1 // SPDX-License-Identifier: GPL-2.0-only
2 /******************************************************************************
5 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
7 * Copyright (c) 2005 Keir Fraser
9 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
10 * privileged instructions:
12 * Copyright (C) 2006 Qumranet
13 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
15 * Avi Kivity <avi@qumranet.com>
16 * Yaniv Kamay <yaniv@qumranet.com>
18 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
21 #include <linux/kvm_host.h>
22 #include "kvm_cache_regs.h"
23 #include "kvm_emulate.h"
24 #include <linux/stringify.h>
25 #include <asm/debugreg.h>
26 #include <asm/nospec-branch.h>
38 #define OpImplicit 1ull /* No generic decode */
39 #define OpReg 2ull /* Register */
40 #define OpMem 3ull /* Memory */
41 #define OpAcc 4ull /* Accumulator: AL/AX/EAX/RAX */
42 #define OpDI 5ull /* ES:DI/EDI/RDI */
43 #define OpMem64 6ull /* Memory, 64-bit */
44 #define OpImmUByte 7ull /* Zero-extended 8-bit immediate */
45 #define OpDX 8ull /* DX register */
46 #define OpCL 9ull /* CL register (for shifts) */
47 #define OpImmByte 10ull /* 8-bit sign extended immediate */
48 #define OpOne 11ull /* Implied 1 */
49 #define OpImm 12ull /* Sign extended up to 32-bit immediate */
50 #define OpMem16 13ull /* Memory operand (16-bit). */
51 #define OpMem32 14ull /* Memory operand (32-bit). */
52 #define OpImmU 15ull /* Immediate operand, zero extended */
53 #define OpSI 16ull /* SI/ESI/RSI */
54 #define OpImmFAddr 17ull /* Immediate far address */
55 #define OpMemFAddr 18ull /* Far address in memory */
56 #define OpImmU16 19ull /* Immediate operand, 16 bits, zero extended */
57 #define OpES 20ull /* ES */
58 #define OpCS 21ull /* CS */
59 #define OpSS 22ull /* SS */
60 #define OpDS 23ull /* DS */
61 #define OpFS 24ull /* FS */
62 #define OpGS 25ull /* GS */
63 #define OpMem8 26ull /* 8-bit zero extended memory operand */
64 #define OpImm64 27ull /* Sign extended 16/32/64-bit immediate */
65 #define OpXLat 28ull /* memory at BX/EBX/RBX + zero-extended AL */
66 #define OpAccLo 29ull /* Low part of extended acc (AX/AX/EAX/RAX) */
67 #define OpAccHi 30ull /* High part of extended acc (-/DX/EDX/RDX) */
69 #define OpBits 5 /* Width of operand field */
70 #define OpMask ((1ull << OpBits) - 1)
73 * Opcode effective-address decode tables.
74 * Note that we only emulate instructions that have at least one memory
75 * operand (excluding implicit stack references). We assume that stack
76 * references and instruction fetches will never occur in special memory
77 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
81 /* Operand sizes: 8-bit operands or specified/overridden size. */
82 #define ByteOp (1<<0) /* 8-bit operands. */
83 /* Destination operand type. */
85 #define ImplicitOps (OpImplicit << DstShift)
86 #define DstReg (OpReg << DstShift)
87 #define DstMem (OpMem << DstShift)
88 #define DstAcc (OpAcc << DstShift)
89 #define DstDI (OpDI << DstShift)
90 #define DstMem64 (OpMem64 << DstShift)
91 #define DstMem16 (OpMem16 << DstShift)
92 #define DstImmUByte (OpImmUByte << DstShift)
93 #define DstDX (OpDX << DstShift)
94 #define DstAccLo (OpAccLo << DstShift)
95 #define DstMask (OpMask << DstShift)
96 /* Source operand type. */
98 #define SrcNone (OpNone << SrcShift)
99 #define SrcReg (OpReg << SrcShift)
100 #define SrcMem (OpMem << SrcShift)
101 #define SrcMem16 (OpMem16 << SrcShift)
102 #define SrcMem32 (OpMem32 << SrcShift)
103 #define SrcImm (OpImm << SrcShift)
104 #define SrcImmByte (OpImmByte << SrcShift)
105 #define SrcOne (OpOne << SrcShift)
106 #define SrcImmUByte (OpImmUByte << SrcShift)
107 #define SrcImmU (OpImmU << SrcShift)
108 #define SrcSI (OpSI << SrcShift)
109 #define SrcXLat (OpXLat << SrcShift)
110 #define SrcImmFAddr (OpImmFAddr << SrcShift)
111 #define SrcMemFAddr (OpMemFAddr << SrcShift)
112 #define SrcAcc (OpAcc << SrcShift)
113 #define SrcImmU16 (OpImmU16 << SrcShift)
114 #define SrcImm64 (OpImm64 << SrcShift)
115 #define SrcDX (OpDX << SrcShift)
116 #define SrcMem8 (OpMem8 << SrcShift)
117 #define SrcAccHi (OpAccHi << SrcShift)
118 #define SrcMask (OpMask << SrcShift)
119 #define BitOp (1<<11)
120 #define MemAbs (1<<12) /* Memory operand is absolute displacement */
121 #define String (1<<13) /* String instruction (rep capable) */
122 #define Stack (1<<14) /* Stack instruction (push/pop) */
123 #define GroupMask (7<<15) /* Opcode uses one of the group mechanisms */
124 #define Group (1<<15) /* Bits 3:5 of modrm byte extend opcode */
125 #define GroupDual (2<<15) /* Alternate decoding of mod == 3 */
126 #define Prefix (3<<15) /* Instruction varies with 66/f2/f3 prefix */
127 #define RMExt (4<<15) /* Opcode extension in ModRM r/m if mod == 3 */
128 #define Escape (5<<15) /* Escape to coprocessor instruction */
129 #define InstrDual (6<<15) /* Alternate instruction decoding of mod == 3 */
130 #define ModeDual (7<<15) /* Different instruction for 32/64 bit */
131 #define Sse (1<<18) /* SSE Vector instruction */
132 /* Generic ModRM decode. */
133 #define ModRM (1<<19)
134 /* Destination is only written; never read. */
137 #define Prot (1<<21) /* instruction generates #UD if not in prot-mode */
138 #define EmulateOnUD (1<<22) /* Emulate if unsupported by the host */
139 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
140 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
141 #define Undefined (1<<25) /* No Such Instruction */
142 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
143 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
145 #define PageTable (1 << 29) /* instruction used to write page table */
146 #define NotImpl (1 << 30) /* instruction is not implemented */
147 /* Source 2 operand type */
148 #define Src2Shift (31)
149 #define Src2None (OpNone << Src2Shift)
150 #define Src2Mem (OpMem << Src2Shift)
151 #define Src2CL (OpCL << Src2Shift)
152 #define Src2ImmByte (OpImmByte << Src2Shift)
153 #define Src2One (OpOne << Src2Shift)
154 #define Src2Imm (OpImm << Src2Shift)
155 #define Src2ES (OpES << Src2Shift)
156 #define Src2CS (OpCS << Src2Shift)
157 #define Src2SS (OpSS << Src2Shift)
158 #define Src2DS (OpDS << Src2Shift)
159 #define Src2FS (OpFS << Src2Shift)
160 #define Src2GS (OpGS << Src2Shift)
161 #define Src2Mask (OpMask << Src2Shift)
162 #define Mmx ((u64)1 << 40) /* MMX Vector instruction */
163 #define AlignMask ((u64)7 << 41)
164 #define Aligned ((u64)1 << 41) /* Explicitly aligned (e.g. MOVDQA) */
165 #define Unaligned ((u64)2 << 41) /* Explicitly unaligned (e.g. MOVDQU) */
166 #define Avx ((u64)3 << 41) /* Advanced Vector Extensions */
167 #define Aligned16 ((u64)4 << 41) /* Aligned to 16 byte boundary (e.g. FXSAVE) */
168 #define Fastop ((u64)1 << 44) /* Use opcode::u.fastop */
169 #define NoWrite ((u64)1 << 45) /* No writeback */
170 #define SrcWrite ((u64)1 << 46) /* Write back src operand */
171 #define NoMod ((u64)1 << 47) /* Mod field is ignored */
172 #define Intercept ((u64)1 << 48) /* Has valid intercept field */
173 #define CheckPerm ((u64)1 << 49) /* Has valid check_perm field */
174 #define PrivUD ((u64)1 << 51) /* #UD instead of #GP on CPL > 0 */
175 #define NearBranch ((u64)1 << 52) /* Near branches */
176 #define No16 ((u64)1 << 53) /* No 16 bit operand */
177 #define IncSP ((u64)1 << 54) /* SP is incremented before ModRM calc */
178 #define TwoMemOp ((u64)1 << 55) /* Instruction has two memory operand */
179 #define IsBranch ((u64)1 << 56) /* Instruction is considered a branch. */
181 #define DstXacc (DstAccLo | SrcAccHi | SrcWrite)
183 #define X2(x...) x, x
184 #define X3(x...) X2(x), x
185 #define X4(x...) X2(x), X2(x)
186 #define X5(x...) X4(x), x
187 #define X6(x...) X4(x), X2(x)
188 #define X7(x...) X4(x), X3(x)
189 #define X8(x...) X4(x), X4(x)
190 #define X16(x...) X8(x), X8(x)
197 int (*execute)(struct x86_emulate_ctxt *ctxt);
198 const struct opcode *group;
199 const struct group_dual *gdual;
200 const struct gprefix *gprefix;
201 const struct escape *esc;
202 const struct instr_dual *idual;
203 const struct mode_dual *mdual;
204 void (*fastop)(struct fastop *fake);
206 int (*check_perm)(struct x86_emulate_ctxt *ctxt);
210 struct opcode mod012[8];
211 struct opcode mod3[8];
215 struct opcode pfx_no;
216 struct opcode pfx_66;
217 struct opcode pfx_f2;
218 struct opcode pfx_f3;
223 struct opcode high[64];
227 struct opcode mod012;
232 struct opcode mode32;
233 struct opcode mode64;
236 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
238 enum x86_transfer_type {
240 X86_TRANSFER_CALL_JMP,
242 X86_TRANSFER_TASK_SWITCH,
245 static ulong reg_read(struct x86_emulate_ctxt *ctxt, unsigned nr)
247 if (KVM_EMULATOR_BUG_ON(nr >= NR_EMULATOR_GPRS, ctxt))
248 nr &= NR_EMULATOR_GPRS - 1;
250 if (!(ctxt->regs_valid & (1 << nr))) {
251 ctxt->regs_valid |= 1 << nr;
252 ctxt->_regs[nr] = ctxt->ops->read_gpr(ctxt, nr);
254 return ctxt->_regs[nr];
257 static ulong *reg_write(struct x86_emulate_ctxt *ctxt, unsigned nr)
259 if (KVM_EMULATOR_BUG_ON(nr >= NR_EMULATOR_GPRS, ctxt))
260 nr &= NR_EMULATOR_GPRS - 1;
262 BUILD_BUG_ON(sizeof(ctxt->regs_dirty) * BITS_PER_BYTE < NR_EMULATOR_GPRS);
263 BUILD_BUG_ON(sizeof(ctxt->regs_valid) * BITS_PER_BYTE < NR_EMULATOR_GPRS);
265 ctxt->regs_valid |= 1 << nr;
266 ctxt->regs_dirty |= 1 << nr;
267 return &ctxt->_regs[nr];
270 static ulong *reg_rmw(struct x86_emulate_ctxt *ctxt, unsigned nr)
273 return reg_write(ctxt, nr);
276 static void writeback_registers(struct x86_emulate_ctxt *ctxt)
278 unsigned long dirty = ctxt->regs_dirty;
281 for_each_set_bit(reg, &dirty, NR_EMULATOR_GPRS)
282 ctxt->ops->write_gpr(ctxt, reg, ctxt->_regs[reg]);
285 static void invalidate_registers(struct x86_emulate_ctxt *ctxt)
287 ctxt->regs_dirty = 0;
288 ctxt->regs_valid = 0;
292 * These EFLAGS bits are restored from saved value during emulation, and
293 * any changes are written back to the saved value after emulation.
295 #define EFLAGS_MASK (X86_EFLAGS_OF|X86_EFLAGS_SF|X86_EFLAGS_ZF|X86_EFLAGS_AF|\
296 X86_EFLAGS_PF|X86_EFLAGS_CF)
305 * fastop functions have a special calling convention:
310 * flags: rflags (in/out)
311 * ex: rsi (in:fastop pointer, out:zero if exception)
313 * Moreover, they are all exactly FASTOP_SIZE bytes long, so functions for
314 * different operand sizes can be reached by calculation, rather than a jump
315 * table (which would be bigger than the code).
317 * The 16 byte alignment, considering 5 bytes for the RET thunk, 3 for ENDBR
318 * and 1 for the straight line speculation INT3, leaves 7 bytes for the
319 * body of the function. Currently none is larger than 4.
321 static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop);
323 #define FASTOP_SIZE 16
325 #define __FOP_FUNC(name) \
326 ".align " __stringify(FASTOP_SIZE) " \n\t" \
327 ".type " name ", @function \n\t" \
332 #define FOP_FUNC(name) \
335 #define __FOP_RET(name) \
337 ".size " name ", .-" name "\n\t"
339 #define FOP_RET(name) \
342 #define __FOP_START(op, align) \
343 extern void em_##op(struct fastop *fake); \
344 asm(".pushsection .text, \"ax\" \n\t" \
345 ".global em_" #op " \n\t" \
346 ".align " __stringify(align) " \n\t" \
349 #define FOP_START(op) __FOP_START(op, FASTOP_SIZE)
354 #define __FOPNOP(name) \
359 __FOPNOP(__stringify(__UNIQUE_ID(nop)))
361 #define FOP1E(op, dst) \
362 __FOP_FUNC(#op "_" #dst) \
363 "10: " #op " %" #dst " \n\t" \
364 __FOP_RET(#op "_" #dst)
366 #define FOP1EEX(op, dst) \
367 FOP1E(op, dst) _ASM_EXTABLE_TYPE_REG(10b, 11b, EX_TYPE_ZERO_REG, %%esi)
369 #define FASTOP1(op) \
374 ON64(FOP1E(op##q, rax)) \
377 /* 1-operand, using src2 (for MUL/DIV r/m) */
378 #define FASTOP1SRC2(op, name) \
383 ON64(FOP1E(op, rcx)) \
386 /* 1-operand, using src2 (for MUL/DIV r/m), with exceptions */
387 #define FASTOP1SRC2EX(op, name) \
392 ON64(FOP1EEX(op, rcx)) \
395 #define FOP2E(op, dst, src) \
396 __FOP_FUNC(#op "_" #dst "_" #src) \
397 #op " %" #src ", %" #dst " \n\t" \
398 __FOP_RET(#op "_" #dst "_" #src)
400 #define FASTOP2(op) \
402 FOP2E(op##b, al, dl) \
403 FOP2E(op##w, ax, dx) \
404 FOP2E(op##l, eax, edx) \
405 ON64(FOP2E(op##q, rax, rdx)) \
408 /* 2 operand, word only */
409 #define FASTOP2W(op) \
412 FOP2E(op##w, ax, dx) \
413 FOP2E(op##l, eax, edx) \
414 ON64(FOP2E(op##q, rax, rdx)) \
417 /* 2 operand, src is CL */
418 #define FASTOP2CL(op) \
420 FOP2E(op##b, al, cl) \
421 FOP2E(op##w, ax, cl) \
422 FOP2E(op##l, eax, cl) \
423 ON64(FOP2E(op##q, rax, cl)) \
426 /* 2 operand, src and dest are reversed */
427 #define FASTOP2R(op, name) \
429 FOP2E(op##b, dl, al) \
430 FOP2E(op##w, dx, ax) \
431 FOP2E(op##l, edx, eax) \
432 ON64(FOP2E(op##q, rdx, rax)) \
435 #define FOP3E(op, dst, src, src2) \
436 __FOP_FUNC(#op "_" #dst "_" #src "_" #src2) \
437 #op " %" #src2 ", %" #src ", %" #dst " \n\t"\
438 __FOP_RET(#op "_" #dst "_" #src "_" #src2)
440 /* 3-operand, word-only, src2=cl */
441 #define FASTOP3WCL(op) \
444 FOP3E(op##w, ax, dx, cl) \
445 FOP3E(op##l, eax, edx, cl) \
446 ON64(FOP3E(op##q, rax, rdx, cl)) \
449 /* Special case for SETcc - 1 instruction per cc */
450 #define FOP_SETCC(op) \
476 "pushf; sbb %al, %al; popf \n\t"
481 * XXX: inoutclob user must know where the argument is being expanded.
482 * Using asm goto would allow us to remove _fault.
484 #define asm_safe(insn, inoutclob...) \
488 asm volatile("1:" insn "\n" \
490 _ASM_EXTABLE_TYPE_REG(1b, 2b, EX_TYPE_ONE_REG, %[_fault]) \
491 : [_fault] "+r"(_fault) inoutclob ); \
493 _fault ? X86EMUL_UNHANDLEABLE : X86EMUL_CONTINUE; \
496 static int emulator_check_intercept(struct x86_emulate_ctxt *ctxt,
497 enum x86_intercept intercept,
498 enum x86_intercept_stage stage)
500 struct x86_instruction_info info = {
501 .intercept = intercept,
502 .rep_prefix = ctxt->rep_prefix,
503 .modrm_mod = ctxt->modrm_mod,
504 .modrm_reg = ctxt->modrm_reg,
505 .modrm_rm = ctxt->modrm_rm,
506 .src_val = ctxt->src.val64,
507 .dst_val = ctxt->dst.val64,
508 .src_bytes = ctxt->src.bytes,
509 .dst_bytes = ctxt->dst.bytes,
510 .ad_bytes = ctxt->ad_bytes,
511 .next_rip = ctxt->eip,
514 return ctxt->ops->intercept(ctxt, &info, stage);
517 static void assign_masked(ulong *dest, ulong src, ulong mask)
519 *dest = (*dest & ~mask) | (src & mask);
522 static void assign_register(unsigned long *reg, u64 val, int bytes)
524 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
527 *(u8 *)reg = (u8)val;
530 *(u16 *)reg = (u16)val;
534 break; /* 64b: zero-extend */
541 static inline unsigned long ad_mask(struct x86_emulate_ctxt *ctxt)
543 return (1UL << (ctxt->ad_bytes << 3)) - 1;
546 static ulong stack_mask(struct x86_emulate_ctxt *ctxt)
549 struct desc_struct ss;
551 if (ctxt->mode == X86EMUL_MODE_PROT64)
553 ctxt->ops->get_segment(ctxt, &sel, &ss, NULL, VCPU_SREG_SS);
554 return ~0U >> ((ss.d ^ 1) * 16); /* d=0: 0xffff; d=1: 0xffffffff */
557 static int stack_size(struct x86_emulate_ctxt *ctxt)
559 return (__fls(stack_mask(ctxt)) + 1) >> 3;
562 /* Access/update address held in a register, based on addressing mode. */
563 static inline unsigned long
564 address_mask(struct x86_emulate_ctxt *ctxt, unsigned long reg)
566 if (ctxt->ad_bytes == sizeof(unsigned long))
569 return reg & ad_mask(ctxt);
572 static inline unsigned long
573 register_address(struct x86_emulate_ctxt *ctxt, int reg)
575 return address_mask(ctxt, reg_read(ctxt, reg));
578 static void masked_increment(ulong *reg, ulong mask, int inc)
580 assign_masked(reg, *reg + inc, mask);
584 register_address_increment(struct x86_emulate_ctxt *ctxt, int reg, int inc)
586 ulong *preg = reg_rmw(ctxt, reg);
588 assign_register(preg, *preg + inc, ctxt->ad_bytes);
591 static void rsp_increment(struct x86_emulate_ctxt *ctxt, int inc)
593 masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc);
596 static u32 desc_limit_scaled(struct desc_struct *desc)
598 u32 limit = get_desc_limit(desc);
600 return desc->g ? (limit << 12) | 0xfff : limit;
603 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
605 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
608 return ctxt->ops->get_cached_segment_base(ctxt, seg);
611 static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
612 u32 error, bool valid)
614 if (KVM_EMULATOR_BUG_ON(vec > 0x1f, ctxt))
615 return X86EMUL_UNHANDLEABLE;
617 ctxt->exception.vector = vec;
618 ctxt->exception.error_code = error;
619 ctxt->exception.error_code_valid = valid;
620 return X86EMUL_PROPAGATE_FAULT;
623 static int emulate_db(struct x86_emulate_ctxt *ctxt)
625 return emulate_exception(ctxt, DB_VECTOR, 0, false);
628 static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
630 return emulate_exception(ctxt, GP_VECTOR, err, true);
633 static int emulate_ss(struct x86_emulate_ctxt *ctxt, int err)
635 return emulate_exception(ctxt, SS_VECTOR, err, true);
638 static int emulate_ud(struct x86_emulate_ctxt *ctxt)
640 return emulate_exception(ctxt, UD_VECTOR, 0, false);
643 static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
645 return emulate_exception(ctxt, TS_VECTOR, err, true);
648 static int emulate_de(struct x86_emulate_ctxt *ctxt)
650 return emulate_exception(ctxt, DE_VECTOR, 0, false);
653 static int emulate_nm(struct x86_emulate_ctxt *ctxt)
655 return emulate_exception(ctxt, NM_VECTOR, 0, false);
658 static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
661 struct desc_struct desc;
663 ctxt->ops->get_segment(ctxt, &selector, &desc, NULL, seg);
667 static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
672 struct desc_struct desc;
674 ctxt->ops->get_segment(ctxt, &dummy, &desc, &base3, seg);
675 ctxt->ops->set_segment(ctxt, selector, &desc, base3, seg);
678 static inline u8 ctxt_virt_addr_bits(struct x86_emulate_ctxt *ctxt)
680 return (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_LA57) ? 57 : 48;
683 static inline bool emul_is_noncanonical_address(u64 la,
684 struct x86_emulate_ctxt *ctxt)
686 return !__is_canonical_address(la, ctxt_virt_addr_bits(ctxt));
690 * x86 defines three classes of vector instructions: explicitly
691 * aligned, explicitly unaligned, and the rest, which change behaviour
692 * depending on whether they're AVX encoded or not.
