]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blob - arch/x86/kvm/emulate.c
projects / mirror_ubuntu-bionic-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
KVM: x86: Fix defines in emulator.c
[mirror_ubuntu-bionic-kernel.git] / arch / x86 / kvm / emulate.c
1 /******************************************************************************
2 * emulate.c
3 *
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5 *
6 * Copyright (c) 2005 Keir Fraser
7 *
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
10 *
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
13 *
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
16 *
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
19 *
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
21 */
22
23 #include <linux/kvm_host.h>
24 #include "kvm_cache_regs.h"
25 #include <linux/module.h>
26 #include <asm/kvm_emulate.h>
27 #include <linux/stringify.h>
28
29 #include "x86.h"
30 #include "tss.h"
31
32 /*
33 * Operand types
34 */
35 #define OpNone 0ull
36 #define OpImplicit 1ull /* No generic decode */
37 #define OpReg 2ull /* Register */
38 #define OpMem 3ull /* Memory */
39 #define OpAcc 4ull /* Accumulator: AL/AX/EAX/RAX */
40 #define OpDI 5ull /* ES:DI/EDI/RDI */
41 #define OpMem64 6ull /* Memory, 64-bit */
42 #define OpImmUByte 7ull /* Zero-extended 8-bit immediate */
43 #define OpDX 8ull /* DX register */
44 #define OpCL 9ull /* CL register (for shifts) */
45 #define OpImmByte 10ull /* 8-bit sign extended immediate */
46 #define OpOne 11ull /* Implied 1 */
47 #define OpImm 12ull /* Sign extended up to 32-bit immediate */
48 #define OpMem16 13ull /* Memory operand (16-bit). */
49 #define OpMem32 14ull /* Memory operand (32-bit). */
50 #define OpImmU 15ull /* Immediate operand, zero extended */
51 #define OpSI 16ull /* SI/ESI/RSI */
52 #define OpImmFAddr 17ull /* Immediate far address */
53 #define OpMemFAddr 18ull /* Far address in memory */
54 #define OpImmU16 19ull /* Immediate operand, 16 bits, zero extended */
55 #define OpES 20ull /* ES */
56 #define OpCS 21ull /* CS */
57 #define OpSS 22ull /* SS */
58 #define OpDS 23ull /* DS */
59 #define OpFS 24ull /* FS */
60 #define OpGS 25ull /* GS */
61 #define OpMem8 26ull /* 8-bit zero extended memory operand */
62 #define OpImm64 27ull /* Sign extended 16/32/64-bit immediate */
63 #define OpXLat 28ull /* memory at BX/EBX/RBX + zero-extended AL */
64 #define OpAccLo 29ull /* Low part of extended acc (AX/AX/EAX/RAX) */
65 #define OpAccHi 30ull /* High part of extended acc (-/DX/EDX/RDX) */
66
67 #define OpBits 5 /* Width of operand field */
68 #define OpMask ((1ull << OpBits) - 1)
69
70 /*
71 * Opcode effective-address decode tables.
72 * Note that we only emulate instructions that have at least one memory
73 * operand (excluding implicit stack references). We assume that stack
74 * references and instruction fetches will never occur in special memory
75 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
76 * not be handled.
77 */
78
79 /* Operand sizes: 8-bit operands or specified/overridden size. */
80 #define ByteOp (1<<0) /* 8-bit operands. */
81 /* Destination operand type. */
82 #define DstShift 1
83 #define ImplicitOps (OpImplicit << DstShift)
84 #define DstReg (OpReg << DstShift)
85 #define DstMem (OpMem << DstShift)
86 #define DstAcc (OpAcc << DstShift)
87 #define DstDI (OpDI << DstShift)
88 #define DstMem64 (OpMem64 << DstShift)
89 #define DstMem16 (OpMem16 << DstShift)
90 #define DstImmUByte (OpImmUByte << DstShift)
91 #define DstDX (OpDX << DstShift)
92 #define DstAccLo (OpAccLo << DstShift)
93 #define DstMask (OpMask << DstShift)
94 /* Source operand type. */
95 #define SrcShift 6
96 #define SrcNone (OpNone << SrcShift)
97 #define SrcReg (OpReg << SrcShift)
98 #define SrcMem (OpMem << SrcShift)
99 #define SrcMem16 (OpMem16 << SrcShift)
100 #define SrcMem32 (OpMem32 << SrcShift)
101 #define SrcImm (OpImm << SrcShift)
102 #define SrcImmByte (OpImmByte << SrcShift)
103 #define SrcOne (OpOne << SrcShift)
104 #define SrcImmUByte (OpImmUByte << SrcShift)
105 #define SrcImmU (OpImmU << SrcShift)
106 #define SrcSI (OpSI << SrcShift)
107 #define SrcXLat (OpXLat << SrcShift)
108 #define SrcImmFAddr (OpImmFAddr << SrcShift)
109 #define SrcMemFAddr (OpMemFAddr << SrcShift)
110 #define SrcAcc (OpAcc << SrcShift)
111 #define SrcImmU16 (OpImmU16 << SrcShift)
112 #define SrcImm64 (OpImm64 << SrcShift)
113 #define SrcDX (OpDX << SrcShift)
114 #define SrcMem8 (OpMem8 << SrcShift)
115 #define SrcAccHi (OpAccHi << SrcShift)
116 #define SrcMask (OpMask << SrcShift)
117 #define BitOp (1<<11)
118 #define MemAbs (1<<12) /* Memory operand is absolute displacement */
119 #define String (1<<13) /* String instruction (rep capable) */
120 #define Stack (1<<14) /* Stack instruction (push/pop) */
121 #define GroupMask (7<<15) /* Opcode uses one of the group mechanisms */
122 #define Group (1<<15) /* Bits 3:5 of modrm byte extend opcode */
123 #define GroupDual (2<<15) /* Alternate decoding of mod == 3 */
124 #define Prefix (3<<15) /* Instruction varies with 66/f2/f3 prefix */
125 #define RMExt (4<<15) /* Opcode extension in ModRM r/m if mod == 3 */
126 #define Escape (5<<15) /* Escape to coprocessor instruction */
127 #define InstrDual (6<<15) /* Alternate instruction decoding of mod == 3 */
128 #define ModeDual (7<<15) /* Different instruction for 32/64 bit */
129 #define Sse (1<<18) /* SSE Vector instruction */
130 /* Generic ModRM decode. */
131 #define ModRM (1<<19)
132 /* Destination is only written; never read. */
133 #define Mov (1<<20)
134 /* Misc flags */
135 #define Prot (1<<21) /* instruction generates #UD if not in prot-mode */
136 #define EmulateOnUD (1<<22) /* Emulate if unsupported by the host */
137 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
138 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
139 #define Undefined (1<<25) /* No Such Instruction */
140 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
141 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
142 #define No64 (1<<28)
143 #define PageTable (1 << 29) /* instruction used to write page table */
144 #define NotImpl (1 << 30) /* instruction is not implemented */
145 /* Source 2 operand type */
146 #define Src2Shift (31)
147 #define Src2None (OpNone << Src2Shift)
148 #define Src2Mem (OpMem << Src2Shift)
149 #define Src2CL (OpCL << Src2Shift)
150 #define Src2ImmByte (OpImmByte << Src2Shift)
151 #define Src2One (OpOne << Src2Shift)
152 #define Src2Imm (OpImm << Src2Shift)
153 #define Src2ES (OpES << Src2Shift)
154 #define Src2CS (OpCS << Src2Shift)
155 #define Src2SS (OpSS << Src2Shift)
156 #define Src2DS (OpDS << Src2Shift)
157 #define Src2FS (OpFS << Src2Shift)
158 #define Src2GS (OpGS << Src2Shift)
159 #define Src2Mask (OpMask << Src2Shift)
160 #define Mmx ((u64)1 << 40) /* MMX Vector instruction */
161 #define Aligned ((u64)1 << 41) /* Explicitly aligned (e.g. MOVDQA) */
162 #define Unaligned ((u64)1 << 42) /* Explicitly unaligned (e.g. MOVDQU) */
163 #define Avx ((u64)1 << 43) /* Advanced Vector Extensions */
164 #define Fastop ((u64)1 << 44) /* Use opcode::u.fastop */
165 #define NoWrite ((u64)1 << 45) /* No writeback */
166 #define SrcWrite ((u64)1 << 46) /* Write back src operand */
167 #define NoMod ((u64)1 << 47) /* Mod field is ignored */
168 #define Intercept ((u64)1 << 48) /* Has valid intercept field */
169 #define CheckPerm ((u64)1 << 49) /* Has valid check_perm field */
170 #define PrivUD ((u64)1 << 51) /* #UD instead of #GP on CPL > 0 */
171 #define NearBranch ((u64)1 << 52) /* Near branches */
172 #define No16 ((u64)1 << 53) /* No 16 bit operand */
173 #define IncSP ((u64)1 << 54) /* SP is incremented before ModRM calc */
174
175 #define DstXacc (DstAccLo | SrcAccHi | SrcWrite)
176
177 #define X2(x...) x, x
178 #define X3(x...) X2(x), x
179 #define X4(x...) X2(x), X2(x)
180 #define X5(x...) X4(x), x
181 #define X6(x...) X4(x), X2(x)
182 #define X7(x...) X4(x), X3(x)
183 #define X8(x...) X4(x), X4(x)
184 #define X16(x...) X8(x), X8(x)
185
186 #define NR_FASTOP (ilog2(sizeof(ulong)) + 1)
187 #define FASTOP_SIZE 8
188
189 /*
190 * fastop functions have a special calling convention:
191 *
192 * dst: rax (in/out)
193 * src: rdx (in/out)
194 * src2: rcx (in)
195 * flags: rflags (in/out)
196 * ex: rsi (in:fastop pointer, out:zero if exception)
197 *
198 * Moreover, they are all exactly FASTOP_SIZE bytes long, so functions for
199 * different operand sizes can be reached by calculation, rather than a jump
200 * table (which would be bigger than the code).
201 *
202 * fastop functions are declared as taking a never-defined fastop parameter,
203 * so they can't be called from C directly.
204 */
205
206 struct fastop;
207
208 struct opcode {
209 u64 flags : 56;
210 u64 intercept : 8;
211 union {
212 int (*execute)(struct x86_emulate_ctxt *ctxt);
213 const struct opcode *group;
214 const struct group_dual *gdual;
215 const struct gprefix *gprefix;
216 const struct escape *esc;
217 const struct instr_dual *idual;
218 const struct mode_dual *mdual;
219 void (*fastop)(struct fastop *fake);
220 } u;
221 int (*check_perm)(struct x86_emulate_ctxt *ctxt);
222 };
223
224 struct group_dual {
225 struct opcode mod012[8];
226 struct opcode mod3[8];
227 };
228
229 struct gprefix {
230 struct opcode pfx_no;
231 struct opcode pfx_66;
232 struct opcode pfx_f2;
233 struct opcode pfx_f3;
234 };
235
236 struct escape {
237 struct opcode op[8];
238 struct opcode high[64];
239 };
240
241 struct instr_dual {
242 struct opcode mod012;
243 struct opcode mod3;
244 };
245
246 struct mode_dual {
247 struct opcode mode32;
248 struct opcode mode64;
249 };
250
251 /* EFLAGS bit definitions. */
252 #define EFLG_ID (1<<21)
253 #define EFLG_VIP (1<<20)
254 #define EFLG_VIF (1<<19)
255 #define EFLG_AC (1<<18)
256 #define EFLG_VM (1<<17)
257 #define EFLG_RF (1<<16)
258 #define EFLG_IOPL (3<<12)
259 #define EFLG_NT (1<<14)
260 #define EFLG_OF (1<<11)
261 #define EFLG_DF (1<<10)
262 #define EFLG_IF (1<<9)
263 #define EFLG_TF (1<<8)
264 #define EFLG_SF (1<<7)
265 #define EFLG_ZF (1<<6)
266 #define EFLG_AF (1<<4)
267 #define EFLG_PF (1<<2)
268 #define EFLG_CF (1<<0)
269
270 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
271 #define EFLG_RESERVED_ONE_MASK 2
272
273 enum x86_transfer_type {
274 X86_TRANSFER_NONE,
275 X86_TRANSFER_CALL_JMP,
276 X86_TRANSFER_RET,
277 X86_TRANSFER_TASK_SWITCH,
278 };
279
280 static ulong reg_read(struct x86_emulate_ctxt *ctxt, unsigned nr)
281 {
282 if (!(ctxt->regs_valid & (1 << nr))) {
283 ctxt->regs_valid |= 1 << nr;
284 ctxt->_regs[nr] = ctxt->ops->read_gpr(ctxt, nr);
285 }
286 return ctxt->_regs[nr];
287 }
288
289 static ulong *reg_write(struct x86_emulate_ctxt *ctxt, unsigned nr)
290 {
291 ctxt->regs_valid |= 1 << nr;
292 ctxt->regs_dirty |= 1 << nr;
293 return &ctxt->_regs[nr];
294 }
295
296 static ulong *reg_rmw(struct x86_emulate_ctxt *ctxt, unsigned nr)
297 {
298 reg_read(ctxt, nr);
299 return reg_write(ctxt, nr);
300 }
301
302 static void writeback_registers(struct x86_emulate_ctxt *ctxt)
303 {
304 unsigned reg;
305
306 for_each_set_bit(reg, (ulong *)&ctxt->regs_dirty, 16)
307 ctxt->ops->write_gpr(ctxt, reg, ctxt->_regs[reg]);
308 }
309
310 static void invalidate_registers(struct x86_emulate_ctxt *ctxt)
311 {
312 ctxt->regs_dirty = 0;
313 ctxt->regs_valid = 0;
314 }
315
316 /*
317 * These EFLAGS bits are restored from saved value during emulation, and
318 * any changes are written back to the saved value after emulation.
319 */
320 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
321
322 #ifdef CONFIG_X86_64
323 #define ON64(x) x
324 #else
325 #define ON64(x)
326 #endif
327
328 static int fastop(struct x86_emulate_ctxt *ctxt, void (*fop)(struct fastop *));
329
330 #define FOP_ALIGN ".align " __stringify(FASTOP_SIZE) " \n\t"
331 #define FOP_RET "ret \n\t"
332
333 #define FOP_START(op) \
334 extern void em_##op(struct fastop *fake); \
335 asm(".pushsection .text, \"ax\" \n\t" \
336 ".global em_" #op " \n\t" \
337 FOP_ALIGN \
338 "em_" #op ": \n\t"
339
340 #define FOP_END \
341 ".popsection")
342
343 #define FOPNOP() FOP_ALIGN FOP_RET
344
345 #define FOP1E(op, dst) \
346 FOP_ALIGN "10: " #op " %" #dst " \n\t" FOP_RET
347
348 #define FOP1EEX(op, dst) \
349 FOP1E(op, dst) _ASM_EXTABLE(10b, kvm_fastop_exception)
350
351 #define FASTOP1(op) \
352 FOP_START(op) \
353 FOP1E(op##b, al) \
354 FOP1E(op##w, ax) \
355 FOP1E(op##l, eax) \
356 ON64(FOP1E(op##q, rax)) \
357 FOP_END
358
359 /* 1-operand, using src2 (for MUL/DIV r/m) */
360 #define FASTOP1SRC2(op, name) \
361 FOP_START(name) \
362 FOP1E(op, cl) \
363 FOP1E(op, cx) \
364 FOP1E(op, ecx) \
365 ON64(FOP1E(op, rcx)) \
366 FOP_END
367
368 /* 1-operand, using src2 (for MUL/DIV r/m), with exceptions */
369 #define FASTOP1SRC2EX(op, name) \
370 FOP_START(name) \
371 FOP1EEX(op, cl) \
372 FOP1EEX(op, cx) \
373 FOP1EEX(op, ecx) \
374 ON64(FOP1EEX(op, rcx)) \
375 FOP_END
376
377 #define FOP2E(op, dst, src) \
378 FOP_ALIGN #op " %" #src ", %" #dst " \n\t" FOP_RET
379
380 #define FASTOP2(op) \
381 FOP_START(op) \
382 FOP2E(op##b, al, dl) \
383 FOP2E(op##w, ax, dx) \
384 FOP2E(op##l, eax, edx) \
385 ON64(FOP2E(op##q, rax, rdx)) \
386 FOP_END
387
388 /* 2 operand, word only */
389 #define FASTOP2W(op) \
390 FOP_START(op) \
391 FOPNOP() \
392 FOP2E(op##w, ax, dx) \
393 FOP2E(op##l, eax, edx) \
394 ON64(FOP2E(op##q, rax, rdx)) \
395 FOP_END
396
397 /* 2 operand, src is CL */
398 #define FASTOP2CL(op) \
399 FOP_START(op) \
400 FOP2E(op##b, al, cl) \
401 FOP2E(op##w, ax, cl) \
402 FOP2E(op##l, eax, cl) \
403 ON64(FOP2E(op##q, rax, cl)) \
404 FOP_END
405
406 /* 2 operand, src and dest are reversed */
407 #define FASTOP2R(op, name) \
408 FOP_START(name) \
409 FOP2E(op##b, dl, al) \
410 FOP2E(op##w, dx, ax) \
411 FOP2E(op##l, edx, eax) \
412 ON64(FOP2E(op##q, rdx, rax)) \
413 FOP_END
414
415 #define FOP3E(op, dst, src, src2) \
416 FOP_ALIGN #op " %" #src2 ", %" #src ", %" #dst " \n\t" FOP_RET
417
418 /* 3-operand, word-only, src2=cl */
419 #define FASTOP3WCL(op) \
420 FOP_START(op) \
421 FOPNOP() \
422 FOP3E(op##w, ax, dx, cl) \
423 FOP3E(op##l, eax, edx, cl) \
424 ON64(FOP3E(op##q, rax, rdx, cl)) \
425 FOP_END
426
427 /* Special case for SETcc - 1 instruction per cc */
428 #define FOP_SETCC(op) ".align 4; " #op " %al; ret \n\t"
429
430 asm(".global kvm_fastop_exception \n"
431 "kvm_fastop_exception: xor %esi, %esi; ret");
432
433 FOP_START(setcc)
434 FOP_SETCC(seto)
435 FOP_SETCC(setno)
436 FOP_SETCC(setc)
437 FOP_SETCC(setnc)
438 FOP_SETCC(setz)
439 FOP_SETCC(setnz)
440 FOP_SETCC(setbe)
441 FOP_SETCC(setnbe)
442 FOP_SETCC(sets)
443 FOP_SETCC(setns)
444 FOP_SETCC(setp)
445 FOP_SETCC(setnp)
446 FOP_SETCC(setl)
447 FOP_SETCC(setnl)
448 FOP_SETCC(setle)
449 FOP_SETCC(setnle)
450 FOP_END;
451
452 FOP_START(salc) "pushf; sbb %al, %al; popf \n\t" FOP_RET
453 FOP_END;
454
455 static int emulator_check_intercept(struct x86_emulate_ctxt *ctxt,
456 enum x86_intercept intercept,
457 enum x86_intercept_stage stage)
458 {
459 struct x86_instruction_info info = {
460 .intercept = intercept,
461 .rep_prefix = ctxt->rep_prefix,
462 .modrm_mod = ctxt->modrm_mod,
463 .modrm_reg = ctxt->modrm_reg,
464 .modrm_rm = ctxt->modrm_rm,
465 .src_val = ctxt->src.val64,
466 .dst_val = ctxt->dst.val64,
467 .src_bytes = ctxt->src.bytes,
468 .dst_bytes = ctxt->dst.bytes,
469 .ad_bytes = ctxt->ad_bytes,
470 .next_rip = ctxt->eip,
471 };
472
473 return ctxt->ops->intercept(ctxt, &info, stage);
474 }
475
476 static void assign_masked(ulong *dest, ulong src, ulong mask)
477 {
478 *dest = (*dest & ~mask) | (src & mask);
479 }
480
481 static inline unsigned long ad_mask(struct x86_emulate_ctxt *ctxt)
482 {
483 return (1UL << (ctxt->ad_bytes << 3)) - 1;
484 }
485
486 static ulong stack_mask(struct x86_emulate_ctxt *ctxt)
487 {
488 u16 sel;
489 struct desc_struct ss;
490
491 if (ctxt->mode == X86EMUL_MODE_PROT64)
492 return ~0UL;
493 ctxt->ops->get_segment(ctxt, &sel, &ss, NULL, VCPU_SREG_SS);
494 return ~0U >> ((ss.d ^ 1) * 16); /* d=0: 0xffff; d=1: 0xffffffff */
495 }
496
497 static int stack_size(struct x86_emulate_ctxt *ctxt)
498 {
499 return (__fls(stack_mask(ctxt)) + 1) >> 3;
500 }
501
502 /* Access/update address held in a register, based on addressing mode. */
503 static inline unsigned long
504 address_mask(struct x86_emulate_ctxt *ctxt, unsigned long reg)
505 {
506 if (ctxt->ad_bytes == sizeof(unsigned long))
507 return reg;
508 else
509 return reg & ad_mask(ctxt);
510 }
511
512 static inline unsigned long
513 register_address(struct x86_emulate_ctxt *ctxt, int reg)
514 {
515 return address_mask(ctxt, reg_read(ctxt, reg));
516 }
517
518 static void masked_increment(ulong *reg, ulong mask, int inc)
519 {
520 assign_masked(reg, *reg + inc, mask);
521 }
522
523 static inline void
524 register_address_increment(struct x86_emulate_ctxt *ctxt, int reg, int inc)
525 {
526 ulong mask;
527
528 if (ctxt->ad_bytes == sizeof(unsigned long))
529 mask = ~0UL;
530 else
531 mask = ad_mask(ctxt);
532 masked_increment(reg_rmw(ctxt, reg), mask, inc);
533 }
534
535 static void rsp_increment(struct x86_emulate_ctxt *ctxt, int inc)
536 {
537 masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc);
538 }
539
540 static u32 desc_limit_scaled(struct desc_struct *desc)
541 {
542 u32 limit = get_desc_limit(desc);
543
544 return desc->g ? (limit << 12) | 0xfff : limit;
545 }
546
547 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
548 {
549 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
550 return 0;
551
552 return ctxt->ops->get_cached_segment_base(ctxt, seg);
553 }
554
555 static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
556 u32 error, bool valid)
557 {
558 WARN_ON(vec > 0x1f);
559 ctxt->exception.vector = vec;
560 ctxt->exception.error_code = error;
561 ctxt->exception.error_code_valid = valid;
562 return X86EMUL_PROPAGATE_FAULT;
563 }
564
565 static int emulate_db(struct x86_emulate_ctxt *ctxt)
566 {
567 return emulate_exception(ctxt, DB_VECTOR, 0, false);
568 }
569
570 static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
571 {
572 return emulate_exception(ctxt, GP_VECTOR, err, true);
573 }
574
575 static int emulate_ss(struct x86_emulate_ctxt *ctxt, int err)
576 {
577 return emulate_exception(ctxt, SS_VECTOR, err, true);
578 }
579
580 static int emulate_ud(struct x86_emulate_ctxt *ctxt)
581 {
582 return emulate_exception(ctxt, UD_VECTOR, 0, false);
583 }
584
585 static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
586 {
587 return emulate_exception(ctxt, TS_VECTOR, err, true);
588 }
589
590 static int emulate_de(struct x86_emulate_ctxt *ctxt)
591 {
592 return emulate_exception(ctxt, DE_VECTOR, 0, false);
593 }
594
595 static int emulate_nm(struct x86_emulate_ctxt *ctxt)
596 {
597 return emulate_exception(ctxt, NM_VECTOR, 0, false);
598 }
599
600 static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
601 {
602 u16 selector;
603 struct desc_struct desc;
604
605 ctxt->ops->get_segment(ctxt, &selector, &desc, NULL, seg);
606 return selector;
607 }
608
609 static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
610 unsigned seg)
611 {
612 u16 dummy;
613 u32 base3;
614 struct desc_struct desc;
615
616 ctxt->ops->get_segment(ctxt, &dummy, &desc, &base3, seg);
617 ctxt->ops->set_segment(ctxt, selector, &desc, base3, seg);
618 }
619
620 /*
621 * x86 defines three classes of vector instructions: explicitly
622 * aligned, explicitly unaligned, and the rest, which change behaviour
623 * depending on whether they're AVX encoded or not.
624 *
625 * Also included is CMPXCHG16B which is not a vector instruction, yet it is
626 * subject to the same check.
