projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
KVM: x86 emulator: introduce pio in string read ahead.
[deliverable/linux.git] / arch / x86 / kvm / emulate.c
1 /******************************************************************************
2 * emulate.c
3 *
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5 *
6 * Copyright (c) 2005 Keir Fraser
7 *
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
10 *
11 * Copyright (C) 2006 Qumranet
12 *
13 * Avi Kivity <avi@qumranet.com>
14 * Yaniv Kamay <yaniv@qumranet.com>
15 *
16 * This work is licensed under the terms of the GNU GPL, version 2. See
17 * the COPYING file in the top-level directory.
18 *
19 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
20 */
21
22 #ifndef __KERNEL__
23 #include <stdio.h>
24 #include <stdint.h>
25 #include <public/xen.h>
26 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
27 #else
28 #include <linux/kvm_host.h>
29 #include "kvm_cache_regs.h"
30 #define DPRINTF(x...) do {} while (0)
31 #endif
32 #include <linux/module.h>
33 #include <asm/kvm_emulate.h>
34
35 #include "x86.h"
36 #include "tss.h"
37
38 /*
39 * Opcode effective-address decode tables.
40 * Note that we only emulate instructions that have at least one memory
41 * operand (excluding implicit stack references). We assume that stack
42 * references and instruction fetches will never occur in special memory
43 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
44 * not be handled.
45 */
46
47 /* Operand sizes: 8-bit operands or specified/overridden size. */
48 #define ByteOp (1<<0) /* 8-bit operands. */
49 /* Destination operand type. */
50 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
51 #define DstReg (2<<1) /* Register operand. */
52 #define DstMem (3<<1) /* Memory operand. */
53 #define DstAcc (4<<1) /* Destination Accumulator */
54 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
55 #define DstMask (7<<1)
56 /* Source operand type. */
57 #define SrcNone (0<<4) /* No source operand. */
58 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
59 #define SrcReg (1<<4) /* Register operand. */
60 #define SrcMem (2<<4) /* Memory operand. */
61 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
62 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
63 #define SrcImm (5<<4) /* Immediate operand. */
64 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
65 #define SrcOne (7<<4) /* Implied '1' */
66 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
67 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
68 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
69 #define SrcMask (0xf<<4)
70 /* Generic ModRM decode. */
71 #define ModRM (1<<8)
72 /* Destination is only written; never read. */
73 #define Mov (1<<9)
74 #define BitOp (1<<10)
75 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
76 #define String (1<<12) /* String instruction (rep capable) */
77 #define Stack (1<<13) /* Stack instruction (push/pop) */
78 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
79 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
80 #define GroupMask 0xff /* Group number stored in bits 0:7 */
81 /* Misc flags */
82 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
83 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
84 #define No64 (1<<28)
85 /* Source 2 operand type */
86 #define Src2None (0<<29)
87 #define Src2CL (1<<29)
88 #define Src2ImmByte (2<<29)
89 #define Src2One (3<<29)
90 #define Src2Imm16 (4<<29)
91 #define Src2Mem16 (5<<29) /* Used for Ep encoding. First argument has to be
92 in memory and second argument is located
93 immediately after the first one in memory. */
94 #define Src2Mask (7<<29)
95
96 enum {
97 Group1_80, Group1_81, Group1_82, Group1_83,
98 Group1A, Group3_Byte, Group3, Group4, Group5, Group7,
99 Group8, Group9,
100 };
101
102 static u32 opcode_table[256] = {
103 /* 0x00 - 0x07 */
104 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
105 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
106 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
107 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
108 /* 0x08 - 0x0F */
109 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
110 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
111 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
112 ImplicitOps | Stack | No64, 0,
113 /* 0x10 - 0x17 */
114 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
115 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
116 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
117 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
118 /* 0x18 - 0x1F */
119 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
120 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
121 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
122 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
123 /* 0x20 - 0x27 */
124 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
125 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
126 DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
127 /* 0x28 - 0x2F */
128 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
129 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
130 0, 0, 0, 0,
131 /* 0x30 - 0x37 */
132 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
133 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
134 0, 0, 0, 0,
135 /* 0x38 - 0x3F */
136 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
137 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
138 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
139 0, 0,
140 /* 0x40 - 0x47 */
141 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
142 /* 0x48 - 0x4F */
143 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
144 /* 0x50 - 0x57 */
145 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
146 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
147 /* 0x58 - 0x5F */
148 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
149 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
150 /* 0x60 - 0x67 */
151 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
152 0, DstReg | SrcMem32 | ModRM | Mov /* movsxd (x86/64) */ ,
153 0, 0, 0, 0,
154 /* 0x68 - 0x6F */
155 SrcImm | Mov | Stack, 0, SrcImmByte | Mov | Stack, 0,
156 DstDI | ByteOp | Mov | String, DstDI | Mov | String, /* insb, insw/insd */
157 SrcSI | ByteOp | ImplicitOps | String, SrcSI | ImplicitOps | String, /* outsb, outsw/outsd */
158 /* 0x70 - 0x77 */
159 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
160 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
161 /* 0x78 - 0x7F */
162 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
163 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
164 /* 0x80 - 0x87 */
165 Group | Group1_80, Group | Group1_81,
166 Group | Group1_82, Group | Group1_83,
167 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
168 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
169 /* 0x88 - 0x8F */
170 ByteOp | DstMem | SrcReg | ModRM | Mov, DstMem | SrcReg | ModRM | Mov,
171 ByteOp | DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
172 DstMem | SrcReg | ModRM | Mov, ModRM | DstReg,
173 DstReg | SrcMem | ModRM | Mov, Group | Group1A,
174 /* 0x90 - 0x97 */
175 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
176 /* 0x98 - 0x9F */
177 0, 0, SrcImm | Src2Imm16 | No64, 0,
178 ImplicitOps | Stack, ImplicitOps | Stack, 0, 0,
179 /* 0xA0 - 0xA7 */
180 ByteOp | DstReg | SrcMem | Mov | MemAbs, DstReg | SrcMem | Mov | MemAbs,
181 ByteOp | DstMem | SrcReg | Mov | MemAbs, DstMem | SrcReg | Mov | MemAbs,
182 ByteOp | SrcSI | DstDI | Mov | String, SrcSI | DstDI | Mov | String,
183 ByteOp | SrcSI | DstDI | String, SrcSI | DstDI | String,
184 /* 0xA8 - 0xAF */
185 0, 0, ByteOp | DstDI | Mov | String, DstDI | Mov | String,
186 ByteOp | SrcSI | DstAcc | Mov | String, SrcSI | DstAcc | Mov | String,
187 ByteOp | DstDI | String, DstDI | String,
188 /* 0xB0 - 0xB7 */
189 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
190 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
191 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
192 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
193 /* 0xB8 - 0xBF */
194 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
195 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
196 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
197 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
198 /* 0xC0 - 0xC7 */
199 ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM,
200 0, ImplicitOps | Stack, 0, 0,
201 ByteOp | DstMem | SrcImm | ModRM | Mov, DstMem | SrcImm | ModRM | Mov,
202 /* 0xC8 - 0xCF */
203 0, 0, 0, ImplicitOps | Stack,
204 ImplicitOps, SrcImmByte, ImplicitOps | No64, ImplicitOps,
205 /* 0xD0 - 0xD7 */
206 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
207 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
208 0, 0, 0, 0,
209 /* 0xD8 - 0xDF */
210 0, 0, 0, 0, 0, 0, 0, 0,
211 /* 0xE0 - 0xE7 */
212 0, 0, 0, 0,
213 ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
214 ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
215 /* 0xE8 - 0xEF */
216 SrcImm | Stack, SrcImm | ImplicitOps,
217 SrcImmU | Src2Imm16 | No64, SrcImmByte | ImplicitOps,
218 SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
219 SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
220 /* 0xF0 - 0xF7 */
221 0, 0, 0, 0,
222 ImplicitOps | Priv, ImplicitOps, Group | Group3_Byte, Group | Group3,
223 /* 0xF8 - 0xFF */
224 ImplicitOps, 0, ImplicitOps, ImplicitOps,
225 ImplicitOps, ImplicitOps, Group | Group4, Group | Group5,
226 };
227
228 static u32 twobyte_table[256] = {
229 /* 0x00 - 0x0F */
230 0, Group | GroupDual | Group7, 0, 0,
231 0, ImplicitOps, ImplicitOps | Priv, 0,
232 ImplicitOps | Priv, ImplicitOps | Priv, 0, 0,
233 0, ImplicitOps | ModRM, 0, 0,
234 /* 0x10 - 0x1F */
235 0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0,
236 /* 0x20 - 0x2F */
237 ModRM | ImplicitOps | Priv, ModRM | Priv,
238 ModRM | ImplicitOps | Priv, ModRM | Priv,
239 0, 0, 0, 0,
240 0, 0, 0, 0, 0, 0, 0, 0,
241 /* 0x30 - 0x3F */
242 ImplicitOps | Priv, 0, ImplicitOps | Priv, 0,
243 ImplicitOps, ImplicitOps | Priv, 0, 0,
244 0, 0, 0, 0, 0, 0, 0, 0,
245 /* 0x40 - 0x47 */
246 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
247 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
248 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
249 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
250 /* 0x48 - 0x4F */
251 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
252 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
253 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
254 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
255 /* 0x50 - 0x5F */
256 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
257 /* 0x60 - 0x6F */
258 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
259 /* 0x70 - 0x7F */
260 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
261 /* 0x80 - 0x8F */
262 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
263 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
264 /* 0x90 - 0x9F */
265 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
266 /* 0xA0 - 0xA7 */
267 ImplicitOps | Stack, ImplicitOps | Stack,
268 0, DstMem | SrcReg | ModRM | BitOp,
269 DstMem | SrcReg | Src2ImmByte | ModRM,
270 DstMem | SrcReg | Src2CL | ModRM, 0, 0,
271 /* 0xA8 - 0xAF */
272 ImplicitOps | Stack, ImplicitOps | Stack,
273 0, DstMem | SrcReg | ModRM | BitOp | Lock,
274 DstMem | SrcReg | Src2ImmByte | ModRM,
275 DstMem | SrcReg | Src2CL | ModRM,
276 ModRM, 0,
277 /* 0xB0 - 0xB7 */
278 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
279 0, DstMem | SrcReg | ModRM | BitOp | Lock,
280 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
281 DstReg | SrcMem16 | ModRM | Mov,
282 /* 0xB8 - 0xBF */
283 0, 0,
284 Group | Group8, DstMem | SrcReg | ModRM | BitOp | Lock,
285 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
286 DstReg | SrcMem16 | ModRM | Mov,
287 /* 0xC0 - 0xCF */
288 0, 0, 0, DstMem | SrcReg | ModRM | Mov,
289 0, 0, 0, Group | GroupDual | Group9,
290 0, 0, 0, 0, 0, 0, 0, 0,
291 /* 0xD0 - 0xDF */
292 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
293 /* 0xE0 - 0xEF */
294 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
295 /* 0xF0 - 0xFF */
296 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
297 };
298
299 static u32 group_table[] = {
300 [Group1_80*8] =
301 ByteOp | DstMem | SrcImm | ModRM | Lock,
302 ByteOp | DstMem | SrcImm | ModRM | Lock,
303 ByteOp | DstMem | SrcImm | ModRM | Lock,
304 ByteOp | DstMem | SrcImm | ModRM | Lock,
305 ByteOp | DstMem | SrcImm | ModRM | Lock,
306 ByteOp | DstMem | SrcImm | ModRM | Lock,
307 ByteOp | DstMem | SrcImm | ModRM | Lock,
308 ByteOp | DstMem | SrcImm | ModRM,
309 [Group1_81*8] =
310 DstMem | SrcImm | ModRM | Lock,
311 DstMem | SrcImm | ModRM | Lock,
312 DstMem | SrcImm | ModRM | Lock,
313 DstMem | SrcImm | ModRM | Lock,
314 DstMem | SrcImm | ModRM | Lock,
315 DstMem | SrcImm | ModRM | Lock,
316 DstMem | SrcImm | ModRM | Lock,
317 DstMem | SrcImm | ModRM,
318 [Group1_82*8] =
319 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
320 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
321 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
322 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
323 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
324 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
325 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
326 ByteOp | DstMem | SrcImm | ModRM | No64,
327 [Group1_83*8] =
328 DstMem | SrcImmByte | ModRM | Lock,
329 DstMem | SrcImmByte | ModRM | Lock,
330 DstMem | SrcImmByte | ModRM | Lock,
331 DstMem | SrcImmByte | ModRM | Lock,
332 DstMem | SrcImmByte | ModRM | Lock,
333 DstMem | SrcImmByte | ModRM | Lock,
334 DstMem | SrcImmByte | ModRM | Lock,
335 DstMem | SrcImmByte | ModRM,
336 [Group1A*8] =
337 DstMem | SrcNone | ModRM | Mov | Stack, 0, 0, 0, 0, 0, 0, 0,
338 [Group3_Byte*8] =
339 ByteOp | SrcImm | DstMem | ModRM, 0,
340 ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
341 0, 0, 0, 0,
342 [Group3*8] =
343 DstMem | SrcImm | ModRM, 0,
344 DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
345 0, 0, 0, 0,
346 [Group4*8] =
347 ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
348 0, 0, 0, 0, 0, 0,
349 [Group5*8] =
350 DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
351 SrcMem | ModRM | Stack, 0,
352 SrcMem | ModRM | Stack, SrcMem | ModRM | Src2Mem16 | ImplicitOps,
353 SrcMem | ModRM | Stack, 0,
354 [Group7*8] =
355 0, 0, ModRM | SrcMem | Priv, ModRM | SrcMem | Priv,
356 SrcNone | ModRM | DstMem | Mov, 0,
357 SrcMem16 | ModRM | Mov | Priv, SrcMem | ModRM | ByteOp | Priv,
358 [Group8*8] =
359 0, 0, 0, 0,
360 DstMem | SrcImmByte | ModRM, DstMem | SrcImmByte | ModRM | Lock,
361 DstMem | SrcImmByte | ModRM | Lock, DstMem | SrcImmByte | ModRM | Lock,
362 [Group9*8] =
363 0, ImplicitOps | ModRM | Lock, 0, 0, 0, 0, 0, 0,
364 };
365
366 static u32 group2_table[] = {
367 [Group7*8] =
368 SrcNone | ModRM | Priv, 0, 0, SrcNone | ModRM | Priv,
369 SrcNone | ModRM | DstMem | Mov, 0,
370 SrcMem16 | ModRM | Mov | Priv, 0,
371 [Group9*8] =
372 0, 0, 0, 0, 0, 0, 0, 0,
373 };
374
375 /* EFLAGS bit definitions. */
376 #define EFLG_ID (1<<21)
377 #define EFLG_VIP (1<<20)
378 #define EFLG_VIF (1<<19)
379 #define EFLG_AC (1<<18)
380 #define EFLG_VM (1<<17)
381 #define EFLG_RF (1<<16)
382 #define EFLG_IOPL (3<<12)
383 #define EFLG_NT (1<<14)
384 #define EFLG_OF (1<<11)
385 #define EFLG_DF (1<<10)
386 #define EFLG_IF (1<<9)
387 #define EFLG_TF (1<<8)
388 #define EFLG_SF (1<<7)
389 #define EFLG_ZF (1<<6)
390 #define EFLG_AF (1<<4)
391 #define EFLG_PF (1<<2)
392 #define EFLG_CF (1<<0)
393
394 /*
395 * Instruction emulation:
396 * Most instructions are emulated directly via a fragment of inline assembly
397 * code. This allows us to save/restore EFLAGS and thus very easily pick up
398 * any modified flags.
