search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
KVM: Use task switch from emulator.c
[linux-2.6/btrfs-unstable.git] / arch / x86 / kvm / emulate.c
blob8225ec26efed1bbf9b3fba28b88c8223efdd59e3
1 /******************************************************************************
2 * emulate.c
3 *
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5 *
6 * Copyright (c) 2005 Keir Fraser
7 *
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
10 *
11 * Copyright (C) 2006 Qumranet
12 *
13 * Avi Kivity <avi@qumranet.com>
14 * Yaniv Kamay <yaniv@qumranet.com>
15 *
16 * This work is licensed under the terms of the GNU GPL, version 2. See
17 * the COPYING file in the top-level directory.
18 *
19 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
20 */
21
22 #ifndef __KERNEL__
23 #include <stdio.h>
24 #include <stdint.h>
25 #include <public/xen.h>
26 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
27 #else
28 #include <linux/kvm_host.h>
29 #include "kvm_cache_regs.h"
30 #define DPRINTF(x...) do {} while (0)
31 #endif
32 #include <linux/module.h>
33 #include <asm/kvm_emulate.h>
34
35 #include "x86.h"
36 #include "tss.h"
37
38 /*
39 * Opcode effective-address decode tables.
40 * Note that we only emulate instructions that have at least one memory
41 * operand (excluding implicit stack references). We assume that stack
42 * references and instruction fetches will never occur in special memory
43 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
44 * not be handled.
45 */
46
47 /* Operand sizes: 8-bit operands or specified/overridden size. */
48 #define ByteOp (1<<0) /* 8-bit operands. */
49 /* Destination operand type. */
50 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
51 #define DstReg (2<<1) /* Register operand. */
52 #define DstMem (3<<1) /* Memory operand. */
53 #define DstAcc (4<<1) /* Destination Accumulator */
54 #define DstMask (7<<1)
55 /* Source operand type. */
56 #define SrcNone (0<<4) /* No source operand. */
57 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
58 #define SrcReg (1<<4) /* Register operand. */
59 #define SrcMem (2<<4) /* Memory operand. */
60 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
61 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
62 #define SrcImm (5<<4) /* Immediate operand. */
63 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
64 #define SrcOne (7<<4) /* Implied '1' */
65 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
66 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
67 #define SrcMask (0xf<<4)
68 /* Generic ModRM decode. */
69 #define ModRM (1<<8)
70 /* Destination is only written; never read. */
71 #define Mov (1<<9)
72 #define BitOp (1<<10)
73 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
74 #define String (1<<12) /* String instruction (rep capable) */
75 #define Stack (1<<13) /* Stack instruction (push/pop) */
76 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
77 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
78 #define GroupMask 0xff /* Group number stored in bits 0:7 */
79 /* Misc flags */
80 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
81 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
82 #define No64 (1<<28)
83 /* Source 2 operand type */
84 #define Src2None (0<<29)
85 #define Src2CL (1<<29)
86 #define Src2ImmByte (2<<29)
87 #define Src2One (3<<29)
88 #define Src2Imm16 (4<<29)
89 #define Src2Mem16 (5<<29) /* Used for Ep encoding. First argument has to be
90 in memory and second argument is located
91 immediately after the first one in memory. */
92 #define Src2Mask (7<<29)
93
94 enum {
95 Group1_80, Group1_81, Group1_82, Group1_83,
96 Group1A, Group3_Byte, Group3, Group4, Group5, Group7,
97 Group8, Group9,
98 };
99
100 static u32 opcode_table[256] = {
101 /* 0x00 - 0x07 */
102 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
103 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
104 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
105 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
106 /* 0x08 - 0x0F */
107 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
108 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
109 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
110 ImplicitOps | Stack | No64, 0,
111 /* 0x10 - 0x17 */
112 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
113 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
114 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
115 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
116 /* 0x18 - 0x1F */
117 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
118 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
119 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
120 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
121 /* 0x20 - 0x27 */
122 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
123 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
124 DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
125 /* 0x28 - 0x2F */
126 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
127 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
128 0, 0, 0, 0,
129 /* 0x30 - 0x37 */
130 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
131 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
132 0, 0, 0, 0,
133 /* 0x38 - 0x3F */
134 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
135 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
136 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
137 0, 0,
138 /* 0x40 - 0x47 */
139 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
140 /* 0x48 - 0x4F */
141 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
142 /* 0x50 - 0x57 */
143 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
144 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
145 /* 0x58 - 0x5F */
146 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
147 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
148 /* 0x60 - 0x67 */
149 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
150 0, DstReg | SrcMem32 | ModRM | Mov /* movsxd (x86/64) */ ,
151 0, 0, 0, 0,
152 /* 0x68 - 0x6F */
153 SrcImm | Mov | Stack, 0, SrcImmByte | Mov | Stack, 0,
154 SrcNone | ByteOp | ImplicitOps, SrcNone | ImplicitOps, /* insb, insw/insd */
155 SrcNone | ByteOp | ImplicitOps, SrcNone | ImplicitOps, /* outsb, outsw/outsd */
156 /* 0x70 - 0x77 */
157 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
158 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
159 /* 0x78 - 0x7F */
160 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
161 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
162 /* 0x80 - 0x87 */
163 Group | Group1_80, Group | Group1_81,
164 Group | Group1_82, Group | Group1_83,
165 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
166 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
167 /* 0x88 - 0x8F */
168 ByteOp | DstMem | SrcReg | ModRM | Mov, DstMem | SrcReg | ModRM | Mov,
169 ByteOp | DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
170 DstMem | SrcReg | ModRM | Mov, ModRM | DstReg,
171 DstReg | SrcMem | ModRM | Mov, Group | Group1A,
172 /* 0x90 - 0x97 */
173 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
174 /* 0x98 - 0x9F */
175 0, 0, SrcImm | Src2Imm16 | No64, 0,
176 ImplicitOps | Stack, ImplicitOps | Stack, 0, 0,
177 /* 0xA0 - 0xA7 */
178 ByteOp | DstReg | SrcMem | Mov | MemAbs, DstReg | SrcMem | Mov | MemAbs,
179 ByteOp | DstMem | SrcReg | Mov | MemAbs, DstMem | SrcReg | Mov | MemAbs,
180 ByteOp | ImplicitOps | Mov | String, ImplicitOps | Mov | String,
181 ByteOp | ImplicitOps | String, ImplicitOps | String,
182 /* 0xA8 - 0xAF */
183 0, 0, ByteOp | ImplicitOps | Mov | String, ImplicitOps | Mov | String,
184 ByteOp | ImplicitOps | Mov | String, ImplicitOps | Mov | String,
185 ByteOp | ImplicitOps | String, ImplicitOps | String,
186 /* 0xB0 - 0xB7 */
187 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
188 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
189 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
190 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
191 /* 0xB8 - 0xBF */
192 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
193 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
194 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
195 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
196 /* 0xC0 - 0xC7 */
197 ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM,
198 0, ImplicitOps | Stack, 0, 0,
199 ByteOp | DstMem | SrcImm | ModRM | Mov, DstMem | SrcImm | ModRM | Mov,
200 /* 0xC8 - 0xCF */
201 0, 0, 0, ImplicitOps | Stack,
202 ImplicitOps, SrcImmByte, ImplicitOps | No64, ImplicitOps,
203 /* 0xD0 - 0xD7 */
204 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
205 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
206 0, 0, 0, 0,
207 /* 0xD8 - 0xDF */
208 0, 0, 0, 0, 0, 0, 0, 0,
209 /* 0xE0 - 0xE7 */
210 0, 0, 0, 0,
211 ByteOp | SrcImmUByte, SrcImmUByte,
212 ByteOp | SrcImmUByte, SrcImmUByte,
213 /* 0xE8 - 0xEF */
214 SrcImm | Stack, SrcImm | ImplicitOps,
215 SrcImmU | Src2Imm16 | No64, SrcImmByte | ImplicitOps,
216 SrcNone | ByteOp | ImplicitOps, SrcNone | ImplicitOps,
217 SrcNone | ByteOp | ImplicitOps, SrcNone | ImplicitOps,
218 /* 0xF0 - 0xF7 */
219 0, 0, 0, 0,
220 ImplicitOps | Priv, ImplicitOps, Group | Group3_Byte, Group | Group3,
221 /* 0xF8 - 0xFF */
222 ImplicitOps, 0, ImplicitOps, ImplicitOps,
223 ImplicitOps, ImplicitOps, Group | Group4, Group | Group5,
224 };
225
226 static u32 twobyte_table[256] = {
227 /* 0x00 - 0x0F */
228 0, Group | GroupDual | Group7, 0, 0,
229 0, ImplicitOps, ImplicitOps | Priv, 0,
230 ImplicitOps | Priv, ImplicitOps | Priv, 0, 0,
231 0, ImplicitOps | ModRM, 0, 0,
232 /* 0x10 - 0x1F */
233 0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0,
234 /* 0x20 - 0x2F */
235 ModRM | ImplicitOps | Priv, ModRM | Priv,
236 ModRM | ImplicitOps | Priv, ModRM | Priv,
237 0, 0, 0, 0,
238 0, 0, 0, 0, 0, 0, 0, 0,
239 /* 0x30 - 0x3F */
240 ImplicitOps | Priv, 0, ImplicitOps | Priv, 0,
241 ImplicitOps, ImplicitOps | Priv, 0, 0,
242 0, 0, 0, 0, 0, 0, 0, 0,
243 /* 0x40 - 0x47 */
244 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
245 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
246 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
247 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
248 /* 0x48 - 0x4F */
249 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
250 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
251 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
252 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
253 /* 0x50 - 0x5F */
254 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
255 /* 0x60 - 0x6F */
256 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
257 /* 0x70 - 0x7F */
258 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
259 /* 0x80 - 0x8F */
260 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
261 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
262 /* 0x90 - 0x9F */
263 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
264 /* 0xA0 - 0xA7 */
265 ImplicitOps | Stack, ImplicitOps | Stack,
266 0, DstMem | SrcReg | ModRM | BitOp,
267 DstMem | SrcReg | Src2ImmByte | ModRM,
268 DstMem | SrcReg | Src2CL | ModRM, 0, 0,
269 /* 0xA8 - 0xAF */
270 ImplicitOps | Stack, ImplicitOps | Stack,
271 0, DstMem | SrcReg | ModRM | BitOp | Lock,
272 DstMem | SrcReg | Src2ImmByte | ModRM,
273 DstMem | SrcReg | Src2CL | ModRM,
274 ModRM, 0,
275 /* 0xB0 - 0xB7 */
276 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
277 0, DstMem | SrcReg | ModRM | BitOp | Lock,
278 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
279 DstReg | SrcMem16 | ModRM | Mov,
280 /* 0xB8 - 0xBF */
281 0, 0,
282 Group | Group8, DstMem | SrcReg | ModRM | BitOp | Lock,
283 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
284 DstReg | SrcMem16 | ModRM | Mov,
285 /* 0xC0 - 0xCF */
286 0, 0, 0, DstMem | SrcReg | ModRM | Mov,
287 0, 0, 0, Group | GroupDual | Group9,
288 0, 0, 0, 0, 0, 0, 0, 0,
289 /* 0xD0 - 0xDF */
290 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
291 /* 0xE0 - 0xEF */
292 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
293 /* 0xF0 - 0xFF */
294 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
295 };
296
297 static u32 group_table[] = {
298 [Group1_80*8] =
299 ByteOp | DstMem | SrcImm | ModRM | Lock,
300 ByteOp | DstMem | SrcImm | ModRM | Lock,
301 ByteOp | DstMem | SrcImm | ModRM | Lock,
302 ByteOp | DstMem | SrcImm | ModRM | Lock,
303 ByteOp | DstMem | SrcImm | ModRM | Lock,
304 ByteOp | DstMem | SrcImm | ModRM | Lock,
305 ByteOp | DstMem | SrcImm | ModRM | Lock,
306 ByteOp | DstMem | SrcImm | ModRM,
307 [Group1_81*8] =
308 DstMem | SrcImm | ModRM | Lock,
309 DstMem | SrcImm | ModRM | Lock,
310 DstMem | SrcImm | ModRM | Lock,
311 DstMem | SrcImm | ModRM | Lock,
312 DstMem | SrcImm | ModRM | Lock,
313 DstMem | SrcImm | ModRM | Lock,
314 DstMem | SrcImm | ModRM | Lock,
315 DstMem | SrcImm | ModRM,
316 [Group1_82*8] =
317 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
318 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
319 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
320 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
321 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
322 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
323 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
324 ByteOp | DstMem | SrcImm | ModRM | No64,
325 [Group1_83*8] =
326 DstMem | SrcImmByte | ModRM | Lock,
327 DstMem | SrcImmByte | ModRM | Lock,
328 DstMem | SrcImmByte | ModRM | Lock,
329 DstMem | SrcImmByte | ModRM | Lock,
330 DstMem | SrcImmByte | ModRM | Lock,
331 DstMem | SrcImmByte | ModRM | Lock,
332 DstMem | SrcImmByte | ModRM | Lock,
333 DstMem | SrcImmByte | ModRM,
334 [Group1A*8] =
335 DstMem | SrcNone | ModRM | Mov | Stack, 0, 0, 0, 0, 0, 0, 0,
336 [Group3_Byte*8] =
337 ByteOp | SrcImm | DstMem | ModRM, 0,
338 ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
339 0, 0, 0, 0,
340 [Group3*8] =
341 DstMem | SrcImm | ModRM, 0,
342 DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
343 0, 0, 0, 0,
344 [Group4*8] =
345 ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
346 0, 0, 0, 0, 0, 0,
347 [Group5*8] =
348 DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
349 SrcMem | ModRM | Stack, 0,
350 SrcMem | ModRM | Stack, SrcMem | ModRM | Src2Mem16 | ImplicitOps,
351 SrcMem | ModRM | Stack, 0,
352 [Group7*8] =
353 0, 0, ModRM | SrcMem | Priv, ModRM | SrcMem | Priv,
354 SrcNone | ModRM | DstMem | Mov, 0,
355 SrcMem16 | ModRM | Mov | Priv, SrcMem | ModRM | ByteOp | Priv,
356 [Group8*8] =
357 0, 0, 0, 0,
358 DstMem | SrcImmByte | ModRM, DstMem | SrcImmByte | ModRM | Lock,
359 DstMem | SrcImmByte | ModRM | Lock, DstMem | SrcImmByte | ModRM | Lock,
360 [Group9*8] =
361 0, ImplicitOps | ModRM | Lock, 0, 0, 0, 0, 0, 0,
362 };
363
364 static u32 group2_table[] = {
365 [Group7*8] =
366 SrcNone | ModRM | Priv, 0, 0, SrcNone | ModRM | Priv,
367 SrcNone | ModRM | DstMem | Mov, 0,
368 SrcMem16 | ModRM | Mov | Priv, 0,
369 [Group9*8] =
370 0, 0, 0, 0, 0, 0, 0, 0,
371 };
372
373 /* EFLAGS bit definitions. */
374 #define EFLG_ID (1<<21)
375 #define EFLG_VIP (1<<20)
376 #define EFLG_VIF (1<<19)
377 #define EFLG_AC (1<<18)
378 #define EFLG_VM (1<<17)
379 #define EFLG_RF (1<<16)
380 #define EFLG_IOPL (3<<12)
381 #define EFLG_NT (1<<14)
382 #define EFLG_OF (1<<11)
383 #define EFLG_DF (1<<10)
384 #define EFLG_IF (1<<9)
385 #define EFLG_TF (1<<8)
386 #define EFLG_SF (1<<7)
387 #define EFLG_ZF (1<<6)
388 #define EFLG_AF (1<<4)
389 #define EFLG_PF (1<<2)
390 #define EFLG_CF (1<<0)
391
392 /*
393 * Instruction emulation:
394 * Most instructions are emulated directly via a fragment of inline assembly
395 * code. This allows us to save/restore EFLAGS and thus very easily pick up
396 * any modified flags.
