search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
GUI: Fix Tomato RAF theme for all builds. Compilation typo.
[tomato.git] / release / src-rt-6.x.4708 / linux / linux-2.6.36 / arch / x86 / kvm / emulate.c
blobc193b29b028354db39d7899a3f4c3866ef837a23
1 /******************************************************************************
2 * emulate.c
3 *
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5 *
6 * Copyright (c) 2005 Keir Fraser
7 *
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
10 *
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affilates.
13 *
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
16 *
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
19 *
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
21 */
22
23 #ifndef __KERNEL__
24 #include <stdio.h>
25 #include <stdint.h>
26 #include <public/xen.h>
27 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
28 #else
29 #include <linux/kvm_host.h>
30 #include "kvm_cache_regs.h"
31 #define DPRINTF(x...) do {} while (0)
32 #endif
33 #include <linux/module.h>
34 #include <asm/kvm_emulate.h>
35
36 #include "x86.h"
37 #include "tss.h"
38
39 /*
40 * Opcode effective-address decode tables.
41 * Note that we only emulate instructions that have at least one memory
42 * operand (excluding implicit stack references). We assume that stack
43 * references and instruction fetches will never occur in special memory
44 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
45 * not be handled.
46 */
47
48 /* Operand sizes: 8-bit operands or specified/overridden size. */
49 #define ByteOp (1<<0) /* 8-bit operands. */
50 /* Destination operand type. */
51 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
52 #define DstReg (2<<1) /* Register operand. */
53 #define DstMem (3<<1) /* Memory operand. */
54 #define DstAcc (4<<1) /* Destination Accumulator */
55 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
56 #define DstMem64 (6<<1) /* 64bit memory operand */
57 #define DstMask (7<<1)
58 /* Source operand type. */
59 #define SrcNone (0<<4) /* No source operand. */
60 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
61 #define SrcReg (1<<4) /* Register operand. */
62 #define SrcMem (2<<4) /* Memory operand. */
63 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
64 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
65 #define SrcImm (5<<4) /* Immediate operand. */
66 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
67 #define SrcOne (7<<4) /* Implied '1' */
68 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
69 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
70 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
71 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
72 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
73 #define SrcAcc (0xd<<4) /* Source Accumulator */
74 #define SrcMask (0xf<<4)
75 /* Generic ModRM decode. */
76 #define ModRM (1<<8)
77 /* Destination is only written; never read. */
78 #define Mov (1<<9)
79 #define BitOp (1<<10)
80 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
81 #define String (1<<12) /* String instruction (rep capable) */
82 #define Stack (1<<13) /* Stack instruction (push/pop) */
83 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
84 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
85 #define GroupMask 0xff /* Group number stored in bits 0:7 */
86 /* Misc flags */
87 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
88 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
89 #define No64 (1<<28)
90 /* Source 2 operand type */
91 #define Src2None (0<<29)
92 #define Src2CL (1<<29)
93 #define Src2ImmByte (2<<29)
94 #define Src2One (3<<29)
95 #define Src2Mask (7<<29)
96
97 enum {
98 Group1_80, Group1_81, Group1_82, Group1_83,
99 Group1A, Group3_Byte, Group3, Group4, Group5, Group7,
100 Group8, Group9,
101 };
102
103 static u32 opcode_table[256] = {
104 /* 0x00 - 0x07 */
105 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
106 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
107 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
108 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
109 /* 0x08 - 0x0F */
110 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
111 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
112 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
113 ImplicitOps | Stack | No64, 0,
114 /* 0x10 - 0x17 */
115 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
116 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
117 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
118 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
119 /* 0x18 - 0x1F */
120 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
121 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
122 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
123 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
124 /* 0x20 - 0x27 */
125 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
126 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
127 ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
128 /* 0x28 - 0x2F */
129 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
130 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
131 ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
132 /* 0x30 - 0x37 */
133 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
134 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
135 ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
136 /* 0x38 - 0x3F */
137 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
138 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
139 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
140 0, 0,
141 /* 0x40 - 0x47 */
142 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
143 /* 0x48 - 0x4F */
144 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
145 /* 0x50 - 0x57 */
146 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
147 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
148 /* 0x58 - 0x5F */
149 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
150 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
151 /* 0x60 - 0x67 */
152 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
153 0, DstReg | SrcMem32 | ModRM | Mov /* movsxd (x86/64) */ ,
154 0, 0, 0, 0,
155 /* 0x68 - 0x6F */
156 SrcImm | Mov | Stack, 0, SrcImmByte | Mov | Stack, 0,
157 DstDI | ByteOp | Mov | String, DstDI | Mov | String, /* insb, insw/insd */
158 SrcSI | ByteOp | ImplicitOps | String, SrcSI | ImplicitOps | String, /* outsb, outsw/outsd */
159 /* 0x70 - 0x77 */
160 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
161 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
162 /* 0x78 - 0x7F */
163 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
164 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
165 /* 0x80 - 0x87 */
166 Group | Group1_80, Group | Group1_81,
167 Group | Group1_82, Group | Group1_83,
168 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
169 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
170 /* 0x88 - 0x8F */
171 ByteOp | DstMem | SrcReg | ModRM | Mov, DstMem | SrcReg | ModRM | Mov,
172 ByteOp | DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
173 DstMem | SrcNone | ModRM | Mov, ModRM | DstReg,
174 ImplicitOps | SrcMem16 | ModRM, Group | Group1A,
175 /* 0x90 - 0x97 */
176 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
177 /* 0x98 - 0x9F */
178 0, 0, SrcImmFAddr | No64, 0,
179 ImplicitOps | Stack, ImplicitOps | Stack, 0, 0,
180 /* 0xA0 - 0xA7 */
181 ByteOp | DstAcc | SrcMem | Mov | MemAbs, DstAcc | SrcMem | Mov | MemAbs,
182 ByteOp | DstMem | SrcAcc | Mov | MemAbs, DstMem | SrcAcc | Mov | MemAbs,
183 ByteOp | SrcSI | DstDI | Mov | String, SrcSI | DstDI | Mov | String,
184 ByteOp | SrcSI | DstDI | String, SrcSI | DstDI | String,
185 /* 0xA8 - 0xAF */
186 DstAcc | SrcImmByte | ByteOp, DstAcc | SrcImm, ByteOp | DstDI | Mov | String, DstDI | Mov | String,
187 ByteOp | SrcSI | DstAcc | Mov | String, SrcSI | DstAcc | Mov | String,
188 ByteOp | DstDI | String, DstDI | String,
189 /* 0xB0 - 0xB7 */
190 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
191 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
192 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
193 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
194 /* 0xB8 - 0xBF */
195 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
196 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
197 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
198 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
199 /* 0xC0 - 0xC7 */
200 ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM,
201 0, ImplicitOps | Stack, 0, 0,
202 ByteOp | DstMem | SrcImm | ModRM | Mov, DstMem | SrcImm | ModRM | Mov,
203 /* 0xC8 - 0xCF */
204 0, 0, 0, ImplicitOps | Stack,
205 ImplicitOps, SrcImmByte, ImplicitOps | No64, ImplicitOps,
206 /* 0xD0 - 0xD7 */
207 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
208 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
209 0, 0, 0, 0,
210 /* 0xD8 - 0xDF */
211 0, 0, 0, 0, 0, 0, 0, 0,
212 /* 0xE0 - 0xE7 */
213 0, 0, 0, 0,
214 ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
215 ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
216 /* 0xE8 - 0xEF */
217 SrcImm | Stack, SrcImm | ImplicitOps,
218 SrcImmFAddr | No64, SrcImmByte | ImplicitOps,
219 SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
220 SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
221 /* 0xF0 - 0xF7 */
222 0, 0, 0, 0,
223 ImplicitOps | Priv, ImplicitOps, Group | Group3_Byte, Group | Group3,
224 /* 0xF8 - 0xFF */
225 ImplicitOps, 0, ImplicitOps, ImplicitOps,
226 ImplicitOps, ImplicitOps, Group | Group4, Group | Group5,
227 };
228
229 static u32 twobyte_table[256] = {
230 /* 0x00 - 0x0F */
231 0, Group | GroupDual | Group7, 0, 0,
232 0, ImplicitOps, ImplicitOps | Priv, 0,
233 ImplicitOps | Priv, ImplicitOps | Priv, 0, 0,
234 0, ImplicitOps | ModRM, 0, 0,
235 /* 0x10 - 0x1F */
236 0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0,
237 /* 0x20 - 0x2F */
238 ModRM | ImplicitOps | Priv, ModRM | Priv,
239 ModRM | ImplicitOps | Priv, ModRM | Priv,
240 0, 0, 0, 0,
241 0, 0, 0, 0, 0, 0, 0, 0,
242 /* 0x30 - 0x3F */
243 ImplicitOps | Priv, 0, ImplicitOps | Priv, 0,
244 ImplicitOps, ImplicitOps | Priv, 0, 0,
245 0, 0, 0, 0, 0, 0, 0, 0,
246 /* 0x40 - 0x47 */
247 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
248 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
249 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
250 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
251 /* 0x48 - 0x4F */
252 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
253 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
254 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
255 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
256 /* 0x50 - 0x5F */
257 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
258 /* 0x60 - 0x6F */
259 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
260 /* 0x70 - 0x7F */
261 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
262 /* 0x80 - 0x8F */
263 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
264 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
265 /* 0x90 - 0x9F */
266 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
267 /* 0xA0 - 0xA7 */
268 ImplicitOps | Stack, ImplicitOps | Stack,
269 0, DstMem | SrcReg | ModRM | BitOp,
270 DstMem | SrcReg | Src2ImmByte | ModRM,
271 DstMem | SrcReg | Src2CL | ModRM, 0, 0,
272 /* 0xA8 - 0xAF */
273 ImplicitOps | Stack, ImplicitOps | Stack,
274 0, DstMem | SrcReg | ModRM | BitOp | Lock,
275 DstMem | SrcReg | Src2ImmByte | ModRM,
276 DstMem | SrcReg | Src2CL | ModRM,
277 ModRM, 0,
278 /* 0xB0 - 0xB7 */
279 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
280 0, DstMem | SrcReg | ModRM | BitOp | Lock,
281 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
282 DstReg | SrcMem16 | ModRM | Mov,
283 /* 0xB8 - 0xBF */
284 0, 0,
285 Group | Group8, DstMem | SrcReg | ModRM | BitOp | Lock,
286 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
287 DstReg | SrcMem16 | ModRM | Mov,
288 /* 0xC0 - 0xCF */
289 0, 0, 0, DstMem | SrcReg | ModRM | Mov,
290 0, 0, 0, Group | GroupDual | Group9,
291 0, 0, 0, 0, 0, 0, 0, 0,
292 /* 0xD0 - 0xDF */
293 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
294 /* 0xE0 - 0xEF */
295 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
296 /* 0xF0 - 0xFF */
297 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
298 };
299
300 static u32 group_table[] = {
301 [Group1_80*8] =
302 ByteOp | DstMem | SrcImm | ModRM | Lock,
303 ByteOp | DstMem | SrcImm | ModRM | Lock,
304 ByteOp | DstMem | SrcImm | ModRM | Lock,
305 ByteOp | DstMem | SrcImm | ModRM | Lock,
306 ByteOp | DstMem | SrcImm | ModRM | Lock,
307 ByteOp | DstMem | SrcImm | ModRM | Lock,
308 ByteOp | DstMem | SrcImm | ModRM | Lock,
309 ByteOp | DstMem | SrcImm | ModRM,
310 [Group1_81*8] =
311 DstMem | SrcImm | ModRM | Lock,
312 DstMem | SrcImm | ModRM | Lock,
313 DstMem | SrcImm | ModRM | Lock,
314 DstMem | SrcImm | ModRM | Lock,
315 DstMem | SrcImm | ModRM | Lock,
316 DstMem | SrcImm | ModRM | Lock,
317 DstMem | SrcImm | ModRM | Lock,
318 DstMem | SrcImm | ModRM,
319 [Group1_82*8] =
320 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
321 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
322 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
323 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
324 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
325 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
326 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
327 ByteOp | DstMem | SrcImm | ModRM | No64,
328 [Group1_83*8] =
329 DstMem | SrcImmByte | ModRM | Lock,
330 DstMem | SrcImmByte | ModRM | Lock,
331 DstMem | SrcImmByte | ModRM | Lock,
332 DstMem | SrcImmByte | ModRM | Lock,
333 DstMem | SrcImmByte | ModRM | Lock,
334 DstMem | SrcImmByte | ModRM | Lock,
335 DstMem | SrcImmByte | ModRM | Lock,
336 DstMem | SrcImmByte | ModRM,
337 [Group1A*8] =
338 DstMem | SrcNone | ModRM | Mov | Stack, 0, 0, 0, 0, 0, 0, 0,
339 [Group3_Byte*8] =
340 ByteOp | SrcImm | DstMem | ModRM, ByteOp | SrcImm | DstMem | ModRM,
341 ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
342 0, 0, 0, 0,
343 [Group3*8] =
344 DstMem | SrcImm | ModRM, DstMem | SrcImm | ModRM,
345 DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
346 0, 0, 0, 0,
347 [Group4*8] =
348 ByteOp | DstMem | SrcNone | ModRM | Lock, ByteOp | DstMem | SrcNone | ModRM | Lock,
349 0, 0, 0, 0, 0, 0,
350 [Group5*8] =
351 DstMem | SrcNone | ModRM | Lock, DstMem | SrcNone | ModRM | Lock,
352 SrcMem | ModRM | Stack, 0,
353 SrcMem | ModRM | Stack, SrcMemFAddr | ModRM | ImplicitOps,
354 SrcMem | ModRM | Stack, 0,
355 [Group7*8] =
356 0, 0, ModRM | SrcMem | Priv, ModRM | SrcMem | Priv,
357 SrcNone | ModRM | DstMem | Mov, 0,
358 SrcMem16 | ModRM | Mov | Priv, SrcMem | ModRM | ByteOp | Priv,
359 [Group8*8] =
360 0, 0, 0, 0,
361 DstMem | SrcImmByte | ModRM, DstMem | SrcImmByte | ModRM | Lock,
362 DstMem | SrcImmByte | ModRM | Lock, DstMem | SrcImmByte | ModRM | Lock,
363 [Group9*8] =
364 0, DstMem64 | ModRM | Lock, 0, 0, 0, 0, 0, 0,
365 };
366
367 static u32 group2_table[] = {
368 [Group7*8] =
369 SrcNone | ModRM | Priv, 0, 0, SrcNone | ModRM | Priv,
370 SrcNone | ModRM | DstMem | Mov, 0,
371 SrcMem16 | ModRM | Mov | Priv, 0,
372 [Group9*8] =
373 0, 0, 0, 0, 0, 0, 0, 0,
374 };
375
376 /* EFLAGS bit definitions. */
377 #define EFLG_ID (1<<21)
378 #define EFLG_VIP (1<<20)
379 #define EFLG_VIF (1<<19)
380 #define EFLG_AC (1<<18)
381 #define EFLG_VM (1<<17)
382 #define EFLG_RF (1<<16)
383 #define EFLG_IOPL (3<<12)
384 #define EFLG_NT (1<<14)
385 #define EFLG_OF (1<<11)
386 #define EFLG_DF (1<<10)
387 #define EFLG_IF (1<<9)
388 #define EFLG_TF (1<<8)
389 #define EFLG_SF (1<<7)
390 #define EFLG_ZF (1<<6)
391 #define EFLG_AF (1<<4)
392 #define EFLG_PF (1<<2)
393 #define EFLG_CF (1<<0)
394
395 /*
396 * Instruction emulation:
397 * Most instructions are emulated directly via a fragment of inline assembly
398 * code. This allows us to save/restore EFLAGS and thus very easily pick up
399 * any modified flags.
