]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - arch/x86/kvm/emulate.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
KVM: x86: add Align16 instruction flag
[mirror_ubuntu-artful-kernel.git] / arch / x86 / kvm / emulate.c
1 /******************************************************************************
2 * emulate.c
3 *
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5 *
6 * Copyright (c) 2005 Keir Fraser
7 *
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
10 *
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
13 *
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
16 *
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
19 *
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
21 */
22
23 #include <linux/kvm_host.h>
24 #include "kvm_cache_regs.h"
25 #include <asm/kvm_emulate.h>
26 #include <linux/stringify.h>
27 #include <asm/debugreg.h>
28
29 #include "x86.h"
30 #include "tss.h"
31
32 /*
33 * Operand types
34 */
35 #define OpNone 0ull
36 #define OpImplicit 1ull /* No generic decode */
37 #define OpReg 2ull /* Register */
38 #define OpMem 3ull /* Memory */
39 #define OpAcc 4ull /* Accumulator: AL/AX/EAX/RAX */
40 #define OpDI 5ull /* ES:DI/EDI/RDI */
41 #define OpMem64 6ull /* Memory, 64-bit */
42 #define OpImmUByte 7ull /* Zero-extended 8-bit immediate */
43 #define OpDX 8ull /* DX register */
44 #define OpCL 9ull /* CL register (for shifts) */
45 #define OpImmByte 10ull /* 8-bit sign extended immediate */
46 #define OpOne 11ull /* Implied 1 */
47 #define OpImm 12ull /* Sign extended up to 32-bit immediate */
48 #define OpMem16 13ull /* Memory operand (16-bit). */
49 #define OpMem32 14ull /* Memory operand (32-bit). */
50 #define OpImmU 15ull /* Immediate operand, zero extended */
51 #define OpSI 16ull /* SI/ESI/RSI */
52 #define OpImmFAddr 17ull /* Immediate far address */
53 #define OpMemFAddr 18ull /* Far address in memory */
54 #define OpImmU16 19ull /* Immediate operand, 16 bits, zero extended */
55 #define OpES 20ull /* ES */
56 #define OpCS 21ull /* CS */
57 #define OpSS 22ull /* SS */
58 #define OpDS 23ull /* DS */
59 #define OpFS 24ull /* FS */
60 #define OpGS 25ull /* GS */
61 #define OpMem8 26ull /* 8-bit zero extended memory operand */
62 #define OpImm64 27ull /* Sign extended 16/32/64-bit immediate */
63 #define OpXLat 28ull /* memory at BX/EBX/RBX + zero-extended AL */
64 #define OpAccLo 29ull /* Low part of extended acc (AX/AX/EAX/RAX) */
65 #define OpAccHi 30ull /* High part of extended acc (-/DX/EDX/RDX) */
66
67 #define OpBits 5 /* Width of operand field */
68 #define OpMask ((1ull << OpBits) - 1)
69
70 /*
71 * Opcode effective-address decode tables.
72 * Note that we only emulate instructions that have at least one memory
73 * operand (excluding implicit stack references). We assume that stack
74 * references and instruction fetches will never occur in special memory
75 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
76 * not be handled.
77 */
78
79 /* Operand sizes: 8-bit operands or specified/overridden size. */
80 #define ByteOp (1<<0) /* 8-bit operands. */
81 /* Destination operand type. */
82 #define DstShift 1
83 #define ImplicitOps (OpImplicit << DstShift)
84 #define DstReg (OpReg << DstShift)
85 #define DstMem (OpMem << DstShift)
86 #define DstAcc (OpAcc << DstShift)
87 #define DstDI (OpDI << DstShift)
88 #define DstMem64 (OpMem64 << DstShift)
89 #define DstMem16 (OpMem16 << DstShift)
90 #define DstImmUByte (OpImmUByte << DstShift)
91 #define DstDX (OpDX << DstShift)
92 #define DstAccLo (OpAccLo << DstShift)
93 #define DstMask (OpMask << DstShift)
94 /* Source operand type. */
95 #define SrcShift 6
96 #define SrcNone (OpNone << SrcShift)
97 #define SrcReg (OpReg << SrcShift)
98 #define SrcMem (OpMem << SrcShift)
99 #define SrcMem16 (OpMem16 << SrcShift)
100 #define SrcMem32 (OpMem32 << SrcShift)
101 #define SrcImm (OpImm << SrcShift)
102 #define SrcImmByte (OpImmByte << SrcShift)
103 #define SrcOne (OpOne << SrcShift)
104 #define SrcImmUByte (OpImmUByte << SrcShift)
105 #define SrcImmU (OpImmU << SrcShift)
106 #define SrcSI (OpSI << SrcShift)
107 #define SrcXLat (OpXLat << SrcShift)
108 #define SrcImmFAddr (OpImmFAddr << SrcShift)
109 #define SrcMemFAddr (OpMemFAddr << SrcShift)
110 #define SrcAcc (OpAcc << SrcShift)
111 #define SrcImmU16 (OpImmU16 << SrcShift)
112 #define SrcImm64 (OpImm64 << SrcShift)
113 #define SrcDX (OpDX << SrcShift)
114 #define SrcMem8 (OpMem8 << SrcShift)
115 #define SrcAccHi (OpAccHi << SrcShift)
116 #define SrcMask (OpMask << SrcShift)
117 #define BitOp (1<<11)
118 #define MemAbs (1<<12) /* Memory operand is absolute displacement */
119 #define String (1<<13) /* String instruction (rep capable) */
120 #define Stack (1<<14) /* Stack instruction (push/pop) */
121 #define GroupMask (7<<15) /* Opcode uses one of the group mechanisms */
122 #define Group (1<<15) /* Bits 3:5 of modrm byte extend opcode */
123 #define GroupDual (2<<15) /* Alternate decoding of mod == 3 */
124 #define Prefix (3<<15) /* Instruction varies with 66/f2/f3 prefix */
125 #define RMExt (4<<15) /* Opcode extension in ModRM r/m if mod == 3 */
126 #define Escape (5<<15) /* Escape to coprocessor instruction */
127 #define InstrDual (6<<15) /* Alternate instruction decoding of mod == 3 */
128 #define ModeDual (7<<15) /* Different instruction for 32/64 bit */
129 #define Sse (1<<18) /* SSE Vector instruction */
130 /* Generic ModRM decode. */
131 #define ModRM (1<<19)
132 /* Destination is only written; never read. */
133 #define Mov (1<<20)
134 /* Misc flags */
135 #define Prot (1<<21) /* instruction generates #UD if not in prot-mode */
136 #define EmulateOnUD (1<<22) /* Emulate if unsupported by the host */
137 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
138 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
139 #define Undefined (1<<25) /* No Such Instruction */
140 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
141 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
142 #define No64 (1<<28)
143 #define PageTable (1 << 29) /* instruction used to write page table */
144 #define NotImpl (1 << 30) /* instruction is not implemented */
145 /* Source 2 operand type */
146 #define Src2Shift (31)
147 #define Src2None (OpNone << Src2Shift)
148 #define Src2Mem (OpMem << Src2Shift)
149 #define Src2CL (OpCL << Src2Shift)
150 #define Src2ImmByte (OpImmByte << Src2Shift)
151 #define Src2One (OpOne << Src2Shift)
152 #define Src2Imm (OpImm << Src2Shift)
153 #define Src2ES (OpES << Src2Shift)
154 #define Src2CS (OpCS << Src2Shift)
155 #define Src2SS (OpSS << Src2Shift)
156 #define Src2DS (OpDS << Src2Shift)
157 #define Src2FS (OpFS << Src2Shift)
158 #define Src2GS (OpGS << Src2Shift)
159 #define Src2Mask (OpMask << Src2Shift)
160 #define Mmx ((u64)1 << 40) /* MMX Vector instruction */
161 #define Aligned ((u64)1 << 41) /* Explicitly aligned (e.g. MOVDQA) */
162 #define Unaligned ((u64)1 << 42) /* Explicitly unaligned (e.g. MOVDQU) */
163 #define Avx ((u64)1 << 43) /* Advanced Vector Extensions */
164 #define Fastop ((u64)1 << 44) /* Use opcode::u.fastop */
165 #define NoWrite ((u64)1 << 45) /* No writeback */
166 #define SrcWrite ((u64)1 << 46) /* Write back src operand */
167 #define NoMod ((u64)1 << 47) /* Mod field is ignored */
168 #define Intercept ((u64)1 << 48) /* Has valid intercept field */
169 #define CheckPerm ((u64)1 << 49) /* Has valid check_perm field */
170 #define PrivUD ((u64)1 << 51) /* #UD instead of #GP on CPL > 0 */
171 #define NearBranch ((u64)1 << 52) /* Near branches */
172 #define No16 ((u64)1 << 53) /* No 16 bit operand */
173 #define IncSP ((u64)1 << 54) /* SP is incremented before ModRM calc */
174 #define Aligned16 ((u64)1 << 55) /* Aligned to 16 byte boundary (e.g. FXSAVE) */
175
176 #define DstXacc (DstAccLo | SrcAccHi | SrcWrite)
177
178 #define X2(x...) x, x
179 #define X3(x...) X2(x), x
180 #define X4(x...) X2(x), X2(x)
181 #define X5(x...) X4(x), x
182 #define X6(x...) X4(x), X2(x)
183 #define X7(x...) X4(x), X3(x)
184 #define X8(x...) X4(x), X4(x)
185 #define X16(x...) X8(x), X8(x)
186
187 #define NR_FASTOP (ilog2(sizeof(ulong)) + 1)
188 #define FASTOP_SIZE 8
189
190 /*
191 * fastop functions have a special calling convention:
192 *
193 * dst: rax (in/out)
194 * src: rdx (in/out)
195 * src2: rcx (in)
196 * flags: rflags (in/out)
197 * ex: rsi (in:fastop pointer, out:zero if exception)
198 *
199 * Moreover, they are all exactly FASTOP_SIZE bytes long, so functions for
200 * different operand sizes can be reached by calculation, rather than a jump
201 * table (which would be bigger than the code).
202 *
203 * fastop functions are declared as taking a never-defined fastop parameter,
204 * so they can't be called from C directly.
205 */
206
207 struct fastop;
208
209 struct opcode {
210 u64 flags : 56;
211 u64 intercept : 8;
212 union {
213 int (*execute)(struct x86_emulate_ctxt *ctxt);
214 const struct opcode *group;
215 const struct group_dual *gdual;
216 const struct gprefix *gprefix;
217 const struct escape *esc;
218 const struct instr_dual *idual;
219 const struct mode_dual *mdual;
220 void (*fastop)(struct fastop *fake);
221 } u;
222 int (*check_perm)(struct x86_emulate_ctxt *ctxt);
223 };
224
225 struct group_dual {
226 struct opcode mod012[8];
227 struct opcode mod3[8];
228 };
229
230 struct gprefix {
231 struct opcode pfx_no;
232 struct opcode pfx_66;
233 struct opcode pfx_f2;
234 struct opcode pfx_f3;
235 };
236
237 struct escape {
238 struct opcode op[8];
239 struct opcode high[64];
240 };
241
242 struct instr_dual {
243 struct opcode mod012;
244 struct opcode mod3;
245 };
246
247 struct mode_dual {
248 struct opcode mode32;
249 struct opcode mode64;
250 };
251
252 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
253
254 enum x86_transfer_type {
255 X86_TRANSFER_NONE,
256 X86_TRANSFER_CALL_JMP,
257 X86_TRANSFER_RET,
258 X86_TRANSFER_TASK_SWITCH,
259 };
260
261 static ulong reg_read(struct x86_emulate_ctxt *ctxt, unsigned nr)
262 {
263 if (!(ctxt->regs_valid & (1 << nr))) {
264 ctxt->regs_valid |= 1 << nr;
265 ctxt->_regs[nr] = ctxt->ops->read_gpr(ctxt, nr);
266 }
267 return ctxt->_regs[nr];
268 }
269
270 static ulong *reg_write(struct x86_emulate_ctxt *ctxt, unsigned nr)
271 {
272 ctxt->regs_valid |= 1 << nr;
273 ctxt->regs_dirty |= 1 << nr;
274 return &ctxt->_regs[nr];
275 }
276
277 static ulong *reg_rmw(struct x86_emulate_ctxt *ctxt, unsigned nr)
278 {
279 reg_read(ctxt, nr);
280 return reg_write(ctxt, nr);
281 }
282
283 static void writeback_registers(struct x86_emulate_ctxt *ctxt)
284 {
285 unsigned reg;
286
287 for_each_set_bit(reg, (ulong *)&ctxt->regs_dirty, 16)
288 ctxt->ops->write_gpr(ctxt, reg, ctxt->_regs[reg]);
289 }
290
291 static void invalidate_registers(struct x86_emulate_ctxt *ctxt)
292 {
293 ctxt->regs_dirty = 0;
294 ctxt->regs_valid = 0;
295 }
296
297 /*
298 * These EFLAGS bits are restored from saved value during emulation, and
299 * any changes are written back to the saved value after emulation.
300 */
301 #define EFLAGS_MASK (X86_EFLAGS_OF|X86_EFLAGS_SF|X86_EFLAGS_ZF|X86_EFLAGS_AF|\
302 X86_EFLAGS_PF|X86_EFLAGS_CF)
303
304 #ifdef CONFIG_X86_64
305 #define ON64(x) x
306 #else
307 #define ON64(x)
308 #endif
309
310 static int fastop(struct x86_emulate_ctxt *ctxt, void (*fop)(struct fastop *));
311
312 #define FOP_FUNC(name) \
313 ".align " __stringify(FASTOP_SIZE) " \n\t" \
314 ".type " name ", @function \n\t" \
315 name ":\n\t"
316
317 #define FOP_RET "ret \n\t"
318
319 #define FOP_START(op) \
320 extern void em_##op(struct fastop *fake); \
321 asm(".pushsection .text, \"ax\" \n\t" \
322 ".global em_" #op " \n\t" \
323 FOP_FUNC("em_" #op)
324
325 #define FOP_END \
326 ".popsection")
327
328 #define FOPNOP() \
329 FOP_FUNC(__stringify(__UNIQUE_ID(nop))) \
330 FOP_RET
331
332 #define FOP1E(op, dst) \
333 FOP_FUNC(#op "_" #dst) \
334 "10: " #op " %" #dst " \n\t" FOP_RET
335
336 #define FOP1EEX(op, dst) \
337 FOP1E(op, dst) _ASM_EXTABLE(10b, kvm_fastop_exception)
338
339 #define FASTOP1(op) \
340 FOP_START(op) \
341 FOP1E(op##b, al) \
342 FOP1E(op##w, ax) \
343 FOP1E(op##l, eax) \
344 ON64(FOP1E(op##q, rax)) \
345 FOP_END
346
347 /* 1-operand, using src2 (for MUL/DIV r/m) */
348 #define FASTOP1SRC2(op, name) \
349 FOP_START(name) \
350 FOP1E(op, cl) \
351 FOP1E(op, cx) \
352 FOP1E(op, ecx) \
353 ON64(FOP1E(op, rcx)) \
354 FOP_END
355
356 /* 1-operand, using src2 (for MUL/DIV r/m), with exceptions */
357 #define FASTOP1SRC2EX(op, name) \
358 FOP_START(name) \
359 FOP1EEX(op, cl) \
360 FOP1EEX(op, cx) \
361 FOP1EEX(op, ecx) \
362 ON64(FOP1EEX(op, rcx)) \
363 FOP_END
364
365 #define FOP2E(op, dst, src) \
366 FOP_FUNC(#op "_" #dst "_" #src) \
367 #op " %" #src ", %" #dst " \n\t" FOP_RET
368
369 #define FASTOP2(op) \
370 FOP_START(op) \
371 FOP2E(op##b, al, dl) \
372 FOP2E(op##w, ax, dx) \
373 FOP2E(op##l, eax, edx) \
374 ON64(FOP2E(op##q, rax, rdx)) \
375 FOP_END
376
377 /* 2 operand, word only */
378 #define FASTOP2W(op) \
379 FOP_START(op) \
380 FOPNOP() \
381 FOP2E(op##w, ax, dx) \
382 FOP2E(op##l, eax, edx) \
383 ON64(FOP2E(op##q, rax, rdx)) \
384 FOP_END
385
386 /* 2 operand, src is CL */
387 #define FASTOP2CL(op) \
388 FOP_START(op) \
389 FOP2E(op##b, al, cl) \
390 FOP2E(op##w, ax, cl) \
391 FOP2E(op##l, eax, cl) \
392 ON64(FOP2E(op##q, rax, cl)) \
393 FOP_END
394
395 /* 2 operand, src and dest are reversed */
396 #define FASTOP2R(op, name) \
397 FOP_START(name) \
398 FOP2E(op##b, dl, al) \
399 FOP2E(op##w, dx, ax) \
400 FOP2E(op##l, edx, eax) \
401 ON64(FOP2E(op##q, rdx, rax)) \
402 FOP_END
403
404 #define FOP3E(op, dst, src, src2) \
405 FOP_FUNC(#op "_" #dst "_" #src "_" #src2) \
406 #op " %" #src2 ", %" #src ", %" #dst " \n\t" FOP_RET
407
408 /* 3-operand, word-only, src2=cl */
409 #define FASTOP3WCL(op) \
410 FOP_START(op) \
411 FOPNOP() \
412 FOP3E(op##w, ax, dx, cl) \
413 FOP3E(op##l, eax, edx, cl) \
414 ON64(FOP3E(op##q, rax, rdx, cl)) \
415 FOP_END
416
417 /* Special case for SETcc - 1 instruction per cc */
418 #define FOP_SETCC(op) \
419 ".align 4 \n\t" \
420 ".type " #op ", @function \n\t" \
421 #op ": \n\t" \
422 #op " %al \n\t" \
423 FOP_RET
424
425 asm(".global kvm_fastop_exception \n"
426 "kvm_fastop_exception: xor %esi, %esi; ret");
427
428 FOP_START(setcc)
429 FOP_SETCC(seto)
430 FOP_SETCC(setno)
431 FOP_SETCC(setc)
432 FOP_SETCC(setnc)
433 FOP_SETCC(setz)
434 FOP_SETCC(setnz)
435 FOP_SETCC(setbe)
436 FOP_SETCC(setnbe)
437 FOP_SETCC(sets)
438 FOP_SETCC(setns)
439 FOP_SETCC(setp)
440 FOP_SETCC(setnp)
441 FOP_SETCC(setl)
442 FOP_SETCC(setnl)
443 FOP_SETCC(setle)
444 FOP_SETCC(setnle)
445 FOP_END;
446
447 FOP_START(salc) "pushf; sbb %al, %al; popf \n\t" FOP_RET
448 FOP_END;
449
450 static int emulator_check_intercept(struct x86_emulate_ctxt *ctxt,
451 enum x86_intercept intercept,
452 enum x86_intercept_stage stage)
453 {
454 struct x86_instruction_info info = {
455 .intercept = intercept,
456 .rep_prefix = ctxt->rep_prefix,
457 .modrm_mod = ctxt->modrm_mod,
458 .modrm_reg = ctxt->modrm_reg,
459 .modrm_rm = ctxt->modrm_rm,
460 .src_val = ctxt->src.val64,
461 .dst_val = ctxt->dst.val64,
462 .src_bytes = ctxt->src.bytes,
463 .dst_bytes = ctxt->dst.bytes,
464 .ad_bytes = ctxt->ad_bytes,
465 .next_rip = ctxt->eip,
466 };
467
468 return ctxt->ops->intercept(ctxt, &info, stage);
469 }
470
471 static void assign_masked(ulong *dest, ulong src, ulong mask)
472 {
473 *dest = (*dest & ~mask) | (src & mask);
474 }
475
476 static void assign_register(unsigned long *reg, u64 val, int bytes)
477 {
478 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
479 switch (bytes) {
480 case 1:
481 *(u8 *)reg = (u8)val;
482 break;
483 case 2:
484 *(u16 *)reg = (u16)val;
485 break;
486 case 4:
487 *reg = (u32)val;
488 break; /* 64b: zero-extend */
489 case 8:
490 *reg = val;
491 break;
492 }
493 }
494
495 static inline unsigned long ad_mask(struct x86_emulate_ctxt *ctxt)
496 {
497 return (1UL << (ctxt->ad_bytes << 3)) - 1;
498 }
499
500 static ulong stack_mask(struct x86_emulate_ctxt *ctxt)
501 {
502 u16 sel;
503 struct desc_struct ss;
504
505 if (ctxt->mode == X86EMUL_MODE_PROT64)
506 return ~0UL;
507 ctxt->ops->get_segment(ctxt, &sel, &ss, NULL, VCPU_SREG_SS);
508 return ~0U >> ((ss.d ^ 1) * 16); /* d=0: 0xffff; d=1: 0xffffffff */
509 }
510
511 static int stack_size(struct x86_emulate_ctxt *ctxt)
512 {
513 return (__fls(stack_mask(ctxt)) + 1) >> 3;
514 }
515
516 /* Access/update address held in a register, based on addressing mode. */
517 static inline unsigned long
518 address_mask(struct x86_emulate_ctxt *ctxt, unsigned long reg)
519 {
520 if (ctxt->ad_bytes == sizeof(unsigned long))
521 return reg;
522 else
523 return reg & ad_mask(ctxt);
524 }
525
526 static inline unsigned long
527 register_address(struct x86_emulate_ctxt *ctxt, int reg)
528 {
529 return address_mask(ctxt, reg_read(ctxt, reg));
530 }
531
532 static void masked_increment(ulong *reg, ulong mask, int inc)
533 {
534 assign_masked(reg, *reg + inc, mask);
535 }
536
537 static inline void
538 register_address_increment(struct x86_emulate_ctxt *ctxt, int reg, int inc)
539 {
540 ulong *preg = reg_rmw(ctxt, reg);
541
542 assign_register(preg, *preg + inc, ctxt->ad_bytes);
543 }
544
545 static void rsp_increment(struct x86_emulate_ctxt *ctxt, int inc)
546 {
547 masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc);
548 }
549
550 static u32 desc_limit_scaled(struct desc_struct *desc)
551 {
552 u32 limit = get_desc_limit(desc);
553
554 return desc->g ? (limit << 12) | 0xfff : limit;
555 }
556
557 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
558 {
559 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
560 return 0;
561
562 return ctxt->ops->get_cached_segment_base(ctxt, seg);
563 }
564
565 static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
566 u32 error, bool valid)
567 {
568 WARN_ON(vec > 0x1f);
569 ctxt->exception.vector = vec;
570 ctxt->exception.error_code = error;
571 ctxt->exception.error_code_valid = valid;
572 return X86EMUL_PROPAGATE_FAULT;
573 }
574
575 static int emulate_db(struct x86_emulate_ctxt *ctxt)
576 {
577 return emulate_exception(ctxt, DB_VECTOR, 0, false);
578 }
579
580 static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
581 {
582 return emulate_exception(ctxt, GP_VECTOR, err, true);
583 }
584
585 static int emulate_ss(struct x86_emulate_ctxt *ctxt, int err)
586 {
587 return emulate_exception(ctxt, SS_VECTOR, err, true);
588 }
589
590 static int emulate_ud(struct x86_emulate_ctxt *ctxt)
591 {
592 return emulate_exception(ctxt, UD_VECTOR, 0, false);
593 }
594
595 static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
596 {
597 return emulate_exception(ctxt, TS_VECTOR, err, true);
598 }
599
600 static int emulate_de(struct x86_emulate_ctxt *ctxt)
601 {
602 return emulate_exception(ctxt, DE_VECTOR, 0, false);
603 }
604
605 static int emulate_nm(struct x86_emulate_ctxt *ctxt)
606 {
607 return emulate_exception(ctxt, NM_VECTOR, 0, false);
608 }
609
610 static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
611 {
612 u16 selector;
613 struct desc_struct desc;
614
615 ctxt->ops->get_segment(ctxt, &selector, &desc, NULL, seg);
616 return selector;
617 }
618
619 static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
620 unsigned seg)
621 {
622 u16 dummy;
623 u32 base3;
624 struct desc_struct desc;
625
626 ctxt->ops->get_segment(ctxt, &dummy, &desc, &base3, seg);
627 ctxt->ops->set_segment(ctxt, selector, &desc, base3, seg);
628 }
629
630 /*
631 * x86 defines three classes of vector instructions: explicitly
632 * aligned, explicitly unaligned, and the rest, which change behaviour
633 * depending on whether they're AVX encoded or not.
634 *
635 * Also included is CMPXCHG16B which is not a vector instruction, yet it is
636 * subject to the same check. FXSAVE and FXRSTOR are checked here too as their
637 * 512 bytes of data must be aligned to a 16 byte boundary.