399 */
400
401 #if defined(CONFIG_X86_64)
402 #define _LO32 "k" /* force 32-bit operand */
403 #define _STK "%%rsp" /* stack pointer */
404 #elif defined(__i386__)
405 #define _LO32 "" /* force 32-bit operand */
406 #define _STK "%%esp" /* stack pointer */
407 #endif
408
409 /*
410 * These EFLAGS bits are restored from saved value during emulation, and
411 * any changes are written back to the saved value after emulation.
412 */
413 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
414
415 /* Before executing instruction: restore necessary bits in EFLAGS. */
416 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
417 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
418 "movl %"_sav",%"_LO32 _tmp"; " \
419 "push %"_tmp"; " \
420 "push %"_tmp"; " \
421 "movl %"_msk",%"_LO32 _tmp"; " \
422 "andl %"_LO32 _tmp",("_STK"); " \
423 "pushf; " \
424 "notl %"_LO32 _tmp"; " \
425 "andl %"_LO32 _tmp",("_STK"); " \
426 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
427 "pop %"_tmp"; " \
428 "orl %"_LO32 _tmp",("_STK"); " \
429 "popf; " \
430 "pop %"_sav"; "
431
432 /* After executing instruction: write-back necessary bits in EFLAGS. */
433 #define _POST_EFLAGS(_sav, _msk, _tmp) \
434 /* _sav |= EFLAGS & _msk; */ \
435 "pushf; " \
436 "pop %"_tmp"; " \
437 "andl %"_msk",%"_LO32 _tmp"; " \
438 "orl %"_LO32 _tmp",%"_sav"; "
439
440 #ifdef CONFIG_X86_64
441 #define ON64(x) x
442 #else
443 #define ON64(x)
444 #endif
445
446 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
447 do { \
448 __asm__ __volatile__ ( \
449 _PRE_EFLAGS("0", "4", "2") \
450 _op _suffix " %"_x"3,%1; " \
451 _POST_EFLAGS("0", "4", "2") \
452 : "=m" (_eflags), "=m" ((_dst).val), \
453 "=&r" (_tmp) \
454 : _y ((_src).val), "i" (EFLAGS_MASK)); \
455 } while (0)
456
457
458 /* Raw emulation: instruction has two explicit operands. */
459 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
460 do { \
461 unsigned long _tmp; \
462 \
463 switch ((_dst).bytes) { \
464 case 2: \
465 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
466 break; \
467 case 4: \
468 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
469 break; \
470 case 8: \
471 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
472 break; \
473 } \
474 } while (0)
475
476 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
477 do { \
478 unsigned long _tmp; \
479 switch ((_dst).bytes) { \
480 case 1: \
481 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
482 break; \
483 default: \
484 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
485 _wx, _wy, _lx, _ly, _qx, _qy); \
486 break; \
487 } \
488 } while (0)
489
490 /* Source operand is byte-sized and may be restricted to just %cl. */
491 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
492 __emulate_2op(_op, _src, _dst, _eflags, \
493 "b", "c", "b", "c", "b", "c", "b", "c")
494
495 /* Source operand is byte, word, long or quad sized. */
496 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
497 __emulate_2op(_op, _src, _dst, _eflags, \
498 "b", "q", "w", "r", _LO32, "r", "", "r")
499
500 /* Source operand is word, long or quad sized. */
501 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
502 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
503 "w", "r", _LO32, "r", "", "r")
504
505 /* Instruction has three operands and one operand is stored in ECX register */
506 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
507 do { \
508 unsigned long _tmp; \
509 _type _clv = (_cl).val; \
510 _type _srcv = (_src).val; \
511 _type _dstv = (_dst).val; \
512 \
513 __asm__ __volatile__ ( \
514 _PRE_EFLAGS("0", "5", "2") \
515 _op _suffix " %4,%1 \n" \
516 _POST_EFLAGS("0", "5", "2") \
517 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
518 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
519 ); \
520 \
521 (_cl).val = (unsigned long) _clv; \
522 (_src).val = (unsigned long) _srcv; \
523 (_dst).val = (unsigned long) _dstv; \
524 } while (0)
525
526 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
527 do { \
528 switch ((_dst).bytes) { \
529 case 2: \
530 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
531 "w", unsigned short); \
532 break; \
533 case 4: \
534 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
535 "l", unsigned int); \
536 break; \
537 case 8: \
538 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
539 "q", unsigned long)); \
540 break; \
541 } \
542 } while (0)
543
544 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
545 do { \
546 unsigned long _tmp; \
547 \
548 __asm__ __volatile__ ( \
549 _PRE_EFLAGS("0", "3", "2") \
550 _op _suffix " %1; " \
551 _POST_EFLAGS("0", "3", "2") \
552 : "=m" (_eflags), "+m" ((_dst).val), \
553 "=&r" (_tmp) \
554 : "i" (EFLAGS_MASK)); \
555 } while (0)
556
557 /* Instruction has only one explicit operand (no source operand). */
558 #define emulate_1op(_op, _dst, _eflags) \
559 do { \
560 switch ((_dst).bytes) { \
561 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
562 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
563 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
564 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
565 } \
566 } while (0)
567
568 /* Fetch next part of the instruction being emulated. */
569 #define insn_fetch(_type, _size, _eip) \
570 ({ unsigned long _x; \
571 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
572 if (rc != X86EMUL_CONTINUE) \
573 goto done; \
574 (_eip) += (_size); \
575 (_type)_x; \
576 })
577
578 static inline unsigned long ad_mask(struct decode_cache *c)
579 {
580 return (1UL << (c->ad_bytes << 3)) - 1;
581 }
582
583 /* Access/update address held in a register, based on addressing mode. */
584 static inline unsigned long
585 address_mask(struct decode_cache *c, unsigned long reg)
586 {
587 if (c->ad_bytes == sizeof(unsigned long))
588 return reg;
589 else
590 return reg & ad_mask(c);
591 }
592
593 static inline unsigned long
594 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
595 {
596 return base + address_mask(c, reg);
597 }
598
599 static inline void
600 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
601 {
602 if (c->ad_bytes == sizeof(unsigned long))
603 *reg += inc;
604 else
605 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
606 }
607
608 static inline void jmp_rel(struct decode_cache *c, int rel)
609 {
610 register_address_increment(c, &c->eip, rel);
611 }
612
613 static void set_seg_override(struct decode_cache *c, int seg)
614 {
615 c->has_seg_override = true;
616 c->seg_override = seg;
617 }
618
619 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
620 {
621 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
622 return 0;
623
624 return kvm_x86_ops->get_segment_base(ctxt->vcpu, seg);
625 }
626
627 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
628 struct decode_cache *c)
629 {
630 if (!c->has_seg_override)
631 return 0;
632
633 return seg_base(ctxt, c->seg_override);
634 }
635
636 static unsigned long es_base(struct x86_emulate_ctxt *ctxt)
637 {
638 return seg_base(ctxt, VCPU_SREG_ES);
639 }
640
641 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt)
642 {
643 return seg_base(ctxt, VCPU_SREG_SS);
644 }
645
646 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
647 struct x86_emulate_ops *ops,
648 unsigned long linear, u8 *dest)
649 {
650 struct fetch_cache *fc = &ctxt->decode.fetch;
651 int rc;
652 int size;
653
654 if (linear < fc->start || linear >= fc->end) {
655 size = min(15UL, PAGE_SIZE - offset_in_page(linear));
656 rc = ops->fetch(linear, fc->data, size, ctxt->vcpu, NULL);
657 if (rc != X86EMUL_CONTINUE)
658 return rc;
659 fc->start = linear;
660 fc->end = linear + size;
661 }
662 *dest = fc->data[linear - fc->start];
663 return X86EMUL_CONTINUE;
664 }
665
666 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
667 struct x86_emulate_ops *ops,
668 unsigned long eip, void *dest, unsigned size)
669 {
670 int rc;
671
672 /* x86 instructions are limited to 15 bytes. */
673 if (eip + size - ctxt->eip > 15)
674 return X86EMUL_UNHANDLEABLE;
675 eip += ctxt->cs_base;
676 while (size--) {
677 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
678 if (rc != X86EMUL_CONTINUE)
679 return rc;
680 }
681 return X86EMUL_CONTINUE;
682 }
683
684 /*
685 * Given the 'reg' portion of a ModRM byte, and a register block, return a
686 * pointer into the block that addresses the relevant register.
