projects / deliverable / linux.git / blob
? search:


8bd05571672c6b6b913e637bf7f1a4ed75821c79
[deliverable/linux.git] / arch / x86 / kvm / emulate.c
1 /******************************************************************************
2 * emulate.c
3 *
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5 *
6 * Copyright (c) 2005 Keir Fraser
7 *
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
10 *
11 * Copyright (C) 2006 Qumranet
12 *
13 * Avi Kivity <avi@qumranet.com>
14 * Yaniv Kamay <yaniv@qumranet.com>
15 *
16 * This work is licensed under the terms of the GNU GPL, version 2. See
17 * the COPYING file in the top-level directory.
18 *
19 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
20 */
21
22 #ifndef __KERNEL__
23 #include <stdio.h>
24 #include <stdint.h>
25 #include <public/xen.h>
26 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
27 #else
28 #include <linux/kvm_host.h>
29 #include "kvm_cache_regs.h"
30 #define DPRINTF(x...) do {} while (0)
31 #endif
32 #include <linux/module.h>
33 #include <asm/kvm_emulate.h>
34
35 #include "x86.h"
36
37 /*
38 * Opcode effective-address decode tables.
39 * Note that we only emulate instructions that have at least one memory
40 * operand (excluding implicit stack references). We assume that stack
41 * references and instruction fetches will never occur in special memory
42 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
43 * not be handled.
44 */
45
46 /* Operand sizes: 8-bit operands or specified/overridden size. */
47 #define ByteOp (1<<0) /* 8-bit operands. */
48 /* Destination operand type. */
49 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
50 #define DstReg (2<<1) /* Register operand. */
51 #define DstMem (3<<1) /* Memory operand. */
52 #define DstAcc (4<<1) /* Destination Accumulator */
53 #define DstMask (7<<1)
54 /* Source operand type. */
55 #define SrcNone (0<<4) /* No source operand. */
56 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
57 #define SrcReg (1<<4) /* Register operand. */
58 #define SrcMem (2<<4) /* Memory operand. */
59 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
60 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
61 #define SrcImm (5<<4) /* Immediate operand. */
62 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
63 #define SrcOne (7<<4) /* Implied '1' */
64 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
65 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
66 #define SrcMask (0xf<<4)
67 /* Generic ModRM decode. */
68 #define ModRM (1<<8)
69 /* Destination is only written; never read. */
70 #define Mov (1<<9)
71 #define BitOp (1<<10)
72 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
73 #define String (1<<12) /* String instruction (rep capable) */
74 #define Stack (1<<13) /* Stack instruction (push/pop) */
75 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
76 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
77 #define GroupMask 0xff /* Group number stored in bits 0:7 */
78 /* Misc flags */
79 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
80 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
81 #define No64 (1<<28)
82 /* Source 2 operand type */
83 #define Src2None (0<<29)
84 #define Src2CL (1<<29)
85 #define Src2ImmByte (2<<29)
86 #define Src2One (3<<29)
87 #define Src2Imm16 (4<<29)
88 #define Src2Mem16 (5<<29) /* Used for Ep encoding. First argument has to be
89 in memory and second argument is located
90 immediately after the first one in memory. */
91 #define Src2Mask (7<<29)
92
93 enum {
94 Group1_80, Group1_81, Group1_82, Group1_83,
95 Group1A, Group3_Byte, Group3, Group4, Group5, Group7,
96 Group8, Group9,
97 };
98
99 static u32 opcode_table[256] = {
100 /* 0x00 - 0x07 */
101 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
102 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
103 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
104 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
105 /* 0x08 - 0x0F */
106 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
107 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
108 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
109 ImplicitOps | Stack | No64, 0,
110 /* 0x10 - 0x17 */
111 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
112 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
113 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
114 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
115 /* 0x18 - 0x1F */
116 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
117 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
118 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
119 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
120 /* 0x20 - 0x27 */
121 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
122 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
123 DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
124 /* 0x28 - 0x2F */
125 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
126 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
127 0, 0, 0, 0,
128 /* 0x30 - 0x37 */
129 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
130 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
131 0, 0, 0, 0,
132 /* 0x38 - 0x3F */
133 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
134 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
135 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
136 0, 0,
137 /* 0x40 - 0x47 */
138 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
139 /* 0x48 - 0x4F */
140 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
141 /* 0x50 - 0x57 */
142 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
143 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
144 /* 0x58 - 0x5F */
145 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
146 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
147 /* 0x60 - 0x67 */
148 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
149 0, DstReg | SrcMem32 | ModRM | Mov /* movsxd (x86/64) */ ,
150 0, 0, 0, 0,
151 /* 0x68 - 0x6F */
152 SrcImm | Mov | Stack, 0, SrcImmByte | Mov | Stack, 0,
153 SrcNone | ByteOp | ImplicitOps, SrcNone | ImplicitOps, /* insb, insw/insd */
154 SrcNone | ByteOp | ImplicitOps, SrcNone | ImplicitOps, /* outsb, outsw/outsd */
155 /* 0x70 - 0x77 */
156 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
157 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
158 /* 0x78 - 0x7F */
159 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
160 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
161 /* 0x80 - 0x87 */
162 Group | Group1_80, Group | Group1_81,
163 Group | Group1_82, Group | Group1_83,
164 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
165 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
166 /* 0x88 - 0x8F */
167 ByteOp | DstMem | SrcReg | ModRM | Mov, DstMem | SrcReg | ModRM | Mov,
168 ByteOp | DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
169 DstMem | SrcReg | ModRM | Mov, ModRM | DstReg,
170 DstReg | SrcMem | ModRM | Mov, Group | Group1A,
171 /* 0x90 - 0x97 */
172 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
173 /* 0x98 - 0x9F */
174 0, 0, SrcImm | Src2Imm16 | No64, 0,
175 ImplicitOps | Stack, ImplicitOps | Stack, 0, 0,
176 /* 0xA0 - 0xA7 */
177 ByteOp | DstReg | SrcMem | Mov | MemAbs, DstReg | SrcMem | Mov | MemAbs,
178 ByteOp | DstMem | SrcReg | Mov | MemAbs, DstMem | SrcReg | Mov | MemAbs,
179 ByteOp | ImplicitOps | Mov | String, ImplicitOps | Mov | String,
180 ByteOp | ImplicitOps | String, ImplicitOps | String,
181 /* 0xA8 - 0xAF */
182 0, 0, ByteOp | ImplicitOps | Mov | String, ImplicitOps | Mov | String,
183 ByteOp | ImplicitOps | Mov | String, ImplicitOps | Mov | String,
184 ByteOp | ImplicitOps | String, ImplicitOps | String,
185 /* 0xB0 - 0xB7 */
186 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
187 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
188 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
189 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
190 /* 0xB8 - 0xBF */
191 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
192 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
193 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
194 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
195 /* 0xC0 - 0xC7 */
196 ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM,
197 0, ImplicitOps | Stack, 0, 0,
198 ByteOp | DstMem | SrcImm | ModRM | Mov, DstMem | SrcImm | ModRM | Mov,
199 /* 0xC8 - 0xCF */
200 0, 0, 0, ImplicitOps | Stack,
201 ImplicitOps, SrcImmByte, ImplicitOps | No64, ImplicitOps,
202 /* 0xD0 - 0xD7 */
203 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
204 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
205 0, 0, 0, 0,
206 /* 0xD8 - 0xDF */
207 0, 0, 0, 0, 0, 0, 0, 0,
208 /* 0xE0 - 0xE7 */
209 0, 0, 0, 0,
210 ByteOp | SrcImmUByte, SrcImmUByte,
211 ByteOp | SrcImmUByte, SrcImmUByte,
212 /* 0xE8 - 0xEF */
213 SrcImm | Stack, SrcImm | ImplicitOps,
214 SrcImmU | Src2Imm16 | No64, SrcImmByte | ImplicitOps,
215 SrcNone | ByteOp | ImplicitOps, SrcNone | ImplicitOps,
216 SrcNone | ByteOp | ImplicitOps, SrcNone | ImplicitOps,
217 /* 0xF0 - 0xF7 */
218 0, 0, 0, 0,
219 ImplicitOps | Priv, ImplicitOps, Group | Group3_Byte, Group | Group3,
220 /* 0xF8 - 0xFF */
221 ImplicitOps, 0, ImplicitOps, ImplicitOps,
222 ImplicitOps, ImplicitOps, Group | Group4, Group | Group5,
223 };
224
225 static u32 twobyte_table[256] = {
226 /* 0x00 - 0x0F */
227 0, Group | GroupDual | Group7, 0, 0,
228 0, ImplicitOps, ImplicitOps | Priv, 0,
229 ImplicitOps | Priv, ImplicitOps | Priv, 0, 0,
230 0, ImplicitOps | ModRM, 0, 0,
231 /* 0x10 - 0x1F */
232 0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0,
233 /* 0x20 - 0x2F */
234 ModRM | ImplicitOps | Priv, ModRM | Priv,
235 ModRM | ImplicitOps | Priv, ModRM | Priv,
236 0, 0, 0, 0,
237 0, 0, 0, 0, 0, 0, 0, 0,
238 /* 0x30 - 0x3F */
239 ImplicitOps | Priv, 0, ImplicitOps | Priv, 0,
240 ImplicitOps, ImplicitOps | Priv, 0, 0,
241 0, 0, 0, 0, 0, 0, 0, 0,
242 /* 0x40 - 0x47 */
243 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
244 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
245 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
246 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
247 /* 0x48 - 0x4F */
248 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
249 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
250 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
251 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
252 /* 0x50 - 0x5F */
253 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
254 /* 0x60 - 0x6F */
255 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
256 /* 0x70 - 0x7F */
257 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
258 /* 0x80 - 0x8F */
259 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
260 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
261 /* 0x90 - 0x9F */
262 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
263 /* 0xA0 - 0xA7 */
264 ImplicitOps | Stack, ImplicitOps | Stack,
265 0, DstMem | SrcReg | ModRM | BitOp,
266 DstMem | SrcReg | Src2ImmByte | ModRM,
267 DstMem | SrcReg | Src2CL | ModRM, 0, 0,
268 /* 0xA8 - 0xAF */
269 ImplicitOps | Stack, ImplicitOps | Stack,
270 0, DstMem | SrcReg | ModRM | BitOp | Lock,
271 DstMem | SrcReg | Src2ImmByte | ModRM,
272 DstMem | SrcReg | Src2CL | ModRM,
273 ModRM, 0,
274 /* 0xB0 - 0xB7 */
275 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
276 0, DstMem | SrcReg | ModRM | BitOp | Lock,
277 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
278 DstReg | SrcMem16 | ModRM | Mov,
279 /* 0xB8 - 0xBF */
280 0, 0,
281 Group | Group8, DstMem | SrcReg | ModRM | BitOp | Lock,
282 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
283 DstReg | SrcMem16 | ModRM | Mov,
284 /* 0xC0 - 0xCF */
285 0, 0, 0, DstMem | SrcReg | ModRM | Mov,
286 0, 0, 0, Group | GroupDual | Group9,
287 0, 0, 0, 0, 0, 0, 0, 0,
288 /* 0xD0 - 0xDF */
289 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
290 /* 0xE0 - 0xEF */
291 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
