search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
KVM: x86 emulator: fix the comment of out instruction
[linux-2.6/linux-acpi-2.6/ibm-acpi-2.6.git] / arch / x86 / kvm / emulate.c
blobad8d7cdd1eb95d83ec4b630c0ce781f9f3d9115c
1 /******************************************************************************
2 * emulate.c
3 *
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5 *
6 * Copyright (c) 2005 Keir Fraser
7 *
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
10 *
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affilates.
13 *
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
16 *
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
19 *
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
21 */
22
23 #ifndef __KERNEL__
24 #include <stdio.h>
25 #include <stdint.h>
26 #include <public/xen.h>
27 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
28 #else
29 #include <linux/kvm_host.h>
30 #include "kvm_cache_regs.h"
31 #define DPRINTF(x...) do {} while (0)
32 #endif
33 #include <linux/module.h>
34 #include <asm/kvm_emulate.h>
35
36 #include "x86.h"
37 #include "tss.h"
38
39 /*
40 * Opcode effective-address decode tables.
41 * Note that we only emulate instructions that have at least one memory
42 * operand (excluding implicit stack references). We assume that stack
43 * references and instruction fetches will never occur in special memory
44 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
45 * not be handled.
46 */
47
48 /* Operand sizes: 8-bit operands or specified/overridden size. */
49 #define ByteOp (1<<0) /* 8-bit operands. */
50 /* Destination operand type. */
51 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
52 #define DstReg (2<<1) /* Register operand. */
53 #define DstMem (3<<1) /* Memory operand. */
54 #define DstAcc (4<<1) /* Destination Accumulator */
55 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
56 #define DstMem64 (6<<1) /* 64bit memory operand */
57 #define DstMask (7<<1)
58 /* Source operand type. */
59 #define SrcNone (0<<4) /* No source operand. */
60 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
61 #define SrcReg (1<<4) /* Register operand. */
62 #define SrcMem (2<<4) /* Memory operand. */
63 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
64 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
65 #define SrcImm (5<<4) /* Immediate operand. */
66 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
67 #define SrcOne (7<<4) /* Implied '1' */
68 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
69 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
70 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
71 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
72 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
73 #define SrcMask (0xf<<4)
74 /* Generic ModRM decode. */
75 #define ModRM (1<<8)
76 /* Destination is only written; never read. */
77 #define Mov (1<<9)
78 #define BitOp (1<<10)
79 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
80 #define String (1<<12) /* String instruction (rep capable) */
81 #define Stack (1<<13) /* Stack instruction (push/pop) */
82 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
83 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
84 #define GroupMask 0xff /* Group number stored in bits 0:7 */
85 /* Misc flags */
86 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
87 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
88 #define No64 (1<<28)
89 /* Source 2 operand type */
90 #define Src2None (0<<29)
91 #define Src2CL (1<<29)
92 #define Src2ImmByte (2<<29)
93 #define Src2One (3<<29)
94 #define Src2Mask (7<<29)
95
96 enum {
97 Group1_80, Group1_81, Group1_82, Group1_83,
98 Group1A, Group3_Byte, Group3, Group4, Group5, Group7,
99 Group8, Group9,
100 };
101
102 static u32 opcode_table[256] = {
103 /* 0x00 - 0x07 */
104 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
105 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
106 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
107 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
108 /* 0x08 - 0x0F */
109 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
110 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
111 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
112 ImplicitOps | Stack | No64, 0,
113 /* 0x10 - 0x17 */
114 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
115 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
116 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
117 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
118 /* 0x18 - 0x1F */
119 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
120 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
121 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
122 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
123 /* 0x20 - 0x27 */
124 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
125 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
126 DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
127 /* 0x28 - 0x2F */
128 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
129 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
130 ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
131 /* 0x30 - 0x37 */
132 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
133 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
134 ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
135 /* 0x38 - 0x3F */
136 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
137 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
138 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
139 0, 0,
140 /* 0x40 - 0x47 */
141 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
142 /* 0x48 - 0x4F */
143 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
144 /* 0x50 - 0x57 */
145 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
146 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
147 /* 0x58 - 0x5F */
148 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
149 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
150 /* 0x60 - 0x67 */
151 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
152 0, DstReg | SrcMem32 | ModRM | Mov /* movsxd (x86/64) */ ,
153 0, 0, 0, 0,
154 /* 0x68 - 0x6F */
155 SrcImm | Mov | Stack, 0, SrcImmByte | Mov | Stack, 0,
156 DstDI | ByteOp | Mov | String, DstDI | Mov | String, /* insb, insw/insd */
157 SrcSI | ByteOp | ImplicitOps | String, SrcSI | ImplicitOps | String, /* outsb, outsw/outsd */
158 /* 0x70 - 0x77 */
159 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
160 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
161 /* 0x78 - 0x7F */
162 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
163 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
164 /* 0x80 - 0x87 */
165 Group | Group1_80, Group | Group1_81,
166 Group | Group1_82, Group | Group1_83,
167 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
168 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
169 /* 0x88 - 0x8F */
170 ByteOp | DstMem | SrcReg | ModRM | Mov, DstMem | SrcReg | ModRM | Mov,
171 ByteOp | DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
172 DstMem | SrcReg | ModRM | Mov, ModRM | DstReg,
173 ImplicitOps | SrcMem16 | ModRM, Group | Group1A,
174 /* 0x90 - 0x97 */
175 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
176 /* 0x98 - 0x9F */
177 0, 0, SrcImmFAddr | No64, 0,
178 ImplicitOps | Stack, ImplicitOps | Stack, 0, 0,
179 /* 0xA0 - 0xA7 */
180 ByteOp | DstReg | SrcMem | Mov | MemAbs, DstReg | SrcMem | Mov | MemAbs,
181 ByteOp | DstMem | SrcReg | Mov | MemAbs, DstMem | SrcReg | Mov | MemAbs,
182 ByteOp | SrcSI | DstDI | Mov | String, SrcSI | DstDI | Mov | String,
183 ByteOp | SrcSI | DstDI | String, SrcSI | DstDI | String,
184 /* 0xA8 - 0xAF */
185 DstAcc | SrcImmByte | ByteOp, DstAcc | SrcImm, ByteOp | DstDI | Mov | String, DstDI | Mov | String,
186 ByteOp | SrcSI | DstAcc | Mov | String, SrcSI | DstAcc | Mov | String,
187 ByteOp | DstDI | String, DstDI | String,
188 /* 0xB0 - 0xB7 */
189 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
190 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
191 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
192 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
193 /* 0xB8 - 0xBF */
194 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
195 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
196 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
197 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
198 /* 0xC0 - 0xC7 */
199 ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM,
200 0, ImplicitOps | Stack, 0, 0,
201 ByteOp | DstMem | SrcImm | ModRM | Mov, DstMem | SrcImm | ModRM | Mov,
202 /* 0xC8 - 0xCF */
203 0, 0, 0, ImplicitOps | Stack,
204 ImplicitOps, SrcImmByte, ImplicitOps | No64, ImplicitOps,
205 /* 0xD0 - 0xD7 */
206 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
207 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
208 0, 0, 0, 0,
209 /* 0xD8 - 0xDF */
210 0, 0, 0, 0, 0, 0, 0, 0,
211 /* 0xE0 - 0xE7 */
212 0, 0, 0, 0,
213 ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
214 ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
215 /* 0xE8 - 0xEF */
216 SrcImm | Stack, SrcImm | ImplicitOps,
217 SrcImmFAddr | No64, SrcImmByte | ImplicitOps,
218 SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
219 SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
220 /* 0xF0 - 0xF7 */
221 0, 0, 0, 0,
222 ImplicitOps | Priv, ImplicitOps, Group | Group3_Byte, Group | Group3,
223 /* 0xF8 - 0xFF */
224 ImplicitOps, 0, ImplicitOps, ImplicitOps,
225 ImplicitOps, ImplicitOps, Group | Group4, Group | Group5,
226 };
227
228 static u32 twobyte_table[256] = {
229 /* 0x00 - 0x0F */
230 0, Group | GroupDual | Group7, 0, 0,
231 0, ImplicitOps, ImplicitOps | Priv, 0,
232 ImplicitOps | Priv, ImplicitOps | Priv, 0, 0,
233 0, ImplicitOps | ModRM, 0, 0,
234 /* 0x10 - 0x1F */
235 0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0,
236 /* 0x20 - 0x2F */
237 ModRM | ImplicitOps | Priv, ModRM | Priv,
238 ModRM | ImplicitOps | Priv, ModRM | Priv,
239 0, 0, 0, 0,
240 0, 0, 0, 0, 0, 0, 0, 0,
241 /* 0x30 - 0x3F */
242 ImplicitOps | Priv, 0, ImplicitOps | Priv, 0,
243 ImplicitOps, ImplicitOps | Priv, 0, 0,
244 0, 0, 0, 0, 0, 0, 0, 0,
245 /* 0x40 - 0x47 */
246 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
247 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
248 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
249 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
250 /* 0x48 - 0x4F */
251 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
252 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
253 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
254 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
255 /* 0x50 - 0x5F */
256 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
257 /* 0x60 - 0x6F */
258 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
259 /* 0x70 - 0x7F */
260 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
261 /* 0x80 - 0x8F */
262 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
263 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
264 /* 0x90 - 0x9F */
265 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
266 /* 0xA0 - 0xA7 */
267 ImplicitOps | Stack, ImplicitOps | Stack,
268 0, DstMem | SrcReg | ModRM | BitOp,
269 DstMem | SrcReg | Src2ImmByte | ModRM,
270 DstMem | SrcReg | Src2CL | ModRM, 0, 0,
271 /* 0xA8 - 0xAF */
272 ImplicitOps | Stack, ImplicitOps | Stack,
273 0, DstMem | SrcReg | ModRM | BitOp | Lock,
274 DstMem | SrcReg | Src2ImmByte | ModRM,
275 DstMem | SrcReg | Src2CL | ModRM,
276 ModRM, 0,
277 /* 0xB0 - 0xB7 */
278 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
279 0, DstMem | SrcReg | ModRM | BitOp | Lock,
280 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
281 DstReg | SrcMem16 | ModRM | Mov,
282 /* 0xB8 - 0xBF */
283 0, 0,
284 Group | Group8, DstMem | SrcReg | ModRM | BitOp | Lock,
285 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
286 DstReg | SrcMem16 | ModRM | Mov,
287 /* 0xC0 - 0xCF */
288 0, 0, 0, DstMem | SrcReg | ModRM | Mov,
289 0, 0, 0, Group | GroupDual | Group9,
290 0, 0, 0, 0, 0, 0, 0, 0,
291 /* 0xD0 - 0xDF */
292 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
293 /* 0xE0 - 0xEF */
294 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
295 /* 0xF0 - 0xFF */
296 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
297 };
298
299 static u32 group_table[] = {
300 [Group1_80*8] =
301 ByteOp | DstMem | SrcImm | ModRM | Lock,
302 ByteOp | DstMem | SrcImm | ModRM | Lock,
303 ByteOp | DstMem | SrcImm | ModRM | Lock,
304 ByteOp | DstMem | SrcImm | ModRM | Lock,
305 ByteOp | DstMem | SrcImm | ModRM | Lock,
306 ByteOp | DstMem | SrcImm | ModRM | Lock,
307 ByteOp | DstMem | SrcImm | ModRM | Lock,
308 ByteOp | DstMem | SrcImm | ModRM,
309 [Group1_81*8] =
310 DstMem | SrcImm | ModRM | Lock,
311 DstMem | SrcImm | ModRM | Lock,
312 DstMem | SrcImm | ModRM | Lock,
313 DstMem | SrcImm | ModRM | Lock,
314 DstMem | SrcImm | ModRM | Lock,
315 DstMem | SrcImm | ModRM | Lock,
316 DstMem | SrcImm | ModRM | Lock,
317 DstMem | SrcImm | ModRM,
318 [Group1_82*8] =
319 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
320 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
321 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
322 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
323 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
324 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
325 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
326 ByteOp | DstMem | SrcImm | ModRM | No64,
327 [Group1_83*8] =
328 DstMem | SrcImmByte | ModRM | Lock,
329 DstMem | SrcImmByte | ModRM | Lock,
330 DstMem | SrcImmByte | ModRM | Lock,
331 DstMem | SrcImmByte | ModRM | Lock,
332 DstMem | SrcImmByte | ModRM | Lock,
333 DstMem | SrcImmByte | ModRM | Lock,
334 DstMem | SrcImmByte | ModRM | Lock,
335 DstMem | SrcImmByte | ModRM,
336 [Group1A*8] =
337 DstMem | SrcNone | ModRM | Mov | Stack, 0, 0, 0, 0, 0, 0, 0,
338 [Group3_Byte*8] =
339 ByteOp | SrcImm | DstMem | ModRM, ByteOp | SrcImm | DstMem | ModRM,
340 ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
341 0, 0, 0, 0,
342 [Group3*8] =
343 DstMem | SrcImm | ModRM, DstMem | SrcImm | ModRM,
344 DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
345 0, 0, 0, 0,
346 [Group4*8] =
347 ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
348 0, 0, 0, 0, 0, 0,
349 [Group5*8] =
350 DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
351 SrcMem | ModRM | Stack, 0,
352 SrcMem | ModRM | Stack, SrcMemFAddr | ModRM | ImplicitOps,
353 SrcMem | ModRM | Stack, 0,
354 [Group7*8] =
355 0, 0, ModRM | SrcMem | Priv, ModRM | SrcMem | Priv,
356 SrcNone | ModRM | DstMem | Mov, 0,
357 SrcMem16 | ModRM | Mov | Priv, SrcMem | ModRM | ByteOp | Priv,
358 [Group8*8] =
359 0, 0, 0, 0,
360 DstMem | SrcImmByte | ModRM, DstMem | SrcImmByte | ModRM | Lock,
361 DstMem | SrcImmByte | ModRM | Lock, DstMem | SrcImmByte | ModRM | Lock,
362 [Group9*8] =
363 0, DstMem64 | ModRM | Lock, 0, 0, 0, 0, 0, 0,
364 };
365
366 static u32 group2_table[] = {
367 [Group7*8] =
368 SrcNone | ModRM | Priv, 0, 0, SrcNone | ModRM | Priv,
369 SrcNone | ModRM | DstMem | Mov, 0,
370 SrcMem16 | ModRM | Mov | Priv, 0,
371 [Group9*8] =
372 0, 0, 0, 0, 0, 0, 0, 0,
373 };
374
375 /* EFLAGS bit definitions. */
376 #define EFLG_ID (1<<21)
377 #define EFLG_VIP (1<<20)
378 #define EFLG_VIF (1<<19)
379 #define EFLG_AC (1<<18)
380 #define EFLG_VM (1<<17)
381 #define EFLG_RF (1<<16)
382 #define EFLG_IOPL (3<<12)
383 #define EFLG_NT (1<<14)
384 #define EFLG_OF (1<<11)
385 #define EFLG_DF (1<<10)
386 #define EFLG_IF (1<<9)
387 #define EFLG_TF (1<<8)
388 #define EFLG_SF (1<<7)
389 #define EFLG_ZF (1<<6)
390 #define EFLG_AF (1<<4)
391 #define EFLG_PF (1<<2)
392 #define EFLG_CF (1<<0)
393
394 /*
395 * Instruction emulation:
396 * Most instructions are emulated directly via a fragment of inline assembly
397 * code. This allows us to save/restore EFLAGS and thus very easily pick up
398 * any modified flags.