694 * Also included is CMPXCHG16B which is not a vector instruction, yet it is
695 * subject to the same check. FXSAVE and FXRSTOR are checked here too as their
696 * 512 bytes of data must be aligned to a 16 byte boundary.
698 static unsigned insn_alignment(struct x86_emulate_ctxt *ctxt, unsigned size)
700 u64 alignment = ctxt->d & AlignMask;
702 if (likely(size < 16))
717 static __always_inline int __linearize(struct x86_emulate_ctxt *ctxt,
718 struct segmented_address addr,
719 unsigned *max_size, unsigned size,
720 bool write, bool fetch,
721 enum x86emul_mode mode, ulong *linear)
723 struct desc_struct desc;
730 la = seg_base(ctxt, addr.seg) + addr.ea;
733 case X86EMUL_MODE_PROT64:
735 va_bits = ctxt_virt_addr_bits(ctxt);
736 if (!__is_canonical_address(la, va_bits))
739 *max_size = min_t(u64, ~0u, (1ull << va_bits) - la);
740 if (size > *max_size)
744 *linear = la = (u32)la;
745 usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
749 /* code segment in protected mode or read-only data segment */
750 if ((((ctxt->mode != X86EMUL_MODE_REAL) && (desc.type & 8))
751 || !(desc.type & 2)) && write)
753 /* unreadable code segment */
754 if (!fetch && (desc.type & 8) && !(desc.type & 2))
756 lim = desc_limit_scaled(&desc);
757 if (!(desc.type & 8) && (desc.type & 4)) {
758 /* expand-down segment */
761 lim = desc.d ? 0xffffffff : 0xffff;
765 if (lim == 0xffffffff)
768 *max_size = (u64)lim + 1 - addr.ea;
769 if (size > *max_size)
774 if (la & (insn_alignment(ctxt, size) - 1))
775 return emulate_gp(ctxt, 0);
776 return X86EMUL_CONTINUE;
778 if (addr.seg == VCPU_SREG_SS)
779 return emulate_ss(ctxt, 0);
781 return emulate_gp(ctxt, 0);
784 static int linearize(struct x86_emulate_ctxt *ctxt,
785 struct segmented_address addr,
786 unsigned size, bool write,
790 return __linearize(ctxt, addr, &max_size, size, write, false,
794 static inline int assign_eip(struct x86_emulate_ctxt *ctxt, ulong dst,
795 enum x86emul_mode mode)
800 struct segmented_address addr = { .seg = VCPU_SREG_CS,
803 if (ctxt->op_bytes != sizeof(unsigned long))
804 addr.ea = dst & ((1UL << (ctxt->op_bytes << 3)) - 1);
805 rc = __linearize(ctxt, addr, &max_size, 1, false, true, mode, &linear);
806 if (rc == X86EMUL_CONTINUE)
807 ctxt->_eip = addr.ea;
811 static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
813 return assign_eip(ctxt, dst, ctxt->mode);
816 static int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst,
817 const struct desc_struct *cs_desc)
819 enum x86emul_mode mode = ctxt->mode;
823 if (ctxt->mode >= X86EMUL_MODE_PROT16) {
827 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
829 mode = X86EMUL_MODE_PROT64;
831 mode = X86EMUL_MODE_PROT32; /* temporary value */
834 if (mode == X86EMUL_MODE_PROT16 || mode == X86EMUL_MODE_PROT32)
835 mode = cs_desc->d ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16;
836 rc = assign_eip(ctxt, dst, mode);
837 if (rc == X86EMUL_CONTINUE)
842 static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
844 return assign_eip_near(ctxt, ctxt->_eip + rel);
847 static int linear_read_system(struct x86_emulate_ctxt *ctxt, ulong linear,
848 void *data, unsigned size)
850 return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception, true);
853 static int linear_write_system(struct x86_emulate_ctxt *ctxt,
854 ulong linear, void *data,
857 return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception, true);
860 static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
861 struct segmented_address addr,
868 rc = linearize(ctxt, addr, size, false, &linear);
869 if (rc != X86EMUL_CONTINUE)
871 return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception, false);
874 static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
875 struct segmented_address addr,
882 rc = linearize(ctxt, addr, size, true, &linear);
883 if (rc != X86EMUL_CONTINUE)
885 return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception, false);
889 * Prefetch the remaining bytes of the instruction without crossing page
890 * boundary if they are not in fetch_cache yet.
892 static int __do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt, int op_size)
895 unsigned size, max_size;
896 unsigned long linear;
897 int cur_size = ctxt->fetch.end - ctxt->fetch.data;
898 struct segmented_address addr = { .seg = VCPU_SREG_CS,
899 .ea = ctxt->eip + cur_size };
902 * We do not know exactly how many bytes will be needed, and
903 * __linearize is expensive, so fetch as much as possible. We
904 * just have to avoid going beyond the 15 byte limit, the end
905 * of the segment, or the end of the page.
907 * __linearize is called with size 0 so that it does not do any
908 * boundary check itself. Instead, we use max_size to check
911 rc = __linearize(ctxt, addr, &max_size, 0, false, true, ctxt->mode,
913 if (unlikely(rc != X86EMUL_CONTINUE))
916 size = min_t(unsigned, 15UL ^ cur_size, max_size);
917 size = min_t(unsigned, size, PAGE_SIZE - offset_in_page(linear));
920 * One instruction can only straddle two pages,
921 * and one has been loaded at the beginning of
922 * x86_decode_insn. So, if not enough bytes
923 * still, we must have hit the 15-byte boundary.
925 if (unlikely(size < op_size))
926 return emulate_gp(ctxt, 0);
928 rc = ctxt->ops->fetch(ctxt, linear, ctxt->fetch.end,
929 size, &ctxt->exception);
930 if (unlikely(rc != X86EMUL_CONTINUE))
932 ctxt->fetch.end += size;
933 return X86EMUL_CONTINUE;
936 static __always_inline int do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt,
939 unsigned done_size = ctxt->fetch.end - ctxt->fetch.ptr;
941 if (unlikely(done_size < size))
942 return __do_insn_fetch_bytes(ctxt, size - done_size);
944 return X86EMUL_CONTINUE;
947 /* Fetch next part of the instruction being emulated. */
948 #define insn_fetch(_type, _ctxt) \
951 rc = do_insn_fetch_bytes(_ctxt, sizeof(_type)); \
952 if (rc != X86EMUL_CONTINUE) \
954 ctxt->_eip += sizeof(_type); \
955 memcpy(&_x, ctxt->fetch.ptr, sizeof(_type)); \
956 ctxt->fetch.ptr += sizeof(_type); \
960 #define insn_fetch_arr(_arr, _size, _ctxt) \
962 rc = do_insn_fetch_bytes(_ctxt, _size); \
963 if (rc != X86EMUL_CONTINUE) \
965 ctxt->_eip += (_size); \
966 memcpy(_arr, ctxt->fetch.ptr, _size); \
967 ctxt->fetch.ptr += (_size); \
971 * Given the 'reg' portion of a ModRM byte, and a register block, return a
972 * pointer into the block that addresses the relevant register.
973 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
975 static void *decode_register(struct x86_emulate_ctxt *ctxt, u8 modrm_reg,
979 int highbyte_regs = (ctxt->rex_prefix == 0) && byteop;
981 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
982 p = (unsigned char *)reg_rmw(ctxt, modrm_reg & 3) + 1;
984 p = reg_rmw(ctxt, modrm_reg);
988 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
989 struct segmented_address addr,
990 u16 *size, unsigned long *address, int op_bytes)
997 rc = segmented_read_std(ctxt, addr, size, 2);
998 if (rc != X86EMUL_CONTINUE)
1001 rc = segmented_read_std(ctxt, addr, address, op_bytes);
1015 FASTOP1SRC2(mul, mul_ex);
1016 FASTOP1SRC2(imul, imul_ex);
1017 FASTOP1SRC2EX(div, div_ex);
1018 FASTOP1SRC2EX(idiv, idiv_ex);
1047 FASTOP2R(cmp, cmp_r);
1049 static int em_bsf_c(struct x86_emulate_ctxt *ctxt)
1051 /* If src is zero, do not writeback, but update flags */
1052 if (ctxt->src.val == 0)
1053 ctxt->dst.type = OP_NONE;
1054 return fastop(ctxt, em_bsf);
1057 static int em_bsr_c(struct x86_emulate_ctxt *ctxt)
1059 /* If src is zero, do not writeback, but update flags */
1060 if (ctxt->src.val == 0)
1061 ctxt->dst.type = OP_NONE;
1062 return fastop(ctxt, em_bsr);
1065 static __always_inline u8 test_cc(unsigned int condition, unsigned long flags)
1068 void (*fop)(void) = (void *)em_setcc + FASTOP_SIZE * (condition & 0xf);
1070 flags = (flags & EFLAGS_MASK) | X86_EFLAGS_IF;
1071 asm("push %[flags]; popf; " CALL_NOSPEC
1072 : "=a"(rc) : [thunk_target]"r"(fop), [flags]"r"(flags));
1076 static void fetch_register_operand(struct operand *op)
1078 switch (op->bytes) {
1080 op->val = *(u8 *)op->addr.reg;
1083 op->val = *(u16 *)op->addr.reg;
1086 op->val = *(u32 *)op->addr.reg;
1089 op->val = *(u64 *)op->addr.reg;
1094 static int em_fninit(struct x86_emulate_ctxt *ctxt)
1096 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1097 return emulate_nm(ctxt);
1100 asm volatile("fninit");
1102 return X86EMUL_CONTINUE;
1105 static int em_fnstcw(struct x86_emulate_ctxt *ctxt)
1109 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1110 return emulate_nm(ctxt);
1113 asm volatile("fnstcw %0": "+m"(fcw));
1116 ctxt->dst.val = fcw;
1118 return X86EMUL_CONTINUE;
1121 static int em_fnstsw(struct x86_emulate_ctxt *ctxt)
1125 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1126 return emulate_nm(ctxt);
1129 asm volatile("fnstsw %0": "+m"(fsw));
1132 ctxt->dst.val = fsw;
1134 return X86EMUL_CONTINUE;
1137 static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
1142 if (ctxt->d & ModRM)
1143 reg = ctxt->modrm_reg;
1145 reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3);
1147 if (ctxt->d & Sse) {
1151 kvm_read_sse_reg(reg, &op->vec_val);
1154 if (ctxt->d & Mmx) {
1163 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1164 op->addr.reg = decode_register(ctxt, reg, ctxt->d & ByteOp);
1166 fetch_register_operand(op);
1167 op->orig_val = op->val;
1170 static void adjust_modrm_seg(struct x86_emulate_ctxt *ctxt, int base_reg)
1172 if (base_reg == VCPU_REGS_RSP || base_reg == VCPU_REGS_RBP)
1173 ctxt->modrm_seg = VCPU_SREG_SS;
1176 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
1180 int index_reg, base_reg, scale;
1181 int rc = X86EMUL_CONTINUE;
1184 ctxt->modrm_reg = ((ctxt->rex_prefix << 1) & 8); /* REX.R */
1185 index_reg = (ctxt->rex_prefix << 2) & 8; /* REX.X */
1186 base_reg = (ctxt->rex_prefix << 3) & 8; /* REX.B */
1188 ctxt->modrm_mod = (ctxt->modrm & 0xc0) >> 6;
1189 ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
1190 ctxt->modrm_rm = base_reg | (ctxt->modrm & 0x07);
1191 ctxt->modrm_seg = VCPU_SREG_DS;
1193 if (ctxt->modrm_mod == 3 || (ctxt->d & NoMod)) {
1195 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1196 op->addr.reg = decode_register(ctxt, ctxt->modrm_rm,
1198 if (ctxt->d & Sse) {
1201 op->addr.xmm = ctxt->modrm_rm;
1202 kvm_read_sse_reg(ctxt->modrm_rm, &op->vec_val);
1205 if (ctxt->d & Mmx) {
1208 op->addr.mm = ctxt->modrm_rm & 7;
1211 fetch_register_operand(op);
1217 if (ctxt->ad_bytes == 2) {
1218 unsigned bx = reg_read(ctxt, VCPU_REGS_RBX);
1219 unsigned bp = reg_read(ctxt, VCPU_REGS_RBP);
1220 unsigned si = reg_read(ctxt, VCPU_REGS_RSI);
1221 unsigned di = reg_read(ctxt, VCPU_REGS_RDI);
1223 /* 16-bit ModR/M decode. */
1224 switch (ctxt->modrm_mod) {
1226 if (ctxt->modrm_rm == 6)
1227 modrm_ea += insn_fetch(u16, ctxt);
1230 modrm_ea += insn_fetch(s8, ctxt);
1233 modrm_ea += insn_fetch(u16, ctxt);
1236 switch (ctxt->modrm_rm) {
1238 modrm_ea += bx + si;
1241 modrm_ea += bx + di;
1244 modrm_ea += bp + si;
1247 modrm_ea += bp + di;
1256 if (ctxt->modrm_mod != 0)
1263 if (ctxt->modrm_rm == 2 || ctxt->modrm_rm == 3 ||
1264 (ctxt->modrm_rm == 6 && ctxt->modrm_mod != 0))
1265 ctxt->modrm_seg = VCPU_SREG_SS;
1266 modrm_ea = (u16)modrm_ea;
1268 /* 32/64-bit ModR/M decode. */
1269 if ((ctxt->modrm_rm & 7) == 4) {
1270 sib = insn_fetch(u8, ctxt);
1271 index_reg |= (sib >> 3) & 7;
1272 base_reg |= sib & 7;
1275 if ((base_reg & 7) == 5 && ctxt->modrm_mod == 0)
1276 modrm_ea += insn_fetch(s32, ctxt);
1278 modrm_ea += reg_read(ctxt, base_reg);
1279 adjust_modrm_seg(ctxt, base_reg);
1280 /* Increment ESP on POP [ESP] */
1281 if ((ctxt->d & IncSP) &&
1282 base_reg == VCPU_REGS_RSP)
1283 modrm_ea += ctxt->op_bytes;
1286 modrm_ea += reg_read(ctxt, index_reg) << scale;
1287 } else if ((ctxt->modrm_rm & 7) == 5 && ctxt->modrm_mod == 0) {
1288 modrm_ea += insn_fetch(s32, ctxt);
1289 if (ctxt->mode == X86EMUL_MODE_PROT64)
1290 ctxt->rip_relative = 1;
1292 base_reg = ctxt->modrm_rm;
1293 modrm_ea += reg_read(ctxt, base_reg);
1294 adjust_modrm_seg(ctxt, base_reg);
1296 switch (ctxt->modrm_mod) {
1298 modrm_ea += insn_fetch(s8, ctxt);
1301 modrm_ea += insn_fetch(s32, ctxt);
1305 op->addr.mem.ea = modrm_ea;
1306 if (ctxt->ad_bytes != 8)
1307 ctxt->memop.addr.mem.ea = (u32)ctxt->memop.addr.mem.ea;
1313 static int decode_abs(struct x86_emulate_ctxt *ctxt,
1316 int rc = X86EMUL_CONTINUE;
1319 switch (ctxt->ad_bytes) {
1321 op->addr.mem.ea = insn_fetch(u16, ctxt);
1324 op->addr.mem.ea = insn_fetch(u32, ctxt);
1327 op->addr.mem.ea = insn_fetch(u64, ctxt);
1334 static void fetch_bit_operand(struct x86_emulate_ctxt *ctxt)
1338 if (ctxt->dst.type == OP_MEM && ctxt->src.type == OP_REG) {
1339 mask = ~((long)ctxt->dst.bytes * 8 - 1);
1341 if (ctxt->src.bytes == 2)
1342 sv = (s16)ctxt->src.val & (s16)mask;
1343 else if (ctxt->src.bytes == 4)
1344 sv = (s32)ctxt->src.val & (s32)mask;
1346 sv = (s64)ctxt->src.val & (s64)mask;
1348 ctxt->dst.addr.mem.ea = address_mask(ctxt,
1349 ctxt->dst.addr.mem.ea + (sv >> 3));
1352 /* only subword offset */
1353 ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
1356 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1357 unsigned long addr, void *dest, unsigned size)
1360 struct read_cache *mc = &ctxt->mem_read;
1362 if (mc->pos < mc->end)
1365 if (KVM_EMULATOR_BUG_ON((mc->end + size) >= sizeof(mc->data), ctxt))
1366 return X86EMUL_UNHANDLEABLE;
1368 rc = ctxt->ops->read_emulated(ctxt, addr, mc->data + mc->end, size,
1370 if (rc != X86EMUL_CONTINUE)
1376 memcpy(dest, mc->data + mc->pos, size);
1378 return X86EMUL_CONTINUE;
1381 static int segmented_read(struct x86_emulate_ctxt *ctxt,
1382 struct segmented_address addr,
1389 rc = linearize(ctxt, addr, size, false, &linear);
1390 if (rc != X86EMUL_CONTINUE)
1392 return read_emulated(ctxt, linear, data, size);
1395 static int segmented_write(struct x86_emulate_ctxt *ctxt,
1396 struct segmented_address addr,
1403 rc = linearize(ctxt, addr, size, true, &linear);
1404 if (rc != X86EMUL_CONTINUE)
1406 return ctxt->ops->write_emulated(ctxt, linear, data, size,
1410 static int segmented_cmpxchg(struct x86_emulate_ctxt *ctxt,
1411 struct segmented_address addr,
1412 const void *orig_data, const void *data,
1418 rc = linearize(ctxt, addr, size, true, &linear);
1419 if (rc != X86EMUL_CONTINUE)
1421 return ctxt->ops->cmpxchg_emulated(ctxt, linear, orig_data, data,
1422 size, &ctxt->exception);
1425 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1426 unsigned int size, unsigned short port,
1429 struct read_cache *rc = &ctxt->io_read;
1431 if (rc->pos == rc->end) { /* refill pio read ahead */
1432 unsigned int in_page, n;
1433 unsigned int count = ctxt->rep_prefix ?
1434 address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) : 1;
1435 in_page = (ctxt->eflags & X86_EFLAGS_DF) ?
1436 offset_in_page(reg_read(ctxt, VCPU_REGS_RDI)) :
1437 PAGE_SIZE - offset_in_page(reg_read(ctxt, VCPU_REGS_RDI));
1438 n = min3(in_page, (unsigned int)sizeof(rc->data) / size, count);
1441 rc->pos = rc->end = 0;
1442 if (!ctxt->ops->pio_in_emulated(ctxt, size, port, rc->data, n))
1447 if (ctxt->rep_prefix && (ctxt->d & String) &&
1448 !(ctxt->eflags & X86_EFLAGS_DF)) {
1449 ctxt->dst.data = rc->data + rc->pos;
1450 ctxt->dst.type = OP_MEM_STR;
1451 ctxt->dst.count = (rc->end - rc->pos) / size;
1454 memcpy(dest, rc->data + rc->pos, size);
1460 static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt,
1461 u16 index, struct desc_struct *desc)
1466 ctxt->ops->get_idt(ctxt, &dt);
1468 if (dt.size < index * 8 + 7)
1469 return emulate_gp(ctxt, index << 3 | 0x2);
1471 addr = dt.address + index * 8;
1472 return linear_read_system(ctxt, addr, desc, sizeof(*desc));
1475 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1476 u16 selector, struct desc_ptr *dt)
1478 const struct x86_emulate_ops *ops = ctxt->ops;
1481 if (selector & 1 << 2) {
1482 struct desc_struct desc;
1485 memset(dt, 0, sizeof(*dt));
1486 if (!ops->get_segment(ctxt, &sel, &desc, &base3,
1490 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1491 dt->address = get_desc_base(&desc) | ((u64)base3 << 32);
1493 ops->get_gdt(ctxt, dt);
1496 static int get_descriptor_ptr(struct x86_emulate_ctxt *ctxt,
1497 u16 selector, ulong *desc_addr_p)
1500 u16 index = selector >> 3;
1503 get_descriptor_table_ptr(ctxt, selector, &dt);
1505 if (dt.size < index * 8 + 7)
1506 return emulate_gp(ctxt, selector & 0xfffc);
1508 addr = dt.address + index * 8;
1510 #ifdef CONFIG_X86_64
1511 if (addr >> 32 != 0) {
1514 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1515 if (!(efer & EFER_LMA))
1520 *desc_addr_p = addr;
1521 return X86EMUL_CONTINUE;
1524 /* allowed just for 8 bytes segments */
1525 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1526 u16 selector, struct desc_struct *desc,
1531 rc = get_descriptor_ptr(ctxt, selector, desc_addr_p);
1532 if (rc != X86EMUL_CONTINUE)
1535 return linear_read_system(ctxt, *desc_addr_p, desc, sizeof(*desc));
1538 /* allowed just for 8 bytes segments */
1539 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1540 u16 selector, struct desc_struct *desc)
1545 rc = get_descriptor_ptr(ctxt, selector, &addr);
1546 if (rc != X86EMUL_CONTINUE)
1549 return linear_write_system(ctxt, addr, desc, sizeof(*desc));
1552 static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1553 u16 selector, int seg, u8 cpl,
1554 enum x86_transfer_type transfer,
1555 struct desc_struct *desc)
1557 struct desc_struct seg_desc, old_desc;
1559 unsigned err_vec = GP_VECTOR;
1561 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1567 memset(&seg_desc, 0, sizeof(seg_desc));
1569 if (ctxt->mode == X86EMUL_MODE_REAL) {
1570 /* set real mode segment descriptor (keep limit etc. for
1572 ctxt->ops->get_segment(ctxt, &dummy, &seg_desc, NULL, seg);
1573 set_desc_base(&seg_desc, selector << 4);
1575 } else if (seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86) {
1576 /* VM86 needs a clean new segment descriptor */
1577 set_desc_base(&seg_desc, selector << 4);
1578 set_desc_limit(&seg_desc, 0xffff);
1588 /* TR should be in GDT only */
1589 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1592 /* NULL selector is not valid for TR, CS and (except for long mode) SS */
1593 if (null_selector) {
1594 if (seg == VCPU_SREG_CS || seg == VCPU_SREG_TR)
1597 if (seg == VCPU_SREG_SS) {
1598 if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)
1602 * ctxt->ops->set_segment expects the CPL to be in
1603 * SS.DPL, so fake an expand-up 32-bit data segment.
