/******************************************************************************
 * emulate.c
 *
 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
 *
 * Copyright (c) 2005 Keir Fraser
 *
 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
 * privileged instructions:
 *
 * Copyright (C) 2006 Qumranet
 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
 *
 *   Avi Kivity <avi@qumranet.com>
 *   Yaniv Kamay <yaniv@qumranet.com>
 *
 * This work is licensed under the terms of the GNU GPL, version 2. See
 * the COPYING file in the top-level directory.
 *
 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
 */
#ifndef __KERNEL__
#include <stdio.h>
#include <stdint.h>
#include <public/xen.h>
#define DPRINTF(_f, _a ...) printf(_f , ## _a)
#else
#include <linux/kvm_host.h>
#include "kvm_cache_regs.h"
#define DPRINTF(x...) do {} while (0)
#endif
#include <linux/module.h>
#include <asm/kvm_emulate.h>
#include "x86.h"
#include "tss.h"

/*
 * Opcode effective-address decode tables.
 * Note that we only emulate instructions that have at least one memory
 * operand (excluding implicit stack references). We assume that stack
 * references and instruction fetches will never occur in special memory
 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
 * not be handled.
 */
/* Operand sizes: 8-bit operands or specified/overridden size. */
#define ByteOp (1<<0) /* 8-bit operands. */
/* Destination operand type. */
#define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
#define DstReg (2<<1) /* Register operand. */
#define DstMem (3<<1) /* Memory operand. */
#define DstAcc (4<<1) /* Destination Accumulator */
#define DstDI (5<<1) /* Destination is in ES:(E)DI */
#define DstMem64 (6<<1) /* 64bit memory operand */
#define DstMask (7<<1)
/* Source operand type. */
#define SrcNone (0<<4) /* No source operand. */
#define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
#define SrcReg (1<<4) /* Register operand. */
#define SrcMem (2<<4) /* Memory operand. */
#define SrcMem16 (3<<4) /* Memory operand (16-bit). */
#define SrcMem32 (4<<4) /* Memory operand (32-bit). */
#define SrcImm (5<<4) /* Immediate operand. */
#define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
#define SrcOne (7<<4) /* Implied '1' */
#define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
#define SrcImmU (9<<4) /* Immediate operand, unsigned */
#define SrcSI (0xa<<4) /* Source is in the DS:RSI */
#define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
#define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
#define SrcAcc (0xd<<4) /* Source Accumulator */
#define SrcMask (0xf<<4)
/* Generic ModRM decode. */
#define ModRM (1<<8)
/* Destination is only written; never read. */
#define Mov (1<<9)
#define BitOp (1<<10)
#define MemAbs (1<<11) /* Memory operand is absolute displacement */
#define String (1<<12) /* String instruction (rep capable) */
#define Stack (1<<13) /* Stack instruction (push/pop) */
#define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
#define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
/* Misc flags */
#define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
#define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
#define Undefined (1<<25) /* No Such Instruction */
#define Lock (1<<26) /* lock prefix is allowed for the instruction */
#define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
#define No64 (1<<28)
/* Source 2 operand type */
#define Src2None (0<<29)
#define Src2CL (1<<29)
#define Src2ImmByte (2<<29)
#define Src2One (3<<29)
#define Src2Mask (7<<29)
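
/*
 * Illustrative sketch (not part of the original sources): the flag values
 * above pack into a single u32 per opcode, so a table entry such as
 * ByteOp | DstMem | SrcReg | ModRM can later be picked apart with the
 * field masks:
 *
 *	u32 d = ByteOp | DstMem | SrcReg | ModRM;
 *
 *	if ((d & DstMask) == DstMem)	// destination is memory
 *		...
 *	if ((d & SrcMask) == SrcReg)	// source is a register
 *		...
 */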
#define X2(x...) x, x
#define X3(x...) X2(x), x
#define X4(x...) X2(x), X2(x)
#define X5(x...) X4(x), x
#define X6(x...) X4(x), X2(x)
#define X7(x...) X4(x), X3(x)
#define X8(x...) X4(x), X4(x)
#define X16(x...) X8(x), X8(x)
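
/*
 * Illustrative expansion (not part of the original sources): the X*()
 * macros simply repeat their argument, keeping the 256-entry opcode
 * tables below compact.  For example X4(D(DstReg | Stack)) expands to
 *
 *	D(DstReg | Stack), D(DstReg | Stack),
 *	D(DstReg | Stack), D(DstReg | Stack)
 */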
struct opcode {
	u32 flags;
	union {
		int (*execute)(struct x86_emulate_ctxt *ctxt);
		struct opcode *group;
		struct group_dual *gdual;
	} u;
};

struct group_dual {
	struct opcode mod012[8];
	struct opcode mod3[8];
};

/* EFLAGS bit definitions. */
#define EFLG_ID (1<<21)
#define EFLG_VIP (1<<20)
#define EFLG_VIF (1<<19)
#define EFLG_AC (1<<18)
#define EFLG_VM (1<<17)
#define EFLG_RF (1<<16)
#define EFLG_IOPL (3<<12)
#define EFLG_NT (1<<14)
#define EFLG_OF (1<<11)
#define EFLG_DF (1<<10)
#define EFLG_IF (1<<9)
#define EFLG_TF (1<<8)
#define EFLG_SF (1<<7)
#define EFLG_ZF (1<<6)
#define EFLG_AF (1<<4)
#define EFLG_PF (1<<2)
#define EFLG_CF (1<<0)

#define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
#define EFLG_RESERVED_ONE_MASK 2
/*
 * Instruction emulation:
 * Most instructions are emulated directly via a fragment of inline assembly
 * code. This allows us to save/restore EFLAGS and thus very easily pick up
 * any modified flags.
 */
#if defined(CONFIG_X86_64)
#define _LO32 "k" /* force 32-bit operand */
#define _STK "%%rsp" /* stack pointer */
#elif defined(__i386__)
#define _LO32 "" /* force 32-bit operand */
#define _STK "%%esp" /* stack pointer */
#endif
/*
 * These EFLAGS bits are restored from saved value during emulation, and
 * any changes are written back to the saved value after emulation.
 */
#define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
/* Before executing instruction: restore necessary bits in EFLAGS. */
#define _PRE_EFLAGS(_sav, _msk, _tmp) \
	/* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
	"movl %"_sav",%"_LO32 _tmp"; " \
	"push %"_tmp"; " \
	"push %"_tmp"; " \
	"movl %"_msk",%"_LO32 _tmp"; " \
	"andl %"_LO32 _tmp",("_STK"); " \
	"pushf; " \
	"notl %"_LO32 _tmp"; " \
	"andl %"_LO32 _tmp",("_STK"); " \
	"andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
	"pop  %"_tmp"; " \
	"orl  %"_LO32 _tmp",("_STK"); " \
	"popf; " \
	"pop  %"_sav"; "

/* After executing instruction: write-back necessary bits in EFLAGS. */
#define _POST_EFLAGS(_sav, _msk, _tmp) \
	/* _sav |= EFLAGS & _msk; */ \
	"pushf; " \
	"pop  %"_LO32 _tmp"; " \
	"andl %"_msk",%"_LO32 _tmp"; " \
	"orl  %"_LO32 _tmp",%"_sav"; "

#ifdef CONFIG_X86_64
#define ON64(x) x
#else
#define ON64(x)
#endif

#define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
	do { \
		__asm__ __volatile__ ( \
			_PRE_EFLAGS("0", "4", "2") \
			_op _suffix " %"_x"3,%1; " \
			_POST_EFLAGS("0", "4", "2") \
			: "=m" (_eflags), "=m" ((_dst).val), \
			  "=&r" (_tmp) \
			: _y ((_src).val), "i" (EFLAGS_MASK)); \
	} while (0)
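
/*
 * Illustrative expansion (not part of the original sources): for a
 * 32-bit "add", ____emulate_2op() generates roughly
 *
 *	asm volatile(
 *		... load guest flags from _eflags ...
 *		"addl %k3,%1; "
 *		... copy the resulting EFLAGS back into _eflags ...
 *		: "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp)
 *		: "r" ((_src).val), "i" (EFLAGS_MASK));
 *
 * i.e. the host CPU executes the real instruction, and the pre/post
 * fixups capture the guest-visible EFLAGS changes.
 */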
/* Raw emulation: instruction has two explicit operands. */
#define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
	do { \
		unsigned long _tmp; \
		\
		switch ((_dst).bytes) { \
		case 2: \
			____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
			break; \
		case 4: \
			____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
			break; \
		case 8: \
			ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
			break; \
		} \
	} while (0)

#define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
	do { \
		unsigned long _tmp; \
		switch ((_dst).bytes) { \
		case 1: \
			____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
			break; \
		default: \
			__emulate_2op_nobyte(_op, _src, _dst, _eflags, \
					     _wx, _wy, _lx, _ly, _qx, _qy); \
			break; \
		} \
	} while (0)
/* Source operand is byte-sized and may be restricted to just %cl. */
#define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
	__emulate_2op(_op, _src, _dst, _eflags, \
		      "b", "c", "b", "c", "b", "c", "b", "c")

/* Source operand is byte, word, long or quad sized. */
#define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
	__emulate_2op(_op, _src, _dst, _eflags, \
		      "b", "q", "w", "r", _LO32, "r", "", "r")

/* Source operand is word, long or quad sized. */
#define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
	__emulate_2op_nobyte(_op, _src, _dst, _eflags, \
			     "w", "r", _LO32, "r", "", "r")
/* Instruction has three operands and one operand is stored in ECX register */
#define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
	do { \
		unsigned long _tmp; \
		_type _clv = (_cl).val; \
		_type _srcv = (_src).val; \
		_type _dstv = (_dst).val; \
		\
		__asm__ __volatile__ ( \
			_PRE_EFLAGS("0", "5", "2") \
			_op _suffix " %4,%1 \n" \
			_POST_EFLAGS("0", "5", "2") \
			: "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
			: "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
			); \
		\
		(_cl).val = (unsigned long) _clv; \
		(_src).val = (unsigned long) _srcv; \
		(_dst).val = (unsigned long) _dstv; \
	} while (0)

#define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
	do { \
		switch ((_dst).bytes) { \
		case 2: \
			__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
					 "w", unsigned short); \
			break; \
		case 4: \
			__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
					 "l", unsigned int); \
			break; \
		case 8: \
			ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
					      "q", unsigned long)); \
			break; \
		} \
	} while (0)

#define __emulate_1op(_op, _dst, _eflags, _suffix) \
	do { \
		unsigned long _tmp; \
		\
		__asm__ __volatile__ ( \
			_PRE_EFLAGS("0", "3", "2") \
			_op _suffix " %1; " \
			_POST_EFLAGS("0", "3", "2") \
			: "=m" (_eflags), "+m" ((_dst).val), \
			  "=&r" (_tmp) \
			: "i" (EFLAGS_MASK)); \
	} while (0)

/* Instruction has only one explicit operand (no source operand). */
#define emulate_1op(_op, _dst, _eflags) \
	do { \
		switch ((_dst).bytes) { \
		case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
		case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
		case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
		case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
		} \
	} while (0)
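
/*
 * Usage sketch (not part of the original sources): a handler for a
 * one-operand instruction only has to write, e.g.,
 *
 *	emulate_1op("neg", c->dst, ctxt->eflags);
 *
 * and the macro selects the b/w/l/q form from c->dst.bytes.
 */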
/* Fetch next part of the instruction being emulated. */
#define insn_fetch(_type, _size, _eip) \
({	unsigned long _x; \
	rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
	if (rc != X86EMUL_CONTINUE) \
		goto done; \
	(_eip) += (_size); \
	(_type)_x; \
})

#define insn_fetch_arr(_arr, _size, _eip) \
({	rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
	if (rc != X86EMUL_CONTINUE) \
		goto done; \
	(_eip) += (_size); \
})
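
/*
 * Usage sketch (not part of the original sources): these macros rely on
 * local variables 'rc', 'ctxt' and 'ops' and on a 'done' label in the
 * caller, so a decoder step such as
 *
 *	c->modrm = insn_fetch(u8, 1, c->eip);
 *
 * both advances c->eip and bails out to 'done' if the fetch fails.
 */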
static inline unsigned long ad_mask(struct decode_cache *c)
{
	return (1UL << (c->ad_bytes << 3)) - 1;
}

/* Access/update address held in a register, based on addressing mode. */
static inline unsigned long
address_mask(struct decode_cache *c, unsigned long reg)
{
	if (c->ad_bytes == sizeof(unsigned long))
		return reg;
	else
		return reg & ad_mask(c);
}

static inline unsigned long
register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
{
	return base + address_mask(c, reg);
}

static inline void
register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
{
	if (c->ad_bytes == sizeof(unsigned long))
		*reg += inc;
	else
		*reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
}
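
/*
 * Worked example (not part of the original sources): with 2-byte
 * addressing (c->ad_bytes == 2) only the low 16 bits of the register
 * wrap, as on real hardware:
 *
 *	*reg = 0x1234ffff, inc = 1, ad_mask(c) = 0xffff
 *	*reg = (0x1234ffff & ~0xffff) | ((0x1234ffff + 1) & 0xffff)
 *	     = 0x12340000 | 0x0000 = 0x12340000
 */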
static inline void jmp_rel(struct decode_cache *c, int rel)
{
	register_address_increment(c, &c->eip, rel);
}

static void set_seg_override(struct decode_cache *c, int seg)
{
	c->has_seg_override = true;
	c->seg_override = seg;
}

static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops, int seg)
{
	if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
		return 0;

	return ops->get_cached_segment_base(seg, ctxt->vcpu);
}

static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
				       struct x86_emulate_ops *ops,
				       struct decode_cache *c)
{
	if (!c->has_seg_override)
		return 0;

	return seg_base(ctxt, ops, c->seg_override);
}

static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops)
{
	return seg_base(ctxt, ops, VCPU_SREG_ES);
}

static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops)
{
	return seg_base(ctxt, ops, VCPU_SREG_SS);
}

static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
			      u32 error, bool valid)
{
	ctxt->exception = vec;
	ctxt->error_code = error;
	ctxt->error_code_valid = valid;
	ctxt->restart = false;
}

static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
{
	emulate_exception(ctxt, GP_VECTOR, err, true);
}

static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
		       int err)
{
	ctxt->cr2 = addr;
	emulate_exception(ctxt, PF_VECTOR, err, true);
}

static void emulate_ud(struct x86_emulate_ctxt *ctxt)
{
	emulate_exception(ctxt, UD_VECTOR, 0, false);
}

static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
{
	emulate_exception(ctxt, TS_VECTOR, err, true);
}
static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops,
			      unsigned long eip, u8 *dest)
{
	struct fetch_cache *fc = &ctxt->decode.fetch;
	int rc;
	int size, cur_size;

	if (eip == fc->end) {
		cur_size = fc->end - fc->start;
		size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
		rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
				size, ctxt->vcpu, NULL);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		fc->end += size;
	}
	*dest = fc->data[eip - fc->start];
	return X86EMUL_CONTINUE;
}

static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops,
			 unsigned long eip, void *dest, unsigned size)
{
	int rc;

	/* x86 instructions are limited to 15 bytes. */
	if (eip + size - ctxt->eip > 15)
		return X86EMUL_UNHANDLEABLE;
	while (size--) {
		rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
		if (rc != X86EMUL_CONTINUE)
			return rc;
	}
	return X86EMUL_CONTINUE;
}
/*
 * Given the 'reg' portion of a ModRM byte, and a register block, return a
 * pointer into the block that addresses the relevant register.
 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
 */
static void *decode_register(u8 modrm_reg, unsigned long *regs,
			     int highbyte_regs)
{
	void *p;

	p = &regs[modrm_reg];
	if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
		p = (unsigned char *)&regs[modrm_reg & 3] + 1;
	return p;
}
static int read_descriptor(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops,
			   ulong addr,
			   u16 *size, unsigned long *address, int op_bytes)
{
	int rc;

	if (op_bytes == 2)
		op_bytes = 3;
	*address = 0;
	rc = ops->read_std(addr, (unsigned long *)size, 2, ctxt->vcpu, NULL);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	rc = ops->read_std(addr + 2, address, op_bytes, ctxt->vcpu, NULL);
	return rc;
}

static int test_cc(unsigned int condition, unsigned int flags)
{
	int rc = 0;

	switch ((condition & 15) >> 1) {
	case 0: /* o */
		rc |= (flags & EFLG_OF);
		break;
	case 1: /* b/c/nae */
		rc |= (flags & EFLG_CF);
		break;
	case 2: /* z/e */
		rc |= (flags & EFLG_ZF);
		break;
	case 3: /* be/na */
		rc |= (flags & (EFLG_CF|EFLG_ZF));
		break;
	case 4: /* s */
		rc |= (flags & EFLG_SF);
		break;
	case 5: /* p/pe */
		rc |= (flags & EFLG_PF);
		break;
	case 7: /* le/ng */
		rc |= (flags & EFLG_ZF);
		/* fall through */
	case 6: /* l/nge */
		rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
		break;
	}

	/* Odd condition identifiers (lsb == 1) have inverted sense. */
	return (!!rc ^ (condition & 1));
}
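
/*
 * Illustrative mapping (not part of the original sources): bits 3:1 of
 * the condition nibble select the flag expression and bit 0 inverts it.
 * For 'jne' (condition 0x5), (0x5 & 15) >> 1 == 2 selects EFLG_ZF, and
 * the set low bit inverts the result, so test_cc(0x5, flags) is true
 * exactly when ZF is clear.
 */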
static void fetch_register_operand(struct operand *op)
{
	switch (op->bytes) {
	case 1:
		op->val = *(u8 *)op->addr.reg;
		break;
	case 2:
		op->val = *(u16 *)op->addr.reg;
		break;
	case 4:
		op->val = *(u32 *)op->addr.reg;
		break;
	case 8:
		op->val = *(u64 *)op->addr.reg;
		break;
	}
}

static void decode_register_operand(struct operand *op,
				    struct decode_cache *c,
				    int inhibit_bytereg)
{
	unsigned reg = c->modrm_reg;
	int highbyte_regs = c->rex_prefix == 0;

	if (!(c->d & ModRM))
		reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
	op->type = OP_REG;
	if ((c->d & ByteOp) && !inhibit_bytereg) {
		op->addr.reg = decode_register(reg, c->regs, highbyte_regs);
		op->bytes = 1;
	} else {
		op->addr.reg = decode_register(reg, c->regs, 0);
		op->bytes = c->op_bytes;
	}
	fetch_register_operand(op);
	op->orig_val = op->val;
}
static int decode_modrm(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	u8 sib;
	int index_reg = 0, base_reg = 0, scale;
	int rc = X86EMUL_CONTINUE;

	if (c->rex_prefix) {
		c->modrm_reg = (c->rex_prefix & 4) << 1;	/* REX.R */
		index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
		c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REX.B */
	}

	c->modrm = insn_fetch(u8, 1, c->eip);
	c->modrm_mod |= (c->modrm & 0xc0) >> 6;
	c->modrm_reg |= (c->modrm & 0x38) >> 3;
	c->modrm_rm |= (c->modrm & 0x07);
	c->modrm_ea = 0;
	c->modrm_seg = VCPU_SREG_DS;

	if (c->modrm_mod == 3) {
		c->modrm_ptr = decode_register(c->modrm_rm,
					       c->regs, c->d & ByteOp);
		c->modrm_val = *(unsigned long *)c->modrm_ptr;
		return rc;
	}

	if (c->ad_bytes == 2) {
		unsigned bx = c->regs[VCPU_REGS_RBX];
		unsigned bp = c->regs[VCPU_REGS_RBP];
		unsigned si = c->regs[VCPU_REGS_RSI];
		unsigned di = c->regs[VCPU_REGS_RDI];

		/* 16-bit ModR/M decode. */
		switch (c->modrm_mod) {
		case 0:
			if (c->modrm_rm == 6)
				c->modrm_ea += insn_fetch(u16, 2, c->eip);
			break;
		case 1:
			c->modrm_ea += insn_fetch(s8, 1, c->eip);
			break;
		case 2:
			c->modrm_ea += insn_fetch(u16, 2, c->eip);
			break;
		}
		switch (c->modrm_rm) {
		case 0:
			c->modrm_ea += bx + si;
			break;
		case 1:
			c->modrm_ea += bx + di;
			break;
		case 2:
			c->modrm_ea += bp + si;
			break;
		case 3:
			c->modrm_ea += bp + di;
			break;
		case 4:
			c->modrm_ea += si;
			break;
		case 5:
			c->modrm_ea += di;
			break;
		case 6:
			if (c->modrm_mod != 0)
				c->modrm_ea += bp;
			break;
		case 7:
			c->modrm_ea += bx;
			break;
		}
		if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
		    (c->modrm_rm == 6 && c->modrm_mod != 0))
			c->modrm_seg = VCPU_SREG_SS;
		c->modrm_ea = (u16)c->modrm_ea;
	} else {
		/* 32/64-bit ModR/M decode. */
		if ((c->modrm_rm & 7) == 4) {
			sib = insn_fetch(u8, 1, c->eip);
			index_reg |= (sib >> 3) & 7;
			base_reg |= sib & 7;
			scale = sib >> 6;

			if ((base_reg & 7) == 5 && c->modrm_mod == 0)
				c->modrm_ea += insn_fetch(s32, 4, c->eip);
			else
				c->modrm_ea += c->regs[base_reg];
			if (index_reg != 4)
				c->modrm_ea += c->regs[index_reg] << scale;
		} else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
			if (ctxt->mode == X86EMUL_MODE_PROT64)
				c->rip_relative = 1;
		} else
			c->modrm_ea += c->regs[c->modrm_rm];
		switch (c->modrm_mod) {
		case 0:
			if (c->modrm_rm == 5)
				c->modrm_ea += insn_fetch(s32, 4, c->eip);
			break;
		case 1:
			c->modrm_ea += insn_fetch(s8, 1, c->eip);
			break;
		case 2:
			c->modrm_ea += insn_fetch(s32, 4, c->eip);
			break;
		}
	}
done:
	return rc;
}
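
/*
 * Worked example (not part of the original sources): in 16-bit mode the
 * ModRM byte 0x47 decodes as mod=01, reg=000, rm=111, i.e. an 8-bit
 * displacement off BX, giving modrm_ea = bx + (s8)disp.  In 32-bit mode
 * the same byte means [EDI + disp8] instead, which is why the two
 * decoders above are kept separate.
 */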
static int decode_abs(struct x86_emulate_ctxt *ctxt,
		      struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;

	switch (c->ad_bytes) {
	case 2:
		c->modrm_ea = insn_fetch(u16, 2, c->eip);
		break;
	case 4:
		c->modrm_ea = insn_fetch(u32, 4, c->eip);
		break;
	case 8:
		c->modrm_ea = insn_fetch(u64, 8, c->eip);
		break;
	}
done:
	return rc;
}

static int read_emulated(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops,
			 unsigned long addr, void *dest, unsigned size)
{
	int rc;
	struct read_cache *mc = &ctxt->decode.mem_read;
	u32 err;

	while (size) {
		int n = min(size, 8u);

		if (mc->pos < mc->end)
			goto read_cached;

		rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
					ctxt->vcpu);
		if (rc == X86EMUL_PROPAGATE_FAULT)
			emulate_pf(ctxt, addr, err);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		mc->end += n;

	read_cached:
		memcpy(dest, mc->data + mc->pos, n);
		mc->pos += n;
		size -= n;
		addr += n;
	}
	return X86EMUL_CONTINUE;
}

static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops,
			   unsigned int size, unsigned short port,
			   void *dest)
{
	struct read_cache *rc = &ctxt->decode.io_read;

	if (rc->pos == rc->end) { /* refill pio read ahead */
		struct decode_cache *c = &ctxt->decode;
		unsigned int in_page, n;
		unsigned int count = c->rep_prefix ?
			address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
		in_page = (ctxt->eflags & EFLG_DF) ?
			offset_in_page(c->regs[VCPU_REGS_RDI]) :
			PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
		n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
			count);
		if (n == 0)
			n = 1;
		rc->pos = rc->end = 0;
		if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
			return 0;
		rc->end = n * size;
	}

	memcpy(dest, rc->data + rc->pos, size);
	rc->pos += size;
	return 1;
}
static u32 desc_limit_scaled(struct desc_struct *desc)
{
	u32 limit = get_desc_limit(desc);

	return desc->g ? (limit << 12) | 0xfff : limit;
}
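
/*
 * Worked example (not part of the original sources): a flat 4GB segment
 * is encoded as limit 0xfffff with the granularity bit set, so
 * desc_limit_scaled() returns (0xfffff << 12) | 0xfff == 0xffffffff.
 */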
static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
				     struct x86_emulate_ops *ops,
				     u16 selector, struct desc_ptr *dt)
{
	if (selector & 1 << 2) {
		struct desc_struct desc;
		memset(dt, 0, sizeof *dt);
		if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
			return;

		dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
		dt->address = get_desc_base(&desc);
	} else
		ops->get_gdt(dt, ctxt->vcpu);
}
/* allowed only for 8-byte segment descriptors */
static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				   struct x86_emulate_ops *ops,
				   u16 selector, struct desc_struct *desc)
{
	struct desc_ptr dt;
	u16 index = selector >> 3;
	int ret;
	u32 err;
	ulong addr;

	get_descriptor_table_ptr(ctxt, ops, selector, &dt);

	if (dt.size < index * 8 + 7) {
		emulate_gp(ctxt, selector & 0xfffc);
		return X86EMUL_PROPAGATE_FAULT;
	}
	addr = dt.address + index * 8;
	ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
	if (ret == X86EMUL_PROPAGATE_FAULT)
		emulate_pf(ctxt, addr, err);

	return ret;
}

/* allowed only for 8-byte segment descriptors */
static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				    struct x86_emulate_ops *ops,
				    u16 selector, struct desc_struct *desc)
{
	struct desc_ptr dt;
	u16 index = selector >> 3;
	int ret;
	u32 err;
	ulong addr;

	get_descriptor_table_ptr(ctxt, ops, selector, &dt);

	if (dt.size < index * 8 + 7) {
		emulate_gp(ctxt, selector & 0xfffc);
		return X86EMUL_PROPAGATE_FAULT;
	}

	addr = dt.address + index * 8;
	ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
	if (ret == X86EMUL_PROPAGATE_FAULT)
		emulate_pf(ctxt, addr, err);

	return ret;
}
static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				   struct x86_emulate_ops *ops,
				   u16 selector, int seg)
{
	struct desc_struct seg_desc;
	u8 dpl, rpl, cpl;
	unsigned err_vec = GP_VECTOR;
	u32 err_code = 0;
	bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
	int ret;

	memset(&seg_desc, 0, sizeof seg_desc);

	if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
	    || ctxt->mode == X86EMUL_MODE_REAL) {
		/* set real mode segment descriptor */
		set_desc_base(&seg_desc, selector << 4);
		set_desc_limit(&seg_desc, 0xffff);
		seg_desc.type = 3;
		seg_desc.p = 1;
		seg_desc.s = 1;
		goto load;
	}

	/* NULL selector is not valid for TR, CS and SS */
	if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
	    && null_selector)
		goto exception;

	/* TR should be in GDT only */
	if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
		goto exception;

	if (null_selector) /* for NULL selector skip all following checks */
		goto load;

	ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	err_code = selector & 0xfffc;

	/* can't load system descriptor into segment selector */
	if (seg <= VCPU_SREG_GS && !seg_desc.s)
		goto exception;

	if (!seg_desc.p) {
		err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
		goto exception;
	}

	rpl = selector & 3;
	dpl = seg_desc.dpl;
	cpl = ops->cpl(ctxt->vcpu);

	switch (seg) {
	case VCPU_SREG_SS:
		/*
		 * segment is not a writable data segment or segment
		 * selector's RPL != CPL or DPL != CPL
		 */
		if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
			goto exception;
		break;
	case VCPU_SREG_CS:
		if (!(seg_desc.type & 8))
			goto exception;

		if (seg_desc.type & 4) {
			/* conforming */
			if (dpl > cpl)
				goto exception;
		} else {
			/* nonconforming */
			if (rpl > cpl || dpl != cpl)
				goto exception;
		}
		/* CS(RPL) <- CPL */
		selector = (selector & 0xfffc) | cpl;
		break;
	case VCPU_SREG_TR:
		if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
			goto exception;
		break;
	case VCPU_SREG_LDTR:
		if (seg_desc.s || seg_desc.type != 2)
			goto exception;
		break;
	default: /* DS, ES, FS, or GS */
		/*
		 * segment is not a data or readable code segment or
		 * ((segment is a data or nonconforming code segment)
		 * and (both RPL and CPL > DPL))
		 */
		if ((seg_desc.type & 0xa) == 0x8 ||
		    (((seg_desc.type & 0xc) != 0xc) &&
		     (rpl > dpl && cpl > dpl)))
			goto exception;
		break;
	}

	if (seg_desc.s) {
		/* mark segment as accessed */
		seg_desc.type |= 1;
		ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
		if (ret != X86EMUL_CONTINUE)
			return ret;
	}
load:
	ops->set_segment_selector(selector, seg, ctxt->vcpu);
	ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
	return X86EMUL_CONTINUE;
exception:
	emulate_exception(ctxt, err_vec, err_code, true);
	return X86EMUL_PROPAGATE_FAULT;
}
static inline int writeback(struct x86_emulate_ctxt *ctxt,
			    struct x86_emulate_ops *ops)
{
	int rc;
	struct decode_cache *c = &ctxt->decode;
	u32 err;

	switch (c->dst.type) {
	case OP_REG:
		/* The 4-byte case *is* correct:
		 * in 64-bit mode we zero-extend.
		 */
		switch (c->dst.bytes) {
		case 1:
			*(u8 *)c->dst.addr.reg = (u8)c->dst.val;
			break;
		case 2:
			*(u16 *)c->dst.addr.reg = (u16)c->dst.val;
			break;
		case 4:
			*c->dst.addr.reg = (u32)c->dst.val;
			break;	/* 64b: zero-ext */
		case 8:
			*c->dst.addr.reg = c->dst.val;
			break;
		}
		break;
	case OP_MEM:
		if (c->lock_prefix)
			rc = ops->cmpxchg_emulated(
					c->dst.addr.mem,
					&c->dst.orig_val,
					&c->dst.val,
					c->dst.bytes,
					&err,
					ctxt->vcpu);
		else
			rc = ops->write_emulated(
					c->dst.addr.mem,
					&c->dst.val,
					c->dst.bytes,
					&err,
					ctxt->vcpu);
		if (rc == X86EMUL_PROPAGATE_FAULT)
			emulate_pf(ctxt, c->dst.addr.mem, err);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		break;
	case OP_NONE:
		/* no writeback */
		break;
	default:
		break;
	}
	return X86EMUL_CONTINUE;
}
static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	c->dst.type = OP_MEM;
	c->dst.bytes = c->op_bytes;
	c->dst.val = c->src.val;
	register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
	c->dst.addr.mem = register_address(c, ss_base(ctxt, ops),
					   c->regs[VCPU_REGS_RSP]);
}

static int emulate_pop(struct x86_emulate_ctxt *ctxt,
		       struct x86_emulate_ops *ops,
		       void *dest, int len)
{
	struct decode_cache *c = &ctxt->decode;
	int rc;

	rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
						       c->regs[VCPU_REGS_RSP]),
			   dest, len);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
	return rc;
}

static int emulate_popf(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops,
			void *dest, int len)
{
	int rc;
	unsigned long val, change_mask;
	int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
	int cpl = ops->cpl(ctxt->vcpu);

	rc = emulate_pop(ctxt, ops, &val, len);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
		| EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;

	switch (ctxt->mode) {
	case X86EMUL_MODE_PROT64:
	case X86EMUL_MODE_PROT32:
	case X86EMUL_MODE_PROT16:
		if (cpl == 0)
			change_mask |= EFLG_IOPL;
		if (cpl <= iopl)
			change_mask |= EFLG_IF;
		break;
	case X86EMUL_MODE_VM86:
		if (iopl < 3) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		change_mask |= EFLG_IF;
		break;
	default: /* real mode */
		change_mask |= (EFLG_IOPL | EFLG_IF);
		break;
	}

	*(unsigned long *)dest =
		(ctxt->eflags & ~change_mask) | (val & change_mask);

	return rc;
}

static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops, int seg)
{
	struct decode_cache *c = &ctxt->decode;

	c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);

	emulate_push(ctxt, ops);
}

static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
			    struct x86_emulate_ops *ops, int seg)
{
	struct decode_cache *c = &ctxt->decode;
	unsigned long selector;
	int rc;

	rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
	return rc;
}

static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	unsigned long old_esp = c->regs[VCPU_REGS_RSP];
	int rc = X86EMUL_CONTINUE;
	int reg = VCPU_REGS_RAX;

	while (reg <= VCPU_REGS_RDI) {
		(reg == VCPU_REGS_RSP) ?
		(c->src.val = old_esp) : (c->src.val = c->regs[reg]);

		emulate_push(ctxt, ops);

		rc = writeback(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			return rc;

		++reg;
	}

	/* Disable writeback. */
	c->dst.type = OP_NONE;

	return rc;
}

static int emulate_popa(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	int reg = VCPU_REGS_RDI;

	while (reg >= VCPU_REGS_RAX) {
		if (reg == VCPU_REGS_RSP) {
			register_address_increment(c, &c->regs[VCPU_REGS_RSP],
						   c->op_bytes);
			--reg;
			continue;
		}

		rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
		if (rc != X86EMUL_CONTINUE)
			break;
		--reg;
	}
	return rc;
}

static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc = X86EMUL_CONTINUE;
	unsigned long temp_eip = 0;
	unsigned long temp_eflags = 0;
	unsigned long cs = 0;
	unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
			     EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
			     EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
	unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;

	/* TODO: Add stack limit check */

	rc = emulate_pop(ctxt, ops, &temp_eip, c->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	if (temp_eip & ~0xffff) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}

	rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = emulate_pop(ctxt, ops, &temp_eflags, c->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	c->eip = temp_eip;

	if (c->op_bytes == 4)
		ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
	else if (c->op_bytes == 2) {
		ctxt->eflags &= ~0xffff;
		ctxt->eflags |= temp_eflags;
	}

	ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
	ctxt->eflags |= EFLG_RESERVED_ONE_MASK;

	return rc;
}
static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
			       struct x86_emulate_ops *ops)
{
	switch (ctxt->mode) {
	case X86EMUL_MODE_REAL:
		return emulate_iret_real(ctxt, ops);
	case X86EMUL_MODE_VM86:
	case X86EMUL_MODE_PROT16:
	case X86EMUL_MODE_PROT32:
	case X86EMUL_MODE_PROT64:
	default:
		/* iret from protected mode is not yet implemented */
		return X86EMUL_UNHANDLEABLE;
	}
}

static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
}
static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
{
	struct decode_cache *c = &ctxt->decode;
	switch (c->modrm_reg) {
	case 0:	/* rol */
		emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
		break;
	case 1:	/* ror */
		emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
		break;
	case 2:	/* rcl */
		emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
		break;
	case 3:	/* rcr */
		emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
		break;
	case 4:	/* sal/shl */
	case 6:	/* sal/shl */
		emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
		break;
	case 5:	/* shr */
		emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
		break;
	case 7:	/* sar */
		emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
		break;
	}
}

static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
			       struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	switch (c->modrm_reg) {
	case 0 ... 1:	/* test */
		emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
		break;
	case 2:	/* not */
		c->dst.val = ~c->dst.val;
		break;
	case 3:	/* neg */
		emulate_1op("neg", c->dst, ctxt->eflags);
		break;
	default:
		return 0;
	}
	return 1;
}

static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

	switch (c->modrm_reg) {
	case 0:	/* inc */
		emulate_1op("inc", c->dst, ctxt->eflags);
		break;
	case 1:	/* dec */
		emulate_1op("dec", c->dst, ctxt->eflags);
		break;
	case 2: /* call near abs */ {
		long int old_eip;
		old_eip = c->eip;
		c->eip = c->src.val;
		c->src.val = old_eip;
		emulate_push(ctxt, ops);
		break;
	}
	case 4: /* jmp abs */
		c->eip = c->src.val;
		break;
	case 6:	/* push */
		emulate_push(ctxt, ops);
		break;
	}
	return X86EMUL_CONTINUE;
}

static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
			       struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	u64 old = c->dst.orig_val64;

	if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
	    ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
		c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
		c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
		ctxt->eflags &= ~EFLG_ZF;
	} else {
		c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
			(u32) c->regs[VCPU_REGS_RBX];

		ctxt->eflags |= EFLG_ZF;
	}
	return X86EMUL_CONTINUE;
}
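
/*
 * Illustrative note (not part of the original sources): this implements
 * cmpxchg8b semantics.  If the 64-bit operand held 0x1111111122222222
 * and EDX:EAX == 0x11111111:0x22222222, the compare succeeds: ZF is set
 * and ECX:EBX is written back; otherwise ZF is cleared and the old
 * value lands in EDX:EAX.
 */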
static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc;
	unsigned long cs;

	rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	if (c->op_bytes == 4)
		c->eip = (u32)c->eip;
	rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
	return rc;
}

static inline void
setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops, struct desc_struct *cs,
			struct desc_struct *ss)
{
	memset(cs, 0, sizeof(struct desc_struct));
	ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
	memset(ss, 0, sizeof(struct desc_struct));

	cs->l = 0;		/* will be adjusted later */
	set_desc_base(cs, 0);	/* flat segment */
	cs->g = 1;		/* 4kb granularity */
	set_desc_limit(cs, 0xfffff);	/* 4GB limit */
	cs->type = 0x0b;	/* Read, Execute, Accessed */
	cs->s = 1;
	cs->dpl = 0;		/* will be adjusted later */
	cs->p = 1;
	cs->d = 1;

	set_desc_base(ss, 0);	/* flat segment */
	set_desc_limit(ss, 0xfffff);	/* 4GB limit */
	ss->g = 1;		/* 4kb granularity */
	ss->s = 1;
	ss->type = 0x03;	/* Read/Write, Accessed */
	ss->d = 1;		/* 32bit stack segment */
	ss->dpl = 0;
	ss->p = 1;
}
static int
emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	struct desc_struct cs, ss;
	u64 msr_data;
	u16 cs_sel, ss_sel;

	/* syscall is not available in real mode */
	if (ctxt->mode == X86EMUL_MODE_REAL ||
	    ctxt->mode == X86EMUL_MODE_VM86) {
		emulate_ud(ctxt);
		return X86EMUL_PROPAGATE_FAULT;
	}

	setup_syscalls_segments(ctxt, ops, &cs, &ss);

	ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
	msr_data >>= 32;
	cs_sel = (u16)(msr_data & 0xfffc);
	ss_sel = (u16)(msr_data + 8);

	if (is_long_mode(ctxt->vcpu)) {
		cs.d = 0;
		cs.l = 1;
	}
	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);

	c->regs[VCPU_REGS_RCX] = c->eip;
	if (is_long_mode(ctxt->vcpu)) {
#ifdef CONFIG_X86_64
		c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;

		ops->get_msr(ctxt->vcpu,
			     ctxt->mode == X86EMUL_MODE_PROT64 ?
			     MSR_LSTAR : MSR_CSTAR, &msr_data);
		c->eip = msr_data;

		ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
		ctxt->eflags &= ~(msr_data | EFLG_RF);
#endif
	} else {
		/* legacy mode */
		ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
		c->eip = (u32)msr_data;

		ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
	}

	return X86EMUL_CONTINUE;
}

static int
emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	struct desc_struct cs, ss;
	u64 msr_data;
	u16 cs_sel, ss_sel;

	/* inject #GP if in real mode */
	if (ctxt->mode == X86EMUL_MODE_REAL) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}

	/* XXX sysenter/sysexit have not been tested in 64bit mode.
	 * Therefore, we inject an #UD.
	 */
	if (ctxt->mode == X86EMUL_MODE_PROT64) {
		emulate_ud(ctxt);
		return X86EMUL_PROPAGATE_FAULT;
	}

	setup_syscalls_segments(ctxt, ops, &cs, &ss);

	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
	switch (ctxt->mode) {
	case X86EMUL_MODE_PROT32:
		if ((msr_data & 0xfffc) == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		break;
	case X86EMUL_MODE_PROT64:
		if (msr_data == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		break;
	}

	ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
	cs_sel = (u16)msr_data;
	cs_sel &= ~SELECTOR_RPL_MASK;
	ss_sel = cs_sel + 8;
	ss_sel &= ~SELECTOR_RPL_MASK;
	if (ctxt->mode == X86EMUL_MODE_PROT64
	    || is_long_mode(ctxt->vcpu)) {
		cs.d = 0;
		cs.l = 1;
	}

	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);

	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
	c->eip = msr_data;

	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
	c->regs[VCPU_REGS_RSP] = msr_data;

	return X86EMUL_CONTINUE;
}
static int
emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	struct desc_struct cs, ss;
	u64 msr_data;
	int usermode;
	u16 cs_sel, ss_sel;

	/* inject #GP if in real mode or Virtual 8086 mode */
	if (ctxt->mode == X86EMUL_MODE_REAL ||
	    ctxt->mode == X86EMUL_MODE_VM86) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}

	setup_syscalls_segments(ctxt, ops, &cs, &ss);

	if ((c->rex_prefix & 0x8) != 0x0)
		usermode = X86EMUL_MODE_PROT64;
	else
		usermode = X86EMUL_MODE_PROT32;

	cs.dpl = 3;
	ss.dpl = 3;
	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
	switch (usermode) {
	case X86EMUL_MODE_PROT32:
		cs_sel = (u16)(msr_data + 16);
		if ((msr_data & 0xfffc) == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		ss_sel = (u16)(msr_data + 24);
		break;
	case X86EMUL_MODE_PROT64:
		cs_sel = (u16)(msr_data + 32);
		if (msr_data == 0x0) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
		ss_sel = cs_sel + 8;
		cs.d = 0;
		cs.l = 1;
		break;
	}
	cs_sel |= SELECTOR_RPL_MASK;
	ss_sel |= SELECTOR_RPL_MASK;

	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);

	c->eip = c->regs[VCPU_REGS_RDX];
	c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];

	return X86EMUL_CONTINUE;
}
static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops)
{
	int iopl;
	if (ctxt->mode == X86EMUL_MODE_REAL)
		return false;
	if (ctxt->mode == X86EMUL_MODE_VM86)
		return true;
	iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
	return ops->cpl(ctxt->vcpu) > iopl;
}

static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
					    struct x86_emulate_ops *ops,
					    u16 port, u16 len)
{
	struct desc_struct tr_seg;
	int r;
	u16 io_bitmap_ptr;
	u8 perm, bit_idx = port & 0x7;
	unsigned mask = (1 << len) - 1;

	ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
	if (!tr_seg.p)
		return false;
	if (desc_limit_scaled(&tr_seg) < 103)
		return false;
	r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
			  ctxt->vcpu, NULL);
	if (r != X86EMUL_CONTINUE)
		return false;
	if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
		return false;
	r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
			  &perm, 1, ctxt->vcpu, NULL);
	if (r != X86EMUL_CONTINUE)
		return false;
	if ((perm >> bit_idx) & mask)
		return false;
	return true;
}

static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 u16 port, u16 len)
{
	if (ctxt->perm_ok)
		return true;

	if (emulator_bad_iopl(ctxt, ops))
		if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
			return false;

	ctxt->perm_ok = true;

	return true;
}
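
/*
 * Worked example (not part of the original sources): for port 0x3f9 and
 * len == 2, port/8 == 127 selects the TSS I/O bitmap byte, bit_idx == 1
 * and mask == 3, so the access is rejected if either of bits 1-2 of
 * that byte is set.
 */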
static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops,
				struct tss_segment_16 *tss)
{
	struct decode_cache *c = &ctxt->decode;

	tss->ip = c->eip;
	tss->flag = ctxt->eflags;
	tss->ax = c->regs[VCPU_REGS_RAX];
	tss->cx = c->regs[VCPU_REGS_RCX];
	tss->dx = c->regs[VCPU_REGS_RDX];
	tss->bx = c->regs[VCPU_REGS_RBX];
	tss->sp = c->regs[VCPU_REGS_RSP];
	tss->bp = c->regs[VCPU_REGS_RBP];
	tss->si = c->regs[VCPU_REGS_RSI];
	tss->di = c->regs[VCPU_REGS_RDI];

	tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
	tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
	tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
	tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
	tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
}
static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 struct tss_segment_16 *tss)
{
	struct decode_cache *c = &ctxt->decode;
	int ret;

	c->eip = tss->ip;
	ctxt->eflags = tss->flag | 2;
	c->regs[VCPU_REGS_RAX] = tss->ax;
	c->regs[VCPU_REGS_RCX] = tss->cx;
	c->regs[VCPU_REGS_RDX] = tss->dx;
	c->regs[VCPU_REGS_RBX] = tss->bx;
	c->regs[VCPU_REGS_RSP] = tss->sp;
	c->regs[VCPU_REGS_RBP] = tss->bp;
	c->regs[VCPU_REGS_RSI] = tss->si;
	c->regs[VCPU_REGS_RDI] = tss->di;

	/*
	 * SDM says that segment selectors are loaded before segment
	 * descriptors
	 */
	ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
	ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
	ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);

	/*
	 * Now load segment descriptors. If a fault happens at this stage,
	 * it is handled in the context of the new task.
	 */
	ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	return X86EMUL_CONTINUE;
}
static int task_switch_16(struct x86_emulate_ctxt *ctxt,
			  struct x86_emulate_ops *ops,
			  u16 tss_selector, u16 old_tss_sel,
			  ulong old_tss_base, struct desc_struct *new_desc)
{
	struct tss_segment_16 tss_seg;
	int ret;
	u32 err, new_tss_base = get_desc_base(new_desc);

	ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	save_state_to_tss16(ctxt, ops, &tss_seg);

	ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			     &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, new_tss_base, err);
		return ret;
	}

	if (old_tss_sel != 0xffff) {
		tss_seg.prev_task_link = old_tss_sel;

		ret = ops->write_std(new_tss_base,
				     &tss_seg.prev_task_link,
				     sizeof tss_seg.prev_task_link,
				     ctxt->vcpu, &err);
		if (ret == X86EMUL_PROPAGATE_FAULT) {
			/* FIXME: need to provide precise fault address */
			emulate_pf(ctxt, new_tss_base, err);
			return ret;
		}
	}

	return load_state_from_tss16(ctxt, ops, &tss_seg);
}

static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops,
				struct tss_segment_32 *tss)
{
	struct decode_cache *c = &ctxt->decode;

	tss->cr3 = ops->get_cr(3, ctxt->vcpu);
	tss->eip = c->eip;
	tss->eflags = ctxt->eflags;
	tss->eax = c->regs[VCPU_REGS_RAX];
	tss->ecx = c->regs[VCPU_REGS_RCX];
	tss->edx = c->regs[VCPU_REGS_RDX];
	tss->ebx = c->regs[VCPU_REGS_RBX];
	tss->esp = c->regs[VCPU_REGS_RSP];
	tss->ebp = c->regs[VCPU_REGS_RBP];
	tss->esi = c->regs[VCPU_REGS_RSI];
	tss->edi = c->regs[VCPU_REGS_RDI];

	tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
	tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
	tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
	tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
	tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
	tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
	tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
}
static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 struct tss_segment_32 *tss)
{
	struct decode_cache *c = &ctxt->decode;
	int ret;

	if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
		emulate_gp(ctxt, 0);
		return X86EMUL_PROPAGATE_FAULT;
	}
	c->eip = tss->eip;
	ctxt->eflags = tss->eflags | 2;
	c->regs[VCPU_REGS_RAX] = tss->eax;
	c->regs[VCPU_REGS_RCX] = tss->ecx;
	c->regs[VCPU_REGS_RDX] = tss->edx;
	c->regs[VCPU_REGS_RBX] = tss->ebx;
	c->regs[VCPU_REGS_RSP] = tss->esp;
	c->regs[VCPU_REGS_RBP] = tss->ebp;
	c->regs[VCPU_REGS_RSI] = tss->esi;
	c->regs[VCPU_REGS_RDI] = tss->edi;

	/*
	 * SDM says that segment selectors are loaded before segment
	 * descriptors
	 */
	ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
	ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
	ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
	ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
	ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);

	/*
	 * Now load segment descriptors. If a fault happens at this stage,
	 * it is handled in the context of the new task.
	 */
	ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	return X86EMUL_CONTINUE;
}
static int task_switch_32(struct x86_emulate_ctxt *ctxt,
			  struct x86_emulate_ops *ops,
			  u16 tss_selector, u16 old_tss_sel,
			  ulong old_tss_base, struct desc_struct *new_desc)
{
	struct tss_segment_32 tss_seg;
	int ret;
	u32 err, new_tss_base = get_desc_base(new_desc);

	ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	save_state_to_tss32(ctxt, ops, &tss_seg);

	ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			     &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, old_tss_base, err);
		return ret;
	}

	ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
		emulate_pf(ctxt, new_tss_base, err);
		return ret;
	}

	if (old_tss_sel != 0xffff) {
		tss_seg.prev_task_link = old_tss_sel;

		ret = ops->write_std(new_tss_base,
				     &tss_seg.prev_task_link,
				     sizeof tss_seg.prev_task_link,
				     ctxt->vcpu, &err);
		if (ret == X86EMUL_PROPAGATE_FAULT) {
			/* FIXME: need to provide precise fault address */
			emulate_pf(ctxt, new_tss_base, err);
			return ret;
		}
	}

	return load_state_from_tss32(ctxt, ops, &tss_seg);
}
static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
				   struct x86_emulate_ops *ops,
				   u16 tss_selector, int reason,
				   bool has_error_code, u32 error_code)
{
	struct desc_struct curr_tss_desc, next_tss_desc;
	int ret;
	u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
	ulong old_tss_base =
		ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
	u32 desc_limit;

	/* FIXME: old_tss_base == ~0 ? */

	ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	/* FIXME: check that next_tss_desc is tss */

	if (reason != TASK_SWITCH_IRET) {
		if ((tss_selector & 3) > next_tss_desc.dpl ||
		    ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
			emulate_gp(ctxt, 0);
			return X86EMUL_PROPAGATE_FAULT;
		}
	}

	desc_limit = desc_limit_scaled(&next_tss_desc);
	if (!next_tss_desc.p ||
	    ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
	     desc_limit < 0x2b)) {
		emulate_ts(ctxt, tss_selector & 0xfffc);
		return X86EMUL_PROPAGATE_FAULT;
	}

	if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
		curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
		write_segment_descriptor(ctxt, ops, old_tss_sel,
					 &curr_tss_desc);
	}

	if (reason == TASK_SWITCH_IRET)
		ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;

	/*
	 * Set the back link to the previous task only if the NT bit is set
	 * in eflags; note that old_tss_sel is not used after this point.
	 */
	if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
		old_tss_sel = 0xffff;

	if (next_tss_desc.type & 8)
		ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
				     old_tss_base, &next_tss_desc);
	else
		ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
				     old_tss_base, &next_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
		ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;

	if (reason != TASK_SWITCH_IRET) {
		next_tss_desc.type |= (1 << 1); /* set busy flag */
		write_segment_descriptor(ctxt, ops, tss_selector,
					 &next_tss_desc);
	}

	ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
	ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
	ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);

	if (has_error_code) {
		struct decode_cache *c = &ctxt->decode;

		c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
		c->lock_prefix = 0;
		c->src.val = (unsigned long) error_code;
		emulate_push(ctxt, ops);
	}

	return ret;
}
int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
			 u16 tss_selector, int reason,
			 bool has_error_code, u32 error_code)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct decode_cache *c = &ctxt->decode;
	int rc;

	c->eip = ctxt->eip;
	c->dst.type = OP_NONE;

	rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
				     has_error_code, error_code);

	if (rc == X86EMUL_CONTINUE) {
		rc = writeback(ctxt, ops);
		if (rc == X86EMUL_CONTINUE)
			ctxt->eip = c->eip;
	}

	return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
}
static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
			    int reg, struct operand *op)
{
	struct decode_cache *c = &ctxt->decode;
	int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;

	register_address_increment(c, &c->regs[reg], df * op->bytes);
	op->addr.mem = register_address(c, base, c->regs[reg]);
}

static int em_push(struct x86_emulate_ctxt *ctxt)
{
	emulate_push(ctxt, ctxt->ops);
	return X86EMUL_CONTINUE;
}
#define D(_y) { .flags = (_y) }
#define N    D(0)
#define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
#define GD(_f, _g) { .flags = ((_f) | Group | GroupDual), .u.gdual = (_g) }
#define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
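
/*
 * Illustrative expansion (not part of the original sources): a table
 * entry is just a struct opcode initializer, so
 *
 *	I(SrcReg | Stack, em_push)
 *
 * becomes { .flags = (SrcReg | Stack), .u.execute = (em_push) }, i.e. a
 * "push reg" that decodes its source generically and then runs through
 * em_push().
 */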
static struct opcode group1[] = {
	X7(D(Lock)), N
};

static struct opcode group1A[] = {
	D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
};

static struct opcode group3[] = {
	D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
	D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
	X4(D(Undefined)),
};

static struct opcode group4[] = {
	D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
	N, N, N, N, N, N,
};

static struct opcode group5[] = {
	D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
	D(SrcMem | ModRM | Stack), N,
	D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
	D(SrcMem | ModRM | Stack), N,
};

static struct group_dual group7 = { {
	N, N, D(ModRM | SrcMem | Priv), D(ModRM | SrcMem | Priv),
	D(SrcNone | ModRM | DstMem | Mov), N,
	D(SrcMem16 | ModRM | Mov | Priv),
	D(SrcMem | ModRM | ByteOp | Priv | NoAccess),
}, {
	D(SrcNone | ModRM | Priv), N, N, D(SrcNone | ModRM | Priv),
	D(SrcNone | ModRM | DstMem | Mov), N,
	D(SrcMem16 | ModRM | Mov | Priv), N,
} };

static struct opcode group8[] = {
	N, N, N, N,
	D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
	D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
};

static struct group_dual group9 = { {
	N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
}, {
	N, N, N, N, N, N, N, N,
} };

static struct opcode opcode_table[256] = {
	/* 0x00 - 0x07 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	/* 0x08 - 0x0F */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), N,
	/* 0x10 - 0x17 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	/* 0x18 - 0x1F */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	/* 0x20 - 0x27 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
	/* 0x28 - 0x2F */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
	/* 0x30 - 0x37 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImmByte), D(DstAcc | SrcImm), N, N,
	/* 0x38 - 0x3F */
	D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
	D(ByteOp | DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
	D(ByteOp | DstAcc | SrcImm), D(DstAcc | SrcImm),
	N, N,
	/* 0x40 - 0x4F */
	X16(D(DstReg)),
	/* 0x50 - 0x57 */
	X8(I(SrcReg | Stack, em_push)),
	/* 0x58 - 0x5F */
	X8(D(DstReg | Stack)),
	/* 0x60 - 0x67 */
	D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
	N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
	N, N, N, N,
	/* 0x68 - 0x6F */
	I(SrcImm | Mov | Stack, em_push), N,
	I(SrcImmByte | Mov | Stack, em_push), N,
	D(DstDI | ByteOp | Mov | String), D(DstDI | Mov | String), /* insb, insw/insd */
	D(SrcSI | ByteOp | ImplicitOps | String), D(SrcSI | ImplicitOps | String), /* outsb, outsw/outsd */
	/* 0x70 - 0x7F */
	X16(D(SrcImmByte)),
	/* 0x80 - 0x87 */
	G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
	G(DstMem | SrcImm | ModRM | Group, group1),
	G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
	G(DstMem | SrcImmByte | ModRM | Group, group1),
	D(ByteOp | DstMem | SrcReg | ModRM), D(DstMem | SrcReg | ModRM),
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	/* 0x88 - 0x8F */
	D(ByteOp | DstMem | SrcReg | ModRM | Mov), D(DstMem | SrcReg | ModRM | Mov),
	D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem | ModRM | Mov),
	D(DstMem | SrcNone | ModRM | Mov), D(ModRM | SrcMem | NoAccess | DstReg),
	D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
	/* 0x90 - 0x97 */
	X8(D(SrcAcc | DstReg)),
	/* 0x98 - 0x9F */
	N, N, D(SrcImmFAddr | No64), N,
	D(ImplicitOps | Stack), D(ImplicitOps | Stack), N, N,
	/* 0xA0 - 0xA7 */
	D(ByteOp | DstAcc | SrcMem | Mov | MemAbs), D(DstAcc | SrcMem | Mov | MemAbs),
	D(ByteOp | DstMem | SrcAcc | Mov | MemAbs), D(DstMem | SrcAcc | Mov | MemAbs),
	D(ByteOp | SrcSI | DstDI | Mov | String), D(SrcSI | DstDI | Mov | String),
	D(ByteOp | SrcSI | DstDI | String), D(SrcSI | DstDI | String),
	/* 0xA8 - 0xAF */
	D(DstAcc | SrcImmByte | ByteOp), D(DstAcc | SrcImm), D(ByteOp | DstDI | Mov | String), D(DstDI | Mov | String),
	D(ByteOp | SrcSI | DstAcc | Mov | String), D(SrcSI | DstAcc | Mov | String),
	D(ByteOp | DstDI | String), D(DstDI | String),
	/* 0xB0 - 0xB7 */
	X8(D(ByteOp | DstReg | SrcImm | Mov)),
	/* 0xB8 - 0xBF */
	X8(D(DstReg | SrcImm | Mov)),
	/* 0xC0 - 0xC7 */
	D(ByteOp | DstMem | SrcImm | ModRM), D(DstMem | SrcImmByte | ModRM),
	N, D(ImplicitOps | Stack), N, N,
	D(ByteOp | DstMem | SrcImm | ModRM | Mov), D(DstMem | SrcImm | ModRM | Mov),
	/* 0xC8 - 0xCF */
	N, N, N, D(ImplicitOps | Stack),
	D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64), D(ImplicitOps),
	/* 0xD0 - 0xD7 */
	D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
	D(ByteOp | DstMem | SrcImplicit | ModRM), D(DstMem | SrcImplicit | ModRM),
	N, N, N, N,
	/* 0xD8 - 0xDF */
	N, N, N, N, N, N, N, N,
	/* 0xE0 - 0xE7 */
	N, N, N, N,
	D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
	D(ByteOp | SrcImmUByte | DstAcc), D(SrcImmUByte | DstAcc),
	/* 0xE8 - 0xEF */
	D(SrcImm | Stack), D(SrcImm | ImplicitOps),
	D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
	D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
	D(SrcNone | ByteOp | DstAcc), D(SrcNone | DstAcc),
	/* 0xF0 - 0xF7 */
	N, N, N, N,
	D(ImplicitOps | Priv), D(ImplicitOps), G(ByteOp, group3), G(0, group3),
	/* 0xF8 - 0xFF */
	D(ImplicitOps), N, D(ImplicitOps), D(ImplicitOps),
	D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
};

static struct opcode twobyte_table[256] = {
	/* 0x00 - 0x0F */
	N, GD(0, &group7), N, N,
	N, D(ImplicitOps), D(ImplicitOps | Priv), N,
	D(ImplicitOps | Priv), D(ImplicitOps | Priv), N, N,
	N, D(ImplicitOps | ModRM), N, N,
	/* 0x10 - 0x1F */
	N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
	/* 0x20 - 0x2F */
	D(ModRM | DstMem | Priv | Op3264), D(ModRM | DstMem | Priv | Op3264),
	D(ModRM | SrcMem | Priv | Op3264), D(ModRM | SrcMem | Priv | Op3264),
	N, N, N, N,
	N, N, N, N, N, N, N, N,
	/* 0x30 - 0x3F */
	D(ImplicitOps | Priv), N, D(ImplicitOps | Priv), N,
	D(ImplicitOps), D(ImplicitOps | Priv), N, N,
	N, N, N, N, N, N, N, N,
	/* 0x40 - 0x4F */
	X16(D(DstReg | SrcMem | ModRM | Mov)),
	/* 0x50 - 0x5F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0x60 - 0x6F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0x70 - 0x7F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0x80 - 0x8F */
	X16(D(SrcImm)),
	/* 0x90 - 0x9F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xA0 - 0xA7 */
	D(ImplicitOps | Stack), D(ImplicitOps | Stack),
	N, D(DstMem | SrcReg | ModRM | BitOp),
	D(DstMem | SrcReg | Src2ImmByte | ModRM),
	D(DstMem | SrcReg | Src2CL | ModRM), N, N,
	/* 0xA8 - 0xAF */
	D(ImplicitOps | Stack), D(ImplicitOps | Stack),
	N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
	D(DstMem | SrcReg | Src2ImmByte | ModRM),
	D(DstMem | SrcReg | Src2CL | ModRM),
	D(ModRM), N,
	/* 0xB0 - 0xB7 */
	D(ByteOp | DstMem | SrcReg | ModRM | Lock), D(DstMem | SrcReg | ModRM | Lock),
	N, D(DstMem | SrcReg | ModRM | BitOp | Lock),
	N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
	D(DstReg | SrcMem16 | ModRM | Mov),
	/* 0xB8 - 0xBF */
	N, N,
	G(0, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
	N, N, D(ByteOp | DstReg | SrcMem | ModRM | Mov),
	D(DstReg | SrcMem16 | ModRM | Mov),
	/* 0xC0 - 0xCF */
	N, N, N, D(DstMem | SrcReg | ModRM | Mov),
	N, N, N, GD(0, &group9),
	N, N, N, N, N, N, N, N,
	/* 0xD0 - 0xDF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xE0 - 0xEF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xF0 - 0xFF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
};

#undef D
#undef N
#undef G
#undef GD
#undef I
2266 };
2274 int
2275 x86_decode_insn(struct x86_emulate_ctxt *ctxt)
2276 {
2277 struct x86_emulate_ops *ops = ctxt->ops;
2278 struct decode_cache *c = &ctxt->decode;
2279 int rc = X86EMUL_CONTINUE;
2280 int mode = ctxt->mode;
2281 int def_op_bytes, def_ad_bytes, dual, goffset;
2282 struct opcode opcode, *g_mod012, *g_mod3;
2284 /* We cannot decode a new insn before the previous rep insn completes. */
2285 WARN_ON(ctxt->restart);
2288 c->fetch.start = c->fetch.end = c->eip;
2289 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
2291 switch (mode) {
2292 case X86EMUL_MODE_REAL:
2293 case X86EMUL_MODE_VM86:
2294 case X86EMUL_MODE_PROT16:
2295 def_op_bytes = def_ad_bytes = 2;
2297 case X86EMUL_MODE_PROT32:
2298 def_op_bytes = def_ad_bytes = 4;
2300 #ifdef CONFIG_X86_64
2301 case X86EMUL_MODE_PROT64:
2302 def_op_bytes = 4;
2303 def_ad_bytes = 8;
2304 break;
2305 #endif
2306 default:
2307 return -1;
2308 }
2310 c->op_bytes = def_op_bytes;
2311 c->ad_bytes = def_ad_bytes;
2313 /* Legacy prefixes. */
2314 for (;;) {
2315 switch (c->b = insn_fetch(u8, 1, c->eip)) {
2316 case 0x66: /* operand-size override */
2317 /* switch between 2/4 bytes */
2318 c->op_bytes = def_op_bytes ^ 6;
2320 case 0x67: /* address-size override */
2321 if (mode == X86EMUL_MODE_PROT64)
2322 /* switch between 4/8 bytes */
2323 c->ad_bytes = def_ad_bytes ^ 12;
2324 else
2325 /* switch between 2/4 bytes */
2326 c->ad_bytes = def_ad_bytes ^ 6;
2327 break;
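/*
 * Worked example of the XOR toggles above: 2 ^ 6 == 4 and 4 ^ 6 == 2,
 * so op_bytes flips between the two legal non-default operand sizes;
 * likewise 4 ^ 12 == 8 and 8 ^ 12 == 4 flip the address size in
 * 64-bit mode.
 */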
2328 case 0x26: /* ES override */
2329 case 0x2e: /* CS override */
2330 case 0x36: /* SS override */
2331 case 0x3e: /* DS override */
2332 set_seg_override(c, (c->b >> 3) & 3);
2334 case 0x64: /* FS override */
2335 case 0x65: /* GS override */
2336 set_seg_override(c, c->b & 7);
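/*
 * Example of the bit extraction above: (0x26 >> 3) & 3 == 0 for ES and
 * (0x3e >> 3) & 3 == 3 for DS, while 0x64 & 7 == 4 and 0x65 & 7 == 5,
 * matching the VCPU_SREG_{ES,CS,SS,DS,FS,GS} = 0..5 numbering.
 */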
2338 case 0x40 ... 0x4f: /* REX */
2339 if (mode != X86EMUL_MODE_PROT64)
2340 goto done_prefixes;
2341 c->rex_prefix = c->b;
2342 continue;
2343 case 0xf0: /* LOCK */
2344 c->lock_prefix = 1;
2345 break;
2346 case 0xf2: /* REPNE/REPNZ */
2347 c->rep_prefix = REPNE_PREFIX;
2349 case 0xf3: /* REP/REPE/REPZ */
2350 c->rep_prefix = REPE_PREFIX;
2351 break;
2352 default:
2353 goto done_prefixes;
2354 }
2356 /* Any legacy prefix after a REX prefix nullifies its effect. */
2358 c->rex_prefix = 0;
2359 }
2361 done_prefixes:
2364 if (c->rex_prefix & 8)
2365 c->op_bytes = 8; /* REX.W */
2367 /* Opcode byte(s). */
2368 opcode = opcode_table[c->b];
2369 if (opcode.flags == 0) {
2370 /* Two-byte opcode? */
2371 if (c->b == 0x0f) {
2372 c->twobyte = 1;
2373 c->b = insn_fetch(u8, 1, c->eip);
2374 opcode = twobyte_table[c->b];
2377 c->d = opcode.flags;
2380 dual = c->d & GroupDual;
2381 c->modrm = insn_fetch(u8, 1, c->eip);
2382 --c->eip; /* decode_modrm() will fetch the ModRM byte again */
2384 if (dual) {
2385 g_mod012 = opcode.u.gdual->mod012;
2386 g_mod3 = opcode.u.gdual->mod3;
2388 g_mod012 = g_mod3 = opcode.u.group;
2390 c->d &= ~(Group | GroupDual);
2392 goffset = (c->modrm >> 3) & 7;
2394 if ((c->modrm >> 6) == 3)
2395 opcode = g_mod3[goffset];
2396 else
2397 opcode = g_mod012[goffset];
2398 c->d |= opcode.flags;
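/*
 * Example: opcode 0x80 with ModRM byte 0xf8 gives mod == 3 and
 * goffset == 7, so the entry is taken from group1[7] ("cmp") and its
 * flags are OR'ed into c->d on top of the opcode_table entry.
 */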
2401 c->execute = opcode.u.execute;
2404 if (c->d == 0 || (c->d & Undefined)) {
2405 DPRINTF("Cannot emulate %02x\n", c->b);
2409 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
2410 c->op_bytes = 8; /* stack ops default to 64-bit operands in long mode */
2412 if (c->d & Op3264) {
2413 if (mode == X86EMUL_MODE_PROT64)
2414 c->op_bytes = 8;
2415 else
2416 c->op_bytes = 4;
2417 }
2419 /* ModRM and SIB bytes. */
2420 if (c->d & ModRM) {
2421 rc = decode_modrm(ctxt, ops);
2422 if (!c->has_seg_override)
2423 set_seg_override(c, c->modrm_seg);
2424 } else if (c->d & MemAbs)
2425 rc = decode_abs(ctxt, ops);
2426 if (rc != X86EMUL_CONTINUE)
2429 if (!c->has_seg_override)
2430 set_seg_override(c, VCPU_SREG_DS);
2432 if (c->twobyte || c->b != 0x8d) /* everything except lea, which wants the raw offset */
2433 c->modrm_ea += seg_override_base(ctxt, ops, c);
2435 if (c->ad_bytes != 8)
2436 c->modrm_ea = (u32)c->modrm_ea;
2438 if (c->rip_relative)
2439 c->modrm_ea += c->eip;
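/*
 * In 64-bit mode, mod == 0 with r/m == 5 encodes a disp32 relative to
 * the instruction pointer, so the displacement collected in modrm_ea
 * is rebased against c->eip here.
 */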
2442 * Decode and fetch the source operand: register, memory
2445 switch (c->d & SrcMask) {
2446 case SrcNone:
2447 break;
2448 case SrcReg:
2449 decode_register_operand(&c->src, c, 0);
2450 break;
2451 case SrcMem16:
2452 c->src.bytes = 2;
2453 goto srcmem_common;
2454 case SrcMem32:
2455 c->src.bytes = 4;
2456 goto srcmem_common;
2457 case SrcMem:
2458 c->src.bytes = (c->d & ByteOp) ? 1 :
2459 c->op_bytes;
2460 /* Don't fetch the address for invlpg: it could be unmapped. */
2461 if (c->d & NoAccess)
2462 break;
2463 srcmem_common:
2464 /*
2465 * For instructions with a ModR/M byte, switch to register
2466 * access if Mod = 3.
2467 */
2468 if ((c->d & ModRM) && c->modrm_mod == 3) {
2469 c->src.type = OP_REG;
2470 c->src.val = c->modrm_val;
2471 c->src.addr.reg = c->modrm_ptr;
2472 break;
2473 }
2474 c->src.type = OP_MEM;
2475 c->src.addr.mem = c->modrm_ea;
2476 break;
2477 case SrcImm:
2478 case SrcImmU:
2480 c->src.type = OP_IMM;
2481 c->src.addr.mem = c->eip;
2482 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2483 if (c->src.bytes == 8)
2484 c->src.bytes = 4;
2485 /* NB. Immediates are sign-extended as necessary. */
2486 switch (c->src.bytes) {
2487 case 1:
2488 c->src.val = insn_fetch(s8, 1, c->eip);
2489 break;
2490 case 2:
2491 c->src.val = insn_fetch(s16, 2, c->eip);
2492 break;
2493 case 4:
2494 c->src.val = insn_fetch(s32, 4, c->eip);
2495 break;
2496 }
2497 if ((c->d & SrcMask) == SrcImmU) {
2498 switch (c->src.bytes) {
2499 case 1:
2500 c->src.val &= 0xff;
2501 break;
2502 case 2:
2503 c->src.val &= 0xffff;
2504 break;
2505 case 4:
2506 c->src.val &= 0xffffffff;
2507 break;
2508 }
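/*
 * Worked example: a 16-bit SrcImmU immediate 0xfffe is fetched as
 * s16 (-2), which sign-extends into the upper bits of src.val; the
 * masking above restores the unsigned value 0xfffe.
 */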
2509 break;
2510 case SrcImmByte:
2511 case SrcImmUByte:
2513 c->src.type = OP_IMM;
2514 c->src.addr.mem = c->eip;
2516 if ((c->d & SrcMask) == SrcImmByte)
2517 c->src.val = insn_fetch(s8, 1, c->eip);
2518 else
2519 c->src.val = insn_fetch(u8, 1, c->eip);
2520 break;
2521 case SrcAcc:
2522 c->src.type = OP_REG;
2523 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2524 c->src.addr.reg = &c->regs[VCPU_REGS_RAX];
2525 fetch_register_operand(&c->src);
2526 break;
2527 case SrcOne:
2528 c->src.bytes = 1;
2529 c->src.val = 1;
2530 break;
2531 case SrcSI:
2532 c->src.type = OP_MEM;
2533 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2534 c->src.addr.mem =
2535 register_address(c, seg_override_base(ctxt, ops, c),
2536 c->regs[VCPU_REGS_RSI]);
2538 break;
2539 case SrcImmFAddr:
2540 c->src.type = OP_IMM;
2541 c->src.addr.mem = c->eip;
2542 c->src.bytes = c->op_bytes + 2;
2543 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
2544 break;
2545 case SrcMemFAddr:
2546 c->src.type = OP_MEM;
2547 c->src.addr.mem = c->modrm_ea;
2548 c->src.bytes = c->op_bytes + 2;
2553 * Decode and fetch the second source operand: register, memory
2556 switch (c->d & Src2Mask) {
2557 case Src2None:
2558 break;
2559 case Src2CL:
2560 c->src2.bytes = 1;
2561 c->src2.val = c->regs[VCPU_REGS_RCX] & 0xff; /* CL is the whole low byte, not bit 3 */
2562 break;
2563 case Src2ImmByte:
2564 c->src2.type = OP_IMM;
2565 c->src2.addr.mem = c->eip;
2566 c->src2.bytes = 1;
2567 c->src2.val = insn_fetch(u8, 1, c->eip);
2568 break;
2569 case Src2One:
2570 c->src2.bytes = 1;
2571 c->src2.val = 1;
2572 break;
2573 }
2575 /* Decode and fetch the destination operand: register or memory. */
2576 switch (c->d & DstMask) {
2577 case ImplicitOps:
2578 /* Special instructions do their own operand decoding. */
2579 return 0;
2580 case DstReg:
2581 decode_register_operand(&c->dst, c,
2582 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
2583 break;
2584 case DstMem:
2585 case DstMem64:
2586 if ((c->d & ModRM) && c->modrm_mod == 3) {
2587 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2588 c->dst.type = OP_REG;
2589 c->dst.val = c->dst.orig_val = c->modrm_val;
2590 c->dst.addr.reg = c->modrm_ptr;
2591 break;
2592 }
2593 c->dst.type = OP_MEM;
2594 c->dst.addr.mem = c->modrm_ea;
2595 if ((c->d & DstMask) == DstMem64)
2596 c->dst.bytes = 8;
2597 else
2598 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
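/*
 * For bit ops the decoded address is only a base. Worked example with
 * a 32-bit operand and bit offset 100: mask == ~31, (100 & ~31) / 8 == 12,
 * so 12 bytes are added below; the residual offset 100 & 31 == 4 is
 * masked back in at execution time.
 */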
2599 c->dst.val = 0;
2600 if (c->d & BitOp) {
2601 unsigned long mask = ~(c->dst.bytes * 8 - 1);
2603 c->dst.addr.mem = c->dst.addr.mem +
2604 (c->src.val & mask) / 8;
2605 }
2606 break;
2607 case DstAcc:
2608 c->dst.type = OP_REG;
2609 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2610 c->dst.addr.reg = &c->regs[VCPU_REGS_RAX];
2611 fetch_register_operand(&c->dst);
2612 c->dst.orig_val = c->dst.val;
2613 break;
2614 case DstDI:
2615 c->dst.type = OP_MEM;
2616 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2617 c->dst.addr.mem =
2618 register_address(c, es_base(ctxt, ops),
2619 c->regs[VCPU_REGS_RDI]);
2621 break;
2622 }
2624 done:
2625 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2626 }
2628 int
2629 x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
2630 {
2631 struct x86_emulate_ops *ops = ctxt->ops;
2632 u64 msr_data;
2633 struct decode_cache *c = &ctxt->decode;
2634 int rc = X86EMUL_CONTINUE;
2635 int saved_dst_type = c->dst.type;
2637 ctxt->decode.mem_read.pos = 0;
2639 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2640 emulate_ud(ctxt);
2641 goto done;
2642 }
2644 /* LOCK prefix is allowed only with some instructions */
2645 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2646 emulate_ud(ctxt);
2647 goto done;
2648 }
2650 /* Privileged instruction can be executed only in CPL=0 */
2651 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2652 emulate_gp(ctxt, 0);
2653 goto done;
2654 }
2656 if (c->rep_prefix && (c->d & String)) {
2657 ctxt->restart = true;
2658 /* All REP prefixes have the same first termination condition */
2659 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2660 string_done:
2661 ctxt->restart = false;
2662 ctxt->eip = c->eip;
2663 goto done;
2664 }
2665 /* The second termination condition applies only to REPE/REPZ
2666 * and REPNE/REPNZ. If the repeat prefix is one of those, test
2667 * ZF after each iteration and stop according to:
2669 * - if REPE/REPZ and ZF = 0 then done
2670 * - if REPNE/REPNZ and ZF = 1 then done
2671 */
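/*
 * Example: "repe cmpsb" (0xf3 0xa6) stops at the first mismatch, which
 * clears ZF; "repne scasb" (0xf2 0xae) stops at the first match, which
 * sets ZF. Either way RCX reaching zero also terminates the loop.
 */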
2672 if ((c->b == 0xa6) || (c->b == 0xa7) ||
2673 (c->b == 0xae) || (c->b == 0xaf)) {
2674 if ((c->rep_prefix == REPE_PREFIX) &&
2675 ((ctxt->eflags & EFLG_ZF) == 0))
2676 goto string_done;
2677 if ((c->rep_prefix == REPNE_PREFIX) &&
2678 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
2679 goto string_done;
2680 }
2681 c->eip = ctxt->eip;
2682 }
2684 if (c->src.type == OP_MEM) {
2685 rc = read_emulated(ctxt, ops, c->src.addr.mem,
2686 c->src.valptr, c->src.bytes);
2687 if (rc != X86EMUL_CONTINUE)
2689 c->src.orig_val64 = c->src.val64;
2692 if (c->src2.type == OP_MEM) {
2693 rc = read_emulated(ctxt, ops, c->src2.addr.mem,
2694 &c->src2.val, c->src2.bytes);
2695 if (rc != X86EMUL_CONTINUE)
2699 if ((c->d & DstMask) == ImplicitOps)
2700 goto special_insn;
2703 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
2704 /* optimisation - avoid slow emulated read if Mov */
2705 rc = read_emulated(ctxt, ops, c->dst.addr.mem,
2706 &c->dst.val, c->dst.bytes);
2707 if (rc != X86EMUL_CONTINUE)
2710 c->dst.orig_val = c->dst.val;
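/*
 * orig_val matters at writeback time: for a locked instruction,
 * writeback() uses it as the expected old value of its emulated
 * cmpxchg on the memory destination.
 */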
2712 special_insn:
2714 if (c->execute) {
2715 rc = c->execute(ctxt);
2716 if (rc != X86EMUL_CONTINUE)
2717 goto done;
2718 goto writeback;
2719 }
2721 if (c->twobyte)
2722 goto twobyte_insn;
2724 switch (c->b) {
2725 case 0x00 ... 0x05:
2726 add: /* add */
2727 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2729 case 0x06: /* push es */
2730 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
2732 case 0x07: /* pop es */
2733 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2734 if (rc != X86EMUL_CONTINUE)
2735 goto done;
2736 break;
2737 case 0x08 ... 0x0d:
2738 or: /* or */
2739 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2741 case 0x0e: /* push cs */
2742 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
2746 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2748 case 0x16: /* push ss */
2749 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
2751 case 0x17: /* pop ss */
2752 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2753 if (rc != X86EMUL_CONTINUE)
2758 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2760 case 0x1e: /* push ds */
2761 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
2763 case 0x1f: /* pop ds */
2764 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2765 if (rc != X86EMUL_CONTINUE)
2770 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2774 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2778 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2782 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2784 case 0x40 ... 0x47: /* inc r16/r32 */
2785 emulate_1op("inc", c->dst, ctxt->eflags);
2787 case 0x48 ... 0x4f: /* dec r16/r32 */
2788 emulate_1op("dec", c->dst, ctxt->eflags);
2790 case 0x58 ... 0x5f: /* pop reg */
2791 pop_instruction:
2792 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2793 if (rc != X86EMUL_CONTINUE)
2796 case 0x60: /* pusha */
2797 rc = emulate_pusha(ctxt, ops);
2798 if (rc != X86EMUL_CONTINUE)
2801 case 0x61: /* popa */
2802 rc = emulate_popa(ctxt, ops);
2803 if (rc != X86EMUL_CONTINUE)
2806 case 0x63: /* movsxd */
2807 if (ctxt->mode != X86EMUL_MODE_PROT64)
2808 goto cannot_emulate;
2809 c->dst.val = (s32) c->src.val;
2811 case 0x6c: /* insb */
2812 case 0x6d: /* insw/insd */
2813 c->dst.bytes = min(c->dst.bytes, 4u);
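/* Port I/O moves at most 4 bytes; in/out have no 64-bit form. */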
2814 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2815 c->dst.bytes)) {
2816 emulate_gp(ctxt, 0);
2817 goto done;
2818 }
2819 if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
2820 c->regs[VCPU_REGS_RDX], &c->dst.val))
2821 goto done; /* IO is needed, skip writeback */
2823 case 0x6e: /* outsb */
2824 case 0x6f: /* outsw/outsd */
2825 c->src.bytes = min(c->src.bytes, 4u);
2826 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2827 c->src.bytes)) {
2828 emulate_gp(ctxt, 0);
2829 goto done;
2830 }
2831 ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
2832 &c->src.val, 1, ctxt->vcpu);
2834 c->dst.type = OP_NONE; /* nothing to writeback */
2836 case 0x70 ... 0x7f: /* jcc (short) */
2837 if (test_cc(c->b, ctxt->eflags))
2838 jmp_rel(c, c->src.val);
2840 case 0x80 ... 0x83: /* Grp1 */
2841 switch (c->modrm_reg) {
2842 case 0: goto add; case 1: goto or; case 2: goto adc; case 3: goto sbb;
case 4: goto and; case 5: goto sub; case 6: goto xor; case 7: goto cmp;
2858 }
2859 break;
2860 case 0x84 ... 0x85:
2861 test:
2862 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2864 case 0x86 ... 0x87: /* xchg */
2865 xchg:
2866 /* Write back the register source. */
2867 switch (c->dst.bytes) {
2868 case 1:
2869 *(u8 *) c->src.addr.reg = (u8) c->dst.val;
2870 break;
2871 case 2:
2872 *(u16 *) c->src.addr.reg = (u16) c->dst.val;
2873 break;
2874 case 4:
2875 *c->src.addr.reg = (u32) c->dst.val;
2876 break; /* 64b reg: zero-extend */
2877 case 8:
2878 *c->src.addr.reg = c->dst.val;
2879 break;
2880 }
2881 /*
2882 * Write back the memory destination with implicit LOCK
2883 * prefix.
2884 */
2885 c->dst.val = c->src.val;
2888 case 0x88 ... 0x8b: /* mov */
2889 goto mov;
2890 case 0x8c: /* mov r/m, sreg */
2891 if (c->modrm_reg > VCPU_SREG_GS) {
2892 emulate_ud(ctxt);
2893 goto done;
2894 }
2895 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
2897 case 0x8d: /* lea r16/r32, m */
2898 c->dst.val = c->src.addr.mem;
2900 case 0x8e: { /* mov seg, r/m16 */
2901 uint16_t sel;
2903 sel = c->src.val;
2905 if (c->modrm_reg == VCPU_SREG_CS ||
2906 c->modrm_reg > VCPU_SREG_GS) {
2907 emulate_ud(ctxt);
2908 goto done;
2909 }
2911 if (c->modrm_reg == VCPU_SREG_SS)
2912 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
2914 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
2916 c->dst.type = OP_NONE; /* Disable writeback. */
2919 case 0x8f: /* pop (sole member of Grp1a) */
2920 rc = emulate_grp1a(ctxt, ops);
2921 if (rc != X86EMUL_CONTINUE)
2924 case 0x90 ... 0x97: /* nop / xchg reg, rax */
2925 if (c->dst.addr.reg == &c->regs[VCPU_REGS_RAX])
2926 break;
2927 goto xchg;
2928 case 0x9c: /* pushf */
2929 c->src.val = (unsigned long) ctxt->eflags;
2930 emulate_push(ctxt, ops);
2932 case 0x9d: /* popf */
2933 c->dst.type = OP_REG;
2934 c->dst.addr.reg = &ctxt->eflags;
2935 c->dst.bytes = c->op_bytes;
2936 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
2937 if (rc != X86EMUL_CONTINUE)
2940 case 0xa0 ... 0xa3: /* mov */
2941 case 0xa4 ... 0xa5: /* movs */
2942 goto mov;
2943 case 0xa6 ... 0xa7: /* cmps */
2944 c->dst.type = OP_NONE; /* Disable writeback. */
2945 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.addr.mem, c->dst.addr.mem);
2947 case 0xa8 ... 0xa9: /* test ax, imm */
2948 goto test;
2949 case 0xaa ... 0xab: /* stos */
2950 c->dst.val = c->regs[VCPU_REGS_RAX];
2952 case 0xac ... 0xad: /* lods */
2953 goto mov;
2954 case 0xae ... 0xaf: /* scas */
2955 DPRINTF("Urk! I don't handle SCAS.\n");
2956 goto cannot_emulate;
2957 case 0xb0 ... 0xbf: /* mov r, imm */
2958 goto mov;
2962 case 0xc3: /* ret */
2963 c->dst.type = OP_REG;
2964 c->dst.addr.reg = &c->eip;
2965 c->dst.bytes = c->op_bytes;
2966 goto pop_instruction;
2967 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
2968 mov:
2969 c->dst.val = c->src.val;
2971 case 0xcb: /* ret far */
2972 rc = emulate_ret_far(ctxt, ops);
2973 if (rc != X86EMUL_CONTINUE)
2976 case 0xcf: /* iret */
2977 rc = emulate_iret(ctxt, ops);
2979 if (rc != X86EMUL_CONTINUE)
2982 case 0xd0 ... 0xd1: /* Grp2 */
2983 emulate_grp2(ctxt);
2984 break;
2986 case 0xd2 ... 0xd3: /* Grp2 */
2987 c->src.val = c->regs[VCPU_REGS_RCX];
2988 emulate_grp2(ctxt);
2989 break;
2990 case 0xe4: /* inb */
2991 case 0xe5: /* in */
2992 goto do_io_in;
2993 case 0xe6: /* outb */
2994 case 0xe7: /* out */
2995 goto do_io_out;
2996 case 0xe8: /* call (near) */ {
2997 long int rel = c->src.val;
2998 c->src.val = (unsigned long) c->eip;
2999 jmp_rel(c, rel);
3000 emulate_push(ctxt, ops);
3003 case 0xe9: /* jmp rel */
3004 goto jmp;
3005 case 0xea: { /* jmp far */
3006 unsigned short sel;
3007 jump_far:
3008 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
3010 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
3011 goto done;
3013 c->eip = 0;
3014 memcpy(&c->eip, c->src.valptr, c->op_bytes);
3015 break;
3016 }
3017 case 0xeb:
3018 jmp: /* jmp rel short */
3019 jmp_rel(c, c->src.val);
3020 c->dst.type = OP_NONE; /* Disable writeback. */
3022 case 0xec: /* in al,dx */
3023 case 0xed: /* in (e/r)ax,dx */
3024 c->src.val = c->regs[VCPU_REGS_RDX];
3025 do_io_in:
3026 c->dst.bytes = min(c->dst.bytes, 4u);
3027 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3028 emulate_gp(ctxt, 0);
3029 goto done;
3030 }
3031 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
3032 &c->dst.val))
3033 goto done; /* IO is needed */
3035 case 0xee: /* out dx,al */
3036 case 0xef: /* out dx,(e/r)ax */
3037 c->src.val = c->regs[VCPU_REGS_RDX];
3038 do_io_out:
3039 c->dst.bytes = min(c->dst.bytes, 4u);
3040 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
3041 emulate_gp(ctxt, 0);
3042 goto done;
3043 }
3044 ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
3045 ctxt->vcpu);
3046 c->dst.type = OP_NONE; /* Disable writeback. */
3048 case 0xf4: /* hlt */
3049 ctxt->vcpu->arch.halt_request = 1;
3051 case 0xf5: /* cmc */
3052 /* complement carry flag from eflags reg */
3053 ctxt->eflags ^= EFLG_CF;
3054 c->dst.type = OP_NONE; /* Disable writeback. */
3056 case 0xf6 ... 0xf7: /* Grp3 */
3057 if (!emulate_grp3(ctxt, ops))
3058 goto cannot_emulate;
3060 case 0xf8: /* clc */
3061 ctxt->eflags &= ~EFLG_CF;
3062 c->dst.type = OP_NONE; /* Disable writeback. */
3064 case 0xfa: /* cli */
3065 if (emulator_bad_iopl(ctxt, ops)) {
3066 emulate_gp(ctxt, 0);
3067 goto done;
3068 } else {
3069 ctxt->eflags &= ~X86_EFLAGS_IF;
3070 c->dst.type = OP_NONE; /* Disable writeback. */
3073 case 0xfb: /* sti */
3074 if (emulator_bad_iopl(ctxt, ops)) {
3075 emulate_gp(ctxt, 0);
3076 goto done;
3077 } else {
3078 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3079 ctxt->eflags |= X86_EFLAGS_IF;
3080 c->dst.type = OP_NONE; /* Disable writeback. */
3083 case 0xfc: /* cld */
3084 ctxt->eflags &= ~EFLG_DF;
3085 c->dst.type = OP_NONE; /* Disable writeback. */
3087 case 0xfd: /* std */
3088 ctxt->eflags |= EFLG_DF;
3089 c->dst.type = OP_NONE; /* Disable writeback. */
3091 case 0xfe: /* Grp4 */
3092 grp45:
3093 rc = emulate_grp45(ctxt, ops);
3094 if (rc != X86EMUL_CONTINUE)
3097 case 0xff: /* Grp5 */
3098 if (c->modrm_reg == 5)
3099 goto jump_far;
3100 goto grp45;
3101 default:
3102 goto cannot_emulate;
3103 }
3105 writeback:
3106 rc = writeback(ctxt, ops);
3107 if (rc != X86EMUL_CONTINUE)
3108 goto done;
3110 /*
3111 * Restore dst type in case the decoding will be reused
3112 * (happens for string instructions).
3113 */
3114 c->dst.type = saved_dst_type;
3116 if ((c->d & SrcMask) == SrcSI)
3117 string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
3118 VCPU_REGS_RSI, &c->src);
3120 if ((c->d & DstMask) == DstDI)
3121 string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
3122 &c->dst);
3124 if (c->rep_prefix && (c->d & String)) {
3125 struct read_cache *rc = &ctxt->decode.io_read;
3126 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3127 /*
3128 * Re-enter the guest when the pio read-ahead buffer is empty
3129 * or, if it is not used, after every 1024 iterations.
3130 */
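/*
 * Worked example: with no read-ahead in use and RCX == 2048, the
 * restart flag is dropped once RCX decrements to 1024
 * (1024 & 0x3ff == 0), so emulation bursts are bounded at 1024
 * iterations.
 */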
3131 if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
3132 (rc->end != 0 && rc->end == rc->pos))
3133 ctxt->restart = false;
3134 }
3135 /*
3136 * Reset the read cache here in case the string instruction is
3137 * restarted without decoding.
3138 */
3139 ctxt->decode.mem_read.end = 0;
3140 ctxt->eip = c->eip;
3142 done:
3143 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
3145 twobyte_insn:
3146 switch (c->b) {
3147 case 0x01: /* lgdt, lidt, lmsw */
3148 switch (c->modrm_reg) {
3149 u16 size;
3150 unsigned long address;
3152 case 0: /* vmcall */
3153 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3154 goto cannot_emulate;
3156 rc = kvm_fix_hypercall(ctxt->vcpu);
3157 if (rc != X86EMUL_CONTINUE)
3160 /* Let the processor re-execute the fixed hypercall */
3161 c->eip = ctxt->eip;
3162 /* Disable writeback. */
3163 c->dst.type = OP_NONE;
3164 break;
3165 case 2: /* lgdt */
3166 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3167 &size, &address, c->op_bytes);
3168 if (rc != X86EMUL_CONTINUE)
3170 realmode_lgdt(ctxt->vcpu, size, address);
3171 /* Disable writeback. */
3172 c->dst.type = OP_NONE;
3174 case 3: /* lidt/vmmcall */
3175 if (c->modrm_mod == 3) {
3176 switch (c->modrm_rm) {
3177 case 1: /* vmmcall */
3178 rc = kvm_fix_hypercall(ctxt->vcpu);
3179 if (rc != X86EMUL_CONTINUE)
3180 goto done;
3181 break;
3182 default:
3183 goto cannot_emulate;
3184 }
3185 } else {
3186 rc = read_descriptor(ctxt, ops, c->src.addr.mem,
3187 &size, &address,
3188 c->op_bytes);
3189 if (rc != X86EMUL_CONTINUE)
3190 goto done;
3191 realmode_lidt(ctxt->vcpu, size, address);
3192 }
3193 /* Disable writeback. */
3194 c->dst.type = OP_NONE;
3195 break;
3196 case 4: /* smsw */
3197 c->dst.bytes = 2;
3198 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3199 break;
3200 case 6: /* lmsw */
3201 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0eul) |
3202 (c->src.val & 0x0f), ctxt->vcpu);
3203 c->dst.type = OP_NONE;
3205 case 5: /* not defined */
3206 emulate_ud(ctxt);
3207 goto done;
3208 case 7: /* invlpg */
3209 emulate_invlpg(ctxt->vcpu, c->src.addr.mem);
3210 /* Disable writeback. */
3211 c->dst.type = OP_NONE;
3212 break;
3213 default:
3214 goto cannot_emulate;
3215 }
3216 break;
3217 case 0x05: /* syscall */
3218 rc = emulate_syscall(ctxt, ops);
3219 if (rc != X86EMUL_CONTINUE)
3220 goto done;
3221 else
3222 goto writeback;
3223 break;
3224 case 0x06: /* clts */
3225 emulate_clts(ctxt->vcpu);
3226 c->dst.type = OP_NONE;
3228 case 0x09: /* wbinvd */
3229 kvm_emulate_wbinvd(ctxt->vcpu);
3230 c->dst.type = OP_NONE;
3232 case 0x08: /* invd */
3233 case 0x0d: /* GrpP (prefetch) */
3234 case 0x18: /* Grp16 (prefetch/nop) */
3235 c->dst.type = OP_NONE;
3237 case 0x20: /* mov cr, reg */
3238 switch (c->modrm_reg) {
3239 case 1:
3240 case 5 ... 7:
3241 case 9 ... 15:
3242 emulate_ud(ctxt); /* reserved control register numbers */
3243 goto done;
3244 }
3245 c->dst.val = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3247 case 0x21: /* mov from dr to reg */
3248 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3249 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3250 emulate_ud(ctxt);
3251 goto done;
3252 }
3253 ops->get_dr(c->modrm_reg, &c->dst.val, ctxt->vcpu);
3255 case 0x22: /* mov reg, cr */
3256 if (ops->set_cr(c->modrm_reg, c->src.val, ctxt->vcpu)) {
3257 emulate_gp(ctxt, 0);
3258 goto done;
3259 }
3260 c->dst.type = OP_NONE;
3262 case 0x23: /* mov from reg to dr */
3263 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3264 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3265 emulate_ud(ctxt);
3266 goto done;
3267 }
3269 if (ops->set_dr(c->modrm_reg, c->src.val &
3270 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3271 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3272 /* #UD condition is already handled by the code above */
3273 emulate_gp(ctxt, 0);
3274 goto done;
3275 }
3277 c->dst.type = OP_NONE; /* no writeback */
3279 case 0x30: /* wrmsr */
3281 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3282 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
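/*
 * Worked example: RDX:RAX == 0x01234567:0x89abcdef assembles into the
 * 64-bit MSR value 0x0123456789abcdef; rdmsr below performs the
 * reverse split.
 */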
3283 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3284 emulate_gp(ctxt, 0);
3285 goto done;
3286 }
3287 rc = X86EMUL_CONTINUE;
3288 c->dst.type = OP_NONE;
3290 case 0x32: /* rdmsr */
3292 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3293 emulate_gp(ctxt, 0);
3294 goto done;
3295 } else {
3296 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3297 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3298 }
3299 rc = X86EMUL_CONTINUE;
3300 c->dst.type = OP_NONE;
3302 case 0x34: /* sysenter */
3303 rc = emulate_sysenter(ctxt, ops);
3304 if (rc != X86EMUL_CONTINUE)
3305 goto done;
3306 else
3307 goto writeback;
3308 break;
3309 case 0x35: /* sysexit */
3310 rc = emulate_sysexit(ctxt, ops);
3311 if (rc != X86EMUL_CONTINUE)
3312 goto done;
3313 else
3314 goto writeback;
3315 break;
3316 case 0x40 ... 0x4f: /* cmov */
3317 c->dst.val = c->dst.orig_val = c->src.val;
3318 if (!test_cc(c->b, ctxt->eflags))
3319 c->dst.type = OP_NONE; /* no writeback */
3321 case 0x80 ... 0x8f: /* jcc rel (near) */
3322 if (test_cc(c->b, ctxt->eflags))
3323 jmp_rel(c, c->src.val);
3324 c->dst.type = OP_NONE;
3326 case 0xa0: /* push fs */
3327 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3329 case 0xa1: /* pop fs */
3330 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3331 if (rc != X86EMUL_CONTINUE)
3332 goto done;
3333 break;
3334 case 0xa3:
3335 bt: /* bt */
3336 c->dst.type = OP_NONE;
3337 /* only subword offset */
3338 c->src.val &= (c->dst.bytes << 3) - 1;
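/* e.g. for a 32-bit operand, bit offset 100 is masked to 100 & 31 == 4 */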
3339 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3341 case 0xa4: /* shld imm8, r, r/m */
3342 case 0xa5: /* shld cl, r, r/m */
3343 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3345 case 0xa8: /* push gs */
3346 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3348 case 0xa9: /* pop gs */
3349 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3350 if (rc != X86EMUL_CONTINUE)
3351 goto done;
3352 break;
3353 case 0xab:
3354 bts: /* bts */
3355 /* only subword offset */
3356 c->src.val &= (c->dst.bytes << 3) - 1;
3357 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3359 case 0xac: /* shrd imm8, r, r/m */
3360 case 0xad: /* shrd cl, r, r/m */
3361 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3363 case 0xae: /* clflush */
3365 case 0xb0 ... 0xb1: /* cmpxchg */
3366 /*
3367 * Save real source value, then compare EAX against
3368 * destination.
3369 */
3370 c->src.orig_val = c->src.val;
3371 c->src.val = c->regs[VCPU_REGS_RAX];
3372 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3373 if (ctxt->eflags & EFLG_ZF) {
3374 /* Success: write back to memory. */
3375 c->dst.val = c->src.orig_val;
3376 } else {
3377 /* Failure: write the value we saw to EAX. */
3378 c->dst.type = OP_REG;
3379 c->dst.addr.reg = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3380 }
3381 break;
3382 case 0xb3:
3383 btr: /* btr */
3384 /* only subword offset */
3385 c->src.val &= (c->dst.bytes << 3) - 1;
3386 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3388 case 0xb6 ... 0xb7: /* movzx */
3389 c->dst.bytes = c->op_bytes;
3390 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3391 : (u16) c->src.val;
3392 break;
3393 case 0xba: /* Grp8 */
3394 switch (c->modrm_reg & 3) {
3395 case 0:
3396 goto bt;
3397 case 1:
3398 goto bts;
3399 case 2:
3400 goto btr;
3401 case 3:
3402 goto btc;
3403 }
3404 break;
3405 case 0xbb:
3406 btc: /* btc */
3407 /* only subword offset */
3408 c->src.val &= (c->dst.bytes << 3) - 1;
3409 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3411 case 0xbe ... 0xbf: /* movsx */
3412 c->dst.bytes = c->op_bytes;
3413 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3414 (s16) c->src.val;
3415 break;
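/*
 * Example: a source byte 0x80 extends to 0x00000080 under movzx (0xb6)
 * but to 0xffffff80 under movsx (0xbe) with a 32-bit destination.
 */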
3416 case 0xc3: /* movnti */
3417 c->dst.bytes = c->op_bytes;
3418 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3419 (u64) c->src.val;
3420 break;
3421 case 0xc7: /* Grp9 (cmpxchg8b) */
3422 rc = emulate_grp9(ctxt, ops);
3423 if (rc != X86EMUL_CONTINUE)
3426 default:
3427 goto cannot_emulate;
3428 }
3429 goto writeback;
3431 cannot_emulate:
3432 DPRINTF("Cannot emulate %02x\n", c->b);
3433 return -1;
3434 }