627 */
628 static bool insn_aligned(struct x86_emulate_ctxt *ctxt, unsigned size)
629 {
630 if (likely(size < 16))
631 return false;
632
633 if (ctxt->d & Aligned)
634 return true;
635 else if (ctxt->d & Unaligned)
636 return false;
637 else if (ctxt->d & Avx)
638 return false;
639 else
640 return true;
641 }
642
643 static __always_inline int __linearize(struct x86_emulate_ctxt *ctxt,
644 struct segmented_address addr,
645 unsigned *max_size, unsigned size,
646 bool write, bool fetch,
647 enum x86emul_mode mode, ulong *linear)
648 {
649 struct desc_struct desc;
650 bool usable;
651 ulong la;
652 u32 lim;
653 u16 sel;
654
655 la = seg_base(ctxt, addr.seg) + addr.ea;
656 *max_size = 0;
657 switch (mode) {
658 case X86EMUL_MODE_PROT64:
659 if (is_noncanonical_address(la))
660 goto bad;
661
662 *max_size = min_t(u64, ~0u, (1ull << 48) - la);
663 if (size > *max_size)
664 goto bad;
665 break;
666 default:
667 usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
668 addr.seg);
669 if (!usable)
670 goto bad;
671 /* code segment in protected mode or read-only data segment */
672 if ((((ctxt->mode != X86EMUL_MODE_REAL) && (desc.type & 8))
673 || !(desc.type & 2)) && write)
674 goto bad;
675 /* unreadable code segment */
676 if (!fetch && (desc.type & 8) && !(desc.type & 2))
677 goto bad;
678 lim = desc_limit_scaled(&desc);
679 if (!(desc.type & 8) && (desc.type & 4)) {
680 /* expand-down segment */
681 if (addr.ea <= lim)
682 goto bad;
683 lim = desc.d ? 0xffffffff : 0xffff;
684 }
685 if (addr.ea > lim)
686 goto bad;
687 *max_size = min_t(u64, ~0u, (u64)lim + 1 - addr.ea);
688 if (size > *max_size)
689 goto bad;
690 la &= (u32)-1;
691 break;
692 }
693 if (insn_aligned(ctxt, size) && ((la & (size - 1)) != 0))
694 return emulate_gp(ctxt, 0);
695 *linear = la;
696 return X86EMUL_CONTINUE;
697 bad:
698 if (addr.seg == VCPU_SREG_SS)
699 return emulate_ss(ctxt, 0);
700 else
701 return emulate_gp(ctxt, 0);
702 }
703
704 static int linearize(struct x86_emulate_ctxt *ctxt,
705 struct segmented_address addr,
706 unsigned size, bool write,
707 ulong *linear)
708 {
709 unsigned max_size;
710 return __linearize(ctxt, addr, &max_size, size, write, false,
711 ctxt->mode, linear);
712 }
713
714 static inline int assign_eip(struct x86_emulate_ctxt *ctxt, ulong dst,
715 enum x86emul_mode mode)
716 {
717 ulong linear;
718 int rc;
719 unsigned max_size;
720 struct segmented_address addr = { .seg = VCPU_SREG_CS,
721 .ea = dst };
722
723 if (ctxt->op_bytes != sizeof(unsigned long))
724 addr.ea = dst & ((1UL << (ctxt->op_bytes << 3)) - 1);
725 rc = __linearize(ctxt, addr, &max_size, 1, false, true, mode, &linear);
726 if (rc == X86EMUL_CONTINUE)
727 ctxt->_eip = addr.ea;
728 return rc;
729 }
730
731 static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
732 {
733 return assign_eip(ctxt, dst, ctxt->mode);
734 }
735
736 static int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst,
737 const struct desc_struct *cs_desc)
738 {
739 enum x86emul_mode mode = ctxt->mode;
740
741 #ifdef CONFIG_X86_64
742 if (ctxt->mode >= X86EMUL_MODE_PROT32 && cs_desc->l) {
743 u64 efer = 0;
744
745 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
746 if (efer & EFER_LMA)
747 mode = X86EMUL_MODE_PROT64;
748 }
749 #endif
750 if (mode == X86EMUL_MODE_PROT16 || mode == X86EMUL_MODE_PROT32)
751 mode = cs_desc->d ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16;
752 return assign_eip(ctxt, dst, mode);
753 }
754
755 static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
756 {
757 return assign_eip_near(ctxt, ctxt->_eip + rel);
758 }
759
760 static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
761 struct segmented_address addr,
762 void *data,
763 unsigned size)
764 {
765 int rc;
766 ulong linear;
767
768 rc = linearize(ctxt, addr, size, false, &linear);
769 if (rc != X86EMUL_CONTINUE)
770 return rc;
771 return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
772 }
773
774 /*
775 * Prefetch the remaining bytes of the instruction without crossing page
776 * boundary if they are not in fetch_cache yet.
777 */
778 static int __do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt, int op_size)
779 {
780 int rc;
781 unsigned size, max_size;
782 unsigned long linear;
783 int cur_size = ctxt->fetch.end - ctxt->fetch.data;
784 struct segmented_address addr = { .seg = VCPU_SREG_CS,
785 .ea = ctxt->eip + cur_size };
786
787 /*
788 * We do not know exactly how many bytes will be needed, and
789 * __linearize is expensive, so fetch as much as possible. We
790 * just have to avoid going beyond the 15 byte limit, the end
791 * of the segment, or the end of the page.
792 *
793 * __linearize is called with size 0 so that it does not do any
794 * boundary check itself. Instead, we use max_size to check
795 * against op_size.
796 */
797 rc = __linearize(ctxt, addr, &max_size, 0, false, true, ctxt->mode,
798 &linear);
799 if (unlikely(rc != X86EMUL_CONTINUE))
800 return rc;
801
802 size = min_t(unsigned, 15UL ^ cur_size, max_size);
803 size = min_t(unsigned, size, PAGE_SIZE - offset_in_page(linear));
804
805 /*
806 * One instruction can only straddle two pages,
807 * and one has been loaded at the beginning of
808 * x86_decode_insn. So, if not enough bytes
809 * still, we must have hit the 15-byte boundary.
810 */
811 if (unlikely(size < op_size))
812 return emulate_gp(ctxt, 0);
813
814 rc = ctxt->ops->fetch(ctxt, linear, ctxt->fetch.end,
815 size, &ctxt->exception);
816 if (unlikely(rc != X86EMUL_CONTINUE))
817 return rc;
818 ctxt->fetch.end += size;
819 return X86EMUL_CONTINUE;
820 }
821
822 static __always_inline int do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt,
823 unsigned size)
824 {
825 unsigned done_size = ctxt->fetch.end - ctxt->fetch.ptr;
826
827 if (unlikely(done_size < size))
828 return __do_insn_fetch_bytes(ctxt, size - done_size);
829 else
830 return X86EMUL_CONTINUE;
831 }
832
833 /* Fetch next part of the instruction being emulated. */
834 #define insn_fetch(_type, _ctxt) \
835 ({ _type _x; \
836 \
837 rc = do_insn_fetch_bytes(_ctxt, sizeof(_type)); \
838 if (rc != X86EMUL_CONTINUE) \
839 goto done; \
840 ctxt->_eip += sizeof(_type); \
841 _x = *(_type __aligned(1) *) ctxt->fetch.ptr; \
842 ctxt->fetch.ptr += sizeof(_type); \
843 _x; \
844 })
845
846 #define insn_fetch_arr(_arr, _size, _ctxt) \
847 ({ \
848 rc = do_insn_fetch_bytes(_ctxt, _size); \
849 if (rc != X86EMUL_CONTINUE) \
850 goto done; \
851 ctxt->_eip += (_size); \
852 memcpy(_arr, ctxt->fetch.ptr, _size); \
853 ctxt->fetch.ptr += (_size); \
854 })
855
856 /*
857 * Given the 'reg' portion of a ModRM byte, and a register block, return a
858 * pointer into the block that addresses the relevant register.
859 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
860 */
861 static void *decode_register(struct x86_emulate_ctxt *ctxt, u8 modrm_reg,
862 int byteop)
863 {
864 void *p;
865 int highbyte_regs = (ctxt->rex_prefix == 0) && byteop;
866
867 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
868 p = (unsigned char *)reg_rmw(ctxt, modrm_reg & 3) + 1;
869 else
870 p = reg_rmw(ctxt, modrm_reg);
871 return p;
872 }
873
874 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
875 struct segmented_address addr,
876 u16 *size, unsigned long *address, int op_bytes)
877 {
878 int rc;
879
880 if (op_bytes == 2)
881 op_bytes = 3;
882 *address = 0;
883 rc = segmented_read_std(ctxt, addr, size, 2);
884 if (rc != X86EMUL_CONTINUE)
885 return rc;
886 addr.ea += 2;
887 rc = segmented_read_std(ctxt, addr, address, op_bytes);
888 return rc;
889 }
890
891 FASTOP2(add);
892 FASTOP2(or);
893 FASTOP2(adc);
894 FASTOP2(sbb);
895 FASTOP2(and);
896 FASTOP2(sub);
897 FASTOP2(xor);
898 FASTOP2(cmp);
899 FASTOP2(test);
900
901 FASTOP1SRC2(mul, mul_ex);
902 FASTOP1SRC2(imul, imul_ex);
903 FASTOP1SRC2EX(div, div_ex);
904 FASTOP1SRC2EX(idiv, idiv_ex);
905
906 FASTOP3WCL(shld);
907 FASTOP3WCL(shrd);
908
909 FASTOP2W(imul);
910
911 FASTOP1(not);
912 FASTOP1(neg);
913 FASTOP1(inc);
914 FASTOP1(dec);
915
916 FASTOP2CL(rol);
917 FASTOP2CL(ror);
918 FASTOP2CL(rcl);
919 FASTOP2CL(rcr);
920 FASTOP2CL(shl);
921 FASTOP2CL(shr);
922 FASTOP2CL(sar);
923
924 FASTOP2W(bsf);
925 FASTOP2W(bsr);
926 FASTOP2W(bt);
927 FASTOP2W(bts);
928 FASTOP2W(btr);
929 FASTOP2W(btc);
930
931 FASTOP2(xadd);
932
933 FASTOP2R(cmp, cmp_r);
934
935 static u8 test_cc(unsigned int condition, unsigned long flags)
936 {
937 u8 rc;
938 void (*fop)(void) = (void *)em_setcc + 4 * (condition & 0xf);
939
940 flags = (flags & EFLAGS_MASK) | X86_EFLAGS_IF;
941 asm("push %[flags]; popf; call *%[fastop]"
942 : "=a"(rc) : [fastop]"r"(fop), [flags]"r"(flags));
943 return rc;
944 }
945
946 static void fetch_register_operand(struct operand *op)
947 {
948 switch (op->bytes) {
949 case 1:
950 op->val = *(u8 *)op->addr.reg;
951 break;
952 case 2:
953 op->val = *(u16 *)op->addr.reg;
954 break;
955 case 4:
956 op->val = *(u32 *)op->addr.reg;
957 break;
958 case 8:
959 op->val = *(u64 *)op->addr.reg;
960 break;
961 }
962 }
963
964 static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
965 {
966 ctxt->ops->get_fpu(ctxt);
967 switch (reg) {
968 case 0: asm("movdqa %%xmm0, %0" : "=m"(*data)); break;
969 case 1: asm("movdqa %%xmm1, %0" : "=m"(*data)); break;
970 case 2: asm("movdqa %%xmm2, %0" : "=m"(*data)); break;
971 case 3: asm("movdqa %%xmm3, %0" : "=m"(*data)); break;
972 case 4: asm("movdqa %%xmm4, %0" : "=m"(*data)); break;
973 case 5: asm("movdqa %%xmm5, %0" : "=m"(*data)); break;
974 case 6: asm("movdqa %%xmm6, %0" : "=m"(*data)); break;
975 case 7: asm("movdqa %%xmm7, %0" : "=m"(*data)); break;
976 #ifdef CONFIG_X86_64
977 case 8: asm("movdqa %%xmm8, %0" : "=m"(*data)); break;
978 case 9: asm("movdqa %%xmm9, %0" : "=m"(*data)); break;
979 case 10: asm("movdqa %%xmm10, %0" : "=m"(*data)); break;
980 case 11: asm("movdqa %%xmm11, %0" : "=m"(*data)); break;
981 case 12: asm("movdqa %%xmm12, %0" : "=m"(*data)); break;
982 case 13: asm("movdqa %%xmm13, %0" : "=m"(*data)); break;
983 case 14: asm("movdqa %%xmm14, %0" : "=m"(*data)); break;
984 case 15: asm("movdqa %%xmm15, %0" : "=m"(*data)); break;
985 #endif
986 default: BUG();
987 }
988 ctxt->ops->put_fpu(ctxt);
989 }
990
991 static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
992 int reg)
993 {
994 ctxt->ops->get_fpu(ctxt);
995 switch (reg) {
996 case 0: asm("movdqa %0, %%xmm0" : : "m"(*data)); break;
997 case 1: asm("movdqa %0, %%xmm1" : : "m"(*data)); break;
998 case 2: asm("movdqa %0, %%xmm2" : : "m"(*data)); break;
999 case 3: asm("movdqa %0, %%xmm3" : : "m"(*data)); break;
1000 case 4: asm("movdqa %0, %%xmm4" : : "m"(*data)); break;
1001 case 5: asm("movdqa %0, %%xmm5" : : "m"(*data)); break;
1002 case 6: asm("movdqa %0, %%xmm6" : : "m"(*data)); break;
1003 case 7: asm("movdqa %0, %%xmm7" : : "m"(*data)); break;
1004 #ifdef CONFIG_X86_64
1005 case 8: asm("movdqa %0, %%xmm8" : : "m"(*data)); break;
1006 case 9: asm("movdqa %0, %%xmm9" : : "m"(*data)); break;
1007 case 10: asm("movdqa %0, %%xmm10" : : "m"(*data)); break;
1008 case 11: asm("movdqa %0, %%xmm11" : : "m"(*data)); break;
1009 case 12: asm("movdqa %0, %%xmm12" : : "m"(*data)); break;
1010 case 13: asm("movdqa %0, %%xmm13" : : "m"(*data)); break;
1011 case 14: asm("movdqa %0, %%xmm14" : : "m"(*data)); break;
1012 case 15: asm("movdqa %0, %%xmm15" : : "m"(*data)); break;
1013 #endif
1014 default: BUG();
1015 }
1016 ctxt->ops->put_fpu(ctxt);
1017 }
1018
1019 static void read_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
1020 {
1021 ctxt->ops->get_fpu(ctxt);
1022 switch (reg) {
1023 case 0: asm("movq %%mm0, %0" : "=m"(*data)); break;
1024 case 1: asm("movq %%mm1, %0" : "=m"(*data)); break;
1025 case 2: asm("movq %%mm2, %0" : "=m"(*data)); break;
1026 case 3: asm("movq %%mm3, %0" : "=m"(*data)); break;
1027 case 4: asm("movq %%mm4, %0" : "=m"(*data)); break;
1028 case 5: asm("movq %%mm5, %0" : "=m"(*data)); break;
1029 case 6: asm("movq %%mm6, %0" : "=m"(*data)); break;
1030 case 7: asm("movq %%mm7, %0" : "=m"(*data)); break;
1031 default: BUG();
1032 }
1033 ctxt->ops->put_fpu(ctxt);
1034 }
1035
1036 static void write_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
1037 {
1038 ctxt->ops->get_fpu(ctxt);
1039 switch (reg) {
1040 case 0: asm("movq %0, %%mm0" : : "m"(*data)); break;
1041 case 1: asm("movq %0, %%mm1" : : "m"(*data)); break;
1042 case 2: asm("movq %0, %%mm2" : : "m"(*data)); break;
1043 case 3: asm("movq %0, %%mm3" : : "m"(*data)); break;
1044 case 4: asm("movq %0, %%mm4" : : "m"(*data)); break;
1045 case 5: asm("movq %0, %%mm5" : : "m"(*data)); break;
1046 case 6: asm("movq %0, %%mm6" : : "m"(*data)); break;
1047 case 7: asm("movq %0, %%mm7" : : "m"(*data)); break;
1048 default: BUG();
1049 }
1050 ctxt->ops->put_fpu(ctxt);
1051 }
1052
1053 static int em_fninit(struct x86_emulate_ctxt *ctxt)
1054 {
1055 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1056 return emulate_nm(ctxt);
1057
1058 ctxt->ops->get_fpu(ctxt);
1059 asm volatile("fninit");
1060 ctxt->ops->put_fpu(ctxt);
1061 return X86EMUL_CONTINUE;
1062 }
1063
1064 static int em_fnstcw(struct x86_emulate_ctxt *ctxt)
1065 {
1066 u16 fcw;
1067
1068 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1069 return emulate_nm(ctxt);
1070
1071 ctxt->ops->get_fpu(ctxt);
1072 asm volatile("fnstcw %0": "+m"(fcw));
1073 ctxt->ops->put_fpu(ctxt);
1074
1075 ctxt->dst.val = fcw;
1076
1077 return X86EMUL_CONTINUE;
1078 }
1079
1080 static int em_fnstsw(struct x86_emulate_ctxt *ctxt)
1081 {
1082 u16 fsw;
1083
1084 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1085 return emulate_nm(ctxt);
1086
1087 ctxt->ops->get_fpu(ctxt);
1088 asm volatile("fnstsw %0": "+m"(fsw));
1089 ctxt->ops->put_fpu(ctxt);
1090
1091 ctxt->dst.val = fsw;
1092
1093 return X86EMUL_CONTINUE;
1094 }
1095
1096 static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
1097 struct operand *op)
1098 {
1099 unsigned reg = ctxt->modrm_reg;
1100
1101 if (!(ctxt->d & ModRM))
1102 reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3);
1103
1104 if (ctxt->d & Sse) {
1105 op->type = OP_XMM;
1106 op->bytes = 16;
1107 op->addr.xmm = reg;
1108 read_sse_reg(ctxt, &op->vec_val, reg);
1109 return;
1110 }
1111 if (ctxt->d & Mmx) {
1112 reg &= 7;
1113 op->type = OP_MM;
1114 op->bytes = 8;
1115 op->addr.mm = reg;
1116 return;
1117 }
1118
1119 op->type = OP_REG;
1120 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1121 op->addr.reg = decode_register(ctxt, reg, ctxt->d & ByteOp);
1122
1123 fetch_register_operand(op);
1124 op->orig_val = op->val;
1125 }
1126
1127 static void adjust_modrm_seg(struct x86_emulate_ctxt *ctxt, int base_reg)
1128 {
1129 if (base_reg == VCPU_REGS_RSP || base_reg == VCPU_REGS_RBP)
1130 ctxt->modrm_seg = VCPU_SREG_SS;
1131 }
1132
1133 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
1134 struct operand *op)
1135 {
1136 u8 sib;
1137 int index_reg, base_reg, scale;
1138 int rc = X86EMUL_CONTINUE;
1139 ulong modrm_ea = 0;
1140
1141 ctxt->modrm_reg = ((ctxt->rex_prefix << 1) & 8); /* REX.R */
1142 index_reg = (ctxt->rex_prefix << 2) & 8; /* REX.X */
1143 base_reg = (ctxt->rex_prefix << 3) & 8; /* REX.B */
1144
1145 ctxt->modrm_mod = (ctxt->modrm & 0xc0) >> 6;
1146 ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
1147 ctxt->modrm_rm = base_reg | (ctxt->modrm & 0x07);
1148 ctxt->modrm_seg = VCPU_SREG_DS;
1149
1150 if (ctxt->modrm_mod == 3 || (ctxt->d & NoMod)) {
1151 op->type = OP_REG;
1152 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1153 op->addr.reg = decode_register(ctxt, ctxt->modrm_rm,
1154 ctxt->d & ByteOp);
1155 if (ctxt->d & Sse) {
1156 op->type = OP_XMM;
1157 op->bytes = 16;
1158 op->addr.xmm = ctxt->modrm_rm;
1159 read_sse_reg(ctxt, &op->vec_val, ctxt->modrm_rm);
1160 return rc;
1161 }
1162 if (ctxt->d & Mmx) {
1163 op->type = OP_MM;
1164 op->bytes = 8;
1165 op->addr.mm = ctxt->modrm_rm & 7;
1166 return rc;
1167 }
1168 fetch_register_operand(op);
1169 return rc;
1170 }
1171
1172 op->type = OP_MEM;
1173
1174 if (ctxt->ad_bytes == 2) {
1175 unsigned bx = reg_read(ctxt, VCPU_REGS_RBX);
1176 unsigned bp = reg_read(ctxt, VCPU_REGS_RBP);
1177 unsigned si = reg_read(ctxt, VCPU_REGS_RSI);
1178 unsigned di = reg_read(ctxt, VCPU_REGS_RDI);
1179
1180 /* 16-bit ModR/M decode. */
1181 switch (ctxt->modrm_mod) {
1182 case 0:
1183 if (ctxt->modrm_rm == 6)
1184 modrm_ea += insn_fetch(u16, ctxt);
1185 break;
1186 case 1:
1187 modrm_ea += insn_fetch(s8, ctxt);
1188 break;
1189 case 2:
1190 modrm_ea += insn_fetch(u16, ctxt);
1191 break;
1192 }
1193 switch (ctxt->modrm_rm) {
1194 case 0:
1195 modrm_ea += bx + si;
1196 break;
1197 case 1:
1198 modrm_ea += bx + di;
1199 break;
1200 case 2:
1201 modrm_ea += bp + si;
1202 break;
1203 case 3:
1204 modrm_ea += bp + di;
1205 break;
1206 case 4:
1207 modrm_ea += si;
1208 break;
1209 case 5:
1210 modrm_ea += di;
1211 break;
1212 case 6:
1213 if (ctxt->modrm_mod != 0)
1214 modrm_ea += bp;
1215 break;
1216 case 7:
1217 modrm_ea += bx;
1218 break;
1219 }
1220 if (ctxt->modrm_rm == 2 || ctxt->modrm_rm == 3 ||
1221 (ctxt->modrm_rm == 6 && ctxt->modrm_mod != 0))
1222 ctxt->modrm_seg = VCPU_SREG_SS;
1223 modrm_ea = (u16)modrm_ea;
1224 } else {
1225 /* 32/64-bit ModR/M decode. */
1226 if ((ctxt->modrm_rm & 7) == 4) {
1227 sib = insn_fetch(u8, ctxt);
1228 index_reg |= (sib >> 3) & 7;
1229 base_reg |= sib & 7;
1230 scale = sib >> 6;
1231
1232 if ((base_reg & 7) == 5 && ctxt->modrm_mod == 0)
1233 modrm_ea += insn_fetch(s32, ctxt);
1234 else {
1235 modrm_ea += reg_read(ctxt, base_reg);
1236 adjust_modrm_seg(ctxt, base_reg);
1237 /* Increment ESP on POP [ESP] */
1238 if ((ctxt->d & IncSP) &&
1239 base_reg == VCPU_REGS_RSP)
1240 modrm_ea += ctxt->op_bytes;
1241 }
1242 if (index_reg != 4)
1243 modrm_ea += reg_read(ctxt, index_reg) << scale;
1244 } else if ((ctxt->modrm_rm & 7) == 5 && ctxt->modrm_mod == 0) {
1245 modrm_ea += insn_fetch(s32, ctxt);
1246 if (ctxt->mode == X86EMUL_MODE_PROT64)
1247 ctxt->rip_relative = 1;
1248 } else {
1249 base_reg = ctxt->modrm_rm;
1250 modrm_ea += reg_read(ctxt, base_reg);
1251 adjust_modrm_seg(ctxt, base_reg);
1252 }
1253 switch (ctxt->modrm_mod) {
1254 case 1:
1255 modrm_ea += insn_fetch(s8, ctxt);
1256 break;
1257 case 2:
1258 modrm_ea += insn_fetch(s32, ctxt);
1259 break;
1260 }
1261 }
1262 op->addr.mem.ea = modrm_ea;
1263 if (ctxt->ad_bytes != 8)
1264 ctxt->memop.addr.mem.ea = (u32)ctxt->memop.addr.mem.ea;
1265
1266 done:
1267 return rc;
1268 }
1269
1270 static int decode_abs(struct x86_emulate_ctxt *ctxt,
1271 struct operand *op)
1272 {
1273 int rc = X86EMUL_CONTINUE;
1274
1275 op->type = OP_MEM;
1276 switch (ctxt->ad_bytes) {
1277 case 2:
1278 op->addr.mem.ea = insn_fetch(u16, ctxt);
1279 break;
1280 case 4:
1281 op->addr.mem.ea = insn_fetch(u32, ctxt);
1282 break;
1283 case 8:
1284 op->addr.mem.ea = insn_fetch(u64, ctxt);
1285 break;
1286 }
1287 done:
1288 return rc;
1289 }
1290
1291 static void fetch_bit_operand(struct x86_emulate_ctxt *ctxt)
1292 {
1293 long sv = 0, mask;
1294
1295 if (ctxt->dst.type == OP_MEM && ctxt->src.type == OP_REG) {
1296 mask = ~((long)ctxt->dst.bytes * 8 - 1);
1297
1298 if (ctxt->src.bytes == 2)
1299 sv = (s16)ctxt->src.val & (s16)mask;
1300 else if (ctxt->src.bytes == 4)
1301 sv = (s32)ctxt->src.val & (s32)mask;
1302 else
1303 sv = (s64)ctxt->src.val & (s64)mask;
1304
1305 ctxt->dst.addr.mem.ea = address_mask(ctxt,
1306 ctxt->dst.addr.mem.ea + (sv >> 3));
1307 }
1308
1309 /* only subword offset */
1310 ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
1311 }
1312
1313 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1314 unsigned long addr, void *dest, unsigned size)
1315 {
1316 int rc;
1317 struct read_cache *mc = &ctxt->mem_read;
1318
1319 if (mc->pos < mc->end)
1320 goto read_cached;
1321
1322 WARN_ON((mc->end + size) >= sizeof(mc->data));
1323
1324 rc = ctxt->ops->read_emulated(ctxt, addr, mc->data + mc->end, size,
1325 &ctxt->exception);
1326 if (rc != X86EMUL_CONTINUE)
1327 return rc;
1328
1329 mc->end += size;
1330
1331 read_cached:
1332 memcpy(dest, mc->data + mc->pos, size);
1333 mc->pos += size;
1334 return X86EMUL_CONTINUE;
1335 }
1336
1337 static int segmented_read(struct x86_emulate_ctxt *ctxt,
1338 struct segmented_address addr,
1339 void *data,
1340 unsigned size)
1341 {
1342 int rc;
1343 ulong linear;
1344
1345 rc = linearize(ctxt, addr, size, false, &linear);
1346 if (rc != X86EMUL_CONTINUE)
1347 return rc;
1348 return read_emulated(ctxt, linear, data, size);
1349 }
1350
1351 static int segmented_write(struct x86_emulate_ctxt *ctxt,
1352 struct segmented_address addr,
1353 const void *data,
1354 unsigned size)
1355 {
1356 int rc;
1357 ulong linear;
1358
1359 rc = linearize(ctxt, addr, size, true, &linear);
1360 if (rc != X86EMUL_CONTINUE)
1361 return rc;
1362 return ctxt->ops->write_emulated(ctxt, linear, data, size,
1363 &ctxt->exception);
1364 }
1365
1366 static int segmented_cmpxchg(struct x86_emulate_ctxt *ctxt,
1367 struct segmented_address addr,
1368 const void *orig_data, const void *data,
1369 unsigned size)
1370 {
1371 int rc;
1372 ulong linear;
1373
1374 rc = linearize(ctxt, addr, size, true, &linear);
1375 if (rc != X86EMUL_CONTINUE)
1376 return rc;
1377 return ctxt->ops->cmpxchg_emulated(ctxt, linear, orig_data, data,
1378 size, &ctxt->exception);
1379 }
1380
1381 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1382 unsigned int size, unsigned short port,
1383 void *dest)
1384 {
1385 struct read_cache *rc = &ctxt->io_read;
1386
1387 if (rc->pos == rc->end) { /* refill pio read ahead */
1388 unsigned int in_page, n;
1389 unsigned int count = ctxt->rep_prefix ?
