search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
KVM: x86 emulator: make (get|set)_dr() callback return error if it fails
[linux-2.6/btrfs-unstable.git] / arch / x86 / kvm / emulate.c
blobd5979ecc2521cc70231792ba31b074e528ad9485
1 /******************************************************************************
2 * emulate.c
3 *
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5 *
6 * Copyright (c) 2005 Keir Fraser
7 *
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
10 *
11 * Copyright (C) 2006 Qumranet
12 *
13 * Avi Kivity <avi@qumranet.com>
14 * Yaniv Kamay <yaniv@qumranet.com>
15 *
16 * This work is licensed under the terms of the GNU GPL, version 2. See
17 * the COPYING file in the top-level directory.
18 *
19 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
20 */
21
22 #ifndef __KERNEL__
23 #include <stdio.h>
24 #include <stdint.h>
25 #include <public/xen.h>
26 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
27 #else
28 #include <linux/kvm_host.h>
29 #include "kvm_cache_regs.h"
30 #define DPRINTF(x...) do {} while (0)
31 #endif
32 #include <linux/module.h>
33 #include <asm/kvm_emulate.h>
34
35 #include "x86.h"
36 #include "tss.h"
37
38 /*
39 * Opcode effective-address decode tables.
40 * Note that we only emulate instructions that have at least one memory
41 * operand (excluding implicit stack references). We assume that stack
42 * references and instruction fetches will never occur in special memory
43 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
44 * not be handled.
45 */
46
47 /* Operand sizes: 8-bit operands or specified/overridden size. */
48 #define ByteOp (1<<0) /* 8-bit operands. */
49 /* Destination operand type. */
50 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
51 #define DstReg (2<<1) /* Register operand. */
52 #define DstMem (3<<1) /* Memory operand. */
53 #define DstAcc (4<<1) /* Destination Accumulator */
54 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
55 #define DstMem64 (6<<1) /* 64bit memory operand */
56 #define DstMask (7<<1)
57 /* Source operand type. */
58 #define SrcNone (0<<4) /* No source operand. */
59 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
60 #define SrcReg (1<<4) /* Register operand. */
61 #define SrcMem (2<<4) /* Memory operand. */
62 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
63 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
64 #define SrcImm (5<<4) /* Immediate operand. */
65 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
66 #define SrcOne (7<<4) /* Implied '1' */
67 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
68 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
69 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
70 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
71 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
72 #define SrcMask (0xf<<4)
73 /* Generic ModRM decode. */
74 #define ModRM (1<<8)
75 /* Destination is only written; never read. */
76 #define Mov (1<<9)
77 #define BitOp (1<<10)
78 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
79 #define String (1<<12) /* String instruction (rep capable) */
80 #define Stack (1<<13) /* Stack instruction (push/pop) */
81 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
82 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
83 #define GroupMask 0xff /* Group number stored in bits 0:7 */
84 /* Misc flags */
85 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
86 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
87 #define No64 (1<<28)
88 /* Source 2 operand type */
89 #define Src2None (0<<29)
90 #define Src2CL (1<<29)
91 #define Src2ImmByte (2<<29)
92 #define Src2One (3<<29)
93 #define Src2Mask (7<<29)
94
95 enum {
96 Group1_80, Group1_81, Group1_82, Group1_83,
97 Group1A, Group3_Byte, Group3, Group4, Group5, Group7,
98 Group8, Group9,
99 };
100
101 static u32 opcode_table[256] = {
102 /* 0x00 - 0x07 */
103 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
104 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
105 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
106 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
107 /* 0x08 - 0x0F */
108 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
109 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
110 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
111 ImplicitOps | Stack | No64, 0,
112 /* 0x10 - 0x17 */
113 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
114 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
115 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
116 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
117 /* 0x18 - 0x1F */
118 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
119 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
120 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
121 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
122 /* 0x20 - 0x27 */
123 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
124 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
125 DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
126 /* 0x28 - 0x2F */
127 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
128 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
129 0, 0, 0, 0,
130 /* 0x30 - 0x37 */
131 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
132 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
133 0, 0, 0, 0,
134 /* 0x38 - 0x3F */
135 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
136 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
137 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
138 0, 0,
139 /* 0x40 - 0x47 */
140 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
141 /* 0x48 - 0x4F */
142 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
143 /* 0x50 - 0x57 */
144 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
145 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
146 /* 0x58 - 0x5F */
147 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
148 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
149 /* 0x60 - 0x67 */
150 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
151 0, DstReg | SrcMem32 | ModRM | Mov /* movsxd (x86/64) */ ,
152 0, 0, 0, 0,
153 /* 0x68 - 0x6F */
154 SrcImm | Mov | Stack, 0, SrcImmByte | Mov | Stack, 0,
155 DstDI | ByteOp | Mov | String, DstDI | Mov | String, /* insb, insw/insd */
156 SrcSI | ByteOp | ImplicitOps | String, SrcSI | ImplicitOps | String, /* outsb, outsw/outsd */
157 /* 0x70 - 0x77 */
158 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
159 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
160 /* 0x78 - 0x7F */
161 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
162 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
163 /* 0x80 - 0x87 */
164 Group | Group1_80, Group | Group1_81,
165 Group | Group1_82, Group | Group1_83,
166 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
167 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
168 /* 0x88 - 0x8F */
169 ByteOp | DstMem | SrcReg | ModRM | Mov, DstMem | SrcReg | ModRM | Mov,
170 ByteOp | DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
171 DstMem | SrcReg | ModRM | Mov, ModRM | DstReg,
172 ImplicitOps | SrcMem | ModRM, Group | Group1A,
173 /* 0x90 - 0x97 */
174 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
175 /* 0x98 - 0x9F */
176 0, 0, SrcImmFAddr | No64, 0,
177 ImplicitOps | Stack, ImplicitOps | Stack, 0, 0,
178 /* 0xA0 - 0xA7 */
179 ByteOp | DstReg | SrcMem | Mov | MemAbs, DstReg | SrcMem | Mov | MemAbs,
180 ByteOp | DstMem | SrcReg | Mov | MemAbs, DstMem | SrcReg | Mov | MemAbs,
181 ByteOp | SrcSI | DstDI | Mov | String, SrcSI | DstDI | Mov | String,
182 ByteOp | SrcSI | DstDI | String, SrcSI | DstDI | String,
183 /* 0xA8 - 0xAF */
184 0, 0, ByteOp | DstDI | Mov | String, DstDI | Mov | String,
185 ByteOp | SrcSI | DstAcc | Mov | String, SrcSI | DstAcc | Mov | String,
186 ByteOp | DstDI | String, DstDI | String,
187 /* 0xB0 - 0xB7 */
188 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
189 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
190 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
191 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
192 /* 0xB8 - 0xBF */
193 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
194 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
195 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
196 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
197 /* 0xC0 - 0xC7 */
198 ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM,
199 0, ImplicitOps | Stack, 0, 0,
200 ByteOp | DstMem | SrcImm | ModRM | Mov, DstMem | SrcImm | ModRM | Mov,
201 /* 0xC8 - 0xCF */
202 0, 0, 0, ImplicitOps | Stack,
203 ImplicitOps, SrcImmByte, ImplicitOps | No64, ImplicitOps,
204 /* 0xD0 - 0xD7 */
205 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
206 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
207 0, 0, 0, 0,
208 /* 0xD8 - 0xDF */
209 0, 0, 0, 0, 0, 0, 0, 0,
210 /* 0xE0 - 0xE7 */
211 0, 0, 0, 0,
212 ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
213 ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
214 /* 0xE8 - 0xEF */
215 SrcImm | Stack, SrcImm | ImplicitOps,
216 SrcImmFAddr | No64, SrcImmByte | ImplicitOps,
217 SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
218 SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
219 /* 0xF0 - 0xF7 */
220 0, 0, 0, 0,
221 ImplicitOps | Priv, ImplicitOps, Group | Group3_Byte, Group | Group3,
222 /* 0xF8 - 0xFF */
223 ImplicitOps, 0, ImplicitOps, ImplicitOps,
224 ImplicitOps, ImplicitOps, Group | Group4, Group | Group5,
225 };
226
227 static u32 twobyte_table[256] = {
228 /* 0x00 - 0x0F */
229 0, Group | GroupDual | Group7, 0, 0,
230 0, ImplicitOps, ImplicitOps | Priv, 0,
231 ImplicitOps | Priv, ImplicitOps | Priv, 0, 0,
232 0, ImplicitOps | ModRM, 0, 0,
233 /* 0x10 - 0x1F */
234 0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0,
235 /* 0x20 - 0x2F */
236 ModRM | ImplicitOps | Priv, ModRM | Priv,
237 ModRM | ImplicitOps | Priv, ModRM | Priv,
238 0, 0, 0, 0,
239 0, 0, 0, 0, 0, 0, 0, 0,
240 /* 0x30 - 0x3F */
241 ImplicitOps | Priv, 0, ImplicitOps | Priv, 0,
242 ImplicitOps, ImplicitOps | Priv, 0, 0,
243 0, 0, 0, 0, 0, 0, 0, 0,
244 /* 0x40 - 0x47 */
245 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
246 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
247 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
248 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
249 /* 0x48 - 0x4F */
250 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
251 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
252 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
253 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
254 /* 0x50 - 0x5F */
255 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
256 /* 0x60 - 0x6F */
257 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
258 /* 0x70 - 0x7F */
259 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
260 /* 0x80 - 0x8F */
261 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
262 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
263 /* 0x90 - 0x9F */
264 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
265 /* 0xA0 - 0xA7 */
266 ImplicitOps | Stack, ImplicitOps | Stack,
267 0, DstMem | SrcReg | ModRM | BitOp,
268 DstMem | SrcReg | Src2ImmByte | ModRM,
269 DstMem | SrcReg | Src2CL | ModRM, 0, 0,
270 /* 0xA8 - 0xAF */
271 ImplicitOps | Stack, ImplicitOps | Stack,
272 0, DstMem | SrcReg | ModRM | BitOp | Lock,
273 DstMem | SrcReg | Src2ImmByte | ModRM,
274 DstMem | SrcReg | Src2CL | ModRM,
275 ModRM, 0,
276 /* 0xB0 - 0xB7 */
277 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
278 0, DstMem | SrcReg | ModRM | BitOp | Lock,
279 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
280 DstReg | SrcMem16 | ModRM | Mov,
281 /* 0xB8 - 0xBF */
282 0, 0,
283 Group | Group8, DstMem | SrcReg | ModRM | BitOp | Lock,
284 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
285 DstReg | SrcMem16 | ModRM | Mov,
286 /* 0xC0 - 0xCF */
287 0, 0, 0, DstMem | SrcReg | ModRM | Mov,
288 0, 0, 0, Group | GroupDual | Group9,
289 0, 0, 0, 0, 0, 0, 0, 0,
290 /* 0xD0 - 0xDF */
291 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
292 /* 0xE0 - 0xEF */
293 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
294 /* 0xF0 - 0xFF */
295 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
296 };
297
298 static u32 group_table[] = {
299 [Group1_80*8] =
300 ByteOp | DstMem | SrcImm | ModRM | Lock,
301 ByteOp | DstMem | SrcImm | ModRM | Lock,
302 ByteOp | DstMem | SrcImm | ModRM | Lock,
303 ByteOp | DstMem | SrcImm | ModRM | Lock,
304 ByteOp | DstMem | SrcImm | ModRM | Lock,
305 ByteOp | DstMem | SrcImm | ModRM | Lock,
306 ByteOp | DstMem | SrcImm | ModRM | Lock,
307 ByteOp | DstMem | SrcImm | ModRM,
308 [Group1_81*8] =
309 DstMem | SrcImm | ModRM | Lock,
310 DstMem | SrcImm | ModRM | Lock,
311 DstMem | SrcImm | ModRM | Lock,
312 DstMem | SrcImm | ModRM | Lock,
313 DstMem | SrcImm | ModRM | Lock,
314 DstMem | SrcImm | ModRM | Lock,
315 DstMem | SrcImm | ModRM | Lock,
316 DstMem | SrcImm | ModRM,
317 [Group1_82*8] =
318 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
319 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
320 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
321 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
322 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
323 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
324 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
325 ByteOp | DstMem | SrcImm | ModRM | No64,
326 [Group1_83*8] =
327 DstMem | SrcImmByte | ModRM | Lock,
328 DstMem | SrcImmByte | ModRM | Lock,
329 DstMem | SrcImmByte | ModRM | Lock,
330 DstMem | SrcImmByte | ModRM | Lock,
331 DstMem | SrcImmByte | ModRM | Lock,
332 DstMem | SrcImmByte | ModRM | Lock,
333 DstMem | SrcImmByte | ModRM | Lock,
334 DstMem | SrcImmByte | ModRM,
335 [Group1A*8] =
336 DstMem | SrcNone | ModRM | Mov | Stack, 0, 0, 0, 0, 0, 0, 0,
337 [Group3_Byte*8] =
338 ByteOp | SrcImm | DstMem | ModRM, 0,
339 ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
340 0, 0, 0, 0,
341 [Group3*8] =
342 DstMem | SrcImm | ModRM, 0,
343 DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
344 0, 0, 0, 0,
345 [Group4*8] =
346 ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
347 0, 0, 0, 0, 0, 0,
348 [Group5*8] =
349 DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
350 SrcMem | ModRM | Stack, 0,
351 SrcMem | ModRM | Stack, SrcMemFAddr | ModRM | ImplicitOps,
352 SrcMem | ModRM | Stack, 0,
353 [Group7*8] =
354 0, 0, ModRM | SrcMem | Priv, ModRM | SrcMem | Priv,
355 SrcNone | ModRM | DstMem | Mov, 0,
356 SrcMem16 | ModRM | Mov | Priv, SrcMem | ModRM | ByteOp | Priv,
357 [Group8*8] =
358 0, 0, 0, 0,
359 DstMem | SrcImmByte | ModRM, DstMem | SrcImmByte | ModRM | Lock,
360 DstMem | SrcImmByte | ModRM | Lock, DstMem | SrcImmByte | ModRM | Lock,
361 [Group9*8] =
362 0, DstMem64 | ModRM | Lock, 0, 0, 0, 0, 0, 0,
363 };
364
365 static u32 group2_table[] = {
366 [Group7*8] =
367 SrcNone | ModRM | Priv, 0, 0, SrcNone | ModRM | Priv,
368 SrcNone | ModRM | DstMem | Mov, 0,
369 SrcMem16 | ModRM | Mov | Priv, 0,
370 [Group9*8] =
371 0, 0, 0, 0, 0, 0, 0, 0,
372 };
373
374 /* EFLAGS bit definitions. */
375 #define EFLG_ID (1<<21)
376 #define EFLG_VIP (1<<20)
377 #define EFLG_VIF (1<<19)
378 #define EFLG_AC (1<<18)
379 #define EFLG_VM (1<<17)
380 #define EFLG_RF (1<<16)
381 #define EFLG_IOPL (3<<12)
382 #define EFLG_NT (1<<14)
383 #define EFLG_OF (1<<11)
384 #define EFLG_DF (1<<10)
385 #define EFLG_IF (1<<9)
386 #define EFLG_TF (1<<8)
387 #define EFLG_SF (1<<7)
388 #define EFLG_ZF (1<<6)
389 #define EFLG_AF (1<<4)
390 #define EFLG_PF (1<<2)
391 #define EFLG_CF (1<<0)
392
393 /*
394 * Instruction emulation:
395 * Most instructions are emulated directly via a fragment of inline assembly
396 * code. This allows us to save/restore EFLAGS and thus very easily pick up
397 * any modified flags.