400 */
401
402 #if defined(CONFIG_X86_64)
403 #define _LO32 "k" /* force 32-bit operand */
404 #define _STK "%%rsp" /* stack pointer */
405 #elif defined(__i386__)
406 #define _LO32 "" /* force 32-bit operand */
407 #define _STK "%%esp" /* stack pointer */
408 #endif
409
410 /*
411 * These EFLAGS bits are restored from saved value during emulation, and
412 * any changes are written back to the saved value after emulation.
413 */
414 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
415
416 /* Before executing instruction: restore necessary bits in EFLAGS. */
417 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
418 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
419 "movl %"_sav",%"_LO32 _tmp"; " \
420 "push %"_tmp"; " \
421 "push %"_tmp"; " \
422 "movl %"_msk",%"_LO32 _tmp"; " \
423 "andl %"_LO32 _tmp",("_STK"); " \
424 "pushf; " \
425 "notl %"_LO32 _tmp"; " \
426 "andl %"_LO32 _tmp",("_STK"); " \
427 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
428 "pop %"_tmp"; " \
429 "orl %"_LO32 _tmp",("_STK"); " \
430 "popf; " \
431 "pop %"_sav"; "
432
433 /* After executing instruction: write-back necessary bits in EFLAGS. */
434 #define _POST_EFLAGS(_sav, _msk, _tmp) \
435 /* _sav |= EFLAGS & _msk; */ \
436 "pushf; " \
437 "pop %"_tmp"; " \
438 "andl %"_msk",%"_LO32 _tmp"; " \
439 "orl %"_LO32 _tmp",%"_sav"; "
440
441 #ifdef CONFIG_X86_64
442 #define ON64(x) x
443 #else
444 #define ON64(x)
445 #endif
446
447 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
448 do { \
449 __asm__ __volatile__ ( \
450 _PRE_EFLAGS("0", "4", "2") \
451 _op _suffix " %"_x"3,%1; " \
452 _POST_EFLAGS("0", "4", "2") \
453 : "=m" (_eflags), "=m" ((_dst).val), \
454 "=&r" (_tmp) \
455 : _y ((_src).val), "i" (EFLAGS_MASK)); \
456 } while (0)
457
458
459 /* Raw emulation: instruction has two explicit operands. */
460 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
461 do { \
462 unsigned long _tmp; \
463 \
464 switch ((_dst).bytes) { \
465 case 2: \
466 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
467 break; \
468 case 4: \
469 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
470 break; \
471 case 8: \
472 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
473 break; \
474 } \
475 } while (0)
476
477 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
478 do { \
479 unsigned long _tmp; \
480 switch ((_dst).bytes) { \
481 case 1: \
482 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
483 break; \
484 default: \
485 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
486 _wx, _wy, _lx, _ly, _qx, _qy); \
487 break; \
488 } \
489 } while (0)
490
491 /* Source operand is byte-sized and may be restricted to just %cl. */
492 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
493 __emulate_2op(_op, _src, _dst, _eflags, \
494 "b", "c", "b", "c", "b", "c", "b", "c")
495
496 /* Source operand is byte, word, long or quad sized. */
497 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
498 __emulate_2op(_op, _src, _dst, _eflags, \
499 "b", "q", "w", "r", _LO32, "r", "", "r")
500
501 /* Source operand is word, long or quad sized. */
502 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
503 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
504 "w", "r", _LO32, "r", "", "r")
505
506 /* Instruction has three operands and one operand is stored in ECX register */
507 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
508 do { \
509 unsigned long _tmp; \
510 _type _clv = (_cl).val; \
511 _type _srcv = (_src).val; \
512 _type _dstv = (_dst).val; \
513 \
514 __asm__ __volatile__ ( \
515 _PRE_EFLAGS("0", "5", "2") \
516 _op _suffix " %4,%1 \n" \
517 _POST_EFLAGS("0", "5", "2") \
518 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
519 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
520 ); \
521 \
522 (_cl).val = (unsigned long) _clv; \
523 (_src).val = (unsigned long) _srcv; \
524 (_dst).val = (unsigned long) _dstv; \
525 } while (0)
526
527 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
528 do { \
529 switch ((_dst).bytes) { \
530 case 2: \
531 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
532 "w", unsigned short); \
533 break; \
534 case 4: \
535 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
536 "l", unsigned int); \
537 break; \
538 case 8: \
539 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
540 "q", unsigned long)); \
541 break; \
542 } \
543 } while (0)
544
545 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
546 do { \
547 unsigned long _tmp; \
548 \
549 __asm__ __volatile__ ( \
550 _PRE_EFLAGS("0", "3", "2") \
551 _op _suffix " %1; " \
552 _POST_EFLAGS("0", "3", "2") \
553 : "=m" (_eflags), "+m" ((_dst).val), \
554 "=&r" (_tmp) \
555 : "i" (EFLAGS_MASK)); \
556 } while (0)
557
558 /* Instruction has only one explicit operand (no source operand). */
559 #define emulate_1op(_op, _dst, _eflags) \
560 do { \
561 switch ((_dst).bytes) { \
562 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
563 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
564 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
565 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
566 } \
567 } while (0)
568
569 /* Fetch next part of the instruction being emulated. */
570 #define insn_fetch(_type, _size, _eip) \
571 ({ unsigned long _x; \
572 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
573 if (rc != X86EMUL_CONTINUE) \
574 goto done; \
575 (_eip) += (_size); \
576 (_type)_x; \
577 })
578
579 #define insn_fetch_arr(_arr, _size, _eip) \
580 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
581 if (rc != X86EMUL_CONTINUE) \
582 goto done; \
583 (_eip) += (_size); \
584 })
585
586 static inline unsigned long ad_mask(struct decode_cache *c)
587 {
588 return (1UL << (c->ad_bytes << 3)) - 1;
589 }
590
591 /* Access/update address held in a register, based on addressing mode. */
592 static inline unsigned long
593 address_mask(struct decode_cache *c, unsigned long reg)
594 {
595 if (c->ad_bytes == sizeof(unsigned long))
596 return reg;
597 else
598 return reg & ad_mask(c);
599 }
600
601 static inline unsigned long
602 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
603 {
604 return base + address_mask(c, reg);
605 }
606
607 static inline void
608 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
609 {
610 if (c->ad_bytes == sizeof(unsigned long))
611 *reg += inc;
612 else
613 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
614 }
615
616 static inline void jmp_rel(struct decode_cache *c, int rel)
617 {
618 register_address_increment(c, &c->eip, rel);
619 }
620
621 static void set_seg_override(struct decode_cache *c, int seg)
622 {
623 c->has_seg_override = true;
624 c->seg_override = seg;
625 }
626
627 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
628 struct x86_emulate_ops *ops, int seg)
629 {
630 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
631 return 0;
632
633 return ops->get_cached_segment_base(seg, ctxt->vcpu);
634 }
635
636 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
637 struct x86_emulate_ops *ops,
638 struct decode_cache *c)
639 {
640 if (!c->has_seg_override)
641 return 0;
642
643 return seg_base(ctxt, ops, c->seg_override);
644 }
645
646 static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
647 struct x86_emulate_ops *ops)
648 {
649 return seg_base(ctxt, ops, VCPU_SREG_ES);
650 }
651
652 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
653 struct x86_emulate_ops *ops)
654 {
655 return seg_base(ctxt, ops, VCPU_SREG_SS);
656 }
657
658 static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
659 u32 error, bool valid)
660 {
661 ctxt->exception = vec;
662 ctxt->error_code = error;
663 ctxt->error_code_valid = valid;
664 ctxt->restart = false;
665 }
666
667 static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
668 {
669 emulate_exception(ctxt, GP_VECTOR, err, true);
670 }
671
672 static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
673 int err)
674 {
675 ctxt->cr2 = addr;
676 emulate_exception(ctxt, PF_VECTOR, err, true);
677 }
678
679 static void emulate_ud(struct x86_emulate_ctxt *ctxt)
680 {
681 emulate_exception(ctxt, UD_VECTOR, 0, false);
682 }
683
684 static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
685 {
686 emulate_exception(ctxt, TS_VECTOR, err, true);
687 }
688
689 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
690 struct x86_emulate_ops *ops,
691 unsigned long eip, u8 *dest)
692 {
693 struct fetch_cache *fc = &ctxt->decode.fetch;
694 int rc;
695 int size, cur_size;
696
697 if (eip == fc->end) {
698 cur_size = fc->end - fc->start;
699 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
700 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
701 size, ctxt->vcpu, NULL);
702 if (rc != X86EMUL_CONTINUE)
703 return rc;
704 fc->end += size;
705 }
706 *dest = fc->data[eip - fc->start];
707 return X86EMUL_CONTINUE;
708 }
709
710 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
711 struct x86_emulate_ops *ops,
712 unsigned long eip, void *dest, unsigned size)
713 {
714 int rc;
715
716 /* x86 instructions are limited to 15 bytes. */
717 if (eip + size - ctxt->eip > 15)
718 return X86EMUL_UNHANDLEABLE;
719 while (size--) {
720 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
721 if (rc != X86EMUL_CONTINUE)
722 return rc;
723 }
724 return X86EMUL_CONTINUE;
725 }
726
727 /*
728 * Given the 'reg' portion of a ModRM byte, and a register block, return a
729 * pointer into the block that addresses the relevant register.
