1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affilates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
26 #include <public/xen.h>
27 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
29 #include <linux/kvm_host.h>
30 #include "kvm_cache_regs.h"
31 #define DPRINTF(x...) do {} while (0)
33 #include <linux/module.h>
34 #include <asm/kvm_emulate.h>
40 * Opcode effective-address decode tables.
41 * Note that we only emulate instructions that have at least one memory
42 * operand (excluding implicit stack references). We assume that stack
43 * references and instruction fetches will never occur in special memory
44 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
48 /* Operand sizes: 8-bit operands or specified/overridden size. */
49 #define ByteOp (1<<0) /* 8-bit operands. */
50 /* Destination operand type. */
51 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
52 #define DstReg (2<<1) /* Register operand. */
53 #define DstMem (3<<1) /* Memory operand. */
54 #define DstAcc (4<<1) /* Destination Accumulator */
55 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
56 #define DstMem64 (6<<1) /* 64bit memory operand */
57 #define DstImmUByte (7<<1) /* 8-bit unsigned immediate operand */
58 #define DstMask (7<<1)
59 /* Source operand type. */
60 #define SrcNone (0<<4) /* No source operand. */
61 #define SrcReg (1<<4) /* Register operand. */
62 #define SrcMem (2<<4) /* Memory operand. */
63 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
64 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
65 #define SrcImm (5<<4) /* Immediate operand. */
66 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
67 #define SrcOne (7<<4) /* Implied '1' */
68 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
69 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
70 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
71 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
72 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
73 #define SrcAcc (0xd<<4) /* Source Accumulator */
74 #define SrcImmU16 (0xe<<4) /* Immediate operand, unsigned, 16 bits */
75 #define SrcMask (0xf<<4)
76 /* Generic ModRM decode. */
78 /* Destination is only written; never read. */
81 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
82 #define String (1<<12) /* String instruction (rep capable) */
83 #define Stack (1<<13) /* Stack instruction (push/pop) */
84 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
85 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
87 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
88 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
89 #define Undefined (1<<25) /* No Such Instruction */
90 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
91 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
93 /* Source 2 operand type */
94 #define Src2None (0<<29)
95 #define Src2CL (1<<29)
96 #define Src2ImmByte (2<<29)
97 #define Src2One (3<<29)
98 #define Src2Mask (7<<29)
100 #define X2(x...) x, x
101 #define X3(x...) X2(x), x
102 #define X4(x...) X2(x), X2(x)
103 #define X5(x...) X4(x), x
104 #define X6(x...) X4(x), X2(x)
105 #define X7(x...) X4(x), X3(x)
106 #define X8(x...) X4(x), X4(x)
107 #define X16(x...) X8(x), X8(x)
112 int (*execute)(struct x86_emulate_ctxt *ctxt);
113 struct opcode *group;
114 struct group_dual *gdual;
119 struct opcode mod012[8];
120 struct opcode mod3[8];
123 /* EFLAGS bit definitions. */
124 #define EFLG_ID (1<<21)
125 #define EFLG_VIP (1<<20)
126 #define EFLG_VIF (1<<19)
127 #define EFLG_AC (1<<18)
128 #define EFLG_VM (1<<17)
129 #define EFLG_RF (1<<16)
130 #define EFLG_IOPL (3<<12)
131 #define EFLG_NT (1<<14)
132 #define EFLG_OF (1<<11)
133 #define EFLG_DF (1<<10)
134 #define EFLG_IF (1<<9)
135 #define EFLG_TF (1<<8)
136 #define EFLG_SF (1<<7)
137 #define EFLG_ZF (1<<6)
138 #define EFLG_AF (1<<4)
139 #define EFLG_PF (1<<2)
140 #define EFLG_CF (1<<0)
142 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
143 #define EFLG_RESERVED_ONE_MASK 2
146 * Instruction emulation:
147 * Most instructions are emulated directly via a fragment of inline assembly
148 * code. This allows us to save/restore EFLAGS and thus very easily pick up
149 * any modified flags.
152 #if defined(CONFIG_X86_64)
153 #define _LO32 "k" /* force 32-bit operand */
154 #define _STK "%%rsp" /* stack pointer */
155 #elif defined(__i386__)
156 #define _LO32 "" /* force 32-bit operand */
157 #define _STK "%%esp" /* stack pointer */
161 * These EFLAGS bits are restored from saved value during emulation, and
162 * any changes are written back to the saved value after emulation.
164 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
166 /* Before executing instruction: restore necessary bits in EFLAGS. */
167 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
168 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
169 "movl %"_sav",%"_LO32 _tmp"; " \
172 "movl %"_msk",%"_LO32 _tmp"; " \
173 "andl %"_LO32 _tmp",("_STK"); " \
175 "notl %"_LO32 _tmp"; " \
176 "andl %"_LO32 _tmp",("_STK"); " \
177 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
179 "orl %"_LO32 _tmp",("_STK"); " \
183 /* After executing instruction: write-back necessary bits in EFLAGS. */
184 #define _POST_EFLAGS(_sav, _msk, _tmp) \
185 /* _sav |= EFLAGS & _msk; */ \
188 "andl %"_msk",%"_LO32 _tmp"; " \
189 "orl %"_LO32 _tmp",%"_sav"; "
197 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
199 __asm__ __volatile__ ( \
200 _PRE_EFLAGS("0", "4", "2") \
201 _op _suffix " %"_x"3,%1; " \
202 _POST_EFLAGS("0", "4", "2") \
203 : "=m" (_eflags), "+q" (*(_dsttype*)&(_dst).val),\
205 : _y ((_src).val), "i" (EFLAGS_MASK)); \
209 /* Raw emulation: instruction has two explicit operands. */
210 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
212 unsigned long _tmp; \
214 switch ((_dst).bytes) { \
216 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
219 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l",u32);\
222 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q",u64)); \
227 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
229 unsigned long _tmp; \
230 switch ((_dst).bytes) { \
232 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
235 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
236 _wx, _wy, _lx, _ly, _qx, _qy); \
241 /* Source operand is byte-sized and may be restricted to just %cl. */
242 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
243 __emulate_2op(_op, _src, _dst, _eflags, \
244 "b", "c", "b", "c", "b", "c", "b", "c")
246 /* Source operand is byte, word, long or quad sized. */
247 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
248 __emulate_2op(_op, _src, _dst, _eflags, \
249 "b", "q", "w", "r", _LO32, "r", "", "r")
251 /* Source operand is word, long or quad sized. */
252 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
253 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
254 "w", "r", _LO32, "r", "", "r")
256 /* Instruction has three operands and one operand is stored in ECX register */
257 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
259 unsigned long _tmp; \
260 _type _clv = (_cl).val; \
261 _type _srcv = (_src).val; \
262 _type _dstv = (_dst).val; \
264 __asm__ __volatile__ ( \
265 _PRE_EFLAGS("0", "5", "2") \
266 _op _suffix " %4,%1 \n" \
267 _POST_EFLAGS("0", "5", "2") \
268 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
269 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
272 (_cl).val = (unsigned long) _clv; \
273 (_src).val = (unsigned long) _srcv; \
274 (_dst).val = (unsigned long) _dstv; \
277 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
279 switch ((_dst).bytes) { \
281 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
282 "w", unsigned short); \
285 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
286 "l", unsigned int); \
289 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
290 "q", unsigned long)); \
295 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
297 unsigned long _tmp; \
299 __asm__ __volatile__ ( \
300 _PRE_EFLAGS("0", "3", "2") \
301 _op _suffix " %1; " \
302 _POST_EFLAGS("0", "3", "2") \
303 : "=m" (_eflags), "+m" ((_dst).val), \
305 : "i" (EFLAGS_MASK)); \
308 /* Instruction has only one explicit operand (no source operand). */
309 #define emulate_1op(_op, _dst, _eflags) \
311 switch ((_dst).bytes) { \
312 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
313 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
314 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
315 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
319 #define __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, _suffix) \
321 unsigned long _tmp; \
323 __asm__ __volatile__ ( \
324 _PRE_EFLAGS("0", "4", "1") \
325 _op _suffix " %5; " \
326 _POST_EFLAGS("0", "4", "1") \
327 : "=m" (_eflags), "=&r" (_tmp), \
328 "+a" (_rax), "+d" (_rdx) \
329 : "i" (EFLAGS_MASK), "m" ((_src).val), \
330 "a" (_rax), "d" (_rdx)); \
333 /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
334 #define emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags) \
336 switch((_src).bytes) { \
337 case 1: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "b"); break; \
338 case 2: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "w"); break; \
339 case 4: __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "l"); break; \
340 case 8: ON64(__emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, "q")); break; \
344 /* Fetch next part of the instruction being emulated. */
345 #define insn_fetch(_type, _size, _eip) \
346 ({ unsigned long _x; \
347 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
348 if (rc != X86EMUL_CONTINUE) \
354 #define insn_fetch_arr(_arr, _size, _eip) \
355 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
356 if (rc != X86EMUL_CONTINUE) \
361 static inline unsigned long ad_mask(struct decode_cache *c)
363 return (1UL << (c->ad_bytes << 3)) - 1;
366 /* Access/update address held in a register, based on addressing mode. */
367 static inline unsigned long
368 address_mask(struct decode_cache *c, unsigned long reg)
370 if (c->ad_bytes == sizeof(unsigned long))
373 return reg & ad_mask(c);
376 static inline unsigned long
377 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
379 return base + address_mask(c, reg);
383 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
385 if (c->ad_bytes == sizeof(unsigned long))
388 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
391 static inline void jmp_rel(struct decode_cache *c, int rel)
393 register_address_increment(c, &c->eip, rel);
396 static void set_seg_override(struct decode_cache *c, int seg)
398 c->has_seg_override = true;
399 c->seg_override = seg;
402 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
403 struct x86_emulate_ops *ops, int seg)
405 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
408 return ops->get_cached_segment_base(seg, ctxt->vcpu);
411 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
412 struct x86_emulate_ops *ops,
413 struct decode_cache *c)
415 if (!c->has_seg_override)
418 return seg_base(ctxt, ops, c->seg_override);
421 static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
422 struct x86_emulate_ops *ops)
424 return seg_base(ctxt, ops, VCPU_SREG_ES);
427 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
428 struct x86_emulate_ops *ops)
430 return seg_base(ctxt, ops, VCPU_SREG_SS);
433 static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
434 u32 error, bool valid)
436 ctxt->exception = vec;
437 ctxt->error_code = error;
438 ctxt->error_code_valid = valid;
439 ctxt->restart = false;
442 static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
444 emulate_exception(ctxt, GP_VECTOR, err, true);
447 static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
451 emulate_exception(ctxt, PF_VECTOR, err, true);
454 static void emulate_ud(struct x86_emulate_ctxt *ctxt)
456 emulate_exception(ctxt, UD_VECTOR, 0, false);
459 static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
461 emulate_exception(ctxt, TS_VECTOR, err, true);
464 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
465 struct x86_emulate_ops *ops,
466 unsigned long eip, u8 *dest)
468 struct fetch_cache *fc = &ctxt->decode.fetch;
472 if (eip == fc->end) {
473 cur_size = fc->end - fc->start;
474 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
475 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
476 size, ctxt->vcpu, NULL);
477 if (rc != X86EMUL_CONTINUE)
481 *dest = fc->data[eip - fc->start];
482 return X86EMUL_CONTINUE;
485 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
486 struct x86_emulate_ops *ops,
487 unsigned long eip, void *dest, unsigned size)
491 /* x86 instructions are limited to 15 bytes. */
492 if (eip + size - ctxt->eip > 15)
493 return X86EMUL_UNHANDLEABLE;
495 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
496 if (rc != X86EMUL_CONTINUE)
499 return X86EMUL_CONTINUE;
503 * Given the 'reg' portion of a ModRM byte, and a register block, return a
504 * pointer into the block that addresses the relevant register.
