]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blob - arch/x86/kvm/emulate.c
projects / mirror_ubuntu-zesty-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
KVM: x86 emulator: do not call writeback if msr access fails.
[mirror_ubuntu-zesty-kernel.git] / arch / x86 / kvm / emulate.c
1 /******************************************************************************
2 * emulate.c
3 *
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5 *
6 * Copyright (c) 2005 Keir Fraser
7 *
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
10 *
11 * Copyright (C) 2006 Qumranet
12 *
13 * Avi Kivity <avi@qumranet.com>
14 * Yaniv Kamay <yaniv@qumranet.com>
15 *
16 * This work is licensed under the terms of the GNU GPL, version 2. See
17 * the COPYING file in the top-level directory.
18 *
19 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
20 */
21
22 #ifndef __KERNEL__
23 #include <stdio.h>
24 #include <stdint.h>
25 #include <public/xen.h>
26 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
27 #else
28 #include <linux/kvm_host.h>
29 #include "kvm_cache_regs.h"
30 #define DPRINTF(x...) do {} while (0)
31 #endif
32 #include <linux/module.h>
33 #include <asm/kvm_emulate.h>
34
35 #include "x86.h"
36
37 /*
38 * Opcode effective-address decode tables.
39 * Note that we only emulate instructions that have at least one memory
40 * operand (excluding implicit stack references). We assume that stack
41 * references and instruction fetches will never occur in special memory
42 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
43 * not be handled.
44 */
45
46 /* Operand sizes: 8-bit operands or specified/overridden size. */
47 #define ByteOp (1<<0) /* 8-bit operands. */
48 /* Destination operand type. */
49 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
50 #define DstReg (2<<1) /* Register operand. */
51 #define DstMem (3<<1) /* Memory operand. */
52 #define DstAcc (4<<1) /* Destination Accumulator */
53 #define DstMask (7<<1)
54 /* Source operand type. */
55 #define SrcNone (0<<4) /* No source operand. */
56 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
57 #define SrcReg (1<<4) /* Register operand. */
58 #define SrcMem (2<<4) /* Memory operand. */
59 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
60 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
61 #define SrcImm (5<<4) /* Immediate operand. */
62 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
63 #define SrcOne (7<<4) /* Implied '1' */
64 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
65 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
66 #define SrcMask (0xf<<4)
67 /* Generic ModRM decode. */
68 #define ModRM (1<<8)
69 /* Destination is only written; never read. */
70 #define Mov (1<<9)
71 #define BitOp (1<<10)
72 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
73 #define String (1<<12) /* String instruction (rep capable) */
74 #define Stack (1<<13) /* Stack instruction (push/pop) */
75 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
76 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
77 #define GroupMask 0xff /* Group number stored in bits 0:7 */
78 /* Misc flags */
79 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
80 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
81 #define No64 (1<<28)
82 /* Source 2 operand type */
83 #define Src2None (0<<29)
84 #define Src2CL (1<<29)
85 #define Src2ImmByte (2<<29)
86 #define Src2One (3<<29)
87 #define Src2Imm16 (4<<29)
88 #define Src2Mem16 (5<<29) /* Used for Ep encoding. First argument has to be
89 in memory and second argument is located
90 immediately after the first one in memory. */
91 #define Src2Mask (7<<29)
92
93 enum {
94 Group1_80, Group1_81, Group1_82, Group1_83,
95 Group1A, Group3_Byte, Group3, Group4, Group5, Group7,
96 Group8, Group9,
97 };
98
99 static u32 opcode_table[256] = {
100 /* 0x00 - 0x07 */
101 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
102 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
103 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
104 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
105 /* 0x08 - 0x0F */
106 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
107 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
108 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
109 ImplicitOps | Stack | No64, 0,
110 /* 0x10 - 0x17 */
111 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
112 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
113 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
114 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
115 /* 0x18 - 0x1F */
116 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
117 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
118 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
119 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
120 /* 0x20 - 0x27 */
121 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
122 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
123 DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
124 /* 0x28 - 0x2F */
125 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
126 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
127 0, 0, 0, 0,
128 /* 0x30 - 0x37 */
129 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
130 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
131 0, 0, 0, 0,
132 /* 0x38 - 0x3F */
133 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
134 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
135 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
136 0, 0,
137 /* 0x40 - 0x47 */
138 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
139 /* 0x48 - 0x4F */
140 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
141 /* 0x50 - 0x57 */
142 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
143 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
144 /* 0x58 - 0x5F */
145 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
146 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
147 /* 0x60 - 0x67 */
148 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
149 0, DstReg | SrcMem32 | ModRM | Mov /* movsxd (x86/64) */ ,
150 0, 0, 0, 0,
151 /* 0x68 - 0x6F */
152 SrcImm | Mov | Stack, 0, SrcImmByte | Mov | Stack, 0,
153 SrcNone | ByteOp | ImplicitOps, SrcNone | ImplicitOps, /* insb, insw/insd */
154 SrcNone | ByteOp | ImplicitOps, SrcNone | ImplicitOps, /* outsb, outsw/outsd */
155 /* 0x70 - 0x77 */
156 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
157 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
158 /* 0x78 - 0x7F */
159 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
160 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
161 /* 0x80 - 0x87 */
162 Group | Group1_80, Group | Group1_81,
163 Group | Group1_82, Group | Group1_83,
164 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
165 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
166 /* 0x88 - 0x8F */
167 ByteOp | DstMem | SrcReg | ModRM | Mov, DstMem | SrcReg | ModRM | Mov,
168 ByteOp | DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
169 DstMem | SrcReg | ModRM | Mov, ModRM | DstReg,
170 DstReg | SrcMem | ModRM | Mov, Group | Group1A,
171 /* 0x90 - 0x97 */
172 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
173 /* 0x98 - 0x9F */
174 0, 0, SrcImm | Src2Imm16 | No64, 0,
175 ImplicitOps | Stack, ImplicitOps | Stack, 0, 0,
176 /* 0xA0 - 0xA7 */
177 ByteOp | DstReg | SrcMem | Mov | MemAbs, DstReg | SrcMem | Mov | MemAbs,
178 ByteOp | DstMem | SrcReg | Mov | MemAbs, DstMem | SrcReg | Mov | MemAbs,
179 ByteOp | ImplicitOps | Mov | String, ImplicitOps | Mov | String,
180 ByteOp | ImplicitOps | String, ImplicitOps | String,
181 /* 0xA8 - 0xAF */
182 0, 0, ByteOp | ImplicitOps | Mov | String, ImplicitOps | Mov | String,
183 ByteOp | ImplicitOps | Mov | String, ImplicitOps | Mov | String,
184 ByteOp | ImplicitOps | String, ImplicitOps | String,
185 /* 0xB0 - 0xB7 */
186 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
187 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
188 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
189 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
190 /* 0xB8 - 0xBF */
191 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
192 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
193 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
194 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
195 /* 0xC0 - 0xC7 */
196 ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM,
197 0, ImplicitOps | Stack, 0, 0,
198 ByteOp | DstMem | SrcImm | ModRM | Mov, DstMem | SrcImm | ModRM | Mov,
199 /* 0xC8 - 0xCF */
200 0, 0, 0, ImplicitOps | Stack,
201 ImplicitOps, SrcImmByte, ImplicitOps | No64, ImplicitOps,
202 /* 0xD0 - 0xD7 */
203 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
204 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
205 0, 0, 0, 0,
206 /* 0xD8 - 0xDF */
207 0, 0, 0, 0, 0, 0, 0, 0,
208 /* 0xE0 - 0xE7 */
209 0, 0, 0, 0,
210 ByteOp | SrcImmUByte, SrcImmUByte,
211 ByteOp | SrcImmUByte, SrcImmUByte,
212 /* 0xE8 - 0xEF */
213 SrcImm | Stack, SrcImm | ImplicitOps,
214 SrcImmU | Src2Imm16 | No64, SrcImmByte | ImplicitOps,
215 SrcNone | ByteOp | ImplicitOps, SrcNone | ImplicitOps,
216 SrcNone | ByteOp | ImplicitOps, SrcNone | ImplicitOps,
217 /* 0xF0 - 0xF7 */
218 0, 0, 0, 0,
219 ImplicitOps | Priv, ImplicitOps, Group | Group3_Byte, Group | Group3,
220 /* 0xF8 - 0xFF */
221 ImplicitOps, 0, ImplicitOps, ImplicitOps,
222 ImplicitOps, ImplicitOps, Group | Group4, Group | Group5,
223 };
224
225 static u32 twobyte_table[256] = {
226 /* 0x00 - 0x0F */
227 0, Group | GroupDual | Group7, 0, 0,
228 0, ImplicitOps, ImplicitOps | Priv, 0,
229 ImplicitOps | Priv, ImplicitOps | Priv, 0, 0,
230 0, ImplicitOps | ModRM, 0, 0,
231 /* 0x10 - 0x1F */
232 0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0,
233 /* 0x20 - 0x2F */
234 ModRM | ImplicitOps | Priv, ModRM | Priv,
235 ModRM | ImplicitOps | Priv, ModRM | Priv,
236 0, 0, 0, 0,
237 0, 0, 0, 0, 0, 0, 0, 0,
238 /* 0x30 - 0x3F */
239 ImplicitOps | Priv, 0, ImplicitOps | Priv, 0,
240 ImplicitOps, ImplicitOps | Priv, 0, 0,
241 0, 0, 0, 0, 0, 0, 0, 0,
242 /* 0x40 - 0x47 */
243 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
244 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
245 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
246 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
247 /* 0x48 - 0x4F */
248 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
249 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
250 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
251 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
252 /* 0x50 - 0x5F */
253 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
254 /* 0x60 - 0x6F */
255 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
256 /* 0x70 - 0x7F */
257 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
258 /* 0x80 - 0x8F */
259 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
260 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
261 /* 0x90 - 0x9F */
262 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
263 /* 0xA0 - 0xA7 */
264 ImplicitOps | Stack, ImplicitOps | Stack,
265 0, DstMem | SrcReg | ModRM | BitOp,
266 DstMem | SrcReg | Src2ImmByte | ModRM,
267 DstMem | SrcReg | Src2CL | ModRM, 0, 0,
268 /* 0xA8 - 0xAF */
269 ImplicitOps | Stack, ImplicitOps | Stack,
270 0, DstMem | SrcReg | ModRM | BitOp | Lock,
271 DstMem | SrcReg | Src2ImmByte | ModRM,
272 DstMem | SrcReg | Src2CL | ModRM,
273 ModRM, 0,
274 /* 0xB0 - 0xB7 */
275 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
276 0, DstMem | SrcReg | ModRM | BitOp | Lock,
277 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
278 DstReg | SrcMem16 | ModRM | Mov,
279 /* 0xB8 - 0xBF */
280 0, 0,
281 Group | Group8, DstMem | SrcReg | ModRM | BitOp | Lock,
282 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
283 DstReg | SrcMem16 | ModRM | Mov,
284 /* 0xC0 - 0xCF */
285 0, 0, 0, DstMem | SrcReg | ModRM | Mov,
286 0, 0, 0, Group | GroupDual | Group9,
287 0, 0, 0, 0, 0, 0, 0, 0,
288 /* 0xD0 - 0xDF */
289 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