638 */
639 static unsigned insn_alignment(struct x86_emulate_ctxt *ctxt, unsigned size)
640 {
641 if (likely(size < 16))
642 return 1;
643
644 if (ctxt->d & Aligned)
645 return size;
646 else if (ctxt->d & Unaligned)
647 return 1;
648 else if (ctxt->d & Avx)
649 return 1;
650 else if (ctxt->d & Aligned16)
651 return 16;
652 else
653 return size;
654 }
655
656 static __always_inline int __linearize(struct x86_emulate_ctxt *ctxt,
657 struct segmented_address addr,
658 unsigned *max_size, unsigned size,
659 bool write, bool fetch,
660 enum x86emul_mode mode, ulong *linear)
661 {
662 struct desc_struct desc;
663 bool usable;
664 ulong la;
665 u32 lim;
666 u16 sel;
667
668 la = seg_base(ctxt, addr.seg) + addr.ea;
669 *max_size = 0;
670 switch (mode) {
671 case X86EMUL_MODE_PROT64:
672 *linear = la;
673 if (is_noncanonical_address(la))
674 goto bad;
675
676 *max_size = min_t(u64, ~0u, (1ull << 48) - la);
677 if (size > *max_size)
678 goto bad;
679 break;
680 default:
681 *linear = la = (u32)la;
682 usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
683 addr.seg);
684 if (!usable)
685 goto bad;
686 /* code segment in protected mode or read-only data segment */
687 if ((((ctxt->mode != X86EMUL_MODE_REAL) && (desc.type & 8))
688 || !(desc.type & 2)) && write)
689 goto bad;
690 /* unreadable code segment */
691 if (!fetch && (desc.type & 8) && !(desc.type & 2))
692 goto bad;
693 lim = desc_limit_scaled(&desc);
694 if (!(desc.type & 8) && (desc.type & 4)) {
695 /* expand-down segment */
696 if (addr.ea <= lim)
697 goto bad;
698 lim = desc.d ? 0xffffffff : 0xffff;
699 }
700 if (addr.ea > lim)
701 goto bad;
702 if (lim == 0xffffffff)
703 *max_size = ~0u;
704 else {
705 *max_size = (u64)lim + 1 - addr.ea;
706 if (size > *max_size)
707 goto bad;
708 }
709 break;
710 }
711 if (la & (insn_alignment(ctxt, size) - 1))
712 return emulate_gp(ctxt, 0);
713 return X86EMUL_CONTINUE;
714 bad:
715 if (addr.seg == VCPU_SREG_SS)
716 return emulate_ss(ctxt, 0);
717 else
718 return emulate_gp(ctxt, 0);
719 }
720
721 static int linearize(struct x86_emulate_ctxt *ctxt,
722 struct segmented_address addr,
723 unsigned size, bool write,
724 ulong *linear)
725 {
726 unsigned max_size;
727 return __linearize(ctxt, addr, &max_size, size, write, false,
728 ctxt->mode, linear);
729 }
730
731 static inline int assign_eip(struct x86_emulate_ctxt *ctxt, ulong dst,
732 enum x86emul_mode mode)
733 {
734 ulong linear;
735 int rc;
736 unsigned max_size;
737 struct segmented_address addr = { .seg = VCPU_SREG_CS,
738 .ea = dst };
739
740 if (ctxt->op_bytes != sizeof(unsigned long))
741 addr.ea = dst & ((1UL << (ctxt->op_bytes << 3)) - 1);
742 rc = __linearize(ctxt, addr, &max_size, 1, false, true, mode, &linear);
743 if (rc == X86EMUL_CONTINUE)
744 ctxt->_eip = addr.ea;
745 return rc;
746 }
747
748 static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
749 {
750 return assign_eip(ctxt, dst, ctxt->mode);
751 }
752
753 static int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst,
754 const struct desc_struct *cs_desc)
755 {
756 enum x86emul_mode mode = ctxt->mode;
757 int rc;
758
759 #ifdef CONFIG_X86_64
760 if (ctxt->mode >= X86EMUL_MODE_PROT16) {
761 if (cs_desc->l) {
762 u64 efer = 0;
763
764 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
765 if (efer & EFER_LMA)
766 mode = X86EMUL_MODE_PROT64;
767 } else
768 mode = X86EMUL_MODE_PROT32; /* temporary value */
769 }
770 #endif
771 if (mode == X86EMUL_MODE_PROT16 || mode == X86EMUL_MODE_PROT32)
772 mode = cs_desc->d ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16;
773 rc = assign_eip(ctxt, dst, mode);
774 if (rc == X86EMUL_CONTINUE)
775 ctxt->mode = mode;
776 return rc;
777 }
778
779 static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
780 {
781 return assign_eip_near(ctxt, ctxt->_eip + rel);
782 }
783
784 static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
785 struct segmented_address addr,
786 void *data,
787 unsigned size)
788 {
789 int rc;
790 ulong linear;
791
792 rc = linearize(ctxt, addr, size, false, &linear);
793 if (rc != X86EMUL_CONTINUE)
794 return rc;
795 return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
796 }
797
798 /*
799 * Prefetch the remaining bytes of the instruction without crossing page
800 * boundary if they are not in fetch_cache yet.
801 */
802 static int __do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt, int op_size)
803 {
804 int rc;
805 unsigned size, max_size;
806 unsigned long linear;
807 int cur_size = ctxt->fetch.end - ctxt->fetch.data;
808 struct segmented_address addr = { .seg = VCPU_SREG_CS,
809 .ea = ctxt->eip + cur_size };
810
811 /*
812 * We do not know exactly how many bytes will be needed, and
813 * __linearize is expensive, so fetch as much as possible. We
814 * just have to avoid going beyond the 15 byte limit, the end
815 * of the segment, or the end of the page.
816 *
817 * __linearize is called with size 0 so that it does not do any
818 * boundary check itself. Instead, we use max_size to check
819 * against op_size.
820 */
821 rc = __linearize(ctxt, addr, &max_size, 0, false, true, ctxt->mode,
822 &linear);
823 if (unlikely(rc != X86EMUL_CONTINUE))
824 return rc;
825
826 size = min_t(unsigned, 15UL ^ cur_size, max_size);
827 size = min_t(unsigned, size, PAGE_SIZE - offset_in_page(linear));
828
829 /*
830 * One instruction can only straddle two pages,
831 * and one has been loaded at the beginning of
832 * x86_decode_insn. So, if not enough bytes
833 * still, we must have hit the 15-byte boundary.
834 */
835 if (unlikely(size < op_size))
836 return emulate_gp(ctxt, 0);
837
838 rc = ctxt->ops->fetch(ctxt, linear, ctxt->fetch.end,
839 size, &ctxt->exception);
840 if (unlikely(rc != X86EMUL_CONTINUE))
841 return rc;
842 ctxt->fetch.end += size;
843 return X86EMUL_CONTINUE;
844 }
845
846 static __always_inline int do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt,
847 unsigned size)
848 {
849 unsigned done_size = ctxt->fetch.end - ctxt->fetch.ptr;
850
851 if (unlikely(done_size < size))
852 return __do_insn_fetch_bytes(ctxt, size - done_size);
853 else
854 return X86EMUL_CONTINUE;
855 }
856
857 /* Fetch next part of the instruction being emulated. */
858 #define insn_fetch(_type, _ctxt) \
859 ({ _type _x; \
860 \
861 rc = do_insn_fetch_bytes(_ctxt, sizeof(_type)); \
862 if (rc != X86EMUL_CONTINUE) \
863 goto done; \
864 ctxt->_eip += sizeof(_type); \
865 _x = *(_type __aligned(1) *) ctxt->fetch.ptr; \
866 ctxt->fetch.ptr += sizeof(_type); \
867 _x; \
868 })
869
870 #define insn_fetch_arr(_arr, _size, _ctxt) \
871 ({ \
872 rc = do_insn_fetch_bytes(_ctxt, _size); \
873 if (rc != X86EMUL_CONTINUE) \
874 goto done; \
875 ctxt->_eip += (_size); \
876 memcpy(_arr, ctxt->fetch.ptr, _size); \
877 ctxt->fetch.ptr += (_size); \
878 })
879
880 /*
881 * Given the 'reg' portion of a ModRM byte, and a register block, return a
882 * pointer into the block that addresses the relevant register.
883 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
884 */
885 static void *decode_register(struct x86_emulate_ctxt *ctxt, u8 modrm_reg,
886 int byteop)
887 {
888 void *p;
889 int highbyte_regs = (ctxt->rex_prefix == 0) && byteop;
890
891 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
892 p = (unsigned char *)reg_rmw(ctxt, modrm_reg & 3) + 1;
893 else
894 p = reg_rmw(ctxt, modrm_reg);
895 return p;
896 }
897
898 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
899 struct segmented_address addr,
900 u16 *size, unsigned long *address, int op_bytes)
901 {
902 int rc;
903
904 if (op_bytes == 2)
905 op_bytes = 3;
906 *address = 0;
907 rc = segmented_read_std(ctxt, addr, size, 2);
908 if (rc != X86EMUL_CONTINUE)
909 return rc;
910 addr.ea += 2;
911 rc = segmented_read_std(ctxt, addr, address, op_bytes);
912 return rc;
913 }
914
915 FASTOP2(add);
916 FASTOP2(or);
917 FASTOP2(adc);
918 FASTOP2(sbb);
919 FASTOP2(and);
920 FASTOP2(sub);
921 FASTOP2(xor);
922 FASTOP2(cmp);
923 FASTOP2(test);
924
925 FASTOP1SRC2(mul, mul_ex);
926 FASTOP1SRC2(imul, imul_ex);
927 FASTOP1SRC2EX(div, div_ex);
928 FASTOP1SRC2EX(idiv, idiv_ex);
929
930 FASTOP3WCL(shld);
931 FASTOP3WCL(shrd);
932
933 FASTOP2W(imul);
934
935 FASTOP1(not);
936 FASTOP1(neg);
937 FASTOP1(inc);
938 FASTOP1(dec);
939
940 FASTOP2CL(rol);
941 FASTOP2CL(ror);
942 FASTOP2CL(rcl);
943 FASTOP2CL(rcr);
944 FASTOP2CL(shl);
945 FASTOP2CL(shr);
946 FASTOP2CL(sar);
947
948 FASTOP2W(bsf);
949 FASTOP2W(bsr);
950 FASTOP2W(bt);
951 FASTOP2W(bts);
952 FASTOP2W(btr);
953 FASTOP2W(btc);
954
955 FASTOP2(xadd);
956
957 FASTOP2R(cmp, cmp_r);
958
959 static int em_bsf_c(struct x86_emulate_ctxt *ctxt)
960 {
961 /* If src is zero, do not writeback, but update flags */
962 if (ctxt->src.val == 0)
963 ctxt->dst.type = OP_NONE;
964 return fastop(ctxt, em_bsf);
965 }
966
967 static int em_bsr_c(struct x86_emulate_ctxt *ctxt)
968 {
969 /* If src is zero, do not writeback, but update flags */
970 if (ctxt->src.val == 0)
971 ctxt->dst.type = OP_NONE;
972 return fastop(ctxt, em_bsr);
973 }
974
975 static __always_inline u8 test_cc(unsigned int condition, unsigned long flags)
976 {
977 u8 rc;
978 void (*fop)(void) = (void *)em_setcc + 4 * (condition & 0xf);
979
980 flags = (flags & EFLAGS_MASK) | X86_EFLAGS_IF;
981 asm("push %[flags]; popf; call *%[fastop]"
982 : "=a"(rc) : [fastop]"r"(fop), [flags]"r"(flags));
983 return rc;
984 }
985
986 static void fetch_register_operand(struct operand *op)
987 {
988 switch (op->bytes) {
989 case 1:
990 op->val = *(u8 *)op->addr.reg;
991 break;
992 case 2:
993 op->val = *(u16 *)op->addr.reg;
994 break;
995 case 4:
996 op->val = *(u32 *)op->addr.reg;
997 break;
998 case 8:
999 op->val = *(u64 *)op->addr.reg;
1000 break;
1001 }
1002 }
1003
1004 static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
1005 {
1006 ctxt->ops->get_fpu(ctxt);
1007 switch (reg) {
1008 case 0: asm("movdqa %%xmm0, %0" : "=m"(*data)); break;
1009 case 1: asm("movdqa %%xmm1, %0" : "=m"(*data)); break;
1010 case 2: asm("movdqa %%xmm2, %0" : "=m"(*data)); break;
1011 case 3: asm("movdqa %%xmm3, %0" : "=m"(*data)); break;
1012 case 4: asm("movdqa %%xmm4, %0" : "=m"(*data)); break;
1013 case 5: asm("movdqa %%xmm5, %0" : "=m"(*data)); break;
1014 case 6: asm("movdqa %%xmm6, %0" : "=m"(*data)); break;
1015 case 7: asm("movdqa %%xmm7, %0" : "=m"(*data)); break;
1016 #ifdef CONFIG_X86_64
1017 case 8: asm("movdqa %%xmm8, %0" : "=m"(*data)); break;
1018 case 9: asm("movdqa %%xmm9, %0" : "=m"(*data)); break;
1019 case 10: asm("movdqa %%xmm10, %0" : "=m"(*data)); break;
1020 case 11: asm("movdqa %%xmm11, %0" : "=m"(*data)); break;
1021 case 12: asm("movdqa %%xmm12, %0" : "=m"(*data)); break;
1022 case 13: asm("movdqa %%xmm13, %0" : "=m"(*data)); break;
1023 case 14: asm("movdqa %%xmm14, %0" : "=m"(*data)); break;
1024 case 15: asm("movdqa %%xmm15, %0" : "=m"(*data)); break;
1025 #endif
1026 default: BUG();
1027 }
1028 ctxt->ops->put_fpu(ctxt);
1029 }
1030
1031 static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
1032 int reg)
1033 {
1034 ctxt->ops->get_fpu(ctxt);
1035 switch (reg) {
1036 case 0: asm("movdqa %0, %%xmm0" : : "m"(*data)); break;
1037 case 1: asm("movdqa %0, %%xmm1" : : "m"(*data)); break;
1038 case 2: asm("movdqa %0, %%xmm2" : : "m"(*data)); break;
1039 case 3: asm("movdqa %0, %%xmm3" : : "m"(*data)); break;
1040 case 4: asm("movdqa %0, %%xmm4" : : "m"(*data)); break;
1041 case 5: asm("movdqa %0, %%xmm5" : : "m"(*data)); break;
1042 case 6: asm("movdqa %0, %%xmm6" : : "m"(*data)); break;
1043 case 7: asm("movdqa %0, %%xmm7" : : "m"(*data)); break;
1044 #ifdef CONFIG_X86_64
1045 case 8: asm("movdqa %0, %%xmm8" : : "m"(*data)); break;
1046 case 9: asm("movdqa %0, %%xmm9" : : "m"(*data)); break;
1047 case 10: asm("movdqa %0, %%xmm10" : : "m"(*data)); break;
1048 case 11: asm("movdqa %0, %%xmm11" : : "m"(*data)); break;
1049 case 12: asm("movdqa %0, %%xmm12" : : "m"(*data)); break;
1050 case 13: asm("movdqa %0, %%xmm13" : : "m"(*data)); break;
1051 case 14: asm("movdqa %0, %%xmm14" : : "m"(*data)); break;
1052 case 15: asm("movdqa %0, %%xmm15" : : "m"(*data)); break;
1053 #endif
1054 default: BUG();
1055 }
1056 ctxt->ops->put_fpu(ctxt);
1057 }
1058
1059 static void read_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
1060 {
1061 ctxt->ops->get_fpu(ctxt);
1062 switch (reg) {
1063 case 0: asm("movq %%mm0, %0" : "=m"(*data)); break;
1064 case 1: asm("movq %%mm1, %0" : "=m"(*data)); break;
1065 case 2: asm("movq %%mm2, %0" : "=m"(*data)); break;
1066 case 3: asm("movq %%mm3, %0" : "=m"(*data)); break;
1067 case 4: asm("movq %%mm4, %0" : "=m"(*data)); break;
1068 case 5: asm("movq %%mm5, %0" : "=m"(*data)); break;
1069 case 6: asm("movq %%mm6, %0" : "=m"(*data)); break;
1070 case 7: asm("movq %%mm7, %0" : "=m"(*data)); break;
1071 default: BUG();
1072 }
1073 ctxt->ops->put_fpu(ctxt);
1074 }
1075
1076 static void write_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
1077 {
1078 ctxt->ops->get_fpu(ctxt);
1079 switch (reg) {
1080 case 0: asm("movq %0, %%mm0" : : "m"(*data)); break;
1081 case 1: asm("movq %0, %%mm1" : : "m"(*data)); break;
1082 case 2: asm("movq %0, %%mm2" : : "m"(*data)); break;
1083 case 3: asm("movq %0, %%mm3" : : "m"(*data)); break;
1084 case 4: asm("movq %0, %%mm4" : : "m"(*data)); break;
1085 case 5: asm("movq %0, %%mm5" : : "m"(*data)); break;
1086 case 6: asm("movq %0, %%mm6" : : "m"(*data)); break;
1087 case 7: asm("movq %0, %%mm7" : : "m"(*data)); break;
1088 default: BUG();
1089 }
1090 ctxt->ops->put_fpu(ctxt);
1091 }
1092
1093 static int em_fninit(struct x86_emulate_ctxt *ctxt)
1094 {
1095 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1096 return emulate_nm(ctxt);
1097
1098 ctxt->ops->get_fpu(ctxt);
1099 asm volatile("fninit");
1100 ctxt->ops->put_fpu(ctxt);
1101 return X86EMUL_CONTINUE;
1102 }
1103
1104 static int em_fnstcw(struct x86_emulate_ctxt *ctxt)
1105 {
1106 u16 fcw;
1107
1108 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1109 return emulate_nm(ctxt);
1110
1111 ctxt->ops->get_fpu(ctxt);
1112 asm volatile("fnstcw %0": "+m"(fcw));
1113 ctxt->ops->put_fpu(ctxt);
1114
1115 ctxt->dst.val = fcw;
1116
1117 return X86EMUL_CONTINUE;
1118 }
1119
1120 static int em_fnstsw(struct x86_emulate_ctxt *ctxt)
1121 {
1122 u16 fsw;
1123
1124 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1125 return emulate_nm(ctxt);
1126
1127 ctxt->ops->get_fpu(ctxt);
1128 asm volatile("fnstsw %0": "+m"(fsw));
1129 ctxt->ops->put_fpu(ctxt);
1130
1131 ctxt->dst.val = fsw;
1132
1133 return X86EMUL_CONTINUE;
1134 }
1135
1136 static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
1137 struct operand *op)
1138 {
1139 unsigned reg = ctxt->modrm_reg;
1140
1141 if (!(ctxt->d & ModRM))
1142 reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3);
1143
1144 if (ctxt->d & Sse) {
1145 op->type = OP_XMM;
1146 op->bytes = 16;
1147 op->addr.xmm = reg;
1148 read_sse_reg(ctxt, &op->vec_val, reg);
1149 return;
1150 }
1151 if (ctxt->d & Mmx) {
1152 reg &= 7;
1153 op->type = OP_MM;
1154 op->bytes = 8;
1155 op->addr.mm = reg;
1156 return;
1157 }
1158
1159 op->type = OP_REG;
1160 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1161 op->addr.reg = decode_register(ctxt, reg, ctxt->d & ByteOp);
1162
1163 fetch_register_operand(op);
1164 op->orig_val = op->val;
1165 }
1166
1167 static void adjust_modrm_seg(struct x86_emulate_ctxt *ctxt, int base_reg)
1168 {
1169 if (base_reg == VCPU_REGS_RSP || base_reg == VCPU_REGS_RBP)
1170 ctxt->modrm_seg = VCPU_SREG_SS;
1171 }
1172
1173 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
1174 struct operand *op)
1175 {
1176 u8 sib;
1177 int index_reg, base_reg, scale;
1178 int rc = X86EMUL_CONTINUE;
1179 ulong modrm_ea = 0;
1180
1181 ctxt->modrm_reg = ((ctxt->rex_prefix << 1) & 8); /* REX.R */
1182 index_reg = (ctxt->rex_prefix << 2) & 8; /* REX.X */
1183 base_reg = (ctxt->rex_prefix << 3) & 8; /* REX.B */
1184
1185 ctxt->modrm_mod = (ctxt->modrm & 0xc0) >> 6;
1186 ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
1187 ctxt->modrm_rm = base_reg | (ctxt->modrm & 0x07);
1188 ctxt->modrm_seg = VCPU_SREG_DS;
1189
1190 if (ctxt->modrm_mod == 3 || (ctxt->d & NoMod)) {
1191 op->type = OP_REG;
1192 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1193 op->addr.reg = decode_register(ctxt, ctxt->modrm_rm,
1194 ctxt->d & ByteOp);
1195 if (ctxt->d & Sse) {
1196 op->type = OP_XMM;
1197 op->bytes = 16;
1198 op->addr.xmm = ctxt->modrm_rm;
1199 read_sse_reg(ctxt, &op->vec_val, ctxt->modrm_rm);
1200 return rc;
1201 }
1202 if (ctxt->d & Mmx) {
1203 op->type = OP_MM;
1204 op->bytes = 8;
1205 op->addr.mm = ctxt->modrm_rm & 7;
1206 return rc;
1207 }
1208 fetch_register_operand(op);
1209 return rc;
1210 }
1211
1212 op->type = OP_MEM;
1213
1214 if (ctxt->ad_bytes == 2) {
1215 unsigned bx = reg_read(ctxt, VCPU_REGS_RBX);
1216 unsigned bp = reg_read(ctxt, VCPU_REGS_RBP);
1217 unsigned si = reg_read(ctxt, VCPU_REGS_RSI);
1218 unsigned di = reg_read(ctxt, VCPU_REGS_RDI);
1219
1220 /* 16-bit ModR/M decode. */
1221 switch (ctxt->modrm_mod) {
1222 case 0:
1223 if (ctxt->modrm_rm == 6)
1224 modrm_ea += insn_fetch(u16, ctxt);
1225 break;
1226 case 1:
1227 modrm_ea += insn_fetch(s8, ctxt);
1228 break;
1229 case 2:
1230 modrm_ea += insn_fetch(u16, ctxt);
1231 break;
1232 }
1233 switch (ctxt->modrm_rm) {
1234 case 0:
1235 modrm_ea += bx + si;
1236 break;
1237 case 1:
1238 modrm_ea += bx + di;
1239 break;
1240 case 2:
1241 modrm_ea += bp + si;
1242 break;
1243 case 3:
1244 modrm_ea += bp + di;
1245 break;
1246 case 4:
1247 modrm_ea += si;
1248 break;
1249 case 5:
1250 modrm_ea += di;
1251 break;
1252 case 6:
1253 if (ctxt->modrm_mod != 0)
1254 modrm_ea += bp;
1255 break;
1256 case 7:
1257 modrm_ea += bx;
1258 break;
1259 }
1260 if (ctxt->modrm_rm == 2 || ctxt->modrm_rm == 3 ||
1261 (ctxt->modrm_rm == 6 && ctxt->modrm_mod != 0))
1262 ctxt->modrm_seg = VCPU_SREG_SS;
1263 modrm_ea = (u16)modrm_ea;
1264 } else {
1265 /* 32/64-bit ModR/M decode. */
1266 if ((ctxt->modrm_rm & 7) == 4) {
1267 sib = insn_fetch(u8, ctxt);
1268 index_reg |= (sib >> 3) & 7;
1269 base_reg |= sib & 7;
1270 scale = sib >> 6;
1271
1272 if ((base_reg & 7) == 5 && ctxt->modrm_mod == 0)
1273 modrm_ea += insn_fetch(s32, ctxt);
1274 else {
1275 modrm_ea += reg_read(ctxt, base_reg);
1276 adjust_modrm_seg(ctxt, base_reg);
1277 /* Increment ESP on POP [ESP] */
1278 if ((ctxt->d & IncSP) &&
1279 base_reg == VCPU_REGS_RSP)
1280 modrm_ea += ctxt->op_bytes;
1281 }
1282 if (index_reg != 4)
1283 modrm_ea += reg_read(ctxt, index_reg) << scale;
1284 } else if ((ctxt->modrm_rm & 7) == 5 && ctxt->modrm_mod == 0) {
1285 modrm_ea += insn_fetch(s32, ctxt);
1286 if (ctxt->mode == X86EMUL_MODE_PROT64)
1287 ctxt->rip_relative = 1;
1288 } else {
1289 base_reg = ctxt->modrm_rm;
1290 modrm_ea += reg_read(ctxt, base_reg);
1291 adjust_modrm_seg(ctxt, base_reg);
1292 }
1293 switch (ctxt->modrm_mod) {
1294 case 1:
1295 modrm_ea += insn_fetch(s8, ctxt);
1296 break;
1297 case 2:
1298 modrm_ea += insn_fetch(s32, ctxt);
1299 break;
1300 }
1301 }
1302 op->addr.mem.ea = modrm_ea;
1303 if (ctxt->ad_bytes != 8)
1304 ctxt->memop.addr.mem.ea = (u32)ctxt->memop.addr.mem.ea;
1305
1306 done:
1307 return rc;
1308 }
1309
1310 static int decode_abs(struct x86_emulate_ctxt *ctxt,
1311 struct operand *op)
1312 {
1313 int rc = X86EMUL_CONTINUE;
1314
1315 op->type = OP_MEM;
1316 switch (ctxt->ad_bytes) {
1317 case 2:
1318 op->addr.mem.ea = insn_fetch(u16, ctxt);
1319 break;
1320 case 4:
1321 op->addr.mem.ea = insn_fetch(u32, ctxt);
1322 break;
1323 case 8:
1324 op->addr.mem.ea = insn_fetch(u64, ctxt);
1325 break;
1326 }
1327 done:
1328 return rc;
1329 }
1330
1331 static void fetch_bit_operand(struct x86_emulate_ctxt *ctxt)
1332 {
1333 long sv = 0, mask;
1334
1335 if (ctxt->dst.type == OP_MEM && ctxt->src.type == OP_REG) {
1336 mask = ~((long)ctxt->dst.bytes * 8 - 1);
1337
1338 if (ctxt->src.bytes == 2)
1339 sv = (s16)ctxt->src.val & (s16)mask;
1340 else if (ctxt->src.bytes == 4)
1341 sv = (s32)ctxt->src.val & (s32)mask;
1342 else
1343 sv = (s64)ctxt->src.val & (s64)mask;
1344
1345 ctxt->dst.addr.mem.ea = address_mask(ctxt,
1346 ctxt->dst.addr.mem.ea + (sv >> 3));
1347 }
1348
1349 /* only subword offset */
1350 ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
1351 }
1352
1353 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1354 unsigned long addr, void *dest, unsigned size)
1355 {
1356 int rc;
1357 struct read_cache *mc = &ctxt->mem_read;
1358
1359 if (mc->pos < mc->end)
1360 goto read_cached;
1361
1362 WARN_ON((mc->end + size) >= sizeof(mc->data));
1363
1364 rc = ctxt->ops->read_emulated(ctxt, addr, mc->data + mc->end, size,
1365 &ctxt->exception);
1366 if (rc != X86EMUL_CONTINUE)
1367 return rc;
1368
1369 mc->end += size;
1370
1371 read_cached:
1372 memcpy(dest, mc->data + mc->pos, size);
1373 mc->pos += size;
1374 return X86EMUL_CONTINUE;
1375 }
1376
1377 static int segmented_read(struct x86_emulate_ctxt *ctxt,
1378 struct segmented_address addr,
1379 void *data,
1380 unsigned size)
1381 {
1382 int rc;
1383 ulong linear;
1384
1385 rc = linearize(ctxt, addr, size, false, &linear);
1386 if (rc != X86EMUL_CONTINUE)
1387 return rc;
1388 return read_emulated(ctxt, linear, data, size);
1389 }
1390
1391 static int segmented_write(struct x86_emulate_ctxt *ctxt,
1392 struct segmented_address addr,
1393 const void *data,
1394 unsigned size)
1395 {
1396 int rc;
1397 ulong linear;
1398
1399 rc = linearize(ctxt, addr, size, true, &linear);
1400 if (rc != X86EMUL_CONTINUE)
1401 return rc;
1402 return ctxt->ops->write_emulated(ctxt, linear, data, size,
1403 &ctxt->exception);
1404 }
1405
1406 static int segmented_cmpxchg(struct x86_emulate_ctxt *ctxt,
1407 struct segmented_address addr,
1408 const void *orig_data, const void *data,
1409 unsigned size)
1410 {
1411 int rc;
1412 ulong linear;
1413
1414 rc = linearize(ctxt, addr, size, true, &linear);
1415 if (rc != X86EMUL_CONTINUE)
1416 return rc;
1417 return ctxt->ops->cmpxchg_emulated(ctxt, linear, orig_data, data,
1418 size, &ctxt->exception);
1419 }
1420
1421 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1422 unsigned int size, unsigned short port,
1423 void *dest)
1424 {
1425 struct read_cache *rc = &ctxt->io_read;
1426
1427 if (rc->pos == rc->end) { /* refill pio read ahead */
1428 unsigned int in_page, n;
1429 unsigned int count = ctxt->rep_prefix ?