687 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
688 */
689 static void *decode_register(u8 modrm_reg, unsigned long *regs,
690 int highbyte_regs)
691 {
692 void *p;
693
694 p = &regs[modrm_reg];
695 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
696 p = (unsigned char *)&regs[modrm_reg & 3] + 1;
697 return p;
698 }
699
700 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
701 struct x86_emulate_ops *ops,
702 void *ptr,
703 u16 *size, unsigned long *address, int op_bytes)
704 {
705 int rc;
706
707 if (op_bytes == 2)
708 op_bytes = 3;
709 *address = 0;
710 rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
711 ctxt->vcpu, NULL);
712 if (rc != X86EMUL_CONTINUE)
713 return rc;
714 rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
715 ctxt->vcpu, NULL);
716 return rc;
717 }
718
719 static int test_cc(unsigned int condition, unsigned int flags)
720 {
721 int rc = 0;
722
723 switch ((condition & 15) >> 1) {
724 case 0: /* o */
725 rc |= (flags & EFLG_OF);
726 break;
727 case 1: /* b/c/nae */
728 rc |= (flags & EFLG_CF);
729 break;
730 case 2: /* z/e */
731 rc |= (flags & EFLG_ZF);
732 break;
733 case 3: /* be/na */
734 rc |= (flags & (EFLG_CF|EFLG_ZF));
735 break;
736 case 4: /* s */
737 rc |= (flags & EFLG_SF);
738 break;
739 case 5: /* p/pe */
740 rc |= (flags & EFLG_PF);
741 break;
742 case 7: /* le/ng */
743 rc |= (flags & EFLG_ZF);
744 /* fall through */
745 case 6: /* l/nge */
746 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
747 break;
748 }
749
750 /* Odd condition identifiers (lsb == 1) have inverted sense. */
751 return (!!rc ^ (condition & 1));
752 }
753
754 static void decode_register_operand(struct operand *op,
755 struct decode_cache *c,
756 int inhibit_bytereg)
757 {
758 unsigned reg = c->modrm_reg;
759 int highbyte_regs = c->rex_prefix == 0;
760
761 if (!(c->d & ModRM))
762 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
763 op->type = OP_REG;
764 if ((c->d & ByteOp) && !inhibit_bytereg) {
765 op->ptr = decode_register(reg, c->regs, highbyte_regs);
766 op->val = *(u8 *)op->ptr;
767 op->bytes = 1;
768 } else {
769 op->ptr = decode_register(reg, c->regs, 0);
770 op->bytes = c->op_bytes;
771 switch (op->bytes) {
772 case 2:
773 op->val = *(u16 *)op->ptr;
774 break;
775 case 4:
776 op->val = *(u32 *)op->ptr;
777 break;
778 case 8:
779 op->val = *(u64 *) op->ptr;
780 break;
781 }
782 }
783 op->orig_val = op->val;
784 }
785
786 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
787 struct x86_emulate_ops *ops)
788 {
789 struct decode_cache *c = &ctxt->decode;
790 u8 sib;
791 int index_reg = 0, base_reg = 0, scale;
792 int rc = X86EMUL_CONTINUE;
793
794 if (c->rex_prefix) {
795 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
796 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
797 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
798 }
799
800 c->modrm = insn_fetch(u8, 1, c->eip);
801 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
802 c->modrm_reg |= (c->modrm & 0x38) >> 3;
803 c->modrm_rm |= (c->modrm & 0x07);
804 c->modrm_ea = 0;
805 c->use_modrm_ea = 1;
806
807 if (c->modrm_mod == 3) {
808 c->modrm_ptr = decode_register(c->modrm_rm,
809 c->regs, c->d & ByteOp);
810 c->modrm_val = *(unsigned long *)c->modrm_ptr;
811 return rc;
812 }
813
814 if (c->ad_bytes == 2) {
815 unsigned bx = c->regs[VCPU_REGS_RBX];
816 unsigned bp = c->regs[VCPU_REGS_RBP];
817 unsigned si = c->regs[VCPU_REGS_RSI];
818 unsigned di = c->regs[VCPU_REGS_RDI];
819
820 /* 16-bit ModR/M decode. */
821 switch (c->modrm_mod) {
822 case 0:
823 if (c->modrm_rm == 6)
824 c->modrm_ea += insn_fetch(u16, 2, c->eip);
825 break;
826 case 1:
827 c->modrm_ea += insn_fetch(s8, 1, c->eip);
828 break;
829 case 2:
830 c->modrm_ea += insn_fetch(u16, 2, c->eip);
831 break;
832 }
833 switch (c->modrm_rm) {
834 case 0:
835 c->modrm_ea += bx + si;
836 break;
837 case 1:
838 c->modrm_ea += bx + di;
839 break;
840 case 2:
841 c->modrm_ea += bp + si;
842 break;
843 case 3:
844 c->modrm_ea += bp + di;
845 break;
846 case 4:
847 c->modrm_ea += si;
848 break;
849 case 5:
850 c->modrm_ea += di;
851 break;
852 case 6:
853 if (c->modrm_mod != 0)
854 c->modrm_ea += bp;
855 break;
856 case 7:
857 c->modrm_ea += bx;
858 break;
859 }
860 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
861 (c->modrm_rm == 6 && c->modrm_mod != 0))
862 if (!c->has_seg_override)
863 set_seg_override(c, VCPU_SREG_SS);
864 c->modrm_ea = (u16)c->modrm_ea;
865 } else {
866 /* 32/64-bit ModR/M decode. */
867 if ((c->modrm_rm & 7) == 4) {
868 sib = insn_fetch(u8, 1, c->eip);
869 index_reg |= (sib >> 3) & 7;
870 base_reg |= sib & 7;
871 scale = sib >> 6;
872
873 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
874 c->modrm_ea += insn_fetch(s32, 4, c->eip);
875 else
876 c->modrm_ea += c->regs[base_reg];
877 if (index_reg != 4)
878 c->modrm_ea += c->regs[index_reg] << scale;
879 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
880 if (ctxt->mode == X86EMUL_MODE_PROT64)
881 c->rip_relative = 1;
882 } else
883 c->modrm_ea += c->regs[c->modrm_rm];
884 switch (c->modrm_mod) {
885 case 0:
886 if (c->modrm_rm == 5)
887 c->modrm_ea += insn_fetch(s32, 4, c->eip);
888 break;
889 case 1:
890 c->modrm_ea += insn_fetch(s8, 1, c->eip);
891 break;
892 case 2:
893 c->modrm_ea += insn_fetch(s32, 4, c->eip);
894 break;
895 }
896 }
897 done:
898 return rc;
899 }
900
901 static int decode_abs(struct x86_emulate_ctxt *ctxt,
902 struct x86_emulate_ops *ops)
903 {
904 struct decode_cache *c = &ctxt->decode;
905 int rc = X86EMUL_CONTINUE;
906
907 switch (c->ad_bytes) {
908 case 2:
909 c->modrm_ea = insn_fetch(u16, 2, c->eip);
910 break;
911 case 4:
912 c->modrm_ea = insn_fetch(u32, 4, c->eip);
913 break;
914 case 8:
915 c->modrm_ea = insn_fetch(u64, 8, c->eip);
916 break;
917 }
918 done:
919 return rc;
920 }
921
922 int
923 x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
924 {
925 struct decode_cache *c = &ctxt->decode;
926 int rc = X86EMUL_CONTINUE;
927 int mode = ctxt->mode;
928 int def_op_bytes, def_ad_bytes, group;
929
930
931 /* we cannot decode insn before we complete previous rep insn */
932 WARN_ON(ctxt->restart);
933
934 /* Shadow copy of register state. Committed on successful emulation. */
935 memset(c, 0, sizeof(struct decode_cache));
936 c->eip = ctxt->eip;
937 ctxt->cs_base = seg_base(ctxt, VCPU_SREG_CS);
938 memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
939
940 switch (mode) {
941 case X86EMUL_MODE_REAL:
942 case X86EMUL_MODE_VM86:
943 case X86EMUL_MODE_PROT16:
944 def_op_bytes = def_ad_bytes = 2;
945 break;
946 case X86EMUL_MODE_PROT32:
947 def_op_bytes = def_ad_bytes = 4;
948 break;
949 #ifdef CONFIG_X86_64
950 case X86EMUL_MODE_PROT64:
951 def_op_bytes = 4;
952 def_ad_bytes = 8;
953 break;
954 #endif
955 default:
956 return -1;
957 }
958
959 c->op_bytes = def_op_bytes;
960 c->ad_bytes = def_ad_bytes;
961
962 /* Legacy prefixes. */
963 for (;;) {
964 switch (c->b = insn_fetch(u8, 1, c->eip)) {
965 case 0x66: /* operand-size override */
966 /* switch between 2/4 bytes */
967 c->op_bytes = def_op_bytes ^ 6;
968 break;
969 case 0x67: /* address-size override */
970 if (mode == X86EMUL_MODE_PROT64)
971 /* switch between 4/8 bytes */
972 c->ad_bytes = def_ad_bytes ^ 12;
973 else
974 /* switch between 2/4 bytes */
975 c->ad_bytes = def_ad_bytes ^ 6;
976 break;
977 case 0x26: /* ES override */
978 case 0x2e: /* CS override */
979 case 0x36: /* SS override */
980 case 0x3e: /* DS override */
981 set_seg_override(c, (c->b >> 3) & 3);
982 break;
983 case 0x64: /* FS override */
984 case 0x65: /* GS override */
985 set_seg_override(c, c->b & 7);
986 break;
987 case 0x40 ... 0x4f: /* REX */
988 if (mode != X86EMUL_MODE_PROT64)
989 goto done_prefixes;
990 c->rex_prefix = c->b;
991 continue;
992 case 0xf0: /* LOCK */
993 c->lock_prefix = 1;
994 break;
995 case 0xf2: /* REPNE/REPNZ */
996 c->rep_prefix = REPNE_PREFIX;
997 break;
998 case 0xf3: /* REP/REPE/REPZ */
999 c->rep_prefix = REPE_PREFIX;
1000 break;
1001 default:
1002 goto done_prefixes;
1003 }
1004
1005 /* Any legacy prefix after a REX prefix nullifies its effect. */
1006
1007 c->rex_prefix = 0;
1008 }
1009
1010 done_prefixes:
1011
1012 /* REX prefix. */
1013 if (c->rex_prefix)
1014 if (c->rex_prefix & 8)
1015 c->op_bytes = 8; /* REX.W */
1016
1017 /* Opcode byte(s). */
1018 c->d = opcode_table[c->b];
1019 if (c->d == 0) {
1020 /* Two-byte opcode? */
1021 if (c->b == 0x0f) {
1022 c->twobyte = 1;
1023 c->b = insn_fetch(u8, 1, c->eip);
1024 c->d = twobyte_table[c->b];
1025 }
1026 }
1027
1028 if (c->d & Group) {
1029 group = c->d & GroupMask;
1030 c->modrm = insn_fetch(u8, 1, c->eip);
1031 --c->eip;
1032
1033 group = (group << 3) + ((c->modrm >> 3) & 7);
1034 if ((c->d & GroupDual) && (c->modrm >> 6) == 3)
1035 c->d = group2_table[group];
1036 else
1037 c->d = group_table[group];
1038 }
1039
1040 /* Unrecognised? */
1041 if (c->d == 0) {
1042 DPRINTF("Cannot emulate %02x\n", c->b);
1043 return -1;
1044 }
1045
1046 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
1047 c->op_bytes = 8;
1048
1049 /* ModRM and SIB bytes. */
1050 if (c->d & ModRM)
1051 rc = decode_modrm(ctxt, ops);
1052 else if (c->d & MemAbs)
1053 rc = decode_abs(ctxt, ops);
1054 if (rc != X86EMUL_CONTINUE)
1055 goto done;
1056
1057 if (!c->has_seg_override)
1058 set_seg_override(c, VCPU_SREG_DS);
1059
1060 if (!(!c->twobyte && c->b == 0x8d))
1061 c->modrm_ea += seg_override_base(ctxt, c);
1062
1063 if (c->ad_bytes != 8)
1064 c->modrm_ea = (u32)c->modrm_ea;
1065
1066 if (c->rip_relative)
1067 c->modrm_ea += c->eip;
1068
1069 /*
1070 * Decode and fetch the source operand: register, memory
1071 * or immediate.
1072 */
1073 switch (c->d & SrcMask) {
1074 case SrcNone:
1075 break;
1076 case SrcReg:
1077 decode_register_operand(&c->src, c, 0);
1078 break;
1079 case SrcMem16:
1080 c->src.bytes = 2;
1081 goto srcmem_common;
1082 case SrcMem32:
1083 c->src.bytes = 4;
1084 goto srcmem_common;
1085 case SrcMem:
1086 c->src.bytes = (c->d & ByteOp) ? 1 :
1087 c->op_bytes;
1088 /* Don't fetch the address for invlpg: it could be unmapped. */
1089 if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
1090 break;
1091 srcmem_common:
1092 /*
1093 * For instructions with a ModR/M byte, switch to register
1094 * access if Mod = 3.
1095 */
1096 if ((c->d & ModRM) && c->modrm_mod == 3) {
1097 c->src.type = OP_REG;
1098 c->src.val = c->modrm_val;
1099 c->src.ptr = c->modrm_ptr;
1100 break;
1101 }
1102 c->src.type = OP_MEM;
1103 c->src.ptr = (unsigned long *)c->modrm_ea;
1104 c->src.val = 0;
1105 break;
1106 case SrcImm:
1107 case SrcImmU:
1108 c->src.type = OP_IMM;
1109 c->src.ptr = (unsigned long *)c->eip;
1110 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1111 if (c->src.bytes == 8)
1112 c->src.bytes = 4;
1113 /* NB. Immediates are sign-extended as necessary. */
1114 switch (c->src.bytes) {
1115 case 1:
1116 c->src.val = insn_fetch(s8, 1, c->eip);
1117 break;
1118 case 2:
1119 c->src.val = insn_fetch(s16, 2, c->eip);
1120 break;
1121 case 4:
1122 c->src.val = insn_fetch(s32, 4, c->eip);
1123 break;
1124 }
1125 if ((c->d & SrcMask) == SrcImmU) {
1126 switch (c->src.bytes) {
1127 case 1:
1128 c->src.val &= 0xff;
1129 break;
1130 case 2:
1131 c->src.val &= 0xffff;
1132 break;
1133 case 4:
1134 c->src.val &= 0xffffffff;
1135 break;
1136 }
1137 }
1138 break;
1139 case SrcImmByte:
1140 case SrcImmUByte:
1141 c->src.type = OP_IMM;
1142 c->src.ptr = (unsigned long *)c->eip;
1143 c->src.bytes = 1;
1144 if ((c->d & SrcMask) == SrcImmByte)
1145 c->src.val = insn_fetch(s8, 1, c->eip);
1146 else
1147 c->src.val = insn_fetch(u8, 1, c->eip);
1148 break;
1149 case SrcOne:
1150 c->src.bytes = 1;
1151 c->src.val = 1;
1152 break;
1153 case SrcSI:
1154 c->src.type = OP_MEM;
1155 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1156 c->src.ptr = (unsigned long *)
1157 register_address(c, seg_override_base(ctxt, c),
1158 c->regs[VCPU_REGS_RSI]);
1159 c->src.val = 0;
1160 break;
1161 }
1162
1163 /*
1164 * Decode and fetch the second source operand: register, memory
1165 * or immediate.