1390 address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) : 1;
1391 in_page = (ctxt->eflags & EFLG_DF) ?
1392 offset_in_page(reg_read(ctxt, VCPU_REGS_RDI)) :
1393 PAGE_SIZE - offset_in_page(reg_read(ctxt, VCPU_REGS_RDI));
1394 n = min3(in_page, (unsigned int)sizeof(rc->data) / size, count);
1395 if (n == 0)
1396 n = 1;
1397 rc->pos = rc->end = 0;
1398 if (!ctxt->ops->pio_in_emulated(ctxt, size, port, rc->data, n))
1399 return 0;
1400 rc->end = n * size;
1401 }
1402
1403 if (ctxt->rep_prefix && (ctxt->d & String) &&
1404 !(ctxt->eflags & EFLG_DF)) {
1405 ctxt->dst.data = rc->data + rc->pos;
1406 ctxt->dst.type = OP_MEM_STR;
1407 ctxt->dst.count = (rc->end - rc->pos) / size;
1408 rc->pos = rc->end;
1409 } else {
1410 memcpy(dest, rc->data + rc->pos, size);
1411 rc->pos += size;
1412 }
1413 return 1;
1414 }
1415
1416 static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt,
1417 u16 index, struct desc_struct *desc)
1418 {
1419 struct desc_ptr dt;
1420 ulong addr;
1421
1422 ctxt->ops->get_idt(ctxt, &dt);
1423
1424 if (dt.size < index * 8 + 7)
1425 return emulate_gp(ctxt, index << 3 | 0x2);
1426
1427 addr = dt.address + index * 8;
1428 return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
1429 &ctxt->exception);
1430 }
1431
1432 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1433 u16 selector, struct desc_ptr *dt)
1434 {
1435 const struct x86_emulate_ops *ops = ctxt->ops;
1436 u32 base3 = 0;
1437
1438 if (selector & 1 << 2) {
1439 struct desc_struct desc;
1440 u16 sel;
1441
1442 memset (dt, 0, sizeof *dt);
1443 if (!ops->get_segment(ctxt, &sel, &desc, &base3,
1444 VCPU_SREG_LDTR))
1445 return;
1446
1447 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1448 dt->address = get_desc_base(&desc) | ((u64)base3 << 32);
1449 } else
1450 ops->get_gdt(ctxt, dt);
1451 }
1452
1453 static int get_descriptor_ptr(struct x86_emulate_ctxt *ctxt,
1454 u16 selector, ulong *desc_addr_p)
1455 {
1456 struct desc_ptr dt;
1457 u16 index = selector >> 3;
1458 ulong addr;
1459
1460 get_descriptor_table_ptr(ctxt, selector, &dt);
1461
1462 if (dt.size < index * 8 + 7)
1463 return emulate_gp(ctxt, selector & 0xfffc);
1464
1465 addr = dt.address + index * 8;
1466
1467 #ifdef CONFIG_X86_64
1468 if (addr >> 32 != 0) {
1469 u64 efer = 0;
1470
1471 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1472 if (!(efer & EFER_LMA))
1473 addr &= (u32)-1;
1474 }
1475 #endif
1476
1477 *desc_addr_p = addr;
1478 return X86EMUL_CONTINUE;
1479 }
1480
1481 /* allowed just for 8 bytes segments */
1482 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1483 u16 selector, struct desc_struct *desc,
1484 ulong *desc_addr_p)
1485 {
1486 int rc;
1487
1488 rc = get_descriptor_ptr(ctxt, selector, desc_addr_p);
1489 if (rc != X86EMUL_CONTINUE)
1490 return rc;
1491
1492 return ctxt->ops->read_std(ctxt, *desc_addr_p, desc, sizeof(*desc),
1493 &ctxt->exception);
1494 }
1495
1496 /* allowed just for 8 bytes segments */
1497 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1498 u16 selector, struct desc_struct *desc)
1499 {
1500 int rc;
1501 ulong addr;
1502
1503 rc = get_descriptor_ptr(ctxt, selector, &addr);
1504 if (rc != X86EMUL_CONTINUE)
1505 return rc;
1506
1507 return ctxt->ops->write_std(ctxt, addr, desc, sizeof *desc,
1508 &ctxt->exception);
1509 }
1510
1511 /* Does not support long mode */
1512 static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1513 u16 selector, int seg, u8 cpl,
1514 enum x86_transfer_type transfer,
1515 struct desc_struct *desc)
1516 {
1517 struct desc_struct seg_desc, old_desc;
1518 u8 dpl, rpl;
1519 unsigned err_vec = GP_VECTOR;
1520 u32 err_code = 0;
1521 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1522 ulong desc_addr;
1523 int ret;
1524 u16 dummy;
1525 u32 base3 = 0;
1526
1527 memset(&seg_desc, 0, sizeof seg_desc);
1528
1529 if (ctxt->mode == X86EMUL_MODE_REAL) {
1530 /* set real mode segment descriptor (keep limit etc. for
1531 * unreal mode) */
1532 ctxt->ops->get_segment(ctxt, &dummy, &seg_desc, NULL, seg);
1533 set_desc_base(&seg_desc, selector << 4);
1534 goto load;
1535 } else if (seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86) {
1536 /* VM86 needs a clean new segment descriptor */
1537 set_desc_base(&seg_desc, selector << 4);
1538 set_desc_limit(&seg_desc, 0xffff);
1539 seg_desc.type = 3;
1540 seg_desc.p = 1;
1541 seg_desc.s = 1;
1542 seg_desc.dpl = 3;
1543 goto load;
1544 }
1545
1546 rpl = selector & 3;
1547
1548 /* NULL selector is not valid for TR, CS and SS (except for long mode) */
1549 if ((seg == VCPU_SREG_CS
1550 || (seg == VCPU_SREG_SS
1551 && (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl))
1552 || seg == VCPU_SREG_TR)
1553 && null_selector)
1554 goto exception;
1555
1556 /* TR should be in GDT only */
1557 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1558 goto exception;
1559
1560 if (null_selector) /* for NULL selector skip all following checks */
1561 goto load;
1562
1563 ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr);
1564 if (ret != X86EMUL_CONTINUE)
1565 return ret;
1566
1567 err_code = selector & 0xfffc;
1568 err_vec = (transfer == X86_TRANSFER_TASK_SWITCH) ? TS_VECTOR :
1569 GP_VECTOR;
1570
1571 /* can't load system descriptor into segment selector */
1572 if (seg <= VCPU_SREG_GS && !seg_desc.s) {
1573 if (transfer == X86_TRANSFER_CALL_JMP)
1574 return X86EMUL_UNHANDLEABLE;
1575 goto exception;
1576 }
1577
1578 if (!seg_desc.p) {
1579 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1580 goto exception;
1581 }
1582
1583 dpl = seg_desc.dpl;
1584
1585 switch (seg) {
1586 case VCPU_SREG_SS:
1587 /*
1588 * segment is not a writable data segment or segment
1589 * selector's RPL != CPL or segment selector's RPL != CPL
1590 */
1591 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1592 goto exception;
1593 break;
1594 case VCPU_SREG_CS:
1595 if (!(seg_desc.type & 8))
1596 goto exception;
1597
1598 if (seg_desc.type & 4) {
1599 /* conforming */
1600 if (dpl > cpl)
1601 goto exception;
1602 } else {
1603 /* nonconforming */
1604 if (rpl > cpl || dpl != cpl)
1605 goto exception;
1606 }
1607 /* in long-mode d/b must be clear if l is set */
1608 if (seg_desc.d && seg_desc.l) {
1609 u64 efer = 0;
1610
1611 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1612 if (efer & EFER_LMA)
1613 goto exception;
1614 }
1615
1616 /* CS(RPL) <- CPL */
1617 selector = (selector & 0xfffc) | cpl;
1618 break;
1619 case VCPU_SREG_TR:
1620 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1621 goto exception;
1622 old_desc = seg_desc;
1623 seg_desc.type |= 2; /* busy */
1624 ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
1625 sizeof(seg_desc), &ctxt->exception);
1626 if (ret != X86EMUL_CONTINUE)
1627 return ret;
1628 break;
1629 case VCPU_SREG_LDTR:
1630 if (seg_desc.s || seg_desc.type != 2)
1631 goto exception;
1632 break;
1633 default: /* DS, ES, FS, or GS */
1634 /*
1635 * segment is not a data or readable code segment or
1636 * ((segment is a data or nonconforming code segment)
1637 * and (both RPL and CPL > DPL))
1638 */
1639 if ((seg_desc.type & 0xa) == 0x8 ||
1640 (((seg_desc.type & 0xc) != 0xc) &&
1641 (rpl > dpl && cpl > dpl)))
1642 goto exception;
1643 break;
1644 }
1645
1646 if (seg_desc.s) {
1647 /* mark segment as accessed */
1648 if (!(seg_desc.type & 1)) {
1649 seg_desc.type |= 1;
1650 ret = write_segment_descriptor(ctxt, selector,
1651 &seg_desc);
1652 if (ret != X86EMUL_CONTINUE)
1653 return ret;
1654 }
1655 } else if (ctxt->mode == X86EMUL_MODE_PROT64) {
1656 ret = ctxt->ops->read_std(ctxt, desc_addr+8, &base3,
1657 sizeof(base3), &ctxt->exception);
1658 if (ret != X86EMUL_CONTINUE)
1659 return ret;
1660 if (is_noncanonical_address(get_desc_base(&seg_desc) |
1661 ((u64)base3 << 32)))
1662 return emulate_gp(ctxt, 0);
1663 }
1664 load:
1665 ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg);
1666 if (desc)
1667 *desc = seg_desc;
1668 return X86EMUL_CONTINUE;
1669 exception:
1670 return emulate_exception(ctxt, err_vec, err_code, true);
1671 }
1672
1673 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1674 u16 selector, int seg)
1675 {
1676 u8 cpl = ctxt->ops->cpl(ctxt);
1677 return __load_segment_descriptor(ctxt, selector, seg, cpl,
1678 X86_TRANSFER_NONE, NULL);
1679 }
1680
1681 static void write_register_operand(struct operand *op)
1682 {
1683 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1684 switch (op->bytes) {
1685 case 1:
1686 *(u8 *)op->addr.reg = (u8)op->val;
1687 break;
1688 case 2:
1689 *(u16 *)op->addr.reg = (u16)op->val;
1690 break;
1691 case 4:
1692 *op->addr.reg = (u32)op->val;
1693 break; /* 64b: zero-extend */
1694 case 8:
1695 *op->addr.reg = op->val;
1696 break;
1697 }
1698 }
1699
1700 static int writeback(struct x86_emulate_ctxt *ctxt, struct operand *op)
1701 {
1702 switch (op->type) {
1703 case OP_REG:
1704 write_register_operand(op);
1705 break;
1706 case OP_MEM:
1707 if (ctxt->lock_prefix)
1708 return segmented_cmpxchg(ctxt,
1709 op->addr.mem,
1710 &op->orig_val,
1711 &op->val,
1712 op->bytes);
1713 else
1714 return segmented_write(ctxt,
1715 op->addr.mem,
1716 &op->val,
1717 op->bytes);
1718 break;
1719 case OP_MEM_STR:
1720 return segmented_write(ctxt,
1721 op->addr.mem,
1722 op->data,
1723 op->bytes * op->count);
1724 break;
1725 case OP_XMM:
1726 write_sse_reg(ctxt, &op->vec_val, op->addr.xmm);
1727 break;
1728 case OP_MM:
1729 write_mmx_reg(ctxt, &op->mm_val, op->addr.mm);
1730 break;
1731 case OP_NONE:
1732 /* no writeback */
1733 break;
1734 default:
1735 break;
1736 }
1737 return X86EMUL_CONTINUE;
1738 }
1739
1740 static int push(struct x86_emulate_ctxt *ctxt, void *data, int bytes)
1741 {
1742 struct segmented_address addr;
1743
1744 rsp_increment(ctxt, -bytes);
1745 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1746 addr.seg = VCPU_SREG_SS;
1747
1748 return segmented_write(ctxt, addr, data, bytes);
1749 }
1750
1751 static int em_push(struct x86_emulate_ctxt *ctxt)
1752 {
1753 /* Disable writeback. */
1754 ctxt->dst.type = OP_NONE;
1755 return push(ctxt, &ctxt->src.val, ctxt->op_bytes);
1756 }
1757
1758 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1759 void *dest, int len)
1760 {
1761 int rc;
1762 struct segmented_address addr;
1763
1764 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1765 addr.seg = VCPU_SREG_SS;
1766 rc = segmented_read(ctxt, addr, dest, len);
1767 if (rc != X86EMUL_CONTINUE)
1768 return rc;
1769
1770 rsp_increment(ctxt, len);
1771 return rc;
1772 }
1773
1774 static int em_pop(struct x86_emulate_ctxt *ctxt)
1775 {
1776 return emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1777 }
1778
1779 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1780 void *dest, int len)
1781 {
1782 int rc;
1783 unsigned long val, change_mask;
1784 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1785 int cpl = ctxt->ops->cpl(ctxt);
1786
1787 rc = emulate_pop(ctxt, &val, len);
1788 if (rc != X86EMUL_CONTINUE)
1789 return rc;
1790
1791 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1792 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_AC | EFLG_ID;
1793
1794 switch(ctxt->mode) {
1795 case X86EMUL_MODE_PROT64:
1796 case X86EMUL_MODE_PROT32:
1797 case X86EMUL_MODE_PROT16:
1798 if (cpl == 0)
1799 change_mask |= EFLG_IOPL;
1800 if (cpl <= iopl)
1801 change_mask |= EFLG_IF;
1802 break;
1803 case X86EMUL_MODE_VM86:
1804 if (iopl < 3)
1805 return emulate_gp(ctxt, 0);
1806 change_mask |= EFLG_IF;
1807 break;
1808 default: /* real mode */
1809 change_mask |= (EFLG_IOPL | EFLG_IF);
1810 break;
1811 }
1812
1813 *(unsigned long *)dest =
1814 (ctxt->eflags & ~change_mask) | (val & change_mask);
1815
1816 return rc;
1817 }
1818
1819 static int em_popf(struct x86_emulate_ctxt *ctxt)
1820 {
1821 ctxt->dst.type = OP_REG;
1822 ctxt->dst.addr.reg = &ctxt->eflags;
1823 ctxt->dst.bytes = ctxt->op_bytes;
1824 return emulate_popf(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1825 }
1826
1827 static int em_enter(struct x86_emulate_ctxt *ctxt)
1828 {
1829 int rc;
1830 unsigned frame_size = ctxt->src.val;
1831 unsigned nesting_level = ctxt->src2.val & 31;
1832 ulong rbp;
1833
1834 if (nesting_level)
1835 return X86EMUL_UNHANDLEABLE;
1836
1837 rbp = reg_read(ctxt, VCPU_REGS_RBP);
1838 rc = push(ctxt, &rbp, stack_size(ctxt));
1839 if (rc != X86EMUL_CONTINUE)
1840 return rc;
1841 assign_masked(reg_rmw(ctxt, VCPU_REGS_RBP), reg_read(ctxt, VCPU_REGS_RSP),
1842 stack_mask(ctxt));
1843 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP),
1844 reg_read(ctxt, VCPU_REGS_RSP) - frame_size,
1845 stack_mask(ctxt));
1846 return X86EMUL_CONTINUE;
1847 }
1848
1849 static int em_leave(struct x86_emulate_ctxt *ctxt)
1850 {
1851 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP), reg_read(ctxt, VCPU_REGS_RBP),
1852 stack_mask(ctxt));
1853 return emulate_pop(ctxt, reg_rmw(ctxt, VCPU_REGS_RBP), ctxt->op_bytes);
1854 }
1855
1856 static int em_push_sreg(struct x86_emulate_ctxt *ctxt)
1857 {
1858 int seg = ctxt->src2.val;
1859
1860 ctxt->src.val = get_segment_selector(ctxt, seg);
1861 if (ctxt->op_bytes == 4) {
1862 rsp_increment(ctxt, -2);
1863 ctxt->op_bytes = 2;
1864 }
1865
1866 return em_push(ctxt);
1867 }
1868
1869 static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
1870 {
1871 int seg = ctxt->src2.val;
1872 unsigned long selector;
1873 int rc;
1874
1875 rc = emulate_pop(ctxt, &selector, 2);
1876 if (rc != X86EMUL_CONTINUE)
1877 return rc;
1878
1879 if (ctxt->modrm_reg == VCPU_SREG_SS)
1880 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
1881 if (ctxt->op_bytes > 2)
1882 rsp_increment(ctxt, ctxt->op_bytes - 2);
1883
1884 rc = load_segment_descriptor(ctxt, (u16)selector, seg);
1885 return rc;
1886 }
1887
1888 static int em_pusha(struct x86_emulate_ctxt *ctxt)
1889 {
1890 unsigned long old_esp = reg_read(ctxt, VCPU_REGS_RSP);
1891 int rc = X86EMUL_CONTINUE;
1892 int reg = VCPU_REGS_RAX;
1893
1894 while (reg <= VCPU_REGS_RDI) {
1895 (reg == VCPU_REGS_RSP) ?