397 */
398
399 #if defined(CONFIG_X86_64)
400 #define _LO32 "k" /* force 32-bit operand */
401 #define _STK "%%rsp" /* stack pointer */
402 #elif defined(__i386__)
403 #define _LO32 "" /* force 32-bit operand */
404 #define _STK "%%esp" /* stack pointer */
405 #endif
406
407 /*
408 * These EFLAGS bits are restored from saved value during emulation, and
409 * any changes are written back to the saved value after emulation.
410 */
411 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
412
413 /* Before executing instruction: restore necessary bits in EFLAGS. */
414 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
415 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
416 "movl %"_sav",%"_LO32 _tmp"; " \
417 "push %"_tmp"; " \
418 "push %"_tmp"; " \
419 "movl %"_msk",%"_LO32 _tmp"; " \
420 "andl %"_LO32 _tmp",("_STK"); " \
421 "pushf; " \
422 "notl %"_LO32 _tmp"; " \
423 "andl %"_LO32 _tmp",("_STK"); " \
424 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
425 "pop %"_tmp"; " \
426 "orl %"_LO32 _tmp",("_STK"); " \
427 "popf; " \
428 "pop %"_sav"; "
429
430 /* After executing instruction: write-back necessary bits in EFLAGS. */
431 #define _POST_EFLAGS(_sav, _msk, _tmp) \
432 /* _sav |= EFLAGS & _msk; */ \
433 "pushf; " \
434 "pop %"_tmp"; " \
435 "andl %"_msk",%"_LO32 _tmp"; " \
436 "orl %"_LO32 _tmp",%"_sav"; "
437
438 #ifdef CONFIG_X86_64
439 #define ON64(x) x
440 #else
441 #define ON64(x)
442 #endif
443
444 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
445 do { \
446 __asm__ __volatile__ ( \
447 _PRE_EFLAGS("0", "4", "2") \
448 _op _suffix " %"_x"3,%1; " \
449 _POST_EFLAGS("0", "4", "2") \
450 : "=m" (_eflags), "=m" ((_dst).val), \
451 "=&r" (_tmp) \
452 : _y ((_src).val), "i" (EFLAGS_MASK)); \
453 } while (0)
454
455
456 /* Raw emulation: instruction has two explicit operands. */
457 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
458 do { \
459 unsigned long _tmp; \
460 \
461 switch ((_dst).bytes) { \
462 case 2: \
463 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
464 break; \
465 case 4: \
466 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
467 break; \
468 case 8: \
469 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
470 break; \
471 } \
472 } while (0)
473
474 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
475 do { \
476 unsigned long _tmp; \
477 switch ((_dst).bytes) { \
478 case 1: \
479 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
480 break; \
481 default: \
482 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
483 _wx, _wy, _lx, _ly, _qx, _qy); \
484 break; \
485 } \
486 } while (0)
487
488 /* Source operand is byte-sized and may be restricted to just %cl. */
489 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
490 __emulate_2op(_op, _src, _dst, _eflags, \
491 "b", "c", "b", "c", "b", "c", "b", "c")
492
493 /* Source operand is byte, word, long or quad sized. */
494 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
495 __emulate_2op(_op, _src, _dst, _eflags, \
496 "b", "q", "w", "r", _LO32, "r", "", "r")
497
498 /* Source operand is word, long or quad sized. */
499 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
500 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
501 "w", "r", _LO32, "r", "", "r")
502
503 /* Instruction has three operands and one operand is stored in ECX register */
504 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
505 do { \
506 unsigned long _tmp; \
507 _type _clv = (_cl).val; \
508 _type _srcv = (_src).val; \
509 _type _dstv = (_dst).val; \
510 \
511 __asm__ __volatile__ ( \
512 _PRE_EFLAGS("0", "5", "2") \
513 _op _suffix " %4,%1 \n" \
514 _POST_EFLAGS("0", "5", "2") \
515 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
516 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
517 ); \
518 \
519 (_cl).val = (unsigned long) _clv; \
520 (_src).val = (unsigned long) _srcv; \
521 (_dst).val = (unsigned long) _dstv; \
522 } while (0)
523
524 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
525 do { \
526 switch ((_dst).bytes) { \
527 case 2: \
528 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
529 "w", unsigned short); \
530 break; \
531 case 4: \
532 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
533 "l", unsigned int); \
534 break; \
535 case 8: \
536 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
537 "q", unsigned long)); \
538 break; \
539 } \
540 } while (0)
541
542 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
543 do { \
544 unsigned long _tmp; \
545 \
546 __asm__ __volatile__ ( \
547 _PRE_EFLAGS("0", "3", "2") \
548 _op _suffix " %1; " \
549 _POST_EFLAGS("0", "3", "2") \
550 : "=m" (_eflags), "+m" ((_dst).val), \
551 "=&r" (_tmp) \
552 : "i" (EFLAGS_MASK)); \
553 } while (0)
554
555 /* Instruction has only one explicit operand (no source operand). */
556 #define emulate_1op(_op, _dst, _eflags) \
557 do { \
558 switch ((_dst).bytes) { \
559 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
560 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
561 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
562 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
563 } \
564 } while (0)
565
566 /* Fetch next part of the instruction being emulated. */
567 #define insn_fetch(_type, _size, _eip) \
568 ({ unsigned long _x; \
569 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
570 if (rc != X86EMUL_CONTINUE) \
571 goto done; \
572 (_eip) += (_size); \
573 (_type)_x; \
574 })
575
576 static inline unsigned long ad_mask(struct decode_cache *c)
577 {
578 return (1UL << (c->ad_bytes << 3)) - 1;
579 }
580
581 /* Access/update address held in a register, based on addressing mode. */
582 static inline unsigned long
583 address_mask(struct decode_cache *c, unsigned long reg)
584 {
585 if (c->ad_bytes == sizeof(unsigned long))
586 return reg;
587 else
588 return reg & ad_mask(c);
589 }
590
591 static inline unsigned long
592 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
593 {
594 return base + address_mask(c, reg);
595 }
596
597 static inline void
598 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
599 {
600 if (c->ad_bytes == sizeof(unsigned long))
601 *reg += inc;
602 else
603 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
604 }
605
606 static inline void jmp_rel(struct decode_cache *c, int rel)
607 {
608 register_address_increment(c, &c->eip, rel);
609 }
610
611 static void set_seg_override(struct decode_cache *c, int seg)
612 {
613 c->has_seg_override = true;
614 c->seg_override = seg;
615 }
616
617 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
618 {
619 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
620 return 0;
621
622 return kvm_x86_ops->get_segment_base(ctxt->vcpu, seg);
623 }
624
625 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
626 struct decode_cache *c)
627 {
628 if (!c->has_seg_override)
629 return 0;
630
631 return seg_base(ctxt, c->seg_override);
632 }
633
634 static unsigned long es_base(struct x86_emulate_ctxt *ctxt)
635 {
636 return seg_base(ctxt, VCPU_SREG_ES);
637 }
638
639 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt)
640 {
641 return seg_base(ctxt, VCPU_SREG_SS);
642 }
643
644 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
645 struct x86_emulate_ops *ops,
646 unsigned long linear, u8 *dest)
647 {
648 struct fetch_cache *fc = &ctxt->decode.fetch;
649 int rc;
650 int size;
651
652 if (linear < fc->start || linear >= fc->end) {
653 size = min(15UL, PAGE_SIZE - offset_in_page(linear));
654 rc = ops->fetch(linear, fc->data, size, ctxt->vcpu, NULL);
655 if (rc != X86EMUL_CONTINUE)
656 return rc;
657 fc->start = linear;
658 fc->end = linear + size;
659 }
660 *dest = fc->data[linear - fc->start];
661 return X86EMUL_CONTINUE;
662 }
663
664 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
665 struct x86_emulate_ops *ops,
666 unsigned long eip, void *dest, unsigned size)
667 {
668 int rc;
669
670 /* x86 instructions are limited to 15 bytes. */
671 if (eip + size - ctxt->eip > 15)
672 return X86EMUL_UNHANDLEABLE;
673 eip += ctxt->cs_base;
674 while (size--) {
675 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
676 if (rc != X86EMUL_CONTINUE)
677 return rc;
678 }
679 return X86EMUL_CONTINUE;
680 }
681
682 /*
683 * Given the 'reg' portion of a ModRM byte, and a register block, return a
684 * pointer into the block that addresses the relevant register.
