projects / deliverable / linux.git / blob
? search:


6de6ad1610d867793fa5eb0e177c9ee2ae5b2a06
[deliverable/linux.git] / arch / x86 / kvm / emulate.c
1 /******************************************************************************
2 * emulate.c
3 *
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5 *
6 * Copyright (c) 2005 Keir Fraser
7 *
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
10 *
11 * Copyright (C) 2006 Qumranet
12 *
13 * Avi Kivity <avi@qumranet.com>
14 * Yaniv Kamay <yaniv@qumranet.com>
15 *
16 * This work is licensed under the terms of the GNU GPL, version 2. See
17 * the COPYING file in the top-level directory.
18 *
19 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
20 */
21
22 #ifndef __KERNEL__
23 #include <stdio.h>
24 #include <stdint.h>
25 #include <public/xen.h>
26 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
27 #else
28 #include <linux/kvm_host.h>
29 #include "kvm_cache_regs.h"
30 #define DPRINTF(x...) do {} while (0)
31 #endif
32 #include <linux/module.h>
33 #include <asm/kvm_emulate.h>
34
35 #include "x86.h"
36 #include "tss.h"
37
38 /*
39 * Opcode effective-address decode tables.
40 * Note that we only emulate instructions that have at least one memory
41 * operand (excluding implicit stack references). We assume that stack
42 * references and instruction fetches will never occur in special memory
43 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
44 * not be handled.
45 */
46
47 /* Operand sizes: 8-bit operands or specified/overridden size. */
48 #define ByteOp (1<<0) /* 8-bit operands. */
49 /* Destination operand type. */
50 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
51 #define DstReg (2<<1) /* Register operand. */
52 #define DstMem (3<<1) /* Memory operand. */
53 #define DstAcc (4<<1) /* Destination Accumulator */
54 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
55 #define DstMask (7<<1)
56 /* Source operand type. */
57 #define SrcNone (0<<4) /* No source operand. */
58 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
59 #define SrcReg (1<<4) /* Register operand. */
60 #define SrcMem (2<<4) /* Memory operand. */
61 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
62 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
63 #define SrcImm (5<<4) /* Immediate operand. */
64 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
65 #define SrcOne (7<<4) /* Implied '1' */
66 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
67 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
68 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
69 #define SrcMask (0xf<<4)
70 /* Generic ModRM decode. */
71 #define ModRM (1<<8)
72 /* Destination is only written; never read. */
73 #define Mov (1<<9)
74 #define BitOp (1<<10)
75 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
76 #define String (1<<12) /* String instruction (rep capable) */
77 #define Stack (1<<13) /* Stack instruction (push/pop) */
78 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
79 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
80 #define GroupMask 0xff /* Group number stored in bits 0:7 */
81 /* Misc flags */
82 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
83 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
84 #define No64 (1<<28)
85 /* Source 2 operand type */
86 #define Src2None (0<<29)
87 #define Src2CL (1<<29)
88 #define Src2ImmByte (2<<29)
89 #define Src2One (3<<29)
90 #define Src2Imm16 (4<<29)
91 #define Src2Mem16 (5<<29) /* Used for Ep encoding. First argument has to be
92 in memory and second argument is located
93 immediately after the first one in memory. */
94 #define Src2Mask (7<<29)
95
96 enum {
97 Group1_80, Group1_81, Group1_82, Group1_83,
98 Group1A, Group3_Byte, Group3, Group4, Group5, Group7,
99 Group8, Group9,
100 };
101
102 static u32 opcode_table[256] = {
103 /* 0x00 - 0x07 */
104 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
105 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
106 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
107 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
108 /* 0x08 - 0x0F */
109 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
110 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
111 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
112 ImplicitOps | Stack | No64, 0,
113 /* 0x10 - 0x17 */
114 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
115 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
116 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
117 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
118 /* 0x18 - 0x1F */
119 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
120 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
121 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
122 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
123 /* 0x20 - 0x27 */
124 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
125 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
126 DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
127 /* 0x28 - 0x2F */
128 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
129 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
130 0, 0, 0, 0,
131 /* 0x30 - 0x37 */
132 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
133 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
134 0, 0, 0, 0,
135 /* 0x38 - 0x3F */
136 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
137 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
138 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
139 0, 0,
140 /* 0x40 - 0x47 */
141 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
142 /* 0x48 - 0x4F */
143 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
144 /* 0x50 - 0x57 */
145 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
146 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
147 /* 0x58 - 0x5F */
148 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
149 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
150 /* 0x60 - 0x67 */
151 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
152 0, DstReg | SrcMem32 | ModRM | Mov /* movsxd (x86/64) */ ,
153 0, 0, 0, 0,
154 /* 0x68 - 0x6F */
155 SrcImm | Mov | Stack, 0, SrcImmByte | Mov | Stack, 0,
156 DstDI | ByteOp | Mov | String, DstDI | Mov | String, /* insb, insw/insd */
157 SrcSI | ByteOp | ImplicitOps | String, SrcSI | ImplicitOps | String, /* outsb, outsw/outsd */
158 /* 0x70 - 0x77 */
159 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
160 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
161 /* 0x78 - 0x7F */
162 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
163 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
164 /* 0x80 - 0x87 */
165 Group | Group1_80, Group | Group1_81,
166 Group | Group1_82, Group | Group1_83,
167 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
168 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
169 /* 0x88 - 0x8F */
170 ByteOp | DstMem | SrcReg | ModRM | Mov, DstMem | SrcReg | ModRM | Mov,
171 ByteOp | DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
172 DstMem | SrcReg | ModRM | Mov, ModRM | DstReg,
173 DstReg | SrcMem | ModRM | Mov, Group | Group1A,
174 /* 0x90 - 0x97 */
175 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
176 /* 0x98 - 0x9F */
177 0, 0, SrcImm | Src2Imm16 | No64, 0,
178 ImplicitOps | Stack, ImplicitOps | Stack, 0, 0,
179 /* 0xA0 - 0xA7 */
180 ByteOp | DstReg | SrcMem | Mov | MemAbs, DstReg | SrcMem | Mov | MemAbs,
181 ByteOp | DstMem | SrcReg | Mov | MemAbs, DstMem | SrcReg | Mov | MemAbs,
182 ByteOp | SrcSI | DstDI | Mov | String, SrcSI | DstDI | Mov | String,
183 ByteOp | SrcSI | DstDI | String, SrcSI | DstDI | String,
184 /* 0xA8 - 0xAF */
185 0, 0, ByteOp | DstDI | Mov | String, DstDI | Mov | String,
186 ByteOp | SrcSI | DstAcc | Mov | String, SrcSI | DstAcc | Mov | String,
187 ByteOp | DstDI | String, DstDI | String,
188 /* 0xB0 - 0xB7 */
189 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
190 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
191 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
192 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
193 /* 0xB8 - 0xBF */
194 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
195 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
196 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
197 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
198 /* 0xC0 - 0xC7 */
199 ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM,
200 0, ImplicitOps | Stack, 0, 0,
201 ByteOp | DstMem | SrcImm | ModRM | Mov, DstMem | SrcImm | ModRM | Mov,
202 /* 0xC8 - 0xCF */
203 0, 0, 0, ImplicitOps | Stack,
204 ImplicitOps, SrcImmByte, ImplicitOps | No64, ImplicitOps,
205 /* 0xD0 - 0xD7 */
206 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
207 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
208 0, 0, 0, 0,
209 /* 0xD8 - 0xDF */
210 0, 0, 0, 0, 0, 0, 0, 0,
211 /* 0xE0 - 0xE7 */
212 0, 0, 0, 0,
213 ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
214 ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
215 /* 0xE8 - 0xEF */
216 SrcImm | Stack, SrcImm | ImplicitOps,
217 SrcImmU | Src2Imm16 | No64, SrcImmByte | ImplicitOps,
218 SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
219 SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
220 /* 0xF0 - 0xF7 */
221 0, 0, 0, 0,
222 ImplicitOps | Priv, ImplicitOps, Group | Group3_Byte, Group | Group3,
223 /* 0xF8 - 0xFF */
224 ImplicitOps, 0, ImplicitOps, ImplicitOps,
225 ImplicitOps, ImplicitOps, Group | Group4, Group | Group5,
226 };
227
228 static u32 twobyte_table[256] = {
229 /* 0x00 - 0x0F */
230 0, Group | GroupDual | Group7, 0, 0,
231 0, ImplicitOps, ImplicitOps | Priv, 0,
232 ImplicitOps | Priv, ImplicitOps | Priv, 0, 0,
233 0, ImplicitOps | ModRM, 0, 0,
234 /* 0x10 - 0x1F */
235 0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0,
236 /* 0x20 - 0x2F */
237 ModRM | ImplicitOps | Priv, ModRM | Priv,
238 ModRM | ImplicitOps | Priv, ModRM | Priv,
239 0, 0, 0, 0,
240 0, 0, 0, 0, 0, 0, 0, 0,
241 /* 0x30 - 0x3F */
242 ImplicitOps | Priv, 0, ImplicitOps | Priv, 0,
243 ImplicitOps, ImplicitOps | Priv, 0, 0,
244 0, 0, 0, 0, 0, 0, 0, 0,
245 /* 0x40 - 0x47 */
246 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
247 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
248 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
249 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
250 /* 0x48 - 0x4F */
251 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
252 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
253 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
254 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
255 /* 0x50 - 0x5F */
256 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
257 /* 0x60 - 0x6F */
258 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
259 /* 0x70 - 0x7F */
260 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
261 /* 0x80 - 0x8F */
262 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
263 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
264 /* 0x90 - 0x9F */
265 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
266 /* 0xA0 - 0xA7 */
267 ImplicitOps | Stack, ImplicitOps | Stack,
268 0, DstMem | SrcReg | ModRM | BitOp,
269 DstMem | SrcReg | Src2ImmByte | ModRM,
270 DstMem | SrcReg | Src2CL | ModRM, 0, 0,
271 /* 0xA8 - 0xAF */
272 ImplicitOps | Stack, ImplicitOps | Stack,
273 0, DstMem | SrcReg | ModRM | BitOp | Lock,
274 DstMem | SrcReg | Src2ImmByte | ModRM,
275 DstMem | SrcReg | Src2CL | ModRM,
276 ModRM, 0,
277 /* 0xB0 - 0xB7 */
278 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
279 0, DstMem | SrcReg | ModRM | BitOp | Lock,
280 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
281 DstReg | SrcMem16 | ModRM | Mov,
282 /* 0xB8 - 0xBF */
283 0, 0,
284 Group | Group8, DstMem | SrcReg | ModRM | BitOp | Lock,
285 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
286 DstReg | SrcMem16 | ModRM | Mov,
287 /* 0xC0 - 0xCF */
288 0, 0, 0, DstMem | SrcReg | ModRM | Mov,
289 0, 0, 0, Group | GroupDual | Group9,
290 0, 0, 0, 0, 0, 0, 0, 0,
291 /* 0xD0 - 0xDF */
292 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
293 /* 0xE0 - 0xEF */
294 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
295 /* 0xF0 - 0xFF */
296 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
297 };
298
299 static u32 group_table[] = {
300 [Group1_80*8] =
301 ByteOp | DstMem | SrcImm | ModRM | Lock,
302 ByteOp | DstMem | SrcImm | ModRM | Lock,
303 ByteOp | DstMem | SrcImm | ModRM | Lock,
304 ByteOp | DstMem | SrcImm | ModRM | Lock,
305 ByteOp | DstMem | SrcImm | ModRM | Lock,
306 ByteOp | DstMem | SrcImm | ModRM | Lock,
307 ByteOp | DstMem | SrcImm | ModRM | Lock,
308 ByteOp | DstMem | SrcImm | ModRM,
309 [Group1_81*8] =
310 DstMem | SrcImm | ModRM | Lock,
311 DstMem | SrcImm | ModRM | Lock,
312 DstMem | SrcImm | ModRM | Lock,
313 DstMem | SrcImm | ModRM | Lock,
314 DstMem | SrcImm | ModRM | Lock,
315 DstMem | SrcImm | ModRM | Lock,
316 DstMem | SrcImm | ModRM | Lock,
317 DstMem | SrcImm | ModRM,
318 [Group1_82*8] =
319 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
320 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
321 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
322 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
323 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
324 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
325 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
326 ByteOp | DstMem | SrcImm | ModRM | No64,
327 [Group1_83*8] =
328 DstMem | SrcImmByte | ModRM | Lock,
329 DstMem | SrcImmByte | ModRM | Lock,
330 DstMem | SrcImmByte | ModRM | Lock,
331 DstMem | SrcImmByte | ModRM | Lock,
332 DstMem | SrcImmByte | ModRM | Lock,
333 DstMem | SrcImmByte | ModRM | Lock,
334 DstMem | SrcImmByte | ModRM | Lock,
335 DstMem | SrcImmByte | ModRM,
336 [Group1A*8] =
337 DstMem | SrcNone | ModRM | Mov | Stack, 0, 0, 0, 0, 0, 0, 0,
338 [Group3_Byte*8] =
339 ByteOp | SrcImm | DstMem | ModRM, 0,
340 ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
341 0, 0, 0, 0,
342 [Group3*8] =
343 DstMem | SrcImm | ModRM, 0,
344 DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
345 0, 0, 0, 0,
346 [Group4*8] =
347 ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
348 0, 0, 0, 0, 0, 0,
349 [Group5*8] =
350 DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
351 SrcMem | ModRM | Stack, 0,
352 SrcMem | ModRM | Stack, SrcMem | ModRM | Src2Mem16 | ImplicitOps,
353 SrcMem | ModRM | Stack, 0,
354 [Group7*8] =
355 0, 0, ModRM | SrcMem | Priv, ModRM | SrcMem | Priv,
356 SrcNone | ModRM | DstMem | Mov, 0,
357 SrcMem16 | ModRM | Mov | Priv, SrcMem | ModRM | ByteOp | Priv,
358 [Group8*8] =
359 0, 0, 0, 0,
360 DstMem | SrcImmByte | ModRM, DstMem | SrcImmByte | ModRM | Lock,
361 DstMem | SrcImmByte | ModRM | Lock, DstMem | SrcImmByte | ModRM | Lock,
362 [Group9*8] =
363 0, ImplicitOps | ModRM | Lock, 0, 0, 0, 0, 0, 0,
364 };
365
366 static u32 group2_table[] = {
367 [Group7*8] =
368 SrcNone | ModRM | Priv, 0, 0, SrcNone | ModRM | Priv,
369 SrcNone | ModRM | DstMem | Mov, 0,
370 SrcMem16 | ModRM | Mov | Priv, 0,
371 [Group9*8] =
372 0, 0, 0, 0, 0, 0, 0, 0,
373 };
374
375 /* EFLAGS bit definitions. */
376 #define EFLG_ID (1<<21)
377 #define EFLG_VIP (1<<20)
378 #define EFLG_VIF (1<<19)
379 #define EFLG_AC (1<<18)
380 #define EFLG_VM (1<<17)
381 #define EFLG_RF (1<<16)
382 #define EFLG_IOPL (3<<12)
383 #define EFLG_NT (1<<14)
384 #define EFLG_OF (1<<11)
385 #define EFLG_DF (1<<10)
386 #define EFLG_IF (1<<9)
387 #define EFLG_TF (1<<8)
388 #define EFLG_SF (1<<7)
389 #define EFLG_ZF (1<<6)
390 #define EFLG_AF (1<<4)
391 #define EFLG_PF (1<<2)
392 #define EFLG_CF (1<<0)
393
394 /*
395 * Instruction emulation:
396 * Most instructions are emulated directly via a fragment of inline assembly
397 * code. This allows us to save/restore EFLAGS and thus very easily pick up
398 * any modified flags.
