search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
[cris-mirror.git] / arch / x86 / kvm / emulate.c
blobd91eaeb010347b2e013702441ae25032747c0918
1 /******************************************************************************
2 * emulate.c
3 *
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5 *
6 * Copyright (c) 2005 Keir Fraser
7 *
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
10 *
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
13 *
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
16 *
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
19 *
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
21 */
22
23 #include <linux/kvm_host.h>
24 #include "kvm_cache_regs.h"
25 #include <asm/kvm_emulate.h>
26 #include <linux/stringify.h>
27 #include <asm/debugreg.h>
28 #include <asm/nospec-branch.h>
29
30 #include "x86.h"
31 #include "tss.h"
32 #include "mmu.h"
33
34 /*
35 * Operand types
36 */
37 #define OpNone 0ull
38 #define OpImplicit 1ull /* No generic decode */
39 #define OpReg 2ull /* Register */
40 #define OpMem 3ull /* Memory */
41 #define OpAcc 4ull /* Accumulator: AL/AX/EAX/RAX */
42 #define OpDI 5ull /* ES:DI/EDI/RDI */
43 #define OpMem64 6ull /* Memory, 64-bit */
44 #define OpImmUByte 7ull /* Zero-extended 8-bit immediate */
45 #define OpDX 8ull /* DX register */
46 #define OpCL 9ull /* CL register (for shifts) */
47 #define OpImmByte 10ull /* 8-bit sign extended immediate */
48 #define OpOne 11ull /* Implied 1 */
49 #define OpImm 12ull /* Sign extended up to 32-bit immediate */
50 #define OpMem16 13ull /* Memory operand (16-bit). */
51 #define OpMem32 14ull /* Memory operand (32-bit). */
52 #define OpImmU 15ull /* Immediate operand, zero extended */
53 #define OpSI 16ull /* SI/ESI/RSI */
54 #define OpImmFAddr 17ull /* Immediate far address */
55 #define OpMemFAddr 18ull /* Far address in memory */
56 #define OpImmU16 19ull /* Immediate operand, 16 bits, zero extended */
57 #define OpES 20ull /* ES */
58 #define OpCS 21ull /* CS */
59 #define OpSS 22ull /* SS */
60 #define OpDS 23ull /* DS */
61 #define OpFS 24ull /* FS */
62 #define OpGS 25ull /* GS */
63 #define OpMem8 26ull /* 8-bit zero extended memory operand */
64 #define OpImm64 27ull /* Sign extended 16/32/64-bit immediate */
65 #define OpXLat 28ull /* memory at BX/EBX/RBX + zero-extended AL */
66 #define OpAccLo 29ull /* Low part of extended acc (AX/AX/EAX/RAX) */
67 #define OpAccHi 30ull /* High part of extended acc (-/DX/EDX/RDX) */
68
69 #define OpBits 5 /* Width of operand field */
70 #define OpMask ((1ull << OpBits) - 1)
71
72 /*
73 * Opcode effective-address decode tables.
74 * Note that we only emulate instructions that have at least one memory
75 * operand (excluding implicit stack references). We assume that stack
76 * references and instruction fetches will never occur in special memory
77 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
78 * not be handled.
79 */
80
81 /* Operand sizes: 8-bit operands or specified/overridden size. */
82 #define ByteOp (1<<0) /* 8-bit operands. */
83 /* Destination operand type. */
84 #define DstShift 1
85 #define ImplicitOps (OpImplicit << DstShift)
86 #define DstReg (OpReg << DstShift)
87 #define DstMem (OpMem << DstShift)
88 #define DstAcc (OpAcc << DstShift)
89 #define DstDI (OpDI << DstShift)
90 #define DstMem64 (OpMem64 << DstShift)
91 #define DstMem16 (OpMem16 << DstShift)
92 #define DstImmUByte (OpImmUByte << DstShift)
93 #define DstDX (OpDX << DstShift)
94 #define DstAccLo (OpAccLo << DstShift)
95 #define DstMask (OpMask << DstShift)
96 /* Source operand type. */
97 #define SrcShift 6
98 #define SrcNone (OpNone << SrcShift)
99 #define SrcReg (OpReg << SrcShift)
100 #define SrcMem (OpMem << SrcShift)
101 #define SrcMem16 (OpMem16 << SrcShift)
102 #define SrcMem32 (OpMem32 << SrcShift)
103 #define SrcImm (OpImm << SrcShift)
104 #define SrcImmByte (OpImmByte << SrcShift)
105 #define SrcOne (OpOne << SrcShift)
106 #define SrcImmUByte (OpImmUByte << SrcShift)
107 #define SrcImmU (OpImmU << SrcShift)
108 #define SrcSI (OpSI << SrcShift)
109 #define SrcXLat (OpXLat << SrcShift)
110 #define SrcImmFAddr (OpImmFAddr << SrcShift)
111 #define SrcMemFAddr (OpMemFAddr << SrcShift)
112 #define SrcAcc (OpAcc << SrcShift)
113 #define SrcImmU16 (OpImmU16 << SrcShift)
114 #define SrcImm64 (OpImm64 << SrcShift)
115 #define SrcDX (OpDX << SrcShift)
116 #define SrcMem8 (OpMem8 << SrcShift)
117 #define SrcAccHi (OpAccHi << SrcShift)
118 #define SrcMask (OpMask << SrcShift)
119 #define BitOp (1<<11)
120 #define MemAbs (1<<12) /* Memory operand is absolute displacement */
121 #define String (1<<13) /* String instruction (rep capable) */
122 #define Stack (1<<14) /* Stack instruction (push/pop) */
123 #define GroupMask (7<<15) /* Opcode uses one of the group mechanisms */
124 #define Group (1<<15) /* Bits 3:5 of modrm byte extend opcode */
125 #define GroupDual (2<<15) /* Alternate decoding of mod == 3 */
126 #define Prefix (3<<15) /* Instruction varies with 66/f2/f3 prefix */
127 #define RMExt (4<<15) /* Opcode extension in ModRM r/m if mod == 3 */
128 #define Escape (5<<15) /* Escape to coprocessor instruction */
129 #define InstrDual (6<<15) /* Alternate instruction decoding of mod == 3 */
130 #define ModeDual (7<<15) /* Different instruction for 32/64 bit */
131 #define Sse (1<<18) /* SSE Vector instruction */
132 /* Generic ModRM decode. */
133 #define ModRM (1<<19)
134 /* Destination is only written; never read. */
135 #define Mov (1<<20)
136 /* Misc flags */
137 #define Prot (1<<21) /* instruction generates #UD if not in prot-mode */
138 #define EmulateOnUD (1<<22) /* Emulate if unsupported by the host */
139 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
140 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
141 #define Undefined (1<<25) /* No Such Instruction */
142 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
143 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
144 #define No64 (1<<28)
145 #define PageTable (1 << 29) /* instruction used to write page table */
146 #define NotImpl (1 << 30) /* instruction is not implemented */
147 /* Source 2 operand type */
148 #define Src2Shift (31)
149 #define Src2None (OpNone << Src2Shift)
150 #define Src2Mem (OpMem << Src2Shift)
151 #define Src2CL (OpCL << Src2Shift)
152 #define Src2ImmByte (OpImmByte << Src2Shift)
153 #define Src2One (OpOne << Src2Shift)
154 #define Src2Imm (OpImm << Src2Shift)
155 #define Src2ES (OpES << Src2Shift)
156 #define Src2CS (OpCS << Src2Shift)
157 #define Src2SS (OpSS << Src2Shift)
158 #define Src2DS (OpDS << Src2Shift)
159 #define Src2FS (OpFS << Src2Shift)
160 #define Src2GS (OpGS << Src2Shift)
161 #define Src2Mask (OpMask << Src2Shift)
162 #define Mmx ((u64)1 << 40) /* MMX Vector instruction */
163 #define AlignMask ((u64)7 << 41)
164 #define Aligned ((u64)1 << 41) /* Explicitly aligned (e.g. MOVDQA) */
165 #define Unaligned ((u64)2 << 41) /* Explicitly unaligned (e.g. MOVDQU) */
166 #define Avx ((u64)3 << 41) /* Advanced Vector Extensions */
167 #define Aligned16 ((u64)4 << 41) /* Aligned to 16 byte boundary (e.g. FXSAVE) */
168 #define Fastop ((u64)1 << 44) /* Use opcode::u.fastop */
169 #define NoWrite ((u64)1 << 45) /* No writeback */
170 #define SrcWrite ((u64)1 << 46) /* Write back src operand */
171 #define NoMod ((u64)1 << 47) /* Mod field is ignored */
172 #define Intercept ((u64)1 << 48) /* Has valid intercept field */
173 #define CheckPerm ((u64)1 << 49) /* Has valid check_perm field */
174 #define PrivUD ((u64)1 << 51) /* #UD instead of #GP on CPL > 0 */
175 #define NearBranch ((u64)1 << 52) /* Near branches */
176 #define No16 ((u64)1 << 53) /* No 16 bit operand */
177 #define IncSP ((u64)1 << 54) /* SP is incremented before ModRM calc */
178 #define TwoMemOp ((u64)1 << 55) /* Instruction has two memory operand */
179
180 #define DstXacc (DstAccLo | SrcAccHi | SrcWrite)
181
182 #define X2(x...) x, x
183 #define X3(x...) X2(x), x
184 #define X4(x...) X2(x), X2(x)
185 #define X5(x...) X4(x), x
186 #define X6(x...) X4(x), X2(x)
187 #define X7(x...) X4(x), X3(x)
188 #define X8(x...) X4(x), X4(x)
189 #define X16(x...) X8(x), X8(x)
190
191 #define NR_FASTOP (ilog2(sizeof(ulong)) + 1)
192 #define FASTOP_SIZE 8
193
194 /*
195 * fastop functions have a special calling convention:
196 *
197 * dst: rax (in/out)
198 * src: rdx (in/out)
199 * src2: rcx (in)
200 * flags: rflags (in/out)
201 * ex: rsi (in:fastop pointer, out:zero if exception)
202 *
203 * Moreover, they are all exactly FASTOP_SIZE bytes long, so functions for
204 * different operand sizes can be reached by calculation, rather than a jump
205 * table (which would be bigger than the code).
206 *
207 * fastop functions are declared as taking a never-defined fastop parameter,
208 * so they can't be called from C directly.