730 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
731 */
732 static void *decode_register(u8 modrm_reg, unsigned long *regs,
733 int highbyte_regs)
734 {
735 void *p;
736
737 p = &regs[modrm_reg];
738 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
739 p = (unsigned char *)&regs[modrm_reg & 3] + 1;
740 return p;
741 }
742
743 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
744 struct x86_emulate_ops *ops,
745 void *ptr,
746 u16 *size, unsigned long *address, int op_bytes)
747 {
748 int rc;
749
750 if (op_bytes == 2)
751 op_bytes = 3;
752 *address = 0;
753 rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
754 ctxt->vcpu, NULL);
755 if (rc != X86EMUL_CONTINUE)
756 return rc;
757 rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
758 ctxt->vcpu, NULL);
759 return rc;
760 }
761
762 static int test_cc(unsigned int condition, unsigned int flags)
763 {
764 int rc = 0;
765
766 switch ((condition & 15) >> 1) {
767 case 0: /* o */
768 rc |= (flags & EFLG_OF);
769 break;
770 case 1: /* b/c/nae */
771 rc |= (flags & EFLG_CF);
772 break;
773 case 2: /* z/e */
774 rc |= (flags & EFLG_ZF);
775 break;
776 case 3: /* be/na */
777 rc |= (flags & (EFLG_CF|EFLG_ZF));
778 break;
779 case 4: /* s */
780 rc |= (flags & EFLG_SF);
781 break;
782 case 5: /* p/pe */
783 rc |= (flags & EFLG_PF);
784 break;
785 case 7: /* le/ng */
786 rc |= (flags & EFLG_ZF);
787 /* fall through */
788 case 6: /* l/nge */
789 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
790 break;
791 }
792
793 /* Odd condition identifiers (lsb == 1) have inverted sense. */
794 return (!!rc ^ (condition & 1));
795 }
796
797 static void decode_register_operand(struct operand *op,
798 struct decode_cache *c,
799 int inhibit_bytereg)
800 {
801 unsigned reg = c->modrm_reg;
802 int highbyte_regs = c->rex_prefix == 0;
803
804 if (!(c->d & ModRM))
805 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
806 op->type = OP_REG;
807 if ((c->d & ByteOp) && !inhibit_bytereg) {
808 op->ptr = decode_register(reg, c->regs, highbyte_regs);
809 op->val = *(u8 *)op->ptr;
810 op->bytes = 1;
811 } else {
812 op->ptr = decode_register(reg, c->regs, 0);
813 op->bytes = c->op_bytes;
814 switch (op->bytes) {
815 case 2:
816 op->val = *(u16 *)op->ptr;
817 break;
818 case 4:
819 op->val = *(u32 *)op->ptr;
820 break;
821 case 8:
822 op->val = *(u64 *) op->ptr;
823 break;
824 }
825 }
826 op->orig_val = op->val;
827 }
828
829 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
830 struct x86_emulate_ops *ops)
831 {
832 struct decode_cache *c = &ctxt->decode;
833 u8 sib;
834 int index_reg = 0, base_reg = 0, scale;
835 int rc = X86EMUL_CONTINUE;
836
837 if (c->rex_prefix) {
838 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
839 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
840 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
841 }
842
843 c->modrm = insn_fetch(u8, 1, c->eip);
844 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
845 c->modrm_reg |= (c->modrm & 0x38) >> 3;
846 c->modrm_rm |= (c->modrm & 0x07);
847 c->modrm_ea = 0;
848 c->use_modrm_ea = 1;
849
850 if (c->modrm_mod == 3) {
851 c->modrm_ptr = decode_register(c->modrm_rm,
852 c->regs, c->d & ByteOp);
853 c->modrm_val = *(unsigned long *)c->modrm_ptr;
854 return rc;
855 }
856
857 if (c->ad_bytes == 2) {
858 unsigned bx = c->regs[VCPU_REGS_RBX];
859 unsigned bp = c->regs[VCPU_REGS_RBP];
860 unsigned si = c->regs[VCPU_REGS_RSI];
861 unsigned di = c->regs[VCPU_REGS_RDI];
862
863 /* 16-bit ModR/M decode. */
864 switch (c->modrm_mod) {
865 case 0:
866 if (c->modrm_rm == 6)
867 c->modrm_ea += insn_fetch(u16, 2, c->eip);
868 break;
869 case 1:
870 c->modrm_ea += insn_fetch(s8, 1, c->eip);
871 break;
872 case 2:
873 c->modrm_ea += insn_fetch(u16, 2, c->eip);
874 break;
875 }
876 switch (c->modrm_rm) {
877 case 0:
878 c->modrm_ea += bx + si;
879 break;
880 case 1:
881 c->modrm_ea += bx + di;
882 break;
883 case 2:
884 c->modrm_ea += bp + si;
885 break;
886 case 3:
887 c->modrm_ea += bp + di;
888 break;
889 case 4:
890 c->modrm_ea += si;
891 break;
892 case 5:
893 c->modrm_ea += di;
894 break;
895 case 6:
896 if (c->modrm_mod != 0)
897 c->modrm_ea += bp;
898 break;
899 case 7:
900 c->modrm_ea += bx;
901 break;
902 }
903 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
904 (c->modrm_rm == 6 && c->modrm_mod != 0))
905 if (!c->has_seg_override)
906 set_seg_override(c, VCPU_SREG_SS);
907 c->modrm_ea = (u16)c->modrm_ea;
908 } else {
909 /* 32/64-bit ModR/M decode. */
910 if ((c->modrm_rm & 7) == 4) {
911 sib = insn_fetch(u8, 1, c->eip);
912 index_reg |= (sib >> 3) & 7;
913 base_reg |= sib & 7;
914 scale = sib >> 6;
915
916 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
917 c->modrm_ea += insn_fetch(s32, 4, c->eip);
918 else
919 c->modrm_ea += c->regs[base_reg];
920 if (index_reg != 4)
921 c->modrm_ea += c->regs[index_reg] << scale;
922 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
923 if (ctxt->mode == X86EMUL_MODE_PROT64)
924 c->rip_relative = 1;
925 } else
926 c->modrm_ea += c->regs[c->modrm_rm];
927 switch (c->modrm_mod) {
928 case 0:
929 if (c->modrm_rm == 5)
930 c->modrm_ea += insn_fetch(s32, 4, c->eip);
931 break;
932 case 1:
933 c->modrm_ea += insn_fetch(s8, 1, c->eip);
934 break;
935 case 2:
936 c->modrm_ea += insn_fetch(s32, 4, c->eip);
937 break;
938 }
939 }
940 done:
941 return rc;
942 }
943
944 static int decode_abs(struct x86_emulate_ctxt *ctxt,
945 struct x86_emulate_ops *ops)
946 {
947 struct decode_cache *c = &ctxt->decode;
948 int rc = X86EMUL_CONTINUE;
949
950 switch (c->ad_bytes) {
951 case 2:
952 c->modrm_ea = insn_fetch(u16, 2, c->eip);
953 break;
954 case 4:
955 c->modrm_ea = insn_fetch(u32, 4, c->eip);
956 break;
957 case 8:
958 c->modrm_ea = insn_fetch(u64, 8, c->eip);
959 break;
960 }
961 done:
962 return rc;
963 }
964
965 int
966 x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
967 {
968 struct decode_cache *c = &ctxt->decode;
969 int rc = X86EMUL_CONTINUE;
970 int mode = ctxt->mode;
971 int def_op_bytes, def_ad_bytes, group;
972
973
974 /* we cannot decode insn before we complete previous rep insn */
975 WARN_ON(ctxt->restart);
976
977 c->eip = ctxt->eip;
978 c->fetch.start = c->fetch.end = c->eip;
979 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
980
981 switch (mode) {
982 case X86EMUL_MODE_REAL:
983 case X86EMUL_MODE_VM86:
984 case X86EMUL_MODE_PROT16:
985 def_op_bytes = def_ad_bytes = 2;
986 break;
987 case X86EMUL_MODE_PROT32:
988 def_op_bytes = def_ad_bytes = 4;
989 break;
990 #ifdef CONFIG_X86_64
991 case X86EMUL_MODE_PROT64:
992 def_op_bytes = 4;
993 def_ad_bytes = 8;
994 break;
995 #endif
996 default:
997 return -1;
998 }
999
1000 c->op_bytes = def_op_bytes;
1001 c->ad_bytes = def_ad_bytes;
1002
1003 /* Legacy prefixes. */
1004 for (;;) {
1005 switch (c->b = insn_fetch(u8, 1, c->eip)) {
1006 case 0x66: /* operand-size override */
1007 /* switch between 2/4 bytes */
1008 c->op_bytes = def_op_bytes ^ 6;
1009 break;
1010 case 0x67: /* address-size override */
1011 if (mode == X86EMUL_MODE_PROT64)
1012 /* switch between 4/8 bytes */
1013 c->ad_bytes = def_ad_bytes ^ 12;
1014 else
1015 /* switch between 2/4 bytes */
1016 c->ad_bytes = def_ad_bytes ^ 6;
1017 break;
1018 case 0x26: /* ES override */
1019 case 0x2e: /* CS override */
1020 case 0x36: /* SS override */
1021 case 0x3e: /* DS override */
1022 set_seg_override(c, (c->b >> 3) & 3);
1023 break;
1024 case 0x64: /* FS override */
1025 case 0x65: /* GS override */
1026 set_seg_override(c, c->b & 7);
1027 break;
1028 case 0x40 ... 0x4f: /* REX */
1029 if (mode != X86EMUL_MODE_PROT64)
1030 goto done_prefixes;
1031 c->rex_prefix = c->b;
1032 continue;
1033 case 0xf0: /* LOCK */
1034 c->lock_prefix = 1;
1035 break;
1036 case 0xf2: /* REPNE/REPNZ */
1037 c->rep_prefix = REPNE_PREFIX;
1038 break;
1039 case 0xf3: /* REP/REPE/REPZ */
1040 c->rep_prefix = REPE_PREFIX;
1041 break;
1042 default:
1043 goto done_prefixes;
1044 }
1045
1046 /* Any legacy prefix after a REX prefix nullifies its effect. */
1047
1048 c->rex_prefix = 0;
1049 }
1050
1051 done_prefixes:
1052
1053 /* REX prefix. */
1054 if (c->rex_prefix)
1055 if (c->rex_prefix & 8)
1056 c->op_bytes = 8; /* REX.W */
1057
1058 /* Opcode byte(s). */
1059 c->d = opcode_table[c->b];
1060 if (c->d == 0) {
1061 /* Two-byte opcode? */
1062 if (c->b == 0x0f) {
1063 c->twobyte = 1;
1064 c->b = insn_fetch(u8, 1, c->eip);
1065 c->d = twobyte_table[c->b];
1066 }
1067 }
1068
1069 if (c->d & Group) {
1070 group = c->d & GroupMask;
1071 c->modrm = insn_fetch(u8, 1, c->eip);
1072 --c->eip;
1073
1074 group = (group << 3) + ((c->modrm >> 3) & 7);
1075 if ((c->d & GroupDual) && (c->modrm >> 6) == 3)
1076 c->d = group2_table[group];
1077 else
1078 c->d = group_table[group];
1079 }
1080
1081 /* Unrecognised? */
1082 if (c->d == 0) {
1083 DPRINTF("Cannot emulate %02x\n", c->b);
1084 return -1;
1085 }
1086
1087 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
1088 c->op_bytes = 8;
1089
1090 /* ModRM and SIB bytes. */
1091 if (c->d & ModRM)
1092 rc = decode_modrm(ctxt, ops);
1093 else if (c->d & MemAbs)
1094 rc = decode_abs(ctxt, ops);
1095 if (rc != X86EMUL_CONTINUE)
1096 goto done;
1097
1098 if (!c->has_seg_override)
1099 set_seg_override(c, VCPU_SREG_DS);
1100
1101 if (!(!c->twobyte && c->b == 0x8d))
1102 c->modrm_ea += seg_override_base(ctxt, ops, c);
1103
1104 if (c->ad_bytes != 8)
1105 c->modrm_ea = (u32)c->modrm_ea;
1106
1107 if (c->rip_relative)
1108 c->modrm_ea += c->eip;
1109
1110 /*
1111 * Decode and fetch the source operand: register, memory
1112 * or immediate.
1113 */
1114 switch (c->d & SrcMask) {
1115 case SrcNone:
1116 break;
1117 case SrcReg:
1118 decode_register_operand(&c->src, c, 0);
1119 break;
1120 case SrcMem16:
1121 c->src.bytes = 2;
1122 goto srcmem_common;
1123 case SrcMem32:
1124 c->src.bytes = 4;
1125 goto srcmem_common;
1126 case SrcMem:
1127 c->src.bytes = (c->d & ByteOp) ? 1 :
1128 c->op_bytes;
1129 /* Don't fetch the address for invlpg: it could be unmapped. */
1130 if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
1131 break;
1132 srcmem_common:
1133 /*
1134 * For instructions with a ModR/M byte, switch to register
1135 * access if Mod = 3.
1136 */
1137 if ((c->d & ModRM) && c->modrm_mod == 3) {
1138 c->src.type = OP_REG;
1139 c->src.val = c->modrm_val;
1140 c->src.ptr = c->modrm_ptr;
1141 break;
1142 }
1143 c->src.type = OP_MEM;
1144 c->src.ptr = (unsigned long *)c->modrm_ea;
1145 c->src.val = 0;
1146 break;
1147 case SrcImm:
1148 case SrcImmU:
1149 c->src.type = OP_IMM;
1150 c->src.ptr = (unsigned long *)c->eip;
1151 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1152 if (c->src.bytes == 8)
1153 c->src.bytes = 4;
1154 /* NB. Immediates are sign-extended as necessary. */
1155 switch (c->src.bytes) {
1156 case 1:
1157 c->src.val = insn_fetch(s8, 1, c->eip);
1158 break;
1159 case 2:
1160 c->src.val = insn_fetch(s16, 2, c->eip);
1161 break;
1162 case 4:
1163 c->src.val = insn_fetch(s32, 4, c->eip);
1164 break;
1165 }
1166 if ((c->d & SrcMask) == SrcImmU) {
1167 switch (c->src.bytes) {
1168 case 1:
1169 c->src.val &= 0xff;
1170 break;
1171 case 2:
1172 c->src.val &= 0xffff;
1173 break;
1174 case 4:
1175 c->src.val &= 0xffffffff;
1176 break;
1177 }
1178 }
1179 break;
1180 case SrcImmByte:
1181 case SrcImmUByte:
1182 c->src.type = OP_IMM;
1183 c->src.ptr = (unsigned long *)c->eip;
1184 c->src.bytes = 1;
1185 if ((c->d & SrcMask) == SrcImmByte)
1186 c->src.val = insn_fetch(s8, 1, c->eip);
1187 else
1188 c->src.val = insn_fetch(u8, 1, c->eip);
1189 break;
1190 case SrcAcc:
1191 c->src.type = OP_REG;
1192 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1193 c->src.ptr = &c->regs[VCPU_REGS_RAX];
1194 switch (c->src.bytes) {
1195 case 1:
1196 c->src.val = *(u8 *)c->src.ptr;
1197 break;
1198 case 2:
1199 c->src.val = *(u16 *)c->src.ptr;
1200 break;
1201 case 4:
1202 c->src.val = *(u32 *)c->src.ptr;
1203 break;
1204 case 8:
1205 c->src.val = *(u64 *)c->src.ptr;
1206 break;
1207 }
1208 break;
1209 case SrcOne:
1210 c->src.bytes = 1;
1211 c->src.val = 1;
1212 break;
1213 case SrcSI:
1214 c->src.type = OP_MEM;
1215 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1216 c->src.ptr = (unsigned long *)
1217 register_address(c, seg_override_base(ctxt, ops, c),
1218 c->regs[VCPU_REGS_RSI]);
1219 c->src.val = 0;
1220 break;
1221 case SrcImmFAddr:
1222 c->src.type = OP_IMM;
1223 c->src.ptr = (unsigned long *)c->eip;
1224 c->src.bytes = c->op_bytes + 2;
1225 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
1226 break;
1227 case SrcMemFAddr:
1228 c->src.type = OP_MEM;
1229 c->src.ptr = (unsigned long *)c->modrm_ea;
1230 c->src.bytes = c->op_bytes + 2;
1231 break;
1232 }
1233
1234 /*
1235 * Decode and fetch the second source operand: register, memory
1236 * or immediate.