1613 /* Skip all following checks */
1617 ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr);
1618 if (ret != X86EMUL_CONTINUE)
1621 err_code = selector & 0xfffc;
1622 err_vec = (transfer == X86_TRANSFER_TASK_SWITCH) ? TS_VECTOR :
1625 /* can't load system descriptor into segment selector */
1626 if (seg <= VCPU_SREG_GS && !seg_desc.s) {
1627 if (transfer == X86_TRANSFER_CALL_JMP)
1628 return X86EMUL_UNHANDLEABLE;
1637 * segment is not a writable data segment or segment
1638 * selector's RPL != CPL or segment selector's RPL != CPL
1640 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1644 if (!(seg_desc.type & 8))
1647 if (transfer == X86_TRANSFER_RET) {
1648 /* RET can never return to an inner privilege level. */
1651 /* Outer-privilege level return is not implemented */
1653 return X86EMUL_UNHANDLEABLE;
1655 if (transfer == X86_TRANSFER_RET || transfer == X86_TRANSFER_TASK_SWITCH) {
1656 if (seg_desc.type & 4) {
1665 } else { /* X86_TRANSFER_CALL_JMP */
1666 if (seg_desc.type & 4) {
1672 if (rpl > cpl || dpl != cpl)
1676 /* in long-mode d/b must be clear if l is set */
1677 if (seg_desc.d && seg_desc.l) {
1680 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1681 if (efer & EFER_LMA)
1685 /* CS(RPL) <- CPL */
1686 selector = (selector & 0xfffc) | cpl;
1689 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1692 case VCPU_SREG_LDTR:
1693 if (seg_desc.s || seg_desc.type != 2)
1696 default: /* DS, ES, FS, or GS */
1698 * segment is not a data or readable code segment or
1699 * ((segment is a data or nonconforming code segment)
1700 * and (both RPL and CPL > DPL))
1702 if ((seg_desc.type & 0xa) == 0x8 ||
1703 (((seg_desc.type & 0xc) != 0xc) &&
1704 (rpl > dpl && cpl > dpl)))
1710 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1715 /* mark segment as accessed */
1716 if (!(seg_desc.type & 1)) {
1718 ret = write_segment_descriptor(ctxt, selector,
1720 if (ret != X86EMUL_CONTINUE)
1723 } else if (ctxt->mode == X86EMUL_MODE_PROT64) {
1724 ret = linear_read_system(ctxt, desc_addr+8, &base3, sizeof(base3));
1725 if (ret != X86EMUL_CONTINUE)
1727 if (emul_is_noncanonical_address(get_desc_base(&seg_desc) |
1728 ((u64)base3 << 32), ctxt))
1729 return emulate_gp(ctxt, err_code);
1732 if (seg == VCPU_SREG_TR) {
1733 old_desc = seg_desc;
1734 seg_desc.type |= 2; /* busy */
1735 ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
1736 sizeof(seg_desc), &ctxt->exception);
1737 if (ret != X86EMUL_CONTINUE)
1741 ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg);
1744 return X86EMUL_CONTINUE;
1746 return emulate_exception(ctxt, err_vec, err_code, true);
1749 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1750 u16 selector, int seg)
1752 u8 cpl = ctxt->ops->cpl(ctxt);
1755 * None of MOV, POP and LSS can load a NULL selector in CPL=3, but
1756 * they can load it at CPL<3 (Intel's manual says only LSS can,
1759 * However, the Intel manual says that putting IST=1/DPL=3 in
1760 * an interrupt gate will result in SS=3 (the AMD manual instead
1761 * says it doesn't), so allow SS=3 in __load_segment_descriptor
1762 * and only forbid it here.
1764 if (seg == VCPU_SREG_SS && selector == 3 &&
1765 ctxt->mode == X86EMUL_MODE_PROT64)
1766 return emulate_exception(ctxt, GP_VECTOR, 0, true);
1768 return __load_segment_descriptor(ctxt, selector, seg, cpl,
1769 X86_TRANSFER_NONE, NULL);
1772 static void write_register_operand(struct operand *op)
1774 return assign_register(op->addr.reg, op->val, op->bytes);
1777 static int writeback(struct x86_emulate_ctxt *ctxt, struct operand *op)
1781 write_register_operand(op);
1784 if (ctxt->lock_prefix)
1785 return segmented_cmpxchg(ctxt,
1791 return segmented_write(ctxt,
1797 return segmented_write(ctxt,
1800 op->bytes * op->count);
1803 kvm_write_sse_reg(op->addr.xmm, &op->vec_val);
1806 kvm_write_mmx_reg(op->addr.mm, &op->mm_val);
1814 return X86EMUL_CONTINUE;
1817 static int push(struct x86_emulate_ctxt *ctxt, void *data, int bytes)
1819 struct segmented_address addr;
1821 rsp_increment(ctxt, -bytes);
1822 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1823 addr.seg = VCPU_SREG_SS;
1825 return segmented_write(ctxt, addr, data, bytes);
1828 static int em_push(struct x86_emulate_ctxt *ctxt)
1830 /* Disable writeback. */
1831 ctxt->dst.type = OP_NONE;
1832 return push(ctxt, &ctxt->src.val, ctxt->op_bytes);
1835 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1836 void *dest, int len)
1839 struct segmented_address addr;
1841 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1842 addr.seg = VCPU_SREG_SS;
1843 rc = segmented_read(ctxt, addr, dest, len);
1844 if (rc != X86EMUL_CONTINUE)
1847 rsp_increment(ctxt, len);
1851 static int em_pop(struct x86_emulate_ctxt *ctxt)
1853 return emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1856 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1857 void *dest, int len)
1860 unsigned long val, change_mask;
1861 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> X86_EFLAGS_IOPL_BIT;
1862 int cpl = ctxt->ops->cpl(ctxt);
1864 rc = emulate_pop(ctxt, &val, len);
1865 if (rc != X86EMUL_CONTINUE)
1868 change_mask = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
1869 X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_OF |
1870 X86_EFLAGS_TF | X86_EFLAGS_DF | X86_EFLAGS_NT |
1871 X86_EFLAGS_AC | X86_EFLAGS_ID;
1873 switch(ctxt->mode) {
1874 case X86EMUL_MODE_PROT64:
1875 case X86EMUL_MODE_PROT32:
1876 case X86EMUL_MODE_PROT16:
1878 change_mask |= X86_EFLAGS_IOPL;
1880 change_mask |= X86_EFLAGS_IF;
1882 case X86EMUL_MODE_VM86:
1884 return emulate_gp(ctxt, 0);
1885 change_mask |= X86_EFLAGS_IF;
1887 default: /* real mode */
1888 change_mask |= (X86_EFLAGS_IOPL | X86_EFLAGS_IF);
1892 *(unsigned long *)dest =
1893 (ctxt->eflags & ~change_mask) | (val & change_mask);
1898 static int em_popf(struct x86_emulate_ctxt *ctxt)
1900 ctxt->dst.type = OP_REG;
1901 ctxt->dst.addr.reg = &ctxt->eflags;
1902 ctxt->dst.bytes = ctxt->op_bytes;
1903 return emulate_popf(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1906 static int em_enter(struct x86_emulate_ctxt *ctxt)
1909 unsigned frame_size = ctxt->src.val;
1910 unsigned nesting_level = ctxt->src2.val & 31;
1914 return X86EMUL_UNHANDLEABLE;
1916 rbp = reg_read(ctxt, VCPU_REGS_RBP);
1917 rc = push(ctxt, &rbp, stack_size(ctxt));
1918 if (rc != X86EMUL_CONTINUE)
1920 assign_masked(reg_rmw(ctxt, VCPU_REGS_RBP), reg_read(ctxt, VCPU_REGS_RSP),
1922 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP),
1923 reg_read(ctxt, VCPU_REGS_RSP) - frame_size,
1925 return X86EMUL_CONTINUE;
1928 static int em_leave(struct x86_emulate_ctxt *ctxt)
1930 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP), reg_read(ctxt, VCPU_REGS_RBP),
1932 return emulate_pop(ctxt, reg_rmw(ctxt, VCPU_REGS_RBP), ctxt->op_bytes);
1935 static int em_push_sreg(struct x86_emulate_ctxt *ctxt)
1937 int seg = ctxt->src2.val;
1939 ctxt->src.val = get_segment_selector(ctxt, seg);
1940 if (ctxt->op_bytes == 4) {
1941 rsp_increment(ctxt, -2);
1945 return em_push(ctxt);
1948 static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
1950 int seg = ctxt->src2.val;
1951 unsigned long selector;
1954 rc = emulate_pop(ctxt, &selector, 2);
1955 if (rc != X86EMUL_CONTINUE)
1958 if (seg == VCPU_SREG_SS)
1959 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
1960 if (ctxt->op_bytes > 2)
1961 rsp_increment(ctxt, ctxt->op_bytes - 2);
1963 rc = load_segment_descriptor(ctxt, (u16)selector, seg);
1967 static int em_pusha(struct x86_emulate_ctxt *ctxt)
1969 unsigned long old_esp = reg_read(ctxt, VCPU_REGS_RSP);
1970 int rc = X86EMUL_CONTINUE;
1971 int reg = VCPU_REGS_RAX;
1973 while (reg <= VCPU_REGS_RDI) {
1974 (reg == VCPU_REGS_RSP) ?
1975 (ctxt->src.val = old_esp) : (ctxt->src.val = reg_read(ctxt, reg));
1978 if (rc != X86EMUL_CONTINUE)
1987 static int em_pushf(struct x86_emulate_ctxt *ctxt)
1989 ctxt->src.val = (unsigned long)ctxt->eflags & ~X86_EFLAGS_VM;
1990 return em_push(ctxt);
1993 static int em_popa(struct x86_emulate_ctxt *ctxt)
1995 int rc = X86EMUL_CONTINUE;
1996 int reg = VCPU_REGS_RDI;
1999 while (reg >= VCPU_REGS_RAX) {
2000 if (reg == VCPU_REGS_RSP) {
2001 rsp_increment(ctxt, ctxt->op_bytes);
2005 rc = emulate_pop(ctxt, &val, ctxt->op_bytes);
2006 if (rc != X86EMUL_CONTINUE)
2008 assign_register(reg_rmw(ctxt, reg), val, ctxt->op_bytes);
2014 static int __emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
2016 const struct x86_emulate_ops *ops = ctxt->ops;
2023 /* TODO: Add limit checks */
2024 ctxt->src.val = ctxt->eflags;
2026 if (rc != X86EMUL_CONTINUE)
2029 ctxt->eflags &= ~(X86_EFLAGS_IF | X86_EFLAGS_TF | X86_EFLAGS_AC);
2031 ctxt->src.val = get_segment_selector(ctxt, VCPU_SREG_CS);
2033 if (rc != X86EMUL_CONTINUE)
2036 ctxt->src.val = ctxt->_eip;
2038 if (rc != X86EMUL_CONTINUE)
2041 ops->get_idt(ctxt, &dt);
2043 eip_addr = dt.address + (irq << 2);
2044 cs_addr = dt.address + (irq << 2) + 2;
2046 rc = linear_read_system(ctxt, cs_addr, &cs, 2);
2047 if (rc != X86EMUL_CONTINUE)
2050 rc = linear_read_system(ctxt, eip_addr, &eip, 2);
2051 if (rc != X86EMUL_CONTINUE)
2054 rc = load_segment_descriptor(ctxt, cs, VCPU_SREG_CS);
2055 if (rc != X86EMUL_CONTINUE)
2063 int emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
2067 invalidate_registers(ctxt);
2068 rc = __emulate_int_real(ctxt, irq);
2069 if (rc == X86EMUL_CONTINUE)
2070 writeback_registers(ctxt);
2074 static int emulate_int(struct x86_emulate_ctxt *ctxt, int irq)
2076 switch(ctxt->mode) {
2077 case X86EMUL_MODE_REAL:
2078 return __emulate_int_real(ctxt, irq);
2079 case X86EMUL_MODE_VM86:
2080 case X86EMUL_MODE_PROT16:
2081 case X86EMUL_MODE_PROT32:
2082 case X86EMUL_MODE_PROT64:
2084 /* Protected mode interrupts unimplemented yet */
2085 return X86EMUL_UNHANDLEABLE;
2089 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
2091 int rc = X86EMUL_CONTINUE;
2092 unsigned long temp_eip = 0;
2093 unsigned long temp_eflags = 0;
2094 unsigned long cs = 0;
2095 unsigned long mask = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
2096 X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_TF |
2097 X86_EFLAGS_IF | X86_EFLAGS_DF | X86_EFLAGS_OF |
2098 X86_EFLAGS_IOPL | X86_EFLAGS_NT | X86_EFLAGS_RF |
2099 X86_EFLAGS_AC | X86_EFLAGS_ID |
2101 unsigned long vm86_mask = X86_EFLAGS_VM | X86_EFLAGS_VIF |
2104 /* TODO: Add stack limit check */
2106 rc = emulate_pop(ctxt, &temp_eip, ctxt->op_bytes);
2108 if (rc != X86EMUL_CONTINUE)
2111 if (temp_eip & ~0xffff)
2112 return emulate_gp(ctxt, 0);
2114 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2116 if (rc != X86EMUL_CONTINUE)
2119 rc = emulate_pop(ctxt, &temp_eflags, ctxt->op_bytes);
2121 if (rc != X86EMUL_CONTINUE)
2124 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
2126 if (rc != X86EMUL_CONTINUE)
2129 ctxt->_eip = temp_eip;
2131 if (ctxt->op_bytes == 4)
2132 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
2133 else if (ctxt->op_bytes == 2) {
2134 ctxt->eflags &= ~0xffff;
2135 ctxt->eflags |= temp_eflags;
2138 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
2139 ctxt->eflags |= X86_EFLAGS_FIXED;
2140 ctxt->ops->set_nmi_mask(ctxt, false);
2145 static int em_iret(struct x86_emulate_ctxt *ctxt)
2147 switch(ctxt->mode) {
2148 case X86EMUL_MODE_REAL:
2149 return emulate_iret_real(ctxt);
2150 case X86EMUL_MODE_VM86:
2151 case X86EMUL_MODE_PROT16:
2152 case X86EMUL_MODE_PROT32:
2153 case X86EMUL_MODE_PROT64:
2155 /* iret from protected mode unimplemented yet */
2156 return X86EMUL_UNHANDLEABLE;
2160 static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
2164 struct desc_struct new_desc;
2165 u8 cpl = ctxt->ops->cpl(ctxt);
2167 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2169 rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
2170 X86_TRANSFER_CALL_JMP,
2172 if (rc != X86EMUL_CONTINUE)
2175 rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
2176 /* Error handling is not implemented. */
2177 if (rc != X86EMUL_CONTINUE)
2178 return X86EMUL_UNHANDLEABLE;
2183 static int em_jmp_abs(struct x86_emulate_ctxt *ctxt)
2185 return assign_eip_near(ctxt, ctxt->src.val);
2188 static int em_call_near_abs(struct x86_emulate_ctxt *ctxt)
2193 old_eip = ctxt->_eip;
2194 rc = assign_eip_near(ctxt, ctxt->src.val);
2195 if (rc != X86EMUL_CONTINUE)
2197 ctxt->src.val = old_eip;
2202 static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
2204 u64 old = ctxt->dst.orig_val64;
2206 if (ctxt->dst.bytes == 16)
2207 return X86EMUL_UNHANDLEABLE;
2209 if (((u32) (old >> 0) != (u32) reg_read(ctxt, VCPU_REGS_RAX)) ||
2210 ((u32) (old >> 32) != (u32) reg_read(ctxt, VCPU_REGS_RDX))) {
2211 *reg_write(ctxt, VCPU_REGS_RAX) = (u32) (old >> 0);
2212 *reg_write(ctxt, VCPU_REGS_RDX) = (u32) (old >> 32);
2213 ctxt->eflags &= ~X86_EFLAGS_ZF;
2215 ctxt->dst.val64 = ((u64)reg_read(ctxt, VCPU_REGS_RCX) << 32) |
2216 (u32) reg_read(ctxt, VCPU_REGS_RBX);
2218 ctxt->eflags |= X86_EFLAGS_ZF;
2220 return X86EMUL_CONTINUE;
2223 static int em_ret(struct x86_emulate_ctxt *ctxt)
2228 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
2229 if (rc != X86EMUL_CONTINUE)
2232 return assign_eip_near(ctxt, eip);
2235 static int em_ret_far(struct x86_emulate_ctxt *ctxt)
2238 unsigned long eip, cs;
2239 int cpl = ctxt->ops->cpl(ctxt);
2240 struct desc_struct new_desc;
2242 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
2243 if (rc != X86EMUL_CONTINUE)
2245 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2246 if (rc != X86EMUL_CONTINUE)
2248 rc = __load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, cpl,
2251 if (rc != X86EMUL_CONTINUE)
2253 rc = assign_eip_far(ctxt, eip, &new_desc);
2254 /* Error handling is not implemented. */
2255 if (rc != X86EMUL_CONTINUE)
2256 return X86EMUL_UNHANDLEABLE;
2261 static int em_ret_far_imm(struct x86_emulate_ctxt *ctxt)
2265 rc = em_ret_far(ctxt);
2266 if (rc != X86EMUL_CONTINUE)
2268 rsp_increment(ctxt, ctxt->src.val);
2269 return X86EMUL_CONTINUE;
2272 static int em_cmpxchg(struct x86_emulate_ctxt *ctxt)
2274 /* Save real source value, then compare EAX against destination. */
2275 ctxt->dst.orig_val = ctxt->dst.val;
2276 ctxt->dst.val = reg_read(ctxt, VCPU_REGS_RAX);
2277 ctxt->src.orig_val = ctxt->src.val;
2278 ctxt->src.val = ctxt->dst.orig_val;
2279 fastop(ctxt, em_cmp);
2281 if (ctxt->eflags & X86_EFLAGS_ZF) {
2282 /* Success: write back to memory; no update of EAX */
2283 ctxt->src.type = OP_NONE;
2284 ctxt->dst.val = ctxt->src.orig_val;
2286 /* Failure: write the value we saw to EAX. */
2287 ctxt->src.type = OP_REG;
2288 ctxt->src.addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
2289 ctxt->src.val = ctxt->dst.orig_val;
2290 /* Create write-cycle to dest by writing the same value */
2291 ctxt->dst.val = ctxt->dst.orig_val;
2293 return X86EMUL_CONTINUE;
2296 static int em_lseg(struct x86_emulate_ctxt *ctxt)
2298 int seg = ctxt->src2.val;
2302 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2304 rc = load_segment_descriptor(ctxt, sel, seg);
2305 if (rc != X86EMUL_CONTINUE)
2308 ctxt->dst.val = ctxt->src.val;
2312 static int emulator_has_longmode(struct x86_emulate_ctxt *ctxt)
2314 #ifdef CONFIG_X86_64
2315 return ctxt->ops->guest_has_long_mode(ctxt);
2321 static void rsm_set_desc_flags(struct desc_struct *desc, u32 flags)
2323 desc->g = (flags >> 23) & 1;
2324 desc->d = (flags >> 22) & 1;
2325 desc->l = (flags >> 21) & 1;
2326 desc->avl = (flags >> 20) & 1;
2327 desc->p = (flags >> 15) & 1;
2328 desc->dpl = (flags >> 13) & 3;
2329 desc->s = (flags >> 12) & 1;
2330 desc->type = (flags >> 8) & 15;
2333 static int rsm_load_seg_32(struct x86_emulate_ctxt *ctxt, const char *smstate,
2336 struct desc_struct desc;
2340 selector = GET_SMSTATE(u32, smstate, 0x7fa8 + n * 4);
2343 offset = 0x7f84 + n * 12;
2345 offset = 0x7f2c + (n - 3) * 12;
2347 set_desc_base(&desc, GET_SMSTATE(u32, smstate, offset + 8));
2348 set_desc_limit(&desc, GET_SMSTATE(u32, smstate, offset + 4));
2349 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smstate, offset));
2350 ctxt->ops->set_segment(ctxt, selector, &desc, 0, n);
2351 return X86EMUL_CONTINUE;
2354 #ifdef CONFIG_X86_64
2355 static int rsm_load_seg_64(struct x86_emulate_ctxt *ctxt, const char *smstate,
2358 struct desc_struct desc;
2363 offset = 0x7e00 + n * 16;
2365 selector = GET_SMSTATE(u16, smstate, offset);
2366 rsm_set_desc_flags(&desc, GET_SMSTATE(u16, smstate, offset + 2) << 8);
2367 set_desc_limit(&desc, GET_SMSTATE(u32, smstate, offset + 4));
2368 set_desc_base(&desc, GET_SMSTATE(u32, smstate, offset + 8));
2369 base3 = GET_SMSTATE(u32, smstate, offset + 12);
2371 ctxt->ops->set_segment(ctxt, selector, &desc, base3, n);
2372 return X86EMUL_CONTINUE;
2376 static int rsm_enter_protected_mode(struct x86_emulate_ctxt *ctxt,
2377 u64 cr0, u64 cr3, u64 cr4)
2382 /* In order to later set CR4.PCIDE, CR3[11:0] must be zero. */
2384 if (cr4 & X86_CR4_PCIDE) {
2389 bad = ctxt->ops->set_cr(ctxt, 3, cr3);
2391 return X86EMUL_UNHANDLEABLE;
2394 * First enable PAE, long mode needs it before CR0.PG = 1 is set.
2395 * Then enable protected mode. However, PCID cannot be enabled
2396 * if EFER.LMA=0, so set it separately.
