1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
23 #include <linux/kvm_host.h>
24 #include "kvm_cache_regs.h"
25 #include <linux/module.h>
26 #include <asm/kvm_emulate.h>
35 #define OpImplicit 1ull /* No generic decode */
36 #define OpReg 2ull /* Register */
37 #define OpMem 3ull /* Memory */
38 #define OpAcc 4ull /* Accumulator: AL/AX/EAX/RAX */
39 #define OpDI 5ull /* ES:DI/EDI/RDI */
40 #define OpMem64 6ull /* Memory, 64-bit */
41 #define OpImmUByte 7ull /* Zero-extended 8-bit immediate */
42 #define OpDX 8ull /* DX register */
43 #define OpCL 9ull /* CL register (for shifts) */
44 #define OpImmByte 10ull /* 8-bit sign extended immediate */
45 #define OpOne 11ull /* Implied 1 */
46 #define OpImm 12ull /* Sign extended up to 32-bit immediate */
47 #define OpMem16 13ull /* Memory operand (16-bit). */
48 #define OpMem32 14ull /* Memory operand (32-bit). */
49 #define OpImmU 15ull /* Immediate operand, zero extended */
50 #define OpSI 16ull /* SI/ESI/RSI */
51 #define OpImmFAddr 17ull /* Immediate far address */
52 #define OpMemFAddr 18ull /* Far address in memory */
53 #define OpImmU16 19ull /* Immediate operand, 16 bits, zero extended */
54 #define OpES 20ull /* ES */
55 #define OpCS 21ull /* CS */
56 #define OpSS 22ull /* SS */
57 #define OpDS 23ull /* DS */
58 #define OpFS 24ull /* FS */
59 #define OpGS 25ull /* GS */
60 #define OpMem8 26ull /* 8-bit zero extended memory operand */
61 #define OpImm64 27ull /* Sign extended 16/32/64-bit immediate */
63 #define OpBits 5 /* Width of operand field */
64 #define OpMask ((1ull << OpBits) - 1)
67 * Opcode effective-address decode tables.
68 * Note that we only emulate instructions that have at least one memory
69 * operand (excluding implicit stack references). We assume that stack
70 * references and instruction fetches will never occur in special memory
71 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
75 /* Operand sizes: 8-bit operands or specified/overridden size. */
76 #define ByteOp (1<<0) /* 8-bit operands. */
77 /* Destination operand type. */
79 #define ImplicitOps (OpImplicit << DstShift)
80 #define DstReg (OpReg << DstShift)
81 #define DstMem (OpMem << DstShift)
82 #define DstAcc (OpAcc << DstShift)
83 #define DstDI (OpDI << DstShift)
84 #define DstMem64 (OpMem64 << DstShift)
85 #define DstImmUByte (OpImmUByte << DstShift)
86 #define DstDX (OpDX << DstShift)
87 #define DstMask (OpMask << DstShift)
88 /* Source operand type. */
90 #define SrcNone (OpNone << SrcShift)
91 #define SrcReg (OpReg << SrcShift)
92 #define SrcMem (OpMem << SrcShift)
93 #define SrcMem16 (OpMem16 << SrcShift)
94 #define SrcMem32 (OpMem32 << SrcShift)
95 #define SrcImm (OpImm << SrcShift)
96 #define SrcImmByte (OpImmByte << SrcShift)
97 #define SrcOne (OpOne << SrcShift)
98 #define SrcImmUByte (OpImmUByte << SrcShift)
99 #define SrcImmU (OpImmU << SrcShift)
100 #define SrcSI (OpSI << SrcShift)
101 #define SrcImmFAddr (OpImmFAddr << SrcShift)
102 #define SrcMemFAddr (OpMemFAddr << SrcShift)
103 #define SrcAcc (OpAcc << SrcShift)
104 #define SrcImmU16 (OpImmU16 << SrcShift)
105 #define SrcImm64 (OpImm64 << SrcShift)
106 #define SrcDX (OpDX << SrcShift)
107 #define SrcMem8 (OpMem8 << SrcShift)
108 #define SrcMask (OpMask << SrcShift)
109 #define BitOp (1<<11)
110 #define MemAbs (1<<12) /* Memory operand is absolute displacement */
111 #define String (1<<13) /* String instruction (rep capable) */
112 #define Stack (1<<14) /* Stack instruction (push/pop) */
113 #define GroupMask (7<<15) /* Opcode uses one of the group mechanisms */
114 #define Group (1<<15) /* Bits 3:5 of modrm byte extend opcode */
115 #define GroupDual (2<<15) /* Alternate decoding of mod == 3 */
116 #define Prefix (3<<15) /* Instruction varies with 66/f2/f3 prefix */
117 #define RMExt (4<<15) /* Opcode extension in ModRM r/m if mod == 3 */
118 #define Sse (1<<18) /* SSE Vector instruction */
119 /* Generic ModRM decode. */
120 #define ModRM (1<<19)
121 /* Destination is only written; never read. */
124 #define Prot (1<<21) /* instruction generates #UD if not in prot-mode */
125 #define VendorSpecific (1<<22) /* Vendor specific instruction */
126 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
127 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
128 #define Undefined (1<<25) /* No Such Instruction */
129 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
130 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
132 #define PageTable (1 << 29) /* instruction used to write page table */
133 /* Source 2 operand type */
134 #define Src2Shift (30)
135 #define Src2None (OpNone << Src2Shift)
136 #define Src2CL (OpCL << Src2Shift)
137 #define Src2ImmByte (OpImmByte << Src2Shift)
138 #define Src2One (OpOne << Src2Shift)
139 #define Src2Imm (OpImm << Src2Shift)
140 #define Src2ES (OpES << Src2Shift)
141 #define Src2CS (OpCS << Src2Shift)
142 #define Src2SS (OpSS << Src2Shift)
143 #define Src2DS (OpDS << Src2Shift)
144 #define Src2FS (OpFS << Src2Shift)
145 #define Src2GS (OpGS << Src2Shift)
146 #define Src2Mask (OpMask << Src2Shift)
147 #define Mmx ((u64)1 << 40) /* MMX Vector instruction */
148 #define Aligned ((u64)1 << 41) /* Explicitly aligned (e.g. MOVDQA) */
149 #define Unaligned ((u64)1 << 42) /* Explicitly unaligned (e.g. MOVDQU) */
150 #define Avx ((u64)1 << 43) /* Advanced Vector Extensions */
152 #define X2(x...) x, x
153 #define X3(x...) X2(x), x
154 #define X4(x...) X2(x), X2(x)
155 #define X5(x...) X4(x), x
156 #define X6(x...) X4(x), X2(x)
157 #define X7(x...) X4(x), X3(x)
158 #define X8(x...) X4(x), X4(x)
159 #define X16(x...) X8(x), X8(x)
165 int (*execute)(struct x86_emulate_ctxt *ctxt);
166 const struct opcode *group;
167 const struct group_dual *gdual;
168 const struct gprefix *gprefix;
170 int (*check_perm)(struct x86_emulate_ctxt *ctxt);
174 struct opcode mod012[8];
175 struct opcode mod3[8];
179 struct opcode pfx_no;
180 struct opcode pfx_66;
181 struct opcode pfx_f2;
182 struct opcode pfx_f3;
185 /* EFLAGS bit definitions. */
186 #define EFLG_ID (1<<21)
187 #define EFLG_VIP (1<<20)
188 #define EFLG_VIF (1<<19)
189 #define EFLG_AC (1<<18)
190 #define EFLG_VM (1<<17)
191 #define EFLG_RF (1<<16)
192 #define EFLG_IOPL (3<<12)
193 #define EFLG_NT (1<<14)
194 #define EFLG_OF (1<<11)
195 #define EFLG_DF (1<<10)
196 #define EFLG_IF (1<<9)
197 #define EFLG_TF (1<<8)
198 #define EFLG_SF (1<<7)
199 #define EFLG_ZF (1<<6)
200 #define EFLG_AF (1<<4)
201 #define EFLG_PF (1<<2)
202 #define EFLG_CF (1<<0)
204 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
205 #define EFLG_RESERVED_ONE_MASK 2
207 static ulong reg_read(struct x86_emulate_ctxt *ctxt, unsigned nr)
209 if (!(ctxt->regs_valid & (1 << nr))) {
210 ctxt->regs_valid |= 1 << nr;
211 ctxt->_regs[nr] = ctxt->ops->read_gpr(ctxt, nr);
213 return ctxt->_regs[nr];
216 static ulong *reg_write(struct x86_emulate_ctxt *ctxt, unsigned nr)
218 ctxt->regs_valid |= 1 << nr;
219 ctxt->regs_dirty |= 1 << nr;
220 return &ctxt->_regs[nr];
223 static ulong *reg_rmw(struct x86_emulate_ctxt *ctxt, unsigned nr)
226 return reg_write(ctxt, nr);
229 static void writeback_registers(struct x86_emulate_ctxt *ctxt)
233 for_each_set_bit(reg, (ulong *)&ctxt->regs_dirty, 16)
234 ctxt->ops->write_gpr(ctxt, reg, ctxt->_regs[reg]);
237 static void invalidate_registers(struct x86_emulate_ctxt *ctxt)
239 ctxt->regs_dirty = 0;
240 ctxt->regs_valid = 0;
244 * Instruction emulation:
245 * Most instructions are emulated directly via a fragment of inline assembly
246 * code. This allows us to save/restore EFLAGS and thus very easily pick up
247 * any modified flags.
250 #if defined(CONFIG_X86_64)
251 #define _LO32 "k" /* force 32-bit operand */
252 #define _STK "%%rsp" /* stack pointer */
253 #elif defined(__i386__)
254 #define _LO32 "" /* force 32-bit operand */
255 #define _STK "%%esp" /* stack pointer */
259 * These EFLAGS bits are restored from saved value during emulation, and
260 * any changes are written back to the saved value after emulation.
262 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
264 /* Before executing instruction: restore necessary bits in EFLAGS. */
265 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
266 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
267 "movl %"_sav",%"_LO32 _tmp"; " \
270 "movl %"_msk",%"_LO32 _tmp"; " \
271 "andl %"_LO32 _tmp",("_STK"); " \
273 "notl %"_LO32 _tmp"; " \
274 "andl %"_LO32 _tmp",("_STK"); " \
275 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
277 "orl %"_LO32 _tmp",("_STK"); " \
281 /* After executing instruction: write-back necessary bits in EFLAGS. */
282 #define _POST_EFLAGS(_sav, _msk, _tmp) \
283 /* _sav |= EFLAGS & _msk; */ \
286 "andl %"_msk",%"_LO32 _tmp"; " \
287 "orl %"_LO32 _tmp",%"_sav"; "
295 #define ____emulate_2op(ctxt, _op, _x, _y, _suffix, _dsttype) \
297 __asm__ __volatile__ ( \
298 _PRE_EFLAGS("0", "4", "2") \
299 _op _suffix " %"_x"3,%1; " \
300 _POST_EFLAGS("0", "4", "2") \
301 : "=m" ((ctxt)->eflags), \
302 "+q" (*(_dsttype*)&(ctxt)->dst.val), \
304 : _y ((ctxt)->src.val), "i" (EFLAGS_MASK)); \
308 /* Raw emulation: instruction has two explicit operands. */
309 #define __emulate_2op_nobyte(ctxt,_op,_wx,_wy,_lx,_ly,_qx,_qy) \
311 unsigned long _tmp; \
313 switch ((ctxt)->dst.bytes) { \
315 ____emulate_2op(ctxt,_op,_wx,_wy,"w",u16); \
318 ____emulate_2op(ctxt,_op,_lx,_ly,"l",u32); \
321 ON64(____emulate_2op(ctxt,_op,_qx,_qy,"q",u64)); \
326 #define __emulate_2op(ctxt,_op,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
328 unsigned long _tmp; \
329 switch ((ctxt)->dst.bytes) { \
331 ____emulate_2op(ctxt,_op,_bx,_by,"b",u8); \
334 __emulate_2op_nobyte(ctxt, _op, \
335 _wx, _wy, _lx, _ly, _qx, _qy); \
340 /* Source operand is byte-sized and may be restricted to just %cl. */
341 #define emulate_2op_SrcB(ctxt, _op) \
342 __emulate_2op(ctxt, _op, "b", "c", "b", "c", "b", "c", "b", "c")
344 /* Source operand is byte, word, long or quad sized. */
345 #define emulate_2op_SrcV(ctxt, _op) \
346 __emulate_2op(ctxt, _op, "b", "q", "w", "r", _LO32, "r", "", "r")
348 /* Source operand is word, long or quad sized. */
349 #define emulate_2op_SrcV_nobyte(ctxt, _op) \
350 __emulate_2op_nobyte(ctxt, _op, "w", "r", _LO32, "r", "", "r")
352 /* Instruction has three operands and one operand is stored in ECX register */
353 #define __emulate_2op_cl(ctxt, _op, _suffix, _type) \
355 unsigned long _tmp; \
356 _type _clv = (ctxt)->src2.val; \
357 _type _srcv = (ctxt)->src.val; \
358 _type _dstv = (ctxt)->dst.val; \
360 __asm__ __volatile__ ( \
361 _PRE_EFLAGS("0", "5", "2") \
362 _op _suffix " %4,%1 \n" \
363 _POST_EFLAGS("0", "5", "2") \
364 : "=m" ((ctxt)->eflags), "+r" (_dstv), "=&r" (_tmp) \
365 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
368 (ctxt)->src2.val = (unsigned long) _clv; \
369 (ctxt)->src2.val = (unsigned long) _srcv; \
370 (ctxt)->dst.val = (unsigned long) _dstv; \
373 #define emulate_2op_cl(ctxt, _op) \
375 switch ((ctxt)->dst.bytes) { \
377 __emulate_2op_cl(ctxt, _op, "w", u16); \
380 __emulate_2op_cl(ctxt, _op, "l", u32); \
383 ON64(__emulate_2op_cl(ctxt, _op, "q", ulong)); \
388 #define __emulate_1op(ctxt, _op, _suffix) \
390 unsigned long _tmp; \
392 __asm__ __volatile__ ( \
393 _PRE_EFLAGS("0", "3", "2") \
394 _op _suffix " %1; " \
395 _POST_EFLAGS("0", "3", "2") \
396 : "=m" ((ctxt)->eflags), "+m" ((ctxt)->dst.val), \
398 : "i" (EFLAGS_MASK)); \
401 /* Instruction has only one explicit operand (no source operand). */
402 #define emulate_1op(ctxt, _op) \
404 switch ((ctxt)->dst.bytes) { \
405 case 1: __emulate_1op(ctxt, _op, "b"); break; \
406 case 2: __emulate_1op(ctxt, _op, "w"); break; \
407 case 4: __emulate_1op(ctxt, _op, "l"); break; \
408 case 8: ON64(__emulate_1op(ctxt, _op, "q")); break; \
412 #define __emulate_1op_rax_rdx(ctxt, _op, _suffix, _ex) \
414 unsigned long _tmp; \
415 ulong *rax = reg_rmw((ctxt), VCPU_REGS_RAX); \
416 ulong *rdx = reg_rmw((ctxt), VCPU_REGS_RDX); \
418 __asm__ __volatile__ ( \
419 _PRE_EFLAGS("0", "5", "1") \
421 _op _suffix " %6; " \
423 _POST_EFLAGS("0", "5", "1") \
424 ".pushsection .fixup,\"ax\" \n\t" \
425 "3: movb $1, %4 \n\t" \
428 _ASM_EXTABLE(1b, 3b) \
429 : "=m" ((ctxt)->eflags), "=&r" (_tmp), \
430 "+a" (*rax), "+d" (*rdx), "+qm"(_ex) \
431 : "i" (EFLAGS_MASK), "m" ((ctxt)->src.val)); \
434 /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
435 #define emulate_1op_rax_rdx(ctxt, _op, _ex) \
437 switch((ctxt)->src.bytes) { \
439 __emulate_1op_rax_rdx(ctxt, _op, "b", _ex); \
442 __emulate_1op_rax_rdx(ctxt, _op, "w", _ex); \
445 __emulate_1op_rax_rdx(ctxt, _op, "l", _ex); \
448 __emulate_1op_rax_rdx(ctxt, _op, "q", _ex)); \
453 static int emulator_check_intercept(struct x86_emulate_ctxt *ctxt,
454 enum x86_intercept intercept,
455 enum x86_intercept_stage stage)
457 struct x86_instruction_info info = {
458 .intercept = intercept,
459 .rep_prefix = ctxt->rep_prefix,
460 .modrm_mod = ctxt->modrm_mod,
461 .modrm_reg = ctxt->modrm_reg,
462 .modrm_rm = ctxt->modrm_rm,
463 .src_val = ctxt->src.val64,
464 .src_bytes = ctxt->src.bytes,
465 .dst_bytes = ctxt->dst.bytes,
466 .ad_bytes = ctxt->ad_bytes,
467 .next_rip = ctxt->eip,
470 return ctxt->ops->intercept(ctxt, &info, stage);
473 static void assign_masked(ulong *dest, ulong src, ulong mask)
475 *dest = (*dest & ~mask) | (src & mask);
478 static inline unsigned long ad_mask(struct x86_emulate_ctxt *ctxt)
480 return (1UL << (ctxt->ad_bytes << 3)) - 1;
483 static ulong stack_mask(struct x86_emulate_ctxt *ctxt)
486 struct desc_struct ss;
488 if (ctxt->mode == X86EMUL_MODE_PROT64)
490 ctxt->ops->get_segment(ctxt, &sel, &ss, NULL, VCPU_SREG_SS);
491 return ~0U >> ((ss.d ^ 1) * 16); /* d=0: 0xffff; d=1: 0xffffffff */
494 static int stack_size(struct x86_emulate_ctxt *ctxt)
496 return (__fls(stack_mask(ctxt)) + 1) >> 3;
499 /* Access/update address held in a register, based on addressing mode. */
500 static inline unsigned long
501 address_mask(struct x86_emulate_ctxt *ctxt, unsigned long reg)
503 if (ctxt->ad_bytes == sizeof(unsigned long))
506 return reg & ad_mask(ctxt);
509 static inline unsigned long
510 register_address(struct x86_emulate_ctxt *ctxt, unsigned long reg)
512 return address_mask(ctxt, reg);
515 static void masked_increment(ulong *reg, ulong mask, int inc)
517 assign_masked(reg, *reg + inc, mask);
521 register_address_increment(struct x86_emulate_ctxt *ctxt, unsigned long *reg, int inc)
525 if (ctxt->ad_bytes == sizeof(unsigned long))
528 mask = ad_mask(ctxt);
529 masked_increment(reg, mask, inc);
532 static void rsp_increment(struct x86_emulate_ctxt *ctxt, int inc)
534 masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc);
537 static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
539 register_address_increment(ctxt, &ctxt->_eip, rel);
542 static u32 desc_limit_scaled(struct desc_struct *desc)
544 u32 limit = get_desc_limit(desc);
546 return desc->g ? (limit << 12) | 0xfff : limit;
549 static void set_seg_override(struct x86_emulate_ctxt *ctxt, int seg)
551 ctxt->has_seg_override = true;
552 ctxt->seg_override = seg;
555 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
557 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
560 return ctxt->ops->get_cached_segment_base(ctxt, seg);
563 static unsigned seg_override(struct x86_emulate_ctxt *ctxt)
565 if (!ctxt->has_seg_override)
568 return ctxt->seg_override;
571 static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
572 u32 error, bool valid)
574 ctxt->exception.vector = vec;
575 ctxt->exception.error_code = error;
576 ctxt->exception.error_code_valid = valid;
577 return X86EMUL_PROPAGATE_FAULT;
580 static int emulate_db(struct x86_emulate_ctxt *ctxt)
582 return emulate_exception(ctxt, DB_VECTOR, 0, false);
585 static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
587 return emulate_exception(ctxt, GP_VECTOR, err, true);
590 static int emulate_ss(struct x86_emulate_ctxt *ctxt, int err)
592 return emulate_exception(ctxt, SS_VECTOR, err, true);
595 static int emulate_ud(struct x86_emulate_ctxt *ctxt)
597 return emulate_exception(ctxt, UD_VECTOR, 0, false);
600 static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
602 return emulate_exception(ctxt, TS_VECTOR, err, true);
605 static int emulate_de(struct x86_emulate_ctxt *ctxt)
607 return emulate_exception(ctxt, DE_VECTOR, 0, false);
610 static int emulate_nm(struct x86_emulate_ctxt *ctxt)
612 return emulate_exception(ctxt, NM_VECTOR, 0, false);
615 static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
618 struct desc_struct desc;
620 ctxt->ops->get_segment(ctxt, &selector, &desc, NULL, seg);
624 static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
629 struct desc_struct desc;
631 ctxt->ops->get_segment(ctxt, &dummy, &desc, &base3, seg);
632 ctxt->ops->set_segment(ctxt, selector, &desc, base3, seg);
636 * x86 defines three classes of vector instructions: explicitly
637 * aligned, explicitly unaligned, and the rest, which change behaviour
638 * depending on whether they're AVX encoded or not.