292 /* 0xF0 - 0xFF */
293 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
294 };
295
296 static u32 group_table[] = {
297 [Group1_80*8] =
298 ByteOp | DstMem | SrcImm | ModRM | Lock,
299 ByteOp | DstMem | SrcImm | ModRM | Lock,
300 ByteOp | DstMem | SrcImm | ModRM | Lock,
301 ByteOp | DstMem | SrcImm | ModRM | Lock,
302 ByteOp | DstMem | SrcImm | ModRM | Lock,
303 ByteOp | DstMem | SrcImm | ModRM | Lock,
304 ByteOp | DstMem | SrcImm | ModRM | Lock,
305 ByteOp | DstMem | SrcImm | ModRM,
306 [Group1_81*8] =
307 DstMem | SrcImm | ModRM | Lock,
308 DstMem | SrcImm | ModRM | Lock,
309 DstMem | SrcImm | ModRM | Lock,
310 DstMem | SrcImm | ModRM | Lock,
311 DstMem | SrcImm | ModRM | Lock,
312 DstMem | SrcImm | ModRM | Lock,
313 DstMem | SrcImm | ModRM | Lock,
314 DstMem | SrcImm | ModRM,
315 [Group1_82*8] =
316 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
317 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
318 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
319 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
320 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
321 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
322 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
323 ByteOp | DstMem | SrcImm | ModRM | No64,
324 [Group1_83*8] =
325 DstMem | SrcImmByte | ModRM | Lock,
326 DstMem | SrcImmByte | ModRM | Lock,
327 DstMem | SrcImmByte | ModRM | Lock,
328 DstMem | SrcImmByte | ModRM | Lock,
329 DstMem | SrcImmByte | ModRM | Lock,
330 DstMem | SrcImmByte | ModRM | Lock,
331 DstMem | SrcImmByte | ModRM | Lock,
332 DstMem | SrcImmByte | ModRM,
333 [Group1A*8] =
334 DstMem | SrcNone | ModRM | Mov | Stack, 0, 0, 0, 0, 0, 0, 0,
335 [Group3_Byte*8] =
336 ByteOp | SrcImm | DstMem | ModRM, 0,
337 ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
338 0, 0, 0, 0,
339 [Group3*8] =
340 DstMem | SrcImm | ModRM, 0,
341 DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
342 0, 0, 0, 0,
343 [Group4*8] =
344 ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
345 0, 0, 0, 0, 0, 0,
346 [Group5*8] =
347 DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
348 SrcMem | ModRM | Stack, 0,
349 SrcMem | ModRM | Stack, SrcMem | ModRM | Src2Mem16 | ImplicitOps,
350 SrcMem | ModRM | Stack, 0,
351 [Group7*8] =
352 0, 0, ModRM | SrcMem | Priv, ModRM | SrcMem | Priv,
353 SrcNone | ModRM | DstMem | Mov, 0,
354 SrcMem16 | ModRM | Mov | Priv, SrcMem | ModRM | ByteOp | Priv,
355 [Group8*8] =
356 0, 0, 0, 0,
357 DstMem | SrcImmByte | ModRM, DstMem | SrcImmByte | ModRM | Lock,
358 DstMem | SrcImmByte | ModRM | Lock, DstMem | SrcImmByte | ModRM | Lock,
359 [Group9*8] =
360 0, ImplicitOps | ModRM | Lock, 0, 0, 0, 0, 0, 0,
361 };
362
363 static u32 group2_table[] = {
364 [Group7*8] =
365 SrcNone | ModRM | Priv, 0, 0, SrcNone | ModRM | Priv,
366 SrcNone | ModRM | DstMem | Mov, 0,
367 SrcMem16 | ModRM | Mov | Priv, 0,
368 [Group9*8] =
369 0, 0, 0, 0, 0, 0, 0, 0,
370 };
371
372 /* EFLAGS bit definitions. */
373 #define EFLG_ID (1<<21)
374 #define EFLG_VIP (1<<20)
375 #define EFLG_VIF (1<<19)
376 #define EFLG_AC (1<<18)
377 #define EFLG_VM (1<<17)
378 #define EFLG_RF (1<<16)
379 #define EFLG_IOPL (3<<12)
380 #define EFLG_NT (1<<14)
381 #define EFLG_OF (1<<11)
382 #define EFLG_DF (1<<10)
383 #define EFLG_IF (1<<9)
384 #define EFLG_TF (1<<8)
385 #define EFLG_SF (1<<7)
386 #define EFLG_ZF (1<<6)
387 #define EFLG_AF (1<<4)
388 #define EFLG_PF (1<<2)
389 #define EFLG_CF (1<<0)
390
391 /*
392 * Instruction emulation:
393 * Most instructions are emulated directly via a fragment of inline assembly
394 * code. This allows us to save/restore EFLAGS and thus very easily pick up
395 * any modified flags.
396 */
397
398 #if defined(CONFIG_X86_64)
399 #define _LO32 "k" /* force 32-bit operand */
400 #define _STK "%%rsp" /* stack pointer */
401 #elif defined(__i386__)
402 #define _LO32 "" /* force 32-bit operand */
403 #define _STK "%%esp" /* stack pointer */
404 #endif
405
406 /*
407 * These EFLAGS bits are restored from saved value during emulation, and
408 * any changes are written back to the saved value after emulation.
409 */
410 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
411
412 /* Before executing instruction: restore necessary bits in EFLAGS. */
413 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
414 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
415 "movl %"_sav",%"_LO32 _tmp"; " \
416 "push %"_tmp"; " \
417 "push %"_tmp"; " \
418 "movl %"_msk",%"_LO32 _tmp"; " \
419 "andl %"_LO32 _tmp",("_STK"); " \
420 "pushf; " \
421 "notl %"_LO32 _tmp"; " \
422 "andl %"_LO32 _tmp",("_STK"); " \
423 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
424 "pop %"_tmp"; " \
425 "orl %"_LO32 _tmp",("_STK"); " \
426 "popf; " \
427 "pop %"_sav"; "
428
429 /* After executing instruction: write-back necessary bits in EFLAGS. */
430 #define _POST_EFLAGS(_sav, _msk, _tmp) \
431 /* _sav |= EFLAGS & _msk; */ \
432 "pushf; " \
433 "pop %"_tmp"; " \
434 "andl %"_msk",%"_LO32 _tmp"; " \
435 "orl %"_LO32 _tmp",%"_sav"; "
436
437 #ifdef CONFIG_X86_64
438 #define ON64(x) x
439 #else
440 #define ON64(x)
441 #endif
442
443 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
444 do { \
445 __asm__ __volatile__ ( \
446 _PRE_EFLAGS("0", "4", "2") \
447 _op _suffix " %"_x"3,%1; " \
448 _POST_EFLAGS("0", "4", "2") \
449 : "=m" (_eflags), "=m" ((_dst).val), \
450 "=&r" (_tmp) \
451 : _y ((_src).val), "i" (EFLAGS_MASK)); \
452 } while (0)
453
454
455 /* Raw emulation: instruction has two explicit operands. */
456 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
457 do { \
458 unsigned long _tmp; \
459 \
460 switch ((_dst).bytes) { \
461 case 2: \
462 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
463 break; \
464 case 4: \
465 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
466 break; \
467 case 8: \
468 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
469 break; \
470 } \
471 } while (0)
472
473 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
474 do { \
475 unsigned long _tmp; \
476 switch ((_dst).bytes) { \
477 case 1: \
478 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
479 break; \
480 default: \
481 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
482 _wx, _wy, _lx, _ly, _qx, _qy); \
483 break; \
484 } \
485 } while (0)
486
487 /* Source operand is byte-sized and may be restricted to just %cl. */
488 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
489 __emulate_2op(_op, _src, _dst, _eflags, \
490 "b", "c", "b", "c", "b", "c", "b", "c")
491
492 /* Source operand is byte, word, long or quad sized. */
493 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
494 __emulate_2op(_op, _src, _dst, _eflags, \
495 "b", "q", "w", "r", _LO32, "r", "", "r")
496
497 /* Source operand is word, long or quad sized. */
498 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
499 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
500 "w", "r", _LO32, "r", "", "r")
501
502 /* Instruction has three operands and one operand is stored in ECX register */
503 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
504 do { \
505 unsigned long _tmp; \
506 _type _clv = (_cl).val; \
507 _type _srcv = (_src).val; \
508 _type _dstv = (_dst).val; \
509 \
510 __asm__ __volatile__ ( \
511 _PRE_EFLAGS("0", "5", "2") \
512 _op _suffix " %4,%1 \n" \
513 _POST_EFLAGS("0", "5", "2") \
514 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
515 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
516 ); \
517 \
518 (_cl).val = (unsigned long) _clv; \
519 (_src).val = (unsigned long) _srcv; \
520 (_dst).val = (unsigned long) _dstv; \
521 } while (0)
522
523 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
524 do { \
525 switch ((_dst).bytes) { \
526 case 2: \
527 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
528 "w", unsigned short); \
529 break; \
530 case 4: \
531 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
532 "l", unsigned int); \
533 break; \
534 case 8: \
535 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
536 "q", unsigned long)); \
537 break; \
538 } \
539 } while (0)
540
541 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
542 do { \
543 unsigned long _tmp; \
544 \
545 __asm__ __volatile__ ( \
546 _PRE_EFLAGS("0", "3", "2") \
547 _op _suffix " %1; " \
548 _POST_EFLAGS("0", "3", "2") \
549 : "=m" (_eflags), "+m" ((_dst).val), \
550 "=&r" (_tmp) \
551 : "i" (EFLAGS_MASK)); \
552 } while (0)
553
554 /* Instruction has only one explicit operand (no source operand). */
555 #define emulate_1op(_op, _dst, _eflags) \
556 do { \
557 switch ((_dst).bytes) { \
558 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
559 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
560 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
561 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
562 } \
563 } while (0)
564
565 /* Fetch next part of the instruction being emulated. */
566 #define insn_fetch(_type, _size, _eip) \
567 ({ unsigned long _x; \
568 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
569 if (rc != X86EMUL_CONTINUE) \
570 goto done; \
571 (_eip) += (_size); \
572 (_type)_x; \
573 })
574
575 static inline unsigned long ad_mask(struct decode_cache *c)
576 {
577 return (1UL << (c->ad_bytes << 3)) - 1;
578 }
579
580 /* Access/update address held in a register, based on addressing mode. */
581 static inline unsigned long
582 address_mask(struct decode_cache *c, unsigned long reg)
583 {
584 if (c->ad_bytes == sizeof(unsigned long))
585 return reg;
586 else
587 return reg & ad_mask(c);
588 }
589
590 static inline unsigned long
591 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
592 {
593 return base + address_mask(c, reg);
594 }
595
596 static inline void
597 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
598 {
599 if (c->ad_bytes == sizeof(unsigned long))
600 *reg += inc;
601 else
602 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
603 }
604
605 static inline void jmp_rel(struct decode_cache *c, int rel)
606 {
607 register_address_increment(c, &c->eip, rel);
608 }
609
610 static void set_seg_override(struct decode_cache *c, int seg)
611 {
612 c->has_seg_override = true;
613 c->seg_override = seg;
614 }
615
616 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
617 {
618 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
619 return 0;
620
621 return kvm_x86_ops->get_segment_base(ctxt->vcpu, seg);
622 }
623
624 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
625 struct decode_cache *c)
626 {
627 if (!c->has_seg_override)
628 return 0;
629
630 return seg_base(ctxt, c->seg_override);
631 }
632
633 static unsigned long es_base(struct x86_emulate_ctxt *ctxt)
634 {
635 return seg_base(ctxt, VCPU_SREG_ES);
636 }
637
638 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt)
639 {
640 return seg_base(ctxt, VCPU_SREG_SS);
641 }
642
643 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
644 struct x86_emulate_ops *ops,
645 unsigned long linear, u8 *dest)
646 {
647 struct fetch_cache *fc = &ctxt->decode.fetch;
648 int rc;
649 int size;
650
651 if (linear < fc->start || linear >= fc->end) {
652 size = min(15UL, PAGE_SIZE - offset_in_page(linear));
653 rc = ops->fetch(linear, fc->data, size, ctxt->vcpu, NULL);
654 if (rc != X86EMUL_CONTINUE)
655 return rc;
656 fc->start = linear;
657 fc->end = linear + size;
658 }
659 *dest = fc->data[linear - fc->start];
660 return X86EMUL_CONTINUE;
661 }
662
663 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
664 struct x86_emulate_ops *ops,
665 unsigned long eip, void *dest, unsigned size)
666 {
667 int rc;
668
669 /* x86 instructions are limited to 15 bytes. */
670 if (eip + size - ctxt->decode.eip_orig > 15)
671 return X86EMUL_UNHANDLEABLE;
672 eip += ctxt->cs_base;
673 while (size--) {
674 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
675 if (rc != X86EMUL_CONTINUE)
676 return rc;
677 }
678 return X86EMUL_CONTINUE;
679 }
680
681 /*
682 * Given the 'reg' portion of a ModRM byte, and a register block, return a
683 * pointer into the block that addresses the relevant register.