399 */
400
401 #if defined(CONFIG_X86_64)
402 #define _LO32 "k" /* force 32-bit operand */
403 #define _STK "%%rsp" /* stack pointer */
404 #elif defined(__i386__)
405 #define _LO32 "" /* force 32-bit operand */
406 #define _STK "%%esp" /* stack pointer */
407 #endif
408
409 /*
410 * These EFLAGS bits are restored from saved value during emulation, and
411 * any changes are written back to the saved value after emulation.
412 */
413 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
414
415 /* Before executing instruction: restore necessary bits in EFLAGS. */
416 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
417 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
418 "movl %"_sav",%"_LO32 _tmp"; " \
419 "push %"_tmp"; " \
420 "push %"_tmp"; " \
421 "movl %"_msk",%"_LO32 _tmp"; " \
422 "andl %"_LO32 _tmp",("_STK"); " \
423 "pushf; " \
424 "notl %"_LO32 _tmp"; " \
425 "andl %"_LO32 _tmp",("_STK"); " \
426 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
427 "pop %"_tmp"; " \
428 "orl %"_LO32 _tmp",("_STK"); " \
429 "popf; " \
430 "pop %"_sav"; "
431
432 /* After executing instruction: write-back necessary bits in EFLAGS. */
433 #define _POST_EFLAGS(_sav, _msk, _tmp) \
434 /* _sav |= EFLAGS & _msk; */ \
435 "pushf; " \
436 "pop %"_tmp"; " \
437 "andl %"_msk",%"_LO32 _tmp"; " \
438 "orl %"_LO32 _tmp",%"_sav"; "
439
440 #ifdef CONFIG_X86_64
441 #define ON64(x) x
442 #else
443 #define ON64(x)
444 #endif
445
446 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
447 do { \
448 __asm__ __volatile__ ( \
449 _PRE_EFLAGS("0", "4", "2") \
450 _op _suffix " %"_x"3,%1; " \
451 _POST_EFLAGS("0", "4", "2") \
452 : "=m" (_eflags), "=m" ((_dst).val), \
453 "=&r" (_tmp) \
454 : _y ((_src).val), "i" (EFLAGS_MASK)); \
455 } while (0)
456
457
458 /* Raw emulation: instruction has two explicit operands. */
459 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
460 do { \
461 unsigned long _tmp; \
462 \
463 switch ((_dst).bytes) { \
464 case 2: \
465 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
466 break; \
467 case 4: \
468 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
469 break; \
470 case 8: \
471 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
472 break; \
473 } \
474 } while (0)
475
476 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
477 do { \
478 unsigned long _tmp; \
479 switch ((_dst).bytes) { \
480 case 1: \
481 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
482 break; \
483 default: \
484 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
485 _wx, _wy, _lx, _ly, _qx, _qy); \
486 break; \
487 } \
488 } while (0)
489
490 /* Source operand is byte-sized and may be restricted to just %cl. */
491 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
492 __emulate_2op(_op, _src, _dst, _eflags, \
493 "b", "c", "b", "c", "b", "c", "b", "c")
494
495 /* Source operand is byte, word, long or quad sized. */
496 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
497 __emulate_2op(_op, _src, _dst, _eflags, \
498 "b", "q", "w", "r", _LO32, "r", "", "r")
499
500 /* Source operand is word, long or quad sized. */
501 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
502 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
503 "w", "r", _LO32, "r", "", "r")
504
505 /* Instruction has three operands and one operand is stored in ECX register */
506 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
507 do { \
508 unsigned long _tmp; \
509 _type _clv = (_cl).val; \
510 _type _srcv = (_src).val; \
511 _type _dstv = (_dst).val; \
512 \
513 __asm__ __volatile__ ( \
514 _PRE_EFLAGS("0", "5", "2") \
515 _op _suffix " %4,%1 \n" \
516 _POST_EFLAGS("0", "5", "2") \
517 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
518 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
519 ); \
520 \
521 (_cl).val = (unsigned long) _clv; \
522 (_src).val = (unsigned long) _srcv; \
523 (_dst).val = (unsigned long) _dstv; \
524 } while (0)
525
526 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
527 do { \
528 switch ((_dst).bytes) { \
529 case 2: \
530 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
531 "w", unsigned short); \
532 break; \
533 case 4: \
534 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
535 "l", unsigned int); \
536 break; \
537 case 8: \
538 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
539 "q", unsigned long)); \
540 break; \
541 } \
542 } while (0)
543
544 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
545 do { \
546 unsigned long _tmp; \
547 \
548 __asm__ __volatile__ ( \
549 _PRE_EFLAGS("0", "3", "2") \
550 _op _suffix " %1; " \
551 _POST_EFLAGS("0", "3", "2") \
552 : "=m" (_eflags), "+m" ((_dst).val), \
553 "=&r" (_tmp) \
554 : "i" (EFLAGS_MASK)); \
555 } while (0)
556
557 /* Instruction has only one explicit operand (no source operand). */
558 #define emulate_1op(_op, _dst, _eflags) \
559 do { \
560 switch ((_dst).bytes) { \
561 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
562 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
563 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
564 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
565 } \
566 } while (0)
567
568 /* Fetch next part of the instruction being emulated. */
569 #define insn_fetch(_type, _size, _eip) \
570 ({ unsigned long _x; \
571 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
572 if (rc != X86EMUL_CONTINUE) \
573 goto done; \
574 (_eip) += (_size); \
575 (_type)_x; \
576 })
577
578 #define insn_fetch_arr(_arr, _size, _eip) \
579 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
580 if (rc != X86EMUL_CONTINUE) \
581 goto done; \
582 (_eip) += (_size); \
583 })
584
585 static inline unsigned long ad_mask(struct decode_cache *c)
586 {
587 return (1UL << (c->ad_bytes << 3)) - 1;
588 }
589
590 /* Access/update address held in a register, based on addressing mode. */
591 static inline unsigned long
592 address_mask(struct decode_cache *c, unsigned long reg)
593 {
594 if (c->ad_bytes == sizeof(unsigned long))
595 return reg;
596 else
597 return reg & ad_mask(c);
598 }
599
600 static inline unsigned long
601 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
602 {
603 return base + address_mask(c, reg);
604 }
605
606 static inline void
607 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
608 {
609 if (c->ad_bytes == sizeof(unsigned long))
610 *reg += inc;
611 else
612 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
613 }
614
615 static inline void jmp_rel(struct decode_cache *c, int rel)
616 {
617 register_address_increment(c, &c->eip, rel);
618 }
619
620 static void set_seg_override(struct decode_cache *c, int seg)
621 {
622 c->has_seg_override = true;
623 c->seg_override = seg;
624 }
625
626 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
627 struct x86_emulate_ops *ops, int seg)
628 {
629 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
630 return 0;
631
632 return ops->get_cached_segment_base(seg, ctxt->vcpu);
633 }
634
635 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
636 struct x86_emulate_ops *ops,
637 struct decode_cache *c)
638 {
639 if (!c->has_seg_override)
640 return 0;
641
642 return seg_base(ctxt, ops, c->seg_override);
643 }
644
645 static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
646 struct x86_emulate_ops *ops)
647 {
648 return seg_base(ctxt, ops, VCPU_SREG_ES);
649 }
650
651 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
652 struct x86_emulate_ops *ops)
653 {
654 return seg_base(ctxt, ops, VCPU_SREG_SS);
655 }
656
657 static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
658 u32 error, bool valid)
659 {
660 ctxt->exception = vec;
661 ctxt->error_code = error;
662 ctxt->error_code_valid = valid;
663 ctxt->restart = false;
664 }
665
666 static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
667 {
668 emulate_exception(ctxt, GP_VECTOR, err, true);
669 }
670
671 static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
672 int err)
673 {
674 ctxt->cr2 = addr;
675 emulate_exception(ctxt, PF_VECTOR, err, true);
676 }
677
678 static void emulate_ud(struct x86_emulate_ctxt *ctxt)
679 {
680 emulate_exception(ctxt, UD_VECTOR, 0, false);
681 }
682
683 static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
684 {
685 emulate_exception(ctxt, TS_VECTOR, err, true);
686 }
687
688 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
689 struct x86_emulate_ops *ops,
690 unsigned long eip, u8 *dest)
691 {
692 struct fetch_cache *fc = &ctxt->decode.fetch;
693 int rc;
694 int size, cur_size;
695
696 if (eip == fc->end) {
697 cur_size = fc->end - fc->start;
698 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
699 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
700 size, ctxt->vcpu, NULL);
701 if (rc != X86EMUL_CONTINUE)
702 return rc;
703 fc->end += size;
704 }
705 *dest = fc->data[eip - fc->start];
706 return X86EMUL_CONTINUE;
707 }
708
709 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
710 struct x86_emulate_ops *ops,
711 unsigned long eip, void *dest, unsigned size)
712 {
713 int rc;
714
715 /* x86 instructions are limited to 15 bytes. */
716 if (eip + size - ctxt->eip > 15)
717 return X86EMUL_UNHANDLEABLE;
718 while (size--) {
719 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
720 if (rc != X86EMUL_CONTINUE)
721 return rc;
722 }
723 return X86EMUL_CONTINUE;
724 }
725
726 /*
727 * Given the 'reg' portion of a ModRM byte, and a register block, return a
728 * pointer into the block that addresses the relevant register.