209 */
210
211 struct fastop;
212
213 struct opcode {
214 u64 flags : 56;
215 u64 intercept : 8;
216 union {
217 int (*execute)(struct x86_emulate_ctxt *ctxt);
218 const struct opcode *group;
219 const struct group_dual *gdual;
220 const struct gprefix *gprefix;
221 const struct escape *esc;
222 const struct instr_dual *idual;
223 const struct mode_dual *mdual;
224 void (*fastop)(struct fastop *fake);
225 } u;
226 int (*check_perm)(struct x86_emulate_ctxt *ctxt);
227 };
228
229 struct group_dual {
230 struct opcode mod012[8];
231 struct opcode mod3[8];
232 };
233
234 struct gprefix {
235 struct opcode pfx_no;
236 struct opcode pfx_66;
237 struct opcode pfx_f2;
238 struct opcode pfx_f3;
239 };
240
241 struct escape {
242 struct opcode op[8];
243 struct opcode high[64];
244 };
245
246 struct instr_dual {
247 struct opcode mod012;
248 struct opcode mod3;
249 };
250
251 struct mode_dual {
252 struct opcode mode32;
253 struct opcode mode64;
254 };
255
256 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
257
258 enum x86_transfer_type {
259 X86_TRANSFER_NONE,
260 X86_TRANSFER_CALL_JMP,
261 X86_TRANSFER_RET,
262 X86_TRANSFER_TASK_SWITCH,
263 };
264
265 static ulong reg_read(struct x86_emulate_ctxt *ctxt, unsigned nr)
266 {
267 if (!(ctxt->regs_valid & (1 << nr))) {
268 ctxt->regs_valid |= 1 << nr;
269 ctxt->_regs[nr] = ctxt->ops->read_gpr(ctxt, nr);
270 }
271 return ctxt->_regs[nr];
272 }
273
274 static ulong *reg_write(struct x86_emulate_ctxt *ctxt, unsigned nr)
275 {
276 ctxt->regs_valid |= 1 << nr;
277 ctxt->regs_dirty |= 1 << nr;
278 return &ctxt->_regs[nr];
279 }
280
281 static ulong *reg_rmw(struct x86_emulate_ctxt *ctxt, unsigned nr)
282 {
283 reg_read(ctxt, nr);
284 return reg_write(ctxt, nr);
285 }
286
287 static void writeback_registers(struct x86_emulate_ctxt *ctxt)
288 {
289 unsigned reg;
290
291 for_each_set_bit(reg, (ulong *)&ctxt->regs_dirty, 16)
292 ctxt->ops->write_gpr(ctxt, reg, ctxt->_regs[reg]);
293 }
294
295 static void invalidate_registers(struct x86_emulate_ctxt *ctxt)
296 {
297 ctxt->regs_dirty = 0;
298 ctxt->regs_valid = 0;
299 }
300
301 /*
302 * These EFLAGS bits are restored from saved value during emulation, and
303 * any changes are written back to the saved value after emulation.
304 */
305 #define EFLAGS_MASK (X86_EFLAGS_OF|X86_EFLAGS_SF|X86_EFLAGS_ZF|X86_EFLAGS_AF|\
306 X86_EFLAGS_PF|X86_EFLAGS_CF)
307
308 #ifdef CONFIG_X86_64
309 #define ON64(x) x
310 #else
311 #define ON64(x)
312 #endif
313
314 static int fastop(struct x86_emulate_ctxt *ctxt, void (*fop)(struct fastop *));
315
316 #define FOP_FUNC(name) \
317 ".align " __stringify(FASTOP_SIZE) " \n\t" \
318 ".type " name ", @function \n\t" \
319 name ":\n\t"
320
321 #define FOP_RET "ret \n\t"
322
323 #define FOP_START(op) \
324 extern void em_##op(struct fastop *fake); \
325 asm(".pushsection .text, \"ax\" \n\t" \
326 ".global em_" #op " \n\t" \
327 FOP_FUNC("em_" #op)
328
329 #define FOP_END \
330 ".popsection")
331
332 #define FOPNOP() \
333 FOP_FUNC(__stringify(__UNIQUE_ID(nop))) \
334 FOP_RET
335
336 #define FOP1E(op, dst) \
337 FOP_FUNC(#op "_" #dst) \
338 "10: " #op " %" #dst " \n\t" FOP_RET
339
340 #define FOP1EEX(op, dst) \
341 FOP1E(op, dst) _ASM_EXTABLE(10b, kvm_fastop_exception)
342
343 #define FASTOP1(op) \
344 FOP_START(op) \
345 FOP1E(op##b, al) \
346 FOP1E(op##w, ax) \
347 FOP1E(op##l, eax) \
348 ON64(FOP1E(op##q, rax)) \
349 FOP_END
350
351 /* 1-operand, using src2 (for MUL/DIV r/m) */
352 #define FASTOP1SRC2(op, name) \
353 FOP_START(name) \
354 FOP1E(op, cl) \
355 FOP1E(op, cx) \
356 FOP1E(op, ecx) \
357 ON64(FOP1E(op, rcx)) \
358 FOP_END
359
360 /* 1-operand, using src2 (for MUL/DIV r/m), with exceptions */
361 #define FASTOP1SRC2EX(op, name) \
362 FOP_START(name) \
363 FOP1EEX(op, cl) \
364 FOP1EEX(op, cx) \
365 FOP1EEX(op, ecx) \
366 ON64(FOP1EEX(op, rcx)) \
367 FOP_END
368
369 #define FOP2E(op, dst, src) \
370 FOP_FUNC(#op "_" #dst "_" #src) \
371 #op " %" #src ", %" #dst " \n\t" FOP_RET
372
373 #define FASTOP2(op) \
374 FOP_START(op) \
375 FOP2E(op##b, al, dl) \
376 FOP2E(op##w, ax, dx) \
377 FOP2E(op##l, eax, edx) \
378 ON64(FOP2E(op##q, rax, rdx)) \
379 FOP_END
380
381 /* 2 operand, word only */
382 #define FASTOP2W(op) \
383 FOP_START(op) \
384 FOPNOP() \
385 FOP2E(op##w, ax, dx) \
386 FOP2E(op##l, eax, edx) \
387 ON64(FOP2E(op##q, rax, rdx)) \
388 FOP_END
389
390 /* 2 operand, src is CL */
391 #define FASTOP2CL(op) \
392 FOP_START(op) \
393 FOP2E(op##b, al, cl) \
394 FOP2E(op##w, ax, cl) \
395 FOP2E(op##l, eax, cl) \
396 ON64(FOP2E(op##q, rax, cl)) \
397 FOP_END
398
399 /* 2 operand, src and dest are reversed */
400 #define FASTOP2R(op, name) \
401 FOP_START(name) \
402 FOP2E(op##b, dl, al) \
403 FOP2E(op##w, dx, ax) \
404 FOP2E(op##l, edx, eax) \
405 ON64(FOP2E(op##q, rdx, rax)) \
406 FOP_END
407
408 #define FOP3E(op, dst, src, src2) \
409 FOP_FUNC(#op "_" #dst "_" #src "_" #src2) \
410 #op " %" #src2 ", %" #src ", %" #dst " \n\t" FOP_RET
411
412 /* 3-operand, word-only, src2=cl */
413 #define FASTOP3WCL(op) \
414 FOP_START(op) \
415 FOPNOP() \
416 FOP3E(op##w, ax, dx, cl) \
417 FOP3E(op##l, eax, edx, cl) \
418 ON64(FOP3E(op##q, rax, rdx, cl)) \
419 FOP_END
420
421 /* Special case for SETcc - 1 instruction per cc */
422 #define FOP_SETCC(op) \
423 ".align 4 \n\t" \
424 ".type " #op ", @function \n\t" \
425 #op ": \n\t" \
426 #op " %al \n\t" \
427 FOP_RET
428
429 asm(".pushsection .fixup, \"ax\"\n"
430 ".global kvm_fastop_exception \n"
431 "kvm_fastop_exception: xor %esi, %esi; ret\n"
432 ".popsection");
433
434 FOP_START(setcc)
435 FOP_SETCC(seto)
436 FOP_SETCC(setno)
437 FOP_SETCC(setc)
438 FOP_SETCC(setnc)
439 FOP_SETCC(setz)
440 FOP_SETCC(setnz)
441 FOP_SETCC(setbe)
442 FOP_SETCC(setnbe)
443 FOP_SETCC(sets)
444 FOP_SETCC(setns)
445 FOP_SETCC(setp)
446 FOP_SETCC(setnp)
447 FOP_SETCC(setl)
448 FOP_SETCC(setnl)
449 FOP_SETCC(setle)
450 FOP_SETCC(setnle)
451 FOP_END;
452
453 FOP_START(salc) "pushf; sbb %al, %al; popf \n\t" FOP_RET
454 FOP_END;
455
456 /*
457 * XXX: inoutclob user must know where the argument is being expanded.
458 * Relying on CC_HAVE_ASM_GOTO would allow us to remove _fault.
