONE;
2510 return X86EMUL_CONTINUE;
2513 static int em_test(struct x86_emulate_ctxt *ctxt)
2515 emulate_2op_SrcV(ctxt, "test");
2516 return X86EMUL_CONTINUE;
2519 static int em_xchg(struct x86_emulate_ctxt *ctxt)
2521 /* Write back the register source. */
2522 ctxt->src.val = ctxt->dst.val;
2523 write_register_operand(&ctxt->src);
2525 /* Write back the memory destination with implicit LOCK prefix. */
2526 ctxt->dst.val = ctxt->src.orig_val;
2527 ctxt->lock_prefix = 1;
2528 return X86EMUL_CONTINUE;
2531 static int em_imul(struct x86_emulate_ctxt *ctxt)
2533 emulate_2op_SrcV_nobyte(ctxt, "imul");
2534 return X86EMUL_CONTINUE;
2537 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
2539 ctxt->dst.val = ctxt->src2.val;
2540 return em_imul(ctxt);
2543 static int em_cwd(struct x86_emulate_ctxt *ctxt)
2545 ctxt->dst.type = OP_REG;
2546 ctxt->dst.bytes = ctxt->src.bytes;
2547 ctxt->dst.addr.reg = &ctxt->regs[VCPU_REGS_RDX];
2548 ctxt->dst.val = ~((ctxt->src.val >> (ctxt->src.bytes * 8 - 1)) - 1);
2550 return X86EMUL_CONTINUE;
2553 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
2557 ctxt->ops->get_msr(ctxt, MSR_IA32_TSC, &tsc);
2558 ctxt->regs[VCPU_REGS_RAX] = (u32)tsc;
2559 ctxt->regs[VCPU_REGS_RDX] = tsc >> 32;
2560 return X86EMUL_CONTINUE;
2563 static int em_mov(struct x86_emulate_ctxt *ctxt)
2565 ctxt->dst.val = ctxt->src.val;
2566 return X86EMUL_CONTINUE;
2569 static int em_mov_rm_sreg(struct x86_emulate_ctxt *ctxt)
2571 if (ctxt->modrm_reg > VCPU_SREG_GS)
2572 return emulate_ud(ctxt);
2574 ctxt->dst.val = get_segment_selector(ctxt, ctxt->modrm_reg);
2575 return X86EMUL_CONTINUE;
2578 static int em_mov_sreg_rm(struct x86_emulate_ctxt *ctxt)
2580 u16 sel = ctxt->src.val;
2582 if (ctxt->modrm_reg == VCPU_SREG_CS || ctxt->modrm_reg > VCPU_SREG_GS)
2583 return emulate_ud(ctxt);
2585 if (ctxt->modrm_reg == VCPU_SREG_SS)
2586 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
2588 /* Disable writeback. */
2589 ctxt->dst.type = OP_NONE;
2590 return load_segment_descriptor(ctxt, sel, ctxt->modrm_reg);
2593 static int em_movdqu(struct x86_emulate_ctxt *ctxt)
2595 memcpy(&ctxt->dst.vec_val, &ctxt->src.vec_val, ctxt->op_bytes);
2596 return X86EMUL_CONTINUE;
2599 static int em_invlpg(struct x86_emulate_ctxt *ctxt)
2604 rc = linearize(ctxt, ctxt->src.addr.mem, 1, false, &linear);
2605 if (rc == X86EMUL_CONTINUE)
2606 ctxt->ops->invlpg(ctxt, linear);
2607 /* Disable writeback. */
2608 ctxt->dst.type = OP_NONE;
2609 return X86EMUL_CONTINUE;
2612 static int em_clts(struct x86_emulate_ctxt *ctxt)
2616 cr0 = ctxt->ops->get_cr(ctxt, 0);
2618 ctxt->ops->set_cr(ctxt, 0, cr0);
2619 return X86EMUL_CONTINUE;
2622 static int em_vmcall(struct x86_emulate_ctxt *ctxt)
2626 if (ctxt->modrm_mod != 3 || ctxt->modrm_rm != 1)
2627 return X86EMUL_UNHANDLEABLE;
2629 rc = ctxt->ops->fix_hypercall(ctxt);
2630 if (rc != X86EMUL_CONTINUE)
2633 /* Let the processor re-execute the fixed hypercall */
2634 ctxt->_eip = ctxt->eip;
2635 /* Disable writeback. */
2636 ctxt->dst.type = OP_NONE;
2637 return X86EMUL_CONTINUE;
2640 static int em_lgdt(struct x86_emulate_ctxt *ctxt)
2642 struct desc_ptr desc_ptr;
2645 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
2646 &desc_ptr.size, &desc_ptr.address,
2648 if (rc != X86EMUL_CONTINUE)
2650 ctxt->ops->set_gdt(ctxt, &desc_ptr);
2651 /* Disable writeback. */
2652 ctxt->dst.type = OP_NONE;
2653 return X86EMUL_CONTINUE;
2656 static int em_vmmcall(struct x86_emulate_ctxt *ctxt)
2660 rc = ctxt->ops->fix_hypercall(ctxt);
2662 /* Disable writeback. */
2663 ctxt->dst.type = OP_NONE;
2667 static int em_lidt(struct x86_emulate_ctxt *ctxt)
2669 struct desc_ptr desc_ptr;
2672 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
2673 &desc_ptr.size, &desc_ptr.address,
2675 if (rc != X86EMUL_CONTINUE)
2677 ctxt->ops->set_idt(ctxt, &desc_ptr);
2678 /* Disable writeback. */
2679 ctxt->dst.type = OP_NONE;
2680 return X86EMUL_CONTINUE;
2683 static int em_smsw(struct x86_emulate_ctxt *ctxt)
2685 ctxt->dst.bytes = 2;
2686 ctxt->dst.val = ctxt->ops->get_cr(ctxt, 0);
2687 return X86EMUL_CONTINUE;
2690 static int em_lmsw(struct x86_emulate_ctxt *ctxt)
2692 ctxt->ops->set_cr(ctxt, 0, (ctxt->ops->get_cr(ctxt, 0) & ~0x0eul)
2693 | (ctxt->src.val & 0x0f));
2694 ctxt->dst.type = OP_NONE;
2695 return X86EMUL_CONTINUE;
2698 static int em_loop(struct x86_emulate_ctxt *ctxt)
2700 register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RCX], -1);
2701 if ((address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) != 0) &&
2702 (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
2703 jmp_rel(ctxt, ctxt->src.val);
2705 return X86EMUL_CONTINUE;
2708 static int em_jcxz(struct x86_emulate_ctxt *ctxt)
2710 if (address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) == 0)
2711 jmp_rel(ctxt, ctxt->src.val);
2713 return X86EMUL_CONTINUE;
2716 static int em_cli(struct x86_emulate_ctxt *ctxt)
2718 if (emulator_bad_iopl(ctxt))
2719 return emulate_gp(ctxt, 0);
2721 ctxt->eflags &= ~X86_EFLAGS_IF;