1237 */
1238 switch (c->d & Src2Mask) {
1239 case Src2None:
1240 break;
1241 case Src2CL:
1242 c->src2.bytes = 1;
1243 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
1244 break;
1245 case Src2ImmByte:
1246 c->src2.type = OP_IMM;
1247 c->src2.ptr = (unsigned long *)c->eip;
1248 c->src2.bytes = 1;
1249 c->src2.val = insn_fetch(u8, 1, c->eip);
1250 break;
1251 case Src2One:
1252 c->src2.bytes = 1;
1253 c->src2.val = 1;
1254 break;
1255 }
1256
1257 /* Decode and fetch the destination operand: register or memory. */
1258 switch (c->d & DstMask) {
1259 case ImplicitOps:
1260 /* Special instructions do their own operand decoding. */
1261 return 0;
1262 case DstReg:
1263 decode_register_operand(&c->dst, c,
1264 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
1265 break;
1266 case DstMem:
1267 case DstMem64:
1268 if ((c->d & ModRM) && c->modrm_mod == 3) {
1269 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1270 c->dst.type = OP_REG;
1271 c->dst.val = c->dst.orig_val = c->modrm_val;
1272 c->dst.ptr = c->modrm_ptr;
1273 break;
1274 }
1275 c->dst.type = OP_MEM;
1276 c->dst.ptr = (unsigned long *)c->modrm_ea;
1277 if ((c->d & DstMask) == DstMem64)
1278 c->dst.bytes = 8;
1279 else
1280 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1281 c->dst.val = 0;
1282 if (c->d & BitOp) {
1283 unsigned long mask = ~(c->dst.bytes * 8 - 1);
1284
1285 c->dst.ptr = (void *)c->dst.ptr +
1286 (c->src.val & mask) / 8;
1287 }
1288 break;
1289 case DstAcc:
1290 c->dst.type = OP_REG;
1291 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1292 c->dst.ptr = &c->regs[VCPU_REGS_RAX];
1293 switch (c->dst.bytes) {
1294 case 1:
1295 c->dst.val = *(u8 *)c->dst.ptr;
1296 break;
1297 case 2:
1298 c->dst.val = *(u16 *)c->dst.ptr;
1299 break;
1300 case 4:
1301 c->dst.val = *(u32 *)c->dst.ptr;
1302 break;
1303 case 8:
1304 c->dst.val = *(u64 *)c->dst.ptr;
1305 break;
1306 }
1307 c->dst.orig_val = c->dst.val;
1308 break;
1309 case DstDI:
1310 c->dst.type = OP_MEM;
1311 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1312 c->dst.ptr = (unsigned long *)
1313 register_address(c, es_base(ctxt, ops),
1314 c->regs[VCPU_REGS_RDI]);
1315 c->dst.val = 0;
1316 break;
1317 }
1318
1319 done:
1320 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
1321 }
1322
1323 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1324 struct x86_emulate_ops *ops,
1325 unsigned long addr, void *dest, unsigned size)
1326 {
1327 int rc;
1328 struct read_cache *mc = &ctxt->decode.mem_read;
1329 u32 err;
1330
1331 while (size) {
1332 int n = min(size, 8u);
1333 size -= n;
1334 if (mc->pos < mc->end)
1335 goto read_cached;
1336
1337 rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
1338 ctxt->vcpu);
1339 if (rc == X86EMUL_PROPAGATE_FAULT)
1340 emulate_pf(ctxt, addr, err);
1341 if (rc != X86EMUL_CONTINUE)
1342 return rc;
1343 mc->end += n;
1344
1345 read_cached:
1346 memcpy(dest, mc->data + mc->pos, n);
1347 mc->pos += n;
1348 dest += n;
1349 addr += n;
1350 }
1351 return X86EMUL_CONTINUE;
1352 }
1353
1354 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1355 struct x86_emulate_ops *ops,
1356 unsigned int size, unsigned short port,
1357 void *dest)
1358 {
1359 struct read_cache *rc = &ctxt->decode.io_read;
1360
1361 if (rc->pos == rc->end) { /* refill pio read ahead */
1362 struct decode_cache *c = &ctxt->decode;
1363 unsigned int in_page, n;
1364 unsigned int count = c->rep_prefix ?
1365 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
1366 in_page = (ctxt->eflags & EFLG_DF) ?
1367 offset_in_page(c->regs[VCPU_REGS_RDI]) :
1368 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
1369 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
1370 count);
1371 if (n == 0)
1372 n = 1;
1373 rc->pos = rc->end = 0;
1374 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
1375 return 0;
1376 rc->end = n * size;
1377 }
1378
1379 memcpy(dest, rc->data + rc->pos, size);
1380 rc->pos += size;
1381 return 1;
1382 }
1383
1384 static u32 desc_limit_scaled(struct desc_struct *desc)
1385 {
1386 u32 limit = get_desc_limit(desc);
1387
1388 return desc->g ? (limit << 12) | 0xfff : limit;
1389 }
1390
1391 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1392 struct x86_emulate_ops *ops,
1393 u16 selector, struct desc_ptr *dt)
1394 {
1395 if (selector & 1 << 2) {
1396 struct desc_struct desc;
1397 memset (dt, 0, sizeof *dt);
1398 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
1399 return;
1400
1401 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1402 dt->address = get_desc_base(&desc);
1403 } else
1404 ops->get_gdt(dt, ctxt->vcpu);
1405 }
1406
1407 /* allowed just for 8 bytes segments */
1408 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1409 struct x86_emulate_ops *ops,
1410 u16 selector, struct desc_struct *desc)
1411 {
1412 struct desc_ptr dt;
1413 u16 index = selector >> 3;
1414 int ret;
1415 u32 err;
1416 ulong addr;
1417
1418 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1419
1420 if (dt.size < index * 8 + 7) {
1421 emulate_gp(ctxt, selector & 0xfffc);
1422 return X86EMUL_PROPAGATE_FAULT;
1423 }
1424 addr = dt.address + index * 8;
1425 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1426 if (ret == X86EMUL_PROPAGATE_FAULT)
1427 emulate_pf(ctxt, addr, err);
1428
1429 return ret;
1430 }
1431
1432 /* allowed just for 8 bytes segments */
1433 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1434 struct x86_emulate_ops *ops,
1435 u16 selector, struct desc_struct *desc)
1436 {
1437 struct desc_ptr dt;
1438 u16 index = selector >> 3;
1439 u32 err;
1440 ulong addr;
1441 int ret;
1442
1443 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1444
1445 if (dt.size < index * 8 + 7) {
1446 emulate_gp(ctxt, selector & 0xfffc);
1447 return X86EMUL_PROPAGATE_FAULT;
1448 }
1449
1450 addr = dt.address + index * 8;
1451 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1452 if (ret == X86EMUL_PROPAGATE_FAULT)
1453 emulate_pf(ctxt, addr, err);
1454
1455 return ret;
1456 }
1457
1458 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1459 struct x86_emulate_ops *ops,
1460 u16 selector, int seg)
1461 {
1462 struct desc_struct seg_desc;
1463 u8 dpl, rpl, cpl;
1464 unsigned err_vec = GP_VECTOR;
1465 u32 err_code = 0;
1466 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1467 int ret;
1468
1469 memset(&seg_desc, 0, sizeof seg_desc);
1470
1471 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1472 || ctxt->mode == X86EMUL_MODE_REAL) {
1473 /* set real mode segment descriptor */
1474 set_desc_base(&seg_desc, selector << 4);
1475 set_desc_limit(&seg_desc, 0xffff);
1476 seg_desc.type = 3;
1477 seg_desc.p = 1;
1478 seg_desc.s = 1;
1479 goto load;
1480 }
1481
1482 /* NULL selector is not valid for TR, CS and SS */
1483 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
1484 && null_selector)
1485 goto exception;
1486
1487 /* TR should be in GDT only */
1488 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1489 goto exception;
1490
1491 if (null_selector) /* for NULL selector skip all following checks */
1492 goto load;
1493
1494 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
1495 if (ret != X86EMUL_CONTINUE)
1496 return ret;
1497
1498 err_code = selector & 0xfffc;
1499 err_vec = GP_VECTOR;
1500
1501 /* can't load system descriptor into segment selecor */
1502 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1503 goto exception;
1504
1505 if (!seg_desc.p) {
1506 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1507 goto exception;
1508 }
1509
1510 rpl = selector & 3;
1511 dpl = seg_desc.dpl;
1512 cpl = ops->cpl(ctxt->vcpu);
1513
1514 switch (seg) {
1515 case VCPU_SREG_SS:
1516 /*
1517 * segment is not a writable data segment or segment
1518 * selector's RPL != CPL or segment selector's RPL != CPL
1519 */
1520 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1521 goto exception;
1522 break;
1523 case VCPU_SREG_CS:
1524 if (!(seg_desc.type & 8))
1525 goto exception;
1526
1527 if (seg_desc.type & 4) {
1528 /* conforming */
1529 if (dpl > cpl)
1530 goto exception;
1531 } else {
1532 /* nonconforming */
1533 if (rpl > cpl || dpl != cpl)
1534 goto exception;
1535 }
1536 /* CS(RPL) <- CPL */
1537 selector = (selector & 0xfffc) | cpl;
1538 break;
1539 case VCPU_SREG_TR:
1540 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1541 goto exception;
1542 break;
1543 case VCPU_SREG_LDTR:
1544 if (seg_desc.s || seg_desc.type != 2)
1545 goto exception;
1546 break;
1547 default: /* DS, ES, FS, or GS */
1548 /*
1549 * segment is not a data or readable code segment or
1550 * ((segment is a data or nonconforming code segment)
1551 * and (both RPL and CPL > DPL))
1552 */
1553 if ((seg_desc.type & 0xa) == 0x8 ||
1554 (((seg_desc.type & 0xc) != 0xc) &&
1555 (rpl > dpl && cpl > dpl)))
1556 goto exception;
1557 break;
1558 }
1559
1560 if (seg_desc.s) {
1561 /* mark segment as accessed */
1562 seg_desc.type |= 1;
1563 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1564 if (ret != X86EMUL_CONTINUE)
1565 return ret;
1566 }
1567 load:
1568 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1569 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
1570 return X86EMUL_CONTINUE;
1571 exception:
1572 emulate_exception(ctxt, err_vec, err_code, true);
1573 return X86EMUL_PROPAGATE_FAULT;
1574 }
1575
1576 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1577 struct x86_emulate_ops *ops)
1578 {
1579 int rc;
1580 struct decode_cache *c = &ctxt->decode;
1581 u32 err;
1582
1583 switch (c->dst.type) {
1584 case OP_REG:
1585 /* The 4-byte case *is* correct:
1586 * in 64-bit mode we zero-extend.