1430 address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) : 1;
1431 in_page = (ctxt->eflags & X86_EFLAGS_DF) ?
1432 offset_in_page(reg_read(ctxt, VCPU_REGS_RDI)) :
1433 PAGE_SIZE - offset_in_page(reg_read(ctxt, VCPU_REGS_RDI));
1434 n = min3(in_page, (unsigned int)sizeof(rc->data) / size, count);
1435 if (n == 0)
1436 n = 1;
1437 rc->pos = rc->end = 0;
1438 if (!ctxt->ops->pio_in_emulated(ctxt, size, port, rc->data, n))
1439 return 0;
1440 rc->end = n * size;
1441 }
1442
1443 if (ctxt->rep_prefix && (ctxt->d & String) &&
1444 !(ctxt->eflags & X86_EFLAGS_DF)) {
1445 ctxt->dst.data = rc->data + rc->pos;
1446 ctxt->dst.type = OP_MEM_STR;
1447 ctxt->dst.count = (rc->end - rc->pos) / size;
1448 rc->pos = rc->end;
1449 } else {
1450 memcpy(dest, rc->data + rc->pos, size);
1451 rc->pos += size;
1452 }
1453 return 1;
1454 }
1455
1456 static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt,
1457 u16 index, struct desc_struct *desc)
1458 {
1459 struct desc_ptr dt;
1460 ulong addr;
1461
1462 ctxt->ops->get_idt(ctxt, &dt);
1463
1464 if (dt.size < index * 8 + 7)
1465 return emulate_gp(ctxt, index << 3 | 0x2);
1466
1467 addr = dt.address + index * 8;
1468 return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
1469 &ctxt->exception);
1470 }
1471
1472 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1473 u16 selector, struct desc_ptr *dt)
1474 {
1475 const struct x86_emulate_ops *ops = ctxt->ops;
1476 u32 base3 = 0;
1477
1478 if (selector & 1 << 2) {
1479 struct desc_struct desc;
1480 u16 sel;
1481
1482 memset (dt, 0, sizeof *dt);
1483 if (!ops->get_segment(ctxt, &sel, &desc, &base3,
1484 VCPU_SREG_LDTR))
1485 return;
1486
1487 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1488 dt->address = get_desc_base(&desc) | ((u64)base3 << 32);
1489 } else
1490 ops->get_gdt(ctxt, dt);
1491 }
1492
1493 static int get_descriptor_ptr(struct x86_emulate_ctxt *ctxt,
1494 u16 selector, ulong *desc_addr_p)
1495 {
1496 struct desc_ptr dt;
1497 u16 index = selector >> 3;
1498 ulong addr;
1499
1500 get_descriptor_table_ptr(ctxt, selector, &dt);
1501
1502 if (dt.size < index * 8 + 7)
1503 return emulate_gp(ctxt, selector & 0xfffc);
1504
1505 addr = dt.address + index * 8;
1506
1507 #ifdef CONFIG_X86_64
1508 if (addr >> 32 != 0) {
1509 u64 efer = 0;
1510
1511 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1512 if (!(efer & EFER_LMA))
1513 addr &= (u32)-1;
1514 }
1515 #endif
1516
1517 *desc_addr_p = addr;
1518 return X86EMUL_CONTINUE;
1519 }
1520
1521 /* allowed just for 8 bytes segments */
1522 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1523 u16 selector, struct desc_struct *desc,
1524 ulong *desc_addr_p)
1525 {
1526 int rc;
1527
1528 rc = get_descriptor_ptr(ctxt, selector, desc_addr_p);
1529 if (rc != X86EMUL_CONTINUE)
1530 return rc;
1531
1532 return ctxt->ops->read_std(ctxt, *desc_addr_p, desc, sizeof(*desc),
1533 &ctxt->exception);
1534 }
1535
1536 /* allowed just for 8 bytes segments */
1537 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1538 u16 selector, struct desc_struct *desc)
1539 {
1540 int rc;
1541 ulong addr;
1542
1543 rc = get_descriptor_ptr(ctxt, selector, &addr);
1544 if (rc != X86EMUL_CONTINUE)
1545 return rc;
1546
1547 return ctxt->ops->write_std(ctxt, addr, desc, sizeof *desc,
1548 &ctxt->exception);
1549 }
1550
1551 /* Does not support long mode */
1552 static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1553 u16 selector, int seg, u8 cpl,
1554 enum x86_transfer_type transfer,
1555 struct desc_struct *desc)
1556 {
1557 struct desc_struct seg_desc, old_desc;
1558 u8 dpl, rpl;
1559 unsigned err_vec = GP_VECTOR;
1560 u32 err_code = 0;
1561 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1562 ulong desc_addr;
1563 int ret;
1564 u16 dummy;
1565 u32 base3 = 0;
1566
1567 memset(&seg_desc, 0, sizeof seg_desc);
1568
1569 if (ctxt->mode == X86EMUL_MODE_REAL) {
1570 /* set real mode segment descriptor (keep limit etc. for
1571 * unreal mode) */
1572 ctxt->ops->get_segment(ctxt, &dummy, &seg_desc, NULL, seg);
1573 set_desc_base(&seg_desc, selector << 4);
1574 goto load;
1575 } else if (seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86) {
1576 /* VM86 needs a clean new segment descriptor */
1577 set_desc_base(&seg_desc, selector << 4);
1578 set_desc_limit(&seg_desc, 0xffff);
1579 seg_desc.type = 3;
1580 seg_desc.p = 1;
1581 seg_desc.s = 1;
1582 seg_desc.dpl = 3;
1583 goto load;
1584 }
1585
1586 rpl = selector & 3;
1587
1588 /* NULL selector is not valid for TR, CS and SS (except for long mode) */
1589 if ((seg == VCPU_SREG_CS
1590 || (seg == VCPU_SREG_SS
1591 && (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl))
1592 || seg == VCPU_SREG_TR)
1593 && null_selector)
1594 goto exception;
1595
1596 /* TR should be in GDT only */
1597 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1598 goto exception;
1599
1600 if (null_selector) /* for NULL selector skip all following checks */
1601 goto load;
1602
1603 ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr);
1604 if (ret != X86EMUL_CONTINUE)
1605 return ret;
1606
1607 err_code = selector & 0xfffc;
1608 err_vec = (transfer == X86_TRANSFER_TASK_SWITCH) ? TS_VECTOR :
1609 GP_VECTOR;
1610
1611 /* can't load system descriptor into segment selector */
1612 if (seg <= VCPU_SREG_GS && !seg_desc.s) {
1613 if (transfer == X86_TRANSFER_CALL_JMP)
1614 return X86EMUL_UNHANDLEABLE;
1615 goto exception;
1616 }
1617
1618 if (!seg_desc.p) {
1619 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1620 goto exception;
1621 }
1622
1623 dpl = seg_desc.dpl;
1624
1625 switch (seg) {
1626 case VCPU_SREG_SS:
1627 /*
1628 * segment is not a writable data segment or segment
1629 * selector's RPL != CPL or segment selector's RPL != CPL
1630 */
1631 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1632 goto exception;
1633 break;
1634 case VCPU_SREG_CS:
1635 if (!(seg_desc.type & 8))
1636 goto exception;
1637
1638 if (seg_desc.type & 4) {
1639 /* conforming */
1640 if (dpl > cpl)
1641 goto exception;
1642 } else {
1643 /* nonconforming */
1644 if (rpl > cpl || dpl != cpl)
1645 goto exception;
1646 }
1647 /* in long-mode d/b must be clear if l is set */
1648 if (seg_desc.d && seg_desc.l) {
1649 u64 efer = 0;
1650
1651 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1652 if (efer & EFER_LMA)
1653 goto exception;
1654 }
1655
1656 /* CS(RPL) <- CPL */
1657 selector = (selector & 0xfffc) | cpl;
1658 break;
1659 case VCPU_SREG_TR:
1660 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1661 goto exception;
1662 old_desc = seg_desc;
1663 seg_desc.type |= 2; /* busy */
1664 ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
1665 sizeof(seg_desc), &ctxt->exception);
1666 if (ret != X86EMUL_CONTINUE)
1667 return ret;
1668 break;
1669 case VCPU_SREG_LDTR:
1670 if (seg_desc.s || seg_desc.type != 2)
1671 goto exception;
1672 break;
1673 default: /* DS, ES, FS, or GS */
1674 /*
1675 * segment is not a data or readable code segment or
1676 * ((segment is a data or nonconforming code segment)
1677 * and (both RPL and CPL > DPL))
1678 */
1679 if ((seg_desc.type & 0xa) == 0x8 ||
1680 (((seg_desc.type & 0xc) != 0xc) &&
1681 (rpl > dpl && cpl > dpl)))
1682 goto exception;
1683 break;
1684 }
1685
1686 if (seg_desc.s) {
1687 /* mark segment as accessed */
1688 if (!(seg_desc.type & 1)) {
1689 seg_desc.type |= 1;
1690 ret = write_segment_descriptor(ctxt, selector,
1691 &seg_desc);
1692 if (ret != X86EMUL_CONTINUE)
1693 return ret;
1694 }
1695 } else if (ctxt->mode == X86EMUL_MODE_PROT64) {
1696 ret = ctxt->ops->read_std(ctxt, desc_addr+8, &base3,
1697 sizeof(base3), &ctxt->exception);
1698 if (ret != X86EMUL_CONTINUE)
1699 return ret;
1700 if (is_noncanonical_address(get_desc_base(&seg_desc) |
1701 ((u64)base3 << 32)))
1702 return emulate_gp(ctxt, 0);
1703 }
1704 load:
1705 ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg);
1706 if (desc)
1707 *desc = seg_desc;
1708 return X86EMUL_CONTINUE;
1709 exception:
1710 return emulate_exception(ctxt, err_vec, err_code, true);
1711 }
1712
1713 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1714 u16 selector, int seg)
1715 {
1716 u8 cpl = ctxt->ops->cpl(ctxt);
1717 return __load_segment_descriptor(ctxt, selector, seg, cpl,
1718 X86_TRANSFER_NONE, NULL);
1719 }
1720
1721 static void write_register_operand(struct operand *op)
1722 {
1723 return assign_register(op->addr.reg, op->val, op->bytes);
1724 }
1725
1726 static int writeback(struct x86_emulate_ctxt *ctxt, struct operand *op)
1727 {
1728 switch (op->type) {
1729 case OP_REG:
1730 write_register_operand(op);
1731 break;
1732 case OP_MEM:
1733 if (ctxt->lock_prefix)
1734 return segmented_cmpxchg(ctxt,
1735 op->addr.mem,
1736 &op->orig_val,
1737 &op->val,
1738 op->bytes);
1739 else
1740 return segmented_write(ctxt,
1741 op->addr.mem,
1742 &op->val,
1743 op->bytes);
1744 break;
1745 case OP_MEM_STR:
1746 return segmented_write(ctxt,
1747 op->addr.mem,
1748 op->data,
1749 op->bytes * op->count);
1750 break;
1751 case OP_XMM:
1752 write_sse_reg(ctxt, &op->vec_val, op->addr.xmm);
1753 break;
1754 case OP_MM:
1755 write_mmx_reg(ctxt, &op->mm_val, op->addr.mm);
1756 break;
1757 case OP_NONE:
1758 /* no writeback */
1759 break;
1760 default:
1761 break;
1762 }
1763 return X86EMUL_CONTINUE;
1764 }
1765
1766 static int push(struct x86_emulate_ctxt *ctxt, void *data, int bytes)
1767 {
1768 struct segmented_address addr;
1769
1770 rsp_increment(ctxt, -bytes);
1771 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1772 addr.seg = VCPU_SREG_SS;
1773
1774 return segmented_write(ctxt, addr, data, bytes);
1775 }
1776
1777 static int em_push(struct x86_emulate_ctxt *ctxt)
1778 {
1779 /* Disable writeback. */
1780 ctxt->dst.type = OP_NONE;
1781 return push(ctxt, &ctxt->src.val, ctxt->op_bytes);
1782 }
1783
1784 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1785 void *dest, int len)
1786 {
1787 int rc;
1788 struct segmented_address addr;
1789
1790 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1791 addr.seg = VCPU_SREG_SS;
1792 rc = segmented_read(ctxt, addr, dest, len);
1793 if (rc != X86EMUL_CONTINUE)
1794 return rc;
1795
1796 rsp_increment(ctxt, len);
1797 return rc;
1798 }
1799
1800 static int em_pop(struct x86_emulate_ctxt *ctxt)
1801 {
1802 return emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1803 }
1804
1805 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1806 void *dest, int len)
1807 {
1808 int rc;
1809 unsigned long val, change_mask;
1810 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> X86_EFLAGS_IOPL_BIT;
1811 int cpl = ctxt->ops->cpl(ctxt);
1812
1813 rc = emulate_pop(ctxt, &val, len);
1814 if (rc != X86EMUL_CONTINUE)
1815 return rc;
1816
1817 change_mask = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
1818 X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_OF |
1819 X86_EFLAGS_TF | X86_EFLAGS_DF | X86_EFLAGS_NT |
1820 X86_EFLAGS_AC | X86_EFLAGS_ID;
1821
1822 switch(ctxt->mode) {
1823 case X86EMUL_MODE_PROT64:
1824 case X86EMUL_MODE_PROT32:
1825 case X86EMUL_MODE_PROT16:
1826 if (cpl == 0)
1827 change_mask |= X86_EFLAGS_IOPL;
1828 if (cpl <= iopl)
1829 change_mask |= X86_EFLAGS_IF;
1830 break;
1831 case X86EMUL_MODE_VM86:
1832 if (iopl < 3)
1833 return emulate_gp(ctxt, 0);
1834 change_mask |= X86_EFLAGS_IF;
1835 break;
1836 default: /* real mode */
1837 change_mask |= (X86_EFLAGS_IOPL | X86_EFLAGS_IF);
1838 break;
1839 }
1840
1841 *(unsigned long *)dest =
1842 (ctxt->eflags & ~change_mask) | (val & change_mask);
1843
1844 return rc;
1845 }
1846
1847 static int em_popf(struct x86_emulate_ctxt *ctxt)
1848 {
1849 ctxt->dst.type = OP_REG;
1850 ctxt->dst.addr.reg = &ctxt->eflags;
1851 ctxt->dst.bytes = ctxt->op_bytes;
1852 return emulate_popf(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1853 }
1854
1855 static int em_enter(struct x86_emulate_ctxt *ctxt)
1856 {
1857 int rc;
1858 unsigned frame_size = ctxt->src.val;
1859 unsigned nesting_level = ctxt->src2.val & 31;
1860 ulong rbp;
1861
1862 if (nesting_level)
1863 return X86EMUL_UNHANDLEABLE;
1864
1865 rbp = reg_read(ctxt, VCPU_REGS_RBP);
1866 rc = push(ctxt, &rbp, stack_size(ctxt));
1867 if (rc != X86EMUL_CONTINUE)
1868 return rc;
1869 assign_masked(reg_rmw(ctxt, VCPU_REGS_RBP), reg_read(ctxt, VCPU_REGS_RSP),
1870 stack_mask(ctxt));
1871 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP),
1872 reg_read(ctxt, VCPU_REGS_RSP) - frame_size,
1873 stack_mask(ctxt));
1874 return X86EMUL_CONTINUE;
1875 }
1876
1877 static int em_leave(struct x86_emulate_ctxt *ctxt)
1878 {
1879 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP), reg_read(ctxt, VCPU_REGS_RBP),
1880 stack_mask(ctxt));
1881 return emulate_pop(ctxt, reg_rmw(ctxt, VCPU_REGS_RBP), ctxt->op_bytes);
1882 }
1883
1884 static int em_push_sreg(struct x86_emulate_ctxt *ctxt)
1885 {
1886 int seg = ctxt->src2.val;
1887
1888 ctxt->src.val = get_segment_selector(ctxt, seg);
1889 if (ctxt->op_bytes == 4) {
1890 rsp_increment(ctxt, -2);
1891 ctxt->op_bytes = 2;
1892 }
1893
1894 return em_push(ctxt);
1895 }
1896
1897 static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
1898 {
1899 int seg = ctxt->src2.val;
1900 unsigned long selector;
1901 int rc;
1902
1903 rc = emulate_pop(ctxt, &selector, 2);
1904 if (rc != X86EMUL_CONTINUE)
1905 return rc;
1906
1907 if (ctxt->modrm_reg == VCPU_SREG_SS)
1908 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
1909 if (ctxt->op_bytes > 2)
1910 rsp_increment(ctxt, ctxt->op_bytes - 2);
1911
1912 rc = load_segment_descriptor(ctxt, (u16)selector, seg);
1913 return rc;
1914 }
1915
1916 static int em_pusha(struct x86_emulate_ctxt *ctxt)
1917 {
1918 unsigned long old_esp = reg_read(ctxt, VCPU_REGS_RSP);
1919 int rc = X86EMUL_CONTINUE;
1920 int reg = VCPU_REGS_RAX;
1921
1922 while (reg <= VCPU_REGS_RDI) {
1923 (reg == VCPU_REGS_RSP) ?
1924 (ctxt->src.val = old_esp) : (ctxt->src.val = reg_read(ctxt, reg));
1925
1926 rc = em_push(ctxt);
1927 if (rc != X86EMUL_CONTINUE)
1928 return rc;
1929
1930 ++reg;
1931 }
1932
1933 return rc;
1934 }
1935
1936 static int em_pushf(struct x86_emulate_ctxt *ctxt)
1937 {
1938 ctxt->src.val = (unsigned long)ctxt->eflags & ~X86_EFLAGS_VM;
1939 return em_push(ctxt);
1940 }
1941
1942 static int em_popa(struct x86_emulate_ctxt *ctxt)
1943 {
1944 int rc = X86EMUL_CONTINUE;
1945 int reg = VCPU_REGS_RDI;
1946 u32 val;
1947
1948 while (reg >= VCPU_REGS_RAX) {
1949 if (reg == VCPU_REGS_RSP) {
1950 rsp_increment(ctxt, ctxt->op_bytes);
1951 --reg;
1952 }
1953
1954 rc = emulate_pop(ctxt, &val, ctxt->op_bytes);
1955 if (rc != X86EMUL_CONTINUE)
1956 break;
1957 assign_register(reg_rmw(ctxt, reg), val, ctxt->op_bytes);
1958 --reg;
1959 }
1960 return rc;
1961 }
1962
1963 static int __emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
1964 {
1965 const struct x86_emulate_ops *ops = ctxt->ops;
1966 int rc;
1967 struct desc_ptr dt;
1968 gva_t cs_addr;
1969 gva_t eip_addr;
1970 u16 cs, eip;
1971
1972 /* TODO: Add limit checks */
1973 ctxt->src.val = ctxt->eflags;
1974 rc = em_push(ctxt);
1975 if (rc != X86EMUL_CONTINUE)
1976 return rc;
1977
1978 ctxt->eflags &= ~(X86_EFLAGS_IF | X86_EFLAGS_TF | X86_EFLAGS_AC);
1979
1980 ctxt->src.val = get_segment_selector(ctxt, VCPU_SREG_CS);
1981 rc = em_push(ctxt);
1982 if (rc != X86EMUL_CONTINUE)
1983 return rc;
1984
1985 ctxt->src.val = ctxt->_eip;
1986 rc = em_push(ctxt);
1987 if (rc != X86EMUL_CONTINUE)
1988 return rc;
1989
1990 ops->get_idt(ctxt, &dt);
1991
1992 eip_addr = dt.address + (irq << 2);
1993 cs_addr = dt.address + (irq << 2) + 2;
1994
1995 rc = ops->read_std(ctxt, cs_addr, &cs, 2, &ctxt->exception);
1996 if (rc != X86EMUL_CONTINUE)
1997 return rc;
1998
1999 rc = ops->read_std(ctxt, eip_addr, &eip, 2, &ctxt->exception);
2000 if (rc != X86EMUL_CONTINUE)
2001 return rc;
2002
2003 rc = load_segment_descriptor(ctxt, cs, VCPU_SREG_CS);
2004 if (rc != X86EMUL_CONTINUE)
2005 return rc;
2006
2007 ctxt->_eip = eip;
2008
2009 return rc;
2010 }
2011
2012 int emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
2013 {
2014 int rc;
2015
2016 invalidate_registers(ctxt);
2017 rc = __emulate_int_real(ctxt, irq);
2018 if (rc == X86EMUL_CONTINUE)
2019 writeback_registers(ctxt);
2020 return rc;
2021 }
2022
2023 static int emulate_int(struct x86_emulate_ctxt *ctxt, int irq)
2024 {
2025 switch(ctxt->mode) {
2026 case X86EMUL_MODE_REAL:
2027 return __emulate_int_real(ctxt, irq);
2028 case X86EMUL_MODE_VM86:
2029 case X86EMUL_MODE_PROT16:
2030 case X86EMUL_MODE_PROT32:
2031 case X86EMUL_MODE_PROT64:
2032 default:
2033 /* Protected mode interrupts unimplemented yet */
2034 return X86EMUL_UNHANDLEABLE;
2035 }
2036 }
2037
2038 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
2039 {
2040 int rc = X86EMUL_CONTINUE;
2041 unsigned long temp_eip = 0;
2042 unsigned long temp_eflags = 0;
2043 unsigned long cs = 0;
2044 unsigned long mask = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
2045 X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_TF |
2046 X86_EFLAGS_IF | X86_EFLAGS_DF | X86_EFLAGS_OF |
2047 X86_EFLAGS_IOPL | X86_EFLAGS_NT | X86_EFLAGS_RF |
2048 X86_EFLAGS_AC | X86_EFLAGS_ID |
2049 X86_EFLAGS_FIXED;
2050 unsigned long vm86_mask = X86_EFLAGS_VM | X86_EFLAGS_VIF |
2051 X86_EFLAGS_VIP;
2052
2053 /* TODO: Add stack limit check */
2054
2055 rc = emulate_pop(ctxt, &temp_eip, ctxt->op_bytes);
2056
2057 if (rc != X86EMUL_CONTINUE)
2058 return rc;
2059
2060 if (temp_eip & ~0xffff)
2061 return emulate_gp(ctxt, 0);
2062
2063 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2064
2065 if (rc != X86EMUL_CONTINUE)
2066 return rc;
2067
2068 rc = emulate_pop(ctxt, &temp_eflags, ctxt->op_bytes);
2069
2070 if (rc != X86EMUL_CONTINUE)
2071 return rc;
2072
2073 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
2074
2075 if (rc != X86EMUL_CONTINUE)
2076 return rc;
2077
2078 ctxt->_eip = temp_eip;
2079
2080 if (ctxt->op_bytes == 4)
2081 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
2082 else if (ctxt->op_bytes == 2) {
2083 ctxt->eflags &= ~0xffff;
2084 ctxt->eflags |= temp_eflags;
2085 }
2086
2087 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
2088 ctxt->eflags |= X86_EFLAGS_FIXED;
2089 ctxt->ops->set_nmi_mask(ctxt, false);
2090
2091 return rc;
2092 }
2093
2094 static int em_iret(struct x86_emulate_ctxt *ctxt)
2095 {
2096 switch(ctxt->mode) {
2097 case X86EMUL_MODE_REAL:
2098 return emulate_iret_real(ctxt);
2099 case X86EMUL_MODE_VM86:
2100 case X86EMUL_MODE_PROT16:
2101 case X86EMUL_MODE_PROT32:
2102 case X86EMUL_MODE_PROT64:
2103 default:
2104 /* iret from protected mode unimplemented yet */
2105 return X86EMUL_UNHANDLEABLE;
2106 }
2107 }
2108
2109 static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
2110 {
2111 int rc;
2112 unsigned short sel, old_sel;
2113 struct desc_struct old_desc, new_desc;
2114 const struct x86_emulate_ops *ops = ctxt->ops;
2115 u8 cpl = ctxt->ops->cpl(ctxt);
2116
2117 /* Assignment of RIP may only fail in 64-bit mode */
2118 if (ctxt->mode == X86EMUL_MODE_PROT64)
2119 ops->get_segment(ctxt, &old_sel, &old_desc, NULL,
2120 VCPU_SREG_CS);
2121
2122 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2123
2124 rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
2125 X86_TRANSFER_CALL_JMP,
2126 &new_desc);
2127 if (rc != X86EMUL_CONTINUE)
2128 return rc;
2129
2130 rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
2131 if (rc != X86EMUL_CONTINUE) {
2132 WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
2133 /* assigning eip failed; restore the old cs */
2134 ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS);
2135 return rc;
2136 }
2137 return rc;
2138 }
2139
2140 static int em_jmp_abs(struct x86_emulate_ctxt *ctxt)
2141 {
2142 return assign_eip_near(ctxt, ctxt->src.val);
2143 }
2144
2145 static int em_call_near_abs(struct x86_emulate_ctxt *ctxt)
2146 {
2147 int rc;
2148 long int old_eip;
2149
2150 old_eip = ctxt->_eip;
2151 rc = assign_eip_near(ctxt, ctxt->src.val);
2152 if (rc != X86EMUL_CONTINUE)
2153 return rc;
2154 ctxt->src.val = old_eip;
2155 rc = em_push(ctxt);
2156 return rc;
2157 }
2158
2159 static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
2160 {
2161 u64 old = ctxt->dst.orig_val64;
2162
2163 if (ctxt->dst.bytes == 16)
2164 return X86EMUL_UNHANDLEABLE;
2165
2166 if (((u32) (old >> 0) != (u32) reg_read(ctxt, VCPU_REGS_RAX)) ||
2167 ((u32) (old >> 32) != (u32) reg_read(ctxt, VCPU_REGS_RDX))) {
2168 *reg_write(ctxt, VCPU_REGS_RAX) = (u32) (old >> 0);
2169 *reg_write(ctxt, VCPU_REGS_RDX) = (u32) (old >> 32);
2170 ctxt->eflags &= ~X86_EFLAGS_ZF;
2171 } else {
2172 ctxt->dst.val64 = ((u64)reg_read(ctxt, VCPU_REGS_RCX) << 32) |
2173 (u32) reg_read(ctxt, VCPU_REGS_RBX);
2174
2175 ctxt->eflags |= X86_EFLAGS_ZF;
2176 }
2177 return X86EMUL_CONTINUE;
2178 }
2179
2180 static int em_ret(struct x86_emulate_ctxt *ctxt)
2181 {
2182 int rc;
2183 unsigned long eip;
2184
2185 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
2186 if (rc != X86EMUL_CONTINUE)
2187 return rc;
2188
2189 return assign_eip_near(ctxt, eip);
2190 }
2191
2192 static int em_ret_far(struct x86_emulate_ctxt *ctxt)
2193 {
2194 int rc;
2195 unsigned long eip, cs;
2196 u16 old_cs;
2197 int cpl = ctxt->ops->cpl(ctxt);
2198 struct desc_struct old_desc, new_desc;
2199 const struct x86_emulate_ops *ops = ctxt->ops;
2200
2201 if (ctxt->mode == X86EMUL_MODE_PROT64)
2202 ops->get_segment(ctxt, &old_cs, &old_desc, NULL,
2203 VCPU_SREG_CS);
2204
2205 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
2206 if (rc != X86EMUL_CONTINUE)
2207 return rc;
2208 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2209 if (rc != X86EMUL_CONTINUE)
2210 return rc;
2211 /* Outer-privilege level return is not implemented */
2212 if (ctxt->mode >= X86EMUL_MODE_PROT16 && (cs & 3) > cpl)
2213 return X86EMUL_UNHANDLEABLE;
2214 rc = __load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, cpl,
2215 X86_TRANSFER_RET,
2216 &new_desc);
2217 if (rc != X86EMUL_CONTINUE)
2218 return rc;
2219 rc = assign_eip_far(ctxt, eip, &new_desc);
2220 if (rc != X86EMUL_CONTINUE) {
2221 WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
2222 ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
2223 }
2224 return rc;
2225 }
2226
2227 static int em_ret_far_imm(struct x86_emulate_ctxt *ctxt)
2228 {
2229 int rc;
2230
2231 rc = em_ret_far(ctxt);
2232 if (rc != X86EMUL_CONTINUE)
2233 return rc;
2234 rsp_increment(ctxt, ctxt->src.val);
2235 return X86EMUL_CONTINUE;
2236 }
2237
2238 static int em_cmpxchg(struct x86_emulate_ctxt *ctxt)
2239 {
2240 /* Save real source value, then compare EAX against destination. */
2241 ctxt->dst.orig_val = ctxt->dst.val;
2242 ctxt->dst.val = reg_read(ctxt, VCPU_REGS_RAX);
2243 ctxt->src.orig_val = ctxt->src.val;
2244 ctxt->src.val = ctxt->dst.orig_val;
2245 fastop(ctxt, em_cmp);
2246
2247 if (ctxt->eflags & X86_EFLAGS_ZF) {
2248 /* Success: write back to memory; no update of EAX */
2249 ctxt->src.type = OP_NONE;
2250 ctxt->dst.val = ctxt->src.orig_val;
2251 } else {
2252 /* Failure: write the value we saw to EAX. */
2253 ctxt->src.type = OP_REG;
2254 ctxt->src.addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
2255 ctxt->src.val = ctxt->dst.orig_val;
2256 /* Create write-cycle to dest by writing the same value */
2257 ctxt->dst.val = ctxt->dst.orig_val;
2258 }
2259 return X86EMUL_CONTINUE;
2260 }
2261
2262 static int em_lseg(struct x86_emulate_ctxt *ctxt)
2263 {
2264 int seg = ctxt->src2.val;
2265 unsigned short sel;
2266 int rc;
2267
2268 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2269
2270 rc = load_segment_descriptor(ctxt, sel, seg);
2271 if (rc != X86EMUL_CONTINUE)
2272 return rc;
2273
2274 ctxt->dst.val = ctxt->src.val;
2275 return rc;
2276 }
2277
2278 static int emulator_has_longmode(struct x86_emulate_ctxt *ctxt)
2279 {
2280 u32 eax, ebx, ecx, edx;
2281
2282 eax = 0x80000001;
2283 ecx = 0;
2284 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
2285 return edx & bit(X86_FEATURE_LM);
2286 }
2287
2288 #define GET_SMSTATE(type, smbase, offset) \
2289 ({ \
2290 type __val; \
2291 int r = ctxt->ops->read_phys(ctxt, smbase + offset, &__val, \
2292 sizeof(__val)); \
2293 if (r != X86EMUL_CONTINUE) \
2294 return X86EMUL_UNHANDLEABLE; \
2295 __val; \
2296 })
2297
2298 static void rsm_set_desc_flags(struct desc_struct *desc, u32 flags)
2299 {
2300 desc->g = (flags >> 23) & 1;
2301 desc->d = (flags >> 22) & 1;
2302 desc->l = (flags >> 21) & 1;
2303 desc->avl = (flags >> 20) & 1;
2304 desc->p = (flags >> 15) & 1;
2305 desc->dpl = (flags >> 13) & 3;
2306 desc->s = (flags >> 12) & 1;
2307 desc->type = (flags >> 8) & 15;
2308 }
2309
2310 static int rsm_load_seg_32(struct x86_emulate_ctxt *ctxt, u64 smbase, int n)
2311 {
2312 struct desc_struct desc;
2313 int offset;
2314 u16 selector;
2315
2316 selector = GET_SMSTATE(u32, smbase, 0x7fa8 + n * 4);
2317
2318 if (n < 3)
2319 offset = 0x7f84 + n * 12;
2320 else
2321 offset = 0x7f2c + (n - 3) * 12;
2322
2323 set_desc_base(&desc, GET_SMSTATE(u32, smbase, offset + 8));
2324 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, offset + 4));
2325 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, offset));
2326 ctxt->ops->set_segment(ctxt, selector, &desc, 0, n);
2327 return X86EMUL_CONTINUE;
2328 }
2329
2330 static int rsm_load_seg_64(struct x86_emulate_ctxt *ctxt, u64 smbase, int n)
2331 {
2332 struct desc_struct desc;
2333 int offset;
2334 u16 selector;
2335 u32 base3;
2336
2337 offset = 0x7e00 + n * 16;
2338
2339 selector = GET_SMSTATE(u16, smbase, offset);
2340 rsm_set_desc_flags(&desc, GET_SMSTATE(u16, smbase, offset + 2) << 8);
2341 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, offset + 4));
2342 set_desc_base(&desc, GET_SMSTATE(u32, smbase, offset + 8));
2343 base3 = GET_SMSTATE(u32, smbase, offset + 12);
2344
2345 ctxt->ops->set_segment(ctxt, selector, &desc, base3, n);
2346 return X86EMUL_CONTINUE;
2347 }
2348
2349 static int rsm_enter_protected_mode(struct x86_emulate_ctxt *ctxt,
2350 u64 cr0, u64 cr4)
2351 {
2352 int bad;
2353
2354 /*
2355 * First enable PAE, long mode needs it before CR0.PG = 1 is set.