1896 (ctxt->src.val = old_esp) : (ctxt->src.val = reg_read(ctxt, reg));
1897
1898 rc = em_push(ctxt);
1899 if (rc != X86EMUL_CONTINUE)
1900 return rc;
1901
1902 ++reg;
1903 }
1904
1905 return rc;
1906 }
1907
1908 static int em_pushf(struct x86_emulate_ctxt *ctxt)
1909 {
1910 ctxt->src.val = (unsigned long)ctxt->eflags & ~EFLG_VM;
1911 return em_push(ctxt);
1912 }
1913
1914 static int em_popa(struct x86_emulate_ctxt *ctxt)
1915 {
1916 int rc = X86EMUL_CONTINUE;
1917 int reg = VCPU_REGS_RDI;
1918
1919 while (reg >= VCPU_REGS_RAX) {
1920 if (reg == VCPU_REGS_RSP) {
1921 rsp_increment(ctxt, ctxt->op_bytes);
1922 --reg;
1923 }
1924
1925 rc = emulate_pop(ctxt, reg_rmw(ctxt, reg), ctxt->op_bytes);
1926 if (rc != X86EMUL_CONTINUE)
1927 break;
1928 --reg;
1929 }
1930 return rc;
1931 }
1932
1933 static int __emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
1934 {
1935 const struct x86_emulate_ops *ops = ctxt->ops;
1936 int rc;
1937 struct desc_ptr dt;
1938 gva_t cs_addr;
1939 gva_t eip_addr;
1940 u16 cs, eip;
1941
1942 /* TODO: Add limit checks */
1943 ctxt->src.val = ctxt->eflags;
1944 rc = em_push(ctxt);
1945 if (rc != X86EMUL_CONTINUE)
1946 return rc;
1947
1948 ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
1949
1950 ctxt->src.val = get_segment_selector(ctxt, VCPU_SREG_CS);
1951 rc = em_push(ctxt);
1952 if (rc != X86EMUL_CONTINUE)
1953 return rc;
1954
1955 ctxt->src.val = ctxt->_eip;
1956 rc = em_push(ctxt);
1957 if (rc != X86EMUL_CONTINUE)
1958 return rc;
1959
1960 ops->get_idt(ctxt, &dt);
1961
1962 eip_addr = dt.address + (irq << 2);
1963 cs_addr = dt.address + (irq << 2) + 2;
1964
1965 rc = ops->read_std(ctxt, cs_addr, &cs, 2, &ctxt->exception);
1966 if (rc != X86EMUL_CONTINUE)
1967 return rc;
1968
1969 rc = ops->read_std(ctxt, eip_addr, &eip, 2, &ctxt->exception);
1970 if (rc != X86EMUL_CONTINUE)
1971 return rc;
1972
1973 rc = load_segment_descriptor(ctxt, cs, VCPU_SREG_CS);
1974 if (rc != X86EMUL_CONTINUE)
1975 return rc;
1976
1977 ctxt->_eip = eip;
1978
1979 return rc;
1980 }
1981
1982 int emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
1983 {
1984 int rc;
1985
1986 invalidate_registers(ctxt);
1987 rc = __emulate_int_real(ctxt, irq);
1988 if (rc == X86EMUL_CONTINUE)
1989 writeback_registers(ctxt);
1990 return rc;
1991 }
1992
1993 static int emulate_int(struct x86_emulate_ctxt *ctxt, int irq)
1994 {
1995 switch(ctxt->mode) {
1996 case X86EMUL_MODE_REAL:
1997 return __emulate_int_real(ctxt, irq);
1998 case X86EMUL_MODE_VM86:
1999 case X86EMUL_MODE_PROT16:
2000 case X86EMUL_MODE_PROT32:
2001 case X86EMUL_MODE_PROT64:
2002 default:
2003 /* Protected mode interrupts unimplemented yet */
2004 return X86EMUL_UNHANDLEABLE;
2005 }
2006 }
2007
2008 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
2009 {
2010 int rc = X86EMUL_CONTINUE;
2011 unsigned long temp_eip = 0;
2012 unsigned long temp_eflags = 0;
2013 unsigned long cs = 0;
2014 unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
2015 EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
2016 EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
2017 unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
2018
2019 /* TODO: Add stack limit check */
2020
2021 rc = emulate_pop(ctxt, &temp_eip, ctxt->op_bytes);
2022
2023 if (rc != X86EMUL_CONTINUE)
2024 return rc;
2025
2026 if (temp_eip & ~0xffff)
2027 return emulate_gp(ctxt, 0);
2028
2029 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2030
2031 if (rc != X86EMUL_CONTINUE)
2032 return rc;
2033
2034 rc = emulate_pop(ctxt, &temp_eflags, ctxt->op_bytes);
2035
2036 if (rc != X86EMUL_CONTINUE)
2037 return rc;
2038
2039 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
2040
2041 if (rc != X86EMUL_CONTINUE)
2042 return rc;
2043
2044 ctxt->_eip = temp_eip;
2045
2046
2047 if (ctxt->op_bytes == 4)
2048 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
2049 else if (ctxt->op_bytes == 2) {
2050 ctxt->eflags &= ~0xffff;
2051 ctxt->eflags |= temp_eflags;
2052 }
2053
2054 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
2055 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
2056 ctxt->ops->set_nmi_mask(ctxt, false);
2057
2058 return rc;
2059 }
2060
2061 static int em_iret(struct x86_emulate_ctxt *ctxt)
2062 {
2063 switch(ctxt->mode) {
2064 case X86EMUL_MODE_REAL:
2065 return emulate_iret_real(ctxt);
2066 case X86EMUL_MODE_VM86:
2067 case X86EMUL_MODE_PROT16:
2068 case X86EMUL_MODE_PROT32:
2069 case X86EMUL_MODE_PROT64:
2070 default:
2071 /* iret from protected mode unimplemented yet */
2072 return X86EMUL_UNHANDLEABLE;
2073 }
2074 }
2075
2076 static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
2077 {
2078 int rc;
2079 unsigned short sel, old_sel;
2080 struct desc_struct old_desc, new_desc;
2081 const struct x86_emulate_ops *ops = ctxt->ops;
2082 u8 cpl = ctxt->ops->cpl(ctxt);
2083
2084 /* Assignment of RIP may only fail in 64-bit mode */
2085 if (ctxt->mode == X86EMUL_MODE_PROT64)
2086 ops->get_segment(ctxt, &old_sel, &old_desc, NULL,
2087 VCPU_SREG_CS);
2088
2089 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2090
2091 rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
2092 X86_TRANSFER_CALL_JMP,
2093 &new_desc);
2094 if (rc != X86EMUL_CONTINUE)
2095 return rc;
2096
2097 rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
2098 if (rc != X86EMUL_CONTINUE) {
2099 WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
2100 /* assigning eip failed; restore the old cs */
2101 ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS);
2102 return rc;
2103 }
2104 return rc;
2105 }
2106
2107 static int em_jmp_abs(struct x86_emulate_ctxt *ctxt)
2108 {
2109 return assign_eip_near(ctxt, ctxt->src.val);
2110 }
2111
2112 static int em_call_near_abs(struct x86_emulate_ctxt *ctxt)
2113 {
2114 int rc;
2115 long int old_eip;
2116
2117 old_eip = ctxt->_eip;
2118 rc = assign_eip_near(ctxt, ctxt->src.val);
2119 if (rc != X86EMUL_CONTINUE)
2120 return rc;
2121 ctxt->src.val = old_eip;
2122 rc = em_push(ctxt);
2123 return rc;
2124 }
2125
2126 static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
2127 {
2128 u64 old = ctxt->dst.orig_val64;
2129
2130 if (ctxt->dst.bytes == 16)
2131 return X86EMUL_UNHANDLEABLE;
2132
2133 if (((u32) (old >> 0) != (u32) reg_read(ctxt, VCPU_REGS_RAX)) ||
2134 ((u32) (old >> 32) != (u32) reg_read(ctxt, VCPU_REGS_RDX))) {
2135 *reg_write(ctxt, VCPU_REGS_RAX) = (u32) (old >> 0);
2136 *reg_write(ctxt, VCPU_REGS_RDX) = (u32) (old >> 32);
2137 ctxt->eflags &= ~EFLG_ZF;
2138 } else {
2139 ctxt->dst.val64 = ((u64)reg_read(ctxt, VCPU_REGS_RCX) << 32) |
2140 (u32) reg_read(ctxt, VCPU_REGS_RBX);
2141
2142 ctxt->eflags |= EFLG_ZF;
2143 }
2144 return X86EMUL_CONTINUE;
2145 }
2146
2147 static int em_ret(struct x86_emulate_ctxt *ctxt)
2148 {
2149 int rc;
2150 unsigned long eip;
2151
2152 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
2153 if (rc != X86EMUL_CONTINUE)
2154 return rc;
2155
2156 return assign_eip_near(ctxt, eip);
2157 }
2158
2159 static int em_ret_far(struct x86_emulate_ctxt *ctxt)
2160 {
2161 int rc;
2162 unsigned long eip, cs;
2163 u16 old_cs;
2164 int cpl = ctxt->ops->cpl(ctxt);
2165 struct desc_struct old_desc, new_desc;
2166 const struct x86_emulate_ops *ops = ctxt->ops;
2167
2168 if (ctxt->mode == X86EMUL_MODE_PROT64)
2169 ops->get_segment(ctxt, &old_cs, &old_desc, NULL,
2170 VCPU_SREG_CS);
2171
2172 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
2173 if (rc != X86EMUL_CONTINUE)
2174 return rc;
2175 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2176 if (rc != X86EMUL_CONTINUE)
2177 return rc;
2178 /* Outer-privilege level return is not implemented */
2179 if (ctxt->mode >= X86EMUL_MODE_PROT16 && (cs & 3) > cpl)
2180 return X86EMUL_UNHANDLEABLE;
2181 rc = __load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, cpl,
2182 X86_TRANSFER_RET,
2183 &new_desc);
2184 if (rc != X86EMUL_CONTINUE)
2185 return rc;
2186 rc = assign_eip_far(ctxt, eip, &new_desc);
2187 if (rc != X86EMUL_CONTINUE) {
2188 WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
2189 ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
2190 }
2191 return rc;
2192 }
2193
2194 static int em_ret_far_imm(struct x86_emulate_ctxt *ctxt)
2195 {
2196 int rc;
2197
2198 rc = em_ret_far(ctxt);
2199 if (rc != X86EMUL_CONTINUE)
2200 return rc;
2201 rsp_increment(ctxt, ctxt->src.val);
2202 return X86EMUL_CONTINUE;
2203 }
2204
2205 static int em_cmpxchg(struct x86_emulate_ctxt *ctxt)
2206 {
2207 /* Save real source value, then compare EAX against destination. */
2208 ctxt->dst.orig_val = ctxt->dst.val;
2209 ctxt->dst.val = reg_read(ctxt, VCPU_REGS_RAX);
2210 ctxt->src.orig_val = ctxt->src.val;
2211 ctxt->src.val = ctxt->dst.orig_val;
2212 fastop(ctxt, em_cmp);
2213
2214 if (ctxt->eflags & EFLG_ZF) {
2215 /* Success: write back to memory; no update of EAX */
2216 ctxt->src.type = OP_NONE;
2217 ctxt->dst.val = ctxt->src.orig_val;
2218 } else {
2219 /* Failure: write the value we saw to EAX. */
2220 ctxt->src.type = OP_REG;
2221 ctxt->src.addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
2222 ctxt->src.val = ctxt->dst.orig_val;
2223 /* Create write-cycle to dest by writing the same value */
2224 ctxt->dst.val = ctxt->dst.orig_val;
2225 }
2226 return X86EMUL_CONTINUE;
2227 }
2228
2229 static int em_lseg(struct x86_emulate_ctxt *ctxt)
2230 {
2231 int seg = ctxt->src2.val;
2232 unsigned short sel;
2233 int rc;
2234
2235 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2236
2237 rc = load_segment_descriptor(ctxt, sel, seg);
2238 if (rc != X86EMUL_CONTINUE)
2239 return rc;
2240
2241 ctxt->dst.val = ctxt->src.val;
2242 return rc;
2243 }
2244
2245 static void
2246 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
2247 struct desc_struct *cs, struct desc_struct *ss)
2248 {
2249 cs->l = 0; /* will be adjusted later */
2250 set_desc_base(cs, 0); /* flat segment */
2251 cs->g = 1; /* 4kb granularity */
2252 set_desc_limit(cs, 0xfffff); /* 4GB limit */
2253 cs->type = 0x0b; /* Read, Execute, Accessed */
2254 cs->s = 1;
2255 cs->dpl = 0; /* will be adjusted later */
2256 cs->p = 1;
2257 cs->d = 1;
2258 cs->avl = 0;
2259
2260 set_desc_base(ss, 0); /* flat segment */
2261 set_desc_limit(ss, 0xfffff); /* 4GB limit */
2262 ss->g = 1; /* 4kb granularity */
2263 ss->s = 1;
2264 ss->type = 0x03; /* Read/Write, Accessed */
2265 ss->d = 1; /* 32bit stack segment */
2266 ss->dpl = 0;
2267 ss->p = 1;
2268 ss->l = 0;
2269 ss->avl = 0;
2270 }
2271
2272 static bool vendor_intel(struct x86_emulate_ctxt *ctxt)
2273 {
2274 u32 eax, ebx, ecx, edx;
2275
2276 eax = ecx = 0;
2277 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
2278 return ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx
2279 && ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx
2280 && edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx;
2281 }
2282
2283 static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt)
2284 {
2285 const struct x86_emulate_ops *ops = ctxt->ops;
2286 u32 eax, ebx, ecx, edx;
2287
2288 /*
2289 * syscall should always be enabled in longmode - so only become
2290 * vendor specific (cpuid) if other modes are active...
2291 */
2292 if (ctxt->mode == X86EMUL_MODE_PROT64)
2293 return true;
2294
2295 eax = 0x00000000;
2296 ecx = 0x00000000;
2297 ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
2298 /*
2299 * Intel ("GenuineIntel")
2300 * remark: Intel CPUs only support "syscall" in 64bit
2301 * longmode. Also an 64bit guest with a
2302 * 32bit compat-app running will #UD !! While this
2303 * behaviour can be fixed (by emulating) into AMD
2304 * response - CPUs of AMD can't behave like Intel.
2305 */
2306 if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
2307 ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
2308 edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
2309 return false;
2310
2311 /* AMD ("AuthenticAMD") */
2312 if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
2313 ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
2314 edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
2315 return true;
2316
2317 /* AMD ("AMDisbetter!") */
2318 if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
2319 ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
2320 edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
2321 return true;
2322
2323 /* default: (not Intel, not AMD), apply Intel's stricter rules... */
2324 return false;
2325 }
2326
2327 static int em_syscall(struct x86_emulate_ctxt *ctxt)
2328 {
2329 const struct x86_emulate_ops *ops = ctxt->ops;
2330 struct desc_struct cs, ss;
2331 u64 msr_data;
2332 u16 cs_sel, ss_sel;
2333 u64 efer = 0;
2334
2335 /* syscall is not available in real mode */
2336 if (ctxt->mode == X86EMUL_MODE_REAL ||
2337 ctxt->mode == X86EMUL_MODE_VM86)
2338 return emulate_ud(ctxt);
2339
2340 if (!(em_syscall_is_enabled(ctxt)))
2341 return emulate_ud(ctxt);
2342
2343 ops->get_msr(ctxt, MSR_EFER, &efer);
2344 setup_syscalls_segments(ctxt, &cs, &ss);
2345
2346 if (!(efer & EFER_SCE))
2347 return emulate_ud(ctxt);
2348
2349 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2350 msr_data >>= 32;
2351 cs_sel = (u16)(msr_data & 0xfffc);
2352 ss_sel = (u16)(msr_data + 8);
2353
2354 if (efer & EFER_LMA) {
2355 cs.d = 0;
2356 cs.l = 1;
2357 }
2358 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2359 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2360
2361 *reg_write(ctxt, VCPU_REGS_RCX) = ctxt->_eip;
2362 if (efer & EFER_LMA) {
2363 #ifdef CONFIG_X86_64
2364 *reg_write(ctxt, VCPU_REGS_R11) = ctxt->eflags;
2365
2366 ops->get_msr(ctxt,
2367 ctxt->mode == X86EMUL_MODE_PROT64 ?
2368 MSR_LSTAR : MSR_CSTAR, &msr_data);
2369 ctxt->_eip = msr_data;
2370
2371 ops->get_msr(ctxt, MSR_SYSCALL_MASK, &msr_data);
2372 ctxt->eflags &= ~msr_data;
2373 ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
2374 #endif
2375 } else {
2376 /* legacy mode */
2377 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2378 ctxt->_eip = (u32)msr_data;
2379
2380 ctxt->eflags &= ~(EFLG_VM | EFLG_IF);
2381 }
2382
2383 return X86EMUL_CONTINUE;
2384 }
2385
2386 static int em_sysenter(struct x86_emulate_ctxt *ctxt)
2387 {
2388 const struct x86_emulate_ops *ops = ctxt->ops;
2389 struct desc_struct cs, ss;
2390 u64 msr_data;
2391 u16 cs_sel, ss_sel;
2392 u64 efer = 0;
2393
2394 ops->get_msr(ctxt, MSR_EFER, &efer);
2395 /* inject #GP if in real mode */
2396 if (ctxt->mode == X86EMUL_MODE_REAL)
2397 return emulate_gp(ctxt, 0);
2398
2399 /*
2400 * Not recognized on AMD in compat mode (but is recognized in legacy
2401 * mode).
2402 */
2403 if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
2404 && !vendor_intel(ctxt))
2405 return emulate_ud(ctxt);
2406
2407 /* sysenter/sysexit have not been tested in 64bit mode. */
2408 if (ctxt->mode == X86EMUL_MODE_PROT64)
2409 return X86EMUL_UNHANDLEABLE;
2410
2411 setup_syscalls_segments(ctxt, &cs, &ss);
2412
2413 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2414 switch (ctxt->mode) {
2415 case X86EMUL_MODE_PROT32:
2416 if ((msr_data & 0xfffc) == 0x0)
2417 return emulate_gp(ctxt, 0);
2418 break;
2419 case X86EMUL_MODE_PROT64:
2420 if (msr_data == 0x0)
2421 return emulate_gp(ctxt, 0);
2422 break;
2423 default:
2424 break;
2425 }
2426
2427 ctxt->eflags &= ~(EFLG_VM | EFLG_IF);
2428 cs_sel = (u16)msr_data;
2429 cs_sel &= ~SELECTOR_RPL_MASK;
2430 ss_sel = cs_sel + 8;
2431 ss_sel &= ~SELECTOR_RPL_MASK;
2432 if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
2433 cs.d = 0;
2434 cs.l = 1;
2435 }
2436
2437 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2438 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2439
2440 ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
2441 ctxt->_eip = msr_data;
2442
2443 ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
2444 *reg_write(ctxt, VCPU_REGS_RSP) = msr_data;
2445
2446 return X86EMUL_CONTINUE;
2447 }
2448
2449 static int em_sysexit(struct x86_emulate_ctxt *ctxt)
2450 {
2451 const struct x86_emulate_ops *ops = ctxt->ops;
2452 struct desc_struct cs, ss;
2453 u64 msr_data, rcx, rdx;
2454 int usermode;
2455 u16 cs_sel = 0, ss_sel = 0;
2456
2457 /* inject #GP if in real mode or Virtual 8086 mode */
2458 if (ctxt->mode == X86EMUL_MODE_REAL ||
2459 ctxt->mode == X86EMUL_MODE_VM86)
2460 return emulate_gp(ctxt, 0);
2461
2462 setup_syscalls_segments(ctxt, &cs, &ss);
2463
2464 if ((ctxt->rex_prefix & 0x8) != 0x0)
2465 usermode = X86EMUL_MODE_PROT64;
2466 else
2467 usermode = X86EMUL_MODE_PROT32;
2468
2469 rcx = reg_read(ctxt, VCPU_REGS_RCX);
2470 rdx = reg_read(ctxt, VCPU_REGS_RDX);
2471
2472 cs.dpl = 3;
2473 ss.dpl = 3;
2474 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2475 switch (usermode) {
2476 case X86EMUL_MODE_PROT32:
2477 cs_sel = (u16)(msr_data + 16);
2478 if ((msr_data & 0xfffc) == 0x0)
2479 return emulate_gp(ctxt, 0);
2480 ss_sel = (u16)(msr_data + 24);
2481 rcx = (u32)rcx;
2482 rdx = (u32)rdx;
2483 break;
2484 case X86EMUL_MODE_PROT64:
2485 cs_sel = (u16)(msr_data + 32);
2486 if (msr_data == 0x0)
2487 return emulate_gp(ctxt, 0);
2488 ss_sel = cs_sel + 8;
2489 cs.d = 0;
2490 cs.l = 1;
2491 if (is_noncanonical_address(rcx) ||
2492 is_noncanonical_address(rdx))
2493 return emulate_gp(ctxt, 0);
2494 break;
2495 }
2496 cs_sel |= SELECTOR_RPL_MASK;
2497 ss_sel |= SELECTOR_RPL_MASK;
2498
2499 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2500 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2501
2502 ctxt->_eip = rdx;
2503 *reg_write(ctxt, VCPU_REGS_RSP) = rcx;
2504
2505 return X86EMUL_CONTINUE;
2506 }
2507
2508 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt)
2509 {
2510 int iopl;
2511 if (ctxt->mode == X86EMUL_MODE_REAL)
2512 return false;
2513 if (ctxt->mode == X86EMUL_MODE_VM86)
2514 return true;
2515 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
2516 return ctxt->ops->cpl(ctxt) > iopl;
2517 }
2518
2519 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2520 u16 port, u16 len)
2521 {
2522 const struct x86_emulate_ops *ops = ctxt->ops;
2523 struct desc_struct tr_seg;
2524 u32 base3;
2525 int r;
2526 u16 tr, io_bitmap_ptr, perm, bit_idx = port & 0x7;
2527 unsigned mask = (1 << len) - 1;
2528 unsigned long base;
2529
2530 ops->get_segment(ctxt, &tr, &tr_seg, &base3, VCPU_SREG_TR);
2531 if (!tr_seg.p)
2532 return false;
2533 if (desc_limit_scaled(&tr_seg) < 103)
2534 return false;
2535 base = get_desc_base(&tr_seg);
2536 #ifdef CONFIG_X86_64
2537 base |= ((u64)base3) << 32;
2538 #endif
2539 r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL);
2540 if (r != X86EMUL_CONTINUE)
2541 return false;
2542 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2543 return false;
2544 r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL);
2545 if (r != X86EMUL_CONTINUE)
2546 return false;
2547 if ((perm >> bit_idx) & mask)
2548 return false;
2549 return true;
2550 }
2551
2552 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2553 u16 port, u16 len)
2554 {
2555 if (ctxt->perm_ok)
2556 return true;
2557
2558 if (emulator_bad_iopl(ctxt))
2559 if (!emulator_io_port_access_allowed(ctxt, port, len))
2560 return false;
2561
2562 ctxt->perm_ok = true;
2563
2564 return true;
2565 }
2566
2567 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2568 struct tss_segment_16 *tss)
2569 {
2570 tss->ip = ctxt->_eip;
2571 tss->flag = ctxt->eflags;
2572 tss->ax = reg_read(ctxt, VCPU_REGS_RAX);
2573 tss->cx = reg_read(ctxt, VCPU_REGS_RCX);
2574 tss->dx = reg_read(ctxt, VCPU_REGS_RDX);
2575 tss->bx = reg_read(ctxt, VCPU_REGS_RBX);
2576 tss->sp = reg_read(ctxt, VCPU_REGS_RSP);
2577 tss->bp = reg_read(ctxt, VCPU_REGS_RBP);
2578 tss->si = reg_read(ctxt, VCPU_REGS_RSI);
2579 tss->di = reg_read(ctxt, VCPU_REGS_RDI);
2580
2581 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2582 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2583 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2584 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2585 tss->ldt = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2586 }
2587
2588 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2589 struct tss_segment_16 *tss)
2590 {
2591 int ret;
2592 u8 cpl;
2593
2594 ctxt->_eip = tss->ip;
2595 ctxt->eflags = tss->flag | 2;
2596 *reg_write(ctxt, VCPU_REGS_RAX) = tss->ax;
2597 *reg_write(ctxt, VCPU_REGS_RCX) = tss->cx;
2598 *reg_write(ctxt, VCPU_REGS_RDX) = tss->dx;
2599 *reg_write(ctxt, VCPU_REGS_RBX) = tss->bx;
2600 *reg_write(ctxt, VCPU_REGS_RSP) = tss->sp;
2601 *reg_write(ctxt, VCPU_REGS_RBP) = tss->bp;
2602 *reg_write(ctxt, VCPU_REGS_RSI) = tss->si;
2603 *reg_write(ctxt, VCPU_REGS_RDI) = tss->di;
2604
2605 /*
2606 * SDM says that segment selectors are loaded before segment
2607 * descriptors
2608 */
2609 set_segment_selector(ctxt, tss->ldt, VCPU_SREG_LDTR);
2610 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2611 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2612 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2613 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2614
2615 cpl = tss->cs & 3;
2616
2617 /*
2618 * Now load segment descriptors. If fault happens at this stage
2619 * it is handled in a context of new task
2620 */
2621 ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl,
2622 X86_TRANSFER_TASK_SWITCH, NULL);
2623 if (ret != X86EMUL_CONTINUE)
2624 return ret;
2625 ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
2626 X86_TRANSFER_TASK_SWITCH, NULL);
2627 if (ret != X86EMUL_CONTINUE)
2628 return ret;
2629 ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
2630 X86_TRANSFER_TASK_SWITCH, NULL);
2631 if (ret != X86EMUL_CONTINUE)
2632 return ret;
2633 ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
2634 X86_TRANSFER_TASK_SWITCH, NULL);
2635 if (ret != X86EMUL_CONTINUE)
2636 return ret;
2637 ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
2638 X86_TRANSFER_TASK_SWITCH, NULL);
2639 if (ret != X86EMUL_CONTINUE)
2640 return ret;
2641
2642 return X86EMUL_CONTINUE;
2643 }
2644
2645 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2646 u16 tss_selector, u16 old_tss_sel,
2647 ulong old_tss_base, struct desc_struct *new_desc)
2648 {
2649 const struct x86_emulate_ops *ops = ctxt->ops;
2650 struct tss_segment_16 tss_seg;
2651 int ret;
2652 u32 new_tss_base = get_desc_base(new_desc);
2653
2654 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2655 &ctxt->exception);
2656 if (ret != X86EMUL_CONTINUE)
2657 return ret;
2658
2659 save_state_to_tss16(ctxt, &tss_seg);
2660
2661 ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2662 &ctxt->exception);
2663 if (ret != X86EMUL_CONTINUE)
2664 return ret;
2665
2666 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
2667 &ctxt->exception);
2668 if (ret != X86EMUL_CONTINUE)
2669 return ret;
2670
2671 if (old_tss_sel != 0xffff) {
2672 tss_seg.prev_task_link = old_tss_sel;
2673
2674 ret = ops->write_std(ctxt, new_tss_base,
2675 &tss_seg.prev_task_link,
2676 sizeof tss_seg.prev_task_link,
2677 &ctxt->exception);
2678 if (ret != X86EMUL_CONTINUE)
2679 return ret;
2680 }
2681
2682 return load_state_from_tss16(ctxt, &tss_seg);
2683 }
2684
2685 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2686 struct tss_segment_32 *tss)
2687 {
2688 /* CR3 and ldt selector are not saved intentionally */
2689 tss->eip = ctxt->_eip;
2690 tss->eflags = ctxt->eflags;
2691 tss->eax = reg_read(ctxt, VCPU_REGS_RAX);
2692 tss->ecx = reg_read(ctxt, VCPU_REGS_RCX);
2693 tss->edx = reg_read(ctxt, VCPU_REGS_RDX);
2694 tss->ebx = reg_read(ctxt, VCPU_REGS_RBX);
2695 tss->esp = reg_read(ctxt, VCPU_REGS_RSP);
2696 tss->ebp = reg_read(ctxt, VCPU_REGS_RBP);
2697 tss->esi = reg_read(ctxt, VCPU_REGS_RSI);
2698 tss->edi = reg_read(ctxt, VCPU_REGS_RDI);
2699
2700 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2701 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2702 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2703 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2704 tss->fs = get_segment_selector(ctxt, VCPU_SREG_FS);
2705 tss->gs = get_segment_selector(ctxt, VCPU_SREG_GS);
2706 }
2707
2708 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2709 struct tss_segment_32 *tss)
2710 {
2711 int ret;
2712 u8 cpl;
2713
2714 if (ctxt->ops->set_cr(ctxt, 3, tss->cr3))
2715 return emulate_gp(ctxt, 0);
2716 ctxt->_eip = tss->eip;
2717 ctxt->eflags = tss->eflags | 2;
2718
2719 /* General purpose registers */
2720 *reg_write(ctxt, VCPU_REGS_RAX) = tss->eax;
2721 *reg_write(ctxt, VCPU_REGS_RCX) = tss->ecx;
2722 *reg_write(ctxt, VCPU_REGS_RDX) = tss->edx;
2723 *reg_write(ctxt, VCPU_REGS_RBX) = tss->ebx;
2724 *reg_write(ctxt, VCPU_REGS_RSP) = tss->esp;
2725 *reg_write(ctxt, VCPU_REGS_RBP) = tss->ebp;
2726 *reg_write(ctxt, VCPU_REGS_RSI) = tss->esi;
2727 *reg_write(ctxt, VCPU_REGS_RDI) = tss->edi;
2728
2729 /*
2730 * SDM says that segment selectors are loaded before segment
2731 * descriptors. This is important because CPL checks will
2732 * use CS.RPL.