1587 */
1588 switch (c->dst.bytes) {
1589 case 1:
1590 *(u8 *)c->dst.ptr = (u8)c->dst.val;
1591 break;
1592 case 2:
1593 *(u16 *)c->dst.ptr = (u16)c->dst.val;
1594 break;
1595 case 4:
1596 *c->dst.ptr = (u32)c->dst.val;
1597 break; /* 64b: zero-ext */
1598 case 8:
1599 *c->dst.ptr = c->dst.val;
1600 break;
1601 }
1602 break;
1603 case OP_MEM:
1604 if (c->lock_prefix)
1605 rc = ops->cmpxchg_emulated(
1606 (unsigned long)c->dst.ptr,
1607 &c->dst.orig_val,
1608 &c->dst.val,
1609 c->dst.bytes,
1610 &err,
1611 ctxt->vcpu);
1612 else
1613 rc = ops->write_emulated(
1614 (unsigned long)c->dst.ptr,
1615 &c->dst.val,
1616 c->dst.bytes,
1617 &err,
1618 ctxt->vcpu);
1619 if (rc == X86EMUL_PROPAGATE_FAULT)
1620 emulate_pf(ctxt,
1621 (unsigned long)c->dst.ptr, err);
1622 if (rc != X86EMUL_CONTINUE)
1623 return rc;
1624 break;
1625 case OP_NONE:
1626 /* no writeback */
1627 break;
1628 default:
1629 break;
1630 }
1631 return X86EMUL_CONTINUE;
1632 }
1633
1634 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1635 struct x86_emulate_ops *ops)
1636 {
1637 struct decode_cache *c = &ctxt->decode;
1638
1639 c->dst.type = OP_MEM;
1640 c->dst.bytes = c->op_bytes;
1641 c->dst.val = c->src.val;
1642 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1643 c->dst.ptr = (void *) register_address(c, ss_base(ctxt, ops),
1644 c->regs[VCPU_REGS_RSP]);
1645 }
1646
1647 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1648 struct x86_emulate_ops *ops,
1649 void *dest, int len)
1650 {
1651 struct decode_cache *c = &ctxt->decode;
1652 int rc;
1653
1654 rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
1655 c->regs[VCPU_REGS_RSP]),
1656 dest, len);
1657 if (rc != X86EMUL_CONTINUE)
1658 return rc;
1659
1660 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1661 return rc;
1662 }
1663
1664 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1665 struct x86_emulate_ops *ops,
1666 void *dest, int len)
1667 {
1668 int rc;
1669 unsigned long val, change_mask;
1670 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1671 int cpl = ops->cpl(ctxt->vcpu);
1672
1673 rc = emulate_pop(ctxt, ops, &val, len);
1674 if (rc != X86EMUL_CONTINUE)
1675 return rc;
1676
1677 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1678 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1679
1680 switch(ctxt->mode) {
1681 case X86EMUL_MODE_PROT64:
1682 case X86EMUL_MODE_PROT32:
1683 case X86EMUL_MODE_PROT16:
1684 if (cpl == 0)
1685 change_mask |= EFLG_IOPL;
1686 if (cpl <= iopl)
1687 change_mask |= EFLG_IF;
1688 break;
1689 case X86EMUL_MODE_VM86:
1690 if (iopl < 3) {
1691 emulate_gp(ctxt, 0);
1692 return X86EMUL_PROPAGATE_FAULT;
1693 }
1694 change_mask |= EFLG_IF;
1695 break;
1696 default: /* real mode */
1697 change_mask |= (EFLG_IOPL | EFLG_IF);
1698 break;
1699 }
1700
1701 *(unsigned long *)dest =
1702 (ctxt->eflags & ~change_mask) | (val & change_mask);
1703
1704 return rc;
1705 }
1706
1707 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1708 struct x86_emulate_ops *ops, int seg)
1709 {
1710 struct decode_cache *c = &ctxt->decode;
1711
1712 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1713
1714 emulate_push(ctxt, ops);
1715 }
1716
1717 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1718 struct x86_emulate_ops *ops, int seg)
1719 {
1720 struct decode_cache *c = &ctxt->decode;
1721 unsigned long selector;
1722 int rc;
1723
1724 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1725 if (rc != X86EMUL_CONTINUE)
1726 return rc;
1727
1728 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1729 return rc;
1730 }
1731
1732 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1733 struct x86_emulate_ops *ops)
1734 {
1735 struct decode_cache *c = &ctxt->decode;
1736 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1737 int rc = X86EMUL_CONTINUE;
1738 int reg = VCPU_REGS_RAX;
1739
1740 while (reg <= VCPU_REGS_RDI) {
1741 (reg == VCPU_REGS_RSP) ?
1742 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1743
1744 emulate_push(ctxt, ops);
1745
1746 rc = writeback(ctxt, ops);
1747 if (rc != X86EMUL_CONTINUE)
1748 return rc;
1749
1750 ++reg;
1751 }
1752
1753 /* Disable writeback. */
1754 c->dst.type = OP_NONE;
1755
1756 return rc;
1757 }
1758
1759 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1760 struct x86_emulate_ops *ops)
1761 {
1762 struct decode_cache *c = &ctxt->decode;
1763 int rc = X86EMUL_CONTINUE;
1764 int reg = VCPU_REGS_RDI;
1765
1766 while (reg >= VCPU_REGS_RAX) {
1767 if (reg == VCPU_REGS_RSP) {
1768 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1769 c->op_bytes);
1770 --reg;
1771 }
1772
1773 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1774 if (rc != X86EMUL_CONTINUE)
1775 break;
1776 --reg;
1777 }
1778 return rc;
1779 }
1780
1781 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1782 struct x86_emulate_ops *ops)
1783 {
1784 struct decode_cache *c = &ctxt->decode;
1785
1786 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1787 }
1788
1789 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1790 {
1791 struct decode_cache *c = &ctxt->decode;
1792 switch (c->modrm_reg) {
1793 case 0: /* rol */
1794 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1795 break;
1796 case 1: /* ror */
1797 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1798 break;
1799 case 2: /* rcl */
1800 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1801 break;
1802 case 3: /* rcr */
1803 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1804 break;
1805 case 4: /* sal/shl */
1806 case 6: /* sal/shl */
1807 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1808 break;
1809 case 5: /* shr */
1810 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1811 break;
1812 case 7: /* sar */
1813 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1814 break;
1815 }
1816 }
1817
1818 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1819 struct x86_emulate_ops *ops)
1820 {
1821 struct decode_cache *c = &ctxt->decode;
1822
1823 switch (c->modrm_reg) {
1824 case 0 ... 1: /* test */
1825 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1826 break;
1827 case 2: /* not */
1828 c->dst.val = ~c->dst.val;
1829 break;
1830 case 3: /* neg */
1831 emulate_1op("neg", c->dst, ctxt->eflags);
1832 break;
1833 default:
1834 return 0;
1835 }
1836 return 1;
1837 }
1838
1839 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1840 struct x86_emulate_ops *ops)
1841 {
1842 struct decode_cache *c = &ctxt->decode;
1843
1844 switch (c->modrm_reg) {
1845 case 0: /* inc */
1846 emulate_1op("inc", c->dst, ctxt->eflags);
1847 break;
1848 case 1: /* dec */
1849 emulate_1op("dec", c->dst, ctxt->eflags);
1850 break;
1851 case 2: /* call near abs */ {
1852 long int old_eip;
1853 old_eip = c->eip;
1854 c->eip = c->src.val;
1855 c->src.val = old_eip;
1856 emulate_push(ctxt, ops);
1857 break;
1858 }
1859 case 4: /* jmp abs */
1860 c->eip = c->src.val;
1861 break;
1862 case 6: /* push */
1863 emulate_push(ctxt, ops);
1864 break;
1865 }
1866 return X86EMUL_CONTINUE;
1867 }
1868
1869 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1870 struct x86_emulate_ops *ops)
1871 {
1872 struct decode_cache *c = &ctxt->decode;
1873 u64 old = c->dst.orig_val64;
1874
1875 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1876 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1877 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1878 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1879 ctxt->eflags &= ~EFLG_ZF;
1880 } else {
1881 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1882 (u32) c->regs[VCPU_REGS_RBX];
1883
1884 ctxt->eflags |= EFLG_ZF;
1885 }
1886 return X86EMUL_CONTINUE;
1887 }
1888
1889 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1890 struct x86_emulate_ops *ops)
1891 {
1892 struct decode_cache *c = &ctxt->decode;
1893 int rc;
1894 unsigned long cs;
1895
1896 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1897 if (rc != X86EMUL_CONTINUE)
1898 return rc;
1899 if (c->op_bytes == 4)
1900 c->eip = (u32)c->eip;
1901 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1902 if (rc != X86EMUL_CONTINUE)
1903 return rc;
1904 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1905 return rc;
1906 }
1907
1908 static inline void
1909 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1910 struct x86_emulate_ops *ops, struct desc_struct *cs,
1911 struct desc_struct *ss)
1912 {
1913 memset(cs, 0, sizeof(struct desc_struct));
1914 ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
1915 memset(ss, 0, sizeof(struct desc_struct));
1916
1917 cs->l = 0; /* will be adjusted later */
1918 set_desc_base(cs, 0); /* flat segment */
1919 cs->g = 1; /* 4kb granularity */
1920 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1921 cs->type = 0x0b; /* Read, Execute, Accessed */
1922 cs->s = 1;
1923 cs->dpl = 0; /* will be adjusted later */
1924 cs->p = 1;
1925 cs->d = 1;
1926
1927 set_desc_base(ss, 0); /* flat segment */
1928 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1929 ss->g = 1; /* 4kb granularity */
1930 ss->s = 1;
1931 ss->type = 0x03; /* Read/Write, Accessed */
1932 ss->d = 1; /* 32bit stack segment */
1933 ss->dpl = 0;
1934 ss->p = 1;
1935 }
1936
1937 static int
1938 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1939 {
1940 struct decode_cache *c = &ctxt->decode;
1941 struct desc_struct cs, ss;
1942 u64 msr_data;
1943 u16 cs_sel, ss_sel;
1944
1945 /* syscall is not available in real mode */
1946 if (ctxt->mode == X86EMUL_MODE_REAL ||
1947 ctxt->mode == X86EMUL_MODE_VM86) {
1948 emulate_ud(ctxt);
1949 return X86EMUL_PROPAGATE_FAULT;
1950 }
1951
1952 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1953
1954 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1955 msr_data >>= 32;
1956 cs_sel = (u16)(msr_data & 0xfffc);
1957 ss_sel = (u16)(msr_data + 8);
1958
1959 if (is_long_mode(ctxt->vcpu)) {
1960 cs.d = 0;
1961 cs.l = 1;
1962 }
1963 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1964 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1965 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1966 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1967
1968 c->regs[VCPU_REGS_RCX] = c->eip;
1969 if (is_long_mode(ctxt->vcpu)) {
1970 #ifdef CONFIG_X86_64
1971 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1972
1973 ops->get_msr(ctxt->vcpu,
1974 ctxt->mode == X86EMUL_MODE_PROT64 ?
1975 MSR_LSTAR : MSR_CSTAR, &msr_data);
1976 c->eip = msr_data;
1977
1978 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1979 ctxt->eflags &= ~(msr_data | EFLG_RF);
1980 #endif
1981 } else {
1982 /* legacy mode */
1983 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1984 c->eip = (u32)msr_data;
1985
1986 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1987 }
1988
1989 return X86EMUL_CONTINUE;
1990 }
1991
1992 static int
1993 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1994 {
1995 struct decode_cache *c = &ctxt->decode;
1996 struct desc_struct cs, ss;
1997 u64 msr_data;
1998 u16 cs_sel, ss_sel;
1999
2000 /* inject #GP if in real mode */
2001 if (ctxt->mode == X86EMUL_MODE_REAL) {
2002 emulate_gp(ctxt, 0);
2003 return X86EMUL_PROPAGATE_FAULT;
2004 }
2005
2006 if (ctxt->mode == X86EMUL_MODE_PROT64) {
2007 emulate_ud(ctxt);
2008 return X86EMUL_PROPAGATE_FAULT;
2009 }
2010
2011 setup_syscalls_segments(ctxt, ops, &cs, &ss);
2012
2013 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
2014 switch (ctxt->mode) {
2015 case X86EMUL_MODE_PROT32:
2016 if ((msr_data & 0xfffc) == 0x0) {
2017 emulate_gp(ctxt, 0);
2018 return X86EMUL_PROPAGATE_FAULT;
2019 }
2020 break;
2021 case X86EMUL_MODE_PROT64:
2022 if (msr_data == 0x0) {
2023 emulate_gp(ctxt, 0);
2024 return X86EMUL_PROPAGATE_FAULT;
2025 }
2026 break;
2027 }
2028
2029 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2030 cs_sel = (u16)msr_data;
2031 cs_sel &= ~SELECTOR_RPL_MASK;
2032 ss_sel = cs_sel + 8;
2033 ss_sel &= ~SELECTOR_RPL_MASK;
2034 if (ctxt->mode == X86EMUL_MODE_PROT64
2035 || is_long_mode(ctxt->vcpu)) {
2036 cs.d = 0;
2037 cs.l = 1;
2038 }
2039
2040 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
2041 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
2042 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
2043 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2044
2045 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
2046 c->eip = msr_data;
2047
2048 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
2049 c->regs[VCPU_REGS_RSP] = msr_data;
2050
2051 return X86EMUL_CONTINUE;
2052 }
2053
2054 static int
2055 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2056 {
2057 struct decode_cache *c = &ctxt->decode;
2058 struct desc_struct cs, ss;
2059 u64 msr_data;
2060 int usermode;
2061 u16 cs_sel, ss_sel;
2062
2063 /* inject #GP if in real mode or Virtual 8086 mode */
2064 if (ctxt->mode == X86EMUL_MODE_REAL ||
2065 ctxt->mode == X86EMUL_MODE_VM86) {
2066 emulate_gp(ctxt, 0);
2067 return X86EMUL_PROPAGATE_FAULT;
2068 }
2069
2070 setup_syscalls_segments(ctxt, ops, &cs, &ss);
2071
2072 if ((c->rex_prefix & 0x8) != 0x0)
2073 usermode = X86EMUL_MODE_PROT64;
2074 else
2075 usermode = X86EMUL_MODE_PROT32;
2076
2077 cs.dpl = 3;
2078 ss.dpl = 3;
2079 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
2080 switch (usermode) {
2081 case X86EMUL_MODE_PROT32:
2082 cs_sel = (u16)(msr_data + 16);
2083 if ((msr_data & 0xfffc) == 0x0) {
2084 emulate_gp(ctxt, 0);
2085 return X86EMUL_PROPAGATE_FAULT;
2086 }
2087 ss_sel = (u16)(msr_data + 24);
2088 break;
2089 case X86EMUL_MODE_PROT64:
2090 cs_sel = (u16)(msr_data + 32);
2091 if (msr_data == 0x0) {
2092 emulate_gp(ctxt, 0);
2093 return X86EMUL_PROPAGATE_FAULT;
2094 }
2095 ss_sel = cs_sel + 8;
2096 cs.d = 0;
2097 cs.l = 1;
2098 break;
2099 }
2100 cs_sel |= SELECTOR_RPL_MASK;
2101 ss_sel |= SELECTOR_RPL_MASK;
2102
2103 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
2104 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
2105 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
