]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - arch/x86/kvm/emulate.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:


6af3cac6ec898d3b988ce74c4880ebfe0fa45417
[mirror_ubuntu-artful-kernel.git] / arch / x86 / kvm / emulate.c
1 /******************************************************************************
2 * emulate.c
3 *
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5 *
6 * Copyright (c) 2005 Keir Fraser
7 *
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
10 *
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
13 *
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
16 *
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
19 *
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
21 */
22
23 #include <linux/kvm_host.h>
24 #include "kvm_cache_regs.h"
25 #include <asm/kvm_emulate.h>
26 #include <linux/stringify.h>
27 #include <asm/debugreg.h>
28
29 #include "x86.h"
30 #include "tss.h"
31
32 /*
33 * Operand types
34 */
35 #define OpNone 0ull
36 #define OpImplicit 1ull /* No generic decode */
37 #define OpReg 2ull /* Register */
38 #define OpMem 3ull /* Memory */
39 #define OpAcc 4ull /* Accumulator: AL/AX/EAX/RAX */
40 #define OpDI 5ull /* ES:DI/EDI/RDI */
41 #define OpMem64 6ull /* Memory, 64-bit */
42 #define OpImmUByte 7ull /* Zero-extended 8-bit immediate */
43 #define OpDX 8ull /* DX register */
44 #define OpCL 9ull /* CL register (for shifts) */
45 #define OpImmByte 10ull /* 8-bit sign extended immediate */
46 #define OpOne 11ull /* Implied 1 */
47 #define OpImm 12ull /* Sign extended up to 32-bit immediate */
48 #define OpMem16 13ull /* Memory operand (16-bit). */
49 #define OpMem32 14ull /* Memory operand (32-bit). */
50 #define OpImmU 15ull /* Immediate operand, zero extended */
51 #define OpSI 16ull /* SI/ESI/RSI */
52 #define OpImmFAddr 17ull /* Immediate far address */
53 #define OpMemFAddr 18ull /* Far address in memory */
54 #define OpImmU16 19ull /* Immediate operand, 16 bits, zero extended */
55 #define OpES 20ull /* ES */
56 #define OpCS 21ull /* CS */
57 #define OpSS 22ull /* SS */
58 #define OpDS 23ull /* DS */
59 #define OpFS 24ull /* FS */
60 #define OpGS 25ull /* GS */
61 #define OpMem8 26ull /* 8-bit zero extended memory operand */
62 #define OpImm64 27ull /* Sign extended 16/32/64-bit immediate */
63 #define OpXLat 28ull /* memory at BX/EBX/RBX + zero-extended AL */
64 #define OpAccLo 29ull /* Low part of extended acc (AX/AX/EAX/RAX) */
65 #define OpAccHi 30ull /* High part of extended acc (-/DX/EDX/RDX) */
66
67 #define OpBits 5 /* Width of operand field */
68 #define OpMask ((1ull << OpBits) - 1)
69
70 /*
71 * Opcode effective-address decode tables.
72 * Note that we only emulate instructions that have at least one memory
73 * operand (excluding implicit stack references). We assume that stack
74 * references and instruction fetches will never occur in special memory
75 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
76 * not be handled.
77 */
78
79 /* Operand sizes: 8-bit operands or specified/overridden size. */
80 #define ByteOp (1<<0) /* 8-bit operands. */
81 /* Destination operand type. */
82 #define DstShift 1
83 #define ImplicitOps (OpImplicit << DstShift)
84 #define DstReg (OpReg << DstShift)
85 #define DstMem (OpMem << DstShift)
86 #define DstAcc (OpAcc << DstShift)
87 #define DstDI (OpDI << DstShift)
88 #define DstMem64 (OpMem64 << DstShift)
89 #define DstMem16 (OpMem16 << DstShift)
90 #define DstImmUByte (OpImmUByte << DstShift)
91 #define DstDX (OpDX << DstShift)
92 #define DstAccLo (OpAccLo << DstShift)
93 #define DstMask (OpMask << DstShift)
94 /* Source operand type. */
95 #define SrcShift 6
96 #define SrcNone (OpNone << SrcShift)
97 #define SrcReg (OpReg << SrcShift)
98 #define SrcMem (OpMem << SrcShift)
99 #define SrcMem16 (OpMem16 << SrcShift)
100 #define SrcMem32 (OpMem32 << SrcShift)
101 #define SrcImm (OpImm << SrcShift)
102 #define SrcImmByte (OpImmByte << SrcShift)
103 #define SrcOne (OpOne << SrcShift)
104 #define SrcImmUByte (OpImmUByte << SrcShift)
105 #define SrcImmU (OpImmU << SrcShift)
106 #define SrcSI (OpSI << SrcShift)
107 #define SrcXLat (OpXLat << SrcShift)
108 #define SrcImmFAddr (OpImmFAddr << SrcShift)
109 #define SrcMemFAddr (OpMemFAddr << SrcShift)
110 #define SrcAcc (OpAcc << SrcShift)
111 #define SrcImmU16 (OpImmU16 << SrcShift)
112 #define SrcImm64 (OpImm64 << SrcShift)
113 #define SrcDX (OpDX << SrcShift)
114 #define SrcMem8 (OpMem8 << SrcShift)
115 #define SrcAccHi (OpAccHi << SrcShift)
116 #define SrcMask (OpMask << SrcShift)
117 #define BitOp (1<<11)
118 #define MemAbs (1<<12) /* Memory operand is absolute displacement */
119 #define String (1<<13) /* String instruction (rep capable) */
120 #define Stack (1<<14) /* Stack instruction (push/pop) */
121 #define GroupMask (7<<15) /* Opcode uses one of the group mechanisms */
122 #define Group (1<<15) /* Bits 3:5 of modrm byte extend opcode */
123 #define GroupDual (2<<15) /* Alternate decoding of mod == 3 */
124 #define Prefix (3<<15) /* Instruction varies with 66/f2/f3 prefix */
125 #define RMExt (4<<15) /* Opcode extension in ModRM r/m if mod == 3 */
126 #define Escape (5<<15) /* Escape to coprocessor instruction */
127 #define InstrDual (6<<15) /* Alternate instruction decoding of mod == 3 */
128 #define ModeDual (7<<15) /* Different instruction for 32/64 bit */
129 #define Sse (1<<18) /* SSE Vector instruction */
130 /* Generic ModRM decode. */
131 #define ModRM (1<<19)
132 /* Destination is only written; never read. */
133 #define Mov (1<<20)
134 /* Misc flags */
135 #define Prot (1<<21) /* instruction generates #UD if not in prot-mode */
136 #define EmulateOnUD (1<<22) /* Emulate if unsupported by the host */
137 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
138 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
139 #define Undefined (1<<25) /* No Such Instruction */
140 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
141 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
142 #define No64 (1<<28)
143 #define PageTable (1 << 29) /* instruction used to write page table */
144 #define NotImpl (1 << 30) /* instruction is not implemented */
145 /* Source 2 operand type */
146 #define Src2Shift (31)
147 #define Src2None (OpNone << Src2Shift)
148 #define Src2Mem (OpMem << Src2Shift)
149 #define Src2CL (OpCL << Src2Shift)
150 #define Src2ImmByte (OpImmByte << Src2Shift)
151 #define Src2One (OpOne << Src2Shift)
152 #define Src2Imm (OpImm << Src2Shift)
153 #define Src2ES (OpES << Src2Shift)
154 #define Src2CS (OpCS << Src2Shift)
155 #define Src2SS (OpSS << Src2Shift)
156 #define Src2DS (OpDS << Src2Shift)
157 #define Src2FS (OpFS << Src2Shift)
158 #define Src2GS (OpGS << Src2Shift)
159 #define Src2Mask (OpMask << Src2Shift)
160 #define Mmx ((u64)1 << 40) /* MMX Vector instruction */
161 #define AlignMask ((u64)7 << 41)
162 #define Aligned ((u64)1 << 41) /* Explicitly aligned (e.g. MOVDQA) */
163 #define Unaligned ((u64)2 << 41) /* Explicitly unaligned (e.g. MOVDQU) */
164 #define Avx ((u64)3 << 41) /* Advanced Vector Extensions */
165 #define Aligned16 ((u64)4 << 41) /* Aligned to 16 byte boundary (e.g. FXSAVE) */
166 #define Fastop ((u64)1 << 44) /* Use opcode::u.fastop */
167 #define NoWrite ((u64)1 << 45) /* No writeback */
168 #define SrcWrite ((u64)1 << 46) /* Write back src operand */
169 #define NoMod ((u64)1 << 47) /* Mod field is ignored */
170 #define Intercept ((u64)1 << 48) /* Has valid intercept field */
171 #define CheckPerm ((u64)1 << 49) /* Has valid check_perm field */
172 #define PrivUD ((u64)1 << 51) /* #UD instead of #GP on CPL > 0 */
173 #define NearBranch ((u64)1 << 52) /* Near branches */
174 #define No16 ((u64)1 << 53) /* No 16 bit operand */
175 #define IncSP ((u64)1 << 54) /* SP is incremented before ModRM calc */
176
177 #define DstXacc (DstAccLo | SrcAccHi | SrcWrite)
178
179 #define X2(x...) x, x
180 #define X3(x...) X2(x), x
181 #define X4(x...) X2(x), X2(x)
182 #define X5(x...) X4(x), x
183 #define X6(x...) X4(x), X2(x)
184 #define X7(x...) X4(x), X3(x)
185 #define X8(x...) X4(x), X4(x)
186 #define X16(x...) X8(x), X8(x)
187
188 #define NR_FASTOP (ilog2(sizeof(ulong)) + 1)
189 #define FASTOP_SIZE 8
190
191 /*
192 * fastop functions have a special calling convention:
193 *
194 * dst: rax (in/out)
195 * src: rdx (in/out)
196 * src2: rcx (in)
197 * flags: rflags (in/out)
198 * ex: rsi (in:fastop pointer, out:zero if exception)
199 *
200 * Moreover, they are all exactly FASTOP_SIZE bytes long, so functions for
201 * different operand sizes can be reached by calculation, rather than a jump
202 * table (which would be bigger than the code).
203 *
204 * fastop functions are declared as taking a never-defined fastop parameter,
205 * so they can't be called from C directly.
206 */
207
208 struct fastop;
209
210 struct opcode {
211 u64 flags : 56;
212 u64 intercept : 8;
213 union {
214 int (*execute)(struct x86_emulate_ctxt *ctxt);
215 const struct opcode *group;
216 const struct group_dual *gdual;
217 const struct gprefix *gprefix;
218 const struct escape *esc;
219 const struct instr_dual *idual;
220 const struct mode_dual *mdual;
221 void (*fastop)(struct fastop *fake);
222 } u;
223 int (*check_perm)(struct x86_emulate_ctxt *ctxt);
224 };
225
226 struct group_dual {
227 struct opcode mod012[8];
228 struct opcode mod3[8];
229 };
230
231 struct gprefix {
232 struct opcode pfx_no;
233 struct opcode pfx_66;
234 struct opcode pfx_f2;
235 struct opcode pfx_f3;
236 };
237
238 struct escape {
239 struct opcode op[8];
240 struct opcode high[64];
241 };
242
243 struct instr_dual {
244 struct opcode mod012;
245 struct opcode mod3;
246 };
247
248 struct mode_dual {
249 struct opcode mode32;
250 struct opcode mode64;
251 };
252
253 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
254
255 enum x86_transfer_type {
256 X86_TRANSFER_NONE,
257 X86_TRANSFER_CALL_JMP,
258 X86_TRANSFER_RET,
259 X86_TRANSFER_TASK_SWITCH,
260 };
261
262 static ulong reg_read(struct x86_emulate_ctxt *ctxt, unsigned nr)
263 {
264 if (!(ctxt->regs_valid & (1 << nr))) {
265 ctxt->regs_valid |= 1 << nr;
266 ctxt->_regs[nr] = ctxt->ops->read_gpr(ctxt, nr);
267 }
268 return ctxt->_regs[nr];
269 }
270
271 static ulong *reg_write(struct x86_emulate_ctxt *ctxt, unsigned nr)
272 {
273 ctxt->regs_valid |= 1 << nr;
274 ctxt->regs_dirty |= 1 << nr;
275 return &ctxt->_regs[nr];
276 }
277
278 static ulong *reg_rmw(struct x86_emulate_ctxt *ctxt, unsigned nr)
279 {
280 reg_read(ctxt, nr);
281 return reg_write(ctxt, nr);
282 }
283
284 static void writeback_registers(struct x86_emulate_ctxt *ctxt)
285 {
286 unsigned reg;
287
288 for_each_set_bit(reg, (ulong *)&ctxt->regs_dirty, 16)
289 ctxt->ops->write_gpr(ctxt, reg, ctxt->_regs[reg]);
290 }
291
292 static void invalidate_registers(struct x86_emulate_ctxt *ctxt)
293 {
294 ctxt->regs_dirty = 0;
295 ctxt->regs_valid = 0;
296 }
297
298 /*
299 * These EFLAGS bits are restored from saved value during emulation, and
300 * any changes are written back to the saved value after emulation.
301 */
302 #define EFLAGS_MASK (X86_EFLAGS_OF|X86_EFLAGS_SF|X86_EFLAGS_ZF|X86_EFLAGS_AF|\
303 X86_EFLAGS_PF|X86_EFLAGS_CF)
304
305 #ifdef CONFIG_X86_64
306 #define ON64(x) x
307 #else
308 #define ON64(x)
309 #endif
310
311 static int fastop(struct x86_emulate_ctxt *ctxt, void (*fop)(struct fastop *));
312
313 #define FOP_FUNC(name) \
314 ".align " __stringify(FASTOP_SIZE) " \n\t" \
315 ".type " name ", @function \n\t" \
316 name ":\n\t"
317
318 #define FOP_RET "ret \n\t"
319
320 #define FOP_START(op) \
321 extern void em_##op(struct fastop *fake); \
322 asm(".pushsection .text, \"ax\" \n\t" \
323 ".global em_" #op " \n\t" \
324 FOP_FUNC("em_" #op)
325
326 #define FOP_END \
327 ".popsection")
328
329 #define FOPNOP() \
330 FOP_FUNC(__stringify(__UNIQUE_ID(nop))) \
331 FOP_RET
332
333 #define FOP1E(op, dst) \
334 FOP_FUNC(#op "_" #dst) \
335 "10: " #op " %" #dst " \n\t" FOP_RET
336
337 #define FOP1EEX(op, dst) \
338 FOP1E(op, dst) _ASM_EXTABLE(10b, kvm_fastop_exception)
339
340 #define FASTOP1(op) \
341 FOP_START(op) \
342 FOP1E(op##b, al) \
343 FOP1E(op##w, ax) \
344 FOP1E(op##l, eax) \
345 ON64(FOP1E(op##q, rax)) \
346 FOP_END
347
348 /* 1-operand, using src2 (for MUL/DIV r/m) */
349 #define FASTOP1SRC2(op, name) \
350 FOP_START(name) \
351 FOP1E(op, cl) \
352 FOP1E(op, cx) \
353 FOP1E(op, ecx) \
354 ON64(FOP1E(op, rcx)) \
355 FOP_END
356
357 /* 1-operand, using src2 (for MUL/DIV r/m), with exceptions */
358 #define FASTOP1SRC2EX(op, name) \
359 FOP_START(name) \
360 FOP1EEX(op, cl) \
361 FOP1EEX(op, cx) \
362 FOP1EEX(op, ecx) \
363 ON64(FOP1EEX(op, rcx)) \
364 FOP_END
365
366 #define FOP2E(op, dst, src) \
367 FOP_FUNC(#op "_" #dst "_" #src) \
368 #op " %" #src ", %" #dst " \n\t" FOP_RET
369
370 #define FASTOP2(op) \
371 FOP_START(op) \
372 FOP2E(op##b, al, dl) \
373 FOP2E(op##w, ax, dx) \
374 FOP2E(op##l, eax, edx) \
375 ON64(FOP2E(op##q, rax, rdx)) \
376 FOP_END
377
378 /* 2 operand, word only */
379 #define FASTOP2W(op) \
380 FOP_START(op) \
381 FOPNOP() \
382 FOP2E(op##w, ax, dx) \
383 FOP2E(op##l, eax, edx) \
384 ON64(FOP2E(op##q, rax, rdx)) \
385 FOP_END
386
387 /* 2 operand, src is CL */
388 #define FASTOP2CL(op) \
389 FOP_START(op) \
390 FOP2E(op##b, al, cl) \
391 FOP2E(op##w, ax, cl) \
392 FOP2E(op##l, eax, cl) \
393 ON64(FOP2E(op##q, rax, cl)) \
394 FOP_END
395
396 /* 2 operand, src and dest are reversed */
397 #define FASTOP2R(op, name) \
398 FOP_START(name) \
399 FOP2E(op##b, dl, al) \
400 FOP2E(op##w, dx, ax) \
401 FOP2E(op##l, edx, eax) \
402 ON64(FOP2E(op##q, rdx, rax)) \
403 FOP_END
404
405 #define FOP3E(op, dst, src, src2) \
406 FOP_FUNC(#op "_" #dst "_" #src "_" #src2) \
407 #op " %" #src2 ", %" #src ", %" #dst " \n\t" FOP_RET
408
409 /* 3-operand, word-only, src2=cl */
410 #define FASTOP3WCL(op) \
411 FOP_START(op) \
412 FOPNOP() \
413 FOP3E(op##w, ax, dx, cl) \
414 FOP3E(op##l, eax, edx, cl) \
415 ON64(FOP3E(op##q, rax, rdx, cl)) \
416 FOP_END
417
418 /* Special case for SETcc - 1 instruction per cc */
419 #define FOP_SETCC(op) \
420 ".align 4 \n\t" \
421 ".type " #op ", @function \n\t" \
422 #op ": \n\t" \
423 #op " %al \n\t" \
424 FOP_RET
425
426 asm(".global kvm_fastop_exception \n"
427 "kvm_fastop_exception: xor %esi, %esi; ret");
428
429 FOP_START(setcc)
430 FOP_SETCC(seto)
431 FOP_SETCC(setno)
432 FOP_SETCC(setc)
433 FOP_SETCC(setnc)
434 FOP_SETCC(setz)
435 FOP_SETCC(setnz)
436 FOP_SETCC(setbe)
437 FOP_SETCC(setnbe)
438 FOP_SETCC(sets)
439 FOP_SETCC(setns)
440 FOP_SETCC(setp)
441 FOP_SETCC(setnp)
442 FOP_SETCC(setl)
443 FOP_SETCC(setnl)
444 FOP_SETCC(setle)
445 FOP_SETCC(setnle)
446 FOP_END;
447
448 FOP_START(salc) "pushf; sbb %al, %al; popf \n\t" FOP_RET
449 FOP_END;
450
451 /*
452 * XXX: inoutclob user must know where the argument is being expanded.
453 * Relying on CC_HAVE_ASM_GOTO would allow us to remove _fault.
454 */
455 #define asm_safe(insn, inoutclob...) \
456 ({ \
457 int _fault = 0; \
458 \
459 asm volatile("1:" insn "\n" \
460 "2:\n" \
461 ".pushsection .fixup, \"ax\"\n" \
462 "3: movl $1, %[_fault]\n" \
463 " jmp 2b\n" \
464 ".popsection\n" \
465 _ASM_EXTABLE(1b, 3b) \
466 : [_fault] "+qm"(_fault) inoutclob ); \
467 \
468 _fault ? X86EMUL_UNHANDLEABLE : X86EMUL_CONTINUE; \
469 })
470
471 static int emulator_check_intercept(struct x86_emulate_ctxt *ctxt,
472 enum x86_intercept intercept,
473 enum x86_intercept_stage stage)
474 {
475 struct x86_instruction_info info = {
476 .intercept = intercept,
477 .rep_prefix = ctxt->rep_prefix,
478 .modrm_mod = ctxt->modrm_mod,
479 .modrm_reg = ctxt->modrm_reg,
480 .modrm_rm = ctxt->modrm_rm,
481 .src_val = ctxt->src.val64,
482 .dst_val = ctxt->dst.val64,
483 .src_bytes = ctxt->src.bytes,
484 .dst_bytes = ctxt->dst.bytes,
485 .ad_bytes = ctxt->ad_bytes,
486 .next_rip = ctxt->eip,
487 };
488
489 return ctxt->ops->intercept(ctxt, &info, stage);
490 }
491
492 static void assign_masked(ulong *dest, ulong src, ulong mask)
493 {
494 *dest = (*dest & ~mask) | (src & mask);
495 }
496
497 static void assign_register(unsigned long *reg, u64 val, int bytes)
498 {
499 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
500 switch (bytes) {
501 case 1:
502 *(u8 *)reg = (u8)val;
503 break;
504 case 2:
505 *(u16 *)reg = (u16)val;
506 break;
507 case 4:
508 *reg = (u32)val;
509 break; /* 64b: zero-extend */
510 case 8:
511 *reg = val;
512 break;
513 }
514 }
515
516 static inline unsigned long ad_mask(struct x86_emulate_ctxt *ctxt)
517 {
518 return (1UL << (ctxt->ad_bytes << 3)) - 1;
519 }
520
521 static ulong stack_mask(struct x86_emulate_ctxt *ctxt)
522 {
523 u16 sel;
524 struct desc_struct ss;
525
526 if (ctxt->mode == X86EMUL_MODE_PROT64)
527 return ~0UL;
528 ctxt->ops->get_segment(ctxt, &sel, &ss, NULL, VCPU_SREG_SS);
529 return ~0U >> ((ss.d ^ 1) * 16); /* d=0: 0xffff; d=1: 0xffffffff */
530 }
531
532 static int stack_size(struct x86_emulate_ctxt *ctxt)
533 {
534 return (__fls(stack_mask(ctxt)) + 1) >> 3;
535 }
536
537 /* Access/update address held in a register, based on addressing mode. */
538 static inline unsigned long
539 address_mask(struct x86_emulate_ctxt *ctxt, unsigned long reg)
540 {
541 if (ctxt->ad_bytes == sizeof(unsigned long))
542 return reg;
543 else
544 return reg & ad_mask(ctxt);
545 }
546
547 static inline unsigned long
548 register_address(struct x86_emulate_ctxt *ctxt, int reg)
549 {
550 return address_mask(ctxt, reg_read(ctxt, reg));
551 }
552
553 static void masked_increment(ulong *reg, ulong mask, int inc)
554 {
555 assign_masked(reg, *reg + inc, mask);
556 }
557
558 static inline void
559 register_address_increment(struct x86_emulate_ctxt *ctxt, int reg, int inc)
560 {
561 ulong *preg = reg_rmw(ctxt, reg);
562
563 assign_register(preg, *preg + inc, ctxt->ad_bytes);
564 }
565
566 static void rsp_increment(struct x86_emulate_ctxt *ctxt, int inc)
567 {
568 masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc);
569 }
570
571 static u32 desc_limit_scaled(struct desc_struct *desc)
572 {
573 u32 limit = get_desc_limit(desc);
574
575 return desc->g ? (limit << 12) | 0xfff : limit;
576 }
577
578 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
579 {
580 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
581 return 0;
582
583 return ctxt->ops->get_cached_segment_base(ctxt, seg);
584 }
585
586 static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
587 u32 error, bool valid)
588 {
589 WARN_ON(vec > 0x1f);
590 ctxt->exception.vector = vec;
591 ctxt->exception.error_code = error;
592 ctxt->exception.error_code_valid = valid;
593 return X86EMUL_PROPAGATE_FAULT;
594 }
595
596 static int emulate_db(struct x86_emulate_ctxt *ctxt)
597 {
598 return emulate_exception(ctxt, DB_VECTOR, 0, false);
599 }
600
601 static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
602 {
603 return emulate_exception(ctxt, GP_VECTOR, err, true);
604 }
605
606 static int emulate_ss(struct x86_emulate_ctxt *ctxt, int err)
607 {
608 return emulate_exception(ctxt, SS_VECTOR, err, true);
609 }
610
611 static int emulate_ud(struct x86_emulate_ctxt *ctxt)
612 {
613 return emulate_exception(ctxt, UD_VECTOR, 0, false);
614 }
615
616 static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
617 {
618 return emulate_exception(ctxt, TS_VECTOR, err, true);
619 }
620
621 static int emulate_de(struct x86_emulate_ctxt *ctxt)
622 {
623 return emulate_exception(ctxt, DE_VECTOR, 0, false);
624 }
625
626 static int emulate_nm(struct x86_emulate_ctxt *ctxt)
627 {
628 return emulate_exception(ctxt, NM_VECTOR, 0, false);
629 }
630
631 static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
632 {
633 u16 selector;
634 struct desc_struct desc;
635
636 ctxt->ops->get_segment(ctxt, &selector, &desc, NULL, seg);
637 return selector;
638 }
639
640 static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
641 unsigned seg)
642 {
643 u16 dummy;
644 u32 base3;
645 struct desc_struct desc;
646
647 ctxt->ops->get_segment(ctxt, &dummy, &desc, &base3, seg);
648 ctxt->ops->set_segment(ctxt, selector, &desc, base3, seg);
649 }
650
651 /*
652 * x86 defines three classes of vector instructions: explicitly
653 * aligned, explicitly unaligned, and the rest, which change behaviour
654 * depending on whether they're AVX encoded or not.
655 *
656 * Also included is CMPXCHG16B which is not a vector instruction, yet it is
657 * subject to the same check. FXSAVE and FXRSTOR are checked here too as their
658 * 512 bytes of data must be aligned to a 16 byte boundary.