1166 */
1167 switch (c->d & Src2Mask) {
1168 case Src2None:
1169 break;
1170 case Src2CL:
1171 c->src2.bytes = 1;
1172 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
1173 break;
1174 case Src2ImmByte:
1175 c->src2.type = OP_IMM;
1176 c->src2.ptr = (unsigned long *)c->eip;
1177 c->src2.bytes = 1;
1178 c->src2.val = insn_fetch(u8, 1, c->eip);
1179 break;
1180 case Src2Imm16:
1181 c->src2.type = OP_IMM;
1182 c->src2.ptr = (unsigned long *)c->eip;
1183 c->src2.bytes = 2;
1184 c->src2.val = insn_fetch(u16, 2, c->eip);
1185 break;
1186 case Src2One:
1187 c->src2.bytes = 1;
1188 c->src2.val = 1;
1189 break;
1190 case Src2Mem16:
1191 c->src2.type = OP_MEM;
1192 c->src2.bytes = 2;
1193 c->src2.ptr = (unsigned long *)(c->modrm_ea + c->src.bytes);
1194 c->src2.val = 0;
1195 break;
1196 }
1197
1198 /* Decode and fetch the destination operand: register or memory. */
1199 switch (c->d & DstMask) {
1200 case ImplicitOps:
1201 /* Special instructions do their own operand decoding. */
1202 return 0;
1203 case DstReg:
1204 decode_register_operand(&c->dst, c,
1205 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
1206 break;
1207 case DstMem:
1208 if ((c->d & ModRM) && c->modrm_mod == 3) {
1209 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1210 c->dst.type = OP_REG;
1211 c->dst.val = c->dst.orig_val = c->modrm_val;
1212 c->dst.ptr = c->modrm_ptr;
1213 break;
1214 }
1215 c->dst.type = OP_MEM;
1216 c->dst.ptr = (unsigned long *)c->modrm_ea;
1217 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1218 c->dst.val = 0;
1219 if (c->d & BitOp) {
1220 unsigned long mask = ~(c->dst.bytes * 8 - 1);
1221
1222 c->dst.ptr = (void *)c->dst.ptr +
1223 (c->src.val & mask) / 8;
1224 }
1225 break;
1226 case DstAcc:
1227 c->dst.type = OP_REG;
1228 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1229 c->dst.ptr = &c->regs[VCPU_REGS_RAX];
1230 switch (c->dst.bytes) {
1231 case 1:
1232 c->dst.val = *(u8 *)c->dst.ptr;
1233 break;
1234 case 2:
1235 c->dst.val = *(u16 *)c->dst.ptr;
1236 break;
1237 case 4:
1238 c->dst.val = *(u32 *)c->dst.ptr;
1239 break;
1240 case 8:
1241 c->dst.val = *(u64 *)c->dst.ptr;
1242 break;
1243 }
1244 c->dst.orig_val = c->dst.val;
1245 break;
1246 case DstDI:
1247 c->dst.type = OP_MEM;
1248 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1249 c->dst.ptr = (unsigned long *)
1250 register_address(c, es_base(ctxt),
1251 c->regs[VCPU_REGS_RDI]);
1252 c->dst.val = 0;
1253 break;
1254 }
1255
1256 done:
1257 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
1258 }
1259
1260 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1261 struct x86_emulate_ops *ops,
1262 unsigned int size, unsigned short port,
1263 void *dest)
1264 {
1265 struct read_cache *rc = &ctxt->decode.io_read;
1266
1267 if (rc->pos == rc->end) { /* refill pio read ahead */
1268 struct decode_cache *c = &ctxt->decode;
1269 unsigned int in_page, n;
1270 unsigned int count = c->rep_prefix ?
1271 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
1272 in_page = (ctxt->eflags & EFLG_DF) ?
1273 offset_in_page(c->regs[VCPU_REGS_RDI]) :
1274 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
1275 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
1276 count);
1277 if (n == 0)
1278 n = 1;
1279 rc->pos = rc->end = 0;
1280 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
1281 return 0;
1282 rc->end = n * size;
1283 }
1284
1285 memcpy(dest, rc->data + rc->pos, size);
1286 rc->pos += size;
1287 return 1;
1288 }
1289
1290 static u32 desc_limit_scaled(struct desc_struct *desc)
1291 {
1292 u32 limit = get_desc_limit(desc);
1293
1294 return desc->g ? (limit << 12) | 0xfff : limit;
1295 }
1296
1297 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1298 struct x86_emulate_ops *ops,
1299 u16 selector, struct desc_ptr *dt)
1300 {
1301 if (selector & 1 << 2) {
1302 struct desc_struct desc;
1303 memset (dt, 0, sizeof *dt);
1304 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
1305 return;
1306
1307 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1308 dt->address = get_desc_base(&desc);
1309 } else
1310 ops->get_gdt(dt, ctxt->vcpu);
1311 }
1312
1313 /* allowed just for 8 bytes segments */
1314 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1315 struct x86_emulate_ops *ops,
1316 u16 selector, struct desc_struct *desc)
1317 {
1318 struct desc_ptr dt;
1319 u16 index = selector >> 3;
1320 int ret;
1321 u32 err;
1322 ulong addr;
1323
1324 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1325
1326 if (dt.size < index * 8 + 7) {
1327 kvm_inject_gp(ctxt->vcpu, selector & 0xfffc);
1328 return X86EMUL_PROPAGATE_FAULT;
1329 }
1330 addr = dt.address + index * 8;
1331 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1332 if (ret == X86EMUL_PROPAGATE_FAULT)
1333 kvm_inject_page_fault(ctxt->vcpu, addr, err);
1334
1335 return ret;
1336 }
1337
1338 /* allowed just for 8 bytes segments */
1339 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1340 struct x86_emulate_ops *ops,
1341 u16 selector, struct desc_struct *desc)
1342 {
1343 struct desc_ptr dt;
1344 u16 index = selector >> 3;
1345 u32 err;
1346 ulong addr;
1347 int ret;
1348
1349 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1350
1351 if (dt.size < index * 8 + 7) {
1352 kvm_inject_gp(ctxt->vcpu, selector & 0xfffc);
1353 return X86EMUL_PROPAGATE_FAULT;
1354 }
1355
1356 addr = dt.address + index * 8;
1357 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1358 if (ret == X86EMUL_PROPAGATE_FAULT)
1359 kvm_inject_page_fault(ctxt->vcpu, addr, err);
1360
1361 return ret;
1362 }
1363
1364 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1365 struct x86_emulate_ops *ops,
1366 u16 selector, int seg)
1367 {
1368 struct desc_struct seg_desc;
1369 u8 dpl, rpl, cpl;
1370 unsigned err_vec = GP_VECTOR;
1371 u32 err_code = 0;
1372 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1373 int ret;
1374
1375 memset(&seg_desc, 0, sizeof seg_desc);
1376
1377 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1378 || ctxt->mode == X86EMUL_MODE_REAL) {
1379 /* set real mode segment descriptor */
1380 set_desc_base(&seg_desc, selector << 4);
1381 set_desc_limit(&seg_desc, 0xffff);
1382 seg_desc.type = 3;
1383 seg_desc.p = 1;
1384 seg_desc.s = 1;
1385 goto load;
1386 }
1387
1388 /* NULL selector is not valid for TR, CS and SS */
1389 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
1390 && null_selector)
1391 goto exception;
1392
1393 /* TR should be in GDT only */
1394 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1395 goto exception;
1396
1397 if (null_selector) /* for NULL selector skip all following checks */
1398 goto load;
1399
1400 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
1401 if (ret != X86EMUL_CONTINUE)
1402 return ret;
1403
1404 err_code = selector & 0xfffc;
1405 err_vec = GP_VECTOR;
1406
1407 /* can't load system descriptor into segment selecor */
1408 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1409 goto exception;
1410
1411 if (!seg_desc.p) {
1412 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1413 goto exception;
1414 }
1415
1416 rpl = selector & 3;
1417 dpl = seg_desc.dpl;
1418 cpl = ops->cpl(ctxt->vcpu);
1419
1420 switch (seg) {
1421 case VCPU_SREG_SS:
1422 /*
1423 * segment is not a writable data segment or segment
1424 * selector's RPL != CPL or segment selector's RPL != CPL
1425 */
1426 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1427 goto exception;
1428 break;
1429 case VCPU_SREG_CS:
1430 if (!(seg_desc.type & 8))
1431 goto exception;
1432
1433 if (seg_desc.type & 4) {
1434 /* conforming */
1435 if (dpl > cpl)
1436 goto exception;
1437 } else {
1438 /* nonconforming */
1439 if (rpl > cpl || dpl != cpl)
1440 goto exception;
1441 }
1442 /* CS(RPL) <- CPL */
1443 selector = (selector & 0xfffc) | cpl;
1444 break;
1445 case VCPU_SREG_TR:
1446 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1447 goto exception;
1448 break;
1449 case VCPU_SREG_LDTR:
1450 if (seg_desc.s || seg_desc.type != 2)
1451 goto exception;
1452 break;
1453 default: /* DS, ES, FS, or GS */
1454 /*
1455 * segment is not a data or readable code segment or
1456 * ((segment is a data or nonconforming code segment)
1457 * and (both RPL and CPL > DPL))
1458 */
1459 if ((seg_desc.type & 0xa) == 0x8 ||
1460 (((seg_desc.type & 0xc) != 0xc) &&
1461 (rpl > dpl && cpl > dpl)))
1462 goto exception;
1463 break;
1464 }
1465
1466 if (seg_desc.s) {
1467 /* mark segment as accessed */
1468 seg_desc.type |= 1;
1469 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1470 if (ret != X86EMUL_CONTINUE)
1471 return ret;
1472 }
1473 load:
1474 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1475 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
1476 return X86EMUL_CONTINUE;
1477 exception:
1478 kvm_queue_exception_e(ctxt->vcpu, err_vec, err_code);
1479 return X86EMUL_PROPAGATE_FAULT;
1480 }
1481
1482 static inline void emulate_push(struct x86_emulate_ctxt *ctxt)
1483 {
1484 struct decode_cache *c = &ctxt->decode;
1485
1486 c->dst.type = OP_MEM;
1487 c->dst.bytes = c->op_bytes;
1488 c->dst.val = c->src.val;
1489 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1490 c->dst.ptr = (void *) register_address(c, ss_base(ctxt),
1491 c->regs[VCPU_REGS_RSP]);
1492 }
1493
1494 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1495 struct x86_emulate_ops *ops,
1496 void *dest, int len)
1497 {
1498 struct decode_cache *c = &ctxt->decode;
1499 int rc;
1500
1501 rc = ops->read_emulated(register_address(c, ss_base(ctxt),
1502 c->regs[VCPU_REGS_RSP]),
1503 dest, len, ctxt->vcpu);
1504 if (rc != X86EMUL_CONTINUE)
1505 return rc;
1506
1507 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1508 return rc;
1509 }
1510
1511 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1512 struct x86_emulate_ops *ops,
1513 void *dest, int len)
1514 {
1515 int rc;
1516 unsigned long val, change_mask;
1517 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1518 int cpl = ops->cpl(ctxt->vcpu);
1519
1520 rc = emulate_pop(ctxt, ops, &val, len);
1521 if (rc != X86EMUL_CONTINUE)
1522 return rc;
1523
1524 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1525 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1526
1527 switch(ctxt->mode) {
1528 case X86EMUL_MODE_PROT64:
1529 case X86EMUL_MODE_PROT32:
1530 case X86EMUL_MODE_PROT16:
1531 if (cpl == 0)
1532 change_mask |= EFLG_IOPL;
1533 if (cpl <= iopl)
1534 change_mask |= EFLG_IF;
1535 break;
1536 case X86EMUL_MODE_VM86:
1537 if (iopl < 3) {
1538 kvm_inject_gp(ctxt->vcpu, 0);
1539 return X86EMUL_PROPAGATE_FAULT;
1540 }
1541 change_mask |= EFLG_IF;
1542 break;
1543 default: /* real mode */
1544 change_mask |= (EFLG_IOPL | EFLG_IF);
1545 break;
1546 }
1547
1548 *(unsigned long *)dest =
1549 (ctxt->eflags & ~change_mask) | (val & change_mask);
1550
1551 return rc;
1552 }
1553
1554 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt, int seg)
1555 {
1556 struct decode_cache *c = &ctxt->decode;
1557 struct kvm_segment segment;
1558
1559 kvm_x86_ops->get_segment(ctxt->vcpu, &segment, seg);
1560
1561 c->src.val = segment.selector;
1562 emulate_push(ctxt);
1563 }
1564
1565 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1566 struct x86_emulate_ops *ops, int seg)
1567 {
1568 struct decode_cache *c = &ctxt->decode;
1569 unsigned long selector;
1570 int rc;
1571
1572 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1573 if (rc != X86EMUL_CONTINUE)
1574 return rc;
1575
1576 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1577 return rc;
1578 }
1579
1580 static void emulate_pusha(struct x86_emulate_ctxt *ctxt)
1581 {
1582 struct decode_cache *c = &ctxt->decode;
1583 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1584 int reg = VCPU_REGS_RAX;
1585
1586 while (reg <= VCPU_REGS_RDI) {
1587 (reg == VCPU_REGS_RSP) ?