290 /* 0xE0 - 0xEF */
291 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
292 /* 0xF0 - 0xFF */
293 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
294 };
295
296 static u32 group_table[] = {
297 [Group1_80*8] =
298 ByteOp | DstMem | SrcImm | ModRM | Lock,
299 ByteOp | DstMem | SrcImm | ModRM | Lock,
300 ByteOp | DstMem | SrcImm | ModRM | Lock,
301 ByteOp | DstMem | SrcImm | ModRM | Lock,
302 ByteOp | DstMem | SrcImm | ModRM | Lock,
303 ByteOp | DstMem | SrcImm | ModRM | Lock,
304 ByteOp | DstMem | SrcImm | ModRM | Lock,
305 ByteOp | DstMem | SrcImm | ModRM,
306 [Group1_81*8] =
307 DstMem | SrcImm | ModRM | Lock,
308 DstMem | SrcImm | ModRM | Lock,
309 DstMem | SrcImm | ModRM | Lock,
310 DstMem | SrcImm | ModRM | Lock,
311 DstMem | SrcImm | ModRM | Lock,
312 DstMem | SrcImm | ModRM | Lock,
313 DstMem | SrcImm | ModRM | Lock,
314 DstMem | SrcImm | ModRM,
315 [Group1_82*8] =
316 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
317 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
318 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
319 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
320 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
321 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
322 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
323 ByteOp | DstMem | SrcImm | ModRM | No64,
324 [Group1_83*8] =
325 DstMem | SrcImmByte | ModRM | Lock,
326 DstMem | SrcImmByte | ModRM | Lock,
327 DstMem | SrcImmByte | ModRM | Lock,
328 DstMem | SrcImmByte | ModRM | Lock,
329 DstMem | SrcImmByte | ModRM | Lock,
330 DstMem | SrcImmByte | ModRM | Lock,
331 DstMem | SrcImmByte | ModRM | Lock,
332 DstMem | SrcImmByte | ModRM,
333 [Group1A*8] =
334 DstMem | SrcNone | ModRM | Mov | Stack, 0, 0, 0, 0, 0, 0, 0,
335 [Group3_Byte*8] =
336 ByteOp | SrcImm | DstMem | ModRM, 0,
337 ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
338 0, 0, 0, 0,
339 [Group3*8] =
340 DstMem | SrcImm | ModRM, 0,
341 DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
342 0, 0, 0, 0,
343 [Group4*8] =
344 ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
345 0, 0, 0, 0, 0, 0,
346 [Group5*8] =
347 DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
348 SrcMem | ModRM | Stack, 0,
349 SrcMem | ModRM | Stack, SrcMem | ModRM | Src2Mem16 | ImplicitOps,
350 SrcMem | ModRM | Stack, 0,
351 [Group7*8] =
352 0, 0, ModRM | SrcMem | Priv, ModRM | SrcMem | Priv,
353 SrcNone | ModRM | DstMem | Mov, 0,
354 SrcMem16 | ModRM | Mov | Priv, SrcMem | ModRM | ByteOp | Priv,
355 [Group8*8] =
356 0, 0, 0, 0,
357 DstMem | SrcImmByte | ModRM, DstMem | SrcImmByte | ModRM | Lock,
358 DstMem | SrcImmByte | ModRM | Lock, DstMem | SrcImmByte | ModRM | Lock,
359 [Group9*8] =
360 0, ImplicitOps | ModRM | Lock, 0, 0, 0, 0, 0, 0,
361 };
362
363 static u32 group2_table[] = {
364 [Group7*8] =
365 SrcNone | ModRM | Priv, 0, 0, SrcNone | ModRM | Priv,
366 SrcNone | ModRM | DstMem | Mov, 0,
367 SrcMem16 | ModRM | Mov | Priv, 0,
368 [Group9*8] =
369 0, 0, 0, 0, 0, 0, 0, 0,
370 };
371
372 /* EFLAGS bit definitions. */
373 #define EFLG_ID (1<<21)
374 #define EFLG_VIP (1<<20)
375 #define EFLG_VIF (1<<19)
376 #define EFLG_AC (1<<18)
377 #define EFLG_VM (1<<17)
378 #define EFLG_RF (1<<16)
379 #define EFLG_IOPL (3<<12)
380 #define EFLG_NT (1<<14)
381 #define EFLG_OF (1<<11)
382 #define EFLG_DF (1<<10)
383 #define EFLG_IF (1<<9)
384 #define EFLG_TF (1<<8)
385 #define EFLG_SF (1<<7)
386 #define EFLG_ZF (1<<6)
387 #define EFLG_AF (1<<4)
388 #define EFLG_PF (1<<2)
389 #define EFLG_CF (1<<0)
390
391 /*
392 * Instruction emulation:
393 * Most instructions are emulated directly via a fragment of inline assembly
394 * code. This allows us to save/restore EFLAGS and thus very easily pick up
395 * any modified flags.
396 */
397
398 #if defined(CONFIG_X86_64)
399 #define _LO32 "k" /* force 32-bit operand */
400 #define _STK "%%rsp" /* stack pointer */
401 #elif defined(__i386__)
402 #define _LO32 "" /* force 32-bit operand */
403 #define _STK "%%esp" /* stack pointer */
404 #endif
405
406 /*
407 * These EFLAGS bits are restored from saved value during emulation, and
408 * any changes are written back to the saved value after emulation.
409 */
410 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
411
412 /* Before executing instruction: restore necessary bits in EFLAGS. */
413 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
414 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
415 "movl %"_sav",%"_LO32 _tmp"; " \
416 "push %"_tmp"; " \
417 "push %"_tmp"; " \
418 "movl %"_msk",%"_LO32 _tmp"; " \
419 "andl %"_LO32 _tmp",("_STK"); " \
420 "pushf; " \
421 "notl %"_LO32 _tmp"; " \
422 "andl %"_LO32 _tmp",("_STK"); " \
423 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
424 "pop %"_tmp"; " \
425 "orl %"_LO32 _tmp",("_STK"); " \
426 "popf; " \
427 "pop %"_sav"; "
428
429 /* After executing instruction: write-back necessary bits in EFLAGS. */
430 #define _POST_EFLAGS(_sav, _msk, _tmp) \
431 /* _sav |= EFLAGS & _msk; */ \
432 "pushf; " \
433 "pop %"_tmp"; " \
434 "andl %"_msk",%"_LO32 _tmp"; " \
435 "orl %"_LO32 _tmp",%"_sav"; "
436
437 #ifdef CONFIG_X86_64
438 #define ON64(x) x
439 #else
440 #define ON64(x)
441 #endif
442
443 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
444 do { \
445 __asm__ __volatile__ ( \
446 _PRE_EFLAGS("0", "4", "2") \
447 _op _suffix " %"_x"3,%1; " \
448 _POST_EFLAGS("0", "4", "2") \
449 : "=m" (_eflags), "=m" ((_dst).val), \
450 "=&r" (_tmp) \
451 : _y ((_src).val), "i" (EFLAGS_MASK)); \
452 } while (0)
453
454
455 /* Raw emulation: instruction has two explicit operands. */
456 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
457 do { \
458 unsigned long _tmp; \
459 \
460 switch ((_dst).bytes) { \
461 case 2: \
462 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
463 break; \
464 case 4: \
465 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
466 break; \
467 case 8: \
468 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
469 break; \
470 } \
471 } while (0)
472
473 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
474 do { \
475 unsigned long _tmp; \
476 switch ((_dst).bytes) { \
477 case 1: \
478 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
479 break; \
480 default: \
481 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
482 _wx, _wy, _lx, _ly, _qx, _qy); \
483 break; \
484 } \
485 } while (0)
486
487 /* Source operand is byte-sized and may be restricted to just %cl. */
488 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
489 __emulate_2op(_op, _src, _dst, _eflags, \
490 "b", "c", "b", "c", "b", "c", "b", "c")
491
492 /* Source operand is byte, word, long or quad sized. */
493 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
494 __emulate_2op(_op, _src, _dst, _eflags, \
495 "b", "q", "w", "r", _LO32, "r", "", "r")
496
497 /* Source operand is word, long or quad sized. */
498 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
499 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
500 "w", "r", _LO32, "r", "", "r")
501
502 /* Instruction has three operands and one operand is stored in ECX register */
503 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
504 do { \
505 unsigned long _tmp; \
506 _type _clv = (_cl).val; \
507 _type _srcv = (_src).val; \
508 _type _dstv = (_dst).val; \
509 \
510 __asm__ __volatile__ ( \
511 _PRE_EFLAGS("0", "5", "2") \
512 _op _suffix " %4,%1 \n" \
513 _POST_EFLAGS("0", "5", "2") \
514 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
515 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
516 ); \
517 \
518 (_cl).val = (unsigned long) _clv; \
519 (_src).val = (unsigned long) _srcv; \
520 (_dst).val = (unsigned long) _dstv; \
521 } while (0)
522
523 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
524 do { \
525 switch ((_dst).bytes) { \
526 case 2: \
527 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
528 "w", unsigned short); \
529 break; \
530 case 4: \
531 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
532 "l", unsigned int); \
533 break; \
534 case 8: \
535 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
536 "q", unsigned long)); \
537 break; \
538 } \
539 } while (0)
540
541 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
542 do { \
543 unsigned long _tmp; \
544 \
545 __asm__ __volatile__ ( \
546 _PRE_EFLAGS("0", "3", "2") \
547 _op _suffix " %1; " \
548 _POST_EFLAGS("0", "3", "2") \
549 : "=m" (_eflags), "+m" ((_dst).val), \
550 "=&r" (_tmp) \
551 : "i" (EFLAGS_MASK)); \
552 } while (0)
553
554 /* Instruction has only one explicit operand (no source operand). */
555 #define emulate_1op(_op, _dst, _eflags) \
556 do { \
557 switch ((_dst).bytes) { \
558 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
559 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
560 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
561 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
562 } \
563 } while (0)
564
565 /* Fetch next part of the instruction being emulated. */
566 #define insn_fetch(_type, _size, _eip) \
567 ({ unsigned long _x; \
568 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
569 if (rc != X86EMUL_CONTINUE) \
570 goto done; \
571 (_eip) += (_size); \
572 (_type)_x; \
573 })
574
575 static inline unsigned long ad_mask(struct decode_cache *c)
576 {
577 return (1UL << (c->ad_bytes << 3)) - 1;
578 }
579
580 /* Access/update address held in a register, based on addressing mode. */
581 static inline unsigned long
582 address_mask(struct decode_cache *c, unsigned long reg)
583 {
584 if (c->ad_bytes == sizeof(unsigned long))
585 return reg;
586 else
587 return reg & ad_mask(c);
588 }
589
590 static inline unsigned long
591 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
592 {
593 return base + address_mask(c, reg);
594 }
595
596 static inline void
597 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
598 {
599 if (c->ad_bytes == sizeof(unsigned long))
600 *reg += inc;
601 else
602 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
603 }
604
605 static inline void jmp_rel(struct decode_cache *c, int rel)
606 {
607 register_address_increment(c, &c->eip, rel);
608 }
609
610 static void set_seg_override(struct decode_cache *c, int seg)
611 {
612 c->has_seg_override = true;
613 c->seg_override = seg;
614 }
615
616 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
617 {
618 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
619 return 0;
620
621 return kvm_x86_ops->get_segment_base(ctxt->vcpu, seg);
622 }
623
624 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
625 struct decode_cache *c)
626 {
627 if (!c->has_seg_override)
628 return 0;
629
630 return seg_base(ctxt, c->seg_override);
631 }
632
633 static unsigned long es_base(struct x86_emulate_ctxt *ctxt)
634 {
635 return seg_base(ctxt, VCPU_SREG_ES);
636 }
637
638 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt)
639 {
640 return seg_base(ctxt, VCPU_SREG_SS);
641 }
642
643 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
644 struct x86_emulate_ops *ops,
645 unsigned long linear, u8 *dest)
646 {
647 struct fetch_cache *fc = &ctxt->decode.fetch;
648 int rc;
649 int size;
650
651 if (linear < fc->start || linear >= fc->end) {
652 size = min(15UL, PAGE_SIZE - offset_in_page(linear));
653 rc = ops->fetch(linear, fc->data, size, ctxt->vcpu, NULL);
654 if (rc != X86EMUL_CONTINUE)
655 return rc;
656 fc->start = linear;
657 fc->end = linear + size;
658 }
659 *dest = fc->data[linear - fc->start];
660 return X86EMUL_CONTINUE;
661 }
662
663 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
664 struct x86_emulate_ops *ops,
665 unsigned long eip, void *dest, unsigned size)
666 {
667 int rc;
668
669 /* x86 instructions are limited to 15 bytes. */
670 if (eip + size - ctxt->eip > 15)
671 return X86EMUL_UNHANDLEABLE;
672 eip += ctxt->cs_base;
673 while (size--) {
674 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
675 if (rc != X86EMUL_CONTINUE)
676 return rc;
677 }
678 return X86EMUL_CONTINUE;
679 }
680
681 /*
682 * Given the 'reg' portion of a ModRM byte, and a register block, return a
683 * pointer into the block that addresses the relevant register.