2722 return X86EMUL_CONTINUE;
2725 static int em_sti(struct x86_emulate_ctxt *ctxt)
2727 if (emulator_bad_iopl(ctxt))
2728 return emulate_gp(ctxt, 0);
2730 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
2731 ctxt->eflags |= X86_EFLAGS_IF;
2732 return X86EMUL_CONTINUE;
2735 static bool valid_cr(int nr)
2747 static int check_cr_read(struct x86_emulate_ctxt *ctxt)
2749 if (!valid_cr(ctxt->modrm_reg))
2750 return emulate_ud(ctxt);
2752 return X86EMUL_CONTINUE;
2755 static int check_cr_write(struct x86_emulate_ctxt *ctxt)
2757 u64 new_val = ctxt->src.val64;
2758 int cr = ctxt->modrm_reg;
2761 static u64 cr_reserved_bits[] = {
2762 0xffffffff00000000ULL,
2763 0, 0, 0, /* CR3 checked later */
2770 return emulate_ud(ctxt);
2772 if (new_val & cr_reserved_bits[cr])
2773 return emulate_gp(ctxt, 0);
2778 if (((new_val & X86_CR0_PG) && !(new_val & X86_CR0_PE)) ||
2779 ((new_val & X86_CR0_NW) && !(new_val & X86_CR0_CD)))
2780 return emulate_gp(ctxt, 0);
2782 cr4 = ctxt->ops->get_cr(ctxt, 4);
2783 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
2785 if ((new_val & X86_CR0_PG) && (efer & EFER_LME) &&
2786 !(cr4 & X86_CR4_PAE))
2787 return emulate_gp(ctxt, 0);
2794 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
2795 if (efer & EFER_LMA)
2796 rsvd = CR3_L_MODE_RESERVED_BITS;
2797 else if (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_PAE)
2798 rsvd = CR3_PAE_RESERVED_BITS;
2799 else if (ctxt->ops->get_cr(ctxt, 0) & X86_CR0_PG)
2800 rsvd = CR3_NONPAE_RESERVED_BITS;
2803 return emulate_gp(ctxt, 0);
2810 cr4 = ctxt->ops->get_cr(ctxt, 4);
2811 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
2813 if ((efer & EFER_LMA) && !(new_val & X86_CR4_PAE))
2814 return emulate_gp(ctxt, 0);
2820 return X86EMUL_CONTINUE;
2823 static int check_dr7_gd(struct x86_emulate_ctxt *ctxt)
2827 ctxt->ops->get_dr(ctxt, 7, &dr7);
2829 /* Check if DR7.Global_Enable is set */
2830 return dr7 & (1 << 13);
2833 static int check_dr_read(struct x86_emulate_ctxt *ctxt)
2835 int dr = ctxt->modrm_reg;
2839 return emulate_ud(ctxt);
2841 cr4 = ctxt->ops->get_cr(ctxt, 4);
2842 if ((cr4 & X86_CR4_DE) && (dr == 4 || dr == 5))
2843 return emulate_ud(ctxt);
2845 if (check_dr7_gd(ctxt))
2846 return emulate_db(ctxt);
2848 return X86EMUL_CONTINUE;
2851 static int check_dr_write(struct x86_emulate_ctxt *ctxt)
2853 u64 new_val = ctxt->src.val64;
2854 int dr = ctxt->modrm_reg;
2856 if ((dr == 6 || dr == 7) && (new_val & 0xffffffff00000000ULL))
2857 return emulate_gp(ctxt, 0);
2859 return check_dr_read(ctxt);
2862 static int check_svme(struct x86_emulate_ctxt *ctxt)
2866 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
2868 if (!(efer & EFER_SVME))
2869 return emulate_ud(ctxt);
2871 return X86EMUL_CONTINUE;
2874 static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
2876 u64 rax = ctxt->regs[VCPU_REGS_RAX];
2878 /* Valid physical address? */
2879 if (rax & 0xffff000000000000ULL)
2880 return emulate_gp(ctxt, 0);
2882 return check_svme(ctxt);
2885 static int check_rdtsc(struct x86_emulate_ctxt *ctxt)
2887 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
2889 if (cr4 & X86_CR4_TSD && ctxt->ops->cpl(ctxt))
2890 return emulate_ud(ctxt);
2892 return X86EMUL_CONTINUE;
2895 static int check_rdpmc(struct x86_emulate_ctxt *ctxt)
2897 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
2898 u64 rcx = ctxt->regs[VCPU_REGS_RCX];
2900 if ((!(cr4 & X86_CR4_PCE) && ctxt->ops->cpl(ctxt)) ||
2902 return emulate_gp(ctxt, 0);
2904 return X86EMUL_CONTINUE;
2907 static int check_perm_in(struct x86_emulate_ctxt *ctxt)
2909 ctxt->dst.bytes = min(ctxt->dst.bytes, 4u);
2910 if (!emulator_io_permited(ctxt, ctxt->src.val, ctxt->dst.bytes))
2911 return emulate_gp(ctxt, 0);
2913 return X86EMUL_CONTINUE;
2916 static int check_perm_out(struct x86_emulate_ctxt *ctxt)
2918 ctxt->src.bytes = min(ctxt->src.bytes, 4u);
2919 if (!emulator_io_permited(ctxt, ctxt->dst.val, ctxt->src.bytes))
2920 return emulate_gp(ctxt, 0);
2922 return X86EMUL_CONTINUE;
2925 #define D(_y) { .flags = (_y) }
2926 #define DI(_y, _i) { .flags = (_y), .intercept = x86_intercept_##_i }
2927 #define DIP(_y, _i, _p) { .flags = (_y), .intercept = x86_intercept_##_i, \
2928 .check_perm = (_p) }
2930 #define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
2931 #define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
2932 #define GD(_f, _g) { .flags = ((_f) | GroupDual), .u.gdual = (_g) }
2933 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
2934 #define II(_f, _e, _i) \
2935 { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i }
2936 #define IIP(_f, _e, _i, _p) \
2937 { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i, \
2938 .check_perm = (_p) }
2939 #define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
2941 #define D2bv(_f) D((_f) | ByteOp), D(_f)
2942 #define D2bvIP(_f, _i, _p) DIP((_f) | ByteOp, _i, _p), DIP(_f, _i, _p)
2943 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
2945 #define I6ALU(_f, _e) I2bv((_f) | DstMem | SrcReg | ModRM, _e), \