399 */
400
401 #if defined(CONFIG_X86_64)
402 #define _LO32 "k" /* force 32-bit operand */
403 #define _STK "%%rsp" /* stack pointer */
404 #elif defined(__i386__)
405 #define _LO32 "" /* force 32-bit operand */
406 #define _STK "%%esp" /* stack pointer */
407 #endif
408
409 /*
410 * These EFLAGS bits are restored from saved value during emulation, and
411 * any changes are written back to the saved value after emulation.
412 */
413 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
414
415 /* Before executing instruction: restore necessary bits in EFLAGS. */
416 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
417 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
418 "movl %"_sav",%"_LO32 _tmp"; " \
419 "push %"_tmp"; " \
420 "push %"_tmp"; " \
421 "movl %"_msk",%"_LO32 _tmp"; " \
422 "andl %"_LO32 _tmp",("_STK"); " \
423 "pushf; " \
424 "notl %"_LO32 _tmp"; " \
425 "andl %"_LO32 _tmp",("_STK"); " \
426 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
427 "pop %"_tmp"; " \
428 "orl %"_LO32 _tmp",("_STK"); " \
429 "popf; " \
430 "pop %"_sav"; "
431
432 /* After executing instruction: write-back necessary bits in EFLAGS. */
433 #define _POST_EFLAGS(_sav, _msk, _tmp) \
434 /* _sav |= EFLAGS & _msk; */ \
435 "pushf; " \
436 "pop %"_tmp"; " \
437 "andl %"_msk",%"_LO32 _tmp"; " \
438 "orl %"_LO32 _tmp",%"_sav"; "
439
440 #ifdef CONFIG_X86_64
441 #define ON64(x) x
442 #else
443 #define ON64(x)
444 #endif
445
446 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
447 do { \
448 __asm__ __volatile__ ( \
449 _PRE_EFLAGS("0", "4", "2") \
450 _op _suffix " %"_x"3,%1; " \
451 _POST_EFLAGS("0", "4", "2") \
452 : "=m" (_eflags), "=m" ((_dst).val), \
453 "=&r" (_tmp) \
454 : _y ((_src).val), "i" (EFLAGS_MASK)); \
455 } while (0)
456
457
458 /* Raw emulation: instruction has two explicit operands. */
459 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
460 do { \
461 unsigned long _tmp; \
462 \
463 switch ((_dst).bytes) { \
464 case 2: \
465 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
466 break; \
467 case 4: \
468 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
469 break; \
470 case 8: \
471 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
472 break; \
473 } \
474 } while (0)
475
476 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
477 do { \
478 unsigned long _tmp; \
479 switch ((_dst).bytes) { \
480 case 1: \
481 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
482 break; \
483 default: \
484 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
485 _wx, _wy, _lx, _ly, _qx, _qy); \
486 break; \
487 } \
488 } while (0)
489
490 /* Source operand is byte-sized and may be restricted to just %cl. */
491 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
492 __emulate_2op(_op, _src, _dst, _eflags, \
493 "b", "c", "b", "c", "b", "c", "b", "c")
494
495 /* Source operand is byte, word, long or quad sized. */
496 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
497 __emulate_2op(_op, _src, _dst, _eflags, \
498 "b", "q", "w", "r", _LO32, "r", "", "r")
499
500 /* Source operand is word, long or quad sized. */
501 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
502 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
503 "w", "r", _LO32, "r", "", "r")
504
505 /* Instruction has three operands and one operand is stored in ECX register */
506 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
507 do { \
508 unsigned long _tmp; \
509 _type _clv = (_cl).val; \
510 _type _srcv = (_src).val; \
511 _type _dstv = (_dst).val; \
512 \
513 __asm__ __volatile__ ( \
514 _PRE_EFLAGS("0", "5", "2") \
515 _op _suffix " %4,%1 \n" \
516 _POST_EFLAGS("0", "5", "2") \
517 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
518 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
519 ); \
520 \
521 (_cl).val = (unsigned long) _clv; \
522 (_src).val = (unsigned long) _srcv; \
523 (_dst).val = (unsigned long) _dstv; \
524 } while (0)
525
526 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
527 do { \
528 switch ((_dst).bytes) { \
529 case 2: \
530 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
531 "w", unsigned short); \
532 break; \
533 case 4: \
534 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
535 "l", unsigned int); \
536 break; \
537 case 8: \
538 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
539 "q", unsigned long)); \
540 break; \
541 } \
542 } while (0)
543
544 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
545 do { \
546 unsigned long _tmp; \
547 \
548 __asm__ __volatile__ ( \
549 _PRE_EFLAGS("0", "3", "2") \
550 _op _suffix " %1; " \
551 _POST_EFLAGS("0", "3", "2") \
552 : "=m" (_eflags), "+m" ((_dst).val), \
553 "=&r" (_tmp) \
554 : "i" (EFLAGS_MASK)); \
555 } while (0)
556
557 /* Instruction has only one explicit operand (no source operand). */
558 #define emulate_1op(_op, _dst, _eflags) \
559 do { \
560 switch ((_dst).bytes) { \
561 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
562 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
563 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
564 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
565 } \
566 } while (0)
567
568 /* Fetch next part of the instruction being emulated. */
569 #define insn_fetch(_type, _size, _eip) \
570 ({ unsigned long _x; \
571 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
572 if (rc != X86EMUL_CONTINUE) \
573 goto done; \
574 (_eip) += (_size); \
575 (_type)_x; \
576 })
577
578 static inline unsigned long ad_mask(struct decode_cache *c)
579 {
580 return (1UL << (c->ad_bytes << 3)) - 1;
581 }
582
583 /* Access/update address held in a register, based on addressing mode. */
584 static inline unsigned long
585 address_mask(struct decode_cache *c, unsigned long reg)
586 {
587 if (c->ad_bytes == sizeof(unsigned long))
588 return reg;
589 else
590 return reg & ad_mask(c);
591 }
592
593 static inline unsigned long
594 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
595 {
596 return base + address_mask(c, reg);
597 }
598
599 static inline void
600 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
601 {
602 if (c->ad_bytes == sizeof(unsigned long))
603 *reg += inc;
604 else
605 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
606 }
607
608 static inline void jmp_rel(struct decode_cache *c, int rel)
609 {
610 register_address_increment(c, &c->eip, rel);
611 }
612
613 static void set_seg_override(struct decode_cache *c, int seg)
614 {
615 c->has_seg_override = true;
616 c->seg_override = seg;
617 }
618
619 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
620 {
621 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
622 return 0;
623
624 return kvm_x86_ops->get_segment_base(ctxt->vcpu, seg);
625 }
626
627 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
628 struct decode_cache *c)
629 {
630 if (!c->has_seg_override)
631 return 0;
632
633 return seg_base(ctxt, c->seg_override);
634 }
635
636 static unsigned long es_base(struct x86_emulate_ctxt *ctxt)
637 {
638 return seg_base(ctxt, VCPU_SREG_ES);
639 }
640
641 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt)
642 {
643 return seg_base(ctxt, VCPU_SREG_SS);
644 }
645
646 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
647 struct x86_emulate_ops *ops,
648 unsigned long linear, u8 *dest)
649 {
650 struct fetch_cache *fc = &ctxt->decode.fetch;
651 int rc;
652 int size;
653
654 if (linear < fc->start || linear >= fc->end) {
655 size = min(15UL, PAGE_SIZE - offset_in_page(linear));
656 rc = ops->fetch(linear, fc->data, size, ctxt->vcpu, NULL);
657 if (rc != X86EMUL_CONTINUE)
658 return rc;
659 fc->start = linear;
660 fc->end = linear + size;
661 }
662 *dest = fc->data[linear - fc->start];
663 return X86EMUL_CONTINUE;
664 }
665
666 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
667 struct x86_emulate_ops *ops,
668 unsigned long eip, void *dest, unsigned size)
669 {
670 int rc;
671
672 /* x86 instructions are limited to 15 bytes. */
673 if (eip + size - ctxt->eip > 15)
674 return X86EMUL_UNHANDLEABLE;
675 eip += ctxt->cs_base;
676 while (size--) {
677 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
678 if (rc != X86EMUL_CONTINUE)
679 return rc;
680 }
681 return X86EMUL_CONTINUE;
682 }
683
684 /*
685 * Given the 'reg' portion of a ModRM byte, and a register block, return a
686 * pointer into the block that addresses the relevant register.