684 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
685 */
686 static void *decode_register(u8 modrm_reg, unsigned long *regs,
687 int highbyte_regs)
688 {
689 void *p;
690
691 p = &regs[modrm_reg];
692 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
693 p = (unsigned char *)&regs[modrm_reg & 3] + 1;
694 return p;
695 }
696
697 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
698 struct x86_emulate_ops *ops,
699 void *ptr,
700 u16 *size, unsigned long *address, int op_bytes)
701 {
702 int rc;
703
704 if (op_bytes == 2)
705 op_bytes = 3;
706 *address = 0;
707 rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
708 ctxt->vcpu, NULL);
709 if (rc != X86EMUL_CONTINUE)
710 return rc;
711 rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
712 ctxt->vcpu, NULL);
713 return rc;
714 }
715
716 static int test_cc(unsigned int condition, unsigned int flags)
717 {
718 int rc = 0;
719
720 switch ((condition & 15) >> 1) {
721 case 0: /* o */
722 rc |= (flags & EFLG_OF);
723 break;
724 case 1: /* b/c/nae */
725 rc |= (flags & EFLG_CF);
726 break;
727 case 2: /* z/e */
728 rc |= (flags & EFLG_ZF);
729 break;
730 case 3: /* be/na */
731 rc |= (flags & (EFLG_CF|EFLG_ZF));
732 break;
733 case 4: /* s */
734 rc |= (flags & EFLG_SF);
735 break;
736 case 5: /* p/pe */
737 rc |= (flags & EFLG_PF);
738 break;
739 case 7: /* le/ng */
740 rc |= (flags & EFLG_ZF);
741 /* fall through */
742 case 6: /* l/nge */
743 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
744 break;
745 }
746
747 /* Odd condition identifiers (lsb == 1) have inverted sense. */
748 return (!!rc ^ (condition & 1));
749 }
750
751 static void decode_register_operand(struct operand *op,
752 struct decode_cache *c,
753 int inhibit_bytereg)
754 {
755 unsigned reg = c->modrm_reg;
756 int highbyte_regs = c->rex_prefix == 0;
757
758 if (!(c->d & ModRM))
759 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
760 op->type = OP_REG;
761 if ((c->d & ByteOp) && !inhibit_bytereg) {
762 op->ptr = decode_register(reg, c->regs, highbyte_regs);
763 op->val = *(u8 *)op->ptr;
764 op->bytes = 1;
765 } else {
766 op->ptr = decode_register(reg, c->regs, 0);
767 op->bytes = c->op_bytes;
768 switch (op->bytes) {
769 case 2:
770 op->val = *(u16 *)op->ptr;
771 break;
772 case 4:
773 op->val = *(u32 *)op->ptr;
774 break;
775 case 8:
776 op->val = *(u64 *) op->ptr;
777 break;
778 }
779 }
780 op->orig_val = op->val;
781 }
782
783 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
784 struct x86_emulate_ops *ops)
785 {
786 struct decode_cache *c = &ctxt->decode;
787 u8 sib;
788 int index_reg = 0, base_reg = 0, scale;
789 int rc = X86EMUL_CONTINUE;
790
791 if (c->rex_prefix) {
792 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
793 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
794 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
795 }
796
797 c->modrm = insn_fetch(u8, 1, c->eip);
798 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
799 c->modrm_reg |= (c->modrm & 0x38) >> 3;
800 c->modrm_rm |= (c->modrm & 0x07);
801 c->modrm_ea = 0;
802 c->use_modrm_ea = 1;
803
804 if (c->modrm_mod == 3) {
805 c->modrm_ptr = decode_register(c->modrm_rm,
806 c->regs, c->d & ByteOp);
807 c->modrm_val = *(unsigned long *)c->modrm_ptr;
808 return rc;
809 }
810
811 if (c->ad_bytes == 2) {
812 unsigned bx = c->regs[VCPU_REGS_RBX];
813 unsigned bp = c->regs[VCPU_REGS_RBP];
814 unsigned si = c->regs[VCPU_REGS_RSI];
815 unsigned di = c->regs[VCPU_REGS_RDI];
816
817 /* 16-bit ModR/M decode. */
818 switch (c->modrm_mod) {
819 case 0:
820 if (c->modrm_rm == 6)
821 c->modrm_ea += insn_fetch(u16, 2, c->eip);
822 break;
823 case 1:
824 c->modrm_ea += insn_fetch(s8, 1, c->eip);
825 break;
826 case 2:
827 c->modrm_ea += insn_fetch(u16, 2, c->eip);
828 break;
829 }
830 switch (c->modrm_rm) {
831 case 0:
832 c->modrm_ea += bx + si;
833 break;
834 case 1:
835 c->modrm_ea += bx + di;
836 break;
837 case 2:
838 c->modrm_ea += bp + si;
839 break;
840 case 3:
841 c->modrm_ea += bp + di;
842 break;
843 case 4:
844 c->modrm_ea += si;
845 break;
846 case 5:
847 c->modrm_ea += di;
848 break;
849 case 6:
850 if (c->modrm_mod != 0)
851 c->modrm_ea += bp;
852 break;
853 case 7:
854 c->modrm_ea += bx;
855 break;
856 }
857 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
858 (c->modrm_rm == 6 && c->modrm_mod != 0))
859 if (!c->has_seg_override)
860 set_seg_override(c, VCPU_SREG_SS);
861 c->modrm_ea = (u16)c->modrm_ea;
862 } else {
863 /* 32/64-bit ModR/M decode. */
864 if ((c->modrm_rm & 7) == 4) {
865 sib = insn_fetch(u8, 1, c->eip);
866 index_reg |= (sib >> 3) & 7;
867 base_reg |= sib & 7;
868 scale = sib >> 6;
869
870 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
871 c->modrm_ea += insn_fetch(s32, 4, c->eip);
872 else
873 c->modrm_ea += c->regs[base_reg];
874 if (index_reg != 4)
875 c->modrm_ea += c->regs[index_reg] << scale;
876 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
877 if (ctxt->mode == X86EMUL_MODE_PROT64)
878 c->rip_relative = 1;
879 } else
880 c->modrm_ea += c->regs[c->modrm_rm];
881 switch (c->modrm_mod) {
882 case 0:
883 if (c->modrm_rm == 5)
884 c->modrm_ea += insn_fetch(s32, 4, c->eip);
885 break;
886 case 1:
887 c->modrm_ea += insn_fetch(s8, 1, c->eip);
888 break;
889 case 2:
890 c->modrm_ea += insn_fetch(s32, 4, c->eip);
891 break;
892 }
893 }
894 done:
895 return rc;
896 }
897
898 static int decode_abs(struct x86_emulate_ctxt *ctxt,
899 struct x86_emulate_ops *ops)
900 {
901 struct decode_cache *c = &ctxt->decode;
902 int rc = X86EMUL_CONTINUE;
903
904 switch (c->ad_bytes) {
905 case 2:
906 c->modrm_ea = insn_fetch(u16, 2, c->eip);
907 break;
908 case 4:
909 c->modrm_ea = insn_fetch(u32, 4, c->eip);
910 break;
911 case 8:
912 c->modrm_ea = insn_fetch(u64, 8, c->eip);
913 break;
914 }
915 done:
916 return rc;
917 }
918
919 int
920 x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
921 {
922 struct decode_cache *c = &ctxt->decode;
923 int rc = X86EMUL_CONTINUE;
924 int mode = ctxt->mode;
925 int def_op_bytes, def_ad_bytes, group;
926
927 /* Shadow copy of register state. Committed on successful emulation. */
928
929 memset(c, 0, sizeof(struct decode_cache));
930 c->eip = c->eip_orig = kvm_rip_read(ctxt->vcpu);
931 ctxt->cs_base = seg_base(ctxt, VCPU_SREG_CS);
932 memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
933
934 switch (mode) {
935 case X86EMUL_MODE_REAL:
936 case X86EMUL_MODE_VM86:
937 case X86EMUL_MODE_PROT16:
938 def_op_bytes = def_ad_bytes = 2;
939 break;
940 case X86EMUL_MODE_PROT32:
941 def_op_bytes = def_ad_bytes = 4;
942 break;
943 #ifdef CONFIG_X86_64
944 case X86EMUL_MODE_PROT64:
945 def_op_bytes = 4;
946 def_ad_bytes = 8;
947 break;
948 #endif
949 default:
950 return -1;
951 }
952
953 c->op_bytes = def_op_bytes;
954 c->ad_bytes = def_ad_bytes;
955
956 /* Legacy prefixes. */
957 for (;;) {
958 switch (c->b = insn_fetch(u8, 1, c->eip)) {
959 case 0x66: /* operand-size override */
960 /* switch between 2/4 bytes */
961 c->op_bytes = def_op_bytes ^ 6;
962 break;
963 case 0x67: /* address-size override */
964 if (mode == X86EMUL_MODE_PROT64)
965 /* switch between 4/8 bytes */
966 c->ad_bytes = def_ad_bytes ^ 12;
967 else
968 /* switch between 2/4 bytes */
969 c->ad_bytes = def_ad_bytes ^ 6;
970 break;
971 case 0x26: /* ES override */
972 case 0x2e: /* CS override */
973 case 0x36: /* SS override */
974 case 0x3e: /* DS override */
975 set_seg_override(c, (c->b >> 3) & 3);
976 break;
977 case 0x64: /* FS override */
978 case 0x65: /* GS override */
979 set_seg_override(c, c->b & 7);
980 break;
981 case 0x40 ... 0x4f: /* REX */
982 if (mode != X86EMUL_MODE_PROT64)
983 goto done_prefixes;
984 c->rex_prefix = c->b;
985 continue;
986 case 0xf0: /* LOCK */
987 c->lock_prefix = 1;
988 break;
989 case 0xf2: /* REPNE/REPNZ */
990 c->rep_prefix = REPNE_PREFIX;
991 break;
992 case 0xf3: /* REP/REPE/REPZ */
993 c->rep_prefix = REPE_PREFIX;
994 break;
995 default:
996 goto done_prefixes;
997 }
998
999 /* Any legacy prefix after a REX prefix nullifies its effect. */
1000
1001 c->rex_prefix = 0;
1002 }
1003
1004 done_prefixes:
1005
1006 /* REX prefix. */
1007 if (c->rex_prefix)
1008 if (c->rex_prefix & 8)
1009 c->op_bytes = 8; /* REX.W */
1010
1011 /* Opcode byte(s). */
1012 c->d = opcode_table[c->b];
1013 if (c->d == 0) {
1014 /* Two-byte opcode? */
1015 if (c->b == 0x0f) {
1016 c->twobyte = 1;
1017 c->b = insn_fetch(u8, 1, c->eip);
1018 c->d = twobyte_table[c->b];
1019 }
1020 }
1021
1022 if (c->d & Group) {
1023 group = c->d & GroupMask;
1024 c->modrm = insn_fetch(u8, 1, c->eip);
1025 --c->eip;
1026
1027 group = (group << 3) + ((c->modrm >> 3) & 7);
1028 if ((c->d & GroupDual) && (c->modrm >> 6) == 3)
1029 c->d = group2_table[group];
1030 else
1031 c->d = group_table[group];
1032 }
1033
1034 /* Unrecognised? */
1035 if (c->d == 0) {
1036 DPRINTF("Cannot emulate %02x\n", c->b);
1037 return -1;
1038 }
1039
1040 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
1041 c->op_bytes = 8;
1042
1043 /* ModRM and SIB bytes. */
1044 if (c->d & ModRM)
1045 rc = decode_modrm(ctxt, ops);
1046 else if (c->d & MemAbs)
1047 rc = decode_abs(ctxt, ops);
1048 if (rc != X86EMUL_CONTINUE)
1049 goto done;
1050
1051 if (!c->has_seg_override)
1052 set_seg_override(c, VCPU_SREG_DS);
1053
1054 if (!(!c->twobyte && c->b == 0x8d))
1055 c->modrm_ea += seg_override_base(ctxt, c);
1056
1057 if (c->ad_bytes != 8)
1058 c->modrm_ea = (u32)c->modrm_ea;
1059 /*
1060 * Decode and fetch the source operand: register, memory
1061 * or immediate.