505 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
507 static void *decode_register(u8 modrm_reg, unsigned long *regs,
512 p = ®s[modrm_reg];
513 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
514 p = (unsigned char *)®s[modrm_reg & 3] + 1;
518 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
519 struct x86_emulate_ops *ops,
521 u16 *size, unsigned long *address, int op_bytes)
528 rc = ops->read_std(addr, (unsigned long *)size, 2, ctxt->vcpu, NULL);
529 if (rc != X86EMUL_CONTINUE)
531 rc = ops->read_std(addr + 2, address, op_bytes, ctxt->vcpu, NULL);
535 static int test_cc(unsigned int condition, unsigned int flags)
539 switch ((condition & 15) >> 1) {
541 rc |= (flags & EFLG_OF);
543 case 1: /* b/c/nae */
544 rc |= (flags & EFLG_CF);
547 rc |= (flags & EFLG_ZF);
550 rc |= (flags & (EFLG_CF|EFLG_ZF));
553 rc |= (flags & EFLG_SF);
556 rc |= (flags & EFLG_PF);
559 rc |= (flags & EFLG_ZF);
562 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
566 /* Odd condition identifiers (lsb == 1) have inverted sense. */
567 return (!!rc ^ (condition & 1));
570 static void fetch_register_operand(struct operand *op)
574 op->val = *(u8 *)op->addr.reg;
577 op->val = *(u16 *)op->addr.reg;
580 op->val = *(u32 *)op->addr.reg;
583 op->val = *(u64 *)op->addr.reg;
588 static void decode_register_operand(struct operand *op,
589 struct decode_cache *c,
592 unsigned reg = c->modrm_reg;
593 int highbyte_regs = c->rex_prefix == 0;
596 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
598 if ((c->d & ByteOp) && !inhibit_bytereg) {
599 op->addr.reg = decode_register(reg, c->regs, highbyte_regs);
602 op->addr.reg = decode_register(reg, c->regs, 0);
603 op->bytes = c->op_bytes;
605 fetch_register_operand(op);
606 op->orig_val = op->val;
609 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
610 struct x86_emulate_ops *ops,
613 struct decode_cache *c = &ctxt->decode;
615 int index_reg = 0, base_reg = 0, scale;
616 int rc = X86EMUL_CONTINUE;
620 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
621 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
622 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
625 c->modrm = insn_fetch(u8, 1, c->eip);
626 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
627 c->modrm_reg |= (c->modrm & 0x38) >> 3;
628 c->modrm_rm |= (c->modrm & 0x07);
629 c->modrm_seg = VCPU_SREG_DS;
631 if (c->modrm_mod == 3) {
633 op->bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
634 op->addr.reg = decode_register(c->modrm_rm,
635 c->regs, c->d & ByteOp);
636 fetch_register_operand(op);
642 if (c->ad_bytes == 2) {
643 unsigned bx = c->regs[VCPU_REGS_RBX];
644 unsigned bp = c->regs[VCPU_REGS_RBP];
645 unsigned si = c->regs[VCPU_REGS_RSI];
646 unsigned di = c->regs[VCPU_REGS_RDI];
648 /* 16-bit ModR/M decode. */
649 switch (c->modrm_mod) {
651 if (c->modrm_rm == 6)
652 modrm_ea += insn_fetch(u16, 2, c->eip);
655 modrm_ea += insn_fetch(s8, 1, c->eip);
658 modrm_ea += insn_fetch(u16, 2, c->eip);
661 switch (c->modrm_rm) {
681 if (c->modrm_mod != 0)
688 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
689 (c->modrm_rm == 6 && c->modrm_mod != 0))
690 c->modrm_seg = VCPU_SREG_SS;
691 modrm_ea = (u16)modrm_ea;
693 /* 32/64-bit ModR/M decode. */
694 if ((c->modrm_rm & 7) == 4) {
695 sib = insn_fetch(u8, 1, c->eip);
696 index_reg |= (sib >> 3) & 7;
700 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
701 modrm_ea += insn_fetch(s32, 4, c->eip);
703 modrm_ea += c->regs[base_reg];
705 modrm_ea += c->regs[index_reg] << scale;
706 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
707 if (ctxt->mode == X86EMUL_MODE_PROT64)
710 modrm_ea += c->regs[c->modrm_rm];
711 switch (c->modrm_mod) {
713 if (c->modrm_rm == 5)
714 modrm_ea += insn_fetch(s32, 4, c->eip);
717 modrm_ea += insn_fetch(s8, 1, c->eip);
720 modrm_ea += insn_fetch(s32, 4, c->eip);
724 op->addr.mem = modrm_ea;
729 static int decode_abs(struct x86_emulate_ctxt *ctxt,
730 struct x86_emulate_ops *ops,
733 struct decode_cache *c = &ctxt->decode;
734 int rc = X86EMUL_CONTINUE;
737 switch (c->ad_bytes) {
739 op->addr.mem = insn_fetch(u16, 2, c->eip);
742 op->addr.mem = insn_fetch(u32, 4, c->eip);
745 op->addr.mem = insn_fetch(u64, 8, c->eip);
752 static void fetch_bit_operand(struct decode_cache *c)
756 if (c->dst.type == OP_MEM && c->src.type == OP_REG) {
757 mask = ~(c->dst.bytes * 8 - 1);
759 if (c->src.bytes == 2)
760 sv = (s16)c->src.val & (s16)mask;
761 else if (c->src.bytes == 4)
762 sv = (s32)c->src.val & (s32)mask;
764 c->dst.addr.mem += (sv >> 3);
767 /* only subword offset */
768 c->src.val &= (c->dst.bytes << 3) - 1;
771 static int read_emulated(struct x86_emulate_ctxt *ctxt,
772 struct x86_emulate_ops *ops,
773 unsigned long addr, void *dest, unsigned size)
776 struct read_cache *mc = &ctxt->decode.mem_read;
780 int n = min(size, 8u);
782 if (mc->pos < mc->end)
785 rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
787 if (rc == X86EMUL_PROPAGATE_FAULT)
788 emulate_pf(ctxt, addr, err);
789 if (rc != X86EMUL_CONTINUE)
794 memcpy(dest, mc->data + mc->pos, n);
799 return X86EMUL_CONTINUE;
802 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
803 struct x86_emulate_ops *ops,
804 unsigned int size, unsigned short port,
807 struct read_cache *rc = &ctxt->decode.io_read;
809 if (rc->pos == rc->end) { /* refill pio read ahead */
810 struct decode_cache *c = &ctxt->decode;
811 unsigned int in_page, n;
812 unsigned int count = c->rep_prefix ?
813 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
814 in_page = (ctxt->eflags & EFLG_DF) ?
815 offset_in_page(c->regs[VCPU_REGS_RDI]) :
816 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
817 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
821 rc->pos = rc->end = 0;
822 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
827 memcpy(dest, rc->data + rc->pos, size);
832 static u32 desc_limit_scaled(struct desc_struct *desc)
834 u32 limit = get_desc_limit(desc);
836 return desc->g ? (limit << 12) | 0xfff : limit;
839 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
840 struct x86_emulate_ops *ops,
841 u16 selector, struct desc_ptr *dt)
843 if (selector & 1 << 2) {
844 struct desc_struct desc;
845 memset (dt, 0, sizeof *dt);
846 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
849 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
850 dt->address = get_desc_base(&desc);
852 ops->get_gdt(dt, ctxt->vcpu);
855 /* allowed just for 8 bytes segments */
856 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
857 struct x86_emulate_ops *ops,
858 u16 selector, struct desc_struct *desc)
861 u16 index = selector >> 3;
866 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
868 if (dt.size < index * 8 + 7) {
869 emulate_gp(ctxt, selector & 0xfffc);
870 return X86EMUL_PROPAGATE_FAULT;
872 addr = dt.address + index * 8;
873 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
874 if (ret == X86EMUL_PROPAGATE_FAULT)
875 emulate_pf(ctxt, addr, err);
880 /* allowed just for 8 bytes segments */
881 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
882 struct x86_emulate_ops *ops,
883 u16 selector, struct desc_struct *desc)
886 u16 index = selector >> 3;
891 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
893 if (dt.size < index * 8 + 7) {
894 emulate_gp(ctxt, selector & 0xfffc);
895 return X86EMUL_PROPAGATE_FAULT;
898 addr = dt.address + index * 8;
899 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
900 if (ret == X86EMUL_PROPAGATE_FAULT)
901 emulate_pf(ctxt, addr, err);
906 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
907 struct x86_emulate_ops *ops,
908 u16 selector, int seg)
910 struct desc_struct seg_desc;
912 unsigned err_vec = GP_VECTOR;
914 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
917 memset(&seg_desc, 0, sizeof seg_desc);
919 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
920 || ctxt->mode == X86EMUL_MODE_REAL) {
921 /* set real mode segment descriptor */
922 set_desc_base(&seg_desc, selector << 4);
923 set_desc_limit(&seg_desc, 0xffff);
930 /* NULL selector is not valid for TR, CS and SS */
931 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
935 /* TR should be in GDT only */
936 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
939 if (null_selector) /* for NULL selector skip all following checks */
942 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
943 if (ret != X86EMUL_CONTINUE)
946 err_code = selector & 0xfffc;
949 /* can't load system descriptor into segment selecor */
950 if (seg <= VCPU_SREG_GS && !seg_desc.s)
954 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
960 cpl = ops->cpl(ctxt->vcpu);
965 * segment is not a writable data segment or segment
966 * selector's RPL != CPL or segment selector's RPL != CPL
968 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
972 if (!(seg_desc.type & 8))
975 if (seg_desc.type & 4) {
981 if (rpl > cpl || dpl != cpl)
985 selector = (selector & 0xfffc) | cpl;
988 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
992 if (seg_desc.s || seg_desc.type != 2)
995 default: /* DS, ES, FS, or GS */
997 * segment is not a data or readable code segment or
998 * ((segment is a data or nonconforming code segment)
999 * and (both RPL and CPL > DPL))
1001 if ((seg_desc.type & 0xa) == 0x8 ||
1002 (((seg_desc.type & 0xc) != 0xc) &&
1003 (rpl > dpl && cpl > dpl)))
1009 /* mark segment as accessed */
1011 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1012 if (ret != X86EMUL_CONTINUE)
1016 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1017 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
1018 return X86EMUL_CONTINUE;
1020 emulate_exception(ctxt, err_vec, err_code, true);
1021 return X86EMUL_PROPAGATE_FAULT;
1024 static void write_register_operand(struct operand *op)
1026 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1027 switch (op->bytes) {
1029 *(u8 *)op->addr.reg = (u8)op->val;
1032 *(u16 *)op->addr.reg = (u16)op->val;
1035 *op->addr.reg = (u32)op->val;
1036 break; /* 64b: zero-extend */
1038 *op->addr.reg = op->val;
1043 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1044 struct x86_emulate_ops *ops)
1047 struct decode_cache *c = &ctxt->decode;
1050 switch (c->dst.type) {
1052 write_register_operand(&c->dst);
1056 rc = ops->cmpxchg_emulated(
1064 rc = ops->write_emulated(
1070 if (rc == X86EMUL_PROPAGATE_FAULT)
1071 emulate_pf(ctxt, c->dst.addr.mem, err);
1072 if (rc != X86EMUL_CONTINUE)
1081 return X86EMUL_CONTINUE;
1084 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1085 struct x86_emulate_ops *ops)
1087 struct decode_cache *c = &ctxt->decode;
1089 c->dst.type = OP_MEM;
1090 c->dst.bytes = c->op_bytes;
1091 c->dst.val = c->src.val;
1092 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1093 c->dst.addr.mem = register_address(c, ss_base(ctxt, ops),
1094 c->regs[VCPU_REGS_RSP]);