729 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
730 */
731 static void *decode_register(u8 modrm_reg, unsigned long *regs,
732 int highbyte_regs)
733 {
734 void *p;
735
736 p = &regs[modrm_reg];
737 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
738 p = (unsigned char *)&regs[modrm_reg & 3] + 1;
739 return p;
740 }
741
742 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
743 struct x86_emulate_ops *ops,
744 void *ptr,
745 u16 *size, unsigned long *address, int op_bytes)
746 {
747 int rc;
748
749 if (op_bytes == 2)
750 op_bytes = 3;
751 *address = 0;
752 rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
753 ctxt->vcpu, NULL);
754 if (rc != X86EMUL_CONTINUE)
755 return rc;
756 rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
757 ctxt->vcpu, NULL);
758 return rc;
759 }
760
761 static int test_cc(unsigned int condition, unsigned int flags)
762 {
763 int rc = 0;
764
765 switch ((condition & 15) >> 1) {
766 case 0: /* o */
767 rc |= (flags & EFLG_OF);
768 break;
769 case 1: /* b/c/nae */
770 rc |= (flags & EFLG_CF);
771 break;
772 case 2: /* z/e */
773 rc |= (flags & EFLG_ZF);
774 break;
775 case 3: /* be/na */
776 rc |= (flags & (EFLG_CF|EFLG_ZF));
777 break;
778 case 4: /* s */
779 rc |= (flags & EFLG_SF);
780 break;
781 case 5: /* p/pe */
782 rc |= (flags & EFLG_PF);
783 break;
784 case 7: /* le/ng */
785 rc |= (flags & EFLG_ZF);
786 /* fall through */
787 case 6: /* l/nge */
788 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
789 break;
790 }
791
792 /* Odd condition identifiers (lsb == 1) have inverted sense. */
793 return (!!rc ^ (condition & 1));
794 }
795
796 static void decode_register_operand(struct operand *op,
797 struct decode_cache *c,
798 int inhibit_bytereg)
799 {
800 unsigned reg = c->modrm_reg;
801 int highbyte_regs = c->rex_prefix == 0;
802
803 if (!(c->d & ModRM))
804 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
805 op->type = OP_REG;
806 if ((c->d & ByteOp) && !inhibit_bytereg) {
807 op->ptr = decode_register(reg, c->regs, highbyte_regs);
808 op->val = *(u8 *)op->ptr;
809 op->bytes = 1;
810 } else {
811 op->ptr = decode_register(reg, c->regs, 0);
812 op->bytes = c->op_bytes;
813 switch (op->bytes) {
814 case 2:
815 op->val = *(u16 *)op->ptr;
816 break;
817 case 4:
818 op->val = *(u32 *)op->ptr;
819 break;
820 case 8:
821 op->val = *(u64 *) op->ptr;
822 break;
823 }
824 }
825 op->orig_val = op->val;
826 }
827
828 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
829 struct x86_emulate_ops *ops)
830 {
831 struct decode_cache *c = &ctxt->decode;
832 u8 sib;
833 int index_reg = 0, base_reg = 0, scale;
834 int rc = X86EMUL_CONTINUE;
835
836 if (c->rex_prefix) {
837 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
838 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
839 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
840 }
841
842 c->modrm = insn_fetch(u8, 1, c->eip);
843 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
844 c->modrm_reg |= (c->modrm & 0x38) >> 3;
845 c->modrm_rm |= (c->modrm & 0x07);
846 c->modrm_ea = 0;
847 c->use_modrm_ea = 1;
848
849 if (c->modrm_mod == 3) {
850 c->modrm_ptr = decode_register(c->modrm_rm,
851 c->regs, c->d & ByteOp);
852 c->modrm_val = *(unsigned long *)c->modrm_ptr;
853 return rc;
854 }
855
856 if (c->ad_bytes == 2) {
857 unsigned bx = c->regs[VCPU_REGS_RBX];
858 unsigned bp = c->regs[VCPU_REGS_RBP];
859 unsigned si = c->regs[VCPU_REGS_RSI];
860 unsigned di = c->regs[VCPU_REGS_RDI];
861
862 /* 16-bit ModR/M decode. */
863 switch (c->modrm_mod) {
864 case 0:
865 if (c->modrm_rm == 6)
866 c->modrm_ea += insn_fetch(u16, 2, c->eip);
867 break;
868 case 1:
869 c->modrm_ea += insn_fetch(s8, 1, c->eip);
870 break;
871 case 2:
872 c->modrm_ea += insn_fetch(u16, 2, c->eip);
873 break;
874 }
875 switch (c->modrm_rm) {
876 case 0:
877 c->modrm_ea += bx + si;
878 break;
879 case 1:
880 c->modrm_ea += bx + di;
881 break;
882 case 2:
883 c->modrm_ea += bp + si;
884 break;
885 case 3:
886 c->modrm_ea += bp + di;
887 break;
888 case 4:
889 c->modrm_ea += si;
890 break;
891 case 5:
892 c->modrm_ea += di;
893 break;
894 case 6:
895 if (c->modrm_mod != 0)
896 c->modrm_ea += bp;
897 break;
898 case 7:
899 c->modrm_ea += bx;
900 break;
901 }
902 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
903 (c->modrm_rm == 6 && c->modrm_mod != 0))
904 if (!c->has_seg_override)
905 set_seg_override(c, VCPU_SREG_SS);
906 c->modrm_ea = (u16)c->modrm_ea;
907 } else {
908 /* 32/64-bit ModR/M decode. */
909 if ((c->modrm_rm & 7) == 4) {
910 sib = insn_fetch(u8, 1, c->eip);
911 index_reg |= (sib >> 3) & 7;
912 base_reg |= sib & 7;
913 scale = sib >> 6;
914
915 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
916 c->modrm_ea += insn_fetch(s32, 4, c->eip);
917 else
918 c->modrm_ea += c->regs[base_reg];
919 if (index_reg != 4)
920 c->modrm_ea += c->regs[index_reg] << scale;
921 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
922 if (ctxt->mode == X86EMUL_MODE_PROT64)
923 c->rip_relative = 1;
924 } else
925 c->modrm_ea += c->regs[c->modrm_rm];
926 switch (c->modrm_mod) {
927 case 0:
928 if (c->modrm_rm == 5)
929 c->modrm_ea += insn_fetch(s32, 4, c->eip);
930 break;
931 case 1:
932 c->modrm_ea += insn_fetch(s8, 1, c->eip);
933 break;
934 case 2:
935 c->modrm_ea += insn_fetch(s32, 4, c->eip);
936 break;
937 }
938 }
939 done:
940 return rc;
941 }
942
943 static int decode_abs(struct x86_emulate_ctxt *ctxt,
944 struct x86_emulate_ops *ops)
945 {
946 struct decode_cache *c = &ctxt->decode;
947 int rc = X86EMUL_CONTINUE;
948
949 switch (c->ad_bytes) {
950 case 2:
951 c->modrm_ea = insn_fetch(u16, 2, c->eip);
952 break;
953 case 4:
954 c->modrm_ea = insn_fetch(u32, 4, c->eip);
955 break;
956 case 8:
957 c->modrm_ea = insn_fetch(u64, 8, c->eip);
958 break;
959 }
960 done:
961 return rc;
962 }
963
964 int
965 x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
966 {
967 struct decode_cache *c = &ctxt->decode;
968 int rc = X86EMUL_CONTINUE;
969 int mode = ctxt->mode;
970 int def_op_bytes, def_ad_bytes, group;
971
972
973 /* we cannot decode insn before we complete previous rep insn */
974 WARN_ON(ctxt->restart);
975
976 c->eip = ctxt->eip;
977 c->fetch.start = c->fetch.end = c->eip;
978 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
979
980 switch (mode) {
981 case X86EMUL_MODE_REAL:
982 case X86EMUL_MODE_VM86:
983 case X86EMUL_MODE_PROT16:
984 def_op_bytes = def_ad_bytes = 2;
985 break;
986 case X86EMUL_MODE_PROT32:
987 def_op_bytes = def_ad_bytes = 4;
988 break;
989 #ifdef CONFIG_X86_64
990 case X86EMUL_MODE_PROT64:
991 def_op_bytes = 4;
992 def_ad_bytes = 8;
993 break;
994 #endif
995 default:
996 return -1;
997 }
998
999 c->op_bytes = def_op_bytes;
1000 c->ad_bytes = def_ad_bytes;
1001
1002 /* Legacy prefixes. */
1003 for (;;) {
1004 switch (c->b = insn_fetch(u8, 1, c->eip)) {
1005 case 0x66: /* operand-size override */
1006 /* switch between 2/4 bytes */
1007 c->op_bytes = def_op_bytes ^ 6;
1008 break;
1009 case 0x67: /* address-size override */
1010 if (mode == X86EMUL_MODE_PROT64)
1011 /* switch between 4/8 bytes */
1012 c->ad_bytes = def_ad_bytes ^ 12;
1013 else
1014 /* switch between 2/4 bytes */
1015 c->ad_bytes = def_ad_bytes ^ 6;
1016 break;
1017 case 0x26: /* ES override */
1018 case 0x2e: /* CS override */
1019 case 0x36: /* SS override */
1020 case 0x3e: /* DS override */
1021 set_seg_override(c, (c->b >> 3) & 3);
1022 break;
1023 case 0x64: /* FS override */
1024 case 0x65: /* GS override */
1025 set_seg_override(c, c->b & 7);
1026 break;
1027 case 0x40 ... 0x4f: /* REX */
1028 if (mode != X86EMUL_MODE_PROT64)
1029 goto done_prefixes;
1030 c->rex_prefix = c->b;
1031 continue;
1032 case 0xf0: /* LOCK */
1033 c->lock_prefix = 1;
1034 break;
1035 case 0xf2: /* REPNE/REPNZ */
1036 c->rep_prefix = REPNE_PREFIX;
1037 break;
1038 case 0xf3: /* REP/REPE/REPZ */
1039 c->rep_prefix = REPE_PREFIX;
1040 break;
1041 default:
1042 goto done_prefixes;
1043 }
1044
1045 /* Any legacy prefix after a REX prefix nullifies its effect. */
1046
1047 c->rex_prefix = 0;
1048 }
1049
1050 done_prefixes:
1051
1052 /* REX prefix. */
1053 if (c->rex_prefix)
1054 if (c->rex_prefix & 8)
1055 c->op_bytes = 8; /* REX.W */
1056
1057 /* Opcode byte(s). */
1058 c->d = opcode_table[c->b];
1059 if (c->d == 0) {
1060 /* Two-byte opcode? */
1061 if (c->b == 0x0f) {
1062 c->twobyte = 1;
1063 c->b = insn_fetch(u8, 1, c->eip);
1064 c->d = twobyte_table[c->b];
1065 }
1066 }
1067
1068 if (c->d & Group) {
1069 group = c->d & GroupMask;
1070 c->modrm = insn_fetch(u8, 1, c->eip);
1071 --c->eip;
1072
1073 group = (group << 3) + ((c->modrm >> 3) & 7);
1074 if ((c->d & GroupDual) && (c->modrm >> 6) == 3)
1075 c->d = group2_table[group];
1076 else
1077 c->d = group_table[group];
1078 }
1079
1080 /* Unrecognised? */
1081 if (c->d == 0) {
1082 DPRINTF("Cannot emulate %02x\n", c->b);
1083 return -1;
1084 }
1085
1086 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
1087 c->op_bytes = 8;
1088
1089 /* ModRM and SIB bytes. */
1090 if (c->d & ModRM)
1091 rc = decode_modrm(ctxt, ops);
1092 else if (c->d & MemAbs)
1093 rc = decode_abs(ctxt, ops);
1094 if (rc != X86EMUL_CONTINUE)
1095 goto done;
1096
1097 if (!c->has_seg_override)
1098 set_seg_override(c, VCPU_SREG_DS);
1099
1100 if (!(!c->twobyte && c->b == 0x8d))
1101 c->modrm_ea += seg_override_base(ctxt, ops, c);
1102
1103 if (c->ad_bytes != 8)
1104 c->modrm_ea = (u32)c->modrm_ea;
1105
1106 if (c->rip_relative)
1107 c->modrm_ea += c->eip;
1108
1109 /*
1110 * Decode and fetch the source operand: register, memory
1111 * or immediate.
1112 */
1113 switch (c->d & SrcMask) {
1114 case SrcNone:
1115 break;
1116 case SrcReg:
1117 decode_register_operand(&c->src, c, 0);
1118 break;
1119 case SrcMem16:
1120 c->src.bytes = 2;
1121 goto srcmem_common;
1122 case SrcMem32:
1123 c->src.bytes = 4;
1124 goto srcmem_common;
1125 case SrcMem:
1126 c->src.bytes = (c->d & ByteOp) ? 1 :
1127 c->op_bytes;
1128 /* Don't fetch the address for invlpg: it could be unmapped. */
1129 if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
1130 break;
1131 srcmem_common:
1132 /*
1133 * For instructions with a ModR/M byte, switch to register
1134 * access if Mod = 3.
1135 */
1136 if ((c->d & ModRM) && c->modrm_mod == 3) {
1137 c->src.type = OP_REG;
1138 c->src.val = c->modrm_val;
1139 c->src.ptr = c->modrm_ptr;
1140 break;
1141 }
1142 c->src.type = OP_MEM;
1143 c->src.ptr = (unsigned long *)c->modrm_ea;
1144 c->src.val = 0;
1145 break;
1146 case SrcImm:
1147 case SrcImmU:
1148 c->src.type = OP_IMM;
1149 c->src.ptr = (unsigned long *)c->eip;
1150 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1151 if (c->src.bytes == 8)
1152 c->src.bytes = 4;
1153 /* NB. Immediates are sign-extended as necessary. */
1154 switch (c->src.bytes) {
1155 case 1:
1156 c->src.val = insn_fetch(s8, 1, c->eip);
1157 break;
1158 case 2:
1159 c->src.val = insn_fetch(s16, 2, c->eip);
1160 break;
1161 case 4:
1162 c->src.val = insn_fetch(s32, 4, c->eip);
1163 break;
1164 }
1165 if ((c->d & SrcMask) == SrcImmU) {
1166 switch (c->src.bytes) {
1167 case 1:
1168 c->src.val &= 0xff;
1169 break;
1170 case 2:
1171 c->src.val &= 0xffff;
1172 break;
1173 case 4:
1174 c->src.val &= 0xffffffff;
1175 break;
1176 }
1177 }
1178 break;
1179 case SrcImmByte:
1180 case SrcImmUByte:
1181 c->src.type = OP_IMM;
1182 c->src.ptr = (unsigned long *)c->eip;
1183 c->src.bytes = 1;
1184 if ((c->d & SrcMask) == SrcImmByte)
1185 c->src.val = insn_fetch(s8, 1, c->eip);
1186 else
1187 c->src.val = insn_fetch(u8, 1, c->eip);
1188 break;
1189 case SrcOne:
1190 c->src.bytes = 1;
1191 c->src.val = 1;
1192 break;
1193 case SrcSI:
1194 c->src.type = OP_MEM;
1195 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1196 c->src.ptr = (unsigned long *)
1197 register_address(c, seg_override_base(ctxt, ops, c),
1198 c->regs[VCPU_REGS_RSI]);
1199 c->src.val = 0;
1200 break;
1201 case SrcImmFAddr:
1202 c->src.type = OP_IMM;
1203 c->src.ptr = (unsigned long *)c->eip;
1204 c->src.bytes = c->op_bytes + 2;
1205 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
1206 break;
1207 case SrcMemFAddr:
1208 c->src.type = OP_MEM;
1209 c->src.ptr = (unsigned long *)c->modrm_ea;
1210 c->src.bytes = c->op_bytes + 2;
1211 break;
1212 }
1213
1214 /*
1215 * Decode and fetch the second source operand: register, memory
1216 * or immediate.