659 */
660 static unsigned insn_alignment(struct x86_emulate_ctxt *ctxt, unsigned size)
661 {
662 u64 alignment = ctxt->d & AlignMask;
663
664 if (likely(size < 16))
665 return 1;
666
667 switch (alignment) {
668 case Unaligned:
669 case Avx:
670 return 1;
671 case Aligned16:
672 return 16;
673 case Aligned:
674 default:
675 return size;
676 }
677 }
678
679 static __always_inline int __linearize(struct x86_emulate_ctxt *ctxt,
680 struct segmented_address addr,
681 unsigned *max_size, unsigned size,
682 bool write, bool fetch,
683 enum x86emul_mode mode, ulong *linear)
684 {
685 struct desc_struct desc;
686 bool usable;
687 ulong la;
688 u32 lim;
689 u16 sel;
690
691 la = seg_base(ctxt, addr.seg) + addr.ea;
692 *max_size = 0;
693 switch (mode) {
694 case X86EMUL_MODE_PROT64:
695 *linear = la;
696 if (is_noncanonical_address(la))
697 goto bad;
698
699 *max_size = min_t(u64, ~0u, (1ull << 48) - la);
700 if (size > *max_size)
701 goto bad;
702 break;
703 default:
704 *linear = la = (u32)la;
705 usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
706 addr.seg);
707 if (!usable)
708 goto bad;
709 /* code segment in protected mode or read-only data segment */
710 if ((((ctxt->mode != X86EMUL_MODE_REAL) && (desc.type & 8))
711 || !(desc.type & 2)) && write)
712 goto bad;
713 /* unreadable code segment */
714 if (!fetch && (desc.type & 8) && !(desc.type & 2))
715 goto bad;
716 lim = desc_limit_scaled(&desc);
717 if (!(desc.type & 8) && (desc.type & 4)) {
718 /* expand-down segment */
719 if (addr.ea <= lim)
720 goto bad;
721 lim = desc.d ? 0xffffffff : 0xffff;
722 }
723 if (addr.ea > lim)
724 goto bad;
725 if (lim == 0xffffffff)
726 *max_size = ~0u;
727 else {
728 *max_size = (u64)lim + 1 - addr.ea;
729 if (size > *max_size)
730 goto bad;
731 }
732 break;
733 }
734 if (la & (insn_alignment(ctxt, size) - 1))
735 return emulate_gp(ctxt, 0);
736 return X86EMUL_CONTINUE;
737 bad:
738 if (addr.seg == VCPU_SREG_SS)
739 return emulate_ss(ctxt, 0);
740 else
741 return emulate_gp(ctxt, 0);
742 }
743
744 static int linearize(struct x86_emulate_ctxt *ctxt,
745 struct segmented_address addr,
746 unsigned size, bool write,
747 ulong *linear)
748 {
749 unsigned max_size;
750 return __linearize(ctxt, addr, &max_size, size, write, false,
751 ctxt->mode, linear);
752 }
753
754 static inline int assign_eip(struct x86_emulate_ctxt *ctxt, ulong dst,
755 enum x86emul_mode mode)
756 {
757 ulong linear;
758 int rc;
759 unsigned max_size;
760 struct segmented_address addr = { .seg = VCPU_SREG_CS,
761 .ea = dst };
762
763 if (ctxt->op_bytes != sizeof(unsigned long))
764 addr.ea = dst & ((1UL << (ctxt->op_bytes << 3)) - 1);
765 rc = __linearize(ctxt, addr, &max_size, 1, false, true, mode, &linear);
766 if (rc == X86EMUL_CONTINUE)
767 ctxt->_eip = addr.ea;
768 return rc;
769 }
770
771 static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
772 {
773 return assign_eip(ctxt, dst, ctxt->mode);
774 }
775
776 static int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst,
777 const struct desc_struct *cs_desc)
778 {
779 enum x86emul_mode mode = ctxt->mode;
780 int rc;
781
782 #ifdef CONFIG_X86_64
783 if (ctxt->mode >= X86EMUL_MODE_PROT16) {
784 if (cs_desc->l) {
785 u64 efer = 0;
786
787 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
788 if (efer & EFER_LMA)
789 mode = X86EMUL_MODE_PROT64;
790 } else
791 mode = X86EMUL_MODE_PROT32; /* temporary value */
792 }
793 #endif
794 if (mode == X86EMUL_MODE_PROT16 || mode == X86EMUL_MODE_PROT32)
795 mode = cs_desc->d ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16;
796 rc = assign_eip(ctxt, dst, mode);
797 if (rc == X86EMUL_CONTINUE)
798 ctxt->mode = mode;
799 return rc;
800 }
801
802 static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
803 {
804 return assign_eip_near(ctxt, ctxt->_eip + rel);
805 }
806
807 static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
808 struct segmented_address addr,
809 void *data,
810 unsigned size)
811 {
812 int rc;
813 ulong linear;
814
815 rc = linearize(ctxt, addr, size, false, &linear);
816 if (rc != X86EMUL_CONTINUE)
817 return rc;
818 return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
819 }
820
821 /*
822 * Prefetch the remaining bytes of the instruction without crossing page
823 * boundary if they are not in fetch_cache yet.
824 */
825 static int __do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt, int op_size)
826 {
827 int rc;
828 unsigned size, max_size;
829 unsigned long linear;
830 int cur_size = ctxt->fetch.end - ctxt->fetch.data;
831 struct segmented_address addr = { .seg = VCPU_SREG_CS,
832 .ea = ctxt->eip + cur_size };
833
834 /*
835 * We do not know exactly how many bytes will be needed, and
836 * __linearize is expensive, so fetch as much as possible. We
837 * just have to avoid going beyond the 15 byte limit, the end
838 * of the segment, or the end of the page.
839 *
840 * __linearize is called with size 0 so that it does not do any
841 * boundary check itself. Instead, we use max_size to check
842 * against op_size.
843 */
844 rc = __linearize(ctxt, addr, &max_size, 0, false, true, ctxt->mode,
845 &linear);
846 if (unlikely(rc != X86EMUL_CONTINUE))
847 return rc;
848
849 size = min_t(unsigned, 15UL ^ cur_size, max_size);
850 size = min_t(unsigned, size, PAGE_SIZE - offset_in_page(linear));
851
852 /*
853 * One instruction can only straddle two pages,
854 * and one has been loaded at the beginning of
855 * x86_decode_insn. So, if not enough bytes
856 * still, we must have hit the 15-byte boundary.
857 */
858 if (unlikely(size < op_size))
859 return emulate_gp(ctxt, 0);
860
861 rc = ctxt->ops->fetch(ctxt, linear, ctxt->fetch.end,
862 size, &ctxt->exception);
863 if (unlikely(rc != X86EMUL_CONTINUE))
864 return rc;
865 ctxt->fetch.end += size;
866 return X86EMUL_CONTINUE;
867 }
868
869 static __always_inline int do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt,
870 unsigned size)
871 {
872 unsigned done_size = ctxt->fetch.end - ctxt->fetch.ptr;
873
874 if (unlikely(done_size < size))
875 return __do_insn_fetch_bytes(ctxt, size - done_size);
876 else
877 return X86EMUL_CONTINUE;
878 }
879
880 /* Fetch next part of the instruction being emulated. */
881 #define insn_fetch(_type, _ctxt) \
882 ({ _type _x; \
883 \
884 rc = do_insn_fetch_bytes(_ctxt, sizeof(_type)); \
885 if (rc != X86EMUL_CONTINUE) \
886 goto done; \
887 ctxt->_eip += sizeof(_type); \
888 _x = *(_type __aligned(1) *) ctxt->fetch.ptr; \
889 ctxt->fetch.ptr += sizeof(_type); \
890 _x; \
891 })
892
893 #define insn_fetch_arr(_arr, _size, _ctxt) \
894 ({ \
895 rc = do_insn_fetch_bytes(_ctxt, _size); \
896 if (rc != X86EMUL_CONTINUE) \
897 goto done; \
898 ctxt->_eip += (_size); \
899 memcpy(_arr, ctxt->fetch.ptr, _size); \
900 ctxt->fetch.ptr += (_size); \
901 })
902
903 /*
904 * Given the 'reg' portion of a ModRM byte, and a register block, return a
905 * pointer into the block that addresses the relevant register.
906 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
907 */
908 static void *decode_register(struct x86_emulate_ctxt *ctxt, u8 modrm_reg,
909 int byteop)
910 {
911 void *p;
912 int highbyte_regs = (ctxt->rex_prefix == 0) && byteop;
913
914 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
915 p = (unsigned char *)reg_rmw(ctxt, modrm_reg & 3) + 1;
916 else
917 p = reg_rmw(ctxt, modrm_reg);
918 return p;
919 }
920
921 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
922 struct segmented_address addr,
923 u16 *size, unsigned long *address, int op_bytes)
924 {
925 int rc;
926
927 if (op_bytes == 2)
928 op_bytes = 3;
929 *address = 0;
930 rc = segmented_read_std(ctxt, addr, size, 2);
931 if (rc != X86EMUL_CONTINUE)
932 return rc;
933 addr.ea += 2;
934 rc = segmented_read_std(ctxt, addr, address, op_bytes);
935 return rc;
936 }
937
938 FASTOP2(add);
939 FASTOP2(or);
940 FASTOP2(adc);
941 FASTOP2(sbb);
942 FASTOP2(and);
943 FASTOP2(sub);
944 FASTOP2(xor);
945 FASTOP2(cmp);
946 FASTOP2(test);
947
948 FASTOP1SRC2(mul, mul_ex);
949 FASTOP1SRC2(imul, imul_ex);
950 FASTOP1SRC2EX(div, div_ex);
951 FASTOP1SRC2EX(idiv, idiv_ex);
952
953 FASTOP3WCL(shld);
954 FASTOP3WCL(shrd);
955
956 FASTOP2W(imul);
957
958 FASTOP1(not);
959 FASTOP1(neg);
960 FASTOP1(inc);
961 FASTOP1(dec);
962
963 FASTOP2CL(rol);
964 FASTOP2CL(ror);
965 FASTOP2CL(rcl);
966 FASTOP2CL(rcr);
967 FASTOP2CL(shl);
968 FASTOP2CL(shr);
969 FASTOP2CL(sar);
970
971 FASTOP2W(bsf);
972 FASTOP2W(bsr);
973 FASTOP2W(bt);
974 FASTOP2W(bts);
975 FASTOP2W(btr);
976 FASTOP2W(btc);
977
978 FASTOP2(xadd);
979
980 FASTOP2R(cmp, cmp_r);
981
982 static int em_bsf_c(struct x86_emulate_ctxt *ctxt)
983 {
984 /* If src is zero, do not writeback, but update flags */
985 if (ctxt->src.val == 0)
986 ctxt->dst.type = OP_NONE;
987 return fastop(ctxt, em_bsf);
988 }
989
990 static int em_bsr_c(struct x86_emulate_ctxt *ctxt)
991 {
992 /* If src is zero, do not writeback, but update flags */
993 if (ctxt->src.val == 0)
994 ctxt->dst.type = OP_NONE;
995 return fastop(ctxt, em_bsr);
996 }
997
998 static __always_inline u8 test_cc(unsigned int condition, unsigned long flags)
999 {
1000 u8 rc;
1001 void (*fop)(void) = (void *)em_setcc + 4 * (condition & 0xf);
1002
1003 flags = (flags & EFLAGS_MASK) | X86_EFLAGS_IF;
1004 asm("push %[flags]; popf; call *%[fastop]"
1005 : "=a"(rc) : [fastop]"r"(fop), [flags]"r"(flags));
1006 return rc;
1007 }
1008
1009 static void fetch_register_operand(struct operand *op)
1010 {
1011 switch (op->bytes) {
1012 case 1:
1013 op->val = *(u8 *)op->addr.reg;
1014 break;
1015 case 2:
1016 op->val = *(u16 *)op->addr.reg;
1017 break;
1018 case 4:
1019 op->val = *(u32 *)op->addr.reg;
1020 break;
1021 case 8:
1022 op->val = *(u64 *)op->addr.reg;
1023 break;
1024 }
1025 }
1026
1027 static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
1028 {
1029 ctxt->ops->get_fpu(ctxt);
1030 switch (reg) {
1031 case 0: asm("movdqa %%xmm0, %0" : "=m"(*data)); break;
1032 case 1: asm("movdqa %%xmm1, %0" : "=m"(*data)); break;
1033 case 2: asm("movdqa %%xmm2, %0" : "=m"(*data)); break;
1034 case 3: asm("movdqa %%xmm3, %0" : "=m"(*data)); break;
1035 case 4: asm("movdqa %%xmm4, %0" : "=m"(*data)); break;
1036 case 5: asm("movdqa %%xmm5, %0" : "=m"(*data)); break;
1037 case 6: asm("movdqa %%xmm6, %0" : "=m"(*data)); break;
1038 case 7: asm("movdqa %%xmm7, %0" : "=m"(*data)); break;
1039 #ifdef CONFIG_X86_64
1040 case 8: asm("movdqa %%xmm8, %0" : "=m"(*data)); break;
1041 case 9: asm("movdqa %%xmm9, %0" : "=m"(*data)); break;
1042 case 10: asm("movdqa %%xmm10, %0" : "=m"(*data)); break;
1043 case 11: asm("movdqa %%xmm11, %0" : "=m"(*data)); break;
1044 case 12: asm("movdqa %%xmm12, %0" : "=m"(*data)); break;
1045 case 13: asm("movdqa %%xmm13, %0" : "=m"(*data)); break;
1046 case 14: asm("movdqa %%xmm14, %0" : "=m"(*data)); break;
1047 case 15: asm("movdqa %%xmm15, %0" : "=m"(*data)); break;
1048 #endif
1049 default: BUG();
1050 }
1051 ctxt->ops->put_fpu(ctxt);
1052 }
1053
1054 static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
1055 int reg)
1056 {
1057 ctxt->ops->get_fpu(ctxt);
1058 switch (reg) {
1059 case 0: asm("movdqa %0, %%xmm0" : : "m"(*data)); break;
1060 case 1: asm("movdqa %0, %%xmm1" : : "m"(*data)); break;
1061 case 2: asm("movdqa %0, %%xmm2" : : "m"(*data)); break;
1062 case 3: asm("movdqa %0, %%xmm3" : : "m"(*data)); break;
1063 case 4: asm("movdqa %0, %%xmm4" : : "m"(*data)); break;
1064 case 5: asm("movdqa %0, %%xmm5" : : "m"(*data)); break;
1065 case 6: asm("movdqa %0, %%xmm6" : : "m"(*data)); break;
1066 case 7: asm("movdqa %0, %%xmm7" : : "m"(*data)); break;
1067 #ifdef CONFIG_X86_64
1068 case 8: asm("movdqa %0, %%xmm8" : : "m"(*data)); break;
1069 case 9: asm("movdqa %0, %%xmm9" : : "m"(*data)); break;
1070 case 10: asm("movdqa %0, %%xmm10" : : "m"(*data)); break;
1071 case 11: asm("movdqa %0, %%xmm11" : : "m"(*data)); break;
1072 case 12: asm("movdqa %0, %%xmm12" : : "m"(*data)); break;
1073 case 13: asm("movdqa %0, %%xmm13" : : "m"(*data)); break;
1074 case 14: asm("movdqa %0, %%xmm14" : : "m"(*data)); break;
1075 case 15: asm("movdqa %0, %%xmm15" : : "m"(*data)); break;
1076 #endif
1077 default: BUG();
1078 }
1079 ctxt->ops->put_fpu(ctxt);
1080 }
1081
1082 static void read_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
1083 {
1084 ctxt->ops->get_fpu(ctxt);
1085 switch (reg) {
1086 case 0: asm("movq %%mm0, %0" : "=m"(*data)); break;
1087 case 1: asm("movq %%mm1, %0" : "=m"(*data)); break;
1088 case 2: asm("movq %%mm2, %0" : "=m"(*data)); break;
1089 case 3: asm("movq %%mm3, %0" : "=m"(*data)); break;
1090 case 4: asm("movq %%mm4, %0" : "=m"(*data)); break;
1091 case 5: asm("movq %%mm5, %0" : "=m"(*data)); break;
1092 case 6: asm("movq %%mm6, %0" : "=m"(*data)); break;
1093 case 7: asm("movq %%mm7, %0" : "=m"(*data)); break;
1094 default: BUG();
1095 }
1096 ctxt->ops->put_fpu(ctxt);
1097 }
1098
1099 static void write_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
1100 {
1101 ctxt->ops->get_fpu(ctxt);
1102 switch (reg) {
1103 case 0: asm("movq %0, %%mm0" : : "m"(*data)); break;
1104 case 1: asm("movq %0, %%mm1" : : "m"(*data)); break;
1105 case 2: asm("movq %0, %%mm2" : : "m"(*data)); break;
1106 case 3: asm("movq %0, %%mm3" : : "m"(*data)); break;
1107 case 4: asm("movq %0, %%mm4" : : "m"(*data)); break;
1108 case 5: asm("movq %0, %%mm5" : : "m"(*data)); break;
1109 case 6: asm("movq %0, %%mm6" : : "m"(*data)); break;
1110 case 7: asm("movq %0, %%mm7" : : "m"(*data)); break;
1111 default: BUG();
1112 }
1113 ctxt->ops->put_fpu(ctxt);
1114 }
1115
1116 static int em_fninit(struct x86_emulate_ctxt *ctxt)
1117 {
1118 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1119 return emulate_nm(ctxt);
1120
1121 ctxt->ops->get_fpu(ctxt);
1122 asm volatile("fninit");
1123 ctxt->ops->put_fpu(ctxt);
1124 return X86EMUL_CONTINUE;
1125 }
1126
1127 static int em_fnstcw(struct x86_emulate_ctxt *ctxt)
1128 {
1129 u16 fcw;
1130
1131 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1132 return emulate_nm(ctxt);
1133
1134 ctxt->ops->get_fpu(ctxt);
1135 asm volatile("fnstcw %0": "+m"(fcw));
1136 ctxt->ops->put_fpu(ctxt);
1137
1138 ctxt->dst.val = fcw;
1139
1140 return X86EMUL_CONTINUE;
1141 }
1142
1143 static int em_fnstsw(struct x86_emulate_ctxt *ctxt)
1144 {
1145 u16 fsw;
1146
1147 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1148 return emulate_nm(ctxt);
1149
1150 ctxt->ops->get_fpu(ctxt);
1151 asm volatile("fnstsw %0": "+m"(fsw));
1152 ctxt->ops->put_fpu(ctxt);
1153
1154 ctxt->dst.val = fsw;
1155
1156 return X86EMUL_CONTINUE;
1157 }
1158
1159 static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
1160 struct operand *op)
1161 {
1162 unsigned reg = ctxt->modrm_reg;
1163
1164 if (!(ctxt->d & ModRM))
1165 reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3);
1166
1167 if (ctxt->d & Sse) {
1168 op->type = OP_XMM;
1169 op->bytes = 16;
1170 op->addr.xmm = reg;
1171 read_sse_reg(ctxt, &op->vec_val, reg);
1172 return;
1173 }
1174 if (ctxt->d & Mmx) {
1175 reg &= 7;
1176 op->type = OP_MM;
1177 op->bytes = 8;
1178 op->addr.mm = reg;
1179 return;
1180 }
1181
1182 op->type = OP_REG;
1183 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1184 op->addr.reg = decode_register(ctxt, reg, ctxt->d & ByteOp);
1185
1186 fetch_register_operand(op);
1187 op->orig_val = op->val;
1188 }
1189
1190 static void adjust_modrm_seg(struct x86_emulate_ctxt *ctxt, int base_reg)
1191 {
1192 if (base_reg == VCPU_REGS_RSP || base_reg == VCPU_REGS_RBP)
1193 ctxt->modrm_seg = VCPU_SREG_SS;
1194 }
1195
1196 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
1197 struct operand *op)
1198 {
1199 u8 sib;
1200 int index_reg, base_reg, scale;
1201 int rc = X86EMUL_CONTINUE;
1202 ulong modrm_ea = 0;
1203
1204 ctxt->modrm_reg = ((ctxt->rex_prefix << 1) & 8); /* REX.R */
1205 index_reg = (ctxt->rex_prefix << 2) & 8; /* REX.X */
1206 base_reg = (ctxt->rex_prefix << 3) & 8; /* REX.B */
1207
1208 ctxt->modrm_mod = (ctxt->modrm & 0xc0) >> 6;
1209 ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
1210 ctxt->modrm_rm = base_reg | (ctxt->modrm & 0x07);
1211 ctxt->modrm_seg = VCPU_SREG_DS;
1212
1213 if (ctxt->modrm_mod == 3 || (ctxt->d & NoMod)) {
1214 op->type = OP_REG;
1215 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1216 op->addr.reg = decode_register(ctxt, ctxt->modrm_rm,
1217 ctxt->d & ByteOp);
1218 if (ctxt->d & Sse) {
1219 op->type = OP_XMM;
1220 op->bytes = 16;
1221 op->addr.xmm = ctxt->modrm_rm;
1222 read_sse_reg(ctxt, &op->vec_val, ctxt->modrm_rm);
1223 return rc;
1224 }
1225 if (ctxt->d & Mmx) {
1226 op->type = OP_MM;
1227 op->bytes = 8;
1228 op->addr.mm = ctxt->modrm_rm & 7;
1229 return rc;
1230 }
1231 fetch_register_operand(op);
1232 return rc;
1233 }
1234
1235 op->type = OP_MEM;
1236
1237 if (ctxt->ad_bytes == 2) {
1238 unsigned bx = reg_read(ctxt, VCPU_REGS_RBX);
1239 unsigned bp = reg_read(ctxt, VCPU_REGS_RBP);
1240 unsigned si = reg_read(ctxt, VCPU_REGS_RSI);
1241 unsigned di = reg_read(ctxt, VCPU_REGS_RDI);
1242
1243 /* 16-bit ModR/M decode. */
1244 switch (ctxt->modrm_mod) {
1245 case 0:
1246 if (ctxt->modrm_rm == 6)
1247 modrm_ea += insn_fetch(u16, ctxt);
1248 break;
1249 case 1:
1250 modrm_ea += insn_fetch(s8, ctxt);
1251 break;
1252 case 2:
1253 modrm_ea += insn_fetch(u16, ctxt);
1254 break;
1255 }
1256 switch (ctxt->modrm_rm) {
1257 case 0:
1258 modrm_ea += bx + si;
1259 break;
1260 case 1:
1261 modrm_ea += bx + di;
1262 break;
1263 case 2:
1264 modrm_ea += bp + si;
1265 break;
1266 case 3:
1267 modrm_ea += bp + di;
1268 break;
1269 case 4:
1270 modrm_ea += si;
1271 break;
1272 case 5:
1273 modrm_ea += di;
1274 break;
1275 case 6:
1276 if (ctxt->modrm_mod != 0)
1277 modrm_ea += bp;
1278 break;
1279 case 7:
1280 modrm_ea += bx;
1281 break;
1282 }
1283 if (ctxt->modrm_rm == 2 || ctxt->modrm_rm == 3 ||
1284 (ctxt->modrm_rm == 6 && ctxt->modrm_mod != 0))
1285 ctxt->modrm_seg = VCPU_SREG_SS;
1286 modrm_ea = (u16)modrm_ea;
1287 } else {
1288 /* 32/64-bit ModR/M decode. */
1289 if ((ctxt->modrm_rm & 7) == 4) {
1290 sib = insn_fetch(u8, ctxt);
1291 index_reg |= (sib >> 3) & 7;
1292 base_reg |= sib & 7;
1293 scale = sib >> 6;
1294
1295 if ((base_reg & 7) == 5 && ctxt->modrm_mod == 0)
1296 modrm_ea += insn_fetch(s32, ctxt);
1297 else {
1298 modrm_ea += reg_read(ctxt, base_reg);
1299 adjust_modrm_seg(ctxt, base_reg);
1300 /* Increment ESP on POP [ESP] */
1301 if ((ctxt->d & IncSP) &&
1302 base_reg == VCPU_REGS_RSP)
1303 modrm_ea += ctxt->op_bytes;
1304 }
1305 if (index_reg != 4)
1306 modrm_ea += reg_read(ctxt, index_reg) << scale;
1307 } else if ((ctxt->modrm_rm & 7) == 5 && ctxt->modrm_mod == 0) {
1308 modrm_ea += insn_fetch(s32, ctxt);
1309 if (ctxt->mode == X86EMUL_MODE_PROT64)
1310 ctxt->rip_relative = 1;
1311 } else {
1312 base_reg = ctxt->modrm_rm;
1313 modrm_ea += reg_read(ctxt, base_reg);
1314 adjust_modrm_seg(ctxt, base_reg);
1315 }
1316 switch (ctxt->modrm_mod) {
1317 case 1:
1318 modrm_ea += insn_fetch(s8, ctxt);
1319 break;
1320 case 2:
1321 modrm_ea += insn_fetch(s32, ctxt);
1322 break;
1323 }
1324 }
1325 op->addr.mem.ea = modrm_ea;
1326 if (ctxt->ad_bytes != 8)
1327 ctxt->memop.addr.mem.ea = (u32)ctxt->memop.addr.mem.ea;
1328
1329 done:
1330 return rc;
1331 }
1332
1333 static int decode_abs(struct x86_emulate_ctxt *ctxt,
1334 struct operand *op)
1335 {
1336 int rc = X86EMUL_CONTINUE;
1337
1338 op->type = OP_MEM;
1339 switch (ctxt->ad_bytes) {
1340 case 2:
1341 op->addr.mem.ea = insn_fetch(u16, ctxt);
1342 break;
1343 case 4:
1344 op->addr.mem.ea = insn_fetch(u32, ctxt);
1345 break;
1346 case 8:
1347 op->addr.mem.ea = insn_fetch(u64, ctxt);
1348 break;
1349 }
1350 done:
1351 return rc;
1352 }
1353
1354 static void fetch_bit_operand(struct x86_emulate_ctxt *ctxt)
1355 {
1356 long sv = 0, mask;
1357
1358 if (ctxt->dst.type == OP_MEM && ctxt->src.type == OP_REG) {
1359 mask = ~((long)ctxt->dst.bytes * 8 - 1);
1360
1361 if (ctxt->src.bytes == 2)
1362 sv = (s16)ctxt->src.val & (s16)mask;
1363 else if (ctxt->src.bytes == 4)
1364 sv = (s32)ctxt->src.val & (s32)mask;
1365 else
1366 sv = (s64)ctxt->src.val & (s64)mask;
1367
1368 ctxt->dst.addr.mem.ea = address_mask(ctxt,
1369 ctxt->dst.addr.mem.ea + (sv >> 3));
1370 }
1371
1372 /* only subword offset */
1373 ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
1374 }
1375
1376 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1377 unsigned long addr, void *dest, unsigned size)
1378 {
1379 int rc;
1380 struct read_cache *mc = &ctxt->mem_read;
1381
1382 if (mc->pos < mc->end)
1383 goto read_cached;
1384
1385 WARN_ON((mc->end + size) >= sizeof(mc->data));
1386
1387 rc = ctxt->ops->read_emulated(ctxt, addr, mc->data + mc->end, size,
1388 &ctxt->exception);
1389 if (rc != X86EMUL_CONTINUE)
1390 return rc;
1391
1392 mc->end += size;
1393
1394 read_cached:
1395 memcpy(dest, mc->data + mc->pos, size);
1396 mc->pos += size;
1397 return X86EMUL_CONTINUE;
1398 }
1399
1400 static int segmented_read(struct x86_emulate_ctxt *ctxt,
1401 struct segmented_address addr,
1402 void *data,
1403 unsigned size)
1404 {
1405 int rc;
1406 ulong linear;
1407
1408 rc = linearize(ctxt, addr, size, false, &linear);
1409 if (rc != X86EMUL_CONTINUE)
1410 return rc;
1411 return read_emulated(ctxt, linear, data, size);
1412 }
1413
1414 static int segmented_write(struct x86_emulate_ctxt *ctxt,
1415 struct segmented_address addr,
1416 const void *data,
1417 unsigned size)
1418 {
1419 int rc;
1420 ulong linear;
1421
1422 rc = linearize(ctxt, addr, size, true, &linear);
1423 if (rc != X86EMUL_CONTINUE)
1424 return rc;
1425 return ctxt->ops->write_emulated(ctxt, linear, data, size,
1426 &ctxt->exception);
1427 }
1428
1429 static int segmented_cmpxchg(struct x86_emulate_ctxt *ctxt,
1430 struct segmented_address addr,
1431 const void *orig_data, const void *data,
1432 unsigned size)
1433 {
1434 int rc;
1435 ulong linear;
1436
1437 rc = linearize(ctxt, addr, size, true, &linear);
1438 if (rc != X86EMUL_CONTINUE)
1439 return rc;
1440 return ctxt->ops->cmpxchg_emulated(ctxt, linear, orig_data, data,
1441 size, &ctxt->exception);
1442 }
1443
1444 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1445 unsigned int size, unsigned short port,
1446 void *dest)
1447 {
1448 struct read_cache *rc = &ctxt->io_read;
1449
1450 if (rc->pos == rc->end) { /* refill pio read ahead */
1451 unsigned int in_page, n;
1452 unsigned int count = ctxt->rep_prefix ?