2106 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2107
2108 c->eip = c->regs[VCPU_REGS_RDX];
2109 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
2110
2111 return X86EMUL_CONTINUE;
2112 }
2113
2114 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
2115 struct x86_emulate_ops *ops)
2116 {
2117 int iopl;
2118 if (ctxt->mode == X86EMUL_MODE_REAL)
2119 return false;
2120 if (ctxt->mode == X86EMUL_MODE_VM86)
2121 return true;
2122 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
2123 return ops->cpl(ctxt->vcpu) > iopl;
2124 }
2125
2126 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2127 struct x86_emulate_ops *ops,
2128 u16 port, u16 len)
2129 {
2130 struct desc_struct tr_seg;
2131 int r;
2132 u16 io_bitmap_ptr;
2133 u8 perm, bit_idx = port & 0x7;
2134 unsigned mask = (1 << len) - 1;
2135
2136 ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
2137 if (!tr_seg.p)
2138 return false;
2139 if (desc_limit_scaled(&tr_seg) < 103)
2140 return false;
2141 r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
2142 ctxt->vcpu, NULL);
2143 if (r != X86EMUL_CONTINUE)
2144 return false;
2145 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2146 return false;
2147 r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
2148 &perm, 1, ctxt->vcpu, NULL);
2149 if (r != X86EMUL_CONTINUE)
2150 return false;
2151 if ((perm >> bit_idx) & mask)
2152 return false;
2153 return true;
2154 }
2155
2156 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2157 struct x86_emulate_ops *ops,
2158 u16 port, u16 len)
2159 {
2160 if (emulator_bad_iopl(ctxt, ops))
2161 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
2162 return false;
2163 return true;
2164 }
2165
2166 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2167 struct x86_emulate_ops *ops,
2168 struct tss_segment_16 *tss)
2169 {
2170 struct decode_cache *c = &ctxt->decode;
2171
2172 tss->ip = c->eip;
2173 tss->flag = ctxt->eflags;
2174 tss->ax = c->regs[VCPU_REGS_RAX];
2175 tss->cx = c->regs[VCPU_REGS_RCX];
2176 tss->dx = c->regs[VCPU_REGS_RDX];
2177 tss->bx = c->regs[VCPU_REGS_RBX];
2178 tss->sp = c->regs[VCPU_REGS_RSP];
2179 tss->bp = c->regs[VCPU_REGS_RBP];
2180 tss->si = c->regs[VCPU_REGS_RSI];
2181 tss->di = c->regs[VCPU_REGS_RDI];
2182
2183 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2184 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2185 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2186 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2187 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2188 }
2189
2190 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2191 struct x86_emulate_ops *ops,
2192 struct tss_segment_16 *tss)
2193 {
2194 struct decode_cache *c = &ctxt->decode;
2195 int ret;
2196
2197 c->eip = tss->ip;
2198 ctxt->eflags = tss->flag | 2;
2199 c->regs[VCPU_REGS_RAX] = tss->ax;
2200 c->regs[VCPU_REGS_RCX] = tss->cx;
2201 c->regs[VCPU_REGS_RDX] = tss->dx;
2202 c->regs[VCPU_REGS_RBX] = tss->bx;
2203 c->regs[VCPU_REGS_RSP] = tss->sp;
2204 c->regs[VCPU_REGS_RBP] = tss->bp;
2205 c->regs[VCPU_REGS_RSI] = tss->si;
2206 c->regs[VCPU_REGS_RDI] = tss->di;
2207
2208 /*
2209 * SDM says that segment selectors are loaded before segment
2210 * descriptors
2211 */
2212 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
2213 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2214 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2215 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2216 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2217
2218 /*
2219 * Now load segment descriptors. If fault happenes at this stage
2220 * it is handled in a context of new task
2221 */
2222 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
2223 if (ret != X86EMUL_CONTINUE)
2224 return ret;
2225 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2226 if (ret != X86EMUL_CONTINUE)
2227 return ret;
2228 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2229 if (ret != X86EMUL_CONTINUE)
2230 return ret;
2231 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2232 if (ret != X86EMUL_CONTINUE)
2233 return ret;
2234 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2235 if (ret != X86EMUL_CONTINUE)
2236 return ret;
2237
2238 return X86EMUL_CONTINUE;
2239 }
2240
2241 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2242 struct x86_emulate_ops *ops,
2243 u16 tss_selector, u16 old_tss_sel,
2244 ulong old_tss_base, struct desc_struct *new_desc)
2245 {
2246 struct tss_segment_16 tss_seg;
2247 int ret;
2248 u32 err, new_tss_base = get_desc_base(new_desc);
2249
2250 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2251 &err);
2252 if (ret == X86EMUL_PROPAGATE_FAULT) {
2253 emulate_pf(ctxt, old_tss_base, err);
2254 return ret;
2255 }
2256
2257 save_state_to_tss16(ctxt, ops, &tss_seg);
2258
2259 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2260 &err);
2261 if (ret == X86EMUL_PROPAGATE_FAULT) {
2262 emulate_pf(ctxt, old_tss_base, err);
2263 return ret;
2264 }
2265
2266 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2267 &err);
2268 if (ret == X86EMUL_PROPAGATE_FAULT) {
2269 emulate_pf(ctxt, new_tss_base, err);
2270 return ret;
2271 }
2272
2273 if (old_tss_sel != 0xffff) {
2274 tss_seg.prev_task_link = old_tss_sel;
2275
2276 ret = ops->write_std(new_tss_base,
2277 &tss_seg.prev_task_link,
2278 sizeof tss_seg.prev_task_link,
2279 ctxt->vcpu, &err);
2280 if (ret == X86EMUL_PROPAGATE_FAULT) {
2281 emulate_pf(ctxt, new_tss_base, err);
2282 return ret;
2283 }
2284 }
2285
2286 return load_state_from_tss16(ctxt, ops, &tss_seg);
2287 }
2288
2289 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2290 struct x86_emulate_ops *ops,
2291 struct tss_segment_32 *tss)
2292 {
2293 struct decode_cache *c = &ctxt->decode;
2294
2295 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
2296 tss->eip = c->eip;
2297 tss->eflags = ctxt->eflags;
2298 tss->eax = c->regs[VCPU_REGS_RAX];
2299 tss->ecx = c->regs[VCPU_REGS_RCX];
2300 tss->edx = c->regs[VCPU_REGS_RDX];
2301 tss->ebx = c->regs[VCPU_REGS_RBX];
2302 tss->esp = c->regs[VCPU_REGS_RSP];
2303 tss->ebp = c->regs[VCPU_REGS_RBP];
2304 tss->esi = c->regs[VCPU_REGS_RSI];
2305 tss->edi = c->regs[VCPU_REGS_RDI];
2306
2307 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2308 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2309 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2310 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2311 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
2312 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
2313 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2314 }
2315
2316 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2317 struct x86_emulate_ops *ops,
2318 struct tss_segment_32 *tss)
2319 {
2320 struct decode_cache *c = &ctxt->decode;
2321 int ret;
2322
2323 if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
2324 emulate_gp(ctxt, 0);
2325 return X86EMUL_PROPAGATE_FAULT;
2326 }
2327 c->eip = tss->eip;
2328 ctxt->eflags = tss->eflags | 2;
2329 c->regs[VCPU_REGS_RAX] = tss->eax;
2330 c->regs[VCPU_REGS_RCX] = tss->ecx;
2331 c->regs[VCPU_REGS_RDX] = tss->edx;
2332 c->regs[VCPU_REGS_RBX] = tss->ebx;
2333 c->regs[VCPU_REGS_RSP] = tss->esp;
2334 c->regs[VCPU_REGS_RBP] = tss->ebp;
2335 c->regs[VCPU_REGS_RSI] = tss->esi;
2336 c->regs[VCPU_REGS_RDI] = tss->edi;
2337
2338 /*
2339 * SDM says that segment selectors are loaded before segment
2340 * descriptors
2341 */
2342 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
2343 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2344 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2345 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2346 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2347 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
2348 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
2349
2350 /*
2351 * Now load segment descriptors. If fault happenes at this stage
2352 * it is handled in a context of new task
2353 */
2354 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
2355 if (ret != X86EMUL_CONTINUE)
2356 return ret;
2357 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2358 if (ret != X86EMUL_CONTINUE)
2359 return ret;
2360 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2361 if (ret != X86EMUL_CONTINUE)
2362 return ret;
2363 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2364 if (ret != X86EMUL_CONTINUE)
2365 return ret;
2366 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2367 if (ret != X86EMUL_CONTINUE)
2368 return ret;
2369 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
2370 if (ret != X86EMUL_CONTINUE)
2371 return ret;
2372 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
2373 if (ret != X86EMUL_CONTINUE)
2374 return ret;
2375
2376 return X86EMUL_CONTINUE;
2377 }
2378
2379 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2380 struct x86_emulate_ops *ops,
2381 u16 tss_selector, u16 old_tss_sel,
2382 ulong old_tss_base, struct desc_struct *new_desc)
2383 {
2384 struct tss_segment_32 tss_seg;
2385 int ret;
2386 u32 err, new_tss_base = get_desc_base(new_desc);
2387
2388 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2389 &err);
2390 if (ret == X86EMUL_PROPAGATE_FAULT) {
2391 emulate_pf(ctxt, old_tss_base, err);
2392 return ret;
2393 }
2394
2395 save_state_to_tss32(ctxt, ops, &tss_seg);
2396
2397 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2398 &err);
2399 if (ret == X86EMUL_PROPAGATE_FAULT) {
2400 emulate_pf(ctxt, old_tss_base, err);
2401 return ret;
2402 }
2403
2404 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2405 &err);
2406 if (ret == X86EMUL_PROPAGATE_FAULT) {
2407 emulate_pf(ctxt, new_tss_base, err);
2408 return ret;
2409 }
2410
2411 if (old_tss_sel != 0xffff) {
2412 tss_seg.prev_task_link = old_tss_sel;
2413
2414 ret = ops->write_std(new_tss_base,
2415 &tss_seg.prev_task_link,
2416 sizeof tss_seg.prev_task_link,
2417 ctxt->vcpu, &err);
2418 if (ret == X86EMUL_PROPAGATE_FAULT) {
2419 emulate_pf(ctxt, new_tss_base, err);
2420 return ret;
2421 }
2422 }
2423
2424 return load_state_from_tss32(ctxt, ops, &tss_seg);
2425 }
2426
2427 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2428 struct x86_emulate_ops *ops,
2429 u16 tss_selector, int reason,
2430 bool has_error_code, u32 error_code)
2431 {
2432 struct desc_struct curr_tss_desc, next_tss_desc;
2433 int ret;
2434 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2435 ulong old_tss_base =
2436 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
2437 u32 desc_limit;
2438
2439
2440 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2441 if (ret != X86EMUL_CONTINUE)
2442 return ret;
2443 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2444 if (ret != X86EMUL_CONTINUE)
2445 return ret;
2446
2447
2448 if (reason != TASK_SWITCH_IRET) {
2449 if ((tss_selector & 3) > next_tss_desc.dpl ||
2450 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
2451 emulate_gp(ctxt, 0);
2452 return X86EMUL_PROPAGATE_FAULT;
2453 }
2454 }
2455
2456 desc_limit = desc_limit_scaled(&next_tss_desc);
2457 if (!next_tss_desc.p ||
2458 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2459 desc_limit < 0x2b)) {
2460 emulate_ts(ctxt, tss_selector & 0xfffc);
2461 return X86EMUL_PROPAGATE_FAULT;
2462 }
2463
2464 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2465 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2466 write_segment_descriptor(ctxt, ops, old_tss_sel,
2467 &curr_tss_desc);
2468 }
2469
2470 if (reason == TASK_SWITCH_IRET)
2471 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2472
2473 /* set back link to prev task only if NT bit is set in eflags
2474 note that old_tss_sel is not used afetr this point */
2475 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2476 old_tss_sel = 0xffff;
2477
2478 if (next_tss_desc.type & 8)
2479 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2480 old_tss_base, &next_tss_desc);
2481 else
2482 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2483 old_tss_base, &next_tss_desc);
2484 if (ret != X86EMUL_CONTINUE)
2485 return ret;
2486
2487 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2488 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2489
2490 if (reason != TASK_SWITCH_IRET) {
2491 next_tss_desc.type |= (1 << 1); /* set busy flag */
2492 write_segment_descriptor(ctxt, ops, tss_selector,
2493 &next_tss_desc);
2494 }
2495
2496 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2497 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
2498 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2499
2500 if (has_error_code) {
2501 struct decode_cache *c = &ctxt->decode;
2502
2503 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2504 c->lock_prefix = 0;
2505 c->src.val = (unsigned long) error_code;
2506 emulate_push(ctxt, ops);
2507 }
2508
2509 return ret;
2510 }
2511
2512 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2513 struct x86_emulate_ops *ops,
2514 u16 tss_selector, int reason,
2515 bool has_error_code, u32 error_code)
2516 {
2517 struct decode_cache *c = &ctxt->decode;
2518 int rc;
2519
2520 c->eip = ctxt->eip;
2521 c->dst.type = OP_NONE;
2522
2523 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2524 has_error_code, error_code);
2525
2526 if (rc == X86EMUL_CONTINUE) {
2527 rc = writeback(ctxt, ops);
2528 if (rc == X86EMUL_CONTINUE)
2529 ctxt->eip = c->eip;
2530 }
2531
2532 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2533 }
2534
2535 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2536 int reg, struct operand *op)
2537 {
2538 struct decode_cache *c = &ctxt->decode;
2539 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2540
2541 register_address_increment(c, &c->regs[reg], df * op->bytes);
2542 op->ptr = (unsigned long *)register_address(c, base, c->regs[reg]);
2543 }
2544
2545 int
2546 x86_emulate_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2547 {
2548 u64 msr_data;
2549 struct decode_cache *c = &ctxt->decode;
2550 int rc = X86EMUL_CONTINUE;
2551 int saved_dst_type = c->dst.type;