687 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
688 */
689 static void *decode_register(u8 modrm_reg, unsigned long *regs,
690 int highbyte_regs)
691 {
692 void *p;
693
694 p = &regs[modrm_reg];
695 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
696 p = (unsigned char *)&regs[modrm_reg & 3] + 1;
697 return p;
698 }
699
700 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
701 struct x86_emulate_ops *ops,
702 void *ptr,
703 u16 *size, unsigned long *address, int op_bytes)
704 {
705 int rc;
706
707 if (op_bytes == 2)
708 op_bytes = 3;
709 *address = 0;
710 rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
711 ctxt->vcpu, NULL);
712 if (rc != X86EMUL_CONTINUE)
713 return rc;
714 rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
715 ctxt->vcpu, NULL);
716 return rc;
717 }
718
719 static int test_cc(unsigned int condition, unsigned int flags)
720 {
721 int rc = 0;
722
723 switch ((condition & 15) >> 1) {
724 case 0: /* o */
725 rc |= (flags & EFLG_OF);
726 break;
727 case 1: /* b/c/nae */
728 rc |= (flags & EFLG_CF);
729 break;
730 case 2: /* z/e */
731 rc |= (flags & EFLG_ZF);
732 break;
733 case 3: /* be/na */
734 rc |= (flags & (EFLG_CF|EFLG_ZF));
735 break;
736 case 4: /* s */
737 rc |= (flags & EFLG_SF);
738 break;
739 case 5: /* p/pe */
740 rc |= (flags & EFLG_PF);
741 break;
742 case 7: /* le/ng */
743 rc |= (flags & EFLG_ZF);
744 /* fall through */
745 case 6: /* l/nge */
746 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
747 break;
748 }
749
750 /* Odd condition identifiers (lsb == 1) have inverted sense. */
751 return (!!rc ^ (condition & 1));
752 }
753
754 static void decode_register_operand(struct operand *op,
755 struct decode_cache *c,
756 int inhibit_bytereg)
757 {
758 unsigned reg = c->modrm_reg;
759 int highbyte_regs = c->rex_prefix == 0;
760
761 if (!(c->d & ModRM))
762 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
763 op->type = OP_REG;
764 if ((c->d & ByteOp) && !inhibit_bytereg) {
765 op->ptr = decode_register(reg, c->regs, highbyte_regs);
766 op->val = *(u8 *)op->ptr;
767 op->bytes = 1;
768 } else {
769 op->ptr = decode_register(reg, c->regs, 0);
770 op->bytes = c->op_bytes;
771 switch (op->bytes) {
772 case 2:
773 op->val = *(u16 *)op->ptr;
774 break;
775 case 4:
776 op->val = *(u32 *)op->ptr;
777 break;
778 case 8:
779 op->val = *(u64 *) op->ptr;
780 break;
781 }
782 }
783 op->orig_val = op->val;
784 }
785
786 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
787 struct x86_emulate_ops *ops)
788 {
789 struct decode_cache *c = &ctxt->decode;
790 u8 sib;
791 int index_reg = 0, base_reg = 0, scale;
792 int rc = X86EMUL_CONTINUE;
793
794 if (c->rex_prefix) {
795 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
796 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
797 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
798 }
799
800 c->modrm = insn_fetch(u8, 1, c->eip);
801 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
802 c->modrm_reg |= (c->modrm & 0x38) >> 3;
803 c->modrm_rm |= (c->modrm & 0x07);
804 c->modrm_ea = 0;
805 c->use_modrm_ea = 1;
806
807 if (c->modrm_mod == 3) {
808 c->modrm_ptr = decode_register(c->modrm_rm,
809 c->regs, c->d & ByteOp);
810 c->modrm_val = *(unsigned long *)c->modrm_ptr;
811 return rc;
812 }
813
814 if (c->ad_bytes == 2) {
815 unsigned bx = c->regs[VCPU_REGS_RBX];
816 unsigned bp = c->regs[VCPU_REGS_RBP];
817 unsigned si = c->regs[VCPU_REGS_RSI];
818 unsigned di = c->regs[VCPU_REGS_RDI];
819
820 /* 16-bit ModR/M decode. */
821 switch (c->modrm_mod) {
822 case 0:
823 if (c->modrm_rm == 6)
824 c->modrm_ea += insn_fetch(u16, 2, c->eip);
825 break;
826 case 1:
827 c->modrm_ea += insn_fetch(s8, 1, c->eip);
828 break;
829 case 2:
830 c->modrm_ea += insn_fetch(u16, 2, c->eip);
831 break;
832 }
833 switch (c->modrm_rm) {
834 case 0:
835 c->modrm_ea += bx + si;
836 break;
837 case 1:
838 c->modrm_ea += bx + di;
839 break;
840 case 2:
841 c->modrm_ea += bp + si;
842 break;
843 case 3:
844 c->modrm_ea += bp + di;
845 break;
846 case 4:
847 c->modrm_ea += si;
848 break;
849 case 5:
850 c->modrm_ea += di;
851 break;
852 case 6:
853 if (c->modrm_mod != 0)
854 c->modrm_ea += bp;
855 break;
856 case 7:
857 c->modrm_ea += bx;
858 break;
859 }
860 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
861 (c->modrm_rm == 6 && c->modrm_mod != 0))
862 if (!c->has_seg_override)
863 set_seg_override(c, VCPU_SREG_SS);
864 c->modrm_ea = (u16)c->modrm_ea;
865 } else {
866 /* 32/64-bit ModR/M decode. */
867 if ((c->modrm_rm & 7) == 4) {
868 sib = insn_fetch(u8, 1, c->eip);
869 index_reg |= (sib >> 3) & 7;
870 base_reg |= sib & 7;
871 scale = sib >> 6;
872
873 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
874 c->modrm_ea += insn_fetch(s32, 4, c->eip);
875 else
876 c->modrm_ea += c->regs[base_reg];
877 if (index_reg != 4)
878 c->modrm_ea += c->regs[index_reg] << scale;
879 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
880 if (ctxt->mode == X86EMUL_MODE_PROT64)
881 c->rip_relative = 1;
882 } else
883 c->modrm_ea += c->regs[c->modrm_rm];
884 switch (c->modrm_mod) {
885 case 0:
886 if (c->modrm_rm == 5)
887 c->modrm_ea += insn_fetch(s32, 4, c->eip);
888 break;
889 case 1:
890 c->modrm_ea += insn_fetch(s8, 1, c->eip);
891 break;
892 case 2:
893 c->modrm_ea += insn_fetch(s32, 4, c->eip);
894 break;
895 }
896 }
897 done:
898 return rc;
899 }
900
901 static int decode_abs(struct x86_emulate_ctxt *ctxt,
902 struct x86_emulate_ops *ops)
903 {
904 struct decode_cache *c = &ctxt->decode;
905 int rc = X86EMUL_CONTINUE;
906
907 switch (c->ad_bytes) {
908 case 2:
909 c->modrm_ea = insn_fetch(u16, 2, c->eip);
910 break;
911 case 4:
912 c->modrm_ea = insn_fetch(u32, 4, c->eip);
913 break;
914 case 8:
915 c->modrm_ea = insn_fetch(u64, 8, c->eip);
916 break;
917 }
918 done:
919 return rc;
920 }
921
922 int
923 x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
924 {
925 struct decode_cache *c = &ctxt->decode;
926 int rc = X86EMUL_CONTINUE;
927 int mode = ctxt->mode;
928 int def_op_bytes, def_ad_bytes, group;
929
930
931 /* we cannot decode insn before we complete previous rep insn */
932 WARN_ON(ctxt->restart);
933
934 /* Shadow copy of register state. Committed on successful emulation. */
935 memset(c, 0, sizeof(struct decode_cache));
936 c->eip = ctxt->eip;
937 ctxt->cs_base = seg_base(ctxt, VCPU_SREG_CS);
938 memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
939
940 switch (mode) {
941 case X86EMUL_MODE_REAL:
942 case X86EMUL_MODE_VM86:
943 case X86EMUL_MODE_PROT16:
944 def_op_bytes = def_ad_bytes = 2;
945 break;
946 case X86EMUL_MODE_PROT32:
947 def_op_bytes = def_ad_bytes = 4;
948 break;
949 #ifdef CONFIG_X86_64
950 case X86EMUL_MODE_PROT64:
951 def_op_bytes = 4;
952 def_ad_bytes = 8;
953 break;
954 #endif
955 default:
956 return -1;
957 }
958
959 c->op_bytes = def_op_bytes;
960 c->ad_bytes = def_ad_bytes;
961
962 /* Legacy prefixes. */
963 for (;;) {
964 switch (c->b = insn_fetch(u8, 1, c->eip)) {
965 case 0x66: /* operand-size override */
966 /* switch between 2/4 bytes */
967 c->op_bytes = def_op_bytes ^ 6;
968 break;
969 case 0x67: /* address-size override */
970 if (mode == X86EMUL_MODE_PROT64)
971 /* switch between 4/8 bytes */
972 c->ad_bytes = def_ad_bytes ^ 12;
973 else
974 /* switch between 2/4 bytes */
975 c->ad_bytes = def_ad_bytes ^ 6;
976 break;
977 case 0x26: /* ES override */
978 case 0x2e: /* CS override */
979 case 0x36: /* SS override */
980 case 0x3e: /* DS override */
981 set_seg_override(c, (c->b >> 3) & 3);
982 break;
983 case 0x64: /* FS override */
984 case 0x65: /* GS override */
985 set_seg_override(c, c->b & 7);
986 break;
987 case 0x40 ... 0x4f: /* REX */
988 if (mode != X86EMUL_MODE_PROT64)
989 goto done_prefixes;
990 c->rex_prefix = c->b;
991 continue;
992 case 0xf0: /* LOCK */
993 c->lock_prefix = 1;
994 break;
995 case 0xf2: /* REPNE/REPNZ */
996 c->rep_prefix = REPNE_PREFIX;
997 break;
998 case 0xf3: /* REP/REPE/REPZ */
999 c->rep_prefix = REPE_PREFIX;
1000 break;
1001 default:
1002 goto done_prefixes;
1003 }
1004
1005 /* Any legacy prefix after a REX prefix nullifies its effect. */
1006
1007 c->rex_prefix = 0;
1008 }
1009
1010 done_prefixes:
1011
1012 /* REX prefix. */
1013 if (c->rex_prefix)
1014 if (c->rex_prefix & 8)
1015 c->op_bytes = 8; /* REX.W */
1016
1017 /* Opcode byte(s). */
1018 c->d = opcode_table[c->b];
1019 if (c->d == 0) {
1020 /* Two-byte opcode? */
1021 if (c->b == 0x0f) {
1022 c->twobyte = 1;
1023 c->b = insn_fetch(u8, 1, c->eip);
1024 c->d = twobyte_table[c->b];
1025 }
1026 }
1027
1028 if (c->d & Group) {
1029 group = c->d & GroupMask;
1030 c->modrm = insn_fetch(u8, 1, c->eip);
1031 --c->eip;
1032
1033 group = (group << 3) + ((c->modrm >> 3) & 7);
1034 if ((c->d & GroupDual) && (c->modrm >> 6) == 3)
1035 c->d = group2_table[group];
1036 else
1037 c->d = group_table[group];
1038 }
1039
1040 /* Unrecognised? */
1041 if (c->d == 0) {
1042 DPRINTF("Cannot emulate %02x\n", c->b);
1043 return -1;
1044 }
1045
1046 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
1047 c->op_bytes = 8;
1048
1049 /* ModRM and SIB bytes. */
1050 if (c->d & ModRM)
1051 rc = decode_modrm(ctxt, ops);
1052 else if (c->d & MemAbs)
1053 rc = decode_abs(ctxt, ops);
1054 if (rc != X86EMUL_CONTINUE)
1055 goto done;
1056
1057 if (!c->has_seg_override)
1058 set_seg_override(c, VCPU_SREG_DS);
1059
1060 if (!(!c->twobyte && c->b == 0x8d))
1061 c->modrm_ea += seg_override_base(ctxt, c);
1062
1063 if (c->ad_bytes != 8)
1064 c->modrm_ea = (u32)c->modrm_ea;
1065
1066 if (c->rip_relative)
1067 c->modrm_ea += c->eip;
1068
1069 /*
1070 * Decode and fetch the source operand: register, memory
1071 * or immediate.
1072 */
1073 switch (c->d & SrcMask) {
1074 case SrcNone:
1075 break;
1076 case SrcReg:
1077 decode_register_operand(&c->src, c, 0);
1078 break;
1079 case SrcMem16:
1080 c->src.bytes = 2;
1081 goto srcmem_common;
1082 case SrcMem32:
1083 c->src.bytes = 4;
1084 goto srcmem_common;
1085 case SrcMem:
1086 c->src.bytes = (c->d & ByteOp) ? 1 :
1087 c->op_bytes;
1088 /* Don't fetch the address for invlpg: it could be unmapped. */
1089 if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
1090 break;
1091 srcmem_common:
1092 /*
1093 * For instructions with a ModR/M byte, switch to register
1094 * access if Mod = 3.
1095 */
1096 if ((c->d & ModRM) && c->modrm_mod == 3) {
1097 c->src.type = OP_REG;
1098 c->src.val = c->modrm_val;
1099 c->src.ptr = c->modrm_ptr;
1100 break;
1101 }
1102 c->src.type = OP_MEM;
1103 c->src.ptr = (unsigned long *)c->modrm_ea;
1104 c->src.val = 0;
1105 break;
1106 case SrcImm:
1107 case SrcImmU:
1108 c->src.type = OP_IMM;
1109 c->src.ptr = (unsigned long *)c->eip;
1110 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1111 if (c->src.bytes == 8)
1112 c->src.bytes = 4;
1113 /* NB. Immediates are sign-extended as necessary. */
1114 switch (c->src.bytes) {
1115 case 1:
1116 c->src.val = insn_fetch(s8, 1, c->eip);
1117 break;
1118 case 2:
1119 c->src.val = insn_fetch(s16, 2, c->eip);
1120 break;
1121 case 4:
1122 c->src.val = insn_fetch(s32, 4, c->eip);
1123 break;
1124 }
1125 if ((c->d & SrcMask) == SrcImmU) {
1126 switch (c->src.bytes) {
1127 case 1:
1128 c->src.val &= 0xff;
1129 break;
1130 case 2:
1131 c->src.val &= 0xffff;
1132 break;
1133 case 4:
1134 c->src.val &= 0xffffffff;
1135 break;
1136 }
1137 }
1138 break;
1139 case SrcImmByte:
1140 case SrcImmUByte:
1141 c->src.type = OP_IMM;
1142 c->src.ptr = (unsigned long *)c->eip;
1143 c->src.bytes = 1;
1144 if ((c->d & SrcMask) == SrcImmByte)
1145 c->src.val = insn_fetch(s8, 1, c->eip);
1146 else
1147 c->src.val = insn_fetch(u8, 1, c->eip);
1148 break;
1149 case SrcOne:
1150 c->src.bytes = 1;
1151 c->src.val = 1;
1152 break;
1153 case SrcSI:
1154 c->src.type = OP_MEM;
1155 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1156 c->src.ptr = (unsigned long *)
1157 register_address(c, seg_override_base(ctxt, c),
1158 c->regs[VCPU_REGS_RSI]);
1159 c->src.val = 0;
1160 break;
1161 }
1162
1163 /*
1164 * Decode and fetch the second source operand: register, memory
1165 * or immediate.