398 */
399
400 #if defined(CONFIG_X86_64)
401 #define _LO32 "k" /* force 32-bit operand */
402 #define _STK "%%rsp" /* stack pointer */
403 #elif defined(__i386__)
404 #define _LO32 "" /* force 32-bit operand */
405 #define _STK "%%esp" /* stack pointer */
406 #endif
407
408 /*
409 * These EFLAGS bits are restored from saved value during emulation, and
410 * any changes are written back to the saved value after emulation.
411 */
412 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
413
414 /* Before executing instruction: restore necessary bits in EFLAGS. */
415 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
416 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
417 "movl %"_sav",%"_LO32 _tmp"; " \
418 "push %"_tmp"; " \
419 "push %"_tmp"; " \
420 "movl %"_msk",%"_LO32 _tmp"; " \
421 "andl %"_LO32 _tmp",("_STK"); " \
422 "pushf; " \
423 "notl %"_LO32 _tmp"; " \
424 "andl %"_LO32 _tmp",("_STK"); " \
425 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
426 "pop %"_tmp"; " \
427 "orl %"_LO32 _tmp",("_STK"); " \
428 "popf; " \
429 "pop %"_sav"; "
430
431 /* After executing instruction: write-back necessary bits in EFLAGS. */
432 #define _POST_EFLAGS(_sav, _msk, _tmp) \
433 /* _sav |= EFLAGS & _msk; */ \
434 "pushf; " \
435 "pop %"_tmp"; " \
436 "andl %"_msk",%"_LO32 _tmp"; " \
437 "orl %"_LO32 _tmp",%"_sav"; "
438
439 #ifdef CONFIG_X86_64
440 #define ON64(x) x
441 #else
442 #define ON64(x)
443 #endif
444
445 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
446 do { \
447 __asm__ __volatile__ ( \
448 _PRE_EFLAGS("0", "4", "2") \
449 _op _suffix " %"_x"3,%1; " \
450 _POST_EFLAGS("0", "4", "2") \
451 : "=m" (_eflags), "=m" ((_dst).val), \
452 "=&r" (_tmp) \
453 : _y ((_src).val), "i" (EFLAGS_MASK)); \
454 } while (0)
455
456
457 /* Raw emulation: instruction has two explicit operands. */
458 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
459 do { \
460 unsigned long _tmp; \
461 \
462 switch ((_dst).bytes) { \
463 case 2: \
464 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
465 break; \
466 case 4: \
467 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
468 break; \
469 case 8: \
470 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
471 break; \
472 } \
473 } while (0)
474
475 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
476 do { \
477 unsigned long _tmp; \
478 switch ((_dst).bytes) { \
479 case 1: \
480 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
481 break; \
482 default: \
483 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
484 _wx, _wy, _lx, _ly, _qx, _qy); \
485 break; \
486 } \
487 } while (0)
488
489 /* Source operand is byte-sized and may be restricted to just %cl. */
490 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
491 __emulate_2op(_op, _src, _dst, _eflags, \
492 "b", "c", "b", "c", "b", "c", "b", "c")
493
494 /* Source operand is byte, word, long or quad sized. */
495 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
496 __emulate_2op(_op, _src, _dst, _eflags, \
497 "b", "q", "w", "r", _LO32, "r", "", "r")
498
499 /* Source operand is word, long or quad sized. */
500 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
501 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
502 "w", "r", _LO32, "r", "", "r")
503
504 /* Instruction has three operands and one operand is stored in ECX register */
505 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
506 do { \
507 unsigned long _tmp; \
508 _type _clv = (_cl).val; \
509 _type _srcv = (_src).val; \
510 _type _dstv = (_dst).val; \
511 \
512 __asm__ __volatile__ ( \
513 _PRE_EFLAGS("0", "5", "2") \
514 _op _suffix " %4,%1 \n" \
515 _POST_EFLAGS("0", "5", "2") \
516 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
517 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
518 ); \
519 \
520 (_cl).val = (unsigned long) _clv; \
521 (_src).val = (unsigned long) _srcv; \
522 (_dst).val = (unsigned long) _dstv; \
523 } while (0)
524
525 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
526 do { \
527 switch ((_dst).bytes) { \
528 case 2: \
529 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
530 "w", unsigned short); \
531 break; \
532 case 4: \
533 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
534 "l", unsigned int); \
535 break; \
536 case 8: \
537 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
538 "q", unsigned long)); \
539 break; \
540 } \
541 } while (0)
542
543 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
544 do { \
545 unsigned long _tmp; \
546 \
547 __asm__ __volatile__ ( \
548 _PRE_EFLAGS("0", "3", "2") \
549 _op _suffix " %1; " \
550 _POST_EFLAGS("0", "3", "2") \
551 : "=m" (_eflags), "+m" ((_dst).val), \
552 "=&r" (_tmp) \
553 : "i" (EFLAGS_MASK)); \
554 } while (0)
555
556 /* Instruction has only one explicit operand (no source operand). */
557 #define emulate_1op(_op, _dst, _eflags) \
558 do { \
559 switch ((_dst).bytes) { \
560 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
561 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
562 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
563 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
564 } \
565 } while (0)
566
567 /* Fetch next part of the instruction being emulated. */
568 #define insn_fetch(_type, _size, _eip) \
569 ({ unsigned long _x; \
570 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
571 if (rc != X86EMUL_CONTINUE) \
572 goto done; \
573 (_eip) += (_size); \
574 (_type)_x; \
575 })
576
577 #define insn_fetch_arr(_arr, _size, _eip) \
578 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
579 if (rc != X86EMUL_CONTINUE) \
580 goto done; \
581 (_eip) += (_size); \
582 })
583
584 static inline unsigned long ad_mask(struct decode_cache *c)
585 {
586 return (1UL << (c->ad_bytes << 3)) - 1;
587 }
588
589 /* Access/update address held in a register, based on addressing mode. */
590 static inline unsigned long
591 address_mask(struct decode_cache *c, unsigned long reg)
592 {
593 if (c->ad_bytes == sizeof(unsigned long))
594 return reg;
595 else
596 return reg & ad_mask(c);
597 }
598
599 static inline unsigned long
600 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
601 {
602 return base + address_mask(c, reg);
603 }
604
605 static inline void
606 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
607 {
608 if (c->ad_bytes == sizeof(unsigned long))
609 *reg += inc;
610 else
611 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
612 }
613
614 static inline void jmp_rel(struct decode_cache *c, int rel)
615 {
616 register_address_increment(c, &c->eip, rel);
617 }
618
619 static void set_seg_override(struct decode_cache *c, int seg)
620 {
621 c->has_seg_override = true;
622 c->seg_override = seg;
623 }
624
625 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
626 struct x86_emulate_ops *ops, int seg)
627 {
628 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
629 return 0;
630
631 return ops->get_cached_segment_base(seg, ctxt->vcpu);
632 }
633
634 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
635 struct x86_emulate_ops *ops,
636 struct decode_cache *c)
637 {
638 if (!c->has_seg_override)
639 return 0;
640
641 return seg_base(ctxt, ops, c->seg_override);
642 }
643
644 static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
645 struct x86_emulate_ops *ops)
646 {
647 return seg_base(ctxt, ops, VCPU_SREG_ES);
648 }
649
650 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
651 struct x86_emulate_ops *ops)
652 {
653 return seg_base(ctxt, ops, VCPU_SREG_SS);
654 }
655
656 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
657 struct x86_emulate_ops *ops,
658 unsigned long eip, u8 *dest)
659 {
660 struct fetch_cache *fc = &ctxt->decode.fetch;
661 int rc;
662 int size, cur_size;
663
664 if (eip == fc->end) {
665 cur_size = fc->end - fc->start;
666 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
667 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
668 size, ctxt->vcpu, NULL);
669 if (rc != X86EMUL_CONTINUE)
670 return rc;
671 fc->end += size;
672 }
673 *dest = fc->data[eip - fc->start];
674 return X86EMUL_CONTINUE;
675 }
676
677 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
678 struct x86_emulate_ops *ops,
679 unsigned long eip, void *dest, unsigned size)
680 {
681 int rc;
682
683 /* x86 instructions are limited to 15 bytes. */
684 if (eip + size - ctxt->eip > 15)
685 return X86EMUL_UNHANDLEABLE;
686 while (size--) {
687 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
688 if (rc != X86EMUL_CONTINUE)
689 return rc;
690 }
691 return X86EMUL_CONTINUE;
692 }
693
694 /*
695 * Given the 'reg' portion of a ModRM byte, and a register block, return a
696 * pointer into the block that addresses the relevant register.