459 */
460 #define asm_safe(insn, inoutclob...) \
461 ({ \
462 int _fault = 0; \
463 \
464 asm volatile("1:" insn "\n" \
465 "2:\n" \
466 ".pushsection .fixup, \"ax\"\n" \
467 "3: movl $1, %[_fault]\n" \
468 " jmp 2b\n" \
469 ".popsection\n" \
470 _ASM_EXTABLE(1b, 3b) \
471 : [_fault] "+qm"(_fault) inoutclob ); \
472 \
473 _fault ? X86EMUL_UNHANDLEABLE : X86EMUL_CONTINUE; \
474 })
475
476 static int emulator_check_intercept(struct x86_emulate_ctxt *ctxt,
477 enum x86_intercept intercept,
478 enum x86_intercept_stage stage)
479 {
480 struct x86_instruction_info info = {
481 .intercept = intercept,
482 .rep_prefix = ctxt->rep_prefix,
483 .modrm_mod = ctxt->modrm_mod,
484 .modrm_reg = ctxt->modrm_reg,
485 .modrm_rm = ctxt->modrm_rm,
486 .src_val = ctxt->src.val64,
487 .dst_val = ctxt->dst.val64,
488 .src_bytes = ctxt->src.bytes,
489 .dst_bytes = ctxt->dst.bytes,
490 .ad_bytes = ctxt->ad_bytes,
491 .next_rip = ctxt->eip,
492 };
493
494 return ctxt->ops->intercept(ctxt, &info, stage);
495 }
496
497 static void assign_masked(ulong *dest, ulong src, ulong mask)
498 {
499 *dest = (*dest & ~mask) | (src & mask);
500 }
501
502 static void assign_register(unsigned long *reg, u64 val, int bytes)
503 {
504 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
505 switch (bytes) {
506 case 1:
507 *(u8 *)reg = (u8)val;
508 break;
509 case 2:
510 *(u16 *)reg = (u16)val;
511 break;
512 case 4:
513 *reg = (u32)val;
514 break; /* 64b: zero-extend */
515 case 8:
516 *reg = val;
517 break;
518 }
519 }
520
521 static inline unsigned long ad_mask(struct x86_emulate_ctxt *ctxt)
522 {
523 return (1UL << (ctxt->ad_bytes << 3)) - 1;
524 }
525
526 static ulong stack_mask(struct x86_emulate_ctxt *ctxt)
527 {
528 u16 sel;
529 struct desc_struct ss;
530
531 if (ctxt->mode == X86EMUL_MODE_PROT64)
532 return ~0UL;
533 ctxt->ops->get_segment(ctxt, &sel, &ss, NULL, VCPU_SREG_SS);
534 return ~0U >> ((ss.d ^ 1) * 16); /* d=0: 0xffff; d=1: 0xffffffff */
535 }
536
537 static int stack_size(struct x86_emulate_ctxt *ctxt)
538 {
539 return (__fls(stack_mask(ctxt)) + 1) >> 3;
540 }
541
542 /* Access/update address held in a register, based on addressing mode. */
543 static inline unsigned long
544 address_mask(struct x86_emulate_ctxt *ctxt, unsigned long reg)
545 {
546 if (ctxt->ad_bytes == sizeof(unsigned long))
547 return reg;
548 else
549 return reg & ad_mask(ctxt);
550 }
551
552 static inline unsigned long
553 register_address(struct x86_emulate_ctxt *ctxt, int reg)
554 {
555 return address_mask(ctxt, reg_read(ctxt, reg));
556 }
557
558 static void masked_increment(ulong *reg, ulong mask, int inc)
559 {
560 assign_masked(reg, *reg + inc, mask);
561 }
562
563 static inline void
564 register_address_increment(struct x86_emulate_ctxt *ctxt, int reg, int inc)
565 {
566 ulong *preg = reg_rmw(ctxt, reg);
567
568 assign_register(preg, *preg + inc, ctxt->ad_bytes);
569 }
570
571 static void rsp_increment(struct x86_emulate_ctxt *ctxt, int inc)
572 {
573 masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc);
574 }
575
576 static u32 desc_limit_scaled(struct desc_struct *desc)
577 {
578 u32 limit = get_desc_limit(desc);
579
580 return desc->g ? (limit << 12) | 0xfff : limit;
581 }
582
583 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
584 {
585 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
586 return 0;
587
588 return ctxt->ops->get_cached_segment_base(ctxt, seg);
589 }
590
591 static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
592 u32 error, bool valid)
593 {
594 WARN_ON(vec > 0x1f);
595 ctxt->exception.vector = vec;
596 ctxt->exception.error_code = error;
597 ctxt->exception.error_code_valid = valid;
598 return X86EMUL_PROPAGATE_FAULT;
599 }
600
601 static int emulate_db(struct x86_emulate_ctxt *ctxt)
602 {
603 return emulate_exception(ctxt, DB_VECTOR, 0, false);
604 }
605
606 static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
607 {
608 return emulate_exception(ctxt, GP_VECTOR, err, true);
609 }
610
611 static int emulate_ss(struct x86_emulate_ctxt *ctxt, int err)
612 {
613 return emulate_exception(ctxt, SS_VECTOR, err, true);
614 }
615
616 static int emulate_ud(struct x86_emulate_ctxt *ctxt)
617 {
618 return emulate_exception(ctxt, UD_VECTOR, 0, false);
619 }
620
621 static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
622 {
623 return emulate_exception(ctxt, TS_VECTOR, err, true);
624 }
625
626 static int emulate_de(struct x86_emulate_ctxt *ctxt)
627 {
628 return emulate_exception(ctxt, DE_VECTOR, 0, false);
629 }
630
631 static int emulate_nm(struct x86_emulate_ctxt *ctxt)
632 {
633 return emulate_exception(ctxt, NM_VECTOR, 0, false);
634 }
635
636 static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
637 {
638 u16 selector;
639 struct desc_struct desc;
640
641 ctxt->ops->get_segment(ctxt, &selector, &desc, NULL, seg);
642 return selector;
643 }
644
645 static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
646 unsigned seg)
647 {
648 u16 dummy;
649 u32 base3;
650 struct desc_struct desc;
651
652 ctxt->ops->get_segment(ctxt, &dummy, &desc, &base3, seg);
653 ctxt->ops->set_segment(ctxt, selector, &desc, base3, seg);
654 }
655
656 /*
657 * x86 defines three classes of vector instructions: explicitly
658 * aligned, explicitly unaligned, and the rest, which change behaviour
659 * depending on whether they're AVX encoded or not.
660 *
661 * Also included is CMPXCHG16B which is not a vector instruction, yet it is
662 * subject to the same check. FXSAVE and FXRSTOR are checked here too as their
663 * 512 bytes of data must be aligned to a 16 byte boundary.
664 */
665 static unsigned insn_alignment(struct x86_emulate_ctxt *ctxt, unsigned size)
666 {
667 u64 alignment = ctxt->d & AlignMask;
668
669 if (likely(size < 16))
670 return 1;
671
672 switch (alignment) {
673 case Unaligned:
674 case Avx:
675 return 1;
676 case Aligned16:
677 return 16;
678 case Aligned:
679 default:
680 return size;
681 }
682 }
683
684 static __always_inline int __linearize(struct x86_emulate_ctxt *ctxt,
685 struct segmented_address addr,
686 unsigned *max_size, unsigned size,
687 bool write, bool fetch,
688 enum x86emul_mode mode, ulong *linear)
689 {
690 struct desc_struct desc;
691 bool usable;
692 ulong la;
693 u32 lim;
694 u16 sel;
695 u8 va_bits;
696
697 la = seg_base(ctxt, addr.seg) + addr.ea;
698 *max_size = 0;
699 switch (mode) {
700 case X86EMUL_MODE_PROT64:
701 *linear = la;
702 va_bits = ctxt_virt_addr_bits(ctxt);
703 if (get_canonical(la, va_bits) != la)
704 goto bad;
705
706 *max_size = min_t(u64, ~0u, (1ull << va_bits) - la);
707 if (size > *max_size)
708 goto bad;
709 break;
710 default:
711 *linear = la = (u32)la;
712 usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
713 addr.seg);
714 if (!usable)
715 goto bad;
716 /* code segment in protected mode or read-only data segment */
717 if ((((ctxt->mode != X86EMUL_MODE_REAL) && (desc.type & 8))
718 || !(desc.type & 2)) && write)
719 goto bad;
720 /* unreadable code segment */
721 if (!fetch && (desc.type & 8) && !(desc.type & 2))
722 goto bad;
723 lim = desc_limit_scaled(&desc);
724 if (!(desc.type & 8) && (desc.type & 4)) {
725 /* expand-down segment */
726 if (addr.ea <= lim)
727 goto bad;
728 lim = desc.d ? 0xffffffff : 0xffff;
729 }
730 if (addr.ea > lim)
731 goto bad;
732 if (lim == 0xffffffff)
733 *max_size = ~0u;
734 else {
735 *max_size = (u64)lim + 1 - addr.ea;
736 if (size > *max_size)
737 goto bad;
738 }
739 break;
740 }
741 if (la & (insn_alignment(ctxt, size) - 1))
742 return emulate_gp(ctxt, 0);
743 return X86EMUL_CONTINUE;
744 bad:
745 if (addr.seg == VCPU_SREG_SS)
746 return emulate_ss(ctxt, 0);
747 else
748 return emulate_gp(ctxt, 0);
749 }
750
751 static int linearize(struct x86_emulate_ctxt *ctxt,
752 struct segmented_address addr,
753 unsigned size, bool write,
754 ulong *linear)
755 {
756 unsigned max_size;
757 return __linearize(ctxt, addr, &max_size, size, write, false,
758 ctxt->mode, linear);
759 }
760
761 static inline int assign_eip(struct x86_emulate_ctxt *ctxt, ulong dst,
762 enum x86emul_mode mode)
763 {
764 ulong linear;
765 int rc;
766 unsigned max_size;
767 struct segmented_address addr = { .seg = VCPU_SREG_CS,
768 .ea = dst };
769
770 if (ctxt->op_bytes != sizeof(unsigned long))
771 addr.ea = dst & ((1UL << (ctxt->op_bytes << 3)) - 1);
772 rc = __linearize(ctxt, addr, &max_size, 1, false, true, mode, &linear);
773 if (rc == X86EMUL_CONTINUE)
774 ctxt->_eip = addr.ea;
775 return rc;
776 }
777
778 static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
779 {
780 return assign_eip(ctxt, dst, ctxt->mode);
781 }
782
783 static int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst,
784 const struct desc_struct *cs_desc)
785 {
786 enum x86emul_mode mode = ctxt->mode;
787 int rc;
788
789 #ifdef CONFIG_X86_64
790 if (ctxt->mode >= X86EMUL_MODE_PROT16) {
791 if (cs_desc->l) {
792 u64 efer = 0;
793
794 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
795 if (efer & EFER_LMA)
796 mode = X86EMUL_MODE_PROT64;
797 } else
798 mode = X86EMUL_MODE_PROT32; /* temporary value */
799 }
800 #endif
801 if (mode == X86EMUL_MODE_PROT16 || mode == X86EMUL_MODE_PROT32)
802 mode = cs_desc->d ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16;
803 rc = assign_eip(ctxt, dst, mode);
804 if (rc == X86EMUL_CONTINUE)
805 ctxt->mode = mode;
806 return rc;
807 }
808
809 static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
810 {
811 return assign_eip_near(ctxt, ctxt->_eip + rel);
812 }
813
814 static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
815 struct segmented_address addr,
816 void *data,
817 unsigned size)
818 {
819 int rc;
820 ulong linear;
821
822 rc = linearize(ctxt, addr, size, false, &linear);
823 if (rc != X86EMUL_CONTINUE)
824 return rc;
825 return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
826 }
827
828 static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
829 struct segmented_address addr,
830 void *data,
831 unsigned int size)
832 {
833 int rc;
834 ulong linear;
835
836 rc = linearize(ctxt, addr, size, true, &linear);
837 if (rc != X86EMUL_CONTINUE)
838 return rc;
839 return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
840 }
841
842 /*
843 * Prefetch the remaining bytes of the instruction without crossing page
844 * boundary if they are not in fetch_cache yet.