640 * Also included is CMPXCHG16B which is not a vector instruction, yet it is
641 * subject to the same check.
643 static bool insn_aligned(struct x86_emulate_ctxt *ctxt, unsigned size)
645 if (likely(size < 16))
648 if (ctxt->d & Aligned)
650 else if (ctxt->d & Unaligned)
652 else if (ctxt->d & Avx)
658 static int __linearize(struct x86_emulate_ctxt *ctxt,
659 struct segmented_address addr,
660 unsigned size, bool write, bool fetch,
663 struct desc_struct desc;
670 la = seg_base(ctxt, addr.seg) + addr.ea;
671 switch (ctxt->mode) {
672 case X86EMUL_MODE_PROT64:
673 if (((signed long)la << 16) >> 16 != la)
674 return emulate_gp(ctxt, 0);
677 usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
681 /* code segment in protected mode or read-only data segment */
682 if ((((ctxt->mode != X86EMUL_MODE_REAL) && (desc.type & 8))
683 || !(desc.type & 2)) && write)
685 /* unreadable code segment */
686 if (!fetch && (desc.type & 8) && !(desc.type & 2))
688 lim = desc_limit_scaled(&desc);
689 if ((desc.type & 8) || !(desc.type & 4)) {
690 /* expand-up segment */
691 if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
694 /* expand-down segment */
695 if (addr.ea <= lim || (u32)(addr.ea + size - 1) <= lim)
697 lim = desc.d ? 0xffffffff : 0xffff;
698 if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
701 cpl = ctxt->ops->cpl(ctxt);
702 if (!(desc.type & 8)) {
706 } else if ((desc.type & 8) && !(desc.type & 4)) {
707 /* nonconforming code segment */
710 } else if ((desc.type & 8) && (desc.type & 4)) {
711 /* conforming code segment */
717 if (fetch ? ctxt->mode != X86EMUL_MODE_PROT64 : ctxt->ad_bytes != 8)
719 if (insn_aligned(ctxt, size) && ((la & (size - 1)) != 0))
720 return emulate_gp(ctxt, 0);
722 return X86EMUL_CONTINUE;
724 if (addr.seg == VCPU_SREG_SS)
725 return emulate_ss(ctxt, sel);
727 return emulate_gp(ctxt, sel);
730 static int linearize(struct x86_emulate_ctxt *ctxt,
731 struct segmented_address addr,
732 unsigned size, bool write,
735 return __linearize(ctxt, addr, size, write, false, linear);
739 static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
740 struct segmented_address addr,
747 rc = linearize(ctxt, addr, size, false, &linear);
748 if (rc != X86EMUL_CONTINUE)
750 return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
754 * Fetch the next byte of the instruction being emulated which is pointed to
755 * by ctxt->_eip, then increment ctxt->_eip.
757 * Also prefetch the remaining bytes of the instruction without crossing page
758 * boundary if they are not in fetch_cache yet.
760 static int do_insn_fetch_byte(struct x86_emulate_ctxt *ctxt, u8 *dest)
762 struct fetch_cache *fc = &ctxt->fetch;
766 if (ctxt->_eip == fc->end) {
767 unsigned long linear;
768 struct segmented_address addr = { .seg = VCPU_SREG_CS,
770 cur_size = fc->end - fc->start;
771 size = min(15UL - cur_size,
772 PAGE_SIZE - offset_in_page(ctxt->_eip));
773 rc = __linearize(ctxt, addr, size, false, true, &linear);
774 if (unlikely(rc != X86EMUL_CONTINUE))
776 rc = ctxt->ops->fetch(ctxt, linear, fc->data + cur_size,
777 size, &ctxt->exception);
778 if (unlikely(rc != X86EMUL_CONTINUE))
782 *dest = fc->data[ctxt->_eip - fc->start];
784 return X86EMUL_CONTINUE;
787 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
788 void *dest, unsigned size)
792 /* x86 instructions are limited to 15 bytes. */
793 if (unlikely(ctxt->_eip + size - ctxt->eip > 15))
794 return X86EMUL_UNHANDLEABLE;
796 rc = do_insn_fetch_byte(ctxt, dest++);
797 if (rc != X86EMUL_CONTINUE)
800 return X86EMUL_CONTINUE;
803 /* Fetch next part of the instruction being emulated. */
804 #define insn_fetch(_type, _ctxt) \
805 ({ unsigned long _x; \
806 rc = do_insn_fetch(_ctxt, &_x, sizeof(_type)); \
807 if (rc != X86EMUL_CONTINUE) \
812 #define insn_fetch_arr(_arr, _size, _ctxt) \
813 ({ rc = do_insn_fetch(_ctxt, _arr, (_size)); \
814 if (rc != X86EMUL_CONTINUE) \
819 * Given the 'reg' portion of a ModRM byte, and a register block, return a
820 * pointer into the block that addresses the relevant register.
821 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
823 static void *decode_register(struct x86_emulate_ctxt *ctxt, u8 modrm_reg,
828 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
829 p = (unsigned char *)reg_rmw(ctxt, modrm_reg & 3) + 1;
831 p = reg_rmw(ctxt, modrm_reg);
835 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
836 struct segmented_address addr,
837 u16 *size, unsigned long *address, int op_bytes)
844 rc = segmented_read_std(ctxt, addr, size, 2);
845 if (rc != X86EMUL_CONTINUE)
848 rc = segmented_read_std(ctxt, addr, address, op_bytes);
852 static int test_cc(unsigned int condition, unsigned int flags)
856 switch ((condition & 15) >> 1) {
858 rc |= (flags & EFLG_OF);
860 case 1: /* b/c/nae */
861 rc |= (flags & EFLG_CF);
864 rc |= (flags & EFLG_ZF);
867 rc |= (flags & (EFLG_CF|EFLG_ZF));
870 rc |= (flags & EFLG_SF);
873 rc |= (flags & EFLG_PF);
876 rc |= (flags & EFLG_ZF);
879 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
883 /* Odd condition identifiers (lsb == 1) have inverted sense. */
884 return (!!rc ^ (condition & 1));
887 static void fetch_register_operand(struct operand *op)
891 op->val = *(u8 *)op->addr.reg;
894 op->val = *(u16 *)op->addr.reg;
897 op->val = *(u32 *)op->addr.reg;
900 op->val = *(u64 *)op->addr.reg;
905 static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
907 ctxt->ops->get_fpu(ctxt);
909 case 0: asm("movdqa %%xmm0, %0" : "=m"(*data)); break;
910 case 1: asm("movdqa %%xmm1, %0" : "=m"(*data)); break;
911 case 2: asm("movdqa %%xmm2, %0" : "=m"(*data)); break;
912 case 3: asm("movdqa %%xmm3, %0" : "=m"(*data)); break;
913 case 4: asm("movdqa %%xmm4, %0" : "=m"(*data)); break;
914 case 5: asm("movdqa %%xmm5, %0" : "=m"(*data)); break;
915 case 6: asm("movdqa %%xmm6, %0" : "=m"(*data)); break;
916 case 7: asm("movdqa %%xmm7, %0" : "=m"(*data)); break;
918 case 8: asm("movdqa %%xmm8, %0" : "=m"(*data)); break;
919 case 9: asm("movdqa %%xmm9, %0" : "=m"(*data)); break;
920 case 10: asm("movdqa %%xmm10, %0" : "=m"(*data)); break;
921 case 11: asm("movdqa %%xmm11, %0" : "=m"(*data)); break;
922 case 12: asm("movdqa %%xmm12, %0" : "=m"(*data)); break;
923 case 13: asm("movdqa %%xmm13, %0" : "=m"(*data)); break;
924 case 14: asm("movdqa %%xmm14, %0" : "=m"(*data)); break;
925 case 15: asm("movdqa %%xmm15, %0" : "=m"(*data)); break;
929 ctxt->ops->put_fpu(ctxt);
932 static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
935 ctxt->ops->get_fpu(ctxt);
937 case 0: asm("movdqa %0, %%xmm0" : : "m"(*data)); break;
938 case 1: asm("movdqa %0, %%xmm1" : : "m"(*data)); break;
939 case 2: asm("movdqa %0, %%xmm2" : : "m"(*data)); break;
940 case 3: asm("movdqa %0, %%xmm3" : : "m"(*data)); break;
941 case 4: asm("movdqa %0, %%xmm4" : : "m"(*data)); break;
942 case 5: asm("movdqa %0, %%xmm5" : : "m"(*data)); break;
943 case 6: asm("movdqa %0, %%xmm6" : : "m"(*data)); break;
944 case 7: asm("movdqa %0, %%xmm7" : : "m"(*data)); break;
946 case 8: asm("movdqa %0, %%xmm8" : : "m"(*data)); break;
947 case 9: asm("movdqa %0, %%xmm9" : : "m"(*data)); break;
948 case 10: asm("movdqa %0, %%xmm10" : : "m"(*data)); break;
949 case 11: asm("movdqa %0, %%xmm11" : : "m"(*data)); break;
950 case 12: asm("movdqa %0, %%xmm12" : : "m"(*data)); break;
951 case 13: asm("movdqa %0, %%xmm13" : : "m"(*data)); break;
952 case 14: asm("movdqa %0, %%xmm14" : : "m"(*data)); break;
953 case 15: asm("movdqa %0, %%xmm15" : : "m"(*data)); break;
957 ctxt->ops->put_fpu(ctxt);
960 static void read_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
962 ctxt->ops->get_fpu(ctxt);
964 case 0: asm("movq %%mm0, %0" : "=m"(*data)); break;
965 case 1: asm("movq %%mm1, %0" : "=m"(*data)); break;
966 case 2: asm("movq %%mm2, %0" : "=m"(*data)); break;
967 case 3: asm("movq %%mm3, %0" : "=m"(*data)); break;
968 case 4: asm("movq %%mm4, %0" : "=m"(*data)); break;
969 case 5: asm("movq %%mm5, %0" : "=m"(*data)); break;
970 case 6: asm("movq %%mm6, %0" : "=m"(*data)); break;
971 case 7: asm("movq %%mm7, %0" : "=m"(*data)); break;
974 ctxt->ops->put_fpu(ctxt);
977 static void write_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
979 ctxt->ops->get_fpu(ctxt);
981 case 0: asm("movq %0, %%mm0" : : "m"(*data)); break;
982 case 1: asm("movq %0, %%mm1" : : "m"(*data)); break;
983 case 2: asm("movq %0, %%mm2" : : "m"(*data)); break;
984 case 3: asm("movq %0, %%mm3" : : "m"(*data)); break;
985 case 4: asm("movq %0, %%mm4" : : "m"(*data)); break;
986 case 5: asm("movq %0, %%mm5" : : "m"(*data)); break;
987 case 6: asm("movq %0, %%mm6" : : "m"(*data)); break;
988 case 7: asm("movq %0, %%mm7" : : "m"(*data)); break;
991 ctxt->ops->put_fpu(ctxt);
994 static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
997 unsigned reg = ctxt->modrm_reg;
998 int highbyte_regs = ctxt->rex_prefix == 0;
1000 if (!(ctxt->d & ModRM))
1001 reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3);
1003 if (ctxt->d & Sse) {
1007 read_sse_reg(ctxt, &op->vec_val, reg);
1010 if (ctxt->d & Mmx) {
1019 if (ctxt->d & ByteOp) {
1020 op->addr.reg = decode_register(ctxt, reg, highbyte_regs);
1023 op->addr.reg = decode_register(ctxt, reg, 0);
1024 op->bytes = ctxt->op_bytes;
1026 fetch_register_operand(op);
1027 op->orig_val = op->val;
1030 static void adjust_modrm_seg(struct x86_emulate_ctxt *ctxt, int base_reg)
1032 if (base_reg == VCPU_REGS_RSP || base_reg == VCPU_REGS_RBP)
1033 ctxt->modrm_seg = VCPU_SREG_SS;
1036 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
1040 int index_reg = 0, base_reg = 0, scale;
1041 int rc = X86EMUL_CONTINUE;
1044 if (ctxt->rex_prefix) {
1045 ctxt->modrm_reg = (ctxt->rex_prefix & 4) << 1; /* REX.R */
1046 index_reg = (ctxt->rex_prefix & 2) << 2; /* REX.X */
1047 ctxt->modrm_rm = base_reg = (ctxt->rex_prefix & 1) << 3; /* REG.B */
1050 ctxt->modrm_mod |= (ctxt->modrm & 0xc0) >> 6;
1051 ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
1052 ctxt->modrm_rm |= (ctxt->modrm & 0x07);
1053 ctxt->modrm_seg = VCPU_SREG_DS;
1055 if (ctxt->modrm_mod == 3) {
1057 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1058 op->addr.reg = decode_register(ctxt, ctxt->modrm_rm, ctxt->d & ByteOp);
1059 if (ctxt->d & Sse) {
1062 op->addr.xmm = ctxt->modrm_rm;
1063 read_sse_reg(ctxt, &op->vec_val, ctxt->modrm_rm);
1066 if (ctxt->d & Mmx) {
1069 op->addr.xmm = ctxt->modrm_rm & 7;
1072 fetch_register_operand(op);
1078 if (ctxt->ad_bytes == 2) {
1079 unsigned bx = reg_read(ctxt, VCPU_REGS_RBX);
1080 unsigned bp = reg_read(ctxt, VCPU_REGS_RBP);
1081 unsigned si = reg_read(ctxt, VCPU_REGS_RSI);
1082 unsigned di = reg_read(ctxt, VCPU_REGS_RDI);
1084 /* 16-bit ModR/M decode. */
1085 switch (ctxt->modrm_mod) {
1087 if (ctxt->modrm_rm == 6)
1088 modrm_ea += insn_fetch(u16, ctxt);
1091 modrm_ea += insn_fetch(s8, ctxt);
1094 modrm_ea += insn_fetch(u16, ctxt);
1097 switch (ctxt->modrm_rm) {
1099 modrm_ea += bx + si;
1102 modrm_ea += bx + di;
1105 modrm_ea += bp + si;
1108 modrm_ea += bp + di;
1117 if (ctxt->modrm_mod != 0)
1124 if (ctxt->modrm_rm == 2 || ctxt->modrm_rm == 3 ||
1125 (ctxt->modrm_rm == 6 && ctxt->modrm_mod != 0))
1126 ctxt->modrm_seg = VCPU_SREG_SS;
1127 modrm_ea = (u16)modrm_ea;
1129 /* 32/64-bit ModR/M decode. */
1130 if ((ctxt->modrm_rm & 7) == 4) {
1131 sib = insn_fetch(u8, ctxt);
1132 index_reg |= (sib >> 3) & 7;
1133 base_reg |= sib & 7;
1136 if ((base_reg & 7) == 5 && ctxt->modrm_mod == 0)
1137 modrm_ea += insn_fetch(s32, ctxt);
1139 modrm_ea += reg_read(ctxt, base_reg);
1140 adjust_modrm_seg(ctxt, base_reg);
1143 modrm_ea += reg_read(ctxt, index_reg) << scale;
1144 } else if ((ctxt->modrm_rm & 7) == 5 && ctxt->modrm_mod == 0) {
1145 if (ctxt->mode == X86EMUL_MODE_PROT64)
1146 ctxt->rip_relative = 1;
1148 base_reg = ctxt->modrm_rm;
1149 modrm_ea += reg_read(ctxt, base_reg);
1150 adjust_modrm_seg(ctxt, base_reg);
1152 switch (ctxt->modrm_mod) {
1154 if (ctxt->modrm_rm == 5)
1155 modrm_ea += insn_fetch(s32, ctxt);
1158 modrm_ea += insn_fetch(s8, ctxt);
1161 modrm_ea += insn_fetch(s32, ctxt);
1165 op->addr.mem.ea = modrm_ea;
1170 static int decode_abs(struct x86_emulate_ctxt *ctxt,
1173 int rc = X86EMUL_CONTINUE;
1176 switch (ctxt->ad_bytes) {
1178 op->addr.mem.ea = insn_fetch(u16, ctxt);
1181 op->addr.mem.ea = insn_fetch(u32, ctxt);
1184 op->addr.mem.ea = insn_fetch(u64, ctxt);
1191 static void fetch_bit_operand(struct x86_emulate_ctxt *ctxt)
1195 if (ctxt->dst.type == OP_MEM && ctxt->src.type == OP_REG) {
1196 mask = ~(ctxt->dst.bytes * 8 - 1);
1198 if (ctxt->src.bytes == 2)
1199 sv = (s16)ctxt->src.val & (s16)mask;
1200 else if (ctxt->src.bytes == 4)
1201 sv = (s32)ctxt->src.val & (s32)mask;
1203 ctxt->dst.addr.mem.ea += (sv >> 3);
1206 /* only subword offset */
1207 ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
1210 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1211 unsigned long addr, void *dest, unsigned size)
1214 struct read_cache *mc = &ctxt->mem_read;
1216 if (mc->pos < mc->end)
1219 WARN_ON((mc->end + size) >= sizeof(mc->data));
1221 rc = ctxt->ops->read_emulated(ctxt, addr, mc->data + mc->end, size,
1223 if (rc != X86EMUL_CONTINUE)
1229 memcpy(dest, mc->data + mc->pos, size);
1231 return X86EMUL_CONTINUE;
1234 static int segmented_read(struct x86_emulate_ctxt *ctxt,
1235 struct segmented_address addr,
1242 rc = linearize(ctxt, addr, size, false, &linear);
1243 if (rc != X86EMUL_CONTINUE)
1245 return read_emulated(ctxt, linear, data, size);
1248 static int segmented_write(struct x86_emulate_ctxt *ctxt,
1249 struct segmented_address addr,
1256 rc = linearize(ctxt, addr, size, true, &linear);
1257 if (rc != X86EMUL_CONTINUE)
1259 return ctxt->ops->write_emulated(ctxt, linear, data, size,
1263 static int segmented_cmpxchg(struct x86_emulate_ctxt *ctxt,
1264 struct segmented_address addr,
1265 const void *orig_data, const void *data,
1271 rc = linearize(ctxt, addr, size, true, &linear);
1272 if (rc != X86EMUL_CONTINUE)
1274 return ctxt->ops->cmpxchg_emulated(ctxt, linear, orig_data, data,
1275 size, &ctxt->exception);
1278 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1279 unsigned int size, unsigned short port,
1282 struct read_cache *rc = &ctxt->io_read;
1284 if (rc->pos == rc->end) { /* refill pio read ahead */
1285 unsigned int in_page, n;
1286 unsigned int count = ctxt->rep_prefix ?