1166 */
1167 switch (c->d & Src2Mask) {
1168 case Src2None:
1169 break;
1170 case Src2CL:
1171 c->src2.bytes = 1;
1172 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
1173 break;
1174 case Src2ImmByte:
1175 c->src2.type = OP_IMM;
1176 c->src2.ptr = (unsigned long *)c->eip;
1177 c->src2.bytes = 1;
1178 c->src2.val = insn_fetch(u8, 1, c->eip);
1179 break;
1180 case Src2Imm16:
1181 c->src2.type = OP_IMM;
1182 c->src2.ptr = (unsigned long *)c->eip;
1183 c->src2.bytes = 2;
1184 c->src2.val = insn_fetch(u16, 2, c->eip);
1185 break;
1186 case Src2One:
1187 c->src2.bytes = 1;
1188 c->src2.val = 1;
1189 break;
1190 case Src2Mem16:
1191 c->src2.type = OP_MEM;
1192 c->src2.bytes = 2;
1193 c->src2.ptr = (unsigned long *)(c->modrm_ea + c->src.bytes);
1194 c->src2.val = 0;
1195 break;
1196 }
1197
1198 /* Decode and fetch the destination operand: register or memory. */
1199 switch (c->d & DstMask) {
1200 case ImplicitOps:
1201 /* Special instructions do their own operand decoding. */
1202 return 0;
1203 case DstReg:
1204 decode_register_operand(&c->dst, c,
1205 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
1206 break;
1207 case DstMem:
1208 if ((c->d & ModRM) && c->modrm_mod == 3) {
1209 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1210 c->dst.type = OP_REG;
1211 c->dst.val = c->dst.orig_val = c->modrm_val;
1212 c->dst.ptr = c->modrm_ptr;
1213 break;
1214 }
1215 c->dst.type = OP_MEM;
1216 c->dst.ptr = (unsigned long *)c->modrm_ea;
1217 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1218 c->dst.val = 0;
1219 if (c->d & BitOp) {
1220 unsigned long mask = ~(c->dst.bytes * 8 - 1);
1221
1222 c->dst.ptr = (void *)c->dst.ptr +
1223 (c->src.val & mask) / 8;
1224 }
1225 break;
1226 case DstAcc:
1227 c->dst.type = OP_REG;
1228 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1229 c->dst.ptr = &c->regs[VCPU_REGS_RAX];
1230 switch (c->dst.bytes) {
1231 case 1:
1232 c->dst.val = *(u8 *)c->dst.ptr;
1233 break;
1234 case 2:
1235 c->dst.val = *(u16 *)c->dst.ptr;
1236 break;
1237 case 4:
1238 c->dst.val = *(u32 *)c->dst.ptr;
1239 break;
1240 case 8:
1241 c->dst.val = *(u64 *)c->dst.ptr;
1242 break;
1243 }
1244 c->dst.orig_val = c->dst.val;
1245 break;
1246 case DstDI:
1247 c->dst.type = OP_MEM;
1248 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1249 c->dst.ptr = (unsigned long *)
1250 register_address(c, es_base(ctxt),
1251 c->regs[VCPU_REGS_RDI]);
1252 c->dst.val = 0;
1253 break;
1254 }
1255
1256 done:
1257 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
1258 }
1259
1260 static u32 desc_limit_scaled(struct desc_struct *desc)
1261 {
1262 u32 limit = get_desc_limit(desc);
1263
1264 return desc->g ? (limit << 12) | 0xfff : limit;
1265 }
1266
1267 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1268 struct x86_emulate_ops *ops,
1269 u16 selector, struct desc_ptr *dt)
1270 {
1271 if (selector & 1 << 2) {
1272 struct desc_struct desc;
1273 memset (dt, 0, sizeof *dt);
1274 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
1275 return;
1276
1277 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1278 dt->address = get_desc_base(&desc);
1279 } else
1280 ops->get_gdt(dt, ctxt->vcpu);
1281 }
1282
1283 /* allowed just for 8 bytes segments */
1284 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1285 struct x86_emulate_ops *ops,
1286 u16 selector, struct desc_struct *desc)
1287 {
1288 struct desc_ptr dt;
1289 u16 index = selector >> 3;
1290 int ret;
1291 u32 err;
1292 ulong addr;
1293
1294 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1295
1296 if (dt.size < index * 8 + 7) {
1297 kvm_inject_gp(ctxt->vcpu, selector & 0xfffc);
1298 return X86EMUL_PROPAGATE_FAULT;
1299 }
1300 addr = dt.address + index * 8;
1301 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1302 if (ret == X86EMUL_PROPAGATE_FAULT)
1303 kvm_inject_page_fault(ctxt->vcpu, addr, err);
1304
1305 return ret;
1306 }
1307
1308 /* allowed just for 8 bytes segments */
1309 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1310 struct x86_emulate_ops *ops,
1311 u16 selector, struct desc_struct *desc)
1312 {
1313 struct desc_ptr dt;
1314 u16 index = selector >> 3;
1315 u32 err;
1316 ulong addr;
1317 int ret;
1318
1319 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1320
1321 if (dt.size < index * 8 + 7) {
1322 kvm_inject_gp(ctxt->vcpu, selector & 0xfffc);
1323 return X86EMUL_PROPAGATE_FAULT;
1324 }
1325
1326 addr = dt.address + index * 8;
1327 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1328 if (ret == X86EMUL_PROPAGATE_FAULT)
1329 kvm_inject_page_fault(ctxt->vcpu, addr, err);
1330
1331 return ret;
1332 }
1333
1334 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1335 struct x86_emulate_ops *ops,
1336 u16 selector, int seg)
1337 {
1338 struct desc_struct seg_desc;
1339 u8 dpl, rpl, cpl;
1340 unsigned err_vec = GP_VECTOR;
1341 u32 err_code = 0;
1342 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1343 int ret;
1344
1345 memset(&seg_desc, 0, sizeof seg_desc);
1346
1347 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1348 || ctxt->mode == X86EMUL_MODE_REAL) {
1349 /* set real mode segment descriptor */
1350 set_desc_base(&seg_desc, selector << 4);
1351 set_desc_limit(&seg_desc, 0xffff);
1352 seg_desc.type = 3;
1353 seg_desc.p = 1;
1354 seg_desc.s = 1;
1355 goto load;
1356 }
1357
1358 /* NULL selector is not valid for TR, CS and SS */
1359 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
1360 && null_selector)
1361 goto exception;
1362
1363 /* TR should be in GDT only */
1364 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1365 goto exception;
1366
1367 if (null_selector) /* for NULL selector skip all following checks */
1368 goto load;
1369
1370 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
1371 if (ret != X86EMUL_CONTINUE)
1372 return ret;
1373
1374 err_code = selector & 0xfffc;
1375 err_vec = GP_VECTOR;
1376
1377 /* can't load system descriptor into segment selecor */
1378 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1379 goto exception;
1380
1381 if (!seg_desc.p) {
1382 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1383 goto exception;
1384 }
1385
1386 rpl = selector & 3;
1387 dpl = seg_desc.dpl;
1388 cpl = ops->cpl(ctxt->vcpu);
1389
1390 switch (seg) {
1391 case VCPU_SREG_SS:
1392 /*
1393 * segment is not a writable data segment or segment
1394 * selector's RPL != CPL or segment selector's RPL != CPL
1395 */
1396 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1397 goto exception;
1398 break;
1399 case VCPU_SREG_CS:
1400 if (!(seg_desc.type & 8))
1401 goto exception;
1402
1403 if (seg_desc.type & 4) {
1404 /* conforming */
1405 if (dpl > cpl)
1406 goto exception;
1407 } else {
1408 /* nonconforming */
1409 if (rpl > cpl || dpl != cpl)
1410 goto exception;
1411 }
1412 /* CS(RPL) <- CPL */
1413 selector = (selector & 0xfffc) | cpl;
1414 break;
1415 case VCPU_SREG_TR:
1416 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1417 goto exception;
1418 break;
1419 case VCPU_SREG_LDTR:
1420 if (seg_desc.s || seg_desc.type != 2)
1421 goto exception;
1422 break;
1423 default: /* DS, ES, FS, or GS */
1424 /*
1425 * segment is not a data or readable code segment or
1426 * ((segment is a data or nonconforming code segment)
1427 * and (both RPL and CPL > DPL))
1428 */
1429 if ((seg_desc.type & 0xa) == 0x8 ||
1430 (((seg_desc.type & 0xc) != 0xc) &&
1431 (rpl > dpl && cpl > dpl)))
1432 goto exception;
1433 break;
1434 }
1435
1436 if (seg_desc.s) {
1437 /* mark segment as accessed */
1438 seg_desc.type |= 1;
1439 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1440 if (ret != X86EMUL_CONTINUE)
1441 return ret;
1442 }
1443 load:
1444 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1445 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
1446 return X86EMUL_CONTINUE;
1447 exception:
1448 kvm_queue_exception_e(ctxt->vcpu, err_vec, err_code);
1449 return X86EMUL_PROPAGATE_FAULT;
1450 }
1451
1452 static inline void emulate_push(struct x86_emulate_ctxt *ctxt)
1453 {
1454 struct decode_cache *c = &ctxt->decode;
1455
1456 c->dst.type = OP_MEM;
1457 c->dst.bytes = c->op_bytes;
1458 c->dst.val = c->src.val;
1459 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1460 c->dst.ptr = (void *) register_address(c, ss_base(ctxt),
1461 c->regs[VCPU_REGS_RSP]);
1462 }
1463
1464 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1465 struct x86_emulate_ops *ops,
1466 void *dest, int len)
1467 {
1468 struct decode_cache *c = &ctxt->decode;
1469 int rc;
1470
1471 rc = ops->read_emulated(register_address(c, ss_base(ctxt),
1472 c->regs[VCPU_REGS_RSP]),
1473 dest, len, ctxt->vcpu);
1474 if (rc != X86EMUL_CONTINUE)
1475 return rc;
1476
1477 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1478 return rc;
1479 }
1480
1481 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1482 struct x86_emulate_ops *ops,
1483 void *dest, int len)
1484 {
1485 int rc;
1486 unsigned long val, change_mask;
1487 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1488 int cpl = ops->cpl(ctxt->vcpu);
1489
1490 rc = emulate_pop(ctxt, ops, &val, len);
1491 if (rc != X86EMUL_CONTINUE)
1492 return rc;
1493
1494 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1495 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1496
1497 switch(ctxt->mode) {
1498 case X86EMUL_MODE_PROT64:
1499 case X86EMUL_MODE_PROT32:
1500 case X86EMUL_MODE_PROT16:
1501 if (cpl == 0)
1502 change_mask |= EFLG_IOPL;
1503 if (cpl <= iopl)
1504 change_mask |= EFLG_IF;
1505 break;
1506 case X86EMUL_MODE_VM86:
1507 if (iopl < 3) {
1508 kvm_inject_gp(ctxt->vcpu, 0);
1509 return X86EMUL_PROPAGATE_FAULT;
1510 }
1511 change_mask |= EFLG_IF;
1512 break;
1513 default: /* real mode */
1514 change_mask |= (EFLG_IOPL | EFLG_IF);
1515 break;
1516 }
1517
1518 *(unsigned long *)dest =
1519 (ctxt->eflags & ~change_mask) | (val & change_mask);
1520
1521 return rc;
1522 }
1523
1524 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt, int seg)
1525 {
1526 struct decode_cache *c = &ctxt->decode;
1527 struct kvm_segment segment;
1528
1529 kvm_x86_ops->get_segment(ctxt->vcpu, &segment, seg);
1530
1531 c->src.val = segment.selector;
1532 emulate_push(ctxt);
1533 }
1534
1535 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1536 struct x86_emulate_ops *ops, int seg)
1537 {
1538 struct decode_cache *c = &ctxt->decode;
1539 unsigned long selector;
1540 int rc;
1541
1542 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1543 if (rc != X86EMUL_CONTINUE)
1544 return rc;
1545
1546 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1547 return rc;
1548 }
1549
1550 static void emulate_pusha(struct x86_emulate_ctxt *ctxt)
1551 {
1552 struct decode_cache *c = &ctxt->decode;
1553 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1554 int reg = VCPU_REGS_RAX;
1555
1556 while (reg <= VCPU_REGS_RDI) {
1557 (reg == VCPU_REGS_RSP) ?
1558 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1559
1560 emulate_push(ctxt);
1561 ++reg;
1562 }
1563 }
1564
1565 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1566 struct x86_emulate_ops *ops)
1567 {
1568 struct decode_cache *c = &ctxt->decode;
1569 int rc = X86EMUL_CONTINUE;
1570 int reg = VCPU_REGS_RDI;
1571
1572 while (reg >= VCPU_REGS_RAX) {
1573 if (reg == VCPU_REGS_RSP) {
1574 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1575 c->op_bytes);
1576 --reg;
1577 }
1578
1579 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1580 if (rc != X86EMUL_CONTINUE)
1581 break;
1582 --reg;
1583 }
1584 return rc;
1585 }
1586
1587 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1588 struct x86_emulate_ops *ops)
1589 {
1590 struct decode_cache *c = &ctxt->decode;
1591
1592 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1593 }
1594
1595 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1596 {
1597 struct decode_cache *c = &ctxt->decode;
1598 switch (c->modrm_reg) {
1599 case 0: /* rol */
1600 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1601 break;
1602 case 1: /* ror */
1603 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1604 break;
1605 case 2: /* rcl */
1606 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1607 break;
1608 case 3: /* rcr */
1609 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1610 break;
1611 case 4: /* sal/shl */
1612 case 6: /* sal/shl */
1613 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1614 break;
1615 case 5: /* shr */
1616 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1617 break;
1618 case 7: /* sar */
1619 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1620 break;
1621 }
1622 }
1623
1624 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1625 struct x86_emulate_ops *ops)
1626 {
1627 struct decode_cache *c = &ctxt->decode;
1628
1629 switch (c->modrm_reg) {
1630 case 0 ... 1: /* test */
1631 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1632 break;
1633 case 2: /* not */
1634 c->dst.val = ~c->dst.val;
1635 break;
1636 case 3: /* neg */
1637 emulate_1op("neg", c->dst, ctxt->eflags);
1638 break;
1639 default:
1640 return 0;
1641 }
1642 return 1;
1643 }
1644
1645 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1646 struct x86_emulate_ops *ops)
1647 {
1648 struct decode_cache *c = &ctxt->decode;
1649
1650 switch (c->modrm_reg) {
1651 case 0: /* inc */
1652 emulate_1op("inc", c->dst, ctxt->eflags);
1653 break;
1654 case 1: /* dec */
1655 emulate_1op("dec", c->dst, ctxt->eflags);
1656 break;
1657 case 2: /* call near abs */ {
1658 long int old_eip;
1659 old_eip = c->eip;
1660 c->eip = c->src.val;
1661 c->src.val = old_eip;
1662 emulate_push(ctxt);
1663 break;
1664 }
1665 case 4: /* jmp abs */
1666 c->eip = c->src.val;
1667 break;
1668 case 6: /* push */
1669 emulate_push(ctxt);
1670 break;
1671 }
1672 return X86EMUL_CONTINUE;
1673 }
1674
1675 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1676 struct x86_emulate_ops *ops)
1677 {
1678 struct decode_cache *c = &ctxt->decode;
1679 u64 old, new;
1680 int rc;
1681
1682 rc = ops->read_emulated(c->modrm_ea, &old, 8, ctxt->vcpu);
1683 if (rc != X86EMUL_CONTINUE)
1684 return rc;
1685
1686 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1687 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1688
1689 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1690 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1691 ctxt->eflags &= ~EFLG_ZF;
1692
1693 } else {
1694 new = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1695 (u32) c->regs[VCPU_REGS_RBX];
1696
1697 rc = ops->cmpxchg_emulated(c->modrm_ea, &old, &new, 8, ctxt->vcpu);
1698 if (rc != X86EMUL_CONTINUE)
1699 return rc;
1700 ctxt->eflags |= EFLG_ZF;
1701 }
1702 return X86EMUL_CONTINUE;
1703 }
1704
1705 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1706 struct x86_emulate_ops *ops)
1707 {
1708 struct decode_cache *c = &ctxt->decode;
1709 int rc;
1710 unsigned long cs;
1711
1712 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1713 if (rc != X86EMUL_CONTINUE)
1714 return rc;
1715 if (c->op_bytes == 4)
1716 c->eip = (u32)c->eip;
1717 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1718 if (rc != X86EMUL_CONTINUE)
1719 return rc;
1720 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1721 return rc;
1722 }
1723
1724 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1725 struct x86_emulate_ops *ops)
1726 {
1727 int rc;
1728 struct decode_cache *c = &ctxt->decode;
1729
1730 switch (c->dst.type) {
1731 case OP_REG:
1732 /* The 4-byte case *is* correct:
1733 * in 64-bit mode we zero-extend.