845 */
846 static int __do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt, int op_size)
847 {
848 int rc;
849 unsigned size, max_size;
850 unsigned long linear;
851 int cur_size = ctxt->fetch.end - ctxt->fetch.data;
852 struct segmented_address addr = { .seg = VCPU_SREG_CS,
853 .ea = ctxt->eip + cur_size };
854
855 /*
856 * We do not know exactly how many bytes will be needed, and
857 * __linearize is expensive, so fetch as much as possible. We
858 * just have to avoid going beyond the 15 byte limit, the end
859 * of the segment, or the end of the page.
860 *
861 * __linearize is called with size 0 so that it does not do any
862 * boundary check itself. Instead, we use max_size to check
863 * against op_size.
864 */
865 rc = __linearize(ctxt, addr, &max_size, 0, false, true, ctxt->mode,
866 &linear);
867 if (unlikely(rc != X86EMUL_CONTINUE))
868 return rc;
869
870 size = min_t(unsigned, 15UL ^ cur_size, max_size);
871 size = min_t(unsigned, size, PAGE_SIZE - offset_in_page(linear));
872
873 /*
874 * One instruction can only straddle two pages,
875 * and one has been loaded at the beginning of
876 * x86_decode_insn. So, if not enough bytes
877 * still, we must have hit the 15-byte boundary.
878 */
879 if (unlikely(size < op_size))
880 return emulate_gp(ctxt, 0);
881
882 rc = ctxt->ops->fetch(ctxt, linear, ctxt->fetch.end,
883 size, &ctxt->exception);
884 if (unlikely(rc != X86EMUL_CONTINUE))
885 return rc;
886 ctxt->fetch.end += size;
887 return X86EMUL_CONTINUE;
888 }
889
890 static __always_inline int do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt,
891 unsigned size)
892 {
893 unsigned done_size = ctxt->fetch.end - ctxt->fetch.ptr;
894
895 if (unlikely(done_size < size))
896 return __do_insn_fetch_bytes(ctxt, size - done_size);
897 else
898 return X86EMUL_CONTINUE;
899 }
900
901 /* Fetch next part of the instruction being emulated. */
902 #define insn_fetch(_type, _ctxt) \
903 ({ _type _x; \
904 \
905 rc = do_insn_fetch_bytes(_ctxt, sizeof(_type)); \
906 if (rc != X86EMUL_CONTINUE) \
907 goto done; \
908 ctxt->_eip += sizeof(_type); \
909 memcpy(&_x, ctxt->fetch.ptr, sizeof(_type)); \
910 ctxt->fetch.ptr += sizeof(_type); \
911 _x; \
912 })
913
914 #define insn_fetch_arr(_arr, _size, _ctxt) \
915 ({ \
916 rc = do_insn_fetch_bytes(_ctxt, _size); \
917 if (rc != X86EMUL_CONTINUE) \
918 goto done; \
919 ctxt->_eip += (_size); \
920 memcpy(_arr, ctxt->fetch.ptr, _size); \
921 ctxt->fetch.ptr += (_size); \
922 })
923
924 /*
925 * Given the 'reg' portion of a ModRM byte, and a register block, return a
926 * pointer into the block that addresses the relevant register.
927 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
928 */
929 static void *decode_register(struct x86_emulate_ctxt *ctxt, u8 modrm_reg,
930 int byteop)
931 {
932 void *p;
933 int highbyte_regs = (ctxt->rex_prefix == 0) && byteop;
934
935 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
936 p = (unsigned char *)reg_rmw(ctxt, modrm_reg & 3) + 1;
937 else
938 p = reg_rmw(ctxt, modrm_reg);
939 return p;
940 }
941
942 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
943 struct segmented_address addr,
944 u16 *size, unsigned long *address, int op_bytes)
945 {
946 int rc;
947
948 if (op_bytes == 2)
949 op_bytes = 3;
950 *address = 0;
951 rc = segmented_read_std(ctxt, addr, size, 2);
952 if (rc != X86EMUL_CONTINUE)
953 return rc;
954 addr.ea += 2;
955 rc = segmented_read_std(ctxt, addr, address, op_bytes);
956 return rc;
957 }
958
959 FASTOP2(add);
960 FASTOP2(or);
961 FASTOP2(adc);
962 FASTOP2(sbb);
963 FASTOP2(and);
964 FASTOP2(sub);
965 FASTOP2(xor);
966 FASTOP2(cmp);
967 FASTOP2(test);
968
969 FASTOP1SRC2(mul, mul_ex);
970 FASTOP1SRC2(imul, imul_ex);
971 FASTOP1SRC2EX(div, div_ex);
972 FASTOP1SRC2EX(idiv, idiv_ex);
973
974 FASTOP3WCL(shld);
975 FASTOP3WCL(shrd);
976
977 FASTOP2W(imul);
978
979 FASTOP1(not);
980 FASTOP1(neg);
981 FASTOP1(inc);
982 FASTOP1(dec);
983
984 FASTOP2CL(rol);
985 FASTOP2CL(ror);
986 FASTOP2CL(rcl);
987 FASTOP2CL(rcr);
988 FASTOP2CL(shl);
989 FASTOP2CL(shr);
990 FASTOP2CL(sar);
991
992 FASTOP2W(bsf);
993 FASTOP2W(bsr);
994 FASTOP2W(bt);
995 FASTOP2W(bts);
996 FASTOP2W(btr);
997 FASTOP2W(btc);
998
999 FASTOP2(xadd);
1000
1001 FASTOP2R(cmp, cmp_r);
1002
1003 static int em_bsf_c(struct x86_emulate_ctxt *ctxt)
1004 {
1005 /* If src is zero, do not writeback, but update flags */
1006 if (ctxt->src.val == 0)
1007 ctxt->dst.type = OP_NONE;
1008 return fastop(ctxt, em_bsf);
1009 }
1010
1011 static int em_bsr_c(struct x86_emulate_ctxt *ctxt)
1012 {
1013 /* If src is zero, do not writeback, but update flags */
1014 if (ctxt->src.val == 0)
1015 ctxt->dst.type = OP_NONE;
1016 return fastop(ctxt, em_bsr);
1017 }
1018
1019 static __always_inline u8 test_cc(unsigned int condition, unsigned long flags)
1020 {
1021 u8 rc;
1022 void (*fop)(void) = (void *)em_setcc + 4 * (condition & 0xf);
1023
1024 flags = (flags & EFLAGS_MASK) | X86_EFLAGS_IF;
1025 asm("push %[flags]; popf; " CALL_NOSPEC
1026 : "=a"(rc) : [thunk_target]"r"(fop), [flags]"r"(flags));
1027 return rc;
1028 }
1029
1030 static void fetch_register_operand(struct operand *op)
1031 {
1032 switch (op->bytes) {
1033 case 1:
1034 op->val = *(u8 *)op->addr.reg;
1035 break;
1036 case 2:
1037 op->val = *(u16 *)op->addr.reg;
1038 break;
1039 case 4:
1040 op->val = *(u32 *)op->addr.reg;
1041 break;
1042 case 8:
1043 op->val = *(u64 *)op->addr.reg;
1044 break;
1045 }
1046 }
1047
1048 static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
1049 {
1050 switch (reg) {
1051 case 0: asm("movdqa %%xmm0, %0" : "=m"(*data)); break;
1052 case 1: asm("movdqa %%xmm1, %0" : "=m"(*data)); break;
1053 case 2: asm("movdqa %%xmm2, %0" : "=m"(*data)); break;
1054 case 3: asm("movdqa %%xmm3, %0" : "=m"(*data)); break;
1055 case 4: asm("movdqa %%xmm4, %0" : "=m"(*data)); break;
1056 case 5: asm("movdqa %%xmm5, %0" : "=m"(*data)); break;
1057 case 6: asm("movdqa %%xmm6, %0" : "=m"(*data)); break;
1058 case 7: asm("movdqa %%xmm7, %0" : "=m"(*data)); break;
1059 #ifdef CONFIG_X86_64
1060 case 8: asm("movdqa %%xmm8, %0" : "=m"(*data)); break;
1061 case 9: asm("movdqa %%xmm9, %0" : "=m"(*data)); break;
1062 case 10: asm("movdqa %%xmm10, %0" : "=m"(*data)); break;
1063 case 11: asm("movdqa %%xmm11, %0" : "=m"(*data)); break;
1064 case 12: asm("movdqa %%xmm12, %0" : "=m"(*data)); break;
1065 case 13: asm("movdqa %%xmm13, %0" : "=m"(*data)); break;
1066 case 14: asm("movdqa %%xmm14, %0" : "=m"(*data)); break;
1067 case 15: asm("movdqa %%xmm15, %0" : "=m"(*data)); break;
1068 #endif
1069 default: BUG();
1070 }
1071 }
1072
1073 static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
1074 int reg)
1075 {
1076 switch (reg) {
1077 case 0: asm("movdqa %0, %%xmm0" : : "m"(*data)); break;
1078 case 1: asm("movdqa %0, %%xmm1" : : "m"(*data)); break;
1079 case 2: asm("movdqa %0, %%xmm2" : : "m"(*data)); break;
1080 case 3: asm("movdqa %0, %%xmm3" : : "m"(*data)); break;
1081 case 4: asm("movdqa %0, %%xmm4" : : "m"(*data)); break;
1082 case 5: asm("movdqa %0, %%xmm5" : : "m"(*data)); break;
1083 case 6: asm("movdqa %0, %%xmm6" : : "m"(*data)); break;
1084 case 7: asm("movdqa %0, %%xmm7" : : "m"(*data)); break;
1085 #ifdef CONFIG_X86_64
1086 case 8: asm("movdqa %0, %%xmm8" : : "m"(*data)); break;
1087 case 9: asm("movdqa %0, %%xmm9" : : "m"(*data)); break;
1088 case 10: asm("movdqa %0, %%xmm10" : : "m"(*data)); break;
1089 case 11: asm("movdqa %0, %%xmm11" : : "m"(*data)); break;
1090 case 12: asm("movdqa %0, %%xmm12" : : "m"(*data)); break;