1287 address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) : 1;
1288 in_page = (ctxt->eflags & EFLG_DF) ?
1289 offset_in_page(reg_read(ctxt, VCPU_REGS_RDI)) :
1290 PAGE_SIZE - offset_in_page(reg_read(ctxt, VCPU_REGS_RDI));
1291 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
1295 rc->pos = rc->end = 0;
1296 if (!ctxt->ops->pio_in_emulated(ctxt, size, port, rc->data, n))
1301 if (ctxt->rep_prefix && !(ctxt->eflags & EFLG_DF)) {
1302 ctxt->dst.data = rc->data + rc->pos;
1303 ctxt->dst.type = OP_MEM_STR;
1304 ctxt->dst.count = (rc->end - rc->pos) / size;
1307 memcpy(dest, rc->data + rc->pos, size);
1313 static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt,
1314 u16 index, struct desc_struct *desc)
1319 ctxt->ops->get_idt(ctxt, &dt);
1321 if (dt.size < index * 8 + 7)
1322 return emulate_gp(ctxt, index << 3 | 0x2);
1324 addr = dt.address + index * 8;
1325 return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
1329 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1330 u16 selector, struct desc_ptr *dt)
1332 const struct x86_emulate_ops *ops = ctxt->ops;
1334 if (selector & 1 << 2) {
1335 struct desc_struct desc;
1338 memset (dt, 0, sizeof *dt);
1339 if (!ops->get_segment(ctxt, &sel, &desc, NULL, VCPU_SREG_LDTR))
1342 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1343 dt->address = get_desc_base(&desc);
1345 ops->get_gdt(ctxt, dt);
1348 /* allowed just for 8 bytes segments */
1349 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1350 u16 selector, struct desc_struct *desc,
1354 u16 index = selector >> 3;
1357 get_descriptor_table_ptr(ctxt, selector, &dt);
1359 if (dt.size < index * 8 + 7)
1360 return emulate_gp(ctxt, selector & 0xfffc);
1362 *desc_addr_p = addr = dt.address + index * 8;
1363 return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
1367 /* allowed just for 8 bytes segments */
1368 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1369 u16 selector, struct desc_struct *desc)
1372 u16 index = selector >> 3;
1375 get_descriptor_table_ptr(ctxt, selector, &dt);
1377 if (dt.size < index * 8 + 7)
1378 return emulate_gp(ctxt, selector & 0xfffc);
1380 addr = dt.address + index * 8;
1381 return ctxt->ops->write_std(ctxt, addr, desc, sizeof *desc,
1385 /* Does not support long mode */
1386 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1387 u16 selector, int seg)
1389 struct desc_struct seg_desc, old_desc;
1391 unsigned err_vec = GP_VECTOR;
1393 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1398 memset(&seg_desc, 0, sizeof seg_desc);
1400 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1401 || ctxt->mode == X86EMUL_MODE_REAL) {
1402 /* set real mode segment descriptor */
1403 ctxt->ops->get_segment(ctxt, &dummy, &seg_desc, NULL, seg);
1404 set_desc_base(&seg_desc, selector << 4);
1409 cpl = ctxt->ops->cpl(ctxt);
1411 /* NULL selector is not valid for TR, CS and SS (except for long mode) */
1412 if ((seg == VCPU_SREG_CS
1413 || (seg == VCPU_SREG_SS
1414 && (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl))
1415 || seg == VCPU_SREG_TR)
1419 /* TR should be in GDT only */
1420 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1423 if (null_selector) /* for NULL selector skip all following checks */
1426 ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr);
1427 if (ret != X86EMUL_CONTINUE)
1430 err_code = selector & 0xfffc;
1431 err_vec = GP_VECTOR;
1433 /* can't load system descriptor into segment selector */
1434 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1438 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1447 * segment is not a writable data segment or segment
1448 * selector's RPL != CPL or segment selector's RPL != CPL
1450 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1454 if (!(seg_desc.type & 8))
1457 if (seg_desc.type & 4) {
1463 if (rpl > cpl || dpl != cpl)
1466 /* CS(RPL) <- CPL */
1467 selector = (selector & 0xfffc) | cpl;
1470 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1472 old_desc = seg_desc;
1473 seg_desc.type |= 2; /* busy */
1474 ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
1475 sizeof(seg_desc), &ctxt->exception);
1476 if (ret != X86EMUL_CONTINUE)
1479 case VCPU_SREG_LDTR:
1480 if (seg_desc.s || seg_desc.type != 2)
1483 default: /* DS, ES, FS, or GS */
1485 * segment is not a data or readable code segment or
1486 * ((segment is a data or nonconforming code segment)
1487 * and (both RPL and CPL > DPL))
1489 if ((seg_desc.type & 0xa) == 0x8 ||
1490 (((seg_desc.type & 0xc) != 0xc) &&
1491 (rpl > dpl && cpl > dpl)))
1497 /* mark segment as accessed */
1499 ret = write_segment_descriptor(ctxt, selector, &seg_desc);
1500 if (ret != X86EMUL_CONTINUE)
1504 ctxt->ops->set_segment(ctxt, selector, &seg_desc, 0, seg);
1505 return X86EMUL_CONTINUE;
1507 emulate_exception(ctxt, err_vec, err_code, true);
1508 return X86EMUL_PROPAGATE_FAULT;
1511 static void write_register_operand(struct operand *op)
1513 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1514 switch (op->bytes) {
1516 *(u8 *)op->addr.reg = (u8)op->val;
1519 *(u16 *)op->addr.reg = (u16)op->val;
1522 *op->addr.reg = (u32)op->val;
1523 break; /* 64b: zero-extend */
1525 *op->addr.reg = op->val;
1530 static int writeback(struct x86_emulate_ctxt *ctxt)
1534 switch (ctxt->dst.type) {
1536 write_register_operand(&ctxt->dst);
1539 if (ctxt->lock_prefix)
1540 rc = segmented_cmpxchg(ctxt,
1542 &ctxt->dst.orig_val,
1546 rc = segmented_write(ctxt,
1550 if (rc != X86EMUL_CONTINUE)
1554 rc = segmented_write(ctxt,
1557 ctxt->dst.bytes * ctxt->dst.count);
1558 if (rc != X86EMUL_CONTINUE)
1562 write_sse_reg(ctxt, &ctxt->dst.vec_val, ctxt->dst.addr.xmm);
1565 write_mmx_reg(ctxt, &ctxt->dst.mm_val, ctxt->dst.addr.mm);
1573 return X86EMUL_CONTINUE;
1576 static int push(struct x86_emulate_ctxt *ctxt, void *data, int bytes)
1578 struct segmented_address addr;
1580 rsp_increment(ctxt, -bytes);
1581 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1582 addr.seg = VCPU_SREG_SS;
1584 return segmented_write(ctxt, addr, data, bytes);
1587 static int em_push(struct x86_emulate_ctxt *ctxt)
1589 /* Disable writeback. */
1590 ctxt->dst.type = OP_NONE;
1591 return push(ctxt, &ctxt->src.val, ctxt->op_bytes);
1594 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1595 void *dest, int len)
1598 struct segmented_address addr;
1600 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1601 addr.seg = VCPU_SREG_SS;
1602 rc = segmented_read(ctxt, addr, dest, len);
1603 if (rc != X86EMUL_CONTINUE)
1606 rsp_increment(ctxt, len);
1610 static int em_pop(struct x86_emulate_ctxt *ctxt)
1612 return emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1615 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1616 void *dest, int len)
1619 unsigned long val, change_mask;
1620 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1621 int cpl = ctxt->ops->cpl(ctxt);
1623 rc = emulate_pop(ctxt, &val, len);
1624 if (rc != X86EMUL_CONTINUE)
1627 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1628 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1630 switch(ctxt->mode) {
1631 case X86EMUL_MODE_PROT64:
1632 case X86EMUL_MODE_PROT32:
1633 case X86EMUL_MODE_PROT16:
1635 change_mask |= EFLG_IOPL;
1637 change_mask |= EFLG_IF;
1639 case X86EMUL_MODE_VM86:
1641 return emulate_gp(ctxt, 0);
1642 change_mask |= EFLG_IF;
1644 default: /* real mode */
1645 change_mask |= (EFLG_IOPL | EFLG_IF);
1649 *(unsigned long *)dest =
1650 (ctxt->eflags & ~change_mask) | (val & change_mask);
1655 static int em_popf(struct x86_emulate_ctxt *ctxt)
1657 ctxt->dst.type = OP_REG;
1658 ctxt->dst.addr.reg = &ctxt->eflags;
1659 ctxt->dst.bytes = ctxt->op_bytes;
1660 return emulate_popf(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1663 static int em_enter(struct x86_emulate_ctxt *ctxt)
1666 unsigned frame_size = ctxt->src.val;
1667 unsigned nesting_level = ctxt->src2.val & 31;
1671 return X86EMUL_UNHANDLEABLE;
1673 rbp = reg_read(ctxt, VCPU_REGS_RBP);
1674 rc = push(ctxt, &rbp, stack_size(ctxt));
1675 if (rc != X86EMUL_CONTINUE)
1677 assign_masked(reg_rmw(ctxt, VCPU_REGS_RBP), reg_read(ctxt, VCPU_REGS_RSP),
1679 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP),
1680 reg_read(ctxt, VCPU_REGS_RSP) - frame_size,
1682 return X86EMUL_CONTINUE;
1685 static int em_leave(struct x86_emulate_ctxt *ctxt)
1687 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP), reg_read(ctxt, VCPU_REGS_RBP),
1689 return emulate_pop(ctxt, reg_rmw(ctxt, VCPU_REGS_RBP), ctxt->op_bytes);
1692 static int em_push_sreg(struct x86_emulate_ctxt *ctxt)
1694 int seg = ctxt->src2.val;
1696 ctxt->src.val = get_segment_selector(ctxt, seg);
1698 return em_push(ctxt);
1701 static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
1703 int seg = ctxt->src2.val;
1704 unsigned long selector;
1707 rc = emulate_pop(ctxt, &selector, ctxt->op_bytes);
1708 if (rc != X86EMUL_CONTINUE)
1711 rc = load_segment_descriptor(ctxt, (u16)selector, seg);
1715 static int em_pusha(struct x86_emulate_ctxt *ctxt)
1717 unsigned long old_esp = reg_read(ctxt, VCPU_REGS_RSP);
1718 int rc = X86EMUL_CONTINUE;
1719 int reg = VCPU_REGS_RAX;
1721 while (reg <= VCPU_REGS_RDI) {
1722 (reg == VCPU_REGS_RSP) ?