1453 address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) : 1;
1454 in_page = (ctxt->eflags & X86_EFLAGS_DF) ?
1455 offset_in_page(reg_read(ctxt, VCPU_REGS_RDI)) :
1456 PAGE_SIZE - offset_in_page(reg_read(ctxt, VCPU_REGS_RDI));
1457 n = min3(in_page, (unsigned int)sizeof(rc->data) / size, count);
1458 if (n == 0)
1459 n = 1;
1460 rc->pos = rc->end = 0;
1461 if (!ctxt->ops->pio_in_emulated(ctxt, size, port, rc->data, n))
1462 return 0;
1463 rc->end = n * size;
1464 }
1465
1466 if (ctxt->rep_prefix && (ctxt->d & String) &&
1467 !(ctxt->eflags & X86_EFLAGS_DF)) {
1468 ctxt->dst.data = rc->data + rc->pos;
1469 ctxt->dst.type = OP_MEM_STR;
1470 ctxt->dst.count = (rc->end - rc->pos) / size;
1471 rc->pos = rc->end;
1472 } else {
1473 memcpy(dest, rc->data + rc->pos, size);
1474 rc->pos += size;
1475 }
1476 return 1;
1477 }
1478
1479 static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt,
1480 u16 index, struct desc_struct *desc)
1481 {
1482 struct desc_ptr dt;
1483 ulong addr;
1484
1485 ctxt->ops->get_idt(ctxt, &dt);
1486
1487 if (dt.size < index * 8 + 7)
1488 return emulate_gp(ctxt, index << 3 | 0x2);
1489
1490 addr = dt.address + index * 8;
1491 return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
1492 &ctxt->exception);
1493 }
1494
1495 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1496 u16 selector, struct desc_ptr *dt)
1497 {
1498 const struct x86_emulate_ops *ops = ctxt->ops;
1499 u32 base3 = 0;
1500
1501 if (selector & 1 << 2) {
1502 struct desc_struct desc;
1503 u16 sel;
1504
1505 memset (dt, 0, sizeof *dt);
1506 if (!ops->get_segment(ctxt, &sel, &desc, &base3,
1507 VCPU_SREG_LDTR))
1508 return;
1509
1510 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1511 dt->address = get_desc_base(&desc) | ((u64)base3 << 32);
1512 } else
1513 ops->get_gdt(ctxt, dt);
1514 }
1515
1516 static int get_descriptor_ptr(struct x86_emulate_ctxt *ctxt,
1517 u16 selector, ulong *desc_addr_p)
1518 {
1519 struct desc_ptr dt;
1520 u16 index = selector >> 3;
1521 ulong addr;
1522
1523 get_descriptor_table_ptr(ctxt, selector, &dt);
1524
1525 if (dt.size < index * 8 + 7)
1526 return emulate_gp(ctxt, selector & 0xfffc);
1527
1528 addr = dt.address + index * 8;
1529
1530 #ifdef CONFIG_X86_64
1531 if (addr >> 32 != 0) {
1532 u64 efer = 0;
1533
1534 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1535 if (!(efer & EFER_LMA))
1536 addr &= (u32)-1;
1537 }
1538 #endif
1539
1540 *desc_addr_p = addr;
1541 return X86EMUL_CONTINUE;
1542 }
1543
1544 /* allowed just for 8 bytes segments */
1545 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1546 u16 selector, struct desc_struct *desc,
1547 ulong *desc_addr_p)
1548 {
1549 int rc;
1550
1551 rc = get_descriptor_ptr(ctxt, selector, desc_addr_p);
1552 if (rc != X86EMUL_CONTINUE)
1553 return rc;
1554
1555 return ctxt->ops->read_std(ctxt, *desc_addr_p, desc, sizeof(*desc),
1556 &ctxt->exception);
1557 }
1558
1559 /* allowed just for 8 bytes segments */
1560 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1561 u16 selector, struct desc_struct *desc)
1562 {
1563 int rc;
1564 ulong addr;
1565
1566 rc = get_descriptor_ptr(ctxt, selector, &addr);
1567 if (rc != X86EMUL_CONTINUE)
1568 return rc;
1569
1570 return ctxt->ops->write_std(ctxt, addr, desc, sizeof *desc,
1571 &ctxt->exception);
1572 }
1573
1574 /* Does not support long mode */
1575 static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1576 u16 selector, int seg, u8 cpl,
1577 enum x86_transfer_type transfer,
1578 struct desc_struct *desc)
1579 {
1580 struct desc_struct seg_desc, old_desc;
1581 u8 dpl, rpl;
1582 unsigned err_vec = GP_VECTOR;
1583 u32 err_code = 0;
1584 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1585 ulong desc_addr;
1586 int ret;
1587 u16 dummy;
1588 u32 base3 = 0;
1589
1590 memset(&seg_desc, 0, sizeof seg_desc);
1591
1592 if (ctxt->mode == X86EMUL_MODE_REAL) {
1593 /* set real mode segment descriptor (keep limit etc. for
1594 * unreal mode) */
1595 ctxt->ops->get_segment(ctxt, &dummy, &seg_desc, NULL, seg);
1596 set_desc_base(&seg_desc, selector << 4);
1597 goto load;
1598 } else if (seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86) {
1599 /* VM86 needs a clean new segment descriptor */
1600 set_desc_base(&seg_desc, selector << 4);
1601 set_desc_limit(&seg_desc, 0xffff);
1602 seg_desc.type = 3;
1603 seg_desc.p = 1;
1604 seg_desc.s = 1;
1605 seg_desc.dpl = 3;
1606 goto load;
1607 }
1608
1609 rpl = selector & 3;
1610
1611 /* NULL selector is not valid for TR, CS and SS (except for long mode) */
1612 if ((seg == VCPU_SREG_CS
1613 || (seg == VCPU_SREG_SS
1614 && (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl))
1615 || seg == VCPU_SREG_TR)
1616 && null_selector)
1617 goto exception;
1618
1619 /* TR should be in GDT only */
1620 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1621 goto exception;
1622
1623 if (null_selector) /* for NULL selector skip all following checks */
1624 goto load;
1625
1626 ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr);
1627 if (ret != X86EMUL_CONTINUE)
1628 return ret;
1629
1630 err_code = selector & 0xfffc;
1631 err_vec = (transfer == X86_TRANSFER_TASK_SWITCH) ? TS_VECTOR :
1632 GP_VECTOR;
1633
1634 /* can't load system descriptor into segment selector */
1635 if (seg <= VCPU_SREG_GS && !seg_desc.s) {
1636 if (transfer == X86_TRANSFER_CALL_JMP)
1637 return X86EMUL_UNHANDLEABLE;
1638 goto exception;
1639 }
1640
1641 if (!seg_desc.p) {
1642 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1643 goto exception;
1644 }
1645
1646 dpl = seg_desc.dpl;
1647
1648 switch (seg) {
1649 case VCPU_SREG_SS:
1650 /*
1651 * segment is not a writable data segment or segment
1652 * selector's RPL != CPL or segment selector's RPL != CPL
1653 */
1654 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1655 goto exception;
1656 break;
1657 case VCPU_SREG_CS:
1658 if (!(seg_desc.type & 8))
1659 goto exception;
1660
1661 if (seg_desc.type & 4) {
1662 /* conforming */
1663 if (dpl > cpl)
1664 goto exception;
1665 } else {
1666 /* nonconforming */
1667 if (rpl > cpl || dpl != cpl)
1668 goto exception;
1669 }
1670 /* in long-mode d/b must be clear if l is set */
1671 if (seg_desc.d && seg_desc.l) {
1672 u64 efer = 0;
1673
1674 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1675 if (efer & EFER_LMA)
1676 goto exception;
1677 }
1678
1679 /* CS(RPL) <- CPL */
1680 selector = (selector & 0xfffc) | cpl;
1681 break;
1682 case VCPU_SREG_TR:
1683 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1684 goto exception;
1685 old_desc = seg_desc;
1686 seg_desc.type |= 2; /* busy */
1687 ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
1688 sizeof(seg_desc), &ctxt->exception);
1689 if (ret != X86EMUL_CONTINUE)
1690 return ret;
1691 break;
1692 case VCPU_SREG_LDTR:
1693 if (seg_desc.s || seg_desc.type != 2)
1694 goto exception;
1695 break;
1696 default: /* DS, ES, FS, or GS */
1697 /*
1698 * segment is not a data or readable code segment or
1699 * ((segment is a data or nonconforming code segment)
1700 * and (both RPL and CPL > DPL))
1701 */
1702 if ((seg_desc.type & 0xa) == 0x8 ||
1703 (((seg_desc.type & 0xc) != 0xc) &&
1704 (rpl > dpl && cpl > dpl)))
1705 goto exception;
1706 break;
1707 }
1708
1709 if (seg_desc.s) {
1710 /* mark segment as accessed */
1711 if (!(seg_desc.type & 1)) {
1712 seg_desc.type |= 1;
1713 ret = write_segment_descriptor(ctxt, selector,
1714 &seg_desc);
1715 if (ret != X86EMUL_CONTINUE)
1716 return ret;
1717 }
1718 } else if (ctxt->mode == X86EMUL_MODE_PROT64) {
1719 ret = ctxt->ops->read_std(ctxt, desc_addr+8, &base3,
1720 sizeof(base3), &ctxt->exception);
1721 if (ret != X86EMUL_CONTINUE)
1722 return ret;
1723 if (is_noncanonical_address(get_desc_base(&seg_desc) |
1724 ((u64)base3 << 32)))
1725 return emulate_gp(ctxt, 0);
1726 }
1727 load:
1728 ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg);
1729 if (desc)
1730 *desc = seg_desc;
1731 return X86EMUL_CONTINUE;
1732 exception:
1733 return emulate_exception(ctxt, err_vec, err_code, true);
1734 }
1735
1736 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1737 u16 selector, int seg)
1738 {
1739 u8 cpl = ctxt->ops->cpl(ctxt);
1740 return __load_segment_descriptor(ctxt, selector, seg, cpl,
1741 X86_TRANSFER_NONE, NULL);
1742 }
1743
1744 static void write_register_operand(struct operand *op)
1745 {
1746 return assign_register(op->addr.reg, op->val, op->bytes);
1747 }
1748
1749 static int writeback(struct x86_emulate_ctxt *ctxt, struct operand *op)
1750 {
1751 switch (op->type) {
1752 case OP_REG:
1753 write_register_operand(op);
1754 break;
1755 case OP_MEM:
1756 if (ctxt->lock_prefix)
1757 return segmented_cmpxchg(ctxt,
1758 op->addr.mem,
1759 &op->orig_val,
1760 &op->val,
1761 op->bytes);
1762 else
1763 return segmented_write(ctxt,
1764 op->addr.mem,
1765 &op->val,
1766 op->bytes);
1767 break;
1768 case OP_MEM_STR:
1769 return segmented_write(ctxt,
1770 op->addr.mem,
1771 op->data,
1772 op->bytes * op->count);
1773 break;
1774 case OP_XMM:
1775 write_sse_reg(ctxt, &op->vec_val, op->addr.xmm);
1776 break;
1777 case OP_MM:
1778 write_mmx_reg(ctxt, &op->mm_val, op->addr.mm);
1779 break;
1780 case OP_NONE:
1781 /* no writeback */
1782 break;
1783 default:
1784 break;
1785 }
1786 return X86EMUL_CONTINUE;
1787 }
1788
1789 static int push(struct x86_emulate_ctxt *ctxt, void *data, int bytes)
1790 {
1791 struct segmented_address addr;
1792
1793 rsp_increment(ctxt, -bytes);
1794 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1795 addr.seg = VCPU_SREG_SS;
1796
1797 return segmented_write(ctxt, addr, data, bytes);
1798 }
1799
1800 static int em_push(struct x86_emulate_ctxt *ctxt)
1801 {
1802 /* Disable writeback. */
1803 ctxt->dst.type = OP_NONE;
1804 return push(ctxt, &ctxt->src.val, ctxt->op_bytes);
1805 }
1806
1807 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1808 void *dest, int len)
1809 {
1810 int rc;
1811 struct segmented_address addr;
1812
1813 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1814 addr.seg = VCPU_SREG_SS;
1815 rc = segmented_read(ctxt, addr, dest, len);
1816 if (rc != X86EMUL_CONTINUE)
1817 return rc;
1818
1819 rsp_increment(ctxt, len);
1820 return rc;
1821 }
1822
1823 static int em_pop(struct x86_emulate_ctxt *ctxt)
1824 {
1825 return emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1826 }
1827
1828 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1829 void *dest, int len)
1830 {
1831 int rc;
1832 unsigned long val, change_mask;
1833 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> X86_EFLAGS_IOPL_BIT;
1834 int cpl = ctxt->ops->cpl(ctxt);
1835
1836 rc = emulate_pop(ctxt, &val, len);
1837 if (rc != X86EMUL_CONTINUE)
1838 return rc;
1839
1840 change_mask = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
1841 X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_OF |
1842 X86_EFLAGS_TF | X86_EFLAGS_DF | X86_EFLAGS_NT |
1843 X86_EFLAGS_AC | X86_EFLAGS_ID;
1844
1845 switch(ctxt->mode) {
1846 case X86EMUL_MODE_PROT64:
1847 case X86EMUL_MODE_PROT32:
1848 case X86EMUL_MODE_PROT16:
1849 if (cpl == 0)
1850 change_mask |= X86_EFLAGS_IOPL;
1851 if (cpl <= iopl)
1852 change_mask |= X86_EFLAGS_IF;
1853 break;
1854 case X86EMUL_MODE_VM86:
1855 if (iopl < 3)
1856 return emulate_gp(ctxt, 0);
1857 change_mask |= X86_EFLAGS_IF;
1858 break;
1859 default: /* real mode */
1860 change_mask |= (X86_EFLAGS_IOPL | X86_EFLAGS_IF);
1861 break;
1862 }
1863
1864 *(unsigned long *)dest =
1865 (ctxt->eflags & ~change_mask) | (val & change_mask);
1866
1867 return rc;
1868 }
1869
1870 static int em_popf(struct x86_emulate_ctxt *ctxt)
1871 {
1872 ctxt->dst.type = OP_REG;
1873 ctxt->dst.addr.reg = &ctxt->eflags;
1874 ctxt->dst.bytes = ctxt->op_bytes;
1875 return emulate_popf(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1876 }
1877
1878 static int em_enter(struct x86_emulate_ctxt *ctxt)
1879 {
1880 int rc;
1881 unsigned frame_size = ctxt->src.val;
1882 unsigned nesting_level = ctxt->src2.val & 31;
1883 ulong rbp;
1884
1885 if (nesting_level)
1886 return X86EMUL_UNHANDLEABLE;
1887
1888 rbp = reg_read(ctxt, VCPU_REGS_RBP);
1889 rc = push(ctxt, &rbp, stack_size(ctxt));
1890 if (rc != X86EMUL_CONTINUE)
1891 return rc;
1892 assign_masked(reg_rmw(ctxt, VCPU_REGS_RBP), reg_read(ctxt, VCPU_REGS_RSP),
1893 stack_mask(ctxt));
1894 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP),
1895 reg_read(ctxt, VCPU_REGS_RSP) - frame_size,
1896 stack_mask(ctxt));
1897 return X86EMUL_CONTINUE;
1898 }
1899
1900 static int em_leave(struct x86_emulate_ctxt *ctxt)
1901 {
1902 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP), reg_read(ctxt, VCPU_REGS_RBP),
1903 stack_mask(ctxt));
1904 return emulate_pop(ctxt, reg_rmw(ctxt, VCPU_REGS_RBP), ctxt->op_bytes);
1905 }
1906
1907 static int em_push_sreg(struct x86_emulate_ctxt *ctxt)
1908 {
1909 int seg = ctxt->src2.val;
1910
1911 ctxt->src.val = get_segment_selector(ctxt, seg);
1912 if (ctxt->op_bytes == 4) {
1913 rsp_increment(ctxt, -2);
1914 ctxt->op_bytes = 2;
1915 }
1916
1917 return em_push(ctxt);
1918 }
1919
1920 static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
1921 {
1922 int seg = ctxt->src2.val;
1923 unsigned long selector;
1924 int rc;
1925
1926 rc = emulate_pop(ctxt, &selector, 2);
1927 if (rc != X86EMUL_CONTINUE)
1928 return rc;
1929
1930 if (ctxt->modrm_reg == VCPU_SREG_SS)
1931 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
1932 if (ctxt->op_bytes > 2)
1933 rsp_increment(ctxt, ctxt->op_bytes - 2);
1934
1935 rc = load_segment_descriptor(ctxt, (u16)selector, seg);
1936 return rc;
1937 }
1938
1939 static int em_pusha(struct x86_emulate_ctxt *ctxt)
1940 {
1941 unsigned long old_esp = reg_read(ctxt, VCPU_REGS_RSP);
1942 int rc = X86EMUL_CONTINUE;
1943 int reg = VCPU_REGS_RAX;
1944
1945 while (reg <= VCPU_REGS_RDI) {
1946 (reg == VCPU_REGS_RSP) ?