685 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
686 */
687 static void *decode_register(u8 modrm_reg, unsigned long *regs,
688 int highbyte_regs)
689 {
690 void *p;
691
692 p = &regs[modrm_reg];
693 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
694 p = (unsigned char *)&regs[modrm_reg & 3] + 1;
695 return p;
696 }
697
698 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
699 struct x86_emulate_ops *ops,
700 void *ptr,
701 u16 *size, unsigned long *address, int op_bytes)
702 {
703 int rc;
704
705 if (op_bytes == 2)
706 op_bytes = 3;
707 *address = 0;
708 rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
709 ctxt->vcpu, NULL);
710 if (rc != X86EMUL_CONTINUE)
711 return rc;
712 rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
713 ctxt->vcpu, NULL);
714 return rc;
715 }
716
717 static int test_cc(unsigned int condition, unsigned int flags)
718 {
719 int rc = 0;
720
721 switch ((condition & 15) >> 1) {
722 case 0: /* o */
723 rc |= (flags & EFLG_OF);
724 break;
725 case 1: /* b/c/nae */
726 rc |= (flags & EFLG_CF);
727 break;
728 case 2: /* z/e */
729 rc |= (flags & EFLG_ZF);
730 break;
731 case 3: /* be/na */
732 rc |= (flags & (EFLG_CF|EFLG_ZF));
733 break;
734 case 4: /* s */
735 rc |= (flags & EFLG_SF);
736 break;
737 case 5: /* p/pe */
738 rc |= (flags & EFLG_PF);
739 break;
740 case 7: /* le/ng */
741 rc |= (flags & EFLG_ZF);
742 /* fall through */
743 case 6: /* l/nge */
744 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
745 break;
746 }
747
748 /* Odd condition identifiers (lsb == 1) have inverted sense. */
749 return (!!rc ^ (condition & 1));
750 }
751
752 static void decode_register_operand(struct operand *op,
753 struct decode_cache *c,
754 int inhibit_bytereg)
755 {
756 unsigned reg = c->modrm_reg;
757 int highbyte_regs = c->rex_prefix == 0;
758
759 if (!(c->d & ModRM))
760 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
761 op->type = OP_REG;
762 if ((c->d & ByteOp) && !inhibit_bytereg) {
763 op->ptr = decode_register(reg, c->regs, highbyte_regs);
764 op->val = *(u8 *)op->ptr;
765 op->bytes = 1;
766 } else {
767 op->ptr = decode_register(reg, c->regs, 0);
768 op->bytes = c->op_bytes;
769 switch (op->bytes) {
770 case 2:
771 op->val = *(u16 *)op->ptr;
772 break;
773 case 4:
774 op->val = *(u32 *)op->ptr;
775 break;
776 case 8:
777 op->val = *(u64 *) op->ptr;
778 break;
779 }
780 }
781 op->orig_val = op->val;
782 }
783
784 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
785 struct x86_emulate_ops *ops)
786 {
787 struct decode_cache *c = &ctxt->decode;
788 u8 sib;
789 int index_reg = 0, base_reg = 0, scale;
790 int rc = X86EMUL_CONTINUE;
791
792 if (c->rex_prefix) {
793 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
794 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
795 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
796 }
797
798 c->modrm = insn_fetch(u8, 1, c->eip);
799 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
800 c->modrm_reg |= (c->modrm & 0x38) >> 3;
801 c->modrm_rm |= (c->modrm & 0x07);
802 c->modrm_ea = 0;
803 c->use_modrm_ea = 1;
804
805 if (c->modrm_mod == 3) {
806 c->modrm_ptr = decode_register(c->modrm_rm,
807 c->regs, c->d & ByteOp);
808 c->modrm_val = *(unsigned long *)c->modrm_ptr;
809 return rc;
810 }
811
812 if (c->ad_bytes == 2) {
813 unsigned bx = c->regs[VCPU_REGS_RBX];
814 unsigned bp = c->regs[VCPU_REGS_RBP];
815 unsigned si = c->regs[VCPU_REGS_RSI];
816 unsigned di = c->regs[VCPU_REGS_RDI];
817
818 /* 16-bit ModR/M decode. */
819 switch (c->modrm_mod) {
820 case 0:
821 if (c->modrm_rm == 6)
822 c->modrm_ea += insn_fetch(u16, 2, c->eip);
823 break;
824 case 1:
825 c->modrm_ea += insn_fetch(s8, 1, c->eip);
826 break;
827 case 2:
828 c->modrm_ea += insn_fetch(u16, 2, c->eip);
829 break;
830 }
831 switch (c->modrm_rm) {
832 case 0:
833 c->modrm_ea += bx + si;
834 break;
835 case 1:
836 c->modrm_ea += bx + di;
837 break;
838 case 2:
839 c->modrm_ea += bp + si;
840 break;
841 case 3:
842 c->modrm_ea += bp + di;
843 break;
844 case 4:
845 c->modrm_ea += si;
846 break;
847 case 5:
848 c->modrm_ea += di;
849 break;
850 case 6:
851 if (c->modrm_mod != 0)
852 c->modrm_ea += bp;
853 break;
854 case 7:
855 c->modrm_ea += bx;
856 break;
857 }
858 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
859 (c->modrm_rm == 6 && c->modrm_mod != 0))
860 if (!c->has_seg_override)
861 set_seg_override(c, VCPU_SREG_SS);
862 c->modrm_ea = (u16)c->modrm_ea;
863 } else {
864 /* 32/64-bit ModR/M decode. */
865 if ((c->modrm_rm & 7) == 4) {
866 sib = insn_fetch(u8, 1, c->eip);
867 index_reg |= (sib >> 3) & 7;
868 base_reg |= sib & 7;
869 scale = sib >> 6;
870
871 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
872 c->modrm_ea += insn_fetch(s32, 4, c->eip);
873 else
874 c->modrm_ea += c->regs[base_reg];
875 if (index_reg != 4)
876 c->modrm_ea += c->regs[index_reg] << scale;
877 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
878 if (ctxt->mode == X86EMUL_MODE_PROT64)
879 c->rip_relative = 1;
880 } else
881 c->modrm_ea += c->regs[c->modrm_rm];
882 switch (c->modrm_mod) {
883 case 0:
884 if (c->modrm_rm == 5)
885 c->modrm_ea += insn_fetch(s32, 4, c->eip);
886 break;
887 case 1:
888 c->modrm_ea += insn_fetch(s8, 1, c->eip);
889 break;
890 case 2:
891 c->modrm_ea += insn_fetch(s32, 4, c->eip);
892 break;
893 }
894 }
895 done:
896 return rc;
897 }
898
899 static int decode_abs(struct x86_emulate_ctxt *ctxt,
900 struct x86_emulate_ops *ops)
901 {
902 struct decode_cache *c = &ctxt->decode;
903 int rc = X86EMUL_CONTINUE;
904
905 switch (c->ad_bytes) {
906 case 2:
907 c->modrm_ea = insn_fetch(u16, 2, c->eip);
908 break;
909 case 4:
910 c->modrm_ea = insn_fetch(u32, 4, c->eip);
911 break;
912 case 8:
913 c->modrm_ea = insn_fetch(u64, 8, c->eip);
914 break;
915 }
916 done:
917 return rc;
918 }
919
920 int
921 x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
922 {
923 struct decode_cache *c = &ctxt->decode;
924 int rc = X86EMUL_CONTINUE;
925 int mode = ctxt->mode;
926 int def_op_bytes, def_ad_bytes, group;
927
928 /* Shadow copy of register state. Committed on successful emulation. */
929
930 memset(c, 0, sizeof(struct decode_cache));
931 c->eip = ctxt->eip;
932 ctxt->cs_base = seg_base(ctxt, VCPU_SREG_CS);
933 memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
934
935 switch (mode) {
936 case X86EMUL_MODE_REAL:
937 case X86EMUL_MODE_VM86:
938 case X86EMUL_MODE_PROT16:
939 def_op_bytes = def_ad_bytes = 2;
940 break;
941 case X86EMUL_MODE_PROT32:
942 def_op_bytes = def_ad_bytes = 4;
943 break;
944 #ifdef CONFIG_X86_64
945 case X86EMUL_MODE_PROT64:
946 def_op_bytes = 4;
947 def_ad_bytes = 8;
948 break;
949 #endif
950 default:
951 return -1;
952 }
953
954 c->op_bytes = def_op_bytes;
955 c->ad_bytes = def_ad_bytes;
956
957 /* Legacy prefixes. */
958 for (;;) {
959 switch (c->b = insn_fetch(u8, 1, c->eip)) {
960 case 0x66: /* operand-size override */
961 /* switch between 2/4 bytes */
962 c->op_bytes = def_op_bytes ^ 6;
963 break;
964 case 0x67: /* address-size override */
965 if (mode == X86EMUL_MODE_PROT64)
966 /* switch between 4/8 bytes */
967 c->ad_bytes = def_ad_bytes ^ 12;
968 else
969 /* switch between 2/4 bytes */
970 c->ad_bytes = def_ad_bytes ^ 6;
971 break;
972 case 0x26: /* ES override */
973 case 0x2e: /* CS override */
974 case 0x36: /* SS override */
975 case 0x3e: /* DS override */
976 set_seg_override(c, (c->b >> 3) & 3);
977 break;
978 case 0x64: /* FS override */
979 case 0x65: /* GS override */
980 set_seg_override(c, c->b & 7);
981 break;
982 case 0x40 ... 0x4f: /* REX */
983 if (mode != X86EMUL_MODE_PROT64)
984 goto done_prefixes;
985 c->rex_prefix = c->b;
986 continue;
987 case 0xf0: /* LOCK */
988 c->lock_prefix = 1;
989 break;
990 case 0xf2: /* REPNE/REPNZ */
991 c->rep_prefix = REPNE_PREFIX;
992 break;
993 case 0xf3: /* REP/REPE/REPZ */
994 c->rep_prefix = REPE_PREFIX;
995 break;
996 default:
997 goto done_prefixes;
998 }
999
1000 /* Any legacy prefix after a REX prefix nullifies its effect. */
1001
1002 c->rex_prefix = 0;
1003 }
1004
1005 done_prefixes:
1006
1007 /* REX prefix. */
1008 if (c->rex_prefix)
1009 if (c->rex_prefix & 8)
1010 c->op_bytes = 8; /* REX.W */
1011
1012 /* Opcode byte(s). */
1013 c->d = opcode_table[c->b];
1014 if (c->d == 0) {
1015 /* Two-byte opcode? */
1016 if (c->b == 0x0f) {
1017 c->twobyte = 1;
1018 c->b = insn_fetch(u8, 1, c->eip);
1019 c->d = twobyte_table[c->b];
1020 }
1021 }
1022
1023 if (c->d & Group) {
1024 group = c->d & GroupMask;
1025 c->modrm = insn_fetch(u8, 1, c->eip);
1026 --c->eip;
1027
1028 group = (group << 3) + ((c->modrm >> 3) & 7);
1029 if ((c->d & GroupDual) && (c->modrm >> 6) == 3)
1030 c->d = group2_table[group];
1031 else
1032 c->d = group_table[group];
1033 }
1034
1035 /* Unrecognised? */
1036 if (c->d == 0) {
1037 DPRINTF("Cannot emulate %02x\n", c->b);
1038 return -1;
1039 }
1040
1041 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
1042 c->op_bytes = 8;
1043
1044 /* ModRM and SIB bytes. */
1045 if (c->d & ModRM)
1046 rc = decode_modrm(ctxt, ops);
1047 else if (c->d & MemAbs)
1048 rc = decode_abs(ctxt, ops);
1049 if (rc != X86EMUL_CONTINUE)
1050 goto done;
1051
1052 if (!c->has_seg_override)
1053 set_seg_override(c, VCPU_SREG_DS);
1054
1055 if (!(!c->twobyte && c->b == 0x8d))
1056 c->modrm_ea += seg_override_base(ctxt, c);
1057
1058 if (c->ad_bytes != 8)
1059 c->modrm_ea = (u32)c->modrm_ea;
1060 /*
1061 * Decode and fetch the source operand: register, memory
1062 * or immediate.
1063 */
1064 switch (c->d & SrcMask) {
1065 case SrcNone:
1066 break;
1067 case SrcReg:
1068 decode_register_operand(&c->src, c, 0);
1069 break;
1070 case SrcMem16:
1071 c->src.bytes = 2;
1072 goto srcmem_common;
1073 case SrcMem32:
1074 c->src.bytes = 4;
1075 goto srcmem_common;
1076 case SrcMem:
1077 c->src.bytes = (c->d & ByteOp) ? 1 :
1078 c->op_bytes;
1079 /* Don't fetch the address for invlpg: it could be unmapped. */
1080 if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
1081 break;
1082 srcmem_common:
1083 /*
1084 * For instructions with a ModR/M byte, switch to register
1085 * access if Mod = 3.
1086 */
1087 if ((c->d & ModRM) && c->modrm_mod == 3) {
1088 c->src.type = OP_REG;
1089 c->src.val = c->modrm_val;
1090 c->src.ptr = c->modrm_ptr;
1091 break;
1092 }
1093 c->src.type = OP_MEM;
1094 break;
1095 case SrcImm:
1096 case SrcImmU:
1097 c->src.type = OP_IMM;
1098 c->src.ptr = (unsigned long *)c->eip;
1099 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1100 if (c->src.bytes == 8)
1101 c->src.bytes = 4;
1102 /* NB. Immediates are sign-extended as necessary. */
1103 switch (c->src.bytes) {
1104 case 1:
1105 c->src.val = insn_fetch(s8, 1, c->eip);
1106 break;
1107 case 2:
1108 c->src.val = insn_fetch(s16, 2, c->eip);
1109 break;
1110 case 4:
1111 c->src.val = insn_fetch(s32, 4, c->eip);
1112 break;
1113 }
1114 if ((c->d & SrcMask) == SrcImmU) {
1115 switch (c->src.bytes) {
1116 case 1:
1117 c->src.val &= 0xff;
1118 break;
1119 case 2:
1120 c->src.val &= 0xffff;
1121 break;
1122 case 4:
1123 c->src.val &= 0xffffffff;
1124 break;
1125 }
1126 }
1127 break;
1128 case SrcImmByte:
1129 case SrcImmUByte:
1130 c->src.type = OP_IMM;
1131 c->src.ptr = (unsigned long *)c->eip;
1132 c->src.bytes = 1;
1133 if ((c->d & SrcMask) == SrcImmByte)
1134 c->src.val = insn_fetch(s8, 1, c->eip);
1135 else
1136 c->src.val = insn_fetch(u8, 1, c->eip);
1137 break;
1138 case SrcOne:
1139 c->src.bytes = 1;
1140 c->src.val = 1;
1141 break;
1142 }
1143
1144 /*
1145 * Decode and fetch the second source operand: register, memory
1146 * or immediate.