684 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
685 */
686 static void *decode_register(u8 modrm_reg, unsigned long *regs,
687 int highbyte_regs)
688 {
689 void *p;
690
691 p = &regs[modrm_reg];
692 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
693 p = (unsigned char *)&regs[modrm_reg & 3] + 1;
694 return p;
695 }
696
697 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
698 struct x86_emulate_ops *ops,
699 void *ptr,
700 u16 *size, unsigned long *address, int op_bytes)
701 {
702 int rc;
703
704 if (op_bytes == 2)
705 op_bytes = 3;
706 *address = 0;
707 rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
708 ctxt->vcpu, NULL);
709 if (rc != X86EMUL_CONTINUE)
710 return rc;
711 rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
712 ctxt->vcpu, NULL);
713 return rc;
714 }
715
716 static int test_cc(unsigned int condition, unsigned int flags)
717 {
718 int rc = 0;
719
720 switch ((condition & 15) >> 1) {
721 case 0: /* o */
722 rc |= (flags & EFLG_OF);
723 break;
724 case 1: /* b/c/nae */
725 rc |= (flags & EFLG_CF);
726 break;
727 case 2: /* z/e */
728 rc |= (flags & EFLG_ZF);
729 break;
730 case 3: /* be/na */
731 rc |= (flags & (EFLG_CF|EFLG_ZF));
732 break;
733 case 4: /* s */
734 rc |= (flags & EFLG_SF);
735 break;
736 case 5: /* p/pe */
737 rc |= (flags & EFLG_PF);
738 break;
739 case 7: /* le/ng */
740 rc |= (flags & EFLG_ZF);
741 /* fall through */
742 case 6: /* l/nge */
743 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
744 break;
745 }
746
747 /* Odd condition identifiers (lsb == 1) have inverted sense. */
748 return (!!rc ^ (condition & 1));
749 }
750
751 static void decode_register_operand(struct operand *op,
752 struct decode_cache *c,
753 int inhibit_bytereg)
754 {
755 unsigned reg = c->modrm_reg;
756 int highbyte_regs = c->rex_prefix == 0;
757
758 if (!(c->d & ModRM))
759 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
760 op->type = OP_REG;
761 if ((c->d & ByteOp) && !inhibit_bytereg) {
762 op->ptr = decode_register(reg, c->regs, highbyte_regs);
763 op->val = *(u8 *)op->ptr;
764 op->bytes = 1;
765 } else {
766 op->ptr = decode_register(reg, c->regs, 0);
767 op->bytes = c->op_bytes;
768 switch (op->bytes) {
769 case 2:
770 op->val = *(u16 *)op->ptr;
771 break;
772 case 4:
773 op->val = *(u32 *)op->ptr;
774 break;
775 case 8:
776 op->val = *(u64 *) op->ptr;
777 break;
778 }
779 }
780 op->orig_val = op->val;
781 }
782
783 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
784 struct x86_emulate_ops *ops)
785 {
786 struct decode_cache *c = &ctxt->decode;
787 u8 sib;
788 int index_reg = 0, base_reg = 0, scale;
789 int rc = X86EMUL_CONTINUE;
790
791 if (c->rex_prefix) {
792 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
793 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
794 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
795 }
796
797 c->modrm = insn_fetch(u8, 1, c->eip);
798 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
799 c->modrm_reg |= (c->modrm & 0x38) >> 3;
800 c->modrm_rm |= (c->modrm & 0x07);
801 c->modrm_ea = 0;
802 c->use_modrm_ea = 1;
803
804 if (c->modrm_mod == 3) {
805 c->modrm_ptr = decode_register(c->modrm_rm,
806 c->regs, c->d & ByteOp);
807 c->modrm_val = *(unsigned long *)c->modrm_ptr;
808 return rc;
809 }
810
811 if (c->ad_bytes == 2) {
812 unsigned bx = c->regs[VCPU_REGS_RBX];
813 unsigned bp = c->regs[VCPU_REGS_RBP];
814 unsigned si = c->regs[VCPU_REGS_RSI];
815 unsigned di = c->regs[VCPU_REGS_RDI];
816
817 /* 16-bit ModR/M decode. */
818 switch (c->modrm_mod) {
819 case 0:
820 if (c->modrm_rm == 6)
821 c->modrm_ea += insn_fetch(u16, 2, c->eip);
822 break;
823 case 1:
824 c->modrm_ea += insn_fetch(s8, 1, c->eip);
825 break;
826 case 2:
827 c->modrm_ea += insn_fetch(u16, 2, c->eip);
828 break;
829 }
830 switch (c->modrm_rm) {
831 case 0:
832 c->modrm_ea += bx + si;
833 break;
834 case 1:
835 c->modrm_ea += bx + di;
836 break;
837 case 2:
838 c->modrm_ea += bp + si;
839 break;
840 case 3:
841 c->modrm_ea += bp + di;
842 break;
843 case 4:
844 c->modrm_ea += si;
845 break;
846 case 5:
847 c->modrm_ea += di;
848 break;
849 case 6:
850 if (c->modrm_mod != 0)
851 c->modrm_ea += bp;
852 break;
853 case 7:
854 c->modrm_ea += bx;
855 break;
856 }
857 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
858 (c->modrm_rm == 6 && c->modrm_mod != 0))
859 if (!c->has_seg_override)
860 set_seg_override(c, VCPU_SREG_SS);
861 c->modrm_ea = (u16)c->modrm_ea;
862 } else {
863 /* 32/64-bit ModR/M decode. */
864 if ((c->modrm_rm & 7) == 4) {
865 sib = insn_fetch(u8, 1, c->eip);
866 index_reg |= (sib >> 3) & 7;
867 base_reg |= sib & 7;
868 scale = sib >> 6;
869
870 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
871 c->modrm_ea += insn_fetch(s32, 4, c->eip);
872 else
873 c->modrm_ea += c->regs[base_reg];
874 if (index_reg != 4)
875 c->modrm_ea += c->regs[index_reg] << scale;
876 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
877 if (ctxt->mode == X86EMUL_MODE_PROT64)
878 c->rip_relative = 1;
879 } else
880 c->modrm_ea += c->regs[c->modrm_rm];
881 switch (c->modrm_mod) {
882 case 0:
883 if (c->modrm_rm == 5)
884 c->modrm_ea += insn_fetch(s32, 4, c->eip);
885 break;
886 case 1:
887 c->modrm_ea += insn_fetch(s8, 1, c->eip);
888 break;
889 case 2:
890 c->modrm_ea += insn_fetch(s32, 4, c->eip);
891 break;
892 }
893 }
894 done:
895 return rc;
896 }
897
898 static int decode_abs(struct x86_emulate_ctxt *ctxt,
899 struct x86_emulate_ops *ops)
900 {
901 struct decode_cache *c = &ctxt->decode;
902 int rc = X86EMUL_CONTINUE;
903
904 switch (c->ad_bytes) {
905 case 2:
906 c->modrm_ea = insn_fetch(u16, 2, c->eip);
907 break;
908 case 4:
909 c->modrm_ea = insn_fetch(u32, 4, c->eip);
910 break;
911 case 8:
912 c->modrm_ea = insn_fetch(u64, 8, c->eip);
913 break;
914 }
915 done:
916 return rc;
917 }
918
919 int
920 x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
921 {
922 struct decode_cache *c = &ctxt->decode;
923 int rc = X86EMUL_CONTINUE;
924 int mode = ctxt->mode;
925 int def_op_bytes, def_ad_bytes, group;
926
927 /* Shadow copy of register state. Committed on successful emulation. */
928
929 memset(c, 0, sizeof(struct decode_cache));
930 c->eip = ctxt->eip;
931 ctxt->cs_base = seg_base(ctxt, VCPU_SREG_CS);
932 memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
933
934 switch (mode) {
935 case X86EMUL_MODE_REAL:
936 case X86EMUL_MODE_VM86:
937 case X86EMUL_MODE_PROT16:
938 def_op_bytes = def_ad_bytes = 2;
939 break;
940 case X86EMUL_MODE_PROT32:
941 def_op_bytes = def_ad_bytes = 4;
942 break;
943 #ifdef CONFIG_X86_64
944 case X86EMUL_MODE_PROT64:
945 def_op_bytes = 4;
946 def_ad_bytes = 8;
947 break;
948 #endif
949 default:
950 return -1;
951 }
952
953 c->op_bytes = def_op_bytes;
954 c->ad_bytes = def_ad_bytes;
955
956 /* Legacy prefixes. */
957 for (;;) {
958 switch (c->b = insn_fetch(u8, 1, c->eip)) {
959 case 0x66: /* operand-size override */
960 /* switch between 2/4 bytes */
961 c->op_bytes = def_op_bytes ^ 6;
962 break;
963 case 0x67: /* address-size override */
964 if (mode == X86EMUL_MODE_PROT64)
965 /* switch between 4/8 bytes */
966 c->ad_bytes = def_ad_bytes ^ 12;
967 else
968 /* switch between 2/4 bytes */
969 c->ad_bytes = def_ad_bytes ^ 6;
970 break;
971 case 0x26: /* ES override */
972 case 0x2e: /* CS override */
973 case 0x36: /* SS override */
974 case 0x3e: /* DS override */
975 set_seg_override(c, (c->b >> 3) & 3);
976 break;
977 case 0x64: /* FS override */
978 case 0x65: /* GS override */
979 set_seg_override(c, c->b & 7);
980 break;
981 case 0x40 ... 0x4f: /* REX */
982 if (mode != X86EMUL_MODE_PROT64)
983 goto done_prefixes;
984 c->rex_prefix = c->b;
985 continue;
986 case 0xf0: /* LOCK */
987 c->lock_prefix = 1;
988 break;
989 case 0xf2: /* REPNE/REPNZ */
990 c->rep_prefix = REPNE_PREFIX;
991 break;
992 case 0xf3: /* REP/REPE/REPZ */
993 c->rep_prefix = REPE_PREFIX;
994 break;
995 default:
996 goto done_prefixes;
997 }
998
999 /* Any legacy prefix after a REX prefix nullifies its effect. */
1000
1001 c->rex_prefix = 0;
1002 }
1003
1004 done_prefixes:
1005
1006 /* REX prefix. */
1007 if (c->rex_prefix)
1008 if (c->rex_prefix & 8)
1009 c->op_bytes = 8; /* REX.W */
1010
1011 /* Opcode byte(s). */
1012 c->d = opcode_table[c->b];
1013 if (c->d == 0) {
1014 /* Two-byte opcode? */
1015 if (c->b == 0x0f) {
1016 c->twobyte = 1;
1017 c->b = insn_fetch(u8, 1, c->eip);
1018 c->d = twobyte_table[c->b];
1019 }
1020 }
1021
1022 if (c->d & Group) {
1023 group = c->d & GroupMask;
1024 c->modrm = insn_fetch(u8, 1, c->eip);
1025 --c->eip;
1026
1027 group = (group << 3) + ((c->modrm >> 3) & 7);
1028 if ((c->d & GroupDual) && (c->modrm >> 6) == 3)
1029 c->d = group2_table[group];
1030 else
1031 c->d = group_table[group];
1032 }
1033
1034 /* Unrecognised? */
1035 if (c->d == 0) {
1036 DPRINTF("Cannot emulate %02x\n", c->b);
1037 return -1;
1038 }
1039
1040 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
1041 c->op_bytes = 8;
1042
1043 /* ModRM and SIB bytes. */
1044 if (c->d & ModRM)
1045 rc = decode_modrm(ctxt, ops);
1046 else if (c->d & MemAbs)
1047 rc = decode_abs(ctxt, ops);
1048 if (rc != X86EMUL_CONTINUE)
1049 goto done;
1050
1051 if (!c->has_seg_override)
1052 set_seg_override(c, VCPU_SREG_DS);
1053
1054 if (!(!c->twobyte && c->b == 0x8d))
1055 c->modrm_ea += seg_override_base(ctxt, c);
1056
1057 if (c->ad_bytes != 8)
1058 c->modrm_ea = (u32)c->modrm_ea;
1059 /*
1060 * Decode and fetch the source operand: register, memory
1061 * or immediate.