1947 (ctxt->src.val = old_esp) : (ctxt->src.val = reg_read(ctxt, reg));
1948
1949 rc = em_push(ctxt);
1950 if (rc != X86EMUL_CONTINUE)
1951 return rc;
1952
1953 ++reg;
1954 }
1955
1956 return rc;
1957 }
1958
1959 static int em_pushf(struct x86_emulate_ctxt *ctxt)
1960 {
1961 ctxt->src.val = (unsigned long)ctxt->eflags & ~X86_EFLAGS_VM;
1962 return em_push(ctxt);
1963 }
1964
1965 static int em_popa(struct x86_emulate_ctxt *ctxt)
1966 {
1967 int rc = X86EMUL_CONTINUE;
1968 int reg = VCPU_REGS_RDI;
1969 u32 val;
1970
1971 while (reg >= VCPU_REGS_RAX) {
1972 if (reg == VCPU_REGS_RSP) {
1973 rsp_increment(ctxt, ctxt->op_bytes);
1974 --reg;
1975 }
1976
1977 rc = emulate_pop(ctxt, &val, ctxt->op_bytes);
1978 if (rc != X86EMUL_CONTINUE)
1979 break;
1980 assign_register(reg_rmw(ctxt, reg), val, ctxt->op_bytes);
1981 --reg;
1982 }
1983 return rc;
1984 }
1985
1986 static int __emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
1987 {
1988 const struct x86_emulate_ops *ops = ctxt->ops;
1989 int rc;
1990 struct desc_ptr dt;
1991 gva_t cs_addr;
1992 gva_t eip_addr;
1993 u16 cs, eip;
1994
1995 /* TODO: Add limit checks */
1996 ctxt->src.val = ctxt->eflags;
1997 rc = em_push(ctxt);
1998 if (rc != X86EMUL_CONTINUE)
1999 return rc;
2000
2001 ctxt->eflags &= ~(X86_EFLAGS_IF | X86_EFLAGS_TF | X86_EFLAGS_AC);
2002
2003 ctxt->src.val = get_segment_selector(ctxt, VCPU_SREG_CS);
2004 rc = em_push(ctxt);
2005 if (rc != X86EMUL_CONTINUE)
2006 return rc;
2007
2008 ctxt->src.val = ctxt->_eip;
2009 rc = em_push(ctxt);
2010 if (rc != X86EMUL_CONTINUE)
2011 return rc;
2012
2013 ops->get_idt(ctxt, &dt);
2014
2015 eip_addr = dt.address + (irq << 2);
2016 cs_addr = dt.address + (irq << 2) + 2;
2017
2018 rc = ops->read_std(ctxt, cs_addr, &cs, 2, &ctxt->exception);
2019 if (rc != X86EMUL_CONTINUE)
2020 return rc;
2021
2022 rc = ops->read_std(ctxt, eip_addr, &eip, 2, &ctxt->exception);
2023 if (rc != X86EMUL_CONTINUE)
2024 return rc;
2025
2026 rc = load_segment_descriptor(ctxt, cs, VCPU_SREG_CS);
2027 if (rc != X86EMUL_CONTINUE)
2028 return rc;
2029
2030 ctxt->_eip = eip;
2031
2032 return rc;
2033 }
2034
2035 int emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
2036 {
2037 int rc;
2038
2039 invalidate_registers(ctxt);
2040 rc = __emulate_int_real(ctxt, irq);
2041 if (rc == X86EMUL_CONTINUE)
2042 writeback_registers(ctxt);
2043 return rc;
2044 }
2045
2046 static int emulate_int(struct x86_emulate_ctxt *ctxt, int irq)
2047 {
2048 switch(ctxt->mode) {
2049 case X86EMUL_MODE_REAL:
2050 return __emulate_int_real(ctxt, irq);
2051 case X86EMUL_MODE_VM86:
2052 case X86EMUL_MODE_PROT16:
2053 case X86EMUL_MODE_PROT32:
2054 case X86EMUL_MODE_PROT64:
2055 default:
2056 /* Protected mode interrupts unimplemented yet */
2057 return X86EMUL_UNHANDLEABLE;
2058 }
2059 }
2060
2061 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
2062 {
2063 int rc = X86EMUL_CONTINUE;
2064 unsigned long temp_eip = 0;
2065 unsigned long temp_eflags = 0;
2066 unsigned long cs = 0;
2067 unsigned long mask = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
2068 X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_TF |
2069 X86_EFLAGS_IF | X86_EFLAGS_DF | X86_EFLAGS_OF |
2070 X86_EFLAGS_IOPL | X86_EFLAGS_NT | X86_EFLAGS_RF |
2071 X86_EFLAGS_AC | X86_EFLAGS_ID |
2072 X86_EFLAGS_FIXED;
2073 unsigned long vm86_mask = X86_EFLAGS_VM | X86_EFLAGS_VIF |
2074 X86_EFLAGS_VIP;
2075
2076 /* TODO: Add stack limit check */
2077
2078 rc = emulate_pop(ctxt, &temp_eip, ctxt->op_bytes);
2079
2080 if (rc != X86EMUL_CONTINUE)
2081 return rc;
2082
2083 if (temp_eip & ~0xffff)
2084 return emulate_gp(ctxt, 0);
2085
2086 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2087
2088 if (rc != X86EMUL_CONTINUE)
2089 return rc;
2090
2091 rc = emulate_pop(ctxt, &temp_eflags, ctxt->op_bytes);
2092
2093 if (rc != X86EMUL_CONTINUE)
2094 return rc;
2095
2096 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
2097
2098 if (rc != X86EMUL_CONTINUE)
2099 return rc;
2100
2101 ctxt->_eip = temp_eip;
2102
2103 if (ctxt->op_bytes == 4)
2104 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
2105 else if (ctxt->op_bytes == 2) {
2106 ctxt->eflags &= ~0xffff;
2107 ctxt->eflags |= temp_eflags;
2108 }
2109
2110 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
2111 ctxt->eflags |= X86_EFLAGS_FIXED;
2112 ctxt->ops->set_nmi_mask(ctxt, false);
2113
2114 return rc;
2115 }
2116
2117 static int em_iret(struct x86_emulate_ctxt *ctxt)
2118 {
2119 switch(ctxt->mode) {
2120 case X86EMUL_MODE_REAL:
2121 return emulate_iret_real(ctxt);
2122 case X86EMUL_MODE_VM86:
2123 case X86EMUL_MODE_PROT16:
2124 case X86EMUL_MODE_PROT32:
2125 case X86EMUL_MODE_PROT64:
2126 default:
2127 /* iret from protected mode unimplemented yet */
2128 return X86EMUL_UNHANDLEABLE;
2129 }
2130 }
2131
2132 static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
2133 {
2134 int rc;
2135 unsigned short sel, old_sel;
2136 struct desc_struct old_desc, new_desc;
2137 const struct x86_emulate_ops *ops = ctxt->ops;
2138 u8 cpl = ctxt->ops->cpl(ctxt);
2139
2140 /* Assignment of RIP may only fail in 64-bit mode */
2141 if (ctxt->mode == X86EMUL_MODE_PROT64)
2142 ops->get_segment(ctxt, &old_sel, &old_desc, NULL,
2143 VCPU_SREG_CS);
2144
2145 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2146
2147 rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
2148 X86_TRANSFER_CALL_JMP,
2149 &new_desc);
2150 if (rc != X86EMUL_CONTINUE)
2151 return rc;
2152
2153 rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
2154 if (rc != X86EMUL_CONTINUE) {
2155 WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
2156 /* assigning eip failed; restore the old cs */
2157 ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS);
2158 return rc;
2159 }
2160 return rc;
2161 }
2162
2163 static int em_jmp_abs(struct x86_emulate_ctxt *ctxt)
2164 {
2165 return assign_eip_near(ctxt, ctxt->src.val);
2166 }
2167
2168 static int em_call_near_abs(struct x86_emulate_ctxt *ctxt)
2169 {
2170 int rc;
2171 long int old_eip;
2172
2173 old_eip = ctxt->_eip;
2174 rc = assign_eip_near(ctxt, ctxt->src.val);
2175 if (rc != X86EMUL_CONTINUE)
2176 return rc;
2177 ctxt->src.val = old_eip;
2178 rc = em_push(ctxt);
2179 return rc;
2180 }
2181
2182 static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
2183 {
2184 u64 old = ctxt->dst.orig_val64;
2185
2186 if (ctxt->dst.bytes == 16)
2187 return X86EMUL_UNHANDLEABLE;
2188
2189 if (((u32) (old >> 0) != (u32) reg_read(ctxt, VCPU_REGS_RAX)) ||
2190 ((u32) (old >> 32) != (u32) reg_read(ctxt, VCPU_REGS_RDX))) {
2191 *reg_write(ctxt, VCPU_REGS_RAX) = (u32) (old >> 0);
2192 *reg_write(ctxt, VCPU_REGS_RDX) = (u32) (old >> 32);
2193 ctxt->eflags &= ~X86_EFLAGS_ZF;
2194 } else {
2195 ctxt->dst.val64 = ((u64)reg_read(ctxt, VCPU_REGS_RCX) << 32) |
2196 (u32) reg_read(ctxt, VCPU_REGS_RBX);
2197
2198 ctxt->eflags |= X86_EFLAGS_ZF;
2199 }
2200 return X86EMUL_CONTINUE;
2201 }
2202
2203 static int em_ret(struct x86_emulate_ctxt *ctxt)
2204 {
2205 int rc;
2206 unsigned long eip;
2207
2208 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
2209 if (rc != X86EMUL_CONTINUE)
2210 return rc;
2211
2212 return assign_eip_near(ctxt, eip);
2213 }
2214
2215 static int em_ret_far(struct x86_emulate_ctxt *ctxt)
2216 {
2217 int rc;
2218 unsigned long eip, cs;
2219 u16 old_cs;
2220 int cpl = ctxt->ops->cpl(ctxt);
2221 struct desc_struct old_desc, new_desc;
2222 const struct x86_emulate_ops *ops = ctxt->ops;
2223
2224 if (ctxt->mode == X86EMUL_MODE_PROT64)
2225 ops->get_segment(ctxt, &old_cs, &old_desc, NULL,
2226 VCPU_SREG_CS);
2227
2228 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
2229 if (rc != X86EMUL_CONTINUE)
2230 return rc;
2231 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2232 if (rc != X86EMUL_CONTINUE)
2233 return rc;
2234 /* Outer-privilege level return is not implemented */
2235 if (ctxt->mode >= X86EMUL_MODE_PROT16 && (cs & 3) > cpl)
2236 return X86EMUL_UNHANDLEABLE;
2237 rc = __load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, cpl,
2238 X86_TRANSFER_RET,
2239 &new_desc);
2240 if (rc != X86EMUL_CONTINUE)
2241 return rc;
2242 rc = assign_eip_far(ctxt, eip, &new_desc);
2243 if (rc != X86EMUL_CONTINUE) {
2244 WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
2245 ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
2246 }
2247 return rc;
2248 }
2249
2250 static int em_ret_far_imm(struct x86_emulate_ctxt *ctxt)
2251 {
2252 int rc;
2253
2254 rc = em_ret_far(ctxt);
2255 if (rc != X86EMUL_CONTINUE)
2256 return rc;
2257 rsp_increment(ctxt, ctxt->src.val);
2258 return X86EMUL_CONTINUE;
2259 }
2260
2261 static int em_cmpxchg(struct x86_emulate_ctxt *ctxt)
2262 {
2263 /* Save real source value, then compare EAX against destination. */
2264 ctxt->dst.orig_val = ctxt->dst.val;
2265 ctxt->dst.val = reg_read(ctxt, VCPU_REGS_RAX);
2266 ctxt->src.orig_val = ctxt->src.val;
2267 ctxt->src.val = ctxt->dst.orig_val;
2268 fastop(ctxt, em_cmp);
2269
2270 if (ctxt->eflags & X86_EFLAGS_ZF) {
2271 /* Success: write back to memory; no update of EAX */
2272 ctxt->src.type = OP_NONE;
2273 ctxt->dst.val = ctxt->src.orig_val;
2274 } else {
2275 /* Failure: write the value we saw to EAX. */
2276 ctxt->src.type = OP_REG;
2277 ctxt->src.addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
2278 ctxt->src.val = ctxt->dst.orig_val;
2279 /* Create write-cycle to dest by writing the same value */
2280 ctxt->dst.val = ctxt->dst.orig_val;
2281 }
2282 return X86EMUL_CONTINUE;
2283 }
2284
2285 static int em_lseg(struct x86_emulate_ctxt *ctxt)
2286 {
2287 int seg = ctxt->src2.val;
2288 unsigned short sel;
2289 int rc;
2290
2291 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2292
2293 rc = load_segment_descriptor(ctxt, sel, seg);
2294 if (rc != X86EMUL_CONTINUE)
2295 return rc;
2296
2297 ctxt->dst.val = ctxt->src.val;
2298 return rc;
2299 }
2300
2301 static int emulator_has_longmode(struct x86_emulate_ctxt *ctxt)
2302 {
2303 u32 eax, ebx, ecx, edx;
2304
2305 eax = 0x80000001;
2306 ecx = 0;
2307 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
2308 return edx & bit(X86_FEATURE_LM);
2309 }
2310
2311 #define GET_SMSTATE(type, smbase, offset) \
2312 ({ \
2313 type __val; \
2314 int r = ctxt->ops->read_phys(ctxt, smbase + offset, &__val, \
2315 sizeof(__val)); \
2316 if (r != X86EMUL_CONTINUE) \
2317 return X86EMUL_UNHANDLEABLE; \
2318 __val; \
2319 })
2320
2321 static void rsm_set_desc_flags(struct desc_struct *desc, u32 flags)
2322 {
2323 desc->g = (flags >> 23) & 1;
2324 desc->d = (flags >> 22) & 1;
2325 desc->l = (flags >> 21) & 1;
2326 desc->avl = (flags >> 20) & 1;
2327 desc->p = (flags >> 15) & 1;
2328 desc->dpl = (flags >> 13) & 3;
2329 desc->s = (flags >> 12) & 1;
2330 desc->type = (flags >> 8) & 15;
2331 }
2332
2333 static int rsm_load_seg_32(struct x86_emulate_ctxt *ctxt, u64 smbase, int n)
2334 {
2335 struct desc_struct desc;
2336 int offset;
2337 u16 selector;
2338
2339 selector = GET_SMSTATE(u32, smbase, 0x7fa8 + n * 4);
2340
2341 if (n < 3)
2342 offset = 0x7f84 + n * 12;
2343 else
2344 offset = 0x7f2c + (n - 3) * 12;
2345
2346 set_desc_base(&desc, GET_SMSTATE(u32, smbase, offset + 8));
2347 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, offset + 4));
2348 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, offset));
2349 ctxt->ops->set_segment(ctxt, selector, &desc, 0, n);
2350 return X86EMUL_CONTINUE;
2351 }
2352
2353 static int rsm_load_seg_64(struct x86_emulate_ctxt *ctxt, u64 smbase, int n)
2354 {
2355 struct desc_struct desc;
2356 int offset;
2357 u16 selector;
2358 u32 base3;
2359
2360 offset = 0x7e00 + n * 16;
2361
2362 selector = GET_SMSTATE(u16, smbase, offset);
2363 rsm_set_desc_flags(&desc, GET_SMSTATE(u16, smbase, offset + 2) << 8);
2364 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, offset + 4));
2365 set_desc_base(&desc, GET_SMSTATE(u32, smbase, offset + 8));
2366 base3 = GET_SMSTATE(u32, smbase, offset + 12);
2367
2368 ctxt->ops->set_segment(ctxt, selector, &desc, base3, n);
2369 return X86EMUL_CONTINUE;
2370 }
2371
2372 static int rsm_enter_protected_mode(struct x86_emulate_ctxt *ctxt,
2373 u64 cr0, u64 cr4)
2374 {
2375 int bad;
2376
2377 /*
2378 * First enable PAE, long mode needs it before CR0.PG = 1 is set.
2379 * Then enable protected mode. However, PCID cannot be enabled
2380 * if EFER.LMA=0, so set it separately.
2381 */
2382 bad = ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE);
2383 if (bad)
2384 return X86EMUL_UNHANDLEABLE;
2385
2386 bad = ctxt->ops->set_cr(ctxt, 0, cr0);
2387 if (bad)
2388 return X86EMUL_UNHANDLEABLE;
2389
2390 if (cr4 & X86_CR4_PCIDE) {
2391 bad = ctxt->ops->set_cr(ctxt, 4, cr4);
2392 if (bad)
2393 return X86EMUL_UNHANDLEABLE;
2394 }
2395
2396 return X86EMUL_CONTINUE;
2397 }
2398
2399 static int rsm_load_state_32(struct x86_emulate_ctxt *ctxt, u64 smbase)
2400 {
2401 struct desc_struct desc;
2402 struct desc_ptr dt;
2403 u16 selector;
2404 u32 val, cr0, cr4;
2405 int i;
2406
2407 cr0 = GET_SMSTATE(u32, smbase, 0x7ffc);
2408 ctxt->ops->set_cr(ctxt, 3, GET_SMSTATE(u32, smbase, 0x7ff8));
2409 ctxt->eflags = GET_SMSTATE(u32, smbase, 0x7ff4) | X86_EFLAGS_FIXED;
2410 ctxt->_eip = GET_SMSTATE(u32, smbase, 0x7ff0);
2411
2412 for (i = 0; i < 8; i++)
2413 *reg_write(ctxt, i) = GET_SMSTATE(u32, smbase, 0x7fd0 + i * 4);
2414
2415 val = GET_SMSTATE(u32, smbase, 0x7fcc);
2416 ctxt->ops->set_dr(ctxt, 6, (val & DR6_VOLATILE) | DR6_FIXED_1);
2417 val = GET_SMSTATE(u32, smbase, 0x7fc8);
2418 ctxt->ops->set_dr(ctxt, 7, (val & DR7_VOLATILE) | DR7_FIXED_1);
2419
2420 selector = GET_SMSTATE(u32, smbase, 0x7fc4);
2421 set_desc_base(&desc, GET_SMSTATE(u32, smbase, 0x7f64));
2422 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, 0x7f60));
2423 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, 0x7f5c));
2424 ctxt->ops->set_segment(ctxt, selector, &desc, 0, VCPU_SREG_TR);
2425
2426 selector = GET_SMSTATE(u32, smbase, 0x7fc0);
2427 set_desc_base(&desc, GET_SMSTATE(u32, smbase, 0x7f80));
2428 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, 0x7f7c));
2429 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, 0x7f78));
2430 ctxt->ops->set_segment(ctxt, selector, &desc, 0, VCPU_SREG_LDTR);
2431
2432 dt.address = GET_SMSTATE(u32, smbase, 0x7f74);
2433 dt.size = GET_SMSTATE(u32, smbase, 0x7f70);
2434 ctxt->ops->set_gdt(ctxt, &dt);
2435
2436 dt.address = GET_SMSTATE(u32, smbase, 0x7f58);
2437 dt.size = GET_SMSTATE(u32, smbase, 0x7f54);
2438 ctxt->ops->set_idt(ctxt, &dt);
2439
2440 for (i = 0; i < 6; i++) {
2441 int r = rsm_load_seg_32(ctxt, smbase, i);
2442 if (r != X86EMUL_CONTINUE)
2443 return r;
2444 }
2445
2446 cr4 = GET_SMSTATE(u32, smbase, 0x7f14);
2447
2448 ctxt->ops->set_smbase(ctxt, GET_SMSTATE(u32, smbase, 0x7ef8));
2449
2450 return rsm_enter_protected_mode(ctxt, cr0, cr4);
2451 }
2452
2453 static int rsm_load_state_64(struct x86_emulate_ctxt *ctxt, u64 smbase)
2454 {
2455 struct desc_struct desc;
2456 struct desc_ptr dt;
2457 u64 val, cr0, cr4;
2458 u32 base3;
2459 u16 selector;
2460 int i, r;
2461
2462 for (i = 0; i < 16; i++)
2463 *reg_write(ctxt, i) = GET_SMSTATE(u64, smbase, 0x7ff8 - i * 8);
2464
2465 ctxt->_eip = GET_SMSTATE(u64, smbase, 0x7f78);
2466 ctxt->eflags = GET_SMSTATE(u32, smbase, 0x7f70) | X86_EFLAGS_FIXED;
2467
2468 val = GET_SMSTATE(u32, smbase, 0x7f68);
2469 ctxt->ops->set_dr(ctxt, 6, (val & DR6_VOLATILE) | DR6_FIXED_1);
2470 val = GET_SMSTATE(u32, smbase, 0x7f60);
2471 ctxt->ops->set_dr(ctxt, 7, (val & DR7_VOLATILE) | DR7_FIXED_1);
2472
2473 cr0 = GET_SMSTATE(u64, smbase, 0x7f58);
2474 ctxt->ops->set_cr(ctxt, 3, GET_SMSTATE(u64, smbase, 0x7f50));
2475 cr4 = GET_SMSTATE(u64, smbase, 0x7f48);
2476 ctxt->ops->set_smbase(ctxt, GET_SMSTATE(u32, smbase, 0x7f00));
2477 val = GET_SMSTATE(u64, smbase, 0x7ed0);
2478 ctxt->ops->set_msr(ctxt, MSR_EFER, val & ~EFER_LMA);
2479
2480 selector = GET_SMSTATE(u32, smbase, 0x7e90);
2481 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, 0x7e92) << 8);
2482 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, 0x7e94));
2483 set_desc_base(&desc, GET_SMSTATE(u32, smbase, 0x7e98));
2484 base3 = GET_SMSTATE(u32, smbase, 0x7e9c);
2485 ctxt->ops->set_segment(ctxt, selector, &desc, base3, VCPU_SREG_TR);
2486
2487 dt.size = GET_SMSTATE(u32, smbase, 0x7e84);
2488 dt.address = GET_SMSTATE(u64, smbase, 0x7e88);
2489 ctxt->ops->set_idt(ctxt, &dt);
2490
2491 selector = GET_SMSTATE(u32, smbase, 0x7e70);
2492 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, 0x7e72) << 8);
2493 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, 0x7e74));
2494 set_desc_base(&desc, GET_SMSTATE(u32, smbase, 0x7e78));
2495 base3 = GET_SMSTATE(u32, smbase, 0x7e7c);
2496 ctxt->ops->set_segment(ctxt, selector, &desc, base3, VCPU_SREG_LDTR);
2497
2498 dt.size = GET_SMSTATE(u32, smbase, 0x7e64);
2499 dt.address = GET_SMSTATE(u64, smbase, 0x7e68);
2500 ctxt->ops->set_gdt(ctxt, &dt);
2501
2502 r = rsm_enter_protected_mode(ctxt, cr0, cr4);
2503 if (r != X86EMUL_CONTINUE)
2504 return r;
2505
2506 for (i = 0; i < 6; i++) {
2507 r = rsm_load_seg_64(ctxt, smbase, i);
2508 if (r != X86EMUL_CONTINUE)
2509 return r;
2510 }
2511
2512 return X86EMUL_CONTINUE;
2513 }
2514
2515 static int em_rsm(struct x86_emulate_ctxt *ctxt)
2516 {
2517 unsigned long cr0, cr4, efer;
2518 u64 smbase;
2519 int ret;
2520
2521 if ((ctxt->emul_flags & X86EMUL_SMM_MASK) == 0)
2522 return emulate_ud(ctxt);
2523
2524 /*
2525 * Get back to real mode, to prepare a safe state in which to load
2526 * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU
2527 * supports long mode.
2528 */
2529 cr4 = ctxt->ops->get_cr(ctxt, 4);
2530 if (emulator_has_longmode(ctxt)) {
2531 struct desc_struct cs_desc;
2532
2533 /* Zero CR4.PCIDE before CR0.PG. */
2534 if (cr4 & X86_CR4_PCIDE) {
2535 ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE);
2536 cr4 &= ~X86_CR4_PCIDE;
2537 }
2538
2539 /* A 32-bit code segment is required to clear EFER.LMA. */
2540 memset(&cs_desc, 0, sizeof(cs_desc));
2541 cs_desc.type = 0xb;
2542 cs_desc.s = cs_desc.g = cs_desc.p = 1;
2543 ctxt->ops->set_segment(ctxt, 0, &cs_desc, 0, VCPU_SREG_CS);
2544 }
2545
2546 /* For the 64-bit case, this will clear EFER.LMA. */
2547 cr0 = ctxt->ops->get_cr(ctxt, 0);
2548 if (cr0 & X86_CR0_PE)
2549 ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE));
2550
2551 /* Now clear CR4.PAE (which must be done before clearing EFER.LME). */
2552 if (cr4 & X86_CR4_PAE)
2553 ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE);
2554
2555 /* And finally go back to 32-bit mode. */
2556 efer = 0;
2557 ctxt->ops->set_msr(ctxt, MSR_EFER, efer);
2558
2559 smbase = ctxt->ops->get_smbase(ctxt);
2560 if (emulator_has_longmode(ctxt))
2561 ret = rsm_load_state_64(ctxt, smbase + 0x8000);
2562 else
2563 ret = rsm_load_state_32(ctxt, smbase + 0x8000);
2564
2565 if (ret != X86EMUL_CONTINUE) {
2566 /* FIXME: should triple fault */
2567 return X86EMUL_UNHANDLEABLE;
2568 }
2569
2570 if ((ctxt->emul_flags & X86EMUL_SMM_INSIDE_NMI_MASK) == 0)
2571 ctxt->ops->set_nmi_mask(ctxt, false);
2572
2573 ctxt->emul_flags &= ~X86EMUL_SMM_INSIDE_NMI_MASK;
2574 ctxt->emul_flags &= ~X86EMUL_SMM_MASK;
2575 return X86EMUL_CONTINUE;
2576 }
2577
2578 static void
2579 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
2580 struct desc_struct *cs, struct desc_struct *ss)
2581 {
2582 cs->l = 0; /* will be adjusted later */
2583 set_desc_base(cs, 0); /* flat segment */
2584 cs->g = 1; /* 4kb granularity */
2585 set_desc_limit(cs, 0xfffff); /* 4GB limit */
2586 cs->type = 0x0b; /* Read, Execute, Accessed */
2587 cs->s = 1;
2588 cs->dpl = 0; /* will be adjusted later */
2589 cs->p = 1;
2590 cs->d = 1;
2591 cs->avl = 0;
2592
2593 set_desc_base(ss, 0); /* flat segment */
2594 set_desc_limit(ss, 0xfffff); /* 4GB limit */
2595 ss->g = 1; /* 4kb granularity */
2596 ss->s = 1;
2597 ss->type = 0x03; /* Read/Write, Accessed */
2598 ss->d = 1; /* 32bit stack segment */
2599 ss->dpl = 0;
2600 ss->p = 1;
2601 ss->l = 0;
2602 ss->avl = 0;
2603 }
2604
2605 static bool vendor_intel(struct x86_emulate_ctxt *ctxt)
2606 {
2607 u32 eax, ebx, ecx, edx;
2608
2609 eax = ecx = 0;
2610 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
2611 return ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx
2612 && ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx
2613 && edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx;
2614 }
2615
2616 static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt)
2617 {
2618 const struct x86_emulate_ops *ops = ctxt->ops;
2619 u32 eax, ebx, ecx, edx;
2620
2621 /*
2622 * syscall should always be enabled in longmode - so only become
2623 * vendor specific (cpuid) if other modes are active...
2624 */
2625 if (ctxt->mode == X86EMUL_MODE_PROT64)
2626 return true;
2627
2628 eax = 0x00000000;
2629 ecx = 0x00000000;
2630 ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
2631 /*
2632 * Intel ("GenuineIntel")
2633 * remark: Intel CPUs only support "syscall" in 64bit
2634 * longmode. Also an 64bit guest with a
2635 * 32bit compat-app running will #UD !! While this
2636 * behaviour can be fixed (by emulating) into AMD
2637 * response - CPUs of AMD can't behave like Intel.
2638 */
2639 if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
2640 ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
2641 edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
2642 return false;
2643
2644 /* AMD ("AuthenticAMD") */
2645 if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
2646 ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
2647 edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
2648 return true;
2649
2650 /* AMD ("AMDisbetter!") */
2651 if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
2652 ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
2653 edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
2654 return true;
2655
2656 /* default: (not Intel, not AMD), apply Intel's stricter rules... */
2657 return false;
2658 }
2659
2660 static int em_syscall(struct x86_emulate_ctxt *ctxt)
2661 {
2662 const struct x86_emulate_ops *ops = ctxt->ops;
2663 struct desc_struct cs, ss;
2664 u64 msr_data;
2665 u16 cs_sel, ss_sel;
2666 u64 efer = 0;
2667
2668 /* syscall is not available in real mode */
2669 if (ctxt->mode == X86EMUL_MODE_REAL ||
2670 ctxt->mode == X86EMUL_MODE_VM86)
2671 return emulate_ud(ctxt);
2672
2673 if (!(em_syscall_is_enabled(ctxt)))
2674 return emulate_ud(ctxt);
2675
2676 ops->get_msr(ctxt, MSR_EFER, &efer);
2677 setup_syscalls_segments(ctxt, &cs, &ss);
2678
2679 if (!(efer & EFER_SCE))
2680 return emulate_ud(ctxt);
2681
2682 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2683 msr_data >>= 32;
2684 cs_sel = (u16)(msr_data & 0xfffc);
2685 ss_sel = (u16)(msr_data + 8);
2686
2687 if (efer & EFER_LMA) {
2688 cs.d = 0;
2689 cs.l = 1;
2690 }
2691 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2692 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2693
2694 *reg_write(ctxt, VCPU_REGS_RCX) = ctxt->_eip;
2695 if (efer & EFER_LMA) {
2696 #ifdef CONFIG_X86_64
2697 *reg_write(ctxt, VCPU_REGS_R11) = ctxt->eflags;
2698
2699 ops->get_msr(ctxt,
2700 ctxt->mode == X86EMUL_MODE_PROT64 ?
2701 MSR_LSTAR : MSR_CSTAR, &msr_data);
2702 ctxt->_eip = msr_data;
2703
2704 ops->get_msr(ctxt, MSR_SYSCALL_MASK, &msr_data);
2705 ctxt->eflags &= ~msr_data;
2706 ctxt->eflags |= X86_EFLAGS_FIXED;
2707 #endif
2708 } else {
2709 /* legacy mode */
2710 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2711 ctxt->_eip = (u32)msr_data;
2712
2713 ctxt->eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
2714 }
2715
2716 return X86EMUL_CONTINUE;
2717 }
2718
2719 static int em_sysenter(struct x86_emulate_ctxt *ctxt)
2720 {
2721 const struct x86_emulate_ops *ops = ctxt->ops;
2722 struct desc_struct cs, ss;
2723 u64 msr_data;
2724 u16 cs_sel, ss_sel;
2725 u64 efer = 0;
2726
2727 ops->get_msr(ctxt, MSR_EFER, &efer);
2728 /* inject #GP if in real mode */
2729 if (ctxt->mode == X86EMUL_MODE_REAL)
2730 return emulate_gp(ctxt, 0);
2731
2732 /*
2733 * Not recognized on AMD in compat mode (but is recognized in legacy
2734 * mode).
2735 */
2736 if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
2737 && !vendor_intel(ctxt))
2738 return emulate_ud(ctxt);
2739
2740 /* sysenter/sysexit have not been tested in 64bit mode. */
2741 if (ctxt->mode == X86EMUL_MODE_PROT64)
2742 return X86EMUL_UNHANDLEABLE;
2743
2744 setup_syscalls_segments(ctxt, &cs, &ss);
2745
2746 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2747 if ((msr_data & 0xfffc) == 0x0)
2748 return emulate_gp(ctxt, 0);
2749
2750 ctxt->eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
2751 cs_sel = (u16)msr_data & ~SEGMENT_RPL_MASK;
2752 ss_sel = cs_sel + 8;
2753 if (efer & EFER_LMA) {
2754 cs.d = 0;
2755 cs.l = 1;
2756 }
2757
2758 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2759 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2760
2761 ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
2762 ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
2763
2764 ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
2765 *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
2766 (u32)msr_data;
2767
2768 return X86EMUL_CONTINUE;
2769 }
2770
2771 static int em_sysexit(struct x86_emulate_ctxt *ctxt)
2772 {
2773 const struct x86_emulate_ops *ops = ctxt->ops;
2774 struct desc_struct cs, ss;
2775 u64 msr_data, rcx, rdx;
2776 int usermode;
2777 u16 cs_sel = 0, ss_sel = 0;
2778
2779 /* inject #GP if in real mode or Virtual 8086 mode */
2780 if (ctxt->mode == X86EMUL_MODE_REAL ||
2781 ctxt->mode == X86EMUL_MODE_VM86)
2782 return emulate_gp(ctxt, 0);
2783
2784 setup_syscalls_segments(ctxt, &cs, &ss);
2785
2786 if ((ctxt->rex_prefix & 0x8) != 0x0)
2787 usermode = X86EMUL_MODE_PROT64;
2788 else
2789 usermode = X86EMUL_MODE_PROT32;
2790
2791 rcx = reg_read(ctxt, VCPU_REGS_RCX);
2792 rdx = reg_read(ctxt, VCPU_REGS_RDX);
2793
2794 cs.dpl = 3;
2795 ss.dpl = 3;
2796 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2797 switch (usermode) {
2798 case X86EMUL_MODE_PROT32:
2799 cs_sel = (u16)(msr_data + 16);
2800 if ((msr_data & 0xfffc) == 0x0)
2801 return emulate_gp(ctxt, 0);
2802 ss_sel = (u16)(msr_data + 24);
2803 rcx = (u32)rcx;
2804 rdx = (u32)rdx;
2805 break;
2806 case X86EMUL_MODE_PROT64:
2807 cs_sel = (u16)(msr_data + 32);
2808 if (msr_data == 0x0)
2809 return emulate_gp(ctxt, 0);
2810 ss_sel = cs_sel + 8;
2811 cs.d = 0;
2812 cs.l = 1;
2813 if (is_noncanonical_address(rcx) ||
2814 is_noncanonical_address(rdx))
2815 return emulate_gp(ctxt, 0);
2816 break;
2817 }
2818 cs_sel |= SEGMENT_RPL_MASK;
2819 ss_sel |= SEGMENT_RPL_MASK;
2820
2821 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2822 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2823
2824 ctxt->_eip = rdx;
2825 *reg_write(ctxt, VCPU_REGS_RSP) = rcx;
2826
2827 return X86EMUL_CONTINUE;
2828 }
2829
2830 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt)
2831 {
2832 int iopl;
2833 if (ctxt->mode == X86EMUL_MODE_REAL)
2834 return false;
2835 if (ctxt->mode == X86EMUL_MODE_VM86)
2836 return true;
2837 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> X86_EFLAGS_IOPL_BIT;
2838 return ctxt->ops->cpl(ctxt) > iopl;
2839 }
2840
2841 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2842 u16 port, u16 len)
2843 {
2844 const struct x86_emulate_ops *ops = ctxt->ops;
2845 struct desc_struct tr_seg;
2846 u32 base3;
2847 int r;
2848 u16 tr, io_bitmap_ptr, perm, bit_idx = port & 0x7;
2849 unsigned mask = (1 << len) - 1;
2850 unsigned long base;
2851
2852 ops->get_segment(ctxt, &tr, &tr_seg, &base3, VCPU_SREG_TR);
2853 if (!tr_seg.p)
2854 return false;
2855 if (desc_limit_scaled(&tr_seg) < 103)
2856 return false;
2857 base = get_desc_base(&tr_seg);
2858 #ifdef CONFIG_X86_64
2859 base |= ((u64)base3) << 32;
2860 #endif
2861 r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL);
2862 if (r != X86EMUL_CONTINUE)
2863 return false;
2864 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2865 return false;
2866 r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL);
2867 if (r != X86EMUL_CONTINUE)
2868 return false;
2869 if ((perm >> bit_idx) & mask)
2870 return false;
2871 return true;
2872 }
2873
2874 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2875 u16 port, u16 len)
2876 {
2877 if (ctxt->perm_ok)
2878 return true;
2879
2880 if (emulator_bad_iopl(ctxt))
2881 if (!emulator_io_port_access_allowed(ctxt, port, len))
2882 return false;
2883
2884 ctxt->perm_ok = true;
2885
2886 return true;
2887 }
2888
2889 static void string_registers_quirk(struct x86_emulate_ctxt *ctxt)
2890 {
2891 /*
2892 * Intel CPUs mask the counter and pointers in quite strange
2893 * manner when ECX is zero due to REP-string optimizations.