2398 bad = ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE);
2400 return X86EMUL_UNHANDLEABLE;
2402 bad = ctxt->ops->set_cr(ctxt, 0, cr0);
2404 return X86EMUL_UNHANDLEABLE;
2406 if (cr4 & X86_CR4_PCIDE) {
2407 bad = ctxt->ops->set_cr(ctxt, 4, cr4);
2409 return X86EMUL_UNHANDLEABLE;
2411 bad = ctxt->ops->set_cr(ctxt, 3, cr3 | pcid);
2413 return X86EMUL_UNHANDLEABLE;
2418 return X86EMUL_CONTINUE;
2421 static int rsm_load_state_32(struct x86_emulate_ctxt *ctxt,
2422 const char *smstate)
2424 struct desc_struct desc;
2427 u32 val, cr0, cr3, cr4;
2430 cr0 = GET_SMSTATE(u32, smstate, 0x7ffc);
2431 cr3 = GET_SMSTATE(u32, smstate, 0x7ff8);
2432 ctxt->eflags = GET_SMSTATE(u32, smstate, 0x7ff4) | X86_EFLAGS_FIXED;
2433 ctxt->_eip = GET_SMSTATE(u32, smstate, 0x7ff0);
2435 for (i = 0; i < NR_EMULATOR_GPRS; i++)
2436 *reg_write(ctxt, i) = GET_SMSTATE(u32, smstate, 0x7fd0 + i * 4);
2438 val = GET_SMSTATE(u32, smstate, 0x7fcc);
2440 if (ctxt->ops->set_dr(ctxt, 6, val))
2441 return X86EMUL_UNHANDLEABLE;
2443 val = GET_SMSTATE(u32, smstate, 0x7fc8);
2445 if (ctxt->ops->set_dr(ctxt, 7, val))
2446 return X86EMUL_UNHANDLEABLE;
2448 selector = GET_SMSTATE(u32, smstate, 0x7fc4);
2449 set_desc_base(&desc, GET_SMSTATE(u32, smstate, 0x7f64));
2450 set_desc_limit(&desc, GET_SMSTATE(u32, smstate, 0x7f60));
2451 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smstate, 0x7f5c));
2452 ctxt->ops->set_segment(ctxt, selector, &desc, 0, VCPU_SREG_TR);
2454 selector = GET_SMSTATE(u32, smstate, 0x7fc0);
2455 set_desc_base(&desc, GET_SMSTATE(u32, smstate, 0x7f80));
2456 set_desc_limit(&desc, GET_SMSTATE(u32, smstate, 0x7f7c));
2457 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smstate, 0x7f78));
2458 ctxt->ops->set_segment(ctxt, selector, &desc, 0, VCPU_SREG_LDTR);
2460 dt.address = GET_SMSTATE(u32, smstate, 0x7f74);
2461 dt.size = GET_SMSTATE(u32, smstate, 0x7f70);
2462 ctxt->ops->set_gdt(ctxt, &dt);
2464 dt.address = GET_SMSTATE(u32, smstate, 0x7f58);
2465 dt.size = GET_SMSTATE(u32, smstate, 0x7f54);
2466 ctxt->ops->set_idt(ctxt, &dt);
2468 for (i = 0; i < 6; i++) {
2469 int r = rsm_load_seg_32(ctxt, smstate, i);
2470 if (r != X86EMUL_CONTINUE)
2474 cr4 = GET_SMSTATE(u32, smstate, 0x7f14);
2476 ctxt->ops->set_smbase(ctxt, GET_SMSTATE(u32, smstate, 0x7ef8));
2478 return rsm_enter_protected_mode(ctxt, cr0, cr3, cr4);
2481 #ifdef CONFIG_X86_64
2482 static int rsm_load_state_64(struct x86_emulate_ctxt *ctxt,
2483 const char *smstate)
2485 struct desc_struct desc;
2487 u64 val, cr0, cr3, cr4;
2492 for (i = 0; i < NR_EMULATOR_GPRS; i++)
2493 *reg_write(ctxt, i) = GET_SMSTATE(u64, smstate, 0x7ff8 - i * 8);
2495 ctxt->_eip = GET_SMSTATE(u64, smstate, 0x7f78);
2496 ctxt->eflags = GET_SMSTATE(u32, smstate, 0x7f70) | X86_EFLAGS_FIXED;
2498 val = GET_SMSTATE(u64, smstate, 0x7f68);
2500 if (ctxt->ops->set_dr(ctxt, 6, val))
2501 return X86EMUL_UNHANDLEABLE;
2503 val = GET_SMSTATE(u64, smstate, 0x7f60);
2505 if (ctxt->ops->set_dr(ctxt, 7, val))
2506 return X86EMUL_UNHANDLEABLE;
2508 cr0 = GET_SMSTATE(u64, smstate, 0x7f58);
2509 cr3 = GET_SMSTATE(u64, smstate, 0x7f50);
2510 cr4 = GET_SMSTATE(u64, smstate, 0x7f48);
2511 ctxt->ops->set_smbase(ctxt, GET_SMSTATE(u32, smstate, 0x7f00));
2512 val = GET_SMSTATE(u64, smstate, 0x7ed0);
2514 if (ctxt->ops->set_msr(ctxt, MSR_EFER, val & ~EFER_LMA))
2515 return X86EMUL_UNHANDLEABLE;
2517 selector = GET_SMSTATE(u32, smstate, 0x7e90);
2518 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smstate, 0x7e92) << 8);
2519 set_desc_limit(&desc, GET_SMSTATE(u32, smstate, 0x7e94));
2520 set_desc_base(&desc, GET_SMSTATE(u32, smstate, 0x7e98));
2521 base3 = GET_SMSTATE(u32, smstate, 0x7e9c);
2522 ctxt->ops->set_segment(ctxt, selector, &desc, base3, VCPU_SREG_TR);
2524 dt.size = GET_SMSTATE(u32, smstate, 0x7e84);
2525 dt.address = GET_SMSTATE(u64, smstate, 0x7e88);
2526 ctxt->ops->set_idt(ctxt, &dt);
2528 selector = GET_SMSTATE(u32, smstate, 0x7e70);
2529 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smstate, 0x7e72) << 8);
2530 set_desc_limit(&desc, GET_SMSTATE(u32, smstate, 0x7e74));
2531 set_desc_base(&desc, GET_SMSTATE(u32, smstate, 0x7e78));
2532 base3 = GET_SMSTATE(u32, smstate, 0x7e7c);
2533 ctxt->ops->set_segment(ctxt, selector, &desc, base3, VCPU_SREG_LDTR);
2535 dt.size = GET_SMSTATE(u32, smstate, 0x7e64);
2536 dt.address = GET_SMSTATE(u64, smstate, 0x7e68);
2537 ctxt->ops->set_gdt(ctxt, &dt);
2539 r = rsm_enter_protected_mode(ctxt, cr0, cr3, cr4);
2540 if (r != X86EMUL_CONTINUE)
2543 for (i = 0; i < 6; i++) {
2544 r = rsm_load_seg_64(ctxt, smstate, i);
2545 if (r != X86EMUL_CONTINUE)
2549 return X86EMUL_CONTINUE;
2553 static int em_rsm(struct x86_emulate_ctxt *ctxt)
2555 unsigned long cr0, cr4, efer;
2560 if ((ctxt->ops->get_hflags(ctxt) & X86EMUL_SMM_MASK) == 0)
2561 return emulate_ud(ctxt);
2563 smbase = ctxt->ops->get_smbase(ctxt);
2565 ret = ctxt->ops->read_phys(ctxt, smbase + 0xfe00, buf, sizeof(buf));
2566 if (ret != X86EMUL_CONTINUE)
2567 return X86EMUL_UNHANDLEABLE;
2569 if ((ctxt->ops->get_hflags(ctxt) & X86EMUL_SMM_INSIDE_NMI_MASK) == 0)
2570 ctxt->ops->set_nmi_mask(ctxt, false);
2572 ctxt->ops->exiting_smm(ctxt);
2575 * Get back to real mode, to prepare a safe state in which to load
2576 * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU
2577 * supports long mode.
2579 if (emulator_has_longmode(ctxt)) {
2580 struct desc_struct cs_desc;
2582 /* Zero CR4.PCIDE before CR0.PG. */
2583 cr4 = ctxt->ops->get_cr(ctxt, 4);
2584 if (cr4 & X86_CR4_PCIDE)
2585 ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE);
2587 /* A 32-bit code segment is required to clear EFER.LMA. */
2588 memset(&cs_desc, 0, sizeof(cs_desc));
2590 cs_desc.s = cs_desc.g = cs_desc.p = 1;
2591 ctxt->ops->set_segment(ctxt, 0, &cs_desc, 0, VCPU_SREG_CS);
2594 /* For the 64-bit case, this will clear EFER.LMA. */
2595 cr0 = ctxt->ops->get_cr(ctxt, 0);
2596 if (cr0 & X86_CR0_PE)
2597 ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE));
2599 if (emulator_has_longmode(ctxt)) {
2600 /* Clear CR4.PAE before clearing EFER.LME. */
2601 cr4 = ctxt->ops->get_cr(ctxt, 4);
2602 if (cr4 & X86_CR4_PAE)
2603 ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE);
2605 /* And finally go back to 32-bit mode. */
2607 ctxt->ops->set_msr(ctxt, MSR_EFER, efer);
2611 * Give leave_smm() a chance to make ISA-specific changes to the vCPU
2612 * state (e.g. enter guest mode) before loading state from the SMM
2615 if (ctxt->ops->leave_smm(ctxt, buf))
2616 goto emulate_shutdown;
2618 #ifdef CONFIG_X86_64
2619 if (emulator_has_longmode(ctxt))
2620 ret = rsm_load_state_64(ctxt, buf);
2623 ret = rsm_load_state_32(ctxt, buf);
2625 if (ret != X86EMUL_CONTINUE)
2626 goto emulate_shutdown;
2629 * Note, the ctxt->ops callbacks are responsible for handling side
2630 * effects when writing MSRs and CRs, e.g. MMU context resets, CPUID
2631 * runtime updates, etc... If that changes, e.g. this flow is moved
2632 * out of the emulator to make it look more like enter_smm(), then
2633 * those side effects need to be explicitly handled for both success
2636 return X86EMUL_CONTINUE;
2639 ctxt->ops->triple_fault(ctxt);
2640 return X86EMUL_CONTINUE;
2644 setup_syscalls_segments(struct desc_struct *cs, struct desc_struct *ss)
2646 cs->l = 0; /* will be adjusted later */
2647 set_desc_base(cs, 0); /* flat segment */
2648 cs->g = 1; /* 4kb granularity */
2649 set_desc_limit(cs, 0xfffff); /* 4GB limit */
2650 cs->type = 0x0b; /* Read, Execute, Accessed */
2652 cs->dpl = 0; /* will be adjusted later */
2657 set_desc_base(ss, 0); /* flat segment */
2658 set_desc_limit(ss, 0xfffff); /* 4GB limit */
2659 ss->g = 1; /* 4kb granularity */
2661 ss->type = 0x03; /* Read/Write, Accessed */
2662 ss->d = 1; /* 32bit stack segment */
2669 static bool vendor_intel(struct x86_emulate_ctxt *ctxt)
2671 u32 eax, ebx, ecx, edx;
2674 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, true);
2675 return is_guest_vendor_intel(ebx, ecx, edx);
2678 static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt)
2680 const struct x86_emulate_ops *ops = ctxt->ops;
2681 u32 eax, ebx, ecx, edx;
2684 * syscall should always be enabled in longmode - so only become
2685 * vendor specific (cpuid) if other modes are active...
2687 if (ctxt->mode == X86EMUL_MODE_PROT64)
2692 ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, true);
2694 * remark: Intel CPUs only support "syscall" in 64bit longmode. Also a
2695 * 64bit guest with a 32bit compat-app running will #UD !! While this
2696 * behaviour can be fixed (by emulating) into AMD response - CPUs of
2697 * AMD can't behave like Intel.
2699 if (is_guest_vendor_intel(ebx, ecx, edx))
2702 if (is_guest_vendor_amd(ebx, ecx, edx) ||
2703 is_guest_vendor_hygon(ebx, ecx, edx))
2707 * default: (not Intel, not AMD, not Hygon), apply Intel's
2713 static int em_syscall(struct x86_emulate_ctxt *ctxt)
2715 const struct x86_emulate_ops *ops = ctxt->ops;
2716 struct desc_struct cs, ss;
2721 /* syscall is not available in real mode */
2722 if (ctxt->mode == X86EMUL_MODE_REAL ||
2723 ctxt->mode == X86EMUL_MODE_VM86)
2724 return emulate_ud(ctxt);
2726 if (!(em_syscall_is_enabled(ctxt)))
2727 return emulate_ud(ctxt);
2729 ops->get_msr(ctxt, MSR_EFER, &efer);
2730 if (!(efer & EFER_SCE))
2731 return emulate_ud(ctxt);
2733 setup_syscalls_segments(&cs, &ss);
2734 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2736 cs_sel = (u16)(msr_data & 0xfffc);
2737 ss_sel = (u16)(msr_data + 8);
2739 if (efer & EFER_LMA) {
2743 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2744 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2746 *reg_write(ctxt, VCPU_REGS_RCX) = ctxt->_eip;
2747 if (efer & EFER_LMA) {
2748 #ifdef CONFIG_X86_64
2749 *reg_write(ctxt, VCPU_REGS_R11) = ctxt->eflags;
2752 ctxt->mode == X86EMUL_MODE_PROT64 ?
2753 MSR_LSTAR : MSR_CSTAR, &msr_data);
2754 ctxt->_eip = msr_data;
2756 ops->get_msr(ctxt, MSR_SYSCALL_MASK, &msr_data);
2757 ctxt->eflags &= ~msr_data;
2758 ctxt->eflags |= X86_EFLAGS_FIXED;
2762 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2763 ctxt->_eip = (u32)msr_data;
2765 ctxt->eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
2768 ctxt->tf = (ctxt->eflags & X86_EFLAGS_TF) != 0;
2769 return X86EMUL_CONTINUE;
2772 static int em_sysenter(struct x86_emulate_ctxt *ctxt)
2774 const struct x86_emulate_ops *ops = ctxt->ops;
2775 struct desc_struct cs, ss;
2780 ops->get_msr(ctxt, MSR_EFER, &efer);
2781 /* inject #GP if in real mode */
2782 if (ctxt->mode == X86EMUL_MODE_REAL)
2783 return emulate_gp(ctxt, 0);
2786 * Not recognized on AMD in compat mode (but is recognized in legacy
2789 if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
2790 && !vendor_intel(ctxt))
2791 return emulate_ud(ctxt);
2793 /* sysenter/sysexit have not been tested in 64bit mode. */
2794 if (ctxt->mode == X86EMUL_MODE_PROT64)
2795 return X86EMUL_UNHANDLEABLE;
2797 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2798 if ((msr_data & 0xfffc) == 0x0)
2799 return emulate_gp(ctxt, 0);
2801 setup_syscalls_segments(&cs, &ss);
2802 ctxt->eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
2803 cs_sel = (u16)msr_data & ~SEGMENT_RPL_MASK;
2804 ss_sel = cs_sel + 8;
2805 if (efer & EFER_LMA) {
2810 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2811 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2813 ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
2814 ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
2816 ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
2817 *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
2819 if (efer & EFER_LMA)
2820 ctxt->mode = X86EMUL_MODE_PROT64;
2822 return X86EMUL_CONTINUE;
2825 static int em_sysexit(struct x86_emulate_ctxt *ctxt)
2827 const struct x86_emulate_ops *ops = ctxt->ops;
2828 struct desc_struct cs, ss;
2829 u64 msr_data, rcx, rdx;
2831 u16 cs_sel = 0, ss_sel = 0;
2833 /* inject #GP if in real mode or Virtual 8086 mode */
2834 if (ctxt->mode == X86EMUL_MODE_REAL ||
2835 ctxt->mode == X86EMUL_MODE_VM86)
2836 return emulate_gp(ctxt, 0);
2838 setup_syscalls_segments(&cs, &ss);
2840 if ((ctxt->rex_prefix & 0x8) != 0x0)
2841 usermode = X86EMUL_MODE_PROT64;
2843 usermode = X86EMUL_MODE_PROT32;
2845 rcx = reg_read(ctxt, VCPU_REGS_RCX);
2846 rdx = reg_read(ctxt, VCPU_REGS_RDX);
2850 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2852 case X86EMUL_MODE_PROT32:
2853 cs_sel = (u16)(msr_data + 16);
2854 if ((msr_data & 0xfffc) == 0x0)
2855 return emulate_gp(ctxt, 0);
2856 ss_sel = (u16)(msr_data + 24);
2860 case X86EMUL_MODE_PROT64:
2861 cs_sel = (u16)(msr_data + 32);
2862 if (msr_data == 0x0)
2863 return emulate_gp(ctxt, 0);
2864 ss_sel = cs_sel + 8;
2867 if (emul_is_noncanonical_address(rcx, ctxt) ||
2868 emul_is_noncanonical_address(rdx, ctxt))
2869 return emulate_gp(ctxt, 0);
2872 cs_sel |= SEGMENT_RPL_MASK;
2873 ss_sel |= SEGMENT_RPL_MASK;
2875 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2876 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2879 *reg_write(ctxt, VCPU_REGS_RSP) = rcx;
2881 return X86EMUL_CONTINUE;
2884 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt)
2887 if (ctxt->mode == X86EMUL_MODE_REAL)
2889 if (ctxt->mode == X86EMUL_MODE_VM86)
2891 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> X86_EFLAGS_IOPL_BIT;
2892 return ctxt->ops->cpl(ctxt) > iopl;
2895 #define VMWARE_PORT_VMPORT (0x5658)
2896 #define VMWARE_PORT_VMRPC (0x5659)
2898 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2901 const struct x86_emulate_ops *ops = ctxt->ops;
2902 struct desc_struct tr_seg;
2905 u16 tr, io_bitmap_ptr, perm, bit_idx = port & 0x7;
2906 unsigned mask = (1 << len) - 1;
2910 * VMware allows access to these ports even if denied
2911 * by TSS I/O permission bitmap. Mimic behavior.
2913 if (enable_vmware_backdoor &&
2914 ((port == VMWARE_PORT_VMPORT) || (port == VMWARE_PORT_VMRPC)))
2917 ops->get_segment(ctxt, &tr, &tr_seg, &base3, VCPU_SREG_TR);
2920 if (desc_limit_scaled(&tr_seg) < 103)
2922 base = get_desc_base(&tr_seg);
2923 #ifdef CONFIG_X86_64
2924 base |= ((u64)base3) << 32;
2926 r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL, true);
2927 if (r != X86EMUL_CONTINUE)
2929 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2931 r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL, true);
2932 if (r != X86EMUL_CONTINUE)
2934 if ((perm >> bit_idx) & mask)
2939 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2945 if (emulator_bad_iopl(ctxt))
2946 if (!emulator_io_port_access_allowed(ctxt, port, len))
2949 ctxt->perm_ok = true;
2954 static void string_registers_quirk(struct x86_emulate_ctxt *ctxt)
2957 * Intel CPUs mask the counter and pointers in quite strange
2958 * manner when ECX is zero due to REP-string optimizations.