2946 I2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock, _e), \
2947 I2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)
2949 static struct opcode group7_rm1[] = {
2950 DI(SrcNone | ModRM | Priv, monitor),
2951 DI(SrcNone | ModRM | Priv, mwait),
2955 static struct opcode group7_rm3[] = {
2956 DIP(SrcNone | ModRM | Prot | Priv, vmrun, check_svme_pa),
2957 II(SrcNone | ModRM | Prot | VendorSpecific, em_vmmcall, vmmcall),
2958 DIP(SrcNone | ModRM | Prot | Priv, vmload, check_svme_pa),
2959 DIP(SrcNone | ModRM | Prot | Priv, vmsave, check_svme_pa),
2960 DIP(SrcNone | ModRM | Prot | Priv, stgi, check_svme),
2961 DIP(SrcNone | ModRM | Prot | Priv, clgi, check_svme),
2962 DIP(SrcNone | ModRM | Prot | Priv, skinit, check_svme),
2963 DIP(SrcNone | ModRM | Prot | Priv, invlpga, check_svme),
2966 static struct opcode group7_rm7[] = {
2968 DIP(SrcNone | ModRM, rdtscp, check_rdtsc),
2972 static struct opcode group1[] = {
2983 static struct opcode group1A[] = {
2984 D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
2987 static struct opcode group3[] = {
2988 D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
2989 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2990 X4(D(SrcMem | ModRM)),
2993 static struct opcode group4[] = {
2994 D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
2998 static struct opcode group5[] = {
2999 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
3000 D(SrcMem | ModRM | Stack),
3001 I(SrcMemFAddr | ModRM | ImplicitOps | Stack, em_call_far),
3002 D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
3003 D(SrcMem | ModRM | Stack), N,
3006 static struct opcode group6[] = {
3007 DI(ModRM | Prot, sldt),
3008 DI(ModRM | Prot, str),
3009 DI(ModRM | Prot | Priv, lldt),
3010 DI(ModRM | Prot | Priv, ltr),
3014 static struct group_dual group7 = { {
3015 DI(ModRM | Mov | DstMem | Priv, sgdt),
3016 DI(ModRM | Mov | DstMem | Priv, sidt),
3017 II(ModRM | SrcMem | Priv, em_lgdt, lgdt),
3018 II(ModRM | SrcMem | Priv, em_lidt, lidt),
3019 II(SrcNone | ModRM | DstMem | Mov, em_smsw, smsw), N,
3020 II(SrcMem16 | ModRM | Mov | Priv, em_lmsw, lmsw),
3021 II(SrcMem | ModRM | ByteOp | Priv | NoAccess, em_invlpg, invlpg),
3023 I(SrcNone | ModRM | Priv | VendorSpecific, em_vmcall),
3025 N, EXT(0, group7_rm3),
3026 II(SrcNone | ModRM | DstMem | Mov, em_smsw, smsw), N,
3027 II(SrcMem16 | ModRM | Mov | Priv, em_lmsw, lmsw), EXT(0, group7_rm7),
3030 static struct opcode group8[] = {
3032 D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
3033 D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
3036 static struct group_dual group9 = { {
3037 N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
3039 N, N, N, N, N, N, N, N,
3042 static struct opcode group11[] = {
3043 I(DstMem | SrcImm | ModRM | Mov, em_mov), X7(D(Undefined)),
3046 static struct gprefix pfx_0f_6f_0f_7f = {
3047 N, N, N, I(Sse, em_movdqu),
3050 static struct opcode opcode_table[256] = {
3052 I6ALU(Lock, em_add),
3053 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
3056 D(ImplicitOps | Stack | No64), N,
3058 I6ALU(Lock, em_adc),
3059 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
3061 I6ALU(Lock, em_sbb),
3062 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
3064 I6ALU(Lock, em_and), N, N,
3066 I6ALU(Lock, em_sub), N, I(ByteOp | DstAcc | No64, em_das),
3068 I6ALU(Lock, em_xor), N, N,
3070 I6ALU(0, em_cmp), N, N,
3074 X8(I(SrcReg | Stack, em_push)),
3076 X8(I(DstReg | Stack, em_pop)),
3078 I(ImplicitOps | Stack | No64, em_pusha),
3079 I(ImplicitOps | Stack | No64, em_popa),
3080 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
3083 I(SrcImm | Mov | Stack, em_push),
3084 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
3085 I(SrcImmByte | Mov | Stack, em_push),
3086 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
3087 D2bvIP(DstDI | SrcDX | Mov | String, ins, check_perm_in), /* insb, insw/insd */
3088 D2bvIP(SrcSI | DstDX | String, outs, check_perm_out), /* outsb, outsw/outsd */
3092 G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
3093 G(DstMem | SrcImm | ModRM | Group, group1),
3094 G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
3095 G(DstMem | SrcImmByte | ModRM | Group, group1),
3096 I2bv(DstMem | SrcReg | ModRM, em_test),
3097 I2bv(DstMem | SrcReg | ModRM | Lock, em_xchg),
3099 I2bv(DstMem | SrcReg | ModRM | Mov, em_mov),
3100 I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
3101 I(DstMem | SrcNone | ModRM | Mov, em_mov_rm_sreg),
3102 D(ModRM | SrcMem | NoAccess | DstReg),
3103 I(ImplicitOps | SrcMem16 | ModRM, em_mov_sreg_rm),
3106 DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)),
3108 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
3109 I(SrcImmFAddr | No64, em_call_far), N,
3110 II(ImplicitOps | Stack, em_pushf, pushf),
3111 II(ImplicitOps | Stack, em_popf, popf), N, N,
3113 I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
3114 I2bv(DstMem | SrcAcc | Mov | MemAbs, em_mov),
3115 I2bv(SrcSI | DstDI | Mov | String, em_mov),