1062 */
1063 switch (c->d & SrcMask) {
1064 case SrcNone:
1065 break;
1066 case SrcReg:
1067 decode_register_operand(&c->src, c, 0);
1068 break;
1069 case SrcMem16:
1070 c->src.bytes = 2;
1071 goto srcmem_common;
1072 case SrcMem32:
1073 c->src.bytes = 4;
1074 goto srcmem_common;
1075 case SrcMem:
1076 c->src.bytes = (c->d & ByteOp) ? 1 :
1077 c->op_bytes;
1078 /* Don't fetch the address for invlpg: it could be unmapped. */
1079 if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
1080 break;
1081 srcmem_common:
1082 /*
1083 * For instructions with a ModR/M byte, switch to register
1084 * access if Mod = 3.
1085 */
1086 if ((c->d & ModRM) && c->modrm_mod == 3) {
1087 c->src.type = OP_REG;
1088 c->src.val = c->modrm_val;
1089 c->src.ptr = c->modrm_ptr;
1090 break;
1091 }
1092 c->src.type = OP_MEM;
1093 break;
1094 case SrcImm:
1095 case SrcImmU:
1096 c->src.type = OP_IMM;
1097 c->src.ptr = (unsigned long *)c->eip;
1098 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1099 if (c->src.bytes == 8)
1100 c->src.bytes = 4;
1101 /* NB. Immediates are sign-extended as necessary. */
1102 switch (c->src.bytes) {
1103 case 1:
1104 c->src.val = insn_fetch(s8, 1, c->eip);
1105 break;
1106 case 2:
1107 c->src.val = insn_fetch(s16, 2, c->eip);
1108 break;
1109 case 4:
1110 c->src.val = insn_fetch(s32, 4, c->eip);
1111 break;
1112 }
1113 if ((c->d & SrcMask) == SrcImmU) {
1114 switch (c->src.bytes) {
1115 case 1:
1116 c->src.val &= 0xff;
1117 break;
1118 case 2:
1119 c->src.val &= 0xffff;
1120 break;
1121 case 4:
1122 c->src.val &= 0xffffffff;
1123 break;
1124 }
1125 }
1126 break;
1127 case SrcImmByte:
1128 case SrcImmUByte:
1129 c->src.type = OP_IMM;
1130 c->src.ptr = (unsigned long *)c->eip;
1131 c->src.bytes = 1;
1132 if ((c->d & SrcMask) == SrcImmByte)
1133 c->src.val = insn_fetch(s8, 1, c->eip);
1134 else
1135 c->src.val = insn_fetch(u8, 1, c->eip);
1136 break;
1137 case SrcOne:
1138 c->src.bytes = 1;
1139 c->src.val = 1;
1140 break;
1141 }
1142
1143 /*
1144 * Decode and fetch the second source operand: register, memory
1145 * or immediate.
1146 */
1147 switch (c->d & Src2Mask) {
1148 case Src2None:
1149 break;
1150 case Src2CL:
1151 c->src2.bytes = 1;
1152 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
1153 break;
1154 case Src2ImmByte:
1155 c->src2.type = OP_IMM;
1156 c->src2.ptr = (unsigned long *)c->eip;
1157 c->src2.bytes = 1;
1158 c->src2.val = insn_fetch(u8, 1, c->eip);
1159 break;
1160 case Src2Imm16:
1161 c->src2.type = OP_IMM;
1162 c->src2.ptr = (unsigned long *)c->eip;
1163 c->src2.bytes = 2;
1164 c->src2.val = insn_fetch(u16, 2, c->eip);
1165 break;
1166 case Src2One:
1167 c->src2.bytes = 1;
1168 c->src2.val = 1;
1169 break;
1170 case Src2Mem16:
1171 c->src2.bytes = 2;
1172 c->src2.type = OP_MEM;
1173 break;
1174 }
1175
1176 /* Decode and fetch the destination operand: register or memory. */
1177 switch (c->d & DstMask) {
1178 case ImplicitOps:
1179 /* Special instructions do their own operand decoding. */
1180 return 0;
1181 case DstReg:
1182 decode_register_operand(&c->dst, c,
1183 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
1184 break;
1185 case DstMem:
1186 if ((c->d & ModRM) && c->modrm_mod == 3) {
1187 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1188 c->dst.type = OP_REG;
1189 c->dst.val = c->dst.orig_val = c->modrm_val;
1190 c->dst.ptr = c->modrm_ptr;
1191 break;
1192 }
1193 c->dst.type = OP_MEM;
1194 break;
1195 case DstAcc:
1196 c->dst.type = OP_REG;
1197 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1198 c->dst.ptr = &c->regs[VCPU_REGS_RAX];
1199 switch (c->dst.bytes) {
1200 case 1:
1201 c->dst.val = *(u8 *)c->dst.ptr;
1202 break;
1203 case 2:
1204 c->dst.val = *(u16 *)c->dst.ptr;
1205 break;
1206 case 4:
1207 c->dst.val = *(u32 *)c->dst.ptr;
1208 break;
1209 case 8:
1210 c->dst.val = *(u64 *)c->dst.ptr;
1211 break;
1212 }
1213 c->dst.orig_val = c->dst.val;
1214 break;
1215 }
1216
1217 if (c->rip_relative)
1218 c->modrm_ea += c->eip;
1219
1220 done:
1221 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
1222 }
1223
1224 static inline void emulate_push(struct x86_emulate_ctxt *ctxt)
1225 {
1226 struct decode_cache *c = &ctxt->decode;
1227
1228 c->dst.type = OP_MEM;
1229 c->dst.bytes = c->op_bytes;
1230 c->dst.val = c->src.val;
1231 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1232 c->dst.ptr = (void *) register_address(c, ss_base(ctxt),
1233 c->regs[VCPU_REGS_RSP]);
1234 }
1235
1236 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1237 struct x86_emulate_ops *ops,
1238 void *dest, int len)
1239 {
1240 struct decode_cache *c = &ctxt->decode;
1241 int rc;
1242
1243 rc = ops->read_emulated(register_address(c, ss_base(ctxt),
1244 c->regs[VCPU_REGS_RSP]),
1245 dest, len, ctxt->vcpu);
1246 if (rc != X86EMUL_CONTINUE)
1247 return rc;
1248
1249 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1250 return rc;
1251 }
1252
1253 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1254 struct x86_emulate_ops *ops,
1255 void *dest, int len)
1256 {
1257 int rc;
1258 unsigned long val, change_mask;
1259 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1260 int cpl = ops->cpl(ctxt->vcpu);
1261
1262 rc = emulate_pop(ctxt, ops, &val, len);
1263 if (rc != X86EMUL_CONTINUE)
1264 return rc;
1265
1266 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1267 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1268
1269 switch(ctxt->mode) {
1270 case X86EMUL_MODE_PROT64:
1271 case X86EMUL_MODE_PROT32:
1272 case X86EMUL_MODE_PROT16:
1273 if (cpl == 0)
1274 change_mask |= EFLG_IOPL;
1275 if (cpl <= iopl)
1276 change_mask |= EFLG_IF;
1277 break;
1278 case X86EMUL_MODE_VM86:
1279 if (iopl < 3) {
1280 kvm_inject_gp(ctxt->vcpu, 0);
1281 return X86EMUL_PROPAGATE_FAULT;
1282 }
1283 change_mask |= EFLG_IF;
1284 break;
1285 default: /* real mode */
1286 change_mask |= (EFLG_IOPL | EFLG_IF);
1287 break;
1288 }
1289
1290 *(unsigned long *)dest =
1291 (ctxt->eflags & ~change_mask) | (val & change_mask);
1292
1293 return rc;
1294 }
1295
1296 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt, int seg)
1297 {
1298 struct decode_cache *c = &ctxt->decode;
1299 struct kvm_segment segment;
1300
1301 kvm_x86_ops->get_segment(ctxt->vcpu, &segment, seg);
1302
1303 c->src.val = segment.selector;
1304 emulate_push(ctxt);
1305 }
1306
1307 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1308 struct x86_emulate_ops *ops, int seg)
1309 {
1310 struct decode_cache *c = &ctxt->decode;
1311 unsigned long selector;
1312 int rc;
1313
1314 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1315 if (rc != X86EMUL_CONTINUE)
1316 return rc;
1317
1318 rc = kvm_load_segment_descriptor(ctxt->vcpu, (u16)selector, seg);
1319 return rc;
1320 }
1321
1322 static void emulate_pusha(struct x86_emulate_ctxt *ctxt)
1323 {
1324 struct decode_cache *c = &ctxt->decode;
1325 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1326 int reg = VCPU_REGS_RAX;
1327
1328 while (reg <= VCPU_REGS_RDI) {
1329 (reg == VCPU_REGS_RSP) ?