1097 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1098 struct x86_emulate_ops *ops,
1099 void *dest, int len)
1101 struct decode_cache *c = &ctxt->decode;
1104 rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
1105 c->regs[VCPU_REGS_RSP]),
1107 if (rc != X86EMUL_CONTINUE)
1110 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1114 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1115 struct x86_emulate_ops *ops,
1116 void *dest, int len)
1119 unsigned long val, change_mask;
1120 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1121 int cpl = ops->cpl(ctxt->vcpu);
1123 rc = emulate_pop(ctxt, ops, &val, len);
1124 if (rc != X86EMUL_CONTINUE)
1127 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1128 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1130 switch(ctxt->mode) {
1131 case X86EMUL_MODE_PROT64:
1132 case X86EMUL_MODE_PROT32:
1133 case X86EMUL_MODE_PROT16:
1135 change_mask |= EFLG_IOPL;
1137 change_mask |= EFLG_IF;
1139 case X86EMUL_MODE_VM86:
1141 emulate_gp(ctxt, 0);
1142 return X86EMUL_PROPAGATE_FAULT;
1144 change_mask |= EFLG_IF;
1146 default: /* real mode */
1147 change_mask |= (EFLG_IOPL | EFLG_IF);
1151 *(unsigned long *)dest =
1152 (ctxt->eflags & ~change_mask) | (val & change_mask);
1157 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1158 struct x86_emulate_ops *ops, int seg)
1160 struct decode_cache *c = &ctxt->decode;
1162 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1164 emulate_push(ctxt, ops);
1167 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1168 struct x86_emulate_ops *ops, int seg)
1170 struct decode_cache *c = &ctxt->decode;
1171 unsigned long selector;
1174 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1175 if (rc != X86EMUL_CONTINUE)
1178 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1182 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1183 struct x86_emulate_ops *ops)
1185 struct decode_cache *c = &ctxt->decode;
1186 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1187 int rc = X86EMUL_CONTINUE;
1188 int reg = VCPU_REGS_RAX;
1190 while (reg <= VCPU_REGS_RDI) {
1191 (reg == VCPU_REGS_RSP) ?
1192 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1194 emulate_push(ctxt, ops);
1196 rc = writeback(ctxt, ops);
1197 if (rc != X86EMUL_CONTINUE)
1203 /* Disable writeback. */
1204 c->dst.type = OP_NONE;
1209 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1210 struct x86_emulate_ops *ops)
1212 struct decode_cache *c = &ctxt->decode;
1213 int rc = X86EMUL_CONTINUE;
1214 int reg = VCPU_REGS_RDI;
1216 while (reg >= VCPU_REGS_RAX) {
1217 if (reg == VCPU_REGS_RSP) {
1218 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1223 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1224 if (rc != X86EMUL_CONTINUE)
1231 int emulate_int_real(struct x86_emulate_ctxt *ctxt,
1232 struct x86_emulate_ops *ops, int irq)
1234 struct decode_cache *c = &ctxt->decode;
1242 /* TODO: Add limit checks */
1243 c->src.val = ctxt->eflags;
1244 emulate_push(ctxt, ops);
1245 rc = writeback(ctxt, ops);
1246 if (rc != X86EMUL_CONTINUE)
1249 ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
1251 c->src.val = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1252 emulate_push(ctxt, ops);
1253 rc = writeback(ctxt, ops);
1254 if (rc != X86EMUL_CONTINUE)
1257 c->src.val = c->eip;
1258 emulate_push(ctxt, ops);
1259 rc = writeback(ctxt, ops);
1260 if (rc != X86EMUL_CONTINUE)
1263 c->dst.type = OP_NONE;
1265 ops->get_idt(&dt, ctxt->vcpu);
1267 eip_addr = dt.address + (irq << 2);
1268 cs_addr = dt.address + (irq << 2) + 2;
1270 rc = ops->read_std(cs_addr, &cs, 2, ctxt->vcpu, &err);
1271 if (rc != X86EMUL_CONTINUE)
1274 rc = ops->read_std(eip_addr, &eip, 2, ctxt->vcpu, &err);
1275 if (rc != X86EMUL_CONTINUE)
1278 rc = load_segment_descriptor(ctxt, ops, cs, VCPU_SREG_CS);
1279 if (rc != X86EMUL_CONTINUE)
1287 static int emulate_int(struct x86_emulate_ctxt *ctxt,
1288 struct x86_emulate_ops *ops, int irq)
1290 switch(ctxt->mode) {
1291 case X86EMUL_MODE_REAL:
1292 return emulate_int_real(ctxt, ops, irq);
1293 case X86EMUL_MODE_VM86:
1294 case X86EMUL_MODE_PROT16:
1295 case X86EMUL_MODE_PROT32:
1296 case X86EMUL_MODE_PROT64:
1298 /* Protected mode interrupts unimplemented yet */
1299 return X86EMUL_UNHANDLEABLE;
1303 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
1304 struct x86_emulate_ops *ops)
1306 struct decode_cache *c = &ctxt->decode;
1307 int rc = X86EMUL_CONTINUE;
1308 unsigned long temp_eip = 0;
1309 unsigned long temp_eflags = 0;
1310 unsigned long cs = 0;
1311 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1312 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1313 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1314 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1316 /* TODO: Add stack limit check */
1318 rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);
1320 if (rc != X86EMUL_CONTINUE)
1323 if (temp_eip & ~0xffff) {
1324 emulate_gp(ctxt, 0);
1325 return X86EMUL_PROPAGATE_FAULT;
1328 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1330 if (rc != X86EMUL_CONTINUE)
1333 rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);
1335 if (rc != X86EMUL_CONTINUE)
1338 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1340 if (rc != X86EMUL_CONTINUE)
1346 if (c->op_bytes == 4)
1347 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1348 else if (c->op_bytes == 2) {
1349 ctxt->eflags &= ~0xffff;
1350 ctxt->eflags |= temp_eflags;
1353 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1354 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1359 static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
1360 struct x86_emulate_ops* ops)
1362 switch(ctxt->mode) {
1363 case X86EMUL_MODE_REAL:
1364 return emulate_iret_real(ctxt, ops);
1365 case X86EMUL_MODE_VM86:
1366 case X86EMUL_MODE_PROT16:
1367 case X86EMUL_MODE_PROT32:
1368 case X86EMUL_MODE_PROT64:
1370 /* iret from protected mode unimplemented yet */
1371 return X86EMUL_UNHANDLEABLE;
1375 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1376 struct x86_emulate_ops *ops)
1378 struct decode_cache *c = &ctxt->decode;
1380 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1383 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1385 struct decode_cache *c = &ctxt->decode;
1386 switch (c->modrm_reg) {
1388 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1391 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1394 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1397 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1399 case 4: /* sal/shl */
1400 case 6: /* sal/shl */
1401 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1404 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1407 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1412 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1413 struct x86_emulate_ops *ops)
1415 struct decode_cache *c = &ctxt->decode;
1416 unsigned long *rax = &c->regs[VCPU_REGS_RAX];
1417 unsigned long *rdx = &c->regs[VCPU_REGS_RDX];
1419 switch (c->modrm_reg) {
1420 case 0 ... 1: /* test */
1421 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1424 c->dst.val = ~c->dst.val;
1427 emulate_1op("neg", c->dst, ctxt->eflags);
1430 emulate_1op_rax_rdx("mul", c->src, *rax, *rdx, ctxt->eflags);
1433 emulate_1op_rax_rdx("imul", c->src, *rax, *rdx, ctxt->eflags);
1436 emulate_1op_rax_rdx("div", c->src, *rax, *rdx, ctxt->eflags);
1439 emulate_1op_rax_rdx("idiv", c->src, *rax, *rdx, ctxt->eflags);
1442 return X86EMUL_UNHANDLEABLE;
1444 return X86EMUL_CONTINUE;
1447 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1448 struct x86_emulate_ops *ops)
1450 struct decode_cache *c = &ctxt->decode;
1452 switch (c->modrm_reg) {
1454 emulate_1op("inc", c->dst, ctxt->eflags);
1457 emulate_1op("dec", c->dst, ctxt->eflags);
1459 case 2: /* call near abs */ {
1462 c->eip = c->src.val;
1463 c->src.val = old_eip;
1464 emulate_push(ctxt, ops);
1467 case 4: /* jmp abs */
1468 c->eip = c->src.val;
1471 emulate_push(ctxt, ops);
1474 return X86EMUL_CONTINUE;
1477 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1478 struct x86_emulate_ops *ops)
1480 struct decode_cache *c = &ctxt->decode;
1481 u64 old = c->dst.orig_val64;
1483 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1484 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1485 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1486 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1487 ctxt->eflags &= ~EFLG_ZF;
1489 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1490 (u32) c->regs[VCPU_REGS_RBX];
1492 ctxt->eflags |= EFLG_ZF;
1494 return X86EMUL_CONTINUE;
1497 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1498 struct x86_emulate_ops *ops)
1500 struct decode_cache *c = &ctxt->decode;
1504 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1505 if (rc != X86EMUL_CONTINUE)
1507 if (c->op_bytes == 4)
1508 c->eip = (u32)c->eip;
1509 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1510 if (rc != X86EMUL_CONTINUE)
1512 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1517 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1518 struct x86_emulate_ops *ops, struct desc_struct *cs,
1519 struct desc_struct *ss)
1521 memset(cs, 0, sizeof(struct desc_struct));
1522 ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
1523 memset(ss, 0, sizeof(struct desc_struct));
1525 cs->l = 0; /* will be adjusted later */
1526 set_desc_base(cs, 0); /* flat segment */
1527 cs->g = 1; /* 4kb granularity */
1528 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1529 cs->type = 0x0b; /* Read, Execute, Accessed */
1531 cs->dpl = 0; /* will be adjusted later */
1535 set_desc_base(ss, 0); /* flat segment */
1536 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1537 ss->g = 1; /* 4kb granularity */
1539 ss->type = 0x03; /* Read/Write, Accessed */
1540 ss->d = 1; /* 32bit stack segment */
1546 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1548 struct decode_cache *c = &ctxt->decode;
1549 struct desc_struct cs, ss;
1553 /* syscall is not available in real mode */
1554 if (ctxt->mode == X86EMUL_MODE_REAL ||
1555 ctxt->mode == X86EMUL_MODE_VM86) {
1557 return X86EMUL_PROPAGATE_FAULT;
1560 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1562 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1564 cs_sel = (u16)(msr_data & 0xfffc);
1565 ss_sel = (u16)(msr_data + 8);
1567 if (is_long_mode(ctxt->vcpu)) {
1571 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1572 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1573 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1574 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1576 c->regs[VCPU_REGS_RCX] = c->eip;
1577 if (is_long_mode(ctxt->vcpu)) {
1578 #ifdef CONFIG_X86_64
1579 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1581 ops->get_msr(ctxt->vcpu,
1582 ctxt->mode == X86EMUL_MODE_PROT64 ?