3116 I2bv(SrcSI | DstDI | String, em_cmp),
3118 I2bv(DstAcc | SrcImm, em_test),
3119 I2bv(SrcAcc | DstDI | Mov | String, em_mov),
3120 I2bv(SrcSI | DstAcc | Mov | String, em_mov),
3121 I2bv(SrcAcc | DstDI | String, em_cmp),
3123 X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
3125 X8(I(DstReg | SrcImm | Mov, em_mov)),
3127 D2bv(DstMem | SrcImmByte | ModRM),
3128 I(ImplicitOps | Stack | SrcImmU16, em_ret_near_imm),
3129 I(ImplicitOps | Stack, em_ret),
3130 D(DstReg | SrcMemFAddr | ModRM | No64), D(DstReg | SrcMemFAddr | ModRM | No64),
3131 G(ByteOp, group11), G(0, group11),
3133 N, N, N, I(ImplicitOps | Stack, em_ret_far),
3134 D(ImplicitOps), DI(SrcImmByte, intn),
3135 D(ImplicitOps | No64), II(ImplicitOps, em_iret, iret),
3137 D2bv(DstMem | SrcOne | ModRM), D2bv(DstMem | ModRM),
3140 N, N, N, N, N, N, N, N,
3142 X3(I(SrcImmByte, em_loop)),
3143 I(SrcImmByte, em_jcxz),
3144 D2bvIP(SrcImmUByte | DstAcc, in, check_perm_in),
3145 D2bvIP(SrcAcc | DstImmUByte, out, check_perm_out),
3147 D(SrcImm | Stack), D(SrcImm | ImplicitOps),
3148 I(SrcImmFAddr | No64, em_jmp_far), D(SrcImmByte | ImplicitOps),
3149 D2bvIP(SrcDX | DstAcc, in, check_perm_in),
3150 D2bvIP(SrcAcc | DstDX, out, check_perm_out),
3152 N, DI(ImplicitOps, icebp), N, N,
3153 DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
3154 G(ByteOp, group3), G(0, group3),
3156 D(ImplicitOps), D(ImplicitOps),
3157 I(ImplicitOps, em_cli), I(ImplicitOps, em_sti),
3158 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
3161 static struct opcode twobyte_table[256] = {
3163 G(0, group6), GD(0, &group7), N, N,
3164 N, I(ImplicitOps | VendorSpecific, em_syscall),
3165 II(ImplicitOps | Priv, em_clts, clts), N,
3166 DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
3167 N, D(ImplicitOps | ModRM), N, N,
3169 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
3171 DIP(ModRM | DstMem | Priv | Op3264, cr_read, check_cr_read),
3172 DIP(ModRM | DstMem | Priv | Op3264, dr_read, check_dr_read),
3173 DIP(ModRM | SrcMem | Priv | Op3264, cr_write, check_cr_write),
3174 DIP(ModRM | SrcMem | Priv | Op3264, dr_write, check_dr_write),
3176 N, N, N, N, N, N, N, N,
3178 DI(ImplicitOps | Priv, wrmsr),
3179 IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
3180 DI(ImplicitOps | Priv, rdmsr),
3181 DIP(ImplicitOps | Priv, rdpmc, check_rdpmc),
3182 I(ImplicitOps | VendorSpecific, em_sysenter),
3183 I(ImplicitOps | Priv | VendorSpecific, em_sysexit),
3185 N, N, N, N, N, N, N, N,
3187 X16(D(DstReg | SrcMem | ModRM | Mov)),
3189 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
3194 N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
3199 N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
3203 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
3205 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
3206 DI(ImplicitOps, cpuid), D(DstMem | SrcReg | ModRM | BitOp),
3207 D(DstMem | SrcReg | Src2ImmByte | ModRM),
3208 D(DstMem | SrcReg | Src2CL | ModRM), N, N,
3210 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
3211 DI(ImplicitOps, rsm), D(DstMem | SrcReg | ModRM | BitOp | Lock),
3212 D(DstMem | SrcReg | Src2ImmByte | ModRM),
3213 D(DstMem | SrcReg | Src2CL | ModRM),
3214 D(ModRM), I(DstReg | SrcMem | ModRM, em_imul),
3216 D2bv(DstMem | SrcReg | ModRM | Lock),
3217 D(DstReg | SrcMemFAddr | ModRM), D(DstMem | SrcReg | ModRM | BitOp | Lock),
3218 D(DstReg | SrcMemFAddr | ModRM), D(DstReg | SrcMemFAddr | ModRM),
3219 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
3222 G(BitOp, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
3223 D(DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
3224 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
3226 D2bv(DstMem | SrcReg | ModRM | Lock),
3227 N, D(DstMem | SrcReg | ModRM | Mov),
3228 N, N, N, GD(0, &group9),
3229 N, N, N, N, N, N, N, N,
3231 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
3233 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
3235 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
3251 static unsigned imm_size(struct x86_emulate_ctxt *ctxt)
3255 size = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
3261 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
3262 unsigned size, bool sign_extension)
3264 int rc = X86EMUL_CONTINUE;
3268 op->addr.mem.ea = ctxt->_eip;
3269 /* NB. Immediates are sign-extended as necessary. */
3270 switch (op->bytes) {
3272 op->val = insn_fetch(s8, ctxt);
3275 op->val = insn_fetch(s16, ctxt);
3278 op->val = insn_fetch(s32, ctxt);
3281 if (!sign_extension) {
3282 switch (op->bytes) {
3290 op->val &= 0xffffffff;
3298 int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
3300 int rc = X86EMUL_CONTINUE;
3301 int mode = ctxt->mode;
3302 int def_op_bytes, def_ad_bytes, goffset, simd_prefix;
3303 bool op_prefix = false;
3304 struct opcode opcode;
3305 struct operand memop = { .type = OP_NONE }, *memopp = NULL;
3307 ctxt->_eip = ctxt->eip;
3308 ctxt->fetch.start = ctxt->_eip;
3309 ctxt->fetch.end = ctxt->fetch.start + insn_len;