1330 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1331
1332 emulate_push(ctxt);
1333 ++reg;
1334 }
1335 }
1336
1337 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1338 struct x86_emulate_ops *ops)
1339 {
1340 struct decode_cache *c = &ctxt->decode;
1341 int rc = X86EMUL_CONTINUE;
1342 int reg = VCPU_REGS_RDI;
1343
1344 while (reg >= VCPU_REGS_RAX) {
1345 if (reg == VCPU_REGS_RSP) {
1346 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1347 c->op_bytes);
1348 --reg;
1349 }
1350
1351 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1352 if (rc != X86EMUL_CONTINUE)
1353 break;
1354 --reg;
1355 }
1356 return rc;
1357 }
1358
1359 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1360 struct x86_emulate_ops *ops)
1361 {
1362 struct decode_cache *c = &ctxt->decode;
1363
1364 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1365 }
1366
1367 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1368 {
1369 struct decode_cache *c = &ctxt->decode;
1370 switch (c->modrm_reg) {
1371 case 0: /* rol */
1372 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1373 break;
1374 case 1: /* ror */
1375 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1376 break;
1377 case 2: /* rcl */
1378 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1379 break;
1380 case 3: /* rcr */
1381 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1382 break;
1383 case 4: /* sal/shl */
1384 case 6: /* sal/shl */
1385 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1386 break;
1387 case 5: /* shr */
1388 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1389 break;
1390 case 7: /* sar */
1391 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1392 break;
1393 }
1394 }
1395
1396 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1397 struct x86_emulate_ops *ops)
1398 {
1399 struct decode_cache *c = &ctxt->decode;
1400 int rc = X86EMUL_CONTINUE;
1401
1402 switch (c->modrm_reg) {
1403 case 0 ... 1: /* test */
1404 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1405 break;
1406 case 2: /* not */
1407 c->dst.val = ~c->dst.val;
1408 break;
1409 case 3: /* neg */
1410 emulate_1op("neg", c->dst, ctxt->eflags);
1411 break;
1412 default:
1413 DPRINTF("Cannot emulate %02x\n", c->b);
1414 rc = X86EMUL_UNHANDLEABLE;
1415 break;
1416 }
1417 return rc;
1418 }
1419
1420 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1421 struct x86_emulate_ops *ops)
1422 {
1423 struct decode_cache *c = &ctxt->decode;
1424
1425 switch (c->modrm_reg) {
1426 case 0: /* inc */
1427 emulate_1op("inc", c->dst, ctxt->eflags);
1428 break;
1429 case 1: /* dec */
1430 emulate_1op("dec", c->dst, ctxt->eflags);
1431 break;
1432 case 2: /* call near abs */ {
1433 long int old_eip;
1434 old_eip = c->eip;
1435 c->eip = c->src.val;
1436 c->src.val = old_eip;
1437 emulate_push(ctxt);
1438 break;
1439 }
1440 case 4: /* jmp abs */
1441 c->eip = c->src.val;
1442 break;
1443 case 6: /* push */
1444 emulate_push(ctxt);
1445 break;
1446 }
1447 return X86EMUL_CONTINUE;
1448 }
1449
1450 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1451 struct x86_emulate_ops *ops,
1452 unsigned long memop)
1453 {
1454 struct decode_cache *c = &ctxt->decode;
1455 u64 old, new;
1456 int rc;
1457
1458 rc = ops->read_emulated(memop, &old, 8, ctxt->vcpu);
1459 if (rc != X86EMUL_CONTINUE)
1460 return rc;
1461
1462 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1463 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1464
1465 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1466 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1467 ctxt->eflags &= ~EFLG_ZF;
1468
1469 } else {
1470 new = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1471 (u32) c->regs[VCPU_REGS_RBX];
1472
1473 rc = ops->cmpxchg_emulated(memop, &old, &new, 8, ctxt->vcpu);
1474 if (rc != X86EMUL_CONTINUE)
1475 return rc;
1476 ctxt->eflags |= EFLG_ZF;
1477 }
1478 return X86EMUL_CONTINUE;
1479 }
1480
1481 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1482 struct x86_emulate_ops *ops)
1483 {
1484 struct decode_cache *c = &ctxt->decode;
1485 int rc;
1486 unsigned long cs;
1487
1488 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1489 if (rc != X86EMUL_CONTINUE)
1490 return rc;
1491 if (c->op_bytes == 4)
1492 c->eip = (u32)c->eip;
1493 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1494 if (rc != X86EMUL_CONTINUE)
1495 return rc;
1496 rc = kvm_load_segment_descriptor(ctxt->vcpu, (u16)cs, VCPU_SREG_CS);
1497 return rc;
1498 }
1499
1500 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1501 struct x86_emulate_ops *ops)
1502 {
1503 int rc;
1504 struct decode_cache *c = &ctxt->decode;
1505
1506 switch (c->dst.type) {
1507 case OP_REG:
1508 /* The 4-byte case *is* correct:
1509 * in 64-bit mode we zero-extend.
1510 */
1511 switch (c->dst.bytes) {
1512 case 1:
1513 *(u8 *)c->dst.ptr = (u8)c->dst.val;
1514 break;
1515 case 2:
1516 *(u16 *)c->dst.ptr = (u16)c->dst.val;
1517 break;
1518 case 4:
1519 *c->dst.ptr = (u32)c->dst.val;
1520 break; /* 64b: zero-ext */
1521 case 8:
1522 *c->dst.ptr = c->dst.val;
1523 break;
1524 }
1525 break;
1526 case OP_MEM:
1527 if (c->lock_prefix)
1528 rc = ops->cmpxchg_emulated(
1529 (unsigned long)c->dst.ptr,
1530 &c->dst.orig_val,
1531 &c->dst.val,
1532 c->dst.bytes,
1533 ctxt->vcpu);
1534 else
1535 rc = ops->write_emulated(
1536 (unsigned long)c->dst.ptr,
1537 &c->dst.val,
1538 c->dst.bytes,
1539 ctxt->vcpu);
1540 if (rc != X86EMUL_CONTINUE)
1541 return rc;
1542 break;
1543 case OP_NONE:
1544 /* no writeback */
1545 break;
1546 default:
1547 break;
1548 }
1549 return X86EMUL_CONTINUE;
1550 }
1551
1552 static void toggle_interruptibility(struct x86_emulate_ctxt *ctxt, u32 mask)
1553 {
1554 u32 int_shadow = kvm_x86_ops->get_interrupt_shadow(ctxt->vcpu, mask);
1555 /*
1556 * an sti; sti; sequence only disable interrupts for the first
1557 * instruction. So, if the last instruction, be it emulated or
1558 * not, left the system with the INT_STI flag enabled, it
1559 * means that the last instruction is an sti. We should not
1560 * leave the flag on in this case. The same goes for mov ss
1561 */
1562 if (!(int_shadow & mask))
1563 ctxt->interruptibility = mask;
1564 }
1565
1566 static inline void
1567 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1568 struct kvm_segment *cs, struct kvm_segment *ss)
1569 {
1570 memset(cs, 0, sizeof(struct kvm_segment));
1571 kvm_x86_ops->get_segment(ctxt->vcpu, cs, VCPU_SREG_CS);
1572 memset(ss, 0, sizeof(struct kvm_segment));
1573
1574 cs->l = 0; /* will be adjusted later */
1575 cs->base = 0; /* flat segment */
1576 cs->g = 1; /* 4kb granularity */
1577 cs->limit = 0xffffffff; /* 4GB limit */
1578 cs->type = 0x0b; /* Read, Execute, Accessed */
1579 cs->s = 1;
1580 cs->dpl = 0; /* will be adjusted later */
1581 cs->present = 1;
1582 cs->db = 1;
1583
1584 ss->unusable = 0;
1585 ss->base = 0; /* flat segment */
1586 ss->limit = 0xffffffff; /* 4GB limit */
1587 ss->g = 1; /* 4kb granularity */
1588 ss->s = 1;
1589 ss->type = 0x03; /* Read/Write, Accessed */
1590 ss->db = 1; /* 32bit stack segment */
1591 ss->dpl = 0;
1592 ss->present = 1;
1593 }
1594
1595 static int
1596 emulate_syscall(struct x86_emulate_ctxt *ctxt)
1597 {
1598 struct decode_cache *c = &ctxt->decode;
1599 struct kvm_segment cs, ss;
1600 u64 msr_data;
1601
1602 /* syscall is not available in real mode */
1603 if (ctxt->mode == X86EMUL_MODE_REAL ||
1604 ctxt->mode == X86EMUL_MODE_VM86) {
1605 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
1606 return X86EMUL_PROPAGATE_FAULT;
1607 }
1608
1609 setup_syscalls_segments(ctxt, &cs, &ss);
1610
1611 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1612 msr_data >>= 32;
1613 cs.selector = (u16)(msr_data & 0xfffc);
1614 ss.selector = (u16)(msr_data + 8);
1615
1616 if (is_long_mode(ctxt->vcpu)) {
1617 cs.db = 0;
1618 cs.l = 1;
1619 }
1620 kvm_x86_ops->set_segment(ctxt->vcpu, &cs, VCPU_SREG_CS);
1621 kvm_x86_ops->set_segment(ctxt->vcpu, &ss, VCPU_SREG_SS);
1622
1623 c->regs[VCPU_REGS_RCX] = c->eip;
1624 if (is_long_mode(ctxt->vcpu)) {
1625 #ifdef CONFIG_X86_64
1626 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1627
1628 kvm_x86_ops->get_msr(ctxt->vcpu,
1629 ctxt->mode == X86EMUL_MODE_PROT64 ?
1630 MSR_LSTAR : MSR_CSTAR, &msr_data);
1631 c->eip = msr_data;
1632
1633 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1634 ctxt->eflags &= ~(msr_data | EFLG_RF);
1635 #endif
1636 } else {
1637 /* legacy mode */
1638 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1639 c->eip = (u32)msr_data;
1640
1641 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1642 }
1643
1644 return X86EMUL_CONTINUE;
1645 }
1646
1647 static int
1648 emulate_sysenter(struct x86_emulate_ctxt *ctxt)
1649 {
1650 struct decode_cache *c = &ctxt->decode;
1651 struct kvm_segment cs, ss;
1652 u64 msr_data;
1653
1654 /* inject #GP if in real mode */
1655 if (ctxt->mode == X86EMUL_MODE_REAL) {
1656 kvm_inject_gp(ctxt->vcpu, 0);
1657 return X86EMUL_PROPAGATE_FAULT;
1658 }
1659
1660 /* XXX sysenter/sysexit have not been tested in 64bit mode.
1661 * Therefore, we inject an #UD.
1662 */
1663 if (ctxt->mode == X86EMUL_MODE_PROT64) {
1664 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
1665 return X86EMUL_PROPAGATE_FAULT;
1666 }
1667
1668 setup_syscalls_segments(ctxt, &cs, &ss);
1669
1670 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1671 switch (ctxt->mode) {
1672 case X86EMUL_MODE_PROT32:
1673 if ((msr_data & 0xfffc) == 0x0) {
1674 kvm_inject_gp(ctxt->vcpu, 0);
1675 return X86EMUL_PROPAGATE_FAULT;
1676 }
1677 break;
1678 case X86EMUL_MODE_PROT64:
1679 if (msr_data == 0x0) {
1680 kvm_inject_gp(ctxt->vcpu, 0);
1681 return X86EMUL_PROPAGATE_FAULT;
1682 }
1683 break;
1684 }
1685
1686 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1687 cs.selector = (u16)msr_data;
1688 cs.selector &= ~SELECTOR_RPL_MASK;
1689 ss.selector = cs.selector + 8;
1690 ss.selector &= ~SELECTOR_RPL_MASK;
1691 if (ctxt->mode == X86EMUL_MODE_PROT64
1692 || is_long_mode(ctxt->vcpu)) {
1693 cs.db = 0;
1694 cs.l = 1;
1695 }
1696
1697 kvm_x86_ops->set_segment(ctxt->vcpu, &cs, VCPU_SREG_CS);
1698 kvm_x86_ops->set_segment(ctxt->vcpu, &ss, VCPU_SREG_SS);
1699
1700 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
1701 c->eip = msr_data;
1702
1703 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
1704 c->regs[VCPU_REGS_RSP] = msr_data;
1705
1706 return X86EMUL_CONTINUE;
1707 }
1708
1709 static int
1710 emulate_sysexit(struct x86_emulate_ctxt *ctxt)
1711 {
1712 struct decode_cache *c = &ctxt->decode;
1713 struct kvm_segment cs, ss;
1714 u64 msr_data;
1715 int usermode;
1716
1717 /* inject #GP if in real mode or Virtual 8086 mode */
1718 if (ctxt->mode == X86EMUL_MODE_REAL ||
1719 ctxt->mode == X86EMUL_MODE_VM86) {
1720 kvm_inject_gp(ctxt->vcpu, 0);
1721 return X86EMUL_PROPAGATE_FAULT;
1722 }
1723
1724 setup_syscalls_segments(ctxt, &cs, &ss);
1725
1726 if ((c->rex_prefix & 0x8) != 0x0)
1727 usermode = X86EMUL_MODE_PROT64;
1728 else
1729 usermode = X86EMUL_MODE_PROT32;
1730
1731 cs.dpl = 3;
1732 ss.dpl = 3;
1733 kvm_x86_ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1734 switch (usermode) {
1735 case X86EMUL_MODE_PROT32:
1736 cs.selector = (u16)(msr_data + 16);
1737 if ((msr_data & 0xfffc) == 0x0) {
1738 kvm_inject_gp(ctxt->vcpu, 0);
1739 return X86EMUL_PROPAGATE_FAULT;
1740 }
1741 ss.selector = (u16)(msr_data + 24);
1742 break;
1743 case X86EMUL_MODE_PROT64:
1744 cs.selector = (u16)(msr_data + 32);
1745 if (msr_data == 0x0) {
1746 kvm_inject_gp(ctxt->vcpu, 0);
1747 return X86EMUL_PROPAGATE_FAULT;
1748 }
1749 ss.selector = cs.selector + 8;
1750 cs.db = 0;
1751 cs.l = 1;
1752 break;
1753 }
1754 cs.selector |= SELECTOR_RPL_MASK;
1755 ss.selector |= SELECTOR_RPL_MASK;
1756
1757 kvm_x86_ops->set_segment(ctxt->vcpu, &cs, VCPU_SREG_CS);
1758 kvm_x86_ops->set_segment(ctxt->vcpu, &ss, VCPU_SREG_SS);
1759
1760 c->eip = ctxt->vcpu->arch.regs[VCPU_REGS_RDX];
1761 c->regs[VCPU_REGS_RSP] = ctxt->vcpu->arch.regs[VCPU_REGS_RCX];
1762
1763 return X86EMUL_CONTINUE;
1764 }
1765
1766 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
1767 struct x86_emulate_ops *ops)
1768 {
1769 int iopl;
1770 if (ctxt->mode == X86EMUL_MODE_REAL)
1771 return false;
1772 if (ctxt->mode == X86EMUL_MODE_VM86)
1773 return true;
1774 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1775 return ops->cpl(ctxt->vcpu) > iopl;
1776 }
1777
1778 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
1779 struct x86_emulate_ops *ops,
1780 u16 port, u16 len)
1781 {
1782 struct kvm_segment tr_seg;
1783 int r;
1784 u16 io_bitmap_ptr;
1785 u8 perm, bit_idx = port & 0x7;
1786 unsigned mask = (1 << len) - 1;
1787
1788 kvm_get_segment(ctxt->vcpu, &tr_seg, VCPU_SREG_TR);
1789 if (tr_seg.unusable)
1790 return false;
1791 if (tr_seg.limit < 103)
1792 return false;
1793 r = ops->read_std(tr_seg.base + 102, &io_bitmap_ptr, 2, ctxt->vcpu,
1794 NULL);
1795 if (r != X86EMUL_CONTINUE)
1796 return false;
1797 if (io_bitmap_ptr + port/8 > tr_seg.limit)
1798 return false;
1799 r = ops->read_std(tr_seg.base + io_bitmap_ptr + port/8, &perm, 1,
1800 ctxt->vcpu, NULL);
1801 if (r != X86EMUL_CONTINUE)
1802 return false;
1803 if ((perm >> bit_idx) & mask)
1804 return false;
1805 return true;
1806 }
1807
1808 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
1809 struct x86_emulate_ops *ops,
1810 u16 port, u16 len)
1811 {
1812 if (emulator_bad_iopl(ctxt, ops))
1813 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
1814 return false;
1815 return true;
1816 }
1817
1818 int
1819 x86_emulate_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1820 {
1821 unsigned long memop = 0;
1822 u64 msr_data;
1823 unsigned long saved_eip = 0;
1824 struct decode_cache *c = &ctxt->decode;
1825 unsigned int port;
1826 int io_dir_in;
1827 int rc = X86EMUL_CONTINUE;
1828
1829 ctxt->interruptibility = 0;
1830
1831 /* Shadow copy of register state. Committed on successful emulation.