1217 */
1218 switch (c->d & Src2Mask) {
1219 case Src2None:
1220 break;
1221 case Src2CL:
1222 c->src2.bytes = 1;
1223 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
1224 break;
1225 case Src2ImmByte:
1226 c->src2.type = OP_IMM;
1227 c->src2.ptr = (unsigned long *)c->eip;
1228 c->src2.bytes = 1;
1229 c->src2.val = insn_fetch(u8, 1, c->eip);
1230 break;
1231 case Src2One:
1232 c->src2.bytes = 1;
1233 c->src2.val = 1;
1234 break;
1235 }
1236
1237 /* Decode and fetch the destination operand: register or memory. */
1238 switch (c->d & DstMask) {
1239 case ImplicitOps:
1240 /* Special instructions do their own operand decoding. */
1241 return 0;
1242 case DstReg:
1243 decode_register_operand(&c->dst, c,
1244 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
1245 break;
1246 case DstMem:
1247 case DstMem64:
1248 if ((c->d & ModRM) && c->modrm_mod == 3) {
1249 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1250 c->dst.type = OP_REG;
1251 c->dst.val = c->dst.orig_val = c->modrm_val;
1252 c->dst.ptr = c->modrm_ptr;
1253 break;
1254 }
1255 c->dst.type = OP_MEM;
1256 c->dst.ptr = (unsigned long *)c->modrm_ea;
1257 if ((c->d & DstMask) == DstMem64)
1258 c->dst.bytes = 8;
1259 else
1260 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1261 c->dst.val = 0;
1262 if (c->d & BitOp) {
1263 unsigned long mask = ~(c->dst.bytes * 8 - 1);
1264
1265 c->dst.ptr = (void *)c->dst.ptr +
1266 (c->src.val & mask) / 8;
1267 }
1268 break;
1269 case DstAcc:
1270 c->dst.type = OP_REG;
1271 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1272 c->dst.ptr = &c->regs[VCPU_REGS_RAX];
1273 switch (c->dst.bytes) {
1274 case 1:
1275 c->dst.val = *(u8 *)c->dst.ptr;
1276 break;
1277 case 2:
1278 c->dst.val = *(u16 *)c->dst.ptr;
1279 break;
1280 case 4:
1281 c->dst.val = *(u32 *)c->dst.ptr;
1282 break;
1283 case 8:
1284 c->dst.val = *(u64 *)c->dst.ptr;
1285 break;
1286 }
1287 c->dst.orig_val = c->dst.val;
1288 break;
1289 case DstDI:
1290 c->dst.type = OP_MEM;
1291 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1292 c->dst.ptr = (unsigned long *)
1293 register_address(c, es_base(ctxt, ops),
1294 c->regs[VCPU_REGS_RDI]);
1295 c->dst.val = 0;
1296 break;
1297 }
1298
1299 done:
1300 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
1301 }
1302
1303 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1304 struct x86_emulate_ops *ops,
1305 unsigned long addr, void *dest, unsigned size)
1306 {
1307 int rc;
1308 struct read_cache *mc = &ctxt->decode.mem_read;
1309 u32 err;
1310
1311 while (size) {
1312 int n = min(size, 8u);
1313 size -= n;
1314 if (mc->pos < mc->end)
1315 goto read_cached;
1316
1317 rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
1318 ctxt->vcpu);
1319 if (rc == X86EMUL_PROPAGATE_FAULT)
1320 emulate_pf(ctxt, addr, err);
1321 if (rc != X86EMUL_CONTINUE)
1322 return rc;
1323 mc->end += n;
1324
1325 read_cached:
1326 memcpy(dest, mc->data + mc->pos, n);
1327 mc->pos += n;
1328 dest += n;
1329 addr += n;
1330 }
1331 return X86EMUL_CONTINUE;
1332 }
1333
1334 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1335 struct x86_emulate_ops *ops,
1336 unsigned int size, unsigned short port,
1337 void *dest)
1338 {
1339 struct read_cache *rc = &ctxt->decode.io_read;
1340
1341 if (rc->pos == rc->end) { /* refill pio read ahead */
1342 struct decode_cache *c = &ctxt->decode;
1343 unsigned int in_page, n;
1344 unsigned int count = c->rep_prefix ?
1345 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
1346 in_page = (ctxt->eflags & EFLG_DF) ?
1347 offset_in_page(c->regs[VCPU_REGS_RDI]) :
1348 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
1349 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
1350 count);
1351 if (n == 0)
1352 n = 1;
1353 rc->pos = rc->end = 0;
1354 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
1355 return 0;
1356 rc->end = n * size;
1357 }
1358
1359 memcpy(dest, rc->data + rc->pos, size);
1360 rc->pos += size;
1361 return 1;
1362 }
1363
1364 static u32 desc_limit_scaled(struct desc_struct *desc)
1365 {
1366 u32 limit = get_desc_limit(desc);
1367
1368 return desc->g ? (limit << 12) | 0xfff : limit;
1369 }
1370
1371 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1372 struct x86_emulate_ops *ops,
1373 u16 selector, struct desc_ptr *dt)
1374 {
1375 if (selector & 1 << 2) {
1376 struct desc_struct desc;
1377 memset (dt, 0, sizeof *dt);
1378 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
1379 return;
1380
1381 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1382 dt->address = get_desc_base(&desc);
1383 } else
1384 ops->get_gdt(dt, ctxt->vcpu);
1385 }
1386
1387 /* allowed just for 8 bytes segments */
1388 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1389 struct x86_emulate_ops *ops,
1390 u16 selector, struct desc_struct *desc)
1391 {
1392 struct desc_ptr dt;
1393 u16 index = selector >> 3;
1394 int ret;
1395 u32 err;
1396 ulong addr;
1397
1398 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1399
1400 if (dt.size < index * 8 + 7) {
1401 emulate_gp(ctxt, selector & 0xfffc);
1402 return X86EMUL_PROPAGATE_FAULT;
1403 }
1404 addr = dt.address + index * 8;
1405 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1406 if (ret == X86EMUL_PROPAGATE_FAULT)
1407 emulate_pf(ctxt, addr, err);
1408
1409 return ret;
1410 }
1411
1412 /* allowed just for 8 bytes segments */
1413 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1414 struct x86_emulate_ops *ops,
1415 u16 selector, struct desc_struct *desc)
1416 {
1417 struct desc_ptr dt;
1418 u16 index = selector >> 3;
1419 u32 err;
1420 ulong addr;
1421 int ret;
1422
1423 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1424
1425 if (dt.size < index * 8 + 7) {
1426 emulate_gp(ctxt, selector & 0xfffc);
1427 return X86EMUL_PROPAGATE_FAULT;
1428 }
1429
1430 addr = dt.address + index * 8;
1431 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1432 if (ret == X86EMUL_PROPAGATE_FAULT)
1433 emulate_pf(ctxt, addr, err);
1434
1435 return ret;
1436 }
1437
1438 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1439 struct x86_emulate_ops *ops,
1440 u16 selector, int seg)
1441 {
1442 struct desc_struct seg_desc;
1443 u8 dpl, rpl, cpl;
1444 unsigned err_vec = GP_VECTOR;
1445 u32 err_code = 0;
1446 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1447 int ret;
1448
1449 memset(&seg_desc, 0, sizeof seg_desc);
1450
1451 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1452 || ctxt->mode == X86EMUL_MODE_REAL) {
1453 /* set real mode segment descriptor */
1454 set_desc_base(&seg_desc, selector << 4);
1455 set_desc_limit(&seg_desc, 0xffff);
1456 seg_desc.type = 3;
1457 seg_desc.p = 1;
1458 seg_desc.s = 1;
1459 goto load;
1460 }
1461
1462 /* NULL selector is not valid for TR, CS and SS */
1463 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
1464 && null_selector)
1465 goto exception;
1466
1467 /* TR should be in GDT only */
1468 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1469 goto exception;
1470
1471 if (null_selector) /* for NULL selector skip all following checks */
1472 goto load;
1473
1474 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
1475 if (ret != X86EMUL_CONTINUE)
1476 return ret;
1477
1478 err_code = selector & 0xfffc;
1479 err_vec = GP_VECTOR;
1480
1481 /* can't load system descriptor into segment selecor */
1482 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1483 goto exception;
1484
1485 if (!seg_desc.p) {
1486 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1487 goto exception;
1488 }
1489
1490 rpl = selector & 3;
1491 dpl = seg_desc.dpl;
1492 cpl = ops->cpl(ctxt->vcpu);
1493
1494 switch (seg) {
1495 case VCPU_SREG_SS:
1496 /*
1497 * segment is not a writable data segment or segment
1498 * selector's RPL != CPL or segment selector's RPL != CPL
1499 */
1500 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1501 goto exception;
1502 break;
1503 case VCPU_SREG_CS:
1504 if (!(seg_desc.type & 8))
1505 goto exception;
1506
1507 if (seg_desc.type & 4) {
1508 /* conforming */
1509 if (dpl > cpl)
1510 goto exception;
1511 } else {
1512 /* nonconforming */
1513 if (rpl > cpl || dpl != cpl)
1514 goto exception;
1515 }
1516 /* CS(RPL) <- CPL */
1517 selector = (selector & 0xfffc) | cpl;
1518 break;
1519 case VCPU_SREG_TR:
1520 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1521 goto exception;
1522 break;
1523 case VCPU_SREG_LDTR:
1524 if (seg_desc.s || seg_desc.type != 2)
1525 goto exception;
1526 break;
1527 default: /* DS, ES, FS, or GS */
1528 /*
1529 * segment is not a data or readable code segment or
1530 * ((segment is a data or nonconforming code segment)
1531 * and (both RPL and CPL > DPL))
1532 */
1533 if ((seg_desc.type & 0xa) == 0x8 ||
1534 (((seg_desc.type & 0xc) != 0xc) &&
1535 (rpl > dpl && cpl > dpl)))
1536 goto exception;
1537 break;
1538 }
1539
1540 if (seg_desc.s) {
1541 /* mark segment as accessed */
1542 seg_desc.type |= 1;
1543 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1544 if (ret != X86EMUL_CONTINUE)
1545 return ret;
1546 }
1547 load:
1548 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1549 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
1550 return X86EMUL_CONTINUE;
1551 exception:
1552 emulate_exception(ctxt, err_vec, err_code, true);
1553 return X86EMUL_PROPAGATE_FAULT;
1554 }
1555
1556 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1557 struct x86_emulate_ops *ops)
1558 {
1559 int rc;
1560 struct decode_cache *c = &ctxt->decode;
1561 u32 err;
1562
1563 switch (c->dst.type) {
1564 case OP_REG:
1565 /* The 4-byte case *is* correct:
1566 * in 64-bit mode we zero-extend.
1567 */
1568 switch (c->dst.bytes) {
1569 case 1:
1570 *(u8 *)c->dst.ptr = (u8)c->dst.val;
1571 break;
1572 case 2:
1573 *(u16 *)c->dst.ptr = (u16)c->dst.val;
1574 break;
1575 case 4:
1576 *c->dst.ptr = (u32)c->dst.val;
1577 break; /* 64b: zero-ext */
1578 case 8:
1579 *c->dst.ptr = c->dst.val;
1580 break;
1581 }
1582 break;
1583 case OP_MEM:
1584 if (c->lock_prefix)
1585 rc = ops->cmpxchg_emulated(
1586 (unsigned long)c->dst.ptr,
1587 &c->dst.orig_val,
1588 &c->dst.val,
1589 c->dst.bytes,
1590 &err,
1591 ctxt->vcpu);
1592 else
1593 rc = ops->write_emulated(
1594 (unsigned long)c->dst.ptr,
1595 &c->dst.val,
1596 c->dst.bytes,
1597 &err,
1598 ctxt->vcpu);
1599 if (rc == X86EMUL_PROPAGATE_FAULT)
1600 emulate_pf(ctxt,
1601 (unsigned long)c->dst.ptr, err);
1602 if (rc != X86EMUL_CONTINUE)
1603 return rc;
1604 break;
1605 case OP_NONE:
1606 /* no writeback */
1607 break;
1608 default:
1609 break;
1610 }
1611 return X86EMUL_CONTINUE;
1612 }
1613
1614 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1615 struct x86_emulate_ops *ops)
1616 {
1617 struct decode_cache *c = &ctxt->decode;
1618
1619 c->dst.type = OP_MEM;
1620 c->dst.bytes = c->op_bytes;
1621 c->dst.val = c->src.val;
1622 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1623 c->dst.ptr = (void *) register_address(c, ss_base(ctxt, ops),
1624 c->regs[VCPU_REGS_RSP]);
1625 }
1626
1627 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1628 struct x86_emulate_ops *ops,
1629 void *dest, int len)
1630 {
1631 struct decode_cache *c = &ctxt->decode;
1632 int rc;
1633
1634 rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
1635 c->regs[VCPU_REGS_RSP]),
1636 dest, len);
1637 if (rc != X86EMUL_CONTINUE)
1638 return rc;
1639
1640 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1641 return rc;
1642 }
1643
1644 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1645 struct x86_emulate_ops *ops,
1646 void *dest, int len)
1647 {
1648 int rc;
1649 unsigned long val, change_mask;
1650 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1651 int cpl = ops->cpl(ctxt->vcpu);
1652
1653 rc = emulate_pop(ctxt, ops, &val, len);
1654 if (rc != X86EMUL_CONTINUE)
1655 return rc;
1656
1657 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1658 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1659
1660 switch(ctxt->mode) {
1661 case X86EMUL_MODE_PROT64:
1662 case X86EMUL_MODE_PROT32:
1663 case X86EMUL_MODE_PROT16:
1664 if (cpl == 0)
1665 change_mask |= EFLG_IOPL;
1666 if (cpl <= iopl)
1667 change_mask |= EFLG_IF;
1668 break;
1669 case X86EMUL_MODE_VM86:
1670 if (iopl < 3) {
1671 emulate_gp(ctxt, 0);
1672 return X86EMUL_PROPAGATE_FAULT;
1673 }
1674 change_mask |= EFLG_IF;
1675 break;
1676 default: /* real mode */
1677 change_mask |= (EFLG_IOPL | EFLG_IF);
1678 break;
1679 }
1680
1681 *(unsigned long *)dest =
1682 (ctxt->eflags & ~change_mask) | (val & change_mask);
1683
1684 return rc;
1685 }
1686
1687 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1688 struct x86_emulate_ops *ops, int seg)
1689 {
1690 struct decode_cache *c = &ctxt->decode;
1691
1692 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1693
1694 emulate_push(ctxt, ops);
1695 }
1696
1697 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1698 struct x86_emulate_ops *ops, int seg)
1699 {
1700 struct decode_cache *c = &ctxt->decode;
1701 unsigned long selector;
1702 int rc;
1703
1704 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1705 if (rc != X86EMUL_CONTINUE)
1706 return rc;
1707
1708 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1709 return rc;
1710 }
1711
1712 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1713 struct x86_emulate_ops *ops)
1714 {
1715 struct decode_cache *c = &ctxt->decode;
1716 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1717 int rc = X86EMUL_CONTINUE;
1718 int reg = VCPU_REGS_RAX;
1719
1720 while (reg <= VCPU_REGS_RDI) {
1721 (reg == VCPU_REGS_RSP) ?