2894 */
2895 #ifdef CONFIG_X86_64
2896 if (ctxt->ad_bytes != 4 || !vendor_intel(ctxt))
2897 return;
2898
2899 *reg_write(ctxt, VCPU_REGS_RCX) = 0;
2900
2901 switch (ctxt->b) {
2902 case 0xa4: /* movsb */
2903 case 0xa5: /* movsd/w */
2904 *reg_rmw(ctxt, VCPU_REGS_RSI) &= (u32)-1;
2905 /* fall through */
2906 case 0xaa: /* stosb */
2907 case 0xab: /* stosd/w */
2908 *reg_rmw(ctxt, VCPU_REGS_RDI) &= (u32)-1;
2909 }
2910 #endif
2911 }
2912
2913 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2914 struct tss_segment_16 *tss)
2915 {
2916 tss->ip = ctxt->_eip;
2917 tss->flag = ctxt->eflags;
2918 tss->ax = reg_read(ctxt, VCPU_REGS_RAX);
2919 tss->cx = reg_read(ctxt, VCPU_REGS_RCX);
2920 tss->dx = reg_read(ctxt, VCPU_REGS_RDX);
2921 tss->bx = reg_read(ctxt, VCPU_REGS_RBX);
2922 tss->sp = reg_read(ctxt, VCPU_REGS_RSP);
2923 tss->bp = reg_read(ctxt, VCPU_REGS_RBP);
2924 tss->si = reg_read(ctxt, VCPU_REGS_RSI);
2925 tss->di = reg_read(ctxt, VCPU_REGS_RDI);
2926
2927 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2928 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2929 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2930 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2931 tss->ldt = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2932 }
2933
2934 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2935 struct tss_segment_16 *tss)
2936 {
2937 int ret;
2938 u8 cpl;
2939
2940 ctxt->_eip = tss->ip;
2941 ctxt->eflags = tss->flag | 2;
2942 *reg_write(ctxt, VCPU_REGS_RAX) = tss->ax;
2943 *reg_write(ctxt, VCPU_REGS_RCX) = tss->cx;
2944 *reg_write(ctxt, VCPU_REGS_RDX) = tss->dx;
2945 *reg_write(ctxt, VCPU_REGS_RBX) = tss->bx;
2946 *reg_write(ctxt, VCPU_REGS_RSP) = tss->sp;
2947 *reg_write(ctxt, VCPU_REGS_RBP) = tss->bp;
2948 *reg_write(ctxt, VCPU_REGS_RSI) = tss->si;
2949 *reg_write(ctxt, VCPU_REGS_RDI) = tss->di;
2950
2951 /*
2952 * SDM says that segment selectors are loaded before segment
2953 * descriptors
2954 */
2955 set_segment_selector(ctxt, tss->ldt, VCPU_SREG_LDTR);
2956 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2957 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2958 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2959 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2960
2961 cpl = tss->cs & 3;
2962
2963 /*
2964 * Now load segment descriptors. If fault happens at this stage
2965 * it is handled in a context of new task
2966 */
2967 ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl,
2968 X86_TRANSFER_TASK_SWITCH, NULL);
2969 if (ret != X86EMUL_CONTINUE)
2970 return ret;
2971 ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
2972 X86_TRANSFER_TASK_SWITCH, NULL);
2973 if (ret != X86EMUL_CONTINUE)
2974 return ret;
2975 ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
2976 X86_TRANSFER_TASK_SWITCH, NULL);
2977 if (ret != X86EMUL_CONTINUE)
2978 return ret;
2979 ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
2980 X86_TRANSFER_TASK_SWITCH, NULL);
2981 if (ret != X86EMUL_CONTINUE)
2982 return ret;
2983 ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
2984 X86_TRANSFER_TASK_SWITCH, NULL);
2985 if (ret != X86EMUL_CONTINUE)
2986 return ret;
2987
2988 return X86EMUL_CONTINUE;
2989 }
2990
2991 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2992 u16 tss_selector, u16 old_tss_sel,
2993 ulong old_tss_base, struct desc_struct *new_desc)
2994 {
2995 const struct x86_emulate_ops *ops = ctxt->ops;
2996 struct tss_segment_16 tss_seg;
2997 int ret;
2998 u32 new_tss_base = get_desc_base(new_desc);
2999
3000 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
3001 &ctxt->exception);
3002 if (ret != X86EMUL_CONTINUE)
3003 return ret;
3004
3005 save_state_to_tss16(ctxt, &tss_seg);
3006
3007 ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
3008 &ctxt->exception);
3009 if (ret != X86EMUL_CONTINUE)
3010 return ret;
3011
3012 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
3013 &ctxt->exception);
3014 if (ret != X86EMUL_CONTINUE)
3015 return ret;
3016
3017 if (old_tss_sel != 0xffff) {
3018 tss_seg.prev_task_link = old_tss_sel;
3019
3020 ret = ops->write_std(ctxt, new_tss_base,
3021 &tss_seg.prev_task_link,
3022 sizeof tss_seg.prev_task_link,
3023 &ctxt->exception);
3024 if (ret != X86EMUL_CONTINUE)
3025 return ret;
3026 }
3027
3028 return load_state_from_tss16(ctxt, &tss_seg);
3029 }
3030
3031 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
3032 struct tss_segment_32 *tss)
3033 {
3034 /* CR3 and ldt selector are not saved intentionally */
3035 tss->eip = ctxt->_eip;
3036 tss->eflags = ctxt->eflags;
3037 tss->eax = reg_read(ctxt, VCPU_REGS_RAX);
3038 tss->ecx = reg_read(ctxt, VCPU_REGS_RCX);
3039 tss->edx = reg_read(ctxt, VCPU_REGS_RDX);
3040 tss->ebx = reg_read(ctxt, VCPU_REGS_RBX);
3041 tss->esp = reg_read(ctxt, VCPU_REGS_RSP);
3042 tss->ebp = reg_read(ctxt, VCPU_REGS_RBP);
3043 tss->esi = reg_read(ctxt, VCPU_REGS_RSI);
3044 tss->edi = reg_read(ctxt, VCPU_REGS_RDI);
3045
3046 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
3047 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
3048 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
3049 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
3050 tss->fs = get_segment_selector(ctxt, VCPU_SREG_FS);
3051 tss->gs = get_segment_selector(ctxt, VCPU_SREG_GS);
3052 }
3053
3054 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
3055 struct tss_segment_32 *tss)
3056 {
3057 int ret;
3058 u8 cpl;
3059
3060 if (ctxt->ops->set_cr(ctxt, 3, tss->cr3))
3061 return emulate_gp(ctxt, 0);
3062 ctxt->_eip = tss->eip;
3063 ctxt->eflags = tss->eflags | 2;
3064
3065 /* General purpose registers */
3066 *reg_write(ctxt, VCPU_REGS_RAX) = tss->eax;
3067 *reg_write(ctxt, VCPU_REGS_RCX) = tss->ecx;
3068 *reg_write(ctxt, VCPU_REGS_RDX) = tss->edx;
3069 *reg_write(ctxt, VCPU_REGS_RBX) = tss->ebx;
3070 *reg_write(ctxt, VCPU_REGS_RSP) = tss->esp;
3071 *reg_write(ctxt, VCPU_REGS_RBP) = tss->ebp;
3072 *reg_write(ctxt, VCPU_REGS_RSI) = tss->esi;
3073 *reg_write(ctxt, VCPU_REGS_RDI) = tss->edi;
3074
3075 /*
3076 * SDM says that segment selectors are loaded before segment
3077 * descriptors. This is important because CPL checks will
3078 * use CS.RPL.
3079 */
3080 set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
3081 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
3082 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
3083 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
3084 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
3085 set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS);
3086 set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS);
3087
3088 /*
3089 * If we're switching between Protected Mode and VM86, we need to make
3090 * sure to update the mode before loading the segment descriptors so
3091 * that the selectors are interpreted correctly.
3092 */
3093 if (ctxt->eflags & X86_EFLAGS_VM) {
3094 ctxt->mode = X86EMUL_MODE_VM86;
3095 cpl = 3;
3096 } else {
3097 ctxt->mode = X86EMUL_MODE_PROT32;
3098 cpl = tss->cs & 3;
3099 }
3100
3101 /*
3102 * Now load segment descriptors. If fault happenes at this stage
3103 * it is handled in a context of new task
3104 */
3105 ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR,
3106 cpl, X86_TRANSFER_TASK_SWITCH, NULL);
3107 if (ret != X86EMUL_CONTINUE)
3108 return ret;
3109 ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
3110 X86_TRANSFER_TASK_SWITCH, NULL);
3111 if (ret != X86EMUL_CONTINUE)
3112 return ret;
3113 ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
3114 X86_TRANSFER_TASK_SWITCH, NULL);
3115 if (ret != X86EMUL_CONTINUE)
3116 return ret;
3117 ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
3118 X86_TRANSFER_TASK_SWITCH, NULL);
3119 if (ret != X86EMUL_CONTINUE)
3120 return ret;
3121 ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
3122 X86_TRANSFER_TASK_SWITCH, NULL);
3123 if (ret != X86EMUL_CONTINUE)
3124 return ret;
3125 ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl,
3126 X86_TRANSFER_TASK_SWITCH, NULL);
3127 if (ret != X86EMUL_CONTINUE)
3128 return ret;
3129 ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl,
3130 X86_TRANSFER_TASK_SWITCH, NULL);
3131
3132 return ret;
3133 }
3134
3135 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
3136 u16 tss_selector, u16 old_tss_sel,
3137 ulong old_tss_base, struct desc_struct *new_desc)
3138 {
3139 const struct x86_emulate_ops *ops = ctxt->ops;
3140 struct tss_segment_32 tss_seg;
3141 int ret;
3142 u32 new_tss_base = get_desc_base(new_desc);
3143 u32 eip_offset = offsetof(struct tss_segment_32, eip);
3144 u32 ldt_sel_offset = offsetof(struct tss_segment_32, ldt_selector);
3145
3146 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
3147 &ctxt->exception);
3148 if (ret != X86EMUL_CONTINUE)
3149 return ret;
3150
3151 save_state_to_tss32(ctxt, &tss_seg);
3152
3153 /* Only GP registers and segment selectors are saved */
3154 ret = ops->write_std(ctxt, old_tss_base + eip_offset, &tss_seg.eip,
3155 ldt_sel_offset - eip_offset, &ctxt->exception);
3156 if (ret != X86EMUL_CONTINUE)
3157 return ret;
3158
3159 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
3160 &ctxt->exception);
3161 if (ret != X86EMUL_CONTINUE)
3162 return ret;
3163
3164 if (old_tss_sel != 0xffff) {
3165 tss_seg.prev_task_link = old_tss_sel;
3166
3167 ret = ops->write_std(ctxt, new_tss_base,
3168 &tss_seg.prev_task_link,
3169 sizeof tss_seg.prev_task_link,
3170 &ctxt->exception);
3171 if (ret != X86EMUL_CONTINUE)
3172 return ret;
3173 }
3174
3175 return load_state_from_tss32(ctxt, &tss_seg);
3176 }
3177
3178 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
3179 u16 tss_selector, int idt_index, int reason,
3180 bool has_error_code, u32 error_code)
3181 {
3182 const struct x86_emulate_ops *ops = ctxt->ops;
3183 struct desc_struct curr_tss_desc, next_tss_desc;
3184 int ret;
3185 u16 old_tss_sel = get_segment_selector(ctxt, VCPU_SREG_TR);
3186 ulong old_tss_base =
3187 ops->get_cached_segment_base(ctxt, VCPU_SREG_TR);
3188 u32 desc_limit;
3189 ulong desc_addr, dr7;
3190
3191 /* FIXME: old_tss_base == ~0 ? */
3192
3193 ret = read_segment_descriptor(ctxt, tss_selector, &next_tss_desc, &desc_addr);
3194 if (ret != X86EMUL_CONTINUE)
3195 return ret;
3196 ret = read_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc, &desc_addr);
3197 if (ret != X86EMUL_CONTINUE)
3198 return ret;
3199
3200 /* FIXME: check that next_tss_desc is tss */
3201
3202 /*
3203 * Check privileges. The three cases are task switch caused by...
3204 *
3205 * 1. jmp/call/int to task gate: Check against DPL of the task gate
3206 * 2. Exception/IRQ/iret: No check is performed
3207 * 3. jmp/call to TSS/task-gate: No check is performed since the
3208 * hardware checks it before exiting.
3209 */
3210 if (reason == TASK_SWITCH_GATE) {
3211 if (idt_index != -1) {
3212 /* Software interrupts */
3213 struct desc_struct task_gate_desc;
3214 int dpl;
3215
3216 ret = read_interrupt_descriptor(ctxt, idt_index,
3217 &task_gate_desc);
3218 if (ret != X86EMUL_CONTINUE)
3219 return ret;
3220
3221 dpl = task_gate_desc.dpl;
3222 if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
3223 return emulate_gp(ctxt, (idt_index << 3) | 0x2);
3224 }
3225 }
3226
3227 desc_limit = desc_limit_scaled(&next_tss_desc);
3228 if (!next_tss_desc.p ||
3229 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
3230 desc_limit < 0x2b)) {
3231 return emulate_ts(ctxt, tss_selector & 0xfffc);
3232 }
3233
3234 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
3235 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
3236 write_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
3237 }
3238
3239 if (reason == TASK_SWITCH_IRET)
3240 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
3241
3242 /* set back link to prev task only if NT bit is set in eflags
3243 note that old_tss_sel is not used after this point */
3244 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
3245 old_tss_sel = 0xffff;
3246
3247 if (next_tss_desc.type & 8)
3248 ret = task_switch_32(ctxt, tss_selector, old_tss_sel,
3249 old_tss_base, &next_tss_desc);
3250 else
3251 ret = task_switch_16(ctxt, tss_selector, old_tss_sel,
3252 old_tss_base, &next_tss_desc);
3253 if (ret != X86EMUL_CONTINUE)
3254 return ret;
3255
3256 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
3257 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
3258
3259 if (reason != TASK_SWITCH_IRET) {
3260 next_tss_desc.type |= (1 << 1); /* set busy flag */
3261 write_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
3262 }
3263
3264 ops->set_cr(ctxt, 0, ops->get_cr(ctxt, 0) | X86_CR0_TS);
3265 ops->set_segment(ctxt, tss_selector, &next_tss_desc, 0, VCPU_SREG_TR);
3266
3267 if (has_error_code) {
3268 ctxt->op_bytes = ctxt->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
3269 ctxt->lock_prefix = 0;
3270 ctxt->src.val = (unsigned long) error_code;
3271 ret = em_push(ctxt);
3272 }
3273
3274 ops->get_dr(ctxt, 7, &dr7);
3275 ops->set_dr(ctxt, 7, dr7 & ~(DR_LOCAL_ENABLE_MASK | DR_LOCAL_SLOWDOWN));
3276
3277 return ret;
3278 }
3279
3280 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
3281 u16 tss_selector, int idt_index, int reason,
3282 bool has_error_code, u32 error_code)
3283 {
3284 int rc;
3285
3286 invalidate_registers(ctxt);
3287 ctxt->_eip = ctxt->eip;
3288 ctxt->dst.type = OP_NONE;
3289
3290 rc = emulator_do_task_switch(ctxt, tss_selector, idt_index, reason,
3291 has_error_code, error_code);
3292
3293 if (rc == X86EMUL_CONTINUE) {
3294 ctxt->eip = ctxt->_eip;
3295 writeback_registers(ctxt);
3296 }
3297
3298 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
3299 }
3300
3301 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, int reg,
3302 struct operand *op)
3303 {
3304 int df = (ctxt->eflags & X86_EFLAGS_DF) ? -op->count : op->count;
3305
3306 register_address_increment(ctxt, reg, df * op->bytes);
3307 op->addr.mem.ea = register_address(ctxt, reg);
3308 }
3309
3310 static int em_das(struct x86_emulate_ctxt *ctxt)
3311 {
3312 u8 al, old_al;
3313 bool af, cf, old_cf;
3314
3315 cf = ctxt->eflags & X86_EFLAGS_CF;
3316 al = ctxt->dst.val;
3317
3318 old_al = al;
3319 old_cf = cf;
3320 cf = false;
3321 af = ctxt->eflags & X86_EFLAGS_AF;
3322 if ((al & 0x0f) > 9 || af) {
3323 al -= 6;
3324 cf = old_cf | (al >= 250);
3325 af = true;
3326 } else {
3327 af = false;
3328 }
3329 if (old_al > 0x99 || old_cf) {
3330 al -= 0x60;
3331 cf = true;
3332 }
3333
3334 ctxt->dst.val = al;
3335 /* Set PF, ZF, SF */
3336 ctxt->src.type = OP_IMM;
3337 ctxt->src.val = 0;
3338 ctxt->src.bytes = 1;
3339 fastop(ctxt, em_or);
3340 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
3341 if (cf)
3342 ctxt->eflags |= X86_EFLAGS_CF;
3343 if (af)
3344 ctxt->eflags |= X86_EFLAGS_AF;
3345 return X86EMUL_CONTINUE;
3346 }
3347
3348 static int em_aam(struct x86_emulate_ctxt *ctxt)
3349 {
3350 u8 al, ah;
3351
3352 if (ctxt->src.val == 0)
3353 return emulate_de(ctxt);
3354
3355 al = ctxt->dst.val & 0xff;
3356 ah = al / ctxt->src.val;
3357 al %= ctxt->src.val;
3358
3359 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al | (ah << 8);
3360
3361 /* Set PF, ZF, SF */
3362 ctxt->src.type = OP_IMM;
3363 ctxt->src.val = 0;
3364 ctxt->src.bytes = 1;
3365 fastop(ctxt, em_or);
3366
3367 return X86EMUL_CONTINUE;
3368 }
3369
3370 static int em_aad(struct x86_emulate_ctxt *ctxt)
3371 {
3372 u8 al = ctxt->dst.val & 0xff;
3373 u8 ah = (ctxt->dst.val >> 8) & 0xff;
3374
3375 al = (al + (ah * ctxt->src.val)) & 0xff;
3376
3377 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al;
3378
3379 /* Set PF, ZF, SF */
3380 ctxt->src.type = OP_IMM;
3381 ctxt->src.val = 0;
3382 ctxt->src.bytes = 1;
3383 fastop(ctxt, em_or);
3384
3385 return X86EMUL_CONTINUE;
3386 }
3387
3388 static int em_call(struct x86_emulate_ctxt *ctxt)
3389 {
3390 int rc;
3391 long rel = ctxt->src.val;
3392
3393 ctxt->src.val = (unsigned long)ctxt->_eip;
3394 rc = jmp_rel(ctxt, rel);
3395 if (rc != X86EMUL_CONTINUE)
3396 return rc;
3397 return em_push(ctxt);
3398 }
3399
3400 static int em_call_far(struct x86_emulate_ctxt *ctxt)
3401 {
3402 u16 sel, old_cs;
3403 ulong old_eip;
3404 int rc;
3405 struct desc_struct old_desc, new_desc;
3406 const struct x86_emulate_ops *ops = ctxt->ops;
3407 int cpl = ctxt->ops->cpl(ctxt);
3408 enum x86emul_mode prev_mode = ctxt->mode;
3409
3410 old_eip = ctxt->_eip;
3411 ops->get_segment(ctxt, &old_cs, &old_desc, NULL, VCPU_SREG_CS);
3412
3413 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
3414 rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
3415 X86_TRANSFER_CALL_JMP, &new_desc);
3416 if (rc != X86EMUL_CONTINUE)
3417 return rc;
3418
3419 rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
3420 if (rc != X86EMUL_CONTINUE)
3421 goto fail;
3422
3423 ctxt->src.val = old_cs;
3424 rc = em_push(ctxt);
3425 if (rc != X86EMUL_CONTINUE)
3426 goto fail;
3427
3428 ctxt->src.val = old_eip;
3429 rc = em_push(ctxt);
3430 /* If we failed, we tainted the memory, but the very least we should
3431 restore cs */
3432 if (rc != X86EMUL_CONTINUE) {
3433 pr_warn_once("faulting far call emulation tainted memory\n");
3434 goto fail;
3435 }
3436 return rc;
3437 fail:
3438 ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
3439 ctxt->mode = prev_mode;
3440 return rc;
3441
3442 }
3443
3444 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
3445 {
3446 int rc;
3447 unsigned long eip;
3448
3449 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
3450 if (rc != X86EMUL_CONTINUE)
3451 return rc;
3452 rc = assign_eip_near(ctxt, eip);
3453 if (rc != X86EMUL_CONTINUE)
3454 return rc;
3455 rsp_increment(ctxt, ctxt->src.val);
3456 return X86EMUL_CONTINUE;
3457 }
3458
3459 static int em_xchg(struct x86_emulate_ctxt *ctxt)
3460 {
3461 /* Write back the register source. */
3462 ctxt->src.val = ctxt->dst.val;
3463 write_register_operand(&ctxt->src);
3464
3465 /* Write back the memory destination with implicit LOCK prefix. */
3466 ctxt->dst.val = ctxt->src.orig_val;
3467 ctxt->lock_prefix = 1;
3468 return X86EMUL_CONTINUE;
3469 }
3470
3471 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
3472 {
3473 ctxt->dst.val = ctxt->src2.val;
3474 return fastop(ctxt, em_imul);
3475 }
3476
3477 static int em_cwd(struct x86_emulate_ctxt *ctxt)
3478 {
3479 ctxt->dst.type = OP_REG;
3480 ctxt->dst.bytes = ctxt->src.bytes;
3481 ctxt->dst.addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
3482 ctxt->dst.val = ~((ctxt->src.val >> (ctxt->src.bytes * 8 - 1)) - 1);
3483
3484 return X86EMUL_CONTINUE;
3485 }
3486
3487 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
3488 {
3489 u64 tsc = 0;
3490
3491 ctxt->ops->get_msr(ctxt, MSR_IA32_TSC, &tsc);
3492 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)tsc;
3493 *reg_write(ctxt, VCPU_REGS_RDX) = tsc >> 32;
3494 return X86EMUL_CONTINUE;
3495 }
3496
3497 static int em_rdpmc(struct x86_emulate_ctxt *ctxt)
3498 {
3499 u64 pmc;
3500
3501 if (ctxt->ops->read_pmc(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &pmc))
3502 return emulate_gp(ctxt, 0);
3503 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)pmc;
3504 *reg_write(ctxt, VCPU_REGS_RDX) = pmc >> 32;
3505 return X86EMUL_CONTINUE;
3506 }
3507
3508 static int em_mov(struct x86_emulate_ctxt *ctxt)
3509 {
3510 memcpy(ctxt->dst.valptr, ctxt->src.valptr, sizeof(ctxt->src.valptr));
3511 return X86EMUL_CONTINUE;
3512 }
3513
3514 #define FFL(x) bit(X86_FEATURE_##x)
3515
3516 static int em_movbe(struct x86_emulate_ctxt *ctxt)
3517 {
3518 u32 ebx, ecx, edx, eax = 1;
3519 u16 tmp;
3520
3521 /*
3522 * Check MOVBE is set in the guest-visible CPUID leaf.
3523 */
3524 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
3525 if (!(ecx & FFL(MOVBE)))
3526 return emulate_ud(ctxt);
3527
3528 switch (ctxt->op_bytes) {
3529 case 2:
3530 /*
3531 * From MOVBE definition: "...When the operand size is 16 bits,
3532 * the upper word of the destination register remains unchanged
3533 * ..."
3534 *
3535 * Both casting ->valptr and ->val to u16 breaks strict aliasing
3536 * rules so we have to do the operation almost per hand.