2356 * Then enable protected mode. However, PCID cannot be enabled
2357 * if EFER.LMA=0, so set it separately.
2358 */
2359 bad = ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE);
2360 if (bad)
2361 return X86EMUL_UNHANDLEABLE;
2362
2363 bad = ctxt->ops->set_cr(ctxt, 0, cr0);
2364 if (bad)
2365 return X86EMUL_UNHANDLEABLE;
2366
2367 if (cr4 & X86_CR4_PCIDE) {
2368 bad = ctxt->ops->set_cr(ctxt, 4, cr4);
2369 if (bad)
2370 return X86EMUL_UNHANDLEABLE;
2371 }
2372
2373 return X86EMUL_CONTINUE;
2374 }
2375
2376 static int rsm_load_state_32(struct x86_emulate_ctxt *ctxt, u64 smbase)
2377 {
2378 struct desc_struct desc;
2379 struct desc_ptr dt;
2380 u16 selector;
2381 u32 val, cr0, cr4;
2382 int i;
2383
2384 cr0 = GET_SMSTATE(u32, smbase, 0x7ffc);
2385 ctxt->ops->set_cr(ctxt, 3, GET_SMSTATE(u32, smbase, 0x7ff8));
2386 ctxt->eflags = GET_SMSTATE(u32, smbase, 0x7ff4) | X86_EFLAGS_FIXED;
2387 ctxt->_eip = GET_SMSTATE(u32, smbase, 0x7ff0);
2388
2389 for (i = 0; i < 8; i++)
2390 *reg_write(ctxt, i) = GET_SMSTATE(u32, smbase, 0x7fd0 + i * 4);
2391
2392 val = GET_SMSTATE(u32, smbase, 0x7fcc);
2393 ctxt->ops->set_dr(ctxt, 6, (val & DR6_VOLATILE) | DR6_FIXED_1);
2394 val = GET_SMSTATE(u32, smbase, 0x7fc8);
2395 ctxt->ops->set_dr(ctxt, 7, (val & DR7_VOLATILE) | DR7_FIXED_1);
2396
2397 selector = GET_SMSTATE(u32, smbase, 0x7fc4);
2398 set_desc_base(&desc, GET_SMSTATE(u32, smbase, 0x7f64));
2399 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, 0x7f60));
2400 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, 0x7f5c));
2401 ctxt->ops->set_segment(ctxt, selector, &desc, 0, VCPU_SREG_TR);
2402
2403 selector = GET_SMSTATE(u32, smbase, 0x7fc0);
2404 set_desc_base(&desc, GET_SMSTATE(u32, smbase, 0x7f80));
2405 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, 0x7f7c));
2406 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, 0x7f78));
2407 ctxt->ops->set_segment(ctxt, selector, &desc, 0, VCPU_SREG_LDTR);
2408
2409 dt.address = GET_SMSTATE(u32, smbase, 0x7f74);
2410 dt.size = GET_SMSTATE(u32, smbase, 0x7f70);
2411 ctxt->ops->set_gdt(ctxt, &dt);
2412
2413 dt.address = GET_SMSTATE(u32, smbase, 0x7f58);
2414 dt.size = GET_SMSTATE(u32, smbase, 0x7f54);
2415 ctxt->ops->set_idt(ctxt, &dt);
2416
2417 for (i = 0; i < 6; i++) {
2418 int r = rsm_load_seg_32(ctxt, smbase, i);
2419 if (r != X86EMUL_CONTINUE)
2420 return r;
2421 }
2422
2423 cr4 = GET_SMSTATE(u32, smbase, 0x7f14);
2424
2425 ctxt->ops->set_smbase(ctxt, GET_SMSTATE(u32, smbase, 0x7ef8));
2426
2427 return rsm_enter_protected_mode(ctxt, cr0, cr4);
2428 }
2429
2430 static int rsm_load_state_64(struct x86_emulate_ctxt *ctxt, u64 smbase)
2431 {
2432 struct desc_struct desc;
2433 struct desc_ptr dt;
2434 u64 val, cr0, cr4;
2435 u32 base3;
2436 u16 selector;
2437 int i, r;
2438
2439 for (i = 0; i < 16; i++)
2440 *reg_write(ctxt, i) = GET_SMSTATE(u64, smbase, 0x7ff8 - i * 8);
2441
2442 ctxt->_eip = GET_SMSTATE(u64, smbase, 0x7f78);
2443 ctxt->eflags = GET_SMSTATE(u32, smbase, 0x7f70) | X86_EFLAGS_FIXED;
2444
2445 val = GET_SMSTATE(u32, smbase, 0x7f68);
2446 ctxt->ops->set_dr(ctxt, 6, (val & DR6_VOLATILE) | DR6_FIXED_1);
2447 val = GET_SMSTATE(u32, smbase, 0x7f60);
2448 ctxt->ops->set_dr(ctxt, 7, (val & DR7_VOLATILE) | DR7_FIXED_1);
2449
2450 cr0 = GET_SMSTATE(u64, smbase, 0x7f58);
2451 ctxt->ops->set_cr(ctxt, 3, GET_SMSTATE(u64, smbase, 0x7f50));
2452 cr4 = GET_SMSTATE(u64, smbase, 0x7f48);
2453 ctxt->ops->set_smbase(ctxt, GET_SMSTATE(u32, smbase, 0x7f00));
2454 val = GET_SMSTATE(u64, smbase, 0x7ed0);
2455 ctxt->ops->set_msr(ctxt, MSR_EFER, val & ~EFER_LMA);
2456
2457 selector = GET_SMSTATE(u32, smbase, 0x7e90);
2458 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, 0x7e92) << 8);
2459 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, 0x7e94));
2460 set_desc_base(&desc, GET_SMSTATE(u32, smbase, 0x7e98));
2461 base3 = GET_SMSTATE(u32, smbase, 0x7e9c);
2462 ctxt->ops->set_segment(ctxt, selector, &desc, base3, VCPU_SREG_TR);
2463
2464 dt.size = GET_SMSTATE(u32, smbase, 0x7e84);
2465 dt.address = GET_SMSTATE(u64, smbase, 0x7e88);
2466 ctxt->ops->set_idt(ctxt, &dt);
2467
2468 selector = GET_SMSTATE(u32, smbase, 0x7e70);
2469 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, 0x7e72) << 8);
2470 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, 0x7e74));
2471 set_desc_base(&desc, GET_SMSTATE(u32, smbase, 0x7e78));
2472 base3 = GET_SMSTATE(u32, smbase, 0x7e7c);
2473 ctxt->ops->set_segment(ctxt, selector, &desc, base3, VCPU_SREG_LDTR);
2474
2475 dt.size = GET_SMSTATE(u32, smbase, 0x7e64);
2476 dt.address = GET_SMSTATE(u64, smbase, 0x7e68);
2477 ctxt->ops->set_gdt(ctxt, &dt);
2478
2479 r = rsm_enter_protected_mode(ctxt, cr0, cr4);
2480 if (r != X86EMUL_CONTINUE)
2481 return r;
2482
2483 for (i = 0; i < 6; i++) {
2484 r = rsm_load_seg_64(ctxt, smbase, i);
2485 if (r != X86EMUL_CONTINUE)
2486 return r;
2487 }
2488
2489 return X86EMUL_CONTINUE;
2490 }
2491
2492 static int em_rsm(struct x86_emulate_ctxt *ctxt)
2493 {
2494 unsigned long cr0, cr4, efer;
2495 u64 smbase;
2496 int ret;
2497
2498 if ((ctxt->emul_flags & X86EMUL_SMM_MASK) == 0)
2499 return emulate_ud(ctxt);
2500
2501 /*
2502 * Get back to real mode, to prepare a safe state in which to load
2503 * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU
2504 * supports long mode.
2505 */
2506 cr4 = ctxt->ops->get_cr(ctxt, 4);
2507 if (emulator_has_longmode(ctxt)) {
2508 struct desc_struct cs_desc;
2509
2510 /* Zero CR4.PCIDE before CR0.PG. */
2511 if (cr4 & X86_CR4_PCIDE) {
2512 ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE);
2513 cr4 &= ~X86_CR4_PCIDE;
2514 }
2515
2516 /* A 32-bit code segment is required to clear EFER.LMA. */
2517 memset(&cs_desc, 0, sizeof(cs_desc));
2518 cs_desc.type = 0xb;
2519 cs_desc.s = cs_desc.g = cs_desc.p = 1;
2520 ctxt->ops->set_segment(ctxt, 0, &cs_desc, 0, VCPU_SREG_CS);
2521 }
2522
2523 /* For the 64-bit case, this will clear EFER.LMA. */
2524 cr0 = ctxt->ops->get_cr(ctxt, 0);
2525 if (cr0 & X86_CR0_PE)
2526 ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE));
2527
2528 /* Now clear CR4.PAE (which must be done before clearing EFER.LME). */
2529 if (cr4 & X86_CR4_PAE)
2530 ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE);
2531
2532 /* And finally go back to 32-bit mode. */
2533 efer = 0;
2534 ctxt->ops->set_msr(ctxt, MSR_EFER, efer);
2535
2536 smbase = ctxt->ops->get_smbase(ctxt);
2537 if (emulator_has_longmode(ctxt))
2538 ret = rsm_load_state_64(ctxt, smbase + 0x8000);
2539 else
2540 ret = rsm_load_state_32(ctxt, smbase + 0x8000);
2541
2542 if (ret != X86EMUL_CONTINUE) {
2543 /* FIXME: should triple fault */
2544 return X86EMUL_UNHANDLEABLE;
2545 }
2546
2547 if ((ctxt->emul_flags & X86EMUL_SMM_INSIDE_NMI_MASK) == 0)
2548 ctxt->ops->set_nmi_mask(ctxt, false);
2549
2550 ctxt->emul_flags &= ~X86EMUL_SMM_INSIDE_NMI_MASK;
2551 ctxt->emul_flags &= ~X86EMUL_SMM_MASK;
2552 return X86EMUL_CONTINUE;
2553 }
2554
2555 static void
2556 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
2557 struct desc_struct *cs, struct desc_struct *ss)
2558 {
2559 cs->l = 0; /* will be adjusted later */
2560 set_desc_base(cs, 0); /* flat segment */
2561 cs->g = 1; /* 4kb granularity */
2562 set_desc_limit(cs, 0xfffff); /* 4GB limit */
2563 cs->type = 0x0b; /* Read, Execute, Accessed */
2564 cs->s = 1;
2565 cs->dpl = 0; /* will be adjusted later */
2566 cs->p = 1;
2567 cs->d = 1;
2568 cs->avl = 0;
2569
2570 set_desc_base(ss, 0); /* flat segment */
2571 set_desc_limit(ss, 0xfffff); /* 4GB limit */
2572 ss->g = 1; /* 4kb granularity */
2573 ss->s = 1;
2574 ss->type = 0x03; /* Read/Write, Accessed */
2575 ss->d = 1; /* 32bit stack segment */
2576 ss->dpl = 0;
2577 ss->p = 1;
2578 ss->l = 0;
2579 ss->avl = 0;
2580 }
2581
2582 static bool vendor_intel(struct x86_emulate_ctxt *ctxt)
2583 {
2584 u32 eax, ebx, ecx, edx;
2585
2586 eax = ecx = 0;
2587 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
2588 return ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx
2589 && ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx
2590 && edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx;
2591 }
2592
2593 static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt)
2594 {
2595 const struct x86_emulate_ops *ops = ctxt->ops;
2596 u32 eax, ebx, ecx, edx;
2597
2598 /*
2599 * syscall should always be enabled in longmode - so only become
2600 * vendor specific (cpuid) if other modes are active...
2601 */
2602 if (ctxt->mode == X86EMUL_MODE_PROT64)
2603 return true;
2604
2605 eax = 0x00000000;
2606 ecx = 0x00000000;
2607 ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
2608 /*
2609 * Intel ("GenuineIntel")
2610 * remark: Intel CPUs only support "syscall" in 64bit
2611 * longmode. Also an 64bit guest with a
2612 * 32bit compat-app running will #UD !! While this
2613 * behaviour can be fixed (by emulating) into AMD
2614 * response - CPUs of AMD can't behave like Intel.
2615 */
2616 if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
2617 ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
2618 edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
2619 return false;
2620
2621 /* AMD ("AuthenticAMD") */
2622 if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
2623 ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
2624 edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
2625 return true;
2626
2627 /* AMD ("AMDisbetter!") */
2628 if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
2629 ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
2630 edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
2631 return true;
2632
2633 /* default: (not Intel, not AMD), apply Intel's stricter rules... */
2634 return false;
2635 }
2636
2637 static int em_syscall(struct x86_emulate_ctxt *ctxt)
2638 {
2639 const struct x86_emulate_ops *ops = ctxt->ops;
2640 struct desc_struct cs, ss;
2641 u64 msr_data;
2642 u16 cs_sel, ss_sel;
2643 u64 efer = 0;
2644
2645 /* syscall is not available in real mode */
2646 if (ctxt->mode == X86EMUL_MODE_REAL ||
2647 ctxt->mode == X86EMUL_MODE_VM86)
2648 return emulate_ud(ctxt);
2649
2650 if (!(em_syscall_is_enabled(ctxt)))
2651 return emulate_ud(ctxt);
2652
2653 ops->get_msr(ctxt, MSR_EFER, &efer);
2654 setup_syscalls_segments(ctxt, &cs, &ss);
2655
2656 if (!(efer & EFER_SCE))
2657 return emulate_ud(ctxt);
2658
2659 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2660 msr_data >>= 32;
2661 cs_sel = (u16)(msr_data & 0xfffc);
2662 ss_sel = (u16)(msr_data + 8);
2663
2664 if (efer & EFER_LMA) {
2665 cs.d = 0;
2666 cs.l = 1;
2667 }
2668 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2669 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2670
2671 *reg_write(ctxt, VCPU_REGS_RCX) = ctxt->_eip;
2672 if (efer & EFER_LMA) {
2673 #ifdef CONFIG_X86_64
2674 *reg_write(ctxt, VCPU_REGS_R11) = ctxt->eflags;
2675
2676 ops->get_msr(ctxt,
2677 ctxt->mode == X86EMUL_MODE_PROT64 ?
2678 MSR_LSTAR : MSR_CSTAR, &msr_data);
2679 ctxt->_eip = msr_data;
2680
2681 ops->get_msr(ctxt, MSR_SYSCALL_MASK, &msr_data);
2682 ctxt->eflags &= ~msr_data;
2683 ctxt->eflags |= X86_EFLAGS_FIXED;
2684 #endif
2685 } else {
2686 /* legacy mode */
2687 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2688 ctxt->_eip = (u32)msr_data;
2689
2690 ctxt->eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
2691 }
2692
2693 return X86EMUL_CONTINUE;
2694 }
2695
2696 static int em_sysenter(struct x86_emulate_ctxt *ctxt)
2697 {
2698 const struct x86_emulate_ops *ops = ctxt->ops;
2699 struct desc_struct cs, ss;
2700 u64 msr_data;
2701 u16 cs_sel, ss_sel;
2702 u64 efer = 0;
2703
2704 ops->get_msr(ctxt, MSR_EFER, &efer);
2705 /* inject #GP if in real mode */
2706 if (ctxt->mode == X86EMUL_MODE_REAL)
2707 return emulate_gp(ctxt, 0);
2708
2709 /*
2710 * Not recognized on AMD in compat mode (but is recognized in legacy
2711 * mode).
2712 */
2713 if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
2714 && !vendor_intel(ctxt))
2715 return emulate_ud(ctxt);
2716
2717 /* sysenter/sysexit have not been tested in 64bit mode. */
2718 if (ctxt->mode == X86EMUL_MODE_PROT64)
2719 return X86EMUL_UNHANDLEABLE;
2720
2721 setup_syscalls_segments(ctxt, &cs, &ss);
2722
2723 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2724 if ((msr_data & 0xfffc) == 0x0)
2725 return emulate_gp(ctxt, 0);
2726
2727 ctxt->eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
2728 cs_sel = (u16)msr_data & ~SEGMENT_RPL_MASK;
2729 ss_sel = cs_sel + 8;
2730 if (efer & EFER_LMA) {
2731 cs.d = 0;
2732 cs.l = 1;
2733 }
2734
2735 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2736 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2737
2738 ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
2739 ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
2740
2741 ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
2742 *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
2743 (u32)msr_data;
2744
2745 return X86EMUL_CONTINUE;
2746 }
2747
2748 static int em_sysexit(struct x86_emulate_ctxt *ctxt)
2749 {
2750 const struct x86_emulate_ops *ops = ctxt->ops;
2751 struct desc_struct cs, ss;
2752 u64 msr_data, rcx, rdx;
2753 int usermode;
2754 u16 cs_sel = 0, ss_sel = 0;
2755
2756 /* inject #GP if in real mode or Virtual 8086 mode */
2757 if (ctxt->mode == X86EMUL_MODE_REAL ||
2758 ctxt->mode == X86EMUL_MODE_VM86)
2759 return emulate_gp(ctxt, 0);
2760
2761 setup_syscalls_segments(ctxt, &cs, &ss);
2762
2763 if ((ctxt->rex_prefix & 0x8) != 0x0)
2764 usermode = X86EMUL_MODE_PROT64;
2765 else
2766 usermode = X86EMUL_MODE_PROT32;
2767
2768 rcx = reg_read(ctxt, VCPU_REGS_RCX);
2769 rdx = reg_read(ctxt, VCPU_REGS_RDX);
2770
2771 cs.dpl = 3;
2772 ss.dpl = 3;
2773 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2774 switch (usermode) {
2775 case X86EMUL_MODE_PROT32:
2776 cs_sel = (u16)(msr_data + 16);
2777 if ((msr_data & 0xfffc) == 0x0)
2778 return emulate_gp(ctxt, 0);
2779 ss_sel = (u16)(msr_data + 24);
2780 rcx = (u32)rcx;
2781 rdx = (u32)rdx;
2782 break;
2783 case X86EMUL_MODE_PROT64:
2784 cs_sel = (u16)(msr_data + 32);
2785 if (msr_data == 0x0)
2786 return emulate_gp(ctxt, 0);
2787 ss_sel = cs_sel + 8;
2788 cs.d = 0;
2789 cs.l = 1;
2790 if (is_noncanonical_address(rcx) ||
2791 is_noncanonical_address(rdx))
2792 return emulate_gp(ctxt, 0);
2793 break;
2794 }
2795 cs_sel |= SEGMENT_RPL_MASK;
2796 ss_sel |= SEGMENT_RPL_MASK;
2797
2798 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2799 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2800
2801 ctxt->_eip = rdx;
2802 *reg_write(ctxt, VCPU_REGS_RSP) = rcx;
2803
2804 return X86EMUL_CONTINUE;
2805 }
2806
2807 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt)
2808 {
2809 int iopl;
2810 if (ctxt->mode == X86EMUL_MODE_REAL)
2811 return false;
2812 if (ctxt->mode == X86EMUL_MODE_VM86)
2813 return true;
2814 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> X86_EFLAGS_IOPL_BIT;
2815 return ctxt->ops->cpl(ctxt) > iopl;
2816 }
2817
2818 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2819 u16 port, u16 len)
2820 {
2821 const struct x86_emulate_ops *ops = ctxt->ops;
2822 struct desc_struct tr_seg;
2823 u32 base3;
2824 int r;
2825 u16 tr, io_bitmap_ptr, perm, bit_idx = port & 0x7;
2826 unsigned mask = (1 << len) - 1;
2827 unsigned long base;
2828
2829 ops->get_segment(ctxt, &tr, &tr_seg, &base3, VCPU_SREG_TR);
2830 if (!tr_seg.p)
2831 return false;
2832 if (desc_limit_scaled(&tr_seg) < 103)
2833 return false;
2834 base = get_desc_base(&tr_seg);
2835 #ifdef CONFIG_X86_64
2836 base |= ((u64)base3) << 32;
2837 #endif
2838 r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL);
2839 if (r != X86EMUL_CONTINUE)
2840 return false;
2841 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2842 return false;
2843 r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL);
2844 if (r != X86EMUL_CONTINUE)
2845 return false;
2846 if ((perm >> bit_idx) & mask)
2847 return false;
2848 return true;
2849 }
2850
2851 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2852 u16 port, u16 len)
2853 {
2854 if (ctxt->perm_ok)
2855 return true;
2856
2857 if (emulator_bad_iopl(ctxt))
2858 if (!emulator_io_port_access_allowed(ctxt, port, len))
2859 return false;
2860
2861 ctxt->perm_ok = true;
2862
2863 return true;
2864 }
2865
2866 static void string_registers_quirk(struct x86_emulate_ctxt *ctxt)
2867 {
2868 /*
2869 * Intel CPUs mask the counter and pointers in quite strange
2870 * manner when ECX is zero due to REP-string optimizations.