697 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
698 */
699 static void *decode_register(u8 modrm_reg, unsigned long *regs,
700 int highbyte_regs)
701 {
702 void *p;
703
704 p = &regs[modrm_reg];
705 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
706 p = (unsigned char *)&regs[modrm_reg & 3] + 1;
707 return p;
708 }
709
710 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
711 struct x86_emulate_ops *ops,
712 void *ptr,
713 u16 *size, unsigned long *address, int op_bytes)
714 {
715 int rc;
716
717 if (op_bytes == 2)
718 op_bytes = 3;
719 *address = 0;
720 rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
721 ctxt->vcpu, NULL);
722 if (rc != X86EMUL_CONTINUE)
723 return rc;
724 rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
725 ctxt->vcpu, NULL);
726 return rc;
727 }
728
729 static int test_cc(unsigned int condition, unsigned int flags)
730 {
731 int rc = 0;
732
733 switch ((condition & 15) >> 1) {
734 case 0: /* o */
735 rc |= (flags & EFLG_OF);
736 break;
737 case 1: /* b/c/nae */
738 rc |= (flags & EFLG_CF);
739 break;
740 case 2: /* z/e */
741 rc |= (flags & EFLG_ZF);
742 break;
743 case 3: /* be/na */
744 rc |= (flags & (EFLG_CF|EFLG_ZF));
745 break;
746 case 4: /* s */
747 rc |= (flags & EFLG_SF);
748 break;
749 case 5: /* p/pe */
750 rc |= (flags & EFLG_PF);
751 break;
752 case 7: /* le/ng */
753 rc |= (flags & EFLG_ZF);
754 /* fall through */
755 case 6: /* l/nge */
756 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
757 break;
758 }
759
760 /* Odd condition identifiers (lsb == 1) have inverted sense. */
761 return (!!rc ^ (condition & 1));
762 }
763
764 static void decode_register_operand(struct operand *op,
765 struct decode_cache *c,
766 int inhibit_bytereg)
767 {
768 unsigned reg = c->modrm_reg;
769 int highbyte_regs = c->rex_prefix == 0;
770
771 if (!(c->d & ModRM))
772 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
773 op->type = OP_REG;
774 if ((c->d & ByteOp) && !inhibit_bytereg) {
775 op->ptr = decode_register(reg, c->regs, highbyte_regs);
776 op->val = *(u8 *)op->ptr;
777 op->bytes = 1;
778 } else {
779 op->ptr = decode_register(reg, c->regs, 0);
780 op->bytes = c->op_bytes;
781 switch (op->bytes) {
782 case 2:
783 op->val = *(u16 *)op->ptr;
784 break;
785 case 4:
786 op->val = *(u32 *)op->ptr;
787 break;
788 case 8:
789 op->val = *(u64 *) op->ptr;
790 break;
791 }
792 }
793 op->orig_val = op->val;
794 }
795
796 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
797 struct x86_emulate_ops *ops)
798 {
799 struct decode_cache *c = &ctxt->decode;
800 u8 sib;
801 int index_reg = 0, base_reg = 0, scale;
802 int rc = X86EMUL_CONTINUE;
803
804 if (c->rex_prefix) {
805 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
806 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
807 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
808 }
809
810 c->modrm = insn_fetch(u8, 1, c->eip);
811 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
812 c->modrm_reg |= (c->modrm & 0x38) >> 3;
813 c->modrm_rm |= (c->modrm & 0x07);
814 c->modrm_ea = 0;
815 c->use_modrm_ea = 1;
816
817 if (c->modrm_mod == 3) {
818 c->modrm_ptr = decode_register(c->modrm_rm,
819 c->regs, c->d & ByteOp);
820 c->modrm_val = *(unsigned long *)c->modrm_ptr;
821 return rc;
822 }
823
824 if (c->ad_bytes == 2) {
825 unsigned bx = c->regs[VCPU_REGS_RBX];
826 unsigned bp = c->regs[VCPU_REGS_RBP];
827 unsigned si = c->regs[VCPU_REGS_RSI];
828 unsigned di = c->regs[VCPU_REGS_RDI];
829
830 /* 16-bit ModR/M decode. */
831 switch (c->modrm_mod) {
832 case 0:
833 if (c->modrm_rm == 6)
834 c->modrm_ea += insn_fetch(u16, 2, c->eip);
835 break;
836 case 1:
837 c->modrm_ea += insn_fetch(s8, 1, c->eip);
838 break;
839 case 2:
840 c->modrm_ea += insn_fetch(u16, 2, c->eip);
841 break;
842 }
843 switch (c->modrm_rm) {
844 case 0:
845 c->modrm_ea += bx + si;
846 break;
847 case 1:
848 c->modrm_ea += bx + di;
849 break;
850 case 2:
851 c->modrm_ea += bp + si;
852 break;
853 case 3:
854 c->modrm_ea += bp + di;
855 break;
856 case 4:
857 c->modrm_ea += si;
858 break;
859 case 5:
860 c->modrm_ea += di;
861 break;
862 case 6:
863 if (c->modrm_mod != 0)
864 c->modrm_ea += bp;
865 break;
866 case 7:
867 c->modrm_ea += bx;
868 break;
869 }
870 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
871 (c->modrm_rm == 6 && c->modrm_mod != 0))
872 if (!c->has_seg_override)
873 set_seg_override(c, VCPU_SREG_SS);
874 c->modrm_ea = (u16)c->modrm_ea;
875 } else {
876 /* 32/64-bit ModR/M decode. */
877 if ((c->modrm_rm & 7) == 4) {
878 sib = insn_fetch(u8, 1, c->eip);
879 index_reg |= (sib >> 3) & 7;
880 base_reg |= sib & 7;
881 scale = sib >> 6;
882
883 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
884 c->modrm_ea += insn_fetch(s32, 4, c->eip);
885 else
886 c->modrm_ea += c->regs[base_reg];
887 if (index_reg != 4)
888 c->modrm_ea += c->regs[index_reg] << scale;
889 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
890 if (ctxt->mode == X86EMUL_MODE_PROT64)
891 c->rip_relative = 1;
892 } else
893 c->modrm_ea += c->regs[c->modrm_rm];
894 switch (c->modrm_mod) {
895 case 0:
896 if (c->modrm_rm == 5)
897 c->modrm_ea += insn_fetch(s32, 4, c->eip);
898 break;
899 case 1:
900 c->modrm_ea += insn_fetch(s8, 1, c->eip);
901 break;
902 case 2:
903 c->modrm_ea += insn_fetch(s32, 4, c->eip);
904 break;
905 }
906 }
907 done:
908 return rc;
909 }
910
911 static int decode_abs(struct x86_emulate_ctxt *ctxt,
912 struct x86_emulate_ops *ops)
913 {
914 struct decode_cache *c = &ctxt->decode;
915 int rc = X86EMUL_CONTINUE;
916
917 switch (c->ad_bytes) {
918 case 2:
919 c->modrm_ea = insn_fetch(u16, 2, c->eip);
920 break;
921 case 4:
922 c->modrm_ea = insn_fetch(u32, 4, c->eip);
923 break;
924 case 8:
925 c->modrm_ea = insn_fetch(u64, 8, c->eip);
926 break;
927 }
928 done:
929 return rc;
930 }
931
932 int
933 x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
934 {
935 struct decode_cache *c = &ctxt->decode;
936 int rc = X86EMUL_CONTINUE;
937 int mode = ctxt->mode;
938 int def_op_bytes, def_ad_bytes, group;
939
940
941 /* we cannot decode insn before we complete previous rep insn */
942 WARN_ON(ctxt->restart);
943
944 /* Shadow copy of register state. Committed on successful emulation. */
945 memset(c, 0, sizeof(struct decode_cache));
946 c->eip = ctxt->eip;
947 c->fetch.start = c->fetch.end = c->eip;
948 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
949 memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
950
951 switch (mode) {
952 case X86EMUL_MODE_REAL:
953 case X86EMUL_MODE_VM86:
954 case X86EMUL_MODE_PROT16:
955 def_op_bytes = def_ad_bytes = 2;
956 break;
957 case X86EMUL_MODE_PROT32:
958 def_op_bytes = def_ad_bytes = 4;
959 break;
960 #ifdef CONFIG_X86_64
961 case X86EMUL_MODE_PROT64:
962 def_op_bytes = 4;
963 def_ad_bytes = 8;
964 break;
965 #endif
966 default:
967 return -1;
968 }
969
970 c->op_bytes = def_op_bytes;
971 c->ad_bytes = def_ad_bytes;
972
973 /* Legacy prefixes. */
974 for (;;) {
975 switch (c->b = insn_fetch(u8, 1, c->eip)) {
976 case 0x66: /* operand-size override */
977 /* switch between 2/4 bytes */
978 c->op_bytes = def_op_bytes ^ 6;
979 break;
980 case 0x67: /* address-size override */
981 if (mode == X86EMUL_MODE_PROT64)
982 /* switch between 4/8 bytes */
983 c->ad_bytes = def_ad_bytes ^ 12;
984 else
985 /* switch between 2/4 bytes */
986 c->ad_bytes = def_ad_bytes ^ 6;
987 break;
988 case 0x26: /* ES override */
989 case 0x2e: /* CS override */
990 case 0x36: /* SS override */
991 case 0x3e: /* DS override */
992 set_seg_override(c, (c->b >> 3) & 3);
993 break;
994 case 0x64: /* FS override */
995 case 0x65: /* GS override */
996 set_seg_override(c, c->b & 7);
997 break;
998 case 0x40 ... 0x4f: /* REX */
999 if (mode != X86EMUL_MODE_PROT64)
1000 goto done_prefixes;
1001 c->rex_prefix = c->b;
1002 continue;
1003 case 0xf0: /* LOCK */
1004 c->lock_prefix = 1;
1005 break;
1006 case 0xf2: /* REPNE/REPNZ */
1007 c->rep_prefix = REPNE_PREFIX;
1008 break;
1009 case 0xf3: /* REP/REPE/REPZ */
1010 c->rep_prefix = REPE_PREFIX;
1011 break;
1012 default:
1013 goto done_prefixes;
1014 }
1015
1016 /* Any legacy prefix after a REX prefix nullifies its effect. */
1017
1018 c->rex_prefix = 0;
1019 }
1020
1021 done_prefixes:
1022
1023 /* REX prefix. */
1024 if (c->rex_prefix)
1025 if (c->rex_prefix & 8)
1026 c->op_bytes = 8; /* REX.W */
1027
1028 /* Opcode byte(s). */
1029 c->d = opcode_table[c->b];
1030 if (c->d == 0) {
1031 /* Two-byte opcode? */
1032 if (c->b == 0x0f) {
1033 c->twobyte = 1;
1034 c->b = insn_fetch(u8, 1, c->eip);
1035 c->d = twobyte_table[c->b];
1036 }
1037 }
1038
1039 if (c->d & Group) {
1040 group = c->d & GroupMask;
1041 c->modrm = insn_fetch(u8, 1, c->eip);
1042 --c->eip;
1043
1044 group = (group << 3) + ((c->modrm >> 3) & 7);
1045 if ((c->d & GroupDual) && (c->modrm >> 6) == 3)
1046 c->d = group2_table[group];
1047 else
1048 c->d = group_table[group];
1049 }
1050
1051 /* Unrecognised? */
1052 if (c->d == 0) {
1053 DPRINTF("Cannot emulate %02x\n", c->b);
1054 return -1;
1055 }
1056
1057 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
1058 c->op_bytes = 8;
1059
1060 /* ModRM and SIB bytes. */
1061 if (c->d & ModRM)
1062 rc = decode_modrm(ctxt, ops);
1063 else if (c->d & MemAbs)
1064 rc = decode_abs(ctxt, ops);
1065 if (rc != X86EMUL_CONTINUE)
1066 goto done;
1067
1068 if (!c->has_seg_override)
1069 set_seg_override(c, VCPU_SREG_DS);
1070
1071 if (!(!c->twobyte && c->b == 0x8d))
1072 c->modrm_ea += seg_override_base(ctxt, ops, c);
1073
1074 if (c->ad_bytes != 8)
1075 c->modrm_ea = (u32)c->modrm_ea;
1076
1077 if (c->rip_relative)
1078 c->modrm_ea += c->eip;
1079
1080 /*
1081 * Decode and fetch the source operand: register, memory
1082 * or immediate.
1083 */
1084 switch (c->d & SrcMask) {
1085 case SrcNone:
1086 break;
1087 case SrcReg:
1088 decode_register_operand(&c->src, c, 0);
1089 break;
1090 case SrcMem16:
1091 c->src.bytes = 2;
1092 goto srcmem_common;
1093 case SrcMem32:
1094 c->src.bytes = 4;
1095 goto srcmem_common;
1096 case SrcMem:
1097 c->src.bytes = (c->d & ByteOp) ? 1 :
1098 c->op_bytes;
1099 /* Don't fetch the address for invlpg: it could be unmapped. */
1100 if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
1101 break;
1102 srcmem_common:
1103 /*
1104 * For instructions with a ModR/M byte, switch to register
1105 * access if Mod = 3.
1106 */
1107 if ((c->d & ModRM) && c->modrm_mod == 3) {
1108 c->src.type = OP_REG;
1109 c->src.val = c->modrm_val;
1110 c->src.ptr = c->modrm_ptr;
1111 break;
1112 }
1113 c->src.type = OP_MEM;
1114 c->src.ptr = (unsigned long *)c->modrm_ea;
1115 c->src.val = 0;
1116 break;
1117 case SrcImm:
1118 case SrcImmU:
1119 c->src.type = OP_IMM;
1120 c->src.ptr = (unsigned long *)c->eip;
1121 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1122 if (c->src.bytes == 8)
1123 c->src.bytes = 4;
1124 /* NB. Immediates are sign-extended as necessary. */
1125 switch (c->src.bytes) {
1126 case 1:
1127 c->src.val = insn_fetch(s8, 1, c->eip);
1128 break;
1129 case 2:
1130 c->src.val = insn_fetch(s16, 2, c->eip);
1131 break;
1132 case 4:
1133 c->src.val = insn_fetch(s32, 4, c->eip);
1134 break;
1135 }
1136 if ((c->d & SrcMask) == SrcImmU) {
1137 switch (c->src.bytes) {
1138 case 1:
1139 c->src.val &= 0xff;
1140 break;
1141 case 2:
1142 c->src.val &= 0xffff;
1143 break;
1144 case 4:
1145 c->src.val &= 0xffffffff;
1146 break;
1147 }
1148 }
1149 break;
1150 case SrcImmByte:
1151 case SrcImmUByte:
1152 c->src.type = OP_IMM;
1153 c->src.ptr = (unsigned long *)c->eip;
1154 c->src.bytes = 1;
1155 if ((c->d & SrcMask) == SrcImmByte)
1156 c->src.val = insn_fetch(s8, 1, c->eip);
1157 else
1158 c->src.val = insn_fetch(u8, 1, c->eip);
1159 break;
1160 case SrcOne:
1161 c->src.bytes = 1;
1162 c->src.val = 1;
1163 break;
1164 case SrcSI:
1165 c->src.type = OP_MEM;
1166 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1167 c->src.ptr = (unsigned long *)
1168 register_address(c, seg_override_base(ctxt, ops, c),
1169 c->regs[VCPU_REGS_RSI]);
1170 c->src.val = 0;
1171 break;
1172 case SrcImmFAddr:
1173 c->src.type = OP_IMM;
1174 c->src.ptr = (unsigned long *)c->eip;
1175 c->src.bytes = c->op_bytes + 2;
1176 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
1177 break;
1178 case SrcMemFAddr:
1179 c->src.type = OP_MEM;
1180 c->src.ptr = (unsigned long *)c->modrm_ea;
1181 c->src.bytes = c->op_bytes + 2;
1182 break;
1183 }
1184
1185 /*
1186 * Decode and fetch the second source operand: register, memory
1187 * or immediate.