3537 */
3538 tmp = (u16)ctxt->src.val;
3539 ctxt->dst.val &= ~0xffffUL;
3540 ctxt->dst.val |= (unsigned long)swab16(tmp);
3541 break;
3542 case 4:
3543 ctxt->dst.val = swab32((u32)ctxt->src.val);
3544 break;
3545 case 8:
3546 ctxt->dst.val = swab64(ctxt->src.val);
3547 break;
3548 default:
3549 BUG();
3550 }
3551 return X86EMUL_CONTINUE;
3552 }
3553
3554 static int em_cr_write(struct x86_emulate_ctxt *ctxt)
3555 {
3556 if (ctxt->ops->set_cr(ctxt, ctxt->modrm_reg, ctxt->src.val))
3557 return emulate_gp(ctxt, 0);
3558
3559 /* Disable writeback. */
3560 ctxt->dst.type = OP_NONE;
3561 return X86EMUL_CONTINUE;
3562 }
3563
3564 static int em_dr_write(struct x86_emulate_ctxt *ctxt)
3565 {
3566 unsigned long val;
3567
3568 if (ctxt->mode == X86EMUL_MODE_PROT64)
3569 val = ctxt->src.val & ~0ULL;
3570 else
3571 val = ctxt->src.val & ~0U;
3572
3573 /* #UD condition is already handled. */
3574 if (ctxt->ops->set_dr(ctxt, ctxt->modrm_reg, val) < 0)
3575 return emulate_gp(ctxt, 0);
3576
3577 /* Disable writeback. */
3578 ctxt->dst.type = OP_NONE;
3579 return X86EMUL_CONTINUE;
3580 }
3581
3582 static int em_wrmsr(struct x86_emulate_ctxt *ctxt)
3583 {
3584 u64 msr_data;
3585
3586 msr_data = (u32)reg_read(ctxt, VCPU_REGS_RAX)
3587 | ((u64)reg_read(ctxt, VCPU_REGS_RDX) << 32);
3588 if (ctxt->ops->set_msr(ctxt, reg_read(ctxt, VCPU_REGS_RCX), msr_data))
3589 return emulate_gp(ctxt, 0);
3590
3591 return X86EMUL_CONTINUE;
3592 }
3593
3594 static int em_rdmsr(struct x86_emulate_ctxt *ctxt)
3595 {
3596 u64 msr_data;
3597
3598 if (ctxt->ops->get_msr(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &msr_data))
3599 return emulate_gp(ctxt, 0);
3600
3601 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)msr_data;
3602 *reg_write(ctxt, VCPU_REGS_RDX) = msr_data >> 32;
3603 return X86EMUL_CONTINUE;
3604 }
3605
3606 static int em_mov_rm_sreg(struct x86_emulate_ctxt *ctxt)
3607 {
3608 if (ctxt->modrm_reg > VCPU_SREG_GS)
3609 return emulate_ud(ctxt);
3610
3611 ctxt->dst.val = get_segment_selector(ctxt, ctxt->modrm_reg);
3612 if (ctxt->dst.bytes == 4 && ctxt->dst.type == OP_MEM)
3613 ctxt->dst.bytes = 2;
3614 return X86EMUL_CONTINUE;
3615 }
3616
3617 static int em_mov_sreg_rm(struct x86_emulate_ctxt *ctxt)
3618 {
3619 u16 sel = ctxt->src.val;
3620
3621 if (ctxt->modrm_reg == VCPU_SREG_CS || ctxt->modrm_reg > VCPU_SREG_GS)
3622 return emulate_ud(ctxt);
3623
3624 if (ctxt->modrm_reg == VCPU_SREG_SS)
3625 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3626
3627 /* Disable writeback. */
3628 ctxt->dst.type = OP_NONE;
3629 return load_segment_descriptor(ctxt, sel, ctxt->modrm_reg);
3630 }
3631
3632 static int em_lldt(struct x86_emulate_ctxt *ctxt)
3633 {
3634 u16 sel = ctxt->src.val;
3635
3636 /* Disable writeback. */
3637 ctxt->dst.type = OP_NONE;
3638 return load_segment_descriptor(ctxt, sel, VCPU_SREG_LDTR);
3639 }
3640
3641 static int em_ltr(struct x86_emulate_ctxt *ctxt)
3642 {
3643 u16 sel = ctxt->src.val;
3644
3645 /* Disable writeback. */
3646 ctxt->dst.type = OP_NONE;
3647 return load_segment_descriptor(ctxt, sel, VCPU_SREG_TR);
3648 }
3649
3650 static int em_invlpg(struct x86_emulate_ctxt *ctxt)
3651 {
3652 int rc;
3653 ulong linear;
3654
3655 rc = linearize(ctxt, ctxt->src.addr.mem, 1, false, &linear);
3656 if (rc == X86EMUL_CONTINUE)
3657 ctxt->ops->invlpg(ctxt, linear);
3658 /* Disable writeback. */
3659 ctxt->dst.type = OP_NONE;
3660 return X86EMUL_CONTINUE;
3661 }
3662
3663 static int em_clts(struct x86_emulate_ctxt *ctxt)
3664 {
3665 ulong cr0;
3666
3667 cr0 = ctxt->ops->get_cr(ctxt, 0);
3668 cr0 &= ~X86_CR0_TS;
3669 ctxt->ops->set_cr(ctxt, 0, cr0);
3670 return X86EMUL_CONTINUE;
3671 }
3672
3673 static int em_hypercall(struct x86_emulate_ctxt *ctxt)
3674 {
3675 int rc = ctxt->ops->fix_hypercall(ctxt);
3676
3677 if (rc != X86EMUL_CONTINUE)
3678 return rc;
3679
3680 /* Let the processor re-execute the fixed hypercall */
3681 ctxt->_eip = ctxt->eip;
3682 /* Disable writeback. */
3683 ctxt->dst.type = OP_NONE;
3684 return X86EMUL_CONTINUE;
3685 }
3686
3687 static int emulate_store_desc_ptr(struct x86_emulate_ctxt *ctxt,
3688 void (*get)(struct x86_emulate_ctxt *ctxt,
3689 struct desc_ptr *ptr))
3690 {
3691 struct desc_ptr desc_ptr;
3692
3693 if (ctxt->mode == X86EMUL_MODE_PROT64)
3694 ctxt->op_bytes = 8;
3695 get(ctxt, &desc_ptr);
3696 if (ctxt->op_bytes == 2) {
3697 ctxt->op_bytes = 4;
3698 desc_ptr.address &= 0x00ffffff;
3699 }
3700 /* Disable writeback. */
3701 ctxt->dst.type = OP_NONE;
3702 return segmented_write(ctxt, ctxt->dst.addr.mem,
3703 &desc_ptr, 2 + ctxt->op_bytes);
3704 }
3705
3706 static int em_sgdt(struct x86_emulate_ctxt *ctxt)
3707 {
3708 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_gdt);
3709 }
3710
3711 static int em_sidt(struct x86_emulate_ctxt *ctxt)
3712 {
3713 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_idt);
3714 }
3715
3716 static int em_lgdt_lidt(struct x86_emulate_ctxt *ctxt, bool lgdt)
3717 {
3718 struct desc_ptr desc_ptr;
3719 int rc;
3720
3721 if (ctxt->mode == X86EMUL_MODE_PROT64)
3722 ctxt->op_bytes = 8;
3723 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
3724 &desc_ptr.size, &desc_ptr.address,
3725 ctxt->op_bytes);
3726 if (rc != X86EMUL_CONTINUE)
3727 return rc;
3728 if (ctxt->mode == X86EMUL_MODE_PROT64 &&
3729 is_noncanonical_address(desc_ptr.address))
3730 return emulate_gp(ctxt, 0);
3731 if (lgdt)
3732 ctxt->ops->set_gdt(ctxt, &desc_ptr);
3733 else
3734 ctxt->ops->set_idt(ctxt, &desc_ptr);
3735 /* Disable writeback. */
3736 ctxt->dst.type = OP_NONE;
3737 return X86EMUL_CONTINUE;
3738 }
3739
3740 static int em_lgdt(struct x86_emulate_ctxt *ctxt)
3741 {
3742 return em_lgdt_lidt(ctxt, true);
3743 }
3744
3745 static int em_lidt(struct x86_emulate_ctxt *ctxt)
3746 {
3747 return em_lgdt_lidt(ctxt, false);
3748 }
3749
3750 static int em_smsw(struct x86_emulate_ctxt *ctxt)
3751 {
3752 if (ctxt->dst.type == OP_MEM)
3753 ctxt->dst.bytes = 2;
3754 ctxt->dst.val = ctxt->ops->get_cr(ctxt, 0);
3755 return X86EMUL_CONTINUE;
3756 }
3757
3758 static int em_lmsw(struct x86_emulate_ctxt *ctxt)
3759 {
3760 ctxt->ops->set_cr(ctxt, 0, (ctxt->ops->get_cr(ctxt, 0) & ~0x0eul)
3761 | (ctxt->src.val & 0x0f));
3762 ctxt->dst.type = OP_NONE;
3763 return X86EMUL_CONTINUE;
3764 }
3765
3766 static int em_loop(struct x86_emulate_ctxt *ctxt)
3767 {
3768 int rc = X86EMUL_CONTINUE;
3769
3770 register_address_increment(ctxt, VCPU_REGS_RCX, -1);
3771 if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) &&
3772 (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
3773 rc = jmp_rel(ctxt, ctxt->src.val);
3774
3775 return rc;
3776 }
3777
3778 static int em_jcxz(struct x86_emulate_ctxt *ctxt)
3779 {
3780 int rc = X86EMUL_CONTINUE;
3781
3782 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0)
3783 rc = jmp_rel(ctxt, ctxt->src.val);
3784
3785 return rc;
3786 }
3787
3788 static int em_in(struct x86_emulate_ctxt *ctxt)
3789 {
3790 if (!pio_in_emulated(ctxt, ctxt->dst.bytes, ctxt->src.val,
3791 &ctxt->dst.val))
3792 return X86EMUL_IO_NEEDED;
3793
3794 return X86EMUL_CONTINUE;
3795 }
3796
3797 static int em_out(struct x86_emulate_ctxt *ctxt)
3798 {
3799 ctxt->ops->pio_out_emulated(ctxt, ctxt->src.bytes, ctxt->dst.val,
3800 &ctxt->src.val, 1);
3801 /* Disable writeback. */
3802 ctxt->dst.type = OP_NONE;
3803 return X86EMUL_CONTINUE;
3804 }
3805
3806 static int em_cli(struct x86_emulate_ctxt *ctxt)
3807 {
3808 if (emulator_bad_iopl(ctxt))
3809 return emulate_gp(ctxt, 0);
3810
3811 ctxt->eflags &= ~X86_EFLAGS_IF;
3812 return X86EMUL_CONTINUE;
3813 }
3814
3815 static int em_sti(struct x86_emulate_ctxt *ctxt)
3816 {
3817 if (emulator_bad_iopl(ctxt))
3818 return emulate_gp(ctxt, 0);
3819
3820 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3821 ctxt->eflags |= X86_EFLAGS_IF;
3822 return X86EMUL_CONTINUE;
3823 }
3824
3825 static int em_cpuid(struct x86_emulate_ctxt *ctxt)
3826 {
3827 u32 eax, ebx, ecx, edx;
3828
3829 eax = reg_read(ctxt, VCPU_REGS_RAX);
3830 ecx = reg_read(ctxt, VCPU_REGS_RCX);
3831 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
3832 *reg_write(ctxt, VCPU_REGS_RAX) = eax;
3833 *reg_write(ctxt, VCPU_REGS_RBX) = ebx;
3834 *reg_write(ctxt, VCPU_REGS_RCX) = ecx;
3835 *reg_write(ctxt, VCPU_REGS_RDX) = edx;
3836 return X86EMUL_CONTINUE;
3837 }
3838
3839 static int em_sahf(struct x86_emulate_ctxt *ctxt)
3840 {
3841 u32 flags;
3842
3843 flags = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF | X86_EFLAGS_ZF |
3844 X86_EFLAGS_SF;
3845 flags &= *reg_rmw(ctxt, VCPU_REGS_RAX) >> 8;
3846
3847 ctxt->eflags &= ~0xffUL;
3848 ctxt->eflags |= flags | X86_EFLAGS_FIXED;
3849 return X86EMUL_CONTINUE;
3850 }
3851
3852 static int em_lahf(struct x86_emulate_ctxt *ctxt)
3853 {
3854 *reg_rmw(ctxt, VCPU_REGS_RAX) &= ~0xff00UL;
3855 *reg_rmw(ctxt, VCPU_REGS_RAX) |= (ctxt->eflags & 0xff) << 8;
3856 return X86EMUL_CONTINUE;
3857 }
3858
3859 static int em_bswap(struct x86_emulate_ctxt *ctxt)
3860 {
3861 switch (ctxt->op_bytes) {
3862 #ifdef CONFIG_X86_64
3863 case 8:
3864 asm("bswap %0" : "+r"(ctxt->dst.val));
3865 break;
3866 #endif
3867 default:
3868 asm("bswap %0" : "+r"(*(u32 *)&ctxt->dst.val));
3869 break;
3870 }
3871 return X86EMUL_CONTINUE;
3872 }
3873
3874 static int em_clflush(struct x86_emulate_ctxt *ctxt)
3875 {
3876 /* emulating clflush regardless of cpuid */
3877 return X86EMUL_CONTINUE;
3878 }
3879
3880 static int em_movsxd(struct x86_emulate_ctxt *ctxt)
3881 {
3882 ctxt->dst.val = (s32) ctxt->src.val;
3883 return X86EMUL_CONTINUE;
3884 }
3885
3886 static bool valid_cr(int nr)
3887 {
3888 switch (nr) {
3889 case 0:
3890 case 2 ... 4:
3891 case 8:
3892 return true;
3893 default:
3894 return false;
3895 }
3896 }
3897
3898 static int check_cr_read(struct x86_emulate_ctxt *ctxt)
3899 {
3900 if (!valid_cr(ctxt->modrm_reg))
3901 return emulate_ud(ctxt);
3902
3903 return X86EMUL_CONTINUE;
3904 }
3905
3906 static int check_cr_write(struct x86_emulate_ctxt *ctxt)
3907 {
3908 u64 new_val = ctxt->src.val64;
3909 int cr = ctxt->modrm_reg;
3910 u64 efer = 0;
3911
3912 static u64 cr_reserved_bits[] = {
3913 0xffffffff00000000ULL,
3914 0, 0, 0, /* CR3 checked later */
3915 CR4_RESERVED_BITS,
3916 0, 0, 0,
3917 CR8_RESERVED_BITS,
3918 };
3919
3920 if (!valid_cr(cr))
3921 return emulate_ud(ctxt);
3922
3923 if (new_val & cr_reserved_bits[cr])
3924 return emulate_gp(ctxt, 0);
3925
3926 switch (cr) {
3927 case 0: {
3928 u64 cr4;
3929 if (((new_val & X86_CR0_PG) && !(new_val & X86_CR0_PE)) ||
3930 ((new_val & X86_CR0_NW) && !(new_val & X86_CR0_CD)))
3931 return emulate_gp(ctxt, 0);
3932
3933 cr4 = ctxt->ops->get_cr(ctxt, 4);
3934 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3935
3936 if ((new_val & X86_CR0_PG) && (efer & EFER_LME) &&
3937 !(cr4 & X86_CR4_PAE))
3938 return emulate_gp(ctxt, 0);
3939
3940 break;
3941 }
3942 case 3: {
3943 u64 rsvd = 0;
3944
3945 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3946 if (efer & EFER_LMA)
3947 rsvd = CR3_L_MODE_RESERVED_BITS & ~CR3_PCID_INVD;
3948
3949 if (new_val & rsvd)
3950 return emulate_gp(ctxt, 0);
3951
3952 break;
3953 }
3954 case 4: {
3955 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3956
3957 if ((efer & EFER_LMA) && !(new_val & X86_CR4_PAE))
3958 return emulate_gp(ctxt, 0);
3959
3960 break;
3961 }
3962 }
3963
3964 return X86EMUL_CONTINUE;
3965 }
3966
3967 static int check_dr7_gd(struct x86_emulate_ctxt *ctxt)
3968 {
3969 unsigned long dr7;
3970
3971 ctxt->ops->get_dr(ctxt, 7, &dr7);
3972
3973 /* Check if DR7.Global_Enable is set */
3974 return dr7 & (1 << 13);
3975 }
3976
3977 static int check_dr_read(struct x86_emulate_ctxt *ctxt)
3978 {
3979 int dr = ctxt->modrm_reg;
3980 u64 cr4;
3981
3982 if (dr > 7)
3983 return emulate_ud(ctxt);
3984
3985 cr4 = ctxt->ops->get_cr(ctxt, 4);
3986 if ((cr4 & X86_CR4_DE) && (dr == 4 || dr == 5))
3987 return emulate_ud(ctxt);
3988
3989 if (check_dr7_gd(ctxt)) {
3990 ulong dr6;
3991
3992 ctxt->ops->get_dr(ctxt, 6, &dr6);
3993 dr6 &= ~15;
3994 dr6 |= DR6_BD | DR6_RTM;
3995 ctxt->ops->set_dr(ctxt, 6, dr6);
3996 return emulate_db(ctxt);
3997 }
3998
3999 return X86EMUL_CONTINUE;
4000 }
4001
4002 static int check_dr_write(struct x86_emulate_ctxt *ctxt)
4003 {
4004 u64 new_val = ctxt->src.val64;
4005 int dr = ctxt->modrm_reg;
4006
4007 if ((dr == 6 || dr == 7) && (new_val & 0xffffffff00000000ULL))
4008 return emulate_gp(ctxt, 0);
4009
4010 return check_dr_read(ctxt);
4011 }
4012
4013 static int check_svme(struct x86_emulate_ctxt *ctxt)
4014 {
4015 u64 efer;
4016
4017 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
4018
4019 if (!(efer & EFER_SVME))
4020 return emulate_ud(ctxt);
4021
4022 return X86EMUL_CONTINUE;
4023 }
4024
4025 static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
4026 {
4027 u64 rax = reg_read(ctxt, VCPU_REGS_RAX);
4028
4029 /* Valid physical address? */
4030 if (rax & 0xffff000000000000ULL)
4031 return emulate_gp(ctxt, 0);
4032
4033 return check_svme(ctxt);
4034 }
4035
4036 static int check_rdtsc(struct x86_emulate_ctxt *ctxt)
4037 {
4038 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
4039
4040 if (cr4 & X86_CR4_TSD && ctxt->ops->cpl(ctxt))
4041 return emulate_ud(ctxt);
4042
4043 return X86EMUL_CONTINUE;
4044 }
4045
4046 static int check_rdpmc(struct x86_emulate_ctxt *ctxt)
4047 {
4048 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
4049 u64 rcx = reg_read(ctxt, VCPU_REGS_RCX);
4050
4051 if ((!(cr4 & X86_CR4_PCE) && ctxt->ops->cpl(ctxt)) ||
4052 ctxt->ops->check_pmc(ctxt, rcx))
4053 return emulate_gp(ctxt, 0);
4054
4055 return X86EMUL_CONTINUE;
4056 }
4057
4058 static int check_perm_in(struct x86_emulate_ctxt *ctxt)
4059 {
4060 ctxt->dst.bytes = min(ctxt->dst.bytes, 4u);
4061 if (!emulator_io_permited(ctxt, ctxt->src.val, ctxt->dst.bytes))
4062 return emulate_gp(ctxt, 0);
4063
4064 return X86EMUL_CONTINUE;
4065 }
4066
4067 static int check_perm_out(struct x86_emulate_ctxt *ctxt)
4068 {
4069 ctxt->src.bytes = min(ctxt->src.bytes, 4u);
4070 if (!emulator_io_permited(ctxt, ctxt->dst.val, ctxt->src.bytes))
4071 return emulate_gp(ctxt, 0);
4072
4073 return X86EMUL_CONTINUE;
4074 }
4075
4076 #define D(_y) { .flags = (_y) }
4077 #define DI(_y, _i) { .flags = (_y)|Intercept, .intercept = x86_intercept_##_i }
4078 #define DIP(_y, _i, _p) { .flags = (_y)|Intercept|CheckPerm, \
4079 .intercept = x86_intercept_##_i, .check_perm = (_p) }
4080 #define N D(NotImpl)
4081 #define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
4082 #define G(_f, _g) { .flags = ((_f) | Group | ModRM), .u.group = (_g) }
4083 #define GD(_f, _g) { .flags = ((_f) | GroupDual | ModRM), .u.gdual = (_g) }
4084 #define ID(_f, _i) { .flags = ((_f) | InstrDual | ModRM), .u.idual = (_i) }
4085 #define MD(_f, _m) { .flags = ((_f) | ModeDual), .u.mdual = (_m) }
4086 #define E(_f, _e) { .flags = ((_f) | Escape | ModRM), .u.esc = (_e) }
4087 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
4088 #define F(_f, _e) { .flags = (_f) | Fastop, .u.fastop = (_e) }
4089 #define II(_f, _e, _i) \
4090 { .flags = (_f)|Intercept, .u.execute = (_e), .intercept = x86_intercept_##_i }
4091 #define IIP(_f, _e, _i, _p) \
4092 { .flags = (_f)|Intercept|CheckPerm, .u.execute = (_e), \
4093 .intercept = x86_intercept_##_i, .check_perm = (_p) }
4094 #define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
4095
4096 #define D2bv(_f) D((_f) | ByteOp), D(_f)
4097 #define D2bvIP(_f, _i, _p) DIP((_f) | ByteOp, _i, _p), DIP(_f, _i, _p)
4098 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
4099 #define F2bv(_f, _e) F((_f) | ByteOp, _e), F(_f, _e)
4100 #define I2bvIP(_f, _e, _i, _p) \
4101 IIP((_f) | ByteOp, _e, _i, _p), IIP(_f, _e, _i, _p)
4102
4103 #define F6ALU(_f, _e) F2bv((_f) | DstMem | SrcReg | ModRM, _e), \
4104 F2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock, _e), \
4105 F2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)
4106
4107 static const struct opcode group7_rm0[] = {
4108 N,
4109 I(SrcNone | Priv | EmulateOnUD, em_hypercall),
4110 N, N, N, N, N, N,
4111 };
4112
4113 static const struct opcode group7_rm1[] = {
4114 DI(SrcNone | Priv, monitor),
4115 DI(SrcNone | Priv, mwait),
4116 N, N, N, N, N, N,
4117 };
4118
4119 static const struct opcode group7_rm3[] = {
4120 DIP(SrcNone | Prot | Priv, vmrun, check_svme_pa),
4121 II(SrcNone | Prot | EmulateOnUD, em_hypercall, vmmcall),
4122 DIP(SrcNone | Prot | Priv, vmload, check_svme_pa),
4123 DIP(SrcNone | Prot | Priv, vmsave, check_svme_pa),
4124 DIP(SrcNone | Prot | Priv, stgi, check_svme),
4125 DIP(SrcNone | Prot | Priv, clgi, check_svme),
4126 DIP(SrcNone | Prot | Priv, skinit, check_svme),
4127 DIP(SrcNone | Prot | Priv, invlpga, check_svme),
4128 };
4129
4130 static const struct opcode group7_rm7[] = {
4131 N,
4132 DIP(SrcNone, rdtscp, check_rdtsc),
4133 N, N, N, N, N, N,
4134 };
4135
4136 static const struct opcode group1[] = {
4137 F(Lock, em_add),
4138 F(Lock | PageTable, em_or),
4139 F(Lock, em_adc),
4140 F(Lock, em_sbb),
4141 F(Lock | PageTable, em_and),
4142 F(Lock, em_sub),
4143 F(Lock, em_xor),
4144 F(NoWrite, em_cmp),
4145 };
4146
4147 static const struct opcode group1A[] = {
4148 I(DstMem | SrcNone | Mov | Stack | IncSP, em_pop), N, N, N, N, N, N, N,
4149 };
4150
4151 static const struct opcode group2[] = {
4152 F(DstMem | ModRM, em_rol),
4153 F(DstMem | ModRM, em_ror),
4154 F(DstMem | ModRM, em_rcl),
4155 F(DstMem | ModRM, em_rcr),
4156 F(DstMem | ModRM, em_shl),
4157 F(DstMem | ModRM, em_shr),
4158 F(DstMem | ModRM, em_shl),
4159 F(DstMem | ModRM, em_sar),
4160 };
4161
4162 static const struct opcode group3[] = {
4163 F(DstMem | SrcImm | NoWrite, em_test),
4164 F(DstMem | SrcImm | NoWrite, em_test),
4165 F(DstMem | SrcNone | Lock, em_not),
4166 F(DstMem | SrcNone | Lock, em_neg),
4167 F(DstXacc | Src2Mem, em_mul_ex),
4168 F(DstXacc | Src2Mem, em_imul_ex),
4169 F(DstXacc | Src2Mem, em_div_ex),
4170 F(DstXacc | Src2Mem, em_idiv_ex),
4171 };
4172
4173 static const struct opcode group4[] = {
4174 F(ByteOp | DstMem | SrcNone | Lock, em_inc),
4175 F(ByteOp | DstMem | SrcNone | Lock, em_dec),
4176 N, N, N, N, N, N,
4177 };
4178
4179 static const struct opcode group5[] = {
4180 F(DstMem | SrcNone | Lock, em_inc),
4181 F(DstMem | SrcNone | Lock, em_dec),
4182 I(SrcMem | NearBranch, em_call_near_abs),
4183 I(SrcMemFAddr | ImplicitOps, em_call_far),
4184 I(SrcMem | NearBranch, em_jmp_abs),
4185 I(SrcMemFAddr | ImplicitOps, em_jmp_far),
4186 I(SrcMem | Stack, em_push), D(Undefined),
4187 };
4188
4189 static const struct opcode group6[] = {
4190 DI(Prot | DstMem, sldt),
4191 DI(Prot | DstMem, str),
4192 II(Prot | Priv | SrcMem16, em_lldt, lldt),
4193 II(Prot | Priv | SrcMem16, em_ltr, ltr),
4194 N, N, N, N,
4195 };
4196
4197 static const struct group_dual group7 = { {
4198 II(Mov | DstMem, em_sgdt, sgdt),
4199 II(Mov | DstMem, em_sidt, sidt),
4200 II(SrcMem | Priv, em_lgdt, lgdt),
4201 II(SrcMem | Priv, em_lidt, lidt),
4202 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
4203 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
4204 II(SrcMem | ByteOp | Priv | NoAccess, em_invlpg, invlpg),
4205 }, {
4206 EXT(0, group7_rm0),
4207 EXT(0, group7_rm1),
4208 N, EXT(0, group7_rm3),
4209 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
4210 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
4211 EXT(0, group7_rm7),
4212 } };
4213
4214 static const struct opcode group8[] = {
4215 N, N, N, N,
4216 F(DstMem | SrcImmByte | NoWrite, em_bt),
4217 F(DstMem | SrcImmByte | Lock | PageTable, em_bts),
4218 F(DstMem | SrcImmByte | Lock, em_btr),
4219 F(DstMem | SrcImmByte | Lock | PageTable, em_btc),
4220 };
4221
4222 static const struct group_dual group9 = { {
4223 N, I(DstMem64 | Lock | PageTable, em_cmpxchg8b), N, N, N, N, N, N,
4224 }, {
4225 N, N, N, N, N, N, N, N,
4226 } };
4227
4228 static const struct opcode group11[] = {
4229 I(DstMem | SrcImm | Mov | PageTable, em_mov),
4230 X7(D(Undefined)),
4231 };
4232
4233 static const struct gprefix pfx_0f_ae_7 = {
4234 I(SrcMem | ByteOp, em_clflush), N, N, N,
4235 };
4236
4237 static const struct group_dual group15 = { {
4238 N, N, N, N, N, N, N, GP(0, &pfx_0f_ae_7),
4239 }, {
4240 N, N, N, N, N, N, N, N,
4241 } };
4242
4243 static const struct gprefix pfx_0f_6f_0f_7f = {
4244 I(Mmx, em_mov), I(Sse | Aligned, em_mov), N, I(Sse | Unaligned, em_mov),
4245 };
4246
4247 static const struct instr_dual instr_dual_0f_2b = {
4248 I(0, em_mov), N
4249 };
4250
4251 static const struct gprefix pfx_0f_2b = {
4252 ID(0, &instr_dual_0f_2b), ID(0, &instr_dual_0f_2b), N, N,
4253 };
4254
4255 static const struct gprefix pfx_0f_28_0f_29 = {
4256 I(Aligned, em_mov), I(Aligned, em_mov), N, N,
4257 };
4258
4259 static const struct gprefix pfx_0f_e7 = {
4260 N, I(Sse, em_mov), N, N,
4261 };
4262
4263 static const struct escape escape_d9 = { {
4264 N, N, N, N, N, N, N, I(DstMem16 | Mov, em_fnstcw),
4265 }, {
4266 /* 0xC0 - 0xC7 */
4267 N, N, N, N, N, N, N, N,
4268 /* 0xC8 - 0xCF */
4269 N, N, N, N, N, N, N, N,
4270 /* 0xD0 - 0xC7 */
4271 N, N, N, N, N, N, N, N,
4272 /* 0xD8 - 0xDF */
4273 N, N, N, N, N, N, N, N,
4274 /* 0xE0 - 0xE7 */
4275 N, N, N, N, N, N, N, N,
4276 /* 0xE8 - 0xEF */
4277 N, N, N, N, N, N, N, N,
4278 /* 0xF0 - 0xF7 */
4279 N, N, N, N, N, N, N, N,
4280 /* 0xF8 - 0xFF */
4281 N, N, N, N, N, N, N, N,
4282 } };
4283
4284 static const struct escape escape_db = { {
4285 N, N, N, N, N, N, N, N,
4286 }, {
4287 /* 0xC0 - 0xC7 */
4288 N, N, N, N, N, N, N, N,
4289 /* 0xC8 - 0xCF */
4290 N, N, N, N, N, N, N, N,
4291 /* 0xD0 - 0xC7 */
4292 N, N, N, N, N, N, N, N,
4293 /* 0xD8 - 0xDF */
4294 N, N, N, N, N, N, N, N,
4295 /* 0xE0 - 0xE7 */
4296 N, N, N, I(ImplicitOps, em_fninit), N, N, N, N,
4297 /* 0xE8 - 0xEF */
4298 N, N, N, N, N, N, N, N,
4299 /* 0xF0 - 0xF7 */
4300 N, N, N, N, N, N, N, N,
4301 /* 0xF8 - 0xFF */
4302 N, N, N, N, N, N, N, N,
4303 } };
4304
4305 static const struct escape escape_dd = { {
4306 N, N, N, N, N, N, N, I(DstMem16 | Mov, em_fnstsw),
4307 }, {
4308 /* 0xC0 - 0xC7 */
4309 N, N, N, N, N, N, N, N,