2871 */
2872 #ifdef CONFIG_X86_64
2873 if (ctxt->ad_bytes != 4 || !vendor_intel(ctxt))
2874 return;
2875
2876 *reg_write(ctxt, VCPU_REGS_RCX) = 0;
2877
2878 switch (ctxt->b) {
2879 case 0xa4: /* movsb */
2880 case 0xa5: /* movsd/w */
2881 *reg_rmw(ctxt, VCPU_REGS_RSI) &= (u32)-1;
2882 /* fall through */
2883 case 0xaa: /* stosb */
2884 case 0xab: /* stosd/w */
2885 *reg_rmw(ctxt, VCPU_REGS_RDI) &= (u32)-1;
2886 }
2887 #endif
2888 }
2889
2890 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2891 struct tss_segment_16 *tss)
2892 {
2893 tss->ip = ctxt->_eip;
2894 tss->flag = ctxt->eflags;
2895 tss->ax = reg_read(ctxt, VCPU_REGS_RAX);
2896 tss->cx = reg_read(ctxt, VCPU_REGS_RCX);
2897 tss->dx = reg_read(ctxt, VCPU_REGS_RDX);
2898 tss->bx = reg_read(ctxt, VCPU_REGS_RBX);
2899 tss->sp = reg_read(ctxt, VCPU_REGS_RSP);
2900 tss->bp = reg_read(ctxt, VCPU_REGS_RBP);
2901 tss->si = reg_read(ctxt, VCPU_REGS_RSI);
2902 tss->di = reg_read(ctxt, VCPU_REGS_RDI);
2903
2904 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2905 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2906 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2907 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2908 tss->ldt = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2909 }
2910
2911 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2912 struct tss_segment_16 *tss)
2913 {
2914 int ret;
2915 u8 cpl;
2916
2917 ctxt->_eip = tss->ip;
2918 ctxt->eflags = tss->flag | 2;
2919 *reg_write(ctxt, VCPU_REGS_RAX) = tss->ax;
2920 *reg_write(ctxt, VCPU_REGS_RCX) = tss->cx;
2921 *reg_write(ctxt, VCPU_REGS_RDX) = tss->dx;
2922 *reg_write(ctxt, VCPU_REGS_RBX) = tss->bx;
2923 *reg_write(ctxt, VCPU_REGS_RSP) = tss->sp;
2924 *reg_write(ctxt, VCPU_REGS_RBP) = tss->bp;
2925 *reg_write(ctxt, VCPU_REGS_RSI) = tss->si;
2926 *reg_write(ctxt, VCPU_REGS_RDI) = tss->di;
2927
2928 /*
2929 * SDM says that segment selectors are loaded before segment
2930 * descriptors
2931 */
2932 set_segment_selector(ctxt, tss->ldt, VCPU_SREG_LDTR);
2933 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2934 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2935 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2936 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2937
2938 cpl = tss->cs & 3;
2939
2940 /*
2941 * Now load segment descriptors. If fault happens at this stage
2942 * it is handled in a context of new task
2943 */
2944 ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl,
2945 X86_TRANSFER_TASK_SWITCH, NULL);
2946 if (ret != X86EMUL_CONTINUE)
2947 return ret;
2948 ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
2949 X86_TRANSFER_TASK_SWITCH, NULL);
2950 if (ret != X86EMUL_CONTINUE)
2951 return ret;
2952 ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
2953 X86_TRANSFER_TASK_SWITCH, NULL);
2954 if (ret != X86EMUL_CONTINUE)
2955 return ret;
2956 ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
2957 X86_TRANSFER_TASK_SWITCH, NULL);
2958 if (ret != X86EMUL_CONTINUE)
2959 return ret;
2960 ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
2961 X86_TRANSFER_TASK_SWITCH, NULL);
2962 if (ret != X86EMUL_CONTINUE)
2963 return ret;
2964
2965 return X86EMUL_CONTINUE;
2966 }
2967
2968 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2969 u16 tss_selector, u16 old_tss_sel,
2970 ulong old_tss_base, struct desc_struct *new_desc)
2971 {
2972 const struct x86_emulate_ops *ops = ctxt->ops;
2973 struct tss_segment_16 tss_seg;
2974 int ret;
2975 u32 new_tss_base = get_desc_base(new_desc);
2976
2977 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2978 &ctxt->exception);
2979 if (ret != X86EMUL_CONTINUE)
2980 return ret;
2981
2982 save_state_to_tss16(ctxt, &tss_seg);
2983
2984 ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2985 &ctxt->exception);
2986 if (ret != X86EMUL_CONTINUE)
2987 return ret;
2988
2989 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
2990 &ctxt->exception);
2991 if (ret != X86EMUL_CONTINUE)
2992 return ret;
2993
2994 if (old_tss_sel != 0xffff) {
2995 tss_seg.prev_task_link = old_tss_sel;
2996
2997 ret = ops->write_std(ctxt, new_tss_base,
2998 &tss_seg.prev_task_link,
2999 sizeof tss_seg.prev_task_link,
3000 &ctxt->exception);
3001 if (ret != X86EMUL_CONTINUE)
3002 return ret;
3003 }
3004
3005 return load_state_from_tss16(ctxt, &tss_seg);
3006 }
3007
3008 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
3009 struct tss_segment_32 *tss)
3010 {
3011 /* CR3 and ldt selector are not saved intentionally */
3012 tss->eip = ctxt->_eip;
3013 tss->eflags = ctxt->eflags;
3014 tss->eax = reg_read(ctxt, VCPU_REGS_RAX);
3015 tss->ecx = reg_read(ctxt, VCPU_REGS_RCX);
3016 tss->edx = reg_read(ctxt, VCPU_REGS_RDX);
3017 tss->ebx = reg_read(ctxt, VCPU_REGS_RBX);
3018 tss->esp = reg_read(ctxt, VCPU_REGS_RSP);
3019 tss->ebp = reg_read(ctxt, VCPU_REGS_RBP);
3020 tss->esi = reg_read(ctxt, VCPU_REGS_RSI);
3021 tss->edi = reg_read(ctxt, VCPU_REGS_RDI);
3022
3023 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
3024 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
3025 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
3026 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
3027 tss->fs = get_segment_selector(ctxt, VCPU_SREG_FS);
3028 tss->gs = get_segment_selector(ctxt, VCPU_SREG_GS);
3029 }
3030
3031 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
3032 struct tss_segment_32 *tss)
3033 {
3034 int ret;
3035 u8 cpl;
3036
3037 if (ctxt->ops->set_cr(ctxt, 3, tss->cr3))
3038 return emulate_gp(ctxt, 0);
3039 ctxt->_eip = tss->eip;
3040 ctxt->eflags = tss->eflags | 2;
3041
3042 /* General purpose registers */
3043 *reg_write(ctxt, VCPU_REGS_RAX) = tss->eax;
3044 *reg_write(ctxt, VCPU_REGS_RCX) = tss->ecx;
3045 *reg_write(ctxt, VCPU_REGS_RDX) = tss->edx;
3046 *reg_write(ctxt, VCPU_REGS_RBX) = tss->ebx;
3047 *reg_write(ctxt, VCPU_REGS_RSP) = tss->esp;
3048 *reg_write(ctxt, VCPU_REGS_RBP) = tss->ebp;
3049 *reg_write(ctxt, VCPU_REGS_RSI) = tss->esi;
3050 *reg_write(ctxt, VCPU_REGS_RDI) = tss->edi;
3051
3052 /*
3053 * SDM says that segment selectors are loaded before segment
3054 * descriptors. This is important because CPL checks will
3055 * use CS.RPL.
3056 */
3057 set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
3058 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
3059 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
3060 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
3061 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
3062 set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS);
3063 set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS);
3064
3065 /*
3066 * If we're switching between Protected Mode and VM86, we need to make
3067 * sure to update the mode before loading the segment descriptors so
3068 * that the selectors are interpreted correctly.
3069 */
3070 if (ctxt->eflags & X86_EFLAGS_VM) {
3071 ctxt->mode = X86EMUL_MODE_VM86;
3072 cpl = 3;
3073 } else {
3074 ctxt->mode = X86EMUL_MODE_PROT32;
3075 cpl = tss->cs & 3;
3076 }
3077
3078 /*
3079 * Now load segment descriptors. If fault happenes at this stage
3080 * it is handled in a context of new task
3081 */
3082 ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR,
3083 cpl, X86_TRANSFER_TASK_SWITCH, NULL);
3084 if (ret != X86EMUL_CONTINUE)
3085 return ret;
3086 ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
3087 X86_TRANSFER_TASK_SWITCH, NULL);
3088 if (ret != X86EMUL_CONTINUE)
3089 return ret;
3090 ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
3091 X86_TRANSFER_TASK_SWITCH, NULL);
3092 if (ret != X86EMUL_CONTINUE)
3093 return ret;
3094 ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
3095 X86_TRANSFER_TASK_SWITCH, NULL);
3096 if (ret != X86EMUL_CONTINUE)
3097 return ret;
3098 ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
3099 X86_TRANSFER_TASK_SWITCH, NULL);
3100 if (ret != X86EMUL_CONTINUE)
3101 return ret;
3102 ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl,
3103 X86_TRANSFER_TASK_SWITCH, NULL);
3104 if (ret != X86EMUL_CONTINUE)
3105 return ret;
3106 ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl,
3107 X86_TRANSFER_TASK_SWITCH, NULL);
3108
3109 return ret;
3110 }
3111
3112 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
3113 u16 tss_selector, u16 old_tss_sel,
3114 ulong old_tss_base, struct desc_struct *new_desc)
3115 {
3116 const struct x86_emulate_ops *ops = ctxt->ops;
3117 struct tss_segment_32 tss_seg;
3118 int ret;
3119 u32 new_tss_base = get_desc_base(new_desc);
3120 u32 eip_offset = offsetof(struct tss_segment_32, eip);
3121 u32 ldt_sel_offset = offsetof(struct tss_segment_32, ldt_selector);
3122
3123 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
3124 &ctxt->exception);
3125 if (ret != X86EMUL_CONTINUE)
3126 return ret;
3127
3128 save_state_to_tss32(ctxt, &tss_seg);
3129
3130 /* Only GP registers and segment selectors are saved */
3131 ret = ops->write_std(ctxt, old_tss_base + eip_offset, &tss_seg.eip,
3132 ldt_sel_offset - eip_offset, &ctxt->exception);
3133 if (ret != X86EMUL_CONTINUE)
3134 return ret;
3135
3136 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
3137 &ctxt->exception);
3138 if (ret != X86EMUL_CONTINUE)
3139 return ret;
3140
3141 if (old_tss_sel != 0xffff) {
3142 tss_seg.prev_task_link = old_tss_sel;
3143
3144 ret = ops->write_std(ctxt, new_tss_base,
3145 &tss_seg.prev_task_link,
3146 sizeof tss_seg.prev_task_link,
3147 &ctxt->exception);
3148 if (ret != X86EMUL_CONTINUE)
3149 return ret;
3150 }
3151
3152 return load_state_from_tss32(ctxt, &tss_seg);
3153 }
3154
3155 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
3156 u16 tss_selector, int idt_index, int reason,
3157 bool has_error_code, u32 error_code)
3158 {
3159 const struct x86_emulate_ops *ops = ctxt->ops;
3160 struct desc_struct curr_tss_desc, next_tss_desc;
3161 int ret;
3162 u16 old_tss_sel = get_segment_selector(ctxt, VCPU_SREG_TR);
3163 ulong old_tss_base =
3164 ops->get_cached_segment_base(ctxt, VCPU_SREG_TR);
3165 u32 desc_limit;
3166 ulong desc_addr, dr7;
3167
3168 /* FIXME: old_tss_base == ~0 ? */
3169
3170 ret = read_segment_descriptor(ctxt, tss_selector, &next_tss_desc, &desc_addr);
3171 if (ret != X86EMUL_CONTINUE)
3172 return ret;
3173 ret = read_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc, &desc_addr);
3174 if (ret != X86EMUL_CONTINUE)
3175 return ret;
3176
3177 /* FIXME: check that next_tss_desc is tss */
3178
3179 /*
3180 * Check privileges. The three cases are task switch caused by...
3181 *
3182 * 1. jmp/call/int to task gate: Check against DPL of the task gate
3183 * 2. Exception/IRQ/iret: No check is performed
3184 * 3. jmp/call to TSS/task-gate: No check is performed since the
3185 * hardware checks it before exiting.
3186 */
3187 if (reason == TASK_SWITCH_GATE) {
3188 if (idt_index != -1) {
3189 /* Software interrupts */
3190 struct desc_struct task_gate_desc;
3191 int dpl;
3192
3193 ret = read_interrupt_descriptor(ctxt, idt_index,
3194 &task_gate_desc);
3195 if (ret != X86EMUL_CONTINUE)
3196 return ret;
3197
3198 dpl = task_gate_desc.dpl;
3199 if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
3200 return emulate_gp(ctxt, (idt_index << 3) | 0x2);
3201 }
3202 }
3203
3204 desc_limit = desc_limit_scaled(&next_tss_desc);
3205 if (!next_tss_desc.p ||
3206 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
3207 desc_limit < 0x2b)) {
3208 return emulate_ts(ctxt, tss_selector & 0xfffc);
3209 }
3210
3211 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
3212 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
3213 write_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
3214 }
3215
3216 if (reason == TASK_SWITCH_IRET)
3217 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
3218
3219 /* set back link to prev task only if NT bit is set in eflags
3220 note that old_tss_sel is not used after this point */
3221 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
3222 old_tss_sel = 0xffff;
3223
3224 if (next_tss_desc.type & 8)
3225 ret = task_switch_32(ctxt, tss_selector, old_tss_sel,
3226 old_tss_base, &next_tss_desc);
3227 else
3228 ret = task_switch_16(ctxt, tss_selector, old_tss_sel,
3229 old_tss_base, &next_tss_desc);
3230 if (ret != X86EMUL_CONTINUE)
3231 return ret;
3232
3233 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
3234 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
3235
3236 if (reason != TASK_SWITCH_IRET) {
3237 next_tss_desc.type |= (1 << 1); /* set busy flag */
3238 write_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
3239 }
3240
3241 ops->set_cr(ctxt, 0, ops->get_cr(ctxt, 0) | X86_CR0_TS);
3242 ops->set_segment(ctxt, tss_selector, &next_tss_desc, 0, VCPU_SREG_TR);
3243
3244 if (has_error_code) {
3245 ctxt->op_bytes = ctxt->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
3246 ctxt->lock_prefix = 0;
3247 ctxt->src.val = (unsigned long) error_code;
3248 ret = em_push(ctxt);
3249 }
3250
3251 ops->get_dr(ctxt, 7, &dr7);
3252 ops->set_dr(ctxt, 7, dr7 & ~(DR_LOCAL_ENABLE_MASK | DR_LOCAL_SLOWDOWN));
3253
3254 return ret;
3255 }
3256
3257 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
3258 u16 tss_selector, int idt_index, int reason,
3259 bool has_error_code, u32 error_code)
3260 {
3261 int rc;
3262
3263 invalidate_registers(ctxt);
3264 ctxt->_eip = ctxt->eip;
3265 ctxt->dst.type = OP_NONE;
3266
3267 rc = emulator_do_task_switch(ctxt, tss_selector, idt_index, reason,
3268 has_error_code, error_code);
3269
3270 if (rc == X86EMUL_CONTINUE) {
3271 ctxt->eip = ctxt->_eip;
3272 writeback_registers(ctxt);
3273 }
3274
3275 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
3276 }
3277
3278 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, int reg,
3279 struct operand *op)
3280 {
3281 int df = (ctxt->eflags & X86_EFLAGS_DF) ? -op->count : op->count;
3282
3283 register_address_increment(ctxt, reg, df * op->bytes);
3284 op->addr.mem.ea = register_address(ctxt, reg);
3285 }
3286
3287 static int em_das(struct x86_emulate_ctxt *ctxt)
3288 {
3289 u8 al, old_al;
3290 bool af, cf, old_cf;
3291
3292 cf = ctxt->eflags & X86_EFLAGS_CF;
3293 al = ctxt->dst.val;
3294
3295 old_al = al;
3296 old_cf = cf;
3297 cf = false;
3298 af = ctxt->eflags & X86_EFLAGS_AF;
3299 if ((al & 0x0f) > 9 || af) {
3300 al -= 6;
3301 cf = old_cf | (al >= 250);
3302 af = true;
3303 } else {
3304 af = false;
3305 }
3306 if (old_al > 0x99 || old_cf) {
3307 al -= 0x60;
3308 cf = true;
3309 }
3310
3311 ctxt->dst.val = al;
3312 /* Set PF, ZF, SF */
3313 ctxt->src.type = OP_IMM;
3314 ctxt->src.val = 0;
3315 ctxt->src.bytes = 1;
3316 fastop(ctxt, em_or);
3317 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
3318 if (cf)
3319 ctxt->eflags |= X86_EFLAGS_CF;
3320 if (af)
3321 ctxt->eflags |= X86_EFLAGS_AF;
3322 return X86EMUL_CONTINUE;
3323 }
3324
3325 static int em_aam(struct x86_emulate_ctxt *ctxt)
3326 {
3327 u8 al, ah;
3328
3329 if (ctxt->src.val == 0)
3330 return emulate_de(ctxt);
3331
3332 al = ctxt->dst.val & 0xff;
3333 ah = al / ctxt->src.val;
3334 al %= ctxt->src.val;
3335
3336 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al | (ah << 8);
3337
3338 /* Set PF, ZF, SF */
3339 ctxt->src.type = OP_IMM;
3340 ctxt->src.val = 0;
3341 ctxt->src.bytes = 1;
3342 fastop(ctxt, em_or);
3343
3344 return X86EMUL_CONTINUE;
3345 }
3346
3347 static int em_aad(struct x86_emulate_ctxt *ctxt)
3348 {
3349 u8 al = ctxt->dst.val & 0xff;
3350 u8 ah = (ctxt->dst.val >> 8) & 0xff;
3351
3352 al = (al + (ah * ctxt->src.val)) & 0xff;
3353
3354 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al;
3355
3356 /* Set PF, ZF, SF */
3357 ctxt->src.type = OP_IMM;
3358 ctxt->src.val = 0;
3359 ctxt->src.bytes = 1;
3360 fastop(ctxt, em_or);
3361
3362 return X86EMUL_CONTINUE;
3363 }
3364
3365 static int em_call(struct x86_emulate_ctxt *ctxt)
3366 {
3367 int rc;
3368 long rel = ctxt->src.val;
3369
3370 ctxt->src.val = (unsigned long)ctxt->_eip;
3371 rc = jmp_rel(ctxt, rel);
3372 if (rc != X86EMUL_CONTINUE)
3373 return rc;
3374 return em_push(ctxt);
3375 }
3376
3377 static int em_call_far(struct x86_emulate_ctxt *ctxt)
3378 {
3379 u16 sel, old_cs;
3380 ulong old_eip;
3381 int rc;
3382 struct desc_struct old_desc, new_desc;
3383 const struct x86_emulate_ops *ops = ctxt->ops;
3384 int cpl = ctxt->ops->cpl(ctxt);
3385 enum x86emul_mode prev_mode = ctxt->mode;
3386
3387 old_eip = ctxt->_eip;
3388 ops->get_segment(ctxt, &old_cs, &old_desc, NULL, VCPU_SREG_CS);
3389
3390 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
3391 rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
3392 X86_TRANSFER_CALL_JMP, &new_desc);
3393 if (rc != X86EMUL_CONTINUE)
3394 return rc;
3395
3396 rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
3397 if (rc != X86EMUL_CONTINUE)
3398 goto fail;
3399
3400 ctxt->src.val = old_cs;
3401 rc = em_push(ctxt);
3402 if (rc != X86EMUL_CONTINUE)
3403 goto fail;
3404
3405 ctxt->src.val = old_eip;
3406 rc = em_push(ctxt);
3407 /* If we failed, we tainted the memory, but the very least we should
3408 restore cs */
3409 if (rc != X86EMUL_CONTINUE) {
3410 pr_warn_once("faulting far call emulation tainted memory\n");
3411 goto fail;
3412 }
3413 return rc;
3414 fail:
3415 ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
3416 ctxt->mode = prev_mode;
3417 return rc;
3418
3419 }
3420
3421 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
3422 {
3423 int rc;
3424 unsigned long eip;
3425
3426 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
3427 if (rc != X86EMUL_CONTINUE)
3428 return rc;
3429 rc = assign_eip_near(ctxt, eip);
3430 if (rc != X86EMUL_CONTINUE)
3431 return rc;
3432 rsp_increment(ctxt, ctxt->src.val);
3433 return X86EMUL_CONTINUE;
3434 }
3435
3436 static int em_xchg(struct x86_emulate_ctxt *ctxt)
3437 {
3438 /* Write back the register source. */
3439 ctxt->src.val = ctxt->dst.val;
3440 write_register_operand(&ctxt->src);
3441
3442 /* Write back the memory destination with implicit LOCK prefix. */
3443 ctxt->dst.val = ctxt->src.orig_val;
3444 ctxt->lock_prefix = 1;
3445 return X86EMUL_CONTINUE;
3446 }
3447
3448 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
3449 {
3450 ctxt->dst.val = ctxt->src2.val;
3451 return fastop(ctxt, em_imul);
3452 }
3453
3454 static int em_cwd(struct x86_emulate_ctxt *ctxt)
3455 {
3456 ctxt->dst.type = OP_REG;
3457 ctxt->dst.bytes = ctxt->src.bytes;
3458 ctxt->dst.addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
3459 ctxt->dst.val = ~((ctxt->src.val >> (ctxt->src.bytes * 8 - 1)) - 1);
3460
3461 return X86EMUL_CONTINUE;
3462 }
3463
3464 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
3465 {
3466 u64 tsc = 0;
3467
3468 ctxt->ops->get_msr(ctxt, MSR_IA32_TSC, &tsc);
3469 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)tsc;
3470 *reg_write(ctxt, VCPU_REGS_RDX) = tsc >> 32;
3471 return X86EMUL_CONTINUE;
3472 }
3473
3474 static int em_rdpmc(struct x86_emulate_ctxt *ctxt)
3475 {
3476 u64 pmc;
3477
3478 if (ctxt->ops->read_pmc(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &pmc))
3479 return emulate_gp(ctxt, 0);
3480 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)pmc;
3481 *reg_write(ctxt, VCPU_REGS_RDX) = pmc >> 32;
3482 return X86EMUL_CONTINUE;
3483 }
3484
3485 static int em_mov(struct x86_emulate_ctxt *ctxt)
3486 {
3487 memcpy(ctxt->dst.valptr, ctxt->src.valptr, sizeof(ctxt->src.valptr));
3488 return X86EMUL_CONTINUE;
3489 }
3490
3491 #define FFL(x) bit(X86_FEATURE_##x)
3492
3493 static int em_movbe(struct x86_emulate_ctxt *ctxt)
3494 {
3495 u32 ebx, ecx, edx, eax = 1;
3496 u16 tmp;
3497
3498 /*
3499 * Check MOVBE is set in the guest-visible CPUID leaf.
3500 */
3501 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
3502 if (!(ecx & FFL(MOVBE)))
3503 return emulate_ud(ctxt);
3504
3505 switch (ctxt->op_bytes) {
3506 case 2:
3507 /*
3508 * From MOVBE definition: "...When the operand size is 16 bits,
3509 * the upper word of the destination register remains unchanged
3510 * ..."
3511 *
3512 * Both casting ->valptr and ->val to u16 breaks strict aliasing
3513 * rules so we have to do the operation almost per hand.