1588 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1589
1590 emulate_push(ctxt);
1591 ++reg;
1592 }
1593 }
1594
1595 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1596 struct x86_emulate_ops *ops)
1597 {
1598 struct decode_cache *c = &ctxt->decode;
1599 int rc = X86EMUL_CONTINUE;
1600 int reg = VCPU_REGS_RDI;
1601
1602 while (reg >= VCPU_REGS_RAX) {
1603 if (reg == VCPU_REGS_RSP) {
1604 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1605 c->op_bytes);
1606 --reg;
1607 }
1608
1609 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1610 if (rc != X86EMUL_CONTINUE)
1611 break;
1612 --reg;
1613 }
1614 return rc;
1615 }
1616
1617 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1618 struct x86_emulate_ops *ops)
1619 {
1620 struct decode_cache *c = &ctxt->decode;
1621
1622 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1623 }
1624
1625 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1626 {
1627 struct decode_cache *c = &ctxt->decode;
1628 switch (c->modrm_reg) {
1629 case 0: /* rol */
1630 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1631 break;
1632 case 1: /* ror */
1633 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1634 break;
1635 case 2: /* rcl */
1636 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1637 break;
1638 case 3: /* rcr */
1639 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1640 break;
1641 case 4: /* sal/shl */
1642 case 6: /* sal/shl */
1643 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1644 break;
1645 case 5: /* shr */
1646 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1647 break;
1648 case 7: /* sar */
1649 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1650 break;
1651 }
1652 }
1653
1654 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1655 struct x86_emulate_ops *ops)
1656 {
1657 struct decode_cache *c = &ctxt->decode;
1658
1659 switch (c->modrm_reg) {
1660 case 0 ... 1: /* test */
1661 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1662 break;
1663 case 2: /* not */
1664 c->dst.val = ~c->dst.val;
1665 break;
1666 case 3: /* neg */
1667 emulate_1op("neg", c->dst, ctxt->eflags);
1668 break;
1669 default:
1670 return 0;
1671 }
1672 return 1;
1673 }
1674
1675 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1676 struct x86_emulate_ops *ops)
1677 {
1678 struct decode_cache *c = &ctxt->decode;
1679
1680 switch (c->modrm_reg) {
1681 case 0: /* inc */
1682 emulate_1op("inc", c->dst, ctxt->eflags);
1683 break;
1684 case 1: /* dec */
1685 emulate_1op("dec", c->dst, ctxt->eflags);
1686 break;
1687 case 2: /* call near abs */ {
1688 long int old_eip;
1689 old_eip = c->eip;
1690 c->eip = c->src.val;
1691 c->src.val = old_eip;
1692 emulate_push(ctxt);
1693 break;
1694 }
1695 case 4: /* jmp abs */
1696 c->eip = c->src.val;
1697 break;
1698 case 6: /* push */
1699 emulate_push(ctxt);
1700 break;
1701 }
1702 return X86EMUL_CONTINUE;
1703 }
1704
1705 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1706 struct x86_emulate_ops *ops)
1707 {
1708 struct decode_cache *c = &ctxt->decode;
1709 u64 old, new;
1710 int rc;
1711
1712 rc = ops->read_emulated(c->modrm_ea, &old, 8, ctxt->vcpu);
1713 if (rc != X86EMUL_CONTINUE)
1714 return rc;
1715
1716 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1717 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1718
1719 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1720 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1721 ctxt->eflags &= ~EFLG_ZF;
1722
1723 } else {
1724 new = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1725 (u32) c->regs[VCPU_REGS_RBX];
1726
1727 rc = ops->cmpxchg_emulated(c->modrm_ea, &old, &new, 8, ctxt->vcpu);
1728 if (rc != X86EMUL_CONTINUE)
1729 return rc;
1730 ctxt->eflags |= EFLG_ZF;
1731 }
1732 return X86EMUL_CONTINUE;
1733 }
1734
1735 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1736 struct x86_emulate_ops *ops)
1737 {
1738 struct decode_cache *c = &ctxt->decode;
1739 int rc;
1740 unsigned long cs;
1741
1742 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1743 if (rc != X86EMUL_CONTINUE)
1744 return rc;
1745 if (c->op_bytes == 4)
1746 c->eip = (u32)c->eip;
1747 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1748 if (rc != X86EMUL_CONTINUE)
1749 return rc;
1750 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1751 return rc;
1752 }
1753
1754 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1755 struct x86_emulate_ops *ops)
1756 {
1757 int rc;
1758 struct decode_cache *c = &ctxt->decode;
1759
1760 switch (c->dst.type) {
1761 case OP_REG:
1762 /* The 4-byte case *is* correct:
1763 * in 64-bit mode we zero-extend.
1764 */
1765 switch (c->dst.bytes) {
1766 case 1:
1767 *(u8 *)c->dst.ptr = (u8)c->dst.val;
1768 break;
1769 case 2:
1770 *(u16 *)c->dst.ptr = (u16)c->dst.val;
1771 break;
1772 case 4:
1773 *c->dst.ptr = (u32)c->dst.val;
1774 break; /* 64b: zero-ext */
1775 case 8:
1776 *c->dst.ptr = c->dst.val;
1777 break;
1778 }
1779 break;
1780 case OP_MEM:
1781 if (c->lock_prefix)
1782 rc = ops->cmpxchg_emulated(
1783 (unsigned long)c->dst.ptr,
1784 &c->dst.orig_val,
1785 &c->dst.val,
1786 c->dst.bytes,
1787 ctxt->vcpu);
1788 else
1789 rc = ops->write_emulated(
1790 (unsigned long)c->dst.ptr,
1791 &c->dst.val,
1792 c->dst.bytes,
1793 ctxt->vcpu);
1794 if (rc != X86EMUL_CONTINUE)
1795 return rc;
1796 break;
1797 case OP_NONE:
1798 /* no writeback */
1799 break;
1800 default:
1801 break;
1802 }
1803 return X86EMUL_CONTINUE;
1804 }
1805
1806 static void toggle_interruptibility(struct x86_emulate_ctxt *ctxt, u32 mask)
1807 {
1808 u32 int_shadow = kvm_x86_ops->get_interrupt_shadow(ctxt->vcpu, mask);
1809 /*
1810 * an sti; sti; sequence only disable interrupts for the first
1811 * instruction. So, if the last instruction, be it emulated or
1812 * not, left the system with the INT_STI flag enabled, it
1813 * means that the last instruction is an sti. We should not
1814 * leave the flag on in this case. The same goes for mov ss
1815 */
1816 if (!(int_shadow & mask))
1817 ctxt->interruptibility = mask;
1818 }
1819
1820 static inline void
1821 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1822 struct kvm_segment *cs, struct kvm_segment *ss)
1823 {
1824 memset(cs, 0, sizeof(struct kvm_segment));
1825 kvm_x86_ops->get_segment(ctxt->vcpu, cs, VCPU_SREG_CS);
1826 memset(ss, 0, sizeof(struct kvm_segment));
1827
1828 cs->l = 0; /* will be adjusted later */
1829 cs->base = 0; /* flat segment */
1830 cs->g = 1; /* 4kb granularity */
1831 cs->limit = 0xffffffff; /* 4GB limit */
1832 cs->type = 0x0b; /* Read, Execute, Accessed */
1833 cs->s = 1;
1834 cs->dpl = 0; /* will be adjusted later */
1835 cs->present = 1;
1836 cs->db = 1;
1837
1838 ss->unusable = 0;
1839 ss->base = 0; /* flat segment */
1840 ss->limit = 0xffffffff; /* 4GB limit */
1841 ss->g = 1; /* 4kb granularity */
1842 ss->s = 1;
1843 ss->type = 0x03; /* Read/Write, Accessed */
1844 ss->db = 1; /* 32bit stack segment */
1845 ss->dpl = 0;
1846 ss->present = 1;
1847 }
1848
1849 static int
1850 emulate_syscall(struct x86_emulate_ctxt *ctxt)
1851 {
1852 struct decode_cache *c = &ctxt->decode;
1853 struct kvm_segment cs, ss;
1854 u64 msr_data;
1855
1856 /* syscall is not available in real mode */
1857 if (ctxt->mode == X86EMUL_MODE_REAL ||
1858 ctxt->mode == X86EMUL_MODE_VM86) {
1859 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
1860 return X86EMUL_PROPAGATE_FAULT;
1861 }
1862
1863 setup_syscalls_segments(ctxt, &cs, &ss);
1864
1865 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1866 msr_data >>= 32;
1867 cs.selector = (u16)(msr_data & 0xfffc);
1868 ss.selector = (u16)(msr_data + 8);
1869
1870 if (is_long_mode(ctxt->vcpu)) {
1871 cs.db = 0;
1872 cs.l = 1;
1873 }
1874 kvm_x86_ops->set_segment(ctxt->vcpu, &cs, VCPU_SREG_CS);
1875 kvm_x86_ops->set_segment(ctxt->vcpu, &ss, VCPU_SREG_SS);
1876
1877 c->regs[VCPU_REGS_RCX] = c->eip;
1878 if (is_long_mode(ctxt->vcpu)) {
1879 #ifdef CONFIG_X86_64
1880 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1881
1882 kvm_x86_ops->get_msr(ctxt->vcpu,
1883 ctxt->mode == X86EMUL_MODE_PROT64 ?
1884 MSR_LSTAR : MSR_CSTAR, &msr_data);
1885 c->eip = msr_data;
1886
1887 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1888 ctxt->eflags &= ~(msr_data | EFLG_RF);
1889 #endif
1890 } else {
1891 /* legacy mode */
1892 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1893 c->eip = (u32)msr_data;
1894
1895 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1896 }
1897
1898 return X86EMUL_CONTINUE;
1899 }
1900
1901 static int
1902 emulate_sysenter(struct x86_emulate_ctxt *ctxt)
1903 {
1904 struct decode_cache *c = &ctxt->decode;
1905 struct kvm_segment cs, ss;
1906 u64 msr_data;
1907
1908 /* inject #GP if in real mode */
1909 if (ctxt->mode == X86EMUL_MODE_REAL) {
1910 kvm_inject_gp(ctxt->vcpu, 0);
1911 return X86EMUL_PROPAGATE_FAULT;
1912 }
1913
1914 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1915 * Therefore, we inject an #UD.
1916 */
1917 if (ctxt->mode == X86EMUL_MODE_PROT64) {
1918 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
1919 return X86EMUL_PROPAGATE_FAULT;
1920 }
1921
1922 setup_syscalls_segments(ctxt, &cs, &ss);
1923
1924 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1925 switch (ctxt->mode) {
1926 case X86EMUL_MODE_PROT32:
1927 if ((msr_data & 0xfffc) == 0x0) {
1928 kvm_inject_gp(ctxt->vcpu, 0);
1929 return X86EMUL_PROPAGATE_FAULT;
1930 }
1931 break;
1932 case X86EMUL_MODE_PROT64:
1933 if (msr_data == 0x0) {
1934 kvm_inject_gp(ctxt->vcpu, 0);
1935 return X86EMUL_PROPAGATE_FAULT;
1936 }
1937 break;
1938 }
1939
1940 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1941 cs.selector = (u16)msr_data;
1942 cs.selector &= ~SELECTOR_RPL_MASK;
1943 ss.selector = cs.selector + 8;
1944 ss.selector &= ~SELECTOR_RPL_MASK;
1945 if (ctxt->mode == X86EMUL_MODE_PROT64
1946 || is_long_mode(ctxt->vcpu)) {
1947 cs.db = 0;
1948 cs.l = 1;
1949 }
1950
1951 kvm_x86_ops->set_segment(ctxt->vcpu, &cs, VCPU_SREG_CS);
1952 kvm_x86_ops->set_segment(ctxt->vcpu, &ss, VCPU_SREG_SS);
1953
1954 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
1955 c->eip = msr_data;
1956
1957 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
1958 c->regs[VCPU_REGS_RSP] = msr_data;
1959
1960 return X86EMUL_CONTINUE;
1961 }
1962
1963 static int
1964 emulate_sysexit(struct x86_emulate_ctxt *ctxt)
1965 {
1966 struct decode_cache *c = &ctxt->decode;
1967 struct kvm_segment cs, ss;
1968 u64 msr_data;
1969 int usermode;
1970
1971 /* inject #GP if in real mode or Virtual 8086 mode */
1972 if (ctxt->mode == X86EMUL_MODE_REAL ||
1973 ctxt->mode == X86EMUL_MODE_VM86) {
1974 kvm_inject_gp(ctxt->vcpu, 0);
1975 return X86EMUL_PROPAGATE_FAULT;
1976 }
1977
1978 setup_syscalls_segments(ctxt, &cs, &ss);
1979
1980 if ((c->rex_prefix & 0x8) != 0x0)
1981 usermode = X86EMUL_MODE_PROT64;
1982 else
1983 usermode = X86EMUL_MODE_PROT32;
1984
1985 cs.dpl = 3;
1986 ss.dpl = 3;
1987 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1988 switch (usermode) {
1989 case X86EMUL_MODE_PROT32:
1990 cs.selector = (u16)(msr_data + 16);
1991 if ((msr_data & 0xfffc) == 0x0) {
1992 kvm_inject_gp(ctxt->vcpu, 0);
1993 return X86EMUL_PROPAGATE_FAULT;
1994 }
1995 ss.selector = (u16)(msr_data + 24);
1996 break;
1997 case X86EMUL_MODE_PROT64:
1998 cs.selector = (u16)(msr_data + 32);
1999 if (msr_data == 0x0) {
2000 kvm_inject_gp(ctxt->vcpu, 0);
2001 return X86EMUL_PROPAGATE_FAULT;
2002 }
2003 ss.selector = cs.selector + 8;
2004 cs.db = 0;
2005 cs.l = 1;
2006 break;
2007 }
2008 cs.selector |= SELECTOR_RPL_MASK;
2009 ss.selector |= SELECTOR_RPL_MASK;
2010
2011 kvm_x86_ops->set_segment(ctxt->vcpu, &cs, VCPU_SREG_CS);
2012 kvm_x86_ops->set_segment(ctxt->vcpu, &ss, VCPU_SREG_SS);
2013
2014 c->eip = ctxt->vcpu->arch.regs[VCPU_REGS_RDX];
2015 c->regs[VCPU_REGS_RSP] = ctxt->vcpu->arch.regs[VCPU_REGS_RCX];
2016
2017 return X86EMUL_CONTINUE;
2018 }
2019
2020 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
2021 struct x86_emulate_ops *ops)
2022 {
2023 int iopl;
2024 if (ctxt->mode == X86EMUL_MODE_REAL)
2025 return false;
2026 if (ctxt->mode == X86EMUL_MODE_VM86)
2027 return true;
2028 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
2029 return ops->cpl(ctxt->vcpu) > iopl;
2030 }
2031
2032 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2033 struct x86_emulate_ops *ops,
2034 u16 port, u16 len)
2035 {
2036 struct kvm_segment tr_seg;
2037 int r;
2038 u16 io_bitmap_ptr;
2039 u8 perm, bit_idx = port & 0x7;
2040 unsigned mask = (1 << len) - 1;
2041
2042 kvm_get_segment(ctxt->vcpu, &tr_seg, VCPU_SREG_TR);
2043 if (tr_seg.unusable)
2044 return false;
2045 if (tr_seg.limit < 103)
2046 return false;
2047 r = ops->read_std(tr_seg.base + 102, &io_bitmap_ptr, 2, ctxt->vcpu,
2048 NULL);
2049 if (r != X86EMUL_CONTINUE)
2050 return false;
2051 if (io_bitmap_ptr + port/8 > tr_seg.limit)
2052 return false;
2053 r = ops->read_std(tr_seg.base + io_bitmap_ptr + port/8, &perm, 1,
2054 ctxt->vcpu, NULL);
2055 if (r != X86EMUL_CONTINUE)
2056 return false;
2057 if ((perm >> bit_idx) & mask)
2058 return false;
2059 return true;
2060 }
2061
2062 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2063 struct x86_emulate_ops *ops,
2064 u16 port, u16 len)
2065 {