1062 */
1063 switch (c->d & SrcMask) {
1064 case SrcNone:
1065 break;
1066 case SrcReg:
1067 decode_register_operand(&c->src, c, 0);
1068 break;
1069 case SrcMem16:
1070 c->src.bytes = 2;
1071 goto srcmem_common;
1072 case SrcMem32:
1073 c->src.bytes = 4;
1074 goto srcmem_common;
1075 case SrcMem:
1076 c->src.bytes = (c->d & ByteOp) ? 1 :
1077 c->op_bytes;
1078 /* Don't fetch the address for invlpg: it could be unmapped. */
1079 if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
1080 break;
1081 srcmem_common:
1082 /*
1083 * For instructions with a ModR/M byte, switch to register
1084 * access if Mod = 3.
1085 */
1086 if ((c->d & ModRM) && c->modrm_mod == 3) {
1087 c->src.type = OP_REG;
1088 c->src.val = c->modrm_val;
1089 c->src.ptr = c->modrm_ptr;
1090 break;
1091 }
1092 c->src.type = OP_MEM;
1093 break;
1094 case SrcImm:
1095 case SrcImmU:
1096 c->src.type = OP_IMM;
1097 c->src.ptr = (unsigned long *)c->eip;
1098 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1099 if (c->src.bytes == 8)
1100 c->src.bytes = 4;
1101 /* NB. Immediates are sign-extended as necessary. */
1102 switch (c->src.bytes) {
1103 case 1:
1104 c->src.val = insn_fetch(s8, 1, c->eip);
1105 break;
1106 case 2:
1107 c->src.val = insn_fetch(s16, 2, c->eip);
1108 break;
1109 case 4:
1110 c->src.val = insn_fetch(s32, 4, c->eip);
1111 break;
1112 }
1113 if ((c->d & SrcMask) == SrcImmU) {
1114 switch (c->src.bytes) {
1115 case 1:
1116 c->src.val &= 0xff;
1117 break;
1118 case 2:
1119 c->src.val &= 0xffff;
1120 break;
1121 case 4:
1122 c->src.val &= 0xffffffff;
1123 break;
1124 }
1125 }
1126 break;
1127 case SrcImmByte:
1128 case SrcImmUByte:
1129 c->src.type = OP_IMM;
1130 c->src.ptr = (unsigned long *)c->eip;
1131 c->src.bytes = 1;
1132 if ((c->d & SrcMask) == SrcImmByte)
1133 c->src.val = insn_fetch(s8, 1, c->eip);
1134 else
1135 c->src.val = insn_fetch(u8, 1, c->eip);
1136 break;
1137 case SrcOne:
1138 c->src.bytes = 1;
1139 c->src.val = 1;
1140 break;
1141 }
1142
1143 /*
1144 * Decode and fetch the second source operand: register, memory
1145 * or immediate.
1146 */
1147 switch (c->d & Src2Mask) {
1148 case Src2None:
1149 break;
1150 case Src2CL:
1151 c->src2.bytes = 1;
1152 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
1153 break;
1154 case Src2ImmByte:
1155 c->src2.type = OP_IMM;
1156 c->src2.ptr = (unsigned long *)c->eip;
1157 c->src2.bytes = 1;
1158 c->src2.val = insn_fetch(u8, 1, c->eip);
1159 break;
1160 case Src2Imm16:
1161 c->src2.type = OP_IMM;
1162 c->src2.ptr = (unsigned long *)c->eip;
1163 c->src2.bytes = 2;
1164 c->src2.val = insn_fetch(u16, 2, c->eip);
1165 break;
1166 case Src2One:
1167 c->src2.bytes = 1;
1168 c->src2.val = 1;
1169 break;
1170 case Src2Mem16:
1171 c->src2.bytes = 2;
1172 c->src2.type = OP_MEM;
1173 break;
1174 }
1175
1176 /* Decode and fetch the destination operand: register or memory. */
1177 switch (c->d & DstMask) {
1178 case ImplicitOps:
1179 /* Special instructions do their own operand decoding. */
1180 return 0;
1181 case DstReg:
1182 decode_register_operand(&c->dst, c,
1183 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
1184 break;
1185 case DstMem:
1186 if ((c->d & ModRM) && c->modrm_mod == 3) {
1187 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1188 c->dst.type = OP_REG;
1189 c->dst.val = c->dst.orig_val = c->modrm_val;
1190 c->dst.ptr = c->modrm_ptr;
1191 break;
1192 }
1193 c->dst.type = OP_MEM;
1194 break;
1195 case DstAcc:
1196 c->dst.type = OP_REG;
1197 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1198 c->dst.ptr = &c->regs[VCPU_REGS_RAX];
1199 switch (c->dst.bytes) {
1200 case 1:
1201 c->dst.val = *(u8 *)c->dst.ptr;
1202 break;
1203 case 2:
1204 c->dst.val = *(u16 *)c->dst.ptr;
1205 break;
1206 case 4:
1207 c->dst.val = *(u32 *)c->dst.ptr;
1208 break;
1209 case 8:
1210 c->dst.val = *(u64 *)c->dst.ptr;
1211 break;
1212 }
1213 c->dst.orig_val = c->dst.val;
1214 break;
1215 }
1216
1217 if (c->rip_relative)
1218 c->modrm_ea += c->eip;
1219
1220 done:
1221 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
1222 }
1223
1224 static inline void emulate_push(struct x86_emulate_ctxt *ctxt)
1225 {
1226 struct decode_cache *c = &ctxt->decode;
1227
1228 c->dst.type = OP_MEM;
1229 c->dst.bytes = c->op_bytes;
1230 c->dst.val = c->src.val;
1231 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1232 c->dst.ptr = (void *) register_address(c, ss_base(ctxt),
1233 c->regs[VCPU_REGS_RSP]);
1234 }
1235
1236 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1237 struct x86_emulate_ops *ops,
1238 void *dest, int len)
1239 {
1240 struct decode_cache *c = &ctxt->decode;
1241 int rc;
1242
1243 rc = ops->read_emulated(register_address(c, ss_base(ctxt),
1244 c->regs[VCPU_REGS_RSP]),
1245 dest, len, ctxt->vcpu);
1246 if (rc != X86EMUL_CONTINUE)
1247 return rc;
1248
1249 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1250 return rc;
1251 }
1252
1253 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1254 struct x86_emulate_ops *ops,
1255 void *dest, int len)
1256 {
1257 int rc;
1258 unsigned long val, change_mask;
1259 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1260 int cpl = ops->cpl(ctxt->vcpu);
1261
1262 rc = emulate_pop(ctxt, ops, &val, len);
1263 if (rc != X86EMUL_CONTINUE)
1264 return rc;
1265
1266 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1267 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1268
1269 switch(ctxt->mode) {
1270 case X86EMUL_MODE_PROT64:
1271 case X86EMUL_MODE_PROT32:
1272 case X86EMUL_MODE_PROT16:
1273 if (cpl == 0)
1274 change_mask |= EFLG_IOPL;
1275 if (cpl <= iopl)
1276 change_mask |= EFLG_IF;
1277 break;
1278 case X86EMUL_MODE_VM86:
1279 if (iopl < 3) {
1280 kvm_inject_gp(ctxt->vcpu, 0);
1281 return X86EMUL_PROPAGATE_FAULT;
1282 }
1283 change_mask |= EFLG_IF;
1284 break;
1285 default: /* real mode */
1286 change_mask |= (EFLG_IOPL | EFLG_IF);
1287 break;
1288 }
1289
1290 *(unsigned long *)dest =
1291 (ctxt->eflags & ~change_mask) | (val & change_mask);
1292
1293 return rc;
1294 }
1295
1296 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt, int seg)
1297 {
1298 struct decode_cache *c = &ctxt->decode;
1299 struct kvm_segment segment;
1300
1301 kvm_x86_ops->get_segment(ctxt->vcpu, &segment, seg);
1302
1303 c->src.val = segment.selector;
1304 emulate_push(ctxt);
1305 }
1306
1307 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1308 struct x86_emulate_ops *ops, int seg)
1309 {
1310 struct decode_cache *c = &ctxt->decode;
1311 unsigned long selector;
1312 int rc;
1313
1314 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1315 if (rc != X86EMUL_CONTINUE)
1316 return rc;
1317
1318 rc = kvm_load_segment_descriptor(ctxt->vcpu, (u16)selector, seg);
1319 return rc;
1320 }
1321
1322 static void emulate_pusha(struct x86_emulate_ctxt *ctxt)
1323 {
1324 struct decode_cache *c = &ctxt->decode;
1325 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1326 int reg = VCPU_REGS_RAX;
1327
1328 while (reg <= VCPU_REGS_RDI) {
1329 (reg == VCPU_REGS_RSP) ?