1734 */
1735 switch (c->dst.bytes) {
1736 case 1:
1737 *(u8 *)c->dst.ptr = (u8)c->dst.val;
1738 break;
1739 case 2:
1740 *(u16 *)c->dst.ptr = (u16)c->dst.val;
1741 break;
1742 case 4:
1743 *c->dst.ptr = (u32)c->dst.val;
1744 break; /* 64b: zero-ext */
1745 case 8:
1746 *c->dst.ptr = c->dst.val;
1747 break;
1748 }
1749 break;
1750 case OP_MEM:
1751 if (c->lock_prefix)
1752 rc = ops->cmpxchg_emulated(
1753 (unsigned long)c->dst.ptr,
1754 &c->dst.orig_val,
1755 &c->dst.val,
1756 c->dst.bytes,
1757 ctxt->vcpu);
1758 else
1759 rc = ops->write_emulated(
1760 (unsigned long)c->dst.ptr,
1761 &c->dst.val,
1762 c->dst.bytes,
1763 ctxt->vcpu);
1764 if (rc != X86EMUL_CONTINUE)
1765 return rc;
1766 break;
1767 case OP_NONE:
1768 /* no writeback */
1769 break;
1770 default:
1771 break;
1772 }
1773 return X86EMUL_CONTINUE;
1774 }
1775
1776 static void toggle_interruptibility(struct x86_emulate_ctxt *ctxt, u32 mask)
1777 {
1778 u32 int_shadow = kvm_x86_ops->get_interrupt_shadow(ctxt->vcpu, mask);
1779 /*
1780 * an sti; sti; sequence only disable interrupts for the first
1781 * instruction. So, if the last instruction, be it emulated or
1782 * not, left the system with the INT_STI flag enabled, it
1783 * means that the last instruction is an sti. We should not
1784 * leave the flag on in this case. The same goes for mov ss
1785 */
1786 if (!(int_shadow & mask))
1787 ctxt->interruptibility = mask;
1788 }
1789
1790 static inline void
1791 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1792 struct kvm_segment *cs, struct kvm_segment *ss)
1793 {
1794 memset(cs, 0, sizeof(struct kvm_segment));
1795 kvm_x86_ops->get_segment(ctxt->vcpu, cs, VCPU_SREG_CS);
1796 memset(ss, 0, sizeof(struct kvm_segment));
1797
1798 cs->l = 0; /* will be adjusted later */
1799 cs->base = 0; /* flat segment */
1800 cs->g = 1; /* 4kb granularity */
1801 cs->limit = 0xffffffff; /* 4GB limit */
1802 cs->type = 0x0b; /* Read, Execute, Accessed */
1803 cs->s = 1;
1804 cs->dpl = 0; /* will be adjusted later */
1805 cs->present = 1;
1806 cs->db = 1;
1807
1808 ss->unusable = 0;
1809 ss->base = 0; /* flat segment */
1810 ss->limit = 0xffffffff; /* 4GB limit */
1811 ss->g = 1; /* 4kb granularity */
1812 ss->s = 1;
1813 ss->type = 0x03; /* Read/Write, Accessed */
1814 ss->db = 1; /* 32bit stack segment */
1815 ss->dpl = 0;
1816 ss->present = 1;
1817 }
1818
1819 static int
1820 emulate_syscall(struct x86_emulate_ctxt *ctxt)
1821 {
1822 struct decode_cache *c = &ctxt->decode;
1823 struct kvm_segment cs, ss;
1824 u64 msr_data;
1825
1826 /* syscall is not available in real mode */
1827 if (ctxt->mode == X86EMUL_MODE_REAL ||
1828 ctxt->mode == X86EMUL_MODE_VM86) {
1829 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
1830 return X86EMUL_PROPAGATE_FAULT;
1831 }
1832
1833 setup_syscalls_segments(ctxt, &cs, &ss);
1834
1835 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1836 msr_data >>= 32;
1837 cs.selector = (u16)(msr_data & 0xfffc);
1838 ss.selector = (u16)(msr_data + 8);
1839
1840 if (is_long_mode(ctxt->vcpu)) {
1841 cs.db = 0;
1842 cs.l = 1;
1843 }
1844 kvm_x86_ops->set_segment(ctxt->vcpu, &cs, VCPU_SREG_CS);
1845 kvm_x86_ops->set_segment(ctxt->vcpu, &ss, VCPU_SREG_SS);
1846
1847 c->regs[VCPU_REGS_RCX] = c->eip;
1848 if (is_long_mode(ctxt->vcpu)) {
1849 #ifdef CONFIG_X86_64
1850 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1851
1852 kvm_x86_ops->get_msr(ctxt->vcpu,
1853 ctxt->mode == X86EMUL_MODE_PROT64 ?
1854 MSR_LSTAR : MSR_CSTAR, &msr_data);
1855 c->eip = msr_data;
1856
1857 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1858 ctxt->eflags &= ~(msr_data | EFLG_RF);
1859 #endif
1860 } else {
1861 /* legacy mode */
1862 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1863 c->eip = (u32)msr_data;
1864
1865 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1866 }
1867
1868 return X86EMUL_CONTINUE;
1869 }
1870
1871 static int
1872 emulate_sysenter(struct x86_emulate_ctxt *ctxt)
1873 {
1874 struct decode_cache *c = &ctxt->decode;
1875 struct kvm_segment cs, ss;
1876 u64 msr_data;
1877
1878 /* inject #GP if in real mode */
1879 if (ctxt->mode == X86EMUL_MODE_REAL) {
1880 kvm_inject_gp(ctxt->vcpu, 0);
1881 return X86EMUL_PROPAGATE_FAULT;
1882 }
1883
1884 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1885 * Therefore, we inject an #UD.
1886 */
1887 if (ctxt->mode == X86EMUL_MODE_PROT64) {
1888 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
1889 return X86EMUL_PROPAGATE_FAULT;
1890 }
1891
1892 setup_syscalls_segments(ctxt, &cs, &ss);
1893
1894 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1895 switch (ctxt->mode) {
1896 case X86EMUL_MODE_PROT32:
1897 if ((msr_data & 0xfffc) == 0x0) {
1898 kvm_inject_gp(ctxt->vcpu, 0);
1899 return X86EMUL_PROPAGATE_FAULT;
1900 }
1901 break;
1902 case X86EMUL_MODE_PROT64:
1903 if (msr_data == 0x0) {
1904 kvm_inject_gp(ctxt->vcpu, 0);
1905 return X86EMUL_PROPAGATE_FAULT;
1906 }
1907 break;
1908 }
1909
1910 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1911 cs.selector = (u16)msr_data;
1912 cs.selector &= ~SELECTOR_RPL_MASK;
1913 ss.selector = cs.selector + 8;
1914 ss.selector &= ~SELECTOR_RPL_MASK;
1915 if (ctxt->mode == X86EMUL_MODE_PROT64
1916 || is_long_mode(ctxt->vcpu)) {
1917 cs.db = 0;
1918 cs.l = 1;
1919 }
1920
1921 kvm_x86_ops->set_segment(ctxt->vcpu, &cs, VCPU_SREG_CS);
1922 kvm_x86_ops->set_segment(ctxt->vcpu, &ss, VCPU_SREG_SS);
1923
1924 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
1925 c->eip = msr_data;
1926
1927 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
1928 c->regs[VCPU_REGS_RSP] = msr_data;
1929
1930 return X86EMUL_CONTINUE;
1931 }
1932
1933 static int
1934 emulate_sysexit(struct x86_emulate_ctxt *ctxt)
1935 {
1936 struct decode_cache *c = &ctxt->decode;
1937 struct kvm_segment cs, ss;
1938 u64 msr_data;
1939 int usermode;
1940
1941 /* inject #GP if in real mode or Virtual 8086 mode */
1942 if (ctxt->mode == X86EMUL_MODE_REAL ||
1943 ctxt->mode == X86EMUL_MODE_VM86) {
1944 kvm_inject_gp(ctxt->vcpu, 0);
1945 return X86EMUL_PROPAGATE_FAULT;
1946 }
1947
1948 setup_syscalls_segments(ctxt, &cs, &ss);
1949
1950 if ((c->rex_prefix & 0x8) != 0x0)
1951 usermode = X86EMUL_MODE_PROT64;
1952 else
1953 usermode = X86EMUL_MODE_PROT32;
1954
1955 cs.dpl = 3;
1956 ss.dpl = 3;
1957 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1958 switch (usermode) {
1959 case X86EMUL_MODE_PROT32:
1960 cs.selector = (u16)(msr_data + 16);
1961 if ((msr_data & 0xfffc) == 0x0) {
1962 kvm_inject_gp(ctxt->vcpu, 0);
1963 return X86EMUL_PROPAGATE_FAULT;
1964 }
1965 ss.selector = (u16)(msr_data + 24);
1966 break;
1967 case X86EMUL_MODE_PROT64:
1968 cs.selector = (u16)(msr_data + 32);
1969 if (msr_data == 0x0) {
1970 kvm_inject_gp(ctxt->vcpu, 0);
1971 return X86EMUL_PROPAGATE_FAULT;
1972 }
1973 ss.selector = cs.selector + 8;
1974 cs.db = 0;
1975 cs.l = 1;
1976 break;
1977 }
1978 cs.selector |= SELECTOR_RPL_MASK;
1979 ss.selector |= SELECTOR_RPL_MASK;
1980
1981 kvm_x86_ops->set_segment(ctxt->vcpu, &cs, VCPU_SREG_CS);
1982 kvm_x86_ops->set_segment(ctxt->vcpu, &ss, VCPU_SREG_SS);
1983
1984 c->eip = ctxt->vcpu->arch.regs[VCPU_REGS_RDX];
1985 c->regs[VCPU_REGS_RSP] = ctxt->vcpu->arch.regs[VCPU_REGS_RCX];
1986
1987 return X86EMUL_CONTINUE;
1988 }
1989
1990 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
1991 struct x86_emulate_ops *ops)
1992 {
1993 int iopl;
1994 if (ctxt->mode == X86EMUL_MODE_REAL)
1995 return false;
1996 if (ctxt->mode == X86EMUL_MODE_VM86)
1997 return true;
1998 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1999 return ops->cpl(ctxt->vcpu) > iopl;
2000 }
2001
2002 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2003 struct x86_emulate_ops *ops,
2004 u16 port, u16 len)
2005 {
2006 struct kvm_segment tr_seg;
2007 int r;
2008 u16 io_bitmap_ptr;
2009 u8 perm, bit_idx = port & 0x7;
2010 unsigned mask = (1 << len) - 1;
2011
2012 kvm_get_segment(ctxt->vcpu, &tr_seg, VCPU_SREG_TR);
2013 if (tr_seg.unusable)
2014 return false;
2015 if (tr_seg.limit < 103)
2016 return false;
2017 r = ops->read_std(tr_seg.base + 102, &io_bitmap_ptr, 2, ctxt->vcpu,
2018 NULL);
2019 if (r != X86EMUL_CONTINUE)
2020 return false;
2021 if (io_bitmap_ptr + port/8 > tr_seg.limit)
2022 return false;
2023 r = ops->read_std(tr_seg.base + io_bitmap_ptr + port/8, &perm, 1,
2024 ctxt->vcpu, NULL);
2025 if (r != X86EMUL_CONTINUE)
2026 return false;
2027 if ((perm >> bit_idx) & mask)
2028 return false;
2029 return true;
2030 }
2031
2032 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2033 struct x86_emulate_ops *ops,
2034 u16 port, u16 len)
2035 {
2036 if (emulator_bad_iopl(ctxt, ops))
2037 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
2038 return false;
2039 return true;
2040 }
2041
2042 static u32 get_cached_descriptor_base(struct x86_emulate_ctxt *ctxt,
2043 struct x86_emulate_ops *ops,
2044 int seg)
2045 {
2046 struct desc_struct desc;
2047 if (ops->get_cached_descriptor(&desc, seg, ctxt->vcpu))
2048 return get_desc_base(&desc);
2049 else
2050 return ~0;
2051 }
2052
2053 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2054 struct x86_emulate_ops *ops,
2055 struct tss_segment_16 *tss)
2056 {
2057 struct decode_cache *c = &ctxt->decode;
2058
2059 tss->ip = c->eip;
2060 tss->flag = ctxt->eflags;
2061 tss->ax = c->regs[VCPU_REGS_RAX];
2062 tss->cx = c->regs[VCPU_REGS_RCX];
2063 tss->dx = c->regs[VCPU_REGS_RDX];
2064 tss->bx = c->regs[VCPU_REGS_RBX];
2065 tss->sp = c->regs[VCPU_REGS_RSP];
2066 tss->bp = c->regs[VCPU_REGS_RBP];
2067 tss->si = c->regs[VCPU_REGS_RSI];
2068 tss->di = c->regs[VCPU_REGS_RDI];
2069
2070 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2071 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2072 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2073 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2074 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2075 }
2076
2077 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2078 struct x86_emulate_ops *ops,
2079 struct tss_segment_16 *tss)
2080 {
2081 struct decode_cache *c = &ctxt->decode;
2082 int ret;
2083
2084 c->eip = tss->ip;
2085 ctxt->eflags = tss->flag | 2;
2086 c->regs[VCPU_REGS_RAX] = tss->ax;
2087 c->regs[VCPU_REGS_RCX] = tss->cx;
2088 c->regs[VCPU_REGS_RDX] = tss->dx;
2089 c->regs[VCPU_REGS_RBX] = tss->bx;
2090 c->regs[VCPU_REGS_RSP] = tss->sp;
2091 c->regs[VCPU_REGS_RBP] = tss->bp;
2092 c->regs[VCPU_REGS_RSI] = tss->si;
2093 c->regs[VCPU_REGS_RDI] = tss->di;
2094
2095 /*
2096 * SDM says that segment selectors are loaded before segment
2097 * descriptors
2098 */
2099 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
2100 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2101 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2102 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2103 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2104
2105 /*
2106 * Now load segment descriptors. If fault happenes at this stage