1091 case 13: asm("movdqa %0, %%xmm13" : : "m"(*data)); break;
1092 case 14: asm("movdqa %0, %%xmm14" : : "m"(*data)); break;
1093 case 15: asm("movdqa %0, %%xmm15" : : "m"(*data)); break;
1094 #endif
1095 default: BUG();
1096 }
1097 }
1098
1099 static void read_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
1100 {
1101 switch (reg) {
1102 case 0: asm("movq %%mm0, %0" : "=m"(*data)); break;
1103 case 1: asm("movq %%mm1, %0" : "=m"(*data)); break;
1104 case 2: asm("movq %%mm2, %0" : "=m"(*data)); break;
1105 case 3: asm("movq %%mm3, %0" : "=m"(*data)); break;
1106 case 4: asm("movq %%mm4, %0" : "=m"(*data)); break;
1107 case 5: asm("movq %%mm5, %0" : "=m"(*data)); break;
1108 case 6: asm("movq %%mm6, %0" : "=m"(*data)); break;
1109 case 7: asm("movq %%mm7, %0" : "=m"(*data)); break;
1110 default: BUG();
1111 }
1112 }
1113
1114 static void write_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
1115 {
1116 switch (reg) {
1117 case 0: asm("movq %0, %%mm0" : : "m"(*data)); break;
1118 case 1: asm("movq %0, %%mm1" : : "m"(*data)); break;
1119 case 2: asm("movq %0, %%mm2" : : "m"(*data)); break;
1120 case 3: asm("movq %0, %%mm3" : : "m"(*data)); break;
1121 case 4: asm("movq %0, %%mm4" : : "m"(*data)); break;
1122 case 5: asm("movq %0, %%mm5" : : "m"(*data)); break;
1123 case 6: asm("movq %0, %%mm6" : : "m"(*data)); break;
1124 case 7: asm("movq %0, %%mm7" : : "m"(*data)); break;
1125 default: BUG();
1126 }
1127 }
1128
1129 static int em_fninit(struct x86_emulate_ctxt *ctxt)
1130 {
1131 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1132 return emulate_nm(ctxt);
1133
1134 asm volatile("fninit");
1135 return X86EMUL_CONTINUE;
1136 }
1137
1138 static int em_fnstcw(struct x86_emulate_ctxt *ctxt)
1139 {
1140 u16 fcw;
1141
1142 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1143 return emulate_nm(ctxt);
1144
1145 asm volatile("fnstcw %0": "+m"(fcw));
1146
1147 ctxt->dst.val = fcw;
1148
1149 return X86EMUL_CONTINUE;
1150 }
1151
1152 static int em_fnstsw(struct x86_emulate_ctxt *ctxt)
1153 {
1154 u16 fsw;
1155
1156 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1157 return emulate_nm(ctxt);
1158
1159 asm volatile("fnstsw %0": "+m"(fsw));
1160
1161 ctxt->dst.val = fsw;
1162
1163 return X86EMUL_CONTINUE;
1164 }
1165
1166 static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
1167 struct operand *op)
1168 {
1169 unsigned reg = ctxt->modrm_reg;
1170
1171 if (!(ctxt->d & ModRM))
1172 reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3);
1173
1174 if (ctxt->d & Sse) {
1175 op->type = OP_XMM;
1176 op->bytes = 16;
1177 op->addr.xmm = reg;
1178 read_sse_reg(ctxt, &op->vec_val, reg);
1179 return;
1180 }
1181 if (ctxt->d & Mmx) {
1182 reg &= 7;
1183 op->type = OP_MM;
1184 op->bytes = 8;
1185 op->addr.mm = reg;
1186 return;
1187 }
1188
1189 op->type = OP_REG;
1190 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1191 op->addr.reg = decode_register(ctxt, reg, ctxt->d & ByteOp);
1192
1193 fetch_register_operand(op);
1194 op->orig_val = op->val;
1195 }
1196
1197 static void adjust_modrm_seg(struct x86_emulate_ctxt *ctxt, int base_reg)
1198 {
1199 if (base_reg == VCPU_REGS_RSP || base_reg == VCPU_REGS_RBP)
1200 ctxt->modrm_seg = VCPU_SREG_SS;
1201 }
1202
1203 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
1204 struct operand *op)
1205 {
1206 u8 sib;
1207 int index_reg, base_reg, scale;
1208 int rc = X86EMUL_CONTINUE;
1209 ulong modrm_ea = 0;
1210
1211 ctxt->modrm_reg = ((ctxt->rex_prefix << 1) & 8); /* REX.R */
1212 index_reg = (ctxt->rex_prefix << 2) & 8; /* REX.X */
1213 base_reg = (ctxt->rex_prefix << 3) & 8; /* REX.B */
1214
1215 ctxt->modrm_mod = (ctxt->modrm & 0xc0) >> 6;
1216 ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
1217 ctxt->modrm_rm = base_reg | (ctxt->modrm & 0x07);
1218 ctxt->modrm_seg = VCPU_SREG_DS;
1219
1220 if (ctxt->modrm_mod == 3 || (ctxt->d & NoMod)) {
1221 op->type = OP_REG;
1222 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1223 op->addr.reg = decode_register(ctxt, ctxt->modrm_rm,
1224 ctxt->d & ByteOp);
1225 if (ctxt->d & Sse) {
1226 op->type = OP_XMM;
1227 op->bytes = 16;
1228 op->addr.xmm = ctxt->modrm_rm;
1229 read_sse_reg(ctxt, &op->vec_val, ctxt->modrm_rm);
1230 return rc;
1231 }
1232 if (ctxt->d & Mmx) {
1233 op->type = OP_MM;
1234 op->bytes = 8;
1235 op->addr.mm = ctxt->modrm_rm & 7;
1236 return rc;
1237 }
1238 fetch_register_operand(op);
1239 return rc;
1240 }
1241
1242 op->type = OP_MEM;
1243
1244 if (ctxt->ad_bytes == 2) {
1245 unsigned bx = reg_read(ctxt, VCPU_REGS_RBX);
1246 unsigned bp = reg_read(ctxt, VCPU_REGS_RBP);
1247 unsigned si = reg_read(ctxt, VCPU_REGS_RSI);
1248 unsigned di = reg_read(ctxt, VCPU_REGS_RDI);
1249
1250 /* 16-bit ModR/M decode. */
1251 switch (ctxt->modrm_mod) {
1252 case 0:
1253 if (ctxt->modrm_rm == 6)
1254 modrm_ea += insn_fetch(u16, ctxt);
1255 break;
1256 case 1:
1257 modrm_ea += insn_fetch(s8, ctxt);
1258 break;
1259 case 2:
1260 modrm_ea += insn_fetch(u16, ctxt);
1261 break;
1262 }
1263 switch (ctxt->modrm_rm) {
1264 case 0:
1265 modrm_ea += bx + si;
1266 break;
1267 case 1:
1268 modrm_ea += bx + di;
1269 break;
1270 case 2:
1271 modrm_ea += bp + si;
1272 break;
1273 case 3:
1274 modrm_ea += bp + di;
1275 break;
1276 case 4:
1277 modrm_ea += si;
1278 break;
1279 case 5:
1280 modrm_ea += di;
1281 break;
1282 case 6:
1283 if (ctxt->modrm_mod != 0)
1284 modrm_ea += bp;
1285 break;
1286 case 7:
1287 modrm_ea += bx;
1288 break;
1289 }
1290 if (ctxt->modrm_rm == 2 || ctxt->modrm_rm == 3 ||
1291 (ctxt->modrm_rm == 6 && ctxt->modrm_mod != 0))
1292 ctxt->modrm_seg = VCPU_SREG_SS;
1293 modrm_ea = (u16)modrm_ea;
1294 } else {
1295 /* 32/64-bit ModR/M decode. */
1296 if ((ctxt->modrm_rm & 7) == 4) {
1297 sib = insn_fetch(u8, ctxt);
1298 index_reg |= (sib >> 3) & 7;
1299 base_reg |= sib & 7;
1300 scale = sib >> 6;
1301
1302 if ((base_reg & 7) == 5 && ctxt->modrm_mod == 0)
1303 modrm_ea += insn_fetch(s32, ctxt);
1304 else {
1305 modrm_ea += reg_read(ctxt, base_reg);
1306 adjust_modrm_seg(ctxt, base_reg);
1307 /* Increment ESP on POP [ESP] */
1308 if ((ctxt->d & IncSP) &&
1309 base_reg == VCPU_REGS_RSP)
1310 modrm_ea += ctxt->op_bytes;
1311 }
1312 if (index_reg != 4)
1313 modrm_ea += reg_read(ctxt, index_reg) << scale;
1314 } else if ((ctxt->modrm_rm & 7) == 5 && ctxt->modrm_mod == 0) {
1315 modrm_ea += insn_fetch(s32, ctxt);
1316 if (ctxt->mode == X86EMUL_MODE_PROT64)
1317 ctxt->rip_relative = 1;
1318 } else {
1319 base_reg = ctxt->modrm_rm;
1320 modrm_ea += reg_read(ctxt, base_reg);
1321 adjust_modrm_seg(ctxt, base_reg);
1322 }
1323 switch (ctxt->modrm_mod) {
1324 case 1:
1325 modrm_ea += insn_fetch(s8, ctxt);
1326 break;
1327 case 2:
1328 modrm_ea += insn_fetch(s32, ctxt);
1329 break;
1330 }
1331 }
1332 op->addr.mem.ea = modrm_ea;
1333 if (ctxt->ad_bytes != 8)
1334 ctxt->memop.addr.mem.ea = (u32)ctxt->memop.addr.mem.ea;
1335
1336 done:
1337 return rc;
1338 }
1339
1340 static int decode_abs(struct x86_emulate_ctxt *ctxt,
1341 struct operand *op)
1342 {
1343 int rc = X86EMUL_CONTINUE;
1344
1345 op->type = OP_MEM;
1346 switch (ctxt->ad_bytes) {
1347 case 2:
1348 op->addr.mem.ea = insn_fetch(u16, ctxt);
1349 break;
1350 case 4:
1351 op->addr.mem.ea = insn_fetch(u32, ctxt);
1352 break;
1353 case 8:
1354 op->addr.mem.ea = insn_fetch(u64, ctxt);
1355 break;
1356 }
1357 done:
1358 return rc;
1359 }
1360
1361 static void fetch_bit_operand(struct x86_emulate_ctxt *ctxt)
1362 {
1363 long sv = 0, mask;
1364
1365 if (ctxt->dst.type == OP_MEM && ctxt->src.type == OP_REG) {