2733 */
2734 set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
2735 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2736 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2737 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2738 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2739 set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS);
2740 set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS);
2741
2742 /*
2743 * If we're switching between Protected Mode and VM86, we need to make
2744 * sure to update the mode before loading the segment descriptors so
2745 * that the selectors are interpreted correctly.
2746 */
2747 if (ctxt->eflags & X86_EFLAGS_VM) {
2748 ctxt->mode = X86EMUL_MODE_VM86;
2749 cpl = 3;
2750 } else {
2751 ctxt->mode = X86EMUL_MODE_PROT32;
2752 cpl = tss->cs & 3;
2753 }
2754
2755 /*
2756 * Now load segment descriptors. If fault happenes at this stage
2757 * it is handled in a context of new task
2758 */
2759 ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR,
2760 cpl, X86_TRANSFER_TASK_SWITCH, NULL);
2761 if (ret != X86EMUL_CONTINUE)
2762 return ret;
2763 ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
2764 X86_TRANSFER_TASK_SWITCH, NULL);
2765 if (ret != X86EMUL_CONTINUE)
2766 return ret;
2767 ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
2768 X86_TRANSFER_TASK_SWITCH, NULL);
2769 if (ret != X86EMUL_CONTINUE)
2770 return ret;
2771 ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
2772 X86_TRANSFER_TASK_SWITCH, NULL);
2773 if (ret != X86EMUL_CONTINUE)
2774 return ret;
2775 ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
2776 X86_TRANSFER_TASK_SWITCH, NULL);
2777 if (ret != X86EMUL_CONTINUE)
2778 return ret;
2779 ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl,
2780 X86_TRANSFER_TASK_SWITCH, NULL);
2781 if (ret != X86EMUL_CONTINUE)
2782 return ret;
2783 ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl,
2784 X86_TRANSFER_TASK_SWITCH, NULL);
2785 if (ret != X86EMUL_CONTINUE)
2786 return ret;
2787
2788 return X86EMUL_CONTINUE;
2789 }
2790
2791 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2792 u16 tss_selector, u16 old_tss_sel,
2793 ulong old_tss_base, struct desc_struct *new_desc)
2794 {
2795 const struct x86_emulate_ops *ops = ctxt->ops;
2796 struct tss_segment_32 tss_seg;
2797 int ret;
2798 u32 new_tss_base = get_desc_base(new_desc);
2799 u32 eip_offset = offsetof(struct tss_segment_32, eip);
2800 u32 ldt_sel_offset = offsetof(struct tss_segment_32, ldt_selector);
2801
2802 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2803 &ctxt->exception);
2804 if (ret != X86EMUL_CONTINUE)
2805 return ret;
2806
2807 save_state_to_tss32(ctxt, &tss_seg);
2808
2809 /* Only GP registers and segment selectors are saved */
2810 ret = ops->write_std(ctxt, old_tss_base + eip_offset, &tss_seg.eip,
2811 ldt_sel_offset - eip_offset, &ctxt->exception);
2812 if (ret != X86EMUL_CONTINUE)
2813 return ret;
2814
2815 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
2816 &ctxt->exception);
2817 if (ret != X86EMUL_CONTINUE)
2818 return ret;
2819
2820 if (old_tss_sel != 0xffff) {
2821 tss_seg.prev_task_link = old_tss_sel;
2822
2823 ret = ops->write_std(ctxt, new_tss_base,
2824 &tss_seg.prev_task_link,
2825 sizeof tss_seg.prev_task_link,
2826 &ctxt->exception);
2827 if (ret != X86EMUL_CONTINUE)
2828 return ret;
2829 }
2830
2831 return load_state_from_tss32(ctxt, &tss_seg);
2832 }
2833
2834 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2835 u16 tss_selector, int idt_index, int reason,
2836 bool has_error_code, u32 error_code)
2837 {
2838 const struct x86_emulate_ops *ops = ctxt->ops;
2839 struct desc_struct curr_tss_desc, next_tss_desc;
2840 int ret;
2841 u16 old_tss_sel = get_segment_selector(ctxt, VCPU_SREG_TR);
2842 ulong old_tss_base =
2843 ops->get_cached_segment_base(ctxt, VCPU_SREG_TR);
2844 u32 desc_limit;
2845 ulong desc_addr;
2846
2847 /* FIXME: old_tss_base == ~0 ? */
2848
2849 ret = read_segment_descriptor(ctxt, tss_selector, &next_tss_desc, &desc_addr);
2850 if (ret != X86EMUL_CONTINUE)
2851 return ret;
2852 ret = read_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc, &desc_addr);
2853 if (ret != X86EMUL_CONTINUE)
2854 return ret;
2855
2856 /* FIXME: check that next_tss_desc is tss */
2857
2858 /*
2859 * Check privileges. The three cases are task switch caused by...
2860 *
2861 * 1. jmp/call/int to task gate: Check against DPL of the task gate
2862 * 2. Exception/IRQ/iret: No check is performed
2863 * 3. jmp/call to TSS/task-gate: No check is performed since the
2864 * hardware checks it before exiting.
2865 */
2866 if (reason == TASK_SWITCH_GATE) {
2867 if (idt_index != -1) {
2868 /* Software interrupts */
2869 struct desc_struct task_gate_desc;
2870 int dpl;
2871
2872 ret = read_interrupt_descriptor(ctxt, idt_index,
2873 &task_gate_desc);
2874 if (ret != X86EMUL_CONTINUE)
2875 return ret;
2876
2877 dpl = task_gate_desc.dpl;
2878 if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
2879 return emulate_gp(ctxt, (idt_index << 3) | 0x2);
2880 }
2881 }
2882
2883 desc_limit = desc_limit_scaled(&next_tss_desc);
2884 if (!next_tss_desc.p ||
2885 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2886 desc_limit < 0x2b)) {
2887 return emulate_ts(ctxt, tss_selector & 0xfffc);
2888 }
2889
2890 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2891 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2892 write_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
2893 }
2894
2895 if (reason == TASK_SWITCH_IRET)
2896 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2897
2898 /* set back link to prev task only if NT bit is set in eflags
2899 note that old_tss_sel is not used after this point */
2900 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2901 old_tss_sel = 0xffff;
2902
2903 if (next_tss_desc.type & 8)
2904 ret = task_switch_32(ctxt, tss_selector, old_tss_sel,
2905 old_tss_base, &next_tss_desc);
2906 else
2907 ret = task_switch_16(ctxt, tss_selector, old_tss_sel,
2908 old_tss_base, &next_tss_desc);
2909 if (ret != X86EMUL_CONTINUE)
2910 return ret;
2911
2912 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2913 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2914
2915 if (reason != TASK_SWITCH_IRET) {
2916 next_tss_desc.type |= (1 << 1); /* set busy flag */
2917 write_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
2918 }
2919
2920 ops->set_cr(ctxt, 0, ops->get_cr(ctxt, 0) | X86_CR0_TS);
2921 ops->set_segment(ctxt, tss_selector, &next_tss_desc, 0, VCPU_SREG_TR);
2922
2923 if (has_error_code) {
2924 ctxt->op_bytes = ctxt->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2925 ctxt->lock_prefix = 0;
2926 ctxt->src.val = (unsigned long) error_code;
2927 ret = em_push(ctxt);
2928 }
2929
2930 return ret;
2931 }
2932
2933 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2934 u16 tss_selector, int idt_index, int reason,
2935 bool has_error_code, u32 error_code)
2936 {
2937 int rc;
2938
2939 invalidate_registers(ctxt);
2940 ctxt->_eip = ctxt->eip;
2941 ctxt->dst.type = OP_NONE;
2942
2943 rc = emulator_do_task_switch(ctxt, tss_selector, idt_index, reason,
2944 has_error_code, error_code);
2945
2946 if (rc == X86EMUL_CONTINUE) {
2947 ctxt->eip = ctxt->_eip;
2948 writeback_registers(ctxt);
2949 }
2950
2951 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
2952 }
2953
2954 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, int reg,
2955 struct operand *op)
2956 {
2957 int df = (ctxt->eflags & EFLG_DF) ? -op->count : op->count;
2958
2959 register_address_increment(ctxt, reg, df * op->bytes);
2960 op->addr.mem.ea = register_address(ctxt, reg);
2961 }
2962
2963 static int em_das(struct x86_emulate_ctxt *ctxt)
2964 {
2965 u8 al, old_al;
2966 bool af, cf, old_cf;
2967
2968 cf = ctxt->eflags & X86_EFLAGS_CF;
2969 al = ctxt->dst.val;
2970
2971 old_al = al;
2972 old_cf = cf;
2973 cf = false;
2974 af = ctxt->eflags & X86_EFLAGS_AF;
2975 if ((al & 0x0f) > 9 || af) {
2976 al -= 6;
2977 cf = old_cf | (al >= 250);
2978 af = true;
2979 } else {
2980 af = false;
2981 }
2982 if (old_al > 0x99 || old_cf) {
2983 al -= 0x60;
2984 cf = true;
2985 }
2986
2987 ctxt->dst.val = al;
2988 /* Set PF, ZF, SF */
2989 ctxt->src.type = OP_IMM;
2990 ctxt->src.val = 0;
2991 ctxt->src.bytes = 1;
2992 fastop(ctxt, em_or);
2993 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
2994 if (cf)
2995 ctxt->eflags |= X86_EFLAGS_CF;
2996 if (af)
2997 ctxt->eflags |= X86_EFLAGS_AF;
2998 return X86EMUL_CONTINUE;
2999 }
3000
3001 static int em_aam(struct x86_emulate_ctxt *ctxt)
3002 {
3003 u8 al, ah;
3004
3005 if (ctxt->src.val == 0)
3006 return emulate_de(ctxt);
3007
3008 al = ctxt->dst.val & 0xff;
3009 ah = al / ctxt->src.val;
3010 al %= ctxt->src.val;
3011
3012 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al | (ah << 8);
3013
3014 /* Set PF, ZF, SF */
3015 ctxt->src.type = OP_IMM;
3016 ctxt->src.val = 0;
3017 ctxt->src.bytes = 1;
3018 fastop(ctxt, em_or);
3019
3020 return X86EMUL_CONTINUE;
3021 }
3022
3023 static int em_aad(struct x86_emulate_ctxt *ctxt)
3024 {
3025 u8 al = ctxt->dst.val & 0xff;
3026 u8 ah = (ctxt->dst.val >> 8) & 0xff;
3027
3028 al = (al + (ah * ctxt->src.val)) & 0xff;
3029
3030 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al;
3031
3032 /* Set PF, ZF, SF */
3033 ctxt->src.type = OP_IMM;
3034 ctxt->src.val = 0;
3035 ctxt->src.bytes = 1;
3036 fastop(ctxt, em_or);
3037
3038 return X86EMUL_CONTINUE;
3039 }
3040
3041 static int em_call(struct x86_emulate_ctxt *ctxt)
3042 {
3043 int rc;
3044 long rel = ctxt->src.val;
3045
3046 ctxt->src.val = (unsigned long)ctxt->_eip;
3047 rc = jmp_rel(ctxt, rel);
3048 if (rc != X86EMUL_CONTINUE)
3049 return rc;
3050 return em_push(ctxt);
3051 }
3052
3053 static int em_call_far(struct x86_emulate_ctxt *ctxt)
3054 {
3055 u16 sel, old_cs;
3056 ulong old_eip;
3057 int rc;
3058 struct desc_struct old_desc, new_desc;
3059 const struct x86_emulate_ops *ops = ctxt->ops;
3060 int cpl = ctxt->ops->cpl(ctxt);
3061
3062 old_eip = ctxt->_eip;
3063 ops->get_segment(ctxt, &old_cs, &old_desc, NULL, VCPU_SREG_CS);
3064
3065 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
3066 rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
3067 X86_TRANSFER_CALL_JMP, &new_desc);
3068 if (rc != X86EMUL_CONTINUE)
3069 return rc;
3070
3071 rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
3072 if (rc != X86EMUL_CONTINUE)
3073 goto fail;
3074
3075 ctxt->src.val = old_cs;
3076 rc = em_push(ctxt);
3077 if (rc != X86EMUL_CONTINUE)
3078 goto fail;
3079
3080 ctxt->src.val = old_eip;
3081 rc = em_push(ctxt);
3082 /* If we failed, we tainted the memory, but the very least we should
3083 restore cs */
3084 if (rc != X86EMUL_CONTINUE)
3085 goto fail;
3086 return rc;
3087 fail:
3088 ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
3089 return rc;
3090
3091 }
3092
3093 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
3094 {
3095 int rc;
3096 unsigned long eip;
3097
3098 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
3099 if (rc != X86EMUL_CONTINUE)
3100 return rc;
3101 rc = assign_eip_near(ctxt, eip);
3102 if (rc != X86EMUL_CONTINUE)
3103 return rc;
3104 rsp_increment(ctxt, ctxt->src.val);
3105 return X86EMUL_CONTINUE;
3106 }
3107
3108 static int em_xchg(struct x86_emulate_ctxt *ctxt)
3109 {
3110 /* Write back the register source. */
3111 ctxt->src.val = ctxt->dst.val;
3112 write_register_operand(&ctxt->src);
3113
3114 /* Write back the memory destination with implicit LOCK prefix. */
3115 ctxt->dst.val = ctxt->src.orig_val;
3116 ctxt->lock_prefix = 1;
3117 return X86EMUL_CONTINUE;
3118 }
3119
3120 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
3121 {
3122 ctxt->dst.val = ctxt->src2.val;
3123 return fastop(ctxt, em_imul);
3124 }
3125
3126 static int em_cwd(struct x86_emulate_ctxt *ctxt)
3127 {
3128 ctxt->dst.type = OP_REG;
3129 ctxt->dst.bytes = ctxt->src.bytes;
3130 ctxt->dst.addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
3131 ctxt->dst.val = ~((ctxt->src.val >> (ctxt->src.bytes * 8 - 1)) - 1);
3132
3133 return X86EMUL_CONTINUE;
3134 }
3135
3136 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
3137 {
3138 u64 tsc = 0;
3139
3140 ctxt->ops->get_msr(ctxt, MSR_IA32_TSC, &tsc);
3141 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)tsc;
3142 *reg_write(ctxt, VCPU_REGS_RDX) = tsc >> 32;
3143 return X86EMUL_CONTINUE;
3144 }
3145
3146 static int em_rdpmc(struct x86_emulate_ctxt *ctxt)
3147 {
3148 u64 pmc;
3149
3150 if (ctxt->ops->read_pmc(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &pmc))
3151 return emulate_gp(ctxt, 0);
3152 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)pmc;
3153 *reg_write(ctxt, VCPU_REGS_RDX) = pmc >> 32;
3154 return X86EMUL_CONTINUE;
3155 }
3156
3157 static int em_mov(struct x86_emulate_ctxt *ctxt)
3158 {
3159 memcpy(ctxt->dst.valptr, ctxt->src.valptr, sizeof(ctxt->src.valptr));
3160 return X86EMUL_CONTINUE;
3161 }
3162
3163 #define FFL(x) bit(X86_FEATURE_##x)
3164
3165 static int em_movbe(struct x86_emulate_ctxt *ctxt)
3166 {
3167 u32 ebx, ecx, edx, eax = 1;
3168 u16 tmp;
3169
3170 /*
3171 * Check MOVBE is set in the guest-visible CPUID leaf.
3172 */
3173 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
3174 if (!(ecx & FFL(MOVBE)))
3175 return emulate_ud(ctxt);
3176
3177 switch (ctxt->op_bytes) {
3178 case 2:
3179 /*
3180 * From MOVBE definition: "...When the operand size is 16 bits,
3181 * the upper word of the destination register remains unchanged
3182 * ..."
3183 *
3184 * Both casting ->valptr and ->val to u16 breaks strict aliasing
3185 * rules so we have to do the operation almost per hand.