2066 if (emulator_bad_iopl(ctxt, ops))
2067 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
2068 return false;
2069 return true;
2070 }
2071
2072 static u32 get_cached_descriptor_base(struct x86_emulate_ctxt *ctxt,
2073 struct x86_emulate_ops *ops,
2074 int seg)
2075 {
2076 struct desc_struct desc;
2077 if (ops->get_cached_descriptor(&desc, seg, ctxt->vcpu))
2078 return get_desc_base(&desc);
2079 else
2080 return ~0;
2081 }
2082
2083 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2084 struct x86_emulate_ops *ops,
2085 struct tss_segment_16 *tss)
2086 {
2087 struct decode_cache *c = &ctxt->decode;
2088
2089 tss->ip = c->eip;
2090 tss->flag = ctxt->eflags;
2091 tss->ax = c->regs[VCPU_REGS_RAX];
2092 tss->cx = c->regs[VCPU_REGS_RCX];
2093 tss->dx = c->regs[VCPU_REGS_RDX];
2094 tss->bx = c->regs[VCPU_REGS_RBX];
2095 tss->sp = c->regs[VCPU_REGS_RSP];
2096 tss->bp = c->regs[VCPU_REGS_RBP];
2097 tss->si = c->regs[VCPU_REGS_RSI];
2098 tss->di = c->regs[VCPU_REGS_RDI];
2099
2100 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2101 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2102 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2103 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2104 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2105 }
2106
2107 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2108 struct x86_emulate_ops *ops,
2109 struct tss_segment_16 *tss)
2110 {
2111 struct decode_cache *c = &ctxt->decode;
2112 int ret;
2113
2114 c->eip = tss->ip;
2115 ctxt->eflags = tss->flag | 2;
2116 c->regs[VCPU_REGS_RAX] = tss->ax;
2117 c->regs[VCPU_REGS_RCX] = tss->cx;
2118 c->regs[VCPU_REGS_RDX] = tss->dx;
2119 c->regs[VCPU_REGS_RBX] = tss->bx;
2120 c->regs[VCPU_REGS_RSP] = tss->sp;
2121 c->regs[VCPU_REGS_RBP] = tss->bp;
2122 c->regs[VCPU_REGS_RSI] = tss->si;
2123 c->regs[VCPU_REGS_RDI] = tss->di;
2124
2125 /*
2126 * SDM says that segment selectors are loaded before segment
2127 * descriptors
2128 */
2129 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
2130 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2131 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2132 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2133 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2134
2135 /*
2136 * Now load segment descriptors. If fault happenes at this stage
2137 * it is handled in a context of new task
2138 */
2139 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
2140 if (ret != X86EMUL_CONTINUE)
2141 return ret;
2142 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2143 if (ret != X86EMUL_CONTINUE)
2144 return ret;
2145 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2146 if (ret != X86EMUL_CONTINUE)
2147 return ret;
2148 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2149 if (ret != X86EMUL_CONTINUE)
2150 return ret;
2151 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2152 if (ret != X86EMUL_CONTINUE)
2153 return ret;
2154
2155 return X86EMUL_CONTINUE;
2156 }
2157
2158 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2159 struct x86_emulate_ops *ops,
2160 u16 tss_selector, u16 old_tss_sel,
2161 ulong old_tss_base, struct desc_struct *new_desc)
2162 {
2163 struct tss_segment_16 tss_seg;
2164 int ret;
2165 u32 err, new_tss_base = get_desc_base(new_desc);
2166
2167 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2168 &err);
2169 if (ret == X86EMUL_PROPAGATE_FAULT) {
2170 /* FIXME: need to provide precise fault address */
2171 kvm_inject_page_fault(ctxt->vcpu, old_tss_base, err);
2172 return ret;
2173 }
2174
2175 save_state_to_tss16(ctxt, ops, &tss_seg);
2176
2177 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2178 &err);
2179 if (ret == X86EMUL_PROPAGATE_FAULT) {
2180 /* FIXME: need to provide precise fault address */
2181 kvm_inject_page_fault(ctxt->vcpu, old_tss_base, err);
2182 return ret;
2183 }
2184
2185 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2186 &err);
2187 if (ret == X86EMUL_PROPAGATE_FAULT) {
2188 /* FIXME: need to provide precise fault address */
2189 kvm_inject_page_fault(ctxt->vcpu, new_tss_base, err);
2190 return ret;
2191 }
2192
2193 if (old_tss_sel != 0xffff) {
2194 tss_seg.prev_task_link = old_tss_sel;
2195
2196 ret = ops->write_std(new_tss_base,
2197 &tss_seg.prev_task_link,
2198 sizeof tss_seg.prev_task_link,
2199 ctxt->vcpu, &err);
2200 if (ret == X86EMUL_PROPAGATE_FAULT) {
2201 /* FIXME: need to provide precise fault address */
2202 kvm_inject_page_fault(ctxt->vcpu, new_tss_base, err);
2203 return ret;
2204 }
2205 }
2206
2207 return load_state_from_tss16(ctxt, ops, &tss_seg);
2208 }
2209
2210 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2211 struct x86_emulate_ops *ops,
2212 struct tss_segment_32 *tss)
2213 {
2214 struct decode_cache *c = &ctxt->decode;
2215
2216 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
2217 tss->eip = c->eip;
2218 tss->eflags = ctxt->eflags;
2219 tss->eax = c->regs[VCPU_REGS_RAX];
2220 tss->ecx = c->regs[VCPU_REGS_RCX];
2221 tss->edx = c->regs[VCPU_REGS_RDX];
2222 tss->ebx = c->regs[VCPU_REGS_RBX];
2223 tss->esp = c->regs[VCPU_REGS_RSP];
2224 tss->ebp = c->regs[VCPU_REGS_RBP];
2225 tss->esi = c->regs[VCPU_REGS_RSI];
2226 tss->edi = c->regs[VCPU_REGS_RDI];
2227
2228 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2229 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2230 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2231 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2232 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
2233 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
2234 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2235 }
2236
2237 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2238 struct x86_emulate_ops *ops,
2239 struct tss_segment_32 *tss)
2240 {
2241 struct decode_cache *c = &ctxt->decode;
2242 int ret;
2243
2244 ops->set_cr(3, tss->cr3, ctxt->vcpu);
2245 c->eip = tss->eip;
2246 ctxt->eflags = tss->eflags | 2;
2247 c->regs[VCPU_REGS_RAX] = tss->eax;
2248 c->regs[VCPU_REGS_RCX] = tss->ecx;
2249 c->regs[VCPU_REGS_RDX] = tss->edx;
2250 c->regs[VCPU_REGS_RBX] = tss->ebx;
2251 c->regs[VCPU_REGS_RSP] = tss->esp;
2252 c->regs[VCPU_REGS_RBP] = tss->ebp;
2253 c->regs[VCPU_REGS_RSI] = tss->esi;
2254 c->regs[VCPU_REGS_RDI] = tss->edi;
2255
2256 /*
2257 * SDM says that segment selectors are loaded before segment
2258 * descriptors
2259 */
2260 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
2261 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2262 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2263 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2264 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2265 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
2266 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
2267
2268 /*
2269 * Now load segment descriptors. If fault happenes at this stage
2270 * it is handled in a context of new task
2271 */
2272 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
2273 if (ret != X86EMUL_CONTINUE)
2274 return ret;
2275 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2276 if (ret != X86EMUL_CONTINUE)
2277 return ret;
2278 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2279 if (ret != X86EMUL_CONTINUE)
2280 return ret;
2281 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2282 if (ret != X86EMUL_CONTINUE)
2283 return ret;
2284 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2285 if (ret != X86EMUL_CONTINUE)
2286 return ret;
2287 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
2288 if (ret != X86EMUL_CONTINUE)
2289 return ret;
2290 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
2291 if (ret != X86EMUL_CONTINUE)
2292 return ret;
2293
2294 return X86EMUL_CONTINUE;
2295 }
2296
2297 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2298 struct x86_emulate_ops *ops,
2299 u16 tss_selector, u16 old_tss_sel,
2300 ulong old_tss_base, struct desc_struct *new_desc)
2301 {
2302 struct tss_segment_32 tss_seg;
2303 int ret;
2304 u32 err, new_tss_base = get_desc_base(new_desc);
2305
2306 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2307 &err);
2308 if (ret == X86EMUL_PROPAGATE_FAULT) {
2309 /* FIXME: need to provide precise fault address */
2310 kvm_inject_page_fault(ctxt->vcpu, old_tss_base, err);
2311 return ret;
2312 }
2313
2314 save_state_to_tss32(ctxt, ops, &tss_seg);
2315
2316 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2317 &err);
2318 if (ret == X86EMUL_PROPAGATE_FAULT) {
2319 /* FIXME: need to provide precise fault address */
2320 kvm_inject_page_fault(ctxt->vcpu, old_tss_base, err);
2321 return ret;
2322 }
2323
2324 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2325 &err);
2326 if (ret == X86EMUL_PROPAGATE_FAULT) {
2327 /* FIXME: need to provide precise fault address */
2328 kvm_inject_page_fault(ctxt->vcpu, new_tss_base, err);
2329 return ret;
2330 }
2331
2332 if (old_tss_sel != 0xffff) {
2333 tss_seg.prev_task_link = old_tss_sel;
2334
2335 ret = ops->write_std(new_tss_base,
2336 &tss_seg.prev_task_link,
2337 sizeof tss_seg.prev_task_link,
2338 ctxt->vcpu, &err);
2339 if (ret == X86EMUL_PROPAGATE_FAULT) {
2340 /* FIXME: need to provide precise fault address */
2341 kvm_inject_page_fault(ctxt->vcpu, new_tss_base, err);
2342 return ret;
2343 }
2344 }
2345
2346 return load_state_from_tss32(ctxt, ops, &tss_seg);
2347 }
2348
2349 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2350 struct x86_emulate_ops *ops,
2351 u16 tss_selector, int reason)
2352 {
2353 struct desc_struct curr_tss_desc, next_tss_desc;
2354 int ret;
2355 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2356 ulong old_tss_base =
2357 get_cached_descriptor_base(ctxt, ops, VCPU_SREG_TR);
2358 u32 desc_limit;
2359
2360 /* FIXME: old_tss_base == ~0 ? */
2361
2362 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2363 if (ret != X86EMUL_CONTINUE)
2364 return ret;
2365 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2366 if (ret != X86EMUL_CONTINUE)
2367 return ret;
2368
2369 /* FIXME: check that next_tss_desc is tss */
2370
2371 if (reason != TASK_SWITCH_IRET) {
2372 if ((tss_selector & 3) > next_tss_desc.dpl ||
2373 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
2374 kvm_inject_gp(ctxt->vcpu, 0);
2375 return X86EMUL_PROPAGATE_FAULT;
2376 }
2377 }
2378
2379 desc_limit = desc_limit_scaled(&next_tss_desc);
2380 if (!next_tss_desc.p ||
2381 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2382 desc_limit < 0x2b)) {
2383 kvm_queue_exception_e(ctxt->vcpu, TS_VECTOR,
2384 tss_selector & 0xfffc);
2385 return X86EMUL_PROPAGATE_FAULT;
2386 }
2387
2388 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2389 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2390 write_segment_descriptor(ctxt, ops, old_tss_sel,
2391 &curr_tss_desc);
2392 }
2393
2394 if (reason == TASK_SWITCH_IRET)
2395 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2396
2397 /* set back link to prev task only if NT bit is set in eflags
2398 note that old_tss_sel is not used afetr this point */
2399 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2400 old_tss_sel = 0xffff;
2401
2402 if (next_tss_desc.type & 8)
2403 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2404 old_tss_base, &next_tss_desc);
2405 else
2406 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2407 old_tss_base, &next_tss_desc);
2408
2409 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2410 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2411
2412 if (reason != TASK_SWITCH_IRET) {
2413 next_tss_desc.type |= (1 << 1); /* set busy flag */
2414 write_segment_descriptor(ctxt, ops, tss_selector,
2415 &next_tss_desc);
2416 }
2417
2418 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2419 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
2420 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2421
2422 return ret;
2423 }
2424
2425 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2426 struct x86_emulate_ops *ops,
2427 u16 tss_selector, int reason)
2428 {
2429 struct decode_cache *c = &ctxt->decode;
2430 int rc;
2431
2432 memset(c, 0, sizeof(struct decode_cache));
2433 c->eip = ctxt->eip;
2434 memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
2435
2436 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason);
2437
2438 if (rc == X86EMUL_CONTINUE) {
2439 memcpy(ctxt->vcpu->arch.regs, c->regs, sizeof c->regs);
2440 kvm_rip_write(ctxt->vcpu, c->eip);
2441 }
2442
2443 return rc;
2444 }
2445
2446 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2447 int reg, struct operand *op)
2448 {
2449 struct decode_cache *c = &ctxt->decode;
2450 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2451
2452 register_address_increment(c, &c->regs[reg], df * op->bytes);
2453 op->ptr = (unsigned long *)register_address(c, base, c->regs[reg]);
2454 }
2455
2456 int
2457 x86_emulate_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2458 {
2459 u64 msr_data;
2460 struct decode_cache *c = &ctxt->decode;
2461 int rc = X86EMUL_CONTINUE;
2462 int saved_dst_type = c->dst.type;
2463
2464 ctxt->interruptibility = 0;
2465
2466 /* Shadow copy of register state. Committed on successful emulation.
2467 * NOTE: we can copy them from vcpu as x86_decode_insn() doesn't
2468 * modify them.