1583 MSR_LSTAR : MSR_CSTAR, &msr_data);
1586 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1587 ctxt->eflags &= ~(msr_data | EFLG_RF);
1591 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1592 c->eip = (u32)msr_data;
1594 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1597 return X86EMUL_CONTINUE;
1601 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1603 struct decode_cache *c = &ctxt->decode;
1604 struct desc_struct cs, ss;
1608 /* inject #GP if in real mode */
1609 if (ctxt->mode == X86EMUL_MODE_REAL) {
1610 emulate_gp(ctxt, 0);
1611 return X86EMUL_PROPAGATE_FAULT;
1614 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1615 * Therefore, we inject an #UD.
1617 if (ctxt->mode == X86EMUL_MODE_PROT64) {
1619 return X86EMUL_PROPAGATE_FAULT;
1622 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1624 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1625 switch (ctxt->mode) {
1626 case X86EMUL_MODE_PROT32:
1627 if ((msr_data & 0xfffc) == 0x0) {
1628 emulate_gp(ctxt, 0);
1629 return X86EMUL_PROPAGATE_FAULT;
1632 case X86EMUL_MODE_PROT64:
1633 if (msr_data == 0x0) {
1634 emulate_gp(ctxt, 0);
1635 return X86EMUL_PROPAGATE_FAULT;
1640 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1641 cs_sel = (u16)msr_data;
1642 cs_sel &= ~SELECTOR_RPL_MASK;
1643 ss_sel = cs_sel + 8;
1644 ss_sel &= ~SELECTOR_RPL_MASK;
1645 if (ctxt->mode == X86EMUL_MODE_PROT64
1646 || is_long_mode(ctxt->vcpu)) {
1651 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1652 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1653 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1654 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1656 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
1659 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
1660 c->regs[VCPU_REGS_RSP] = msr_data;
1662 return X86EMUL_CONTINUE;
1666 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1668 struct decode_cache *c = &ctxt->decode;
1669 struct desc_struct cs, ss;
1674 /* inject #GP if in real mode or Virtual 8086 mode */
1675 if (ctxt->mode == X86EMUL_MODE_REAL ||
1676 ctxt->mode == X86EMUL_MODE_VM86) {
1677 emulate_gp(ctxt, 0);
1678 return X86EMUL_PROPAGATE_FAULT;
1681 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1683 if ((c->rex_prefix & 0x8) != 0x0)
1684 usermode = X86EMUL_MODE_PROT64;
1686 usermode = X86EMUL_MODE_PROT32;
1690 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1692 case X86EMUL_MODE_PROT32:
1693 cs_sel = (u16)(msr_data + 16);
1694 if ((msr_data & 0xfffc) == 0x0) {
1695 emulate_gp(ctxt, 0);
1696 return X86EMUL_PROPAGATE_FAULT;
1698 ss_sel = (u16)(msr_data + 24);
1700 case X86EMUL_MODE_PROT64:
1701 cs_sel = (u16)(msr_data + 32);
1702 if (msr_data == 0x0) {
1703 emulate_gp(ctxt, 0);
1704 return X86EMUL_PROPAGATE_FAULT;
1706 ss_sel = cs_sel + 8;
1711 cs_sel |= SELECTOR_RPL_MASK;
1712 ss_sel |= SELECTOR_RPL_MASK;
1714 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1715 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1716 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1717 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1719 c->eip = c->regs[VCPU_REGS_RDX];
1720 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
1722 return X86EMUL_CONTINUE;
1725 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
1726 struct x86_emulate_ops *ops)
1729 if (ctxt->mode == X86EMUL_MODE_REAL)
1731 if (ctxt->mode == X86EMUL_MODE_VM86)
1733 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1734 return ops->cpl(ctxt->vcpu) > iopl;
1737 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
1738 struct x86_emulate_ops *ops,
1741 struct desc_struct tr_seg;
1744 u8 perm, bit_idx = port & 0x7;
1745 unsigned mask = (1 << len) - 1;
1747 ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
1750 if (desc_limit_scaled(&tr_seg) < 103)
1752 r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
1754 if (r != X86EMUL_CONTINUE)
1756 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
1758 r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
1759 &perm, 1, ctxt->vcpu, NULL);
1760 if (r != X86EMUL_CONTINUE)
1762 if ((perm >> bit_idx) & mask)
1767 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
1768 struct x86_emulate_ops *ops,
1774 if (emulator_bad_iopl(ctxt, ops))
1775 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
1778 ctxt->perm_ok = true;
1783 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
1784 struct x86_emulate_ops *ops,
1785 struct tss_segment_16 *tss)
1787 struct decode_cache *c = &ctxt->decode;
1790 tss->flag = ctxt->eflags;
1791 tss->ax = c->regs[VCPU_REGS_RAX];
1792 tss->cx = c->regs[VCPU_REGS_RCX];
1793 tss->dx = c->regs[VCPU_REGS_RDX];
1794 tss->bx = c->regs[VCPU_REGS_RBX];
1795 tss->sp = c->regs[VCPU_REGS_RSP];
1796 tss->bp = c->regs[VCPU_REGS_RBP];
1797 tss->si = c->regs[VCPU_REGS_RSI];
1798 tss->di = c->regs[VCPU_REGS_RDI];
1800 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1801 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1802 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1803 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1804 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1807 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
1808 struct x86_emulate_ops *ops,
1809 struct tss_segment_16 *tss)
1811 struct decode_cache *c = &ctxt->decode;
1815 ctxt->eflags = tss->flag | 2;
1816 c->regs[VCPU_REGS_RAX] = tss->ax;
1817 c->regs[VCPU_REGS_RCX] = tss->cx;
1818 c->regs[VCPU_REGS_RDX] = tss->dx;
1819 c->regs[VCPU_REGS_RBX] = tss->bx;
1820 c->regs[VCPU_REGS_RSP] = tss->sp;
1821 c->regs[VCPU_REGS_RBP] = tss->bp;
1822 c->regs[VCPU_REGS_RSI] = tss->si;
1823 c->regs[VCPU_REGS_RDI] = tss->di;
1826 * SDM says that segment selectors are loaded before segment
1829 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
1830 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1831 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1832 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1833 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1836 * Now load segment descriptors. If fault happenes at this stage
1837 * it is handled in a context of new task
1839 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
1840 if (ret != X86EMUL_CONTINUE)
1842 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1843 if (ret != X86EMUL_CONTINUE)
1845 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1846 if (ret != X86EMUL_CONTINUE)
1848 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1849 if (ret != X86EMUL_CONTINUE)
1851 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1852 if (ret != X86EMUL_CONTINUE)
1855 return X86EMUL_CONTINUE;
1858 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
1859 struct x86_emulate_ops *ops,
1860 u16 tss_selector, u16 old_tss_sel,
1861 ulong old_tss_base, struct desc_struct *new_desc)
1863 struct tss_segment_16 tss_seg;
1865 u32 err, new_tss_base = get_desc_base(new_desc);
1867 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1869 if (ret == X86EMUL_PROPAGATE_FAULT) {
1870 /* FIXME: need to provide precise fault address */
1871 emulate_pf(ctxt, old_tss_base, err);
1875 save_state_to_tss16(ctxt, ops, &tss_seg);
1877 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1879 if (ret == X86EMUL_PROPAGATE_FAULT) {
1880 /* FIXME: need to provide precise fault address */
1881 emulate_pf(ctxt, old_tss_base, err);
1885 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
1887 if (ret == X86EMUL_PROPAGATE_FAULT) {
1888 /* FIXME: need to provide precise fault address */
1889 emulate_pf(ctxt, new_tss_base, err);
1893 if (old_tss_sel != 0xffff) {
1894 tss_seg.prev_task_link = old_tss_sel;
1896 ret = ops->write_std(new_tss_base,
1897 &tss_seg.prev_task_link,
1898 sizeof tss_seg.prev_task_link,
1900 if (ret == X86EMUL_PROPAGATE_FAULT) {
1901 /* FIXME: need to provide precise fault address */
1902 emulate_pf(ctxt, new_tss_base, err);
1907 return load_state_from_tss16(ctxt, ops, &tss_seg);
1910 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
1911 struct x86_emulate_ops *ops,
1912 struct tss_segment_32 *tss)
1914 struct decode_cache *c = &ctxt->decode;
1916 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
1918 tss->eflags = ctxt->eflags;
1919 tss->eax = c->regs[VCPU_REGS_RAX];
1920 tss->ecx = c->regs[VCPU_REGS_RCX];
1921 tss->edx = c->regs[VCPU_REGS_RDX];
1922 tss->ebx = c->regs[VCPU_REGS_RBX];
1923 tss->esp = c->regs[VCPU_REGS_RSP];
1924 tss->ebp = c->regs[VCPU_REGS_RBP];
1925 tss->esi = c->regs[VCPU_REGS_RSI];
1926 tss->edi = c->regs[VCPU_REGS_RDI];
1928 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
1929 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
1930 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
1931 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
1932 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
1933 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
1934 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
1937 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
1938 struct x86_emulate_ops *ops,
1939 struct tss_segment_32 *tss)
1941 struct decode_cache *c = &ctxt->decode;
1944 if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
1945 emulate_gp(ctxt, 0);
1946 return X86EMUL_PROPAGATE_FAULT;
1949 ctxt->eflags = tss->eflags | 2;
1950 c->regs[VCPU_REGS_RAX] = tss->eax;
1951 c->regs[VCPU_REGS_RCX] = tss->ecx;
1952 c->regs[VCPU_REGS_RDX] = tss->edx;
1953 c->regs[VCPU_REGS_RBX] = tss->ebx;
1954 c->regs[VCPU_REGS_RSP] = tss->esp;
1955 c->regs[VCPU_REGS_RBP] = tss->ebp;
1956 c->regs[VCPU_REGS_RSI] = tss->esi;
1957 c->regs[VCPU_REGS_RDI] = tss->edi;
1960 * SDM says that segment selectors are loaded before segment
1963 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
1964 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
1965 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
1966 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
1967 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
1968 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