1366 mask = ~((long)ctxt->dst.bytes * 8 - 1);
1367
1368 if (ctxt->src.bytes == 2)
1369 sv = (s16)ctxt->src.val & (s16)mask;
1370 else if (ctxt->src.bytes == 4)
1371 sv = (s32)ctxt->src.val & (s32)mask;
1372 else
1373 sv = (s64)ctxt->src.val & (s64)mask;
1374
1375 ctxt->dst.addr.mem.ea = address_mask(ctxt,
1376 ctxt->dst.addr.mem.ea + (sv >> 3));
1377 }
1378
1379 /* only subword offset */
1380 ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
1381 }
1382
1383 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1384 unsigned long addr, void *dest, unsigned size)
1385 {
1386 int rc;
1387 struct read_cache *mc = &ctxt->mem_read;
1388
1389 if (mc->pos < mc->end)
1390 goto read_cached;
1391
1392 WARN_ON((mc->end + size) >= sizeof(mc->data));
1393
1394 rc = ctxt->ops->read_emulated(ctxt, addr, mc->data + mc->end, size,
1395 &ctxt->exception);
1396 if (rc != X86EMUL_CONTINUE)
1397 return rc;
1398
1399 mc->end += size;
1400
1401 read_cached:
1402 memcpy(dest, mc->data + mc->pos, size);
1403 mc->pos += size;
1404 return X86EMUL_CONTINUE;
1405 }
1406
1407 static int segmented_read(struct x86_emulate_ctxt *ctxt,
1408 struct segmented_address addr,
1409 void *data,
1410 unsigned size)
1411 {
1412 int rc;
1413 ulong linear;
1414
1415 rc = linearize(ctxt, addr, size, false, &linear);
1416 if (rc != X86EMUL_CONTINUE)
1417 return rc;
1418 return read_emulated(ctxt, linear, data, size);
1419 }
1420
1421 static int segmented_write(struct x86_emulate_ctxt *ctxt,
1422 struct segmented_address addr,
1423 const void *data,
1424 unsigned size)
1425 {
1426 int rc;
1427 ulong linear;
1428
1429 rc = linearize(ctxt, addr, size, true, &linear);
1430 if (rc != X86EMUL_CONTINUE)
1431 return rc;
1432 return ctxt->ops->write_emulated(ctxt, linear, data, size,
1433 &ctxt->exception);
1434 }
1435
1436 static int segmented_cmpxchg(struct x86_emulate_ctxt *ctxt,
1437 struct segmented_address addr,
1438 const void *orig_data, const void *data,
1439 unsigned size)
1440 {
1441 int rc;
1442 ulong linear;
1443
1444 rc = linearize(ctxt, addr, size, true, &linear);
1445 if (rc != X86EMUL_CONTINUE)
1446 return rc;
1447 return ctxt->ops->cmpxchg_emulated(ctxt, linear, orig_data, data,
1448 size, &ctxt->exception);
1449 }
1450
1451 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1452 unsigned int size, unsigned short port,
1453 void *dest)
1454 {
1455 struct read_cache *rc = &ctxt->io_read;
1456
1457 if (rc->pos == rc->end) { /* refill pio read ahead */
1458 unsigned int in_page, n;
1459 unsigned int count = ctxt->rep_prefix ?
1460 address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) : 1;
1461 in_page = (ctxt->eflags & X86_EFLAGS_DF) ?
1462 offset_in_page(reg_read(ctxt, VCPU_REGS_RDI)) :
1463 PAGE_SIZE - offset_in_page(reg_read(ctxt, VCPU_REGS_RDI));
1464 n = min3(in_page, (unsigned int)sizeof(rc->data) / size, count);
1465 if (n == 0)
1466 n = 1;
1467 rc->pos = rc->end = 0;
1468 if (!ctxt->ops->pio_in_emulated(ctxt, size, port, rc->data, n))
1469 return 0;
1470 rc->end = n * size;
1471 }
1472
1473 if (ctxt->rep_prefix && (ctxt->d & String) &&
1474 !(ctxt->eflags & X86_EFLAGS_DF)) {
1475 ctxt->dst.data = rc->data + rc->pos;
1476 ctxt->dst.type = OP_MEM_STR;
1477 ctxt->dst.count = (rc->end - rc->pos) / size;
1478 rc->pos = rc->end;
1479 } else {
1480 memcpy(dest, rc->data + rc->pos, size);
1481 rc->pos += size;
1482 }
1483 return 1;
1484 }
1485
1486 static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt,
1487 u16 index, struct desc_struct *desc)
1488 {
1489 struct desc_ptr dt;
1490 ulong addr;
1491
1492 ctxt->ops->get_idt(ctxt, &dt);
1493
1494 if (dt.size < index * 8 + 7)
1495 return emulate_gp(ctxt, index << 3 | 0x2);
1496
1497 addr = dt.address + index * 8;
1498 return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
1499 &ctxt->exception);
1500 }
1501
1502 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1503 u16 selector, struct desc_ptr *dt)
1504 {
1505 const struct x86_emulate_ops *ops = ctxt->ops;
1506 u32 base3 = 0;
1507
1508 if (selector & 1 << 2) {
1509 struct desc_struct desc;
1510 u16 sel;
1511
1512 memset (dt, 0, sizeof *dt);
1513 if (!ops->get_segment(ctxt, &sel, &desc, &base3,
1514 VCPU_SREG_LDTR))
1515 return;
1516
1517 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1518 dt->address = get_desc_base(&desc) | ((u64)base3 << 32);
1519 } else
1520 ops->get_gdt(ctxt, dt);
1521 }
1522
1523 static int get_descriptor_ptr(struct x86_emulate_ctxt *ctxt,
1524 u16 selector, ulong *desc_addr_p)
1525 {
1526 struct desc_ptr dt;
1527 u16 index = selector >> 3;
1528 ulong addr;
1529
1530 get_descriptor_table_ptr(ctxt, selector, &dt);
1531
1532 if (dt.size < index * 8 + 7)
1533 return emulate_gp(ctxt, selector & 0xfffc);
1534
1535 addr = dt.address + index * 8;
1536
1537 #ifdef CONFIG_X86_64
1538 if (addr >> 32 != 0) {
1539 u64 efer = 0;
1540
1541 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1542 if (!(efer & EFER_LMA))
1543 addr &= (u32)-1;
1544 }
1545 #endif
1546
1547 *desc_addr_p = addr;
1548 return X86EMUL_CONTINUE;
1549 }
1550
1551 /* allowed just for 8 bytes segments */
1552 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1553 u16 selector, struct desc_struct *desc,
1554 ulong *desc_addr_p)
1555 {
1556 int rc;
1557
1558 rc = get_descriptor_ptr(ctxt, selector, desc_addr_p);
1559 if (rc != X86EMUL_CONTINUE)
1560 return rc;
1561
1562 return ctxt->ops->read_std(ctxt, *desc_addr_p, desc, sizeof(*desc),
1563 &ctxt->exception);
1564 }
1565
1566 /* allowed just for 8 bytes segments */
1567 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1568 u16 selector, struct desc_struct *desc)
1569 {
1570 int rc;
1571 ulong addr;
1572
1573 rc = get_descriptor_ptr(ctxt, selector, &addr);
1574 if (rc != X86EMUL_CONTINUE)
1575 return rc;
1576
1577 return ctxt->ops->write_std(ctxt, addr, desc, sizeof *desc,
1578 &ctxt->exception);
1579 }
1580
1581 static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1582 u16 selector, int seg, u8 cpl,
1583 enum x86_transfer_type transfer,
1584 struct desc_struct *desc)
1585 {
1586 struct desc_struct seg_desc, old_desc;
1587 u8 dpl, rpl;
1588 unsigned err_vec = GP_VECTOR;
1589 u32 err_code = 0;
1590 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1591 ulong desc_addr;
1592 int ret;
1593 u16 dummy;
1594 u32 base3 = 0;
1595
1596 memset(&seg_desc, 0, sizeof seg_desc);
1597
1598 if (ctxt->mode == X86EMUL_MODE_REAL) {
1599 /* set real mode segment descriptor (keep limit etc. for
1600 * unreal mode) */
1601 ctxt->ops->get_segment(ctxt, &dummy, &seg_desc, NULL, seg);
1602 set_desc_base(&seg_desc, selector << 4);
1603 goto load;
1604 } else if (seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86) {
1605 /* VM86 needs a clean new segment descriptor */
1606 set_desc_base(&seg_desc, selector << 4);
1607 set_desc_limit(&seg_desc, 0xffff);
1608 seg_desc.type = 3;
1609 seg_desc.p = 1;
1610 seg_desc.s = 1;
1611 seg_desc.dpl = 3;
1612 goto load;
1613 }
1614
1615 rpl = selector & 3;
1616
1617 /* TR should be in GDT only */
1618 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1619 goto exception;
1620
1621 /* NULL selector is not valid for TR, CS and (except for long mode) SS */
1622 if (null_selector) {
1623 if (seg == VCPU_SREG_CS || seg == VCPU_SREG_TR)
1624 goto exception;
1625
1626 if (seg == VCPU_SREG_SS) {
1627 if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)
1628 goto exception;
1629
1630 /*
1631 * ctxt->ops->set_segment expects the CPL to be in
1632 * SS.DPL, so fake an expand-up 32-bit data segment.