2107 * it is handled in a context of new task
2108 */
2109 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
2110 if (ret != X86EMUL_CONTINUE)
2111 return ret;
2112 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2113 if (ret != X86EMUL_CONTINUE)
2114 return ret;
2115 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2116 if (ret != X86EMUL_CONTINUE)
2117 return ret;
2118 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2119 if (ret != X86EMUL_CONTINUE)
2120 return ret;
2121 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2122 if (ret != X86EMUL_CONTINUE)
2123 return ret;
2124
2125 return X86EMUL_CONTINUE;
2126 }
2127
2128 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2129 struct x86_emulate_ops *ops,
2130 u16 tss_selector, u16 old_tss_sel,
2131 ulong old_tss_base, struct desc_struct *new_desc)
2132 {
2133 struct tss_segment_16 tss_seg;
2134 int ret;
2135 u32 err, new_tss_base = get_desc_base(new_desc);
2136
2137 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2138 &err);
2139 if (ret == X86EMUL_PROPAGATE_FAULT) {
2140 /* FIXME: need to provide precise fault address */
2141 kvm_inject_page_fault(ctxt->vcpu, old_tss_base, err);
2142 return ret;
2143 }
2144
2145 save_state_to_tss16(ctxt, ops, &tss_seg);
2146
2147 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2148 &err);
2149 if (ret == X86EMUL_PROPAGATE_FAULT) {
2150 /* FIXME: need to provide precise fault address */
2151 kvm_inject_page_fault(ctxt->vcpu, old_tss_base, err);
2152 return ret;
2153 }
2154
2155 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2156 &err);
2157 if (ret == X86EMUL_PROPAGATE_FAULT) {
2158 /* FIXME: need to provide precise fault address */
2159 kvm_inject_page_fault(ctxt->vcpu, new_tss_base, err);
2160 return ret;
2161 }
2162
2163 if (old_tss_sel != 0xffff) {
2164 tss_seg.prev_task_link = old_tss_sel;
2165
2166 ret = ops->write_std(new_tss_base,
2167 &tss_seg.prev_task_link,
2168 sizeof tss_seg.prev_task_link,
2169 ctxt->vcpu, &err);
2170 if (ret == X86EMUL_PROPAGATE_FAULT) {
2171 /* FIXME: need to provide precise fault address */
2172 kvm_inject_page_fault(ctxt->vcpu, new_tss_base, err);
2173 return ret;
2174 }
2175 }
2176
2177 return load_state_from_tss16(ctxt, ops, &tss_seg);
2178 }
2179
2180 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2181 struct x86_emulate_ops *ops,
2182 struct tss_segment_32 *tss)
2183 {
2184 struct decode_cache *c = &ctxt->decode;
2185
2186 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
2187 tss->eip = c->eip;
2188 tss->eflags = ctxt->eflags;
2189 tss->eax = c->regs[VCPU_REGS_RAX];
2190 tss->ecx = c->regs[VCPU_REGS_RCX];
2191 tss->edx = c->regs[VCPU_REGS_RDX];
2192 tss->ebx = c->regs[VCPU_REGS_RBX];
2193 tss->esp = c->regs[VCPU_REGS_RSP];
2194 tss->ebp = c->regs[VCPU_REGS_RBP];
2195 tss->esi = c->regs[VCPU_REGS_RSI];
2196 tss->edi = c->regs[VCPU_REGS_RDI];
2197
2198 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2199 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2200 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2201 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2202 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
2203 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
2204 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2205 }
2206
2207 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2208 struct x86_emulate_ops *ops,
2209 struct tss_segment_32 *tss)
2210 {
2211 struct decode_cache *c = &ctxt->decode;
2212 int ret;
2213
2214 ops->set_cr(3, tss->cr3, ctxt->vcpu);
2215 c->eip = tss->eip;
2216 ctxt->eflags = tss->eflags | 2;
2217 c->regs[VCPU_REGS_RAX] = tss->eax;
2218 c->regs[VCPU_REGS_RCX] = tss->ecx;
2219 c->regs[VCPU_REGS_RDX] = tss->edx;
2220 c->regs[VCPU_REGS_RBX] = tss->ebx;
2221 c->regs[VCPU_REGS_RSP] = tss->esp;
2222 c->regs[VCPU_REGS_RBP] = tss->ebp;
2223 c->regs[VCPU_REGS_RSI] = tss->esi;
2224 c->regs[VCPU_REGS_RDI] = tss->edi;
2225
2226 /*
2227 * SDM says that segment selectors are loaded before segment
2228 * descriptors
2229 */
2230 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
2231 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2232 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2233 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2234 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2235 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
2236 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
2237
2238 /*
2239 * Now load segment descriptors. If fault happenes at this stage
2240 * it is handled in a context of new task
2241 */
2242 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
2243 if (ret != X86EMUL_CONTINUE)
2244 return ret;
2245 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2246 if (ret != X86EMUL_CONTINUE)
2247 return ret;
2248 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2249 if (ret != X86EMUL_CONTINUE)
2250 return ret;
2251 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2252 if (ret != X86EMUL_CONTINUE)
2253 return ret;
2254 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2255 if (ret != X86EMUL_CONTINUE)
2256 return ret;
2257 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
2258 if (ret != X86EMUL_CONTINUE)
2259 return ret;
2260 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
2261 if (ret != X86EMUL_CONTINUE)
2262 return ret;
2263
2264 return X86EMUL_CONTINUE;
2265 }
2266
2267 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2268 struct x86_emulate_ops *ops,
2269 u16 tss_selector, u16 old_tss_sel,
2270 ulong old_tss_base, struct desc_struct *new_desc)
2271 {
2272 struct tss_segment_32 tss_seg;
2273 int ret;
2274 u32 err, new_tss_base = get_desc_base(new_desc);
2275
2276 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2277 &err);
2278 if (ret == X86EMUL_PROPAGATE_FAULT) {
2279 /* FIXME: need to provide precise fault address */
2280 kvm_inject_page_fault(ctxt->vcpu, old_tss_base, err);
2281 return ret;
2282 }
2283
2284 save_state_to_tss32(ctxt, ops, &tss_seg);
2285
2286 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2287 &err);
2288 if (ret == X86EMUL_PROPAGATE_FAULT) {
2289 /* FIXME: need to provide precise fault address */
2290 kvm_inject_page_fault(ctxt->vcpu, old_tss_base, err);
2291 return ret;
2292 }
2293
2294 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2295 &err);
2296 if (ret == X86EMUL_PROPAGATE_FAULT) {
2297 /* FIXME: need to provide precise fault address */
2298 kvm_inject_page_fault(ctxt->vcpu, new_tss_base, err);
2299 return ret;
2300 }
2301
2302 if (old_tss_sel != 0xffff) {
2303 tss_seg.prev_task_link = old_tss_sel;
2304
2305 ret = ops->write_std(new_tss_base,
2306 &tss_seg.prev_task_link,
2307 sizeof tss_seg.prev_task_link,
2308 ctxt->vcpu, &err);
2309 if (ret == X86EMUL_PROPAGATE_FAULT) {
2310 /* FIXME: need to provide precise fault address */
2311 kvm_inject_page_fault(ctxt->vcpu, new_tss_base, err);
2312 return ret;
2313 }
2314 }
2315
2316 return load_state_from_tss32(ctxt, ops, &tss_seg);
2317 }
2318
2319 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2320 struct x86_emulate_ops *ops,
2321 u16 tss_selector, int reason)
2322 {
2323 struct desc_struct curr_tss_desc, next_tss_desc;
2324 int ret;
2325 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2326 ulong old_tss_base =
2327 get_cached_descriptor_base(ctxt, ops, VCPU_SREG_TR);
2328 u32 desc_limit;
2329
2330 /* FIXME: old_tss_base == ~0 ? */
2331
2332 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2333 if (ret != X86EMUL_CONTINUE)
2334 return ret;
2335 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2336 if (ret != X86EMUL_CONTINUE)
2337 return ret;
2338
2339 /* FIXME: check that next_tss_desc is tss */
2340
2341 if (reason != TASK_SWITCH_IRET) {
2342 if ((tss_selector & 3) > next_tss_desc.dpl ||
2343 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
2344 kvm_inject_gp(ctxt->vcpu, 0);
2345 return X86EMUL_PROPAGATE_FAULT;
2346 }
2347 }
2348
2349 desc_limit = desc_limit_scaled(&next_tss_desc);
2350 if (!next_tss_desc.p ||
2351 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2352 desc_limit < 0x2b)) {
2353 kvm_queue_exception_e(ctxt->vcpu, TS_VECTOR,
2354 tss_selector & 0xfffc);
2355 return X86EMUL_PROPAGATE_FAULT;
2356 }
2357
2358 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2359 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2360 write_segment_descriptor(ctxt, ops, old_tss_sel,
2361 &curr_tss_desc);
2362 }
2363
2364 if (reason == TASK_SWITCH_IRET)
2365 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2366
2367 /* set back link to prev task only if NT bit is set in eflags
2368 note that old_tss_sel is not used afetr this point */
2369 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2370 old_tss_sel = 0xffff;
2371
2372 if (next_tss_desc.type & 8)
2373 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2374 old_tss_base, &next_tss_desc);
2375 else
2376 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2377 old_tss_base, &next_tss_desc);
2378
2379 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2380 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2381
2382 if (reason != TASK_SWITCH_IRET) {
2383 next_tss_desc.type |= (1 << 1); /* set busy flag */
2384 write_segment_descriptor(ctxt, ops, tss_selector,
2385 &next_tss_desc);
2386 }
2387
2388 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2389 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
2390 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2391
2392 return ret;
2393 }
2394
2395 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2396 struct x86_emulate_ops *ops,
2397 u16 tss_selector, int reason)
2398 {
2399 struct decode_cache *c = &ctxt->decode;
2400 int rc;
2401
2402 memset(c, 0, sizeof(struct decode_cache));
2403 c->eip = ctxt->eip;
2404 memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
2405
2406 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason);
2407
2408 if (rc == X86EMUL_CONTINUE) {
2409 memcpy(ctxt->vcpu->arch.regs, c->regs, sizeof c->regs);
2410 kvm_rip_write(ctxt->vcpu, c->eip);
2411 }
2412
2413 return rc;
2414 }
2415
2416 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2417 int reg, struct operand *op)
2418 {
2419 struct decode_cache *c = &ctxt->decode;
2420 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2421
2422 register_address_increment(c, &c->regs[reg], df * op->bytes);
2423 op->ptr = (unsigned long *)register_address(c, base, c->regs[reg]);
2424 }
2425
2426 int
2427 x86_emulate_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2428 {
2429 u64 msr_data;
2430 struct decode_cache *c = &ctxt->decode;
2431 int rc = X86EMUL_CONTINUE;
2432 int saved_dst_type = c->dst.type;
2433
2434 ctxt->interruptibility = 0;
2435
2436 /* Shadow copy of register state. Committed on successful emulation.
2437 * NOTE: we can copy them from vcpu as x86_decode_insn() doesn't
2438 * modify them.