3186 */
3187 tmp = (u16)ctxt->src.val;
3188 ctxt->dst.val &= ~0xffffUL;
3189 ctxt->dst.val |= (unsigned long)swab16(tmp);
3190 break;
3191 case 4:
3192 ctxt->dst.val = swab32((u32)ctxt->src.val);
3193 break;
3194 case 8:
3195 ctxt->dst.val = swab64(ctxt->src.val);
3196 break;
3197 default:
3198 BUG();
3199 }
3200 return X86EMUL_CONTINUE;
3201 }
3202
3203 static int em_cr_write(struct x86_emulate_ctxt *ctxt)
3204 {
3205 if (ctxt->ops->set_cr(ctxt, ctxt->modrm_reg, ctxt->src.val))
3206 return emulate_gp(ctxt, 0);
3207
3208 /* Disable writeback. */
3209 ctxt->dst.type = OP_NONE;
3210 return X86EMUL_CONTINUE;
3211 }
3212
3213 static int em_dr_write(struct x86_emulate_ctxt *ctxt)
3214 {
3215 unsigned long val;
3216
3217 if (ctxt->mode == X86EMUL_MODE_PROT64)
3218 val = ctxt->src.val & ~0ULL;
3219 else
3220 val = ctxt->src.val & ~0U;
3221
3222 /* #UD condition is already handled. */
3223 if (ctxt->ops->set_dr(ctxt, ctxt->modrm_reg, val) < 0)
3224 return emulate_gp(ctxt, 0);
3225
3226 /* Disable writeback. */
3227 ctxt->dst.type = OP_NONE;
3228 return X86EMUL_CONTINUE;
3229 }
3230
3231 static int em_wrmsr(struct x86_emulate_ctxt *ctxt)
3232 {
3233 u64 msr_data;
3234
3235 msr_data = (u32)reg_read(ctxt, VCPU_REGS_RAX)
3236 | ((u64)reg_read(ctxt, VCPU_REGS_RDX) << 32);
3237 if (ctxt->ops->set_msr(ctxt, reg_read(ctxt, VCPU_REGS_RCX), msr_data))
3238 return emulate_gp(ctxt, 0);
3239
3240 return X86EMUL_CONTINUE;
3241 }
3242
3243 static int em_rdmsr(struct x86_emulate_ctxt *ctxt)
3244 {
3245 u64 msr_data;
3246
3247 if (ctxt->ops->get_msr(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &msr_data))
3248 return emulate_gp(ctxt, 0);
3249
3250 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)msr_data;
3251 *reg_write(ctxt, VCPU_REGS_RDX) = msr_data >> 32;
3252 return X86EMUL_CONTINUE;
3253 }
3254
3255 static int em_mov_rm_sreg(struct x86_emulate_ctxt *ctxt)
3256 {
3257 if (ctxt->modrm_reg > VCPU_SREG_GS)
3258 return emulate_ud(ctxt);
3259
3260 ctxt->dst.val = get_segment_selector(ctxt, ctxt->modrm_reg);
3261 if (ctxt->dst.bytes == 4 && ctxt->dst.type == OP_MEM)
3262 ctxt->dst.bytes = 2;
3263 return X86EMUL_CONTINUE;
3264 }
3265
3266 static int em_mov_sreg_rm(struct x86_emulate_ctxt *ctxt)
3267 {
3268 u16 sel = ctxt->src.val;
3269
3270 if (ctxt->modrm_reg == VCPU_SREG_CS || ctxt->modrm_reg > VCPU_SREG_GS)
3271 return emulate_ud(ctxt);
3272
3273 if (ctxt->modrm_reg == VCPU_SREG_SS)
3274 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3275
3276 /* Disable writeback. */
3277 ctxt->dst.type = OP_NONE;
3278 return load_segment_descriptor(ctxt, sel, ctxt->modrm_reg);
3279 }
3280
3281 static int em_lldt(struct x86_emulate_ctxt *ctxt)
3282 {
3283 u16 sel = ctxt->src.val;
3284
3285 /* Disable writeback. */
3286 ctxt->dst.type = OP_NONE;
3287 return load_segment_descriptor(ctxt, sel, VCPU_SREG_LDTR);
3288 }
3289
3290 static int em_ltr(struct x86_emulate_ctxt *ctxt)
3291 {
3292 u16 sel = ctxt->src.val;
3293
3294 /* Disable writeback. */
3295 ctxt->dst.type = OP_NONE;
3296 return load_segment_descriptor(ctxt, sel, VCPU_SREG_TR);
3297 }
3298
3299 static int em_invlpg(struct x86_emulate_ctxt *ctxt)
3300 {
3301 int rc;
3302 ulong linear;
3303
3304 rc = linearize(ctxt, ctxt->src.addr.mem, 1, false, &linear);
3305 if (rc == X86EMUL_CONTINUE)
3306 ctxt->ops->invlpg(ctxt, linear);
3307 /* Disable writeback. */
3308 ctxt->dst.type = OP_NONE;
3309 return X86EMUL_CONTINUE;
3310 }
3311
3312 static int em_clts(struct x86_emulate_ctxt *ctxt)
3313 {
3314 ulong cr0;
3315
3316 cr0 = ctxt->ops->get_cr(ctxt, 0);
3317 cr0 &= ~X86_CR0_TS;
3318 ctxt->ops->set_cr(ctxt, 0, cr0);
3319 return X86EMUL_CONTINUE;
3320 }
3321
3322 static int em_vmcall(struct x86_emulate_ctxt *ctxt)
3323 {
3324 int rc = ctxt->ops->fix_hypercall(ctxt);
3325
3326 if (rc != X86EMUL_CONTINUE)
3327 return rc;
3328
3329 /* Let the processor re-execute the fixed hypercall */
3330 ctxt->_eip = ctxt->eip;
3331 /* Disable writeback. */
3332 ctxt->dst.type = OP_NONE;
3333 return X86EMUL_CONTINUE;
3334 }
3335
3336 static int emulate_store_desc_ptr(struct x86_emulate_ctxt *ctxt,
3337 void (*get)(struct x86_emulate_ctxt *ctxt,
3338 struct desc_ptr *ptr))
3339 {
3340 struct desc_ptr desc_ptr;
3341
3342 if (ctxt->mode == X86EMUL_MODE_PROT64)
3343 ctxt->op_bytes = 8;
3344 get(ctxt, &desc_ptr);
3345 if (ctxt->op_bytes == 2) {
3346 ctxt->op_bytes = 4;
3347 desc_ptr.address &= 0x00ffffff;
3348 }
3349 /* Disable writeback. */
3350 ctxt->dst.type = OP_NONE;
3351 return segmented_write(ctxt, ctxt->dst.addr.mem,
3352 &desc_ptr, 2 + ctxt->op_bytes);
3353 }
3354
3355 static int em_sgdt(struct x86_emulate_ctxt *ctxt)
3356 {
3357 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_gdt);
3358 }
3359
3360 static int em_sidt(struct x86_emulate_ctxt *ctxt)
3361 {
3362 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_idt);
3363 }
3364
3365 static int em_lgdt_lidt(struct x86_emulate_ctxt *ctxt, bool lgdt)
3366 {
3367 struct desc_ptr desc_ptr;
3368 int rc;
3369
3370 if (ctxt->mode == X86EMUL_MODE_PROT64)
3371 ctxt->op_bytes = 8;
3372 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
3373 &desc_ptr.size, &desc_ptr.address,
3374 ctxt->op_bytes);
3375 if (rc != X86EMUL_CONTINUE)
3376 return rc;
3377 if (ctxt->mode == X86EMUL_MODE_PROT64 &&
3378 is_noncanonical_address(desc_ptr.address))
3379 return emulate_gp(ctxt, 0);
3380 if (lgdt)
3381 ctxt->ops->set_gdt(ctxt, &desc_ptr);
3382 else
3383 ctxt->ops->set_idt(ctxt, &desc_ptr);
3384 /* Disable writeback. */
3385 ctxt->dst.type = OP_NONE;
3386 return X86EMUL_CONTINUE;
3387 }
3388
3389 static int em_lgdt(struct x86_emulate_ctxt *ctxt)
3390 {
3391 return em_lgdt_lidt(ctxt, true);
3392 }
3393
3394 static int em_vmmcall(struct x86_emulate_ctxt *ctxt)
3395 {
3396 int rc;
3397
3398 rc = ctxt->ops->fix_hypercall(ctxt);
3399
3400 /* Disable writeback. */
3401 ctxt->dst.type = OP_NONE;
3402 return rc;
3403 }
3404
3405 static int em_lidt(struct x86_emulate_ctxt *ctxt)
3406 {
3407 return em_lgdt_lidt(ctxt, false);
3408 }
3409
3410 static int em_smsw(struct x86_emulate_ctxt *ctxt)
3411 {
3412 if (ctxt->dst.type == OP_MEM)
3413 ctxt->dst.bytes = 2;
3414 ctxt->dst.val = ctxt->ops->get_cr(ctxt, 0);
3415 return X86EMUL_CONTINUE;
3416 }
3417
3418 static int em_lmsw(struct x86_emulate_ctxt *ctxt)
3419 {
3420 ctxt->ops->set_cr(ctxt, 0, (ctxt->ops->get_cr(ctxt, 0) & ~0x0eul)
3421 | (ctxt->src.val & 0x0f));
3422 ctxt->dst.type = OP_NONE;
3423 return X86EMUL_CONTINUE;
3424 }
3425
3426 static int em_loop(struct x86_emulate_ctxt *ctxt)
3427 {
3428 int rc = X86EMUL_CONTINUE;
3429
3430 register_address_increment(ctxt, VCPU_REGS_RCX, -1);
3431 if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) &&
3432 (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
3433 rc = jmp_rel(ctxt, ctxt->src.val);
3434
3435 return rc;
3436 }
3437
3438 static int em_jcxz(struct x86_emulate_ctxt *ctxt)
3439 {
3440 int rc = X86EMUL_CONTINUE;
3441
3442 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0)
3443 rc = jmp_rel(ctxt, ctxt->src.val);
3444
3445 return rc;
3446 }
3447
3448 static int em_in(struct x86_emulate_ctxt *ctxt)
3449 {
3450 if (!pio_in_emulated(ctxt, ctxt->dst.bytes, ctxt->src.val,
3451 &ctxt->dst.val))
3452 return X86EMUL_IO_NEEDED;
3453
3454 return X86EMUL_CONTINUE;
3455 }
3456
3457 static int em_out(struct x86_emulate_ctxt *ctxt)
3458 {
3459 ctxt->ops->pio_out_emulated(ctxt, ctxt->src.bytes, ctxt->dst.val,
3460 &ctxt->src.val, 1);
3461 /* Disable writeback. */
3462 ctxt->dst.type = OP_NONE;
3463 return X86EMUL_CONTINUE;
3464 }
3465
3466 static int em_cli(struct x86_emulate_ctxt *ctxt)
3467 {
3468 if (emulator_bad_iopl(ctxt))
3469 return emulate_gp(ctxt, 0);
3470
3471 ctxt->eflags &= ~X86_EFLAGS_IF;
3472 return X86EMUL_CONTINUE;
3473 }
3474
3475 static int em_sti(struct x86_emulate_ctxt *ctxt)
3476 {
3477 if (emulator_bad_iopl(ctxt))
3478 return emulate_gp(ctxt, 0);
3479
3480 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3481 ctxt->eflags |= X86_EFLAGS_IF;
3482 return X86EMUL_CONTINUE;
3483 }
3484
3485 static int em_cpuid(struct x86_emulate_ctxt *ctxt)
3486 {
3487 u32 eax, ebx, ecx, edx;
3488
3489 eax = reg_read(ctxt, VCPU_REGS_RAX);
3490 ecx = reg_read(ctxt, VCPU_REGS_RCX);
3491 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
3492 *reg_write(ctxt, VCPU_REGS_RAX) = eax;
3493 *reg_write(ctxt, VCPU_REGS_RBX) = ebx;
3494 *reg_write(ctxt, VCPU_REGS_RCX) = ecx;
3495 *reg_write(ctxt, VCPU_REGS_RDX) = edx;
3496 return X86EMUL_CONTINUE;
3497 }
3498
3499 static int em_sahf(struct x86_emulate_ctxt *ctxt)
3500 {
3501 u32 flags;
3502
3503 flags = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF;
3504 flags &= *reg_rmw(ctxt, VCPU_REGS_RAX) >> 8;
3505
3506 ctxt->eflags &= ~0xffUL;
3507 ctxt->eflags |= flags | X86_EFLAGS_FIXED;
3508 return X86EMUL_CONTINUE;
3509 }
3510
3511 static int em_lahf(struct x86_emulate_ctxt *ctxt)
3512 {
3513 *reg_rmw(ctxt, VCPU_REGS_RAX) &= ~0xff00UL;
3514 *reg_rmw(ctxt, VCPU_REGS_RAX) |= (ctxt->eflags & 0xff) << 8;
3515 return X86EMUL_CONTINUE;
3516 }
3517
3518 static int em_bswap(struct x86_emulate_ctxt *ctxt)
3519 {
3520 switch (ctxt->op_bytes) {
3521 #ifdef CONFIG_X86_64
3522 case 8:
3523 asm("bswap %0" : "+r"(ctxt->dst.val));
3524 break;
3525 #endif
3526 default:
3527 asm("bswap %0" : "+r"(*(u32 *)&ctxt->dst.val));
3528 break;
3529 }
3530 return X86EMUL_CONTINUE;
3531 }
3532
3533 static int em_clflush(struct x86_emulate_ctxt *ctxt)
3534 {
3535 /* emulating clflush regardless of cpuid */
3536 return X86EMUL_CONTINUE;
3537 }
3538
3539 static int em_movsxd(struct x86_emulate_ctxt *ctxt)
3540 {
3541 ctxt->dst.val = (s32) ctxt->src.val;
3542 return X86EMUL_CONTINUE;
3543 }
3544
3545 static bool valid_cr(int nr)
3546 {
3547 switch (nr) {
3548 case 0:
3549 case 2 ... 4:
3550 case 8:
3551 return true;
3552 default:
3553 return false;
3554 }
3555 }
3556
3557 static int check_cr_read(struct x86_emulate_ctxt *ctxt)
3558 {
3559 if (!valid_cr(ctxt->modrm_reg))
3560 return emulate_ud(ctxt);
3561
3562 return X86EMUL_CONTINUE;
3563 }
3564
3565 static int check_cr_write(struct x86_emulate_ctxt *ctxt)
3566 {
3567 u64 new_val = ctxt->src.val64;
3568 int cr = ctxt->modrm_reg;
3569 u64 efer = 0;
3570
3571 static u64 cr_reserved_bits[] = {
3572 0xffffffff00000000ULL,
3573 0, 0, 0, /* CR3 checked later */
3574 CR4_RESERVED_BITS,
3575 0, 0, 0,
3576 CR8_RESERVED_BITS,
3577 };
3578
3579 if (!valid_cr(cr))
3580 return emulate_ud(ctxt);
3581
3582 if (new_val & cr_reserved_bits[cr])
3583 return emulate_gp(ctxt, 0);
3584
3585 switch (cr) {
3586 case 0: {
3587 u64 cr4;
3588 if (((new_val & X86_CR0_PG) && !(new_val & X86_CR0_PE)) ||
3589 ((new_val & X86_CR0_NW) && !(new_val & X86_CR0_CD)))
3590 return emulate_gp(ctxt, 0);
3591
3592 cr4 = ctxt->ops->get_cr(ctxt, 4);
3593 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3594
3595 if ((new_val & X86_CR0_PG) && (efer & EFER_LME) &&
3596 !(cr4 & X86_CR4_PAE))
3597 return emulate_gp(ctxt, 0);
3598
3599 break;
3600 }
3601 case 3: {
3602 u64 rsvd = 0;
3603
3604 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3605 if (efer & EFER_LMA)
3606 rsvd = CR3_L_MODE_RESERVED_BITS & ~CR3_PCID_INVD;
3607
3608 if (new_val & rsvd)
3609 return emulate_gp(ctxt, 0);
3610
3611 break;
3612 }
3613 case 4: {
3614 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3615
3616 if ((efer & EFER_LMA) && !(new_val & X86_CR4_PAE))
3617 return emulate_gp(ctxt, 0);
3618
3619 break;
3620 }
3621 }
3622
3623 return X86EMUL_CONTINUE;
3624 }
3625
3626 static int check_dr7_gd(struct x86_emulate_ctxt *ctxt)
3627 {
3628 unsigned long dr7;
3629
3630 ctxt->ops->get_dr(ctxt, 7, &dr7);
3631
3632 /* Check if DR7.Global_Enable is set */
3633 return dr7 & (1 << 13);
3634 }
3635
3636 static int check_dr_read(struct x86_emulate_ctxt *ctxt)
3637 {
3638 int dr = ctxt->modrm_reg;
3639 u64 cr4;
3640
3641 if (dr > 7)
3642 return emulate_ud(ctxt);
3643
3644 cr4 = ctxt->ops->get_cr(ctxt, 4);
3645 if ((cr4 & X86_CR4_DE) && (dr == 4 || dr == 5))
3646 return emulate_ud(ctxt);
3647
3648 if (check_dr7_gd(ctxt)) {
3649 ulong dr6;
3650
3651 ctxt->ops->get_dr(ctxt, 6, &dr6);
3652 dr6 &= ~15;
3653 dr6 |= DR6_BD | DR6_RTM;
3654 ctxt->ops->set_dr(ctxt, 6, dr6);
3655 return emulate_db(ctxt);
3656 }
3657
3658 return X86EMUL_CONTINUE;
3659 }
3660
3661 static int check_dr_write(struct x86_emulate_ctxt *ctxt)
3662 {
3663 u64 new_val = ctxt->src.val64;
3664 int dr = ctxt->modrm_reg;
3665
3666 if ((dr == 6 || dr == 7) && (new_val & 0xffffffff00000000ULL))
3667 return emulate_gp(ctxt, 0);
3668
3669 return check_dr_read(ctxt);
3670 }
3671
3672 static int check_svme(struct x86_emulate_ctxt *ctxt)
3673 {
3674 u64 efer;
3675
3676 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3677
3678 if (!(efer & EFER_SVME))
3679 return emulate_ud(ctxt);
3680
3681 return X86EMUL_CONTINUE;
3682 }
3683
3684 static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
3685 {
3686 u64 rax = reg_read(ctxt, VCPU_REGS_RAX);
3687
3688 /* Valid physical address? */
3689 if (rax & 0xffff000000000000ULL)
3690 return emulate_gp(ctxt, 0);
3691
3692 return check_svme(ctxt);
3693 }
3694
3695 static int check_rdtsc(struct x86_emulate_ctxt *ctxt)
3696 {
3697 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
3698
3699 if (cr4 & X86_CR4_TSD && ctxt->ops->cpl(ctxt))
3700 return emulate_ud(ctxt);
3701
3702 return X86EMUL_CONTINUE;
3703 }
3704
3705 static int check_rdpmc(struct x86_emulate_ctxt *ctxt)
3706 {
3707 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
3708 u64 rcx = reg_read(ctxt, VCPU_REGS_RCX);
3709
3710 if ((!(cr4 & X86_CR4_PCE) && ctxt->ops->cpl(ctxt)) ||
3711 ctxt->ops->check_pmc(ctxt, rcx))
3712 return emulate_gp(ctxt, 0);
3713
3714 return X86EMUL_CONTINUE;
3715 }
3716
3717 static int check_perm_in(struct x86_emulate_ctxt *ctxt)
3718 {
3719 ctxt->dst.bytes = min(ctxt->dst.bytes, 4u);
3720 if (!emulator_io_permited(ctxt, ctxt->src.val, ctxt->dst.bytes))
3721 return emulate_gp(ctxt, 0);
3722
3723 return X86EMUL_CONTINUE;
3724 }
3725
3726 static int check_perm_out(struct x86_emulate_ctxt *ctxt)
3727 {
3728 ctxt->src.bytes = min(ctxt->src.bytes, 4u);
3729 if (!emulator_io_permited(ctxt, ctxt->dst.val, ctxt->src.bytes))
3730 return emulate_gp(ctxt, 0);
3731
3732 return X86EMUL_CONTINUE;
3733 }
3734
3735 #define D(_y) { .flags = (_y) }
3736 #define DI(_y, _i) { .flags = (_y)|Intercept, .intercept = x86_intercept_##_i }
3737 #define DIP(_y, _i, _p) { .flags = (_y)|Intercept|CheckPerm, \
3738 .intercept = x86_intercept_##_i, .check_perm = (_p) }
3739 #define N D(NotImpl)
3740 #define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
3741 #define G(_f, _g) { .flags = ((_f) | Group | ModRM), .u.group = (_g) }
3742 #define GD(_f, _g) { .flags = ((_f) | GroupDual | ModRM), .u.gdual = (_g) }
3743 #define ID(_f, _i) { .flags = ((_f) | InstrDual | ModRM), .u.idual = (_i) }
3744 #define MD(_f, _m) { .flags = ((_f) | ModeDual), .u.mdual = (_m) }
3745 #define E(_f, _e) { .flags = ((_f) | Escape | ModRM), .u.esc = (_e) }
3746 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
3747 #define F(_f, _e) { .flags = (_f) | Fastop, .u.fastop = (_e) }
3748 #define II(_f, _e, _i) \
3749 { .flags = (_f)|Intercept, .u.execute = (_e), .intercept = x86_intercept_##_i }
3750 #define IIP(_f, _e, _i, _p) \
3751 { .flags = (_f)|Intercept|CheckPerm, .u.execute = (_e), \
3752 .intercept = x86_intercept_##_i, .check_perm = (_p) }
3753 #define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
3754
3755 #define D2bv(_f) D((_f) | ByteOp), D(_f)
3756 #define D2bvIP(_f, _i, _p) DIP((_f) | ByteOp, _i, _p), DIP(_f, _i, _p)
3757 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
3758 #define F2bv(_f, _e) F((_f) | ByteOp, _e), F(_f, _e)
3759 #define I2bvIP(_f, _e, _i, _p) \
3760 IIP((_f) | ByteOp, _e, _i, _p), IIP(_f, _e, _i, _p)
3761
3762 #define F6ALU(_f, _e) F2bv((_f) | DstMem | SrcReg | ModRM, _e), \
3763 F2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock, _e), \
3764 F2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)
3765
3766 static const struct opcode group7_rm0[] = {
3767 N,
3768 I(SrcNone | Priv | EmulateOnUD, em_vmcall),
3769 N, N, N, N, N, N,
3770 };
3771
3772 static const struct opcode group7_rm1[] = {
3773 DI(SrcNone | Priv, monitor),
3774 DI(SrcNone | Priv, mwait),
3775 N, N, N, N, N, N,
3776 };
3777
3778 static const struct opcode group7_rm3[] = {
3779 DIP(SrcNone | Prot | Priv, vmrun, check_svme_pa),
3780 II(SrcNone | Prot | EmulateOnUD, em_vmmcall, vmmcall),
3781 DIP(SrcNone | Prot | Priv, vmload, check_svme_pa),
3782 DIP(SrcNone | Prot | Priv, vmsave, check_svme_pa),
3783 DIP(SrcNone | Prot | Priv, stgi, check_svme),
3784 DIP(SrcNone | Prot | Priv, clgi, check_svme),
3785 DIP(SrcNone | Prot | Priv, skinit, check_svme),
3786 DIP(SrcNone | Prot | Priv, invlpga, check_svme),
3787 };
3788
3789 static const struct opcode group7_rm7[] = {
3790 N,
3791 DIP(SrcNone, rdtscp, check_rdtsc),
3792 N, N, N, N, N, N,
3793 };
3794
3795 static const struct opcode group1[] = {
3796 F(Lock, em_add),
3797 F(Lock | PageTable, em_or),
3798 F(Lock, em_adc),
3799 F(Lock, em_sbb),
3800 F(Lock | PageTable, em_and),
3801 F(Lock, em_sub),
3802 F(Lock, em_xor),
3803 F(NoWrite, em_cmp),
3804 };
3805
3806 static const struct opcode group1A[] = {
3807 I(DstMem | SrcNone | Mov | Stack | IncSP, em_pop), N, N, N, N, N, N, N,
3808 };
3809
3810 static const struct opcode group2[] = {
3811 F(DstMem | ModRM, em_rol),
3812 F(DstMem | ModRM, em_ror),
3813 F(DstMem | ModRM, em_rcl),
3814 F(DstMem | ModRM, em_rcr),
3815 F(DstMem | ModRM, em_shl),
3816 F(DstMem | ModRM, em_shr),
3817 F(DstMem | ModRM, em_shl),
3818 F(DstMem | ModRM, em_sar),
3819 };
3820
3821 static const struct opcode group3[] = {
3822 F(DstMem | SrcImm | NoWrite, em_test),
3823 F(DstMem | SrcImm | NoWrite, em_test),
3824 F(DstMem | SrcNone | Lock, em_not),
3825 F(DstMem | SrcNone | Lock, em_neg),
3826 F(DstXacc | Src2Mem, em_mul_ex),
3827 F(DstXacc | Src2Mem, em_imul_ex),
3828 F(DstXacc | Src2Mem, em_div_ex),
3829 F(DstXacc | Src2Mem, em_idiv_ex),
3830 };
3831
3832 static const struct opcode group4[] = {
3833 F(ByteOp | DstMem | SrcNone | Lock, em_inc),
3834 F(ByteOp | DstMem | SrcNone | Lock, em_dec),
3835 N, N, N, N, N, N,
3836 };
3837
3838 static const struct opcode group5[] = {
3839 F(DstMem | SrcNone | Lock, em_inc),
3840 F(DstMem | SrcNone | Lock, em_dec),
3841 I(SrcMem | NearBranch, em_call_near_abs),
3842 I(SrcMemFAddr | ImplicitOps | Stack, em_call_far),
3843 I(SrcMem | NearBranch, em_jmp_abs),
3844 I(SrcMemFAddr | ImplicitOps, em_jmp_far),
3845 I(SrcMem | Stack, em_push), D(Undefined),
3846 };
3847
3848 static const struct opcode group6[] = {
3849 DI(Prot, sldt),
3850 DI(Prot, str),
3851 II(Prot | Priv | SrcMem16, em_lldt, lldt),
3852 II(Prot | Priv | SrcMem16, em_ltr, ltr),
3853 N, N, N, N,
3854 };
3855
3856 static const struct group_dual group7 = { {
3857 II(Mov | DstMem, em_sgdt, sgdt),
3858 II(Mov | DstMem, em_sidt, sidt),
3859 II(SrcMem | Priv, em_lgdt, lgdt),
3860 II(SrcMem | Priv, em_lidt, lidt),
3861 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
3862 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
3863 II(SrcMem | ByteOp | Priv | NoAccess, em_invlpg, invlpg),
3864 }, {
3865 EXT(0, group7_rm0),
3866 EXT(0, group7_rm1),
3867 N, EXT(0, group7_rm3),
3868 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
3869 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
3870 EXT(0, group7_rm7),
3871 } };
3872
3873 static const struct opcode group8[] = {
3874 N, N, N, N,
3875 F(DstMem | SrcImmByte | NoWrite, em_bt),
3876 F(DstMem | SrcImmByte | Lock | PageTable, em_bts),
3877 F(DstMem | SrcImmByte | Lock, em_btr),
3878 F(DstMem | SrcImmByte | Lock | PageTable, em_btc),
3879 };
3880
3881 static const struct group_dual group9 = { {
3882 N, I(DstMem64 | Lock | PageTable, em_cmpxchg8b), N, N, N, N, N, N,
3883 }, {
3884 N, N, N, N, N, N, N, N,
3885 } };
3886
3887 static const struct opcode group11[] = {
3888 I(DstMem | SrcImm | Mov | PageTable, em_mov),
3889 X7(D(Undefined)),
3890 };
3891
3892 static const struct gprefix pfx_0f_ae_7 = {
3893 I(SrcMem | ByteOp, em_clflush), N, N, N,
3894 };
3895
3896 static const struct group_dual group15 = { {
3897 N, N, N, N, N, N, N, GP(0, &pfx_0f_ae_7),
3898 }, {
3899 N, N, N, N, N, N, N, N,
3900 } };
3901
3902 static const struct gprefix pfx_0f_6f_0f_7f = {
3903 I(Mmx, em_mov), I(Sse | Aligned, em_mov), N, I(Sse | Unaligned, em_mov),
3904 };
3905
3906 static const struct instr_dual instr_dual_0f_2b = {
3907 I(0, em_mov), N
3908 };
3909
3910 static const struct gprefix pfx_0f_2b = {
3911 ID(0, &instr_dual_0f_2b), ID(0, &instr_dual_0f_2b), N, N,
3912 };
3913
3914 static const struct gprefix pfx_0f_28_0f_29 = {
3915 I(Aligned, em_mov), I(Aligned, em_mov), N, N,
3916 };
3917
3918 static const struct gprefix pfx_0f_e7 = {
3919 N, I(Sse, em_mov), N, N,
3920 };
3921
3922 static const struct escape escape_d9 = { {
3923 N, N, N, N, N, N, N, I(DstMem16 | Mov, em_fnstcw),
3924 }, {
3925 /* 0xC0 - 0xC7 */
3926 N, N, N, N, N, N, N, N,
3927 /* 0xC8 - 0xCF */
3928 N, N, N, N, N, N, N, N,
3929 /* 0xD0 - 0xC7 */
3930 N, N, N, N, N, N, N, N,
3931 /* 0xD8 - 0xDF */
3932 N, N, N, N, N, N, N, N,
3933 /* 0xE0 - 0xE7 */
3934 N, N, N, N, N, N, N, N,
3935 /* 0xE8 - 0xEF */
3936 N, N, N, N, N, N, N, N,
3937 /* 0xF0 - 0xF7 */
3938 N, N, N, N, N, N, N, N,
3939 /* 0xF8 - 0xFF */
3940 N, N, N, N, N, N, N, N,
3941 } };
3942
3943 static const struct escape escape_db = { {
3944 N, N, N, N, N, N, N, N,
3945 }, {
3946 /* 0xC0 - 0xC7 */
3947 N, N, N, N, N, N, N, N,
3948 /* 0xC8 - 0xCF */
3949 N, N, N, N, N, N, N, N,
3950 /* 0xD0 - 0xC7 */
3951 N, N, N, N, N, N, N, N,
3952 /* 0xD8 - 0xDF */
3953 N, N, N, N, N, N, N, N,
3954 /* 0xE0 - 0xE7 */
3955 N, N, N, I(ImplicitOps, em_fninit), N, N, N, N,
3956 /* 0xE8 - 0xEF */
3957 N, N, N, N, N, N, N, N,
3958 /* 0xF0 - 0xF7 */
3959 N, N, N, N, N, N, N, N,
3960 /* 0xF8 - 0xFF */
3961 N, N, N, N, N, N, N, N,
3962 } };
3963
3964 static const struct escape escape_dd = { {