1633 */
1634 seg_desc.type = 3;
1635 seg_desc.p = 1;
1636 seg_desc.s = 1;
1637 seg_desc.dpl = cpl;
1638 seg_desc.d = 1;
1639 seg_desc.g = 1;
1640 }
1641
1642 /* Skip all following checks */
1643 goto load;
1644 }
1645
1646 ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr);
1647 if (ret != X86EMUL_CONTINUE)
1648 return ret;
1649
1650 err_code = selector & 0xfffc;
1651 err_vec = (transfer == X86_TRANSFER_TASK_SWITCH) ? TS_VECTOR :
1652 GP_VECTOR;
1653
1654 /* can't load system descriptor into segment selector */
1655 if (seg <= VCPU_SREG_GS && !seg_desc.s) {
1656 if (transfer == X86_TRANSFER_CALL_JMP)
1657 return X86EMUL_UNHANDLEABLE;
1658 goto exception;
1659 }
1660
1661 if (!seg_desc.p) {
1662 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1663 goto exception;
1664 }
1665
1666 dpl = seg_desc.dpl;
1667
1668 switch (seg) {
1669 case VCPU_SREG_SS:
1670 /*
1671 * segment is not a writable data segment or segment
1672 * selector's RPL != CPL or segment selector's RPL != CPL
1673 */
1674 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1675 goto exception;
1676 break;
1677 case VCPU_SREG_CS:
1678 if (!(seg_desc.type & 8))
1679 goto exception;
1680
1681 if (seg_desc.type & 4) {
1682 /* conforming */
1683 if (dpl > cpl)
1684 goto exception;
1685 } else {
1686 /* nonconforming */
1687 if (rpl > cpl || dpl != cpl)
1688 goto exception;
1689 }
1690 /* in long-mode d/b must be clear if l is set */
1691 if (seg_desc.d && seg_desc.l) {
1692 u64 efer = 0;
1693
1694 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1695 if (efer & EFER_LMA)
1696 goto exception;
1697 }
1698
1699 /* CS(RPL) <- CPL */
1700 selector = (selector & 0xfffc) | cpl;
1701 break;
1702 case VCPU_SREG_TR:
1703 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1704 goto exception;
1705 old_desc = seg_desc;
1706 seg_desc.type |= 2; /* busy */
1707 ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
1708 sizeof(seg_desc), &ctxt->exception);
1709 if (ret != X86EMUL_CONTINUE)
1710 return ret;
1711 break;
1712 case VCPU_SREG_LDTR:
1713 if (seg_desc.s || seg_desc.type != 2)
1714 goto exception;
1715 break;
1716 default: /* DS, ES, FS, or GS */
1717 /*
1718 * segment is not a data or readable code segment or
1719 * ((segment is a data or nonconforming code segment)
1720 * and (both RPL and CPL > DPL))
1721 */
1722 if ((seg_desc.type & 0xa) == 0x8 ||
1723 (((seg_desc.type & 0xc) != 0xc) &&
1724 (rpl > dpl && cpl > dpl)))
1725 goto exception;
1726 break;
1727 }
1728
1729 if (seg_desc.s) {
1730 /* mark segment as accessed */
1731 if (!(seg_desc.type & 1)) {
1732 seg_desc.type |= 1;
1733 ret = write_segment_descriptor(ctxt, selector,
1734 &seg_desc);
1735 if (ret != X86EMUL_CONTINUE)
1736 return ret;
1737 }
1738 } else if (ctxt->mode == X86EMUL_MODE_PROT64) {
1739 ret = ctxt->ops->read_std(ctxt, desc_addr+8, &base3,
1740 sizeof(base3), &ctxt->exception);
1741 if (ret != X86EMUL_CONTINUE)
1742 return ret;
1743 if (emul_is_noncanonical_address(get_desc_base(&seg_desc) |
1744 ((u64)base3 << 32), ctxt))
1745 return emulate_gp(ctxt, 0);
1746 }
1747 load:
1748 ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg);
1749 if (desc)
1750 *desc = seg_desc;
1751 return X86EMUL_CONTINUE;
1752 exception:
1753 return emulate_exception(ctxt, err_vec, err_code, true);
1754 }
1755
1756 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1757 u16 selector, int seg)
1758 {
1759 u8 cpl = ctxt->ops->cpl(ctxt);
1760
1761 /*
1762 * None of MOV, POP and LSS can load a NULL selector in CPL=3, but
1763 * they can load it at CPL<3 (Intel's manual says only LSS can,
1764 * but it's wrong).
1765 *
1766 * However, the Intel manual says that putting IST=1/DPL=3 in
1767 * an interrupt gate will result in SS=3 (the AMD manual instead
1768 * says it doesn't), so allow SS=3 in __load_segment_descriptor
1769 * and only forbid it here.
1770 */
1771 if (seg == VCPU_SREG_SS && selector == 3 &&
1772 ctxt->mode == X86EMUL_MODE_PROT64)
1773 return emulate_exception(ctxt, GP_VECTOR, 0, true);
1774
1775 return __load_segment_descriptor(ctxt, selector, seg, cpl,
1776 X86_TRANSFER_NONE, NULL);
1777 }
1778
1779 static void write_register_operand(struct operand *op)
1780 {
1781 return assign_register(op->addr.reg, op->val, op->bytes);
1782 }
1783
1784 static int writeback(struct x86_emulate_ctxt *ctxt, struct operand *op)
1785 {
1786 switch (op->type) {
1787 case OP_REG:
1788 write_register_operand(op);
1789 break;
1790 case OP_MEM:
1791 if (ctxt->lock_prefix)
1792 return segmented_cmpxchg(ctxt,
1793 op->addr.mem,
1794 &op->orig_val,
1795 &op->val,
1796 op->bytes);
1797 else
1798 return segmented_write(ctxt,
1799 op->addr.mem,
1800 &op->val,
1801 op->bytes);
1802 break;
1803 case OP_MEM_STR:
1804 return segmented_write(ctxt,
1805 op->addr.mem,
1806 op->data,
1807 op->bytes * op->count);
1808 break;
1809 case OP_XMM:
1810 write_sse_reg(ctxt, &op->vec_val, op->addr.xmm);
1811 break;
1812 case OP_MM:
1813 write_mmx_reg(ctxt, &op->mm_val, op->addr.mm);
1814 break;
1815 case OP_NONE:
1816 /* no writeback */
1817 break;
1818 default:
1819 break;
1820 }
1821 return X86EMUL_CONTINUE;
1822 }
1823
1824 static int push(struct x86_emulate_ctxt *ctxt, void *data, int bytes)
1825 {
1826 struct segmented_address addr;
1827
1828 rsp_increment(ctxt, -bytes);
1829 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1830 addr.seg = VCPU_SREG_SS;
1831
1832 return segmented_write(ctxt, addr, data, bytes);
1833 }
1834
1835 static int em_push(struct x86_emulate_ctxt *ctxt)
1836 {
1837 /* Disable writeback. */
1838 ctxt->dst.type = OP_NONE;
1839 return push(ctxt, &ctxt->src.val, ctxt->op_bytes);
1840 }
1841
1842 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1843 void *dest, int len)
1844 {
1845 int rc;
1846 struct segmented_address addr;
1847
1848 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1849 addr.seg = VCPU_SREG_SS;
1850 rc = segmented_read(ctxt, addr, dest, len);
1851 if (rc != X86EMUL_CONTINUE)
1852 return rc;
1853
1854 rsp_increment(ctxt, len);
1855 return rc;
1856 }
1857
1858 static int em_pop(struct x86_emulate_ctxt *ctxt)
1859 {
1860 return emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1861 }
1862
1863 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1864 void *dest, int len)
1865 {
1866 int rc;
1867 unsigned long val, change_mask;
1868 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> X86_EFLAGS_IOPL_BIT;
1869 int cpl = ctxt->ops->cpl(ctxt);
1870
1871 rc = emulate_pop(ctxt, &val, len);
1872 if (rc != X86EMUL_CONTINUE)
1873 return rc;
1874
1875 change_mask = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
1876 X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_OF |
1877 X86_EFLAGS_TF | X86_EFLAGS_DF | X86_EFLAGS_NT |
1878 X86_EFLAGS_AC | X86_EFLAGS_ID;
1879
1880 switch(ctxt->mode) {
1881 case X86EMUL_MODE_PROT64:
1882 case X86EMUL_MODE_PROT32:
1883 case X86EMUL_MODE_PROT16:
1884 if (cpl == 0)
1885 change_mask |= X86_EFLAGS_IOPL;
1886 if (cpl <= iopl)
1887 change_mask |= X86_EFLAGS_IF;
1888 break;
1889 case X86EMUL_MODE_VM86:
1890 if (iopl < 3)
1891 return emulate_gp(ctxt, 0);
1892 change_mask |= X86_EFLAGS_IF;
1893 break;
1894 default: /* real mode */
1895 change_mask |= (X86_EFLAGS_IOPL | X86_EFLAGS_IF);
1896 break;
1897 }
1898
1899 *(unsigned long *)dest =
1900 (ctxt->eflags & ~change_mask) | (val & change_mask);
1901
1902 return rc;
1903 }
1904
1905 static int em_popf(struct x86_emulate_ctxt *ctxt)
1906 {
1907 ctxt->dst.type = OP_REG;
1908 ctxt->dst.addr.reg = &ctxt->eflags;
1909 ctxt->dst.bytes = ctxt->op_bytes;
1910 return emulate_popf(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1911 }
1912
1913 static int em_enter(struct x86_emulate_ctxt *ctxt)
1914 {
1915 int rc;
1916 unsigned frame_size = ctxt->src.val;
1917 unsigned nesting_level = ctxt->src2.val & 31;
1918 ulong rbp;
1919
1920 if (nesting_level)
1921 return X86EMUL_UNHANDLEABLE;
1922
1923 rbp = reg_read(ctxt, VCPU_REGS_RBP);
1924 rc = push(ctxt, &rbp, stack_size(ctxt));
1925 if (rc != X86EMUL_CONTINUE)
1926 return rc;
1927 assign_masked(reg_rmw(ctxt, VCPU_REGS_RBP), reg_read(ctxt, VCPU_REGS_RSP),
1928 stack_mask(ctxt));
1929 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP),
1930 reg_read(ctxt, VCPU_REGS_RSP) - frame_size,
1931 stack_mask(ctxt));
1932 return X86EMUL_CONTINUE;
1933 }
1934
1935 static int em_leave(struct x86_emulate_ctxt *ctxt)
1936 {
1937 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP), reg_read(ctxt, VCPU_REGS_RBP),
1938 stack_mask(ctxt));
1939 return emulate_pop(ctxt, reg_rmw(ctxt, VCPU_REGS_RBP), ctxt->op_bytes);
1940 }
1941
1942 static int em_push_sreg(struct x86_emulate_ctxt *ctxt)
1943 {
1944 int seg = ctxt->src2.val;
1945
1946 ctxt->src.val = get_segment_selector(ctxt, seg);
1947 if (ctxt->op_bytes == 4) {
1948 rsp_increment(ctxt, -2);
1949 ctxt->op_bytes = 2;
1950 }
1951
1952 return em_push(ctxt);
1953 }
1954
1955 static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
1956 {
1957 int seg = ctxt->src2.val;
1958 unsigned long selector;
1959 int rc;
1960
1961 rc = emulate_pop(ctxt, &selector, 2);
1962 if (rc != X86EMUL_CONTINUE)
1963 return rc;
1964
1965 if (ctxt->modrm_reg == VCPU_SREG_SS)
1966 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
1967 if (ctxt->op_bytes > 2)
1968 rsp_increment(ctxt, ctxt->op_bytes - 2);
1969
1970 rc = load_segment_descriptor(ctxt, (u16)selector, seg);
1971 return rc;
1972 }
1973
1974 static int em_pusha(struct x86_emulate_ctxt *ctxt)
1975 {
1976 unsigned long old_esp = reg_read(ctxt, VCPU_REGS_RSP);
1977 int rc = X86EMUL_CONTINUE;
1978 int reg = VCPU_REGS_RAX;
1979
1980 while (reg <= VCPU_REGS_RDI) {
1981 (reg == VCPU_REGS_RSP) ?