2469 */
2470
2471 memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
2472
2473 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2474 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2475 goto done;
2476 }
2477
2478 /* LOCK prefix is allowed only with some instructions */
2479 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2480 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2481 goto done;
2482 }
2483
2484 /* Privileged instruction can be executed only in CPL=0 */
2485 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2486 kvm_inject_gp(ctxt->vcpu, 0);
2487 goto done;
2488 }
2489
2490 if (c->rep_prefix && (c->d & String)) {
2491 ctxt->restart = true;
2492 /* All REP prefixes have the same first termination condition */
2493 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2494 string_done:
2495 ctxt->restart = false;
2496 kvm_rip_write(ctxt->vcpu, c->eip);
2497 goto done;
2498 }
2499 /* The second termination condition only applies for REPE
2500 * and REPNE. Test if the repeat string operation prefix is
2501 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
2502 * corresponding termination condition according to:
2503 * - if REPE/REPZ and ZF = 0 then done
2504 * - if REPNE/REPNZ and ZF = 1 then done
2505 */
2506 if ((c->b == 0xa6) || (c->b == 0xa7) ||
2507 (c->b == 0xae) || (c->b == 0xaf)) {
2508 if ((c->rep_prefix == REPE_PREFIX) &&
2509 ((ctxt->eflags & EFLG_ZF) == 0))
2510 goto string_done;
2511 if ((c->rep_prefix == REPNE_PREFIX) &&
2512 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
2513 goto string_done;
2514 }
2515 c->eip = ctxt->eip;
2516 }
2517
2518 if (c->src.type == OP_MEM) {
2519 rc = ops->read_emulated((unsigned long)c->src.ptr,
2520 &c->src.val,
2521 c->src.bytes,
2522 ctxt->vcpu);
2523 if (rc != X86EMUL_CONTINUE)
2524 goto done;
2525 c->src.orig_val = c->src.val;
2526 }
2527
2528 if (c->src2.type == OP_MEM) {
2529 rc = ops->read_emulated((unsigned long)c->src2.ptr,
2530 &c->src2.val,
2531 c->src2.bytes,
2532 ctxt->vcpu);
2533 if (rc != X86EMUL_CONTINUE)
2534 goto done;
2535 }
2536
2537 if ((c->d & DstMask) == ImplicitOps)
2538 goto special_insn;
2539
2540
2541 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
2542 /* optimisation - avoid slow emulated read if Mov */
2543 rc = ops->read_emulated((unsigned long)c->dst.ptr, &c->dst.val,
2544 c->dst.bytes, ctxt->vcpu);
2545 if (rc != X86EMUL_CONTINUE)
2546 goto done;
2547 }
2548 c->dst.orig_val = c->dst.val;
2549
2550 special_insn:
2551
2552 if (c->twobyte)
2553 goto twobyte_insn;
2554
2555 switch (c->b) {
2556 case 0x00 ... 0x05:
2557 add: /* add */
2558 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2559 break;
2560 case 0x06: /* push es */
2561 emulate_push_sreg(ctxt, VCPU_SREG_ES);
2562 break;
2563 case 0x07: /* pop es */
2564 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2565 if (rc != X86EMUL_CONTINUE)
2566 goto done;
2567 break;
2568 case 0x08 ... 0x0d:
2569 or: /* or */
2570 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2571 break;
2572 case 0x0e: /* push cs */
2573 emulate_push_sreg(ctxt, VCPU_SREG_CS);
2574 break;
2575 case 0x10 ... 0x15:
2576 adc: /* adc */
2577 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2578 break;
2579 case 0x16: /* push ss */
2580 emulate_push_sreg(ctxt, VCPU_SREG_SS);
2581 break;
2582 case 0x17: /* pop ss */
2583 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2584 if (rc != X86EMUL_CONTINUE)
2585 goto done;
2586 break;
2587 case 0x18 ... 0x1d:
2588 sbb: /* sbb */
2589 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2590 break;
2591 case 0x1e: /* push ds */
2592 emulate_push_sreg(ctxt, VCPU_SREG_DS);
2593 break;
2594 case 0x1f: /* pop ds */
2595 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2596 if (rc != X86EMUL_CONTINUE)
2597 goto done;
2598 break;
2599 case 0x20 ... 0x25:
2600 and: /* and */
2601 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2602 break;
2603 case 0x28 ... 0x2d:
2604 sub: /* sub */
2605 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2606 break;
2607 case 0x30 ... 0x35:
2608 xor: /* xor */
2609 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2610 break;
2611 case 0x38 ... 0x3d:
2612 cmp: /* cmp */
2613 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2614 break;
2615 case 0x40 ... 0x47: /* inc r16/r32 */
2616 emulate_1op("inc", c->dst, ctxt->eflags);
2617 break;
2618 case 0x48 ... 0x4f: /* dec r16/r32 */
2619 emulate_1op("dec", c->dst, ctxt->eflags);
2620 break;
2621 case 0x50 ... 0x57: /* push reg */
2622 emulate_push(ctxt);
2623 break;
2624 case 0x58 ... 0x5f: /* pop reg */
2625 pop_instruction:
2626 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2627 if (rc != X86EMUL_CONTINUE)
2628 goto done;
2629 break;
2630 case 0x60: /* pusha */
2631 emulate_pusha(ctxt);
2632 break;
2633 case 0x61: /* popa */
2634 rc = emulate_popa(ctxt, ops);
2635 if (rc != X86EMUL_CONTINUE)
2636 goto done;
2637 break;
2638 case 0x63: /* movsxd */
2639 if (ctxt->mode != X86EMUL_MODE_PROT64)
2640 goto cannot_emulate;
2641 c->dst.val = (s32) c->src.val;
2642 break;
2643 case 0x68: /* push imm */
2644 case 0x6a: /* push imm8 */
2645 emulate_push(ctxt);
2646 break;
2647 case 0x6c: /* insb */
2648 case 0x6d: /* insw/insd */
2649 c->dst.bytes = min(c->dst.bytes, 4u);
2650 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2651 c->dst.bytes)) {
2652 kvm_inject_gp(ctxt->vcpu, 0);
2653 goto done;
2654 }
2655 if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
2656 c->regs[VCPU_REGS_RDX], &c->dst.val))
2657 goto done; /* IO is needed, skip writeback */
2658 break;
2659 case 0x6e: /* outsb */
2660 case 0x6f: /* outsw/outsd */
2661 c->src.bytes = min(c->src.bytes, 4u);
2662 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2663 c->src.bytes)) {
2664 kvm_inject_gp(ctxt->vcpu, 0);
2665 goto done;
2666 }
2667 ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
2668 &c->src.val, 1, ctxt->vcpu);
2669
2670 c->dst.type = OP_NONE; /* nothing to writeback */
2671 break;
2672 case 0x70 ... 0x7f: /* jcc (short) */
2673 if (test_cc(c->b, ctxt->eflags))
2674 jmp_rel(c, c->src.val);
2675 break;
2676 case 0x80 ... 0x83: /* Grp1 */
2677 switch (c->modrm_reg) {
2678 case 0:
2679 goto add;
2680 case 1:
2681 goto or;
2682 case 2:
2683 goto adc;
2684 case 3:
2685 goto sbb;
2686 case 4:
2687 goto and;
2688 case 5:
2689 goto sub;
2690 case 6:
2691 goto xor;
2692 case 7:
2693 goto cmp;
2694 }
2695 break;
2696 case 0x84 ... 0x85:
2697 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2698 break;
2699 case 0x86 ... 0x87: /* xchg */
2700 xchg:
2701 /* Write back the register source. */
2702 switch (c->dst.bytes) {
2703 case 1:
2704 *(u8 *) c->src.ptr = (u8) c->dst.val;
2705 break;
2706 case 2:
2707 *(u16 *) c->src.ptr = (u16) c->dst.val;
2708 break;
2709 case 4:
2710 *c->src.ptr = (u32) c->dst.val;
2711 break; /* 64b reg: zero-extend */
2712 case 8:
2713 *c->src.ptr = c->dst.val;
2714 break;
2715 }
2716 /*
2717 * Write back the memory destination with implicit LOCK
2718 * prefix.
2719 */
2720 c->dst.val = c->src.val;
2721 c->lock_prefix = 1;
2722 break;
2723 case 0x88 ... 0x8b: /* mov */
2724 goto mov;
2725 case 0x8c: { /* mov r/m, sreg */
2726 struct kvm_segment segreg;
2727
2728 if (c->modrm_reg <= VCPU_SREG_GS)
2729 kvm_get_segment(ctxt->vcpu, &segreg, c->modrm_reg);
2730 else {
2731 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2732 goto done;
2733 }
2734 c->dst.val = segreg.selector;
2735 break;
2736 }
2737 case 0x8d: /* lea r16/r32, m */
2738 c->dst.val = c->modrm_ea;
2739 break;
2740 case 0x8e: { /* mov seg, r/m16 */
2741 uint16_t sel;
2742
2743 sel = c->src.val;
2744
2745 if (c->modrm_reg == VCPU_SREG_CS ||
2746 c->modrm_reg > VCPU_SREG_GS) {
2747 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2748 goto done;
2749 }
2750
2751 if (c->modrm_reg == VCPU_SREG_SS)
2752 toggle_interruptibility(ctxt, KVM_X86_SHADOW_INT_MOV_SS);
2753
2754 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
2755
2756 c->dst.type = OP_NONE; /* Disable writeback. */
2757 break;
2758 }
2759 case 0x8f: /* pop (sole member of Grp1a) */
2760 rc = emulate_grp1a(ctxt, ops);
2761 if (rc != X86EMUL_CONTINUE)
2762 goto done;
2763 break;
2764 case 0x90: /* nop / xchg r8,rax */
2765 if (!(c->rex_prefix & 1)) { /* nop */
2766 c->dst.type = OP_NONE;
2767 break;
2768 }
2769 case 0x91 ... 0x97: /* xchg reg,rax */
2770 c->src.type = c->dst.type = OP_REG;
2771 c->src.bytes = c->dst.bytes = c->op_bytes;
2772 c->src.ptr = (unsigned long *) &c->regs[VCPU_REGS_RAX];
2773 c->src.val = *(c->src.ptr);
2774 goto xchg;
2775 case 0x9c: /* pushf */
2776 c->src.val = (unsigned long) ctxt->eflags;
2777 emulate_push(ctxt);
2778 break;
2779 case 0x9d: /* popf */
2780 c->dst.type = OP_REG;
2781 c->dst.ptr = (unsigned long *) &ctxt->eflags;
2782 c->dst.bytes = c->op_bytes;
2783 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
2784 if (rc != X86EMUL_CONTINUE)
2785 goto done;
2786 break;
2787 case 0xa0 ... 0xa1: /* mov */
2788 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
2789 c->dst.val = c->src.val;
2790 break;
2791 case 0xa2 ... 0xa3: /* mov */
2792 c->dst.val = (unsigned long)c->regs[VCPU_REGS_RAX];
2793 break;
2794 case 0xa4 ... 0xa5: /* movs */
2795 goto mov;
2796 case 0xa6 ... 0xa7: /* cmps */
2797 c->dst.type = OP_NONE; /* Disable writeback. */
2798 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.ptr, c->dst.ptr);
2799 goto cmp;
2800 case 0xaa ... 0xab: /* stos */
2801 c->dst.val = c->regs[VCPU_REGS_RAX];
2802 break;
2803 case 0xac ... 0xad: /* lods */
2804 goto mov;
2805 case 0xae ... 0xaf: /* scas */
2806 DPRINTF("Urk! I don't handle SCAS.\n");
2807 goto cannot_emulate;
2808 case 0xb0 ... 0xbf: /* mov r, imm */
2809 goto mov;
2810 case 0xc0 ... 0xc1:
2811 emulate_grp2(ctxt);
2812 break;
2813 case 0xc3: /* ret */
2814 c->dst.type = OP_REG;
2815 c->dst.ptr = &c->eip;
2816 c->dst.bytes = c->op_bytes;
2817 goto pop_instruction;
2818 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
2819 mov:
2820 c->dst.val = c->src.val;
2821 break;
2822 case 0xcb: /* ret far */
2823 rc = emulate_ret_far(ctxt, ops);
2824 if (rc != X86EMUL_CONTINUE)
2825 goto done;
2826 break;
2827 case 0xd0 ... 0xd1: /* Grp2 */
2828 c->src.val = 1;
2829 emulate_grp2(ctxt);
2830 break;
2831 case 0xd2 ... 0xd3: /* Grp2 */
2832 c->src.val = c->regs[VCPU_REGS_RCX];
2833 emulate_grp2(ctxt);
2834 break;
2835 case 0xe4: /* inb */
2836 case 0xe5: /* in */
2837 goto do_io_in;
2838 case 0xe6: /* outb */
2839 case 0xe7: /* out */
2840 goto do_io_out;
2841 case 0xe8: /* call (near) */ {
2842 long int rel = c->src.val;
2843 c->src.val = (unsigned long) c->eip;
2844 jmp_rel(c, rel);
2845 emulate_push(ctxt);
2846 break;
2847 }
2848 case 0xe9: /* jmp rel */
2849 goto jmp;
2850 case 0xea: /* jmp far */
2851 jump_far:
2852 if (load_segment_descriptor(ctxt, ops, c->src2.val,
2853 VCPU_SREG_CS))
2854 goto done;
2855
2856 c->eip = c->src.val;
2857 break;
2858 case 0xeb:
2859 jmp: /* jmp rel short */
2860 jmp_rel(c, c->src.val);
2861 c->dst.type = OP_NONE; /* Disable writeback. */
2862 break;
2863 case 0xec: /* in al,dx */
2864 case 0xed: /* in (e/r)ax,dx */
2865 c->src.val = c->regs[VCPU_REGS_RDX];
2866 do_io_in:
2867 c->dst.bytes = min(c->dst.bytes, 4u);
2868 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
2869 kvm_inject_gp(ctxt->vcpu, 0);
2870 goto done;
2871 }
2872 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
2873 &c->dst.val))
2874 goto done; /* IO is needed */
2875 break;
2876 case 0xee: /* out al,dx */
2877 case 0xef: /* out (e/r)ax,dx */
2878 c->src.val = c->regs[VCPU_REGS_RDX];
2879 do_io_out:
2880 c->dst.bytes = min(c->dst.bytes, 4u);
2881 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
2882 kvm_inject_gp(ctxt->vcpu, 0);
2883 goto done;
2884 }
2885 ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
2886 ctxt->vcpu);
2887 c->dst.type = OP_NONE; /* Disable writeback. */
2888 break;
2889 case 0xf4: /* hlt */
2890 ctxt->vcpu->arch.halt_request = 1;
2891 break;
2892 case 0xf5: /* cmc */
2893 /* complement carry flag from eflags reg */
2894 ctxt->eflags ^= EFLG_CF;
2895 c->dst.type = OP_NONE; /* Disable writeback. */
2896 break;
2897 case 0xf6 ... 0xf7: /* Grp3 */
2898 if (!emulate_grp3(ctxt, ops))
2899 goto cannot_emulate;
2900 break;
2901 case 0xf8: /* clc */
2902 ctxt->eflags &= ~EFLG_CF;
2903 c->dst.type = OP_NONE; /* Disable writeback. */
2904 break;
2905 case 0xfa: /* cli */
2906 if (emulator_bad_iopl(ctxt, ops))
2907 kvm_inject_gp(ctxt->vcpu, 0);
2908 else {
2909 ctxt->eflags &= ~X86_EFLAGS_IF;
2910 c->dst.type = OP_NONE; /* Disable writeback. */
2911 }
2912 break;
2913 case 0xfb: /* sti */
2914 if (emulator_bad_iopl(ctxt, ops))
2915 kvm_inject_gp(ctxt->vcpu, 0);
2916 else {
2917 toggle_interruptibility(ctxt, KVM_X86_SHADOW_INT_STI);
2918 ctxt->eflags |= X86_EFLAGS_IF;
2919 c->dst.type = OP_NONE; /* Disable writeback. */
2920 }
2921 break;
2922 case 0xfc: /* cld */
2923 ctxt->eflags &= ~EFLG_DF;
2924 c->dst.type = OP_NONE; /* Disable writeback. */
2925 break;
2926 case 0xfd: /* std */
2927 ctxt->eflags |= EFLG_DF;
2928 c->dst.type = OP_NONE; /* Disable writeback. */
2929 break;
2930 case 0xfe: /* Grp4 */
2931 grp45:
2932 rc = emulate_grp45(ctxt, ops);
2933 if (rc != X86EMUL_CONTINUE)
2934 goto done;
2935 break;
2936 case 0xff: /* Grp5 */
2937 if (c->modrm_reg == 5)
2938 goto jump_far;
2939 goto grp45;
2940 }
2941
2942 writeback:
2943 rc = writeback(ctxt, ops);
2944 if (rc != X86EMUL_CONTINUE)
2945 goto done;
2946
2947 /*
2948 * restore dst type in case the decoding will be reused
2949 * (happens for string instruction )
2950 */
2951 c->dst.type = saved_dst_type;
2952
2953 if ((c->d & SrcMask) == SrcSI)
2954 string_addr_inc(ctxt, seg_override_base(ctxt, c), VCPU_REGS_RSI,
2955 &c->src);
2956
2957 if ((c->d & DstMask) == DstDI)
2958 string_addr_inc(ctxt, es_base(ctxt), VCPU_REGS_RDI, &c->dst);
2959
2960 if (c->rep_prefix && (c->d & String)) {
2961 struct read_cache *rc = &ctxt->decode.io_read;
2962 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
2963 /*
2964 * Re-enter guest when pio read ahead buffer is empty or,
2965 * if it is not used, after each 1024 iteration.