3514 */
3515 tmp = (u16)ctxt->src.val;
3516 ctxt->dst.val &= ~0xffffUL;
3517 ctxt->dst.val |= (unsigned long)swab16(tmp);
3518 break;
3519 case 4:
3520 ctxt->dst.val = swab32((u32)ctxt->src.val);
3521 break;
3522 case 8:
3523 ctxt->dst.val = swab64(ctxt->src.val);
3524 break;
3525 default:
3526 BUG();
3527 }
3528 return X86EMUL_CONTINUE;
3529 }
3530
3531 static int em_cr_write(struct x86_emulate_ctxt *ctxt)
3532 {
3533 if (ctxt->ops->set_cr(ctxt, ctxt->modrm_reg, ctxt->src.val))
3534 return emulate_gp(ctxt, 0);
3535
3536 /* Disable writeback. */
3537 ctxt->dst.type = OP_NONE;
3538 return X86EMUL_CONTINUE;
3539 }
3540
3541 static int em_dr_write(struct x86_emulate_ctxt *ctxt)
3542 {
3543 unsigned long val;
3544
3545 if (ctxt->mode == X86EMUL_MODE_PROT64)
3546 val = ctxt->src.val & ~0ULL;
3547 else
3548 val = ctxt->src.val & ~0U;
3549
3550 /* #UD condition is already handled. */
3551 if (ctxt->ops->set_dr(ctxt, ctxt->modrm_reg, val) < 0)
3552 return emulate_gp(ctxt, 0);
3553
3554 /* Disable writeback. */
3555 ctxt->dst.type = OP_NONE;
3556 return X86EMUL_CONTINUE;
3557 }
3558
3559 static int em_wrmsr(struct x86_emulate_ctxt *ctxt)
3560 {
3561 u64 msr_data;
3562
3563 msr_data = (u32)reg_read(ctxt, VCPU_REGS_RAX)
3564 | ((u64)reg_read(ctxt, VCPU_REGS_RDX) << 32);
3565 if (ctxt->ops->set_msr(ctxt, reg_read(ctxt, VCPU_REGS_RCX), msr_data))
3566 return emulate_gp(ctxt, 0);
3567
3568 return X86EMUL_CONTINUE;
3569 }
3570
3571 static int em_rdmsr(struct x86_emulate_ctxt *ctxt)
3572 {
3573 u64 msr_data;
3574
3575 if (ctxt->ops->get_msr(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &msr_data))
3576 return emulate_gp(ctxt, 0);
3577
3578 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)msr_data;
3579 *reg_write(ctxt, VCPU_REGS_RDX) = msr_data >> 32;
3580 return X86EMUL_CONTINUE;
3581 }
3582
3583 static int em_mov_rm_sreg(struct x86_emulate_ctxt *ctxt)
3584 {
3585 if (ctxt->modrm_reg > VCPU_SREG_GS)
3586 return emulate_ud(ctxt);
3587
3588 ctxt->dst.val = get_segment_selector(ctxt, ctxt->modrm_reg);
3589 if (ctxt->dst.bytes == 4 && ctxt->dst.type == OP_MEM)
3590 ctxt->dst.bytes = 2;
3591 return X86EMUL_CONTINUE;
3592 }
3593
3594 static int em_mov_sreg_rm(struct x86_emulate_ctxt *ctxt)
3595 {
3596 u16 sel = ctxt->src.val;
3597
3598 if (ctxt->modrm_reg == VCPU_SREG_CS || ctxt->modrm_reg > VCPU_SREG_GS)
3599 return emulate_ud(ctxt);
3600
3601 if (ctxt->modrm_reg == VCPU_SREG_SS)
3602 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3603
3604 /* Disable writeback. */
3605 ctxt->dst.type = OP_NONE;
3606 return load_segment_descriptor(ctxt, sel, ctxt->modrm_reg);
3607 }
3608
3609 static int em_lldt(struct x86_emulate_ctxt *ctxt)
3610 {
3611 u16 sel = ctxt->src.val;
3612
3613 /* Disable writeback. */
3614 ctxt->dst.type = OP_NONE;
3615 return load_segment_descriptor(ctxt, sel, VCPU_SREG_LDTR);
3616 }
3617
3618 static int em_ltr(struct x86_emulate_ctxt *ctxt)
3619 {
3620 u16 sel = ctxt->src.val;
3621
3622 /* Disable writeback. */
3623 ctxt->dst.type = OP_NONE;
3624 return load_segment_descriptor(ctxt, sel, VCPU_SREG_TR);
3625 }
3626
3627 static int em_invlpg(struct x86_emulate_ctxt *ctxt)
3628 {
3629 int rc;
3630 ulong linear;
3631
3632 rc = linearize(ctxt, ctxt->src.addr.mem, 1, false, &linear);
3633 if (rc == X86EMUL_CONTINUE)
3634 ctxt->ops->invlpg(ctxt, linear);
3635 /* Disable writeback. */
3636 ctxt->dst.type = OP_NONE;
3637 return X86EMUL_CONTINUE;
3638 }
3639
3640 static int em_clts(struct x86_emulate_ctxt *ctxt)
3641 {
3642 ulong cr0;
3643
3644 cr0 = ctxt->ops->get_cr(ctxt, 0);
3645 cr0 &= ~X86_CR0_TS;
3646 ctxt->ops->set_cr(ctxt, 0, cr0);
3647 return X86EMUL_CONTINUE;
3648 }
3649
3650 static int em_hypercall(struct x86_emulate_ctxt *ctxt)
3651 {
3652 int rc = ctxt->ops->fix_hypercall(ctxt);
3653
3654 if (rc != X86EMUL_CONTINUE)
3655 return rc;
3656
3657 /* Let the processor re-execute the fixed hypercall */
3658 ctxt->_eip = ctxt->eip;
3659 /* Disable writeback. */
3660 ctxt->dst.type = OP_NONE;
3661 return X86EMUL_CONTINUE;
3662 }
3663
3664 static int emulate_store_desc_ptr(struct x86_emulate_ctxt *ctxt,
3665 void (*get)(struct x86_emulate_ctxt *ctxt,
3666 struct desc_ptr *ptr))
3667 {
3668 struct desc_ptr desc_ptr;
3669
3670 if (ctxt->mode == X86EMUL_MODE_PROT64)
3671 ctxt->op_bytes = 8;
3672 get(ctxt, &desc_ptr);
3673 if (ctxt->op_bytes == 2) {
3674 ctxt->op_bytes = 4;
3675 desc_ptr.address &= 0x00ffffff;
3676 }
3677 /* Disable writeback. */
3678 ctxt->dst.type = OP_NONE;
3679 return segmented_write(ctxt, ctxt->dst.addr.mem,
3680 &desc_ptr, 2 + ctxt->op_bytes);
3681 }
3682
3683 static int em_sgdt(struct x86_emulate_ctxt *ctxt)
3684 {
3685 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_gdt);
3686 }
3687
3688 static int em_sidt(struct x86_emulate_ctxt *ctxt)
3689 {
3690 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_idt);
3691 }
3692
3693 static int em_lgdt_lidt(struct x86_emulate_ctxt *ctxt, bool lgdt)
3694 {
3695 struct desc_ptr desc_ptr;
3696 int rc;
3697
3698 if (ctxt->mode == X86EMUL_MODE_PROT64)
3699 ctxt->op_bytes = 8;
3700 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
3701 &desc_ptr.size, &desc_ptr.address,
3702 ctxt->op_bytes);
3703 if (rc != X86EMUL_CONTINUE)
3704 return rc;
3705 if (ctxt->mode == X86EMUL_MODE_PROT64 &&
3706 is_noncanonical_address(desc_ptr.address))
3707 return emulate_gp(ctxt, 0);
3708 if (lgdt)
3709 ctxt->ops->set_gdt(ctxt, &desc_ptr);
3710 else
3711 ctxt->ops->set_idt(ctxt, &desc_ptr);
3712 /* Disable writeback. */
3713 ctxt->dst.type = OP_NONE;
3714 return X86EMUL_CONTINUE;
3715 }
3716
3717 static int em_lgdt(struct x86_emulate_ctxt *ctxt)
3718 {
3719 return em_lgdt_lidt(ctxt, true);
3720 }
3721
3722 static int em_lidt(struct x86_emulate_ctxt *ctxt)
3723 {
3724 return em_lgdt_lidt(ctxt, false);
3725 }
3726
3727 static int em_smsw(struct x86_emulate_ctxt *ctxt)
3728 {
3729 if (ctxt->dst.type == OP_MEM)
3730 ctxt->dst.bytes = 2;
3731 ctxt->dst.val = ctxt->ops->get_cr(ctxt, 0);
3732 return X86EMUL_CONTINUE;
3733 }
3734
3735 static int em_lmsw(struct x86_emulate_ctxt *ctxt)
3736 {
3737 ctxt->ops->set_cr(ctxt, 0, (ctxt->ops->get_cr(ctxt, 0) & ~0x0eul)
3738 | (ctxt->src.val & 0x0f));
3739 ctxt->dst.type = OP_NONE;
3740 return X86EMUL_CONTINUE;
3741 }
3742
3743 static int em_loop(struct x86_emulate_ctxt *ctxt)
3744 {
3745 int rc = X86EMUL_CONTINUE;
3746
3747 register_address_increment(ctxt, VCPU_REGS_RCX, -1);
3748 if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) &&
3749 (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
3750 rc = jmp_rel(ctxt, ctxt->src.val);
3751
3752 return rc;
3753 }
3754
3755 static int em_jcxz(struct x86_emulate_ctxt *ctxt)
3756 {
3757 int rc = X86EMUL_CONTINUE;
3758
3759 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0)
3760 rc = jmp_rel(ctxt, ctxt->src.val);
3761
3762 return rc;
3763 }
3764
3765 static int em_in(struct x86_emulate_ctxt *ctxt)
3766 {
3767 if (!pio_in_emulated(ctxt, ctxt->dst.bytes, ctxt->src.val,
3768 &ctxt->dst.val))
3769 return X86EMUL_IO_NEEDED;
3770
3771 return X86EMUL_CONTINUE;
3772 }
3773
3774 static int em_out(struct x86_emulate_ctxt *ctxt)
3775 {
3776 ctxt->ops->pio_out_emulated(ctxt, ctxt->src.bytes, ctxt->dst.val,
3777 &ctxt->src.val, 1);
3778 /* Disable writeback. */
3779 ctxt->dst.type = OP_NONE;
3780 return X86EMUL_CONTINUE;
3781 }
3782
3783 static int em_cli(struct x86_emulate_ctxt *ctxt)
3784 {
3785 if (emulator_bad_iopl(ctxt))
3786 return emulate_gp(ctxt, 0);
3787
3788 ctxt->eflags &= ~X86_EFLAGS_IF;
3789 return X86EMUL_CONTINUE;
3790 }
3791
3792 static int em_sti(struct x86_emulate_ctxt *ctxt)
3793 {
3794 if (emulator_bad_iopl(ctxt))
3795 return emulate_gp(ctxt, 0);
3796
3797 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3798 ctxt->eflags |= X86_EFLAGS_IF;
3799 return X86EMUL_CONTINUE;
3800 }
3801
3802 static int em_cpuid(struct x86_emulate_ctxt *ctxt)
3803 {
3804 u32 eax, ebx, ecx, edx;
3805
3806 eax = reg_read(ctxt, VCPU_REGS_RAX);
3807 ecx = reg_read(ctxt, VCPU_REGS_RCX);
3808 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
3809 *reg_write(ctxt, VCPU_REGS_RAX) = eax;
3810 *reg_write(ctxt, VCPU_REGS_RBX) = ebx;
3811 *reg_write(ctxt, VCPU_REGS_RCX) = ecx;
3812 *reg_write(ctxt, VCPU_REGS_RDX) = edx;
3813 return X86EMUL_CONTINUE;
3814 }
3815
3816 static int em_sahf(struct x86_emulate_ctxt *ctxt)
3817 {
3818 u32 flags;
3819
3820 flags = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF | X86_EFLAGS_ZF |
3821 X86_EFLAGS_SF;
3822 flags &= *reg_rmw(ctxt, VCPU_REGS_RAX) >> 8;
3823
3824 ctxt->eflags &= ~0xffUL;
3825 ctxt->eflags |= flags | X86_EFLAGS_FIXED;
3826 return X86EMUL_CONTINUE;
3827 }
3828
3829 static int em_lahf(struct x86_emulate_ctxt *ctxt)
3830 {
3831 *reg_rmw(ctxt, VCPU_REGS_RAX) &= ~0xff00UL;
3832 *reg_rmw(ctxt, VCPU_REGS_RAX) |= (ctxt->eflags & 0xff) << 8;
3833 return X86EMUL_CONTINUE;
3834 }
3835
3836 static int em_bswap(struct x86_emulate_ctxt *ctxt)
3837 {
3838 switch (ctxt->op_bytes) {
3839 #ifdef CONFIG_X86_64
3840 case 8:
3841 asm("bswap %0" : "+r"(ctxt->dst.val));
3842 break;
3843 #endif
3844 default:
3845 asm("bswap %0" : "+r"(*(u32 *)&ctxt->dst.val));
3846 break;
3847 }
3848 return X86EMUL_CONTINUE;
3849 }
3850
3851 static int em_clflush(struct x86_emulate_ctxt *ctxt)
3852 {
3853 /* emulating clflush regardless of cpuid */
3854 return X86EMUL_CONTINUE;
3855 }
3856
3857 static int em_movsxd(struct x86_emulate_ctxt *ctxt)
3858 {
3859 ctxt->dst.val = (s32) ctxt->src.val;
3860 return X86EMUL_CONTINUE;
3861 }
3862
3863 static bool valid_cr(int nr)
3864 {
3865 switch (nr) {
3866 case 0:
3867 case 2 ... 4:
3868 case 8:
3869 return true;
3870 default:
3871 return false;
3872 }
3873 }
3874
3875 static int check_cr_read(struct x86_emulate_ctxt *ctxt)
3876 {
3877 if (!valid_cr(ctxt->modrm_reg))
3878 return emulate_ud(ctxt);
3879
3880 return X86EMUL_CONTINUE;
3881 }
3882
3883 static int check_cr_write(struct x86_emulate_ctxt *ctxt)
3884 {
3885 u64 new_val = ctxt->src.val64;
3886 int cr = ctxt->modrm_reg;
3887 u64 efer = 0;
3888
3889 static u64 cr_reserved_bits[] = {
3890 0xffffffff00000000ULL,
3891 0, 0, 0, /* CR3 checked later */
3892 CR4_RESERVED_BITS,
3893 0, 0, 0,
3894 CR8_RESERVED_BITS,
3895 };
3896
3897 if (!valid_cr(cr))
3898 return emulate_ud(ctxt);
3899
3900 if (new_val & cr_reserved_bits[cr])
3901 return emulate_gp(ctxt, 0);
3902
3903 switch (cr) {
3904 case 0: {
3905 u64 cr4;
3906 if (((new_val & X86_CR0_PG) && !(new_val & X86_CR0_PE)) ||
3907 ((new_val & X86_CR0_NW) && !(new_val & X86_CR0_CD)))
3908 return emulate_gp(ctxt, 0);
3909
3910 cr4 = ctxt->ops->get_cr(ctxt, 4);
3911 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3912
3913 if ((new_val & X86_CR0_PG) && (efer & EFER_LME) &&
3914 !(cr4 & X86_CR4_PAE))
3915 return emulate_gp(ctxt, 0);
3916
3917 break;
3918 }
3919 case 3: {
3920 u64 rsvd = 0;
3921
3922 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3923 if (efer & EFER_LMA)
3924 rsvd = CR3_L_MODE_RESERVED_BITS & ~CR3_PCID_INVD;
3925
3926 if (new_val & rsvd)
3927 return emulate_gp(ctxt, 0);
3928
3929 break;
3930 }
3931 case 4: {
3932 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3933
3934 if ((efer & EFER_LMA) && !(new_val & X86_CR4_PAE))
3935 return emulate_gp(ctxt, 0);
3936
3937 break;
3938 }
3939 }
3940
3941 return X86EMUL_CONTINUE;
3942 }
3943
3944 static int check_dr7_gd(struct x86_emulate_ctxt *ctxt)
3945 {
3946 unsigned long dr7;
3947
3948 ctxt->ops->get_dr(ctxt, 7, &dr7);
3949
3950 /* Check if DR7.Global_Enable is set */
3951 return dr7 & (1 << 13);
3952 }
3953
3954 static int check_dr_read(struct x86_emulate_ctxt *ctxt)
3955 {
3956 int dr = ctxt->modrm_reg;
3957 u64 cr4;
3958
3959 if (dr > 7)
3960 return emulate_ud(ctxt);
3961
3962 cr4 = ctxt->ops->get_cr(ctxt, 4);
3963 if ((cr4 & X86_CR4_DE) && (dr == 4 || dr == 5))
3964 return emulate_ud(ctxt);
3965
3966 if (check_dr7_gd(ctxt)) {
3967 ulong dr6;
3968
3969 ctxt->ops->get_dr(ctxt, 6, &dr6);
3970 dr6 &= ~15;
3971 dr6 |= DR6_BD | DR6_RTM;
3972 ctxt->ops->set_dr(ctxt, 6, dr6);
3973 return emulate_db(ctxt);
3974 }
3975
3976 return X86EMUL_CONTINUE;
3977 }
3978
3979 static int check_dr_write(struct x86_emulate_ctxt *ctxt)
3980 {
3981 u64 new_val = ctxt->src.val64;
3982 int dr = ctxt->modrm_reg;
3983
3984 if ((dr == 6 || dr == 7) && (new_val & 0xffffffff00000000ULL))
3985 return emulate_gp(ctxt, 0);
3986
3987 return check_dr_read(ctxt);
3988 }
3989
3990 static int check_svme(struct x86_emulate_ctxt *ctxt)
3991 {
3992 u64 efer;
3993
3994 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3995
3996 if (!(efer & EFER_SVME))
3997 return emulate_ud(ctxt);
3998
3999 return X86EMUL_CONTINUE;
4000 }
4001
4002 static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
4003 {
4004 u64 rax = reg_read(ctxt, VCPU_REGS_RAX);
4005
4006 /* Valid physical address? */
4007 if (rax & 0xffff000000000000ULL)
4008 return emulate_gp(ctxt, 0);
4009
4010 return check_svme(ctxt);
4011 }
4012
4013 static int check_rdtsc(struct x86_emulate_ctxt *ctxt)
4014 {
4015 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
4016
4017 if (cr4 & X86_CR4_TSD && ctxt->ops->cpl(ctxt))
4018 return emulate_ud(ctxt);
4019
4020 return X86EMUL_CONTINUE;
4021 }
4022
4023 static int check_rdpmc(struct x86_emulate_ctxt *ctxt)
4024 {
4025 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
4026 u64 rcx = reg_read(ctxt, VCPU_REGS_RCX);
4027
4028 if ((!(cr4 & X86_CR4_PCE) && ctxt->ops->cpl(ctxt)) ||
4029 ctxt->ops->check_pmc(ctxt, rcx))
4030 return emulate_gp(ctxt, 0);
4031
4032 return X86EMUL_CONTINUE;
4033 }
4034
4035 static int check_perm_in(struct x86_emulate_ctxt *ctxt)
4036 {
4037 ctxt->dst.bytes = min(ctxt->dst.bytes, 4u);
4038 if (!emulator_io_permited(ctxt, ctxt->src.val, ctxt->dst.bytes))
4039 return emulate_gp(ctxt, 0);
4040
4041 return X86EMUL_CONTINUE;
4042 }
4043
4044 static int check_perm_out(struct x86_emulate_ctxt *ctxt)
4045 {
4046 ctxt->src.bytes = min(ctxt->src.bytes, 4u);
4047 if (!emulator_io_permited(ctxt, ctxt->dst.val, ctxt->src.bytes))
4048 return emulate_gp(ctxt, 0);
4049
4050 return X86EMUL_CONTINUE;
4051 }
4052
4053 #define D(_y) { .flags = (_y) }
4054 #define DI(_y, _i) { .flags = (_y)|Intercept, .intercept = x86_intercept_##_i }
4055 #define DIP(_y, _i, _p) { .flags = (_y)|Intercept|CheckPerm, \
4056 .intercept = x86_intercept_##_i, .check_perm = (_p) }
4057 #define N D(NotImpl)
4058 #define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
4059 #define G(_f, _g) { .flags = ((_f) | Group | ModRM), .u.group = (_g) }
4060 #define GD(_f, _g) { .flags = ((_f) | GroupDual | ModRM), .u.gdual = (_g) }
4061 #define ID(_f, _i) { .flags = ((_f) | InstrDual | ModRM), .u.idual = (_i) }
4062 #define MD(_f, _m) { .flags = ((_f) | ModeDual), .u.mdual = (_m) }
4063 #define E(_f, _e) { .flags = ((_f) | Escape | ModRM), .u.esc = (_e) }
4064 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
4065 #define F(_f, _e) { .flags = (_f) | Fastop, .u.fastop = (_e) }
4066 #define II(_f, _e, _i) \
4067 { .flags = (_f)|Intercept, .u.execute = (_e), .intercept = x86_intercept_##_i }
4068 #define IIP(_f, _e, _i, _p) \
4069 { .flags = (_f)|Intercept|CheckPerm, .u.execute = (_e), \
4070 .intercept = x86_intercept_##_i, .check_perm = (_p) }
4071 #define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
4072
4073 #define D2bv(_f) D((_f) | ByteOp), D(_f)
4074 #define D2bvIP(_f, _i, _p) DIP((_f) | ByteOp, _i, _p), DIP(_f, _i, _p)
4075 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
4076 #define F2bv(_f, _e) F((_f) | ByteOp, _e), F(_f, _e)
4077 #define I2bvIP(_f, _e, _i, _p) \
4078 IIP((_f) | ByteOp, _e, _i, _p), IIP(_f, _e, _i, _p)
4079
4080 #define F6ALU(_f, _e) F2bv((_f) | DstMem | SrcReg | ModRM, _e), \
4081 F2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock, _e), \
4082 F2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)
4083
4084 static const struct opcode group7_rm0[] = {
4085 N,
4086 I(SrcNone | Priv | EmulateOnUD, em_hypercall),
4087 N, N, N, N, N, N,
4088 };
4089
4090 static const struct opcode group7_rm1[] = {
4091 DI(SrcNone | Priv, monitor),
4092 DI(SrcNone | Priv, mwait),
4093 N, N, N, N, N, N,
4094 };
4095
4096 static const struct opcode group7_rm3[] = {
4097 DIP(SrcNone | Prot | Priv, vmrun, check_svme_pa),
4098 II(SrcNone | Prot | EmulateOnUD, em_hypercall, vmmcall),
4099 DIP(SrcNone | Prot | Priv, vmload, check_svme_pa),
4100 DIP(SrcNone | Prot | Priv, vmsave, check_svme_pa),
4101 DIP(SrcNone | Prot | Priv, stgi, check_svme),
4102 DIP(SrcNone | Prot | Priv, clgi, check_svme),
4103 DIP(SrcNone | Prot | Priv, skinit, check_svme),
4104 DIP(SrcNone | Prot | Priv, invlpga, check_svme),
4105 };
4106
4107 static const struct opcode group7_rm7[] = {
4108 N,
4109 DIP(SrcNone, rdtscp, check_rdtsc),
4110 N, N, N, N, N, N,
4111 };
4112
4113 static const struct opcode group1[] = {
4114 F(Lock, em_add),
4115 F(Lock | PageTable, em_or),
4116 F(Lock, em_adc),
4117 F(Lock, em_sbb),
4118 F(Lock | PageTable, em_and),
4119 F(Lock, em_sub),
4120 F(Lock, em_xor),
4121 F(NoWrite, em_cmp),
4122 };
4123
4124 static const struct opcode group1A[] = {
4125 I(DstMem | SrcNone | Mov | Stack | IncSP, em_pop), N, N, N, N, N, N, N,
4126 };
4127
4128 static const struct opcode group2[] = {
4129 F(DstMem | ModRM, em_rol),
4130 F(DstMem | ModRM, em_ror),
4131 F(DstMem | ModRM, em_rcl),
4132 F(DstMem | ModRM, em_rcr),
4133 F(DstMem | ModRM, em_shl),
4134 F(DstMem | ModRM, em_shr),
4135 F(DstMem | ModRM, em_shl),
4136 F(DstMem | ModRM, em_sar),
4137 };
4138
4139 static const struct opcode group3[] = {
4140 F(DstMem | SrcImm | NoWrite, em_test),
4141 F(DstMem | SrcImm | NoWrite, em_test),
4142 F(DstMem | SrcNone | Lock, em_not),
4143 F(DstMem | SrcNone | Lock, em_neg),
4144 F(DstXacc | Src2Mem, em_mul_ex),
4145 F(DstXacc | Src2Mem, em_imul_ex),
4146 F(DstXacc | Src2Mem, em_div_ex),
4147 F(DstXacc | Src2Mem, em_idiv_ex),
4148 };
4149
4150 static const struct opcode group4[] = {
4151 F(ByteOp | DstMem | SrcNone | Lock, em_inc),
4152 F(ByteOp | DstMem | SrcNone | Lock, em_dec),
4153 N, N, N, N, N, N,
4154 };
4155
4156 static const struct opcode group5[] = {
4157 F(DstMem | SrcNone | Lock, em_inc),
4158 F(DstMem | SrcNone | Lock, em_dec),
4159 I(SrcMem | NearBranch, em_call_near_abs),
4160 I(SrcMemFAddr | ImplicitOps, em_call_far),
4161 I(SrcMem | NearBranch, em_jmp_abs),
4162 I(SrcMemFAddr | ImplicitOps, em_jmp_far),
4163 I(SrcMem | Stack, em_push), D(Undefined),
4164 };
4165
4166 static const struct opcode group6[] = {
4167 DI(Prot | DstMem, sldt),
4168 DI(Prot | DstMem, str),
4169 II(Prot | Priv | SrcMem16, em_lldt, lldt),
4170 II(Prot | Priv | SrcMem16, em_ltr, ltr),
4171 N, N, N, N,
4172 };
4173
4174 static const struct group_dual group7 = { {
4175 II(Mov | DstMem, em_sgdt, sgdt),
4176 II(Mov | DstMem, em_sidt, sidt),
4177 II(SrcMem | Priv, em_lgdt, lgdt),
4178 II(SrcMem | Priv, em_lidt, lidt),
4179 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
4180 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
4181 II(SrcMem | ByteOp | Priv | NoAccess, em_invlpg, invlpg),
4182 }, {
4183 EXT(0, group7_rm0),
4184 EXT(0, group7_rm1),
4185 N, EXT(0, group7_rm3),
4186 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
4187 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
4188 EXT(0, group7_rm7),
4189 } };
4190
4191 static const struct opcode group8[] = {
4192 N, N, N, N,
4193 F(DstMem | SrcImmByte | NoWrite, em_bt),
4194 F(DstMem | SrcImmByte | Lock | PageTable, em_bts),
4195 F(DstMem | SrcImmByte | Lock, em_btr),
4196 F(DstMem | SrcImmByte | Lock | PageTable, em_btc),
4197 };
4198
4199 static const struct group_dual group9 = { {
4200 N, I(DstMem64 | Lock | PageTable, em_cmpxchg8b), N, N, N, N, N, N,
4201 }, {
4202 N, N, N, N, N, N, N, N,
4203 } };
4204
4205 static const struct opcode group11[] = {
4206 I(DstMem | SrcImm | Mov | PageTable, em_mov),
4207 X7(D(Undefined)),
4208 };
4209
4210 static const struct gprefix pfx_0f_ae_7 = {
4211 I(SrcMem | ByteOp, em_clflush), N, N, N,
4212 };
4213
4214 static const struct group_dual group15 = { {
4215 N, N, N, N, N, N, N, GP(0, &pfx_0f_ae_7),
4216 }, {
4217 N, N, N, N, N, N, N, N,
4218 } };
4219
4220 static const struct gprefix pfx_0f_6f_0f_7f = {
4221 I(Mmx, em_mov), I(Sse | Aligned, em_mov), N, I(Sse | Unaligned, em_mov),
4222 };
4223
4224 static const struct instr_dual instr_dual_0f_2b = {
4225 I(0, em_mov), N
4226 };
4227
4228 static const struct gprefix pfx_0f_2b = {
4229 ID(0, &instr_dual_0f_2b), ID(0, &instr_dual_0f_2b), N, N,
4230 };
4231
4232 static const struct gprefix pfx_0f_28_0f_29 = {
4233 I(Aligned, em_mov), I(Aligned, em_mov), N, N,
4234 };
4235
4236 static const struct gprefix pfx_0f_e7 = {
4237 N, I(Sse, em_mov), N, N,
4238 };
4239
4240 static const struct escape escape_d9 = { {
4241 N, N, N, N, N, N, N, I(DstMem16 | Mov, em_fnstcw),
4242 }, {
4243 /* 0xC0 - 0xC7 */
4244 N, N, N, N, N, N, N, N,
4245 /* 0xC8 - 0xCF */
4246 N, N, N, N, N, N, N, N,
4247 /* 0xD0 - 0xC7 */
4248 N, N, N, N, N, N, N, N,
4249 /* 0xD8 - 0xDF */
4250 N, N, N, N, N, N, N, N,
4251 /* 0xE0 - 0xE7 */
4252 N, N, N, N, N, N, N, N,
4253 /* 0xE8 - 0xEF */
4254 N, N, N, N, N, N, N, N,
4255 /* 0xF0 - 0xF7 */
4256 N, N, N, N, N, N, N, N,
4257 /* 0xF8 - 0xFF */
4258 N, N, N, N, N, N, N, N,
4259 } };
4260
4261 static const struct escape escape_db = { {
4262 N, N, N, N, N, N, N, N,
4263 }, {
4264 /* 0xC0 - 0xC7 */
4265 N, N, N, N, N, N, N, N,
4266 /* 0xC8 - 0xCF */
4267 N, N, N, N, N, N, N, N,
4268 /* 0xD0 - 0xC7 */
4269 N, N, N, N, N, N, N, N,
4270 /* 0xD8 - 0xDF */
4271 N, N, N, N, N, N, N, N,
4272 /* 0xE0 - 0xE7 */
4273 N, N, N, I(ImplicitOps, em_fninit), N, N, N, N,
4274 /* 0xE8 - 0xEF */
4275 N, N, N, N, N, N, N, N,
4276 /* 0xF0 - 0xF7 */
4277 N, N, N, N, N, N, N, N,
4278 /* 0xF8 - 0xFF */
4279 N, N, N, N, N, N, N, N,
4280 } };
4281
4282 static const struct escape escape_dd = { {
4283 N, N, N, N, N, N, N, I(DstMem16 | Mov, em_fnstsw),
4284 }, {
4285 /* 0xC0 - 0xC7 */
4286 N, N, N, N, N, N, N, N,