1723 (ctxt->src.val = old_esp) : (ctxt->src.val = reg_read(ctxt, reg));
1726 if (rc != X86EMUL_CONTINUE)
1735 static int em_pushf(struct x86_emulate_ctxt *ctxt)
1737 ctxt->src.val = (unsigned long)ctxt->eflags;
1738 return em_push(ctxt);
1741 static int em_popa(struct x86_emulate_ctxt *ctxt)
1743 int rc = X86EMUL_CONTINUE;
1744 int reg = VCPU_REGS_RDI;
1746 while (reg >= VCPU_REGS_RAX) {
1747 if (reg == VCPU_REGS_RSP) {
1748 rsp_increment(ctxt, ctxt->op_bytes);
1752 rc = emulate_pop(ctxt, reg_rmw(ctxt, reg), ctxt->op_bytes);
1753 if (rc != X86EMUL_CONTINUE)
1760 static int __emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
1762 const struct x86_emulate_ops *ops = ctxt->ops;
1769 /* TODO: Add limit checks */
1770 ctxt->src.val = ctxt->eflags;
1772 if (rc != X86EMUL_CONTINUE)
1775 ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
1777 ctxt->src.val = get_segment_selector(ctxt, VCPU_SREG_CS);
1779 if (rc != X86EMUL_CONTINUE)
1782 ctxt->src.val = ctxt->_eip;
1784 if (rc != X86EMUL_CONTINUE)
1787 ops->get_idt(ctxt, &dt);
1789 eip_addr = dt.address + (irq << 2);
1790 cs_addr = dt.address + (irq << 2) + 2;
1792 rc = ops->read_std(ctxt, cs_addr, &cs, 2, &ctxt->exception);
1793 if (rc != X86EMUL_CONTINUE)
1796 rc = ops->read_std(ctxt, eip_addr, &eip, 2, &ctxt->exception);
1797 if (rc != X86EMUL_CONTINUE)
1800 rc = load_segment_descriptor(ctxt, cs, VCPU_SREG_CS);
1801 if (rc != X86EMUL_CONTINUE)
1809 int emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
1813 invalidate_registers(ctxt);
1814 rc = __emulate_int_real(ctxt, irq);
1815 if (rc == X86EMUL_CONTINUE)
1816 writeback_registers(ctxt);
1820 static int emulate_int(struct x86_emulate_ctxt *ctxt, int irq)
1822 switch(ctxt->mode) {
1823 case X86EMUL_MODE_REAL:
1824 return __emulate_int_real(ctxt, irq);
1825 case X86EMUL_MODE_VM86:
1826 case X86EMUL_MODE_PROT16:
1827 case X86EMUL_MODE_PROT32:
1828 case X86EMUL_MODE_PROT64:
1830 /* Protected mode interrupts unimplemented yet */
1831 return X86EMUL_UNHANDLEABLE;
1835 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
1837 int rc = X86EMUL_CONTINUE;
1838 unsigned long temp_eip = 0;
1839 unsigned long temp_eflags = 0;
1840 unsigned long cs = 0;
1841 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
1842 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
1843 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
1844 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
1846 /* TODO: Add stack limit check */
1848 rc = emulate_pop(ctxt, &temp_eip, ctxt->op_bytes);
1850 if (rc != X86EMUL_CONTINUE)
1853 if (temp_eip & ~0xffff)
1854 return emulate_gp(ctxt, 0);
1856 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
1858 if (rc != X86EMUL_CONTINUE)
1861 rc = emulate_pop(ctxt, &temp_eflags, ctxt->op_bytes);
1863 if (rc != X86EMUL_CONTINUE)
1866 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
1868 if (rc != X86EMUL_CONTINUE)
1871 ctxt->_eip = temp_eip;
1874 if (ctxt->op_bytes == 4)
1875 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
1876 else if (ctxt->op_bytes == 2) {
1877 ctxt->eflags &= ~0xffff;
1878 ctxt->eflags |= temp_eflags;
1881 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
1882 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
1887 static int em_iret(struct x86_emulate_ctxt *ctxt)
1889 switch(ctxt->mode) {
1890 case X86EMUL_MODE_REAL:
1891 return emulate_iret_real(ctxt);
1892 case X86EMUL_MODE_VM86:
1893 case X86EMUL_MODE_PROT16:
1894 case X86EMUL_MODE_PROT32:
1895 case X86EMUL_MODE_PROT64:
1897 /* iret from protected mode unimplemented yet */
1898 return X86EMUL_UNHANDLEABLE;
1902 static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
1907 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
1909 rc = load_segment_descriptor(ctxt, sel, VCPU_SREG_CS);
1910 if (rc != X86EMUL_CONTINUE)
1914 memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
1915 return X86EMUL_CONTINUE;
1918 static int em_grp2(struct x86_emulate_ctxt *ctxt)
1920 switch (ctxt->modrm_reg) {
1922 emulate_2op_SrcB(ctxt, "rol");
1925 emulate_2op_SrcB(ctxt, "ror");
1928 emulate_2op_SrcB(ctxt, "rcl");
1931 emulate_2op_SrcB(ctxt, "rcr");
1933 case 4: /* sal/shl */
1934 case 6: /* sal/shl */
1935 emulate_2op_SrcB(ctxt, "sal");
1938 emulate_2op_SrcB(ctxt, "shr");
1941 emulate_2op_SrcB(ctxt, "sar");
1944 return X86EMUL_CONTINUE;
1947 static int em_not(struct x86_emulate_ctxt *ctxt)
1949 ctxt->dst.val = ~ctxt->dst.val;
1950 return X86EMUL_CONTINUE;
1953 static int em_neg(struct x86_emulate_ctxt *ctxt)
1955 emulate_1op(ctxt, "neg");
1956 return X86EMUL_CONTINUE;
1959 static int em_mul_ex(struct x86_emulate_ctxt *ctxt)
1963 emulate_1op_rax_rdx(ctxt, "mul", ex);
1964 return X86EMUL_CONTINUE;
1967 static int em_imul_ex(struct x86_emulate_ctxt *ctxt)
1971 emulate_1op_rax_rdx(ctxt, "imul", ex);
1972 return X86EMUL_CONTINUE;
1975 static int em_div_ex(struct x86_emulate_ctxt *ctxt)
1979 emulate_1op_rax_rdx(ctxt, "div", de);
1981 return emulate_de(ctxt);
1982 return X86EMUL_CONTINUE;
1985 static int em_idiv_ex(struct x86_emulate_ctxt *ctxt)
1989 emulate_1op_rax_rdx(ctxt, "idiv", de);
1991 return emulate_de(ctxt);
1992 return X86EMUL_CONTINUE;
1995 static int em_grp45(struct x86_emulate_ctxt *ctxt)
1997 int rc = X86EMUL_CONTINUE;
1999 switch (ctxt->modrm_reg) {
2001 emulate_1op(ctxt, "inc");
2004 emulate_1op(ctxt, "dec");
2006 case 2: /* call near abs */ {
2008 old_eip = ctxt->_eip;
2009 ctxt->_eip = ctxt->src.val;
2010 ctxt->src.val = old_eip;
2014 case 4: /* jmp abs */
2015 ctxt->_eip = ctxt->src.val;
2017 case 5: /* jmp far */
2018 rc = em_jmp_far(ctxt);
2027 static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
2029 u64 old = ctxt->dst.orig_val64;
2031 if (((u32) (old >> 0) != (u32) reg_read(ctxt, VCPU_REGS_RAX)) ||
2032 ((u32) (old >> 32) != (u32) reg_read(ctxt, VCPU_REGS_RDX))) {
2033 *reg_write(ctxt, VCPU_REGS_RAX) = (u32) (old >> 0);
2034 *reg_write(ctxt, VCPU_REGS_RDX) = (u32) (old >> 32);
2035 ctxt->eflags &= ~EFLG_ZF;
2037 ctxt->dst.val64 = ((u64)reg_read(ctxt, VCPU_REGS_RCX) << 32) |
2038 (u32) reg_read(ctxt, VCPU_REGS_RBX);
2040 ctxt->eflags |= EFLG_ZF;
2042 return X86EMUL_CONTINUE;
2045 static int em_ret(struct x86_emulate_ctxt *ctxt)
2047 ctxt->dst.type = OP_REG;
2048 ctxt->dst.addr.reg = &ctxt->_eip;
2049 ctxt->dst.bytes = ctxt->op_bytes;
2050 return em_pop(ctxt);
2053 static int em_ret_far(struct x86_emulate_ctxt *ctxt)
2058 rc = emulate_pop(ctxt, &ctxt->_eip, ctxt->op_bytes);
2059 if (rc != X86EMUL_CONTINUE)
2061 if (ctxt->op_bytes == 4)
2062 ctxt->_eip = (u32)ctxt->_eip;
2063 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2064 if (rc != X86EMUL_CONTINUE)
2066 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
2070 static int em_cmpxchg(struct x86_emulate_ctxt *ctxt)
2072 /* Save real source value, then compare EAX against destination. */
2073 ctxt->src.orig_val = ctxt->src.val;
2074 ctxt->src.val = reg_read(ctxt, VCPU_REGS_RAX);
2075 emulate_2op_SrcV(ctxt, "cmp");
2077 if (ctxt->eflags & EFLG_ZF) {
2078 /* Success: write back to memory. */
2079 ctxt->dst.val = ctxt->src.orig_val;
2081 /* Failure: write the value we saw to EAX. */
2082 ctxt->dst.type = OP_REG;
2083 ctxt->dst.addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
2085 return X86EMUL_CONTINUE;
2088 static int em_lseg(struct x86_emulate_ctxt *ctxt)
2090 int seg = ctxt->src2.val;
2094 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2096 rc = load_segment_descriptor(ctxt, sel, seg);
2097 if (rc != X86EMUL_CONTINUE)
2100 ctxt->dst.val = ctxt->src.val;
2105 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
2106 struct desc_struct *cs, struct desc_struct *ss)
2108 cs->l = 0; /* will be adjusted later */
2109 set_desc_base(cs, 0); /* flat segment */
2110 cs->g = 1; /* 4kb granularity */
2111 set_desc_limit(cs, 0xfffff); /* 4GB limit */
2112 cs->type = 0x0b; /* Read, Execute, Accessed */
2114 cs->dpl = 0; /* will be adjusted later */
2119 set_desc_base(ss, 0); /* flat segment */
2120 set_desc_limit(ss, 0xfffff); /* 4GB limit */
2121 ss->g = 1; /* 4kb granularity */
2123 ss->type = 0x03; /* Read/Write, Accessed */
2124 ss->d = 1; /* 32bit stack segment */
2131 static bool vendor_intel(struct x86_emulate_ctxt *ctxt)
2133 u32 eax, ebx, ecx, edx;
2136 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
2137 return ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx
2138 && ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx
2139 && edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx;
2142 static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt)
2144 const struct x86_emulate_ops *ops = ctxt->ops;
2145 u32 eax, ebx, ecx, edx;
2148 * syscall should always be enabled in longmode - so only become
2149 * vendor specific (cpuid) if other modes are active...
2151 if (ctxt->mode == X86EMUL_MODE_PROT64)
2156 ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
2158 * Intel ("GenuineIntel")
2159 * remark: Intel CPUs only support "syscall" in 64bit
2160 * longmode. Also an 64bit guest with a
2161 * 32bit compat-app running will #UD !! While this
2162 * behaviour can be fixed (by emulating) into AMD
2163 * response - CPUs of AMD can't behave like Intel.
2165 if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
2166 ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
2167 edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
2170 /* AMD ("AuthenticAMD") */
2171 if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
2172 ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
2173 edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
2176 /* AMD ("AMDisbetter!") */
2177 if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
2178 ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
2179 edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
2182 /* default: (not Intel, not AMD), apply Intel's stricter rules... */
2186 static int em_syscall(struct x86_emulate_ctxt *ctxt)
2188 const struct x86_emulate_ops *ops = ctxt->ops;
2189 struct desc_struct cs, ss;
2194 /* syscall is not available in real mode */
2195 if (ctxt->mode == X86EMUL_MODE_REAL ||
2196 ctxt->mode == X86EMUL_MODE_VM86)
2197 return emulate_ud(ctxt);
2199 if (!(em_syscall_is_enabled(ctxt)))
2200 return emulate_ud(ctxt);
2202 ops->get_msr(ctxt, MSR_EFER, &efer);
2203 setup_syscalls_segments(ctxt, &cs, &ss);
2205 if (!(efer & EFER_SCE))
2206 return emulate_ud(ctxt);
2208 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2210 cs_sel = (u16)(msr_data & 0xfffc);
2211 ss_sel = (u16)(msr_data + 8);
2213 if (efer & EFER_LMA) {
2217 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2218 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2220 *reg_write(ctxt, VCPU_REGS_RCX) = ctxt->_eip;
2221 if (efer & EFER_LMA) {
2222 #ifdef CONFIG_X86_64
2223 *reg_write(ctxt, VCPU_REGS_R11) = ctxt->eflags & ~EFLG_RF;
2226 ctxt->mode == X86EMUL_MODE_PROT64 ?
2227 MSR_LSTAR : MSR_CSTAR, &msr_data);
2228 ctxt->_eip = msr_data;
2230 ops->get_msr(ctxt, MSR_SYSCALL_MASK, &msr_data);
2231 ctxt->eflags &= ~(msr_data | EFLG_RF);
2235 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2236 ctxt->_eip = (u32)msr_data;
2238 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2241 return X86EMUL_CONTINUE;
2244 static int em_sysenter(struct x86_emulate_ctxt *ctxt)
2246 const struct x86_emulate_ops *ops = ctxt->ops;
2247 struct desc_struct cs, ss;
2252 ops->get_msr(ctxt, MSR_EFER, &efer);
2253 /* inject #GP if in real mode */
2254 if (ctxt->mode == X86EMUL_MODE_REAL)
2255 return emulate_gp(ctxt, 0);
2258 * Not recognized on AMD in compat mode (but is recognized in legacy
2261 if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
2262 && !vendor_intel(ctxt))
2263 return emulate_ud(ctxt);
2265 /* XXX sysenter/sysexit have not been tested in 64bit mode.
2266 * Therefore, we inject an #UD.
2268 if (ctxt->mode == X86EMUL_MODE_PROT64)
2269 return emulate_ud(ctxt);
2271 setup_syscalls_segments(ctxt, &cs, &ss);
2273 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2274 switch (ctxt->mode) {
2275 case X86EMUL_MODE_PROT32:
2276 if ((msr_data & 0xfffc) == 0x0)
2277 return emulate_gp(ctxt, 0);
2279 case X86EMUL_MODE_PROT64:
2280 if (msr_data == 0x0)
2281 return emulate_gp(ctxt, 0);
2287 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2288 cs_sel = (u16)msr_data;
2289 cs_sel &= ~SELECTOR_RPL_MASK;
2290 ss_sel = cs_sel + 8;
2291 ss_sel &= ~SELECTOR_RPL_MASK;
2292 if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
2297 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2298 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2300 ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
2301 ctxt->_eip = msr_data;
2303 ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
2304 *reg_write(ctxt, VCPU_REGS_RSP) = msr_data;
2306 return X86EMUL_CONTINUE;
2309 static int em_sysexit(struct x86_emulate_ctxt *ctxt)
2311 const struct x86_emulate_ops *ops = ctxt->ops;
2312 struct desc_struct cs, ss;
2315 u16 cs_sel = 0, ss_sel = 0;
2317 /* inject #GP if in real mode or Virtual 8086 mode */
2318 if (ctxt->mode == X86EMUL_MODE_REAL ||
2319 ctxt->mode == X86EMUL_MODE_VM86)
2320 return emulate_gp(ctxt, 0);
2322 setup_syscalls_segments(ctxt, &cs, &ss);
2324 if ((ctxt->rex_prefix & 0x8) != 0x0)
2325 usermode = X86EMUL_MODE_PROT64;
2327 usermode = X86EMUL_MODE_PROT32;
2331 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2333 case X86EMUL_MODE_PROT32:
2334 cs_sel = (u16)(msr_data + 16);
2335 if ((msr_data & 0xfffc) == 0x0)
2336 return emulate_gp(ctxt, 0);
2337 ss_sel = (u16)(msr_data + 24);
2339 case X86EMUL_MODE_PROT64:
2340 cs_sel = (u16)(msr_data + 32);
2341 if (msr_data == 0x0)
2342 return emulate_gp(ctxt, 0);
2343 ss_sel = cs_sel + 8;
2348 cs_sel |= SELECTOR_RPL_MASK;
2349 ss_sel |= SELECTOR_RPL_MASK;
2351 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2352 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2354 ctxt->_eip = reg_read(ctxt, VCPU_REGS_RDX);
2355 *reg_write(ctxt, VCPU_REGS_RSP) = reg_read(ctxt, VCPU_REGS_RCX);
2357 return X86EMUL_CONTINUE;
2360 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt)
2363 if (ctxt->mode == X86EMUL_MODE_REAL)
2365 if (ctxt->mode == X86EMUL_MODE_VM86)
2367 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
2368 return ctxt->ops->cpl(ctxt) > iopl;
2371 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2374 const struct x86_emulate_ops *ops = ctxt->ops;
2375 struct desc_struct tr_seg;
2378 u16 tr, io_bitmap_ptr, perm, bit_idx = port & 0x7;
2379 unsigned mask = (1 << len) - 1;
2382 ops->get_segment(ctxt, &tr, &tr_seg, &base3, VCPU_SREG_TR);
2385 if (desc_limit_scaled(&tr_seg) < 103)
2387 base = get_desc_base(&tr_seg);
2388 #ifdef CONFIG_X86_64
2389 base |= ((u64)base3) << 32;
2391 r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL);
2392 if (r != X86EMUL_CONTINUE)
2394 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2396 r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL);
2397 if (r != X86EMUL_CONTINUE)
2399 if ((perm >> bit_idx) & mask)
2404 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2410 if (emulator_bad_iopl(ctxt))
2411 if (!emulator_io_port_access_allowed(ctxt, port, len))
2414 ctxt->perm_ok = true;
2419 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2420 struct tss_segment_16 *tss)
2422 tss->ip = ctxt->_eip;
2423 tss->flag = ctxt->eflags;
2424 tss->ax = reg_read(ctxt, VCPU_REGS_RAX);
2425 tss->cx = reg_read(ctxt, VCPU_REGS_RCX);
2426 tss->dx = reg_read(ctxt, VCPU_REGS_RDX);
2427 tss->bx = reg_read(ctxt, VCPU_REGS_RBX);
2428 tss->sp = reg_read(ctxt, VCPU_REGS_RSP);
2429 tss->bp = reg_read(ctxt, VCPU_REGS_RBP);
2430 tss->si = reg_read(ctxt, VCPU_REGS_RSI);
2431 tss->di = reg_read(ctxt, VCPU_REGS_RDI);
2433 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2434 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2435 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2436 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2437 tss->ldt = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2440 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2441 struct tss_segment_16 *tss)
2445 ctxt->_eip = tss->ip;
2446 ctxt->eflags = tss->flag | 2;
2447 *reg_write(ctxt, VCPU_REGS_RAX) = tss->ax;
2448 *reg_write(ctxt, VCPU_REGS_RCX) = tss->cx;
2449 *reg_write(ctxt, VCPU_REGS_RDX) = tss->dx;
2450 *reg_write(ctxt, VCPU_REGS_RBX) = tss->bx;
2451 *reg_write(ctxt, VCPU_REGS_RSP) = tss->sp;
2452 *reg_write(ctxt, VCPU_REGS_RBP) = tss->bp;
2453 *reg_write(ctxt, VCPU_REGS_RSI) = tss->si;
2454 *reg_write(ctxt, VCPU_REGS_RDI) = tss->di;
2457 * SDM says that segment selectors are loaded before segment
2460 set_segment_selector(ctxt, tss->ldt, VCPU_SREG_LDTR);
2461 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2462 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2463 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2464 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2467 * Now load segment descriptors. If fault happens at this stage
2468 * it is handled in a context of new task
2470 ret = load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR);
2471 if (ret != X86EMUL_CONTINUE)
2473 ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES);
2474 if (ret != X86EMUL_CONTINUE)
2476 ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS);
2477 if (ret != X86EMUL_CONTINUE)
2479 ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS);
2480 if (ret != X86EMUL_CONTINUE)
2482 ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS);
2483 if (ret != X86EMUL_CONTINUE)
2486 return X86EMUL_CONTINUE;
2489 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2490 u16 tss_selector, u16 old_tss_sel,
2491 ulong old_tss_base, struct desc_struct *new_desc)
2493 const struct x86_emulate_ops *ops = ctxt->ops;
2494 struct tss_segment_16 tss_seg;
2496 u32 new_tss_base = get_desc_base(new_desc);
2498 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2500 if (ret != X86EMUL_CONTINUE)
2501 /* FIXME: need to provide precise fault address */
2504 save_state_to_tss16(ctxt, &tss_seg);
2506 ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2508 if (ret != X86EMUL_CONTINUE)
2509 /* FIXME: need to provide precise fault address */
2512 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
2514 if (ret != X86EMUL_CONTINUE)
2515 /* FIXME: need to provide precise fault address */
2518 if (old_tss_sel != 0xffff) {
2519 tss_seg.prev_task_link = old_tss_sel;
2521 ret = ops->write_std(ctxt, new_tss_base,
2522 &tss_seg.prev_task_link,
2523 sizeof tss_seg.prev_task_link,
2525 if (ret != X86EMUL_CONTINUE)
2526 /* FIXME: need to provide precise fault address */
2530 return load_state_from_tss16(ctxt, &tss_seg);
2533 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2534 struct tss_segment_32 *tss)
2536 tss->cr3 = ctxt->ops->get_cr(ctxt, 3);
2537 tss->eip = ctxt->_eip;
2538 tss->eflags = ctxt->eflags;
2539 tss->eax = reg_read(ctxt, VCPU_REGS_RAX);
2540 tss->ecx = reg_read(ctxt, VCPU_REGS_RCX);
2541 tss->edx = reg_read(ctxt, VCPU_REGS_RDX);
2542 tss->ebx = reg_read(ctxt, VCPU_REGS_RBX);
2543 tss->esp = reg_read(ctxt, VCPU_REGS_RSP);
2544 tss->ebp = reg_read(ctxt, VCPU_REGS_RBP);
2545 tss->esi = reg_read(ctxt, VCPU_REGS_RSI);
2546 tss->edi = reg_read(ctxt, VCPU_REGS_RDI);
2548 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2549 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2550 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2551 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2552 tss->fs = get_segment_selector(ctxt, VCPU_SREG_FS);
2553 tss->gs = get_segment_selector(ctxt, VCPU_SREG_GS);
2554 tss->ldt_selector = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2557 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2558 struct tss_segment_32 *tss)
2562 if (ctxt->ops->set_cr(ctxt, 3, tss->cr3))
2563 return emulate_gp(ctxt, 0);
2564 ctxt->_eip = tss->eip;
2565 ctxt->eflags = tss->eflags | 2;
2567 /* General purpose registers */
2568 *reg_write(ctxt, VCPU_REGS_RAX) = tss->eax;
2569 *reg_write(ctxt, VCPU_REGS_RCX) = tss->ecx;
2570 *reg_write(ctxt, VCPU_REGS_RDX) = tss->edx;
2571 *reg_write(ctxt, VCPU_REGS_RBX) = tss->ebx;
2572 *reg_write(ctxt, VCPU_REGS_RSP) = tss->esp;
2573 *reg_write(ctxt, VCPU_REGS_RBP) = tss->ebp;
2574 *reg_write(ctxt, VCPU_REGS_RSI) = tss->esi;
2575 *reg_write(ctxt, VCPU_REGS_RDI) = tss->edi;
2578 * SDM says that segment selectors are loaded before segment
2581 set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
2582 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2583 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2584 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2585 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2586 set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS);
2587 set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS);
2590 * If we're switching between Protected Mode and VM86, we need to make
2591 * sure to update the mode before loading the segment descriptors so
2592 * that the selectors are interpreted correctly.