1188 */
1189 switch (c->d & Src2Mask) {
1190 case Src2None:
1191 break;
1192 case Src2CL:
1193 c->src2.bytes = 1;
1194 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
1195 break;
1196 case Src2ImmByte:
1197 c->src2.type = OP_IMM;
1198 c->src2.ptr = (unsigned long *)c->eip;
1199 c->src2.bytes = 1;
1200 c->src2.val = insn_fetch(u8, 1, c->eip);
1201 break;
1202 case Src2One:
1203 c->src2.bytes = 1;
1204 c->src2.val = 1;
1205 break;
1206 }
1207
1208 /* Decode and fetch the destination operand: register or memory. */
1209 switch (c->d & DstMask) {
1210 case ImplicitOps:
1211 /* Special instructions do their own operand decoding. */
1212 return 0;
1213 case DstReg:
1214 decode_register_operand(&c->dst, c,
1215 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
1216 break;
1217 case DstMem:
1218 case DstMem64:
1219 if ((c->d & ModRM) && c->modrm_mod == 3) {
1220 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1221 c->dst.type = OP_REG;
1222 c->dst.val = c->dst.orig_val = c->modrm_val;
1223 c->dst.ptr = c->modrm_ptr;
1224 break;
1225 }
1226 c->dst.type = OP_MEM;
1227 c->dst.ptr = (unsigned long *)c->modrm_ea;
1228 if ((c->d & DstMask) == DstMem64)
1229 c->dst.bytes = 8;
1230 else
1231 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1232 c->dst.val = 0;
1233 if (c->d & BitOp) {
1234 unsigned long mask = ~(c->dst.bytes * 8 - 1);
1235
1236 c->dst.ptr = (void *)c->dst.ptr +
1237 (c->src.val & mask) / 8;
1238 }
1239 break;
1240 case DstAcc:
1241 c->dst.type = OP_REG;
1242 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1243 c->dst.ptr = &c->regs[VCPU_REGS_RAX];
1244 switch (c->dst.bytes) {
1245 case 1:
1246 c->dst.val = *(u8 *)c->dst.ptr;
1247 break;
1248 case 2:
1249 c->dst.val = *(u16 *)c->dst.ptr;
1250 break;
1251 case 4:
1252 c->dst.val = *(u32 *)c->dst.ptr;
1253 break;
1254 case 8:
1255 c->dst.val = *(u64 *)c->dst.ptr;
1256 break;
1257 }
1258 c->dst.orig_val = c->dst.val;
1259 break;
1260 case DstDI:
1261 c->dst.type = OP_MEM;
1262 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1263 c->dst.ptr = (unsigned long *)
1264 register_address(c, es_base(ctxt, ops),
1265 c->regs[VCPU_REGS_RDI]);
1266 c->dst.val = 0;
1267 break;
1268 }
1269
1270 done:
1271 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
1272 }
1273
1274 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1275 struct x86_emulate_ops *ops,
1276 unsigned long addr, void *dest, unsigned size)
1277 {
1278 int rc;
1279 struct read_cache *mc = &ctxt->decode.mem_read;
1280
1281 while (size) {
1282 int n = min(size, 8u);
1283 size -= n;
1284 if (mc->pos < mc->end)
1285 goto read_cached;
1286
1287 rc = ops->read_emulated(addr, mc->data + mc->end, n, ctxt->vcpu);
1288 if (rc != X86EMUL_CONTINUE)
1289 return rc;
1290 mc->end += n;
1291
1292 read_cached:
1293 memcpy(dest, mc->data + mc->pos, n);
1294 mc->pos += n;
1295 dest += n;
1296 addr += n;
1297 }
1298 return X86EMUL_CONTINUE;
1299 }
1300
1301 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1302 struct x86_emulate_ops *ops,
1303 unsigned int size, unsigned short port,
1304 void *dest)
1305 {
1306 struct read_cache *rc = &ctxt->decode.io_read;
1307
1308 if (rc->pos == rc->end) { /* refill pio read ahead */
1309 struct decode_cache *c = &ctxt->decode;
1310 unsigned int in_page, n;
1311 unsigned int count = c->rep_prefix ?
1312 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
1313 in_page = (ctxt->eflags & EFLG_DF) ?
1314 offset_in_page(c->regs[VCPU_REGS_RDI]) :
1315 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
1316 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
1317 count);
1318 if (n == 0)
1319 n = 1;
1320 rc->pos = rc->end = 0;
1321 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
1322 return 0;
1323 rc->end = n * size;
1324 }
1325
1326 memcpy(dest, rc->data + rc->pos, size);
1327 rc->pos += size;
1328 return 1;
1329 }
1330
1331 static u32 desc_limit_scaled(struct desc_struct *desc)
1332 {
1333 u32 limit = get_desc_limit(desc);
1334
1335 return desc->g ? (limit << 12) | 0xfff : limit;
1336 }
1337
1338 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1339 struct x86_emulate_ops *ops,
1340 u16 selector, struct desc_ptr *dt)
1341 {
1342 if (selector & 1 << 2) {
1343 struct desc_struct desc;
1344 memset (dt, 0, sizeof *dt);
1345 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
1346 return;
1347
1348 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1349 dt->address = get_desc_base(&desc);
1350 } else
1351 ops->get_gdt(dt, ctxt->vcpu);
1352 }
1353
1354 /* allowed just for 8 bytes segments */
1355 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1356 struct x86_emulate_ops *ops,
1357 u16 selector, struct desc_struct *desc)
1358 {
1359 struct desc_ptr dt;
1360 u16 index = selector >> 3;
1361 int ret;
1362 u32 err;
1363 ulong addr;
1364
1365 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1366
1367 if (dt.size < index * 8 + 7) {
1368 kvm_inject_gp(ctxt->vcpu, selector & 0xfffc);
1369 return X86EMUL_PROPAGATE_FAULT;
1370 }
1371 addr = dt.address + index * 8;
1372 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1373 if (ret == X86EMUL_PROPAGATE_FAULT)
1374 kvm_inject_page_fault(ctxt->vcpu, addr, err);
1375
1376 return ret;
1377 }
1378
1379 /* allowed just for 8 bytes segments */
1380 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1381 struct x86_emulate_ops *ops,
1382 u16 selector, struct desc_struct *desc)
1383 {
1384 struct desc_ptr dt;
1385 u16 index = selector >> 3;
1386 u32 err;
1387 ulong addr;
1388 int ret;
1389
1390 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1391
1392 if (dt.size < index * 8 + 7) {
1393 kvm_inject_gp(ctxt->vcpu, selector & 0xfffc);
1394 return X86EMUL_PROPAGATE_FAULT;
1395 }
1396
1397 addr = dt.address + index * 8;
1398 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1399 if (ret == X86EMUL_PROPAGATE_FAULT)
1400 kvm_inject_page_fault(ctxt->vcpu, addr, err);
1401
1402 return ret;
1403 }
1404
1405 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1406 struct x86_emulate_ops *ops,
1407 u16 selector, int seg)
1408 {
1409 struct desc_struct seg_desc;
1410 u8 dpl, rpl, cpl;
1411 unsigned err_vec = GP_VECTOR;
1412 u32 err_code = 0;
1413 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1414 int ret;
1415
1416 memset(&seg_desc, 0, sizeof seg_desc);
1417
1418 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1419 || ctxt->mode == X86EMUL_MODE_REAL) {
1420 /* set real mode segment descriptor */
1421 set_desc_base(&seg_desc, selector << 4);
1422 set_desc_limit(&seg_desc, 0xffff);
1423 seg_desc.type = 3;
1424 seg_desc.p = 1;
1425 seg_desc.s = 1;
1426 goto load;
1427 }
1428
1429 /* NULL selector is not valid for TR, CS and SS */
1430 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
1431 && null_selector)
1432 goto exception;
1433
1434 /* TR should be in GDT only */
1435 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1436 goto exception;
1437
1438 if (null_selector) /* for NULL selector skip all following checks */
1439 goto load;
1440
1441 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
1442 if (ret != X86EMUL_CONTINUE)
1443 return ret;
1444
1445 err_code = selector & 0xfffc;
1446 err_vec = GP_VECTOR;
1447
1448 /* can't load system descriptor into segment selecor */
1449 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1450 goto exception;
1451
1452 if (!seg_desc.p) {
1453 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1454 goto exception;
1455 }
1456
1457 rpl = selector & 3;
1458 dpl = seg_desc.dpl;
1459 cpl = ops->cpl(ctxt->vcpu);
1460
1461 switch (seg) {
1462 case VCPU_SREG_SS:
1463 /*
1464 * segment is not a writable data segment or segment
1465 * selector's RPL != CPL or segment selector's RPL != CPL
1466 */
1467 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1468 goto exception;
1469 break;
1470 case VCPU_SREG_CS:
1471 if (!(seg_desc.type & 8))
1472 goto exception;
1473
1474 if (seg_desc.type & 4) {
1475 /* conforming */
1476 if (dpl > cpl)
1477 goto exception;
1478 } else {
1479 /* nonconforming */
1480 if (rpl > cpl || dpl != cpl)
1481 goto exception;
1482 }
1483 /* CS(RPL) <- CPL */
1484 selector = (selector & 0xfffc) | cpl;
1485 break;
1486 case VCPU_SREG_TR:
1487 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1488 goto exception;
1489 break;
1490 case VCPU_SREG_LDTR:
1491 if (seg_desc.s || seg_desc.type != 2)
1492 goto exception;
1493 break;
1494 default: /* DS, ES, FS, or GS */
1495 /*
1496 * segment is not a data or readable code segment or
1497 * ((segment is a data or nonconforming code segment)
1498 * and (both RPL and CPL > DPL))
1499 */
1500 if ((seg_desc.type & 0xa) == 0x8 ||
1501 (((seg_desc.type & 0xc) != 0xc) &&
1502 (rpl > dpl && cpl > dpl)))
1503 goto exception;
1504 break;
1505 }
1506
1507 if (seg_desc.s) {
1508 /* mark segment as accessed */
1509 seg_desc.type |= 1;
1510 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1511 if (ret != X86EMUL_CONTINUE)
1512 return ret;
1513 }
1514 load:
1515 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1516 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
1517 return X86EMUL_CONTINUE;
1518 exception:
1519 kvm_queue_exception_e(ctxt->vcpu, err_vec, err_code);
1520 return X86EMUL_PROPAGATE_FAULT;
1521 }
1522
1523 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1524 struct x86_emulate_ops *ops)
1525 {
1526 struct decode_cache *c = &ctxt->decode;
1527
1528 c->dst.type = OP_MEM;
1529 c->dst.bytes = c->op_bytes;
1530 c->dst.val = c->src.val;
1531 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1532 c->dst.ptr = (void *) register_address(c, ss_base(ctxt, ops),
1533 c->regs[VCPU_REGS_RSP]);
1534 }
1535
1536 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1537 struct x86_emulate_ops *ops,
1538 void *dest, int len)
1539 {
1540 struct decode_cache *c = &ctxt->decode;
1541 int rc;
1542
1543 rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
1544 c->regs[VCPU_REGS_RSP]),
1545 dest, len);
1546 if (rc != X86EMUL_CONTINUE)
1547 return rc;
1548
1549 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1550 return rc;
1551 }
1552
1553 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1554 struct x86_emulate_ops *ops,
1555 void *dest, int len)
1556 {
1557 int rc;
1558 unsigned long val, change_mask;
1559 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1560 int cpl = ops->cpl(ctxt->vcpu);
1561
1562 rc = emulate_pop(ctxt, ops, &val, len);
1563 if (rc != X86EMUL_CONTINUE)
1564 return rc;
1565
1566 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1567 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1568
1569 switch(ctxt->mode) {
1570 case X86EMUL_MODE_PROT64:
1571 case X86EMUL_MODE_PROT32:
1572 case X86EMUL_MODE_PROT16:
1573 if (cpl == 0)
1574 change_mask |= EFLG_IOPL;
1575 if (cpl <= iopl)
1576 change_mask |= EFLG_IF;
1577 break;
1578 case X86EMUL_MODE_VM86:
1579 if (iopl < 3) {
1580 kvm_inject_gp(ctxt->vcpu, 0);
1581 return X86EMUL_PROPAGATE_FAULT;
1582 }
1583 change_mask |= EFLG_IF;
1584 break;
1585 default: /* real mode */
1586 change_mask |= (EFLG_IOPL | EFLG_IF);
1587 break;
1588 }
1589
1590 *(unsigned long *)dest =
1591 (ctxt->eflags & ~change_mask) | (val & change_mask);
1592
1593 return rc;
1594 }
1595
1596 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1597 struct x86_emulate_ops *ops, int seg)
1598 {
1599 struct decode_cache *c = &ctxt->decode;
1600
1601 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1602
1603 emulate_push(ctxt, ops);
1604 }
1605
1606 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1607 struct x86_emulate_ops *ops, int seg)
1608 {
1609 struct decode_cache *c = &ctxt->decode;
1610 unsigned long selector;
1611 int rc;
1612
1613 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1614 if (rc != X86EMUL_CONTINUE)
1615 return rc;
1616
1617 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1618 return rc;
1619 }
1620
1621 static void emulate_pusha(struct x86_emulate_ctxt *ctxt,
1622 struct x86_emulate_ops *ops)
1623 {
1624 struct decode_cache *c = &ctxt->decode;
1625 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1626 int reg = VCPU_REGS_RAX;
1627
1628 while (reg <= VCPU_REGS_RDI) {
1629 (reg == VCPU_REGS_RSP) ?