2960 #ifdef CONFIG_X86_64
2961 if (ctxt->ad_bytes != 4 || !vendor_intel(ctxt))
2964 *reg_write(ctxt, VCPU_REGS_RCX) = 0;
2967 case 0xa4: /* movsb */
2968 case 0xa5: /* movsd/w */
2969 *reg_rmw(ctxt, VCPU_REGS_RSI) &= (u32)-1;
2971 case 0xaa: /* stosb */
2972 case 0xab: /* stosd/w */
2973 *reg_rmw(ctxt, VCPU_REGS_RDI) &= (u32)-1;
2978 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2979 struct tss_segment_16 *tss)
2981 tss->ip = ctxt->_eip;
2982 tss->flag = ctxt->eflags;
2983 tss->ax = reg_read(ctxt, VCPU_REGS_RAX);
2984 tss->cx = reg_read(ctxt, VCPU_REGS_RCX);
2985 tss->dx = reg_read(ctxt, VCPU_REGS_RDX);
2986 tss->bx = reg_read(ctxt, VCPU_REGS_RBX);
2987 tss->sp = reg_read(ctxt, VCPU_REGS_RSP);
2988 tss->bp = reg_read(ctxt, VCPU_REGS_RBP);
2989 tss->si = reg_read(ctxt, VCPU_REGS_RSI);
2990 tss->di = reg_read(ctxt, VCPU_REGS_RDI);
2992 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2993 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2994 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2995 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2996 tss->ldt = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2999 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
3000 struct tss_segment_16 *tss)
3005 ctxt->_eip = tss->ip;
3006 ctxt->eflags = tss->flag | 2;
3007 *reg_write(ctxt, VCPU_REGS_RAX) = tss->ax;
3008 *reg_write(ctxt, VCPU_REGS_RCX) = tss->cx;
3009 *reg_write(ctxt, VCPU_REGS_RDX) = tss->dx;
3010 *reg_write(ctxt, VCPU_REGS_RBX) = tss->bx;
3011 *reg_write(ctxt, VCPU_REGS_RSP) = tss->sp;
3012 *reg_write(ctxt, VCPU_REGS_RBP) = tss->bp;
3013 *reg_write(ctxt, VCPU_REGS_RSI) = tss->si;
3014 *reg_write(ctxt, VCPU_REGS_RDI) = tss->di;
3017 * SDM says that segment selectors are loaded before segment
3020 set_segment_selector(ctxt, tss->ldt, VCPU_SREG_LDTR);
3021 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
3022 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
3023 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
3024 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
3029 * Now load segment descriptors. If fault happens at this stage
3030 * it is handled in a context of new task
3032 ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl,
3033 X86_TRANSFER_TASK_SWITCH, NULL);
3034 if (ret != X86EMUL_CONTINUE)
3036 ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
3037 X86_TRANSFER_TASK_SWITCH, NULL);
3038 if (ret != X86EMUL_CONTINUE)
3040 ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
3041 X86_TRANSFER_TASK_SWITCH, NULL);
3042 if (ret != X86EMUL_CONTINUE)
3044 ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
3045 X86_TRANSFER_TASK_SWITCH, NULL);
3046 if (ret != X86EMUL_CONTINUE)
3048 ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
3049 X86_TRANSFER_TASK_SWITCH, NULL);
3050 if (ret != X86EMUL_CONTINUE)
3053 return X86EMUL_CONTINUE;
3056 static int task_switch_16(struct x86_emulate_ctxt *ctxt, u16 old_tss_sel,
3057 ulong old_tss_base, struct desc_struct *new_desc)
3059 struct tss_segment_16 tss_seg;
3061 u32 new_tss_base = get_desc_base(new_desc);
3063 ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof(tss_seg));
3064 if (ret != X86EMUL_CONTINUE)
3067 save_state_to_tss16(ctxt, &tss_seg);
3069 ret = linear_write_system(ctxt, old_tss_base, &tss_seg, sizeof(tss_seg));
3070 if (ret != X86EMUL_CONTINUE)
3073 ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof(tss_seg));
3074 if (ret != X86EMUL_CONTINUE)
3077 if (old_tss_sel != 0xffff) {
3078 tss_seg.prev_task_link = old_tss_sel;
3080 ret = linear_write_system(ctxt, new_tss_base,
3081 &tss_seg.prev_task_link,
3082 sizeof(tss_seg.prev_task_link));
3083 if (ret != X86EMUL_CONTINUE)
3087 return load_state_from_tss16(ctxt, &tss_seg);
3090 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
3091 struct tss_segment_32 *tss)
3093 /* CR3 and ldt selector are not saved intentionally */
3094 tss->eip = ctxt->_eip;
3095 tss->eflags = ctxt->eflags;
3096 tss->eax = reg_read(ctxt, VCPU_REGS_RAX);
3097 tss->ecx = reg_read(ctxt, VCPU_REGS_RCX);
3098 tss->edx = reg_read(ctxt, VCPU_REGS_RDX);
3099 tss->ebx = reg_read(ctxt, VCPU_REGS_RBX);
3100 tss->esp = reg_read(ctxt, VCPU_REGS_RSP);
3101 tss->ebp = reg_read(ctxt, VCPU_REGS_RBP);
3102 tss->esi = reg_read(ctxt, VCPU_REGS_RSI);
3103 tss->edi = reg_read(ctxt, VCPU_REGS_RDI);
3105 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
3106 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
3107 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
3108 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
3109 tss->fs = get_segment_selector(ctxt, VCPU_SREG_FS);
3110 tss->gs = get_segment_selector(ctxt, VCPU_SREG_GS);
3113 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
3114 struct tss_segment_32 *tss)
3119 if (ctxt->ops->set_cr(ctxt, 3, tss->cr3))
3120 return emulate_gp(ctxt, 0);
3121 ctxt->_eip = tss->eip;
3122 ctxt->eflags = tss->eflags | 2;
3124 /* General purpose registers */
3125 *reg_write(ctxt, VCPU_REGS_RAX) = tss->eax;
3126 *reg_write(ctxt, VCPU_REGS_RCX) = tss->ecx;
3127 *reg_write(ctxt, VCPU_REGS_RDX) = tss->edx;
3128 *reg_write(ctxt, VCPU_REGS_RBX) = tss->ebx;
3129 *reg_write(ctxt, VCPU_REGS_RSP) = tss->esp;
3130 *reg_write(ctxt, VCPU_REGS_RBP) = tss->ebp;
3131 *reg_write(ctxt, VCPU_REGS_RSI) = tss->esi;
3132 *reg_write(ctxt, VCPU_REGS_RDI) = tss->edi;
3135 * SDM says that segment selectors are loaded before segment
3136 * descriptors. This is important because CPL checks will
3139 set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
3140 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
3141 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
3142 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
3143 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
3144 set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS);
3145 set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS);
3148 * If we're switching between Protected Mode and VM86, we need to make
3149 * sure to update the mode before loading the segment descriptors so
3150 * that the selectors are interpreted correctly.
3152 if (ctxt->eflags & X86_EFLAGS_VM) {
3153 ctxt->mode = X86EMUL_MODE_VM86;
3156 ctxt->mode = X86EMUL_MODE_PROT32;
3161 * Now load segment descriptors. If fault happens at this stage
3162 * it is handled in a context of new task
3164 ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR,
3165 cpl, X86_TRANSFER_TASK_SWITCH, NULL);
3166 if (ret != X86EMUL_CONTINUE)
3168 ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
3169 X86_TRANSFER_TASK_SWITCH, NULL);
3170 if (ret != X86EMUL_CONTINUE)
3172 ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
3173 X86_TRANSFER_TASK_SWITCH, NULL);
3174 if (ret != X86EMUL_CONTINUE)
3176 ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
3177 X86_TRANSFER_TASK_SWITCH, NULL);
3178 if (ret != X86EMUL_CONTINUE)
3180 ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
3181 X86_TRANSFER_TASK_SWITCH, NULL);
3182 if (ret != X86EMUL_CONTINUE)
3184 ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl,
3185 X86_TRANSFER_TASK_SWITCH, NULL);
3186 if (ret != X86EMUL_CONTINUE)
3188 ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl,
3189 X86_TRANSFER_TASK_SWITCH, NULL);
3194 static int task_switch_32(struct x86_emulate_ctxt *ctxt, u16 old_tss_sel,
3195 ulong old_tss_base, struct desc_struct *new_desc)
3197 struct tss_segment_32 tss_seg;
3199 u32 new_tss_base = get_desc_base(new_desc);
3200 u32 eip_offset = offsetof(struct tss_segment_32, eip);
3201 u32 ldt_sel_offset = offsetof(struct tss_segment_32, ldt_selector);
3203 ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof(tss_seg));
3204 if (ret != X86EMUL_CONTINUE)
3207 save_state_to_tss32(ctxt, &tss_seg);
3209 /* Only GP registers and segment selectors are saved */
3210 ret = linear_write_system(ctxt, old_tss_base + eip_offset, &tss_seg.eip,
3211 ldt_sel_offset - eip_offset);
3212 if (ret != X86EMUL_CONTINUE)
3215 ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof(tss_seg));
3216 if (ret != X86EMUL_CONTINUE)
3219 if (old_tss_sel != 0xffff) {
3220 tss_seg.prev_task_link = old_tss_sel;
3222 ret = linear_write_system(ctxt, new_tss_base,
3223 &tss_seg.prev_task_link,
3224 sizeof(tss_seg.prev_task_link));
3225 if (ret != X86EMUL_CONTINUE)
3229 return load_state_from_tss32(ctxt, &tss_seg);
3232 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
3233 u16 tss_selector, int idt_index, int reason,
3234 bool has_error_code, u32 error_code)
3236 const struct x86_emulate_ops *ops = ctxt->ops;
3237 struct desc_struct curr_tss_desc, next_tss_desc;
3239 u16 old_tss_sel = get_segment_selector(ctxt, VCPU_SREG_TR);
3240 ulong old_tss_base =
3241 ops->get_cached_segment_base(ctxt, VCPU_SREG_TR);
3243 ulong desc_addr, dr7;
3245 /* FIXME: old_tss_base == ~0 ? */
3247 ret = read_segment_descriptor(ctxt, tss_selector, &next_tss_desc, &desc_addr);
3248 if (ret != X86EMUL_CONTINUE)
3250 ret = read_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc, &desc_addr);
3251 if (ret != X86EMUL_CONTINUE)
3254 /* FIXME: check that next_tss_desc is tss */
3257 * Check privileges. The three cases are task switch caused by...
3259 * 1. jmp/call/int to task gate: Check against DPL of the task gate
3260 * 2. Exception/IRQ/iret: No check is performed
3261 * 3. jmp/call to TSS/task-gate: No check is performed since the
3262 * hardware checks it before exiting.
3264 if (reason == TASK_SWITCH_GATE) {
3265 if (idt_index != -1) {
3266 /* Software interrupts */
3267 struct desc_struct task_gate_desc;
3270 ret = read_interrupt_descriptor(ctxt, idt_index,
3272 if (ret != X86EMUL_CONTINUE)
3275 dpl = task_gate_desc.dpl;
3276 if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
3277 return emulate_gp(ctxt, (idt_index << 3) | 0x2);
3281 desc_limit = desc_limit_scaled(&next_tss_desc);
3282 if (!next_tss_desc.p ||
3283 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
3284 desc_limit < 0x2b)) {
3285 return emulate_ts(ctxt, tss_selector & 0xfffc);
3288 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
3289 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
3290 write_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
3293 if (reason == TASK_SWITCH_IRET)
3294 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
3296 /* set back link to prev task only if NT bit is set in eflags
3297 note that old_tss_sel is not used after this point */
3298 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
3299 old_tss_sel = 0xffff;
3301 if (next_tss_desc.type & 8)
3302 ret = task_switch_32(ctxt, old_tss_sel, old_tss_base, &next_tss_desc);
3304 ret = task_switch_16(ctxt, old_tss_sel,
3305 old_tss_base, &next_tss_desc);
3306 if (ret != X86EMUL_CONTINUE)
3309 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
3310 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
3312 if (reason != TASK_SWITCH_IRET) {
3313 next_tss_desc.type |= (1 << 1); /* set busy flag */
3314 write_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
3317 ops->set_cr(ctxt, 0, ops->get_cr(ctxt, 0) | X86_CR0_TS);
3318 ops->set_segment(ctxt, tss_selector, &next_tss_desc, 0, VCPU_SREG_TR);
3320 if (has_error_code) {
3321 ctxt->op_bytes = ctxt->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
3322 ctxt->lock_prefix = 0;
3323 ctxt->src.val = (unsigned long) error_code;
3324 ret = em_push(ctxt);
3327 ops->get_dr(ctxt, 7, &dr7);
3328 ops->set_dr(ctxt, 7, dr7 & ~(DR_LOCAL_ENABLE_MASK | DR_LOCAL_SLOWDOWN));
3333 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
3334 u16 tss_selector, int idt_index, int reason,
3335 bool has_error_code, u32 error_code)
3339 invalidate_registers(ctxt);
3340 ctxt->_eip = ctxt->eip;
3341 ctxt->dst.type = OP_NONE;
3343 rc = emulator_do_task_switch(ctxt, tss_selector, idt_index, reason,
3344 has_error_code, error_code);
3346 if (rc == X86EMUL_CONTINUE) {
3347 ctxt->eip = ctxt->_eip;
3348 writeback_registers(ctxt);
3351 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
3354 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, int reg,
3357 int df = (ctxt->eflags & X86_EFLAGS_DF) ? -op->count : op->count;
3359 register_address_increment(ctxt, reg, df * op->bytes);
3360 op->addr.mem.ea = register_address(ctxt, reg);
3363 static int em_das(struct x86_emulate_ctxt *ctxt)
3366 bool af, cf, old_cf;
3368 cf = ctxt->eflags & X86_EFLAGS_CF;
3374 af = ctxt->eflags & X86_EFLAGS_AF;
3375 if ((al & 0x0f) > 9 || af) {
3377 cf = old_cf | (al >= 250);
3382 if (old_al > 0x99 || old_cf) {
3388 /* Set PF, ZF, SF */
3389 ctxt->src.type = OP_IMM;
3391 ctxt->src.bytes = 1;
3392 fastop(ctxt, em_or);
3393 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
3395 ctxt->eflags |= X86_EFLAGS_CF;
3397 ctxt->eflags |= X86_EFLAGS_AF;
3398 return X86EMUL_CONTINUE;
3401 static int em_aam(struct x86_emulate_ctxt *ctxt)
3405 if (ctxt->src.val == 0)
3406 return emulate_de(ctxt);
3408 al = ctxt->dst.val & 0xff;
3409 ah = al / ctxt->src.val;
3410 al %= ctxt->src.val;
3412 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al | (ah << 8);
3414 /* Set PF, ZF, SF */
3415 ctxt->src.type = OP_IMM;
3417 ctxt->src.bytes = 1;
3418 fastop(ctxt, em_or);
3420 return X86EMUL_CONTINUE;
3423 static int em_aad(struct x86_emulate_ctxt *ctxt)
3425 u8 al = ctxt->dst.val & 0xff;
3426 u8 ah = (ctxt->dst.val >> 8) & 0xff;
3428 al = (al + (ah * ctxt->src.val)) & 0xff;
3430 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al;
3432 /* Set PF, ZF, SF */
3433 ctxt->src.type = OP_IMM;
3435 ctxt->src.bytes = 1;
3436 fastop(ctxt, em_or);
3438 return X86EMUL_CONTINUE;
3441 static int em_call(struct x86_emulate_ctxt *ctxt)
3444 long rel = ctxt->src.val;
3446 ctxt->src.val = (unsigned long)ctxt->_eip;
3447 rc = jmp_rel(ctxt, rel);
3448 if (rc != X86EMUL_CONTINUE)
3450 return em_push(ctxt);
3453 static int em_call_far(struct x86_emulate_ctxt *ctxt)
3458 struct desc_struct old_desc, new_desc;
3459 const struct x86_emulate_ops *ops = ctxt->ops;
3460 int cpl = ctxt->ops->cpl(ctxt);
3461 enum x86emul_mode prev_mode = ctxt->mode;
3463 old_eip = ctxt->_eip;
3464 ops->get_segment(ctxt, &old_cs, &old_desc, NULL, VCPU_SREG_CS);
3466 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
3467 rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
3468 X86_TRANSFER_CALL_JMP, &new_desc);
3469 if (rc != X86EMUL_CONTINUE)
3472 rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
3473 if (rc != X86EMUL_CONTINUE)
3476 ctxt->src.val = old_cs;
3478 if (rc != X86EMUL_CONTINUE)
3481 ctxt->src.val = old_eip;
3483 /* If we failed, we tainted the memory, but the very least we should
3485 if (rc != X86EMUL_CONTINUE) {
3486 pr_warn_once("faulting far call emulation tainted memory\n");
3491 ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
3492 ctxt->mode = prev_mode;
3497 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
3502 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
3503 if (rc != X86EMUL_CONTINUE)
3505 rc = assign_eip_near(ctxt, eip);
3506 if (rc != X86EMUL_CONTINUE)
3508 rsp_increment(ctxt, ctxt->src.val);
3509 return X86EMUL_CONTINUE;
3512 static int em_xchg(struct x86_emulate_ctxt *ctxt)
3514 /* Write back the register source. */
3515 ctxt->src.val = ctxt->dst.val;
3516 write_register_operand(&ctxt->src);
3518 /* Write back the memory destination with implicit LOCK prefix. */
3519 ctxt->dst.val = ctxt->src.orig_val;
3520 ctxt->lock_prefix = 1;
3521 return X86EMUL_CONTINUE;
3524 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
3526 ctxt->dst.val = ctxt->src2.val;
3527 return fastop(ctxt, em_imul);
3530 static int em_cwd(struct x86_emulate_ctxt *ctxt)
3532 ctxt->dst.type = OP_REG;
3533 ctxt->dst.bytes = ctxt->src.bytes;
3534 ctxt->dst.addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
3535 ctxt->dst.val = ~((ctxt->src.val >> (ctxt->src.bytes * 8 - 1)) - 1);
3537 return X86EMUL_CONTINUE;
3540 static int em_rdpid(struct x86_emulate_ctxt *ctxt)
3544 if (!ctxt->ops->guest_has_rdpid(ctxt))
3545 return emulate_ud(ctxt);
3547 ctxt->ops->get_msr(ctxt, MSR_TSC_AUX, &tsc_aux);
3548 ctxt->dst.val = tsc_aux;
3549 return X86EMUL_CONTINUE;
3552 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
3556 ctxt->ops->get_msr(ctxt, MSR_IA32_TSC, &tsc);
3557 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)tsc;
3558 *reg_write(ctxt, VCPU_REGS_RDX) = tsc >> 32;
3559 return X86EMUL_CONTINUE;
3562 static int em_rdpmc(struct x86_emulate_ctxt *ctxt)
3566 if (ctxt->ops->read_pmc(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &pmc))
3567 return emulate_gp(ctxt, 0);
3568 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)pmc;
3569 *reg_write(ctxt, VCPU_REGS_RDX) = pmc >> 32;
3570 return X86EMUL_CONTINUE;
3573 static int em_mov(struct x86_emulate_ctxt *ctxt)
3575 memcpy(ctxt->dst.valptr, ctxt->src.valptr, sizeof(ctxt->src.valptr));
3576 return X86EMUL_CONTINUE;
3579 static int em_movbe(struct x86_emulate_ctxt *ctxt)
3583 if (!ctxt->ops->guest_has_movbe(ctxt))
3584 return emulate_ud(ctxt);
3586 switch (ctxt->op_bytes) {
3589 * From MOVBE definition: "...When the operand size is 16 bits,
3590 * the upper word of the destination register remains unchanged
3593 * Both casting ->valptr and ->val to u16 breaks strict aliasing
3594 * rules so we have to do the operation almost per hand.