2552
2553 ctxt->decode.mem_read.pos = 0;
2554
2555 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2556 emulate_ud(ctxt);
2557 goto done;
2558 }
2559
2560 /* LOCK prefix is allowed only with some instructions */
2561 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2562 emulate_ud(ctxt);
2563 goto done;
2564 }
2565
2566 /* Privileged instruction can be executed only in CPL=0 */
2567 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2568 emulate_gp(ctxt, 0);
2569 goto done;
2570 }
2571
2572 if (c->rep_prefix && (c->d & String)) {
2573 ctxt->restart = true;
2574 /* All REP prefixes have the same first termination condition */
2575 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2576 string_done:
2577 ctxt->restart = false;
2578 ctxt->eip = c->eip;
2579 goto done;
2580 }
2581 /* The second termination condition only applies for REPE
2582 * and REPNE. Test if the repeat string operation prefix is
2583 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
2584 * corresponding termination condition according to:
2585 * - if REPE/REPZ and ZF = 0 then done
2586 * - if REPNE/REPNZ and ZF = 1 then done
2587 */
2588 if ((c->b == 0xa6) || (c->b == 0xa7) ||
2589 (c->b == 0xae) || (c->b == 0xaf)) {
2590 if ((c->rep_prefix == REPE_PREFIX) &&
2591 ((ctxt->eflags & EFLG_ZF) == 0))
2592 goto string_done;
2593 if ((c->rep_prefix == REPNE_PREFIX) &&
2594 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
2595 goto string_done;
2596 }
2597 c->eip = ctxt->eip;
2598 }
2599
2600 if (c->src.type == OP_MEM) {
2601 rc = read_emulated(ctxt, ops, (unsigned long)c->src.ptr,
2602 c->src.valptr, c->src.bytes);
2603 if (rc != X86EMUL_CONTINUE)
2604 goto done;
2605 c->src.orig_val64 = c->src.val64;
2606 }
2607
2608 if (c->src2.type == OP_MEM) {
2609 rc = read_emulated(ctxt, ops, (unsigned long)c->src2.ptr,
2610 &c->src2.val, c->src2.bytes);
2611 if (rc != X86EMUL_CONTINUE)
2612 goto done;
2613 }
2614
2615 if ((c->d & DstMask) == ImplicitOps)
2616 goto special_insn;
2617
2618
2619 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
2620 /* optimisation - avoid slow emulated read if Mov */
2621 rc = read_emulated(ctxt, ops, (unsigned long)c->dst.ptr,
2622 &c->dst.val, c->dst.bytes);
2623 if (rc != X86EMUL_CONTINUE)
2624 goto done;
2625 }
2626 c->dst.orig_val = c->dst.val;
2627
2628 special_insn:
2629
2630 if (c->twobyte)
2631 goto twobyte_insn;
2632
2633 switch (c->b) {
2634 case 0x00 ... 0x05:
2635 add: /* add */
2636 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2637 break;
2638 case 0x06: /* push es */
2639 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
2640 break;
2641 case 0x07: /* pop es */
2642 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2643 if (rc != X86EMUL_CONTINUE)
2644 goto done;
2645 break;
2646 case 0x08 ... 0x0d:
2647 or: /* or */
2648 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2649 break;
2650 case 0x0e: /* push cs */
2651 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
2652 break;
2653 case 0x10 ... 0x15:
2654 adc: /* adc */
2655 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2656 break;
2657 case 0x16: /* push ss */
2658 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
2659 break;
2660 case 0x17: /* pop ss */
2661 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2662 if (rc != X86EMUL_CONTINUE)
2663 goto done;
2664 break;
2665 case 0x18 ... 0x1d:
2666 sbb: /* sbb */
2667 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2668 break;
2669 case 0x1e: /* push ds */
2670 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
2671 break;
2672 case 0x1f: /* pop ds */
2673 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2674 if (rc != X86EMUL_CONTINUE)
2675 goto done;
2676 break;
2677 case 0x20 ... 0x25:
2678 and: /* and */
2679 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2680 break;
2681 case 0x28 ... 0x2d:
2682 sub: /* sub */
2683 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2684 break;
2685 case 0x30 ... 0x35:
2686 xor: /* xor */
2687 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2688 break;
2689 case 0x38 ... 0x3d:
2690 cmp: /* cmp */
2691 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2692 break;
2693 case 0x40 ... 0x47: /* inc r16/r32 */
2694 emulate_1op("inc", c->dst, ctxt->eflags);
2695 break;
2696 case 0x48 ... 0x4f: /* dec r16/r32 */
2697 emulate_1op("dec", c->dst, ctxt->eflags);
2698 break;
2699 case 0x50 ... 0x57: /* push reg */
2700 emulate_push(ctxt, ops);
2701 break;
2702 case 0x58 ... 0x5f: /* pop reg */
2703 pop_instruction:
2704 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2705 if (rc != X86EMUL_CONTINUE)
2706 goto done;
2707 break;
2708 case 0x60: /* pusha */
2709 rc = emulate_pusha(ctxt, ops);
2710 if (rc != X86EMUL_CONTINUE)
2711 goto done;
2712 break;
2713 case 0x61: /* popa */
2714 rc = emulate_popa(ctxt, ops);
2715 if (rc != X86EMUL_CONTINUE)
2716 goto done;
2717 break;
2718 case 0x63: /* movsxd */
2719 if (ctxt->mode != X86EMUL_MODE_PROT64)
2720 goto cannot_emulate;
2721 c->dst.val = (s32) c->src.val;
2722 break;
2723 case 0x68: /* push imm */
2724 case 0x6a: /* push imm8 */
2725 emulate_push(ctxt, ops);
2726 break;
2727 case 0x6c: /* insb */
2728 case 0x6d: /* insw/insd */
2729 c->dst.bytes = min(c->dst.bytes, 4u);
2730 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2731 c->dst.bytes)) {
2732 emulate_gp(ctxt, 0);
2733 goto done;
2734 }
2735 if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
2736 c->regs[VCPU_REGS_RDX], &c->dst.val))
2737 goto done; /* IO is needed, skip writeback */
2738 break;
2739 case 0x6e: /* outsb */
2740 case 0x6f: /* outsw/outsd */
2741 c->src.bytes = min(c->src.bytes, 4u);
2742 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2743 c->src.bytes)) {
2744 emulate_gp(ctxt, 0);
2745 goto done;
2746 }
2747 ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
2748 &c->src.val, 1, ctxt->vcpu);
2749
2750 c->dst.type = OP_NONE; /* nothing to writeback */
2751 break;
2752 case 0x70 ... 0x7f: /* jcc (short) */
2753 if (test_cc(c->b, ctxt->eflags))
2754 jmp_rel(c, c->src.val);
2755 break;
2756 case 0x80 ... 0x83: /* Grp1 */
2757 switch (c->modrm_reg) {
2758 case 0:
2759 goto add;
2760 case 1:
2761 goto or;
2762 case 2:
2763 goto adc;
2764 case 3:
2765 goto sbb;
2766 case 4:
2767 goto and;
2768 case 5:
2769 goto sub;
2770 case 6:
2771 goto xor;
2772 case 7:
2773 goto cmp;
2774 }
2775 break;
2776 case 0x84 ... 0x85:
2777 test:
2778 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2779 break;
2780 case 0x86 ... 0x87: /* xchg */
2781 xchg:
2782 /* Write back the register source. */
2783 switch (c->dst.bytes) {
2784 case 1:
2785 *(u8 *) c->src.ptr = (u8) c->dst.val;
2786 break;
2787 case 2:
2788 *(u16 *) c->src.ptr = (u16) c->dst.val;
2789 break;
2790 case 4:
2791 *c->src.ptr = (u32) c->dst.val;
2792 break; /* 64b reg: zero-extend */
2793 case 8:
2794 *c->src.ptr = c->dst.val;
2795 break;
2796 }
2797 /*
2798 * Write back the memory destination with implicit LOCK
2799 * prefix.
2800 */
2801 c->dst.val = c->src.val;
2802 c->lock_prefix = 1;
2803 break;
2804 case 0x88 ... 0x8b: /* mov */
2805 goto mov;
2806 case 0x8c: /* mov r/m, sreg */
2807 if (c->modrm_reg > VCPU_SREG_GS) {
2808 emulate_ud(ctxt);
2809 goto done;
2810 }
2811 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
2812 break;
2813 case 0x8d: /* lea r16/r32, m */
2814 c->dst.val = c->modrm_ea;
2815 break;
2816 case 0x8e: { /* mov seg, r/m16 */
2817 uint16_t sel;
2818
2819 sel = c->src.val;
2820
2821 if (c->modrm_reg == VCPU_SREG_CS ||
2822 c->modrm_reg > VCPU_SREG_GS) {
2823 emulate_ud(ctxt);
2824 goto done;
2825 }
2826
2827 if (c->modrm_reg == VCPU_SREG_SS)
2828 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
2829
2830 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
2831
2832 c->dst.type = OP_NONE; /* Disable writeback. */
2833 break;
2834 }
2835 case 0x8f: /* pop (sole member of Grp1a) */
2836 rc = emulate_grp1a(ctxt, ops);
2837 if (rc != X86EMUL_CONTINUE)
2838 goto done;
2839 break;
2840 case 0x90: /* nop / xchg r8,rax */
2841 if (c->dst.ptr == (unsigned long *)&c->regs[VCPU_REGS_RAX]) {
2842 c->dst.type = OP_NONE; /* nop */
2843 break;
2844 }
2845 case 0x91 ... 0x97: /* xchg reg,rax */
2846 c->src.type = OP_REG;
2847 c->src.bytes = c->op_bytes;
2848 c->src.ptr = (unsigned long *) &c->regs[VCPU_REGS_RAX];
2849 c->src.val = *(c->src.ptr);
2850 goto xchg;
2851 case 0x9c: /* pushf */
2852 c->src.val = (unsigned long) ctxt->eflags;
2853 emulate_push(ctxt, ops);
2854 break;
2855 case 0x9d: /* popf */
2856 c->dst.type = OP_REG;
2857 c->dst.ptr = (unsigned long *) &ctxt->eflags;
2858 c->dst.bytes = c->op_bytes;
2859 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
2860 if (rc != X86EMUL_CONTINUE)
2861 goto done;
2862 break;
2863 case 0xa0 ... 0xa3: /* mov */
2864 case 0xa4 ... 0xa5: /* movs */
2865 goto mov;
2866 case 0xa6 ... 0xa7: /* cmps */
2867 c->dst.type = OP_NONE; /* Disable writeback. */
2868 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.ptr, c->dst.ptr);
2869 goto cmp;
2870 case 0xa8 ... 0xa9: /* test ax, imm */
2871 goto test;
2872 case 0xaa ... 0xab: /* stos */
2873 c->dst.val = c->regs[VCPU_REGS_RAX];
2874 break;
2875 case 0xac ... 0xad: /* lods */
2876 goto mov;
2877 case 0xae ... 0xaf: /* scas */
2878 DPRINTF("Urk! I don't handle SCAS.\n");
2879 goto cannot_emulate;
2880 case 0xb0 ... 0xbf: /* mov r, imm */
2881 goto mov;
2882 case 0xc0 ... 0xc1:
2883 emulate_grp2(ctxt);
2884 break;
2885 case 0xc3: /* ret */
2886 c->dst.type = OP_REG;
2887 c->dst.ptr = &c->eip;
2888 c->dst.bytes = c->op_bytes;
2889 goto pop_instruction;
2890 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
2891 mov:
2892 c->dst.val = c->src.val;
2893 break;
2894 case 0xcb: /* ret far */
2895 rc = emulate_ret_far(ctxt, ops);
2896 if (rc != X86EMUL_CONTINUE)
2897 goto done;
2898 break;
2899 case 0xd0 ... 0xd1: /* Grp2 */
2900 c->src.val = 1;
2901 emulate_grp2(ctxt);
2902 break;
2903 case 0xd2 ... 0xd3: /* Grp2 */
2904 c->src.val = c->regs[VCPU_REGS_RCX];
2905 emulate_grp2(ctxt);
2906 break;
2907 case 0xe4: /* inb */
2908 case 0xe5: /* in */
2909 goto do_io_in;
2910 case 0xe6: /* outb */
2911 case 0xe7: /* out */
2912 goto do_io_out;
2913 case 0xe8: /* call (near) */ {
2914 long int rel = c->src.val;
2915 c->src.val = (unsigned long) c->eip;
2916 jmp_rel(c, rel);
2917 emulate_push(ctxt, ops);
2918 break;
2919 }
2920 case 0xe9: /* jmp rel */
2921 goto jmp;
2922 case 0xea: { /* jmp far */
2923 unsigned short sel;
2924 jump_far:
2925 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
2926
2927 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
2928 goto done;
2929
2930 c->eip = 0;
2931 memcpy(&c->eip, c->src.valptr, c->op_bytes);
2932 break;
2933 }
2934 case 0xeb:
2935 jmp: /* jmp rel short */
2936 jmp_rel(c, c->src.val);
2937 c->dst.type = OP_NONE; /* Disable writeback. */
2938 break;
2939 case 0xec: /* in al,dx */
2940 case 0xed: /* in (e/r)ax,dx */
2941 c->src.val = c->regs[VCPU_REGS_RDX];
2942 do_io_in:
2943 c->dst.bytes = min(c->dst.bytes, 4u);
2944 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
2945 emulate_gp(ctxt, 0);
2946 goto done;
2947 }
2948 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
2949 &c->dst.val))
2950 goto done; /* IO is needed */
2951 break;
2952 case 0xee: /* out dx,al */
2953 case 0xef: /* out dx,(e/r)ax */
2954 c->src.val = c->regs[VCPU_REGS_RDX];
2955 do_io_out:
2956 c->dst.bytes = min(c->dst.bytes, 4u);
2957 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
2958 emulate_gp(ctxt, 0);
2959 goto done;
2960 }
2961 ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
2962 ctxt->vcpu);
2963 c->dst.type = OP_NONE; /* Disable writeback. */
2964 break;
2965 case 0xf4: /* hlt */
2966 ctxt->vcpu->arch.halt_request = 1;
2967 break;
2968 case 0xf5: /* cmc */
2969 /* complement carry flag from eflags reg */
2970 ctxt->eflags ^= EFLG_CF;
2971 c->dst.type = OP_NONE; /* Disable writeback. */
2972 break;
2973 case 0xf6 ... 0xf7: /* Grp3 */
2974 if (!emulate_grp3(ctxt, ops))
2975 goto cannot_emulate;
2976 break;
2977 case 0xf8: /* clc */
2978 ctxt->eflags &= ~EFLG_CF;
2979 c->dst.type = OP_NONE; /* Disable writeback. */
2980 break;
2981 case 0xfa: /* cli */
2982 if (emulator_bad_iopl(ctxt, ops)) {
2983 emulate_gp(ctxt, 0);
2984 goto done;
2985 } else {
2986 ctxt->eflags &= ~X86_EFLAGS_IF;
2987 c->dst.type = OP_NONE; /* Disable writeback. */
2988 }
2989 break;
2990 case 0xfb: /* sti */
2991 if (emulator_bad_iopl(ctxt, ops)) {
2992 emulate_gp(ctxt, 0);
2993 goto done;
2994 } else {
2995 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
2996 ctxt->eflags |= X86_EFLAGS_IF;
2997 c->dst.type = OP_NONE; /* Disable writeback. */
2998 }
2999 break;
3000 case 0xfc: /* cld */
3001 ctxt->eflags &= ~EFLG_DF;
3002 c->dst.type = OP_NONE; /* Disable writeback. */
3003 break;
3004 case 0xfd: /* std */
3005 ctxt->eflags |= EFLG_DF;
3006 c->dst.type = OP_NONE; /* Disable writeback. */
3007 break;
3008 case 0xfe: /* Grp4 */
3009 grp45:
3010 rc = emulate_grp45(ctxt, ops);
3011 if (rc != X86EMUL_CONTINUE)
3012 goto done;
3013 break;
3014 case 0xff: /* Grp5 */
3015 if (c->modrm_reg == 5)
3016 goto jump_far;
3017 goto grp45;
3018 }
3019
3020 writeback:
3021 rc = writeback(ctxt, ops);
3022 if (rc != X86EMUL_CONTINUE)
3023 goto done;
3024
3025 /*
3026 * restore dst type in case the decoding will be reused
3027 * (happens for string instruction )
3028 */
3029 c->dst.type = saved_dst_type;
3030
3031 if ((c->d & SrcMask) == SrcSI)
3032 string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
3033 VCPU_REGS_RSI, &c->src);
3034
3035 if ((c->d & DstMask) == DstDI)
3036 string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
3037 &c->dst);
3038
3039 if (c->rep_prefix && (c->d & String)) {
3040 struct read_cache *rc = &ctxt->decode.io_read;
3041 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3042 /*
3043 * Re-enter guest when pio read ahead buffer is empty or,
3044 * if it is not used, after each 1024 iteration.