1832 * NOTE: we can copy them from vcpu as x86_decode_insn() doesn't
1833 * modify them.
1834 */
1835
1836 memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
1837 saved_eip = c->eip;
1838
1839 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
1840 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
1841 goto done;
1842 }
1843
1844 /* LOCK prefix is allowed only with some instructions */
1845 if (c->lock_prefix && !(c->d & Lock)) {
1846 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
1847 goto done;
1848 }
1849
1850 /* Privileged instruction can be executed only in CPL=0 */
1851 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
1852 kvm_inject_gp(ctxt->vcpu, 0);
1853 goto done;
1854 }
1855
1856 if (((c->d & ModRM) && (c->modrm_mod != 3)) || (c->d & MemAbs))
1857 memop = c->modrm_ea;
1858
1859 if (c->rep_prefix && (c->d & String)) {
1860 /* All REP prefixes have the same first termination condition */
1861 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
1862 kvm_rip_write(ctxt->vcpu, c->eip);
1863 goto done;
1864 }
1865 /* The second termination condition only applies for REPE
1866 * and REPNE. Test if the repeat string operation prefix is
1867 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
1868 * corresponding termination condition according to:
1869 * - if REPE/REPZ and ZF = 0 then done
1870 * - if REPNE/REPNZ and ZF = 1 then done
1871 */
1872 if ((c->b == 0xa6) || (c->b == 0xa7) ||
1873 (c->b == 0xae) || (c->b == 0xaf)) {
1874 if ((c->rep_prefix == REPE_PREFIX) &&
1875 ((ctxt->eflags & EFLG_ZF) == 0)) {
1876 kvm_rip_write(ctxt->vcpu, c->eip);
1877 goto done;
1878 }
1879 if ((c->rep_prefix == REPNE_PREFIX) &&
1880 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF)) {
1881 kvm_rip_write(ctxt->vcpu, c->eip);
1882 goto done;
1883 }
1884 }
1885 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
1886 c->eip = ctxt->eip;
1887 }
1888
1889 if (c->src.type == OP_MEM) {
1890 c->src.ptr = (unsigned long *)memop;
1891 c->src.val = 0;
1892 rc = ops->read_emulated((unsigned long)c->src.ptr,
1893 &c->src.val,
1894 c->src.bytes,
1895 ctxt->vcpu);
1896 if (rc != X86EMUL_CONTINUE)
1897 goto done;
1898 c->src.orig_val = c->src.val;
1899 }
1900
1901 if (c->src2.type == OP_MEM) {
1902 c->src2.ptr = (unsigned long *)(memop + c->src.bytes);
1903 c->src2.val = 0;
1904 rc = ops->read_emulated((unsigned long)c->src2.ptr,
1905 &c->src2.val,
1906 c->src2.bytes,
1907 ctxt->vcpu);
1908 if (rc != X86EMUL_CONTINUE)
1909 goto done;
1910 }
1911
1912 if ((c->d & DstMask) == ImplicitOps)
1913 goto special_insn;
1914
1915
1916 if (c->dst.type == OP_MEM) {
1917 c->dst.ptr = (unsigned long *)memop;
1918 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1919 c->dst.val = 0;
1920 if (c->d & BitOp) {
1921 unsigned long mask = ~(c->dst.bytes * 8 - 1);
1922
1923 c->dst.ptr = (void *)c->dst.ptr +
1924 (c->src.val & mask) / 8;
1925 }
1926 if (!(c->d & Mov)) {
1927 /* optimisation - avoid slow emulated read */
1928 rc = ops->read_emulated((unsigned long)c->dst.ptr,
1929 &c->dst.val,
1930 c->dst.bytes,
1931 ctxt->vcpu);
1932 if (rc != X86EMUL_CONTINUE)
1933 goto done;
1934 }
1935 }
1936 c->dst.orig_val = c->dst.val;
1937
1938 special_insn:
1939
1940 if (c->twobyte)
1941 goto twobyte_insn;
1942
1943 switch (c->b) {
1944 case 0x00 ... 0x05:
1945 add: /* add */
1946 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
1947 break;
1948 case 0x06: /* push es */
1949 emulate_push_sreg(ctxt, VCPU_SREG_ES);
1950 break;
1951 case 0x07: /* pop es */
1952 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
1953 if (rc != X86EMUL_CONTINUE)
1954 goto done;
1955 break;
1956 case 0x08 ... 0x0d:
1957 or: /* or */
1958 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
1959 break;
1960 case 0x0e: /* push cs */
1961 emulate_push_sreg(ctxt, VCPU_SREG_CS);
1962 break;
1963 case 0x10 ... 0x15:
1964 adc: /* adc */
1965 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
1966 break;
1967 case 0x16: /* push ss */
1968 emulate_push_sreg(ctxt, VCPU_SREG_SS);
1969 break;
1970 case 0x17: /* pop ss */
1971 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
1972 if (rc != X86EMUL_CONTINUE)
1973 goto done;
1974 break;
1975 case 0x18 ... 0x1d:
1976 sbb: /* sbb */
1977 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
1978 break;
1979 case 0x1e: /* push ds */
1980 emulate_push_sreg(ctxt, VCPU_SREG_DS);
1981 break;
1982 case 0x1f: /* pop ds */
1983 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
1984 if (rc != X86EMUL_CONTINUE)
1985 goto done;
1986 break;
1987 case 0x20 ... 0x25:
1988 and: /* and */
1989 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
1990 break;
1991 case 0x28 ... 0x2d:
1992 sub: /* sub */
1993 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
1994 break;
1995 case 0x30 ... 0x35:
1996 xor: /* xor */
1997 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
1998 break;
1999 case 0x38 ... 0x3d:
2000 cmp: /* cmp */
2001 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2002 break;
2003 case 0x40 ... 0x47: /* inc r16/r32 */
2004 emulate_1op("inc", c->dst, ctxt->eflags);
2005 break;
2006 case 0x48 ... 0x4f: /* dec r16/r32 */
2007 emulate_1op("dec", c->dst, ctxt->eflags);
2008 break;
2009 case 0x50 ... 0x57: /* push reg */
2010 emulate_push(ctxt);
2011 break;
2012 case 0x58 ... 0x5f: /* pop reg */
2013 pop_instruction:
2014 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2015 if (rc != X86EMUL_CONTINUE)
2016 goto done;
2017 break;
2018 case 0x60: /* pusha */
2019 emulate_pusha(ctxt);
2020 break;
2021 case 0x61: /* popa */
2022 rc = emulate_popa(ctxt, ops);
2023 if (rc != X86EMUL_CONTINUE)
2024 goto done;
2025 break;
2026 case 0x63: /* movsxd */
2027 if (ctxt->mode != X86EMUL_MODE_PROT64)
2028 goto cannot_emulate;
2029 c->dst.val = (s32) c->src.val;
2030 break;
2031 case 0x68: /* push imm */
2032 case 0x6a: /* push imm8 */
2033 emulate_push(ctxt);
2034 break;
2035 case 0x6c: /* insb */
2036 case 0x6d: /* insw/insd */
2037 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2038 (c->d & ByteOp) ? 1 : c->op_bytes)) {
2039 kvm_inject_gp(ctxt->vcpu, 0);
2040 goto done;
2041 }
2042 if (kvm_emulate_pio_string(ctxt->vcpu,
2043 1,
2044 (c->d & ByteOp) ? 1 : c->op_bytes,
2045 c->rep_prefix ?
2046 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1,
2047 (ctxt->eflags & EFLG_DF),
2048 register_address(c, es_base(ctxt),
2049 c->regs[VCPU_REGS_RDI]),
2050 c->rep_prefix,
2051 c->regs[VCPU_REGS_RDX]) == 0) {
2052 c->eip = saved_eip;
2053 return -1;
2054 }
2055 return 0;
2056 case 0x6e: /* outsb */
2057 case 0x6f: /* outsw/outsd */
2058 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2059 (c->d & ByteOp) ? 1 : c->op_bytes)) {
2060 kvm_inject_gp(ctxt->vcpu, 0);
2061 goto done;
2062 }
2063 if (kvm_emulate_pio_string(ctxt->vcpu,
2064 0,
2065 (c->d & ByteOp) ? 1 : c->op_bytes,
2066 c->rep_prefix ?