3596 tmp = (u16)ctxt->src.val;
3597 ctxt->dst.val &= ~0xffffUL;
3598 ctxt->dst.val |= (unsigned long)swab16(tmp);
3601 ctxt->dst.val = swab32((u32)ctxt->src.val);
3604 ctxt->dst.val = swab64(ctxt->src.val);
3609 return X86EMUL_CONTINUE;
3612 static int em_cr_write(struct x86_emulate_ctxt *ctxt)
3614 if (ctxt->ops->set_cr(ctxt, ctxt->modrm_reg, ctxt->src.val))
3615 return emulate_gp(ctxt, 0);
3617 /* Disable writeback. */
3618 ctxt->dst.type = OP_NONE;
3619 return X86EMUL_CONTINUE;
3622 static int em_dr_write(struct x86_emulate_ctxt *ctxt)
3626 if (ctxt->mode == X86EMUL_MODE_PROT64)
3627 val = ctxt->src.val & ~0ULL;
3629 val = ctxt->src.val & ~0U;
3631 /* #UD condition is already handled. */
3632 if (ctxt->ops->set_dr(ctxt, ctxt->modrm_reg, val) < 0)
3633 return emulate_gp(ctxt, 0);
3635 /* Disable writeback. */
3636 ctxt->dst.type = OP_NONE;
3637 return X86EMUL_CONTINUE;
3640 static int em_wrmsr(struct x86_emulate_ctxt *ctxt)
3642 u64 msr_index = reg_read(ctxt, VCPU_REGS_RCX);
3646 msr_data = (u32)reg_read(ctxt, VCPU_REGS_RAX)
3647 | ((u64)reg_read(ctxt, VCPU_REGS_RDX) << 32);
3648 r = ctxt->ops->set_msr_with_filter(ctxt, msr_index, msr_data);
3650 if (r == X86EMUL_PROPAGATE_FAULT)
3651 return emulate_gp(ctxt, 0);
3656 static int em_rdmsr(struct x86_emulate_ctxt *ctxt)
3658 u64 msr_index = reg_read(ctxt, VCPU_REGS_RCX);
3662 r = ctxt->ops->get_msr_with_filter(ctxt, msr_index, &msr_data);
3664 if (r == X86EMUL_PROPAGATE_FAULT)
3665 return emulate_gp(ctxt, 0);
3667 if (r == X86EMUL_CONTINUE) {
3668 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)msr_data;
3669 *reg_write(ctxt, VCPU_REGS_RDX) = msr_data >> 32;
3674 static int em_store_sreg(struct x86_emulate_ctxt *ctxt, int segment)
3676 if (segment > VCPU_SREG_GS &&
3677 (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_UMIP) &&
3678 ctxt->ops->cpl(ctxt) > 0)
3679 return emulate_gp(ctxt, 0);
3681 ctxt->dst.val = get_segment_selector(ctxt, segment);
3682 if (ctxt->dst.bytes == 4 && ctxt->dst.type == OP_MEM)
3683 ctxt->dst.bytes = 2;
3684 return X86EMUL_CONTINUE;
3687 static int em_mov_rm_sreg(struct x86_emulate_ctxt *ctxt)
3689 if (ctxt->modrm_reg > VCPU_SREG_GS)
3690 return emulate_ud(ctxt);
3692 return em_store_sreg(ctxt, ctxt->modrm_reg);
3695 static int em_mov_sreg_rm(struct x86_emulate_ctxt *ctxt)
3697 u16 sel = ctxt->src.val;
3699 if (ctxt->modrm_reg == VCPU_SREG_CS || ctxt->modrm_reg > VCPU_SREG_GS)
3700 return emulate_ud(ctxt);
3702 if (ctxt->modrm_reg == VCPU_SREG_SS)
3703 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3705 /* Disable writeback. */
3706 ctxt->dst.type = OP_NONE;
3707 return load_segment_descriptor(ctxt, sel, ctxt->modrm_reg);
3710 static int em_sldt(struct x86_emulate_ctxt *ctxt)
3712 return em_store_sreg(ctxt, VCPU_SREG_LDTR);
3715 static int em_lldt(struct x86_emulate_ctxt *ctxt)
3717 u16 sel = ctxt->src.val;
3719 /* Disable writeback. */
3720 ctxt->dst.type = OP_NONE;
3721 return load_segment_descriptor(ctxt, sel, VCPU_SREG_LDTR);
3724 static int em_str(struct x86_emulate_ctxt *ctxt)
3726 return em_store_sreg(ctxt, VCPU_SREG_TR);
3729 static int em_ltr(struct x86_emulate_ctxt *ctxt)
3731 u16 sel = ctxt->src.val;
3733 /* Disable writeback. */
3734 ctxt->dst.type = OP_NONE;
3735 return load_segment_descriptor(ctxt, sel, VCPU_SREG_TR);
3738 static int em_invlpg(struct x86_emulate_ctxt *ctxt)
3743 rc = linearize(ctxt, ctxt->src.addr.mem, 1, false, &linear);
3744 if (rc == X86EMUL_CONTINUE)
3745 ctxt->ops->invlpg(ctxt, linear);
3746 /* Disable writeback. */
3747 ctxt->dst.type = OP_NONE;
3748 return X86EMUL_CONTINUE;
3751 static int em_clts(struct x86_emulate_ctxt *ctxt)
3755 cr0 = ctxt->ops->get_cr(ctxt, 0);
3757 ctxt->ops->set_cr(ctxt, 0, cr0);
3758 return X86EMUL_CONTINUE;
3761 static int em_hypercall(struct x86_emulate_ctxt *ctxt)
3763 int rc = ctxt->ops->fix_hypercall(ctxt);
3765 if (rc != X86EMUL_CONTINUE)
3768 /* Let the processor re-execute the fixed hypercall */
3769 ctxt->_eip = ctxt->eip;
3770 /* Disable writeback. */
3771 ctxt->dst.type = OP_NONE;
3772 return X86EMUL_CONTINUE;
3775 static int emulate_store_desc_ptr(struct x86_emulate_ctxt *ctxt,
3776 void (*get)(struct x86_emulate_ctxt *ctxt,
3777 struct desc_ptr *ptr))
3779 struct desc_ptr desc_ptr;
3781 if ((ctxt->ops->get_cr(ctxt, 4) & X86_CR4_UMIP) &&
3782 ctxt->ops->cpl(ctxt) > 0)
3783 return emulate_gp(ctxt, 0);
3785 if (ctxt->mode == X86EMUL_MODE_PROT64)
3787 get(ctxt, &desc_ptr);
3788 if (ctxt->op_bytes == 2) {
3790 desc_ptr.address &= 0x00ffffff;
3792 /* Disable writeback. */
3793 ctxt->dst.type = OP_NONE;
3794 return segmented_write_std(ctxt, ctxt->dst.addr.mem,
3795 &desc_ptr, 2 + ctxt->op_bytes);
3798 static int em_sgdt(struct x86_emulate_ctxt *ctxt)
3800 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_gdt);
3803 static int em_sidt(struct x86_emulate_ctxt *ctxt)
3805 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_idt);
3808 static int em_lgdt_lidt(struct x86_emulate_ctxt *ctxt, bool lgdt)
3810 struct desc_ptr desc_ptr;
3813 if (ctxt->mode == X86EMUL_MODE_PROT64)
3815 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
3816 &desc_ptr.size, &desc_ptr.address,
3818 if (rc != X86EMUL_CONTINUE)
3820 if (ctxt->mode == X86EMUL_MODE_PROT64 &&
3821 emul_is_noncanonical_address(desc_ptr.address, ctxt))
3822 return emulate_gp(ctxt, 0);
3824 ctxt->ops->set_gdt(ctxt, &desc_ptr);
3826 ctxt->ops->set_idt(ctxt, &desc_ptr);
3827 /* Disable writeback. */
3828 ctxt->dst.type = OP_NONE;
3829 return X86EMUL_CONTINUE;
3832 static int em_lgdt(struct x86_emulate_ctxt *ctxt)
3834 return em_lgdt_lidt(ctxt, true);
3837 static int em_lidt(struct x86_emulate_ctxt *ctxt)
3839 return em_lgdt_lidt(ctxt, false);
3842 static int em_smsw(struct x86_emulate_ctxt *ctxt)
3844 if ((ctxt->ops->get_cr(ctxt, 4) & X86_CR4_UMIP) &&
3845 ctxt->ops->cpl(ctxt) > 0)
3846 return emulate_gp(ctxt, 0);
3848 if (ctxt->dst.type == OP_MEM)
3849 ctxt->dst.bytes = 2;
3850 ctxt->dst.val = ctxt->ops->get_cr(ctxt, 0);
3851 return X86EMUL_CONTINUE;
3854 static int em_lmsw(struct x86_emulate_ctxt *ctxt)
3856 ctxt->ops->set_cr(ctxt, 0, (ctxt->ops->get_cr(ctxt, 0) & ~0x0eul)
3857 | (ctxt->src.val & 0x0f));
3858 ctxt->dst.type = OP_NONE;
3859 return X86EMUL_CONTINUE;
3862 static int em_loop(struct x86_emulate_ctxt *ctxt)
3864 int rc = X86EMUL_CONTINUE;
3866 register_address_increment(ctxt, VCPU_REGS_RCX, -1);
3867 if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) &&
3868 (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
3869 rc = jmp_rel(ctxt, ctxt->src.val);
3874 static int em_jcxz(struct x86_emulate_ctxt *ctxt)
3876 int rc = X86EMUL_CONTINUE;
3878 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0)
3879 rc = jmp_rel(ctxt, ctxt->src.val);
3884 static int em_in(struct x86_emulate_ctxt *ctxt)
3886 if (!pio_in_emulated(ctxt, ctxt->dst.bytes, ctxt->src.val,
3888 return X86EMUL_IO_NEEDED;
3890 return X86EMUL_CONTINUE;
3893 static int em_out(struct x86_emulate_ctxt *ctxt)
3895 ctxt->ops->pio_out_emulated(ctxt, ctxt->src.bytes, ctxt->dst.val,
3897 /* Disable writeback. */
3898 ctxt->dst.type = OP_NONE;
3899 return X86EMUL_CONTINUE;
3902 static int em_cli(struct x86_emulate_ctxt *ctxt)
3904 if (emulator_bad_iopl(ctxt))
3905 return emulate_gp(ctxt, 0);
3907 ctxt->eflags &= ~X86_EFLAGS_IF;
3908 return X86EMUL_CONTINUE;
3911 static int em_sti(struct x86_emulate_ctxt *ctxt)
3913 if (emulator_bad_iopl(ctxt))
3914 return emulate_gp(ctxt, 0);
3916 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3917 ctxt->eflags |= X86_EFLAGS_IF;
3918 return X86EMUL_CONTINUE;
3921 static int em_cpuid(struct x86_emulate_ctxt *ctxt)
3923 u32 eax, ebx, ecx, edx;
3926 ctxt->ops->get_msr(ctxt, MSR_MISC_FEATURES_ENABLES, &msr);
3927 if (msr & MSR_MISC_FEATURES_ENABLES_CPUID_FAULT &&
3928 ctxt->ops->cpl(ctxt)) {
3929 return emulate_gp(ctxt, 0);
3932 eax = reg_read(ctxt, VCPU_REGS_RAX);
3933 ecx = reg_read(ctxt, VCPU_REGS_RCX);
3934 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, false);
3935 *reg_write(ctxt, VCPU_REGS_RAX) = eax;
3936 *reg_write(ctxt, VCPU_REGS_RBX) = ebx;
3937 *reg_write(ctxt, VCPU_REGS_RCX) = ecx;
3938 *reg_write(ctxt, VCPU_REGS_RDX) = edx;
3939 return X86EMUL_CONTINUE;
3942 static int em_sahf(struct x86_emulate_ctxt *ctxt)
3946 flags = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF | X86_EFLAGS_ZF |
3948 flags &= *reg_rmw(ctxt, VCPU_REGS_RAX) >> 8;
3950 ctxt->eflags &= ~0xffUL;
3951 ctxt->eflags |= flags | X86_EFLAGS_FIXED;
3952 return X86EMUL_CONTINUE;
3955 static int em_lahf(struct x86_emulate_ctxt *ctxt)
3957 *reg_rmw(ctxt, VCPU_REGS_RAX) &= ~0xff00UL;
3958 *reg_rmw(ctxt, VCPU_REGS_RAX) |= (ctxt->eflags & 0xff) << 8;
3959 return X86EMUL_CONTINUE;
3962 static int em_bswap(struct x86_emulate_ctxt *ctxt)
3964 switch (ctxt->op_bytes) {
3965 #ifdef CONFIG_X86_64
3967 asm("bswap %0" : "+r"(ctxt->dst.val));
3971 asm("bswap %0" : "+r"(*(u32 *)&ctxt->dst.val));
3974 return X86EMUL_CONTINUE;
3977 static int em_clflush(struct x86_emulate_ctxt *ctxt)
3979 /* emulating clflush regardless of cpuid */
3980 return X86EMUL_CONTINUE;
3983 static int em_clflushopt(struct x86_emulate_ctxt *ctxt)
3985 /* emulating clflushopt regardless of cpuid */
3986 return X86EMUL_CONTINUE;
3989 static int em_movsxd(struct x86_emulate_ctxt *ctxt)
3991 ctxt->dst.val = (s32) ctxt->src.val;
3992 return X86EMUL_CONTINUE;
3995 static int check_fxsr(struct x86_emulate_ctxt *ctxt)
3997 if (!ctxt->ops->guest_has_fxsr(ctxt))
3998 return emulate_ud(ctxt);
4000 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
4001 return emulate_nm(ctxt);
4004 * Don't emulate a case that should never be hit, instead of working
4005 * around a lack of fxsave64/fxrstor64 on old compilers.
4007 if (ctxt->mode >= X86EMUL_MODE_PROT64)
4008 return X86EMUL_UNHANDLEABLE;
4010 return X86EMUL_CONTINUE;
4014 * Hardware doesn't save and restore XMM 0-7 without CR4.OSFXSR, but does save
4015 * and restore MXCSR.
4017 static size_t __fxstate_size(int nregs)
4019 return offsetof(struct fxregs_state, xmm_space[0]) + nregs * 16;
4022 static inline size_t fxstate_size(struct x86_emulate_ctxt *ctxt)
4025 if (ctxt->mode == X86EMUL_MODE_PROT64)
4026 return __fxstate_size(16);
4028 cr4_osfxsr = ctxt->ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR;
4029 return __fxstate_size(cr4_osfxsr ? 8 : 0);
4033 * FXSAVE and FXRSTOR have 4 different formats depending on execution mode,
4036 * - like (1), but FIP and FDP (foo) are only 16 bit. At least Intel CPUs
4037 * preserve whole 32 bit values, though, so (1) and (2) are the same wrt.
4039 * 3) 64-bit mode with REX.W prefix
4040 * - like (2), but XMM 8-15 are being saved and restored
4041 * 4) 64-bit mode without REX.W prefix
4042 * - like (3), but FIP and FDP are 64 bit
4044 * Emulation uses (3) for (1) and (2) and preserves XMM 8-15 to reach the
4045 * desired result. (4) is not emulated.
4047 * Note: Guest and host CPUID.(EAX=07H,ECX=0H):EBX[bit 13] (deprecate FPU CS
4048 * and FPU DS) should match.
4050 static int em_fxsave(struct x86_emulate_ctxt *ctxt)
4052 struct fxregs_state fx_state;
4055 rc = check_fxsr(ctxt);
4056 if (rc != X86EMUL_CONTINUE)
4061 rc = asm_safe("fxsave %[fx]", , [fx] "+m"(fx_state));
4065 if (rc != X86EMUL_CONTINUE)
4068 return segmented_write_std(ctxt, ctxt->memop.addr.mem, &fx_state,
4069 fxstate_size(ctxt));
4073 * FXRSTOR might restore XMM registers not provided by the guest. Fill
4074 * in the host registers (via FXSAVE) instead, so they won't be modified.
4075 * (preemption has to stay disabled until FXRSTOR).
4077 * Use noinline to keep the stack for other functions called by callers small.
4079 static noinline int fxregs_fixup(struct fxregs_state *fx_state,
4080 const size_t used_size)
4082 struct fxregs_state fx_tmp;
4085 rc = asm_safe("fxsave %[fx]", , [fx] "+m"(fx_tmp));
4086 memcpy((void *)fx_state + used_size, (void *)&fx_tmp + used_size,
4087 __fxstate_size(16) - used_size);
4092 static int em_fxrstor(struct x86_emulate_ctxt *ctxt)
4094 struct fxregs_state fx_state;
4098 rc = check_fxsr(ctxt);
4099 if (rc != X86EMUL_CONTINUE)
4102 size = fxstate_size(ctxt);
4103 rc = segmented_read_std(ctxt, ctxt->memop.addr.mem, &fx_state, size);
4104 if (rc != X86EMUL_CONTINUE)
4109 if (size < __fxstate_size(16)) {
4110 rc = fxregs_fixup(&fx_state, size);
4111 if (rc != X86EMUL_CONTINUE)
4115 if (fx_state.mxcsr >> 16) {
4116 rc = emulate_gp(ctxt, 0);
4120 if (rc == X86EMUL_CONTINUE)
4121 rc = asm_safe("fxrstor %[fx]", : [fx] "m"(fx_state));
4129 static int em_xsetbv(struct x86_emulate_ctxt *ctxt)
4133 if (!(ctxt->ops->get_cr(ctxt, 4) & X86_CR4_OSXSAVE))
4134 return emulate_ud(ctxt);
4136 eax = reg_read(ctxt, VCPU_REGS_RAX);
4137 edx = reg_read(ctxt, VCPU_REGS_RDX);
4138 ecx = reg_read(ctxt, VCPU_REGS_RCX);
4140 if (ctxt->ops->set_xcr(ctxt, ecx, ((u64)edx << 32) | eax))
4141 return emulate_gp(ctxt, 0);
4143 return X86EMUL_CONTINUE;
4146 static bool valid_cr(int nr)
4158 static int check_cr_access(struct x86_emulate_ctxt *ctxt)
4160 if (!valid_cr(ctxt->modrm_reg))
4161 return emulate_ud(ctxt);
4163 return X86EMUL_CONTINUE;
4166 static int check_dr7_gd(struct x86_emulate_ctxt *ctxt)
4170 ctxt->ops->get_dr(ctxt, 7, &dr7);
4172 return dr7 & DR7_GD;
4175 static int check_dr_read(struct x86_emulate_ctxt *ctxt)
4177 int dr = ctxt->modrm_reg;
4181 return emulate_ud(ctxt);
4183 cr4 = ctxt->ops->get_cr(ctxt, 4);
4184 if ((cr4 & X86_CR4_DE) && (dr == 4 || dr == 5))
4185 return emulate_ud(ctxt);
4187 if (check_dr7_gd(ctxt)) {
4190 ctxt->ops->get_dr(ctxt, 6, &dr6);
4191 dr6 &= ~DR_TRAP_BITS;
4192 dr6 |= DR6_BD | DR6_ACTIVE_LOW;
4193 ctxt->ops->set_dr(ctxt, 6, dr6);
4194 return emulate_db(ctxt);
4197 return X86EMUL_CONTINUE;
4200 static int check_dr_write(struct x86_emulate_ctxt *ctxt)
4202 u64 new_val = ctxt->src.val64;
4203 int dr = ctxt->modrm_reg;
4205 if ((dr == 6 || dr == 7) && (new_val & 0xffffffff00000000ULL))
4206 return emulate_gp(ctxt, 0);
4208 return check_dr_read(ctxt);
4211 static int check_svme(struct x86_emulate_ctxt *ctxt)
4215 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
4217 if (!(efer & EFER_SVME))
4218 return emulate_ud(ctxt);
4220 return X86EMUL_CONTINUE;
4223 static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
4225 u64 rax = reg_read(ctxt, VCPU_REGS_RAX);
4227 /* Valid physical address? */
4228 if (rax & 0xffff000000000000ULL)
4229 return emulate_gp(ctxt, 0);
4231 return check_svme(ctxt);
4234 static int check_rdtsc(struct x86_emulate_ctxt *ctxt)
4236 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
4238 if (cr4 & X86_CR4_TSD && ctxt->ops->cpl(ctxt))
4239 return emulate_gp(ctxt, 0);
4241 return X86EMUL_CONTINUE;
4244 static int check_rdpmc(struct x86_emulate_ctxt *ctxt)
4246 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
4247 u64 rcx = reg_read(ctxt, VCPU_REGS_RCX);
4250 * VMware allows access to these Pseduo-PMCs even when read via RDPMC
4251 * in Ring3 when CR4.PCE=0.
4253 if (enable_vmware_backdoor && is_vmware_backdoor_pmc(rcx))
4254 return X86EMUL_CONTINUE;
4257 * If CR4.PCE is set, the SDM requires CPL=0 or CR0.PE=0. The CR0.PE
4258 * check however is unnecessary because CPL is always 0 outside
4261 if ((!(cr4 & X86_CR4_PCE) && ctxt->ops->cpl(ctxt)) ||
4262 ctxt->ops->check_pmc(ctxt, rcx))
4263 return emulate_gp(ctxt, 0);
4265 return X86EMUL_CONTINUE;
4268 static int check_perm_in(struct x86_emulate_ctxt *ctxt)
4270 ctxt->dst.bytes = min(ctxt->dst.bytes, 4u);
4271 if (!emulator_io_permited(ctxt, ctxt->src.val, ctxt->dst.bytes))
4272 return emulate_gp(ctxt, 0);
4274 return X86EMUL_CONTINUE;
4277 static int check_perm_out(struct x86_emulate_ctxt *ctxt)
4279 ctxt->src.bytes = min(ctxt->src.bytes, 4u);
4280 if (!emulator_io_permited(ctxt, ctxt->dst.val, ctxt->src.bytes))
4281 return emulate_gp(ctxt, 0);
4283 return X86EMUL_CONTINUE;
4286 #define D(_y) { .flags = (_y) }
4287 #define DI(_y, _i) { .flags = (_y)|Intercept, .intercept = x86_intercept_##_i }
4288 #define DIP(_y, _i, _p) { .flags = (_y)|Intercept|CheckPerm, \
4289 .intercept = x86_intercept_##_i, .check_perm = (_p) }
4290 #define N D(NotImpl)
4291 #define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
4292 #define G(_f, _g) { .flags = ((_f) | Group | ModRM), .u.group = (_g) }
4293 #define GD(_f, _g) { .flags = ((_f) | GroupDual | ModRM), .u.gdual = (_g) }
4294 #define ID(_f, _i) { .flags = ((_f) | InstrDual | ModRM), .u.idual = (_i) }
4295 #define MD(_f, _m) { .flags = ((_f) | ModeDual), .u.mdual = (_m) }
4296 #define E(_f, _e) { .flags = ((_f) | Escape | ModRM), .u.esc = (_e) }
4297 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
4298 #define F(_f, _e) { .flags = (_f) | Fastop, .u.fastop = (_e) }
4299 #define II(_f, _e, _i) \
4300 { .flags = (_f)|Intercept, .u.execute = (_e), .intercept = x86_intercept_##_i }
4301 #define IIP(_f, _e, _i, _p) \
4302 { .flags = (_f)|Intercept|CheckPerm, .u.execute = (_e), \
4303 .intercept = x86_intercept_##_i, .check_perm = (_p) }
4304 #define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
4306 #define D2bv(_f) D((_f) | ByteOp), D(_f)
4307 #define D2bvIP(_f, _i, _p) DIP((_f) | ByteOp, _i, _p), DIP(_f, _i, _p)
4308 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
4309 #define F2bv(_f, _e) F((_f) | ByteOp, _e), F(_f, _e)
4310 #define I2bvIP(_f, _e, _i, _p) \
4311 IIP((_f) | ByteOp, _e, _i, _p), IIP(_f, _e, _i, _p)
4313 #define F6ALU(_f, _e) F2bv((_f) | DstMem | SrcReg | ModRM, _e), \
4314 F2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock, _e), \
4315 F2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)
4317 static const struct opcode group7_rm0[] = {
4319 I(SrcNone | Priv | EmulateOnUD, em_hypercall),
4323 static const struct opcode group7_rm1[] = {
4324 DI(SrcNone | Priv, monitor),
4325 DI(SrcNone | Priv, mwait),
4329 static const struct opcode group7_rm2[] = {
4331 II(ImplicitOps | Priv, em_xsetbv, xsetbv),
4335 static const struct opcode group7_rm3[] = {
4336 DIP(SrcNone | Prot | Priv, vmrun, check_svme_pa),
4337 II(SrcNone | Prot | EmulateOnUD, em_hypercall, vmmcall),
4338 DIP(SrcNone | Prot | Priv, vmload, check_svme_pa),
4339 DIP(SrcNone | Prot | Priv, vmsave, check_svme_pa),
4340 DIP(SrcNone | Prot | Priv, stgi, check_svme),
4341 DIP(SrcNone | Prot | Priv, clgi, check_svme),
4342 DIP(SrcNone | Prot | Priv, skinit, check_svme),
4343 DIP(SrcNone | Prot | Priv, invlpga, check_svme),
4346 static const struct opcode group7_rm7[] = {
4348 DIP(SrcNone, rdtscp, check_rdtsc),
4352 static const struct opcode group1[] = {
4354 F(Lock | PageTable, em_or),
4357 F(Lock | PageTable, em_and),
4363 static const struct opcode group1A[] = {
4364 I(DstMem | SrcNone | Mov | Stack | IncSP | TwoMemOp, em_pop), N, N, N, N, N, N, N,
4367 static const struct opcode group2[] = {
4368 F(DstMem | ModRM, em_rol),
4369 F(DstMem | ModRM, em_ror),
4370 F(DstMem | ModRM, em_rcl),
4371 F(DstMem | ModRM, em_rcr),
4372 F(DstMem | ModRM, em_shl),
4373 F(DstMem | ModRM, em_shr),
4374 F(DstMem | ModRM, em_shl),
4375 F(DstMem | ModRM, em_sar),
4378 static const struct opcode group3[] = {
4379 F(DstMem | SrcImm | NoWrite, em_test),
4380 F(DstMem | SrcImm | NoWrite, em_test),
4381 F(DstMem | SrcNone | Lock, em_not),
4382 F(DstMem | SrcNone | Lock, em_neg),
4383 F(DstXacc | Src2Mem, em_mul_ex),
4384 F(DstXacc | Src2Mem, em_imul_ex),
4385 F(DstXacc | Src2Mem, em_div_ex),
4386 F(DstXacc | Src2Mem, em_idiv_ex),
4389 static const struct opcode group4[] = {
4390 F(ByteOp | DstMem | SrcNone | Lock, em_inc),
4391 F(ByteOp | DstMem | SrcNone | Lock, em_dec),
4395 static const struct opcode group5[] = {
4396 F(DstMem | SrcNone | Lock, em_inc),
4397 F(DstMem | SrcNone | Lock, em_dec),
4398 I(SrcMem | NearBranch | IsBranch, em_call_near_abs),
4399 I(SrcMemFAddr | ImplicitOps | IsBranch, em_call_far),
4400 I(SrcMem | NearBranch | IsBranch, em_jmp_abs),
4401 I(SrcMemFAddr | ImplicitOps | IsBranch, em_jmp_far),
4402 I(SrcMem | Stack | TwoMemOp, em_push), D(Undefined),
4405 static const struct opcode group6[] = {
4406 II(Prot | DstMem, em_sldt, sldt),
4407 II(Prot | DstMem, em_str, str),
4408 II(Prot | Priv | SrcMem16, em_lldt, lldt),
4409 II(Prot | Priv | SrcMem16, em_ltr, ltr),
4413 static const struct group_dual group7 = { {
4414 II(Mov | DstMem, em_sgdt, sgdt),
4415 II(Mov | DstMem, em_sidt, sidt),
4416 II(SrcMem | Priv, em_lgdt, lgdt),
4417 II(SrcMem | Priv, em_lidt, lidt),
4418 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
4419 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
4420 II(SrcMem | ByteOp | Priv | NoAccess, em_invlpg, invlpg),
4426 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
4427 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
4431 static const struct opcode group8[] = {
4433 F(DstMem | SrcImmByte | NoWrite, em_bt),
4434 F(DstMem | SrcImmByte | Lock | PageTable, em_bts),
4435 F(DstMem | SrcImmByte | Lock, em_btr),
4436 F(DstMem | SrcImmByte | Lock | PageTable, em_btc),
4440 * The "memory" destination is actually always a register, since we come
4441 * from the register case of group9.