1722 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1723
1724 emulate_push(ctxt, ops);
1725
1726 rc = writeback(ctxt, ops);
1727 if (rc != X86EMUL_CONTINUE)
1728 return rc;
1729
1730 ++reg;
1731 }
1732
1733 /* Disable writeback. */
1734 c->dst.type = OP_NONE;
1735
1736 return rc;
1737 }
1738
1739 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1740 struct x86_emulate_ops *ops)
1741 {
1742 struct decode_cache *c = &ctxt->decode;
1743 int rc = X86EMUL_CONTINUE;
1744 int reg = VCPU_REGS_RDI;
1745
1746 while (reg >= VCPU_REGS_RAX) {
1747 if (reg == VCPU_REGS_RSP) {
1748 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1749 c->op_bytes);
1750 --reg;
1751 }
1752
1753 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1754 if (rc != X86EMUL_CONTINUE)
1755 break;
1756 --reg;
1757 }
1758 return rc;
1759 }
1760
1761 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1762 struct x86_emulate_ops *ops)
1763 {
1764 struct decode_cache *c = &ctxt->decode;
1765
1766 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1767 }
1768
1769 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1770 {
1771 struct decode_cache *c = &ctxt->decode;
1772 switch (c->modrm_reg) {
1773 case 0: /* rol */
1774 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1775 break;
1776 case 1: /* ror */
1777 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1778 break;
1779 case 2: /* rcl */
1780 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1781 break;
1782 case 3: /* rcr */
1783 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1784 break;
1785 case 4: /* sal/shl */
1786 case 6: /* sal/shl */
1787 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1788 break;
1789 case 5: /* shr */
1790 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1791 break;
1792 case 7: /* sar */
1793 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1794 break;
1795 }
1796 }
1797
1798 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1799 struct x86_emulate_ops *ops)
1800 {
1801 struct decode_cache *c = &ctxt->decode;
1802
1803 switch (c->modrm_reg) {
1804 case 0 ... 1: /* test */
1805 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1806 break;
1807 case 2: /* not */
1808 c->dst.val = ~c->dst.val;
1809 break;
1810 case 3: /* neg */
1811 emulate_1op("neg", c->dst, ctxt->eflags);
1812 break;
1813 default:
1814 return 0;
1815 }
1816 return 1;
1817 }
1818
1819 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1820 struct x86_emulate_ops *ops)
1821 {
1822 struct decode_cache *c = &ctxt->decode;
1823
1824 switch (c->modrm_reg) {
1825 case 0: /* inc */
1826 emulate_1op("inc", c->dst, ctxt->eflags);
1827 break;
1828 case 1: /* dec */
1829 emulate_1op("dec", c->dst, ctxt->eflags);
1830 break;
1831 case 2: /* call near abs */ {
1832 long int old_eip;
1833 old_eip = c->eip;
1834 c->eip = c->src.val;
1835 c->src.val = old_eip;
1836 emulate_push(ctxt, ops);
1837 break;
1838 }
1839 case 4: /* jmp abs */
1840 c->eip = c->src.val;
1841 break;
1842 case 6: /* push */
1843 emulate_push(ctxt, ops);
1844 break;
1845 }
1846 return X86EMUL_CONTINUE;
1847 }
1848
1849 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1850 struct x86_emulate_ops *ops)
1851 {
1852 struct decode_cache *c = &ctxt->decode;
1853 u64 old = c->dst.orig_val;
1854
1855 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1856 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1857
1858 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1859 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1860 ctxt->eflags &= ~EFLG_ZF;
1861 } else {
1862 c->dst.val = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1863 (u32) c->regs[VCPU_REGS_RBX];
1864
1865 ctxt->eflags |= EFLG_ZF;
1866 }
1867 return X86EMUL_CONTINUE;
1868 }
1869
1870 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1871 struct x86_emulate_ops *ops)
1872 {
1873 struct decode_cache *c = &ctxt->decode;
1874 int rc;
1875 unsigned long cs;
1876
1877 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1878 if (rc != X86EMUL_CONTINUE)
1879 return rc;
1880 if (c->op_bytes == 4)
1881 c->eip = (u32)c->eip;
1882 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1883 if (rc != X86EMUL_CONTINUE)
1884 return rc;
1885 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1886 return rc;
1887 }
1888
1889 static inline void
1890 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1891 struct x86_emulate_ops *ops, struct desc_struct *cs,
1892 struct desc_struct *ss)
1893 {
1894 memset(cs, 0, sizeof(struct desc_struct));
1895 ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
1896 memset(ss, 0, sizeof(struct desc_struct));
1897
1898 cs->l = 0; /* will be adjusted later */
1899 set_desc_base(cs, 0); /* flat segment */
1900 cs->g = 1; /* 4kb granularity */
1901 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1902 cs->type = 0x0b; /* Read, Execute, Accessed */
1903 cs->s = 1;
1904 cs->dpl = 0; /* will be adjusted later */
1905 cs->p = 1;
1906 cs->d = 1;
1907
1908 set_desc_base(ss, 0); /* flat segment */
1909 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1910 ss->g = 1; /* 4kb granularity */
1911 ss->s = 1;
1912 ss->type = 0x03; /* Read/Write, Accessed */
1913 ss->d = 1; /* 32bit stack segment */
1914 ss->dpl = 0;
1915 ss->p = 1;
1916 }
1917
1918 static int
1919 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1920 {
1921 struct decode_cache *c = &ctxt->decode;
1922 struct desc_struct cs, ss;
1923 u64 msr_data;
1924 u16 cs_sel, ss_sel;
1925
1926 /* syscall is not available in real mode */
1927 if (ctxt->mode == X86EMUL_MODE_REAL ||
1928 ctxt->mode == X86EMUL_MODE_VM86) {
1929 emulate_ud(ctxt);
1930 return X86EMUL_PROPAGATE_FAULT;
1931 }
1932
1933 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1934
1935 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1936 msr_data >>= 32;
1937 cs_sel = (u16)(msr_data & 0xfffc);
1938 ss_sel = (u16)(msr_data + 8);
1939
1940 if (is_long_mode(ctxt->vcpu)) {
1941 cs.d = 0;
1942 cs.l = 1;
1943 }
1944 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1945 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1946 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1947 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1948
1949 c->regs[VCPU_REGS_RCX] = c->eip;
1950 if (is_long_mode(ctxt->vcpu)) {
1951 #ifdef CONFIG_X86_64
1952 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1953
1954 ops->get_msr(ctxt->vcpu,
1955 ctxt->mode == X86EMUL_MODE_PROT64 ?
1956 MSR_LSTAR : MSR_CSTAR, &msr_data);
1957 c->eip = msr_data;
1958
1959 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1960 ctxt->eflags &= ~(msr_data | EFLG_RF);
1961 #endif
1962 } else {
1963 /* legacy mode */
1964 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1965 c->eip = (u32)msr_data;
1966
1967 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1968 }
1969
1970 return X86EMUL_CONTINUE;
1971 }
1972
1973 static int
1974 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1975 {
1976 struct decode_cache *c = &ctxt->decode;
1977 struct desc_struct cs, ss;
1978 u64 msr_data;
1979 u16 cs_sel, ss_sel;
1980
1981 /* inject #GP if in real mode */
1982 if (ctxt->mode == X86EMUL_MODE_REAL) {
1983 emulate_gp(ctxt, 0);
1984 return X86EMUL_PROPAGATE_FAULT;
1985 }
1986
1987 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1988 * Therefore, we inject an #UD.
1989 */
1990 if (ctxt->mode == X86EMUL_MODE_PROT64) {
1991 emulate_ud(ctxt);
1992 return X86EMUL_PROPAGATE_FAULT;
1993 }
1994
1995 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1996
1997 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1998 switch (ctxt->mode) {
1999 case X86EMUL_MODE_PROT32:
2000 if ((msr_data & 0xfffc) == 0x0) {
2001 emulate_gp(ctxt, 0);
2002 return X86EMUL_PROPAGATE_FAULT;
2003 }
2004 break;
2005 case X86EMUL_MODE_PROT64:
2006 if (msr_data == 0x0) {
2007 emulate_gp(ctxt, 0);
2008 return X86EMUL_PROPAGATE_FAULT;
2009 }
2010 break;
2011 }
2012
2013 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2014 cs_sel = (u16)msr_data;
2015 cs_sel &= ~SELECTOR_RPL_MASK;
2016 ss_sel = cs_sel + 8;
2017 ss_sel &= ~SELECTOR_RPL_MASK;
2018 if (ctxt->mode == X86EMUL_MODE_PROT64
2019 || is_long_mode(ctxt->vcpu)) {
2020 cs.d = 0;
2021 cs.l = 1;
2022 }
2023
2024 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
2025 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
2026 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
2027 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2028
2029 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
2030 c->eip = msr_data;
2031
2032 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
2033 c->regs[VCPU_REGS_RSP] = msr_data;
2034
2035 return X86EMUL_CONTINUE;
2036 }
2037
2038 static int
2039 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2040 {
2041 struct decode_cache *c = &ctxt->decode;
2042 struct desc_struct cs, ss;
2043 u64 msr_data;
2044 int usermode;
2045 u16 cs_sel, ss_sel;
2046
2047 /* inject #GP if in real mode or Virtual 8086 mode */
2048 if (ctxt->mode == X86EMUL_MODE_REAL ||
2049 ctxt->mode == X86EMUL_MODE_VM86) {
2050 emulate_gp(ctxt, 0);
2051 return X86EMUL_PROPAGATE_FAULT;
2052 }
2053
2054 setup_syscalls_segments(ctxt, ops, &cs, &ss);
2055
2056 if ((c->rex_prefix & 0x8) != 0x0)
2057 usermode = X86EMUL_MODE_PROT64;
2058 else
2059 usermode = X86EMUL_MODE_PROT32;
2060
2061 cs.dpl = 3;
2062 ss.dpl = 3;
2063 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
2064 switch (usermode) {
2065 case X86EMUL_MODE_PROT32:
2066 cs_sel = (u16)(msr_data + 16);
2067 if ((msr_data & 0xfffc) == 0x0) {
2068 emulate_gp(ctxt, 0);
2069 return X86EMUL_PROPAGATE_FAULT;
2070 }
2071 ss_sel = (u16)(msr_data + 24);
2072 break;
2073 case X86EMUL_MODE_PROT64:
2074 cs_sel = (u16)(msr_data + 32);
2075 if (msr_data == 0x0) {
2076 emulate_gp(ctxt, 0);
2077 return X86EMUL_PROPAGATE_FAULT;
2078 }
2079 ss_sel = cs_sel + 8;
2080 cs.d = 0;
2081 cs.l = 1;
2082 break;
2083 }
2084 cs_sel |= SELECTOR_RPL_MASK;
2085 ss_sel |= SELECTOR_RPL_MASK;
2086
2087 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
2088 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
2089 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
2090 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2091
2092 c->eip = c->regs[VCPU_REGS_RDX];
2093 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
2094
2095 return X86EMUL_CONTINUE;
2096 }
2097
2098 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
2099 struct x86_emulate_ops *ops)
2100 {
2101 int iopl;
2102 if (ctxt->mode == X86EMUL_MODE_REAL)
2103 return false;
2104 if (ctxt->mode == X86EMUL_MODE_VM86)
2105 return true;
2106 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
2107 return ops->cpl(ctxt->vcpu) > iopl;
2108 }
2109
2110 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2111 struct x86_emulate_ops *ops,
2112 u16 port, u16 len)
2113 {
2114 struct desc_struct tr_seg;
2115 int r;
2116 u16 io_bitmap_ptr;
2117 u8 perm, bit_idx = port & 0x7;
2118 unsigned mask = (1 << len) - 1;
2119
2120 ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
2121 if (!tr_seg.p)
2122 return false;
2123 if (desc_limit_scaled(&tr_seg) < 103)
2124 return false;
2125 r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
2126 ctxt->vcpu, NULL);
2127 if (r != X86EMUL_CONTINUE)
2128 return false;
2129 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2130 return false;
2131 r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
2132 &perm, 1, ctxt->vcpu, NULL);
2133 if (r != X86EMUL_CONTINUE)
2134 return false;
2135 if ((perm >> bit_idx) & mask)
2136 return false;
2137 return true;
2138 }
2139
2140 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2141 struct x86_emulate_ops *ops,
2142 u16 port, u16 len)
2143 {
2144 if (emulator_bad_iopl(ctxt, ops))
2145 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
2146 return false;
2147 return true;
2148 }
2149
2150 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2151 struct x86_emulate_ops *ops,
2152 struct tss_segment_16 *tss)
2153 {
2154 struct decode_cache *c = &ctxt->decode;
2155
2156 tss->ip = c->eip;
2157 tss->flag = ctxt->eflags;
2158 tss->ax = c->regs[VCPU_REGS_RAX];
2159 tss->cx = c->regs[VCPU_REGS_RCX];
2160 tss->dx = c->regs[VCPU_REGS_RDX];
2161 tss->bx = c->regs[VCPU_REGS_RBX];
2162 tss->sp = c->regs[VCPU_REGS_RSP];
2163 tss->bp = c->regs[VCPU_REGS_RBP];
2164 tss->si = c->regs[VCPU_REGS_RSI];
2165 tss->di = c->regs[VCPU_REGS_RDI];
2166
2167 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2168 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2169 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2170 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2171 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2172 }
2173
2174 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2175 struct x86_emulate_ops *ops,
2176 struct tss_segment_16 *tss)
2177 {
2178 struct decode_cache *c = &ctxt->decode;
2179 int ret;
2180
2181 c->eip = tss->ip;