1330 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1331
1332 emulate_push(ctxt);
1333 ++reg;
1334 }
1335 }
1336
1337 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1338 struct x86_emulate_ops *ops)
1339 {
1340 struct decode_cache *c = &ctxt->decode;
1341 int rc = X86EMUL_CONTINUE;
1342 int reg = VCPU_REGS_RDI;
1343
1344 while (reg >= VCPU_REGS_RAX) {
1345 if (reg == VCPU_REGS_RSP) {
1346 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1347 c->op_bytes);
1348 --reg;
1349 }
1350
1351 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1352 if (rc != X86EMUL_CONTINUE)
1353 break;
1354 --reg;
1355 }
1356 return rc;
1357 }
1358
1359 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1360 struct x86_emulate_ops *ops)
1361 {
1362 struct decode_cache *c = &ctxt->decode;
1363
1364 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1365 }
1366
1367 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1368 {
1369 struct decode_cache *c = &ctxt->decode;
1370 switch (c->modrm_reg) {
1371 case 0: /* rol */
1372 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1373 break;
1374 case 1: /* ror */
1375 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1376 break;
1377 case 2: /* rcl */
1378 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1379 break;
1380 case 3: /* rcr */
1381 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1382 break;
1383 case 4: /* sal/shl */
1384 case 6: /* sal/shl */
1385 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1386 break;
1387 case 5: /* shr */
1388 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1389 break;
1390 case 7: /* sar */
1391 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1392 break;
1393 }
1394 }
1395
1396 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1397 struct x86_emulate_ops *ops)
1398 {
1399 struct decode_cache *c = &ctxt->decode;
1400 int rc = X86EMUL_CONTINUE;
1401
1402 switch (c->modrm_reg) {
1403 case 0 ... 1: /* test */
1404 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1405 break;
1406 case 2: /* not */
1407 c->dst.val = ~c->dst.val;
1408 break;
1409 case 3: /* neg */
1410 emulate_1op("neg", c->dst, ctxt->eflags);
1411 break;
1412 default:
1413 DPRINTF("Cannot emulate %02x\n", c->b);
1414 rc = X86EMUL_UNHANDLEABLE;
1415 break;
1416 }
1417 return rc;
1418 }
1419
1420 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1421 struct x86_emulate_ops *ops)
1422 {
1423 struct decode_cache *c = &ctxt->decode;
1424
1425 switch (c->modrm_reg) {
1426 case 0: /* inc */
1427 emulate_1op("inc", c->dst, ctxt->eflags);
1428 break;
1429 case 1: /* dec */
1430 emulate_1op("dec", c->dst, ctxt->eflags);
1431 break;
1432 case 2: /* call near abs */ {
1433 long int old_eip;
1434 old_eip = c->eip;
1435 c->eip = c->src.val;
1436 c->src.val = old_eip;
1437 emulate_push(ctxt);
1438 break;
1439 }
1440 case 4: /* jmp abs */
1441 c->eip = c->src.val;
1442 break;
1443 case 6: /* push */
1444 emulate_push(ctxt);
1445 break;
1446 }
1447 return X86EMUL_CONTINUE;
1448 }
1449
1450 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1451 struct x86_emulate_ops *ops,
1452 unsigned long memop)
1453 {
1454 struct decode_cache *c = &ctxt->decode;
1455 u64 old, new;
1456 int rc;
1457
1458 rc = ops->read_emulated(memop, &old, 8, ctxt->vcpu);
1459 if (rc != X86EMUL_CONTINUE)
1460 return rc;
1461
1462 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1463 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1464
1465 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1466 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1467 ctxt->eflags &= ~EFLG_ZF;
1468
1469 } else {
1470 new = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1471 (u32) c->regs[VCPU_REGS_RBX];
1472
1473 rc = ops->cmpxchg_emulated(memop, &old, &new, 8, ctxt->vcpu);
1474 if (rc != X86EMUL_CONTINUE)
1475 return rc;
1476 ctxt->eflags |= EFLG_ZF;
1477 }
1478 return X86EMUL_CONTINUE;
1479 }
1480
1481 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1482 struct x86_emulate_ops *ops)
1483 {
1484 struct decode_cache *c = &ctxt->decode;
1485 int rc;
1486 unsigned long cs;
1487
1488 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1489 if (rc != X86EMUL_CONTINUE)
1490 return rc;
1491 if (c->op_bytes == 4)
1492 c->eip = (u32)c->eip;
1493 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1494 if (rc != X86EMUL_CONTINUE)
1495 return rc;
1496 rc = kvm_load_segment_descriptor(ctxt->vcpu, (u16)cs, VCPU_SREG_CS);
1497 return rc;
1498 }
1499
1500 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1501 struct x86_emulate_ops *ops)
1502 {
1503 int rc;
1504 struct decode_cache *c = &ctxt->decode;
1505
1506 switch (c->dst.type) {
1507 case OP_REG:
1508 /* The 4-byte case *is* correct:
1509 * in 64-bit mode we zero-extend.
1510 */
1511 switch (c->dst.bytes) {
1512 case 1:
1513 *(u8 *)c->dst.ptr = (u8)c->dst.val;
1514 break;
1515 case 2:
1516 *(u16 *)c->dst.ptr = (u16)c->dst.val;
1517 break;
1518 case 4:
1519 *c->dst.ptr = (u32)c->dst.val;
1520 break; /* 64b: zero-ext */
1521 case 8:
1522 *c->dst.ptr = c->dst.val;
1523 break;
1524 }
1525 break;
1526 case OP_MEM:
1527 if (c->lock_prefix)
1528 rc = ops->cmpxchg_emulated(
1529 (unsigned long)c->dst.ptr,
1530 &c->dst.orig_val,
1531 &c->dst.val,
1532 c->dst.bytes,
1533 ctxt->vcpu);
1534 else
1535 rc = ops->write_emulated(
1536 (unsigned long)c->dst.ptr,
1537 &c->dst.val,
1538 c->dst.bytes,
1539 ctxt->vcpu);
1540 if (rc != X86EMUL_CONTINUE)
1541 return rc;
1542 break;
1543 case OP_NONE:
1544 /* no writeback */
1545 break;
1546 default:
1547 break;
1548 }
1549 return X86EMUL_CONTINUE;
1550 }
1551
1552 static void toggle_interruptibility(struct x86_emulate_ctxt *ctxt, u32 mask)
1553 {
1554 u32 int_shadow = kvm_x86_ops->get_interrupt_shadow(ctxt->vcpu, mask);
1555 /*
1556 * an sti; sti; sequence only disable interrupts for the first
1557 * instruction. So, if the last instruction, be it emulated or
1558 * not, left the system with the INT_STI flag enabled, it
1559 * means that the last instruction is an sti. We should not
1560 * leave the flag on in this case. The same goes for mov ss
1561 */
1562 if (!(int_shadow & mask))
1563 ctxt->interruptibility = mask;
1564 }
1565
1566 static inline void
1567 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1568 struct kvm_segment *cs, struct kvm_segment *ss)
1569 {
1570 memset(cs, 0, sizeof(struct kvm_segment));
1571 kvm_x86_ops->get_segment(ctxt->vcpu, cs, VCPU_SREG_CS);
1572 memset(ss, 0, sizeof(struct kvm_segment));
1573
1574 cs->l = 0; /* will be adjusted later */
1575 cs->base = 0; /* flat segment */
1576 cs->g = 1; /* 4kb granularity */
1577 cs->limit = 0xffffffff; /* 4GB limit */
1578 cs->type = 0x0b; /* Read, Execute, Accessed */
1579 cs->s = 1;
1580 cs->dpl = 0; /* will be adjusted later */
1581 cs->present = 1;
1582 cs->db = 1;
1583
1584 ss->unusable = 0;
1585 ss->base = 0; /* flat segment */
1586 ss->limit = 0xffffffff; /* 4GB limit */
1587 ss->g = 1; /* 4kb granularity */
1588 ss->s = 1;
1589 ss->type = 0x03; /* Read/Write, Accessed */
1590 ss->db = 1; /* 32bit stack segment */
1591 ss->dpl = 0;
1592 ss->present = 1;
1593 }
1594
1595 static int
1596 emulate_syscall(struct x86_emulate_ctxt *ctxt)
1597 {
1598 struct decode_cache *c = &ctxt->decode;
1599 struct kvm_segment cs, ss;
1600 u64 msr_data;
1601
1602 /* syscall is not available in real mode */
1603 if (ctxt->mode == X86EMUL_MODE_REAL || ctxt->mode == X86EMUL_MODE_VM86)
1604 return X86EMUL_UNHANDLEABLE;
1605
1606 setup_syscalls_segments(ctxt, &cs, &ss);
1607
1608 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1609 msr_data >>= 32;
1610 cs.selector = (u16)(msr_data & 0xfffc);
1611 ss.selector = (u16)(msr_data + 8);
1612
1613 if (is_long_mode(ctxt->vcpu)) {
1614 cs.db = 0;
1615 cs.l = 1;
1616 }
1617 kvm_x86_ops->set_segment(ctxt->vcpu, &cs, VCPU_SREG_CS);
1618 kvm_x86_ops->set_segment(ctxt->vcpu, &ss, VCPU_SREG_SS);
1619
1620 c->regs[VCPU_REGS_RCX] = c->eip;
1621 if (is_long_mode(ctxt->vcpu)) {
1622 #ifdef CONFIG_X86_64
1623 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1624
1625 kvm_x86_ops->get_msr(ctxt->vcpu,
1626 ctxt->mode == X86EMUL_MODE_PROT64 ?
1627 MSR_LSTAR : MSR_CSTAR, &msr_data);
1628 c->eip = msr_data;
1629
1630 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1631 ctxt->eflags &= ~(msr_data | EFLG_RF);
1632 #endif
1633 } else {
1634 /* legacy mode */
1635 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1636 c->eip = (u32)msr_data;
1637
1638 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1639 }
1640
1641 return X86EMUL_CONTINUE;
1642 }
1643
1644 static int
1645 emulate_sysenter(struct x86_emulate_ctxt *ctxt)
1646 {
1647 struct decode_cache *c = &ctxt->decode;
1648 struct kvm_segment cs, ss;
1649 u64 msr_data;
1650
1651 /* inject #GP if in real mode */
1652 if (ctxt->mode == X86EMUL_MODE_REAL) {
1653 kvm_inject_gp(ctxt->vcpu, 0);
1654 return X86EMUL_UNHANDLEABLE;
1655 }
1656
1657 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1658 * Therefore, we inject an #UD.
1659 */
1660 if (ctxt->mode == X86EMUL_MODE_PROT64)
1661 return X86EMUL_UNHANDLEABLE;
1662
1663 setup_syscalls_segments(ctxt, &cs, &ss);
1664
1665 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1666 switch (ctxt->mode) {
1667 case X86EMUL_MODE_PROT32:
1668 if ((msr_data & 0xfffc) == 0x0) {
1669 kvm_inject_gp(ctxt->vcpu, 0);
1670 return X86EMUL_PROPAGATE_FAULT;
1671 }
1672 break;
1673 case X86EMUL_MODE_PROT64:
1674 if (msr_data == 0x0) {
1675 kvm_inject_gp(ctxt->vcpu, 0);
1676 return X86EMUL_PROPAGATE_FAULT;
1677 }
1678 break;
1679 }
1680
1681 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1682 cs.selector = (u16)msr_data;
1683 cs.selector &= ~SELECTOR_RPL_MASK;
1684 ss.selector = cs.selector + 8;
1685 ss.selector &= ~SELECTOR_RPL_MASK;
1686 if (ctxt->mode == X86EMUL_MODE_PROT64
1687 || is_long_mode(ctxt->vcpu)) {
1688 cs.db = 0;
1689 cs.l = 1;
1690 }
1691
1692 kvm_x86_ops->set_segment(ctxt->vcpu, &cs, VCPU_SREG_CS);
1693 kvm_x86_ops->set_segment(ctxt->vcpu, &ss, VCPU_SREG_SS);
1694
1695 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
1696 c->eip = msr_data;
1697
1698 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
1699 c->regs[VCPU_REGS_RSP] = msr_data;
1700
1701 return X86EMUL_CONTINUE;
1702 }
1703
1704 static int
1705 emulate_sysexit(struct x86_emulate_ctxt *ctxt)
1706 {
1707 struct decode_cache *c = &ctxt->decode;
1708 struct kvm_segment cs, ss;
1709 u64 msr_data;
1710 int usermode;
1711
1712 /* inject #GP if in real mode or Virtual 8086 mode */
1713 if (ctxt->mode == X86EMUL_MODE_REAL ||
1714 ctxt->mode == X86EMUL_MODE_VM86) {
1715 kvm_inject_gp(ctxt->vcpu, 0);
1716 return X86EMUL_UNHANDLEABLE;
1717 }
1718
1719 setup_syscalls_segments(ctxt, &cs, &ss);
1720
1721 if ((c->rex_prefix & 0x8) != 0x0)
1722 usermode = X86EMUL_MODE_PROT64;
1723 else
1724 usermode = X86EMUL_MODE_PROT32;
1725
1726 cs.dpl = 3;
1727 ss.dpl = 3;
1728 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1729 switch (usermode) {
1730 case X86EMUL_MODE_PROT32:
1731 cs.selector = (u16)(msr_data + 16);
1732 if ((msr_data & 0xfffc) == 0x0) {
1733 kvm_inject_gp(ctxt->vcpu, 0);
1734 return X86EMUL_PROPAGATE_FAULT;
1735 }
1736 ss.selector = (u16)(msr_data + 24);
1737 break;
1738 case X86EMUL_MODE_PROT64:
1739 cs.selector = (u16)(msr_data + 32);
1740 if (msr_data == 0x0) {
1741 kvm_inject_gp(ctxt->vcpu, 0);
1742 return X86EMUL_PROPAGATE_FAULT;
1743 }
1744 ss.selector = cs.selector + 8;
1745 cs.db = 0;
1746 cs.l = 1;
1747 break;
1748 }
1749 cs.selector |= SELECTOR_RPL_MASK;
1750 ss.selector |= SELECTOR_RPL_MASK;
1751
1752 kvm_x86_ops->set_segment(ctxt->vcpu, &cs, VCPU_SREG_CS);
1753 kvm_x86_ops->set_segment(ctxt->vcpu, &ss, VCPU_SREG_SS);
1754
1755 c->eip = ctxt->vcpu->arch.regs[VCPU_REGS_RDX];
1756 c->regs[VCPU_REGS_RSP] = ctxt->vcpu->arch.regs[VCPU_REGS_RCX];
1757
1758 return X86EMUL_CONTINUE;
1759 }
1760
1761 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
1762 struct x86_emulate_ops *ops)
1763 {
1764 int iopl;
1765 if (ctxt->mode == X86EMUL_MODE_REAL)
1766 return false;
1767 if (ctxt->mode == X86EMUL_MODE_VM86)
1768 return true;
1769 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1770 return ops->cpl(ctxt->vcpu) > iopl;
1771 }
1772
1773 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
1774 struct x86_emulate_ops *ops,
1775 u16 port, u16 len)
1776 {
1777 struct kvm_segment tr_seg;
1778 int r;
1779 u16 io_bitmap_ptr;
1780 u8 perm, bit_idx = port & 0x7;
1781 unsigned mask = (1 << len) - 1;
1782
1783 kvm_get_segment(ctxt->vcpu, &tr_seg, VCPU_SREG_TR);
1784 if (tr_seg.unusable)
1785 return false;
1786 if (tr_seg.limit < 103)
1787 return false;
1788 r = ops->read_std(tr_seg.base + 102, &io_bitmap_ptr, 2, ctxt->vcpu,
1789 NULL);
1790 if (r != X86EMUL_CONTINUE)
1791 return false;
1792 if (io_bitmap_ptr + port/8 > tr_seg.limit)
1793 return false;
1794 r = ops->read_std(tr_seg.base + io_bitmap_ptr + port/8, &perm, 1,
1795 ctxt->vcpu, NULL);
1796 if (r != X86EMUL_CONTINUE)
1797 return false;
1798 if ((perm >> bit_idx) & mask)
1799 return false;
1800 return true;
1801 }
1802
1803 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
1804 struct x86_emulate_ops *ops,
1805 u16 port, u16 len)
1806 {
1807 if (emulator_bad_iopl(ctxt, ops))
1808 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
1809 return false;
1810 return true;
1811 }
1812
1813 int
1814 x86_emulate_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1815 {
1816 unsigned long memop = 0;
1817 u64 msr_data;
1818 unsigned long saved_eip = 0;
1819 struct decode_cache *c = &ctxt->decode;
1820 unsigned int port;
1821 int io_dir_in;
1822 int rc = X86EMUL_CONTINUE;
1823
1824 ctxt->interruptibility = 0;
1825
1826 /* Shadow copy of register state. Committed on successful emulation.