2966 */
2967 if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
2968 (rc->end != 0 && rc->end == rc->pos))
2969 ctxt->restart = false;
2970 }
2971
2972 /* Commit shadow register state. */
2973 memcpy(ctxt->vcpu->arch.regs, c->regs, sizeof c->regs);
2974 kvm_rip_write(ctxt->vcpu, c->eip);
2975
2976 done:
2977 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2978
2979 twobyte_insn:
2980 switch (c->b) {
2981 case 0x01: /* lgdt, lidt, lmsw */
2982 switch (c->modrm_reg) {
2983 u16 size;
2984 unsigned long address;
2985
2986 case 0: /* vmcall */
2987 if (c->modrm_mod != 3 || c->modrm_rm != 1)
2988 goto cannot_emulate;
2989
2990 rc = kvm_fix_hypercall(ctxt->vcpu);
2991 if (rc != X86EMUL_CONTINUE)
2992 goto done;
2993
2994 /* Let the processor re-execute the fixed hypercall */
2995 c->eip = ctxt->eip;
2996 /* Disable writeback. */
2997 c->dst.type = OP_NONE;
2998 break;
2999 case 2: /* lgdt */
3000 rc = read_descriptor(ctxt, ops, c->src.ptr,
3001 &size, &address, c->op_bytes);
3002 if (rc != X86EMUL_CONTINUE)
3003 goto done;
3004 realmode_lgdt(ctxt->vcpu, size, address);
3005 /* Disable writeback. */
3006 c->dst.type = OP_NONE;
3007 break;
3008 case 3: /* lidt/vmmcall */
3009 if (c->modrm_mod == 3) {
3010 switch (c->modrm_rm) {
3011 case 1:
3012 rc = kvm_fix_hypercall(ctxt->vcpu);
3013 if (rc != X86EMUL_CONTINUE)
3014 goto done;
3015 break;
3016 default:
3017 goto cannot_emulate;
3018 }
3019 } else {
3020 rc = read_descriptor(ctxt, ops, c->src.ptr,
3021 &size, &address,
3022 c->op_bytes);
3023 if (rc != X86EMUL_CONTINUE)
3024 goto done;
3025 realmode_lidt(ctxt->vcpu, size, address);
3026 }
3027 /* Disable writeback. */
3028 c->dst.type = OP_NONE;
3029 break;
3030 case 4: /* smsw */
3031 c->dst.bytes = 2;
3032 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3033 break;
3034 case 6: /* lmsw */
3035 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0ful) |
3036 (c->src.val & 0x0f), ctxt->vcpu);
3037 c->dst.type = OP_NONE;
3038 break;
3039 case 5: /* not defined */
3040 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
3041 goto done;
3042 case 7: /* invlpg*/
3043 emulate_invlpg(ctxt->vcpu, c->modrm_ea);
3044 /* Disable writeback. */
3045 c->dst.type = OP_NONE;
3046 break;
3047 default:
3048 goto cannot_emulate;
3049 }
3050 break;
3051 case 0x05: /* syscall */
3052 rc = emulate_syscall(ctxt);
3053 if (rc != X86EMUL_CONTINUE)
3054 goto done;
3055 else
3056 goto writeback;
3057 break;
3058 case 0x06:
3059 emulate_clts(ctxt->vcpu);
3060 c->dst.type = OP_NONE;
3061 break;
3062 case 0x08: /* invd */
3063 case 0x09: /* wbinvd */
3064 case 0x0d: /* GrpP (prefetch) */
3065 case 0x18: /* Grp16 (prefetch/nop) */
3066 c->dst.type = OP_NONE;
3067 break;
3068 case 0x20: /* mov cr, reg */
3069 switch (c->modrm_reg) {
3070 case 1:
3071 case 5 ... 7:
3072 case 9 ... 15:
3073 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
3074 goto done;
3075 }
3076 c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3077 c->dst.type = OP_NONE; /* no writeback */
3078 break;
3079 case 0x21: /* mov from dr to reg */
3080 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3081 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3082 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
3083 goto done;
3084 }
3085 emulator_get_dr(ctxt, c->modrm_reg, &c->regs[c->modrm_rm]);
3086 c->dst.type = OP_NONE; /* no writeback */
3087 break;
3088 case 0x22: /* mov reg, cr */
3089 ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu);
3090 c->dst.type = OP_NONE;
3091 break;
3092 case 0x23: /* mov from reg to dr */
3093 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3094 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3095 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
3096 goto done;
3097 }
3098 emulator_set_dr(ctxt, c->modrm_reg, c->regs[c->modrm_rm]);
3099 c->dst.type = OP_NONE; /* no writeback */
3100 break;
3101 case 0x30:
3102 /* wrmsr */
3103 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3104 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3105 if (kvm_set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3106 kvm_inject_gp(ctxt->vcpu, 0);
3107 goto done;
3108 }
3109 rc = X86EMUL_CONTINUE;
3110 c->dst.type = OP_NONE;
3111 break;
3112 case 0x32:
3113 /* rdmsr */
3114 if (kvm_get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3115 kvm_inject_gp(ctxt->vcpu, 0);
3116 goto done;
3117 } else {
3118 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3119 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3120 }
3121 rc = X86EMUL_CONTINUE;
3122 c->dst.type = OP_NONE;
3123 break;
3124 case 0x34: /* sysenter */
3125 rc = emulate_sysenter(ctxt);
3126 if (rc != X86EMUL_CONTINUE)
3127 goto done;
3128 else
3129 goto writeback;
3130 break;
3131 case 0x35: /* sysexit */
3132 rc = emulate_sysexit(ctxt);
3133 if (rc != X86EMUL_CONTINUE)
3134 goto done;
3135 else
3136 goto writeback;
3137 break;
3138 case 0x40 ... 0x4f: /* cmov */
3139 c->dst.val = c->dst.orig_val = c->src.val;
3140 if (!test_cc(c->b, ctxt->eflags))
3141 c->dst.type = OP_NONE; /* no writeback */
3142 break;
3143 case 0x80 ... 0x8f: /* jnz rel, etc*/
3144 if (test_cc(c->b, ctxt->eflags))
3145 jmp_rel(c, c->src.val);
3146 c->dst.type = OP_NONE;
3147 break;
3148 case 0xa0: /* push fs */
3149 emulate_push_sreg(ctxt, VCPU_SREG_FS);
3150 break;
3151 case 0xa1: /* pop fs */
3152 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3153 if (rc != X86EMUL_CONTINUE)
3154 goto done;
3155 break;
3156 case 0xa3:
3157 bt: /* bt */
3158 c->dst.type = OP_NONE;
3159 /* only subword offset */
3160 c->src.val &= (c->dst.bytes << 3) - 1;
3161 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3162 break;
3163 case 0xa4: /* shld imm8, r, r/m */
3164 case 0xa5: /* shld cl, r, r/m */
3165 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3166 break;
3167 case 0xa8: /* push gs */
3168 emulate_push_sreg(ctxt, VCPU_SREG_GS);
3169 break;
3170 case 0xa9: /* pop gs */
3171 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3172 if (rc != X86EMUL_CONTINUE)
3173 goto done;
3174 break;
3175 case 0xab:
3176 bts: /* bts */
3177 /* only subword offset */
3178 c->src.val &= (c->dst.bytes << 3) - 1;
3179 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3180 break;
3181 case 0xac: /* shrd imm8, r, r/m */
3182 case 0xad: /* shrd cl, r, r/m */
3183 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3184 break;
3185 case 0xae: /* clflush */
3186 break;
3187 case 0xb0 ... 0xb1: /* cmpxchg */
3188 /*
3189 * Save real source value, then compare EAX against
3190 * destination.
3191 */
3192 c->src.orig_val = c->src.val;
3193 c->src.val = c->regs[VCPU_REGS_RAX];
3194 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3195 if (ctxt->eflags & EFLG_ZF) {
3196 /* Success: write back to memory. */
3197 c->dst.val = c->src.orig_val;
3198 } else {
3199 /* Failure: write the value we saw to EAX. */
3200 c->dst.type = OP_REG;
3201 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3202 }
3203 break;
3204 case 0xb3:
3205 btr: /* btr */
3206 /* only subword offset */
3207 c->src.val &= (c->dst.bytes << 3) - 1;
3208 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3209 break;
3210 case 0xb6 ... 0xb7: /* movzx */
3211 c->dst.bytes = c->op_bytes;
3212 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3213 : (u16) c->src.val;
3214 break;
3215 case 0xba: /* Grp8 */
3216 switch (c->modrm_reg & 3) {
3217 case 0:
3218 goto bt;
3219 case 1:
3220 goto bts;
3221 case 2:
3222 goto btr;
3223 case 3:
3224 goto btc;
3225 }
3226 break;
3227 case 0xbb:
3228 btc: /* btc */
3229 /* only subword offset */
3230 c->src.val &= (c->dst.bytes << 3) - 1;
3231 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3232 break;
3233 case 0xbe ... 0xbf: /* movsx */
3234 c->dst.bytes = c->op_bytes;
3235 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3236 (s16) c->src.val;
3237 break;
3238 case 0xc3: /* movnti */
3239 c->dst.bytes = c->op_bytes;
3240 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3241 (u64) c->src.val;
3242 break;
3243 case 0xc7: /* Grp9 (cmpxchg8b) */
3244 rc = emulate_grp9(ctxt, ops);
3245 if (rc != X86EMUL_CONTINUE)
3246 goto done;
3247 c->dst.type = OP_NONE;
3248 break;
3249 }
3250 goto writeback;
3251
3252 cannot_emulate:
3253 DPRINTF("Cannot emulate %02x\n", c->b);
3254 return -1;
3255 }
Linux kernel - Deliverables
This page took 0.149198 seconds and 5 git commands to generate.