4443 static const struct gprefix pfx_0f_c7_7 = {
4444 N, N, N, II(DstMem | ModRM | Op3264 | EmulateOnUD, em_rdpid, rdpid),
4448 static const struct group_dual group9 = { {
4449 N, I(DstMem64 | Lock | PageTable, em_cmpxchg8b), N, N, N, N, N, N,
4451 N, N, N, N, N, N, N,
4452 GP(0, &pfx_0f_c7_7),
4455 static const struct opcode group11[] = {
4456 I(DstMem | SrcImm | Mov | PageTable, em_mov),
4460 static const struct gprefix pfx_0f_ae_7 = {
4461 I(SrcMem | ByteOp, em_clflush), I(SrcMem | ByteOp, em_clflushopt), N, N,
4464 static const struct group_dual group15 = { {
4465 I(ModRM | Aligned16, em_fxsave),
4466 I(ModRM | Aligned16, em_fxrstor),
4467 N, N, N, N, N, GP(0, &pfx_0f_ae_7),
4469 N, N, N, N, N, N, N, N,
4472 static const struct gprefix pfx_0f_6f_0f_7f = {
4473 I(Mmx, em_mov), I(Sse | Aligned, em_mov), N, I(Sse | Unaligned, em_mov),
4476 static const struct instr_dual instr_dual_0f_2b = {
4480 static const struct gprefix pfx_0f_2b = {
4481 ID(0, &instr_dual_0f_2b), ID(0, &instr_dual_0f_2b), N, N,
4484 static const struct gprefix pfx_0f_10_0f_11 = {
4485 I(Unaligned, em_mov), I(Unaligned, em_mov), N, N,
4488 static const struct gprefix pfx_0f_28_0f_29 = {
4489 I(Aligned, em_mov), I(Aligned, em_mov), N, N,
4492 static const struct gprefix pfx_0f_e7 = {
4493 N, I(Sse, em_mov), N, N,
4496 static const struct escape escape_d9 = { {
4497 N, N, N, N, N, N, N, I(DstMem16 | Mov, em_fnstcw),
4500 N, N, N, N, N, N, N, N,
4502 N, N, N, N, N, N, N, N,
4504 N, N, N, N, N, N, N, N,
4506 N, N, N, N, N, N, N, N,
4508 N, N, N, N, N, N, N, N,
4510 N, N, N, N, N, N, N, N,
4512 N, N, N, N, N, N, N, N,
4514 N, N, N, N, N, N, N, N,
4517 static const struct escape escape_db = { {
4518 N, N, N, N, N, N, N, N,
4521 N, N, N, N, N, N, N, N,
4523 N, N, N, N, N, N, N, N,
4525 N, N, N, N, N, N, N, N,
4527 N, N, N, N, N, N, N, N,
4529 N, N, N, I(ImplicitOps, em_fninit), N, N, N, N,
4531 N, N, N, N, N, N, N, N,
4533 N, N, N, N, N, N, N, N,
4535 N, N, N, N, N, N, N, N,
4538 static const struct escape escape_dd = { {
4539 N, N, N, N, N, N, N, I(DstMem16 | Mov, em_fnstsw),
4542 N, N, N, N, N, N, N, N,
4544 N, N, N, N, N, N, N, N,
4546 N, N, N, N, N, N, N, N,
4548 N, N, N, N, N, N, N, N,
4550 N, N, N, N, N, N, N, N,
4552 N, N, N, N, N, N, N, N,
4554 N, N, N, N, N, N, N, N,
4556 N, N, N, N, N, N, N, N,
4559 static const struct instr_dual instr_dual_0f_c3 = {
4560 I(DstMem | SrcReg | ModRM | No16 | Mov, em_mov), N
4563 static const struct mode_dual mode_dual_63 = {
4564 N, I(DstReg | SrcMem32 | ModRM | Mov, em_movsxd)
4567 static const struct instr_dual instr_dual_8d = {
4568 D(DstReg | SrcMem | ModRM | NoAccess), N
4571 static const struct opcode opcode_table[256] = {
4573 F6ALU(Lock, em_add),
4574 I(ImplicitOps | Stack | No64 | Src2ES, em_push_sreg),
4575 I(ImplicitOps | Stack | No64 | Src2ES, em_pop_sreg),
4577 F6ALU(Lock | PageTable, em_or),
4578 I(ImplicitOps | Stack | No64 | Src2CS, em_push_sreg),
4581 F6ALU(Lock, em_adc),
4582 I(ImplicitOps | Stack | No64 | Src2SS, em_push_sreg),
4583 I(ImplicitOps | Stack | No64 | Src2SS, em_pop_sreg),
4585 F6ALU(Lock, em_sbb),
4586 I(ImplicitOps | Stack | No64 | Src2DS, em_push_sreg),
4587 I(ImplicitOps | Stack | No64 | Src2DS, em_pop_sreg),
4589 F6ALU(Lock | PageTable, em_and), N, N,
4591 F6ALU(Lock, em_sub), N, I(ByteOp | DstAcc | No64, em_das),
4593 F6ALU(Lock, em_xor), N, N,
4595 F6ALU(NoWrite, em_cmp), N, N,
4597 X8(F(DstReg, em_inc)), X8(F(DstReg, em_dec)),
4599 X8(I(SrcReg | Stack, em_push)),
4601 X8(I(DstReg | Stack, em_pop)),
4603 I(ImplicitOps | Stack | No64, em_pusha),
4604 I(ImplicitOps | Stack | No64, em_popa),
4605 N, MD(ModRM, &mode_dual_63),
4608 I(SrcImm | Mov | Stack, em_push),
4609 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
4610 I(SrcImmByte | Mov | Stack, em_push),
4611 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
4612 I2bvIP(DstDI | SrcDX | Mov | String | Unaligned, em_in, ins, check_perm_in), /* insb, insw/insd */
4613 I2bvIP(SrcSI | DstDX | String, em_out, outs, check_perm_out), /* outsb, outsw/outsd */
4615 X16(D(SrcImmByte | NearBranch | IsBranch)),
4617 G(ByteOp | DstMem | SrcImm, group1),
4618 G(DstMem | SrcImm, group1),
4619 G(ByteOp | DstMem | SrcImm | No64, group1),
4620 G(DstMem | SrcImmByte, group1),
4621 F2bv(DstMem | SrcReg | ModRM | NoWrite, em_test),
4622 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_xchg),
4624 I2bv(DstMem | SrcReg | ModRM | Mov | PageTable, em_mov),
4625 I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
4626 I(DstMem | SrcNone | ModRM | Mov | PageTable, em_mov_rm_sreg),
4627 ID(0, &instr_dual_8d),
4628 I(ImplicitOps | SrcMem16 | ModRM, em_mov_sreg_rm),
4631 DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)),
4633 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
4634 I(SrcImmFAddr | No64 | IsBranch, em_call_far), N,
4635 II(ImplicitOps | Stack, em_pushf, pushf),
4636 II(ImplicitOps | Stack, em_popf, popf),
4637 I(ImplicitOps, em_sahf), I(ImplicitOps, em_lahf),
4639 I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
4640 I2bv(DstMem | SrcAcc | Mov | MemAbs | PageTable, em_mov),
4641 I2bv(SrcSI | DstDI | Mov | String | TwoMemOp, em_mov),
4642 F2bv(SrcSI | DstDI | String | NoWrite | TwoMemOp, em_cmp_r),
4644 F2bv(DstAcc | SrcImm | NoWrite, em_test),
4645 I2bv(SrcAcc | DstDI | Mov | String, em_mov),
4646 I2bv(SrcSI | DstAcc | Mov | String, em_mov),
4647 F2bv(SrcAcc | DstDI | String | NoWrite, em_cmp_r),
4649 X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
4651 X8(I(DstReg | SrcImm64 | Mov, em_mov)),
4653 G(ByteOp | Src2ImmByte, group2), G(Src2ImmByte, group2),
4654 I(ImplicitOps | NearBranch | SrcImmU16 | IsBranch, em_ret_near_imm),
4655 I(ImplicitOps | NearBranch | IsBranch, em_ret),
4656 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2ES, em_lseg),
4657 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2DS, em_lseg),
4658 G(ByteOp, group11), G(0, group11),
4660 I(Stack | SrcImmU16 | Src2ImmByte | IsBranch, em_enter),
4661 I(Stack | IsBranch, em_leave),
4662 I(ImplicitOps | SrcImmU16 | IsBranch, em_ret_far_imm),
4663 I(ImplicitOps | IsBranch, em_ret_far),
4664 D(ImplicitOps | IsBranch), DI(SrcImmByte | IsBranch, intn),
4665 D(ImplicitOps | No64 | IsBranch),
4666 II(ImplicitOps | IsBranch, em_iret, iret),
4668 G(Src2One | ByteOp, group2), G(Src2One, group2),
4669 G(Src2CL | ByteOp, group2), G(Src2CL, group2),
4670 I(DstAcc | SrcImmUByte | No64, em_aam),
4671 I(DstAcc | SrcImmUByte | No64, em_aad),
4672 F(DstAcc | ByteOp | No64, em_salc),
4673 I(DstAcc | SrcXLat | ByteOp, em_mov),
4675 N, E(0, &escape_d9), N, E(0, &escape_db), N, E(0, &escape_dd), N, N,
4677 X3(I(SrcImmByte | NearBranch | IsBranch, em_loop)),
4678 I(SrcImmByte | NearBranch | IsBranch, em_jcxz),
4679 I2bvIP(SrcImmUByte | DstAcc, em_in, in, check_perm_in),
4680 I2bvIP(SrcAcc | DstImmUByte, em_out, out, check_perm_out),
4682 I(SrcImm | NearBranch | IsBranch, em_call),
4683 D(SrcImm | ImplicitOps | NearBranch | IsBranch),
4684 I(SrcImmFAddr | No64 | IsBranch, em_jmp_far),
4685 D(SrcImmByte | ImplicitOps | NearBranch | IsBranch),
4686 I2bvIP(SrcDX | DstAcc, em_in, in, check_perm_in),
4687 I2bvIP(SrcAcc | DstDX, em_out, out, check_perm_out),
4689 N, DI(ImplicitOps, icebp), N, N,
4690 DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
4691 G(ByteOp, group3), G(0, group3),
4693 D(ImplicitOps), D(ImplicitOps),
4694 I(ImplicitOps, em_cli), I(ImplicitOps, em_sti),
4695 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
4698 static const struct opcode twobyte_table[256] = {
4700 G(0, group6), GD(0, &group7), N, N,
4701 N, I(ImplicitOps | EmulateOnUD | IsBranch, em_syscall),
4702 II(ImplicitOps | Priv, em_clts, clts), N,
4703 DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
4704 N, D(ImplicitOps | ModRM | SrcMem | NoAccess), N, N,
4706 GP(ModRM | DstReg | SrcMem | Mov | Sse, &pfx_0f_10_0f_11),
4707 GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_10_0f_11),
4709 D(ImplicitOps | ModRM | SrcMem | NoAccess), /* 4 * prefetch + 4 * reserved NOP */
4710 D(ImplicitOps | ModRM | SrcMem | NoAccess), N, N,
4711 D(ImplicitOps | ModRM | SrcMem | NoAccess), /* 8 * reserved NOP */
4712 D(ImplicitOps | ModRM | SrcMem | NoAccess), /* 8 * reserved NOP */
4713 D(ImplicitOps | ModRM | SrcMem | NoAccess), /* 8 * reserved NOP */
4714 D(ImplicitOps | ModRM | SrcMem | NoAccess), /* NOP + 7 * reserved NOP */
4716 DIP(ModRM | DstMem | Priv | Op3264 | NoMod, cr_read, check_cr_access),
4717 DIP(ModRM | DstMem | Priv | Op3264 | NoMod, dr_read, check_dr_read),
4718 IIP(ModRM | SrcMem | Priv | Op3264 | NoMod, em_cr_write, cr_write,
4720 IIP(ModRM | SrcMem | Priv | Op3264 | NoMod, em_dr_write, dr_write,
4723 GP(ModRM | DstReg | SrcMem | Mov | Sse, &pfx_0f_28_0f_29),
4724 GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_28_0f_29),
4725 N, GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_2b),
4728 II(ImplicitOps | Priv, em_wrmsr, wrmsr),
4729 IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
4730 II(ImplicitOps | Priv, em_rdmsr, rdmsr),
4731 IIP(ImplicitOps, em_rdpmc, rdpmc, check_rdpmc),
4732 I(ImplicitOps | EmulateOnUD | IsBranch, em_sysenter),
4733 I(ImplicitOps | Priv | EmulateOnUD | IsBranch, em_sysexit),
4735 N, N, N, N, N, N, N, N,
4737 X16(D(DstReg | SrcMem | ModRM)),
4739 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4744 N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
4749 N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
4751 X16(D(SrcImm | NearBranch | IsBranch)),
4753 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
4755 I(Stack | Src2FS, em_push_sreg), I(Stack | Src2FS, em_pop_sreg),
4756 II(ImplicitOps, em_cpuid, cpuid),
4757 F(DstMem | SrcReg | ModRM | BitOp | NoWrite, em_bt),
4758 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shld),
4759 F(DstMem | SrcReg | Src2CL | ModRM, em_shld), N, N,
4761 I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg),
4762 II(EmulateOnUD | ImplicitOps, em_rsm, rsm),
4763 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
4764 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd),
4765 F(DstMem | SrcReg | Src2CL | ModRM, em_shrd),
4766 GD(0, &group15), F(DstReg | SrcMem | ModRM, em_imul),
4768 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable | SrcWrite, em_cmpxchg),
4769 I(DstReg | SrcMemFAddr | ModRM | Src2SS, em_lseg),
4770 F(DstMem | SrcReg | ModRM | BitOp | Lock, em_btr),
4771 I(DstReg | SrcMemFAddr | ModRM | Src2FS, em_lseg),
4772 I(DstReg | SrcMemFAddr | ModRM | Src2GS, em_lseg),
4773 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4777 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_btc),
4778 I(DstReg | SrcMem | ModRM, em_bsf_c),
4779 I(DstReg | SrcMem | ModRM, em_bsr_c),
4780 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4782 F2bv(DstMem | SrcReg | ModRM | SrcWrite | Lock, em_xadd),
4783 N, ID(0, &instr_dual_0f_c3),
4784 N, N, N, GD(0, &group9),
4786 X8(I(DstReg, em_bswap)),
4788 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4790 N, N, N, N, N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_e7),
4791 N, N, N, N, N, N, N, N,
4793 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
4796 static const struct instr_dual instr_dual_0f_38_f0 = {
4797 I(DstReg | SrcMem | Mov, em_movbe), N
4800 static const struct instr_dual instr_dual_0f_38_f1 = {
4801 I(DstMem | SrcReg | Mov, em_movbe), N
4804 static const struct gprefix three_byte_0f_38_f0 = {
4805 ID(0, &instr_dual_0f_38_f0), N, N, N
4808 static const struct gprefix three_byte_0f_38_f1 = {
4809 ID(0, &instr_dual_0f_38_f1), N, N, N
4813 * Insns below are selected by the prefix which indexed by the third opcode
4816 static const struct opcode opcode_map_0f_38[256] = {
4818 X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
4820 X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
4822 GP(EmulateOnUD | ModRM, &three_byte_0f_38_f0),
4823 GP(EmulateOnUD | ModRM, &three_byte_0f_38_f1),
4844 static unsigned imm_size(struct x86_emulate_ctxt *ctxt)
4848 size = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4854 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
4855 unsigned size, bool sign_extension)
4857 int rc = X86EMUL_CONTINUE;
4861 op->addr.mem.ea = ctxt->_eip;
4862 /* NB. Immediates are sign-extended as necessary. */
4863 switch (op->bytes) {
4865 op->val = insn_fetch(s8, ctxt);
4868 op->val = insn_fetch(s16, ctxt);
4871 op->val = insn_fetch(s32, ctxt);
4874 op->val = insn_fetch(s64, ctxt);
4877 if (!sign_extension) {
4878 switch (op->bytes) {
4886 op->val &= 0xffffffff;
4894 static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
4897 int rc = X86EMUL_CONTINUE;
4901 decode_register_operand(ctxt, op);
4904 rc = decode_imm(ctxt, op, 1, false);
4907 ctxt->memop.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4911 if (ctxt->d & BitOp)
4912 fetch_bit_operand(ctxt);
4913 op->orig_val = op->val;
4916 ctxt->memop.bytes = (ctxt->op_bytes == 8) ? 16 : 8;
4920 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4921 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4922 fetch_register_operand(op);
4923 op->orig_val = op->val;
4927 op->bytes = (ctxt->d & ByteOp) ? 2 : ctxt->op_bytes;
4928 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4929 fetch_register_operand(op);
4930 op->orig_val = op->val;
4933 if (ctxt->d & ByteOp) {
4938 op->bytes = ctxt->op_bytes;
4939 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4940 fetch_register_operand(op);
4941 op->orig_val = op->val;
4945 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4947 register_address(ctxt, VCPU_REGS_RDI);
4948 op->addr.mem.seg = VCPU_SREG_ES;
4955 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4956 fetch_register_operand(op);
4961 op->val = reg_read(ctxt, VCPU_REGS_RCX) & 0xff;
4964 rc = decode_imm(ctxt, op, 1, true);
4972 rc = decode_imm(ctxt, op, imm_size(ctxt), true);
4975 rc = decode_imm(ctxt, op, ctxt->op_bytes, true);
4978 ctxt->memop.bytes = 1;
4979 if (ctxt->memop.type == OP_REG) {
4980 ctxt->memop.addr.reg = decode_register(ctxt,
4981 ctxt->modrm_rm, true);
4982 fetch_register_operand(&ctxt->memop);
4986 ctxt->memop.bytes = 2;
4989 ctxt->memop.bytes = 4;
4992 rc = decode_imm(ctxt, op, 2, false);
4995 rc = decode_imm(ctxt, op, imm_size(ctxt), false);
4999 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
5001 register_address(ctxt, VCPU_REGS_RSI);
5002 op->addr.mem.seg = ctxt->seg_override;
5008 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
5011 reg_read(ctxt, VCPU_REGS_RBX) +
5012 (reg_read(ctxt, VCPU_REGS_RAX) & 0xff));
5013 op->addr.mem.seg = ctxt->seg_override;
5018 op->addr.mem.ea = ctxt->_eip;
5019 op->bytes = ctxt->op_bytes + 2;
5020 insn_fetch_arr(op->valptr, op->bytes, ctxt);
5023 ctxt->memop.bytes = ctxt->op_bytes + 2;
5027 op->val = VCPU_SREG_ES;
5031 op->val = VCPU_SREG_CS;
5035 op->val = VCPU_SREG_SS;
5039 op->val = VCPU_SREG_DS;
5043 op->val = VCPU_SREG_FS;
5047 op->val = VCPU_SREG_GS;
5050 /* Special instructions do their own operand decoding. */
5052 op->type = OP_NONE; /* Disable writeback. */
5060 int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len, int emulation_type)
5062 int rc = X86EMUL_CONTINUE;
5063 int mode = ctxt->mode;
5064 int def_op_bytes, def_ad_bytes, goffset, simd_prefix;
5065 bool op_prefix = false;
5066 bool has_seg_override = false;
5067 struct opcode opcode;
5069 struct desc_struct desc;
5071 ctxt->memop.type = OP_NONE;
5072 ctxt->memopp = NULL;
5073 ctxt->_eip = ctxt->eip;
5074 ctxt->fetch.ptr = ctxt->fetch.data;
5075 ctxt->fetch.end = ctxt->fetch.data + insn_len;
5076 ctxt->opcode_len = 1;
5077 ctxt->intercept = x86_intercept_none;
5079 memcpy(ctxt->fetch.data, insn, insn_len);
5081 rc = __do_insn_fetch_bytes(ctxt, 1);
5082 if (rc != X86EMUL_CONTINUE)
5087 case X86EMUL_MODE_REAL:
5088 case X86EMUL_MODE_VM86:
5089 def_op_bytes = def_ad_bytes = 2;
5090 ctxt->ops->get_segment(ctxt, &dummy, &desc, NULL, VCPU_SREG_CS);
5092 def_op_bytes = def_ad_bytes = 4;
5094 case X86EMUL_MODE_PROT16:
5095 def_op_bytes = def_ad_bytes = 2;
5097 case X86EMUL_MODE_PROT32:
5098 def_op_bytes = def_ad_bytes = 4;
5100 #ifdef CONFIG_X86_64
5101 case X86EMUL_MODE_PROT64:
5107 return EMULATION_FAILED;
5110 ctxt->op_bytes = def_op_bytes;
5111 ctxt->ad_bytes = def_ad_bytes;
5113 /* Legacy prefixes. */
5115 switch (ctxt->b = insn_fetch(u8, ctxt)) {
5116 case 0x66: /* operand-size override */
5118 /* switch between 2/4 bytes */
5119 ctxt->op_bytes = def_op_bytes ^ 6;
5121 case 0x67: /* address-size override */
5122 if (mode == X86EMUL_MODE_PROT64)
5123 /* switch between 4/8 bytes */
5124 ctxt->ad_bytes = def_ad_bytes ^ 12;
5126 /* switch between 2/4 bytes */
5127 ctxt->ad_bytes = def_ad_bytes ^ 6;
5129 case 0x26: /* ES override */
5130 has_seg_override = true;
5131 ctxt->seg_override = VCPU_SREG_ES;
5133 case 0x2e: /* CS override */
5134 has_seg_override = true;
5135 ctxt->seg_override = VCPU_SREG_CS;
5137 case 0x36: /* SS override */
5138 has_seg_override = true;
5139 ctxt->seg_override = VCPU_SREG_SS;
5141 case 0x3e: /* DS override */
5142 has_seg_override = true;
5143 ctxt->seg_override = VCPU_SREG_DS;
5145 case 0x64: /* FS override */
5146 has_seg_override = true;
5147 ctxt->seg_override = VCPU_SREG_FS;
5149 case 0x65: /* GS override */
5150 has_seg_override = true;
5151 ctxt->seg_override = VCPU_SREG_GS;
5153 case 0x40 ... 0x4f: /* REX */
5154 if (mode != X86EMUL_MODE_PROT64)
5156 ctxt->rex_prefix = ctxt->b;
5158 case 0xf0: /* LOCK */
5159 ctxt->lock_prefix = 1;
5161 case 0xf2: /* REPNE/REPNZ */
5162 case 0xf3: /* REP/REPE/REPZ */
5163 ctxt->rep_prefix = ctxt->b;
5169 /* Any legacy prefix after a REX prefix nullifies its effect. */
5171 ctxt->rex_prefix = 0;
5177 if (ctxt->rex_prefix & 8)
5178 ctxt->op_bytes = 8; /* REX.W */
5180 /* Opcode byte(s). */
5181 opcode = opcode_table[ctxt->b];
5182 /* Two-byte opcode? */
5183 if (ctxt->b == 0x0f) {
5184 ctxt->opcode_len = 2;
5185 ctxt->b = insn_fetch(u8, ctxt);
5186 opcode = twobyte_table[ctxt->b];
5188 /* 0F_38 opcode map */
5189 if (ctxt->b == 0x38) {
5190 ctxt->opcode_len = 3;
5191 ctxt->b = insn_fetch(u8, ctxt);
5192 opcode = opcode_map_0f_38[ctxt->b];
5195 ctxt->d = opcode.flags;
5197 if (ctxt->d & ModRM)
5198 ctxt->modrm = insn_fetch(u8, ctxt);
5200 /* vex-prefix instructions are not implemented */
5201 if (ctxt->opcode_len == 1 && (ctxt->b == 0xc5 || ctxt->b == 0xc4) &&
5202 (mode == X86EMUL_MODE_PROT64 || (ctxt->modrm & 0xc0) == 0xc0)) {
5206 while (ctxt->d & GroupMask) {
5207 switch (ctxt->d & GroupMask) {
5209 goffset = (ctxt->modrm >> 3) & 7;
5210 opcode = opcode.u.group[goffset];
5213 goffset = (ctxt->modrm >> 3) & 7;
5214 if ((ctxt->modrm >> 6) == 3)
5215 opcode = opcode.u.gdual->mod3[goffset];
5217 opcode = opcode.u.gdual->mod012[goffset];
5220 goffset = ctxt->modrm & 7;
5221 opcode = opcode.u.group[goffset];
5224 if (ctxt->rep_prefix && op_prefix)
5225 return EMULATION_FAILED;
5226 simd_prefix = op_prefix ? 0x66 : ctxt->rep_prefix;
5227 switch (simd_prefix) {
5228 case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
5229 case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
5230 case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
5231 case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
5235 if (ctxt->modrm > 0xbf) {
5236 size_t size = ARRAY_SIZE(opcode.u.esc->high);
5237 u32 index = array_index_nospec(
5238 ctxt->modrm - 0xc0, size);
5240 opcode = opcode.u.esc->high[index];
5242 opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7];
5246 if ((ctxt->modrm >> 6) == 3)
5247 opcode = opcode.u.idual->mod3;
5249 opcode = opcode.u.idual->mod012;
5252 if (ctxt->mode == X86EMUL_MODE_PROT64)
5253 opcode = opcode.u.mdual->mode64;
5255 opcode = opcode.u.mdual->mode32;
5258 return EMULATION_FAILED;
5261 ctxt->d &= ~(u64)GroupMask;
5262 ctxt->d |= opcode.flags;
5265 ctxt->is_branch = opcode.flags & IsBranch;
5269 return EMULATION_FAILED;
5271 ctxt->execute = opcode.u.execute;
5273 if (unlikely(emulation_type & EMULTYPE_TRAP_UD) &&
5274 likely(!(ctxt->d & EmulateOnUD)))
5275 return EMULATION_FAILED;
5277 if (unlikely(ctxt->d &
5278 (NotImpl|Stack|Op3264|Sse|Mmx|Intercept|CheckPerm|NearBranch|
5281 * These are copied unconditionally here, and checked unconditionally
5282 * in x86_emulate_insn.