1630 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1631
1632 emulate_push(ctxt, ops);
1633 ++reg;
1634 }
1635 }
1636
1637 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1638 struct x86_emulate_ops *ops)
1639 {
1640 struct decode_cache *c = &ctxt->decode;
1641 int rc = X86EMUL_CONTINUE;
1642 int reg = VCPU_REGS_RDI;
1643
1644 while (reg >= VCPU_REGS_RAX) {
1645 if (reg == VCPU_REGS_RSP) {
1646 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1647 c->op_bytes);
1648 --reg;
1649 }
1650
1651 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1652 if (rc != X86EMUL_CONTINUE)
1653 break;
1654 --reg;
1655 }
1656 return rc;
1657 }
1658
1659 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1660 struct x86_emulate_ops *ops)
1661 {
1662 struct decode_cache *c = &ctxt->decode;
1663
1664 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1665 }
1666
1667 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1668 {
1669 struct decode_cache *c = &ctxt->decode;
1670 switch (c->modrm_reg) {
1671 case 0: /* rol */
1672 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1673 break;
1674 case 1: /* ror */
1675 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1676 break;
1677 case 2: /* rcl */
1678 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1679 break;
1680 case 3: /* rcr */
1681 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1682 break;
1683 case 4: /* sal/shl */
1684 case 6: /* sal/shl */
1685 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1686 break;
1687 case 5: /* shr */
1688 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1689 break;
1690 case 7: /* sar */
1691 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1692 break;
1693 }
1694 }
1695
1696 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1697 struct x86_emulate_ops *ops)
1698 {
1699 struct decode_cache *c = &ctxt->decode;
1700
1701 switch (c->modrm_reg) {
1702 case 0 ... 1: /* test */
1703 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1704 break;
1705 case 2: /* not */
1706 c->dst.val = ~c->dst.val;
1707 break;
1708 case 3: /* neg */
1709 emulate_1op("neg", c->dst, ctxt->eflags);
1710 break;
1711 default:
1712 return 0;
1713 }
1714 return 1;
1715 }
1716
1717 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1718 struct x86_emulate_ops *ops)
1719 {
1720 struct decode_cache *c = &ctxt->decode;
1721
1722 switch (c->modrm_reg) {
1723 case 0: /* inc */
1724 emulate_1op("inc", c->dst, ctxt->eflags);
1725 break;
1726 case 1: /* dec */
1727 emulate_1op("dec", c->dst, ctxt->eflags);
1728 break;
1729 case 2: /* call near abs */ {
1730 long int old_eip;
1731 old_eip = c->eip;
1732 c->eip = c->src.val;
1733 c->src.val = old_eip;
1734 emulate_push(ctxt, ops);
1735 break;
1736 }
1737 case 4: /* jmp abs */
1738 c->eip = c->src.val;
1739 break;
1740 case 6: /* push */
1741 emulate_push(ctxt, ops);
1742 break;
1743 }
1744 return X86EMUL_CONTINUE;
1745 }
1746
1747 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1748 struct x86_emulate_ops *ops)
1749 {
1750 struct decode_cache *c = &ctxt->decode;
1751 u64 old = c->dst.orig_val;
1752
1753 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1754 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1755
1756 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1757 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1758 ctxt->eflags &= ~EFLG_ZF;
1759 } else {
1760 c->dst.val = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1761 (u32) c->regs[VCPU_REGS_RBX];
1762
1763 ctxt->eflags |= EFLG_ZF;
1764 }
1765 return X86EMUL_CONTINUE;
1766 }
1767
1768 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1769 struct x86_emulate_ops *ops)
1770 {
1771 struct decode_cache *c = &ctxt->decode;
1772 int rc;
1773 unsigned long cs;
1774
1775 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1776 if (rc != X86EMUL_CONTINUE)
1777 return rc;
1778 if (c->op_bytes == 4)
1779 c->eip = (u32)c->eip;
1780 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1781 if (rc != X86EMUL_CONTINUE)
1782 return rc;
1783 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1784 return rc;
1785 }
1786
1787 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1788 struct x86_emulate_ops *ops)
1789 {
1790 int rc;
1791 struct decode_cache *c = &ctxt->decode;
1792
1793 switch (c->dst.type) {
1794 case OP_REG:
1795 /* The 4-byte case *is* correct:
1796 * in 64-bit mode we zero-extend.
1797 */
1798 switch (c->dst.bytes) {
1799 case 1:
1800 *(u8 *)c->dst.ptr = (u8)c->dst.val;
1801 break;
1802 case 2:
1803 *(u16 *)c->dst.ptr = (u16)c->dst.val;
1804 break;
1805 case 4:
1806 *c->dst.ptr = (u32)c->dst.val;
1807 break; /* 64b: zero-ext */
1808 case 8:
1809 *c->dst.ptr = c->dst.val;
1810 break;
1811 }
1812 break;
1813 case OP_MEM:
1814 if (c->lock_prefix)
1815 rc = ops->cmpxchg_emulated(
1816 (unsigned long)c->dst.ptr,
1817 &c->dst.orig_val,
1818 &c->dst.val,
1819 c->dst.bytes,
1820 ctxt->vcpu);
1821 else
1822 rc = ops->write_emulated(
1823 (unsigned long)c->dst.ptr,
1824 &c->dst.val,
1825 c->dst.bytes,
1826 ctxt->vcpu);
1827 if (rc != X86EMUL_CONTINUE)
1828 return rc;
1829 break;
1830 case OP_NONE:
1831 /* no writeback */
1832 break;
1833 default:
1834 break;
1835 }
1836 return X86EMUL_CONTINUE;
1837 }
1838
1839 static void toggle_interruptibility(struct x86_emulate_ctxt *ctxt, u32 mask)
1840 {
1841 u32 int_shadow = kvm_x86_ops->get_interrupt_shadow(ctxt->vcpu, mask);
1842 /*
1843 * an sti; sti; sequence only disable interrupts for the first
1844 * instruction. So, if the last instruction, be it emulated or
1845 * not, left the system with the INT_STI flag enabled, it
1846 * means that the last instruction is an sti. We should not
1847 * leave the flag on in this case. The same goes for mov ss
1848 */
1849 if (!(int_shadow & mask))
1850 ctxt->interruptibility = mask;
1851 }
1852
1853 static inline void
1854 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1855 struct x86_emulate_ops *ops, struct desc_struct *cs,
1856 struct desc_struct *ss)
1857 {
1858 memset(cs, 0, sizeof(struct desc_struct));
1859 ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
1860 memset(ss, 0, sizeof(struct desc_struct));
1861
1862 cs->l = 0; /* will be adjusted later */
1863 set_desc_base(cs, 0); /* flat segment */
1864 cs->g = 1; /* 4kb granularity */
1865 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1866 cs->type = 0x0b; /* Read, Execute, Accessed */
1867 cs->s = 1;
1868 cs->dpl = 0; /* will be adjusted later */
1869 cs->p = 1;
1870 cs->d = 1;
1871
1872 set_desc_base(ss, 0); /* flat segment */
1873 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1874 ss->g = 1; /* 4kb granularity */
1875 ss->s = 1;
1876 ss->type = 0x03; /* Read/Write, Accessed */
1877 ss->d = 1; /* 32bit stack segment */
1878 ss->dpl = 0;
1879 ss->p = 1;
1880 }
1881
1882 static int
1883 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1884 {
1885 struct decode_cache *c = &ctxt->decode;
1886 struct desc_struct cs, ss;
1887 u64 msr_data;
1888 u16 cs_sel, ss_sel;
1889
1890 /* syscall is not available in real mode */
1891 if (ctxt->mode == X86EMUL_MODE_REAL ||
1892 ctxt->mode == X86EMUL_MODE_VM86) {
1893 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
1894 return X86EMUL_PROPAGATE_FAULT;
1895 }
1896
1897 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1898
1899 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1900 msr_data >>= 32;
1901 cs_sel = (u16)(msr_data & 0xfffc);
1902 ss_sel = (u16)(msr_data + 8);
1903
1904 if (is_long_mode(ctxt->vcpu)) {
1905 cs.d = 0;
1906 cs.l = 1;
1907 }
1908 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1909 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1910 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1911 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1912
1913 c->regs[VCPU_REGS_RCX] = c->eip;
1914 if (is_long_mode(ctxt->vcpu)) {
1915 #ifdef CONFIG_X86_64
1916 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1917
1918 ops->get_msr(ctxt->vcpu,
1919 ctxt->mode == X86EMUL_MODE_PROT64 ?
1920 MSR_LSTAR : MSR_CSTAR, &msr_data);
1921 c->eip = msr_data;
1922
1923 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1924 ctxt->eflags &= ~(msr_data | EFLG_RF);
1925 #endif
1926 } else {
1927 /* legacy mode */
1928 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1929 c->eip = (u32)msr_data;
1930
1931 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1932 }
1933
1934 return X86EMUL_CONTINUE;
1935 }
1936
1937 static int
1938 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1939 {
1940 struct decode_cache *c = &ctxt->decode;
1941 struct desc_struct cs, ss;
1942 u64 msr_data;
1943 u16 cs_sel, ss_sel;
1944
1945 /* inject #GP if in real mode */
1946 if (ctxt->mode == X86EMUL_MODE_REAL) {
1947 kvm_inject_gp(ctxt->vcpu, 0);
1948 return X86EMUL_PROPAGATE_FAULT;
1949 }
1950
1951 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1952 * Therefore, we inject an #UD.
1953 */
1954 if (ctxt->mode == X86EMUL_MODE_PROT64) {
1955 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
1956 return X86EMUL_PROPAGATE_FAULT;
1957 }
1958
1959 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1960
1961 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1962 switch (ctxt->mode) {
1963 case X86EMUL_MODE_PROT32:
1964 if ((msr_data & 0xfffc) == 0x0) {
1965 kvm_inject_gp(ctxt->vcpu, 0);
1966 return X86EMUL_PROPAGATE_FAULT;
1967 }
1968 break;
1969 case X86EMUL_MODE_PROT64:
1970 if (msr_data == 0x0) {
1971 kvm_inject_gp(ctxt->vcpu, 0);
1972 return X86EMUL_PROPAGATE_FAULT;
1973 }
1974 break;
1975 }
1976
1977 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1978 cs_sel = (u16)msr_data;
1979 cs_sel &= ~SELECTOR_RPL_MASK;
1980 ss_sel = cs_sel + 8;
1981 ss_sel &= ~SELECTOR_RPL_MASK;
1982 if (ctxt->mode == X86EMUL_MODE_PROT64
1983 || is_long_mode(ctxt->vcpu)) {
1984 cs.d = 0;
1985 cs.l = 1;
1986 }
1987
1988 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1989 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1990 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1991 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1992
1993 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
1994 c->eip = msr_data;
1995
1996 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
1997 c->regs[VCPU_REGS_RSP] = msr_data;
1998
1999 return X86EMUL_CONTINUE;
2000 }
2001
2002 static int
2003 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2004 {
2005 struct decode_cache *c = &ctxt->decode;
2006 struct desc_struct cs, ss;
2007 u64 msr_data;
2008 int usermode;
2009 u16 cs_sel, ss_sel;
2010
2011 /* inject #GP if in real mode or Virtual 8086 mode */
2012 if (ctxt->mode == X86EMUL_MODE_REAL ||
2013 ctxt->mode == X86EMUL_MODE_VM86) {
2014 kvm_inject_gp(ctxt->vcpu, 0);
2015 return X86EMUL_PROPAGATE_FAULT;
2016 }
2017
2018 setup_syscalls_segments(ctxt, ops, &cs, &ss);
2019
2020 if ((c->rex_prefix & 0x8) != 0x0)
2021 usermode = X86EMUL_MODE_PROT64;
2022 else
2023 usermode = X86EMUL_MODE_PROT32;
2024
2025 cs.dpl = 3;
2026 ss.dpl = 3;
2027 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
2028 switch (usermode) {
2029 case X86EMUL_MODE_PROT32:
2030 cs_sel = (u16)(msr_data + 16);
2031 if ((msr_data & 0xfffc) == 0x0) {
2032 kvm_inject_gp(ctxt->vcpu, 0);
2033 return X86EMUL_PROPAGATE_FAULT;
2034 }
2035 ss_sel = (u16)(msr_data + 24);
2036 break;
2037 case X86EMUL_MODE_PROT64:
2038 cs_sel = (u16)(msr_data + 32);
2039 if (msr_data == 0x0) {
2040 kvm_inject_gp(ctxt->vcpu, 0);
2041 return X86EMUL_PROPAGATE_FAULT;
2042 }
2043 ss_sel = cs_sel + 8;
2044 cs.d = 0;
2045 cs.l = 1;
2046 break;
2047 }
2048 cs_sel |= SELECTOR_RPL_MASK;
2049 ss_sel |= SELECTOR_RPL_MASK;
2050
2051 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
2052 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
2053 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
2054 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2055
2056 c->eip = ctxt->vcpu->arch.regs[VCPU_REGS_RDX];
2057 c->regs[VCPU_REGS_RSP] = ctxt->vcpu->arch.regs[VCPU_REGS_RCX];
2058
2059 return X86EMUL_CONTINUE;
2060 }
2061
2062 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
2063 struct x86_emulate_ops *ops)
2064 {
2065 int iopl;
2066 if (ctxt->mode == X86EMUL_MODE_REAL)
2067 return false;
2068 if (ctxt->mode == X86EMUL_MODE_VM86)
2069 return true;
2070 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
2071 return ops->cpl(ctxt->vcpu) > iopl;
2072 }
2073
2074 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2075 struct x86_emulate_ops *ops,
2076 u16 port, u16 len)
2077 {
2078 struct desc_struct tr_seg;
2079 int r;
2080 u16 io_bitmap_ptr;
2081 u8 perm, bit_idx = port & 0x7;
2082 unsigned mask = (1 << len) - 1;
2083
2084 ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
2085 if (!tr_seg.p)
2086 return false;
2087 if (desc_limit_scaled(&tr_seg) < 103)
2088 return false;
2089 r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
2090 ctxt->vcpu, NULL);
2091 if (r != X86EMUL_CONTINUE)
2092 return false;
2093 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2094 return false;
2095 r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
2096 &perm, 1, ctxt->vcpu, NULL);
2097 if (r != X86EMUL_CONTINUE)
2098 return false;
2099 if ((perm >> bit_idx) & mask)
2100 return false;
2101 return true;
2102 }
2103
2104 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2105 struct x86_emulate_ops *ops,
2106 u16 port, u16 len)
2107 {
2108 if (emulator_bad_iopl(ctxt, ops))