1147 */
1148 switch (c->d & Src2Mask) {
1149 case Src2None:
1150 break;
1151 case Src2CL:
1152 c->src2.bytes = 1;
1153 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
1154 break;
1155 case Src2ImmByte:
1156 c->src2.type = OP_IMM;
1157 c->src2.ptr = (unsigned long *)c->eip;
1158 c->src2.bytes = 1;
1159 c->src2.val = insn_fetch(u8, 1, c->eip);
1160 break;
1161 case Src2Imm16:
1162 c->src2.type = OP_IMM;
1163 c->src2.ptr = (unsigned long *)c->eip;
1164 c->src2.bytes = 2;
1165 c->src2.val = insn_fetch(u16, 2, c->eip);
1166 break;
1167 case Src2One:
1168 c->src2.bytes = 1;
1169 c->src2.val = 1;
1170 break;
1171 case Src2Mem16:
1172 c->src2.bytes = 2;
1173 c->src2.type = OP_MEM;
1174 break;
1175 }
1176
1177 /* Decode and fetch the destination operand: register or memory. */
1178 switch (c->d & DstMask) {
1179 case ImplicitOps:
1180 /* Special instructions do their own operand decoding. */
1181 return 0;
1182 case DstReg:
1183 decode_register_operand(&c->dst, c,
1184 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
1185 break;
1186 case DstMem:
1187 if ((c->d & ModRM) && c->modrm_mod == 3) {
1188 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1189 c->dst.type = OP_REG;
1190 c->dst.val = c->dst.orig_val = c->modrm_val;
1191 c->dst.ptr = c->modrm_ptr;
1192 break;
1193 }
1194 c->dst.type = OP_MEM;
1195 break;
1196 case DstAcc:
1197 c->dst.type = OP_REG;
1198 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1199 c->dst.ptr = &c->regs[VCPU_REGS_RAX];
1200 switch (c->dst.bytes) {
1201 case 1:
1202 c->dst.val = *(u8 *)c->dst.ptr;
1203 break;
1204 case 2:
1205 c->dst.val = *(u16 *)c->dst.ptr;
1206 break;
1207 case 4:
1208 c->dst.val = *(u32 *)c->dst.ptr;
1209 break;
1210 case 8:
1211 c->dst.val = *(u64 *)c->dst.ptr;
1212 break;
1213 }
1214 c->dst.orig_val = c->dst.val;
1215 break;
1216 }
1217
1218 if (c->rip_relative)
1219 c->modrm_ea += c->eip;
1220
1221 done:
1222 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
1223 }
1224
1225 static u32 desc_limit_scaled(struct desc_struct *desc)
1226 {
1227 u32 limit = get_desc_limit(desc);
1228
1229 return desc->g ? (limit << 12) | 0xfff : limit;
1230 }
1231
1232 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1233 struct x86_emulate_ops *ops,
1234 u16 selector, struct desc_ptr *dt)
1235 {
1236 if (selector & 1 << 2) {
1237 struct desc_struct desc;
1238 memset (dt, 0, sizeof *dt);
1239 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
1240 return;
1241
1242 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1243 dt->address = get_desc_base(&desc);
1244 } else
1245 ops->get_gdt(dt, ctxt->vcpu);
1246 }
1247
1248 /* allowed just for 8 bytes segments */
1249 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1250 struct x86_emulate_ops *ops,
1251 u16 selector, struct desc_struct *desc)
1252 {
1253 struct desc_ptr dt;
1254 u16 index = selector >> 3;
1255 int ret;
1256 u32 err;
1257 ulong addr;
1258
1259 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1260
1261 if (dt.size < index * 8 + 7) {
1262 kvm_inject_gp(ctxt->vcpu, selector & 0xfffc);
1263 return X86EMUL_PROPAGATE_FAULT;
1264 }
1265 addr = dt.address + index * 8;
1266 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1267 if (ret == X86EMUL_PROPAGATE_FAULT)
1268 kvm_inject_page_fault(ctxt->vcpu, addr, err);
1269
1270 return ret;
1271 }
1272
1273 /* allowed just for 8 bytes segments */
1274 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1275 struct x86_emulate_ops *ops,
1276 u16 selector, struct desc_struct *desc)
1277 {
1278 struct desc_ptr dt;
1279 u16 index = selector >> 3;
1280 u32 err;
1281 ulong addr;
1282 int ret;
1283
1284 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1285
1286 if (dt.size < index * 8 + 7) {
1287 kvm_inject_gp(ctxt->vcpu, selector & 0xfffc);
1288 return X86EMUL_PROPAGATE_FAULT;
1289 }
1290
1291 addr = dt.address + index * 8;
1292 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1293 if (ret == X86EMUL_PROPAGATE_FAULT)
1294 kvm_inject_page_fault(ctxt->vcpu, addr, err);
1295
1296 return ret;
1297 }
1298
1299 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1300 struct x86_emulate_ops *ops,
1301 u16 selector, int seg)
1302 {
1303 struct desc_struct seg_desc;
1304 u8 dpl, rpl, cpl;
1305 unsigned err_vec = GP_VECTOR;
1306 u32 err_code = 0;
1307 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1308 int ret;
1309
1310 memset(&seg_desc, 0, sizeof seg_desc);
1311
1312 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1313 || ctxt->mode == X86EMUL_MODE_REAL) {
1314 /* set real mode segment descriptor */
1315 set_desc_base(&seg_desc, selector << 4);
1316 set_desc_limit(&seg_desc, 0xffff);
1317 seg_desc.type = 3;
1318 seg_desc.p = 1;
1319 seg_desc.s = 1;
1320 goto load;
1321 }
1322
1323 /* NULL selector is not valid for TR, CS and SS */
1324 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
1325 && null_selector)
1326 goto exception;
1327
1328 /* TR should be in GDT only */
1329 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1330 goto exception;
1331
1332 if (null_selector) /* for NULL selector skip all following checks */
1333 goto load;
1334
1335 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
1336 if (ret != X86EMUL_CONTINUE)
1337 return ret;
1338
1339 err_code = selector & 0xfffc;
1340 err_vec = GP_VECTOR;
1341
1342 /* can't load system descriptor into segment selecor */
1343 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1344 goto exception;
1345
1346 if (!seg_desc.p) {
1347 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1348 goto exception;
1349 }
1350
1351 rpl = selector & 3;
1352 dpl = seg_desc.dpl;
1353 cpl = ops->cpl(ctxt->vcpu);
1354
1355 switch (seg) {
1356 case VCPU_SREG_SS:
1357 /*
1358 * segment is not a writable data segment or segment
1359 * selector's RPL != CPL or segment selector's RPL != CPL
1360 */
1361 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1362 goto exception;
1363 break;
1364 case VCPU_SREG_CS:
1365 if (!(seg_desc.type & 8))
1366 goto exception;
1367
1368 if (seg_desc.type & 4) {
1369 /* conforming */
1370 if (dpl > cpl)
1371 goto exception;
1372 } else {
1373 /* nonconforming */
1374 if (rpl > cpl || dpl != cpl)
1375 goto exception;
1376 }
1377 /* CS(RPL) <- CPL */
1378 selector = (selector & 0xfffc) | cpl;
1379 break;
1380 case VCPU_SREG_TR:
1381 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1382 goto exception;
1383 break;
1384 case VCPU_SREG_LDTR:
1385 if (seg_desc.s || seg_desc.type != 2)
1386 goto exception;
1387 break;
1388 default: /* DS, ES, FS, or GS */
1389 /*
1390 * segment is not a data or readable code segment or
1391 * ((segment is a data or nonconforming code segment)
1392 * and (both RPL and CPL > DPL))
1393 */
1394 if ((seg_desc.type & 0xa) == 0x8 ||
1395 (((seg_desc.type & 0xc) != 0xc) &&
1396 (rpl > dpl && cpl > dpl)))
1397 goto exception;
1398 break;
1399 }
1400
1401 if (seg_desc.s) {
1402 /* mark segment as accessed */
1403 seg_desc.type |= 1;
1404 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1405 if (ret != X86EMUL_CONTINUE)
1406 return ret;
1407 }
1408 load:
1409 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1410 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
1411 return X86EMUL_CONTINUE;
1412 exception:
1413 kvm_queue_exception_e(ctxt->vcpu, err_vec, err_code);
1414 return X86EMUL_PROPAGATE_FAULT;
1415 }
1416
1417 static inline void emulate_push(struct x86_emulate_ctxt *ctxt)
1418 {
1419 struct decode_cache *c = &ctxt->decode;
1420
1421 c->dst.type = OP_MEM;
1422 c->dst.bytes = c->op_bytes;
1423 c->dst.val = c->src.val;
1424 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1425 c->dst.ptr = (void *) register_address(c, ss_base(ctxt),
1426 c->regs[VCPU_REGS_RSP]);
1427 }
1428
1429 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1430 struct x86_emulate_ops *ops,
1431 void *dest, int len)
1432 {
1433 struct decode_cache *c = &ctxt->decode;
1434 int rc;
1435
1436 rc = ops->read_emulated(register_address(c, ss_base(ctxt),
1437 c->regs[VCPU_REGS_RSP]),
1438 dest, len, ctxt->vcpu);
1439 if (rc != X86EMUL_CONTINUE)
1440 return rc;
1441
1442 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1443 return rc;
1444 }
1445
1446 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1447 struct x86_emulate_ops *ops,
1448 void *dest, int len)
1449 {
1450 int rc;
1451 unsigned long val, change_mask;
1452 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1453 int cpl = ops->cpl(ctxt->vcpu);
1454
1455 rc = emulate_pop(ctxt, ops, &val, len);
1456 if (rc != X86EMUL_CONTINUE)
1457 return rc;
1458
1459 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1460 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1461
1462 switch(ctxt->mode) {
1463 case X86EMUL_MODE_PROT64:
1464 case X86EMUL_MODE_PROT32:
1465 case X86EMUL_MODE_PROT16:
1466 if (cpl == 0)
1467 change_mask |= EFLG_IOPL;
1468 if (cpl <= iopl)
1469 change_mask |= EFLG_IF;
1470 break;
1471 case X86EMUL_MODE_VM86:
1472 if (iopl < 3) {
1473 kvm_inject_gp(ctxt->vcpu, 0);
1474 return X86EMUL_PROPAGATE_FAULT;
1475 }
1476 change_mask |= EFLG_IF;
1477 break;
1478 default: /* real mode */
1479 change_mask |= (EFLG_IOPL | EFLG_IF);
1480 break;
1481 }
1482
1483 *(unsigned long *)dest =
1484 (ctxt->eflags & ~change_mask) | (val & change_mask);
1485
1486 return rc;
1487 }
1488
1489 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt, int seg)
1490 {
1491 struct decode_cache *c = &ctxt->decode;
1492 struct kvm_segment segment;
1493
1494 kvm_x86_ops->get_segment(ctxt->vcpu, &segment, seg);
1495
1496 c->src.val = segment.selector;
1497 emulate_push(ctxt);
1498 }
1499
1500 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1501 struct x86_emulate_ops *ops, int seg)
1502 {
1503 struct decode_cache *c = &ctxt->decode;
1504 unsigned long selector;
1505 int rc;
1506
1507 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1508 if (rc != X86EMUL_CONTINUE)
1509 return rc;
1510
1511 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1512 return rc;
1513 }
1514
1515 static void emulate_pusha(struct x86_emulate_ctxt *ctxt)
1516 {
1517 struct decode_cache *c = &ctxt->decode;
1518 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1519 int reg = VCPU_REGS_RAX;
1520
1521 while (reg <= VCPU_REGS_RDI) {
1522 (reg == VCPU_REGS_RSP) ?
1523 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1524
1525 emulate_push(ctxt);
1526 ++reg;
1527 }
1528 }
1529
1530 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1531 struct x86_emulate_ops *ops)
1532 {
1533 struct decode_cache *c = &ctxt->decode;
1534 int rc = X86EMUL_CONTINUE;
1535 int reg = VCPU_REGS_RDI;
1536
1537 while (reg >= VCPU_REGS_RAX) {
1538 if (reg == VCPU_REGS_RSP) {
1539 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1540 c->op_bytes);
1541 --reg;
1542 }
1543
1544 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1545 if (rc != X86EMUL_CONTINUE)
1546 break;
1547 --reg;
1548 }
1549 return rc;
1550 }
1551
1552 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1553 struct x86_emulate_ops *ops)
1554 {
1555 struct decode_cache *c = &ctxt->decode;
1556
1557 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1558 }
1559
1560 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1561 {
1562 struct decode_cache *c = &ctxt->decode;
1563 switch (c->modrm_reg) {
1564 case 0: /* rol */
1565 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1566 break;
1567 case 1: /* ror */
1568 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1569 break;
1570 case 2: /* rcl */
1571 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1572 break;
1573 case 3: /* rcr */
1574 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1575 break;
1576 case 4: /* sal/shl */
1577 case 6: /* sal/shl */
1578 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1579 break;
1580 case 5: /* shr */
1581 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1582 break;
1583 case 7: /* sar */
1584 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1585 break;
1586 }
1587 }
1588
1589 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1590 struct x86_emulate_ops *ops)
1591 {
1592 struct decode_cache *c = &ctxt->decode;
1593
1594 switch (c->modrm_reg) {
1595 case 0 ... 1: /* test */
1596 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1597 break;
1598 case 2: /* not */
1599 c->dst.val = ~c->dst.val;
1600 break;
1601 case 3: /* neg */
1602 emulate_1op("neg", c->dst, ctxt->eflags);
1603 break;
1604 default:
1605 return 0;
1606 }
1607 return 1;
1608 }
1609
1610 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1611 struct x86_emulate_ops *ops)
1612 {
1613 struct decode_cache *c = &ctxt->decode;
1614
1615 switch (c->modrm_reg) {
1616 case 0: /* inc */
1617 emulate_1op("inc", c->dst, ctxt->eflags);
1618 break;
1619 case 1: /* dec */
1620 emulate_1op("dec", c->dst, ctxt->eflags);
1621 break;
1622 case 2: /* call near abs */ {
1623 long int old_eip;
1624 old_eip = c->eip;
1625 c->eip = c->src.val;
1626 c->src.val = old_eip;
1627 emulate_push(ctxt);
1628 break;
1629 }
1630 case 4: /* jmp abs */
1631 c->eip = c->src.val;
1632 break;
1633 case 6: /* push */
1634 emulate_push(ctxt);
1635 break;
1636 }
1637 return X86EMUL_CONTINUE;
1638 }
1639
1640 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1641 struct x86_emulate_ops *ops,
1642 unsigned long memop)
1643 {
1644 struct decode_cache *c = &ctxt->decode;
1645 u64 old, new;
1646 int rc;
1647
1648 rc = ops->read_emulated(memop, &old, 8, ctxt->vcpu);
1649 if (rc != X86EMUL_CONTINUE)
1650 return rc;
1651
1652 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1653 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1654
1655 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1656 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1657 ctxt->eflags &= ~EFLG_ZF;
1658
1659 } else {
1660 new = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1661 (u32) c->regs[VCPU_REGS_RBX];
1662
1663 rc = ops->cmpxchg_emulated(memop, &old, &new, 8, ctxt->vcpu);
1664 if (rc != X86EMUL_CONTINUE)
1665 return rc;
1666 ctxt->eflags |= EFLG_ZF;
1667 }
1668 return X86EMUL_CONTINUE;
1669 }
1670
1671 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1672 struct x86_emulate_ops *ops)
1673 {
1674 struct decode_cache *c = &ctxt->decode;
1675 int rc;
1676 unsigned long cs;
1677
1678 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1679 if (rc != X86EMUL_CONTINUE)
1680 return rc;
1681 if (c->op_bytes == 4)
1682 c->eip = (u32)c->eip;
1683 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1684 if (rc != X86EMUL_CONTINUE)
1685 return rc;
1686 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1687 return rc;
1688 }
1689
1690 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1691 struct x86_emulate_ops *ops)
1692 {
1693 int rc;
1694 struct decode_cache *c = &ctxt->decode;
1695
1696 switch (c->dst.type) {
1697 case OP_REG:
1698 /* The 4-byte case *is* correct:
1699 * in 64-bit mode we zero-extend.