5284 ctxt->check_perm = opcode.check_perm;
5285 ctxt->intercept = opcode.intercept;
5287 if (ctxt->d & NotImpl)
5288 return EMULATION_FAILED;
5290 if (mode == X86EMUL_MODE_PROT64) {
5291 if (ctxt->op_bytes == 4 && (ctxt->d & Stack))
5293 else if (ctxt->d & NearBranch)
5297 if (ctxt->d & Op3264) {
5298 if (mode == X86EMUL_MODE_PROT64)
5304 if ((ctxt->d & No16) && ctxt->op_bytes == 2)
5308 ctxt->op_bytes = 16;
5309 else if (ctxt->d & Mmx)
5313 /* ModRM and SIB bytes. */
5314 if (ctxt->d & ModRM) {
5315 rc = decode_modrm(ctxt, &ctxt->memop);
5316 if (!has_seg_override) {
5317 has_seg_override = true;
5318 ctxt->seg_override = ctxt->modrm_seg;
5320 } else if (ctxt->d & MemAbs)
5321 rc = decode_abs(ctxt, &ctxt->memop);
5322 if (rc != X86EMUL_CONTINUE)
5325 if (!has_seg_override)
5326 ctxt->seg_override = VCPU_SREG_DS;
5328 ctxt->memop.addr.mem.seg = ctxt->seg_override;
5331 * Decode and fetch the source operand: register, memory
5334 rc = decode_operand(ctxt, &ctxt->src, (ctxt->d >> SrcShift) & OpMask);
5335 if (rc != X86EMUL_CONTINUE)
5339 * Decode and fetch the second source operand: register, memory
5342 rc = decode_operand(ctxt, &ctxt->src2, (ctxt->d >> Src2Shift) & OpMask);
5343 if (rc != X86EMUL_CONTINUE)
5346 /* Decode and fetch the destination operand: register or memory. */
5347 rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
5349 if (ctxt->rip_relative && likely(ctxt->memopp))
5350 ctxt->memopp->addr.mem.ea = address_mask(ctxt,
5351 ctxt->memopp->addr.mem.ea + ctxt->_eip);
5354 if (rc == X86EMUL_PROPAGATE_FAULT)
5355 ctxt->have_exception = true;
5356 return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
5359 bool x86_page_table_writing_insn(struct x86_emulate_ctxt *ctxt)
5361 return ctxt->d & PageTable;
5364 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
5366 /* The second termination condition only applies for REPE
5367 * and REPNE. Test if the repeat string operation prefix is
5368 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
5369 * corresponding termination condition according to:
5370 * - if REPE/REPZ and ZF = 0 then done
5371 * - if REPNE/REPNZ and ZF = 1 then done
5373 if (((ctxt->b == 0xa6) || (ctxt->b == 0xa7) ||
5374 (ctxt->b == 0xae) || (ctxt->b == 0xaf))
5375 && (((ctxt->rep_prefix == REPE_PREFIX) &&
5376 ((ctxt->eflags & X86_EFLAGS_ZF) == 0))
5377 || ((ctxt->rep_prefix == REPNE_PREFIX) &&
5378 ((ctxt->eflags & X86_EFLAGS_ZF) == X86_EFLAGS_ZF))))
5384 static int flush_pending_x87_faults(struct x86_emulate_ctxt *ctxt)
5389 rc = asm_safe("fwait");
5392 if (unlikely(rc != X86EMUL_CONTINUE))
5393 return emulate_exception(ctxt, MF_VECTOR, 0, false);
5395 return X86EMUL_CONTINUE;
5398 static void fetch_possible_mmx_operand(struct operand *op)
5400 if (op->type == OP_MM)
5401 kvm_read_mmx_reg(op->addr.mm, &op->mm_val);
5404 static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop)
5406 ulong flags = (ctxt->eflags & EFLAGS_MASK) | X86_EFLAGS_IF;
5408 if (!(ctxt->d & ByteOp))
5409 fop += __ffs(ctxt->dst.bytes) * FASTOP_SIZE;
5411 asm("push %[flags]; popf; " CALL_NOSPEC " ; pushf; pop %[flags]\n"
5412 : "+a"(ctxt->dst.val), "+d"(ctxt->src.val), [flags]"+D"(flags),
5413 [thunk_target]"+S"(fop), ASM_CALL_CONSTRAINT
5414 : "c"(ctxt->src2.val));
5416 ctxt->eflags = (ctxt->eflags & ~EFLAGS_MASK) | (flags & EFLAGS_MASK);
5417 if (!fop) /* exception is returned in fop variable */
5418 return emulate_de(ctxt);
5419 return X86EMUL_CONTINUE;
5422 void init_decode_cache(struct x86_emulate_ctxt *ctxt)
5424 /* Clear fields that are set conditionally but read without a guard. */
5425 ctxt->rip_relative = false;
5426 ctxt->rex_prefix = 0;
5427 ctxt->lock_prefix = 0;
5428 ctxt->rep_prefix = 0;
5429 ctxt->regs_valid = 0;
5430 ctxt->regs_dirty = 0;
5432 ctxt->io_read.pos = 0;
5433 ctxt->io_read.end = 0;
5434 ctxt->mem_read.end = 0;
5437 int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
5439 const struct x86_emulate_ops *ops = ctxt->ops;
5440 int rc = X86EMUL_CONTINUE;
5441 int saved_dst_type = ctxt->dst.type;
5442 unsigned emul_flags;
5444 ctxt->mem_read.pos = 0;
5446 /* LOCK prefix is allowed only with some instructions */
5447 if (ctxt->lock_prefix && (!(ctxt->d & Lock) || ctxt->dst.type != OP_MEM)) {
5448 rc = emulate_ud(ctxt);
5452 if ((ctxt->d & SrcMask) == SrcMemFAddr && ctxt->src.type != OP_MEM) {
5453 rc = emulate_ud(ctxt);
5457 emul_flags = ctxt->ops->get_hflags(ctxt);
5458 if (unlikely(ctxt->d &
5459 (No64|Undefined|Sse|Mmx|Intercept|CheckPerm|Priv|Prot|String))) {
5460 if ((ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) ||
5461 (ctxt->d & Undefined)) {
5462 rc = emulate_ud(ctxt);
5466 if (((ctxt->d & (Sse|Mmx)) && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)))
5467 || ((ctxt->d & Sse) && !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
5468 rc = emulate_ud(ctxt);
5472 if ((ctxt->d & (Sse|Mmx)) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
5473 rc = emulate_nm(ctxt);
5477 if (ctxt->d & Mmx) {
5478 rc = flush_pending_x87_faults(ctxt);
5479 if (rc != X86EMUL_CONTINUE)
5482 * Now that we know the fpu is exception safe, we can fetch
5485 fetch_possible_mmx_operand(&ctxt->src);
5486 fetch_possible_mmx_operand(&ctxt->src2);
5487 if (!(ctxt->d & Mov))
5488 fetch_possible_mmx_operand(&ctxt->dst);
5491 if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && ctxt->intercept) {
5492 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5493 X86_ICPT_PRE_EXCEPT);
5494 if (rc != X86EMUL_CONTINUE)
5498 /* Instruction can only be executed in protected mode */
5499 if ((ctxt->d & Prot) && ctxt->mode < X86EMUL_MODE_PROT16) {
5500 rc = emulate_ud(ctxt);
5504 /* Privileged instruction can be executed only in CPL=0 */
5505 if ((ctxt->d & Priv) && ops->cpl(ctxt)) {
5506 if (ctxt->d & PrivUD)
5507 rc = emulate_ud(ctxt);
5509 rc = emulate_gp(ctxt, 0);
5513 /* Do instruction specific permission checks */
5514 if (ctxt->d & CheckPerm) {
5515 rc = ctxt->check_perm(ctxt);
5516 if (rc != X86EMUL_CONTINUE)
5520 if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
5521 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5522 X86_ICPT_POST_EXCEPT);
5523 if (rc != X86EMUL_CONTINUE)
5527 if (ctxt->rep_prefix && (ctxt->d & String)) {
5528 /* All REP prefixes have the same first termination condition */
5529 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0) {
5530 string_registers_quirk(ctxt);
5531 ctxt->eip = ctxt->_eip;
5532 ctxt->eflags &= ~X86_EFLAGS_RF;
5538 if ((ctxt->src.type == OP_MEM) && !(ctxt->d & NoAccess)) {
5539 rc = segmented_read(ctxt, ctxt->src.addr.mem,
5540 ctxt->src.valptr, ctxt->src.bytes);
5541 if (rc != X86EMUL_CONTINUE)
5543 ctxt->src.orig_val64 = ctxt->src.val64;
5546 if (ctxt->src2.type == OP_MEM) {
5547 rc = segmented_read(ctxt, ctxt->src2.addr.mem,
5548 &ctxt->src2.val, ctxt->src2.bytes);
5549 if (rc != X86EMUL_CONTINUE)
5553 if ((ctxt->d & DstMask) == ImplicitOps)
5557 if ((ctxt->dst.type == OP_MEM) && !(ctxt->d & Mov)) {
5558 /* optimisation - avoid slow emulated read if Mov */
5559 rc = segmented_read(ctxt, ctxt->dst.addr.mem,
5560 &ctxt->dst.val, ctxt->dst.bytes);
5561 if (rc != X86EMUL_CONTINUE) {
5562 if (!(ctxt->d & NoWrite) &&
5563 rc == X86EMUL_PROPAGATE_FAULT &&
5564 ctxt->exception.vector == PF_VECTOR)
5565 ctxt->exception.error_code |= PFERR_WRITE_MASK;
5569 /* Copy full 64-bit value for CMPXCHG8B. */
5570 ctxt->dst.orig_val64 = ctxt->dst.val64;
5574 if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
5575 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5576 X86_ICPT_POST_MEMACCESS);
5577 if (rc != X86EMUL_CONTINUE)
5581 if (ctxt->rep_prefix && (ctxt->d & String))
5582 ctxt->eflags |= X86_EFLAGS_RF;
5584 ctxt->eflags &= ~X86_EFLAGS_RF;
5586 if (ctxt->execute) {
5587 if (ctxt->d & Fastop)
5588 rc = fastop(ctxt, ctxt->fop);
5590 rc = ctxt->execute(ctxt);
5591 if (rc != X86EMUL_CONTINUE)
5596 if (ctxt->opcode_len == 2)
5598 else if (ctxt->opcode_len == 3)
5599 goto threebyte_insn;
5602 case 0x70 ... 0x7f: /* jcc (short) */
5603 if (test_cc(ctxt->b, ctxt->eflags))
5604 rc = jmp_rel(ctxt, ctxt->src.val);
5606 case 0x8d: /* lea r16/r32, m */
5607 ctxt->dst.val = ctxt->src.addr.mem.ea;
5609 case 0x90 ... 0x97: /* nop / xchg reg, rax */
5610 if (ctxt->dst.addr.reg == reg_rmw(ctxt, VCPU_REGS_RAX))
5611 ctxt->dst.type = OP_NONE;
5615 case 0x98: /* cbw/cwde/cdqe */
5616 switch (ctxt->op_bytes) {
5617 case 2: ctxt->dst.val = (s8)ctxt->dst.val; break;
5618 case 4: ctxt->dst.val = (s16)ctxt->dst.val; break;
5619 case 8: ctxt->dst.val = (s32)ctxt->dst.val; break;
5622 case 0xcc: /* int3 */
5623 rc = emulate_int(ctxt, 3);
5625 case 0xcd: /* int n */
5626 rc = emulate_int(ctxt, ctxt->src.val);
5628 case 0xce: /* into */
5629 if (ctxt->eflags & X86_EFLAGS_OF)
5630 rc = emulate_int(ctxt, 4);
5632 case 0xe9: /* jmp rel */
5633 case 0xeb: /* jmp rel short */
5634 rc = jmp_rel(ctxt, ctxt->src.val);
5635 ctxt->dst.type = OP_NONE; /* Disable writeback. */
5637 case 0xf4: /* hlt */
5638 ctxt->ops->halt(ctxt);
5640 case 0xf5: /* cmc */
5641 /* complement carry flag from eflags reg */
5642 ctxt->eflags ^= X86_EFLAGS_CF;
5644 case 0xf8: /* clc */
5645 ctxt->eflags &= ~X86_EFLAGS_CF;
5647 case 0xf9: /* stc */
5648 ctxt->eflags |= X86_EFLAGS_CF;
5650 case 0xfc: /* cld */
5651 ctxt->eflags &= ~X86_EFLAGS_DF;
5653 case 0xfd: /* std */
5654 ctxt->eflags |= X86_EFLAGS_DF;
5657 goto cannot_emulate;
5660 if (rc != X86EMUL_CONTINUE)
5664 if (ctxt->d & SrcWrite) {
5665 BUG_ON(ctxt->src.type == OP_MEM || ctxt->src.type == OP_MEM_STR);
5666 rc = writeback(ctxt, &ctxt->src);
5667 if (rc != X86EMUL_CONTINUE)
5670 if (!(ctxt->d & NoWrite)) {
5671 rc = writeback(ctxt, &ctxt->dst);
5672 if (rc != X86EMUL_CONTINUE)
5677 * restore dst type in case the decoding will be reused
5678 * (happens for string instruction )
5680 ctxt->dst.type = saved_dst_type;
5682 if ((ctxt->d & SrcMask) == SrcSI)
5683 string_addr_inc(ctxt, VCPU_REGS_RSI, &ctxt->src);
5685 if ((ctxt->d & DstMask) == DstDI)
5686 string_addr_inc(ctxt, VCPU_REGS_RDI, &ctxt->dst);
5688 if (ctxt->rep_prefix && (ctxt->d & String)) {
5690 struct read_cache *r = &ctxt->io_read;
5691 if ((ctxt->d & SrcMask) == SrcSI)
5692 count = ctxt->src.count;
5694 count = ctxt->dst.count;
5695 register_address_increment(ctxt, VCPU_REGS_RCX, -count);
5697 if (!string_insn_completed(ctxt)) {
5699 * Re-enter guest when pio read ahead buffer is empty
5700 * or, if it is not used, after each 1024 iteration.
5702 if ((r->end != 0 || reg_read(ctxt, VCPU_REGS_RCX) & 0x3ff) &&
5703 (r->end == 0 || r->end != r->pos)) {
5705 * Reset read cache. Usually happens before
5706 * decode, but since instruction is restarted
5707 * we have to do it here.
5709 ctxt->mem_read.end = 0;
5710 writeback_registers(ctxt);
5711 return EMULATION_RESTART;
5713 goto done; /* skip rip writeback */
5715 ctxt->eflags &= ~X86_EFLAGS_RF;
5718 ctxt->eip = ctxt->_eip;
5719 if (ctxt->mode != X86EMUL_MODE_PROT64)
5720 ctxt->eip = (u32)ctxt->_eip;
5723 if (rc == X86EMUL_PROPAGATE_FAULT) {
5724 if (KVM_EMULATOR_BUG_ON(ctxt->exception.vector > 0x1f, ctxt))
5725 return EMULATION_FAILED;
5726 ctxt->have_exception = true;
5728 if (rc == X86EMUL_INTERCEPTED)
5729 return EMULATION_INTERCEPTED;
5731 if (rc == X86EMUL_CONTINUE)
5732 writeback_registers(ctxt);
5734 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
5738 case 0x09: /* wbinvd */
5739 (ctxt->ops->wbinvd)(ctxt);
5741 case 0x08: /* invd */
5742 case 0x0d: /* GrpP (prefetch) */
5743 case 0x18: /* Grp16 (prefetch/nop) */
5744 case 0x1f: /* nop */
5746 case 0x20: /* mov cr, reg */
5747 ctxt->dst.val = ops->get_cr(ctxt, ctxt->modrm_reg);
5749 case 0x21: /* mov from dr to reg */
5750 ops->get_dr(ctxt, ctxt->modrm_reg, &ctxt->dst.val);
5752 case 0x40 ... 0x4f: /* cmov */
5753 if (test_cc(ctxt->b, ctxt->eflags))
5754 ctxt->dst.val = ctxt->src.val;
5755 else if (ctxt->op_bytes != 4)
5756 ctxt->dst.type = OP_NONE; /* no writeback */
5758 case 0x80 ... 0x8f: /* jnz rel, etc*/
5759 if (test_cc(ctxt->b, ctxt->eflags))
5760 rc = jmp_rel(ctxt, ctxt->src.val);
5762 case 0x90 ... 0x9f: /* setcc r/m8 */
5763 ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
5765 case 0xb6 ... 0xb7: /* movzx */
5766 ctxt->dst.bytes = ctxt->op_bytes;
5767 ctxt->dst.val = (ctxt->src.bytes == 1) ? (u8) ctxt->src.val
5768 : (u16) ctxt->src.val;
5770 case 0xbe ... 0xbf: /* movsx */
5771 ctxt->dst.bytes = ctxt->op_bytes;
5772 ctxt->dst.val = (ctxt->src.bytes == 1) ? (s8) ctxt->src.val :
5773 (s16) ctxt->src.val;
5776 goto cannot_emulate;
5781 if (rc != X86EMUL_CONTINUE)
5787 return EMULATION_FAILED;
5790 void emulator_invalidate_register_cache(struct x86_emulate_ctxt *ctxt)
5792 invalidate_registers(ctxt);
5795 void emulator_writeback_register_cache(struct x86_emulate_ctxt *ctxt)
5797 writeback_registers(ctxt);
5800 bool emulator_can_use_gpa(struct x86_emulate_ctxt *ctxt)
5802 if (ctxt->rep_prefix && (ctxt->d & String))
5805 if (ctxt->d & TwoMemOp)
projects / platform / kernel / linux-starfive.git / blob