4287 /* 0xC8 - 0xCF */
4288 N, N, N, N, N, N, N, N,
4289 /* 0xD0 - 0xC7 */
4290 N, N, N, N, N, N, N, N,
4291 /* 0xD8 - 0xDF */
4292 N, N, N, N, N, N, N, N,
4293 /* 0xE0 - 0xE7 */
4294 N, N, N, N, N, N, N, N,
4295 /* 0xE8 - 0xEF */
4296 N, N, N, N, N, N, N, N,
4297 /* 0xF0 - 0xF7 */
4298 N, N, N, N, N, N, N, N,
4299 /* 0xF8 - 0xFF */
4300 N, N, N, N, N, N, N, N,
4301 } };
4302
4303 static const struct instr_dual instr_dual_0f_c3 = {
4304 I(DstMem | SrcReg | ModRM | No16 | Mov, em_mov), N
4305 };
4306
4307 static const struct mode_dual mode_dual_63 = {
4308 N, I(DstReg | SrcMem32 | ModRM | Mov, em_movsxd)
4309 };
4310
4311 static const struct opcode opcode_table[256] = {
4312 /* 0x00 - 0x07 */
4313 F6ALU(Lock, em_add),
4314 I(ImplicitOps | Stack | No64 | Src2ES, em_push_sreg),
4315 I(ImplicitOps | Stack | No64 | Src2ES, em_pop_sreg),
4316 /* 0x08 - 0x0F */
4317 F6ALU(Lock | PageTable, em_or),
4318 I(ImplicitOps | Stack | No64 | Src2CS, em_push_sreg),
4319 N,
4320 /* 0x10 - 0x17 */
4321 F6ALU(Lock, em_adc),
4322 I(ImplicitOps | Stack | No64 | Src2SS, em_push_sreg),
4323 I(ImplicitOps | Stack | No64 | Src2SS, em_pop_sreg),
4324 /* 0x18 - 0x1F */
4325 F6ALU(Lock, em_sbb),
4326 I(ImplicitOps | Stack | No64 | Src2DS, em_push_sreg),
4327 I(ImplicitOps | Stack | No64 | Src2DS, em_pop_sreg),
4328 /* 0x20 - 0x27 */
4329 F6ALU(Lock | PageTable, em_and), N, N,
4330 /* 0x28 - 0x2F */
4331 F6ALU(Lock, em_sub), N, I(ByteOp | DstAcc | No64, em_das),
4332 /* 0x30 - 0x37 */
4333 F6ALU(Lock, em_xor), N, N,
4334 /* 0x38 - 0x3F */
4335 F6ALU(NoWrite, em_cmp), N, N,
4336 /* 0x40 - 0x4F */
4337 X8(F(DstReg, em_inc)), X8(F(DstReg, em_dec)),
4338 /* 0x50 - 0x57 */
4339 X8(I(SrcReg | Stack, em_push)),
4340 /* 0x58 - 0x5F */
4341 X8(I(DstReg | Stack, em_pop)),
4342 /* 0x60 - 0x67 */
4343 I(ImplicitOps | Stack | No64, em_pusha),
4344 I(ImplicitOps | Stack | No64, em_popa),
4345 N, MD(ModRM, &mode_dual_63),
4346 N, N, N, N,
4347 /* 0x68 - 0x6F */
4348 I(SrcImm | Mov | Stack, em_push),
4349 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
4350 I(SrcImmByte | Mov | Stack, em_push),
4351 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
4352 I2bvIP(DstDI | SrcDX | Mov | String | Unaligned, em_in, ins, check_perm_in), /* insb, insw/insd */
4353 I2bvIP(SrcSI | DstDX | String, em_out, outs, check_perm_out), /* outsb, outsw/outsd */
4354 /* 0x70 - 0x7F */
4355 X16(D(SrcImmByte | NearBranch)),
4356 /* 0x80 - 0x87 */
4357 G(ByteOp | DstMem | SrcImm, group1),
4358 G(DstMem | SrcImm, group1),
4359 G(ByteOp | DstMem | SrcImm | No64, group1),
4360 G(DstMem | SrcImmByte, group1),
4361 F2bv(DstMem | SrcReg | ModRM | NoWrite, em_test),
4362 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_xchg),
4363 /* 0x88 - 0x8F */
4364 I2bv(DstMem | SrcReg | ModRM | Mov | PageTable, em_mov),
4365 I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
4366 I(DstMem | SrcNone | ModRM | Mov | PageTable, em_mov_rm_sreg),
4367 D(ModRM | SrcMem | NoAccess | DstReg),
4368 I(ImplicitOps | SrcMem16 | ModRM, em_mov_sreg_rm),
4369 G(0, group1A),
4370 /* 0x90 - 0x97 */
4371 DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)),
4372 /* 0x98 - 0x9F */
4373 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
4374 I(SrcImmFAddr | No64, em_call_far), N,
4375 II(ImplicitOps | Stack, em_pushf, pushf),
4376 II(ImplicitOps | Stack, em_popf, popf),
4377 I(ImplicitOps, em_sahf), I(ImplicitOps, em_lahf),
4378 /* 0xA0 - 0xA7 */
4379 I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
4380 I2bv(DstMem | SrcAcc | Mov | MemAbs | PageTable, em_mov),
4381 I2bv(SrcSI | DstDI | Mov | String, em_mov),
4382 F2bv(SrcSI | DstDI | String | NoWrite, em_cmp_r),
4383 /* 0xA8 - 0xAF */
4384 F2bv(DstAcc | SrcImm | NoWrite, em_test),
4385 I2bv(SrcAcc | DstDI | Mov | String, em_mov),
4386 I2bv(SrcSI | DstAcc | Mov | String, em_mov),
4387 F2bv(SrcAcc | DstDI | String | NoWrite, em_cmp_r),
4388 /* 0xB0 - 0xB7 */
4389 X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
4390 /* 0xB8 - 0xBF */
4391 X8(I(DstReg | SrcImm64 | Mov, em_mov)),
4392 /* 0xC0 - 0xC7 */
4393 G(ByteOp | Src2ImmByte, group2), G(Src2ImmByte, group2),
4394 I(ImplicitOps | NearBranch | SrcImmU16, em_ret_near_imm),
4395 I(ImplicitOps | NearBranch, em_ret),
4396 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2ES, em_lseg),
4397 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2DS, em_lseg),
4398 G(ByteOp, group11), G(0, group11),
4399 /* 0xC8 - 0xCF */
4400 I(Stack | SrcImmU16 | Src2ImmByte, em_enter), I(Stack, em_leave),
4401 I(ImplicitOps | SrcImmU16, em_ret_far_imm),
4402 I(ImplicitOps, em_ret_far),
4403 D(ImplicitOps), DI(SrcImmByte, intn),
4404 D(ImplicitOps | No64), II(ImplicitOps, em_iret, iret),
4405 /* 0xD0 - 0xD7 */
4406 G(Src2One | ByteOp, group2), G(Src2One, group2),
4407 G(Src2CL | ByteOp, group2), G(Src2CL, group2),
4408 I(DstAcc | SrcImmUByte | No64, em_aam),
4409 I(DstAcc | SrcImmUByte | No64, em_aad),
4410 F(DstAcc | ByteOp | No64, em_salc),
4411 I(DstAcc | SrcXLat | ByteOp, em_mov),
4412 /* 0xD8 - 0xDF */
4413 N, E(0, &escape_d9), N, E(0, &escape_db), N, E(0, &escape_dd), N, N,
4414 /* 0xE0 - 0xE7 */
4415 X3(I(SrcImmByte | NearBranch, em_loop)),
4416 I(SrcImmByte | NearBranch, em_jcxz),
4417 I2bvIP(SrcImmUByte | DstAcc, em_in, in, check_perm_in),
4418 I2bvIP(SrcAcc | DstImmUByte, em_out, out, check_perm_out),
4419 /* 0xE8 - 0xEF */
4420 I(SrcImm | NearBranch, em_call), D(SrcImm | ImplicitOps | NearBranch),
4421 I(SrcImmFAddr | No64, em_jmp_far),
4422 D(SrcImmByte | ImplicitOps | NearBranch),
4423 I2bvIP(SrcDX | DstAcc, em_in, in, check_perm_in),
4424 I2bvIP(SrcAcc | DstDX, em_out, out, check_perm_out),
4425 /* 0xF0 - 0xF7 */
4426 N, DI(ImplicitOps, icebp), N, N,
4427 DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
4428 G(ByteOp, group3), G(0, group3),
4429 /* 0xF8 - 0xFF */
4430 D(ImplicitOps), D(ImplicitOps),
4431 I(ImplicitOps, em_cli), I(ImplicitOps, em_sti),
4432 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
4433 };
4434
4435 static const struct opcode twobyte_table[256] = {
4436 /* 0x00 - 0x0F */
4437 G(0, group6), GD(0, &group7), N, N,
4438 N, I(ImplicitOps | EmulateOnUD, em_syscall),
4439 II(ImplicitOps | Priv, em_clts, clts), N,
4440 DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
4441 N, D(ImplicitOps | ModRM | SrcMem | NoAccess), N, N,
4442 /* 0x10 - 0x1F */
4443 N, N, N, N, N, N, N, N,
4444 D(ImplicitOps | ModRM | SrcMem | NoAccess),
4445 N, N, N, N, N, N, D(ImplicitOps | ModRM | SrcMem | NoAccess),
4446 /* 0x20 - 0x2F */
4447 DIP(ModRM | DstMem | Priv | Op3264 | NoMod, cr_read, check_cr_read),
4448 DIP(ModRM | DstMem | Priv | Op3264 | NoMod, dr_read, check_dr_read),
4449 IIP(ModRM | SrcMem | Priv | Op3264 | NoMod, em_cr_write, cr_write,
4450 check_cr_write),
4451 IIP(ModRM | SrcMem | Priv | Op3264 | NoMod, em_dr_write, dr_write,
4452 check_dr_write),
4453 N, N, N, N,
4454 GP(ModRM | DstReg | SrcMem | Mov | Sse, &pfx_0f_28_0f_29),
4455 GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_28_0f_29),
4456 N, GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_2b),
4457 N, N, N, N,
4458 /* 0x30 - 0x3F */
4459 II(ImplicitOps | Priv, em_wrmsr, wrmsr),
4460 IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
4461 II(ImplicitOps | Priv, em_rdmsr, rdmsr),
4462 IIP(ImplicitOps, em_rdpmc, rdpmc, check_rdpmc),
4463 I(ImplicitOps | EmulateOnUD, em_sysenter),
4464 I(ImplicitOps | Priv | EmulateOnUD, em_sysexit),
4465 N, N,
4466 N, N, N, N, N, N, N, N,
4467 /* 0x40 - 0x4F */
4468 X16(D(DstReg | SrcMem | ModRM)),
4469 /* 0x50 - 0x5F */
4470 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4471 /* 0x60 - 0x6F */
4472 N, N, N, N,
4473 N, N, N, N,
4474 N, N, N, N,
4475 N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
4476 /* 0x70 - 0x7F */
4477 N, N, N, N,
4478 N, N, N, N,
4479 N, N, N, N,
4480 N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
4481 /* 0x80 - 0x8F */
4482 X16(D(SrcImm | NearBranch)),
4483 /* 0x90 - 0x9F */
4484 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
4485 /* 0xA0 - 0xA7 */
4486 I(Stack | Src2FS, em_push_sreg), I(Stack | Src2FS, em_pop_sreg),
4487 II(ImplicitOps, em_cpuid, cpuid),
4488 F(DstMem | SrcReg | ModRM | BitOp | NoWrite, em_bt),
4489 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shld),
4490 F(DstMem | SrcReg | Src2CL | ModRM, em_shld), N, N,
4491 /* 0xA8 - 0xAF */
4492 I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg),
4493 II(EmulateOnUD | ImplicitOps, em_rsm, rsm),
4494 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
4495 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd),
4496 F(DstMem | SrcReg | Src2CL | ModRM, em_shrd),
4497 GD(0, &group15), F(DstReg | SrcMem | ModRM, em_imul),
4498 /* 0xB0 - 0xB7 */
4499 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable | SrcWrite, em_cmpxchg),
4500 I(DstReg | SrcMemFAddr | ModRM | Src2SS, em_lseg),
4501 F(DstMem | SrcReg | ModRM | BitOp | Lock, em_btr),
4502 I(DstReg | SrcMemFAddr | ModRM | Src2FS, em_lseg),
4503 I(DstReg | SrcMemFAddr | ModRM | Src2GS, em_lseg),
4504 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4505 /* 0xB8 - 0xBF */
4506 N, N,
4507 G(BitOp, group8),
4508 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_btc),
4509 I(DstReg | SrcMem | ModRM, em_bsf_c),
4510 I(DstReg | SrcMem | ModRM, em_bsr_c),
4511 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4512 /* 0xC0 - 0xC7 */
4513 F2bv(DstMem | SrcReg | ModRM | SrcWrite | Lock, em_xadd),
4514 N, ID(0, &instr_dual_0f_c3),
4515 N, N, N, GD(0, &group9),
4516 /* 0xC8 - 0xCF */
4517 X8(I(DstReg, em_bswap)),
4518 /* 0xD0 - 0xDF */
4519 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4520 /* 0xE0 - 0xEF */
4521 N, N, N, N, N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_e7),
4522 N, N, N, N, N, N, N, N,
4523 /* 0xF0 - 0xFF */
4524 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
4525 };
4526
4527 static const struct instr_dual instr_dual_0f_38_f0 = {
4528 I(DstReg | SrcMem | Mov, em_movbe), N
4529 };
4530
4531 static const struct instr_dual instr_dual_0f_38_f1 = {
4532 I(DstMem | SrcReg | Mov, em_movbe), N
4533 };
4534
4535 static const struct gprefix three_byte_0f_38_f0 = {
4536 ID(0, &instr_dual_0f_38_f0), N, N, N
4537 };
4538
4539 static const struct gprefix three_byte_0f_38_f1 = {
4540 ID(0, &instr_dual_0f_38_f1), N, N, N
4541 };
4542
4543 /*
4544 * Insns below are selected by the prefix which indexed by the third opcode
4545 * byte.
4546 */
4547 static const struct opcode opcode_map_0f_38[256] = {
4548 /* 0x00 - 0x7f */
4549 X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
4550 /* 0x80 - 0xef */
4551 X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
4552 /* 0xf0 - 0xf1 */
4553 GP(EmulateOnUD | ModRM, &three_byte_0f_38_f0),
4554 GP(EmulateOnUD | ModRM, &three_byte_0f_38_f1),
4555 /* 0xf2 - 0xff */
4556 N, N, X4(N), X8(N)
4557 };
4558
4559 #undef D
4560 #undef N
4561 #undef G
4562 #undef GD
4563 #undef I
4564 #undef GP
4565 #undef EXT
4566 #undef MD
4567 #undef ID
4568
4569 #undef D2bv
4570 #undef D2bvIP
4571 #undef I2bv
4572 #undef I2bvIP
4573 #undef I6ALU
4574
4575 static unsigned imm_size(struct x86_emulate_ctxt *ctxt)
4576 {
4577 unsigned size;
4578
4579 size = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4580 if (size == 8)
4581 size = 4;
4582 return size;
4583 }
4584
4585 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
4586 unsigned size, bool sign_extension)
4587 {
4588 int rc = X86EMUL_CONTINUE;
4589
4590 op->type = OP_IMM;
4591 op->bytes = size;
4592 op->addr.mem.ea = ctxt->_eip;
4593 /* NB. Immediates are sign-extended as necessary. */
4594 switch (op->bytes) {
4595 case 1:
4596 op->val = insn_fetch(s8, ctxt);
4597 break;
4598 case 2:
4599 op->val = insn_fetch(s16, ctxt);
4600 break;
4601 case 4:
4602 op->val = insn_fetch(s32, ctxt);
4603 break;
4604 case 8:
4605 op->val = insn_fetch(s64, ctxt);
4606 break;
4607 }
4608 if (!sign_extension) {
4609 switch (op->bytes) {
4610 case 1:
4611 op->val &= 0xff;
4612 break;
4613 case 2:
4614 op->val &= 0xffff;
4615 break;
4616 case 4:
4617 op->val &= 0xffffffff;
4618 break;
4619 }
4620 }
4621 done:
4622 return rc;
4623 }
4624
4625 static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
4626 unsigned d)
4627 {
4628 int rc = X86EMUL_CONTINUE;
4629
4630 switch (d) {
4631 case OpReg:
4632 decode_register_operand(ctxt, op);
4633 break;
4634 case OpImmUByte:
4635 rc = decode_imm(ctxt, op, 1, false);
4636 break;
4637 case OpMem:
4638 ctxt->memop.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4639 mem_common:
4640 *op = ctxt->memop;
4641 ctxt->memopp = op;
4642 if (ctxt->d & BitOp)
4643 fetch_bit_operand(ctxt);
4644 op->orig_val = op->val;
4645 break;
4646 case OpMem64:
4647 ctxt->memop.bytes = (ctxt->op_bytes == 8) ? 16 : 8;
4648 goto mem_common;
4649 case OpAcc:
4650 op->type = OP_REG;
4651 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4652 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4653 fetch_register_operand(op);
4654 op->orig_val = op->val;
4655 break;
4656 case OpAccLo:
4657 op->type = OP_REG;
4658 op->bytes = (ctxt->d & ByteOp) ? 2 : ctxt->op_bytes;
4659 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4660 fetch_register_operand(op);
4661 op->orig_val = op->val;
4662 break;
4663 case OpAccHi:
4664 if (ctxt->d & ByteOp) {
4665 op->type = OP_NONE;
4666 break;
4667 }
4668 op->type = OP_REG;
4669 op->bytes = ctxt->op_bytes;
4670 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4671 fetch_register_operand(op);
4672 op->orig_val = op->val;
4673 break;
4674 case OpDI:
4675 op->type = OP_MEM;
4676 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4677 op->addr.mem.ea =
4678 register_address(ctxt, VCPU_REGS_RDI);
4679 op->addr.mem.seg = VCPU_SREG_ES;
4680 op->val = 0;
4681 op->count = 1;
4682 break;
4683 case OpDX:
4684 op->type = OP_REG;
4685 op->bytes = 2;
4686 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4687 fetch_register_operand(op);
4688 break;
4689 case OpCL:
4690 op->type = OP_IMM;
4691 op->bytes = 1;
4692 op->val = reg_read(ctxt, VCPU_REGS_RCX) & 0xff;
4693 break;
4694 case OpImmByte:
4695 rc = decode_imm(ctxt, op, 1, true);
4696 break;
4697 case OpOne:
4698 op->type = OP_IMM;
4699 op->bytes = 1;
4700 op->val = 1;
4701 break;
4702 case OpImm:
4703 rc = decode_imm(ctxt, op, imm_size(ctxt), true);
4704 break;
4705 case OpImm64:
4706 rc = decode_imm(ctxt, op, ctxt->op_bytes, true);
4707 break;
4708 case OpMem8:
4709 ctxt->memop.bytes = 1;
4710 if (ctxt->memop.type == OP_REG) {
4711 ctxt->memop.addr.reg = decode_register(ctxt,
4712 ctxt->modrm_rm, true);
4713 fetch_register_operand(&ctxt->memop);
4714 }
4715 goto mem_common;
4716 case OpMem16:
4717 ctxt->memop.bytes = 2;
4718 goto mem_common;
4719 case OpMem32:
4720 ctxt->memop.bytes = 4;
4721 goto mem_common;
4722 case OpImmU16:
4723 rc = decode_imm(ctxt, op, 2, false);
4724 break;
4725 case OpImmU:
4726 rc = decode_imm(ctxt, op, imm_size(ctxt), false);
4727 break;
4728 case OpSI:
4729 op->type = OP_MEM;
4730 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4731 op->addr.mem.ea =
4732 register_address(ctxt, VCPU_REGS_RSI);
4733 op->addr.mem.seg = ctxt->seg_override;
4734 op->val = 0;
4735 op->count = 1;
4736 break;
4737 case OpXLat:
4738 op->type = OP_MEM;
4739 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4740 op->addr.mem.ea =
4741 address_mask(ctxt,
4742 reg_read(ctxt, VCPU_REGS_RBX) +
4743 (reg_read(ctxt, VCPU_REGS_RAX) & 0xff));
4744 op->addr.mem.seg = ctxt->seg_override;
4745 op->val = 0;
4746 break;
4747 case OpImmFAddr:
4748 op->type = OP_IMM;
4749 op->addr.mem.ea = ctxt->_eip;
4750 op->bytes = ctxt->op_bytes + 2;
4751 insn_fetch_arr(op->valptr, op->bytes, ctxt);
4752 break;
4753 case OpMemFAddr:
4754 ctxt->memop.bytes = ctxt->op_bytes + 2;
4755 goto mem_common;
4756 case OpES:
4757 op->type = OP_IMM;
4758 op->val = VCPU_SREG_ES;
4759 break;
4760 case OpCS:
4761 op->type = OP_IMM;
4762 op->val = VCPU_SREG_CS;
4763 break;
4764 case OpSS:
4765 op->type = OP_IMM;
4766 op->val = VCPU_SREG_SS;
4767 break;
4768 case OpDS:
4769 op->type = OP_IMM;
4770 op->val = VCPU_SREG_DS;
4771 break;
4772 case OpFS:
4773 op->type = OP_IMM;
4774 op->val = VCPU_SREG_FS;
4775 break;
4776 case OpGS:
4777 op->type = OP_IMM;
4778 op->val = VCPU_SREG_GS;
4779 break;
4780 case OpImplicit:
4781 /* Special instructions do their own operand decoding. */
4782 default:
4783 op->type = OP_NONE; /* Disable writeback. */
4784 break;
4785 }
4786
4787 done:
4788 return rc;
4789 }
4790
4791 int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
4792 {
4793 int rc = X86EMUL_CONTINUE;
4794 int mode = ctxt->mode;
4795 int def_op_bytes, def_ad_bytes, goffset, simd_prefix;
4796 bool op_prefix = false;
4797 bool has_seg_override = false;
4798 struct opcode opcode;
4799
4800 ctxt->memop.type = OP_NONE;
4801 ctxt->memopp = NULL;
4802 ctxt->_eip = ctxt->eip;
4803 ctxt->fetch.ptr = ctxt->fetch.data;
4804 ctxt->fetch.end = ctxt->fetch.data + insn_len;
4805 ctxt->opcode_len = 1;
4806 if (insn_len > 0)
4807 memcpy(ctxt->fetch.data, insn, insn_len);
4808 else {
4809 rc = __do_insn_fetch_bytes(ctxt, 1);
4810 if (rc != X86EMUL_CONTINUE)
4811 return rc;
4812 }
4813
4814 switch (mode) {
4815 case X86EMUL_MODE_REAL:
4816 case X86EMUL_MODE_VM86:
4817 case X86EMUL_MODE_PROT16:
4818 def_op_bytes = def_ad_bytes = 2;
4819 break;
4820 case X86EMUL_MODE_PROT32:
4821 def_op_bytes = def_ad_bytes = 4;
4822 break;
4823 #ifdef CONFIG_X86_64
4824 case X86EMUL_MODE_PROT64:
4825 def_op_bytes = 4;
4826 def_ad_bytes = 8;
4827 break;
4828 #endif
4829 default:
4830 return EMULATION_FAILED;
4831 }
4832
4833 ctxt->op_bytes = def_op_bytes;
4834 ctxt->ad_bytes = def_ad_bytes;
4835
4836 /* Legacy prefixes. */
4837 for (;;) {
4838 switch (ctxt->b = insn_fetch(u8, ctxt)) {
4839 case 0x66: /* operand-size override */
4840 op_prefix = true;
4841 /* switch between 2/4 bytes */
4842 ctxt->op_bytes = def_op_bytes ^ 6;
4843 break;
4844 case 0x67: /* address-size override */
4845 if (mode == X86EMUL_MODE_PROT64)
4846 /* switch between 4/8 bytes */
4847 ctxt->ad_bytes = def_ad_bytes ^ 12;
4848 else
4849 /* switch between 2/4 bytes */
4850 ctxt->ad_bytes = def_ad_bytes ^ 6;
4851 break;
4852 case 0x26: /* ES override */
4853 case 0x2e: /* CS override */
4854 case 0x36: /* SS override */
4855 case 0x3e: /* DS override */
4856 has_seg_override = true;
4857 ctxt->seg_override = (ctxt->b >> 3) & 3;
4858 break;
4859 case 0x64: /* FS override */
4860 case 0x65: /* GS override */
4861 has_seg_override = true;
4862 ctxt->seg_override = ctxt->b & 7;
4863 break;
4864 case 0x40 ... 0x4f: /* REX */
4865 if (mode != X86EMUL_MODE_PROT64)
4866 goto done_prefixes;
4867 ctxt->rex_prefix = ctxt->b;
4868 continue;
4869 case 0xf0: /* LOCK */
4870 ctxt->lock_prefix = 1;
4871 break;
4872 case 0xf2: /* REPNE/REPNZ */
4873 case 0xf3: /* REP/REPE/REPZ */
4874 ctxt->rep_prefix = ctxt->b;
4875 break;
4876 default:
4877 goto done_prefixes;
4878 }
4879
4880 /* Any legacy prefix after a REX prefix nullifies its effect. */
4881
4882 ctxt->rex_prefix = 0;
4883 }
4884
4885 done_prefixes:
4886
4887 /* REX prefix. */
4888 if (ctxt->rex_prefix & 8)
4889 ctxt->op_bytes = 8; /* REX.W */
4890
4891 /* Opcode byte(s). */
4892 opcode = opcode_table[ctxt->b];
4893 /* Two-byte opcode? */
4894 if (ctxt->b == 0x0f) {
4895 ctxt->opcode_len = 2;
4896 ctxt->b = insn_fetch(u8, ctxt);
4897 opcode = twobyte_table[ctxt->b];
4898
4899 /* 0F_38 opcode map */
4900 if (ctxt->b == 0x38) {
4901 ctxt->opcode_len = 3;
4902 ctxt->b = insn_fetch(u8, ctxt);
4903 opcode = opcode_map_0f_38[ctxt->b];
4904 }
4905 }
4906 ctxt->d = opcode.flags;
4907
4908 if (ctxt->d & ModRM)
4909 ctxt->modrm = insn_fetch(u8, ctxt);
4910
4911 /* vex-prefix instructions are not implemented */
4912 if (ctxt->opcode_len == 1 && (ctxt->b == 0xc5 || ctxt->b == 0xc4) &&
4913 (mode == X86EMUL_MODE_PROT64 || (ctxt->modrm & 0xc0) == 0xc0)) {
4914 ctxt->d = NotImpl;
4915 }
4916
4917 while (ctxt->d & GroupMask) {
4918 switch (ctxt->d & GroupMask) {
4919 case Group:
4920 goffset = (ctxt->modrm >> 3) & 7;
4921 opcode = opcode.u.group[goffset];
4922 break;
4923 case GroupDual:
4924 goffset = (ctxt->modrm >> 3) & 7;
4925 if ((ctxt->modrm >> 6) == 3)
4926 opcode = opcode.u.gdual->mod3[goffset];
4927 else
4928 opcode = opcode.u.gdual->mod012[goffset];
4929 break;
4930 case RMExt:
4931 goffset = ctxt->modrm & 7;
4932 opcode = opcode.u.group[goffset];
4933 break;
4934 case Prefix:
4935 if (ctxt->rep_prefix && op_prefix)
4936 return EMULATION_FAILED;
4937 simd_prefix = op_prefix ? 0x66 : ctxt->rep_prefix;
4938 switch (simd_prefix) {
4939 case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
4940 case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
4941 case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
4942 case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
4943 }
4944 break;
4945 case Escape:
4946 if (ctxt->modrm > 0xbf)
4947 opcode = opcode.u.esc->high[ctxt->modrm - 0xc0];
4948 else
4949 opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7];
4950 break;
4951 case InstrDual:
4952 if ((ctxt->modrm >> 6) == 3)
4953 opcode = opcode.u.idual->mod3;
4954 else
4955 opcode = opcode.u.idual->mod012;
4956 break;
4957 case ModeDual:
4958 if (ctxt->mode == X86EMUL_MODE_PROT64)
4959 opcode = opcode.u.mdual->mode64;
4960 else
4961 opcode = opcode.u.mdual->mode32;
4962 break;
4963 default:
4964 return EMULATION_FAILED;
4965 }
4966
4967 ctxt->d &= ~(u64)GroupMask;
4968 ctxt->d |= opcode.flags;
4969 }
4970
4971 /* Unrecognised? */
4972 if (ctxt->d == 0)
4973 return EMULATION_FAILED;
4974
4975 ctxt->execute = opcode.u.execute;
4976
4977 if (unlikely(ctxt->ud) && likely(!(ctxt->d & EmulateOnUD)))
4978 return EMULATION_FAILED;
4979
4980 if (unlikely(ctxt->d &
4981 (NotImpl|Stack|Op3264|Sse|Mmx|Intercept|CheckPerm|NearBranch|
4982 No16))) {
4983 /*
4984 * These are copied unconditionally here, and checked unconditionally
4985 * in x86_emulate_insn.