2594 * Need to get rflags to the vcpu struct immediately because it
2595 * influences the CPL which is checked at least when loading the segment
2596 * descriptors and when pushing an error code to the new kernel stack.
2598 * TODO Introduce a separate ctxt->ops->set_cpl callback
2600 if (ctxt->eflags & X86_EFLAGS_VM)
2601 ctxt->mode = X86EMUL_MODE_VM86;
2603 ctxt->mode = X86EMUL_MODE_PROT32;
2605 ctxt->ops->set_rflags(ctxt, ctxt->eflags);
2608 * Now load segment descriptors. If fault happenes at this stage
2609 * it is handled in a context of new task
2611 ret = load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
2612 if (ret != X86EMUL_CONTINUE)
2614 ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES);
2615 if (ret != X86EMUL_CONTINUE)
2617 ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS);
2618 if (ret != X86EMUL_CONTINUE)
2620 ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS);
2621 if (ret != X86EMUL_CONTINUE)
2623 ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS);
2624 if (ret != X86EMUL_CONTINUE)
2626 ret = load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS);
2627 if (ret != X86EMUL_CONTINUE)
2629 ret = load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS);
2630 if (ret != X86EMUL_CONTINUE)
2633 return X86EMUL_CONTINUE;
2636 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2637 u16 tss_selector, u16 old_tss_sel,
2638 ulong old_tss_base, struct desc_struct *new_desc)
2640 const struct x86_emulate_ops *ops = ctxt->ops;
2641 struct tss_segment_32 tss_seg;
2643 u32 new_tss_base = get_desc_base(new_desc);
2645 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2647 if (ret != X86EMUL_CONTINUE)
2648 /* FIXME: need to provide precise fault address */
2651 save_state_to_tss32(ctxt, &tss_seg);
2653 ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2655 if (ret != X86EMUL_CONTINUE)
2656 /* FIXME: need to provide precise fault address */
2659 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
2661 if (ret != X86EMUL_CONTINUE)
2662 /* FIXME: need to provide precise fault address */
2665 if (old_tss_sel != 0xffff) {
2666 tss_seg.prev_task_link = old_tss_sel;
2668 ret = ops->write_std(ctxt, new_tss_base,
2669 &tss_seg.prev_task_link,
2670 sizeof tss_seg.prev_task_link,
2672 if (ret != X86EMUL_CONTINUE)
2673 /* FIXME: need to provide precise fault address */
2677 return load_state_from_tss32(ctxt, &tss_seg);
2680 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2681 u16 tss_selector, int idt_index, int reason,
2682 bool has_error_code, u32 error_code)
2684 const struct x86_emulate_ops *ops = ctxt->ops;
2685 struct desc_struct curr_tss_desc, next_tss_desc;
2687 u16 old_tss_sel = get_segment_selector(ctxt, VCPU_SREG_TR);
2688 ulong old_tss_base =
2689 ops->get_cached_segment_base(ctxt, VCPU_SREG_TR);
2693 /* FIXME: old_tss_base == ~0 ? */
2695 ret = read_segment_descriptor(ctxt, tss_selector, &next_tss_desc, &desc_addr);
2696 if (ret != X86EMUL_CONTINUE)
2698 ret = read_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc, &desc_addr);
2699 if (ret != X86EMUL_CONTINUE)
2702 /* FIXME: check that next_tss_desc is tss */
2705 * Check privileges. The three cases are task switch caused by...
2707 * 1. jmp/call/int to task gate: Check against DPL of the task gate
2708 * 2. Exception/IRQ/iret: No check is performed
2709 * 3. jmp/call to TSS: Check against DPL of the TSS
2711 if (reason == TASK_SWITCH_GATE) {
2712 if (idt_index != -1) {
2713 /* Software interrupts */
2714 struct desc_struct task_gate_desc;
2717 ret = read_interrupt_descriptor(ctxt, idt_index,
2719 if (ret != X86EMUL_CONTINUE)
2722 dpl = task_gate_desc.dpl;
2723 if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
2724 return emulate_gp(ctxt, (idt_index << 3) | 0x2);
2726 } else if (reason != TASK_SWITCH_IRET) {
2727 int dpl = next_tss_desc.dpl;
2728 if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
2729 return emulate_gp(ctxt, tss_selector);
2733 desc_limit = desc_limit_scaled(&next_tss_desc);
2734 if (!next_tss_desc.p ||
2735 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2736 desc_limit < 0x2b)) {
2737 emulate_ts(ctxt, tss_selector & 0xfffc);
2738 return X86EMUL_PROPAGATE_FAULT;
2741 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2742 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2743 write_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
2746 if (reason == TASK_SWITCH_IRET)
2747 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2749 /* set back link to prev task only if NT bit is set in eflags
2750 note that old_tss_sel is not used after this point */
2751 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2752 old_tss_sel = 0xffff;
2754 if (next_tss_desc.type & 8)
2755 ret = task_switch_32(ctxt, tss_selector, old_tss_sel,
2756 old_tss_base, &next_tss_desc);
2758 ret = task_switch_16(ctxt, tss_selector, old_tss_sel,
2759 old_tss_base, &next_tss_desc);
2760 if (ret != X86EMUL_CONTINUE)
2763 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2764 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2766 if (reason != TASK_SWITCH_IRET) {
2767 next_tss_desc.type |= (1 << 1); /* set busy flag */
2768 write_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
2771 ops->set_cr(ctxt, 0, ops->get_cr(ctxt, 0) | X86_CR0_TS);
2772 ops->set_segment(ctxt, tss_selector, &next_tss_desc, 0, VCPU_SREG_TR);
2774 if (has_error_code) {
2775 ctxt->op_bytes = ctxt->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2776 ctxt->lock_prefix = 0;
2777 ctxt->src.val = (unsigned long) error_code;
2778 ret = em_push(ctxt);
2784 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2785 u16 tss_selector, int idt_index, int reason,
2786 bool has_error_code, u32 error_code)
2790 invalidate_registers(ctxt);
2791 ctxt->_eip = ctxt->eip;
2792 ctxt->dst.type = OP_NONE;
2794 rc = emulator_do_task_switch(ctxt, tss_selector, idt_index, reason,
2795 has_error_code, error_code);
2797 if (rc == X86EMUL_CONTINUE) {
2798 ctxt->eip = ctxt->_eip;
2799 writeback_registers(ctxt);
2802 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
2805 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, int reg,
2808 int df = (ctxt->eflags & EFLG_DF) ? -op->count : op->count;
2810 register_address_increment(ctxt, reg_rmw(ctxt, reg), df * op->bytes);
2811 op->addr.mem.ea = register_address(ctxt, reg_read(ctxt, reg));
2814 static int em_das(struct x86_emulate_ctxt *ctxt)
2817 bool af, cf, old_cf;
2819 cf = ctxt->eflags & X86_EFLAGS_CF;
2825 af = ctxt->eflags & X86_EFLAGS_AF;
2826 if ((al & 0x0f) > 9 || af) {
2828 cf = old_cf | (al >= 250);
2833 if (old_al > 0x99 || old_cf) {
2839 /* Set PF, ZF, SF */
2840 ctxt->src.type = OP_IMM;
2842 ctxt->src.bytes = 1;
2843 emulate_2op_SrcV(ctxt, "or");
2844 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
2846 ctxt->eflags |= X86_EFLAGS_CF;
2848 ctxt->eflags |= X86_EFLAGS_AF;
2849 return X86EMUL_CONTINUE;
2852 static int em_aad(struct x86_emulate_ctxt *ctxt)
2854 u8 al = ctxt->dst.val & 0xff;
2855 u8 ah = (ctxt->dst.val >> 8) & 0xff;
2857 al = (al + (ah * ctxt->src.val)) & 0xff;
2859 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al;
2861 ctxt->eflags &= ~(X86_EFLAGS_PF | X86_EFLAGS_SF | X86_EFLAGS_ZF);
2864 ctxt->eflags |= X86_EFLAGS_ZF;
2866 ctxt->eflags |= X86_EFLAGS_PF;
2868 ctxt->eflags |= X86_EFLAGS_SF;
2870 return X86EMUL_CONTINUE;
2873 static int em_call(struct x86_emulate_ctxt *ctxt)
2875 long rel = ctxt->src.val;
2877 ctxt->src.val = (unsigned long)ctxt->_eip;
2879 return em_push(ctxt);
2882 static int em_call_far(struct x86_emulate_ctxt *ctxt)
2888 old_cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2889 old_eip = ctxt->_eip;
2891 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2892 if (load_segment_descriptor(ctxt, sel, VCPU_SREG_CS))
2893 return X86EMUL_CONTINUE;
2896 memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
2898 ctxt->src.val = old_cs;
2900 if (rc != X86EMUL_CONTINUE)
2903 ctxt->src.val = old_eip;
2904 return em_push(ctxt);
2907 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
2911 ctxt->dst.type = OP_REG;
2912 ctxt->dst.addr.reg = &ctxt->_eip;
2913 ctxt->dst.bytes = ctxt->op_bytes;
2914 rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
2915 if (rc != X86EMUL_CONTINUE)
2917 rsp_increment(ctxt, ctxt->src.val);
2918 return X86EMUL_CONTINUE;
2921 static int em_add(struct x86_emulate_ctxt *ctxt)
2923 emulate_2op_SrcV(ctxt, "add");
2924 return X86EMUL_CONTINUE;
2927 static int em_or(struct x86_emulate_ctxt *ctxt)
2929 emulate_2op_SrcV(ctxt, "or");
2930 return X86EMUL_CONTINUE;
2933 static int em_adc(struct x86_emulate_ctxt *ctxt)
2935 emulate_2op_SrcV(ctxt, "adc");
2936 return X86EMUL_CONTINUE;
2939 static int em_sbb(struct x86_emulate_ctxt *ctxt)
2941 emulate_2op_SrcV(ctxt, "sbb");
2942 return X86EMUL_CONTINUE;
2945 static int em_and(struct x86_emulate_ctxt *ctxt)
2947 emulate_2op_SrcV(ctxt, "and");
2948 return X86EMUL_CONTINUE;
2951 static int em_sub(struct x86_emulate_ctxt *ctxt)
2953 emulate_2op_SrcV(ctxt, "sub");
2954 return X86EMUL_CONTINUE;
2957 static int em_xor(struct x86_emulate_ctxt *ctxt)
2959 emulate_2op_SrcV(ctxt, "xor");
2960 return X86EMUL_CONTINUE;
2963 static int em_cmp(struct x86_emulate_ctxt *ctxt)
2965 emulate_2op_SrcV(ctxt, "cmp");
2966 /* Disable writeback. */
2967 ctxt->dst.type = OP_NONE;
2968 return X86EMUL_CONTINUE;
2971 static int em_test(struct x86_emulate_ctxt *ctxt)
2973 emulate_2op_SrcV(ctxt, "test");
2974 /* Disable writeback. */
2975 ctxt->dst.type = OP_NONE;
2976 return X86EMUL_CONTINUE;
2979 static int em_xchg(struct x86_emulate_ctxt *ctxt)
2981 /* Write back the register source. */
2982 ctxt->src.val = ctxt->dst.val;
2983 write_register_operand(&ctxt->src);
2985 /* Write back the memory destination with implicit LOCK prefix. */
2986 ctxt->dst.val = ctxt->src.orig_val;
2987 ctxt->lock_prefix = 1;
2988 return X86EMUL_CONTINUE;
2991 static int em_imul(struct x86_emulate_ctxt *ctxt)
2993 emulate_2op_SrcV_nobyte(ctxt, "imul");
2994 return X86EMUL_CONTINUE;
2997 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
2999 ctxt->dst.val = ctxt->src2.val;
3000 return em_imul(ctxt);
3003 static int em_cwd(struct x86_emulate_ctxt *ctxt)
3005 ctxt->dst.type = OP_REG;
3006 ctxt->dst.bytes = ctxt->src.bytes;
3007 ctxt->dst.addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
3008 ctxt->dst.val = ~((ctxt->src.val >> (ctxt->src.bytes * 8 - 1)) - 1);
3010 return X86EMUL_CONTINUE;
3013 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
3017 ctxt->ops->get_msr(ctxt, MSR_IA32_TSC, &tsc);
3018 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)tsc;
3019 *reg_write(ctxt, VCPU_REGS_RDX) = tsc >> 32;
3020 return X86EMUL_CONTINUE;
3023 static int em_rdpmc(struct x86_emulate_ctxt *ctxt)
3027 if (ctxt->ops->read_pmc(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &pmc))
3028 return emulate_gp(ctxt, 0);
3029 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)pmc;
3030 *reg_write(ctxt, VCPU_REGS_RDX) = pmc >> 32;
3031 return X86EMUL_CONTINUE;
3034 static int em_mov(struct x86_emulate_ctxt *ctxt)
3036 memcpy(ctxt->dst.valptr, ctxt->src.valptr, ctxt->op_bytes);
3037 return X86EMUL_CONTINUE;
3040 static int em_cr_write(struct x86_emulate_ctxt *ctxt)
3042 if (ctxt->ops->set_cr(ctxt, ctxt->modrm_reg, ctxt->src.val))
3043 return emulate_gp(ctxt, 0);
3045 /* Disable writeback. */
3046 ctxt->dst.type = OP_NONE;
3047 return X86EMUL_CONTINUE;
3050 static int em_dr_write(struct x86_emulate_ctxt *ctxt)
3054 if (ctxt->mode == X86EMUL_MODE_PROT64)
3055 val = ctxt->src.val & ~0ULL;
3057 val = ctxt->src.val & ~0U;
3059 /* #UD condition is already handled. */
3060 if (ctxt->ops->set_dr(ctxt, ctxt->modrm_reg, val) < 0)
3061 return emulate_gp(ctxt, 0);
3063 /* Disable writeback. */
3064 ctxt->dst.type = OP_NONE;
3065 return X86EMUL_CONTINUE;
3068 static int em_wrmsr(struct x86_emulate_ctxt *ctxt)
3072 msr_data = (u32)reg_read(ctxt, VCPU_REGS_RAX)
3073 | ((u64)reg_read(ctxt, VCPU_REGS_RDX) << 32);
3074 if (ctxt->ops->set_msr(ctxt, reg_read(ctxt, VCPU_REGS_RCX), msr_data))
3075 return emulate_gp(ctxt, 0);
3077 return X86EMUL_CONTINUE;
3080 static int em_rdmsr(struct x86_emulate_ctxt *ctxt)
3084 if (ctxt->ops->get_msr(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &msr_data))
3085 return emulate_gp(ctxt, 0);
3087 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)msr_data;
3088 *reg_write(ctxt, VCPU_REGS_RDX) = msr_data >> 32;
3089 return X86EMUL_CONTINUE;
3092 static int em_mov_rm_sreg(struct x86_emulate_ctxt *ctxt)
3094 if (ctxt->modrm_reg > VCPU_SREG_GS)
3095 return emulate_ud(ctxt);
3097 ctxt->dst.val = get_segment_selector(ctxt, ctxt->modrm_reg);
3098 return X86EMUL_CONTINUE;
3101 static int em_mov_sreg_rm(struct x86_emulate_ctxt *ctxt)
3103 u16 sel = ctxt->src.val;
3105 if (ctxt->modrm_reg == VCPU_SREG_CS || ctxt->modrm_reg > VCPU_SREG_GS)
3106 return emulate_ud(ctxt);
3108 if (ctxt->modrm_reg == VCPU_SREG_SS)