1700 */
1701 switch (c->dst.bytes) {
1702 case 1:
1703 *(u8 *)c->dst.ptr = (u8)c->dst.val;
1704 break;
1705 case 2:
1706 *(u16 *)c->dst.ptr = (u16)c->dst.val;
1707 break;
1708 case 4:
1709 *c->dst.ptr = (u32)c->dst.val;
1710 break; /* 64b: zero-ext */
1711 case 8:
1712 *c->dst.ptr = c->dst.val;
1713 break;
1714 }
1715 break;
1716 case OP_MEM:
1717 if (c->lock_prefix)
1718 rc = ops->cmpxchg_emulated(
1719 (unsigned long)c->dst.ptr,
1720 &c->dst.orig_val,
1721 &c->dst.val,
1722 c->dst.bytes,
1723 ctxt->vcpu);
1724 else
1725 rc = ops->write_emulated(
1726 (unsigned long)c->dst.ptr,
1727 &c->dst.val,
1728 c->dst.bytes,
1729 ctxt->vcpu);
1730 if (rc != X86EMUL_CONTINUE)
1731 return rc;
1732 break;
1733 case OP_NONE:
1734 /* no writeback */
1735 break;
1736 default:
1737 break;
1738 }
1739 return X86EMUL_CONTINUE;
1740 }
1741
1742 static void toggle_interruptibility(struct x86_emulate_ctxt *ctxt, u32 mask)
1743 {
1744 u32 int_shadow = kvm_x86_ops->get_interrupt_shadow(ctxt->vcpu, mask);
1745 /*
1746 * an sti; sti; sequence only disable interrupts for the first
1747 * instruction. So, if the last instruction, be it emulated or
1748 * not, left the system with the INT_STI flag enabled, it
1749 * means that the last instruction is an sti. We should not
1750 * leave the flag on in this case. The same goes for mov ss
1751 */
1752 if (!(int_shadow & mask))
1753 ctxt->interruptibility = mask;
1754 }
1755
1756 static inline void
1757 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1758 struct kvm_segment *cs, struct kvm_segment *ss)
1759 {
1760 memset(cs, 0, sizeof(struct kvm_segment));
1761 kvm_x86_ops->get_segment(ctxt->vcpu, cs, VCPU_SREG_CS);
1762 memset(ss, 0, sizeof(struct kvm_segment));
1763
1764 cs->l = 0; /* will be adjusted later */
1765 cs->base = 0; /* flat segment */
1766 cs->g = 1; /* 4kb granularity */
1767 cs->limit = 0xffffffff; /* 4GB limit */
1768 cs->type = 0x0b; /* Read, Execute, Accessed */
1769 cs->s = 1;
1770 cs->dpl = 0; /* will be adjusted later */
1771 cs->present = 1;
1772 cs->db = 1;
1773
1774 ss->unusable = 0;
1775 ss->base = 0; /* flat segment */
1776 ss->limit = 0xffffffff; /* 4GB limit */
1777 ss->g = 1; /* 4kb granularity */
1778 ss->s = 1;
1779 ss->type = 0x03; /* Read/Write, Accessed */
1780 ss->db = 1; /* 32bit stack segment */
1781 ss->dpl = 0;
1782 ss->present = 1;
1783 }
1784
1785 static int
1786 emulate_syscall(struct x86_emulate_ctxt *ctxt)
1787 {
1788 struct decode_cache *c = &ctxt->decode;
1789 struct kvm_segment cs, ss;
1790 u64 msr_data;
1791
1792 /* syscall is not available in real mode */
1793 if (ctxt->mode == X86EMUL_MODE_REAL ||
1794 ctxt->mode == X86EMUL_MODE_VM86) {
1795 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
1796 return X86EMUL_PROPAGATE_FAULT;
1797 }
1798
1799 setup_syscalls_segments(ctxt, &cs, &ss);
1800
1801 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1802 msr_data >>= 32;
1803 cs.selector = (u16)(msr_data & 0xfffc);
1804 ss.selector = (u16)(msr_data + 8);
1805
1806 if (is_long_mode(ctxt->vcpu)) {
1807 cs.db = 0;
1808 cs.l = 1;
1809 }
1810 kvm_x86_ops->set_segment(ctxt->vcpu, &cs, VCPU_SREG_CS);
1811 kvm_x86_ops->set_segment(ctxt->vcpu, &ss, VCPU_SREG_SS);
1812
1813 c->regs[VCPU_REGS_RCX] = c->eip;
1814 if (is_long_mode(ctxt->vcpu)) {
1815 #ifdef CONFIG_X86_64
1816 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1817
1818 kvm_x86_ops->get_msr(ctxt->vcpu,
1819 ctxt->mode == X86EMUL_MODE_PROT64 ?
1820 MSR_LSTAR : MSR_CSTAR, &msr_data);
1821 c->eip = msr_data;
1822
1823 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1824 ctxt->eflags &= ~(msr_data | EFLG_RF);
1825 #endif
1826 } else {
1827 /* legacy mode */
1828 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1829 c->eip = (u32)msr_data;
1830
1831 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1832 }
1833
1834 return X86EMUL_CONTINUE;
1835 }
1836
1837 static int
1838 emulate_sysenter(struct x86_emulate_ctxt *ctxt)
1839 {
1840 struct decode_cache *c = &ctxt->decode;
1841 struct kvm_segment cs, ss;
1842 u64 msr_data;
1843
1844 /* inject #GP if in real mode */
1845 if (ctxt->mode == X86EMUL_MODE_REAL) {
1846 kvm_inject_gp(ctxt->vcpu, 0);
1847 return X86EMUL_PROPAGATE_FAULT;
1848 }
1849
1850 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1851 * Therefore, we inject an #UD.
1852 */
1853 if (ctxt->mode == X86EMUL_MODE_PROT64) {
1854 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
1855 return X86EMUL_PROPAGATE_FAULT;
1856 }
1857
1858 setup_syscalls_segments(ctxt, &cs, &ss);
1859
1860 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1861 switch (ctxt->mode) {
1862 case X86EMUL_MODE_PROT32:
1863 if ((msr_data & 0xfffc) == 0x0) {
1864 kvm_inject_gp(ctxt->vcpu, 0);
1865 return X86EMUL_PROPAGATE_FAULT;
1866 }
1867 break;
1868 case X86EMUL_MODE_PROT64:
1869 if (msr_data == 0x0) {
1870 kvm_inject_gp(ctxt->vcpu, 0);
1871 return X86EMUL_PROPAGATE_FAULT;
1872 }
1873 break;
1874 }
1875
1876 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1877 cs.selector = (u16)msr_data;
1878 cs.selector &= ~SELECTOR_RPL_MASK;
1879 ss.selector = cs.selector + 8;
1880 ss.selector &= ~SELECTOR_RPL_MASK;
1881 if (ctxt->mode == X86EMUL_MODE_PROT64
1882 || is_long_mode(ctxt->vcpu)) {
1883 cs.db = 0;
1884 cs.l = 1;
1885 }
1886
1887 kvm_x86_ops->set_segment(ctxt->vcpu, &cs, VCPU_SREG_CS);
1888 kvm_x86_ops->set_segment(ctxt->vcpu, &ss, VCPU_SREG_SS);
1889
1890 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
1891 c->eip = msr_data;
1892
1893 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
1894 c->regs[VCPU_REGS_RSP] = msr_data;
1895
1896 return X86EMUL_CONTINUE;
1897 }
1898
1899 static int
1900 emulate_sysexit(struct x86_emulate_ctxt *ctxt)
1901 {
1902 struct decode_cache *c = &ctxt->decode;
1903 struct kvm_segment cs, ss;
1904 u64 msr_data;
1905 int usermode;
1906
1907 /* inject #GP if in real mode or Virtual 8086 mode */
1908 if (ctxt->mode == X86EMUL_MODE_REAL ||
1909 ctxt->mode == X86EMUL_MODE_VM86) {
1910 kvm_inject_gp(ctxt->vcpu, 0);
1911 return X86EMUL_PROPAGATE_FAULT;
1912 }
1913
1914 setup_syscalls_segments(ctxt, &cs, &ss);
1915
1916 if ((c->rex_prefix & 0x8) != 0x0)
1917 usermode = X86EMUL_MODE_PROT64;
1918 else
1919 usermode = X86EMUL_MODE_PROT32;
1920
1921 cs.dpl = 3;
1922 ss.dpl = 3;
1923 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1924 switch (usermode) {
1925 case X86EMUL_MODE_PROT32:
1926 cs.selector = (u16)(msr_data + 16);
1927 if ((msr_data & 0xfffc) == 0x0) {
1928 kvm_inject_gp(ctxt->vcpu, 0);
1929 return X86EMUL_PROPAGATE_FAULT;
1930 }
1931 ss.selector = (u16)(msr_data + 24);
1932 break;
1933 case X86EMUL_MODE_PROT64:
1934 cs.selector = (u16)(msr_data + 32);
1935 if (msr_data == 0x0) {
1936 kvm_inject_gp(ctxt->vcpu, 0);
1937 return X86EMUL_PROPAGATE_FAULT;
1938 }
1939 ss.selector = cs.selector + 8;
1940 cs.db = 0;
1941 cs.l = 1;
1942 break;
1943 }
1944 cs.selector |= SELECTOR_RPL_MASK;
1945 ss.selector |= SELECTOR_RPL_MASK;
1946
1947 kvm_x86_ops->set_segment(ctxt->vcpu, &cs, VCPU_SREG_CS);
1948 kvm_x86_ops->set_segment(ctxt->vcpu, &ss, VCPU_SREG_SS);
1949
1950 c->eip = ctxt->vcpu->arch.regs[VCPU_REGS_RDX];
1951 c->regs[VCPU_REGS_RSP] = ctxt->vcpu->arch.regs[VCPU_REGS_RCX];
1952
1953 return X86EMUL_CONTINUE;
1954 }
1955
1956 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
1957 struct x86_emulate_ops *ops)
1958 {
1959 int iopl;
1960 if (ctxt->mode == X86EMUL_MODE_REAL)
1961 return false;
1962 if (ctxt->mode == X86EMUL_MODE_VM86)
1963 return true;
1964 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1965 return ops->cpl(ctxt->vcpu) > iopl;
1966 }
1967
1968 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
1969 struct x86_emulate_ops *ops,
1970 u16 port, u16 len)
1971 {
1972 struct kvm_segment tr_seg;
1973 int r;
1974 u16 io_bitmap_ptr;
1975 u8 perm, bit_idx = port & 0x7;
1976 unsigned mask = (1 << len) - 1;
1977
1978 kvm_get_segment(ctxt->vcpu, &tr_seg, VCPU_SREG_TR);
1979 if (tr_seg.unusable)
1980 return false;
1981 if (tr_seg.limit < 103)
1982 return false;
1983 r = ops->read_std(tr_seg.base + 102, &io_bitmap_ptr, 2, ctxt->vcpu,
1984 NULL);
1985 if (r != X86EMUL_CONTINUE)
1986 return false;
1987 if (io_bitmap_ptr + port/8 > tr_seg.limit)
1988 return false;
1989 r = ops->read_std(tr_seg.base + io_bitmap_ptr + port/8, &perm, 1,
1990 ctxt->vcpu, NULL);
1991 if (r != X86EMUL_CONTINUE)
1992 return false;
1993 if ((perm >> bit_idx) & mask)
1994 return false;
1995 return true;
1996 }
1997
1998 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
1999 struct x86_emulate_ops *ops,
2000 u16 port, u16 len)
2001 {
2002 if (emulator_bad_iopl(ctxt, ops))
2003 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
2004 return false;
2005 return true;
2006 }
2007
2008 static u32 get_cached_descriptor_base(struct x86_emulate_ctxt *ctxt,
2009 struct x86_emulate_ops *ops,
2010 int seg)
2011 {
2012 struct desc_struct desc;
2013 if (ops->get_cached_descriptor(&desc, seg, ctxt->vcpu))
2014 return get_desc_base(&desc);
2015 else
2016 return ~0;
2017 }
2018
2019 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2020 struct x86_emulate_ops *ops,
2021 struct tss_segment_16 *tss)
2022 {
2023 struct decode_cache *c = &ctxt->decode;
2024
2025 tss->ip = c->eip;
2026 tss->flag = ctxt->eflags;
2027 tss->ax = c->regs[VCPU_REGS_RAX];
2028 tss->cx = c->regs[VCPU_REGS_RCX];
2029 tss->dx = c->regs[VCPU_REGS_RDX];
2030 tss->bx = c->regs[VCPU_REGS_RBX];
2031 tss->sp = c->regs[VCPU_REGS_RSP];
2032 tss->bp = c->regs[VCPU_REGS_RBP];
2033 tss->si = c->regs[VCPU_REGS_RSI];
2034 tss->di = c->regs[VCPU_REGS_RDI];
2035
2036 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2037 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2038 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2039 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2040 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2041 }
2042
2043 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2044 struct x86_emulate_ops *ops,
2045 struct tss_segment_16 *tss)
2046 {
2047 struct decode_cache *c = &ctxt->decode;
2048 int ret;
2049
2050 c->eip = tss->ip;
2051 ctxt->eflags = tss->flag | 2;
2052 c->regs[VCPU_REGS_RAX] = tss->ax;
2053 c->regs[VCPU_REGS_RCX] = tss->cx;
2054 c->regs[VCPU_REGS_RDX] = tss->dx;
2055 c->regs[VCPU_REGS_RBX] = tss->bx;
2056 c->regs[VCPU_REGS_RSP] = tss->sp;
2057 c->regs[VCPU_REGS_RBP] = tss->bp;
2058 c->regs[VCPU_REGS_RSI] = tss->si;
2059 c->regs[VCPU_REGS_RDI] = tss->di;
2060
2061 /*
2062 * SDM says that segment selectors are loaded before segment
2063 * descriptors
2064 */
2065 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
2066 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2067 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2068 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2069 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2070
2071 /*
2072 * Now load segment descriptors. If fault happenes at this stage
2073 * it is handled in a context of new task
2074 */
2075 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
2076 if (ret != X86EMUL_CONTINUE)
2077 return ret;
2078 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2079 if (ret != X86EMUL_CONTINUE)
2080 return ret;
2081 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2082 if (ret != X86EMUL_CONTINUE)
2083 return ret;
2084 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2085 if (ret != X86EMUL_CONTINUE)
2086 return ret;
2087 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2088 if (ret != X86EMUL_CONTINUE)
2089 return ret;
2090
2091 return X86EMUL_CONTINUE;
2092 }
2093
2094 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2095 struct x86_emulate_ops *ops,
2096 u16 tss_selector, u16 old_tss_sel,
2097 ulong old_tss_base, struct desc_struct *new_desc)
2098 {
2099 struct tss_segment_16 tss_seg;
2100 int ret;
2101 u32 err, new_tss_base = get_desc_base(new_desc);
2102
2103 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2104 &err);
2105 if (ret == X86EMUL_PROPAGATE_FAULT) {
2106 /* FIXME: need to provide precise fault address */
2107 kvm_inject_page_fault(ctxt->vcpu, old_tss_base, err);
2108 return ret;
2109 }
2110
2111 save_state_to_tss16(ctxt, ops, &tss_seg);
2112
2113 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2114 &err);
2115 if (ret == X86EMUL_PROPAGATE_FAULT) {
2116 /* FIXME: need to provide precise fault address */
2117 kvm_inject_page_fault(ctxt->vcpu, old_tss_base, err);
2118 return ret;
2119 }
2120
2121 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2122 &err);
2123 if (ret == X86EMUL_PROPAGATE_FAULT) {
2124 /* FIXME: need to provide precise fault address */
2125 kvm_inject_page_fault(ctxt->vcpu, new_tss_base, err);
2126 return ret;
2127 }
2128
2129 if (old_tss_sel != 0xffff) {
2130 tss_seg.prev_task_link = old_tss_sel;
2131
2132 ret = ops->write_std(new_tss_base,
2133 &tss_seg.prev_task_link,
2134 sizeof tss_seg.prev_task_link,
2135 ctxt->vcpu, &err);
2136 if (ret == X86EMUL_PROPAGATE_FAULT) {
2137 /* FIXME: need to provide precise fault address */
2138 kvm_inject_page_fault(ctxt->vcpu, new_tss_base, err);
2139 return ret;
2140 }
2141 }
2142
2143 return load_state_from_tss16(ctxt, ops, &tss_seg);
2144 }
2145
2146 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2147 struct x86_emulate_ops *ops,
2148 struct tss_segment_32 *tss)
2149 {
2150 struct decode_cache *c = &ctxt->decode;
2151
2152 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
2153 tss->eip = c->eip;
2154 tss->eflags = ctxt->eflags;
2155 tss->eax = c->regs[VCPU_REGS_RAX];
2156 tss->ecx = c->regs[VCPU_REGS_RCX];
2157 tss->edx = c->regs[VCPU_REGS_RDX];
2158 tss->ebx = c->regs[VCPU_REGS_RBX];
2159 tss->esp = c->regs[VCPU_REGS_RSP];
2160 tss->ebp = c->regs[VCPU_REGS_RBP];
2161 tss->esi = c->regs[VCPU_REGS_RSI];
2162 tss->edi = c->regs[VCPU_REGS_RDI];
2163