1827 * NOTE: we can copy them from vcpu as x86_decode_insn() doesn't
1828 * modify them.
1829 */
1830
1831 memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
1832 saved_eip = c->eip;
1833
1834 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
1835 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
1836 goto done;
1837 }
1838
1839 /* LOCK prefix is allowed only with some instructions */
1840 if (c->lock_prefix && !(c->d & Lock)) {
1841 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
1842 goto done;
1843 }
1844
1845 /* Privileged instruction can be executed only in CPL=0 */
1846 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
1847 kvm_inject_gp(ctxt->vcpu, 0);
1848 goto done;
1849 }
1850
1851 if (((c->d & ModRM) && (c->modrm_mod != 3)) || (c->d & MemAbs))
1852 memop = c->modrm_ea;
1853
1854 if (c->rep_prefix && (c->d & String)) {
1855 /* All REP prefixes have the same first termination condition */
1856 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
1857 kvm_rip_write(ctxt->vcpu, c->eip);
1858 goto done;
1859 }
1860 /* The second termination condition only applies for REPE
1861 * and REPNE. Test if the repeat string operation prefix is
1862 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
1863 * corresponding termination condition according to:
1864 * - if REPE/REPZ and ZF = 0 then done
1865 * - if REPNE/REPNZ and ZF = 1 then done
1866 */
1867 if ((c->b == 0xa6) || (c->b == 0xa7) ||
1868 (c->b == 0xae) || (c->b == 0xaf)) {
1869 if ((c->rep_prefix == REPE_PREFIX) &&
1870 ((ctxt->eflags & EFLG_ZF) == 0)) {
1871 kvm_rip_write(ctxt->vcpu, c->eip);
1872 goto done;
1873 }
1874 if ((c->rep_prefix == REPNE_PREFIX) &&
1875 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF)) {
1876 kvm_rip_write(ctxt->vcpu, c->eip);
1877 goto done;
1878 }
1879 }
1880 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
1881 c->eip = kvm_rip_read(ctxt->vcpu);
1882 }
1883
1884 if (c->src.type == OP_MEM) {
1885 c->src.ptr = (unsigned long *)memop;
1886 c->src.val = 0;
1887 rc = ops->read_emulated((unsigned long)c->src.ptr,
1888 &c->src.val,
1889 c->src.bytes,
1890 ctxt->vcpu);
1891 if (rc != X86EMUL_CONTINUE)
1892 goto done;
1893 c->src.orig_val = c->src.val;
1894 }
1895
1896 if (c->src2.type == OP_MEM) {
1897 c->src2.ptr = (unsigned long *)(memop + c->src.bytes);
1898 c->src2.val = 0;
1899 rc = ops->read_emulated((unsigned long)c->src2.ptr,
1900 &c->src2.val,
1901 c->src2.bytes,
1902 ctxt->vcpu);
1903 if (rc != X86EMUL_CONTINUE)
1904 goto done;
1905 }
1906
1907 if ((c->d & DstMask) == ImplicitOps)
1908 goto special_insn;
1909
1910
1911 if (c->dst.type == OP_MEM) {
1912 c->dst.ptr = (unsigned long *)memop;
1913 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1914 c->dst.val = 0;
1915 if (c->d & BitOp) {
1916 unsigned long mask = ~(c->dst.bytes * 8 - 1);
1917
1918 c->dst.ptr = (void *)c->dst.ptr +
1919 (c->src.val & mask) / 8;
1920 }
1921 if (!(c->d & Mov)) {
1922 /* optimisation - avoid slow emulated read */
1923 rc = ops->read_emulated((unsigned long)c->dst.ptr,
1924 &c->dst.val,
1925 c->dst.bytes,
1926 ctxt->vcpu);
1927 if (rc != X86EMUL_CONTINUE)
1928 goto done;
1929 }
1930 }
1931 c->dst.orig_val = c->dst.val;
1932
1933 special_insn:
1934
1935 if (c->twobyte)
1936 goto twobyte_insn;
1937
1938 switch (c->b) {
1939 case 0x00 ... 0x05:
1940 add: /* add */
1941 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
1942 break;
1943 case 0x06: /* push es */
1944 emulate_push_sreg(ctxt, VCPU_SREG_ES);
1945 break;
1946 case 0x07: /* pop es */
1947 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
1948 if (rc != X86EMUL_CONTINUE)
1949 goto done;
1950 break;
1951 case 0x08 ... 0x0d:
1952 or: /* or */
1953 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
1954 break;
1955 case 0x0e: /* push cs */
1956 emulate_push_sreg(ctxt, VCPU_SREG_CS);
1957 break;
1958 case 0x10 ... 0x15:
1959 adc: /* adc */
1960 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
1961 break;
1962 case 0x16: /* push ss */
1963 emulate_push_sreg(ctxt, VCPU_SREG_SS);
1964 break;
1965 case 0x17: /* pop ss */
1966 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
1967 if (rc != X86EMUL_CONTINUE)
1968 goto done;
1969 break;
1970 case 0x18 ... 0x1d:
1971 sbb: /* sbb */
1972 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
1973 break;
1974 case 0x1e: /* push ds */
1975 emulate_push_sreg(ctxt, VCPU_SREG_DS);
1976 break;
1977 case 0x1f: /* pop ds */
1978 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
1979 if (rc != X86EMUL_CONTINUE)
1980 goto done;
1981 break;
1982 case 0x20 ... 0x25:
1983 and: /* and */
1984 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
1985 break;
1986 case 0x28 ... 0x2d:
1987 sub: /* sub */
1988 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
1989 break;
1990 case 0x30 ... 0x35:
1991 xor: /* xor */
1992 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
1993 break;
1994 case 0x38 ... 0x3d:
1995 cmp: /* cmp */
1996 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
1997 break;
1998 case 0x40 ... 0x47: /* inc r16/r32 */
1999 emulate_1op("inc", c->dst, ctxt->eflags);
2000 break;
2001 case 0x48 ... 0x4f: /* dec r16/r32 */
2002 emulate_1op("dec", c->dst, ctxt->eflags);
2003 break;
2004 case 0x50 ... 0x57: /* push reg */
2005 emulate_push(ctxt);
2006 break;
2007 case 0x58 ... 0x5f: /* pop reg */
2008 pop_instruction:
2009 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2010 if (rc != X86EMUL_CONTINUE)
2011 goto done;
2012 break;
2013 case 0x60: /* pusha */
2014 emulate_pusha(ctxt);
2015 break;
2016 case 0x61: /* popa */
2017 rc = emulate_popa(ctxt, ops);
2018 if (rc != X86EMUL_CONTINUE)
2019 goto done;
2020 break;
2021 case 0x63: /* movsxd */
2022 if (ctxt->mode != X86EMUL_MODE_PROT64)
2023 goto cannot_emulate;
2024 c->dst.val = (s32) c->src.val;
2025 break;
2026 case 0x68: /* push imm */
2027 case 0x6a: /* push imm8 */
2028 emulate_push(ctxt);
2029 break;
2030 case 0x6c: /* insb */
2031 case 0x6d: /* insw/insd */
2032 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2033 (c->d & ByteOp) ? 1 : c->op_bytes)) {
2034 kvm_inject_gp(ctxt->vcpu, 0);
2035 goto done;
2036 }
2037 if (kvm_emulate_pio_string(ctxt->vcpu,
2038 1,
2039 (c->d & ByteOp) ? 1 : c->op_bytes,
2040 c->rep_prefix ?
2041 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1,
2042 (ctxt->eflags & EFLG_DF),
2043 register_address(c, es_base(ctxt),
2044 c->regs[VCPU_REGS_RDI]),
2045 c->rep_prefix,
2046 c->regs[VCPU_REGS_RDX]) == 0) {
2047 c->eip = saved_eip;
2048 return -1;
2049 }
2050 return 0;
2051 case 0x6e: /* outsb */
2052 case 0x6f: /* outsw/outsd */
2053 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2054 (c->d & ByteOp) ? 1 : c->op_bytes)) {
2055 kvm_inject_gp(ctxt->vcpu, 0);
2056 goto done;
2057 }
2058 if (kvm_emulate_pio_string(ctxt->vcpu,
2059 0,
2060 (c->d & ByteOp) ? 1 : c->op_bytes,
2061 c->rep_prefix ?