3965 N, N, N, N, N, N, N, I(DstMem16 | Mov, em_fnstsw),
3966 }, {
3967 /* 0xC0 - 0xC7 */
3968 N, N, N, N, N, N, N, N,
3969 /* 0xC8 - 0xCF */
3970 N, N, N, N, N, N, N, N,
3971 /* 0xD0 - 0xC7 */
3972 N, N, N, N, N, N, N, N,
3973 /* 0xD8 - 0xDF */
3974 N, N, N, N, N, N, N, N,
3975 /* 0xE0 - 0xE7 */
3976 N, N, N, N, N, N, N, N,
3977 /* 0xE8 - 0xEF */
3978 N, N, N, N, N, N, N, N,
3979 /* 0xF0 - 0xF7 */
3980 N, N, N, N, N, N, N, N,
3981 /* 0xF8 - 0xFF */
3982 N, N, N, N, N, N, N, N,
3983 } };
3984
3985 static const struct instr_dual instr_dual_0f_c3 = {
3986 I(DstMem | SrcReg | ModRM | No16 | Mov, em_mov), N
3987 };
3988
3989 static const struct mode_dual mode_dual_63 = {
3990 N, I(DstReg | SrcMem32 | ModRM | Mov, em_movsxd)
3991 };
3992
3993 static const struct opcode opcode_table[256] = {
3994 /* 0x00 - 0x07 */
3995 F6ALU(Lock, em_add),
3996 I(ImplicitOps | Stack | No64 | Src2ES, em_push_sreg),
3997 I(ImplicitOps | Stack | No64 | Src2ES, em_pop_sreg),
3998 /* 0x08 - 0x0F */
3999 F6ALU(Lock | PageTable, em_or),
4000 I(ImplicitOps | Stack | No64 | Src2CS, em_push_sreg),
4001 N,
4002 /* 0x10 - 0x17 */
4003 F6ALU(Lock, em_adc),
4004 I(ImplicitOps | Stack | No64 | Src2SS, em_push_sreg),
4005 I(ImplicitOps | Stack | No64 | Src2SS, em_pop_sreg),
4006 /* 0x18 - 0x1F */
4007 F6ALU(Lock, em_sbb),
4008 I(ImplicitOps | Stack | No64 | Src2DS, em_push_sreg),
4009 I(ImplicitOps | Stack | No64 | Src2DS, em_pop_sreg),
4010 /* 0x20 - 0x27 */
4011 F6ALU(Lock | PageTable, em_and), N, N,
4012 /* 0x28 - 0x2F */
4013 F6ALU(Lock, em_sub), N, I(ByteOp | DstAcc | No64, em_das),
4014 /* 0x30 - 0x37 */
4015 F6ALU(Lock, em_xor), N, N,
4016 /* 0x38 - 0x3F */
4017 F6ALU(NoWrite, em_cmp), N, N,
4018 /* 0x40 - 0x4F */
4019 X8(F(DstReg, em_inc)), X8(F(DstReg, em_dec)),
4020 /* 0x50 - 0x57 */
4021 X8(I(SrcReg | Stack, em_push)),
4022 /* 0x58 - 0x5F */
4023 X8(I(DstReg | Stack, em_pop)),
4024 /* 0x60 - 0x67 */
4025 I(ImplicitOps | Stack | No64, em_pusha),
4026 I(ImplicitOps | Stack | No64, em_popa),
4027 N, MD(ModRM, &mode_dual_63),
4028 N, N, N, N,
4029 /* 0x68 - 0x6F */
4030 I(SrcImm | Mov | Stack, em_push),
4031 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
4032 I(SrcImmByte | Mov | Stack, em_push),
4033 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
4034 I2bvIP(DstDI | SrcDX | Mov | String | Unaligned, em_in, ins, check_perm_in), /* insb, insw/insd */
4035 I2bvIP(SrcSI | DstDX | String, em_out, outs, check_perm_out), /* outsb, outsw/outsd */
4036 /* 0x70 - 0x7F */
4037 X16(D(SrcImmByte | NearBranch)),
4038 /* 0x80 - 0x87 */
4039 G(ByteOp | DstMem | SrcImm, group1),
4040 G(DstMem | SrcImm, group1),
4041 G(ByteOp | DstMem | SrcImm | No64, group1),
4042 G(DstMem | SrcImmByte, group1),
4043 F2bv(DstMem | SrcReg | ModRM | NoWrite, em_test),
4044 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_xchg),
4045 /* 0x88 - 0x8F */
4046 I2bv(DstMem | SrcReg | ModRM | Mov | PageTable, em_mov),
4047 I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
4048 I(DstMem | SrcNone | ModRM | Mov | PageTable, em_mov_rm_sreg),
4049 D(ModRM | SrcMem | NoAccess | DstReg),
4050 I(ImplicitOps | SrcMem16 | ModRM, em_mov_sreg_rm),
4051 G(0, group1A),
4052 /* 0x90 - 0x97 */
4053 DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)),
4054 /* 0x98 - 0x9F */
4055 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
4056 I(SrcImmFAddr | No64, em_call_far), N,
4057 II(ImplicitOps | Stack, em_pushf, pushf),
4058 II(ImplicitOps | Stack, em_popf, popf),
4059 I(ImplicitOps, em_sahf), I(ImplicitOps, em_lahf),
4060 /* 0xA0 - 0xA7 */
4061 I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
4062 I2bv(DstMem | SrcAcc | Mov | MemAbs | PageTable, em_mov),
4063 I2bv(SrcSI | DstDI | Mov | String, em_mov),
4064 F2bv(SrcSI | DstDI | String | NoWrite, em_cmp_r),
4065 /* 0xA8 - 0xAF */
4066 F2bv(DstAcc | SrcImm | NoWrite, em_test),
4067 I2bv(SrcAcc | DstDI | Mov | String, em_mov),
4068 I2bv(SrcSI | DstAcc | Mov | String, em_mov),
4069 F2bv(SrcAcc | DstDI | String | NoWrite, em_cmp_r),
4070 /* 0xB0 - 0xB7 */
4071 X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
4072 /* 0xB8 - 0xBF */
4073 X8(I(DstReg | SrcImm64 | Mov, em_mov)),
4074 /* 0xC0 - 0xC7 */
4075 G(ByteOp | Src2ImmByte, group2), G(Src2ImmByte, group2),
4076 I(ImplicitOps | NearBranch | SrcImmU16, em_ret_near_imm),
4077 I(ImplicitOps | NearBranch, em_ret),
4078 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2ES, em_lseg),
4079 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2DS, em_lseg),
4080 G(ByteOp, group11), G(0, group11),
4081 /* 0xC8 - 0xCF */
4082 I(Stack | SrcImmU16 | Src2ImmByte, em_enter), I(Stack, em_leave),
4083 I(ImplicitOps | SrcImmU16, em_ret_far_imm),
4084 I(ImplicitOps, em_ret_far),
4085 D(ImplicitOps), DI(SrcImmByte, intn),
4086 D(ImplicitOps | No64), II(ImplicitOps, em_iret, iret),
4087 /* 0xD0 - 0xD7 */
4088 G(Src2One | ByteOp, group2), G(Src2One, group2),
4089 G(Src2CL | ByteOp, group2), G(Src2CL, group2),
4090 I(DstAcc | SrcImmUByte | No64, em_aam),
4091 I(DstAcc | SrcImmUByte | No64, em_aad),
4092 F(DstAcc | ByteOp | No64, em_salc),
4093 I(DstAcc | SrcXLat | ByteOp, em_mov),
4094 /* 0xD8 - 0xDF */
4095 N, E(0, &escape_d9), N, E(0, &escape_db), N, E(0, &escape_dd), N, N,
4096 /* 0xE0 - 0xE7 */
4097 X3(I(SrcImmByte | NearBranch, em_loop)),
4098 I(SrcImmByte | NearBranch, em_jcxz),
4099 I2bvIP(SrcImmUByte | DstAcc, em_in, in, check_perm_in),
4100 I2bvIP(SrcAcc | DstImmUByte, em_out, out, check_perm_out),
4101 /* 0xE8 - 0xEF */
4102 I(SrcImm | NearBranch, em_call), D(SrcImm | ImplicitOps | NearBranch),
4103 I(SrcImmFAddr | No64, em_jmp_far),
4104 D(SrcImmByte | ImplicitOps | NearBranch),
4105 I2bvIP(SrcDX | DstAcc, em_in, in, check_perm_in),
4106 I2bvIP(SrcAcc | DstDX, em_out, out, check_perm_out),
4107 /* 0xF0 - 0xF7 */
4108 N, DI(ImplicitOps, icebp), N, N,
4109 DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
4110 G(ByteOp, group3), G(0, group3),
4111 /* 0xF8 - 0xFF */
4112 D(ImplicitOps), D(ImplicitOps),
4113 I(ImplicitOps, em_cli), I(ImplicitOps, em_sti),
4114 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
4115 };
4116
4117 static const struct opcode twobyte_table[256] = {
4118 /* 0x00 - 0x0F */
4119 G(0, group6), GD(0, &group7), N, N,
4120 N, I(ImplicitOps | EmulateOnUD, em_syscall),
4121 II(ImplicitOps | Priv, em_clts, clts), N,
4122 DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
4123 N, D(ImplicitOps | ModRM | SrcMem | NoAccess), N, N,
4124 /* 0x10 - 0x1F */
4125 N, N, N, N, N, N, N, N,
4126 D(ImplicitOps | ModRM | SrcMem | NoAccess),
4127 N, N, N, N, N, N, D(ImplicitOps | ModRM | SrcMem | NoAccess),
4128 /* 0x20 - 0x2F */
4129 DIP(ModRM | DstMem | Priv | Op3264 | NoMod, cr_read, check_cr_read),
4130 DIP(ModRM | DstMem | Priv | Op3264 | NoMod, dr_read, check_dr_read),
4131 IIP(ModRM | SrcMem | Priv | Op3264 | NoMod, em_cr_write, cr_write,
4132 check_cr_write),
4133 IIP(ModRM | SrcMem | Priv | Op3264 | NoMod, em_dr_write, dr_write,
4134 check_dr_write),
4135 N, N, N, N,
4136 GP(ModRM | DstReg | SrcMem | Mov | Sse, &pfx_0f_28_0f_29),
4137 GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_28_0f_29),
4138 N, GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_2b),
4139 N, N, N, N,
4140 /* 0x30 - 0x3F */
4141 II(ImplicitOps | Priv, em_wrmsr, wrmsr),
4142 IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
4143 II(ImplicitOps | Priv, em_rdmsr, rdmsr),
4144 IIP(ImplicitOps, em_rdpmc, rdpmc, check_rdpmc),
4145 I(ImplicitOps | EmulateOnUD, em_sysenter),
4146 I(ImplicitOps | Priv | EmulateOnUD, em_sysexit),
4147 N, N,
4148 N, N, N, N, N, N, N, N,
4149 /* 0x40 - 0x4F */
4150 X16(D(DstReg | SrcMem | ModRM)),
4151 /* 0x50 - 0x5F */
4152 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4153 /* 0x60 - 0x6F */
4154 N, N, N, N,
4155 N, N, N, N,
4156 N, N, N, N,
4157 N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
4158 /* 0x70 - 0x7F */
4159 N, N, N, N,
4160 N, N, N, N,
4161 N, N, N, N,
4162 N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
4163 /* 0x80 - 0x8F */
4164 X16(D(SrcImm | NearBranch)),
4165 /* 0x90 - 0x9F */
4166 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
4167 /* 0xA0 - 0xA7 */
4168 I(Stack | Src2FS, em_push_sreg), I(Stack | Src2FS, em_pop_sreg),
4169 II(ImplicitOps, em_cpuid, cpuid),
4170 F(DstMem | SrcReg | ModRM | BitOp | NoWrite, em_bt),
4171 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shld),
4172 F(DstMem | SrcReg | Src2CL | ModRM, em_shld), N, N,
4173 /* 0xA8 - 0xAF */
4174 I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg),
4175 DI(ImplicitOps, rsm),
4176 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
4177 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd),
4178 F(DstMem | SrcReg | Src2CL | ModRM, em_shrd),
4179 GD(0, &group15), F(DstReg | SrcMem | ModRM, em_imul),
4180 /* 0xB0 - 0xB7 */
4181 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable | SrcWrite, em_cmpxchg),
4182 I(DstReg | SrcMemFAddr | ModRM | Src2SS, em_lseg),
4183 F(DstMem | SrcReg | ModRM | BitOp | Lock, em_btr),
4184 I(DstReg | SrcMemFAddr | ModRM | Src2FS, em_lseg),
4185 I(DstReg | SrcMemFAddr | ModRM | Src2GS, em_lseg),
4186 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4187 /* 0xB8 - 0xBF */
4188 N, N,
4189 G(BitOp, group8),
4190 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_btc),
4191 F(DstReg | SrcMem | ModRM, em_bsf), F(DstReg | SrcMem | ModRM, em_bsr),
4192 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4193 /* 0xC0 - 0xC7 */
4194 F2bv(DstMem | SrcReg | ModRM | SrcWrite | Lock, em_xadd),
4195 N, ID(0, &instr_dual_0f_c3),
4196 N, N, N, GD(0, &group9),
4197 /* 0xC8 - 0xCF */
4198 X8(I(DstReg, em_bswap)),
4199 /* 0xD0 - 0xDF */
4200 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4201 /* 0xE0 - 0xEF */
4202 N, N, N, N, N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_e7),
4203 N, N, N, N, N, N, N, N,
4204 /* 0xF0 - 0xFF */
4205 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
4206 };
4207
4208 static const struct instr_dual instr_dual_0f_38_f0 = {
4209 I(DstReg | SrcMem | Mov, em_movbe), N
4210 };
4211
4212 static const struct instr_dual instr_dual_0f_38_f1 = {
4213 I(DstMem | SrcReg | Mov, em_movbe), N
4214 };
4215
4216 static const struct gprefix three_byte_0f_38_f0 = {
4217 ID(0, &instr_dual_0f_38_f0), N, N, N
4218 };
4219
4220 static const struct gprefix three_byte_0f_38_f1 = {
4221 ID(0, &instr_dual_0f_38_f1), N, N, N
4222 };
4223
4224 /*
4225 * Insns below are selected by the prefix which indexed by the third opcode
4226 * byte.
4227 */
4228 static const struct opcode opcode_map_0f_38[256] = {
4229 /* 0x00 - 0x7f */
4230 X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
4231 /* 0x80 - 0xef */
4232 X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
4233 /* 0xf0 - 0xf1 */
4234 GP(EmulateOnUD | ModRM, &three_byte_0f_38_f0),
4235 GP(EmulateOnUD | ModRM, &three_byte_0f_38_f1),
4236 /* 0xf2 - 0xff */
4237 N, N, X4(N), X8(N)
4238 };
4239
4240 #undef D
4241 #undef N
4242 #undef G
4243 #undef GD
4244 #undef I
4245 #undef GP
4246 #undef EXT
4247 #undef MD
4248 #undef ID
4249
4250 #undef D2bv
4251 #undef D2bvIP
4252 #undef I2bv
4253 #undef I2bvIP
4254 #undef I6ALU
4255
4256 static unsigned imm_size(struct x86_emulate_ctxt *ctxt)
4257 {
4258 unsigned size;
4259
4260 size = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4261 if (size == 8)
4262 size = 4;
4263 return size;
4264 }
4265
4266 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
4267 unsigned size, bool sign_extension)
4268 {
4269 int rc = X86EMUL_CONTINUE;
4270
4271 op->type = OP_IMM;
4272 op->bytes = size;
4273 op->addr.mem.ea = ctxt->_eip;
4274 /* NB. Immediates are sign-extended as necessary. */
4275 switch (op->bytes) {
4276 case 1:
4277 op->val = insn_fetch(s8, ctxt);
4278 break;
4279 case 2:
4280 op->val = insn_fetch(s16, ctxt);
4281 break;
4282 case 4:
4283 op->val = insn_fetch(s32, ctxt);
4284 break;
4285 case 8:
4286 op->val = insn_fetch(s64, ctxt);
4287 break;
4288 }
4289 if (!sign_extension) {
4290 switch (op->bytes) {
4291 case 1:
4292 op->val &= 0xff;
4293 break;
4294 case 2:
4295 op->val &= 0xffff;
4296 break;
4297 case 4:
4298 op->val &= 0xffffffff;
4299 break;
4300 }
4301 }
4302 done:
4303 return rc;
4304 }
4305
4306 static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
4307 unsigned d)
4308 {
4309 int rc = X86EMUL_CONTINUE;
4310
4311 switch (d) {
4312 case OpReg:
4313 decode_register_operand(ctxt, op);
4314 break;
4315 case OpImmUByte:
4316 rc = decode_imm(ctxt, op, 1, false);
4317 break;
4318 case OpMem:
4319 ctxt->memop.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4320 mem_common:
4321 *op = ctxt->memop;
4322 ctxt->memopp = op;
4323 if (ctxt->d & BitOp)
4324 fetch_bit_operand(ctxt);
4325 op->orig_val = op->val;
4326 break;
4327 case OpMem64:
4328 ctxt->memop.bytes = (ctxt->op_bytes == 8) ? 16 : 8;
4329 goto mem_common;
4330 case OpAcc:
4331 op->type = OP_REG;
4332 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4333 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4334 fetch_register_operand(op);
4335 op->orig_val = op->val;
4336 break;
4337 case OpAccLo:
4338 op->type = OP_REG;
4339 op->bytes = (ctxt->d & ByteOp) ? 2 : ctxt->op_bytes;
4340 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4341 fetch_register_operand(op);
4342 op->orig_val = op->val;
4343 break;
4344 case OpAccHi:
4345 if (ctxt->d & ByteOp) {
4346 op->type = OP_NONE;
4347 break;
4348 }
4349 op->type = OP_REG;
4350 op->bytes = ctxt->op_bytes;
4351 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4352 fetch_register_operand(op);
4353 op->orig_val = op->val;
4354 break;
4355 case OpDI:
4356 op->type = OP_MEM;
4357 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4358 op->addr.mem.ea =
4359 register_address(ctxt, VCPU_REGS_RDI);
4360 op->addr.mem.seg = VCPU_SREG_ES;
4361 op->val = 0;
4362 op->count = 1;
4363 break;
4364 case OpDX:
4365 op->type = OP_REG;
4366 op->bytes = 2;
4367 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4368 fetch_register_operand(op);
4369 break;
4370 case OpCL:
4371 op->type = OP_IMM;
4372 op->bytes = 1;
4373 op->val = reg_read(ctxt, VCPU_REGS_RCX) & 0xff;
4374 break;
4375 case OpImmByte:
4376 rc = decode_imm(ctxt, op, 1, true);
4377 break;
4378 case OpOne:
4379 op->type = OP_IMM;
4380 op->bytes = 1;
4381 op->val = 1;
4382 break;
4383 case OpImm:
4384 rc = decode_imm(ctxt, op, imm_size(ctxt), true);
4385 break;
4386 case OpImm64:
4387 rc = decode_imm(ctxt, op, ctxt->op_bytes, true);
4388 break;
4389 case OpMem8:
4390 ctxt->memop.bytes = 1;
4391 if (ctxt->memop.type == OP_REG) {
4392 ctxt->memop.addr.reg = decode_register(ctxt,
4393 ctxt->modrm_rm, true);
4394 fetch_register_operand(&ctxt->memop);
4395 }
4396 goto mem_common;
4397 case OpMem16:
4398 ctxt->memop.bytes = 2;
4399 goto mem_common;
4400 case OpMem32:
4401 ctxt->memop.bytes = 4;
4402 goto mem_common;
4403 case OpImmU16:
4404 rc = decode_imm(ctxt, op, 2, false);
4405 break;
4406 case OpImmU:
4407 rc = decode_imm(ctxt, op, imm_size(ctxt), false);
4408 break;
4409 case OpSI:
4410 op->type = OP_MEM;
4411 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4412 op->addr.mem.ea =
4413 register_address(ctxt, VCPU_REGS_RSI);
4414 op->addr.mem.seg = ctxt->seg_override;
4415 op->val = 0;
4416 op->count = 1;
4417 break;
4418 case OpXLat:
4419 op->type = OP_MEM;
4420 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4421 op->addr.mem.ea =
4422 address_mask(ctxt,
4423 reg_read(ctxt, VCPU_REGS_RBX) +
4424 (reg_read(ctxt, VCPU_REGS_RAX) & 0xff));
4425 op->addr.mem.seg = ctxt->seg_override;
4426 op->val = 0;
4427 break;
4428 case OpImmFAddr:
4429 op->type = OP_IMM;
4430 op->addr.mem.ea = ctxt->_eip;
4431 op->bytes = ctxt->op_bytes + 2;
4432 insn_fetch_arr(op->valptr, op->bytes, ctxt);
4433 break;
4434 case OpMemFAddr:
4435 ctxt->memop.bytes = ctxt->op_bytes + 2;
4436 goto mem_common;
4437 case OpES:
4438 op->type = OP_IMM;
4439 op->val = VCPU_SREG_ES;
4440 break;
4441 case OpCS:
4442 op->type = OP_IMM;
4443 op->val = VCPU_SREG_CS;
4444 break;
4445 case OpSS:
4446 op->type = OP_IMM;
4447 op->val = VCPU_SREG_SS;
4448 break;
4449 case OpDS:
4450 op->type = OP_IMM;
4451 op->val = VCPU_SREG_DS;
4452 break;
4453 case OpFS:
4454 op->type = OP_IMM;
4455 op->val = VCPU_SREG_FS;
4456 break;
4457 case OpGS:
4458 op->type = OP_IMM;
4459 op->val = VCPU_SREG_GS;
4460 break;
4461 case OpImplicit:
4462 /* Special instructions do their own operand decoding. */
4463 default:
4464 op->type = OP_NONE; /* Disable writeback. */
4465 break;
4466 }
4467
4468 done:
4469 return rc;
4470 }
4471
4472 int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
4473 {
4474 int rc = X86EMUL_CONTINUE;
4475 int mode = ctxt->mode;
4476 int def_op_bytes, def_ad_bytes, goffset, simd_prefix;
4477 bool op_prefix = false;
4478 bool has_seg_override = false;
4479 struct opcode opcode;
4480
4481 ctxt->memop.type = OP_NONE;
4482 ctxt->memopp = NULL;
4483 ctxt->_eip = ctxt->eip;
4484 ctxt->fetch.ptr = ctxt->fetch.data;
4485 ctxt->fetch.end = ctxt->fetch.data + insn_len;
4486 ctxt->opcode_len = 1;
4487 if (insn_len > 0)
4488 memcpy(ctxt->fetch.data, insn, insn_len);
4489 else {
4490 rc = __do_insn_fetch_bytes(ctxt, 1);
4491 if (rc != X86EMUL_CONTINUE)
4492 return rc;
4493 }
4494
4495 switch (mode) {
4496 case X86EMUL_MODE_REAL:
4497 case X86EMUL_MODE_VM86:
4498 case X86EMUL_MODE_PROT16:
4499 def_op_bytes = def_ad_bytes = 2;
4500 break;
4501 case X86EMUL_MODE_PROT32:
4502 def_op_bytes = def_ad_bytes = 4;
4503 break;
4504 #ifdef CONFIG_X86_64
4505 case X86EMUL_MODE_PROT64:
4506 def_op_bytes = 4;
4507 def_ad_bytes = 8;
4508 break;
4509 #endif
4510 default:
4511 return EMULATION_FAILED;
4512 }
4513
4514 ctxt->op_bytes = def_op_bytes;
4515 ctxt->ad_bytes = def_ad_bytes;
4516
4517 /* Legacy prefixes. */
4518 for (;;) {
4519 switch (ctxt->b = insn_fetch(u8, ctxt)) {
4520 case 0x66: /* operand-size override */
4521 op_prefix = true;
4522 /* switch between 2/4 bytes */
4523 ctxt->op_bytes = def_op_bytes ^ 6;
4524 break;
4525 case 0x67: /* address-size override */
4526 if (mode == X86EMUL_MODE_PROT64)
4527 /* switch between 4/8 bytes */
4528 ctxt->ad_bytes = def_ad_bytes ^ 12;
4529 else
4530 /* switch between 2/4 bytes */
4531 ctxt->ad_bytes = def_ad_bytes ^ 6;
4532 break;
4533 case 0x26: /* ES override */
4534 case 0x2e: /* CS override */
4535 case 0x36: /* SS override */
4536 case 0x3e: /* DS override */
4537 has_seg_override = true;
4538 ctxt->seg_override = (ctxt->b >> 3) & 3;
4539 break;
4540 case 0x64: /* FS override */
4541 case 0x65: /* GS override */
4542 has_seg_override = true;
4543 ctxt->seg_override = ctxt->b & 7;
4544 break;
4545 case 0x40 ... 0x4f: /* REX */
4546 if (mode != X86EMUL_MODE_PROT64)
4547 goto done_prefixes;
4548 ctxt->rex_prefix = ctxt->b;
4549 continue;
4550 case 0xf0: /* LOCK */
4551 ctxt->lock_prefix = 1;
4552 break;
4553 case 0xf2: /* REPNE/REPNZ */
4554 case 0xf3: /* REP/REPE/REPZ */
4555 ctxt->rep_prefix = ctxt->b;
4556 break;
4557 default:
4558 goto done_prefixes;
4559 }
4560
4561 /* Any legacy prefix after a REX prefix nullifies its effect. */
4562
4563 ctxt->rex_prefix = 0;
4564 }
4565
4566 done_prefixes:
4567
4568 /* REX prefix. */
4569 if (ctxt->rex_prefix & 8)
4570 ctxt->op_bytes = 8; /* REX.W */
4571
4572 /* Opcode byte(s). */
4573 opcode = opcode_table[ctxt->b];
4574 /* Two-byte opcode? */
4575 if (ctxt->b == 0x0f) {
4576 ctxt->opcode_len = 2;
4577 ctxt->b = insn_fetch(u8, ctxt);
4578 opcode = twobyte_table[ctxt->b];
4579
4580 /* 0F_38 opcode map */
4581 if (ctxt->b == 0x38) {
4582 ctxt->opcode_len = 3;
4583 ctxt->b = insn_fetch(u8, ctxt);
4584 opcode = opcode_map_0f_38[ctxt->b];
4585 }
4586 }
4587 ctxt->d = opcode.flags;
4588
4589 if (ctxt->d & ModRM)
4590 ctxt->modrm = insn_fetch(u8, ctxt);
4591
4592 /* vex-prefix instructions are not implemented */
4593 if (ctxt->opcode_len == 1 && (ctxt->b == 0xc5 || ctxt->b == 0xc4) &&
4594 (mode == X86EMUL_MODE_PROT64 || (ctxt->modrm & 0xc0) == 0xc0)) {
4595 ctxt->d = NotImpl;
4596 }
4597
4598 while (ctxt->d & GroupMask) {
4599 switch (ctxt->d & GroupMask) {
4600 case Group:
4601 goffset = (ctxt->modrm >> 3) & 7;
4602 opcode = opcode.u.group[goffset];
4603 break;
4604 case GroupDual:
4605 goffset = (ctxt->modrm >> 3) & 7;
4606 if ((ctxt->modrm >> 6) == 3)
4607 opcode = opcode.u.gdual->mod3[goffset];
4608 else
4609 opcode = opcode.u.gdual->mod012[goffset];
4610 break;
4611 case RMExt:
4612 goffset = ctxt->modrm & 7;
4613 opcode = opcode.u.group[goffset];
4614 break;
4615 case Prefix:
4616 if (ctxt->rep_prefix && op_prefix)
4617 return EMULATION_FAILED;
4618 simd_prefix = op_prefix ? 0x66 : ctxt->rep_prefix;
4619 switch (simd_prefix) {
4620 case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
4621 case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
4622 case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
4623 case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
4624 }
4625 break;
4626 case Escape:
4627 if (ctxt->modrm > 0xbf)
4628 opcode = opcode.u.esc->high[ctxt->modrm - 0xc0];
4629 else
4630 opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7];
4631 break;
4632 case InstrDual:
4633 if ((ctxt->modrm >> 6) == 3)
4634 opcode = opcode.u.idual->mod3;
4635 else
4636 opcode = opcode.u.idual->mod012;
4637 break;
4638 case ModeDual:
4639 if (ctxt->mode == X86EMUL_MODE_PROT64)
4640 opcode = opcode.u.mdual->mode64;
4641 else
4642 opcode = opcode.u.mdual->mode32;
4643 break;
4644 default:
4645 return EMULATION_FAILED;
4646 }
4647
4648 ctxt->d &= ~(u64)GroupMask;
4649 ctxt->d |= opcode.flags;
4650 }
4651
4652 /* Unrecognised? */
4653 if (ctxt->d == 0)
4654 return EMULATION_FAILED;
4655
4656 ctxt->execute = opcode.u.execute;
4657
4658 if (unlikely(ctxt->ud) && likely(!(ctxt->d & EmulateOnUD)))
4659 return EMULATION_FAILED;
4660
4661 if (unlikely(ctxt->d &
4662 (NotImpl|Stack|Op3264|Sse|Mmx|Intercept|CheckPerm|NearBranch|
4663 No16))) {
4664 /*
4665 * These are copied unconditionally here, and checked unconditionally
4666 * in x86_emulate_insn.