2182 ctxt->eflags = tss->flag | 2;
2183 c->regs[VCPU_REGS_RAX] = tss->ax;
2184 c->regs[VCPU_REGS_RCX] = tss->cx;
2185 c->regs[VCPU_REGS_RDX] = tss->dx;
2186 c->regs[VCPU_REGS_RBX] = tss->bx;
2187 c->regs[VCPU_REGS_RSP] = tss->sp;
2188 c->regs[VCPU_REGS_RBP] = tss->bp;
2189 c->regs[VCPU_REGS_RSI] = tss->si;
2190 c->regs[VCPU_REGS_RDI] = tss->di;
2191
2192 /*
2193 * SDM says that segment selectors are loaded before segment
2194 * descriptors
2195 */
2196 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
2197 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2198 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2199 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2200 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2201
2202 /*
2203 * Now load segment descriptors. If fault happenes at this stage
2204 * it is handled in a context of new task
2205 */
2206 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
2207 if (ret != X86EMUL_CONTINUE)
2208 return ret;
2209 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2210 if (ret != X86EMUL_CONTINUE)
2211 return ret;
2212 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2213 if (ret != X86EMUL_CONTINUE)
2214 return ret;
2215 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2216 if (ret != X86EMUL_CONTINUE)
2217 return ret;
2218 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2219 if (ret != X86EMUL_CONTINUE)
2220 return ret;
2221
2222 return X86EMUL_CONTINUE;
2223 }
2224
2225 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2226 struct x86_emulate_ops *ops,
2227 u16 tss_selector, u16 old_tss_sel,
2228 ulong old_tss_base, struct desc_struct *new_desc)
2229 {
2230 struct tss_segment_16 tss_seg;
2231 int ret;
2232 u32 err, new_tss_base = get_desc_base(new_desc);
2233
2234 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2235 &err);
2236 if (ret == X86EMUL_PROPAGATE_FAULT) {
2237 /* FIXME: need to provide precise fault address */
2238 emulate_pf(ctxt, old_tss_base, err);
2239 return ret;
2240 }
2241
2242 save_state_to_tss16(ctxt, ops, &tss_seg);
2243
2244 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2245 &err);
2246 if (ret == X86EMUL_PROPAGATE_FAULT) {
2247 /* FIXME: need to provide precise fault address */
2248 emulate_pf(ctxt, old_tss_base, err);
2249 return ret;
2250 }
2251
2252 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2253 &err);
2254 if (ret == X86EMUL_PROPAGATE_FAULT) {
2255 /* FIXME: need to provide precise fault address */
2256 emulate_pf(ctxt, new_tss_base, err);
2257 return ret;
2258 }
2259
2260 if (old_tss_sel != 0xffff) {
2261 tss_seg.prev_task_link = old_tss_sel;
2262
2263 ret = ops->write_std(new_tss_base,
2264 &tss_seg.prev_task_link,
2265 sizeof tss_seg.prev_task_link,
2266 ctxt->vcpu, &err);
2267 if (ret == X86EMUL_PROPAGATE_FAULT) {
2268 /* FIXME: need to provide precise fault address */
2269 emulate_pf(ctxt, new_tss_base, err);
2270 return ret;
2271 }
2272 }
2273
2274 return load_state_from_tss16(ctxt, ops, &tss_seg);
2275 }
2276
2277 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2278 struct x86_emulate_ops *ops,
2279 struct tss_segment_32 *tss)
2280 {
2281 struct decode_cache *c = &ctxt->decode;
2282
2283 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
2284 tss->eip = c->eip;
2285 tss->eflags = ctxt->eflags;
2286 tss->eax = c->regs[VCPU_REGS_RAX];
2287 tss->ecx = c->regs[VCPU_REGS_RCX];
2288 tss->edx = c->regs[VCPU_REGS_RDX];
2289 tss->ebx = c->regs[VCPU_REGS_RBX];
2290 tss->esp = c->regs[VCPU_REGS_RSP];
2291 tss->ebp = c->regs[VCPU_REGS_RBP];
2292 tss->esi = c->regs[VCPU_REGS_RSI];
2293 tss->edi = c->regs[VCPU_REGS_RDI];
2294
2295 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2296 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2297 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2298 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2299 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
2300 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
2301 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2302 }
2303
2304 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2305 struct x86_emulate_ops *ops,
2306 struct tss_segment_32 *tss)
2307 {
2308 struct decode_cache *c = &ctxt->decode;
2309 int ret;
2310
2311 if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
2312 emulate_gp(ctxt, 0);
2313 return X86EMUL_PROPAGATE_FAULT;
2314 }
2315 c->eip = tss->eip;
2316 ctxt->eflags = tss->eflags | 2;
2317 c->regs[VCPU_REGS_RAX] = tss->eax;
2318 c->regs[VCPU_REGS_RCX] = tss->ecx;
2319 c->regs[VCPU_REGS_RDX] = tss->edx;
2320 c->regs[VCPU_REGS_RBX] = tss->ebx;
2321 c->regs[VCPU_REGS_RSP] = tss->esp;
2322 c->regs[VCPU_REGS_RBP] = tss->ebp;
2323 c->regs[VCPU_REGS_RSI] = tss->esi;
2324 c->regs[VCPU_REGS_RDI] = tss->edi;
2325
2326 /*
2327 * SDM says that segment selectors are loaded before segment
2328 * descriptors
2329 */
2330 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
2331 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2332 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2333 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2334 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2335 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
2336 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
2337
2338 /*
2339 * Now load segment descriptors. If fault happenes at this stage
2340 * it is handled in a context of new task
2341 */
2342 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
2343 if (ret != X86EMUL_CONTINUE)
2344 return ret;
2345 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2346 if (ret != X86EMUL_CONTINUE)
2347 return ret;
2348 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2349 if (ret != X86EMUL_CONTINUE)
2350 return ret;
2351 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2352 if (ret != X86EMUL_CONTINUE)
2353 return ret;
2354 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2355 if (ret != X86EMUL_CONTINUE)
2356 return ret;
2357 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
2358 if (ret != X86EMUL_CONTINUE)
2359 return ret;
2360 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
2361 if (ret != X86EMUL_CONTINUE)
2362 return ret;
2363
2364 return X86EMUL_CONTINUE;
2365 }
2366
2367 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2368 struct x86_emulate_ops *ops,
2369 u16 tss_selector, u16 old_tss_sel,
2370 ulong old_tss_base, struct desc_struct *new_desc)
2371 {
2372 struct tss_segment_32 tss_seg;
2373 int ret;
2374 u32 err, new_tss_base = get_desc_base(new_desc);
2375
2376 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2377 &err);
2378 if (ret == X86EMUL_PROPAGATE_FAULT) {
2379 /* FIXME: need to provide precise fault address */
2380 emulate_pf(ctxt, old_tss_base, err);
2381 return ret;
2382 }
2383
2384 save_state_to_tss32(ctxt, ops, &tss_seg);
2385
2386 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2387 &err);
2388 if (ret == X86EMUL_PROPAGATE_FAULT) {
2389 /* FIXME: need to provide precise fault address */
2390 emulate_pf(ctxt, old_tss_base, err);
2391 return ret;
2392 }
2393
2394 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2395 &err);
2396 if (ret == X86EMUL_PROPAGATE_FAULT) {
2397 /* FIXME: need to provide precise fault address */
2398 emulate_pf(ctxt, new_tss_base, err);
2399 return ret;
2400 }
2401
2402 if (old_tss_sel != 0xffff) {
2403 tss_seg.prev_task_link = old_tss_sel;
2404
2405 ret = ops->write_std(new_tss_base,
2406 &tss_seg.prev_task_link,
2407 sizeof tss_seg.prev_task_link,
2408 ctxt->vcpu, &err);
2409 if (ret == X86EMUL_PROPAGATE_FAULT) {
2410 /* FIXME: need to provide precise fault address */
2411 emulate_pf(ctxt, new_tss_base, err);
2412 return ret;
2413 }
2414 }
2415
2416 return load_state_from_tss32(ctxt, ops, &tss_seg);
2417 }
2418
2419 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2420 struct x86_emulate_ops *ops,
2421 u16 tss_selector, int reason,
2422 bool has_error_code, u32 error_code)
2423 {
2424 struct desc_struct curr_tss_desc, next_tss_desc;
2425 int ret;
2426 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2427 ulong old_tss_base =
2428 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
2429 u32 desc_limit;
2430
2431 /* FIXME: old_tss_base == ~0 ? */
2432
2433 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2434 if (ret != X86EMUL_CONTINUE)
2435 return ret;
2436 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2437 if (ret != X86EMUL_CONTINUE)
2438 return ret;
2439
2440 /* FIXME: check that next_tss_desc is tss */
2441
2442 if (reason != TASK_SWITCH_IRET) {
2443 if ((tss_selector & 3) > next_tss_desc.dpl ||
2444 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
2445 emulate_gp(ctxt, 0);
2446 return X86EMUL_PROPAGATE_FAULT;
2447 }
2448 }
2449
2450 desc_limit = desc_limit_scaled(&next_tss_desc);
2451 if (!next_tss_desc.p ||
2452 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2453 desc_limit < 0x2b)) {
2454 emulate_ts(ctxt, tss_selector & 0xfffc);
2455 return X86EMUL_PROPAGATE_FAULT;
2456 }
2457
2458 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2459 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2460 write_segment_descriptor(ctxt, ops, old_tss_sel,
2461 &curr_tss_desc);
2462 }
2463
2464 if (reason == TASK_SWITCH_IRET)
2465 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2466
2467 /* set back link to prev task only if NT bit is set in eflags
2468 note that old_tss_sel is not used afetr this point */
2469 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2470 old_tss_sel = 0xffff;
2471
2472 if (next_tss_desc.type & 8)
2473 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2474 old_tss_base, &next_tss_desc);
2475 else
2476 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2477 old_tss_base, &next_tss_desc);
2478 if (ret != X86EMUL_CONTINUE)
2479 return ret;
2480
2481 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2482 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2483
2484 if (reason != TASK_SWITCH_IRET) {
2485 next_tss_desc.type |= (1 << 1); /* set busy flag */
2486 write_segment_descriptor(ctxt, ops, tss_selector,
2487 &next_tss_desc);
2488 }
2489
2490 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2491 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
2492 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2493
2494 if (has_error_code) {
2495 struct decode_cache *c = &ctxt->decode;
2496
2497 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2498 c->lock_prefix = 0;
2499 c->src.val = (unsigned long) error_code;
2500 emulate_push(ctxt, ops);
2501 }
2502
2503 return ret;
2504 }
2505
2506 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2507 struct x86_emulate_ops *ops,
2508 u16 tss_selector, int reason,
2509 bool has_error_code, u32 error_code)
2510 {
2511 struct decode_cache *c = &ctxt->decode;
2512 int rc;
2513
2514 c->eip = ctxt->eip;
2515 c->dst.type = OP_NONE;
2516
2517 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2518 has_error_code, error_code);
2519
2520 if (rc == X86EMUL_CONTINUE) {
2521 rc = writeback(ctxt, ops);
2522 if (rc == X86EMUL_CONTINUE)
2523 ctxt->eip = c->eip;
2524 }
2525
2526 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2527 }
2528
2529 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2530 int reg, struct operand *op)
2531 {
2532 struct decode_cache *c = &ctxt->decode;
2533 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2534
2535 register_address_increment(c, &c->regs[reg], df * op->bytes);
2536 op->ptr = (unsigned long *)register_address(c, base, c->regs[reg]);
2537 }
2538
2539 int
2540 x86_emulate_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2541 {
2542 u64 msr_data;
2543 struct decode_cache *c = &ctxt->decode;
2544 int rc = X86EMUL_CONTINUE;
2545 int saved_dst_type = c->dst.type;
2546
2547 ctxt->decode.mem_read.pos = 0;
2548
2549 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2550 emulate_ud(ctxt);
2551 goto done;
2552 }
2553
2554 /* LOCK prefix is allowed only with some instructions */
2555 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2556 emulate_ud(ctxt);
2557 goto done;
2558 }
2559
2560 /* Privileged instruction can be executed only in CPL=0 */
2561 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2562 emulate_gp(ctxt, 0);
2563 goto done;
2564 }
2565
2566 if (c->rep_prefix && (c->d & String)) {
2567 ctxt->restart = true;
2568 /* All REP prefixes have the same first termination condition */
2569 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2570 string_done:
2571 ctxt->restart = false;
2572 ctxt->eip = c->eip;
2573 goto done;
2574 }
2575 /* The second termination condition only applies for REPE
2576 * and REPNE. Test if the repeat string operation prefix is
2577 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
2578 * corresponding termination condition according to:
2579 * - if REPE/REPZ and ZF = 0 then done
2580 * - if REPNE/REPNZ and ZF = 1 then done
2581 */
2582 if ((c->b == 0xa6) || (c->b == 0xa7) ||