2164 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2165 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2166 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2167 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2168 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
2169 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
2170 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2171 }
2172
2173 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2174 struct x86_emulate_ops *ops,
2175 struct tss_segment_32 *tss)
2176 {
2177 struct decode_cache *c = &ctxt->decode;
2178 int ret;
2179
2180 ops->set_cr(3, tss->cr3, ctxt->vcpu);
2181 c->eip = tss->eip;
2182 ctxt->eflags = tss->eflags | 2;
2183 c->regs[VCPU_REGS_RAX] = tss->eax;
2184 c->regs[VCPU_REGS_RCX] = tss->ecx;
2185 c->regs[VCPU_REGS_RDX] = tss->edx;
2186 c->regs[VCPU_REGS_RBX] = tss->ebx;
2187 c->regs[VCPU_REGS_RSP] = tss->esp;
2188 c->regs[VCPU_REGS_RBP] = tss->ebp;
2189 c->regs[VCPU_REGS_RSI] = tss->esi;
2190 c->regs[VCPU_REGS_RDI] = tss->edi;
2191
2192 /*
2193 * SDM says that segment selectors are loaded before segment
2194 * descriptors
2195 */
2196 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
2197 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2198 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2199 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2200 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2201 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
2202 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
2203
2204 /*
2205 * Now load segment descriptors. If fault happenes at this stage
2206 * it is handled in a context of new task
2207 */
2208 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
2209 if (ret != X86EMUL_CONTINUE)
2210 return ret;
2211 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2212 if (ret != X86EMUL_CONTINUE)
2213 return ret;
2214 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2215 if (ret != X86EMUL_CONTINUE)
2216 return ret;
2217 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2218 if (ret != X86EMUL_CONTINUE)
2219 return ret;
2220 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2221 if (ret != X86EMUL_CONTINUE)
2222 return ret;
2223 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
2224 if (ret != X86EMUL_CONTINUE)
2225 return ret;
2226 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
2227 if (ret != X86EMUL_CONTINUE)
2228 return ret;
2229
2230 return X86EMUL_CONTINUE;
2231 }
2232
2233 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2234 struct x86_emulate_ops *ops,
2235 u16 tss_selector, u16 old_tss_sel,
2236 ulong old_tss_base, struct desc_struct *new_desc)
2237 {
2238 struct tss_segment_32 tss_seg;
2239 int ret;
2240 u32 err, new_tss_base = get_desc_base(new_desc);
2241
2242 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2243 &err);
2244 if (ret == X86EMUL_PROPAGATE_FAULT) {
2245 /* FIXME: need to provide precise fault address */
2246 kvm_inject_page_fault(ctxt->vcpu, old_tss_base, err);
2247 return ret;
2248 }
2249
2250 save_state_to_tss32(ctxt, ops, &tss_seg);
2251
2252 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2253 &err);
2254 if (ret == X86EMUL_PROPAGATE_FAULT) {
2255 /* FIXME: need to provide precise fault address */
2256 kvm_inject_page_fault(ctxt->vcpu, old_tss_base, err);
2257 return ret;
2258 }
2259
2260 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2261 &err);
2262 if (ret == X86EMUL_PROPAGATE_FAULT) {
2263 /* FIXME: need to provide precise fault address */
2264 kvm_inject_page_fault(ctxt->vcpu, new_tss_base, err);
2265 return ret;
2266 }
2267
2268 if (old_tss_sel != 0xffff) {
2269 tss_seg.prev_task_link = old_tss_sel;
2270
2271 ret = ops->write_std(new_tss_base,
2272 &tss_seg.prev_task_link,
2273 sizeof tss_seg.prev_task_link,
2274 ctxt->vcpu, &err);
2275 if (ret == X86EMUL_PROPAGATE_FAULT) {
2276 /* FIXME: need to provide precise fault address */
2277 kvm_inject_page_fault(ctxt->vcpu, new_tss_base, err);
2278 return ret;
2279 }
2280 }
2281
2282 return load_state_from_tss32(ctxt, ops, &tss_seg);
2283 }
2284
2285 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2286 struct x86_emulate_ops *ops,
2287 u16 tss_selector, int reason)
2288 {
2289 struct desc_struct curr_tss_desc, next_tss_desc;
2290 int ret;
2291 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2292 ulong old_tss_base =
2293 get_cached_descriptor_base(ctxt, ops, VCPU_SREG_TR);
2294 u32 desc_limit;
2295
2296 /* FIXME: old_tss_base == ~0 ? */
2297
2298 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2299 if (ret != X86EMUL_CONTINUE)
2300 return ret;
2301 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2302 if (ret != X86EMUL_CONTINUE)
2303 return ret;
2304
2305 /* FIXME: check that next_tss_desc is tss */
2306
2307 if (reason != TASK_SWITCH_IRET) {
2308 if ((tss_selector & 3) > next_tss_desc.dpl ||
2309 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
2310 kvm_inject_gp(ctxt->vcpu, 0);
2311 return X86EMUL_PROPAGATE_FAULT;
2312 }
2313 }
2314
2315 desc_limit = desc_limit_scaled(&next_tss_desc);
2316 if (!next_tss_desc.p ||
2317 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2318 desc_limit < 0x2b)) {
2319 kvm_queue_exception_e(ctxt->vcpu, TS_VECTOR,
2320 tss_selector & 0xfffc);
2321 return X86EMUL_PROPAGATE_FAULT;
2322 }
2323
2324 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2325 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2326 write_segment_descriptor(ctxt, ops, old_tss_sel,
2327 &curr_tss_desc);
2328 }
2329
2330 if (reason == TASK_SWITCH_IRET)
2331 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2332
2333 /* set back link to prev task only if NT bit is set in eflags
2334 note that old_tss_sel is not used afetr this point */
2335 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2336 old_tss_sel = 0xffff;
2337
2338 if (next_tss_desc.type & 8)
2339 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2340 old_tss_base, &next_tss_desc);
2341 else
2342 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2343 old_tss_base, &next_tss_desc);
2344
2345 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2346 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2347
2348 if (reason != TASK_SWITCH_IRET) {
2349 next_tss_desc.type |= (1 << 1); /* set busy flag */
2350 write_segment_descriptor(ctxt, ops, tss_selector,
2351 &next_tss_desc);
2352 }
2353
2354 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2355 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
2356 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2357
2358 return ret;
2359 }
2360
2361 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2362 struct x86_emulate_ops *ops,
2363 u16 tss_selector, int reason)
2364 {
2365 struct decode_cache *c = &ctxt->decode;
2366 int rc;
2367
2368 memset(c, 0, sizeof(struct decode_cache));
2369 c->eip = ctxt->eip;
2370 memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
2371
2372 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason);
2373
2374 if (rc == X86EMUL_CONTINUE) {
2375 memcpy(ctxt->vcpu->arch.regs, c->regs, sizeof c->regs);
2376 kvm_rip_write(ctxt->vcpu, c->eip);
2377 }
2378
2379 return rc;
2380 }
2381
2382 int
2383 x86_emulate_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2384 {
2385 unsigned long memop = 0;
2386 u64 msr_data;
2387 unsigned long saved_eip = 0;
2388 struct decode_cache *c = &ctxt->decode;
2389 unsigned int port;
2390 int io_dir_in;
2391 int rc = X86EMUL_CONTINUE;
2392
2393 ctxt->interruptibility = 0;
2394
2395 /* Shadow copy of register state. Committed on successful emulation.
2396 * NOTE: we can copy them from vcpu as x86_decode_insn() doesn't
2397 * modify them.
2398 */
2399
2400 memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
2401 saved_eip = c->eip;
2402
2403 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2404 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2405 goto done;
2406 }
2407
2408 /* LOCK prefix is allowed only with some instructions */
2409 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2410 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2411 goto done;
2412 }
2413
2414 /* Privileged instruction can be executed only in CPL=0 */
2415 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2416 kvm_inject_gp(ctxt->vcpu, 0);
2417 goto done;
2418 }
2419
2420 if (((c->d & ModRM) && (c->modrm_mod != 3)) || (c->d & MemAbs))
2421 memop = c->modrm_ea;
2422
2423 if (c->rep_prefix && (c->d & String)) {
2424 /* All REP prefixes have the same first termination condition */
2425 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2426 kvm_rip_write(ctxt->vcpu, c->eip);
2427 goto done;
2428 }
2429 /* The second termination condition only applies for REPE
2430 * and REPNE. Test if the repeat string operation prefix is
2431 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
2432 * corresponding termination condition according to:
2433 * - if REPE/REPZ and ZF = 0 then done
2434 * - if REPNE/REPNZ and ZF = 1 then done
2435 */
2436 if ((c->b == 0xa6) || (c->b == 0xa7) ||
2437 (c->b == 0xae) || (c->b == 0xaf)) {
2438 if ((c->rep_prefix == REPE_PREFIX) &&
2439 ((ctxt->eflags & EFLG_ZF) == 0)) {
2440 kvm_rip_write(ctxt->vcpu, c->eip);
2441 goto done;
2442 }
2443 if ((c->rep_prefix == REPNE_PREFIX) &&
2444 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF)) {
2445 kvm_rip_write(ctxt->vcpu, c->eip);
2446 goto done;
2447 }
2448 }
2449 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
2450 c->eip = ctxt->eip;
2451 }
2452
2453 if (c->src.type == OP_MEM) {
2454 c->src.ptr = (unsigned long *)memop;
2455 c->src.val = 0;
2456 rc = ops->read_emulated((unsigned long)c->src.ptr,
2457 &c->src.val,
2458 c->src.bytes,
2459 ctxt->vcpu);
2460 if (rc != X86EMUL_CONTINUE)
2461 goto done;
2462 c->src.orig_val = c->src.val;
2463 }
2464
2465 if (c->src2.type == OP_MEM) {
2466 c->src2.ptr = (unsigned long *)(memop + c->src.bytes);
2467 c->src2.val = 0;
2468 rc = ops->read_emulated((unsigned long)c->src2.ptr,
2469 &c->src2.val,
2470 c->src2.bytes,
2471 ctxt->vcpu);
2472 if (rc != X86EMUL_CONTINUE)
2473 goto done;
2474 }
2475
2476 if ((c->d & DstMask) == ImplicitOps)
2477 goto special_insn;
2478
2479
2480 if (c->dst.type == OP_MEM) {
2481 c->dst.ptr = (unsigned long *)memop;
2482 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2483 c->dst.val = 0;
2484 if (c->d & BitOp) {
2485 unsigned long mask = ~(c->dst.bytes * 8 - 1);
2486
2487 c->dst.ptr = (void *)c->dst.ptr +
2488 (c->src.val & mask) / 8;
2489 }
2490 if (!(c->d & Mov)) {
2491 /* optimisation - avoid slow emulated read */
2492 rc = ops->read_emulated((unsigned long)c->dst.ptr,
2493 &c->dst.val,
2494 c->dst.bytes,
2495 ctxt->vcpu);
2496 if (rc != X86EMUL_CONTINUE)
2497 goto done;
2498 }
2499 }
2500 c->dst.orig_val = c->dst.val;
2501
2502 special_insn:
2503
2504 if (c->twobyte)
2505 goto twobyte_insn;
2506
2507 switch (c->b) {
2508 case 0x00 ... 0x05:
2509 add: /* add */
2510 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2511 break;
2512 case 0x06: /* push es */
2513 emulate_push_sreg(ctxt, VCPU_SREG_ES);
2514 break;
2515 case 0x07: /* pop es */
2516 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2517 if (rc != X86EMUL_CONTINUE)
2518 goto done;
2519 break;
2520 case 0x08 ... 0x0d:
2521 or: /* or */
2522 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2523 break;
2524 case 0x0e: /* push cs */
2525 emulate_push_sreg(ctxt, VCPU_SREG_CS);
2526 break;
2527 case 0x10 ... 0x15:
2528 adc: /* adc */
2529 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2530 break;
2531 case 0x16: /* push ss */
2532 emulate_push_sreg(ctxt, VCPU_SREG_SS);
2533 break;
2534 case 0x17: /* pop ss */
2535 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2536 if (rc != X86EMUL_CONTINUE)
2537 goto done;
2538 break;
2539 case 0x18 ... 0x1d:
2540 sbb: /* sbb */
2541 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2542 break;
2543 case 0x1e: /* push ds */
2544 emulate_push_sreg(ctxt, VCPU_SREG_DS);
2545 break;
2546 case 0x1f: /* pop ds */
2547 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2548 if (rc != X86EMUL_CONTINUE)
2549 goto done;
2550 break;
2551 case 0x20 ... 0x25:
2552 and: /* and */
2553 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2554 break;
2555 case 0x28 ... 0x2d:
2556 sub: /* sub */
2557 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2558 break;
2559 case 0x30 ... 0x35:
2560 xor: /* xor */
2561 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2562 break;
2563 case 0x38 ... 0x3d:
2564 cmp: /* cmp */
2565 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2566 break;
2567 case 0x40 ... 0x47: /* inc r16/r32 */
2568 emulate_1op("inc", c->dst, ctxt->eflags);
2569 break;
2570 case 0x48 ... 0x4f: /* dec r16/r32 */
2571 emulate_1op("dec", c->dst, ctxt->eflags);
2572 break;
2573 case 0x50 ... 0x57: /* push reg */
2574 emulate_push(ctxt);
2575 break;
2576 case 0x58 ... 0x5f: /* pop reg */
2577 pop_instruction:
2578 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2579 if (rc != X86EMUL_CONTINUE)
2580 goto done;
2581 break;
2582 case 0x60: /* pusha */
2583 emulate_pusha(ctxt);
2584 break;
2585 case 0x61: /* popa */
2586 rc = emulate_popa(ctxt, ops);
2587 if (rc != X86EMUL_CONTINUE)
2588 goto done;
2589 break;
2590 case 0x63: /* movsxd */
2591 if (ctxt->mode != X86EMUL_MODE_PROT64)
2592 goto cannot_emulate;
2593 c->dst.val = (s32) c->src.val;
2594 break;
2595 case 0x68: /* push imm */
2596 case 0x6a: /* push imm8 */
2597 emulate_push(ctxt);
2598 break;
2599 case 0x6c: /* insb */
2600 case 0x6d: /* insw/insd */
2601 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2602 (c->d & ByteOp) ? 1 : c->op_bytes)) {
2603 kvm_inject_gp(ctxt->vcpu, 0);
2604 goto done;
2605 }
2606 if (kvm_emulate_pio_string(ctxt->vcpu,
2607 1,
2608 (c->d & ByteOp) ? 1 : c->op_bytes,
2609 c->rep_prefix ?