4310 /* 0xC8 - 0xCF */
4311 N, N, N, N, N, N, N, N,
4312 /* 0xD0 - 0xC7 */
4313 N, N, N, N, N, N, N, N,
4314 /* 0xD8 - 0xDF */
4315 N, N, N, N, N, N, N, N,
4316 /* 0xE0 - 0xE7 */
4317 N, N, N, N, N, N, N, N,
4318 /* 0xE8 - 0xEF */
4319 N, N, N, N, N, N, N, N,
4320 /* 0xF0 - 0xF7 */
4321 N, N, N, N, N, N, N, N,
4322 /* 0xF8 - 0xFF */
4323 N, N, N, N, N, N, N, N,
4324 } };
4325
4326 static const struct instr_dual instr_dual_0f_c3 = {
4327 I(DstMem | SrcReg | ModRM | No16 | Mov, em_mov), N
4328 };
4329
4330 static const struct mode_dual mode_dual_63 = {
4331 N, I(DstReg | SrcMem32 | ModRM | Mov, em_movsxd)
4332 };
4333
4334 static const struct opcode opcode_table[256] = {
4335 /* 0x00 - 0x07 */
4336 F6ALU(Lock, em_add),
4337 I(ImplicitOps | Stack | No64 | Src2ES, em_push_sreg),
4338 I(ImplicitOps | Stack | No64 | Src2ES, em_pop_sreg),
4339 /* 0x08 - 0x0F */
4340 F6ALU(Lock | PageTable, em_or),
4341 I(ImplicitOps | Stack | No64 | Src2CS, em_push_sreg),
4342 N,
4343 /* 0x10 - 0x17 */
4344 F6ALU(Lock, em_adc),
4345 I(ImplicitOps | Stack | No64 | Src2SS, em_push_sreg),
4346 I(ImplicitOps | Stack | No64 | Src2SS, em_pop_sreg),
4347 /* 0x18 - 0x1F */
4348 F6ALU(Lock, em_sbb),
4349 I(ImplicitOps | Stack | No64 | Src2DS, em_push_sreg),
4350 I(ImplicitOps | Stack | No64 | Src2DS, em_pop_sreg),
4351 /* 0x20 - 0x27 */
4352 F6ALU(Lock | PageTable, em_and), N, N,
4353 /* 0x28 - 0x2F */
4354 F6ALU(Lock, em_sub), N, I(ByteOp | DstAcc | No64, em_das),
4355 /* 0x30 - 0x37 */
4356 F6ALU(Lock, em_xor), N, N,
4357 /* 0x38 - 0x3F */
4358 F6ALU(NoWrite, em_cmp), N, N,
4359 /* 0x40 - 0x4F */
4360 X8(F(DstReg, em_inc)), X8(F(DstReg, em_dec)),
4361 /* 0x50 - 0x57 */
4362 X8(I(SrcReg | Stack, em_push)),
4363 /* 0x58 - 0x5F */
4364 X8(I(DstReg | Stack, em_pop)),
4365 /* 0x60 - 0x67 */
4366 I(ImplicitOps | Stack | No64, em_pusha),
4367 I(ImplicitOps | Stack | No64, em_popa),
4368 N, MD(ModRM, &mode_dual_63),
4369 N, N, N, N,
4370 /* 0x68 - 0x6F */
4371 I(SrcImm | Mov | Stack, em_push),
4372 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
4373 I(SrcImmByte | Mov | Stack, em_push),
4374 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
4375 I2bvIP(DstDI | SrcDX | Mov | String | Unaligned, em_in, ins, check_perm_in), /* insb, insw/insd */
4376 I2bvIP(SrcSI | DstDX | String, em_out, outs, check_perm_out), /* outsb, outsw/outsd */
4377 /* 0x70 - 0x7F */
4378 X16(D(SrcImmByte | NearBranch)),
4379 /* 0x80 - 0x87 */
4380 G(ByteOp | DstMem | SrcImm, group1),
4381 G(DstMem | SrcImm, group1),
4382 G(ByteOp | DstMem | SrcImm | No64, group1),
4383 G(DstMem | SrcImmByte, group1),
4384 F2bv(DstMem | SrcReg | ModRM | NoWrite, em_test),
4385 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_xchg),
4386 /* 0x88 - 0x8F */
4387 I2bv(DstMem | SrcReg | ModRM | Mov | PageTable, em_mov),
4388 I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
4389 I(DstMem | SrcNone | ModRM | Mov | PageTable, em_mov_rm_sreg),
4390 D(ModRM | SrcMem | NoAccess | DstReg),
4391 I(ImplicitOps | SrcMem16 | ModRM, em_mov_sreg_rm),
4392 G(0, group1A),
4393 /* 0x90 - 0x97 */
4394 DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)),
4395 /* 0x98 - 0x9F */
4396 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
4397 I(SrcImmFAddr | No64, em_call_far), N,
4398 II(ImplicitOps | Stack, em_pushf, pushf),
4399 II(ImplicitOps | Stack, em_popf, popf),
4400 I(ImplicitOps, em_sahf), I(ImplicitOps, em_lahf),
4401 /* 0xA0 - 0xA7 */
4402 I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
4403 I2bv(DstMem | SrcAcc | Mov | MemAbs | PageTable, em_mov),
4404 I2bv(SrcSI | DstDI | Mov | String, em_mov),
4405 F2bv(SrcSI | DstDI | String | NoWrite, em_cmp_r),
4406 /* 0xA8 - 0xAF */
4407 F2bv(DstAcc | SrcImm | NoWrite, em_test),
4408 I2bv(SrcAcc | DstDI | Mov | String, em_mov),
4409 I2bv(SrcSI | DstAcc | Mov | String, em_mov),
4410 F2bv(SrcAcc | DstDI | String | NoWrite, em_cmp_r),
4411 /* 0xB0 - 0xB7 */
4412 X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
4413 /* 0xB8 - 0xBF */
4414 X8(I(DstReg | SrcImm64 | Mov, em_mov)),
4415 /* 0xC0 - 0xC7 */
4416 G(ByteOp | Src2ImmByte, group2), G(Src2ImmByte, group2),
4417 I(ImplicitOps | NearBranch | SrcImmU16, em_ret_near_imm),
4418 I(ImplicitOps | NearBranch, em_ret),
4419 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2ES, em_lseg),
4420 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2DS, em_lseg),
4421 G(ByteOp, group11), G(0, group11),
4422 /* 0xC8 - 0xCF */
4423 I(Stack | SrcImmU16 | Src2ImmByte, em_enter), I(Stack, em_leave),
4424 I(ImplicitOps | SrcImmU16, em_ret_far_imm),
4425 I(ImplicitOps, em_ret_far),
4426 D(ImplicitOps), DI(SrcImmByte, intn),
4427 D(ImplicitOps | No64), II(ImplicitOps, em_iret, iret),
4428 /* 0xD0 - 0xD7 */
4429 G(Src2One | ByteOp, group2), G(Src2One, group2),
4430 G(Src2CL | ByteOp, group2), G(Src2CL, group2),
4431 I(DstAcc | SrcImmUByte | No64, em_aam),
4432 I(DstAcc | SrcImmUByte | No64, em_aad),
4433 F(DstAcc | ByteOp | No64, em_salc),
4434 I(DstAcc | SrcXLat | ByteOp, em_mov),
4435 /* 0xD8 - 0xDF */
4436 N, E(0, &escape_d9), N, E(0, &escape_db), N, E(0, &escape_dd), N, N,
4437 /* 0xE0 - 0xE7 */
4438 X3(I(SrcImmByte | NearBranch, em_loop)),
4439 I(SrcImmByte | NearBranch, em_jcxz),
4440 I2bvIP(SrcImmUByte | DstAcc, em_in, in, check_perm_in),
4441 I2bvIP(SrcAcc | DstImmUByte, em_out, out, check_perm_out),
4442 /* 0xE8 - 0xEF */
4443 I(SrcImm | NearBranch, em_call), D(SrcImm | ImplicitOps | NearBranch),
4444 I(SrcImmFAddr | No64, em_jmp_far),
4445 D(SrcImmByte | ImplicitOps | NearBranch),
4446 I2bvIP(SrcDX | DstAcc, em_in, in, check_perm_in),
4447 I2bvIP(SrcAcc | DstDX, em_out, out, check_perm_out),
4448 /* 0xF0 - 0xF7 */
4449 N, DI(ImplicitOps, icebp), N, N,
4450 DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
4451 G(ByteOp, group3), G(0, group3),
4452 /* 0xF8 - 0xFF */
4453 D(ImplicitOps), D(ImplicitOps),
4454 I(ImplicitOps, em_cli), I(ImplicitOps, em_sti),
4455 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
4456 };
4457
4458 static const struct opcode twobyte_table[256] = {
4459 /* 0x00 - 0x0F */
4460 G(0, group6), GD(0, &group7), N, N,
4461 N, I(ImplicitOps | EmulateOnUD, em_syscall),
4462 II(ImplicitOps | Priv, em_clts, clts), N,
4463 DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
4464 N, D(ImplicitOps | ModRM | SrcMem | NoAccess), N, N,
4465 /* 0x10 - 0x1F */
4466 N, N, N, N, N, N, N, N,
4467 D(ImplicitOps | ModRM | SrcMem | NoAccess),
4468 N, N, N, N, N, N, D(ImplicitOps | ModRM | SrcMem | NoAccess),
4469 /* 0x20 - 0x2F */
4470 DIP(ModRM | DstMem | Priv | Op3264 | NoMod, cr_read, check_cr_read),
4471 DIP(ModRM | DstMem | Priv | Op3264 | NoMod, dr_read, check_dr_read),
4472 IIP(ModRM | SrcMem | Priv | Op3264 | NoMod, em_cr_write, cr_write,
4473 check_cr_write),
4474 IIP(ModRM | SrcMem | Priv | Op3264 | NoMod, em_dr_write, dr_write,
4475 check_dr_write),
4476 N, N, N, N,
4477 GP(ModRM | DstReg | SrcMem | Mov | Sse, &pfx_0f_28_0f_29),
4478 GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_28_0f_29),
4479 N, GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_2b),
4480 N, N, N, N,
4481 /* 0x30 - 0x3F */
4482 II(ImplicitOps | Priv, em_wrmsr, wrmsr),
4483 IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
4484 II(ImplicitOps | Priv, em_rdmsr, rdmsr),
4485 IIP(ImplicitOps, em_rdpmc, rdpmc, check_rdpmc),
4486 I(ImplicitOps | EmulateOnUD, em_sysenter),
4487 I(ImplicitOps | Priv | EmulateOnUD, em_sysexit),
4488 N, N,
4489 N, N, N, N, N, N, N, N,
4490 /* 0x40 - 0x4F */
4491 X16(D(DstReg | SrcMem | ModRM)),
4492 /* 0x50 - 0x5F */
4493 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4494 /* 0x60 - 0x6F */
4495 N, N, N, N,
4496 N, N, N, N,
4497 N, N, N, N,
4498 N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
4499 /* 0x70 - 0x7F */
4500 N, N, N, N,
4501 N, N, N, N,
4502 N, N, N, N,
4503 N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
4504 /* 0x80 - 0x8F */
4505 X16(D(SrcImm | NearBranch)),
4506 /* 0x90 - 0x9F */
4507 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
4508 /* 0xA0 - 0xA7 */
4509 I(Stack | Src2FS, em_push_sreg), I(Stack | Src2FS, em_pop_sreg),
4510 II(ImplicitOps, em_cpuid, cpuid),
4511 F(DstMem | SrcReg | ModRM | BitOp | NoWrite, em_bt),
4512 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shld),
4513 F(DstMem | SrcReg | Src2CL | ModRM, em_shld), N, N,
4514 /* 0xA8 - 0xAF */
4515 I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg),
4516 II(EmulateOnUD | ImplicitOps, em_rsm, rsm),
4517 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
4518 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd),
4519 F(DstMem | SrcReg | Src2CL | ModRM, em_shrd),
4520 GD(0, &group15), F(DstReg | SrcMem | ModRM, em_imul),
4521 /* 0xB0 - 0xB7 */
4522 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable | SrcWrite, em_cmpxchg),
4523 I(DstReg | SrcMemFAddr | ModRM | Src2SS, em_lseg),
4524 F(DstMem | SrcReg | ModRM | BitOp | Lock, em_btr),
4525 I(DstReg | SrcMemFAddr | ModRM | Src2FS, em_lseg),
4526 I(DstReg | SrcMemFAddr | ModRM | Src2GS, em_lseg),
4527 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4528 /* 0xB8 - 0xBF */
4529 N, N,
4530 G(BitOp, group8),
4531 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_btc),
4532 I(DstReg | SrcMem | ModRM, em_bsf_c),
4533 I(DstReg | SrcMem | ModRM, em_bsr_c),
4534 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4535 /* 0xC0 - 0xC7 */
4536 F2bv(DstMem | SrcReg | ModRM | SrcWrite | Lock, em_xadd),
4537 N, ID(0, &instr_dual_0f_c3),
4538 N, N, N, GD(0, &group9),
4539 /* 0xC8 - 0xCF */
4540 X8(I(DstReg, em_bswap)),
4541 /* 0xD0 - 0xDF */
4542 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4543 /* 0xE0 - 0xEF */
4544 N, N, N, N, N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_e7),
4545 N, N, N, N, N, N, N, N,
4546 /* 0xF0 - 0xFF */
4547 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
4548 };
4549
4550 static const struct instr_dual instr_dual_0f_38_f0 = {
4551 I(DstReg | SrcMem | Mov, em_movbe), N
4552 };
4553
4554 static const struct instr_dual instr_dual_0f_38_f1 = {
4555 I(DstMem | SrcReg | Mov, em_movbe), N
4556 };
4557
4558 static const struct gprefix three_byte_0f_38_f0 = {
4559 ID(0, &instr_dual_0f_38_f0), N, N, N
4560 };
4561
4562 static const struct gprefix three_byte_0f_38_f1 = {
4563 ID(0, &instr_dual_0f_38_f1), N, N, N
4564 };
4565
4566 /*
4567 * Insns below are selected by the prefix which indexed by the third opcode
4568 * byte.
4569 */
4570 static const struct opcode opcode_map_0f_38[256] = {
4571 /* 0x00 - 0x7f */
4572 X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
4573 /* 0x80 - 0xef */
4574 X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
4575 /* 0xf0 - 0xf1 */
4576 GP(EmulateOnUD | ModRM, &three_byte_0f_38_f0),
4577 GP(EmulateOnUD | ModRM, &three_byte_0f_38_f1),
4578 /* 0xf2 - 0xff */
4579 N, N, X4(N), X8(N)
4580 };
4581
4582 #undef D
4583 #undef N
4584 #undef G
4585 #undef GD
4586 #undef I
4587 #undef GP
4588 #undef EXT
4589 #undef MD
4590 #undef ID
4591
4592 #undef D2bv
4593 #undef D2bvIP
4594 #undef I2bv
4595 #undef I2bvIP
4596 #undef I6ALU
4597
4598 static unsigned imm_size(struct x86_emulate_ctxt *ctxt)
4599 {
4600 unsigned size;
4601
4602 size = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4603 if (size == 8)
4604 size = 4;
4605 return size;
4606 }
4607
4608 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
4609 unsigned size, bool sign_extension)
4610 {
4611 int rc = X86EMUL_CONTINUE;
4612
4613 op->type = OP_IMM;
4614 op->bytes = size;
4615 op->addr.mem.ea = ctxt->_eip;
4616 /* NB. Immediates are sign-extended as necessary. */
4617 switch (op->bytes) {
4618 case 1:
4619 op->val = insn_fetch(s8, ctxt);
4620 break;
4621 case 2:
4622 op->val = insn_fetch(s16, ctxt);
4623 break;
4624 case 4:
4625 op->val = insn_fetch(s32, ctxt);
4626 break;
4627 case 8:
4628 op->val = insn_fetch(s64, ctxt);
4629 break;
4630 }
4631 if (!sign_extension) {
4632 switch (op->bytes) {
4633 case 1:
4634 op->val &= 0xff;
4635 break;
4636 case 2:
4637 op->val &= 0xffff;
4638 break;
4639 case 4:
4640 op->val &= 0xffffffff;
4641 break;
4642 }
4643 }
4644 done:
4645 return rc;
4646 }
4647
4648 static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
4649 unsigned d)
4650 {
4651 int rc = X86EMUL_CONTINUE;
4652
4653 switch (d) {
4654 case OpReg:
4655 decode_register_operand(ctxt, op);
4656 break;
4657 case OpImmUByte:
4658 rc = decode_imm(ctxt, op, 1, false);
4659 break;
4660 case OpMem:
4661 ctxt->memop.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4662 mem_common:
4663 *op = ctxt->memop;
4664 ctxt->memopp = op;
4665 if (ctxt->d & BitOp)
4666 fetch_bit_operand(ctxt);
4667 op->orig_val = op->val;
4668 break;
4669 case OpMem64:
4670 ctxt->memop.bytes = (ctxt->op_bytes == 8) ? 16 : 8;
4671 goto mem_common;
4672 case OpAcc:
4673 op->type = OP_REG;
4674 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4675 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4676 fetch_register_operand(op);
4677 op->orig_val = op->val;
4678 break;
4679 case OpAccLo:
4680 op->type = OP_REG;
4681 op->bytes = (ctxt->d & ByteOp) ? 2 : ctxt->op_bytes;
4682 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4683 fetch_register_operand(op);
4684 op->orig_val = op->val;
4685 break;
4686 case OpAccHi:
4687 if (ctxt->d & ByteOp) {
4688 op->type = OP_NONE;
4689 break;
4690 }
4691 op->type = OP_REG;
4692 op->bytes = ctxt->op_bytes;
4693 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4694 fetch_register_operand(op);
4695 op->orig_val = op->val;
4696 break;
4697 case OpDI:
4698 op->type = OP_MEM;
4699 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4700 op->addr.mem.ea =
4701 register_address(ctxt, VCPU_REGS_RDI);
4702 op->addr.mem.seg = VCPU_SREG_ES;
4703 op->val = 0;
4704 op->count = 1;
4705 break;
4706 case OpDX:
4707 op->type = OP_REG;
4708 op->bytes = 2;
4709 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4710 fetch_register_operand(op);
4711 break;
4712 case OpCL:
4713 op->type = OP_IMM;
4714 op->bytes = 1;
4715 op->val = reg_read(ctxt, VCPU_REGS_RCX) & 0xff;
4716 break;
4717 case OpImmByte:
4718 rc = decode_imm(ctxt, op, 1, true);
4719 break;
4720 case OpOne:
4721 op->type = OP_IMM;
4722 op->bytes = 1;
4723 op->val = 1;
4724 break;
4725 case OpImm:
4726 rc = decode_imm(ctxt, op, imm_size(ctxt), true);
4727 break;
4728 case OpImm64:
4729 rc = decode_imm(ctxt, op, ctxt->op_bytes, true);
4730 break;
4731 case OpMem8:
4732 ctxt->memop.bytes = 1;
4733 if (ctxt->memop.type == OP_REG) {
4734 ctxt->memop.addr.reg = decode_register(ctxt,
4735 ctxt->modrm_rm, true);
4736 fetch_register_operand(&ctxt->memop);
4737 }
4738 goto mem_common;
4739 case OpMem16:
4740 ctxt->memop.bytes = 2;
4741 goto mem_common;
4742 case OpMem32:
4743 ctxt->memop.bytes = 4;
4744 goto mem_common;
4745 case OpImmU16:
4746 rc = decode_imm(ctxt, op, 2, false);
4747 break;
4748 case OpImmU:
4749 rc = decode_imm(ctxt, op, imm_size(ctxt), false);
4750 break;
4751 case OpSI:
4752 op->type = OP_MEM;
4753 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4754 op->addr.mem.ea =
4755 register_address(ctxt, VCPU_REGS_RSI);
4756 op->addr.mem.seg = ctxt->seg_override;
4757 op->val = 0;
4758 op->count = 1;
4759 break;
4760 case OpXLat:
4761 op->type = OP_MEM;
4762 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4763 op->addr.mem.ea =
4764 address_mask(ctxt,
4765 reg_read(ctxt, VCPU_REGS_RBX) +
4766 (reg_read(ctxt, VCPU_REGS_RAX) & 0xff));
4767 op->addr.mem.seg = ctxt->seg_override;
4768 op->val = 0;
4769 break;
4770 case OpImmFAddr:
4771 op->type = OP_IMM;
4772 op->addr.mem.ea = ctxt->_eip;
4773 op->bytes = ctxt->op_bytes + 2;
4774 insn_fetch_arr(op->valptr, op->bytes, ctxt);
4775 break;
4776 case OpMemFAddr:
4777 ctxt->memop.bytes = ctxt->op_bytes + 2;
4778 goto mem_common;
4779 case OpES:
4780 op->type = OP_IMM;
4781 op->val = VCPU_SREG_ES;
4782 break;
4783 case OpCS:
4784 op->type = OP_IMM;
4785 op->val = VCPU_SREG_CS;
4786 break;
4787 case OpSS:
4788 op->type = OP_IMM;
4789 op->val = VCPU_SREG_SS;
4790 break;
4791 case OpDS:
4792 op->type = OP_IMM;
4793 op->val = VCPU_SREG_DS;
4794 break;
4795 case OpFS:
4796 op->type = OP_IMM;
4797 op->val = VCPU_SREG_FS;
4798 break;
4799 case OpGS:
4800 op->type = OP_IMM;
4801 op->val = VCPU_SREG_GS;
4802 break;
4803 case OpImplicit:
4804 /* Special instructions do their own operand decoding. */
4805 default:
4806 op->type = OP_NONE; /* Disable writeback. */
4807 break;
4808 }
4809
4810 done:
4811 return rc;
4812 }
4813
4814 int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
4815 {
4816 int rc = X86EMUL_CONTINUE;
4817 int mode = ctxt->mode;
4818 int def_op_bytes, def_ad_bytes, goffset, simd_prefix;
4819 bool op_prefix = false;
4820 bool has_seg_override = false;
4821 struct opcode opcode;
4822
4823 ctxt->memop.type = OP_NONE;
4824 ctxt->memopp = NULL;
4825 ctxt->_eip = ctxt->eip;
4826 ctxt->fetch.ptr = ctxt->fetch.data;
4827 ctxt->fetch.end = ctxt->fetch.data + insn_len;
4828 ctxt->opcode_len = 1;
4829 if (insn_len > 0)
4830 memcpy(ctxt->fetch.data, insn, insn_len);
4831 else {
4832 rc = __do_insn_fetch_bytes(ctxt, 1);
4833 if (rc != X86EMUL_CONTINUE)
4834 return rc;
4835 }
4836
4837 switch (mode) {
4838 case X86EMUL_MODE_REAL:
4839 case X86EMUL_MODE_VM86:
4840 case X86EMUL_MODE_PROT16:
4841 def_op_bytes = def_ad_bytes = 2;
4842 break;
4843 case X86EMUL_MODE_PROT32:
4844 def_op_bytes = def_ad_bytes = 4;
4845 break;
4846 #ifdef CONFIG_X86_64
4847 case X86EMUL_MODE_PROT64:
4848 def_op_bytes = 4;
4849 def_ad_bytes = 8;
4850 break;
4851 #endif
4852 default:
4853 return EMULATION_FAILED;
4854 }
4855
4856 ctxt->op_bytes = def_op_bytes;
4857 ctxt->ad_bytes = def_ad_bytes;
4858
4859 /* Legacy prefixes. */
4860 for (;;) {
4861 switch (ctxt->b = insn_fetch(u8, ctxt)) {
4862 case 0x66: /* operand-size override */
4863 op_prefix = true;
4864 /* switch between 2/4 bytes */
4865 ctxt->op_bytes = def_op_bytes ^ 6;
4866 break;
4867 case 0x67: /* address-size override */
4868 if (mode == X86EMUL_MODE_PROT64)
4869 /* switch between 4/8 bytes */
4870 ctxt->ad_bytes = def_ad_bytes ^ 12;
4871 else
4872 /* switch between 2/4 bytes */
4873 ctxt->ad_bytes = def_ad_bytes ^ 6;
4874 break;
4875 case 0x26: /* ES override */
4876 case 0x2e: /* CS override */
4877 case 0x36: /* SS override */
4878 case 0x3e: /* DS override */
4879 has_seg_override = true;
4880 ctxt->seg_override = (ctxt->b >> 3) & 3;
4881 break;
4882 case 0x64: /* FS override */
4883 case 0x65: /* GS override */
4884 has_seg_override = true;
4885 ctxt->seg_override = ctxt->b & 7;
4886 break;
4887 case 0x40 ... 0x4f: /* REX */
4888 if (mode != X86EMUL_MODE_PROT64)
4889 goto done_prefixes;
4890 ctxt->rex_prefix = ctxt->b;
4891 continue;
4892 case 0xf0: /* LOCK */
4893 ctxt->lock_prefix = 1;
4894 break;
4895 case 0xf2: /* REPNE/REPNZ */
4896 case 0xf3: /* REP/REPE/REPZ */
4897 ctxt->rep_prefix = ctxt->b;
4898 break;
4899 default:
4900 goto done_prefixes;
4901 }
4902
4903 /* Any legacy prefix after a REX prefix nullifies its effect. */
4904
4905 ctxt->rex_prefix = 0;
4906 }
4907
4908 done_prefixes:
4909
4910 /* REX prefix. */
4911 if (ctxt->rex_prefix & 8)
4912 ctxt->op_bytes = 8; /* REX.W */
4913
4914 /* Opcode byte(s). */
4915 opcode = opcode_table[ctxt->b];
4916 /* Two-byte opcode? */
4917 if (ctxt->b == 0x0f) {
4918 ctxt->opcode_len = 2;
4919 ctxt->b = insn_fetch(u8, ctxt);
4920 opcode = twobyte_table[ctxt->b];
4921
4922 /* 0F_38 opcode map */
4923 if (ctxt->b == 0x38) {
4924 ctxt->opcode_len = 3;
4925 ctxt->b = insn_fetch(u8, ctxt);
4926 opcode = opcode_map_0f_38[ctxt->b];
4927 }
4928 }
4929 ctxt->d = opcode.flags;
4930
4931 if (ctxt->d & ModRM)
4932 ctxt->modrm = insn_fetch(u8, ctxt);
4933
4934 /* vex-prefix instructions are not implemented */
4935 if (ctxt->opcode_len == 1 && (ctxt->b == 0xc5 || ctxt->b == 0xc4) &&
4936 (mode == X86EMUL_MODE_PROT64 || (ctxt->modrm & 0xc0) == 0xc0)) {
4937 ctxt->d = NotImpl;
4938 }
4939
4940 while (ctxt->d & GroupMask) {
4941 switch (ctxt->d & GroupMask) {
4942 case Group:
4943 goffset = (ctxt->modrm >> 3) & 7;
4944 opcode = opcode.u.group[goffset];
4945 break;
4946 case GroupDual:
4947 goffset = (ctxt->modrm >> 3) & 7;
4948 if ((ctxt->modrm >> 6) == 3)
4949 opcode = opcode.u.gdual->mod3[goffset];
4950 else
4951 opcode = opcode.u.gdual->mod012[goffset];
4952 break;
4953 case RMExt:
4954 goffset = ctxt->modrm & 7;
4955 opcode = opcode.u.group[goffset];
4956 break;
4957 case Prefix:
4958 if (ctxt->rep_prefix && op_prefix)
4959 return EMULATION_FAILED;
4960 simd_prefix = op_prefix ? 0x66 : ctxt->rep_prefix;
4961 switch (simd_prefix) {
4962 case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
4963 case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
4964 case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
4965 case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
4966 }
4967 break;
4968 case Escape:
4969 if (ctxt->modrm > 0xbf)
4970 opcode = opcode.u.esc->high[ctxt->modrm - 0xc0];
4971 else
4972 opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7];
4973 break;
4974 case InstrDual:
4975 if ((ctxt->modrm >> 6) == 3)
4976 opcode = opcode.u.idual->mod3;
4977 else
4978 opcode = opcode.u.idual->mod012;
4979 break;
4980 case ModeDual:
4981 if (ctxt->mode == X86EMUL_MODE_PROT64)
4982 opcode = opcode.u.mdual->mode64;
4983 else
4984 opcode = opcode.u.mdual->mode32;
4985 break;
4986 default:
4987 return EMULATION_FAILED;
4988 }
4989
4990 ctxt->d &= ~(u64)GroupMask;
4991 ctxt->d |= opcode.flags;
4992 }
4993
4994 /* Unrecognised? */
4995 if (ctxt->d == 0)
4996 return EMULATION_FAILED;
4997
4998 ctxt->execute = opcode.u.execute;
4999
5000 if (unlikely(ctxt->ud) && likely(!(ctxt->d & EmulateOnUD)))
5001 return EMULATION_FAILED;
5002
5003 if (unlikely(ctxt->d &
5004 (NotImpl|Stack|Op3264|Sse|Mmx|Intercept|CheckPerm|NearBranch|
5005 No16))) {
5006 /*
5007 * These are copied unconditionally here, and checked unconditionally
5008 * in x86_emulate_insn.