2109 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
2110 return false;
2111 return true;
2112 }
2113
2114 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2115 struct x86_emulate_ops *ops,
2116 struct tss_segment_16 *tss)
2117 {
2118 struct decode_cache *c = &ctxt->decode;
2119
2120 tss->ip = c->eip;
2121 tss->flag = ctxt->eflags;
2122 tss->ax = c->regs[VCPU_REGS_RAX];
2123 tss->cx = c->regs[VCPU_REGS_RCX];
2124 tss->dx = c->regs[VCPU_REGS_RDX];
2125 tss->bx = c->regs[VCPU_REGS_RBX];
2126 tss->sp = c->regs[VCPU_REGS_RSP];
2127 tss->bp = c->regs[VCPU_REGS_RBP];
2128 tss->si = c->regs[VCPU_REGS_RSI];
2129 tss->di = c->regs[VCPU_REGS_RDI];
2130
2131 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2132 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2133 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2134 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2135 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2136 }
2137
2138 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2139 struct x86_emulate_ops *ops,
2140 struct tss_segment_16 *tss)
2141 {
2142 struct decode_cache *c = &ctxt->decode;
2143 int ret;
2144
2145 c->eip = tss->ip;
2146 ctxt->eflags = tss->flag | 2;
2147 c->regs[VCPU_REGS_RAX] = tss->ax;
2148 c->regs[VCPU_REGS_RCX] = tss->cx;
2149 c->regs[VCPU_REGS_RDX] = tss->dx;
2150 c->regs[VCPU_REGS_RBX] = tss->bx;
2151 c->regs[VCPU_REGS_RSP] = tss->sp;
2152 c->regs[VCPU_REGS_RBP] = tss->bp;
2153 c->regs[VCPU_REGS_RSI] = tss->si;
2154 c->regs[VCPU_REGS_RDI] = tss->di;
2155
2156 /*
2157 * SDM says that segment selectors are loaded before segment
2158 * descriptors
2159 */
2160 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
2161 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2162 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2163 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2164 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2165
2166 /*
2167 * Now load segment descriptors. If fault happenes at this stage
2168 * it is handled in a context of new task
2169 */
2170 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
2171 if (ret != X86EMUL_CONTINUE)
2172 return ret;
2173 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2174 if (ret != X86EMUL_CONTINUE)
2175 return ret;
2176 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2177 if (ret != X86EMUL_CONTINUE)
2178 return ret;
2179 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2180 if (ret != X86EMUL_CONTINUE)
2181 return ret;
2182 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2183 if (ret != X86EMUL_CONTINUE)
2184 return ret;
2185
2186 return X86EMUL_CONTINUE;
2187 }
2188
2189 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2190 struct x86_emulate_ops *ops,
2191 u16 tss_selector, u16 old_tss_sel,
2192 ulong old_tss_base, struct desc_struct *new_desc)
2193 {
2194 struct tss_segment_16 tss_seg;
2195 int ret;
2196 u32 err, new_tss_base = get_desc_base(new_desc);
2197
2198 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2199 &err);
2200 if (ret == X86EMUL_PROPAGATE_FAULT) {
2201 /* FIXME: need to provide precise fault address */
2202 kvm_inject_page_fault(ctxt->vcpu, old_tss_base, err);
2203 return ret;
2204 }
2205
2206 save_state_to_tss16(ctxt, ops, &tss_seg);
2207
2208 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2209 &err);
2210 if (ret == X86EMUL_PROPAGATE_FAULT) {
2211 /* FIXME: need to provide precise fault address */
2212 kvm_inject_page_fault(ctxt->vcpu, old_tss_base, err);
2213 return ret;
2214 }
2215
2216 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2217 &err);
2218 if (ret == X86EMUL_PROPAGATE_FAULT) {
2219 /* FIXME: need to provide precise fault address */
2220 kvm_inject_page_fault(ctxt->vcpu, new_tss_base, err);
2221 return ret;
2222 }
2223
2224 if (old_tss_sel != 0xffff) {
2225 tss_seg.prev_task_link = old_tss_sel;
2226
2227 ret = ops->write_std(new_tss_base,
2228 &tss_seg.prev_task_link,
2229 sizeof tss_seg.prev_task_link,
2230 ctxt->vcpu, &err);
2231 if (ret == X86EMUL_PROPAGATE_FAULT) {
2232 /* FIXME: need to provide precise fault address */
2233 kvm_inject_page_fault(ctxt->vcpu, new_tss_base, err);
2234 return ret;
2235 }
2236 }
2237
2238 return load_state_from_tss16(ctxt, ops, &tss_seg);
2239 }
2240
2241 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2242 struct x86_emulate_ops *ops,
2243 struct tss_segment_32 *tss)
2244 {
2245 struct decode_cache *c = &ctxt->decode;
2246
2247 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
2248 tss->eip = c->eip;
2249 tss->eflags = ctxt->eflags;
2250 tss->eax = c->regs[VCPU_REGS_RAX];
2251 tss->ecx = c->regs[VCPU_REGS_RCX];
2252 tss->edx = c->regs[VCPU_REGS_RDX];
2253 tss->ebx = c->regs[VCPU_REGS_RBX];
2254 tss->esp = c->regs[VCPU_REGS_RSP];
2255 tss->ebp = c->regs[VCPU_REGS_RBP];
2256 tss->esi = c->regs[VCPU_REGS_RSI];
2257 tss->edi = c->regs[VCPU_REGS_RDI];
2258
2259 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2260 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2261 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2262 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2263 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
2264 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
2265 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2266 }
2267
2268 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2269 struct x86_emulate_ops *ops,
2270 struct tss_segment_32 *tss)
2271 {
2272 struct decode_cache *c = &ctxt->decode;
2273 int ret;
2274
2275 if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
2276 kvm_inject_gp(ctxt->vcpu, 0);
2277 return X86EMUL_PROPAGATE_FAULT;
2278 }
2279 c->eip = tss->eip;
2280 ctxt->eflags = tss->eflags | 2;
2281 c->regs[VCPU_REGS_RAX] = tss->eax;
2282 c->regs[VCPU_REGS_RCX] = tss->ecx;
2283 c->regs[VCPU_REGS_RDX] = tss->edx;
2284 c->regs[VCPU_REGS_RBX] = tss->ebx;
2285 c->regs[VCPU_REGS_RSP] = tss->esp;
2286 c->regs[VCPU_REGS_RBP] = tss->ebp;
2287 c->regs[VCPU_REGS_RSI] = tss->esi;
2288 c->regs[VCPU_REGS_RDI] = tss->edi;
2289
2290 /*
2291 * SDM says that segment selectors are loaded before segment
2292 * descriptors
2293 */
2294 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
2295 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2296 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2297 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2298 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2299 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
2300 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
2301
2302 /*
2303 * Now load segment descriptors. If fault happenes at this stage
2304 * it is handled in a context of new task
2305 */
2306 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
2307 if (ret != X86EMUL_CONTINUE)
2308 return ret;
2309 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2310 if (ret != X86EMUL_CONTINUE)
2311 return ret;
2312 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2313 if (ret != X86EMUL_CONTINUE)
2314 return ret;
2315 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2316 if (ret != X86EMUL_CONTINUE)
2317 return ret;
2318 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2319 if (ret != X86EMUL_CONTINUE)
2320 return ret;
2321 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
2322 if (ret != X86EMUL_CONTINUE)
2323 return ret;
2324 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
2325 if (ret != X86EMUL_CONTINUE)
2326 return ret;
2327
2328 return X86EMUL_CONTINUE;
2329 }
2330
2331 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2332 struct x86_emulate_ops *ops,
2333 u16 tss_selector, u16 old_tss_sel,
2334 ulong old_tss_base, struct desc_struct *new_desc)
2335 {
2336 struct tss_segment_32 tss_seg;
2337 int ret;
2338 u32 err, new_tss_base = get_desc_base(new_desc);
2339
2340 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2341 &err);
2342 if (ret == X86EMUL_PROPAGATE_FAULT) {
2343 /* FIXME: need to provide precise fault address */
2344 kvm_inject_page_fault(ctxt->vcpu, old_tss_base, err);
2345 return ret;
2346 }
2347
2348 save_state_to_tss32(ctxt, ops, &tss_seg);
2349
2350 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2351 &err);
2352 if (ret == X86EMUL_PROPAGATE_FAULT) {
2353 /* FIXME: need to provide precise fault address */
2354 kvm_inject_page_fault(ctxt->vcpu, old_tss_base, err);
2355 return ret;
2356 }
2357
2358 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2359 &err);
2360 if (ret == X86EMUL_PROPAGATE_FAULT) {
2361 /* FIXME: need to provide precise fault address */
2362 kvm_inject_page_fault(ctxt->vcpu, new_tss_base, err);
2363 return ret;
2364 }
2365
2366 if (old_tss_sel != 0xffff) {
2367 tss_seg.prev_task_link = old_tss_sel;
2368
2369 ret = ops->write_std(new_tss_base,
2370 &tss_seg.prev_task_link,
2371 sizeof tss_seg.prev_task_link,
2372 ctxt->vcpu, &err);
2373 if (ret == X86EMUL_PROPAGATE_FAULT) {
2374 /* FIXME: need to provide precise fault address */
2375 kvm_inject_page_fault(ctxt->vcpu, new_tss_base, err);
2376 return ret;
2377 }
2378 }
2379
2380 return load_state_from_tss32(ctxt, ops, &tss_seg);
2381 }
2382
2383 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2384 struct x86_emulate_ops *ops,
2385 u16 tss_selector, int reason,
2386 bool has_error_code, u32 error_code)
2387 {
2388 struct desc_struct curr_tss_desc, next_tss_desc;
2389 int ret;
2390 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2391 ulong old_tss_base =
2392 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
2393 u32 desc_limit;
2394
2395 /* FIXME: old_tss_base == ~0 ? */
2396
2397 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2398 if (ret != X86EMUL_CONTINUE)
2399 return ret;
2400 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2401 if (ret != X86EMUL_CONTINUE)
2402 return ret;
2403
2404 /* FIXME: check that next_tss_desc is tss */
2405
2406 if (reason != TASK_SWITCH_IRET) {
2407 if ((tss_selector & 3) > next_tss_desc.dpl ||
2408 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
2409 kvm_inject_gp(ctxt->vcpu, 0);
2410 return X86EMUL_PROPAGATE_FAULT;
2411 }
2412 }
2413
2414 desc_limit = desc_limit_scaled(&next_tss_desc);
2415 if (!next_tss_desc.p ||
2416 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2417 desc_limit < 0x2b)) {
2418 kvm_queue_exception_e(ctxt->vcpu, TS_VECTOR,
2419 tss_selector & 0xfffc);
2420 return X86EMUL_PROPAGATE_FAULT;
2421 }
2422
2423 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2424 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2425 write_segment_descriptor(ctxt, ops, old_tss_sel,
2426 &curr_tss_desc);
2427 }
2428
2429 if (reason == TASK_SWITCH_IRET)
2430 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2431
2432 /* set back link to prev task only if NT bit is set in eflags
2433 note that old_tss_sel is not used afetr this point */
2434 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2435 old_tss_sel = 0xffff;
2436
2437 if (next_tss_desc.type & 8)
2438 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2439 old_tss_base, &next_tss_desc);
2440 else
2441 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2442 old_tss_base, &next_tss_desc);
2443 if (ret != X86EMUL_CONTINUE)
2444 return ret;
2445
2446 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2447 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2448
2449 if (reason != TASK_SWITCH_IRET) {
2450 next_tss_desc.type |= (1 << 1); /* set busy flag */
2451 write_segment_descriptor(ctxt, ops, tss_selector,
2452 &next_tss_desc);
2453 }
2454
2455 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2456 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
2457 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2458
2459 if (has_error_code) {
2460 struct decode_cache *c = &ctxt->decode;
2461
2462 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2463 c->lock_prefix = 0;
2464 c->src.val = (unsigned long) error_code;
2465 emulate_push(ctxt, ops);
2466 }
2467
2468 return ret;
2469 }
2470
2471 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2472 struct x86_emulate_ops *ops,
2473 u16 tss_selector, int reason,
2474 bool has_error_code, u32 error_code)
2475 {
2476 struct decode_cache *c = &ctxt->decode;
2477 int rc;
2478
2479 memset(c, 0, sizeof(struct decode_cache));
2480 c->eip = ctxt->eip;
2481 memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
2482 c->dst.type = OP_NONE;
2483
2484 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2485 has_error_code, error_code);
2486
2487 if (rc == X86EMUL_CONTINUE) {
2488 memcpy(ctxt->vcpu->arch.regs, c->regs, sizeof c->regs);
2489 kvm_rip_write(ctxt->vcpu, c->eip);
2490 rc = writeback(ctxt, ops);
2491 }
2492
2493 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2494 }
2495
2496 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2497 int reg, struct operand *op)
2498 {
2499 struct decode_cache *c = &ctxt->decode;
2500 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2501
2502 register_address_increment(c, &c->regs[reg], df * op->bytes);
2503 op->ptr = (unsigned long *)register_address(c, base, c->regs[reg]);
2504 }
2505
2506 int
2507 x86_emulate_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2508 {
2509 u64 msr_data;
2510 struct decode_cache *c = &ctxt->decode;
2511 int rc = X86EMUL_CONTINUE;
2512 int saved_dst_type = c->dst.type;
2513
2514 ctxt->interruptibility = 0;
2515 ctxt->decode.mem_read.pos = 0;
2516
2517 /* Shadow copy of register state. Committed on successful emulation.