2610 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1,
2611 (ctxt->eflags & EFLG_DF),
2612 register_address(c, es_base(ctxt),
2613 c->regs[VCPU_REGS_RDI]),
2614 c->rep_prefix,
2615 c->regs[VCPU_REGS_RDX]) == 0) {
2616 c->eip = saved_eip;
2617 return -1;
2618 }
2619 return 0;
2620 case 0x6e: /* outsb */
2621 case 0x6f: /* outsw/outsd */
2622 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2623 (c->d & ByteOp) ? 1 : c->op_bytes)) {
2624 kvm_inject_gp(ctxt->vcpu, 0);
2625 goto done;
2626 }
2627 if (kvm_emulate_pio_string(ctxt->vcpu,
2628 0,
2629 (c->d & ByteOp) ? 1 : c->op_bytes,
2630 c->rep_prefix ?
2631 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1,
2632 (ctxt->eflags & EFLG_DF),
2633 register_address(c,
2634 seg_override_base(ctxt, c),
2635 c->regs[VCPU_REGS_RSI]),
2636 c->rep_prefix,
2637 c->regs[VCPU_REGS_RDX]) == 0) {
2638 c->eip = saved_eip;
2639 return -1;
2640 }
2641 return 0;
2642 case 0x70 ... 0x7f: /* jcc (short) */
2643 if (test_cc(c->b, ctxt->eflags))
2644 jmp_rel(c, c->src.val);
2645 break;
2646 case 0x80 ... 0x83: /* Grp1 */
2647 switch (c->modrm_reg) {
2648 case 0:
2649 goto add;
2650 case 1:
2651 goto or;
2652 case 2:
2653 goto adc;
2654 case 3:
2655 goto sbb;
2656 case 4:
2657 goto and;
2658 case 5:
2659 goto sub;
2660 case 6:
2661 goto xor;
2662 case 7:
2663 goto cmp;
2664 }
2665 break;
2666 case 0x84 ... 0x85:
2667 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2668 break;
2669 case 0x86 ... 0x87: /* xchg */
2670 xchg:
2671 /* Write back the register source. */
2672 switch (c->dst.bytes) {
2673 case 1:
2674 *(u8 *) c->src.ptr = (u8) c->dst.val;
2675 break;
2676 case 2:
2677 *(u16 *) c->src.ptr = (u16) c->dst.val;
2678 break;
2679 case 4:
2680 *c->src.ptr = (u32) c->dst.val;
2681 break; /* 64b reg: zero-extend */
2682 case 8:
2683 *c->src.ptr = c->dst.val;
2684 break;
2685 }
2686 /*
2687 * Write back the memory destination with implicit LOCK
2688 * prefix.
2689 */
2690 c->dst.val = c->src.val;
2691 c->lock_prefix = 1;
2692 break;
2693 case 0x88 ... 0x8b: /* mov */
2694 goto mov;
2695 case 0x8c: { /* mov r/m, sreg */
2696 struct kvm_segment segreg;
2697
2698 if (c->modrm_reg <= VCPU_SREG_GS)
2699 kvm_get_segment(ctxt->vcpu, &segreg, c->modrm_reg);
2700 else {
2701 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2702 goto done;
2703 }
2704 c->dst.val = segreg.selector;
2705 break;
2706 }
2707 case 0x8d: /* lea r16/r32, m */
2708 c->dst.val = c->modrm_ea;
2709 break;
2710 case 0x8e: { /* mov seg, r/m16 */
2711 uint16_t sel;
2712
2713 sel = c->src.val;
2714
2715 if (c->modrm_reg == VCPU_SREG_CS ||
2716 c->modrm_reg > VCPU_SREG_GS) {
2717 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2718 goto done;
2719 }
2720
2721 if (c->modrm_reg == VCPU_SREG_SS)
2722 toggle_interruptibility(ctxt, KVM_X86_SHADOW_INT_MOV_SS);
2723
2724 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
2725
2726 c->dst.type = OP_NONE; /* Disable writeback. */
2727 break;
2728 }
2729 case 0x8f: /* pop (sole member of Grp1a) */
2730 rc = emulate_grp1a(ctxt, ops);
2731 if (rc != X86EMUL_CONTINUE)
2732 goto done;
2733 break;
2734 case 0x90: /* nop / xchg r8,rax */
2735 if (!(c->rex_prefix & 1)) { /* nop */
2736 c->dst.type = OP_NONE;
2737 break;
2738 }
2739 case 0x91 ... 0x97: /* xchg reg,rax */
2740 c->src.type = c->dst.type = OP_REG;
2741 c->src.bytes = c->dst.bytes = c->op_bytes;
2742 c->src.ptr = (unsigned long *) &c->regs[VCPU_REGS_RAX];
2743 c->src.val = *(c->src.ptr);
2744 goto xchg;
2745 case 0x9c: /* pushf */
2746 c->src.val = (unsigned long) ctxt->eflags;
2747 emulate_push(ctxt);
2748 break;
2749 case 0x9d: /* popf */
2750 c->dst.type = OP_REG;
2751 c->dst.ptr = (unsigned long *) &ctxt->eflags;
2752 c->dst.bytes = c->op_bytes;
2753 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
2754 if (rc != X86EMUL_CONTINUE)
2755 goto done;
2756 break;
2757 case 0xa0 ... 0xa1: /* mov */
2758 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
2759 c->dst.val = c->src.val;
2760 break;
2761 case 0xa2 ... 0xa3: /* mov */
2762 c->dst.val = (unsigned long)c->regs[VCPU_REGS_RAX];
2763 break;
2764 case 0xa4 ... 0xa5: /* movs */
2765 c->dst.type = OP_MEM;
2766 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2767 c->dst.ptr = (unsigned long *)register_address(c,
2768 es_base(ctxt),
2769 c->regs[VCPU_REGS_RDI]);
2770 rc = ops->read_emulated(register_address(c,
2771 seg_override_base(ctxt, c),
2772 c->regs[VCPU_REGS_RSI]),
2773 &c->dst.val,
2774 c->dst.bytes, ctxt->vcpu);
2775 if (rc != X86EMUL_CONTINUE)
2776 goto done;
2777 register_address_increment(c, &c->regs[VCPU_REGS_RSI],
2778 (ctxt->eflags & EFLG_DF) ? -c->dst.bytes
2779 : c->dst.bytes);
2780 register_address_increment(c, &c->regs[VCPU_REGS_RDI],
2781 (ctxt->eflags & EFLG_DF) ? -c->dst.bytes
2782 : c->dst.bytes);
2783 break;
2784 case 0xa6 ... 0xa7: /* cmps */
2785 c->src.type = OP_NONE; /* Disable writeback. */
2786 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2787 c->src.ptr = (unsigned long *)register_address(c,
2788 seg_override_base(ctxt, c),
2789 c->regs[VCPU_REGS_RSI]);
2790 rc = ops->read_emulated((unsigned long)c->src.ptr,
2791 &c->src.val,
2792 c->src.bytes,
2793 ctxt->vcpu);
2794 if (rc != X86EMUL_CONTINUE)
2795 goto done;
2796
2797 c->dst.type = OP_NONE; /* Disable writeback. */
2798 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2799 c->dst.ptr = (unsigned long *)register_address(c,
2800 es_base(ctxt),
2801 c->regs[VCPU_REGS_RDI]);
2802 rc = ops->read_emulated((unsigned long)c->dst.ptr,
2803 &c->dst.val,
2804 c->dst.bytes,
2805 ctxt->vcpu);
2806 if (rc != X86EMUL_CONTINUE)
2807 goto done;
2808
2809 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.ptr, c->dst.ptr);
2810
2811 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2812
2813 register_address_increment(c, &c->regs[VCPU_REGS_RSI],
2814 (ctxt->eflags & EFLG_DF) ? -c->src.bytes
2815 : c->src.bytes);
2816 register_address_increment(c, &c->regs[VCPU_REGS_RDI],
2817 (ctxt->eflags & EFLG_DF) ? -c->dst.bytes
2818 : c->dst.bytes);
2819
2820 break;
2821 case 0xaa ... 0xab: /* stos */
2822 c->dst.type = OP_MEM;
2823 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2824 c->dst.ptr = (unsigned long *)register_address(c,
2825 es_base(ctxt),
2826 c->regs[VCPU_REGS_RDI]);
2827 c->dst.val = c->regs[VCPU_REGS_RAX];
2828 register_address_increment(c, &c->regs[VCPU_REGS_RDI],
2829 (ctxt->eflags & EFLG_DF) ? -c->dst.bytes
2830 : c->dst.bytes);
2831 break;
2832 case 0xac ... 0xad: /* lods */
2833 c->dst.type = OP_REG;
2834 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2835 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
2836 rc = ops->read_emulated(register_address(c,
2837 seg_override_base(ctxt, c),
2838 c->regs[VCPU_REGS_RSI]),
2839 &c->dst.val,
2840 c->dst.bytes,
2841 ctxt->vcpu);
2842 if (rc != X86EMUL_CONTINUE)
2843 goto done;
2844 register_address_increment(c, &c->regs[VCPU_REGS_RSI],
2845 (ctxt->eflags & EFLG_DF) ? -c->dst.bytes
2846 : c->dst.bytes);
2847 break;
2848 case 0xae ... 0xaf: /* scas */
2849 DPRINTF("Urk! I don't handle SCAS.\n");
2850 goto cannot_emulate;
2851 case 0xb0 ... 0xbf: /* mov r, imm */
2852 goto mov;
2853 case 0xc0 ... 0xc1:
2854 emulate_grp2(ctxt);
2855 break;
2856 case 0xc3: /* ret */
2857 c->dst.type = OP_REG;
2858 c->dst.ptr = &c->eip;
2859 c->dst.bytes = c->op_bytes;
2860 goto pop_instruction;
2861 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
2862 mov:
2863 c->dst.val = c->src.val;
2864 break;
2865 case 0xcb: /* ret far */
2866 rc = emulate_ret_far(ctxt, ops);
2867 if (rc != X86EMUL_CONTINUE)
2868 goto done;
2869 break;
2870 case 0xd0 ... 0xd1: /* Grp2 */
2871 c->src.val = 1;
2872 emulate_grp2(ctxt);
2873 break;
2874 case 0xd2 ... 0xd3: /* Grp2 */
2875 c->src.val = c->regs[VCPU_REGS_RCX];
2876 emulate_grp2(ctxt);
2877 break;
2878 case 0xe4: /* inb */
2879 case 0xe5: /* in */
2880 port = c->src.val;
2881 io_dir_in = 1;
2882 goto do_io;
2883 case 0xe6: /* outb */
2884 case 0xe7: /* out */
2885 port = c->src.val;
2886 io_dir_in = 0;
2887 goto do_io;
2888 case 0xe8: /* call (near) */ {
2889 long int rel = c->src.val;
2890 c->src.val = (unsigned long) c->eip;
2891 jmp_rel(c, rel);
2892 emulate_push(ctxt);
2893 break;
2894 }
2895 case 0xe9: /* jmp rel */
2896 goto jmp;
2897 case 0xea: /* jmp far */
2898 jump_far:
2899 if (load_segment_descriptor(ctxt, ops, c->src2.val,
2900 VCPU_SREG_CS))
2901 goto done;
2902
2903 c->eip = c->src.val;
2904 break;
2905 case 0xeb:
2906 jmp: /* jmp rel short */
2907 jmp_rel(c, c->src.val);
2908 c->dst.type = OP_NONE; /* Disable writeback. */
2909 break;
2910 case 0xec: /* in al,dx */
2911 case 0xed: /* in (e/r)ax,dx */
2912 port = c->regs[VCPU_REGS_RDX];
2913 io_dir_in = 1;
2914 goto do_io;
2915 case 0xee: /* out al,dx */
2916 case 0xef: /* out (e/r)ax,dx */
2917 port = c->regs[VCPU_REGS_RDX];
2918 io_dir_in = 0;
2919 do_io:
2920 if (!emulator_io_permited(ctxt, ops, port,
2921 (c->d & ByteOp) ? 1 : c->op_bytes)) {
2922 kvm_inject_gp(ctxt->vcpu, 0);
2923 goto done;
2924 }
2925 if (kvm_emulate_pio(ctxt->vcpu, io_dir_in,
2926 (c->d & ByteOp) ? 1 : c->op_bytes,
2927 port) != 0) {
2928 c->eip = saved_eip;
2929 goto cannot_emulate;
2930 }
2931 break;
2932 case 0xf4: /* hlt */
2933 ctxt->vcpu->arch.halt_request = 1;
2934 break;
2935 case 0xf5: /* cmc */
2936 /* complement carry flag from eflags reg */
2937 ctxt->eflags ^= EFLG_CF;
2938 c->dst.type = OP_NONE; /* Disable writeback. */
2939 break;
2940 case 0xf6 ... 0xf7: /* Grp3 */
2941 if (!emulate_grp3(ctxt, ops))