1969 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
1972 * Now load segment descriptors. If fault happenes at this stage
1973 * it is handled in a context of new task
1975 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
1976 if (ret != X86EMUL_CONTINUE)
1978 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
1979 if (ret != X86EMUL_CONTINUE)
1981 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
1982 if (ret != X86EMUL_CONTINUE)
1984 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
1985 if (ret != X86EMUL_CONTINUE)
1987 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
1988 if (ret != X86EMUL_CONTINUE)
1990 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
1991 if (ret != X86EMUL_CONTINUE)
1993 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
1994 if (ret != X86EMUL_CONTINUE)
1997 return X86EMUL_CONTINUE;
2000 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2001 struct x86_emulate_ops *ops,
2002 u16 tss_selector, u16 old_tss_sel,
2003 ulong old_tss_base, struct desc_struct *new_desc)
2005 struct tss_segment_32 tss_seg;
2007 u32 err, new_tss_base = get_desc_base(new_desc);
2009 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2011 if (ret == X86EMUL_PROPAGATE_FAULT) {
2012 /* FIXME: need to provide precise fault address */
2013 emulate_pf(ctxt, old_tss_base, err);
2017 save_state_to_tss32(ctxt, ops, &tss_seg);
2019 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2021 if (ret == X86EMUL_PROPAGATE_FAULT) {
2022 /* FIXME: need to provide precise fault address */
2023 emulate_pf(ctxt, old_tss_base, err);
2027 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2029 if (ret == X86EMUL_PROPAGATE_FAULT) {
2030 /* FIXME: need to provide precise fault address */
2031 emulate_pf(ctxt, new_tss_base, err);
2035 if (old_tss_sel != 0xffff) {
2036 tss_seg.prev_task_link = old_tss_sel;
2038 ret = ops->write_std(new_tss_base,
2039 &tss_seg.prev_task_link,
2040 sizeof tss_seg.prev_task_link,
2042 if (ret == X86EMUL_PROPAGATE_FAULT) {
2043 /* FIXME: need to provide precise fault address */
2044 emulate_pf(ctxt, new_tss_base, err);
2049 return load_state_from_tss32(ctxt, ops, &tss_seg);
2052 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2053 struct x86_emulate_ops *ops,
2054 u16 tss_selector, int reason,
2055 bool has_error_code, u32 error_code)
2057 struct desc_struct curr_tss_desc, next_tss_desc;
2059 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2060 ulong old_tss_base =
2061 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
2064 /* FIXME: old_tss_base == ~0 ? */
2066 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2067 if (ret != X86EMUL_CONTINUE)
2069 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2070 if (ret != X86EMUL_CONTINUE)
2073 /* FIXME: check that next_tss_desc is tss */
2075 if (reason != TASK_SWITCH_IRET) {
2076 if ((tss_selector & 3) > next_tss_desc.dpl ||
2077 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
2078 emulate_gp(ctxt, 0);
2079 return X86EMUL_PROPAGATE_FAULT;
2083 desc_limit = desc_limit_scaled(&next_tss_desc);
2084 if (!next_tss_desc.p ||
2085 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2086 desc_limit < 0x2b)) {
2087 emulate_ts(ctxt, tss_selector & 0xfffc);
2088 return X86EMUL_PROPAGATE_FAULT;
2091 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2092 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2093 write_segment_descriptor(ctxt, ops, old_tss_sel,
2097 if (reason == TASK_SWITCH_IRET)
2098 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2100 /* set back link to prev task only if NT bit is set in eflags
2101 note that old_tss_sel is not used afetr this point */
2102 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2103 old_tss_sel = 0xffff;
2105 if (next_tss_desc.type & 8)
2106 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2107 old_tss_base, &next_tss_desc);
2109 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2110 old_tss_base, &next_tss_desc);
2111 if (ret != X86EMUL_CONTINUE)
2114 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2115 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2117 if (reason != TASK_SWITCH_IRET) {
2118 next_tss_desc.type |= (1 << 1); /* set busy flag */
2119 write_segment_descriptor(ctxt, ops, tss_selector,
2123 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2124 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
2125 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2127 if (has_error_code) {
2128 struct decode_cache *c = &ctxt->decode;
2130 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2132 c->src.val = (unsigned long) error_code;
2133 emulate_push(ctxt, ops);
2139 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2140 u16 tss_selector, int reason,
2141 bool has_error_code, u32 error_code)
2143 struct x86_emulate_ops *ops = ctxt->ops;
2144 struct decode_cache *c = &ctxt->decode;
2148 c->dst.type = OP_NONE;
2150 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2151 has_error_code, error_code);
2153 if (rc == X86EMUL_CONTINUE) {
2154 rc = writeback(ctxt, ops);
2155 if (rc == X86EMUL_CONTINUE)
2159 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2162 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2163 int reg, struct operand *op)
2165 struct decode_cache *c = &ctxt->decode;
2166 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2168 register_address_increment(c, &c->regs[reg], df * op->bytes);
2169 op->addr.mem = register_address(c, base, c->regs[reg]);
2172 static int em_push(struct x86_emulate_ctxt *ctxt)
2174 emulate_push(ctxt, ctxt->ops);
2175 return X86EMUL_CONTINUE;
2178 static int em_das(struct x86_emulate_ctxt *ctxt)
2180 struct decode_cache *c = &ctxt->decode;
2182 bool af, cf, old_cf;
2184 cf = ctxt->eflags & X86_EFLAGS_CF;
2190 af = ctxt->eflags & X86_EFLAGS_AF;
2191 if ((al & 0x0f) > 9 || af) {
2193 cf = old_cf | (al >= 250);
2198 if (old_al > 0x99 || old_cf) {
2204 /* Set PF, ZF, SF */
2205 c->src.type = OP_IMM;
2208 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2209 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
2211 ctxt->eflags |= X86_EFLAGS_CF;
2213 ctxt->eflags |= X86_EFLAGS_AF;
2214 return X86EMUL_CONTINUE;
2217 static int em_call_far(struct x86_emulate_ctxt *ctxt)
2219 struct decode_cache *c = &ctxt->decode;
2224 old_cs = ctxt->ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2227 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
2228 if (load_segment_descriptor(ctxt, ctxt->ops, sel, VCPU_SREG_CS))
2229 return X86EMUL_CONTINUE;
2232 memcpy(&c->eip, c->src.valptr, c->op_bytes);
2234 c->src.val = old_cs;
2235 emulate_push(ctxt, ctxt->ops);
2236 rc = writeback(ctxt, ctxt->ops);
2237 if (rc != X86EMUL_CONTINUE)
2240 c->src.val = old_eip;
2241 emulate_push(ctxt, ctxt->ops);
2242 rc = writeback(ctxt, ctxt->ops);
2243 if (rc != X86EMUL_CONTINUE)
2246 c->dst.type = OP_NONE;
2248 return X86EMUL_CONTINUE;
2251 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
2253 struct decode_cache *c = &ctxt->decode;
2256 c->dst.type = OP_REG;
2257 c->dst.addr.reg = &c->eip;
2258 c->dst.bytes = c->op_bytes;
2259 rc = emulate_pop(ctxt, ctxt->ops, &c->dst.val, c->op_bytes);
2260 if (rc != X86EMUL_CONTINUE)
2262 register_address_increment(c, &c->regs[VCPU_REGS_RSP], c->src.val);
2263 return X86EMUL_CONTINUE;
2266 static int em_imul(struct x86_emulate_ctxt *ctxt)
2268 struct decode_cache *c = &ctxt->decode;
2270 emulate_2op_SrcV_nobyte("imul", c->src, c->dst, ctxt->eflags);
2271 return X86EMUL_CONTINUE;
2274 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
2276 struct decode_cache *c = &ctxt->decode;
2278 c->dst.val = c->src2.val;
2279 return em_imul(ctxt);
2282 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
2284 unsigned cpl = ctxt->ops->cpl(ctxt->vcpu);
2285 struct decode_cache *c = &ctxt->decode;
2288 if (cpl > 0 && (ctxt->ops->get_cr(4, ctxt->vcpu) & X86_CR4_TSD)) {
2289 emulate_gp(ctxt, 0);
2290 return X86EMUL_PROPAGATE_FAULT;
2292 ctxt->ops->get_msr(ctxt->vcpu, MSR_IA32_TSC, &tsc);
2293 c->regs[VCPU_REGS_RAX] = (u32)tsc;
2294 c->regs[VCPU_REGS_RDX] = tsc >> 32;
2295 return X86EMUL_CONTINUE;
2298 #define D(_y) { .flags = (_y) }
2300 #define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
2301 #define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
2302 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
2304 static struct opcode group1[] = {
2308 static struct opcode group1A[] = {
2309 D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
2312 static struct opcode group3[] = {
2313 D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
2314 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2315 X4(D(SrcMem | ModRM)),
2318 static struct opcode group4[] = {
2319 D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
2323 static struct opcode group5[] = {
2324 D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
2325 D(SrcMem | ModRM | Stack),
2326 I(SrcMemFAddr | ModRM | ImplicitOps | Stack, em_call_far),
2327 D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
2328 D(SrcMem | ModRM | Stack), N,
2331 static struct group_dual group7 = { {
2332 N, N, D(ModRM | SrcMem | Priv), D(ModRM | SrcMem | Priv),
2333 D(SrcNone | ModRM | DstMem | Mov), N,
2334 D(SrcMem16 | ModRM | Mov | Priv),
2335 D(SrcMem | ModRM | ByteOp | Priv | NoAccess),
2337 D(SrcNone | ModRM | Priv), N, N, D(SrcNone | ModRM | Priv),
2338 D(SrcNone | ModRM | DstMem | Mov), N,
2339 D(SrcMem16 | ModRM | Mov | Priv), N,
2342 static struct opcode group8[] = {
2344 D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
2345 D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
2348 static struct group_dual group9 = { {
2349 N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
2351 N, N, N, N, N, N, N, N,
2354 static struct opcode opcode_table[256] = {
2356 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2357 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2358 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2359 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2361 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2362 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2363 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2364 D(ImplicitOps | Stack | No64), N,