2518 * NOTE: we can copy them from vcpu as x86_decode_insn() doesn't
2519 * modify them.
2520 */
2521
2522 memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
2523
2524 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2525 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2526 goto done;
2527 }
2528
2529 /* LOCK prefix is allowed only with some instructions */
2530 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2531 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2532 goto done;
2533 }
2534
2535 /* Privileged instruction can be executed only in CPL=0 */
2536 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2537 kvm_inject_gp(ctxt->vcpu, 0);
2538 goto done;
2539 }
2540
2541 if (c->rep_prefix && (c->d & String)) {
2542 ctxt->restart = true;
2543 /* All REP prefixes have the same first termination condition */
2544 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2545 string_done:
2546 ctxt->restart = false;
2547 kvm_rip_write(ctxt->vcpu, c->eip);
2548 goto done;
2549 }
2550 /* The second termination condition only applies for REPE
2551 * and REPNE. Test if the repeat string operation prefix is
2552 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
2553 * corresponding termination condition according to:
2554 * - if REPE/REPZ and ZF = 0 then done
2555 * - if REPNE/REPNZ and ZF = 1 then done
2556 */
2557 if ((c->b == 0xa6) || (c->b == 0xa7) ||
2558 (c->b == 0xae) || (c->b == 0xaf)) {
2559 if ((c->rep_prefix == REPE_PREFIX) &&
2560 ((ctxt->eflags & EFLG_ZF) == 0))
2561 goto string_done;
2562 if ((c->rep_prefix == REPNE_PREFIX) &&
2563 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
2564 goto string_done;
2565 }
2566 c->eip = ctxt->eip;
2567 }
2568
2569 if (c->src.type == OP_MEM) {
2570 rc = read_emulated(ctxt, ops, (unsigned long)c->src.ptr,
2571 c->src.valptr, c->src.bytes);
2572 if (rc != X86EMUL_CONTINUE)
2573 goto done;
2574 c->src.orig_val = c->src.val;
2575 }
2576
2577 if (c->src2.type == OP_MEM) {
2578 rc = read_emulated(ctxt, ops, (unsigned long)c->src2.ptr,
2579 &c->src2.val, c->src2.bytes);
2580 if (rc != X86EMUL_CONTINUE)
2581 goto done;
2582 }
2583
2584 if ((c->d & DstMask) == ImplicitOps)
2585 goto special_insn;
2586
2587
2588 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
2589 /* optimisation - avoid slow emulated read if Mov */
2590 rc = read_emulated(ctxt, ops, (unsigned long)c->dst.ptr,
2591 &c->dst.val, c->dst.bytes);
2592 if (rc != X86EMUL_CONTINUE)
2593 goto done;
2594 }
2595 c->dst.orig_val = c->dst.val;
2596
2597 special_insn:
2598
2599 if (c->twobyte)
2600 goto twobyte_insn;
2601
2602 switch (c->b) {
2603 case 0x00 ... 0x05:
2604 add: /* add */
2605 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2606 break;
2607 case 0x06: /* push es */
2608 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
2609 break;
2610 case 0x07: /* pop es */
2611 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2612 if (rc != X86EMUL_CONTINUE)
2613 goto done;
2614 break;
2615 case 0x08 ... 0x0d:
2616 or: /* or */
2617 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2618 break;
2619 case 0x0e: /* push cs */
2620 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
2621 break;
2622 case 0x10 ... 0x15:
2623 adc: /* adc */
2624 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2625 break;
2626 case 0x16: /* push ss */
2627 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
2628 break;
2629 case 0x17: /* pop ss */
2630 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2631 if (rc != X86EMUL_CONTINUE)
2632 goto done;
2633 break;
2634 case 0x18 ... 0x1d:
2635 sbb: /* sbb */
2636 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2637 break;
2638 case 0x1e: /* push ds */
2639 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
2640 break;
2641 case 0x1f: /* pop ds */
2642 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2643 if (rc != X86EMUL_CONTINUE)
2644 goto done;
2645 break;
2646 case 0x20 ... 0x25:
2647 and: /* and */
2648 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2649 break;
2650 case 0x28 ... 0x2d:
2651 sub: /* sub */
2652 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2653 break;
2654 case 0x30 ... 0x35:
2655 xor: /* xor */
2656 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2657 break;
2658 case 0x38 ... 0x3d:
2659 cmp: /* cmp */
2660 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2661 break;
2662 case 0x40 ... 0x47: /* inc r16/r32 */
2663 emulate_1op("inc", c->dst, ctxt->eflags);
2664 break;
2665 case 0x48 ... 0x4f: /* dec r16/r32 */
2666 emulate_1op("dec", c->dst, ctxt->eflags);
2667 break;
2668 case 0x50 ... 0x57: /* push reg */
2669 emulate_push(ctxt, ops);
2670 break;
2671 case 0x58 ... 0x5f: /* pop reg */
2672 pop_instruction:
2673 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2674 if (rc != X86EMUL_CONTINUE)
2675 goto done;
2676 break;
2677 case 0x60: /* pusha */
2678 emulate_pusha(ctxt, ops);
2679 break;
2680 case 0x61: /* popa */
2681 rc = emulate_popa(ctxt, ops);
2682 if (rc != X86EMUL_CONTINUE)
2683 goto done;
2684 break;
2685 case 0x63: /* movsxd */
2686 if (ctxt->mode != X86EMUL_MODE_PROT64)
2687 goto cannot_emulate;
2688 c->dst.val = (s32) c->src.val;
2689 break;
2690 case 0x68: /* push imm */
2691 case 0x6a: /* push imm8 */
2692 emulate_push(ctxt, ops);
2693 break;
2694 case 0x6c: /* insb */
2695 case 0x6d: /* insw/insd */
2696 c->dst.bytes = min(c->dst.bytes, 4u);
2697 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2698 c->dst.bytes)) {
2699 kvm_inject_gp(ctxt->vcpu, 0);
2700 goto done;
2701 }
2702 if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
2703 c->regs[VCPU_REGS_RDX], &c->dst.val))
2704 goto done; /* IO is needed, skip writeback */
2705 break;
2706 case 0x6e: /* outsb */
2707 case 0x6f: /* outsw/outsd */
2708 c->src.bytes = min(c->src.bytes, 4u);
2709 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2710 c->src.bytes)) {
2711 kvm_inject_gp(ctxt->vcpu, 0);
2712 goto done;
2713 }
2714 ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
2715 &c->src.val, 1, ctxt->vcpu);
2716
2717 c->dst.type = OP_NONE; /* nothing to writeback */
2718 break;
2719 case 0x70 ... 0x7f: /* jcc (short) */
2720 if (test_cc(c->b, ctxt->eflags))
2721 jmp_rel(c, c->src.val);
2722 break;
2723 case 0x80 ... 0x83: /* Grp1 */
2724 switch (c->modrm_reg) {
2725 case 0:
2726 goto add;
2727 case 1:
2728 goto or;
2729 case 2:
2730 goto adc;
2731 case 3:
2732 goto sbb;
2733 case 4:
2734 goto and;
2735 case 5:
2736 goto sub;
2737 case 6:
2738 goto xor;
2739 case 7:
2740 goto cmp;
2741 }
2742 break;
2743 case 0x84 ... 0x85:
2744 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2745 break;
2746 case 0x86 ... 0x87: /* xchg */
2747 xchg:
2748 /* Write back the register source. */
2749 switch (c->dst.bytes) {
2750 case 1:
2751 *(u8 *) c->src.ptr = (u8) c->dst.val;
2752 break;
2753 case 2:
2754 *(u16 *) c->src.ptr = (u16) c->dst.val;
2755 break;
2756 case 4:
2757 *c->src.ptr = (u32) c->dst.val;
2758 break; /* 64b reg: zero-extend */
2759 case 8:
2760 *c->src.ptr = c->dst.val;
2761 break;
2762 }
2763 /*
2764 * Write back the memory destination with implicit LOCK
2765 * prefix.
2766 */
2767 c->dst.val = c->src.val;
2768 c->lock_prefix = 1;
2769 break;
2770 case 0x88 ... 0x8b: /* mov */
2771 goto mov;
2772 case 0x8c: /* mov r/m, sreg */
2773 if (c->modrm_reg > VCPU_SREG_GS) {
2774 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2775 goto done;
2776 }
2777 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
2778 break;
2779 case 0x8d: /* lea r16/r32, m */
2780 c->dst.val = c->modrm_ea;
2781 break;
2782 case 0x8e: { /* mov seg, r/m16 */
2783 uint16_t sel;
2784
2785 sel = c->src.val;
2786
2787 if (c->modrm_reg == VCPU_SREG_CS ||
2788 c->modrm_reg > VCPU_SREG_GS) {
2789 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2790 goto done;
2791 }
2792
2793 if (c->modrm_reg == VCPU_SREG_SS)
2794 toggle_interruptibility(ctxt, KVM_X86_SHADOW_INT_MOV_SS);
2795
2796 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
2797
2798 c->dst.type = OP_NONE; /* Disable writeback. */
2799 break;
2800 }
2801 case 0x8f: /* pop (sole member of Grp1a) */
2802 rc = emulate_grp1a(ctxt, ops);
2803 if (rc != X86EMUL_CONTINUE)
2804 goto done;
2805 break;
2806 case 0x90: /* nop / xchg r8,rax */
2807 if (c->dst.ptr == (unsigned long *)&c->regs[VCPU_REGS_RAX]) {
2808 c->dst.type = OP_NONE; /* nop */
2809 break;
2810 }
2811 case 0x91 ... 0x97: /* xchg reg,rax */
2812 c->src.type = OP_REG;
2813 c->src.bytes = c->op_bytes;
2814 c->src.ptr = (unsigned long *) &c->regs[VCPU_REGS_RAX];
2815 c->src.val = *(c->src.ptr);
2816 goto xchg;
2817 case 0x9c: /* pushf */
2818 c->src.val = (unsigned long) ctxt->eflags;
2819 emulate_push(ctxt, ops);
2820 break;
2821 case 0x9d: /* popf */
2822 c->dst.type = OP_REG;
2823 c->dst.ptr = (unsigned long *) &ctxt->eflags;
2824 c->dst.bytes = c->op_bytes;
2825 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
2826 if (rc != X86EMUL_CONTINUE)
2827 goto done;
2828 break;
2829 case 0xa0 ... 0xa1: /* mov */
2830 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
2831 c->dst.val = c->src.val;
2832 break;
2833 case 0xa2 ... 0xa3: /* mov */
2834 c->dst.val = (unsigned long)c->regs[VCPU_REGS_RAX];
2835 break;
2836 case 0xa4 ... 0xa5: /* movs */
2837 goto mov;
2838 case 0xa6 ... 0xa7: /* cmps */
2839 c->dst.type = OP_NONE; /* Disable writeback. */
2840 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.ptr, c->dst.ptr);
2841 goto cmp;
2842 case 0xaa ... 0xab: /* stos */
2843 c->dst.val = c->regs[VCPU_REGS_RAX];
2844 break;
2845 case 0xac ... 0xad: /* lods */
2846 goto mov;
2847 case 0xae ... 0xaf: /* scas */
2848 DPRINTF("Urk! I don't handle SCAS.\n");
2849 goto cannot_emulate;
2850 case 0xb0 ... 0xbf: /* mov r, imm */
2851 goto mov;
2852 case 0xc0 ... 0xc1:
2853 emulate_grp2(ctxt);
2854 break;
2855 case 0xc3: /* ret */
2856 c->dst.type = OP_REG;
2857 c->dst.ptr = &c->eip;
2858 c->dst.bytes = c->op_bytes;
2859 goto pop_instruction;
2860 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
2861 mov:
2862 c->dst.val = c->src.val;
2863 break;
2864 case 0xcb: /* ret far */
2865 rc = emulate_ret_far(ctxt, ops);
2866 if (rc != X86EMUL_CONTINUE)
2867 goto done;
2868 break;
2869 case 0xd0 ... 0xd1: /* Grp2 */
2870 c->src.val = 1;
2871 emulate_grp2(ctxt);
2872 break;
2873 case 0xd2 ... 0xd3: /* Grp2 */
2874 c->src.val = c->regs[VCPU_REGS_RCX];
2875 emulate_grp2(ctxt);
2876 break;
2877 case 0xe4: /* inb */
2878 case 0xe5: /* in */
2879 goto do_io_in;
2880 case 0xe6: /* outb */
2881 case 0xe7: /* out */
2882 goto do_io_out;
2883 case 0xe8: /* call (near) */ {
2884 long int rel = c->src.val;
2885 c->src.val = (unsigned long) c->eip;
2886 jmp_rel(c, rel);
2887 emulate_push(ctxt, ops);
2888 break;
2889 }
2890 case 0xe9: /* jmp rel */
2891 goto jmp;
2892 case 0xea: { /* jmp far */
2893 unsigned short sel;
2894 jump_far:
2895 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
2896
2897 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
2898 goto done;
2899
2900 c->eip = 0;
2901 memcpy(&c->eip, c->src.valptr, c->op_bytes);
2902 break;
2903 }
2904 case 0xeb:
2905 jmp: /* jmp rel short */
2906 jmp_rel(c, c->src.val);
2907 c->dst.type = OP_NONE; /* Disable writeback. */
2908 break;
2909 case 0xec: /* in al,dx */
2910 case 0xed: /* in (e/r)ax,dx */
2911 c->src.val = c->regs[VCPU_REGS_RDX];
2912 do_io_in:
2913 c->dst.bytes = min(c->dst.bytes, 4u);
2914 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
2915 kvm_inject_gp(ctxt->vcpu, 0);
2916 goto done;
2917 }
2918 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
2919 &c->dst.val))
2920 goto done; /* IO is needed */
2921 break;
2922 case 0xee: /* out al,dx */
2923 case 0xef: /* out (e/r)ax,dx */
2924 c->src.val = c->regs[VCPU_REGS_RDX];
2925 do_io_out:
2926 c->dst.bytes = min(c->dst.bytes, 4u);
2927 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
2928 kvm_inject_gp(ctxt->vcpu, 0);
2929 goto done;
2930 }
2931 ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
2932 ctxt->vcpu);
2933 c->dst.type = OP_NONE; /* Disable writeback. */
2934 break;
2935 case 0xf4: /* hlt */
2936 ctxt->vcpu->arch.halt_request = 1;
2937 break;
2938 case 0xf5: /* cmc */
2939 /* complement carry flag from eflags reg */
2940 ctxt->eflags ^= EFLG_CF;
2941 c->dst.type = OP_NONE; /* Disable writeback. */
2942 break;
2943 case 0xf6 ... 0xf7: /* Grp3 */
2944 if (!emulate_grp3(ctxt, ops))
2945 goto cannot_emulate;
2946 break;
2947 case 0xf8: /* clc */
2948 ctxt->eflags &= ~EFLG_CF;
2949 c->dst.type = OP_NONE; /* Disable writeback. */
2950 break;
2951 case 0xfa: /* cli */
2952 if (emulator_bad_iopl(ctxt, ops))
2953 kvm_inject_gp(ctxt->vcpu, 0);
2954 else {
2955 ctxt->eflags &= ~X86_EFLAGS_IF;
2956 c->dst.type = OP_NONE; /* Disable writeback. */
2957 }
2958 break;
2959 case 0xfb: /* sti */
2960 if (emulator_bad_iopl(ctxt, ops))
2961 kvm_inject_gp(ctxt->vcpu, 0);
2962 else {
2963 toggle_interruptibility(ctxt, KVM_X86_SHADOW_INT_STI);
2964 ctxt->eflags |= X86_EFLAGS_IF;
2965 c->dst.type = OP_NONE; /* Disable writeback. */
2966 }
2967 break;
2968 case 0xfc: /* cld */
2969 ctxt->eflags &= ~EFLG_DF;
2970 c->dst.type = OP_NONE; /* Disable writeback. */
2971 break;
2972 case 0xfd: /* std */
2973 ctxt->eflags |= EFLG_DF;
2974 c->dst.type = OP_NONE; /* Disable writeback. */
2975 break;
2976 case 0xfe: /* Grp4 */
2977 grp45:
2978 rc = emulate_grp45(ctxt, ops);
2979 if (rc != X86EMUL_CONTINUE)
2980 goto done;
2981 break;
2982 case 0xff: /* Grp5 */
2983 if (c->modrm_reg == 5)
2984 goto jump_far;
2985 goto grp45;
2986 }
2987
2988 writeback:
2989 rc = writeback(ctxt, ops);
2990 if (rc != X86EMUL_CONTINUE)
2991 goto done;
2992
2993 /*
2994 * restore dst type in case the decoding will be reused
2995 * (happens for string instruction )
2996 */
2997 c->dst.type = saved_dst_type;
2998
2999 if ((c->d & SrcMask) == SrcSI)
3000 string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
3001 VCPU_REGS_RSI, &c->src);
3002
3003 if ((c->d & DstMask) == DstDI)
3004 string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
3005 &c->dst);
3006
3007 if (c->rep_prefix && (c->d & String)) {
3008 struct read_cache *rc = &ctxt->decode.io_read;
3009 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3010 /*
3011 * Re-enter guest when pio read ahead buffer is empty or,
3012 * if it is not used, after each 1024 iteration.