2942 goto cannot_emulate;
2943 break;
2944 case 0xf8: /* clc */
2945 ctxt->eflags &= ~EFLG_CF;
2946 c->dst.type = OP_NONE; /* Disable writeback. */
2947 break;
2948 case 0xfa: /* cli */
2949 if (emulator_bad_iopl(ctxt, ops))
2950 kvm_inject_gp(ctxt->vcpu, 0);
2951 else {
2952 ctxt->eflags &= ~X86_EFLAGS_IF;
2953 c->dst.type = OP_NONE; /* Disable writeback. */
2954 }
2955 break;
2956 case 0xfb: /* sti */
2957 if (emulator_bad_iopl(ctxt, ops))
2958 kvm_inject_gp(ctxt->vcpu, 0);
2959 else {
2960 toggle_interruptibility(ctxt, KVM_X86_SHADOW_INT_STI);
2961 ctxt->eflags |= X86_EFLAGS_IF;
2962 c->dst.type = OP_NONE; /* Disable writeback. */
2963 }
2964 break;
2965 case 0xfc: /* cld */
2966 ctxt->eflags &= ~EFLG_DF;
2967 c->dst.type = OP_NONE; /* Disable writeback. */
2968 break;
2969 case 0xfd: /* std */
2970 ctxt->eflags |= EFLG_DF;
2971 c->dst.type = OP_NONE; /* Disable writeback. */
2972 break;
2973 case 0xfe: /* Grp4 */
2974 grp45:
2975 rc = emulate_grp45(ctxt, ops);
2976 if (rc != X86EMUL_CONTINUE)
2977 goto done;
2978 break;
2979 case 0xff: /* Grp5 */
2980 if (c->modrm_reg == 5)
2981 goto jump_far;
2982 goto grp45;
2983 }
2984
2985 writeback:
2986 rc = writeback(ctxt, ops);
2987 if (rc != X86EMUL_CONTINUE)
2988 goto done;
2989
2990 /* Commit shadow register state. */
2991 memcpy(ctxt->vcpu->arch.regs, c->regs, sizeof c->regs);
2992 kvm_rip_write(ctxt->vcpu, c->eip);
2993
2994 done:
2995 if (rc == X86EMUL_UNHANDLEABLE) {
2996 c->eip = saved_eip;
2997 return -1;
2998 }
2999 return 0;
3000
3001 twobyte_insn:
3002 switch (c->b) {
3003 case 0x01: /* lgdt, lidt, lmsw */
3004 switch (c->modrm_reg) {
3005 u16 size;
3006 unsigned long address;
3007
3008 case 0: /* vmcall */
3009 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3010 goto cannot_emulate;
3011
3012 rc = kvm_fix_hypercall(ctxt->vcpu);
3013 if (rc != X86EMUL_CONTINUE)
3014 goto done;
3015
3016 /* Let the processor re-execute the fixed hypercall */
3017 c->eip = ctxt->eip;
3018 /* Disable writeback. */
3019 c->dst.type = OP_NONE;
3020 break;
3021 case 2: /* lgdt */
3022 rc = read_descriptor(ctxt, ops, c->src.ptr,
3023 &size, &address, c->op_bytes);
3024 if (rc != X86EMUL_CONTINUE)
3025 goto done;
3026 realmode_lgdt(ctxt->vcpu, size, address);
3027 /* Disable writeback. */
3028 c->dst.type = OP_NONE;
3029 break;
3030 case 3: /* lidt/vmmcall */
3031 if (c->modrm_mod == 3) {
3032 switch (c->modrm_rm) {
3033 case 1:
3034 rc = kvm_fix_hypercall(ctxt->vcpu);
3035 if (rc != X86EMUL_CONTINUE)
3036 goto done;
3037 break;
3038 default:
3039 goto cannot_emulate;
3040 }
3041 } else {
3042 rc = read_descriptor(ctxt, ops, c->src.ptr,
3043 &size, &address,
3044 c->op_bytes);
3045 if (rc != X86EMUL_CONTINUE)
3046 goto done;
3047 realmode_lidt(ctxt->vcpu, size, address);
3048 }
3049 /* Disable writeback. */
3050 c->dst.type = OP_NONE;
3051 break;
3052 case 4: /* smsw */
3053 c->dst.bytes = 2;
3054 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3055 break;
3056 case 6: /* lmsw */
3057 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0ful) |
3058 (c->src.val & 0x0f), ctxt->vcpu);
3059 c->dst.type = OP_NONE;
3060 break;
3061 case 5: /* not defined */
3062 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
3063 goto done;
3064 case 7: /* invlpg*/
3065 emulate_invlpg(ctxt->vcpu, memop);
3066 /* Disable writeback. */
3067 c->dst.type = OP_NONE;
3068 break;
3069 default:
3070 goto cannot_emulate;
3071 }
3072 break;
3073 case 0x05: /* syscall */
3074 rc = emulate_syscall(ctxt);
3075 if (rc != X86EMUL_CONTINUE)
3076 goto done;
3077 else
3078 goto writeback;
3079 break;
3080 case 0x06:
3081 emulate_clts(ctxt->vcpu);
3082 c->dst.type = OP_NONE;
3083 break;
3084 case 0x08: /* invd */
3085 case 0x09: /* wbinvd */
3086 case 0x0d: /* GrpP (prefetch) */
3087 case 0x18: /* Grp16 (prefetch/nop) */
3088 c->dst.type = OP_NONE;
3089 break;
3090 case 0x20: /* mov cr, reg */
3091 switch (c->modrm_reg) {
3092 case 1:
3093 case 5 ... 7:
3094 case 9 ... 15:
3095 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
3096 goto done;
3097 }
3098 c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3099 c->dst.type = OP_NONE; /* no writeback */
3100 break;
3101 case 0x21: /* mov from dr to reg */
3102 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3103 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3104 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
3105 goto done;
3106 }
3107 emulator_get_dr(ctxt, c->modrm_reg, &c->regs[c->modrm_rm]);
3108 c->dst.type = OP_NONE; /* no writeback */
3109 break;
3110 case 0x22: /* mov reg, cr */
3111 ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu);
3112 c->dst.type = OP_NONE;
3113 break;
3114 case 0x23: /* mov from reg to dr */
3115 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3116 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3117 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
3118 goto done;
3119 }
3120 emulator_set_dr(ctxt, c->modrm_reg, c->regs[c->modrm_rm]);
3121 c->dst.type = OP_NONE; /* no writeback */
3122 break;
3123 case 0x30:
3124 /* wrmsr */
3125 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3126 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3127 if (kvm_set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3128 kvm_inject_gp(ctxt->vcpu, 0);
3129 goto done;
3130 }
3131 rc = X86EMUL_CONTINUE;
3132 c->dst.type = OP_NONE;
3133 break;
3134 case 0x32:
3135 /* rdmsr */
3136 if (kvm_get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3137 kvm_inject_gp(ctxt->vcpu, 0);
3138 goto done;
3139 } else {
3140 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3141 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3142 }
3143 rc = X86EMUL_CONTINUE;
3144 c->dst.type = OP_NONE;
3145 break;
3146 case 0x34: /* sysenter */
3147 rc = emulate_sysenter(ctxt);
3148 if (rc != X86EMUL_CONTINUE)
3149 goto done;
3150 else
3151 goto writeback;
3152 break;
3153 case 0x35: /* sysexit */
3154 rc = emulate_sysexit(ctxt);
3155 if (rc != X86EMUL_CONTINUE)
3156 goto done;
3157 else
3158 goto writeback;
3159 break;
3160 case 0x40 ... 0x4f: /* cmov */
3161 c->dst.val = c->dst.orig_val = c->src.val;
3162 if (!test_cc(c->b, ctxt->eflags))
3163 c->dst.type = OP_NONE; /* no writeback */
3164 break;
3165 case 0x80 ... 0x8f: /* jnz rel, etc*/
3166 if (test_cc(c->b, ctxt->eflags))
3167 jmp_rel(c, c->src.val);
3168 c->dst.type = OP_NONE;
3169 break;
3170 case 0xa0: /* push fs */
3171 emulate_push_sreg(ctxt, VCPU_SREG_FS);
3172 break;
3173 case 0xa1: /* pop fs */
3174 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3175 if (rc != X86EMUL_CONTINUE)
3176 goto done;
3177 break;
3178 case 0xa3:
3179 bt: /* bt */
3180 c->dst.type = OP_NONE;
3181 /* only subword offset */
3182 c->src.val &= (c->dst.bytes << 3) - 1;
3183 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3184 break;
3185 case 0xa4: /* shld imm8, r, r/m */
3186 case 0xa5: /* shld cl, r, r/m */
3187 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3188 break;
3189 case 0xa8: /* push gs */
3190 emulate_push_sreg(ctxt, VCPU_SREG_GS);
3191 break;
3192 case 0xa9: /* pop gs */
3193 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3194 if (rc != X86EMUL_CONTINUE)
3195 goto done;
3196 break;
3197 case 0xab:
3198 bts: /* bts */
3199 /* only subword offset */
3200 c->src.val &= (c->dst.bytes << 3) - 1;
3201 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3202 break;
3203 case 0xac: /* shrd imm8, r, r/m */
3204 case 0xad: /* shrd cl, r, r/m */
3205 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3206 break;
3207 case 0xae: /* clflush */
3208 break;
3209 case 0xb0 ... 0xb1: /* cmpxchg */
3210 /*
3211 * Save real source value, then compare EAX against
3212 * destination.
3213 */
3214 c->src.orig_val = c->src.val;
3215 c->src.val = c->regs[VCPU_REGS_RAX];
3216 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3217 if (ctxt->eflags & EFLG_ZF) {
3218 /* Success: write back to memory. */
3219 c->dst.val = c->src.orig_val;
3220 } else {
3221 /* Failure: write the value we saw to EAX. */
3222 c->dst.type = OP_REG;
3223 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3224 }
3225 break;
3226 case 0xb3:
3227 btr: /* btr */
3228 /* only subword offset */
3229 c->src.val &= (c->dst.bytes << 3) - 1;
3230 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3231 break;
3232 case 0xb6 ... 0xb7: /* movzx */
3233 c->dst.bytes = c->op_bytes;
3234 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3235 : (u16) c->src.val;
3236 break;
3237 case 0xba: /* Grp8 */
3238 switch (c->modrm_reg & 3) {
3239 case 0:
3240 goto bt;
3241 case 1:
3242 goto bts;
3243 case 2:
3244 goto btr;
3245 case 3:
3246 goto btc;
3247 }
3248 break;
3249 case 0xbb:
3250 btc: /* btc */
3251 /* only subword offset */
3252 c->src.val &= (c->dst.bytes << 3) - 1;
3253 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3254 break;
3255 case 0xbe ... 0xbf: /* movsx */
3256 c->dst.bytes = c->op_bytes;
3257 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3258 (s16) c->src.val;
3259 break;
3260 case 0xc3: /* movnti */
3261 c->dst.bytes = c->op_bytes;
3262 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3263 (u64) c->src.val;
3264 break;
3265 case 0xc7: /* Grp9 (cmpxchg8b) */
3266 rc = emulate_grp9(ctxt, ops, memop);
3267 if (rc != X86EMUL_CONTINUE)
3268 goto done;
3269 c->dst.type = OP_NONE;
3270 break;
3271 }
3272 goto writeback;
3273
3274 cannot_emulate:
3275 DPRINTF("Cannot emulate %02x\n", c->b);
3276 c->eip = saved_eip;
3277 return -1;
3278 }
(deprecated) Btrfs devel tree