2067 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1,
2068 (ctxt->eflags & EFLG_DF),
2069 register_address(c,
2070 seg_override_base(ctxt, c),
2071 c->regs[VCPU_REGS_RSI]),
2072 c->rep_prefix,
2073 c->regs[VCPU_REGS_RDX]) == 0) {
2074 c->eip = saved_eip;
2075 return -1;
2076 }
2077 return 0;
2078 case 0x70 ... 0x7f: /* jcc (short) */
2079 if (test_cc(c->b, ctxt->eflags))
2080 jmp_rel(c, c->src.val);
2081 break;
2082 case 0x80 ... 0x83: /* Grp1 */
2083 switch (c->modrm_reg) {
2084 case 0:
2085 goto add;
2086 case 1:
2087 goto or;
2088 case 2:
2089 goto adc;
2090 case 3:
2091 goto sbb;
2092 case 4:
2093 goto and;
2094 case 5:
2095 goto sub;
2096 case 6:
2097 goto xor;
2098 case 7:
2099 goto cmp;
2100 }
2101 break;
2102 case 0x84 ... 0x85:
2103 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2104 break;
2105 case 0x86 ... 0x87: /* xchg */
2106 xchg:
2107 /* Write back the register source. */
2108 switch (c->dst.bytes) {
2109 case 1:
2110 *(u8 *) c->src.ptr = (u8) c->dst.val;
2111 break;
2112 case 2:
2113 *(u16 *) c->src.ptr = (u16) c->dst.val;
2114 break;
2115 case 4:
2116 *c->src.ptr = (u32) c->dst.val;
2117 break; /* 64b reg: zero-extend */
2118 case 8:
2119 *c->src.ptr = c->dst.val;
2120 break;
2121 }
2122 /*
2123 * Write back the memory destination with implicit LOCK
2124 * prefix.
2125 */
2126 c->dst.val = c->src.val;
2127 c->lock_prefix = 1;
2128 break;
2129 case 0x88 ... 0x8b: /* mov */
2130 goto mov;
2131 case 0x8c: { /* mov r/m, sreg */
2132 struct kvm_segment segreg;
2133
2134 if (c->modrm_reg <= VCPU_SREG_GS)
2135 kvm_get_segment(ctxt->vcpu, &segreg, c->modrm_reg);
2136 else {
2137 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2138 goto done;
2139 }
2140 c->dst.val = segreg.selector;
2141 break;
2142 }
2143 case 0x8d: /* lea r16/r32, m */
2144 c->dst.val = c->modrm_ea;
2145 break;
2146 case 0x8e: { /* mov seg, r/m16 */
2147 uint16_t sel;
2148
2149 sel = c->src.val;
2150
2151 if (c->modrm_reg == VCPU_SREG_CS ||
2152 c->modrm_reg > VCPU_SREG_GS) {
2153 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2154 goto done;
2155 }
2156
2157 if (c->modrm_reg == VCPU_SREG_SS)
2158 toggle_interruptibility(ctxt, KVM_X86_SHADOW_INT_MOV_SS);
2159
2160 rc = kvm_load_segment_descriptor(ctxt->vcpu, sel, c->modrm_reg);
2161
2162 c->dst.type = OP_NONE; /* Disable writeback. */
2163 break;
2164 }
2165 case 0x8f: /* pop (sole member of Grp1a) */
2166 rc = emulate_grp1a(ctxt, ops);
2167 if (rc != X86EMUL_CONTINUE)
2168 goto done;
2169 break;
2170 case 0x90: /* nop / xchg r8,rax */
2171 if (!(c->rex_prefix & 1)) { /* nop */
2172 c->dst.type = OP_NONE;
2173 break;
2174 }
2175 case 0x91 ... 0x97: /* xchg reg,rax */
2176 c->src.type = c->dst.type = OP_REG;
2177 c->src.bytes = c->dst.bytes = c->op_bytes;
2178 c->src.ptr = (unsigned long *) &c->regs[VCPU_REGS_RAX];
2179 c->src.val = *(c->src.ptr);
2180 goto xchg;
2181 case 0x9c: /* pushf */
2182 c->src.val = (unsigned long) ctxt->eflags;
2183 emulate_push(ctxt);
2184 break;
2185 case 0x9d: /* popf */
2186 c->dst.type = OP_REG;
2187 c->dst.ptr = (unsigned long *) &ctxt->eflags;
2188 c->dst.bytes = c->op_bytes;
2189 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
2190 if (rc != X86EMUL_CONTINUE)
2191 goto done;
2192 break;
2193 case 0xa0 ... 0xa1: /* mov */
2194 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
2195 c->dst.val = c->src.val;
2196 break;
2197 case 0xa2 ... 0xa3: /* mov */
2198 c->dst.val = (unsigned long)c->regs[VCPU_REGS_RAX];
2199 break;
2200 case 0xa4 ... 0xa5: /* movs */
2201 c->dst.type = OP_MEM;
2202 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2203 c->dst.ptr = (unsigned long *)register_address(c,
2204 es_base(ctxt),
2205 c->regs[VCPU_REGS_RDI]);
2206 rc = ops->read_emulated(register_address(c,
2207 seg_override_base(ctxt, c),
2208 c->regs[VCPU_REGS_RSI]),
2209 &c->dst.val,
2210 c->dst.bytes, ctxt->vcpu);
2211 if (rc != X86EMUL_CONTINUE)
2212 goto done;
2213 register_address_increment(c, &c->regs[VCPU_REGS_RSI],
2214 (ctxt->eflags & EFLG_DF) ? -c->dst.bytes
2215 : c->dst.bytes);
2216 register_address_increment(c, &c->regs[VCPU_REGS_RDI],
2217 (ctxt->eflags & EFLG_DF) ? -c->dst.bytes
2218 : c->dst.bytes);
2219 break;
2220 case 0xa6 ... 0xa7: /* cmps */
2221 c->src.type = OP_NONE; /* Disable writeback. */
2222 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2223 c->src.ptr = (unsigned long *)register_address(c,
2224 seg_override_base(ctxt, c),
2225 c->regs[VCPU_REGS_RSI]);
2226 rc = ops->read_emulated((unsigned long)c->src.ptr,
2227 &c->src.val,
2228 c->src.bytes,
2229 ctxt->vcpu);
2230 if (rc != X86EMUL_CONTINUE)
2231 goto done;
2232
2233 c->dst.type = OP_NONE; /* Disable writeback. */
2234 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2235 c->dst.ptr = (unsigned long *)register_address(c,
2236 es_base(ctxt),
2237 c->regs[VCPU_REGS_RDI]);
2238 rc = ops->read_emulated((unsigned long)c->dst.ptr,
2239 &c->dst.val,
2240 c->dst.bytes,
2241 ctxt->vcpu);
2242 if (rc != X86EMUL_CONTINUE)
2243 goto done;
2244
2245 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.ptr, c->dst.ptr);
2246
2247 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2248
2249 register_address_increment(c, &c->regs[VCPU_REGS_RSI],
2250 (ctxt->eflags & EFLG_DF) ? -c->src.bytes
2251 : c->src.bytes);
2252 register_address_increment(c, &c->regs[VCPU_REGS_RDI],
2253 (ctxt->eflags & EFLG_DF) ? -c->dst.bytes
2254 : c->dst.bytes);
2255
2256 break;
2257 case 0xaa ... 0xab: /* stos */
2258 c->dst.type = OP_MEM;
2259 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2260 c->dst.ptr = (unsigned long *)register_address(c,
2261 es_base(ctxt),
2262 c->regs[VCPU_REGS_RDI]);
2263 c->dst.val = c->regs[VCPU_REGS_RAX];
2264 register_address_increment(c, &c->regs[VCPU_REGS_RDI],
2265 (ctxt->eflags & EFLG_DF) ? -c->dst.bytes
2266 : c->dst.bytes);
2267 break;
2268 case 0xac ... 0xad: /* lods */
2269 c->dst.type = OP_REG;
2270 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
2271 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
2272 rc = ops->read_emulated(register_address(c,
2273 seg_override_base(ctxt, c),
2274 c->regs[VCPU_REGS_RSI]),
2275 &c->dst.val,
2276 c->dst.bytes,
2277 ctxt->vcpu);
2278 if (rc != X86EMUL_CONTINUE)
2279 goto done;
2280 register_address_increment(c, &c->regs[VCPU_REGS_RSI],
2281 (ctxt->eflags & EFLG_DF) ? -c->dst.bytes
2282 : c->dst.bytes);
2283 break;
2284 case 0xae ... 0xaf: /* scas */
2285 DPRINTF("Urk! I don't handle SCAS.\n");
2286 goto cannot_emulate;
2287 case 0xb0 ... 0xbf: /* mov r, imm */
2288 goto mov;
2289 case 0xc0 ... 0xc1:
2290 emulate_grp2(ctxt);
2291 break;
2292 case 0xc3: /* ret */
2293 c->dst.type = OP_REG;
2294 c->dst.ptr = &c->eip;
2295 c->dst.bytes = c->op_bytes;
2296 goto pop_instruction;
2297 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
2298 mov:
2299 c->dst.val = c->src.val;
2300 break;
2301 case 0xcb: /* ret far */
2302 rc = emulate_ret_far(ctxt, ops);
2303 if (rc != X86EMUL_CONTINUE)
2304 goto done;
2305 break;
2306 case 0xd0 ... 0xd1: /* Grp2 */
2307 c->src.val = 1;
2308 emulate_grp2(ctxt);
2309 break;
2310 case 0xd2 ... 0xd3: /* Grp2 */
2311 c->src.val = c->regs[VCPU_REGS_RCX];
2312 emulate_grp2(ctxt);
2313 break;
2314 case 0xe4: /* inb */
2315 case 0xe5: /* in */
2316 port = c->src.val;
2317 io_dir_in = 1;
2318 goto do_io;
2319 case 0xe6: /* outb */
2320 case 0xe7: /* out */
2321 port = c->src.val;
2322 io_dir_in = 0;
2323 goto do_io;
2324 case 0xe8: /* call (near) */ {
2325 long int rel = c->src.val;
2326 c->src.val = (unsigned long) c->eip;
2327 jmp_rel(c, rel);
2328 emulate_push(ctxt);
2329 break;
2330 }
2331 case 0xe9: /* jmp rel */
2332 goto jmp;
2333 case 0xea: /* jmp far */
2334 jump_far:
2335 if (kvm_load_segment_descriptor(ctxt->vcpu, c->src2.val,
2336 VCPU_SREG_CS))
2337 goto done;
2338
2339 c->eip = c->src.val;
2340 break;
2341 case 0xeb:
2342 jmp: /* jmp rel short */
2343 jmp_rel(c, c->src.val);
2344 c->dst.type = OP_NONE; /* Disable writeback. */
2345 break;
2346 case 0xec: /* in al,dx */
2347 case 0xed: /* in (e/r)ax,dx */
2348 port = c->regs[VCPU_REGS_RDX];
2349 io_dir_in = 1;
2350 goto do_io;
2351 case 0xee: /* out al,dx */
2352 case 0xef: /* out (e/r)ax,dx */
2353 port = c->regs[VCPU_REGS_RDX];
2354 io_dir_in = 0;
2355 do_io:
2356 if (!emulator_io_permited(ctxt, ops, port,
2357 (c->d & ByteOp) ? 1 : c->op_bytes)) {
2358 kvm_inject_gp(ctxt->vcpu, 0);
2359 goto done;
2360 }
2361 if (kvm_emulate_pio(ctxt->vcpu, io_dir_in,
2362 (c->d & ByteOp) ? 1 : c->op_bytes,
2363 port) != 0) {
2364 c->eip = saved_eip;
2365 goto cannot_emulate;
2366 }
2367 break;
2368 case 0xf4: /* hlt */
2369 ctxt->vcpu->arch.halt_request = 1;
2370 break;
2371 case 0xf5: /* cmc */
2372 /* complement carry flag from eflags reg */
2373 ctxt->eflags ^= EFLG_CF;
2374 c->dst.type = OP_NONE; /* Disable writeback. */
2375 break;
2376 case 0xf6 ... 0xf7: /* Grp3 */
2377 rc = emulate_grp3(ctxt, ops);
2378 if (rc != X86EMUL_CONTINUE)
2379 goto done;
2380 break;
2381 case 0xf8: /* clc */
2382 ctxt->eflags &= ~EFLG_CF;
2383 c->dst.type = OP_NONE; /* Disable writeback. */
2384 break;
2385 case 0xfa: /* cli */
2386 if (emulator_bad_iopl(ctxt, ops))
2387 kvm_inject_gp(ctxt->vcpu, 0);
2388 else {