3311 memcpy(ctxt->fetch.data, insn, insn_len);
3314 case X86EMUL_MODE_REAL:
3315 case X86EMUL_MODE_VM86:
3316 case X86EMUL_MODE_PROT16:
3317 def_op_bytes = def_ad_bytes = 2;
3319 case X86EMUL_MODE_PROT32:
3320 def_op_bytes = def_ad_bytes = 4;
3322 #ifdef CONFIG_X86_64
3323 case X86EMUL_MODE_PROT64:
3329 return EMULATION_FAILED;
3332 ctxt->op_bytes = def_op_bytes;
3333 ctxt->ad_bytes = def_ad_bytes;
3335 /* Legacy prefixes. */
3337 switch (ctxt->b = insn_fetch(u8, ctxt)) {
3338 case 0x66: /* operand-size override */
3340 /* switch between 2/4 bytes */
3341 ctxt->op_bytes = def_op_bytes ^ 6;
3343 case 0x67: /* address-size override */
3344 if (mode == X86EMUL_MODE_PROT64)
3345 /* switch between 4/8 bytes */
3346 ctxt->ad_bytes = def_ad_bytes ^ 12;
3348 /* switch between 2/4 bytes */
3349 ctxt->ad_bytes = def_ad_bytes ^ 6;
3351 case 0x26: /* ES override */
3352 case 0x2e: /* CS override */
3353 case 0x36: /* SS override */
3354 case 0x3e: /* DS override */
3355 set_seg_override(ctxt, (ctxt->b >> 3) & 3);
3357 case 0x64: /* FS override */
3358 case 0x65: /* GS override */
3359 set_seg_override(ctxt, ctxt->b & 7);
3361 case 0x40 ... 0x4f: /* REX */
3362 if (mode != X86EMUL_MODE_PROT64)
3364 ctxt->rex_prefix = ctxt->b;
3366 case 0xf0: /* LOCK */
3367 ctxt->lock_prefix = 1;
3369 case 0xf2: /* REPNE/REPNZ */
3370 case 0xf3: /* REP/REPE/REPZ */
3371 ctxt->rep_prefix = ctxt->b;
3377 /* Any legacy prefix after a REX prefix nullifies its effect. */
3379 ctxt->rex_prefix = 0;
3385 if (ctxt->rex_prefix & 8)
3386 ctxt->op_bytes = 8; /* REX.W */
3388 /* Opcode byte(s). */
3389 opcode = opcode_table[ctxt->b];
3390 /* Two-byte opcode? */
3391 if (ctxt->b == 0x0f) {
3393 ctxt->b = insn_fetch(u8, ctxt);
3394 opcode = twobyte_table[ctxt->b];
3396 ctxt->d = opcode.flags;
3398 while (ctxt->d & GroupMask) {
3399 switch (ctxt->d & GroupMask) {
3401 ctxt->modrm = insn_fetch(u8, ctxt);
3403 goffset = (ctxt->modrm >> 3) & 7;
3404 opcode = opcode.u.group[goffset];
3407 ctxt->modrm = insn_fetch(u8, ctxt);
3409 goffset = (ctxt->modrm >> 3) & 7;
3410 if ((ctxt->modrm >> 6) == 3)
3411 opcode = opcode.u.gdual->mod3[goffset];
3413 opcode = opcode.u.gdual->mod012[goffset];
3416 goffset = ctxt->modrm & 7;
3417 opcode = opcode.u.group[goffset];
3420 if (ctxt->rep_prefix && op_prefix)
3421 return EMULATION_FAILED;
3422 simd_prefix = op_prefix ? 0x66 : ctxt->rep_prefix;
3423 switch (simd_prefix) {
3424 case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
3425 case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
3426 case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
3427 case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
3431 return EMULATION_FAILED;
3434 ctxt->d &= ~GroupMask;
3435 ctxt->d |= opcode.flags;
3438 ctxt->execute = opcode.u.execute;
3439 ctxt->check_perm = opcode.check_perm;
3440 ctxt->intercept = opcode.intercept;
3443 if (ctxt->d == 0 || (ctxt->d & Undefined))
3444 return EMULATION_FAILED;
3446 if (!(ctxt->d & VendorSpecific) && ctxt->only_vendor_specific_insn)
3447 return EMULATION_FAILED;
3449 if (mode == X86EMUL_MODE_PROT64 && (ctxt->d & Stack))
3452 if (ctxt->d & Op3264) {
3453 if (mode == X86EMUL_MODE_PROT64)
3460 ctxt->op_bytes = 16;
3462 /* ModRM and SIB bytes. */
3463 if (ctxt->d & ModRM) {
3464 rc = decode_modrm(ctxt, &memop);
3465 if (!ctxt->has_seg_override)
3466 set_seg_override(ctxt, ctxt->modrm_seg);
3467 } else if (ctxt->d & MemAbs)
3468 rc = decode_abs(ctxt, &memop);
3469 if (rc != X86EMUL_CONTINUE)
3472 if (!ctxt->has_seg_override)
3473 set_seg_override(ctxt, VCPU_SREG_DS);
3475 memop.addr.mem.seg = seg_override(ctxt);
3477 if (memop.type == OP_MEM && ctxt->ad_bytes != 8)
3478 memop.addr.mem.ea = (u32)memop.addr.mem.ea;
3481 * Decode and fetch the source operand: register, memory
3484 switch (ctxt->d & SrcMask) {
3488 decode_register_operand(ctxt, &ctxt->src, 0);
3497 memop.bytes = (ctxt->d & ByteOp) ? 1 :
3501 memopp = &ctxt->src;
3504 rc = decode_imm(ctxt, &ctxt->src, 2, false);
3507 rc = decode_imm(ctxt, &ctxt->src, imm_size(ctxt), true);
3510 rc = decode_imm(ctxt, &ctxt->src, imm_size(ctxt), false);
3513 rc = decode_imm(ctxt, &ctxt->src, 1, true);
3516 rc = decode_imm(ctxt, &ctxt->src, 1, false);
3519 ctxt->src.type = OP_REG;
3520 ctxt->src.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
3521 ctxt->src.addr.reg = &ctxt->regs[VCPU_REGS_RAX];
3522 fetch_register_operand(&ctxt->src);
3525 ctxt->src.bytes = 1;
3529 ctxt->src.type = OP_MEM;
3530 ctxt->src.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
3531 ctxt->src.addr.mem.ea =
3532 register_address(ctxt, ctxt->regs[VCPU_REGS_RSI]);
3533 ctxt->src.addr.mem.seg = seg_override(ctxt);
3537 ctxt->src.type = OP_IMM;
3538 ctxt->src.addr.mem.ea = ctxt->_eip;
3539 ctxt->src.bytes = ctxt->op_bytes + 2;
3540 insn_fetch_arr(ctxt->src.valptr, ctxt->src.bytes, ctxt);
3543 memop.bytes = ctxt->op_bytes + 2;
3547 ctxt->src.type = OP_REG;
3548 ctxt->src.bytes = 2;
3549 ctxt->src.addr.reg = &ctxt->regs[VCPU_REGS_RDX];