2366 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2367 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2368 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2369 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2371 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2372 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2373 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2374 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2376 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2377 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2378 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2380 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2381 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2382 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm),
2383 N, I(ByteOp | DstAcc | No64, em_das),
2385 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2386 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2387 D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
2389 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
2390 D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2391 D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
2396 X8(I(SrcReg | Stack, em_push)),
2398 X8(D(DstReg | Stack)),
2400 D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
2401 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
2404 I(SrcImm | Mov | Stack, em_push), N,
2405 I(SrcImmByte | Mov | Stack, em_push),
2406 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
2407 D(DstDI | ByteOp | Mov | String), D(DstDI | Mov | String), /* insb, insw/insd */
2408 D(SrcSI | ByteOp | ImplicitOps | String), D(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
2412 G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
2413 G(DstMem | SrcImm | ModRM | Group, group1),
2414 G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
2415 G(DstMem | SrcImmByte | ModRM | Group, group1),
2416 D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
2417 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2419 D(ByteOp | DstMem | SrcReg | ModRM | Mov), D(DstMem | SrcReg | ModRM | Mov),
2420 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem | ModRM | Mov),
2421 D(DstMem | SrcNone | ModRM | Mov), D(ModRM | SrcMem | NoAccess | DstReg),
2422 D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
2424 X8(D(SrcAcc | DstReg)),
2426 D(DstAcc | SrcNone), N, D(SrcImmFAddr | No64), N,
2427 D(ImplicitOps | Stack), D(ImplicitOps | Stack), N, N,
2429 D(ByteOp | DstAcc | SrcMem | Mov | MemAbs), D(DstAcc | SrcMem | Mov | MemAbs),
2430 D(ByteOp | DstMem | SrcAcc | Mov | MemAbs), D(DstMem | SrcAcc | Mov | MemAbs),
2431 D(ByteOp | SrcSI | DstDI | Mov | String), D(SrcSI | DstDI | Mov | String),
2432 D(ByteOp | SrcSI | DstDI | String), D(SrcSI | DstDI | String),
2434 D(DstAcc | SrcImmByte | ByteOp), D(DstAcc | SrcImm),
2435 D(ByteOp | SrcAcc | DstDI | Mov | String), D(SrcAcc | DstDI | Mov | String),
2436 D(ByteOp | SrcSI | DstAcc | Mov | String), D(SrcSI | DstAcc | Mov | String),
2437 D(ByteOp | SrcAcc | DstDI | String), D(SrcAcc | DstDI | String),
2439 X8(D(ByteOp | DstReg | SrcImm | Mov)),
2441 X8(D(DstReg | SrcImm | Mov)),
2443 D(ByteOp | DstMem | SrcImm | ModRM), D(DstMem | SrcImmByte | ModRM),
2444 I(ImplicitOps | Stack | SrcImmU16, em_ret_near_imm),
2445 D(ImplicitOps | Stack),
2447 D(ByteOp | DstMem | SrcImm | ModRM | Mov), D(DstMem | SrcImm | ModRM | Mov),
2449 N, N, N, D(ImplicitOps | Stack),
2450 D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64), D(ImplicitOps),
2452 D(ByteOp | DstMem | SrcOne | ModRM), D(DstMem | SrcOne | ModRM),
2453 D(ByteOp | DstMem | ModRM), D(DstMem | ModRM),
2456 N, N, N, N, N, N, N, N,
2458 X3(D(SrcImmByte)), N,
2459 D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
2460 D(ByteOp | SrcAcc | DstImmUByte), D(SrcAcc | DstImmUByte),
2462 D(SrcImm | Stack), D(SrcImm | ImplicitOps),
2463 D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
2464 D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
2465 D(ByteOp | SrcAcc | ImplicitOps), D(SrcAcc | ImplicitOps),
2468 D(ImplicitOps | Priv), D(ImplicitOps), G(ByteOp, group3), G(0, group3),
2470 D(ImplicitOps), D(ImplicitOps), D(ImplicitOps), D(ImplicitOps),
2471 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
2474 static struct opcode twobyte_table[256] = {
2476 N, GD(0, &group7), N, N,
2477 N, D(ImplicitOps), D(ImplicitOps | Priv), N,
2478 D(ImplicitOps | Priv), D(ImplicitOps | Priv), N, N,
2479 N, D(ImplicitOps | ModRM), N, N,
2481 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
2483 D(ModRM | DstMem | Priv | Op3264), D(ModRM | DstMem | Priv | Op3264),
2484 D(ModRM | SrcMem | Priv | Op3264), D(ModRM | SrcMem | Priv | Op3264),
2486 N, N, N, N, N, N, N, N,
2488 D(ImplicitOps | Priv), I(ImplicitOps, em_rdtsc),
2489 D(ImplicitOps | Priv), N,
2490 D(ImplicitOps), D(ImplicitOps | Priv), N, N,
2491 N, N, N, N, N, N, N, N,
2493 X16(D(DstReg | SrcMem | ModRM | Mov)),
2495 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2497 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2499 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2503 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
2505 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2506 N, D(DstMem | SrcReg | ModRM | BitOp),
2507 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2508 D(DstMem | SrcReg | Src2CL | ModRM), N, N,
2510 D(ImplicitOps | Stack), D(ImplicitOps | Stack),
2511 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
2512 D(DstMem | SrcReg | Src2ImmByte | ModRM),
2513 D(DstMem | SrcReg | Src2CL | ModRM),
2514 D(ModRM), I(DstReg | SrcMem | ModRM, em_imul),
2516 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2517 N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
2518 N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
2519 D(DstReg | SrcMem16 | ModRM | Mov),
2522 G(BitOp, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
2523 D(DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
2524 D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
2526 D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
2527 N, D(DstMem | SrcReg | ModRM | Mov),
2528 N, N, N, GD(0, &group9),
2529 N, N, N, N, N, N, N, N,
2531 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2533 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
2535 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
2545 x86_decode_insn(struct x86_emulate_ctxt *ctxt)
2547 struct x86_emulate_ops *ops = ctxt->ops;
2548 struct decode_cache *c = &ctxt->decode;
2549 int rc = X86EMUL_CONTINUE;
2550 int mode = ctxt->mode;
2551 int def_op_bytes, def_ad_bytes, dual, goffset;
2552 struct opcode opcode, *g_mod012, *g_mod3;
2553 struct operand memop = { .type = OP_NONE };
2555 /* we cannot decode insn before we complete previous rep insn */
2556 WARN_ON(ctxt->restart);
2559 c->fetch.start = c->fetch.end = c->eip;
2560 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
2563 case X86EMUL_MODE_REAL:
2564 case X86EMUL_MODE_VM86:
2565 case X86EMUL_MODE_PROT16:
2566 def_op_bytes = def_ad_bytes = 2;
2568 case X86EMUL_MODE_PROT32:
2569 def_op_bytes = def_ad_bytes = 4;
2571 #ifdef CONFIG_X86_64
2572 case X86EMUL_MODE_PROT64:
2581 c->op_bytes = def_op_bytes;
2582 c->ad_bytes = def_ad_bytes;
2584 /* Legacy prefixes. */
2586 switch (c->b = insn_fetch(u8, 1, c->eip)) {
2587 case 0x66: /* operand-size override */
2588 /* switch between 2/4 bytes */
2589 c->op_bytes = def_op_bytes ^ 6;
2591 case 0x67: /* address-size override */
2592 if (mode == X86EMUL_MODE_PROT64)
2593 /* switch between 4/8 bytes */
2594 c->ad_bytes = def_ad_bytes ^ 12;
2596 /* switch between 2/4 bytes */
2597 c->ad_bytes = def_ad_bytes ^ 6;
2599 case 0x26: /* ES override */
2600 case 0x2e: /* CS override */
2601 case 0x36: /* SS override */
2602 case 0x3e: /* DS override */
2603 set_seg_override(c, (c->b >> 3) & 3);
2605 case 0x64: /* FS override */
2606 case 0x65: /* GS override */
2607 set_seg_override(c, c->b & 7);
2609 case 0x40 ... 0x4f: /* REX */
2610 if (mode != X86EMUL_MODE_PROT64)
2612 c->rex_prefix = c->b;
2614 case 0xf0: /* LOCK */
2617 case 0xf2: /* REPNE/REPNZ */
2618 c->rep_prefix = REPNE_PREFIX;
2620 case 0xf3: /* REP/REPE/REPZ */
2621 c->rep_prefix = REPE_PREFIX;
2627 /* Any legacy prefix after a REX prefix nullifies its effect. */
2635 if (c->rex_prefix & 8)
2636 c->op_bytes = 8; /* REX.W */
2638 /* Opcode byte(s). */
2639 opcode = opcode_table[c->b];
2640 /* Two-byte opcode? */
2643 c->b = insn_fetch(u8, 1, c->eip);
2644 opcode = twobyte_table[c->b];
2646 c->d = opcode.flags;
2649 dual = c->d & GroupDual;
2650 c->modrm = insn_fetch(u8, 1, c->eip);
2653 if (c->d & GroupDual) {
2654 g_mod012 = opcode.u.gdual->mod012;
2655 g_mod3 = opcode.u.gdual->mod3;
2657 g_mod012 = g_mod3 = opcode.u.group;
2659 c->d &= ~(Group | GroupDual);
2661 goffset = (c->modrm >> 3) & 7;
2663 if ((c->modrm >> 6) == 3)
2664 opcode = g_mod3[goffset];
2666 opcode = g_mod012[goffset];
2667 c->d |= opcode.flags;
2670 c->execute = opcode.u.execute;
2673 if (c->d == 0 || (c->d & Undefined)) {
2674 DPRINTF("Cannot emulate %02x\n", c->b);
2678 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
2681 if (c->d & Op3264) {
2682 if (mode == X86EMUL_MODE_PROT64)
2688 /* ModRM and SIB bytes. */
2690 rc = decode_modrm(ctxt, ops, &memop);
2691 if (!c->has_seg_override)
2692 set_seg_override(c, c->modrm_seg);
2693 } else if (c->d & MemAbs)
2694 rc = decode_abs(ctxt, ops, &memop);
2695 if (rc != X86EMUL_CONTINUE)
2698 if (!c->has_seg_override)
2699 set_seg_override(c, VCPU_SREG_DS);
2701 if (memop.type == OP_MEM && !(!c->twobyte && c->b == 0x8d))
2702 memop.addr.mem += seg_override_base(ctxt, ops, c);
2704 if (memop.type == OP_MEM && c->ad_bytes != 8)
2705 memop.addr.mem = (u32)memop.addr.mem;
2707 if (memop.type == OP_MEM && c->rip_relative)