3109 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3111 /* Disable writeback. */
3112 ctxt->dst.type = OP_NONE;
3113 return load_segment_descriptor(ctxt, sel, ctxt->modrm_reg);
3116 static int em_lldt(struct x86_emulate_ctxt *ctxt)
3118 u16 sel = ctxt->src.val;
3120 /* Disable writeback. */
3121 ctxt->dst.type = OP_NONE;
3122 return load_segment_descriptor(ctxt, sel, VCPU_SREG_LDTR);
3125 static int em_ltr(struct x86_emulate_ctxt *ctxt)
3127 u16 sel = ctxt->src.val;
3129 /* Disable writeback. */
3130 ctxt->dst.type = OP_NONE;
3131 return load_segment_descriptor(ctxt, sel, VCPU_SREG_TR);
3134 static int em_invlpg(struct x86_emulate_ctxt *ctxt)
3139 rc = linearize(ctxt, ctxt->src.addr.mem, 1, false, &linear);
3140 if (rc == X86EMUL_CONTINUE)
3141 ctxt->ops->invlpg(ctxt, linear);
3142 /* Disable writeback. */
3143 ctxt->dst.type = OP_NONE;
3144 return X86EMUL_CONTINUE;
3147 static int em_clts(struct x86_emulate_ctxt *ctxt)
3151 cr0 = ctxt->ops->get_cr(ctxt, 0);
3153 ctxt->ops->set_cr(ctxt, 0, cr0);
3154 return X86EMUL_CONTINUE;
3157 static int em_vmcall(struct x86_emulate_ctxt *ctxt)
3161 if (ctxt->modrm_mod != 3 || ctxt->modrm_rm != 1)
3162 return X86EMUL_UNHANDLEABLE;
3164 rc = ctxt->ops->fix_hypercall(ctxt);
3165 if (rc != X86EMUL_CONTINUE)
3168 /* Let the processor re-execute the fixed hypercall */
3169 ctxt->_eip = ctxt->eip;
3170 /* Disable writeback. */
3171 ctxt->dst.type = OP_NONE;
3172 return X86EMUL_CONTINUE;
3175 static int emulate_store_desc_ptr(struct x86_emulate_ctxt *ctxt,
3176 void (*get)(struct x86_emulate_ctxt *ctxt,
3177 struct desc_ptr *ptr))
3179 struct desc_ptr desc_ptr;
3181 if (ctxt->mode == X86EMUL_MODE_PROT64)
3183 get(ctxt, &desc_ptr);
3184 if (ctxt->op_bytes == 2) {
3186 desc_ptr.address &= 0x00ffffff;
3188 /* Disable writeback. */
3189 ctxt->dst.type = OP_NONE;
3190 return segmented_write(ctxt, ctxt->dst.addr.mem,
3191 &desc_ptr, 2 + ctxt->op_bytes);
3194 static int em_sgdt(struct x86_emulate_ctxt *ctxt)
3196 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_gdt);
3199 static int em_sidt(struct x86_emulate_ctxt *ctxt)
3201 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_idt);
3204 static int em_lgdt(struct x86_emulate_ctxt *ctxt)
3206 struct desc_ptr desc_ptr;
3209 if (ctxt->mode == X86EMUL_MODE_PROT64)
3211 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
3212 &desc_ptr.size, &desc_ptr.address,
3214 if (rc != X86EMUL_CONTINUE)
3216 ctxt->ops->set_gdt(ctxt, &desc_ptr);
3217 /* Disable writeback. */
3218 ctxt->dst.type = OP_NONE;
3219 return X86EMUL_CONTINUE;
3222 static int em_vmmcall(struct x86_emulate_ctxt *ctxt)
3226 rc = ctxt->ops->fix_hypercall(ctxt);
3228 /* Disable writeback. */
3229 ctxt->dst.type = OP_NONE;
3233 static int em_lidt(struct x86_emulate_ctxt *ctxt)
3235 struct desc_ptr desc_ptr;
3238 if (ctxt->mode == X86EMUL_MODE_PROT64)
3240 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
3241 &desc_ptr.size, &desc_ptr.address,
3243 if (rc != X86EMUL_CONTINUE)
3245 ctxt->ops->set_idt(ctxt, &desc_ptr);
3246 /* Disable writeback. */
3247 ctxt->dst.type = OP_NONE;
3248 return X86EMUL_CONTINUE;
3251 static int em_smsw(struct x86_emulate_ctxt *ctxt)
3253 ctxt->dst.bytes = 2;
3254 ctxt->dst.val = ctxt->ops->get_cr(ctxt, 0);
3255 return X86EMUL_CONTINUE;
3258 static int em_lmsw(struct x86_emulate_ctxt *ctxt)
3260 ctxt->ops->set_cr(ctxt, 0, (ctxt->ops->get_cr(ctxt, 0) & ~0x0eul)
3261 | (ctxt->src.val & 0x0f));
3262 ctxt->dst.type = OP_NONE;
3263 return X86EMUL_CONTINUE;
3266 static int em_loop(struct x86_emulate_ctxt *ctxt)
3268 register_address_increment(ctxt, reg_rmw(ctxt, VCPU_REGS_RCX), -1);
3269 if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) &&
3270 (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
3271 jmp_rel(ctxt, ctxt->src.val);
3273 return X86EMUL_CONTINUE;
3276 static int em_jcxz(struct x86_emulate_ctxt *ctxt)
3278 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0)
3279 jmp_rel(ctxt, ctxt->src.val);
3281 return X86EMUL_CONTINUE;
3284 static int em_in(struct x86_emulate_ctxt *ctxt)
3286 if (!pio_in_emulated(ctxt, ctxt->dst.bytes, ctxt->src.val,
3288 return X86EMUL_IO_NEEDED;
3290 return X86EMUL_CONTINUE;
3293 static int em_out(struct x86_emulate_ctxt *ctxt)
3295 ctxt->ops->pio_out_emulated(ctxt, ctxt->src.bytes, ctxt->dst.val,
3297 /* Disable writeback. */
3298 ctxt->dst.type = OP_NONE;
3299 return X86EMUL_CONTINUE;
3302 static int em_cli(struct x86_emulate_ctxt *ctxt)
3304 if (emulator_bad_iopl(ctxt))
3305 return emulate_gp(ctxt, 0);
3307 ctxt->eflags &= ~X86_EFLAGS_IF;
3308 return X86EMUL_CONTINUE;
3311 static int em_sti(struct x86_emulate_ctxt *ctxt)
3313 if (emulator_bad_iopl(ctxt))
3314 return emulate_gp(ctxt, 0);
3316 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3317 ctxt->eflags |= X86_EFLAGS_IF;
3318 return X86EMUL_CONTINUE;
3321 static int em_bt(struct x86_emulate_ctxt *ctxt)
3323 /* Disable writeback. */
3324 ctxt->dst.type = OP_NONE;
3325 /* only subword offset */
3326 ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
3328 emulate_2op_SrcV_nobyte(ctxt, "bt");
3329 return X86EMUL_CONTINUE;
3332 static int em_bts(struct x86_emulate_ctxt *ctxt)
3334 emulate_2op_SrcV_nobyte(ctxt, "bts");
3335 return X86EMUL_CONTINUE;
3338 static int em_btr(struct x86_emulate_ctxt *ctxt)
3340 emulate_2op_SrcV_nobyte(ctxt, "btr");
3341 return X86EMUL_CONTINUE;
3344 static int em_btc(struct x86_emulate_ctxt *ctxt)
3346 emulate_2op_SrcV_nobyte(ctxt, "btc");
3347 return X86EMUL_CONTINUE;
3350 static int em_bsf(struct x86_emulate_ctxt *ctxt)
3352 emulate_2op_SrcV_nobyte(ctxt, "bsf");
3353 return X86EMUL_CONTINUE;
3356 static int em_bsr(struct x86_emulate_ctxt *ctxt)
3358 emulate_2op_SrcV_nobyte(ctxt, "bsr");
3359 return X86EMUL_CONTINUE;
3362 static int em_cpuid(struct x86_emulate_ctxt *ctxt)
3364 u32 eax, ebx, ecx, edx;
3366 eax = reg_read(ctxt, VCPU_REGS_RAX);
3367 ecx = reg_read(ctxt, VCPU_REGS_RCX);
3368 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
3369 *reg_write(ctxt, VCPU_REGS_RAX) = eax;
3370 *reg_write(ctxt, VCPU_REGS_RBX) = ebx;
3371 *reg_write(ctxt, VCPU_REGS_RCX) = ecx;
3372 *reg_write(ctxt, VCPU_REGS_RDX) = edx;
3373 return X86EMUL_CONTINUE;
3376 static int em_lahf(struct x86_emulate_ctxt *ctxt)
3378 *reg_rmw(ctxt, VCPU_REGS_RAX) &= ~0xff00UL;
3379 *reg_rmw(ctxt, VCPU_REGS_RAX) |= (ctxt->eflags & 0xff) << 8;
3380 return X86EMUL_CONTINUE;
3383 static int em_bswap(struct x86_emulate_ctxt *ctxt)
3385 switch (ctxt->op_bytes) {
3386 #ifdef CONFIG_X86_64
3388 asm("bswap %0" : "+r"(ctxt->dst.val));
3392 asm("bswap %0" : "+r"(*(u32 *)&ctxt->dst.val));
3395 return X86EMUL_CONTINUE;
3398 static bool valid_cr(int nr)
3410 static int check_cr_read(struct x86_emulate_ctxt *ctxt)
3412 if (!valid_cr(ctxt->modrm_reg))
3413 return emulate_ud(ctxt);
3415 return X86EMUL_CONTINUE;
3418 static int check_cr_write(struct x86_emulate_ctxt *ctxt)
3420 u64 new_val = ctxt->src.val64;
3421 int cr = ctxt->modrm_reg;
3424 static u64 cr_reserved_bits[] = {
3425 0xffffffff00000000ULL,
3426 0, 0, 0, /* CR3 checked later */
3433 return emulate_ud(ctxt);
3435 if (new_val & cr_reserved_bits[cr])
3436 return emulate_gp(ctxt, 0);
3441 if (((new_val & X86_CR0_PG) && !(new_val & X86_CR0_PE)) ||
3442 ((new_val & X86_CR0_NW) && !(new_val & X86_CR0_CD)))
3443 return emulate_gp(ctxt, 0);
3445 cr4 = ctxt->ops->get_cr(ctxt, 4);
3446 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3448 if ((new_val & X86_CR0_PG) && (efer & EFER_LME) &&
3449 !(cr4 & X86_CR4_PAE))
3450 return emulate_gp(ctxt, 0);
3457 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3458 if (efer & EFER_LMA)
3459 rsvd = CR3_L_MODE_RESERVED_BITS;
3460 else if (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_PAE)
3461 rsvd = CR3_PAE_RESERVED_BITS;
3462 else if (ctxt->ops->get_cr(ctxt, 0) & X86_CR0_PG)
3463 rsvd = CR3_NONPAE_RESERVED_BITS;
3466 return emulate_gp(ctxt, 0);
3471 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3473 if ((efer & EFER_LMA) && !(new_val & X86_CR4_PAE))
3474 return emulate_gp(ctxt, 0);
3480 return X86EMUL_CONTINUE;
3483 static int check_dr7_gd(struct x86_emulate_ctxt *ctxt)
3487 ctxt->ops->get_dr(ctxt, 7, &dr7);
3489 /* Check if DR7.Global_Enable is set */
3490 return dr7 & (1 << 13);
3493 static int check_dr_read(struct x86_emulate_ctxt *ctxt)
3495 int dr = ctxt->modrm_reg;
3499 return emulate_ud(ctxt);
3501 cr4 = ctxt->ops->get_cr(ctxt, 4);
3502 if ((cr4 & X86_CR4_DE) && (dr == 4 || dr == 5))
3503 return emulate_ud(ctxt);
3505 if (check_dr7_gd(ctxt))
3506 return emulate_db(ctxt);
3508 return X86EMUL_CONTINUE;
3511 static int check_dr_write(struct x86_emulate_ctxt *ctxt)
3513 u64 new_val = ctxt->src.val64;
3514 int dr = ctxt->modrm_reg;
3516 if ((dr == 6 || dr == 7) && (new_val & 0xffffffff00000000ULL))
3517 return emulate_gp(ctxt, 0);
3519 return check_dr_read(ctxt);
3522 static int check_svme(struct x86_emulate_ctxt *ctxt)
3526 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3528 if (!(efer & EFER_SVME))
3529 return emulate_ud(ctxt);
3531 return X86EMUL_CONTINUE;
3534 static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
3536 u64 rax = reg_read(ctxt, VCPU_REGS_RAX);
3538 /* Valid physical address? */
3539 if (rax & 0xffff000000000000ULL)
3540 return emulate_gp(ctxt, 0);
3542 return check_svme(ctxt);
3545 static int check_rdtsc(struct x86_emulate_ctxt *ctxt)
3547 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
3549 if (cr4 & X86_CR4_TSD && ctxt->ops->cpl(ctxt))
3550 return emulate_ud(ctxt);
3552 return X86EMUL_CONTINUE;
3555 static int check_rdpmc(struct x86_emulate_ctxt *ctxt)
3557 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
3558 u64 rcx = reg_read(ctxt, VCPU_REGS_RCX);
3560 if ((!(cr4 & X86_CR4_PCE) && ctxt->ops->cpl(ctxt)) ||
3562 return emulate_gp(ctxt, 0);
3564 return X86EMUL_CONTINUE;
3567 static int check_perm_in(struct x86_emulate_ctxt *ctxt)
3569 ctxt->dst.bytes = min(ctxt->dst.bytes, 4u);
3570 if (!emulator_io_permited(ctxt, ctxt->src.val, ctxt->dst.bytes))
3571 return emulate_gp(ctxt, 0);
3573 return X86EMUL_CONTINUE;
3576 static int check_perm_out(struct x86_emulate_ctxt *ctxt)
3578 ctxt->src.bytes = min(ctxt->src.bytes, 4u);
3579 if (!emulator_io_permited(ctxt, ctxt->dst.val, ctxt->src.bytes))
3580 return emulate_gp(ctxt, 0);
3582 return X86EMUL_CONTINUE;
3585 #define D(_y) { .flags = (_y) }
3586 #define DI(_y, _i) { .flags = (_y), .intercept = x86_intercept_##_i }
3587 #define DIP(_y, _i, _p) { .flags = (_y), .intercept = x86_intercept_##_i, \
3588 .check_perm = (_p) }
3590 #define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
3591 #define G(_f, _g) { .flags = ((_f) | Group | ModRM), .u.group = (_g) }
3592 #define GD(_f, _g) { .flags = ((_f) | GroupDual | ModRM), .u.gdual = (_g) }
3593 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
3594 #define II(_f, _e, _i) \
3595 { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i }
3596 #define IIP(_f, _e, _i, _p) \
3597 { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i, \
3598 .check_perm = (_p) }
3599 #define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
3601 #define D2bv(_f) D((_f) | ByteOp), D(_f)
3602 #define D2bvIP(_f, _i, _p) DIP((_f) | ByteOp, _i, _p), DIP(_f, _i, _p)
3603 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
3604 #define I2bvIP(_f, _e, _i, _p) \
3605 IIP((_f) | ByteOp, _e, _i, _p), IIP(_f, _e, _i, _p)
3607 #define I6ALU(_f, _e) I2bv((_f) | DstMem | SrcReg | ModRM, _e), \
3608 I2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock, _e), \
3609 I2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)
3611 static const struct opcode group7_rm1[] = {
3612 DI(SrcNone | Priv, monitor),
3613 DI(SrcNone | Priv, mwait),
3617 static const struct opcode group7_rm3[] = {
3618 DIP(SrcNone | Prot | Priv, vmrun, check_svme_pa),
3619 II(SrcNone | Prot | VendorSpecific, em_vmmcall, vmmcall),
3620 DIP(SrcNone | Prot | Priv, vmload, check_svme_pa),
3621 DIP(SrcNone | Prot | Priv, vmsave, check_svme_pa),
3622 DIP(SrcNone | Prot | Priv, stgi, check_svme),
3623 DIP(SrcNone | Prot | Priv, clgi, check_svme),
3624 DIP(SrcNone | Prot | Priv, skinit, check_svme),
3625 DIP(SrcNone | Prot | Priv, invlpga, check_svme),
3628 static const struct opcode group7_rm7[] = {
3630 DIP(SrcNone, rdtscp, check_rdtsc),
3634 static const struct opcode group1[] = {
3636 I(Lock | PageTable, em_or),
3639 I(Lock | PageTable, em_and),
3645 static const struct opcode group1A[] = {
3646 I(DstMem | SrcNone | Mov | Stack, em_pop), N, N, N, N, N, N, N,
3649 static const struct opcode group3[] = {
3650 I(DstMem | SrcImm, em_test),
3651 I(DstMem | SrcImm, em_test),
3652 I(DstMem | SrcNone | Lock, em_not),
3653 I(DstMem | SrcNone | Lock, em_neg),
3654 I(SrcMem, em_mul_ex),
3655 I(SrcMem, em_imul_ex),
3656 I(SrcMem, em_div_ex),
3657 I(SrcMem, em_idiv_ex),
3660 static const struct opcode group4[] = {
3661 I(ByteOp | DstMem | SrcNone | Lock, em_grp45),
3662 I(ByteOp | DstMem | SrcNone | Lock, em_grp45),
3666 static const struct opcode group5[] = {