3013 */
3014 if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
3015 (rc->end != 0 && rc->end == rc->pos))
3016 ctxt->restart = false;
3017 }
3018 /*
3019 * reset read cache here in case string instruction is restared
3020 * without decoding
3021 */
3022 ctxt->decode.mem_read.end = 0;
3023 /* Commit shadow register state. */
3024 memcpy(ctxt->vcpu->arch.regs, c->regs, sizeof c->regs);
3025 kvm_rip_write(ctxt->vcpu, c->eip);
3026 ops->set_rflags(ctxt->vcpu, ctxt->eflags);
3027
3028 done:
3029 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
3030
3031 twobyte_insn:
3032 switch (c->b) {
3033 case 0x01: /* lgdt, lidt, lmsw */
3034 switch (c->modrm_reg) {
3035 u16 size;
3036 unsigned long address;
3037
3038 case 0: /* vmcall */
3039 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3040 goto cannot_emulate;
3041
3042 rc = kvm_fix_hypercall(ctxt->vcpu);
3043 if (rc != X86EMUL_CONTINUE)
3044 goto done;
3045
3046 /* Let the processor re-execute the fixed hypercall */
3047 c->eip = ctxt->eip;
3048 /* Disable writeback. */
3049 c->dst.type = OP_NONE;
3050 break;
3051 case 2: /* lgdt */
3052 rc = read_descriptor(ctxt, ops, c->src.ptr,
3053 &size, &address, c->op_bytes);
3054 if (rc != X86EMUL_CONTINUE)
3055 goto done;
3056 realmode_lgdt(ctxt->vcpu, size, address);
3057 /* Disable writeback. */
3058 c->dst.type = OP_NONE;
3059 break;
3060 case 3: /* lidt/vmmcall */
3061 if (c->modrm_mod == 3) {
3062 switch (c->modrm_rm) {
3063 case 1:
3064 rc = kvm_fix_hypercall(ctxt->vcpu);
3065 if (rc != X86EMUL_CONTINUE)
3066 goto done;
3067 break;
3068 default:
3069 goto cannot_emulate;
3070 }
3071 } else {
3072 rc = read_descriptor(ctxt, ops, c->src.ptr,
3073 &size, &address,
3074 c->op_bytes);
3075 if (rc != X86EMUL_CONTINUE)
3076 goto done;
3077 realmode_lidt(ctxt->vcpu, size, address);
3078 }
3079 /* Disable writeback. */
3080 c->dst.type = OP_NONE;
3081 break;
3082 case 4: /* smsw */
3083 c->dst.bytes = 2;
3084 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3085 break;
3086 case 6: /* lmsw */
3087 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0ful) |
3088 (c->src.val & 0x0f), ctxt->vcpu);
3089 c->dst.type = OP_NONE;
3090 break;
3091 case 5: /* not defined */
3092 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
3093 goto done;
3094 case 7: /* invlpg*/
3095 emulate_invlpg(ctxt->vcpu, c->modrm_ea);
3096 /* Disable writeback. */
3097 c->dst.type = OP_NONE;
3098 break;
3099 default:
3100 goto cannot_emulate;
3101 }
3102 break;
3103 case 0x05: /* syscall */
3104 rc = emulate_syscall(ctxt, ops);
3105 if (rc != X86EMUL_CONTINUE)
3106 goto done;
3107 else
3108 goto writeback;
3109 break;
3110 case 0x06:
3111 emulate_clts(ctxt->vcpu);
3112 c->dst.type = OP_NONE;
3113 break;
3114 case 0x08: /* invd */
3115 case 0x09: /* wbinvd */
3116 case 0x0d: /* GrpP (prefetch) */
3117 case 0x18: /* Grp16 (prefetch/nop) */
3118 c->dst.type = OP_NONE;
3119 break;
3120 case 0x20: /* mov cr, reg */
3121 switch (c->modrm_reg) {
3122 case 1:
3123 case 5 ... 7:
3124 case 9 ... 15:
3125 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
3126 goto done;
3127 }
3128 c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3129 c->dst.type = OP_NONE; /* no writeback */
3130 break;
3131 case 0x21: /* mov from dr to reg */
3132 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3133 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3134 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
3135 goto done;
3136 }
3137 ops->get_dr(c->modrm_reg, &c->regs[c->modrm_rm], ctxt->vcpu);
3138 c->dst.type = OP_NONE; /* no writeback */
3139 break;
3140 case 0x22: /* mov reg, cr */
3141 if (ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu)) {
3142 kvm_inject_gp(ctxt->vcpu, 0);
3143 goto done;
3144 }
3145 c->dst.type = OP_NONE;
3146 break;
3147 case 0x23: /* mov from reg to dr */
3148 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3149 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3150 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
3151 goto done;
3152 }
3153
3154 if (ops->set_dr(c->modrm_reg, c->regs[c->modrm_rm] &
3155 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3156 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3157 /* #UD condition is already handled by the code above */
3158 kvm_inject_gp(ctxt->vcpu, 0);
3159 goto done;
3160 }
3161
3162 c->dst.type = OP_NONE; /* no writeback */
3163 break;
3164 case 0x30:
3165 /* wrmsr */
3166 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3167 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3168 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3169 kvm_inject_gp(ctxt->vcpu, 0);
3170 goto done;
3171 }
3172 rc = X86EMUL_CONTINUE;
3173 c->dst.type = OP_NONE;
3174 break;
3175 case 0x32:
3176 /* rdmsr */
3177 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3178 kvm_inject_gp(ctxt->vcpu, 0);
3179 goto done;
3180 } else {
3181 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3182 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3183 }
3184 rc = X86EMUL_CONTINUE;
3185 c->dst.type = OP_NONE;
3186 break;
3187 case 0x34: /* sysenter */
3188 rc = emulate_sysenter(ctxt, ops);
3189 if (rc != X86EMUL_CONTINUE)
3190 goto done;
3191 else
3192 goto writeback;
3193 break;
3194 case 0x35: /* sysexit */
3195 rc = emulate_sysexit(ctxt, ops);
3196 if (rc != X86EMUL_CONTINUE)
3197 goto done;
3198 else
3199 goto writeback;
3200 break;
3201 case 0x40 ... 0x4f: /* cmov */
3202 c->dst.val = c->dst.orig_val = c->src.val;
3203 if (!test_cc(c->b, ctxt->eflags))
3204 c->dst.type = OP_NONE; /* no writeback */
3205 break;
3206 case 0x80 ... 0x8f: /* jnz rel, etc*/
3207 if (test_cc(c->b, ctxt->eflags))
3208 jmp_rel(c, c->src.val);
3209 c->dst.type = OP_NONE;
3210 break;
3211 case 0xa0: /* push fs */
3212 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3213 break;
3214 case 0xa1: /* pop fs */
3215 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3216 if (rc != X86EMUL_CONTINUE)
3217 goto done;
3218 break;
3219 case 0xa3:
3220 bt: /* bt */
3221 c->dst.type = OP_NONE;
3222 /* only subword offset */
3223 c->src.val &= (c->dst.bytes << 3) - 1;
3224 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3225 break;
3226 case 0xa4: /* shld imm8, r, r/m */
3227 case 0xa5: /* shld cl, r, r/m */
3228 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3229 break;
3230 case 0xa8: /* push gs */
3231 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3232 break;
3233 case 0xa9: /* pop gs */
3234 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3235 if (rc != X86EMUL_CONTINUE)
3236 goto done;
3237 break;
3238 case 0xab:
3239 bts: /* bts */
3240 /* only subword offset */
3241 c->src.val &= (c->dst.bytes << 3) - 1;
3242 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3243 break;
3244 case 0xac: /* shrd imm8, r, r/m */
3245 case 0xad: /* shrd cl, r, r/m */
3246 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3247 break;
3248 case 0xae: /* clflush */
3249 break;
3250 case 0xb0 ... 0xb1: /* cmpxchg */
3251 /*
3252 * Save real source value, then compare EAX against
3253 * destination.
3254 */
3255 c->src.orig_val = c->src.val;
3256 c->src.val = c->regs[VCPU_REGS_RAX];
3257 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3258 if (ctxt->eflags & EFLG_ZF) {
3259 /* Success: write back to memory. */
3260 c->dst.val = c->src.orig_val;
3261 } else {
3262 /* Failure: write the value we saw to EAX. */
3263 c->dst.type = OP_REG;
3264 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3265 }
3266 break;
3267 case 0xb3:
3268 btr: /* btr */
3269 /* only subword offset */
3270 c->src.val &= (c->dst.bytes << 3) - 1;
3271 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3272 break;
3273 case 0xb6 ... 0xb7: /* movzx */
3274 c->dst.bytes = c->op_bytes;
3275 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3276 : (u16) c->src.val;
3277 break;
3278 case 0xba: /* Grp8 */
3279 switch (c->modrm_reg & 3) {
3280 case 0:
3281 goto bt;
3282 case 1:
3283 goto bts;
3284 case 2:
3285 goto btr;
3286 case 3:
3287 goto btc;
3288 }
3289 break;
3290 case 0xbb:
3291 btc: /* btc */
3292 /* only subword offset */
3293 c->src.val &= (c->dst.bytes << 3) - 1;
3294 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3295 break;
3296 case 0xbe ... 0xbf: /* movsx */
3297 c->dst.bytes = c->op_bytes;
3298 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3299 (s16) c->src.val;
3300 break;
3301 case 0xc3: /* movnti */
3302 c->dst.bytes = c->op_bytes;
3303 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3304 (u64) c->src.val;
3305 break;
3306 case 0xc7: /* Grp9 (cmpxchg8b) */
3307 rc = emulate_grp9(ctxt, ops);
3308 if (rc != X86EMUL_CONTINUE)
3309 goto done;
3310 break;
3311 }
3312 goto writeback;
3313
3314 cannot_emulate:
3315 DPRINTF("Cannot emulate %02x\n", c->b);
3316 return -1;
3317 }
(deprecated) Btrfs devel tree