2439 */
2440
2441 memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
2442
2443 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2444 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2445 goto done;
2446 }
2447
2448 /* LOCK prefix is allowed only with some instructions */
2449 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2450 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2451 goto done;
2452 }
2453
2454 /* Privileged instruction can be executed only in CPL=0 */
2455 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2456 kvm_inject_gp(ctxt->vcpu, 0);
2457 goto done;
2458 }
2459
2460 if (c->rep_prefix && (c->d & String)) {
2461 ctxt->restart = true;
2462 /* All REP prefixes have the same first termination condition */
2463 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2464 string_done:
2465 ctxt->restart = false;
2466 kvm_rip_write(ctxt->vcpu, c->eip);
2467 goto done;
2468 }
2469 /* The second termination condition only applies for REPE
2470 * and REPNE. Test if the repeat string operation prefix is
2471 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
2472 * corresponding termination condition according to:
2473 * - if REPE/REPZ and ZF = 0 then done
2474 * - if REPNE/REPNZ and ZF = 1 then done
2475 */
2476 if ((c->b == 0xa6) || (c->b == 0xa7) ||
2477 (c->b == 0xae) || (c->b == 0xaf)) {
2478 if ((c->rep_prefix == REPE_PREFIX) &&
2479 ((ctxt->eflags & EFLG_ZF) == 0))
2480 goto string_done;
2481 if ((c->rep_prefix == REPNE_PREFIX) &&
2482 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
2483 goto string_done;
2484 }
2485 c->eip = ctxt->eip;
2486 }
2487
2488 if (c->src.type == OP_MEM) {
2489 rc = ops->read_emulated((unsigned long)c->src.ptr,
2490 &c->src.val,
2491 c->src.bytes,
2492 ctxt->vcpu);
2493 if (rc != X86EMUL_CONTINUE)
2494 goto done;
2495 c->src.orig_val = c->src.val;
2496 }
2497
2498 if (c->src2.type == OP_MEM) {
2499 rc = ops->read_emulated((unsigned long)c->src2.ptr,
2500 &c->src2.val,
2501 c->src2.bytes,
2502 ctxt->vcpu);
2503 if (rc != X86EMUL_CONTINUE)
2504 goto done;
2505 }
2506
2507 if ((c->d & DstMask) == ImplicitOps)
2508 goto special_insn;
2509
2510
2511 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
2512 /* optimisation - avoid slow emulated read if Mov */
2513 rc = ops->read_emulated((unsigned long)c->dst.ptr, &c->dst.val,
2514 c->dst.bytes, ctxt->vcpu);
2515 if (rc != X86EMUL_CONTINUE)
2516 goto done;
2517 }
2518 c->dst.orig_val = c->dst.val;
2519
2520 special_insn:
2521
2522 if (c->twobyte)
2523 goto twobyte_insn;
2524
2525 switch (c->b) {
2526 case 0x00 ... 0x05:
2527 add: /* add */
2528 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2529 break;
2530 case 0x06: /* push es */
2531 emulate_push_sreg(ctxt, VCPU_SREG_ES);
2532 break;
2533 case 0x07: /* pop es */
2534 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2535 if (rc != X86EMUL_CONTINUE)
2536 goto done;
2537 break;
2538 case 0x08 ... 0x0d:
2539 or: /* or */
2540 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2541 break;
2542 case 0x0e: /* push cs */
2543 emulate_push_sreg(ctxt, VCPU_SREG_CS);
2544 break;
2545 case 0x10 ... 0x15:
2546 adc: /* adc */
2547 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2548 break;
2549 case 0x16: /* push ss */
2550 emulate_push_sreg(ctxt, VCPU_SREG_SS);
2551 break;
2552 case 0x17: /* pop ss */
2553 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2554 if (rc != X86EMUL_CONTINUE)
2555 goto done;
2556 break;
2557 case 0x18 ... 0x1d:
2558 sbb: /* sbb */
2559 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2560 break;
2561 case 0x1e: /* push ds */
2562 emulate_push_sreg(ctxt, VCPU_SREG_DS);
2563 break;
2564 case 0x1f: /* pop ds */
2565 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2566 if (rc != X86EMUL_CONTINUE)
2567 goto done;
2568 break;
2569 case 0x20 ... 0x25:
2570 and: /* and */
2571 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2572 break;
2573 case 0x28 ... 0x2d:
2574 sub: /* sub */
2575 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2576 break;
2577 case 0x30 ... 0x35:
2578 xor: /* xor */
2579 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2580 break;
2581 case 0x38 ... 0x3d:
2582 cmp: /* cmp */
2583 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2584 break;
2585 case 0x40 ... 0x47: /* inc r16/r32 */
2586 emulate_1op("inc", c->dst, ctxt->eflags);
2587 break;
2588 case 0x48 ... 0x4f: /* dec r16/r32 */
2589 emulate_1op("dec", c->dst, ctxt->eflags);
2590 break;
2591 case 0x50 ... 0x57: /* push reg */
2592 emulate_push(ctxt);
2593 break;
2594 case 0x58 ... 0x5f: /* pop reg */
2595 pop_instruction:
2596 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2597 if (rc != X86EMUL_CONTINUE)
2598 goto done;
2599 break;
2600 case 0x60: /* pusha */
2601 emulate_pusha(ctxt);
2602 break;
2603 case 0x61: /* popa */
2604 rc = emulate_popa(ctxt, ops);
2605 if (rc != X86EMUL_CONTINUE)
2606 goto done;
2607 break;
2608 case 0x63: /* movsxd */
2609 if (ctxt->mode != X86EMUL_MODE_PROT64)
2610 goto cannot_emulate;
2611 c->dst.val = (s32) c->src.val;
2612 break;
2613 case 0x68: /* push imm */
2614 case 0x6a: /* push imm8 */
2615 emulate_push(ctxt);
2616 break;
2617 case 0x6c: /* insb */
2618 case 0x6d: /* insw/insd */
2619 c->dst.bytes = min(c->dst.bytes, 4u);
2620 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2621 c->dst.bytes)) {
2622 kvm_inject_gp(ctxt->vcpu, 0);
2623 goto done;
2624 }
2625 if (!ops->pio_in_emulated(c->dst.bytes, c->regs[VCPU_REGS_RDX],
2626 &c->dst.val, 1, ctxt->vcpu))
2627 goto done; /* IO is needed, skip writeback */
2628 break;
2629 case 0x6e: /* outsb */
2630 case 0x6f: /* outsw/outsd */
2631 c->src.bytes = min(c->src.bytes, 4u);
2632 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2633 c->src.bytes)) {
2634 kvm_inject_gp(ctxt->vcpu, 0);
2635 goto done;
2636 }
2637 ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
2638 &c->src.val, 1, ctxt->vcpu);
2639
2640 c->dst.type = OP_NONE; /* nothing to writeback */
2641 break;
2642 case 0x70 ... 0x7f: /* jcc (short) */
2643 if (test_cc(c->b, ctxt->eflags))
2644 jmp_rel(c, c->src.val);
2645 break;
2646 case 0x80 ... 0x83: /* Grp1 */
2647 switch (c->modrm_reg) {
2648 case 0:
2649 goto add;
2650 case 1:
2651 goto or;
2652 case 2:
2653 goto adc;
2654 case 3:
2655 goto sbb;
2656 case 4:
2657 goto and;
2658 case 5:
2659 goto sub;
2660 case 6:
2661 goto xor;
2662 case 7:
2663 goto cmp;
2664 }
2665 break;
2666 case 0x84 ... 0x85:
2667 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2668 break;
2669 case 0x86 ... 0x87: /* xchg */
2670 xchg:
2671 /* Write back the register source. */
2672 switch (c->dst.bytes) {
2673 case 1:
2674 *(u8 *) c->src.ptr = (u8) c->dst.val;
2675 break;
2676 case 2:
2677 *(u16 *) c->src.ptr = (u16) c->dst.val;
2678 break;
2679 case 4:
2680 *c->src.ptr = (u32) c->dst.val;
2681 break; /* 64b reg: zero-extend */
2682 case 8:
2683 *c->src.ptr = c->dst.val;
2684 break;
2685 }
2686 /*
2687 * Write back the memory destination with implicit LOCK
2688 * prefix.
2689 */
2690 c->dst.val = c->src.val;
2691 c->lock_prefix = 1;
2692 break;
2693 case 0x88 ... 0x8b: /* mov */
2694 goto mov;
2695 case 0x8c: { /* mov r/m, sreg */
2696 struct kvm_segment segreg;
2697
2698 if (c->modrm_reg <= VCPU_SREG_GS)
2699 kvm_get_segment(ctxt->vcpu, &segreg, c->modrm_reg);
2700 else {
2701 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2702 goto done;
2703 }
2704 c->dst.val = segreg.selector;
2705 break;
2706 }
2707 case 0x8d: /* lea r16/r32, m */
2708 c->dst.val = c->modrm_ea;
2709 break;
2710 case 0x8e: { /* mov seg, r/m16 */
2711 uint16_t sel;
2712
2713 sel = c->src.val;
2714
2715 if (c->modrm_reg == VCPU_SREG_CS ||
2716 c->modrm_reg > VCPU_SREG_GS) {
2717 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2718 goto done;
2719 }
2720
2721 if (c->modrm_reg == VCPU_SREG_SS)
2722 toggle_interruptibility(ctxt, KVM_X86_SHADOW_INT_MOV_SS);
2723
2724 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
2725
2726 c->dst.type = OP_NONE; /* Disable writeback. */
2727 break;
2728 }
2729 case 0x8f: /* pop (sole member of Grp1a) */
2730 rc = emulate_grp1a(ctxt, ops);
2731 if (rc != X86EMUL_CONTINUE)
2732 goto done;
2733 break;
2734 case 0x90: /* nop / xchg r8,rax */
2735 if (!(c->rex_prefix & 1)) { /* nop */
2736 c->dst.type = OP_NONE;
2737 break;
2738 }
2739 case 0x91 ... 0x97: /* xchg reg,rax */
2740 c->src.type = c->dst.type = OP_REG;
2741 c->src.bytes = c->dst.bytes = c->op_bytes;
2742 c->src.ptr = (unsigned long *) &c->regs[VCPU_REGS_RAX];
2743 c->src.val = *(c->src.ptr);
2744 goto xchg;
2745 case 0x9c: /* pushf */
2746 c->src.val = (unsigned long) ctxt->eflags;
2747 emulate_push(ctxt);
2748 break;
2749 case 0x9d: /* popf */
2750 c->dst.type = OP_REG;
2751 c->dst.ptr = (unsigned long *) &ctxt->eflags;
2752 c->dst.bytes = c->op_bytes;
2753 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
2754 if (rc != X86EMUL_CONTINUE)
2755 goto done;
2756 break;
2757 case 0xa0 ... 0xa1: /* mov */
2758 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
2759 c->dst.val = c->src.val;
2760 break;
2761 case 0xa2 ... 0xa3: /* mov */
2762 c->dst.val = (unsigned long)c->regs[VCPU_REGS_RAX];
2763 break;
2764 case 0xa4 ... 0xa5: /* movs */
2765 goto mov;
2766 case 0xa6 ... 0xa7: /* cmps */
2767 c->dst.type = OP_NONE; /* Disable writeback. */
2768 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.ptr, c->dst.ptr);
2769 goto cmp;
2770 case 0xaa ... 0xab: /* stos */
2771 c->dst.val = c->regs[VCPU_REGS_RAX];
2772 break;
2773 case 0xac ... 0xad: /* lods */
2774 goto mov;
2775 case 0xae ... 0xaf: /* scas */
2776 DPRINTF("Urk! I don't handle SCAS.\n");
2777 goto cannot_emulate;
2778 case 0xb0 ... 0xbf: /* mov r, imm */
2779 goto mov;
2780 case 0xc0 ... 0xc1:
2781 emulate_grp2(ctxt);
2782 break;
2783 case 0xc3: /* ret */
2784 c->dst.type = OP_REG;
2785 c->dst.ptr = &c->eip;
2786 c->dst.bytes = c->op_bytes;
2787 goto pop_instruction;
2788 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
2789 mov:
2790 c->dst.val = c->src.val;
2791 break;
2792 case 0xcb: /* ret far */
2793 rc = emulate_ret_far(ctxt, ops);
2794 if (rc != X86EMUL_CONTINUE)
2795 goto done;
2796 break;
2797 case 0xd0 ... 0xd1: /* Grp2 */
2798 c->src.val = 1;
2799 emulate_grp2(ctxt);
2800 break;
2801 case 0xd2 ... 0xd3: /* Grp2 */
2802 c->src.val = c->regs[VCPU_REGS_RCX];
2803 emulate_grp2(ctxt);
2804 break;
2805 case 0xe4: /* inb */
2806 case 0xe5: /* in */
2807 goto do_io_in;
2808 case 0xe6: /* outb */
2809 case 0xe7: /* out */
2810 goto do_io_out;
2811 case 0xe8: /* call (near) */ {
2812 long int rel = c->src.val;
2813 c->src.val = (unsigned long) c->eip;
2814 jmp_rel(c, rel);
2815 emulate_push(ctxt);
2816 break;
2817 }
2818 case 0xe9: /* jmp rel */
2819 goto jmp;
2820 case 0xea: /* jmp far */
2821 jump_far:
2822 if (load_segment_descriptor(ctxt, ops, c->src2.val,
2823 VCPU_SREG_CS))
2824 goto done;
2825
2826 c->eip = c->src.val;
2827 break;
2828 case 0xeb:
2829 jmp: /* jmp rel short */
2830 jmp_rel(c, c->src.val);
2831 c->dst.type = OP_NONE; /* Disable writeback. */
2832 break;
2833 case 0xec: /* in al,dx */
2834 case 0xed: /* in (e/r)ax,dx */
2835 c->src.val = c->regs[VCPU_REGS_RDX];