4667 */
4668 ctxt->check_perm = opcode.check_perm;
4669 ctxt->intercept = opcode.intercept;
4670
4671 if (ctxt->d & NotImpl)
4672 return EMULATION_FAILED;
4673
4674 if (mode == X86EMUL_MODE_PROT64) {
4675 if (ctxt->op_bytes == 4 && (ctxt->d & Stack))
4676 ctxt->op_bytes = 8;
4677 else if (ctxt->d & NearBranch)
4678 ctxt->op_bytes = 8;
4679 }
4680
4681 if (ctxt->d & Op3264) {
4682 if (mode == X86EMUL_MODE_PROT64)
4683 ctxt->op_bytes = 8;
4684 else
4685 ctxt->op_bytes = 4;
4686 }
4687
4688 if ((ctxt->d & No16) && ctxt->op_bytes == 2)
4689 ctxt->op_bytes = 4;
4690
4691 if (ctxt->d & Sse)
4692 ctxt->op_bytes = 16;
4693 else if (ctxt->d & Mmx)
4694 ctxt->op_bytes = 8;
4695 }
4696
4697 /* ModRM and SIB bytes. */
4698 if (ctxt->d & ModRM) {
4699 rc = decode_modrm(ctxt, &ctxt->memop);
4700 if (!has_seg_override) {
4701 has_seg_override = true;
4702 ctxt->seg_override = ctxt->modrm_seg;
4703 }
4704 } else if (ctxt->d & MemAbs)
4705 rc = decode_abs(ctxt, &ctxt->memop);
4706 if (rc != X86EMUL_CONTINUE)
4707 goto done;
4708
4709 if (!has_seg_override)
4710 ctxt->seg_override = VCPU_SREG_DS;
4711
4712 ctxt->memop.addr.mem.seg = ctxt->seg_override;
4713
4714 /*
4715 * Decode and fetch the source operand: register, memory
4716 * or immediate.
4717 */
4718 rc = decode_operand(ctxt, &ctxt->src, (ctxt->d >> SrcShift) & OpMask);
4719 if (rc != X86EMUL_CONTINUE)
4720 goto done;
4721
4722 /*
4723 * Decode and fetch the second source operand: register, memory
4724 * or immediate.
4725 */
4726 rc = decode_operand(ctxt, &ctxt->src2, (ctxt->d >> Src2Shift) & OpMask);
4727 if (rc != X86EMUL_CONTINUE)
4728 goto done;
4729
4730 /* Decode and fetch the destination operand: register or memory. */
4731 rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
4732
4733 if (ctxt->rip_relative)
4734 ctxt->memopp->addr.mem.ea = address_mask(ctxt,
4735 ctxt->memopp->addr.mem.ea + ctxt->_eip);
4736
4737 done:
4738 return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
4739 }
4740
4741 bool x86_page_table_writing_insn(struct x86_emulate_ctxt *ctxt)
4742 {
4743 return ctxt->d & PageTable;
4744 }
4745
4746 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
4747 {
4748 /* The second termination condition only applies for REPE
4749 * and REPNE. Test if the repeat string operation prefix is
4750 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
4751 * corresponding termination condition according to:
4752 * - if REPE/REPZ and ZF = 0 then done
4753 * - if REPNE/REPNZ and ZF = 1 then done
4754 */
4755 if (((ctxt->b == 0xa6) || (ctxt->b == 0xa7) ||
4756 (ctxt->b == 0xae) || (ctxt->b == 0xaf))
4757 && (((ctxt->rep_prefix == REPE_PREFIX) &&
4758 ((ctxt->eflags & EFLG_ZF) == 0))
4759 || ((ctxt->rep_prefix == REPNE_PREFIX) &&
4760 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))))
4761 return true;
4762
4763 return false;
4764 }
4765
4766 static int flush_pending_x87_faults(struct x86_emulate_ctxt *ctxt)
4767 {
4768 bool fault = false;
4769
4770 ctxt->ops->get_fpu(ctxt);
4771 asm volatile("1: fwait \n\t"
4772 "2: \n\t"
4773 ".pushsection .fixup,\"ax\" \n\t"
4774 "3: \n\t"
4775 "movb $1, %[fault] \n\t"
4776 "jmp 2b \n\t"
4777 ".popsection \n\t"
4778 _ASM_EXTABLE(1b, 3b)
4779 : [fault]"+qm"(fault));
4780 ctxt->ops->put_fpu(ctxt);
4781
4782 if (unlikely(fault))
4783 return emulate_exception(ctxt, MF_VECTOR, 0, false);
4784
4785 return X86EMUL_CONTINUE;
4786 }
4787
4788 static void fetch_possible_mmx_operand(struct x86_emulate_ctxt *ctxt,
4789 struct operand *op)
4790 {
4791 if (op->type == OP_MM)
4792 read_mmx_reg(ctxt, &op->mm_val, op->addr.mm);
4793 }
4794
4795 static int fastop(struct x86_emulate_ctxt *ctxt, void (*fop)(struct fastop *))
4796 {
4797 ulong flags = (ctxt->eflags & EFLAGS_MASK) | X86_EFLAGS_IF;
4798 if (!(ctxt->d & ByteOp))
4799 fop += __ffs(ctxt->dst.bytes) * FASTOP_SIZE;
4800 asm("push %[flags]; popf; call *%[fastop]; pushf; pop %[flags]\n"
4801 : "+a"(ctxt->dst.val), "+d"(ctxt->src.val), [flags]"+D"(flags),
4802 [fastop]"+S"(fop)
4803 : "c"(ctxt->src2.val));
4804 ctxt->eflags = (ctxt->eflags & ~EFLAGS_MASK) | (flags & EFLAGS_MASK);
4805 if (!fop) /* exception is returned in fop variable */
4806 return emulate_de(ctxt);
4807 return X86EMUL_CONTINUE;
4808 }
4809
4810 void init_decode_cache(struct x86_emulate_ctxt *ctxt)
4811 {
4812 memset(&ctxt->rip_relative, 0,
4813 (void *)&ctxt->modrm - (void *)&ctxt->rip_relative);
4814
4815 ctxt->io_read.pos = 0;
4816 ctxt->io_read.end = 0;
4817 ctxt->mem_read.end = 0;
4818 }
4819
4820 int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
4821 {
4822 const struct x86_emulate_ops *ops = ctxt->ops;
4823 int rc = X86EMUL_CONTINUE;
4824 int saved_dst_type = ctxt->dst.type;
4825
4826 ctxt->mem_read.pos = 0;
4827
4828 /* LOCK prefix is allowed only with some instructions */
4829 if (ctxt->lock_prefix && (!(ctxt->d & Lock) || ctxt->dst.type != OP_MEM)) {
4830 rc = emulate_ud(ctxt);
4831 goto done;
4832 }
4833
4834 if ((ctxt->d & SrcMask) == SrcMemFAddr && ctxt->src.type != OP_MEM) {
4835 rc = emulate_ud(ctxt);
4836 goto done;
4837 }
4838
4839 if (unlikely(ctxt->d &
4840 (No64|Undefined|Sse|Mmx|Intercept|CheckPerm|Priv|Prot|String))) {
4841 if ((ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) ||
4842 (ctxt->d & Undefined)) {
4843 rc = emulate_ud(ctxt);
4844 goto done;
4845 }
4846
4847 if (((ctxt->d & (Sse|Mmx)) && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)))
4848 || ((ctxt->d & Sse) && !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
4849 rc = emulate_ud(ctxt);
4850 goto done;
4851 }
4852
4853 if ((ctxt->d & (Sse|Mmx)) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
4854 rc = emulate_nm(ctxt);
4855 goto done;
4856 }
4857
4858 if (ctxt->d & Mmx) {
4859 rc = flush_pending_x87_faults(ctxt);
4860 if (rc != X86EMUL_CONTINUE)
4861 goto done;
4862 /*
4863 * Now that we know the fpu is exception safe, we can fetch
4864 * operands from it.
4865 */
4866 fetch_possible_mmx_operand(ctxt, &ctxt->src);
4867 fetch_possible_mmx_operand(ctxt, &ctxt->src2);
4868 if (!(ctxt->d & Mov))
4869 fetch_possible_mmx_operand(ctxt, &ctxt->dst);
4870 }
4871
4872 if (unlikely(ctxt->guest_mode) && (ctxt->d & Intercept)) {
4873 rc = emulator_check_intercept(ctxt, ctxt->intercept,
4874 X86_ICPT_PRE_EXCEPT);
4875 if (rc != X86EMUL_CONTINUE)
4876 goto done;
4877 }
4878
4879 /* Instruction can only be executed in protected mode */
4880 if ((ctxt->d & Prot) && ctxt->mode < X86EMUL_MODE_PROT16) {
4881 rc = emulate_ud(ctxt);
4882 goto done;
4883 }
4884
4885 /* Privileged instruction can be executed only in CPL=0 */
4886 if ((ctxt->d & Priv) && ops->cpl(ctxt)) {
4887 if (ctxt->d & PrivUD)
4888 rc = emulate_ud(ctxt);
4889 else
4890 rc = emulate_gp(ctxt, 0);
4891 goto done;
4892 }
4893
4894 /* Do instruction specific permission checks */
4895 if (ctxt->d & CheckPerm) {
4896 rc = ctxt->check_perm(ctxt);
4897 if (rc != X86EMUL_CONTINUE)
4898 goto done;
4899 }
4900
4901 if (unlikely(ctxt->guest_mode) && (ctxt->d & Intercept)) {
4902 rc = emulator_check_intercept(ctxt, ctxt->intercept,
4903 X86_ICPT_POST_EXCEPT);
4904 if (rc != X86EMUL_CONTINUE)
4905 goto done;
4906 }
4907
4908 if (ctxt->rep_prefix && (ctxt->d & String)) {
4909 /* All REP prefixes have the same first termination condition */
4910 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0) {
4911 ctxt->eip = ctxt->_eip;
4912 ctxt->eflags &= ~EFLG_RF;
4913 goto done;
4914 }
4915 }
4916 }
4917
4918 if ((ctxt->src.type == OP_MEM) && !(ctxt->d & NoAccess)) {
4919 rc = segmented_read(ctxt, ctxt->src.addr.mem,
4920 ctxt->src.valptr, ctxt->src.bytes);
4921 if (rc != X86EMUL_CONTINUE)
4922 goto done;
4923 ctxt->src.orig_val64 = ctxt->src.val64;
4924 }
4925
4926 if (ctxt->src2.type == OP_MEM) {
4927 rc = segmented_read(ctxt, ctxt->src2.addr.mem,
4928 &ctxt->src2.val, ctxt->src2.bytes);
4929 if (rc != X86EMUL_CONTINUE)
4930 goto done;
4931 }
4932
4933 if ((ctxt->d & DstMask) == ImplicitOps)
4934 goto special_insn;
4935
4936
4937 if ((ctxt->dst.type == OP_MEM) && !(ctxt->d & Mov)) {
4938 /* optimisation - avoid slow emulated read if Mov */
4939 rc = segmented_read(ctxt, ctxt->dst.addr.mem,
4940 &ctxt->dst.val, ctxt->dst.bytes);
4941 if (rc != X86EMUL_CONTINUE) {
4942 if (rc == X86EMUL_PROPAGATE_FAULT &&
4943 ctxt->exception.vector == PF_VECTOR)
4944 ctxt->exception.error_code |= PFERR_WRITE_MASK;
4945 goto done;
4946 }
4947 }
4948 ctxt->dst.orig_val = ctxt->dst.val;
4949
4950 special_insn:
4951
4952 if (unlikely(ctxt->guest_mode) && (ctxt->d & Intercept)) {
4953 rc = emulator_check_intercept(ctxt, ctxt->intercept,
4954 X86_ICPT_POST_MEMACCESS);
4955 if (rc != X86EMUL_CONTINUE)
4956 goto done;
4957 }
4958
4959 if (ctxt->rep_prefix && (ctxt->d & String))
4960 ctxt->eflags |= EFLG_RF;
4961 else
4962 ctxt->eflags &= ~EFLG_RF;
4963
4964 if (ctxt->execute) {
4965 if (ctxt->d & Fastop) {
4966 void (*fop)(struct fastop *) = (void *)ctxt->execute;
4967 rc = fastop(ctxt, fop);
4968 if (rc != X86EMUL_CONTINUE)
4969 goto done;
4970 goto writeback;
4971 }
4972 rc = ctxt->execute(ctxt);
4973 if (rc != X86EMUL_CONTINUE)
4974 goto done;
4975 goto writeback;
4976 }
4977
4978 if (ctxt->opcode_len == 2)
4979 goto twobyte_insn;
4980 else if (ctxt->opcode_len == 3)
4981 goto threebyte_insn;
4982
4983 switch (ctxt->b) {
4984 case 0x70 ... 0x7f: /* jcc (short) */
4985 if (test_cc(ctxt->b, ctxt->eflags))
4986 rc = jmp_rel(ctxt, ctxt->src.val);
4987 break;
4988 case 0x8d: /* lea r16/r32, m */
4989 ctxt->dst.val = ctxt->src.addr.mem.ea;
4990 break;
4991 case 0x90 ... 0x97: /* nop / xchg reg, rax */
4992 if (ctxt->dst.addr.reg == reg_rmw(ctxt, VCPU_REGS_RAX))
4993 ctxt->dst.type = OP_NONE;
4994 else
4995 rc = em_xchg(ctxt);
4996 break;
4997 case 0x98: /* cbw/cwde/cdqe */
4998 switch (ctxt->op_bytes) {
4999 case 2: ctxt->dst.val = (s8)ctxt->dst.val; break;
5000 case 4: ctxt->dst.val = (s16)ctxt->dst.val; break;
5001 case 8: ctxt->dst.val = (s32)ctxt->dst.val; break;
5002 }
5003 break;
5004 case 0xcc: /* int3 */
5005 rc = emulate_int(ctxt, 3);
5006 break;
5007 case 0xcd: /* int n */
5008 rc = emulate_int(ctxt, ctxt->src.val);
5009 break;
5010 case 0xce: /* into */
5011 if (ctxt->eflags & EFLG_OF)
5012 rc = emulate_int(ctxt, 4);
5013 break;
5014 case 0xe9: /* jmp rel */
5015 case 0xeb: /* jmp rel short */
5016 rc = jmp_rel(ctxt, ctxt->src.val);
5017 ctxt->dst.type = OP_NONE; /* Disable writeback. */
5018 break;
5019 case 0xf4: /* hlt */
5020 ctxt->ops->halt(ctxt);
5021 break;
5022 case 0xf5: /* cmc */
5023 /* complement carry flag from eflags reg */
5024 ctxt->eflags ^= EFLG_CF;
5025 break;
5026 case 0xf8: /* clc */
5027 ctxt->eflags &= ~EFLG_CF;
5028 break;
5029 case 0xf9: /* stc */
5030 ctxt->eflags |= EFLG_CF;
5031 break;
5032 case 0xfc: /* cld */
5033 ctxt->eflags &= ~EFLG_DF;
5034 break;
5035 case 0xfd: /* std */
5036 ctxt->eflags |= EFLG_DF;
5037 break;
5038 default:
5039 goto cannot_emulate;
5040 }
5041
5042 if (rc != X86EMUL_CONTINUE)
5043 goto done;
5044
5045 writeback:
5046 if (ctxt->d & SrcWrite) {
5047 BUG_ON(ctxt->src.type == OP_MEM || ctxt->src.type == OP_MEM_STR);
5048 rc = writeback(ctxt, &ctxt->src);
5049 if (rc != X86EMUL_CONTINUE)
5050 goto done;
5051 }
5052 if (!(ctxt->d & NoWrite)) {
5053 rc = writeback(ctxt, &ctxt->dst);
5054 if (rc != X86EMUL_CONTINUE)
5055 goto done;
5056 }
5057
5058 /*
5059 * restore dst type in case the decoding will be reused
5060 * (happens for string instruction )
5061 */
5062 ctxt->dst.type = saved_dst_type;
5063
5064 if ((ctxt->d & SrcMask) == SrcSI)
5065 string_addr_inc(ctxt, VCPU_REGS_RSI, &ctxt->src);
5066
5067 if ((ctxt->d & DstMask) == DstDI)
5068 string_addr_inc(ctxt, VCPU_REGS_RDI, &ctxt->dst);
5069
5070 if (ctxt->rep_prefix && (ctxt->d & String)) {
5071 unsigned int count;
5072 struct read_cache *r = &ctxt->io_read;
5073 if ((ctxt->d & SrcMask) == SrcSI)
5074 count = ctxt->src.count;
5075 else
5076 count = ctxt->dst.count;
5077 register_address_increment(ctxt, VCPU_REGS_RCX, -count);
5078
5079 if (!string_insn_completed(ctxt)) {
5080 /*
5081 * Re-enter guest when pio read ahead buffer is empty
5082 * or, if it is not used, after each 1024 iteration.
5083 */
5084 if ((r->end != 0 || reg_read(ctxt, VCPU_REGS_RCX) & 0x3ff) &&
5085 (r->end == 0 || r->end != r->pos)) {
5086 /*
5087 * Reset read cache. Usually happens before
5088 * decode, but since instruction is restarted
5089 * we have to do it here.
5090 */
5091 ctxt->mem_read.end = 0;
5092 writeback_registers(ctxt);
5093 return EMULATION_RESTART;
5094 }
5095 goto done; /* skip rip writeback */
5096 }
5097 ctxt->eflags &= ~EFLG_RF;
5098 }
5099
5100 ctxt->eip = ctxt->_eip;
5101
5102 done:
5103 if (rc == X86EMUL_PROPAGATE_FAULT) {
5104 WARN_ON(ctxt->exception.vector > 0x1f);
5105 ctxt->have_exception = true;
5106 }
5107 if (rc == X86EMUL_INTERCEPTED)
5108 return EMULATION_INTERCEPTED;
5109
5110 if (rc == X86EMUL_CONTINUE)
5111 writeback_registers(ctxt);
5112
5113 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
5114
5115 twobyte_insn:
5116 switch (ctxt->b) {
5117 case 0x09: /* wbinvd */
5118 (ctxt->ops->wbinvd)(ctxt);
5119 break;
5120 case 0x08: /* invd */
5121 case 0x0d: /* GrpP (prefetch) */
5122 case 0x18: /* Grp16 (prefetch/nop) */
5123 case 0x1f: /* nop */
5124 break;
5125 case 0x20: /* mov cr, reg */
5126 ctxt->dst.val = ops->get_cr(ctxt, ctxt->modrm_reg);
5127 break;
5128 case 0x21: /* mov from dr to reg */
5129 ops->get_dr(ctxt, ctxt->modrm_reg, &ctxt->dst.val);
5130 break;
5131 case 0x40 ... 0x4f: /* cmov */
5132 if (test_cc(ctxt->b, ctxt->eflags))
5133 ctxt->dst.val = ctxt->src.val;
5134 else if (ctxt->mode != X86EMUL_MODE_PROT64 ||
5135 ctxt->op_bytes != 4)
5136 ctxt->dst.type = OP_NONE; /* no writeback */
5137 break;
5138 case 0x80 ... 0x8f: /* jnz rel, etc*/
5139 if (test_cc(ctxt->b, ctxt->eflags))
5140 rc = jmp_rel(ctxt, ctxt->src.val);
5141 break;
5142 case 0x90 ... 0x9f: /* setcc r/m8 */
5143 ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
5144 break;
5145 case 0xb6 ... 0xb7: /* movzx */
5146 ctxt->dst.bytes = ctxt->op_bytes;
5147 ctxt->dst.val = (ctxt->src.bytes == 1) ? (u8) ctxt->src.val
5148 : (u16) ctxt->src.val;
5149 break;
5150 case 0xbe ... 0xbf: /* movsx */
5151 ctxt->dst.bytes = ctxt->op_bytes;
5152 ctxt->dst.val = (ctxt->src.bytes == 1) ? (s8) ctxt->src.val :
5153 (s16) ctxt->src.val;
5154 break;
5155 default:
5156 goto cannot_emulate;
5157 }
5158
5159 threebyte_insn:
5160
5161 if (rc != X86EMUL_CONTINUE)
5162 goto done;
5163
5164 goto writeback;
5165
5166 cannot_emulate:
5167 return EMULATION_FAILED;
5168 }
5169
5170 void emulator_invalidate_register_cache(struct x86_emulate_ctxt *ctxt)
5171 {
5172 invalidate_registers(ctxt);
5173 }
5174
5175 void emulator_writeback_register_cache(struct x86_emulate_ctxt *ctxt)
5176 {
5177 writeback_registers(ctxt);
5178 }
ubuntu-bionic-kernel mirror