2708 memop.addr.mem += c->eip;
2711 * Decode and fetch the source operand: register, memory
2714 switch (c->d & SrcMask) {
2718 decode_register_operand(&c->src, c, 0);
2727 memop.bytes = (c->d & ByteOp) ? 1 :
2737 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2738 if (c->src.bytes == 8)
2741 c->src.type = OP_IMM;
2742 c->src.addr.mem = c->eip;
2743 /* NB. Immediates are sign-extended as necessary. */
2744 switch (c->src.bytes) {
2746 c->src.val = insn_fetch(s8, 1, c->eip);
2749 c->src.val = insn_fetch(s16, 2, c->eip);
2752 c->src.val = insn_fetch(s32, 4, c->eip);
2755 if ((c->d & SrcMask) == SrcImmU
2756 || (c->d & SrcMask) == SrcImmU16) {
2757 switch (c->src.bytes) {
2762 c->src.val &= 0xffff;
2765 c->src.val &= 0xffffffff;
2772 c->src.type = OP_IMM;
2773 c->src.addr.mem = c->eip;
2775 if ((c->d & SrcMask) == SrcImmByte)
2776 c->src.val = insn_fetch(s8, 1, c->eip);
2778 c->src.val = insn_fetch(u8, 1, c->eip);
2781 c->src.type = OP_REG;
2782 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2783 c->src.addr.reg = &c->regs[VCPU_REGS_RAX];
2784 fetch_register_operand(&c->src);
2791 c->src.type = OP_MEM;
2792 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2794 register_address(c, seg_override_base(ctxt, ops, c),
2795 c->regs[VCPU_REGS_RSI]);
2799 c->src.type = OP_IMM;
2800 c->src.addr.mem = c->eip;
2801 c->src.bytes = c->op_bytes + 2;
2802 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
2805 memop.bytes = c->op_bytes + 2;
2811 * Decode and fetch the second source operand: register, memory
2814 switch (c->d & Src2Mask) {
2819 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
2822 c->src2.type = OP_IMM;
2823 c->src2.addr.mem = c->eip;
2825 c->src2.val = insn_fetch(u8, 1, c->eip);
2833 /* Decode and fetch the destination operand: register or memory. */
2834 switch (c->d & DstMask) {
2836 decode_register_operand(&c->dst, c,
2837 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
2840 c->dst.type = OP_IMM;
2841 c->dst.addr.mem = c->eip;
2843 c->dst.val = insn_fetch(u8, 1, c->eip);
2848 if ((c->d & DstMask) == DstMem64)
2851 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2853 fetch_bit_operand(c);
2854 c->dst.orig_val = c->dst.val;
2857 c->dst.type = OP_REG;
2858 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2859 c->dst.addr.reg = &c->regs[VCPU_REGS_RAX];
2860 fetch_register_operand(&c->dst);
2861 c->dst.orig_val = c->dst.val;
2864 c->dst.type = OP_MEM;
2865 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2867 register_address(c, es_base(ctxt, ops),
2868 c->regs[VCPU_REGS_RDI]);
2872 /* Special instructions do their own operand decoding. */
2874 c->dst.type = OP_NONE; /* Disable writeback. */
2879 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2883 x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
2885 struct x86_emulate_ops *ops = ctxt->ops;
2887 struct decode_cache *c = &ctxt->decode;
2888 int rc = X86EMUL_CONTINUE;
2889 int saved_dst_type = c->dst.type;
2890 int irq; /* Used for int 3, int, and into */
2892 ctxt->decode.mem_read.pos = 0;
2894 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2899 /* LOCK prefix is allowed only with some instructions */
2900 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2905 /* Privileged instruction can be executed only in CPL=0 */
2906 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2907 emulate_gp(ctxt, 0);
2911 if (c->rep_prefix && (c->d & String)) {
2912 ctxt->restart = true;
2913 /* All REP prefixes have the same first termination condition */
2914 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2915 ctxt->restart = false;
2921 if ((c->src.type == OP_MEM) && !(c->d & NoAccess)) {
2922 rc = read_emulated(ctxt, ops, c->src.addr.mem,
2923 c->src.valptr, c->src.bytes);
2924 if (rc != X86EMUL_CONTINUE)
2926 c->src.orig_val64 = c->src.val64;
2929 if (c->src2.type == OP_MEM) {
2930 rc = read_emulated(ctxt, ops, c->src2.addr.mem,
2931 &c->src2.val, c->src2.bytes);
2932 if (rc != X86EMUL_CONTINUE)
2936 if ((c->d & DstMask) == ImplicitOps)
2940 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
2941 /* optimisation - avoid slow emulated read if Mov */
2942 rc = read_emulated(ctxt, ops, c->dst.addr.mem,
2943 &c->dst.val, c->dst.bytes);
2944 if (rc != X86EMUL_CONTINUE)
2947 c->dst.orig_val = c->dst.val;
2952 rc = c->execute(ctxt);
2953 if (rc != X86EMUL_CONTINUE)
2964 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2966 case 0x06: /* push es */
2967 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
2969 case 0x07: /* pop es */
2970 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2971 if (rc != X86EMUL_CONTINUE)
2976 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2978 case 0x0e: /* push cs */
2979 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
2983 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2985 case 0x16: /* push ss */
2986 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
2988 case 0x17: /* pop ss */
2989 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2990 if (rc != X86EMUL_CONTINUE)
2995 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2997 case 0x1e: /* push ds */
2998 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
3000 case 0x1f: /* pop ds */
3001 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
3002 if (rc != X86EMUL_CONTINUE)
3007 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
3011 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
3015 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
3019 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3021 case 0x40 ... 0x47: /* inc r16/r32 */
3022 emulate_1op("inc", c->dst, ctxt->eflags);
3024 case 0x48 ... 0x4f: /* dec r16/r32 */
3025 emulate_1op("dec", c->dst, ctxt->eflags);
3027 case 0x58 ... 0x5f: /* pop reg */
3029 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
3030 if (rc != X86EMUL_CONTINUE)
3033 case 0x60: /* pusha */
3034 rc = emulate_pusha(ctxt, ops);
3035 if (rc != X86EMUL_CONTINUE)
3038 case 0x61: /* popa */
3039 rc = emulate_popa(ctxt, ops);
3040 if (rc != X86EMUL_CONTINUE)
3043 case 0x63: /* movsxd */
3044 if (ctxt->mode != X86EMUL_MODE_PROT64)
3045 goto cannot_emulate;
3046 c->dst.val = (s32) c->src.val;
3048 case 0x6c: /* insb */
3049 case 0x6d: /* insw/insd */
3050 c->src.val = c->regs[VCPU_REGS_RDX];
3052 case 0x6e: /* outsb */
3053 case 0x6f: /* outsw/outsd */
3054 c->dst.val = c->regs[VCPU_REGS_RDX];
3057 case 0x70 ... 0x7f: /* jcc (short) */
3058 if (test_cc(c->b, ctxt->eflags))
3059 jmp_rel(c, c->src.val);
3061 case 0x80 ... 0x83: /* Grp1 */
3062 switch (c->modrm_reg) {
3083 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
3085 case 0x86 ... 0x87: /* xchg */
3087 /* Write back the register source. */
3088 c->src.val = c->dst.val;
3089 write_register_operand(&c->src);
3091 * Write back the memory destination with implicit LOCK
3094 c->dst.val = c->src.orig_val;
3097 case 0x88 ... 0x8b: /* mov */
3099 case 0x8c: /* mov r/m, sreg */
3100 if (c->modrm_reg > VCPU_SREG_GS) {
3104 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
3106 case 0x8d: /* lea r16/r32, m */
3107 c->dst.val = c->src.addr.mem;
3109 case 0x8e: { /* mov seg, r/m16 */
3114 if (c->modrm_reg == VCPU_SREG_CS ||
3115 c->modrm_reg > VCPU_SREG_GS) {
3120 if (c->modrm_reg == VCPU_SREG_SS)
3121 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3123 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
3125 c->dst.type = OP_NONE; /* Disable writeback. */
3128 case 0x8f: /* pop (sole member of Grp1a) */
3129 rc = emulate_grp1a(ctxt, ops);
3130 if (rc != X86EMUL_CONTINUE)
3133 case 0x90 ... 0x97: /* nop / xchg reg, rax */
3134 if (c->dst.addr.reg == &c->regs[VCPU_REGS_RAX])
3137 case 0x98: /* cbw/cwde/cdqe */
3138 switch (c->op_bytes) {
3139 case 2: c->dst.val = (s8)c->dst.val; break;
3140 case 4: c->dst.val = (s16)c->dst.val; break;
3141 case 8: c->dst.val = (s32)c->dst.val; break;
3144 case 0x9c: /* pushf */
3145 c->src.val = (unsigned long) ctxt->eflags;
3146 emulate_push(ctxt, ops);
3148 case 0x9d: /* popf */
3149 c->dst.type = OP_REG;
3150 c->dst.addr.reg = &ctxt->eflags;
3151 c->dst.bytes = c->op_bytes;
3152 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
3153 if (rc != X86EMUL_CONTINUE)
3156 case 0xa0 ... 0xa3: /* mov */
3157 case 0xa4 ... 0xa5: /* movs */
3159 case 0xa6 ... 0xa7: /* cmps */
3160 c->dst.type = OP_NONE; /* Disable writeback. */
3161 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.addr.mem, c->dst.addr.mem);
3163 case 0xa8 ... 0xa9: /* test ax, imm */
3165 case 0xaa ... 0xab: /* stos */
3166 case 0xac ... 0xad: /* lods */
3168 case 0xae ... 0xaf: /* scas */
3170 case 0xb0 ... 0xbf: /* mov r, imm */
3175 case 0xc3: /* ret */
3176 c->dst.type = OP_REG;
3177 c->dst.addr.reg = &c->eip;
3178 c->dst.bytes = c->op_bytes;
3179 goto pop_instruction;
3180 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
3182 c->dst.val = c->src.val;
3184 case 0xcb: /* ret far */
3185 rc = emulate_ret_far(ctxt, ops);
3186 if (rc != X86EMUL_CONTINUE)
3189 case 0xcc: /* int3 */
3192 case 0xcd: /* int n */
3195 rc = emulate_int(ctxt, ops, irq);
3196 if (rc != X86EMUL_CONTINUE)
3199 case 0xce: /* into */
3200 if (ctxt->eflags & EFLG_OF) {
3205 case 0xcf: /* iret */
3206 rc = emulate_iret(ctxt, ops);
3208 if (rc != X86EMUL_CONTINUE)
3211 case 0xd0 ... 0xd1: /* Grp2 */
3214 case 0xd2 ... 0xd3: /* Grp2 */
3215 c->src.val = c->regs[VCPU_REGS_RCX];
3218 case 0xe0 ... 0xe2: /* loop/loopz/loopnz */
3219 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3220 if (address_mask(c, c->regs[VCPU_REGS_RCX]) != 0 &&
3221 (c->b == 0xe2 || test_cc(c->b ^ 0x5, ctxt->eflags)))
3222 jmp_rel(c, c->src.val);
3224 case 0xe4: /* inb */
3227 case 0xe6: /* outb */
3228 case 0xe7: /* out */
3230 case 0xe8: /* call (near) */ {
3231 long int rel = c->src.val;
3232 c->src.val = (unsigned long) c->eip;
3234 emulate_push(ctxt, ops);
3237 case 0xe9: /* jmp rel */
3239 case 0xea: { /* jmp far */
3242 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
3244 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