2836 do_io_in:
2837 c->dst.bytes = min(c->dst.bytes, 4u);
2838 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
2839 kvm_inject_gp(ctxt->vcpu, 0);
2840 goto done;
2841 }
2842 if (!ops->pio_in_emulated(c->dst.bytes, c->src.val,
2843 &c->dst.val, 1, ctxt->vcpu))
2844 goto done; /* IO is needed */
2845 break;
2846 case 0xee: /* out al,dx */
2847 case 0xef: /* out (e/r)ax,dx */
2848 c->src.val = c->regs[VCPU_REGS_RDX];
2849 do_io_out:
2850 c->dst.bytes = min(c->dst.bytes, 4u);
2851 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
2852 kvm_inject_gp(ctxt->vcpu, 0);
2853 goto done;
2854 }
2855 ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
2856 ctxt->vcpu);
2857 c->dst.type = OP_NONE; /* Disable writeback. */
2858 break;
2859 case 0xf4: /* hlt */
2860 ctxt->vcpu->arch.halt_request = 1;
2861 break;
2862 case 0xf5: /* cmc */
2863 /* complement carry flag from eflags reg */
2864 ctxt->eflags ^= EFLG_CF;
2865 c->dst.type = OP_NONE; /* Disable writeback. */
2866 break;
2867 case 0xf6 ... 0xf7: /* Grp3 */
2868 if (!emulate_grp3(ctxt, ops))
2869 goto cannot_emulate;
2870 break;
2871 case 0xf8: /* clc */
2872 ctxt->eflags &= ~EFLG_CF;
2873 c->dst.type = OP_NONE; /* Disable writeback. */
2874 break;
2875 case 0xfa: /* cli */
2876 if (emulator_bad_iopl(ctxt, ops))
2877 kvm_inject_gp(ctxt->vcpu, 0);
2878 else {
2879 ctxt->eflags &= ~X86_EFLAGS_IF;
2880 c->dst.type = OP_NONE; /* Disable writeback. */
2881 }
2882 break;
2883 case 0xfb: /* sti */
2884 if (emulator_bad_iopl(ctxt, ops))
2885 kvm_inject_gp(ctxt->vcpu, 0);
2886 else {
2887 toggle_interruptibility(ctxt, KVM_X86_SHADOW_INT_STI);
2888 ctxt->eflags |= X86_EFLAGS_IF;
2889 c->dst.type = OP_NONE; /* Disable writeback. */
2890 }
2891 break;
2892 case 0xfc: /* cld */
2893 ctxt->eflags &= ~EFLG_DF;
2894 c->dst.type = OP_NONE; /* Disable writeback. */
2895 break;
2896 case 0xfd: /* std */
2897 ctxt->eflags |= EFLG_DF;
2898 c->dst.type = OP_NONE; /* Disable writeback. */
2899 break;
2900 case 0xfe: /* Grp4 */
2901 grp45:
2902 rc = emulate_grp45(ctxt, ops);
2903 if (rc != X86EMUL_CONTINUE)
2904 goto done;
2905 break;
2906 case 0xff: /* Grp5 */
2907 if (c->modrm_reg == 5)
2908 goto jump_far;
2909 goto grp45;
2910 }
2911
2912 writeback:
2913 rc = writeback(ctxt, ops);
2914 if (rc != X86EMUL_CONTINUE)
2915 goto done;
2916
2917 /*
2918 * restore dst type in case the decoding will be reused
2919 * (happens for string instruction )
2920 */
2921 c->dst.type = saved_dst_type;
2922
2923 if ((c->d & SrcMask) == SrcSI)
2924 string_addr_inc(ctxt, seg_override_base(ctxt, c), VCPU_REGS_RSI,
2925 &c->src);
2926
2927 if ((c->d & DstMask) == DstDI)
2928 string_addr_inc(ctxt, es_base(ctxt), VCPU_REGS_RDI, &c->dst);
2929
2930 if (c->rep_prefix && (c->d & String)) {
2931 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
2932 if (!(c->regs[VCPU_REGS_RCX] & 0x3ff))
2933 ctxt->restart = false;
2934 }
2935
2936 /* Commit shadow register state. */
2937 memcpy(ctxt->vcpu->arch.regs, c->regs, sizeof c->regs);
2938 kvm_rip_write(ctxt->vcpu, c->eip);
2939
2940 done:
2941 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2942
2943 twobyte_insn:
2944 switch (c->b) {
2945 case 0x01: /* lgdt, lidt, lmsw */
2946 switch (c->modrm_reg) {
2947 u16 size;
2948 unsigned long address;
2949
2950 case 0: /* vmcall */
2951 if (c->modrm_mod != 3 || c->modrm_rm != 1)
2952 goto cannot_emulate;
2953
2954 rc = kvm_fix_hypercall(ctxt->vcpu);
2955 if (rc != X86EMUL_CONTINUE)
2956 goto done;
2957
2958 /* Let the processor re-execute the fixed hypercall */
2959 c->eip = ctxt->eip;
2960 /* Disable writeback. */
2961 c->dst.type = OP_NONE;
2962 break;
2963 case 2: /* lgdt */
2964 rc = read_descriptor(ctxt, ops, c->src.ptr,
2965 &size, &address, c->op_bytes);
2966 if (rc != X86EMUL_CONTINUE)
2967 goto done;
2968 realmode_lgdt(ctxt->vcpu, size, address);
2969 /* Disable writeback. */
2970 c->dst.type = OP_NONE;
2971 break;
2972 case 3: /* lidt/vmmcall */
2973 if (c->modrm_mod == 3) {
2974 switch (c->modrm_rm) {
2975 case 1:
2976 rc = kvm_fix_hypercall(ctxt->vcpu);
2977 if (rc != X86EMUL_CONTINUE)
2978 goto done;
2979 break;
2980 default:
2981 goto cannot_emulate;
2982 }
2983 } else {
2984 rc = read_descriptor(ctxt, ops, c->src.ptr,
2985 &size, &address,
2986 c->op_bytes);
2987 if (rc != X86EMUL_CONTINUE)
2988 goto done;
2989 realmode_lidt(ctxt->vcpu, size, address);
2990 }
2991 /* Disable writeback. */
2992 c->dst.type = OP_NONE;
2993 break;
2994 case 4: /* smsw */
2995 c->dst.bytes = 2;
2996 c->dst.val = ops->get_cr(0, ctxt->vcpu);
2997 break;
2998 case 6: /* lmsw */
2999 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0ful) |
3000 (c->src.val & 0x0f), ctxt->vcpu);
3001 c->dst.type = OP_NONE;
3002 break;
3003 case 5: /* not defined */
3004 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
3005 goto done;
3006 case 7: /* invlpg*/
3007 emulate_invlpg(ctxt->vcpu, c->modrm_ea);
3008 /* Disable writeback. */
3009 c->dst.type = OP_NONE;
3010 break;
3011 default:
3012 goto cannot_emulate;
3013 }
3014 break;
3015 case 0x05: /* syscall */
3016 rc = emulate_syscall(ctxt);
3017 if (rc != X86EMUL_CONTINUE)
3018 goto done;
3019 else
3020 goto writeback;
3021 break;
3022 case 0x06:
3023 emulate_clts(ctxt->vcpu);
3024 c->dst.type = OP_NONE;
3025 break;
3026 case 0x08: /* invd */
3027 case 0x09: /* wbinvd */
3028 case 0x0d: /* GrpP (prefetch) */
3029 case 0x18: /* Grp16 (prefetch/nop) */
3030 c->dst.type = OP_NONE;
3031 break;
3032 case 0x20: /* mov cr, reg */
3033 switch (c->modrm_reg) {
3034 case 1:
3035 case 5 ... 7:
3036 case 9 ... 15:
3037 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
3038 goto done;
3039 }
3040 c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3041 c->dst.type = OP_NONE; /* no writeback */
3042 break;
3043 case 0x21: /* mov from dr to reg */
3044 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3045 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3046 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
3047 goto done;
3048 }
3049 emulator_get_dr(ctxt, c->modrm_reg, &c->regs[c->modrm_rm]);
3050 c->dst.type = OP_NONE; /* no writeback */
3051 break;
3052 case 0x22: /* mov reg, cr */
3053 ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu);
3054 c->dst.type = OP_NONE;
3055 break;
3056 case 0x23: /* mov from reg to dr */
3057 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3058 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3059 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
3060 goto done;
3061 }
3062 emulator_set_dr(ctxt, c->modrm_reg, c->regs[c->modrm_rm]);
3063 c->dst.type = OP_NONE; /* no writeback */
3064 break;
3065 case 0x30:
3066 /* wrmsr */
3067 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3068 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3069 if (kvm_set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3070 kvm_inject_gp(ctxt->vcpu, 0);
3071 goto done;
3072 }
3073 rc = X86EMUL_CONTINUE;
3074 c->dst.type = OP_NONE;
3075 break;
3076 case 0x32:
3077 /* rdmsr */
3078 if (kvm_get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3079 kvm_inject_gp(ctxt->vcpu, 0);
3080 goto done;
3081 } else {
3082 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3083 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3084 }
3085 rc = X86EMUL_CONTINUE;
3086 c->dst.type = OP_NONE;
3087 break;
3088 case 0x34: /* sysenter */
3089 rc = emulate_sysenter(ctxt);
3090 if (rc != X86EMUL_CONTINUE)
3091 goto done;
3092 else
3093 goto writeback;
3094 break;
3095 case 0x35: /* sysexit */
3096 rc = emulate_sysexit(ctxt);
3097 if (rc != X86EMUL_CONTINUE)
3098 goto done;
3099 else
3100 goto writeback;
3101 break;
3102 case 0x40 ... 0x4f: /* cmov */
3103 c->dst.val = c->dst.orig_val = c->src.val;
3104 if (!test_cc(c->b, ctxt->eflags))
3105 c->dst.type = OP_NONE; /* no writeback */
3106 break;
3107 case 0x80 ... 0x8f: /* jnz rel, etc*/
3108 if (test_cc(c->b, ctxt->eflags))
3109 jmp_rel(c, c->src.val);
3110 c->dst.type = OP_NONE;
3111 break;
3112 case 0xa0: /* push fs */
3113 emulate_push_sreg(ctxt, VCPU_SREG_FS);
3114 break;
3115 case 0xa1: /* pop fs */
3116 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3117 if (rc != X86EMUL_CONTINUE)
3118 goto done;
3119 break;
3120 case 0xa3:
3121 bt: /* bt */
3122 c->dst.type = OP_NONE;
3123 /* only subword offset */
3124 c->src.val &= (c->dst.bytes << 3) - 1;
3125 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3126 break;
3127 case 0xa4: /* shld imm8, r, r/m */
3128 case 0xa5: /* shld cl, r, r/m */
3129 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3130 break;
3131 case 0xa8: /* push gs */
3132 emulate_push_sreg(ctxt, VCPU_SREG_GS);
3133 break;
3134 case 0xa9: /* pop gs */
3135 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3136 if (rc != X86EMUL_CONTINUE)
3137 goto done;
3138 break;
3139 case 0xab:
3140 bts: /* bts */
3141 /* only subword offset */
3142 c->src.val &= (c->dst.bytes << 3) - 1;
3143 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3144 break;
3145 case 0xac: /* shrd imm8, r, r/m */
3146 case 0xad: /* shrd cl, r, r/m */
3147 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3148 break;
3149 case 0xae: /* clflush */
3150 break;
3151 case 0xb0 ... 0xb1: /* cmpxchg */
3152 /*
3153 * Save real source value, then compare EAX against
3154 * destination.
3155 */
3156 c->src.orig_val = c->src.val;
3157 c->src.val = c->regs[VCPU_REGS_RAX];
3158 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3159 if (ctxt->eflags & EFLG_ZF) {
3160 /* Success: write back to memory. */
3161 c->dst.val = c->src.orig_val;
3162 } else {
3163 /* Failure: write the value we saw to EAX. */
3164 c->dst.type = OP_REG;
3165 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3166 }
3167 break;
3168 case 0xb3:
3169 btr: /* btr */
3170 /* only subword offset */
3171 c->src.val &= (c->dst.bytes << 3) - 1;
3172 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3173 break;
3174 case 0xb6 ... 0xb7: /* movzx */
3175 c->dst.bytes = c->op_bytes;
3176 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3177 : (u16) c->src.val;
3178 break;
3179 case 0xba: /* Grp8 */
3180 switch (c->modrm_reg & 3) {
3181 case 0:
3182 goto bt;
3183 case 1:
3184 goto bts;
3185 case 2:
3186 goto btr;
3187 case 3:
3188 goto btc;
3189 }
3190 break;
3191 case 0xbb:
3192 btc: /* btc */
3193 /* only subword offset */
3194 c->src.val &= (c->dst.bytes << 3) - 1;
3195 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3196 break;
3197 case 0xbe ... 0xbf: /* movsx */
3198 c->dst.bytes = c->op_bytes;
3199 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3200 (s16) c->src.val;
3201 break;
3202 case 0xc3: /* movnti */
3203 c->dst.bytes = c->op_bytes;
3204 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3205 (u64) c->src.val;
3206 break;
3207 case 0xc7: /* Grp9 (cmpxchg8b) */
3208 rc = emulate_grp9(ctxt, ops);
3209 if (rc != X86EMUL_CONTINUE)
3210 goto done;
3211 c->dst.type = OP_NONE;
3212 break;
3213 }
3214 goto writeback;
3215
3216 cannot_emulate:
3217 DPRINTF("Cannot emulate %02x\n", c->b);
3218 return -1;
3219 }
Linux kernel - Deliverables
This page took 0.111734 seconds and 4 git commands to generate.