4986 */
4987 ctxt->check_perm = opcode.check_perm;
4988 ctxt->intercept = opcode.intercept;
4989
4990 if (ctxt->d & NotImpl)
4991 return EMULATION_FAILED;
4992
4993 if (mode == X86EMUL_MODE_PROT64) {
4994 if (ctxt->op_bytes == 4 && (ctxt->d & Stack))
4995 ctxt->op_bytes = 8;
4996 else if (ctxt->d & NearBranch)
4997 ctxt->op_bytes = 8;
4998 }
4999
5000 if (ctxt->d & Op3264) {
5001 if (mode == X86EMUL_MODE_PROT64)
5002 ctxt->op_bytes = 8;
5003 else
5004 ctxt->op_bytes = 4;
5005 }
5006
5007 if ((ctxt->d & No16) && ctxt->op_bytes == 2)
5008 ctxt->op_bytes = 4;
5009
5010 if (ctxt->d & Sse)
5011 ctxt->op_bytes = 16;
5012 else if (ctxt->d & Mmx)
5013 ctxt->op_bytes = 8;
5014 }
5015
5016 /* ModRM and SIB bytes. */
5017 if (ctxt->d & ModRM) {
5018 rc = decode_modrm(ctxt, &ctxt->memop);
5019 if (!has_seg_override) {
5020 has_seg_override = true;
5021 ctxt->seg_override = ctxt->modrm_seg;
5022 }
5023 } else if (ctxt->d & MemAbs)
5024 rc = decode_abs(ctxt, &ctxt->memop);
5025 if (rc != X86EMUL_CONTINUE)
5026 goto done;
5027
5028 if (!has_seg_override)
5029 ctxt->seg_override = VCPU_SREG_DS;
5030
5031 ctxt->memop.addr.mem.seg = ctxt->seg_override;
5032
5033 /*
5034 * Decode and fetch the source operand: register, memory
5035 * or immediate.
5036 */
5037 rc = decode_operand(ctxt, &ctxt->src, (ctxt->d >> SrcShift) & OpMask);
5038 if (rc != X86EMUL_CONTINUE)
5039 goto done;
5040
5041 /*
5042 * Decode and fetch the second source operand: register, memory
5043 * or immediate.
5044 */
5045 rc = decode_operand(ctxt, &ctxt->src2, (ctxt->d >> Src2Shift) & OpMask);
5046 if (rc != X86EMUL_CONTINUE)
5047 goto done;
5048
5049 /* Decode and fetch the destination operand: register or memory. */
5050 rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
5051
5052 if (ctxt->rip_relative && likely(ctxt->memopp))
5053 ctxt->memopp->addr.mem.ea = address_mask(ctxt,
5054 ctxt->memopp->addr.mem.ea + ctxt->_eip);
5055
5056 done:
5057 return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
5058 }
5059
5060 bool x86_page_table_writing_insn(struct x86_emulate_ctxt *ctxt)
5061 {
5062 return ctxt->d & PageTable;
5063 }
5064
5065 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
5066 {
5067 /* The second termination condition only applies for REPE
5068 * and REPNE. Test if the repeat string operation prefix is
5069 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
5070 * corresponding termination condition according to:
5071 * - if REPE/REPZ and ZF = 0 then done
5072 * - if REPNE/REPNZ and ZF = 1 then done
5073 */
5074 if (((ctxt->b == 0xa6) || (ctxt->b == 0xa7) ||
5075 (ctxt->b == 0xae) || (ctxt->b == 0xaf))
5076 && (((ctxt->rep_prefix == REPE_PREFIX) &&
5077 ((ctxt->eflags & X86_EFLAGS_ZF) == 0))
5078 || ((ctxt->rep_prefix == REPNE_PREFIX) &&
5079 ((ctxt->eflags & X86_EFLAGS_ZF) == X86_EFLAGS_ZF))))
5080 return true;
5081
5082 return false;
5083 }
5084
5085 static int flush_pending_x87_faults(struct x86_emulate_ctxt *ctxt)
5086 {
5087 bool fault = false;
5088
5089 ctxt->ops->get_fpu(ctxt);
5090 asm volatile("1: fwait \n\t"
5091 "2: \n\t"
5092 ".pushsection .fixup,\"ax\" \n\t"
5093 "3: \n\t"
5094 "movb $1, %[fault] \n\t"
5095 "jmp 2b \n\t"
5096 ".popsection \n\t"
5097 _ASM_EXTABLE(1b, 3b)
5098 : [fault]"+qm"(fault));
5099 ctxt->ops->put_fpu(ctxt);
5100
5101 if (unlikely(fault))
5102 return emulate_exception(ctxt, MF_VECTOR, 0, false);
5103
5104 return X86EMUL_CONTINUE;
5105 }
5106
5107 static void fetch_possible_mmx_operand(struct x86_emulate_ctxt *ctxt,
5108 struct operand *op)
5109 {
5110 if (op->type == OP_MM)
5111 read_mmx_reg(ctxt, &op->mm_val, op->addr.mm);
5112 }
5113
5114 static int fastop(struct x86_emulate_ctxt *ctxt, void (*fop)(struct fastop *))
5115 {
5116 register void *__sp asm(_ASM_SP);
5117 ulong flags = (ctxt->eflags & EFLAGS_MASK) | X86_EFLAGS_IF;
5118
5119 if (!(ctxt->d & ByteOp))
5120 fop += __ffs(ctxt->dst.bytes) * FASTOP_SIZE;
5121
5122 asm("push %[flags]; popf; call *%[fastop]; pushf; pop %[flags]\n"
5123 : "+a"(ctxt->dst.val), "+d"(ctxt->src.val), [flags]"+D"(flags),
5124 [fastop]"+S"(fop), "+r"(__sp)
5125 : "c"(ctxt->src2.val));
5126
5127 ctxt->eflags = (ctxt->eflags & ~EFLAGS_MASK) | (flags & EFLAGS_MASK);
5128 if (!fop) /* exception is returned in fop variable */
5129 return emulate_de(ctxt);
5130 return X86EMUL_CONTINUE;
5131 }
5132
5133 void init_decode_cache(struct x86_emulate_ctxt *ctxt)
5134 {
5135 memset(&ctxt->rip_relative, 0,
5136 (void *)&ctxt->modrm - (void *)&ctxt->rip_relative);
5137
5138 ctxt->io_read.pos = 0;
5139 ctxt->io_read.end = 0;
5140 ctxt->mem_read.end = 0;
5141 }
5142
5143 int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
5144 {
5145 const struct x86_emulate_ops *ops = ctxt->ops;
5146 int rc = X86EMUL_CONTINUE;
5147 int saved_dst_type = ctxt->dst.type;
5148
5149 ctxt->mem_read.pos = 0;
5150
5151 /* LOCK prefix is allowed only with some instructions */
5152 if (ctxt->lock_prefix && (!(ctxt->d & Lock) || ctxt->dst.type != OP_MEM)) {
5153 rc = emulate_ud(ctxt);
5154 goto done;
5155 }
5156
5157 if ((ctxt->d & SrcMask) == SrcMemFAddr && ctxt->src.type != OP_MEM) {
5158 rc = emulate_ud(ctxt);
5159 goto done;
5160 }
5161
5162 if (unlikely(ctxt->d &
5163 (No64|Undefined|Sse|Mmx|Intercept|CheckPerm|Priv|Prot|String))) {
5164 if ((ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) ||
5165 (ctxt->d & Undefined)) {
5166 rc = emulate_ud(ctxt);
5167 goto done;
5168 }
5169
5170 if (((ctxt->d & (Sse|Mmx)) && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)))
5171 || ((ctxt->d & Sse) && !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
5172 rc = emulate_ud(ctxt);
5173 goto done;
5174 }
5175
5176 if ((ctxt->d & (Sse|Mmx)) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
5177 rc = emulate_nm(ctxt);
5178 goto done;
5179 }
5180
5181 if (ctxt->d & Mmx) {
5182 rc = flush_pending_x87_faults(ctxt);
5183 if (rc != X86EMUL_CONTINUE)
5184 goto done;
5185 /*
5186 * Now that we know the fpu is exception safe, we can fetch
5187 * operands from it.
5188 */
5189 fetch_possible_mmx_operand(ctxt, &ctxt->src);
5190 fetch_possible_mmx_operand(ctxt, &ctxt->src2);
5191 if (!(ctxt->d & Mov))
5192 fetch_possible_mmx_operand(ctxt, &ctxt->dst);
5193 }
5194
5195 if (unlikely(ctxt->emul_flags & X86EMUL_GUEST_MASK) && ctxt->intercept) {
5196 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5197 X86_ICPT_PRE_EXCEPT);
5198 if (rc != X86EMUL_CONTINUE)
5199 goto done;
5200 }
5201
5202 /* Instruction can only be executed in protected mode */
5203 if ((ctxt->d & Prot) && ctxt->mode < X86EMUL_MODE_PROT16) {
5204 rc = emulate_ud(ctxt);
5205 goto done;
5206 }
5207
5208 /* Privileged instruction can be executed only in CPL=0 */
5209 if ((ctxt->d & Priv) && ops->cpl(ctxt)) {
5210 if (ctxt->d & PrivUD)
5211 rc = emulate_ud(ctxt);
5212 else
5213 rc = emulate_gp(ctxt, 0);
5214 goto done;
5215 }
5216
5217 /* Do instruction specific permission checks */
5218 if (ctxt->d & CheckPerm) {
5219 rc = ctxt->check_perm(ctxt);
5220 if (rc != X86EMUL_CONTINUE)
5221 goto done;
5222 }
5223
5224 if (unlikely(ctxt->emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
5225 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5226 X86_ICPT_POST_EXCEPT);
5227 if (rc != X86EMUL_CONTINUE)
5228 goto done;
5229 }
5230
5231 if (ctxt->rep_prefix && (ctxt->d & String)) {
5232 /* All REP prefixes have the same first termination condition */
5233 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0) {
5234 string_registers_quirk(ctxt);
5235 ctxt->eip = ctxt->_eip;
5236 ctxt->eflags &= ~X86_EFLAGS_RF;
5237 goto done;
5238 }
5239 }
5240 }
5241
5242 if ((ctxt->src.type == OP_MEM) && !(ctxt->d & NoAccess)) {
5243 rc = segmented_read(ctxt, ctxt->src.addr.mem,
5244 ctxt->src.valptr, ctxt->src.bytes);
5245 if (rc != X86EMUL_CONTINUE)
5246 goto done;
5247 ctxt->src.orig_val64 = ctxt->src.val64;
5248 }
5249
5250 if (ctxt->src2.type == OP_MEM) {
5251 rc = segmented_read(ctxt, ctxt->src2.addr.mem,
5252 &ctxt->src2.val, ctxt->src2.bytes);
5253 if (rc != X86EMUL_CONTINUE)
5254 goto done;
5255 }
5256
5257 if ((ctxt->d & DstMask) == ImplicitOps)
5258 goto special_insn;
5259
5260
5261 if ((ctxt->dst.type == OP_MEM) && !(ctxt->d & Mov)) {
5262 /* optimisation - avoid slow emulated read if Mov */
5263 rc = segmented_read(ctxt, ctxt->dst.addr.mem,
5264 &ctxt->dst.val, ctxt->dst.bytes);
5265 if (rc != X86EMUL_CONTINUE) {
5266 if (!(ctxt->d & NoWrite) &&
5267 rc == X86EMUL_PROPAGATE_FAULT &&
5268 ctxt->exception.vector == PF_VECTOR)
5269 ctxt->exception.error_code |= PFERR_WRITE_MASK;
5270 goto done;
5271 }
5272 }
5273 /* Copy full 64-bit value for CMPXCHG8B. */
5274 ctxt->dst.orig_val64 = ctxt->dst.val64;
5275
5276 special_insn:
5277
5278 if (unlikely(ctxt->emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
5279 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5280 X86_ICPT_POST_MEMACCESS);
5281 if (rc != X86EMUL_CONTINUE)
5282 goto done;
5283 }
5284
5285 if (ctxt->rep_prefix && (ctxt->d & String))
5286 ctxt->eflags |= X86_EFLAGS_RF;
5287 else
5288 ctxt->eflags &= ~X86_EFLAGS_RF;
5289
5290 if (ctxt->execute) {
5291 if (ctxt->d & Fastop) {
5292 void (*fop)(struct fastop *) = (void *)ctxt->execute;
5293 rc = fastop(ctxt, fop);
5294 if (rc != X86EMUL_CONTINUE)
5295 goto done;
5296 goto writeback;
5297 }
5298 rc = ctxt->execute(ctxt);
5299 if (rc != X86EMUL_CONTINUE)
5300 goto done;
5301 goto writeback;
5302 }
5303
5304 if (ctxt->opcode_len == 2)
5305 goto twobyte_insn;
5306 else if (ctxt->opcode_len == 3)
5307 goto threebyte_insn;
5308
5309 switch (ctxt->b) {
5310 case 0x70 ... 0x7f: /* jcc (short) */
5311 if (test_cc(ctxt->b, ctxt->eflags))
5312 rc = jmp_rel(ctxt, ctxt->src.val);
5313 break;
5314 case 0x8d: /* lea r16/r32, m */
5315 ctxt->dst.val = ctxt->src.addr.mem.ea;
5316 break;
5317 case 0x90 ... 0x97: /* nop / xchg reg, rax */
5318 if (ctxt->dst.addr.reg == reg_rmw(ctxt, VCPU_REGS_RAX))
5319 ctxt->dst.type = OP_NONE;
5320 else
5321 rc = em_xchg(ctxt);
5322 break;
5323 case 0x98: /* cbw/cwde/cdqe */
5324 switch (ctxt->op_bytes) {
5325 case 2: ctxt->dst.val = (s8)ctxt->dst.val; break;
5326 case 4: ctxt->dst.val = (s16)ctxt->dst.val; break;
5327 case 8: ctxt->dst.val = (s32)ctxt->dst.val; break;
5328 }
5329 break;
5330 case 0xcc: /* int3 */
5331 rc = emulate_int(ctxt, 3);
5332 break;
5333 case 0xcd: /* int n */
5334 rc = emulate_int(ctxt, ctxt->src.val);
5335 break;
5336 case 0xce: /* into */
5337 if (ctxt->eflags & X86_EFLAGS_OF)
5338 rc = emulate_int(ctxt, 4);
5339 break;
5340 case 0xe9: /* jmp rel */
5341 case 0xeb: /* jmp rel short */
5342 rc = jmp_rel(ctxt, ctxt->src.val);
5343 ctxt->dst.type = OP_NONE; /* Disable writeback. */
5344 break;
5345 case 0xf4: /* hlt */
5346 ctxt->ops->halt(ctxt);
5347 break;
5348 case 0xf5: /* cmc */
5349 /* complement carry flag from eflags reg */
5350 ctxt->eflags ^= X86_EFLAGS_CF;
5351 break;
5352 case 0xf8: /* clc */
5353 ctxt->eflags &= ~X86_EFLAGS_CF;
5354 break;
5355 case 0xf9: /* stc */
5356 ctxt->eflags |= X86_EFLAGS_CF;
5357 break;
5358 case 0xfc: /* cld */
5359 ctxt->eflags &= ~X86_EFLAGS_DF;
5360 break;
5361 case 0xfd: /* std */
5362 ctxt->eflags |= X86_EFLAGS_DF;
5363 break;
5364 default:
5365 goto cannot_emulate;
5366 }
5367
5368 if (rc != X86EMUL_CONTINUE)
5369 goto done;
5370
5371 writeback:
5372 if (ctxt->d & SrcWrite) {
5373 BUG_ON(ctxt->src.type == OP_MEM || ctxt->src.type == OP_MEM_STR);
5374 rc = writeback(ctxt, &ctxt->src);
5375 if (rc != X86EMUL_CONTINUE)
5376 goto done;
5377 }
5378 if (!(ctxt->d & NoWrite)) {
5379 rc = writeback(ctxt, &ctxt->dst);
5380 if (rc != X86EMUL_CONTINUE)
5381 goto done;
5382 }
5383
5384 /*
5385 * restore dst type in case the decoding will be reused
5386 * (happens for string instruction )
5387 */
5388 ctxt->dst.type = saved_dst_type;
5389
5390 if ((ctxt->d & SrcMask) == SrcSI)
5391 string_addr_inc(ctxt, VCPU_REGS_RSI, &ctxt->src);
5392
5393 if ((ctxt->d & DstMask) == DstDI)
5394 string_addr_inc(ctxt, VCPU_REGS_RDI, &ctxt->dst);
5395
5396 if (ctxt->rep_prefix && (ctxt->d & String)) {
5397 unsigned int count;
5398 struct read_cache *r = &ctxt->io_read;
5399 if ((ctxt->d & SrcMask) == SrcSI)
5400 count = ctxt->src.count;
5401 else
5402 count = ctxt->dst.count;
5403 register_address_increment(ctxt, VCPU_REGS_RCX, -count);
5404
5405 if (!string_insn_completed(ctxt)) {
5406 /*
5407 * Re-enter guest when pio read ahead buffer is empty
5408 * or, if it is not used, after each 1024 iteration.
5409 */
5410 if ((r->end != 0 || reg_read(ctxt, VCPU_REGS_RCX) & 0x3ff) &&
5411 (r->end == 0 || r->end != r->pos)) {
5412 /*
5413 * Reset read cache. Usually happens before
5414 * decode, but since instruction is restarted
5415 * we have to do it here.
5416 */
5417 ctxt->mem_read.end = 0;
5418 writeback_registers(ctxt);
5419 return EMULATION_RESTART;
5420 }
5421 goto done; /* skip rip writeback */
5422 }
5423 ctxt->eflags &= ~X86_EFLAGS_RF;
5424 }
5425
5426 ctxt->eip = ctxt->_eip;
5427
5428 done:
5429 if (rc == X86EMUL_PROPAGATE_FAULT) {
5430 WARN_ON(ctxt->exception.vector > 0x1f);
5431 ctxt->have_exception = true;
5432 }
5433 if (rc == X86EMUL_INTERCEPTED)
5434 return EMULATION_INTERCEPTED;
5435
5436 if (rc == X86EMUL_CONTINUE)
5437 writeback_registers(ctxt);
5438
5439 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
5440
5441 twobyte_insn:
5442 switch (ctxt->b) {
5443 case 0x09: /* wbinvd */
5444 (ctxt->ops->wbinvd)(ctxt);
5445 break;
5446 case 0x08: /* invd */
5447 case 0x0d: /* GrpP (prefetch) */
5448 case 0x18: /* Grp16 (prefetch/nop) */
5449 case 0x1f: /* nop */
5450 break;
5451 case 0x20: /* mov cr, reg */
5452 ctxt->dst.val = ops->get_cr(ctxt, ctxt->modrm_reg);
5453 break;
5454 case 0x21: /* mov from dr to reg */
5455 ops->get_dr(ctxt, ctxt->modrm_reg, &ctxt->dst.val);
5456 break;
5457 case 0x40 ... 0x4f: /* cmov */
5458 if (test_cc(ctxt->b, ctxt->eflags))
5459 ctxt->dst.val = ctxt->src.val;
5460 else if (ctxt->op_bytes != 4)
5461 ctxt->dst.type = OP_NONE; /* no writeback */
5462 break;
5463 case 0x80 ... 0x8f: /* jnz rel, etc*/
5464 if (test_cc(ctxt->b, ctxt->eflags))
5465 rc = jmp_rel(ctxt, ctxt->src.val);
5466 break;
5467 case 0x90 ... 0x9f: /* setcc r/m8 */
5468 ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
5469 break;
5470 case 0xb6 ... 0xb7: /* movzx */
5471 ctxt->dst.bytes = ctxt->op_bytes;
5472 ctxt->dst.val = (ctxt->src.bytes == 1) ? (u8) ctxt->src.val
5473 : (u16) ctxt->src.val;
5474 break;
5475 case 0xbe ... 0xbf: /* movsx */
5476 ctxt->dst.bytes = ctxt->op_bytes;
5477 ctxt->dst.val = (ctxt->src.bytes == 1) ? (s8) ctxt->src.val :
5478 (s16) ctxt->src.val;
5479 break;
5480 default:
5481 goto cannot_emulate;
5482 }
5483
5484 threebyte_insn:
5485
5486 if (rc != X86EMUL_CONTINUE)
5487 goto done;
5488
5489 goto writeback;
5490
5491 cannot_emulate:
5492 return EMULATION_FAILED;
5493 }
5494
5495 void emulator_invalidate_register_cache(struct x86_emulate_ctxt *ctxt)
5496 {
5497 invalidate_registers(ctxt);
5498 }
5499
5500 void emulator_writeback_register_cache(struct x86_emulate_ctxt *ctxt)
5501 {
5502 writeback_registers(ctxt);
5503 }
Ubuntu Artful kernel mirror