3550 fetch_register_operand(&ctxt->src);
3554 if (rc != X86EMUL_CONTINUE)
3558 * Decode and fetch the second source operand: register, memory
3561 switch (ctxt->d & Src2Mask) {
3565 ctxt->src2.bytes = 1;
3566 ctxt->src2.val = ctxt->regs[VCPU_REGS_RCX] & 0xff;
3569 rc = decode_imm(ctxt, &ctxt->src2, 1, true);
3572 ctxt->src2.bytes = 1;
3576 rc = decode_imm(ctxt, &ctxt->src2, imm_size(ctxt), true);
3580 if (rc != X86EMUL_CONTINUE)
3583 /* Decode and fetch the destination operand: register or memory. */
3584 switch (ctxt->d & DstMask) {
3586 decode_register_operand(ctxt, &ctxt->dst,
3587 ctxt->twobyte && (ctxt->b == 0xb6 || ctxt->b == 0xb7));
3590 ctxt->dst.type = OP_IMM;
3591 ctxt->dst.addr.mem.ea = ctxt->_eip;
3592 ctxt->dst.bytes = 1;
3593 ctxt->dst.val = insn_fetch(u8, ctxt);
3598 memopp = &ctxt->dst;
3599 if ((ctxt->d & DstMask) == DstMem64)
3600 ctxt->dst.bytes = 8;
3602 ctxt->dst.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
3603 if (ctxt->d & BitOp)
3604 fetch_bit_operand(ctxt);
3605 ctxt->dst.orig_val = ctxt->dst.val;
3608 ctxt->dst.type = OP_REG;
3609 ctxt->dst.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
3610 ctxt->dst.addr.reg = &ctxt->regs[VCPU_REGS_RAX];
3611 fetch_register_operand(&ctxt->dst);
3612 ctxt->dst.orig_val = ctxt->dst.val;
3615 ctxt->dst.type = OP_MEM;
3616 ctxt->dst.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
3617 ctxt->dst.addr.mem.ea =
3618 register_address(ctxt, ctxt->regs[VCPU_REGS_RDI]);
3619 ctxt->dst.addr.mem.seg = VCPU_SREG_ES;
3623 ctxt->dst.type = OP_REG;
3624 ctxt->dst.bytes = 2;
3625 ctxt->dst.addr.reg = &ctxt->regs[VCPU_REGS_RDX];
3626 fetch_register_operand(&ctxt->dst);
3629 /* Special instructions do their own operand decoding. */
3631 ctxt->dst.type = OP_NONE; /* Disable writeback. */
3636 if (memopp && memopp->type == OP_MEM && ctxt->rip_relative)
3637 memopp->addr.mem.ea += ctxt->_eip;
3639 return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
3642 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
3644 /* The second termination condition only applies for REPE
3645 * and REPNE. Test if the repeat string operation prefix is
3646 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
3647 * corresponding termination condition according to:
3648 * - if REPE/REPZ and ZF = 0 then done
3649 * - if REPNE/REPNZ and ZF = 1 then done
3651 if (((ctxt->b == 0xa6) || (ctxt->b == 0xa7) ||
3652 (ctxt->b == 0xae) || (ctxt->b == 0xaf))
3653 && (((ctxt->rep_prefix == REPE_PREFIX) &&
3654 ((ctxt->eflags & EFLG_ZF) == 0))
3655 || ((ctxt->rep_prefix == REPNE_PREFIX) &&
3656 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))))
3662 int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
3664 struct x86_emulate_ops *ops = ctxt->ops;
3666 int rc = X86EMUL_CONTINUE;
3667 int saved_dst_type = ctxt->dst.type;
3669 ctxt->mem_read.pos = 0;
3671 if (ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) {
3672 rc = emulate_ud(ctxt);
3676 /* LOCK prefix is allowed only with some instructions */
3677 if (ctxt->lock_prefix && (!(ctxt->d & Lock) || ctxt->dst.type != OP_MEM)) {
3678 rc = emulate_ud(ctxt);
3682 if ((ctxt->d & SrcMask) == SrcMemFAddr && ctxt->src.type != OP_MEM) {
3683 rc = emulate_ud(ctxt);
3688 && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)
3689 || !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
3690 rc = emulate_ud(ctxt);
3694 if ((ctxt->d & Sse) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
3695 rc = emulate_nm(ctxt);
3699 if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
3700 rc = emulator_check_intercept(ctxt, ctxt->intercept,
3701 X86_ICPT_PRE_EXCEPT);
3702 if (rc != X86EMUL_CONTINUE)
3706 /* Privileged instruction can be executed only in CPL=0 */
3707 if ((ctxt->d & Priv) && ops->cpl(ctxt)) {
3708 rc = emulate_gp(ctxt, 0);
3712 /* Instruction can only be executed in protected mode */
3713 if ((ctxt->d & Prot) && !(ctxt->mode & X86EMUL_MODE_PROT)) {
3714 rc = emulate_ud(ctxt);
3718 /* Do instruction specific permission checks */
3719 if (ctxt->check_perm) {
3720 rc = ctxt->check_perm(ctxt);
3721 if (rc != X86EMUL_CONTINUE)
3725 if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
3726 rc = emulator_check_intercept(ctxt, ctxt->intercept,
3727 X86_ICPT_POST_EXCEPT);
3728 if (rc != X86EMUL_CONTINUE)
3732 if (ctxt->rep_prefix && (ctxt->d & String)) {
3733 /* All REP prefixes have the same first termination condition */
3734 if (address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) == 0) {
3735 ctxt->eip = ctxt->_eip;
3740 if ((ctxt->src.type == OP_MEM) && !(ctxt->d & NoAccess)) {
3741 rc = segmented_read(ctxt, ctxt->src.addr.mem,
3742 ctxt->src.valptr, ctxt->src.bytes);
3743 if (rc != X86EMUL_CONTINUE)
3745 ctxt->src.orig_val64 = ctxt->src.val64;
3748 if (ctxt->src2.type == OP_MEM) {
3749 rc = segmented_read(ctxt, ctxt->src2.addr.mem,
3750 &ctxt->src2.val, ctxt->src2.bytes);
3751 if (rc != X86EMUL_CONTINUE)
3755 if ((ctxt->d & DstMask) == ImplicitOps)