2583 (c->b == 0xae) || (c->b == 0xaf)) {
2584 if ((c->rep_prefix == REPE_PREFIX) &&
2585 ((ctxt->eflags & EFLG_ZF) == 0))
2586 goto string_done;
2587 if ((c->rep_prefix == REPNE_PREFIX) &&
2588 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
2589 goto string_done;
2590 }
2591 c->eip = ctxt->eip;
2592 }
2593
2594 if (c->src.type == OP_MEM) {
2595 rc = read_emulated(ctxt, ops, (unsigned long)c->src.ptr,
2596 c->src.valptr, c->src.bytes);
2597 if (rc != X86EMUL_CONTINUE)
2598 goto done;
2599 c->src.orig_val = c->src.val;
2600 }
2601
2602 if (c->src2.type == OP_MEM) {
2603 rc = read_emulated(ctxt, ops, (unsigned long)c->src2.ptr,
2604 &c->src2.val, c->src2.bytes);
2605 if (rc != X86EMUL_CONTINUE)
2606 goto done;
2607 }
2608
2609 if ((c->d & DstMask) == ImplicitOps)
2610 goto special_insn;
2611
2612
2613 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
2614 /* optimisation - avoid slow emulated read if Mov */
2615 rc = read_emulated(ctxt, ops, (unsigned long)c->dst.ptr,
2616 &c->dst.val, c->dst.bytes);
2617 if (rc != X86EMUL_CONTINUE)
2618 goto done;
2619 }
2620 c->dst.orig_val = c->dst.val;
2621
2622 special_insn:
2623
2624 if (c->twobyte)
2625 goto twobyte_insn;
2626
2627 switch (c->b) {
2628 case 0x00 ... 0x05:
2629 add: /* add */
2630 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2631 break;
2632 case 0x06: /* push es */
2633 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
2634 break;
2635 case 0x07: /* pop es */
2636 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2637 if (rc != X86EMUL_CONTINUE)
2638 goto done;
2639 break;
2640 case 0x08 ... 0x0d:
2641 or: /* or */
2642 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2643 break;
2644 case 0x0e: /* push cs */
2645 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
2646 break;
2647 case 0x10 ... 0x15:
2648 adc: /* adc */
2649 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2650 break;
2651 case 0x16: /* push ss */
2652 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
2653 break;
2654 case 0x17: /* pop ss */
2655 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2656 if (rc != X86EMUL_CONTINUE)
2657 goto done;
2658 break;
2659 case 0x18 ... 0x1d:
2660 sbb: /* sbb */
2661 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2662 break;
2663 case 0x1e: /* push ds */
2664 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
2665 break;
2666 case 0x1f: /* pop ds */
2667 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2668 if (rc != X86EMUL_CONTINUE)
2669 goto done;
2670 break;
2671 case 0x20 ... 0x25:
2672 and: /* and */
2673 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2674 break;
2675 case 0x28 ... 0x2d:
2676 sub: /* sub */
2677 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2678 break;
2679 case 0x30 ... 0x35:
2680 xor: /* xor */
2681 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2682 break;
2683 case 0x38 ... 0x3d:
2684 cmp: /* cmp */
2685 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2686 break;
2687 case 0x40 ... 0x47: /* inc r16/r32 */
2688 emulate_1op("inc", c->dst, ctxt->eflags);
2689 break;
2690 case 0x48 ... 0x4f: /* dec r16/r32 */
2691 emulate_1op("dec", c->dst, ctxt->eflags);
2692 break;
2693 case 0x50 ... 0x57: /* push reg */
2694 emulate_push(ctxt, ops);
2695 break;
2696 case 0x58 ... 0x5f: /* pop reg */
2697 pop_instruction:
2698 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2699 if (rc != X86EMUL_CONTINUE)
2700 goto done;
2701 break;
2702 case 0x60: /* pusha */
2703 rc = emulate_pusha(ctxt, ops);
2704 if (rc != X86EMUL_CONTINUE)
2705 goto done;
2706 break;
2707 case 0x61: /* popa */
2708 rc = emulate_popa(ctxt, ops);
2709 if (rc != X86EMUL_CONTINUE)
2710 goto done;
2711 break;
2712 case 0x63: /* movsxd */
2713 if (ctxt->mode != X86EMUL_MODE_PROT64)
2714 goto cannot_emulate;
2715 c->dst.val = (s32) c->src.val;
2716 break;
2717 case 0x68: /* push imm */
2718 case 0x6a: /* push imm8 */
2719 emulate_push(ctxt, ops);
2720 break;
2721 case 0x6c: /* insb */
2722 case 0x6d: /* insw/insd */
2723 c->dst.bytes = min(c->dst.bytes, 4u);
2724 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2725 c->dst.bytes)) {
2726 emulate_gp(ctxt, 0);
2727 goto done;
2728 }
2729 if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
2730 c->regs[VCPU_REGS_RDX], &c->dst.val))
2731 goto done; /* IO is needed, skip writeback */
2732 break;
2733 case 0x6e: /* outsb */
2734 case 0x6f: /* outsw/outsd */
2735 c->src.bytes = min(c->src.bytes, 4u);
2736 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2737 c->src.bytes)) {
2738 emulate_gp(ctxt, 0);
2739 goto done;
2740 }
2741 ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
2742 &c->src.val, 1, ctxt->vcpu);
2743
2744 c->dst.type = OP_NONE; /* nothing to writeback */
2745 break;
2746 case 0x70 ... 0x7f: /* jcc (short) */
2747 if (test_cc(c->b, ctxt->eflags))
2748 jmp_rel(c, c->src.val);
2749 break;
2750 case 0x80 ... 0x83: /* Grp1 */
2751 switch (c->modrm_reg) {
2752 case 0:
2753 goto add;
2754 case 1:
2755 goto or;
2756 case 2:
2757 goto adc;
2758 case 3:
2759 goto sbb;
2760 case 4:
2761 goto and;
2762 case 5:
2763 goto sub;
2764 case 6:
2765 goto xor;
2766 case 7:
2767 goto cmp;
2768 }
2769 break;
2770 case 0x84 ... 0x85:
2771 test:
2772 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2773 break;
2774 case 0x86 ... 0x87: /* xchg */
2775 xchg:
2776 /* Write back the register source. */
2777 switch (c->dst.bytes) {
2778 case 1:
2779 *(u8 *) c->src.ptr = (u8) c->dst.val;
2780 break;
2781 case 2:
2782 *(u16 *) c->src.ptr = (u16) c->dst.val;
2783 break;
2784 case 4:
2785 *c->src.ptr = (u32) c->dst.val;
2786 break; /* 64b reg: zero-extend */
2787 case 8:
2788 *c->src.ptr = c->dst.val;
2789 break;
2790 }
2791 /*
2792 * Write back the memory destination with implicit LOCK
2793 * prefix.
2794 */
2795 c->dst.val = c->src.val;
2796 c->lock_prefix = 1;
2797 break;
2798 case 0x88 ... 0x8b: /* mov */
2799 goto mov;
2800 case 0x8c: /* mov r/m, sreg */
2801 if (c->modrm_reg > VCPU_SREG_GS) {
2802 emulate_ud(ctxt);
2803 goto done;
2804 }
2805 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
2806 break;
2807 case 0x8d: /* lea r16/r32, m */
2808 c->dst.val = c->modrm_ea;
2809 break;
2810 case 0x8e: { /* mov seg, r/m16 */
2811 uint16_t sel;
2812
2813 sel = c->src.val;
2814
2815 if (c->modrm_reg == VCPU_SREG_CS ||
2816 c->modrm_reg > VCPU_SREG_GS) {
2817 emulate_ud(ctxt);
2818 goto done;
2819 }
2820
2821 if (c->modrm_reg == VCPU_SREG_SS)
2822 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
2823
2824 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
2825
2826 c->dst.type = OP_NONE; /* Disable writeback. */
2827 break;
2828 }
2829 case 0x8f: /* pop (sole member of Grp1a) */
2830 rc = emulate_grp1a(ctxt, ops);
2831 if (rc != X86EMUL_CONTINUE)
2832 goto done;
2833 break;
2834 case 0x90: /* nop / xchg r8,rax */
2835 if (c->dst.ptr == (unsigned long *)&c->regs[VCPU_REGS_RAX]) {
2836 c->dst.type = OP_NONE; /* nop */
2837 break;
2838 }
2839 case 0x91 ... 0x97: /* xchg reg,rax */
2840 c->src.type = OP_REG;
2841 c->src.bytes = c->op_bytes;
2842 c->src.ptr = (unsigned long *) &c->regs[VCPU_REGS_RAX];
2843 c->src.val = *(c->src.ptr);
2844 goto xchg;
2845 case 0x9c: /* pushf */
2846 c->src.val = (unsigned long) ctxt->eflags;
2847 emulate_push(ctxt, ops);
2848 break;
2849 case 0x9d: /* popf */
2850 c->dst.type = OP_REG;
2851 c->dst.ptr = (unsigned long *) &ctxt->eflags;
2852 c->dst.bytes = c->op_bytes;
2853 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
2854 if (rc != X86EMUL_CONTINUE)
2855 goto done;
2856 break;
2857 case 0xa0 ... 0xa1: /* mov */
2858 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
2859 c->dst.val = c->src.val;
2860 break;
2861 case 0xa2 ... 0xa3: /* mov */
2862 c->dst.val = (unsigned long)c->regs[VCPU_REGS_RAX];
2863 break;
2864 case 0xa4 ... 0xa5: /* movs */
2865 goto mov;
2866 case 0xa6 ... 0xa7: /* cmps */
2867 c->dst.type = OP_NONE; /* Disable writeback. */
2868 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.ptr, c->dst.ptr);
2869 goto cmp;
2870 case 0xa8 ... 0xa9: /* test ax, imm */
2871 goto test;
2872 case 0xaa ... 0xab: /* stos */
2873 c->dst.val = c->regs[VCPU_REGS_RAX];
2874 break;
2875 case 0xac ... 0xad: /* lods */
2876 goto mov;
2877 case 0xae ... 0xaf: /* scas */
2878 DPRINTF("Urk! I don't handle SCAS.\n");
2879 goto cannot_emulate;
2880 case 0xb0 ... 0xbf: /* mov r, imm */
2881 goto mov;
2882 case 0xc0 ... 0xc1:
2883 emulate_grp2(ctxt);
2884 break;
2885 case 0xc3: /* ret */
2886 c->dst.type = OP_REG;
2887 c->dst.ptr = &c->eip;
2888 c->dst.bytes = c->op_bytes;
2889 goto pop_instruction;
2890 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
2891 mov:
2892 c->dst.val = c->src.val;
2893 break;
2894 case 0xcb: /* ret far */
2895 rc = emulate_ret_far(ctxt, ops);
2896 if (rc != X86EMUL_CONTINUE)
2897 goto done;
2898 break;
2899 case 0xd0 ... 0xd1: /* Grp2 */
2900 c->src.val = 1;
2901 emulate_grp2(ctxt);
2902 break;
2903 case 0xd2 ... 0xd3: /* Grp2 */
2904 c->src.val = c->regs[VCPU_REGS_RCX];
2905 emulate_grp2(ctxt);
2906 break;
2907 case 0xe4: /* inb */
2908 case 0xe5: /* in */
2909 goto do_io_in;
2910 case 0xe6: /* outb */
2911 case 0xe7: /* out */
2912 goto do_io_out;
2913 case 0xe8: /* call (near) */ {
2914 long int rel = c->src.val;
2915 c->src.val = (unsigned long) c->eip;
2916 jmp_rel(c, rel);
2917 emulate_push(ctxt, ops);
2918 break;
2919 }
2920 case 0xe9: /* jmp rel */
2921 goto jmp;
2922 case 0xea: { /* jmp far */
2923 unsigned short sel;
2924 jump_far:
2925 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
2926
2927 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
2928 goto done;
2929
2930 c->eip = 0;
2931 memcpy(&c->eip, c->src.valptr, c->op_bytes);
2932 break;
2933 }
2934 case 0xeb:
2935 jmp: /* jmp rel short */
2936 jmp_rel(c, c->src.val);
2937 c->dst.type = OP_NONE; /* Disable writeback. */
2938 break;
2939 case 0xec: /* in al,dx */
2940 case 0xed: /* in (e/r)ax,dx */
2941 c->src.val = c->regs[VCPU_REGS_RDX];
2942 do_io_in:
2943 c->dst.bytes = min(c->dst.bytes, 4u);
2944 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
2945 emulate_gp(ctxt, 0);
2946 goto done;
2947 }
2948 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
2949 &c->dst.val))
2950 goto done; /* IO is needed */
2951 break;
2952 case 0xee: /* out dx,al */
2953 case 0xef: /* out dx,(e/r)ax */
2954 c->src.val = c->regs[VCPU_REGS_RDX];
2955 do_io_out:
2956 c->dst.bytes = min(c->dst.bytes, 4u);
2957 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
2958 emulate_gp(ctxt, 0);
2959 goto done;
2960 }
2961 ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
2962 ctxt->vcpu);
2963 c->dst.type = OP_NONE; /* Disable writeback. */
2964 break;
2965 case 0xf4: /* hlt */
2966 ctxt->vcpu->arch.halt_request = 1;
2967 break;
2968 case 0xf5: /* cmc */
2969 /* complement carry flag from eflags reg */
2970 ctxt->eflags ^= EFLG_CF;
2971 c->dst.type = OP_NONE; /* Disable writeback. */
2972 break;
2973 case 0xf6 ... 0xf7: /* Grp3 */
2974 if (!emulate_grp3(ctxt, ops))
2975 goto cannot_emulate;
2976 break;
2977 case 0xf8: /* clc */
2978 ctxt->eflags &= ~EFLG_CF;
2979 c->dst.type = OP_NONE; /* Disable writeback. */
2980 break;
2981 case 0xfa: /* cli */
2982 if (emulator_bad_iopl(ctxt, ops))
2983 emulate_gp(ctxt, 0);
2984 else {
2985 ctxt->eflags &= ~X86_EFLAGS_IF;
2986 c->dst.type = OP_NONE; /* Disable writeback. */
2987 }
2988 break;
2989 case 0xfb: /* sti */
2990 if (emulator_bad_iopl(ctxt, ops))
2991 emulate_gp(ctxt, 0);
2992 else {
2993 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
2994 ctxt->eflags |= X86_EFLAGS_IF;
2995 c->dst.type = OP_NONE; /* Disable writeback. */
2996 }
2997 break;
2998 case 0xfc: /* cld */
2999 ctxt->eflags &= ~EFLG_DF;
3000 c->dst.type = OP_NONE; /* Disable writeback. */
3001 break;
3002 case 0xfd: /* std */
3003 ctxt->eflags |= EFLG_DF;
3004 c->dst.type = OP_NONE; /* Disable writeback. */
3005 break;
3006 case 0xfe: /* Grp4 */
3007 grp45:
3008 rc = emulate_grp45(ctxt, ops);
3009 if (rc != X86EMUL_CONTINUE)
3010 goto done;
3011 break;
3012 case 0xff: /* Grp5 */
3013 if (c->modrm_reg == 5)
3014 goto jump_far;
3015 goto grp45;
3016 }
3017
3018 writeback:
3019 rc = writeback(ctxt, ops);
3020 if (rc != X86EMUL_CONTINUE)
3021 goto done;
3022
3023 /*
3024 * restore dst type in case the decoding will be reused
3025 * (happens for string instruction )
3026 */
3027 c->dst.type = saved_dst_type;
3028
3029 if ((c->d & SrcMask) == SrcSI)
3030 string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
3031 VCPU_REGS_RSI, &c->src);
3032
3033 if ((c->d & DstMask) == DstDI)
3034 string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
3035 &c->dst);
3036
3037 if (c->rep_prefix && (c->d & String)) {
3038 struct read_cache *rc = &ctxt->decode.io_read;
3039 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3040 /*
3041 * Re-enter guest when pio read ahead buffer is empty or,
3042 * if it is not used, after each 1024 iteration.