3667 I(DstMem | SrcNone | Lock, em_grp45),
3668 I(DstMem | SrcNone | Lock, em_grp45),
3669 I(SrcMem | Stack, em_grp45),
3670 I(SrcMemFAddr | ImplicitOps | Stack, em_call_far),
3671 I(SrcMem | Stack, em_grp45),
3672 I(SrcMemFAddr | ImplicitOps, em_grp45),
3673 I(SrcMem | Stack, em_grp45), N,
3676 static const struct opcode group6[] = {
3679 II(Prot | Priv | SrcMem16, em_lldt, lldt),
3680 II(Prot | Priv | SrcMem16, em_ltr, ltr),
3684 static const struct group_dual group7 = { {
3685 II(Mov | DstMem | Priv, em_sgdt, sgdt),
3686 II(Mov | DstMem | Priv, em_sidt, sidt),
3687 II(SrcMem | Priv, em_lgdt, lgdt),
3688 II(SrcMem | Priv, em_lidt, lidt),
3689 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
3690 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
3691 II(SrcMem | ByteOp | Priv | NoAccess, em_invlpg, invlpg),
3693 I(SrcNone | Priv | VendorSpecific, em_vmcall),
3695 N, EXT(0, group7_rm3),
3696 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
3697 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
3701 static const struct opcode group8[] = {
3703 I(DstMem | SrcImmByte, em_bt),
3704 I(DstMem | SrcImmByte | Lock | PageTable, em_bts),
3705 I(DstMem | SrcImmByte | Lock, em_btr),
3706 I(DstMem | SrcImmByte | Lock | PageTable, em_btc),
3709 static const struct group_dual group9 = { {
3710 N, I(DstMem64 | Lock | PageTable, em_cmpxchg8b), N, N, N, N, N, N,
3712 N, N, N, N, N, N, N, N,
3715 static const struct opcode group11[] = {
3716 I(DstMem | SrcImm | Mov | PageTable, em_mov),
3720 static const struct gprefix pfx_0f_6f_0f_7f = {
3721 I(Mmx, em_mov), I(Sse | Aligned, em_mov), N, I(Sse | Unaligned, em_mov),
3724 static const struct gprefix pfx_vmovntpx = {
3725 I(0, em_mov), N, N, N,
3728 static const struct opcode opcode_table[256] = {
3730 I6ALU(Lock, em_add),
3731 I(ImplicitOps | Stack | No64 | Src2ES, em_push_sreg),
3732 I(ImplicitOps | Stack | No64 | Src2ES, em_pop_sreg),
3734 I6ALU(Lock | PageTable, em_or),
3735 I(ImplicitOps | Stack | No64 | Src2CS, em_push_sreg),
3738 I6ALU(Lock, em_adc),
3739 I(ImplicitOps | Stack | No64 | Src2SS, em_push_sreg),
3740 I(ImplicitOps | Stack | No64 | Src2SS, em_pop_sreg),
3742 I6ALU(Lock, em_sbb),
3743 I(ImplicitOps | Stack | No64 | Src2DS, em_push_sreg),
3744 I(ImplicitOps | Stack | No64 | Src2DS, em_pop_sreg),
3746 I6ALU(Lock | PageTable, em_and), N, N,
3748 I6ALU(Lock, em_sub), N, I(ByteOp | DstAcc | No64, em_das),
3750 I6ALU(Lock, em_xor), N, N,
3752 I6ALU(0, em_cmp), N, N,
3756 X8(I(SrcReg | Stack, em_push)),
3758 X8(I(DstReg | Stack, em_pop)),
3760 I(ImplicitOps | Stack | No64, em_pusha),
3761 I(ImplicitOps | Stack | No64, em_popa),
3762 N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
3765 I(SrcImm | Mov | Stack, em_push),
3766 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
3767 I(SrcImmByte | Mov | Stack, em_push),
3768 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
3769 I2bvIP(DstDI | SrcDX | Mov | String | Unaligned, em_in, ins, check_perm_in), /* insb, insw/insd */
3770 I2bvIP(SrcSI | DstDX | String, em_out, outs, check_perm_out), /* outsb, outsw/outsd */
3774 G(ByteOp | DstMem | SrcImm, group1),
3775 G(DstMem | SrcImm, group1),
3776 G(ByteOp | DstMem | SrcImm | No64, group1),
3777 G(DstMem | SrcImmByte, group1),
3778 I2bv(DstMem | SrcReg | ModRM, em_test),
3779 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_xchg),
3781 I2bv(DstMem | SrcReg | ModRM | Mov | PageTable, em_mov),
3782 I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
3783 I(DstMem | SrcNone | ModRM | Mov | PageTable, em_mov_rm_sreg),
3784 D(ModRM | SrcMem | NoAccess | DstReg),
3785 I(ImplicitOps | SrcMem16 | ModRM, em_mov_sreg_rm),
3788 DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)),
3790 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
3791 I(SrcImmFAddr | No64, em_call_far), N,
3792 II(ImplicitOps | Stack, em_pushf, pushf),
3793 II(ImplicitOps | Stack, em_popf, popf), N, I(ImplicitOps, em_lahf),
3795 I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
3796 I2bv(DstMem | SrcAcc | Mov | MemAbs | PageTable, em_mov),
3797 I2bv(SrcSI | DstDI | Mov | String, em_mov),
3798 I2bv(SrcSI | DstDI | String, em_cmp),
3800 I2bv(DstAcc | SrcImm, em_test),
3801 I2bv(SrcAcc | DstDI | Mov | String, em_mov),
3802 I2bv(SrcSI | DstAcc | Mov | String, em_mov),
3803 I2bv(SrcAcc | DstDI | String, em_cmp),
3805 X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
3807 X8(I(DstReg | SrcImm64 | Mov, em_mov)),
3809 D2bv(DstMem | SrcImmByte | ModRM),
3810 I(ImplicitOps | Stack | SrcImmU16, em_ret_near_imm),
3811 I(ImplicitOps | Stack, em_ret),
3812 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2ES, em_lseg),
3813 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2DS, em_lseg),
3814 G(ByteOp, group11), G(0, group11),
3816 I(Stack | SrcImmU16 | Src2ImmByte, em_enter), I(Stack, em_leave),
3817 N, I(ImplicitOps | Stack, em_ret_far),
3818 D(ImplicitOps), DI(SrcImmByte, intn),
3819 D(ImplicitOps | No64), II(ImplicitOps, em_iret, iret),
3821 D2bv(DstMem | SrcOne | ModRM), D2bv(DstMem | ModRM),
3822 N, I(DstAcc | SrcImmByte | No64, em_aad), N, N,
3824 N, N, N, N, N, N, N, N,
3826 X3(I(SrcImmByte, em_loop)),
3827 I(SrcImmByte, em_jcxz),
3828 I2bvIP(SrcImmUByte | DstAcc, em_in, in, check_perm_in),
3829 I2bvIP(SrcAcc | DstImmUByte, em_out, out, check_perm_out),
3831 I(SrcImm | Stack, em_call), D(SrcImm | ImplicitOps),
3832 I(SrcImmFAddr | No64, em_jmp_far), D(SrcImmByte | ImplicitOps),
3833 I2bvIP(SrcDX | DstAcc, em_in, in, check_perm_in),
3834 I2bvIP(SrcAcc | DstDX, em_out, out, check_perm_out),
3836 N, DI(ImplicitOps, icebp), N, N,
3837 DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
3838 G(ByteOp, group3), G(0, group3),
3840 D(ImplicitOps), D(ImplicitOps),
3841 I(ImplicitOps, em_cli), I(ImplicitOps, em_sti),
3842 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
3845 static const struct opcode twobyte_table[256] = {
3847 G(0, group6), GD(0, &group7), N, N,
3848 N, I(ImplicitOps | VendorSpecific, em_syscall),
3849 II(ImplicitOps | Priv, em_clts, clts), N,
3850 DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
3851 N, D(ImplicitOps | ModRM), N, N,
3853 N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
3855 DIP(ModRM | DstMem | Priv | Op3264, cr_read, check_cr_read),
3856 DIP(ModRM | DstMem | Priv | Op3264, dr_read, check_dr_read),
3857 IIP(ModRM | SrcMem | Priv | Op3264, em_cr_write, cr_write, check_cr_write),
3858 IIP(ModRM | SrcMem | Priv | Op3264, em_dr_write, dr_write, check_dr_write),
3860 N, N, N, GP(ModRM | DstMem | SrcReg | Sse | Mov | Aligned, &pfx_vmovntpx),
3863 II(ImplicitOps | Priv, em_wrmsr, wrmsr),
3864 IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
3865 II(ImplicitOps | Priv, em_rdmsr, rdmsr),
3866 IIP(ImplicitOps, em_rdpmc, rdpmc, check_rdpmc),
3867 I(ImplicitOps | VendorSpecific, em_sysenter),
3868 I(ImplicitOps | Priv | VendorSpecific, em_sysexit),
3870 N, N, N, N, N, N, N, N,
3872 X16(D(DstReg | SrcMem | ModRM | Mov)),
3874 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
3879 N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
3884 N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
3888 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
3890 I(Stack | Src2FS, em_push_sreg), I(Stack | Src2FS, em_pop_sreg),
3891 II(ImplicitOps, em_cpuid, cpuid), I(DstMem | SrcReg | ModRM | BitOp, em_bt),
3892 D(DstMem | SrcReg | Src2ImmByte | ModRM),
3893 D(DstMem | SrcReg | Src2CL | ModRM), N, N,
3895 I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg),
3896 DI(ImplicitOps, rsm),
3897 I(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
3898 D(DstMem | SrcReg | Src2ImmByte | ModRM),
3899 D(DstMem | SrcReg | Src2CL | ModRM),
3900 D(ModRM), I(DstReg | SrcMem | ModRM, em_imul),
3902 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_cmpxchg),
3903 I(DstReg | SrcMemFAddr | ModRM | Src2SS, em_lseg),
3904 I(DstMem | SrcReg | ModRM | BitOp | Lock, em_btr),
3905 I(DstReg | SrcMemFAddr | ModRM | Src2FS, em_lseg),
3906 I(DstReg | SrcMemFAddr | ModRM | Src2GS, em_lseg),
3907 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
3911 I(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_btc),
3912 I(DstReg | SrcMem | ModRM, em_bsf), I(DstReg | SrcMem | ModRM, em_bsr),
3913 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
3915 D2bv(DstMem | SrcReg | ModRM | Lock),
3916 N, D(DstMem | SrcReg | ModRM | Mov),
3917 N, N, N, GD(0, &group9),
3919 X8(I(DstReg, em_bswap)),
3921 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
3923 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
3925 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
3942 static unsigned imm_size(struct x86_emulate_ctxt *ctxt)
3946 size = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
3952 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
3953 unsigned size, bool sign_extension)
3955 int rc = X86EMUL_CONTINUE;
3959 op->addr.mem.ea = ctxt->_eip;
3960 /* NB. Immediates are sign-extended as necessary. */
3961 switch (op->bytes) {
3963 op->val = insn_fetch(s8, ctxt);
3966 op->val = insn_fetch(s16, ctxt);
3969 op->val = insn_fetch(s32, ctxt);
3972 op->val = insn_fetch(s64, ctxt);
3975 if (!sign_extension) {
3976 switch (op->bytes) {
3984 op->val &= 0xffffffff;
3992 static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
3995 int rc = X86EMUL_CONTINUE;
3999 decode_register_operand(ctxt, op);
4002 rc = decode_imm(ctxt, op, 1, false);
4005 ctxt->memop.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4009 if ((ctxt->d & BitOp) && op == &ctxt->dst)
4010 fetch_bit_operand(ctxt);
4011 op->orig_val = op->val;
4014 ctxt->memop.bytes = 8;
4018 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4019 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4020 fetch_register_operand(op);
4021 op->orig_val = op->val;
4025 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4027 register_address(ctxt, reg_read(ctxt, VCPU_REGS_RDI));
4028 op->addr.mem.seg = VCPU_SREG_ES;
4035 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4036 fetch_register_operand(op);
4040 op->val = reg_read(ctxt, VCPU_REGS_RCX) & 0xff;
4043 rc = decode_imm(ctxt, op, 1, true);
4050 rc = decode_imm(ctxt, op, imm_size(ctxt), true);
4053 rc = decode_imm(ctxt, op, ctxt->op_bytes, true);
4056 ctxt->memop.bytes = 1;
4059 ctxt->memop.bytes = 2;
4062 ctxt->memop.bytes = 4;
4065 rc = decode_imm(ctxt, op, 2, false);
4068 rc = decode_imm(ctxt, op, imm_size(ctxt), false);
4072 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4074 register_address(ctxt, reg_read(ctxt, VCPU_REGS_RSI));
4075 op->addr.mem.seg = seg_override(ctxt);
4081 op->addr.mem.ea = ctxt->_eip;
4082 op->bytes = ctxt->op_bytes + 2;
4083 insn_fetch_arr(op->valptr, op->bytes, ctxt);
4086 ctxt->memop.bytes = ctxt->op_bytes + 2;
4089 op->val = VCPU_SREG_ES;
4092 op->val = VCPU_SREG_CS;
4095 op->val = VCPU_SREG_SS;
4098 op->val = VCPU_SREG_DS;
4101 op->val = VCPU_SREG_FS;
4104 op->val = VCPU_SREG_GS;
4107 /* Special instructions do their own operand decoding. */
4109 op->type = OP_NONE; /* Disable writeback. */
4117 int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
4119 int rc = X86EMUL_CONTINUE;
4120 int mode = ctxt->mode;
4121 int def_op_bytes, def_ad_bytes, goffset, simd_prefix;
4122 bool op_prefix = false;
4123 struct opcode opcode;
4125 ctxt->memop.type = OP_NONE;
4126 ctxt->memopp = NULL;
4127 ctxt->_eip = ctxt->eip;
4128 ctxt->fetch.start = ctxt->_eip;
4129 ctxt->fetch.end = ctxt->fetch.start + insn_len;
4131 memcpy(ctxt->fetch.data, insn, insn_len);
4134 case X86EMUL_MODE_REAL:
4135 case X86EMUL_MODE_VM86:
4136 case X86EMUL_MODE_PROT16:
4137 def_op_bytes = def_ad_bytes = 2;
4139 case X86EMUL_MODE_PROT32:
4140 def_op_bytes = def_ad_bytes = 4;
4142 #ifdef CONFIG_X86_64
4143 case X86EMUL_MODE_PROT64:
4149 return EMULATION_FAILED;
4152 ctxt->op_bytes = def_op_bytes;
4153 ctxt->ad_bytes = def_ad_bytes;
4155 /* Legacy prefixes. */
4157 switch (ctxt->b = insn_fetch(u8, ctxt)) {
4158 case 0x66: /* operand-size override */
4160 /* switch between 2/4 bytes */
4161 ctxt->op_bytes = def_op_bytes ^ 6;
4163 case 0x67: /* address-size override */
4164 if (mode == X86EMUL_MODE_PROT64)
4165 /* switch between 4/8 bytes */
4166 ctxt->ad_bytes = def_ad_bytes ^ 12;
4168 /* switch between 2/4 bytes */
4169 ctxt->ad_bytes = def_ad_bytes ^ 6;
4171 case 0x26: /* ES override */
4172 case 0x2e: /* CS override */
4173 case 0x36: /* SS override */
4174 case 0x3e: /* DS override */
4175 set_seg_override(ctxt, (ctxt->b >> 3) & 3);
4177 case 0x64: /* FS override */
4178 case 0x65: /* GS override */
4179 set_seg_override(ctxt, ctxt->b & 7);
4181 case 0x40 ... 0x4f: /* REX */
4182 if (mode != X86EMUL_MODE_PROT64)
4184 ctxt->rex_prefix = ctxt->b;
4186 case 0xf0: /* LOCK */
4187 ctxt->lock_prefix = 1;
4189 case 0xf2: /* REPNE/REPNZ */
4190 case 0xf3: /* REP/REPE/REPZ */
4191 ctxt->rep_prefix = ctxt->b;
4197 /* Any legacy prefix after a REX prefix nullifies its effect. */
4199 ctxt->rex_prefix = 0;