2389 ctxt->eflags &= ~X86_EFLAGS_IF;
2390 c->dst.type = OP_NONE; /* Disable writeback. */
2391 }
2392 break;
2393 case 0xfb: /* sti */
2394 if (emulator_bad_iopl(ctxt, ops))
2395 kvm_inject_gp(ctxt->vcpu, 0);
2396 else {
2397 toggle_interruptibility(ctxt, KVM_X86_SHADOW_INT_STI);
2398 ctxt->eflags |= X86_EFLAGS_IF;
2399 c->dst.type = OP_NONE; /* Disable writeback. */
2400 }
2401 break;
2402 case 0xfc: /* cld */
2403 ctxt->eflags &= ~EFLG_DF;
2404 c->dst.type = OP_NONE; /* Disable writeback. */
2405 break;
2406 case 0xfd: /* std */
2407 ctxt->eflags |= EFLG_DF;
2408 c->dst.type = OP_NONE; /* Disable writeback. */
2409 break;
2410 case 0xfe: /* Grp4 */
2411 grp45:
2412 rc = emulate_grp45(ctxt, ops);
2413 if (rc != X86EMUL_CONTINUE)
2414 goto done;
2415 break;
2416 case 0xff: /* Grp5 */
2417 if (c->modrm_reg == 5)
2418 goto jump_far;
2419 goto grp45;
2420 }
2421
2422 writeback:
2423 rc = writeback(ctxt, ops);
2424 if (rc != X86EMUL_CONTINUE)
2425 goto done;
2426
2427 /* Commit shadow register state. */
2428 memcpy(ctxt->vcpu->arch.regs, c->regs, sizeof c->regs);
2429 kvm_rip_write(ctxt->vcpu, c->eip);
2430
2431 done:
2432 if (rc == X86EMUL_UNHANDLEABLE) {
2433 c->eip = saved_eip;
2434 return -1;
2435 }
2436 return 0;
2437
2438 twobyte_insn:
2439 switch (c->b) {
2440 case 0x01: /* lgdt, lidt, lmsw */
2441 switch (c->modrm_reg) {
2442 u16 size;
2443 unsigned long address;
2444
2445 case 0: /* vmcall */
2446 if (c->modrm_mod != 3 || c->modrm_rm != 1)
2447 goto cannot_emulate;
2448
2449 rc = kvm_fix_hypercall(ctxt->vcpu);
2450 if (rc != X86EMUL_CONTINUE)
2451 goto done;
2452
2453 /* Let the processor re-execute the fixed hypercall */
2454 c->eip = ctxt->eip;
2455 /* Disable writeback. */
2456 c->dst.type = OP_NONE;
2457 break;
2458 case 2: /* lgdt */
2459 rc = read_descriptor(ctxt, ops, c->src.ptr,
2460 &size, &address, c->op_bytes);
2461 if (rc != X86EMUL_CONTINUE)
2462 goto done;
2463 realmode_lgdt(ctxt->vcpu, size, address);
2464 /* Disable writeback. */
2465 c->dst.type = OP_NONE;
2466 break;
2467 case 3: /* lidt/vmmcall */
2468 if (c->modrm_mod == 3) {
2469 switch (c->modrm_rm) {
2470 case 1:
2471 rc = kvm_fix_hypercall(ctxt->vcpu);
2472 if (rc != X86EMUL_CONTINUE)
2473 goto done;
2474 break;
2475 default:
2476 goto cannot_emulate;
2477 }
2478 } else {
2479 rc = read_descriptor(ctxt, ops, c->src.ptr,
2480 &size, &address,
2481 c->op_bytes);
2482 if (rc != X86EMUL_CONTINUE)
2483 goto done;
2484 realmode_lidt(ctxt->vcpu, size, address);
2485 }
2486 /* Disable writeback. */
2487 c->dst.type = OP_NONE;
2488 break;
2489 case 4: /* smsw */
2490 c->dst.bytes = 2;
2491 c->dst.val = ops->get_cr(0, ctxt->vcpu);
2492 break;
2493 case 6: /* lmsw */
2494 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0ful) |
2495 (c->src.val & 0x0f), ctxt->vcpu);
2496 c->dst.type = OP_NONE;
2497 break;
2498 case 5: /* not defined */
2499 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2500 goto done;
2501 case 7: /* invlpg*/
2502 emulate_invlpg(ctxt->vcpu, memop);
2503 /* Disable writeback. */
2504 c->dst.type = OP_NONE;
2505 break;
2506 default:
2507 goto cannot_emulate;
2508 }
2509 break;
2510 case 0x05: /* syscall */
2511 rc = emulate_syscall(ctxt);
2512 if (rc != X86EMUL_CONTINUE)
2513 goto done;
2514 else
2515 goto writeback;
2516 break;
2517 case 0x06:
2518 emulate_clts(ctxt->vcpu);
2519 c->dst.type = OP_NONE;
2520 break;
2521 case 0x08: /* invd */
2522 case 0x09: /* wbinvd */
2523 case 0x0d: /* GrpP (prefetch) */
2524 case 0x18: /* Grp16 (prefetch/nop) */
2525 c->dst.type = OP_NONE;
2526 break;
2527 case 0x20: /* mov cr, reg */
2528 switch (c->modrm_reg) {
2529 case 1:
2530 case 5 ... 7:
2531 case 9 ... 15:
2532 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2533 goto done;
2534 }
2535 c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
2536 c->dst.type = OP_NONE; /* no writeback */
2537 break;
2538 case 0x21: /* mov from dr to reg */
2539 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
2540 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
2541 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2542 goto done;
2543 }
2544 emulator_get_dr(ctxt, c->modrm_reg, &c->regs[c->modrm_rm]);
2545 c->dst.type = OP_NONE; /* no writeback */
2546 break;
2547 case 0x22: /* mov reg, cr */
2548 ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu);
2549 c->dst.type = OP_NONE;
2550 break;
2551 case 0x23: /* mov from reg to dr */
2552 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
2553 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
2554 kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
2555 goto done;
2556 }
2557 emulator_set_dr(ctxt, c->modrm_reg, c->regs[c->modrm_rm]);
2558 c->dst.type = OP_NONE; /* no writeback */
2559 break;
2560 case 0x30:
2561 /* wrmsr */
2562 msr_data = (u32)c->regs[VCPU_REGS_RAX]
2563 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
2564 if (kvm_set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
2565 kvm_inject_gp(ctxt->vcpu, 0);
2566 goto done;
2567 }
2568 rc = X86EMUL_CONTINUE;
2569 c->dst.type = OP_NONE;
2570 break;
2571 case 0x32:
2572 /* rdmsr */
2573 if (kvm_get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
2574 kvm_inject_gp(ctxt->vcpu, 0);
2575 goto done;
2576 } else {
2577 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
2578 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
2579 }
2580 rc = X86EMUL_CONTINUE;
2581 c->dst.type = OP_NONE;
2582 break;
2583 case 0x34: /* sysenter */
2584 rc = emulate_sysenter(ctxt);
2585 if (rc != X86EMUL_CONTINUE)
2586 goto done;
2587 else
2588 goto writeback;
2589 break;
2590 case 0x35: /* sysexit */
2591 rc = emulate_sysexit(ctxt);
2592 if (rc != X86EMUL_CONTINUE)
2593 goto done;
2594 else
2595 goto writeback;
2596 break;
2597 case 0x40 ... 0x4f: /* cmov */
2598 c->dst.val = c->dst.orig_val = c->src.val;
2599 if (!test_cc(c->b, ctxt->eflags))
2600 c->dst.type = OP_NONE; /* no writeback */
2601 break;
2602 case 0x80 ... 0x8f: /* jnz rel, etc*/
2603 if (test_cc(c->b, ctxt->eflags))
2604 jmp_rel(c, c->src.val);
2605 c->dst.type = OP_NONE;
2606 break;
2607 case 0xa0: /* push fs */
2608 emulate_push_sreg(ctxt, VCPU_SREG_FS);
2609 break;
2610 case 0xa1: /* pop fs */
2611 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
2612 if (rc != X86EMUL_CONTINUE)
2613 goto done;
2614 break;
2615 case 0xa3:
2616 bt: /* bt */
2617 c->dst.type = OP_NONE;
2618 /* only subword offset */
2619 c->src.val &= (c->dst.bytes << 3) - 1;
2620 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
2621 break;
2622 case 0xa4: /* shld imm8, r, r/m */
2623 case 0xa5: /* shld cl, r, r/m */
2624 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
2625 break;
2626 case 0xa8: /* push gs */
2627 emulate_push_sreg(ctxt, VCPU_SREG_GS);
2628 break;
2629 case 0xa9: /* pop gs */
2630 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
2631 if (rc != X86EMUL_CONTINUE)
2632 goto done;
2633 break;
2634 case 0xab:
2635 bts: /* bts */
2636 /* only subword offset */
2637 c->src.val &= (c->dst.bytes << 3) - 1;
2638 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
2639 break;
2640 case 0xac: /* shrd imm8, r, r/m */
2641 case 0xad: /* shrd cl, r, r/m */
2642 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
2643 break;
2644 case 0xae: /* clflush */
2645 break;
2646 case 0xb0 ... 0xb1: /* cmpxchg */
2647 /*
2648 * Save real source value, then compare EAX against
2649 * destination.
2650 */
2651 c->src.orig_val = c->src.val;
2652 c->src.val = c->regs[VCPU_REGS_RAX];
2653 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2654 if (ctxt->eflags & EFLG_ZF) {
2655 /* Success: write back to memory. */
2656 c->dst.val = c->src.orig_val;
2657 } else {
2658 /* Failure: write the value we saw to EAX. */
2659 c->dst.type = OP_REG;
2660 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
2661 }
2662 break;
2663 case 0xb3:
2664 btr: /* btr */
2665 /* only subword offset */
2666 c->src.val &= (c->dst.bytes << 3) - 1;
2667 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
2668 break;
2669 case 0xb6 ... 0xb7: /* movzx */
2670 c->dst.bytes = c->op_bytes;
2671 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
2672 : (u16) c->src.val;
2673 break;
2674 case 0xba: /* Grp8 */
2675 switch (c->modrm_reg & 3) {
2676 case 0:
2677 goto bt;
2678 case 1:
2679 goto bts;
2680 case 2:
2681 goto btr;
2682 case 3:
2683 goto btc;
2684 }
2685 break;
2686 case 0xbb:
2687 btc: /* btc */
2688 /* only subword offset */
2689 c->src.val &= (c->dst.bytes << 3) - 1;
2690 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
2691 break;
2692 case 0xbe ... 0xbf: /* movsx */
2693 c->dst.bytes = c->op_bytes;
2694 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
2695 (s16) c->src.val;
2696 break;
2697 case 0xc3: /* movnti */
2698 c->dst.bytes = c->op_bytes;
2699 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
2700 (u64) c->src.val;
2701 break;
2702 case 0xc7: /* Grp9 (cmpxchg8b) */
2703 rc = emulate_grp9(ctxt, ops, memop);
2704 if (rc != X86EMUL_CONTINUE)
2705 goto done;
2706 c->dst.type = OP_NONE;
2707 break;
2708 }
2709 goto writeback;
2710
2711 cannot_emulate:
2712 DPRINTF("Cannot emulate %02x\n", c->b);
2713 c->eip = saved_eip;
2714 return -1;
2715 }
ubuntu-zesty-kernel mirror