3043 */
3044 if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
3045 (rc->end != 0 && rc->end == rc->pos))
3046 ctxt->restart = false;
3047 }
3048 /*
3049 * reset read cache here in case string instruction is restared
3050 * without decoding
3051 */
3052 ctxt->decode.mem_read.end = 0;
3053 ctxt->eip = c->eip;
3054
3055 done:
3056 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
3057
3058 twobyte_insn:
3059 switch (c->b) {
3060 case 0x01: /* lgdt, lidt, lmsw */
3061 switch (c->modrm_reg) {
3062 u16 size;
3063 unsigned long address;
3064
3065 case 0: /* vmcall */
3066 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3067 goto cannot_emulate;
3068
3069 rc = kvm_fix_hypercall(ctxt->vcpu);
3070 if (rc != X86EMUL_CONTINUE)
3071 goto done;
3072
3073 /* Let the processor re-execute the fixed hypercall */
3074 c->eip = ctxt->eip;
3075 /* Disable writeback. */
3076 c->dst.type = OP_NONE;
3077 break;
3078 case 2: /* lgdt */
3079 rc = read_descriptor(ctxt, ops, c->src.ptr,
3080 &size, &address, c->op_bytes);
3081 if (rc != X86EMUL_CONTINUE)
3082 goto done;
3083 realmode_lgdt(ctxt->vcpu, size, address);
3084 /* Disable writeback. */
3085 c->dst.type = OP_NONE;
3086 break;
3087 case 3: /* lidt/vmmcall */
3088 if (c->modrm_mod == 3) {
3089 switch (c->modrm_rm) {
3090 case 1:
3091 rc = kvm_fix_hypercall(ctxt->vcpu);
3092 if (rc != X86EMUL_CONTINUE)
3093 goto done;
3094 break;
3095 default:
3096 goto cannot_emulate;
3097 }
3098 } else {
3099 rc = read_descriptor(ctxt, ops, c->src.ptr,
3100 &size, &address,
3101 c->op_bytes);
3102 if (rc != X86EMUL_CONTINUE)
3103 goto done;
3104 realmode_lidt(ctxt->vcpu, size, address);
3105 }
3106 /* Disable writeback. */
3107 c->dst.type = OP_NONE;
3108 break;
3109 case 4: /* smsw */
3110 c->dst.bytes = 2;
3111 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3112 break;
3113 case 6: /* lmsw */
3114 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0ful) |
3115 (c->src.val & 0x0f), ctxt->vcpu);
3116 c->dst.type = OP_NONE;
3117 break;
3118 case 5: /* not defined */
3119 emulate_ud(ctxt);
3120 goto done;
3121 case 7: /* invlpg*/
3122 emulate_invlpg(ctxt->vcpu, c->modrm_ea);
3123 /* Disable writeback. */
3124 c->dst.type = OP_NONE;
3125 break;
3126 default:
3127 goto cannot_emulate;
3128 }
3129 break;
3130 case 0x05: /* syscall */
3131 rc = emulate_syscall(ctxt, ops);
3132 if (rc != X86EMUL_CONTINUE)
3133 goto done;
3134 else
3135 goto writeback;
3136 break;
3137 case 0x06:
3138 emulate_clts(ctxt->vcpu);
3139 c->dst.type = OP_NONE;
3140 break;
3141 case 0x09: /* wbinvd */
3142 kvm_emulate_wbinvd(ctxt->vcpu);
3143 c->dst.type = OP_NONE;
3144 break;
3145 case 0x08: /* invd */
3146 case 0x0d: /* GrpP (prefetch) */
3147 case 0x18: /* Grp16 (prefetch/nop) */
3148 c->dst.type = OP_NONE;
3149 break;
3150 case 0x20: /* mov cr, reg */
3151 switch (c->modrm_reg) {
3152 case 1:
3153 case 5 ... 7:
3154 case 9 ... 15:
3155 emulate_ud(ctxt);
3156 goto done;
3157 }
3158 c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3159 c->dst.type = OP_NONE; /* no writeback */
3160 break;
3161 case 0x21: /* mov from dr to reg */
3162 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3163 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3164 emulate_ud(ctxt);
3165 goto done;
3166 }
3167 ops->get_dr(c->modrm_reg, &c->regs[c->modrm_rm], ctxt->vcpu);
3168 c->dst.type = OP_NONE; /* no writeback */
3169 break;
3170 case 0x22: /* mov reg, cr */
3171 if (ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu)) {
3172 emulate_gp(ctxt, 0);
3173 goto done;
3174 }
3175 c->dst.type = OP_NONE;
3176 break;
3177 case 0x23: /* mov from reg to dr */
3178 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3179 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3180 emulate_ud(ctxt);
3181 goto done;
3182 }
3183
3184 if (ops->set_dr(c->modrm_reg, c->regs[c->modrm_rm] &
3185 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3186 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3187 /* #UD condition is already handled by the code above */
3188 emulate_gp(ctxt, 0);
3189 goto done;
3190 }
3191
3192 c->dst.type = OP_NONE; /* no writeback */
3193 break;
3194 case 0x30:
3195 /* wrmsr */
3196 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3197 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3198 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3199 emulate_gp(ctxt, 0);
3200 goto done;
3201 }
3202 rc = X86EMUL_CONTINUE;
3203 c->dst.type = OP_NONE;
3204 break;
3205 case 0x32:
3206 /* rdmsr */
3207 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3208 emulate_gp(ctxt, 0);
3209 goto done;
3210 } else {
3211 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3212 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3213 }
3214 rc = X86EMUL_CONTINUE;
3215 c->dst.type = OP_NONE;
3216 break;
3217 case 0x34: /* sysenter */
3218 rc = emulate_sysenter(ctxt, ops);
3219 if (rc != X86EMUL_CONTINUE)
3220 goto done;
3221 else
3222 goto writeback;
3223 break;
3224 case 0x35: /* sysexit */
3225 rc = emulate_sysexit(ctxt, ops);
3226 if (rc != X86EMUL_CONTINUE)
3227 goto done;
3228 else
3229 goto writeback;
3230 break;
3231 case 0x40 ... 0x4f: /* cmov */
3232 c->dst.val = c->dst.orig_val = c->src.val;
3233 if (!test_cc(c->b, ctxt->eflags))
3234 c->dst.type = OP_NONE; /* no writeback */
3235 break;
3236 case 0x80 ... 0x8f: /* jnz rel, etc*/
3237 if (test_cc(c->b, ctxt->eflags))
3238 jmp_rel(c, c->src.val);
3239 c->dst.type = OP_NONE;
3240 break;
3241 case 0xa0: /* push fs */
3242 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3243 break;
3244 case 0xa1: /* pop fs */
3245 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3246 if (rc != X86EMUL_CONTINUE)
3247 goto done;
3248 break;
3249 case 0xa3:
3250 bt: /* bt */
3251 c->dst.type = OP_NONE;
3252 /* only subword offset */
3253 c->src.val &= (c->dst.bytes << 3) - 1;
3254 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3255 break;
3256 case 0xa4: /* shld imm8, r, r/m */
3257 case 0xa5: /* shld cl, r, r/m */
3258 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3259 break;
3260 case 0xa8: /* push gs */
3261 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3262 break;
3263 case 0xa9: /* pop gs */
3264 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3265 if (rc != X86EMUL_CONTINUE)
3266 goto done;
3267 break;
3268 case 0xab:
3269 bts: /* bts */
3270 /* only subword offset */
3271 c->src.val &= (c->dst.bytes << 3) - 1;
3272 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3273 break;
3274 case 0xac: /* shrd imm8, r, r/m */
3275 case 0xad: /* shrd cl, r, r/m */
3276 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3277 break;
3278 case 0xae: /* clflush */
3279 break;
3280 case 0xb0 ... 0xb1: /* cmpxchg */
3281 /*
3282 * Save real source value, then compare EAX against
3283 * destination.
3284 */
3285 c->src.orig_val = c->src.val;
3286 c->src.val = c->regs[VCPU_REGS_RAX];
3287 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3288 if (ctxt->eflags & EFLG_ZF) {
3289 /* Success: write back to memory. */
3290 c->dst.val = c->src.orig_val;
3291 } else {
3292 /* Failure: write the value we saw to EAX. */
3293 c->dst.type = OP_REG;
3294 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3295 }
3296 break;
3297 case 0xb3:
3298 btr: /* btr */
3299 /* only subword offset */
3300 c->src.val &= (c->dst.bytes << 3) - 1;
3301 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3302 break;
3303 case 0xb6 ... 0xb7: /* movzx */
3304 c->dst.bytes = c->op_bytes;
3305 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3306 : (u16) c->src.val;
3307 break;
3308 case 0xba: /* Grp8 */
3309 switch (c->modrm_reg & 3) {
3310 case 0:
3311 goto bt;
3312 case 1:
3313 goto bts;
3314 case 2:
3315 goto btr;
3316 case 3:
3317 goto btc;
3318 }
3319 break;
3320 case 0xbb:
3321 btc: /* btc */
3322 /* only subword offset */
3323 c->src.val &= (c->dst.bytes << 3) - 1;
3324 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3325 break;
3326 case 0xbe ... 0xbf: /* movsx */
3327 c->dst.bytes = c->op_bytes;
3328 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3329 (s16) c->src.val;
3330 break;
3331 case 0xc3: /* movnti */
3332 c->dst.bytes = c->op_bytes;
3333 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3334 (u64) c->src.val;
3335 break;
3336 case 0xc7: /* Grp9 (cmpxchg8b) */
3337 rc = emulate_grp9(ctxt, ops);
3338 if (rc != X86EMUL_CONTINUE)
3339 goto done;
3340 break;
3341 }
3342 goto writeback;
3343
3344 cannot_emulate:
3345 DPRINTF("Cannot emulate %02x\n", c->b);
3346 return -1;
3347 }
Linux 2.6 ibm-acpi/thinkpad-acpi driver git tree