4205 if (ctxt->rex_prefix & 8)
4206 ctxt->op_bytes = 8; /* REX.W */
4208 /* Opcode byte(s). */
4209 opcode = opcode_table[ctxt->b];
4210 /* Two-byte opcode? */
4211 if (ctxt->b == 0x0f) {
4213 ctxt->b = insn_fetch(u8, ctxt);
4214 opcode = twobyte_table[ctxt->b];
4216 ctxt->d = opcode.flags;
4218 if (ctxt->d & ModRM)
4219 ctxt->modrm = insn_fetch(u8, ctxt);
4221 while (ctxt->d & GroupMask) {
4222 switch (ctxt->d & GroupMask) {
4224 goffset = (ctxt->modrm >> 3) & 7;
4225 opcode = opcode.u.group[goffset];
4228 goffset = (ctxt->modrm >> 3) & 7;
4229 if ((ctxt->modrm >> 6) == 3)
4230 opcode = opcode.u.gdual->mod3[goffset];
4232 opcode = opcode.u.gdual->mod012[goffset];
4235 goffset = ctxt->modrm & 7;
4236 opcode = opcode.u.group[goffset];
4239 if (ctxt->rep_prefix && op_prefix)
4240 return EMULATION_FAILED;
4241 simd_prefix = op_prefix ? 0x66 : ctxt->rep_prefix;
4242 switch (simd_prefix) {
4243 case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
4244 case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
4245 case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
4246 case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
4250 return EMULATION_FAILED;
4253 ctxt->d &= ~(u64)GroupMask;
4254 ctxt->d |= opcode.flags;
4257 ctxt->execute = opcode.u.execute;
4258 ctxt->check_perm = opcode.check_perm;
4259 ctxt->intercept = opcode.intercept;
4262 if (ctxt->d == 0 || (ctxt->d & Undefined))
4263 return EMULATION_FAILED;
4265 if (!(ctxt->d & VendorSpecific) && ctxt->only_vendor_specific_insn)
4266 return EMULATION_FAILED;
4268 if (mode == X86EMUL_MODE_PROT64 && (ctxt->d & Stack))
4271 if (ctxt->d & Op3264) {
4272 if (mode == X86EMUL_MODE_PROT64)
4279 ctxt->op_bytes = 16;
4280 else if (ctxt->d & Mmx)
4283 /* ModRM and SIB bytes. */
4284 if (ctxt->d & ModRM) {
4285 rc = decode_modrm(ctxt, &ctxt->memop);
4286 if (!ctxt->has_seg_override)
4287 set_seg_override(ctxt, ctxt->modrm_seg);
4288 } else if (ctxt->d & MemAbs)
4289 rc = decode_abs(ctxt, &ctxt->memop);
4290 if (rc != X86EMUL_CONTINUE)
4293 if (!ctxt->has_seg_override)
4294 set_seg_override(ctxt, VCPU_SREG_DS);
4296 ctxt->memop.addr.mem.seg = seg_override(ctxt);
4298 if (ctxt->memop.type == OP_MEM && ctxt->ad_bytes != 8)
4299 ctxt->memop.addr.mem.ea = (u32)ctxt->memop.addr.mem.ea;
4302 * Decode and fetch the source operand: register, memory
4305 rc = decode_operand(ctxt, &ctxt->src, (ctxt->d >> SrcShift) & OpMask);
4306 if (rc != X86EMUL_CONTINUE)
4310 * Decode and fetch the second source operand: register, memory
4313 rc = decode_operand(ctxt, &ctxt->src2, (ctxt->d >> Src2Shift) & OpMask);
4314 if (rc != X86EMUL_CONTINUE)
4317 /* Decode and fetch the destination operand: register or memory. */
4318 rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
4321 if (ctxt->memopp && ctxt->memopp->type == OP_MEM && ctxt->rip_relative)
4322 ctxt->memopp->addr.mem.ea += ctxt->_eip;
4324 return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
4327 bool x86_page_table_writing_insn(struct x86_emulate_ctxt *ctxt)
4329 return ctxt->d & PageTable;
4332 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
4334 /* The second termination condition only applies for REPE
4335 * and REPNE. Test if the repeat string operation prefix is
4336 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
4337 * corresponding termination condition according to:
4338 * - if REPE/REPZ and ZF = 0 then done
4339 * - if REPNE/REPNZ and ZF = 1 then done
4341 if (((ctxt->b == 0xa6) || (ctxt->b == 0xa7) ||
4342 (ctxt->b == 0xae) || (ctxt->b == 0xaf))
4343 && (((ctxt->rep_prefix == REPE_PREFIX) &&
4344 ((ctxt->eflags & EFLG_ZF) == 0))
4345 || ((ctxt->rep_prefix == REPNE_PREFIX) &&
4346 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))))
4352 static int flush_pending_x87_faults(struct x86_emulate_ctxt *ctxt)
4356 ctxt->ops->get_fpu(ctxt);
4357 asm volatile("1: fwait \n\t"
4359 ".pushsection .fixup,\"ax\" \n\t"
4361 "movb $1, %[fault] \n\t"
4364 _ASM_EXTABLE(1b, 3b)
4365 : [fault]"+qm"(fault));
4366 ctxt->ops->put_fpu(ctxt);
4368 if (unlikely(fault))
4369 return emulate_exception(ctxt, MF_VECTOR, 0, false);
4371 return X86EMUL_CONTINUE;
4374 static void fetch_possible_mmx_operand(struct x86_emulate_ctxt *ctxt,
4377 if (op->type == OP_MM)
4378 read_mmx_reg(ctxt, &op->mm_val, op->addr.mm);
4382 int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
4384 const struct x86_emulate_ops *ops = ctxt->ops;
4385 int rc = X86EMUL_CONTINUE;
4386 int saved_dst_type = ctxt->dst.type;
4388 ctxt->mem_read.pos = 0;
4390 if (ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) {
4391 rc = emulate_ud(ctxt);
4395 /* LOCK prefix is allowed only with some instructions */
4396 if (ctxt->lock_prefix && (!(ctxt->d & Lock) || ctxt->dst.type != OP_MEM)) {
4397 rc = emulate_ud(ctxt);
4401 if ((ctxt->d & SrcMask) == SrcMemFAddr && ctxt->src.type != OP_MEM) {
4402 rc = emulate_ud(ctxt);
4406 if (((ctxt->d & (Sse|Mmx)) && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)))
4407 || ((ctxt->d & Sse) && !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
4408 rc = emulate_ud(ctxt);
4412 if ((ctxt->d & (Sse|Mmx)) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
4413 rc = emulate_nm(ctxt);
4417 if (ctxt->d & Mmx) {
4418 rc = flush_pending_x87_faults(ctxt);
4419 if (rc != X86EMUL_CONTINUE)
4422 * Now that we know the fpu is exception safe, we can fetch
4425 fetch_possible_mmx_operand(ctxt, &ctxt->src);
4426 fetch_possible_mmx_operand(ctxt, &ctxt->src2);
4427 if (!(ctxt->d & Mov))
4428 fetch_possible_mmx_operand(ctxt, &ctxt->dst);
4431 if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
4432 rc = emulator_check_intercept(ctxt, ctxt->intercept,
4433 X86_ICPT_PRE_EXCEPT);
4434 if (rc != X86EMUL_CONTINUE)
4438 /* Privileged instruction can be executed only in CPL=0 */
4439 if ((ctxt->d & Priv) && ops->cpl(ctxt)) {
4440 rc = emulate_gp(ctxt, 0);
4444 /* Instruction can only be executed in protected mode */
4445 if ((ctxt->d & Prot) && ctxt->mode < X86EMUL_MODE_PROT16) {
4446 rc = emulate_ud(ctxt);
4450 /* Do instruction specific permission checks */
4451 if (ctxt->check_perm) {
4452 rc = ctxt->check_perm(ctxt);
4453 if (rc != X86EMUL_CONTINUE)
4457 if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
4458 rc = emulator_check_intercept(ctxt, ctxt->intercept,
4459 X86_ICPT_POST_EXCEPT);
4460 if (rc != X86EMUL_CONTINUE)
4464 if (ctxt->rep_prefix && (ctxt->d & String)) {
4465 /* All REP prefixes have the same first termination condition */
4466 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0) {
4467 ctxt->eip = ctxt->_eip;
4472 if ((ctxt->src.type == OP_MEM) && !(ctxt->d & NoAccess)) {
4473 rc = segmented_read(ctxt, ctxt->src.addr.mem,
4474 ctxt->src.valptr, ctxt->src.bytes);
4475 if (rc != X86EMUL_CONTINUE)
4477 ctxt->src.orig_val64 = ctxt->src.val64;
4480 if (ctxt->src2.type == OP_MEM) {
4481 rc = segmented_read(ctxt, ctxt->src2.addr.mem,
4482 &ctxt->src2.val, ctxt->src2.bytes);
4483 if (rc != X86EMUL_CONTINUE)
4487 if ((ctxt->d & DstMask) == ImplicitOps)
4491 if ((ctxt->dst.type == OP_MEM) && !(ctxt->d & Mov)) {
4492 /* optimisation - avoid slow emulated read if Mov */
4493 rc = segmented_read(ctxt, ctxt->dst.addr.mem,
4494 &ctxt->dst.val, ctxt->dst.bytes);
4495 if (rc != X86EMUL_CONTINUE)
4498 ctxt->dst.orig_val = ctxt->dst.val;
4502 if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
4503 rc = emulator_check_intercept(ctxt, ctxt->intercept,
4504 X86_ICPT_POST_MEMACCESS);
4505 if (rc != X86EMUL_CONTINUE)
4509 if (ctxt->execute) {
4510 rc = ctxt->execute(ctxt);
4511 if (rc != X86EMUL_CONTINUE)
4520 case 0x40 ... 0x47: /* inc r16/r32 */
4521 emulate_1op(ctxt, "inc");
4523 case 0x48 ... 0x4f: /* dec r16/r32 */
4524 emulate_1op(ctxt, "dec");
4526 case 0x63: /* movsxd */
4527 if (ctxt->mode != X86EMUL_MODE_PROT64)
4528 goto cannot_emulate;
4529 ctxt->dst.val = (s32) ctxt->src.val;
4531 case 0x70 ... 0x7f: /* jcc (short) */
4532 if (test_cc(ctxt->b, ctxt->eflags))
4533 jmp_rel(ctxt, ctxt->src.val);
4535 case 0x8d: /* lea r16/r32, m */
4536 ctxt->dst.val = ctxt->src.addr.mem.ea;
4538 case 0x90 ... 0x97: /* nop / xchg reg, rax */
4539 if (ctxt->dst.addr.reg == reg_rmw(ctxt, VCPU_REGS_RAX))
4543 case 0x98: /* cbw/cwde/cdqe */
4544 switch (ctxt->op_bytes) {
4545 case 2: ctxt->dst.val = (s8)ctxt->dst.val; break;
4546 case 4: ctxt->dst.val = (s16)ctxt->dst.val; break;
4547 case 8: ctxt->dst.val = (s32)ctxt->dst.val; break;
4553 case 0xcc: /* int3 */
4554 rc = emulate_int(ctxt, 3);
4556 case 0xcd: /* int n */
4557 rc = emulate_int(ctxt, ctxt->src.val);
4559 case 0xce: /* into */
4560 if (ctxt->eflags & EFLG_OF)
4561 rc = emulate_int(ctxt, 4);
4563 case 0xd0 ... 0xd1: /* Grp2 */
4566 case 0xd2 ... 0xd3: /* Grp2 */
4567 ctxt->src.val = reg_read(ctxt, VCPU_REGS_RCX);
4570 case 0xe9: /* jmp rel */
4571 case 0xeb: /* jmp rel short */
4572 jmp_rel(ctxt, ctxt->src.val);
4573 ctxt->dst.type = OP_NONE; /* Disable writeback. */
4575 case 0xf4: /* hlt */
4576 ctxt->ops->halt(ctxt);
4578 case 0xf5: /* cmc */
4579 /* complement carry flag from eflags reg */
4580 ctxt->eflags ^= EFLG_CF;
4582 case 0xf8: /* clc */
4583 ctxt->eflags &= ~EFLG_CF;
4585 case 0xf9: /* stc */
4586 ctxt->eflags |= EFLG_CF;
4588 case 0xfc: /* cld */
4589 ctxt->eflags &= ~EFLG_DF;
4591 case 0xfd: /* std */
4592 ctxt->eflags |= EFLG_DF;
4595 goto cannot_emulate;
4598 if (rc != X86EMUL_CONTINUE)
4602 rc = writeback(ctxt);
4603 if (rc != X86EMUL_CONTINUE)
4607 * restore dst type in case the decoding will be reused
4608 * (happens for string instruction )
4610 ctxt->dst.type = saved_dst_type;
4612 if ((ctxt->d & SrcMask) == SrcSI)
4613 string_addr_inc(ctxt, VCPU_REGS_RSI, &ctxt->src);
4615 if ((ctxt->d & DstMask) == DstDI)
4616 string_addr_inc(ctxt, VCPU_REGS_RDI, &ctxt->dst);
4618 if (ctxt->rep_prefix && (ctxt->d & String)) {
4620 struct read_cache *r = &ctxt->io_read;
4621 if ((ctxt->d & SrcMask) == SrcSI)
4622 count = ctxt->src.count;
4624 count = ctxt->dst.count;
4625 register_address_increment(ctxt, reg_rmw(ctxt, VCPU_REGS_RCX),
4628 if (!string_insn_completed(ctxt)) {
4630 * Re-enter guest when pio read ahead buffer is empty
4631 * or, if it is not used, after each 1024 iteration.
4633 if ((r->end != 0 || reg_read(ctxt, VCPU_REGS_RCX) & 0x3ff) &&
4634 (r->end == 0 || r->end != r->pos)) {
4636 * Reset read cache. Usually happens before
4637 * decode, but since instruction is restarted
4638 * we have to do it here.
4640 ctxt->mem_read.end = 0;
4641 writeback_registers(ctxt);
4642 return EMULATION_RESTART;
4644 goto done; /* skip rip writeback */
4648 ctxt->eip = ctxt->_eip;
4651 if (rc == X86EMUL_PROPAGATE_FAULT)
4652 ctxt->have_exception = true;
4653 if (rc == X86EMUL_INTERCEPTED)
4654 return EMULATION_INTERCEPTED;
4656 if (rc == X86EMUL_CONTINUE)
4657 writeback_registers(ctxt);
4659 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
4663 case 0x09: /* wbinvd */
4664 (ctxt->ops->wbinvd)(ctxt);
4666 case 0x08: /* invd */
4667 case 0x0d: /* GrpP (prefetch) */
4668 case 0x18: /* Grp16 (prefetch/nop) */
4670 case 0x20: /* mov cr, reg */
4671 ctxt->dst.val = ops->get_cr(ctxt, ctxt->modrm_reg);
4673 case 0x21: /* mov from dr to reg */
4674 ops->get_dr(ctxt, ctxt->modrm_reg, &ctxt->dst.val);
4676 case 0x40 ... 0x4f: /* cmov */
4677 ctxt->dst.val = ctxt->dst.orig_val = ctxt->src.val;
4678 if (!test_cc(ctxt->b, ctxt->eflags))
4679 ctxt->dst.type = OP_NONE; /* no writeback */
4681 case 0x80 ... 0x8f: /* jnz rel, etc*/
4682 if (test_cc(ctxt->b, ctxt->eflags))
4683 jmp_rel(ctxt, ctxt->src.val);
4685 case 0x90 ... 0x9f: /* setcc r/m8 */
4686 ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
4688 case 0xa4: /* shld imm8, r, r/m */
4689 case 0xa5: /* shld cl, r, r/m */
4690 emulate_2op_cl(ctxt, "shld");
4692 case 0xac: /* shrd imm8, r, r/m */
4693 case 0xad: /* shrd cl, r, r/m */
4694 emulate_2op_cl(ctxt, "shrd");
4696 case 0xae: /* clflush */
4698 case 0xb6 ... 0xb7: /* movzx */
4699 ctxt->dst.bytes = ctxt->op_bytes;
4700 ctxt->dst.val = (ctxt->src.bytes == 1) ? (u8) ctxt->src.val
4701 : (u16) ctxt->src.val;
4703 case 0xbe ... 0xbf: /* movsx */
4704 ctxt->dst.bytes = ctxt->op_bytes;
4705 ctxt->dst.val = (ctxt->src.bytes == 1) ? (s8) ctxt->src.val :
4706 (s16) ctxt->src.val;
4708 case 0xc0 ... 0xc1: /* xadd */
4709 emulate_2op_SrcV(ctxt, "add");
4710 /* Write back the register source. */
4711 ctxt->src.val = ctxt->dst.orig_val;
4712 write_register_operand(&ctxt->src);
4714 case 0xc3: /* movnti */
4715 ctxt->dst.bytes = ctxt->op_bytes;
4716 ctxt->dst.val = (ctxt->op_bytes == 4) ? (u32) ctxt->src.val :
4717 (u64) ctxt->src.val;
4720 goto cannot_emulate;
4723 if (rc != X86EMUL_CONTINUE)
4729 return EMULATION_FAILED;
4732 void emulator_invalidate_register_cache(struct x86_emulate_ctxt *ctxt)
4734 invalidate_registers(ctxt);
4737 void emulator_writeback_register_cache(struct x86_emulate_ctxt *ctxt)
4739 writeback_registers(ctxt);
projects / platform / adaptation / renesas_rcar / renesas_kernel.git / blob