3045 */
3046 if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
3047 (rc->end != 0 && rc->end == rc->pos))
3048 ctxt->restart = false;
3049 }
3050 /*
3051 * reset read cache here in case string instruction is restared
3052 * without decoding
3053 */
3054 ctxt->decode.mem_read.end = 0;
3055 ctxt->eip = c->eip;
3056
3057 done:
3058 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
3059
3060 twobyte_insn:
3061 switch (c->b) {
3062 case 0x01: /* lgdt, lidt, lmsw */
3063 switch (c->modrm_reg) {
3064 u16 size;
3065 unsigned long address;
3066
3067 case 0: /* vmcall */
3068 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3069 goto cannot_emulate;
3070
3071 rc = kvm_fix_hypercall(ctxt->vcpu);
3072 if (rc != X86EMUL_CONTINUE)
3073 goto done;
3074
3075 /* Let the processor re-execute the fixed hypercall */
3076 c->eip = ctxt->eip;
3077 /* Disable writeback. */
3078 c->dst.type = OP_NONE;
3079 break;
3080 case 2: /* lgdt */
3081 rc = read_descriptor(ctxt, ops, c->src.ptr,
3082 &size, &address, c->op_bytes);
3083 if (rc != X86EMUL_CONTINUE)
3084 goto done;
3085 realmode_lgdt(ctxt->vcpu, size, address);
3086 /* Disable writeback. */
3087 c->dst.type = OP_NONE;
3088 break;
3089 case 3: /* lidt/vmmcall */
3090 if (c->modrm_mod == 3) {
3091 switch (c->modrm_rm) {
3092 case 1:
3093 rc = kvm_fix_hypercall(ctxt->vcpu);
3094 if (rc != X86EMUL_CONTINUE)
3095 goto done;
3096 break;
3097 default:
3098 goto cannot_emulate;
3099 }
3100 } else {
3101 rc = read_descriptor(ctxt, ops, c->src.ptr,
3102 &size, &address,
3103 c->op_bytes);
3104 if (rc != X86EMUL_CONTINUE)
3105 goto done;
3106 realmode_lidt(ctxt->vcpu, size, address);
3107 }
3108 /* Disable writeback. */
3109 c->dst.type = OP_NONE;
3110 break;
3111 case 4: /* smsw */
3112 c->dst.bytes = 2;
3113 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3114 break;
3115 case 6: /* lmsw */
3116 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0ful) |
3117 (c->src.val & 0x0f), ctxt->vcpu);
3118 c->dst.type = OP_NONE;
3119 break;
3120 case 5: /* not defined */
3121 emulate_ud(ctxt);
3122 goto done;
3123 case 7: /* invlpg*/
3124 emulate_invlpg(ctxt->vcpu, c->modrm_ea);
3125 /* Disable writeback. */
3126 c->dst.type = OP_NONE;
3127 break;
3128 default:
3129 goto cannot_emulate;
3130 }
3131 break;
3132 case 0x05: /* syscall */
3133 rc = emulate_syscall(ctxt, ops);
3134 if (rc != X86EMUL_CONTINUE)
3135 goto done;
3136 else
3137 goto writeback;
3138 break;
3139 case 0x06:
3140 emulate_clts(ctxt->vcpu);
3141 c->dst.type = OP_NONE;
3142 break;
3143 case 0x09: /* wbinvd */
3144 kvm_emulate_wbinvd(ctxt->vcpu);
3145 c->dst.type = OP_NONE;
3146 break;
3147 case 0x08: /* invd */
3148 case 0x0d: /* GrpP (prefetch) */
3149 case 0x18: /* Grp16 (prefetch/nop) */
3150 c->dst.type = OP_NONE;
3151 break;
3152 case 0x20: /* mov cr, reg */
3153 switch (c->modrm_reg) {
3154 case 1:
3155 case 5 ... 7:
3156 case 9 ... 15:
3157 emulate_ud(ctxt);
3158 goto done;
3159 }
3160 c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3161 c->dst.type = OP_NONE; /* no writeback */
3162 break;
3163 case 0x21: /* mov from dr to reg */
3164 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3165 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3166 emulate_ud(ctxt);
3167 goto done;
3168 }
3169 ops->get_dr(c->modrm_reg, &c->regs[c->modrm_rm], ctxt->vcpu);
3170 c->dst.type = OP_NONE; /* no writeback */
3171 break;
3172 case 0x22: /* mov reg, cr */
3173 if (ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu)) {
3174 emulate_gp(ctxt, 0);
3175 goto done;
3176 }
3177 c->dst.type = OP_NONE;
3178 break;
3179 case 0x23: /* mov from reg to dr */
3180 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3181 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3182 emulate_ud(ctxt);
3183 goto done;
3184 }
3185
3186 if (ops->set_dr(c->modrm_reg, c->regs[c->modrm_rm] &
3187 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3188 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3189 /* #UD condition is already handled by the code above */
3190 emulate_gp(ctxt, 0);
3191 goto done;
3192 }
3193
3194 c->dst.type = OP_NONE; /* no writeback */
3195 break;
3196 case 0x30:
3197 /* wrmsr */
3198 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3199 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3200 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3201 emulate_gp(ctxt, 0);
3202 goto done;
3203 }
3204 rc = X86EMUL_CONTINUE;
3205 c->dst.type = OP_NONE;
3206 break;
3207 case 0x32:
3208 /* rdmsr */
3209 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3210 emulate_gp(ctxt, 0);
3211 goto done;
3212 } else {
3213 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3214 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3215 }
3216 rc = X86EMUL_CONTINUE;
3217 c->dst.type = OP_NONE;
3218 break;
3219 case 0x34: /* sysenter */
3220 rc = emulate_sysenter(ctxt, ops);
3221 if (rc != X86EMUL_CONTINUE)
3222 goto done;
3223 else
3224 goto writeback;
3225 break;
3226 case 0x35: /* sysexit */
3227 rc = emulate_sysexit(ctxt, ops);
3228 if (rc != X86EMUL_CONTINUE)
3229 goto done;
3230 else
3231 goto writeback;
3232 break;
3233 case 0x40 ... 0x4f: /* cmov */
3234 c->dst.val = c->dst.orig_val = c->src.val;
3235 if (!test_cc(c->b, ctxt->eflags))
3236 c->dst.type = OP_NONE; /* no writeback */
3237 break;
3238 case 0x80 ... 0x8f: /* jnz rel, etc*/
3239 if (test_cc(c->b, ctxt->eflags))
3240 jmp_rel(c, c->src.val);
3241 c->dst.type = OP_NONE;
3242 break;
3243 case 0xa0: /* push fs */
3244 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3245 break;
3246 case 0xa1: /* pop fs */
3247 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3248 if (rc != X86EMUL_CONTINUE)
3249 goto done;
3250 break;
3251 case 0xa3:
3252 bt: /* bt */
3253 c->dst.type = OP_NONE;
3254 /* only subword offset */
3255 c->src.val &= (c->dst.bytes << 3) - 1;
3256 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3257 break;
3258 case 0xa4: /* shld imm8, r, r/m */
3259 case 0xa5: /* shld cl, r, r/m */
3260 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3261 break;
3262 case 0xa8: /* push gs */
3263 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3264 break;
3265 case 0xa9: /* pop gs */
3266 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3267 if (rc != X86EMUL_CONTINUE)
3268 goto done;
3269 break;
3270 case 0xab:
3271 bts: /* bts */
3272 /* only subword offset */
3273 c->src.val &= (c->dst.bytes << 3) - 1;
3274 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3275 break;
3276 case 0xac: /* shrd imm8, r, r/m */
3277 case 0xad: /* shrd cl, r, r/m */
3278 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3279 break;
3280 case 0xae: /* clflush */
3281 break;
3282 case 0xb0 ... 0xb1: /* cmpxchg */
3283 /*
3284 * Save real source value, then compare EAX against
3285 * destination.
3286 */
3287 c->src.orig_val = c->src.val;
3288 c->src.val = c->regs[VCPU_REGS_RAX];
3289 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3290 if (ctxt->eflags & EFLG_ZF) {
3291 /* Success: write back to memory. */
3292 c->dst.val = c->src.orig_val;
3293 } else {
3294 /* Failure: write the value we saw to EAX. */
3295 c->dst.type = OP_REG;
3296 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3297 }
3298 break;
3299 case 0xb3:
3300 btr: /* btr */
3301 /* only subword offset */
3302 c->src.val &= (c->dst.bytes << 3) - 1;
3303 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3304 break;
3305 case 0xb6 ... 0xb7: /* movzx */
3306 c->dst.bytes = c->op_bytes;
3307 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3308 : (u16) c->src.val;
3309 break;
3310 case 0xba: /* Grp8 */
3311 switch (c->modrm_reg & 3) {
3312 case 0:
3313 goto bt;
3314 case 1:
3315 goto bts;
3316 case 2:
3317 goto btr;
3318 case 3:
3319 goto btc;
3320 }
3321 break;
3322 case 0xbb:
3323 btc: /* btc */
3324 /* only subword offset */
3325 c->src.val &= (c->dst.bytes << 3) - 1;
3326 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3327 break;
3328 case 0xbe ... 0xbf: /* movsx */
3329 c->dst.bytes = c->op_bytes;
3330 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3331 (s16) c->src.val;
3332 break;
3333 case 0xc3: /* movnti */
3334 c->dst.bytes = c->op_bytes;
3335 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3336 (u64) c->src.val;
3337 break;
3338 case 0xc7: /* Grp9 (cmpxchg8b) */
3339 rc = emulate_grp9(ctxt, ops);
3340 if (rc != X86EMUL_CONTINUE)
3341 goto done;
3342 break;
3343 }
3344 goto writeback;
3345
3346 cannot_emulate:
3347 DPRINTF("Cannot emulate %02x\n", c->b);
3348 return -1;
3349 }
Tomato firmware and modifications.