2062 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1,
2063 (ctxt->eflags & EFLG_DF),
2064 register_address(c,
2065 seg_override_base(ctxt, c),
2066 c->regs[VCPU_REGS_RSI]),
2067 c->rep_prefix,
2068 c->regs[VCPU_REGS_RDX]) == 0) {
2069 c->eip = saved_eip;
2070 return -1;
2071 }
2072 return 0;
2073 case 0x70 ... 0x7f: /* jcc (short) */
2074 if (test_cc(c->b, ctxt->eflags))
2075 jmp_rel(c, c->src.val);
2076 break;
2077 case 0x80 ... 0x83: /* Grp1 */
2078 switch (c->modrm_reg) {
2079 case 0:
2080 goto add;
2081 case 1:
2082 goto or;
2083 case 2:
2084 goto adc;
2085 case 3:
2086 goto sbb;
2087 case 4:
2088 goto and;
2089 case 5:
2090 goto sub;
2091 case 6:
2092 goto xor;
2093 case 7:
2094 goto cmp;
2095 }
2096 break;
2097 case 0x84 ... 0x85:
2098 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2099 break;
2100 case 0x86 ... 0x87: /* xchg */
2101 xchg:
2102 /* Write back the register source. */
2103 switch (c->dst.bytes) {
2104 case 1:
2105 *(u8 *) c->src.ptr = (u8) c->dst.val;
2106 break;
2107 case 2:
2108 *(u16 *) c->src.ptr = (u16) c->dst.val;
2109 break;
2110 case 4:
2111 *c->src.ptr = (u32) c->dst.val;
2112 break; /* 64b reg: zero-extend */
2113 case 8:
2114 *c->src.ptr = c->dst.val;
2115 break;
2116 }
2117 /*
2118 * Write back the memory destination with implicit LOCK
2119 * prefix.
2120 */
2121 c->dst.val = c->src.val;
2122 c->lock_prefix = 1;
2123 break;
2124 case 0x88 ... 0x8b: /* mov */
2125 goto mov;
2126 case 0x8c: { /* mov r/m, sreg */
2127 struct kvm_segment segreg;
2128
2129 if (c->modrm_reg <= 5)
2130 kvm_get_segment(ctxt->vcpu, &segreg, c->modrm_reg);
2131 else {
2132 printk(KERN_INFO "0x8c: Invalid segreg in modrm byte 0x%02x\n",
2133 c->modrm);
2134 goto cannot_emulate;
2135 }
2136 c->dst.val = segreg.selector;
2137 break;
2138 }
2139 case 0x8d: /* lea r16/r32, m */
2140 c->dst.val = c->modrm_ea;
2141 break;
2142 case 0x8e: { /* mov seg, r/m16 */
2143 uint16_t sel;
2144
2145 sel = c->src.val;
2146
2147 if (c->modrm_reg == VCPU_SREG_CS ||
2148 c->modrm_reg > VCPU_SREG_GS) {
2149 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2150 goto done;
2151 }
2152
2153 if (c->modrm_reg == VCPU_SREG_SS)
2154 toggle_interruptibility(ctxt, KVM_X86_SHADOW_INT_MOV_SS);
2155
2156 rc = kvm_load_segment_descriptor(ctxt->vcpu, sel, c->modrm_reg);
2157
2158 c->dst.type = OP_NONE; /* Disable writeback. */
2159 break;
2160 }
2161 case 0x8f: /* pop (sole member of Grp1a) */
2162 rc = emulate_grp1a(ctxt, ops);
2163 if (rc != X86EMUL_CONTINUE)
2164 goto done;
2165 break;
2166 case 0x90: /* nop / xchg r8,rax */
2167 if (!(c->rex_prefix & 1)) { /* nop */
2168 c->dst.type = OP_NONE;
2169 break;
2170 }
2171 case 0x91 ... 0x97: /* xchg reg,rax */
2172 c->src.type = c->dst.type = OP_REG;
2173 c->src.bytes = c->dst.bytes = c->op_bytes;
2174 c->src.ptr = (unsigned long *) &c->regs[VCPU_REGS_RAX];
2175 c->src.val = *(c->src.ptr);
2176 goto xchg;
2177 case 0x9c: /* pushf */
2178 c->src.val = (unsigned long) ctxt->eflags;
2179 emulate_push(ctxt);
2180 break;
2181 case 0x9d: /* popf */
2182 c->dst.type = OP_REG;
2183 c->dst.ptr = (unsigned long *) &ctxt->eflags;
2184 c->dst.bytes = c->op_bytes;
2185 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
2186 if (rc != X86EMUL_CONTINUE)
2187 goto done;
2188 break;
2189 case 0xa0 ... 0xa1: /* mov */
2190 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
2191 c->dst.val = c->src.val;
2192 break;
2193 case 0xa2 ... 0xa3: /* mov */
2194 c->dst.val = (unsigned long)c->regs[VCPU_REGS_RAX];
2195 break;
2196 case 0xa4 ... 0xa5: /* movs */
2197 c->dst.type = OP_MEM;
2198 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2199 c->dst.ptr = (unsigned long *)register_address(c,
2200 es_base(ctxt),
2201 c->regs[VCPU_REGS_RDI]);
2202 rc = ops->read_emulated(register_address(c,
2203 seg_override_base(ctxt, c),
2204 c->regs[VCPU_REGS_RSI]),
2205 &c->dst.val,
2206 c->dst.bytes, ctxt->vcpu);
2207 if (rc != X86EMUL_CONTINUE)
2208 goto done;
2209 register_address_increment(c, &c->regs[VCPU_REGS_RSI],
2210 (ctxt->eflags & EFLG_DF) ? -c->dst.bytes
2211 : c->dst.bytes);
2212 register_address_increment(c, &c->regs[VCPU_REGS_RDI],
2213 (ctxt->eflags & EFLG_DF) ? -c->dst.bytes
2214 : c->dst.bytes);
2215 break;
2216 case 0xa6 ... 0xa7: /* cmps */
2217 c->src.type = OP_NONE; /* Disable writeback. */
2218 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2219 c->src.ptr = (unsigned long *)register_address(c,
2220 seg_override_base(ctxt, c),
2221 c->regs[VCPU_REGS_RSI]);
2222 rc = ops->read_emulated((unsigned long)c->src.ptr,
2223 &c->src.val,
2224 c->src.bytes,
2225 ctxt->vcpu);
2226 if (rc != X86EMUL_CONTINUE)
2227 goto done;
2228
2229 c->dst.type = OP_NONE; /* Disable writeback. */
2230 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2231 c->dst.ptr = (unsigned long *)register_address(c,
2232 es_base(ctxt),
2233 c->regs[VCPU_REGS_RDI]);
2234 rc = ops->read_emulated((unsigned long)c->dst.ptr,
2235 &c->dst.val,
2236 c->dst.bytes,
2237 ctxt->vcpu);
2238 if (rc != X86EMUL_CONTINUE)
2239 goto done;
2240
2241 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.ptr, c->dst.ptr);
2242
2243 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2244
2245 register_address_increment(c, &c->regs[VCPU_REGS_RSI],
2246 (ctxt->eflags & EFLG_DF) ? -c->src.bytes
2247 : c->src.bytes);
2248 register_address_increment(c, &c->regs[VCPU_REGS_RDI],
2249 (ctxt->eflags & EFLG_DF) ? -c->dst.bytes
2250 : c->dst.bytes);
2251
2252 break;
2253 case 0xaa ... 0xab: /* stos */
2254 c->dst.type = OP_MEM;
2255 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2256 c->dst.ptr = (unsigned long *)register_address(c,
2257 es_base(ctxt),
2258 c->regs[VCPU_REGS_RDI]);
2259 c->dst.val = c->regs[VCPU_REGS_RAX];
2260 register_address_increment(c, &c->regs[VCPU_REGS_RDI],
2261 (ctxt->eflags & EFLG_DF) ? -c->dst.bytes
2262 : c->dst.bytes);
2263 break;
2264 case 0xac ... 0xad: /* lods */
2265 c->dst.type = OP_REG;
2266 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2267 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
2268 rc = ops->read_emulated(register_address(c,
2269 seg_override_base(ctxt, c),
2270 c->regs[VCPU_REGS_RSI]),
2271 &c->dst.val,
2272 c->dst.bytes,
2273 ctxt->vcpu);
2274 if (rc != X86EMUL_CONTINUE)
2275 goto done;
2276 register_address_increment(c, &c->regs[VCPU_REGS_RSI],
2277 (ctxt->eflags & EFLG_DF) ? -c->dst.bytes
2278 : c->dst.bytes);
2279 break;
2280 case 0xae ... 0xaf: /* scas */
2281 DPRINTF("Urk! I don't handle SCAS.\n");
2282 goto cannot_emulate;
2283 case 0xb0 ... 0xbf: /* mov r, imm */
2284 goto mov;
2285 case 0xc0 ... 0xc1:
2286 emulate_grp2(ctxt);
2287 break;
2288 case 0xc3: /* ret */
2289 c->dst.type = OP_REG;
2290 c->dst.ptr = &c->eip;
2291 c->dst.bytes = c->op_bytes;
2292 goto pop_instruction;
2293 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
2294 mov:
2295 c->dst.val = c->src.val;
2296 break;
2297 case 0xcb: /* ret far */
2298 rc = emulate_ret_far(ctxt, ops);
2299 if (rc != X86EMUL_CONTINUE)
2300 goto done;
2301 break;
2302 case 0xd0 ... 0xd1: /* Grp2 */
2303 c->src.val = 1;
2304 emulate_grp2(ctxt);
2305 break;
2306 case 0xd2 ... 0xd3: /* Grp2 */
2307 c->src.val = c->regs[VCPU_REGS_RCX];
2308 emulate_grp2(ctxt);
2309 break;
2310 case 0xe4: /* inb */
2311 case 0xe5: /* in */
2312 port = c->src.val;
2313 io_dir_in = 1;
2314 goto do_io;
2315 case 0xe6: /* outb */
2316 case 0xe7: /* out */
2317 port = c->src.val;
2318 io_dir_in = 0;
2319 goto do_io;
2320 case 0xe8: /* call (near) */ {
2321 long int rel = c->src.val;
2322 c->src.val = (unsigned long) c->eip;
2323 jmp_rel(c, rel);
2324 emulate_push(ctxt);
2325 break;
2326 }
2327 case 0xe9: /* jmp rel */
2328 goto jmp;
2329 case 0xea: /* jmp far */
2330 jump_far:
2331 if (kvm_load_segment_descriptor(ctxt->vcpu, c->src2.val,
2332 VCPU_SREG_CS))
2333 goto done;
2334
2335 c->eip = c->src.val;
2336 break;
2337 case 0xeb:
2338 jmp: /* jmp rel short */
2339 jmp_rel(c, c->src.val);
2340 c->dst.type = OP_NONE; /* Disable writeback. */
2341 break;
2342 case 0xec: /* in al,dx */
2343 case 0xed: /* in (e/r)ax,dx */
2344 port = c->regs[VCPU_REGS_RDX];
2345 io_dir_in = 1;
2346 goto do_io;
2347 case 0xee: /* out al,dx */
2348 case 0xef: /* out (e/r)ax,dx */
2349 port = c->regs[VCPU_REGS_RDX];
2350 io_dir_in = 0;
2351 do_io:
2352 if (!emulator_io_permited(ctxt, ops, port,
2353 (c->d & ByteOp) ? 1 : c->op_bytes)) {
2354 kvm_inject_gp(ctxt->vcpu, 0);
2355 goto done;
2356 }
2357 if (kvm_emulate_pio(ctxt->vcpu, io_dir_in,
2358 (c->d & ByteOp) ? 1 : c->op_bytes,
2359 port) != 0) {
2360 c->eip = saved_eip;
2361 goto cannot_emulate;
2362 }
2363 break;
2364 case 0xf4: /* hlt */
2365 ctxt->vcpu->arch.halt_request = 1;
2366 break;
2367 case 0xf5: /* cmc */
2368 /* complement carry flag from eflags reg */
2369 ctxt->eflags ^= EFLG_CF;
2370 c->dst.type = OP_NONE; /* Disable writeback. */
2371 break;
2372 case 0xf6 ... 0xf7: /* Grp3 */
2373 rc = emulate_grp3(ctxt, ops);
2374 if (rc != X86EMUL_CONTINUE)
2375 goto done;
2376 break;
2377 case 0xf8: /* clc */
2378 ctxt->eflags &= ~EFLG_CF;
2379 c->dst.type = OP_NONE; /* Disable writeback. */
2380 break;