3759 if ((ctxt->dst.type == OP_MEM) && !(ctxt->d & Mov)) {
3760 /* optimisation - avoid slow emulated read if Mov */
3761 rc = segmented_read(ctxt, ctxt->dst.addr.mem,
3762 &ctxt->dst.val, ctxt->dst.bytes);
3763 if (rc != X86EMUL_CONTINUE)
3766 ctxt->dst.orig_val = ctxt->dst.val;
3770 if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
3771 rc = emulator_check_intercept(ctxt, ctxt->intercept,
3772 X86_ICPT_POST_MEMACCESS);
3773 if (rc != X86EMUL_CONTINUE)
3777 if (ctxt->execute) {
3778 rc = ctxt->execute(ctxt);
3779 if (rc != X86EMUL_CONTINUE)
3788 case 0x06: /* push es */
3789 rc = emulate_push_sreg(ctxt, VCPU_SREG_ES);
3791 case 0x07: /* pop es */
3792 rc = emulate_pop_sreg(ctxt, VCPU_SREG_ES);
3794 case 0x0e: /* push cs */
3795 rc = emulate_push_sreg(ctxt, VCPU_SREG_CS);
3797 case 0x16: /* push ss */
3798 rc = emulate_push_sreg(ctxt, VCPU_SREG_SS);
3800 case 0x17: /* pop ss */
3801 rc = emulate_pop_sreg(ctxt, VCPU_SREG_SS);
3803 case 0x1e: /* push ds */
3804 rc = emulate_push_sreg(ctxt, VCPU_SREG_DS);
3806 case 0x1f: /* pop ds */
3807 rc = emulate_pop_sreg(ctxt, VCPU_SREG_DS);
3809 case 0x40 ... 0x47: /* inc r16/r32 */
3810 emulate_1op(ctxt, "inc");
3812 case 0x48 ... 0x4f: /* dec r16/r32 */
3813 emulate_1op(ctxt, "dec");
3815 case 0x63: /* movsxd */
3816 if (ctxt->mode != X86EMUL_MODE_PROT64)
3817 goto cannot_emulate;
3818 ctxt->dst.val = (s32) ctxt->src.val;
3820 case 0x6c: /* insb */
3821 case 0x6d: /* insw/insd */
3822 ctxt->src.val = ctxt->regs[VCPU_REGS_RDX];
3824 case 0x6e: /* outsb */
3825 case 0x6f: /* outsw/outsd */
3826 ctxt->dst.val = ctxt->regs[VCPU_REGS_RDX];
3829 case 0x70 ... 0x7f: /* jcc (short) */
3830 if (test_cc(ctxt->b, ctxt->eflags))
3831 jmp_rel(ctxt, ctxt->src.val);
3833 case 0x8d: /* lea r16/r32, m */
3834 ctxt->dst.val = ctxt->src.addr.mem.ea;
3836 case 0x8f: /* pop (sole member of Grp1a) */
3837 rc = em_grp1a(ctxt);
3839 case 0x90 ... 0x97: /* nop / xchg reg, rax */
3840 if (ctxt->dst.addr.reg == &ctxt->regs[VCPU_REGS_RAX])
3844 case 0x98: /* cbw/cwde/cdqe */
3845 switch (ctxt->op_bytes) {
3846 case 2: ctxt->dst.val = (s8)ctxt->dst.val; break;
3847 case 4: ctxt->dst.val = (s16)ctxt->dst.val; break;
3848 case 8: ctxt->dst.val = (s32)ctxt->dst.val; break;
3854 case 0xc4: /* les */
3855 rc = emulate_load_segment(ctxt, VCPU_SREG_ES);
3857 case 0xc5: /* lds */
3858 rc = emulate_load_segment(ctxt, VCPU_SREG_DS);
3860 case 0xcc: /* int3 */
3861 rc = emulate_int(ctxt, 3);
3863 case 0xcd: /* int n */
3864 rc = emulate_int(ctxt, ctxt->src.val);
3866 case 0xce: /* into */
3867 if (ctxt->eflags & EFLG_OF)
3868 rc = emulate_int(ctxt, 4);
3870 case 0xd0 ... 0xd1: /* Grp2 */
3873 case 0xd2 ... 0xd3: /* Grp2 */
3874 ctxt->src.val = ctxt->regs[VCPU_REGS_RCX];
3877 case 0xe4: /* inb */
3880 case 0xe6: /* outb */
3881 case 0xe7: /* out */
3883 case 0xe8: /* call (near) */ {
3884 long int rel = ctxt->src.val;
3885 ctxt->src.val = (unsigned long) ctxt->_eip;
3890 case 0xe9: /* jmp rel */
3891 case 0xeb: /* jmp rel short */
3892 jmp_rel(ctxt, ctxt->src.val);
3893 ctxt->dst.type = OP_NONE; /* Disable writeback. */
3895 case 0xec: /* in al,dx */
3896 case 0xed: /* in (e/r)ax,dx */
3898 if (!pio_in_emulated(ctxt, ctxt->dst.bytes, ctxt->src.val,
3900 goto done; /* IO is needed */
3902 case 0xee: /* out dx,al */
3903 case 0xef: /* out dx,(e/r)ax */
3905 ops->pio_out_emulated(ctxt, ctxt->src.bytes, ctxt->dst.val,
3907 ctxt->dst.type = OP_NONE; /* Disable writeback. */
3909 case 0xf4: /* hlt */
3910 ctxt->ops->halt(ctxt);
3912 case 0xf5: /* cmc */
3913 /* complement carry flag from eflags reg */
3914 ctxt->eflags ^= EFLG_CF;
3916 case 0xf6 ... 0xf7: /* Grp3 */
3919 case 0xf8: /* clc */
3920 ctxt->eflags &= ~EFLG_CF;
3922 case 0xf9: /* stc */
3923 ctxt->eflags |= EFLG_CF;
3925 case 0xfc: /* cld */
3926 ctxt->eflags &= ~EFLG_DF;
3928 case 0xfd: /* std */
3929 ctxt->eflags |= EFLG_DF;
3931 case 0xfe: /* Grp4 */
3932 rc = em_grp45(ctxt);
3934 case 0xff: /* Grp5 */
3935 rc = em_grp45(ctxt);
3938 goto cannot_emulate;
3941 if (rc != X86EMUL_CONTINUE)
3945 rc = writeback(ctxt);
3946 if (rc != X86EMUL_CONTINUE)
3950 * restore dst type in case the decoding will be reused
3951 * (happens for string instruction )
3953 ctxt->dst.type = saved_dst_type;
3955 if ((ctxt->d & SrcMask) == SrcSI)
3956 string_addr_inc(ctxt, seg_override(ctxt),
3957 VCPU_REGS_RSI, &ctxt->src);
3959 if ((ctxt->d & DstMask) == DstDI)
3960 string_addr_inc(ctxt, VCPU_SREG_ES, VCPU_REGS_RDI,
3963 if (ctxt->rep_prefix && (ctxt->d & String)) {
3964 struct read_cache *r = &ctxt->io_read;
3965 register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RCX], -1);
3967 if (!string_insn_completed(ctxt)) {
3969 * Re-enter guest when pio read ahead buffer is empty
3970 * or, if it is not used, after each 1024 iteration.
3972 if ((r->end != 0 || ctxt->regs[VCPU_REGS_RCX] & 0x3ff) &&
3973 (r->end == 0 || r->end != r->pos)) {
3975 * Reset read cache. Usually happens before
3976 * decode, but since instruction is restarted
3977 * we have to do it here.