3248 memcpy(&c->eip, c->src.valptr, c->op_bytes);
3252 jmp: /* jmp rel short */
3253 jmp_rel(c, c->src.val);
3254 c->dst.type = OP_NONE; /* Disable writeback. */
3256 case 0xec: /* in al,dx */
3257 case 0xed: /* in (e/r)ax,dx */
3258 c->src.val = c->regs[VCPU_REGS_RDX];
3260 c->dst.bytes = min(c->dst.bytes, 4u);
3261 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3262 emulate_gp(ctxt, 0);
3265 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
3267 goto done; /* IO is needed */
3269 case 0xee: /* out dx,al */
3270 case 0xef: /* out dx,(e/r)ax */
3271 c->dst.val = c->regs[VCPU_REGS_RDX];
3273 c->src.bytes = min(c->src.bytes, 4u);
3274 if (!emulator_io_permited(ctxt, ops, c->dst.val,
3276 emulate_gp(ctxt, 0);
3279 ops->pio_out_emulated(c->src.bytes, c->dst.val,
3280 &c->src.val, 1, ctxt->vcpu);
3281 c->dst.type = OP_NONE; /* Disable writeback. */
3283 case 0xf4: /* hlt */
3284 ctxt->vcpu->arch.halt_request = 1;
3286 case 0xf5: /* cmc */
3287 /* complement carry flag from eflags reg */
3288 ctxt->eflags ^= EFLG_CF;
3290 case 0xf6 ... 0xf7: /* Grp3 */
3291 if (emulate_grp3(ctxt, ops) != X86EMUL_CONTINUE)
3292 goto cannot_emulate;
3294 case 0xf8: /* clc */
3295 ctxt->eflags &= ~EFLG_CF;
3297 case 0xf9: /* stc */
3298 ctxt->eflags |= EFLG_CF;
3300 case 0xfa: /* cli */
3301 if (emulator_bad_iopl(ctxt, ops)) {
3302 emulate_gp(ctxt, 0);
3305 ctxt->eflags &= ~X86_EFLAGS_IF;
3307 case 0xfb: /* sti */
3308 if (emulator_bad_iopl(ctxt, ops)) {
3309 emulate_gp(ctxt, 0);
3312 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3313 ctxt->eflags |= X86_EFLAGS_IF;
3316 case 0xfc: /* cld */
3317 ctxt->eflags &= ~EFLG_DF;
3319 case 0xfd: /* std */
3320 ctxt->eflags |= EFLG_DF;
3322 case 0xfe: /* Grp4 */
3324 rc = emulate_grp45(ctxt, ops);
3325 if (rc != X86EMUL_CONTINUE)
3328 case 0xff: /* Grp5 */
3329 if (c->modrm_reg == 5)
3333 goto cannot_emulate;
3337 rc = writeback(ctxt, ops);
3338 if (rc != X86EMUL_CONTINUE)
3342 * restore dst type in case the decoding will be reused
3343 * (happens for string instruction )
3345 c->dst.type = saved_dst_type;
3347 if ((c->d & SrcMask) == SrcSI)
3348 string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
3349 VCPU_REGS_RSI, &c->src);
3351 if ((c->d & DstMask) == DstDI)
3352 string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
3355 if (c->rep_prefix && (c->d & String)) {
3356 struct read_cache *rc = &ctxt->decode.io_read;
3357 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3358 /* The second termination condition only applies for REPE
3359 * and REPNE. Test if the repeat string operation prefix is
3360 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
3361 * corresponding termination condition according to:
3362 * - if REPE/REPZ and ZF = 0 then done
3363 * - if REPNE/REPNZ and ZF = 1 then done
3365 if (((c->b == 0xa6) || (c->b == 0xa7) ||
3366 (c->b == 0xae) || (c->b == 0xaf))
3367 && (((c->rep_prefix == REPE_PREFIX) &&
3368 ((ctxt->eflags & EFLG_ZF) == 0))
3369 || ((c->rep_prefix == REPNE_PREFIX) &&
3370 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))))
3371 ctxt->restart = false;
3373 * Re-enter guest when pio read ahead buffer is empty or,
3374 * if it is not used, after each 1024 iteration.
3376 else if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
3377 (rc->end != 0 && rc->end == rc->pos)) {
3378 ctxt->restart = false;
3383 * reset read cache here in case string instruction is restared
3386 ctxt->decode.mem_read.end = 0;
3391 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
3395 case 0x01: /* lgdt, lidt, lmsw */
3396 switch (c->modrm_reg) {
3398 unsigned long address;
3400 case 0: /* vmcall */
3401 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3402 goto cannot_emulate;
3404 rc = kvm_fix_hypercall(ctxt->vcpu);
3405 if (rc != X86EMUL_CONTINUE)
3408 /* Let the processor re-execute the fixed hypercall */
3410 /* Disable writeback. */
3411 c->dst.type = OP_NONE;
3414 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3415 &size, &address, c->op_bytes);
3416 if (rc != X86EMUL_CONTINUE)
3418 realmode_lgdt(ctxt->vcpu, size, address);
3419 /* Disable writeback. */
3420 c->dst.type = OP_NONE;
3422 case 3: /* lidt/vmmcall */
3423 if (c->modrm_mod == 3) {
3424 switch (c->modrm_rm) {
3426 rc = kvm_fix_hypercall(ctxt->vcpu);
3427 if (rc != X86EMUL_CONTINUE)
3431 goto cannot_emulate;
3434 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3437 if (rc != X86EMUL_CONTINUE)
3439 realmode_lidt(ctxt->vcpu, size, address);
3441 /* Disable writeback. */
3442 c->dst.type = OP_NONE;
3446 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3449 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0eul) |
3450 (c->src.val & 0x0f), ctxt->vcpu);
3451 c->dst.type = OP_NONE;
3453 case 5: /* not defined */
3457 emulate_invlpg(ctxt->vcpu, c->src.addr.mem);
3458 /* Disable writeback. */
3459 c->dst.type = OP_NONE;
3462 goto cannot_emulate;
3465 case 0x05: /* syscall */
3466 rc = emulate_syscall(ctxt, ops);
3467 if (rc != X86EMUL_CONTINUE)
3473 emulate_clts(ctxt->vcpu);
3475 case 0x09: /* wbinvd */
3476 kvm_emulate_wbinvd(ctxt->vcpu);
3478 case 0x08: /* invd */
3479 case 0x0d: /* GrpP (prefetch) */
3480 case 0x18: /* Grp16 (prefetch/nop) */
3482 case 0x20: /* mov cr, reg */
3483 switch (c->modrm_reg) {
3490 c->dst.val = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3492 case 0x21: /* mov from dr to reg */
3493 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3494 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3498 ops->get_dr(c->modrm_reg, &c->dst.val, ctxt->vcpu);
3500 case 0x22: /* mov reg, cr */
3501 if (ops->set_cr(c->modrm_reg, c->src.val, ctxt->vcpu)) {
3502 emulate_gp(ctxt, 0);
3505 c->dst.type = OP_NONE;
3507 case 0x23: /* mov from reg to dr */
3508 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3509 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3514 if (ops->set_dr(c->modrm_reg, c->src.val &
3515 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3516 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3517 /* #UD condition is already handled by the code above */
3518 emulate_gp(ctxt, 0);
3522 c->dst.type = OP_NONE; /* no writeback */
3526 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3527 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3528 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3529 emulate_gp(ctxt, 0);
3532 rc = X86EMUL_CONTINUE;
3536 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3537 emulate_gp(ctxt, 0);
3540 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3541 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3543 rc = X86EMUL_CONTINUE;
3545 case 0x34: /* sysenter */
3546 rc = emulate_sysenter(ctxt, ops);
3547 if (rc != X86EMUL_CONTINUE)
3552 case 0x35: /* sysexit */
3553 rc = emulate_sysexit(ctxt, ops);
3554 if (rc != X86EMUL_CONTINUE)
3559 case 0x40 ... 0x4f: /* cmov */
3560 c->dst.val = c->dst.orig_val = c->src.val;
3561 if (!test_cc(c->b, ctxt->eflags))
3562 c->dst.type = OP_NONE; /* no writeback */
3564 case 0x80 ... 0x8f: /* jnz rel, etc*/
3565 if (test_cc(c->b, ctxt->eflags))
3566 jmp_rel(c, c->src.val);
3568 case 0x90 ... 0x9f: /* setcc r/m8 */
3569 c->dst.val = test_cc(c->b, ctxt->eflags);
3571 case 0xa0: /* push fs */
3572 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3574 case 0xa1: /* pop fs */
3575 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3576 if (rc != X86EMUL_CONTINUE)
3581 c->dst.type = OP_NONE;
3582 /* only subword offset */
3583 c->src.val &= (c->dst.bytes << 3) - 1;
3584 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3586 case 0xa4: /* shld imm8, r, r/m */
3587 case 0xa5: /* shld cl, r, r/m */
3588 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3590 case 0xa8: /* push gs */
3591 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3593 case 0xa9: /* pop gs */
3594 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3595 if (rc != X86EMUL_CONTINUE)
3600 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3602 case 0xac: /* shrd imm8, r, r/m */
3603 case 0xad: /* shrd cl, r, r/m */
3604 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3606 case 0xae: /* clflush */
3608 case 0xb0 ... 0xb1: /* cmpxchg */
3610 * Save real source value, then compare EAX against
3613 c->src.orig_val = c->src.val;
3614 c->src.val = c->regs[VCPU_REGS_RAX];
3615 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3616 if (ctxt->eflags & EFLG_ZF) {
3617 /* Success: write back to memory. */
3618 c->dst.val = c->src.orig_val;
3620 /* Failure: write the value we saw to EAX. */
3621 c->dst.type = OP_REG;
3622 c->dst.addr.reg = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3627 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3629 case 0xb6 ... 0xb7: /* movzx */
3630 c->dst.bytes = c->op_bytes;
3631 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3634 case 0xba: /* Grp8 */
3635 switch (c->modrm_reg & 3) {
3648 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3650 case 0xbc: { /* bsf */
3652 __asm__ ("bsf %2, %0; setz %1"
3653 : "=r"(c->dst.val), "=q"(zf)
3655 ctxt->eflags &= ~X86_EFLAGS_ZF;
3657 ctxt->eflags |= X86_EFLAGS_ZF;
3658 c->dst.type = OP_NONE; /* Disable writeback. */
3662 case 0xbd: { /* bsr */
3664 __asm__ ("bsr %2, %0; setz %1"
3665 : "=r"(c->dst.val), "=q"(zf)
3667 ctxt->eflags &= ~X86_EFLAGS_ZF;
3669 ctxt->eflags |= X86_EFLAGS_ZF;
3670 c->dst.type = OP_NONE; /* Disable writeback. */
3674 case 0xbe ... 0xbf: /* movsx */
3675 c->dst.bytes = c->op_bytes;
3676 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3679 case 0xc0 ... 0xc1: /* xadd */
3680 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
3681 /* Write back the register source. */
3682 c->src.val = c->dst.orig_val;
3683 write_register_operand(&c->src);
3685 case 0xc3: /* movnti */
3686 c->dst.bytes = c->op_bytes;
3687 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3690 case 0xc7: /* Grp9 (cmpxchg8b) */
3691 rc = emulate_grp9(ctxt, ops);
3692 if (rc != X86EMUL_CONTINUE)
3696 goto cannot_emulate;
3701 DPRINTF("Cannot emulate %02x\n", c->b);