5009 */
5010 ctxt->check_perm = opcode.check_perm;
5011 ctxt->intercept = opcode.intercept;
5012
5013 if (ctxt->d & NotImpl)
5014 return EMULATION_FAILED;
5015
5016 if (mode == X86EMUL_MODE_PROT64) {
5017 if (ctxt->op_bytes == 4 && (ctxt->d & Stack))
5018 ctxt->op_bytes = 8;
5019 else if (ctxt->d & NearBranch)
5020 ctxt->op_bytes = 8;
5021 }
5022
5023 if (ctxt->d & Op3264) {
5024 if (mode == X86EMUL_MODE_PROT64)
5025 ctxt->op_bytes = 8;
5026 else
5027 ctxt->op_bytes = 4;
5028 }
5029
5030 if ((ctxt->d & No16) && ctxt->op_bytes == 2)
5031 ctxt->op_bytes = 4;
5032
5033 if (ctxt->d & Sse)
5034 ctxt->op_bytes = 16;
5035 else if (ctxt->d & Mmx)
5036 ctxt->op_bytes = 8;
5037 }
5038
5039 /* ModRM and SIB bytes. */
5040 if (ctxt->d & ModRM) {
5041 rc = decode_modrm(ctxt, &ctxt->memop);
5042 if (!has_seg_override) {
5043 has_seg_override = true;
5044 ctxt->seg_override = ctxt->modrm_seg;
5045 }
5046 } else if (ctxt->d & MemAbs)
5047 rc = decode_abs(ctxt, &ctxt->memop);
5048 if (rc != X86EMUL_CONTINUE)
5049 goto done;
5050
5051 if (!has_seg_override)
5052 ctxt->seg_override = VCPU_SREG_DS;
5053
5054 ctxt->memop.addr.mem.seg = ctxt->seg_override;
5055
5056 /*
5057 * Decode and fetch the source operand: register, memory
5058 * or immediate.
5059 */
5060 rc = decode_operand(ctxt, &ctxt->src, (ctxt->d >> SrcShift) & OpMask);
5061 if (rc != X86EMUL_CONTINUE)
5062 goto done;
5063
5064 /*
5065 * Decode and fetch the second source operand: register, memory
5066 * or immediate.
5067 */
5068 rc = decode_operand(ctxt, &ctxt->src2, (ctxt->d >> Src2Shift) & OpMask);
5069 if (rc != X86EMUL_CONTINUE)
5070 goto done;
5071
5072 /* Decode and fetch the destination operand: register or memory. */
5073 rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
5074
5075 if (ctxt->rip_relative && likely(ctxt->memopp))
5076 ctxt->memopp->addr.mem.ea = address_mask(ctxt,
5077 ctxt->memopp->addr.mem.ea + ctxt->_eip);
5078
5079 done:
5080 return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
5081 }
5082
5083 bool x86_page_table_writing_insn(struct x86_emulate_ctxt *ctxt)
5084 {
5085 return ctxt->d & PageTable;
5086 }
5087
5088 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
5089 {
5090 /* The second termination condition only applies for REPE
5091 * and REPNE. Test if the repeat string operation prefix is
5092 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
5093 * corresponding termination condition according to:
5094 * - if REPE/REPZ and ZF = 0 then done
5095 * - if REPNE/REPNZ and ZF = 1 then done
5096 */
5097 if (((ctxt->b == 0xa6) || (ctxt->b == 0xa7) ||
5098 (ctxt->b == 0xae) || (ctxt->b == 0xaf))
5099 && (((ctxt->rep_prefix == REPE_PREFIX) &&
5100 ((ctxt->eflags & X86_EFLAGS_ZF) == 0))
5101 || ((ctxt->rep_prefix == REPNE_PREFIX) &&
5102 ((ctxt->eflags & X86_EFLAGS_ZF) == X86_EFLAGS_ZF))))
5103 return true;
5104
5105 return false;
5106 }
5107
5108 static int flush_pending_x87_faults(struct x86_emulate_ctxt *ctxt)
5109 {
5110 int rc;
5111
5112 ctxt->ops->get_fpu(ctxt);
5113 rc = asm_safe("fwait");
5114 ctxt->ops->put_fpu(ctxt);
5115
5116 if (unlikely(rc != X86EMUL_CONTINUE))
5117 return emulate_exception(ctxt, MF_VECTOR, 0, false);
5118
5119 return X86EMUL_CONTINUE;
5120 }
5121
5122 static void fetch_possible_mmx_operand(struct x86_emulate_ctxt *ctxt,
5123 struct operand *op)
5124 {
5125 if (op->type == OP_MM)
5126 read_mmx_reg(ctxt, &op->mm_val, op->addr.mm);
5127 }
5128
5129 static int fastop(struct x86_emulate_ctxt *ctxt, void (*fop)(struct fastop *))
5130 {
5131 register void *__sp asm(_ASM_SP);
5132 ulong flags = (ctxt->eflags & EFLAGS_MASK) | X86_EFLAGS_IF;
5133
5134 if (!(ctxt->d & ByteOp))
5135 fop += __ffs(ctxt->dst.bytes) * FASTOP_SIZE;
5136
5137 asm("push %[flags]; popf; call *%[fastop]; pushf; pop %[flags]\n"
5138 : "+a"(ctxt->dst.val), "+d"(ctxt->src.val), [flags]"+D"(flags),
5139 [fastop]"+S"(fop), "+r"(__sp)
5140 : "c"(ctxt->src2.val));
5141
5142 ctxt->eflags = (ctxt->eflags & ~EFLAGS_MASK) | (flags & EFLAGS_MASK);
5143 if (!fop) /* exception is returned in fop variable */
5144 return emulate_de(ctxt);
5145 return X86EMUL_CONTINUE;
5146 }
5147
5148 void init_decode_cache(struct x86_emulate_ctxt *ctxt)
5149 {
5150 memset(&ctxt->rip_relative, 0,
5151 (void *)&ctxt->modrm - (void *)&ctxt->rip_relative);
5152
5153 ctxt->io_read.pos = 0;
5154 ctxt->io_read.end = 0;
5155 ctxt->mem_read.end = 0;
5156 }
5157
5158 int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
5159 {
5160 const struct x86_emulate_ops *ops = ctxt->ops;
5161 int rc = X86EMUL_CONTINUE;
5162 int saved_dst_type = ctxt->dst.type;
5163
5164 ctxt->mem_read.pos = 0;
5165
5166 /* LOCK prefix is allowed only with some instructions */
5167 if (ctxt->lock_prefix && (!(ctxt->d & Lock) || ctxt->dst.type != OP_MEM)) {
5168 rc = emulate_ud(ctxt);
5169 goto done;
5170 }
5171
5172 if ((ctxt->d & SrcMask) == SrcMemFAddr && ctxt->src.type != OP_MEM) {
5173 rc = emulate_ud(ctxt);
5174 goto done;
5175 }
5176
5177 if (unlikely(ctxt->d &
5178 (No64|Undefined|Sse|Mmx|Intercept|CheckPerm|Priv|Prot|String))) {
5179 if ((ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) ||
5180 (ctxt->d & Undefined)) {
5181 rc = emulate_ud(ctxt);
5182 goto done;
5183 }
5184
5185 if (((ctxt->d & (Sse|Mmx)) && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)))
5186 || ((ctxt->d & Sse) && !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
5187 rc = emulate_ud(ctxt);
5188 goto done;
5189 }
5190
5191 if ((ctxt->d & (Sse|Mmx)) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
5192 rc = emulate_nm(ctxt);
5193 goto done;
5194 }
5195
5196 if (ctxt->d & Mmx) {
5197 rc = flush_pending_x87_faults(ctxt);
5198 if (rc != X86EMUL_CONTINUE)
5199 goto done;
5200 /*
5201 * Now that we know the fpu is exception safe, we can fetch
5202 * operands from it.
5203 */
5204 fetch_possible_mmx_operand(ctxt, &ctxt->src);
5205 fetch_possible_mmx_operand(ctxt, &ctxt->src2);
5206 if (!(ctxt->d & Mov))
5207 fetch_possible_mmx_operand(ctxt, &ctxt->dst);
5208 }
5209
5210 if (unlikely(ctxt->emul_flags & X86EMUL_GUEST_MASK) && ctxt->intercept) {
5211 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5212 X86_ICPT_PRE_EXCEPT);
5213 if (rc != X86EMUL_CONTINUE)
5214 goto done;
5215 }
5216
5217 /* Instruction can only be executed in protected mode */
5218 if ((ctxt->d & Prot) && ctxt->mode < X86EMUL_MODE_PROT16) {
5219 rc = emulate_ud(ctxt);
5220 goto done;
5221 }
5222
5223 /* Privileged instruction can be executed only in CPL=0 */
5224 if ((ctxt->d & Priv) && ops->cpl(ctxt)) {
5225 if (ctxt->d & PrivUD)
5226 rc = emulate_ud(ctxt);
5227 else
5228 rc = emulate_gp(ctxt, 0);
5229 goto done;
5230 }
5231
5232 /* Do instruction specific permission checks */
5233 if (ctxt->d & CheckPerm) {
5234 rc = ctxt->check_perm(ctxt);
5235 if (rc != X86EMUL_CONTINUE)
5236 goto done;
5237 }
5238
5239 if (unlikely(ctxt->emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
5240 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5241 X86_ICPT_POST_EXCEPT);
5242 if (rc != X86EMUL_CONTINUE)
5243 goto done;
5244 }
5245
5246 if (ctxt->rep_prefix && (ctxt->d & String)) {
5247 /* All REP prefixes have the same first termination condition */
5248 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0) {
5249 string_registers_quirk(ctxt);
5250 ctxt->eip = ctxt->_eip;
5251 ctxt->eflags &= ~X86_EFLAGS_RF;
5252 goto done;
5253 }
5254 }
5255 }
5256
5257 if ((ctxt->src.type == OP_MEM) && !(ctxt->d & NoAccess)) {
5258 rc = segmented_read(ctxt, ctxt->src.addr.mem,
5259 ctxt->src.valptr, ctxt->src.bytes);
5260 if (rc != X86EMUL_CONTINUE)
5261 goto done;
5262 ctxt->src.orig_val64 = ctxt->src.val64;
5263 }
5264
5265 if (ctxt->src2.type == OP_MEM) {
5266 rc = segmented_read(ctxt, ctxt->src2.addr.mem,
5267 &ctxt->src2.val, ctxt->src2.bytes);
5268 if (rc != X86EMUL_CONTINUE)
5269 goto done;
5270 }
5271
5272 if ((ctxt->d & DstMask) == ImplicitOps)
5273 goto special_insn;
5274
5275
5276 if ((ctxt->dst.type == OP_MEM) && !(ctxt->d & Mov)) {
5277 /* optimisation - avoid slow emulated read if Mov */
5278 rc = segmented_read(ctxt, ctxt->dst.addr.mem,
5279 &ctxt->dst.val, ctxt->dst.bytes);
5280 if (rc != X86EMUL_CONTINUE) {
5281 if (!(ctxt->d & NoWrite) &&
5282 rc == X86EMUL_PROPAGATE_FAULT &&
5283 ctxt->exception.vector == PF_VECTOR)
5284 ctxt->exception.error_code |= PFERR_WRITE_MASK;
5285 goto done;
5286 }
5287 }
5288 /* Copy full 64-bit value for CMPXCHG8B. */
5289 ctxt->dst.orig_val64 = ctxt->dst.val64;
5290
5291 special_insn:
5292
5293 if (unlikely(ctxt->emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
5294 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5295 X86_ICPT_POST_MEMACCESS);
5296 if (rc != X86EMUL_CONTINUE)
5297 goto done;
5298 }
5299
5300 if (ctxt->rep_prefix && (ctxt->d & String))
5301 ctxt->eflags |= X86_EFLAGS_RF;
5302 else
5303 ctxt->eflags &= ~X86_EFLAGS_RF;
5304
5305 if (ctxt->execute) {
5306 if (ctxt->d & Fastop) {
5307 void (*fop)(struct fastop *) = (void *)ctxt->execute;
5308 rc = fastop(ctxt, fop);
5309 if (rc != X86EMUL_CONTINUE)
5310 goto done;
5311 goto writeback;
5312 }
5313 rc = ctxt->execute(ctxt);
5314 if (rc != X86EMUL_CONTINUE)
5315 goto done;
5316 goto writeback;
5317 }
5318
5319 if (ctxt->opcode_len == 2)
5320 goto twobyte_insn;
5321 else if (ctxt->opcode_len == 3)
5322 goto threebyte_insn;
5323
5324 switch (ctxt->b) {
5325 case 0x70 ... 0x7f: /* jcc (short) */
5326 if (test_cc(ctxt->b, ctxt->eflags))
5327 rc = jmp_rel(ctxt, ctxt->src.val);
5328 break;
5329 case 0x8d: /* lea r16/r32, m */
5330 ctxt->dst.val = ctxt->src.addr.mem.ea;
5331 break;
5332 case 0x90 ... 0x97: /* nop / xchg reg, rax */
5333 if (ctxt->dst.addr.reg == reg_rmw(ctxt, VCPU_REGS_RAX))
5334 ctxt->dst.type = OP_NONE;
5335 else
5336 rc = em_xchg(ctxt);
5337 break;
5338 case 0x98: /* cbw/cwde/cdqe */
5339 switch (ctxt->op_bytes) {
5340 case 2: ctxt->dst.val = (s8)ctxt->dst.val; break;
5341 case 4: ctxt->dst.val = (s16)ctxt->dst.val; break;
5342 case 8: ctxt->dst.val = (s32)ctxt->dst.val; break;
5343 }
5344 break;
5345 case 0xcc: /* int3 */
5346 rc = emulate_int(ctxt, 3);
5347 break;
5348 case 0xcd: /* int n */
5349 rc = emulate_int(ctxt, ctxt->src.val);
5350 break;
5351 case 0xce: /* into */
5352 if (ctxt->eflags & X86_EFLAGS_OF)
5353 rc = emulate_int(ctxt, 4);
5354 break;
5355 case 0xe9: /* jmp rel */
5356 case 0xeb: /* jmp rel short */
5357 rc = jmp_rel(ctxt, ctxt->src.val);
5358 ctxt->dst.type = OP_NONE; /* Disable writeback. */
5359 break;
5360 case 0xf4: /* hlt */
5361 ctxt->ops->halt(ctxt);
5362 break;
5363 case 0xf5: /* cmc */
5364 /* complement carry flag from eflags reg */
5365 ctxt->eflags ^= X86_EFLAGS_CF;
5366 break;
5367 case 0xf8: /* clc */
5368 ctxt->eflags &= ~X86_EFLAGS_CF;
5369 break;
5370 case 0xf9: /* stc */
5371 ctxt->eflags |= X86_EFLAGS_CF;
5372 break;
5373 case 0xfc: /* cld */
5374 ctxt->eflags &= ~X86_EFLAGS_DF;
5375 break;
5376 case 0xfd: /* std */
5377 ctxt->eflags |= X86_EFLAGS_DF;
5378 break;
5379 default:
5380 goto cannot_emulate;
5381 }
5382
5383 if (rc != X86EMUL_CONTINUE)
5384 goto done;
5385
5386 writeback:
5387 if (ctxt->d & SrcWrite) {
5388 BUG_ON(ctxt->src.type == OP_MEM || ctxt->src.type == OP_MEM_STR);
5389 rc = writeback(ctxt, &ctxt->src);
5390 if (rc != X86EMUL_CONTINUE)
5391 goto done;
5392 }
5393 if (!(ctxt->d & NoWrite)) {
5394 rc = writeback(ctxt, &ctxt->dst);
5395 if (rc != X86EMUL_CONTINUE)
5396 goto done;
5397 }
5398
5399 /*
5400 * restore dst type in case the decoding will be reused
5401 * (happens for string instruction )
5402 */
5403 ctxt->dst.type = saved_dst_type;
5404
5405 if ((ctxt->d & SrcMask) == SrcSI)
5406 string_addr_inc(ctxt, VCPU_REGS_RSI, &ctxt->src);
5407
5408 if ((ctxt->d & DstMask) == DstDI)
5409 string_addr_inc(ctxt, VCPU_REGS_RDI, &ctxt->dst);
5410
5411 if (ctxt->rep_prefix && (ctxt->d & String)) {
5412 unsigned int count;
5413 struct read_cache *r = &ctxt->io_read;
5414 if ((ctxt->d & SrcMask) == SrcSI)
5415 count = ctxt->src.count;
5416 else
5417 count = ctxt->dst.count;
5418 register_address_increment(ctxt, VCPU_REGS_RCX, -count);
5419
5420 if (!string_insn_completed(ctxt)) {
5421 /*
5422 * Re-enter guest when pio read ahead buffer is empty
5423 * or, if it is not used, after each 1024 iteration.
5424 */
5425 if ((r->end != 0 || reg_read(ctxt, VCPU_REGS_RCX) & 0x3ff) &&
5426 (r->end == 0 || r->end != r->pos)) {
5427 /*
5428 * Reset read cache. Usually happens before
5429 * decode, but since instruction is restarted
5430 * we have to do it here.
5431 */
5432 ctxt->mem_read.end = 0;
5433 writeback_registers(ctxt);
5434 return EMULATION_RESTART;
5435 }
5436 goto done; /* skip rip writeback */
5437 }
5438 ctxt->eflags &= ~X86_EFLAGS_RF;
5439 }
5440
5441 ctxt->eip = ctxt->_eip;
5442
5443 done:
5444 if (rc == X86EMUL_PROPAGATE_FAULT) {
5445 WARN_ON(ctxt->exception.vector > 0x1f);
5446 ctxt->have_exception = true;
5447 }
5448 if (rc == X86EMUL_INTERCEPTED)
5449 return EMULATION_INTERCEPTED;
5450
5451 if (rc == X86EMUL_CONTINUE)
5452 writeback_registers(ctxt);
5453
5454 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
5455
5456 twobyte_insn:
5457 switch (ctxt->b) {
5458 case 0x09: /* wbinvd */
5459 (ctxt->ops->wbinvd)(ctxt);
5460 break;
5461 case 0x08: /* invd */
5462 case 0x0d: /* GrpP (prefetch) */
5463 case 0x18: /* Grp16 (prefetch/nop) */
5464 case 0x1f: /* nop */
5465 break;
5466 case 0x20: /* mov cr, reg */
5467 ctxt->dst.val = ops->get_cr(ctxt, ctxt->modrm_reg);
5468 break;
5469 case 0x21: /* mov from dr to reg */
5470 ops->get_dr(ctxt, ctxt->modrm_reg, &ctxt->dst.val);
5471 break;
5472 case 0x40 ... 0x4f: /* cmov */
5473 if (test_cc(ctxt->b, ctxt->eflags))
5474 ctxt->dst.val = ctxt->src.val;
5475 else if (ctxt->op_bytes != 4)
5476 ctxt->dst.type = OP_NONE; /* no writeback */
5477 break;
5478 case 0x80 ... 0x8f: /* jnz rel, etc*/
5479 if (test_cc(ctxt->b, ctxt->eflags))
5480 rc = jmp_rel(ctxt, ctxt->src.val);
5481 break;
5482 case 0x90 ... 0x9f: /* setcc r/m8 */
5483 ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
5484 break;
5485 case 0xb6 ... 0xb7: /* movzx */
5486 ctxt->dst.bytes = ctxt->op_bytes;
5487 ctxt->dst.val = (ctxt->src.bytes == 1) ? (u8) ctxt->src.val
5488 : (u16) ctxt->src.val;
5489 break;
5490 case 0xbe ... 0xbf: /* movsx */
5491 ctxt->dst.bytes = ctxt->op_bytes;
5492 ctxt->dst.val = (ctxt->src.bytes == 1) ? (s8) ctxt->src.val :
5493 (s16) ctxt->src.val;
5494 break;
5495 default:
5496 goto cannot_emulate;
5497 }
5498
5499 threebyte_insn:
5500
5501 if (rc != X86EMUL_CONTINUE)
5502 goto done;
5503
5504 goto writeback;
5505
5506 cannot_emulate:
5507 return EMULATION_FAILED;
5508 }
5509
5510 void emulator_invalidate_register_cache(struct x86_emulate_ctxt *ctxt)
5511 {
5512 invalidate_registers(ctxt);
5513 }
5514
5515 void emulator_writeback_register_cache(struct x86_emulate_ctxt *ctxt)
5516 {
5517 writeback_registers(ctxt);
5518 }
Ubuntu Artful kernel mirror