3979 ctxt->mem_read.end = 0;
3980 return EMULATION_RESTART;
3982 goto done; /* skip rip writeback */
3986 ctxt->eip = ctxt->_eip;
3989 if (rc == X86EMUL_PROPAGATE_FAULT)
3990 ctxt->have_exception = true;
3991 if (rc == X86EMUL_INTERCEPTED)
3992 return EMULATION_INTERCEPTED;
3994 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
3998 case 0x09: /* wbinvd */
3999 (ctxt->ops->wbinvd)(ctxt);
4001 case 0x08: /* invd */
4002 case 0x0d: /* GrpP (prefetch) */
4003 case 0x18: /* Grp16 (prefetch/nop) */
4005 case 0x20: /* mov cr, reg */
4006 ctxt->dst.val = ops->get_cr(ctxt, ctxt->modrm_reg);
4008 case 0x21: /* mov from dr to reg */
4009 ops->get_dr(ctxt, ctxt->modrm_reg, &ctxt->dst.val);
4011 case 0x22: /* mov reg, cr */
4012 if (ops->set_cr(ctxt, ctxt->modrm_reg, ctxt->src.val)) {
4013 emulate_gp(ctxt, 0);
4014 rc = X86EMUL_PROPAGATE_FAULT;
4017 ctxt->dst.type = OP_NONE;
4019 case 0x23: /* mov from reg to dr */
4020 if (ops->set_dr(ctxt, ctxt->modrm_reg, ctxt->src.val &
4021 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
4022 ~0ULL : ~0U)) < 0) {
4023 /* #UD condition is already handled by the code above */
4024 emulate_gp(ctxt, 0);
4025 rc = X86EMUL_PROPAGATE_FAULT;
4029 ctxt->dst.type = OP_NONE; /* no writeback */
4033 msr_data = (u32)ctxt->regs[VCPU_REGS_RAX]
4034 | ((u64)ctxt->regs[VCPU_REGS_RDX] << 32);
4035 if (ops->set_msr(ctxt, ctxt->regs[VCPU_REGS_RCX], msr_data)) {
4036 emulate_gp(ctxt, 0);
4037 rc = X86EMUL_PROPAGATE_FAULT;
4040 rc = X86EMUL_CONTINUE;
4044 if (ops->get_msr(ctxt, ctxt->regs[VCPU_REGS_RCX], &msr_data)) {
4045 emulate_gp(ctxt, 0);
4046 rc = X86EMUL_PROPAGATE_FAULT;
4049 ctxt->regs[VCPU_REGS_RAX] = (u32)msr_data;
4050 ctxt->regs[VCPU_REGS_RDX] = msr_data >> 32;
4052 rc = X86EMUL_CONTINUE;
4054 case 0x40 ... 0x4f: /* cmov */
4055 ctxt->dst.val = ctxt->dst.orig_val = ctxt->src.val;
4056 if (!test_cc(ctxt->b, ctxt->eflags))
4057 ctxt->dst.type = OP_NONE; /* no writeback */
4059 case 0x80 ... 0x8f: /* jnz rel, etc*/
4060 if (test_cc(ctxt->b, ctxt->eflags))
4061 jmp_rel(ctxt, ctxt->src.val);
4063 case 0x90 ... 0x9f: /* setcc r/m8 */
4064 ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
4066 case 0xa0: /* push fs */
4067 rc = emulate_push_sreg(ctxt, VCPU_SREG_FS);
4069 case 0xa1: /* pop fs */
4070 rc = emulate_pop_sreg(ctxt, VCPU_SREG_FS);
4074 ctxt->dst.type = OP_NONE;
4075 /* only subword offset */
4076 ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
4077 emulate_2op_SrcV_nobyte(ctxt, "bt");
4079 case 0xa4: /* shld imm8, r, r/m */
4080 case 0xa5: /* shld cl, r, r/m */
4081 emulate_2op_cl(ctxt, "shld");
4083 case 0xa8: /* push gs */
4084 rc = emulate_push_sreg(ctxt, VCPU_SREG_GS);
4086 case 0xa9: /* pop gs */
4087 rc = emulate_pop_sreg(ctxt, VCPU_SREG_GS);
4091 emulate_2op_SrcV_nobyte(ctxt, "bts");
4093 case 0xac: /* shrd imm8, r, r/m */
4094 case 0xad: /* shrd cl, r, r/m */
4095 emulate_2op_cl(ctxt, "shrd");
4097 case 0xae: /* clflush */
4099 case 0xb0 ... 0xb1: /* cmpxchg */
4101 * Save real source value, then compare EAX against
4104 ctxt->src.orig_val = ctxt->src.val;
4105 ctxt->src.val = ctxt->regs[VCPU_REGS_RAX];
4106 emulate_2op_SrcV(ctxt, "cmp");
4107 if (ctxt->eflags & EFLG_ZF) {
4108 /* Success: write back to memory. */
4109 ctxt->dst.val = ctxt->src.orig_val;
4111 /* Failure: write the value we saw to EAX. */
4112 ctxt->dst.type = OP_REG;
4113 ctxt->dst.addr.reg = (unsigned long *)&ctxt->regs[VCPU_REGS_RAX];
4116 case 0xb2: /* lss */
4117 rc = emulate_load_segment(ctxt, VCPU_SREG_SS);
4121 emulate_2op_SrcV_nobyte(ctxt, "btr");
4123 case 0xb4: /* lfs */
4124 rc = emulate_load_segment(ctxt, VCPU_SREG_FS);
4126 case 0xb5: /* lgs */
4127 rc = emulate_load_segment(ctxt, VCPU_SREG_GS);
4129 case 0xb6 ... 0xb7: /* movzx */
4130 ctxt->dst.bytes = ctxt->op_bytes;
4131 ctxt->dst.val = (ctxt->d & ByteOp) ? (u8) ctxt->src.val
4132 : (u16) ctxt->src.val;
4134 case 0xba: /* Grp8 */
4135 switch (ctxt->modrm_reg & 3) {
4148 emulate_2op_SrcV_nobyte(ctxt, "btc");
4150 case 0xbc: { /* bsf */
4152 __asm__ ("bsf %2, %0; setz %1"
4153 : "=r"(ctxt->dst.val), "=q"(zf)
4154 : "r"(ctxt->src.val));
4155 ctxt->eflags &= ~X86_EFLAGS_ZF;
4157 ctxt->eflags |= X86_EFLAGS_ZF;
4158 ctxt->dst.type = OP_NONE; /* Disable writeback. */
4162 case 0xbd: { /* bsr */
4164 __asm__ ("bsr %2, %0; setz %1"
4165 : "=r"(ctxt->dst.val), "=q"(zf)
4166 : "r"(ctxt->src.val));
4167 ctxt->eflags &= ~X86_EFLAGS_ZF;
4169 ctxt->eflags |= X86_EFLAGS_ZF;
4170 ctxt->dst.type = OP_NONE; /* Disable writeback. */
4174 case 0xbe ... 0xbf: /* movsx */
4175 ctxt->dst.bytes = ctxt->op_bytes;
4176 ctxt->dst.val = (ctxt->d & ByteOp) ? (s8) ctxt->src.val :
4177 (s16) ctxt->src.val;
4179 case 0xc0 ... 0xc1: /* xadd */
4180 emulate_2op_SrcV(ctxt, "add");
4181 /* Write back the register source. */
4182 ctxt->src.val = ctxt->dst.orig_val;
4183 write_register_operand(&ctxt->src);
4185 case 0xc3: /* movnti */
4186 ctxt->dst.bytes = ctxt->op_bytes;
4187 ctxt->dst.val = (ctxt->op_bytes == 4) ? (u32) ctxt->src.val :
4188 (u64) ctxt->src.val;
4190 case 0xc7: /* Grp9 (cmpxchg8b) */
4194 goto cannot_emulate;
4197 if (rc != X86EMUL_CONTINUE)
4203 return EMULATION_FAILED;
projects / linux-2.6.git / blob