2381 case 0xfa: /* cli */
2382 if (emulator_bad_iopl(ctxt, ops))
2383 kvm_inject_gp(ctxt->vcpu, 0);
2384 else {
2385 ctxt->eflags &= ~X86_EFLAGS_IF;
2386 c->dst.type = OP_NONE; /* Disable writeback. */
2387 }
2388 break;
2389 case 0xfb: /* sti */
2390 if (emulator_bad_iopl(ctxt, ops))
2391 kvm_inject_gp(ctxt->vcpu, 0);
2392 else {
2393 toggle_interruptibility(ctxt, KVM_X86_SHADOW_INT_STI);
2394 ctxt->eflags |= X86_EFLAGS_IF;
2395 c->dst.type = OP_NONE; /* Disable writeback. */
2396 }
2397 break;
2398 case 0xfc: /* cld */
2399 ctxt->eflags &= ~EFLG_DF;
2400 c->dst.type = OP_NONE; /* Disable writeback. */
2401 break;
2402 case 0xfd: /* std */
2403 ctxt->eflags |= EFLG_DF;
2404 c->dst.type = OP_NONE; /* Disable writeback. */
2405 break;
2406 case 0xfe: /* Grp4 */
2407 grp45:
2408 rc = emulate_grp45(ctxt, ops);
2409 if (rc != X86EMUL_CONTINUE)
2410 goto done;
2411 break;
2412 case 0xff: /* Grp5 */
2413 if (c->modrm_reg == 5)
2414 goto jump_far;
2415 goto grp45;
2416 }
2417
2418 writeback:
2419 rc = writeback(ctxt, ops);
2420 if (rc != X86EMUL_CONTINUE)
2421 goto done;
2422
2423 /* Commit shadow register state. */
2424 memcpy(ctxt->vcpu->arch.regs, c->regs, sizeof c->regs);
2425 kvm_rip_write(ctxt->vcpu, c->eip);
2426
2427 done:
2428 if (rc == X86EMUL_UNHANDLEABLE) {
2429 c->eip = saved_eip;
2430 return -1;
2431 }
2432 return 0;
2433
2434 twobyte_insn:
2435 switch (c->b) {
2436 case 0x01: /* lgdt, lidt, lmsw */
2437 switch (c->modrm_reg) {
2438 u16 size;
2439 unsigned long address;
2440
2441 case 0: /* vmcall */
2442 if (c->modrm_mod != 3 || c->modrm_rm != 1)
2443 goto cannot_emulate;
2444
2445 rc = kvm_fix_hypercall(ctxt->vcpu);
2446 if (rc != X86EMUL_CONTINUE)
2447 goto done;
2448
2449 /* Let the processor re-execute the fixed hypercall */
2450 c->eip = kvm_rip_read(ctxt->vcpu);
2451 /* Disable writeback. */
2452 c->dst.type = OP_NONE;
2453 break;
2454 case 2: /* lgdt */
2455 rc = read_descriptor(ctxt, ops, c->src.ptr,
2456 &size, &address, c->op_bytes);
2457 if (rc != X86EMUL_CONTINUE)
2458 goto done;
2459 realmode_lgdt(ctxt->vcpu, size, address);
2460 /* Disable writeback. */
2461 c->dst.type = OP_NONE;
2462 break;
2463 case 3: /* lidt/vmmcall */
2464 if (c->modrm_mod == 3) {
2465 switch (c->modrm_rm) {
2466 case 1:
2467 rc = kvm_fix_hypercall(ctxt->vcpu);
2468 if (rc != X86EMUL_CONTINUE)
2469 goto done;
2470 break;
2471 default:
2472 goto cannot_emulate;
2473 }
2474 } else {
2475 rc = read_descriptor(ctxt, ops, c->src.ptr,
2476 &size, &address,
2477 c->op_bytes);
2478 if (rc != X86EMUL_CONTINUE)
2479 goto done;
2480 realmode_lidt(ctxt->vcpu, size, address);
2481 }
2482 /* Disable writeback. */
2483 c->dst.type = OP_NONE;
2484 break;
2485 case 4: /* smsw */
2486 c->dst.bytes = 2;
2487 c->dst.val = ops->get_cr(0, ctxt->vcpu);
2488 break;
2489 case 6: /* lmsw */
2490 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0ful) |
2491 (c->src.val & 0x0f), ctxt->vcpu);
2492 c->dst.type = OP_NONE;
2493 break;
2494 case 7: /* invlpg*/
2495 emulate_invlpg(ctxt->vcpu, memop);
2496 /* Disable writeback. */
2497 c->dst.type = OP_NONE;
2498 break;
2499 default:
2500 goto cannot_emulate;
2501 }
2502 break;
2503 case 0x05: /* syscall */
2504 rc = emulate_syscall(ctxt);
2505 if (rc != X86EMUL_CONTINUE)
2506 goto done;
2507 else
2508 goto writeback;
2509 break;
2510 case 0x06:
2511 emulate_clts(ctxt->vcpu);
2512 c->dst.type = OP_NONE;
2513 break;
2514 case 0x08: /* invd */
2515 case 0x09: /* wbinvd */
2516 case 0x0d: /* GrpP (prefetch) */
2517 case 0x18: /* Grp16 (prefetch/nop) */
2518 c->dst.type = OP_NONE;
2519 break;
2520 case 0x20: /* mov cr, reg */
2521 if (c->modrm_mod != 3)
2522 goto cannot_emulate;
2523 c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
2524 c->dst.type = OP_NONE; /* no writeback */
2525 break;
2526 case 0x21: /* mov from dr to reg */
2527 if (c->modrm_mod != 3)
2528 goto cannot_emulate;
2529 if (emulator_get_dr(ctxt, c->modrm_reg, &c->regs[c->modrm_rm]))
2530 goto cannot_emulate;
2531 rc = X86EMUL_CONTINUE;
2532 c->dst.type = OP_NONE; /* no writeback */
2533 break;
2534 case 0x22: /* mov reg, cr */
2535 if (c->modrm_mod != 3)
2536 goto cannot_emulate;
2537 ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu);
2538 c->dst.type = OP_NONE;
2539 break;
2540 case 0x23: /* mov from reg to dr */
2541 if (c->modrm_mod != 3)
2542 goto cannot_emulate;
2543 if (emulator_set_dr(ctxt, c->modrm_reg, c->regs[c->modrm_rm]))
2544 goto cannot_emulate;
2545 rc = X86EMUL_CONTINUE;
2546 c->dst.type = OP_NONE; /* no writeback */
2547 break;
2548 case 0x30:
2549 /* wrmsr */
2550 msr_data = (u32)c->regs[VCPU_REGS_RAX]
2551 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
2552 if (kvm_set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
2553 kvm_inject_gp(ctxt->vcpu, 0);
2554 c->eip = kvm_rip_read(ctxt->vcpu);
2555 }
2556 rc = X86EMUL_CONTINUE;
2557 c->dst.type = OP_NONE;
2558 break;
2559 case 0x32:
2560 /* rdmsr */
2561 if (kvm_get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
2562 kvm_inject_gp(ctxt->vcpu, 0);
2563 c->eip = kvm_rip_read(ctxt->vcpu);
2564 } else {
2565 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
2566 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
2567 }
2568 rc = X86EMUL_CONTINUE;
2569 c->dst.type = OP_NONE;
2570 break;
2571 case 0x34: /* sysenter */
2572 rc = emulate_sysenter(ctxt);
2573 if (rc != X86EMUL_CONTINUE)
2574 goto done;
2575 else
2576 goto writeback;
2577 break;
2578 case 0x35: /* sysexit */
2579 rc = emulate_sysexit(ctxt);
2580 if (rc != X86EMUL_CONTINUE)
2581 goto done;
2582 else
2583 goto writeback;
2584 break;
2585 case 0x40 ... 0x4f: /* cmov */
2586 c->dst.val = c->dst.orig_val = c->src.val;
2587 if (!test_cc(c->b, ctxt->eflags))
2588 c->dst.type = OP_NONE; /* no writeback */
2589 break;
2590 case 0x80 ... 0x8f: /* jnz rel, etc*/
2591 if (test_cc(c->b, ctxt->eflags))
2592 jmp_rel(c, c->src.val);
2593 c->dst.type = OP_NONE;
2594 break;
2595 case 0xa0: /* push fs */
2596 emulate_push_sreg(ctxt, VCPU_SREG_FS);
2597 break;
2598 case 0xa1: /* pop fs */
2599 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
2600 if (rc != X86EMUL_CONTINUE)
2601 goto done;
2602 break;
2603 case 0xa3:
2604 bt: /* bt */
2605 c->dst.type = OP_NONE;
2606 /* only subword offset */
2607 c->src.val &= (c->dst.bytes << 3) - 1;
2608 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
2609 break;
2610 case 0xa4: /* shld imm8, r, r/m */
2611 case 0xa5: /* shld cl, r, r/m */
2612 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
2613 break;
2614 case 0xa8: /* push gs */
2615 emulate_push_sreg(ctxt, VCPU_SREG_GS);
2616 break;
2617 case 0xa9: /* pop gs */
2618 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
2619 if (rc != X86EMUL_CONTINUE)
2620 goto done;
2621 break;
2622 case 0xab:
2623 bts: /* bts */
2624 /* only subword offset */
2625 c->src.val &= (c->dst.bytes << 3) - 1;
2626 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
2627 break;
2628 case 0xac: /* shrd imm8, r, r/m */
2629 case 0xad: /* shrd cl, r, r/m */
2630 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
2631 break;
2632 case 0xae: /* clflush */
2633 break;
2634 case 0xb0 ... 0xb1: /* cmpxchg */
2635 /*
2636 * Save real source value, then compare EAX against
2637 * destination.
2638 */
2639 c->src.orig_val = c->src.val;
2640 c->src.val = c->regs[VCPU_REGS_RAX];
2641 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2642 if (ctxt->eflags & EFLG_ZF) {
2643 /* Success: write back to memory. */
2644 c->dst.val = c->src.orig_val;
2645 } else {
2646 /* Failure: write the value we saw to EAX. */
2647 c->dst.type = OP_REG;
2648 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
2649 }
2650 break;
2651 case 0xb3:
2652 btr: /* btr */
2653 /* only subword offset */
2654 c->src.val &= (c->dst.bytes << 3) - 1;
2655 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
2656 break;
2657 case 0xb6 ... 0xb7: /* movzx */
2658 c->dst.bytes = c->op_bytes;
2659 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
2660 : (u16) c->src.val;
2661 break;
2662 case 0xba: /* Grp8 */
2663 switch (c->modrm_reg & 3) {
2664 case 0:
2665 goto bt;
2666 case 1:
2667 goto bts;
2668 case 2:
2669 goto btr;
2670 case 3:
2671 goto btc;
2672 }
2673 break;
2674 case 0xbb:
2675 btc: /* btc */
2676 /* only subword offset */
2677 c->src.val &= (c->dst.bytes << 3) - 1;
2678 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
2679 break;
2680 case 0xbe ... 0xbf: /* movsx */
2681 c->dst.bytes = c->op_bytes;
2682 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
2683 (s16) c->src.val;
2684 break;
2685 case 0xc3: /* movnti */
2686 c->dst.bytes = c->op_bytes;
2687 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
2688 (u64) c->src.val;
2689 break;
2690 case 0xc7: /* Grp9 (cmpxchg8b) */
2691 rc = emulate_grp9(ctxt, ops, memop);
2692 if (rc != X86EMUL_CONTINUE)
2693 goto done;
2694 c->dst.type = OP_NONE;
2695 break;
2696 }
2697 goto writeback;
2698
2699 cannot_emulate:
2700 DPRINTF("Cannot emulate %02x\n", c->b);
2701 c->eip = saved_eip;
2702 return -1;
2703 }
Linux kernel - Deliverables
This page took 0.123415 seconds and 4 git commands to generate.