1982 (ctxt->src.val = old_esp) : (ctxt->src.val = reg_read(ctxt, reg));
1983
1984 rc = em_push(ctxt);
1985 if (rc != X86EMUL_CONTINUE)
1986 return rc;
1987
1988 ++reg;
1989 }
1990
1991 return rc;
1992 }
1993
1994 static int em_pushf(struct x86_emulate_ctxt *ctxt)
1995 {
1996 ctxt->src.val = (unsigned long)ctxt->eflags & ~X86_EFLAGS_VM;
1997 return em_push(ctxt);
1998 }
1999
2000 static int em_popa(struct x86_emulate_ctxt *ctxt)
2001 {
2002 int rc = X86EMUL_CONTINUE;
2003 int reg = VCPU_REGS_RDI;
2004 u32 val;
2005
2006 while (reg >= VCPU_REGS_RAX) {
2007 if (reg == VCPU_REGS_RSP) {
2008 rsp_increment(ctxt, ctxt->op_bytes);
2009 --reg;
2010 }
2011
2012 rc = emulate_pop(ctxt, &val, ctxt->op_bytes);
2013 if (rc != X86EMUL_CONTINUE)
2014 break;
2015 assign_register(reg_rmw(ctxt, reg), val, ctxt->op_bytes);
2016 --reg;
2017 }
2018 return rc;
2019 }
2020
2021 static int __emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
2022 {
2023 const struct x86_emulate_ops *ops = ctxt->ops;
2024 int rc;
2025 struct desc_ptr dt;
2026 gva_t cs_addr;
2027 gva_t eip_addr;
2028 u16 cs, eip;
2029
2030 /* TODO: Add limit checks */
2031 ctxt->src.val = ctxt->eflags;
2032 rc = em_push(ctxt);
2033 if (rc != X86EMUL_CONTINUE)
2034 return rc;
2035
2036 ctxt->eflags &= ~(X86_EFLAGS_IF | X86_EFLAGS_TF | X86_EFLAGS_AC);
2037
2038 ctxt->src.val = get_segment_selector(ctxt, VCPU_SREG_CS);
2039 rc = em_push(ctxt);
2040 if (rc != X86EMUL_CONTINUE)
2041 return rc;
2042
2043 ctxt->src.val = ctxt->_eip;
2044 rc = em_push(ctxt);
2045 if (rc != X86EMUL_CONTINUE)
2046 return rc;
2047
2048 ops->get_idt(ctxt, &dt);
2049
2050 eip_addr = dt.address + (irq << 2);
2051 cs_addr = dt.address + (irq << 2) + 2;
2052
2053 rc = ops->read_std(ctxt, cs_addr, &cs, 2, &ctxt->exception);
2054 if (rc != X86EMUL_CONTINUE)
2055 return rc;
2056
2057 rc = ops->read_std(ctxt, eip_addr, &eip, 2, &ctxt->exception);
2058 if (rc != X86EMUL_CONTINUE)
2059 return rc;
2060
2061 rc = load_segment_descriptor(ctxt, cs, VCPU_SREG_CS);
2062 if (rc != X86EMUL_CONTINUE)
2063 return rc;
2064
2065 ctxt->_eip = eip;
2066
2067 return rc;
2068 }
2069
2070 int emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
2071 {
2072 int rc;
2073
2074 invalidate_registers(ctxt);
2075 rc = __emulate_int_real(ctxt, irq);
2076 if (rc == X86EMUL_CONTINUE)
2077 writeback_registers(ctxt);
2078 return rc;
2079 }
2080
2081 static int emulate_int(struct x86_emulate_ctxt *ctxt, int irq)
2082 {
2083 switch(ctxt->mode) {
2084 case X86EMUL_MODE_REAL:
2085 return __emulate_int_real(ctxt, irq);
2086 case X86EMUL_MODE_VM86:
2087 case X86EMUL_MODE_PROT16:
2088 case X86EMUL_MODE_PROT32:
2089 case X86EMUL_MODE_PROT64:
2090 default:
2091 /* Protected mode interrupts unimplemented yet */
2092 return X86EMUL_UNHANDLEABLE;
2093 }
2094 }
2095
2096 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
2097 {
2098 int rc = X86EMUL_CONTINUE;
2099 unsigned long temp_eip = 0;
2100 unsigned long temp_eflags = 0;
2101 unsigned long cs = 0;
2102 unsigned long mask = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
2103 X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_TF |
2104 X86_EFLAGS_IF | X86_EFLAGS_DF | X86_EFLAGS_OF |
2105 X86_EFLAGS_IOPL | X86_EFLAGS_NT | X86_EFLAGS_RF |
2106 X86_EFLAGS_AC | X86_EFLAGS_ID |
2107 X86_EFLAGS_FIXED;
2108 unsigned long vm86_mask = X86_EFLAGS_VM | X86_EFLAGS_VIF |
2109 X86_EFLAGS_VIP;
2110
2111 /* TODO: Add stack limit check */
2112
2113 rc = emulate_pop(ctxt, &temp_eip, ctxt->op_bytes);
2114
2115 if (rc != X86EMUL_CONTINUE)
2116 return rc;
2117
2118 if (temp_eip & ~0xffff)
2119 return emulate_gp(ctxt, 0);
2120
2121 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2122
2123 if (rc != X86EMUL_CONTINUE)
2124 return rc;
2125
2126 rc = emulate_pop(ctxt, &temp_eflags, ctxt->op_bytes);
2127
2128 if (rc != X86EMUL_CONTINUE)
2129 return rc;
2130
2131 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
2132
2133 if (rc != X86EMUL_CONTINUE)
2134 return rc;
2135
2136 ctxt->_eip = temp_eip;
2137
2138 if (ctxt->op_bytes == 4)
2139 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
2140 else if (ctxt->op_bytes == 2) {
2141 ctxt->eflags &= ~0xffff;
2142 ctxt->eflags |= temp_eflags;
2143 }
2144
2145 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
2146 ctxt->eflags |= X86_EFLAGS_FIXED;
2147 ctxt->ops->set_nmi_mask(ctxt, false);
2148
2149 return rc;
2150 }
2151
2152 static int em_iret(struct x86_emulate_ctxt *ctxt)
2153 {
2154 switch(ctxt->mode) {
2155 case X86EMUL_MODE_REAL:
2156 return emulate_iret_real(ctxt);
2157 case X86EMUL_MODE_VM86:
2158 case X86EMUL_MODE_PROT16:
2159 case X86EMUL_MODE_PROT32:
2160 case X86EMUL_MODE_PROT64:
2161 default:
2162 /* iret from protected mode unimplemented yet */
2163 return X86EMUL_UNHANDLEABLE;
2164 }
2165 }
2166
2167 static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
2168 {
2169 int rc;
2170 unsigned short sel;
2171 struct desc_struct new_desc;
2172 u8 cpl = ctxt->ops->cpl(ctxt);
2173
2174 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2175
2176 rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
2177 X86_TRANSFER_CALL_JMP,
2178 &new_desc);
2179 if (rc != X86EMUL_CONTINUE)
2180 return rc;
2181
2182 rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
2183 /* Error handling is not implemented. */
2184 if (rc != X86EMUL_CONTINUE)
2185 return X86EMUL_UNHANDLEABLE;
2186
2187 return rc;
2188 }
2189
2190 static int em_jmp_abs(struct x86_emulate_ctxt *ctxt)
2191 {
2192 return assign_eip_near(ctxt, ctxt->src.val);
2193 }
2194
2195 static int em_call_near_abs(struct x86_emulate_ctxt *ctxt)
2196 {
2197 int rc;
2198 long int old_eip;
2199
2200 old_eip = ctxt->_eip;
2201 rc = assign_eip_near(ctxt, ctxt->src.val);
2202 if (rc != X86EMUL_CONTINUE)
2203 return rc;
2204 ctxt->src.val = old_eip;
2205 rc = em_push(ctxt);
2206 return rc;
2207 }
2208
2209 static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
2210 {
2211 u64 old = ctxt->dst.orig_val64;
2212
2213 if (ctxt->dst.bytes == 16)
2214 return X86EMUL_UNHANDLEABLE;
2215
2216 if (((u32) (old >> 0) != (u32) reg_read(ctxt, VCPU_REGS_RAX)) ||
2217 ((u32) (old >> 32) != (u32) reg_read(ctxt, VCPU_REGS_RDX))) {
2218 *reg_write(ctxt, VCPU_REGS_RAX) = (u32) (old >> 0);
2219 *reg_write(ctxt, VCPU_REGS_RDX) = (u32) (old >> 32);
2220 ctxt->eflags &= ~X86_EFLAGS_ZF;
2221 } else {
2222 ctxt->dst.val64 = ((u64)reg_read(ctxt, VCPU_REGS_RCX) << 32) |
2223 (u32) reg_read(ctxt, VCPU_REGS_RBX);
2224
2225 ctxt->eflags |= X86_EFLAGS_ZF;
2226 }
2227 return X86EMUL_CONTINUE;
2228 }
2229
2230 static int em_ret(struct x86_emulate_ctxt *ctxt)
2231 {
2232 int rc;
2233 unsigned long eip;
2234
2235 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
2236 if (rc != X86EMUL_CONTINUE)
2237 return rc;
2238
2239 return assign_eip_near(ctxt, eip);
2240 }
2241
2242 static int em_ret_far(struct x86_emulate_ctxt *ctxt)
2243 {
2244 int rc;
2245 unsigned long eip, cs;
2246 int cpl = ctxt->ops->cpl(ctxt);
2247 struct desc_struct new_desc;
2248
2249 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
2250 if (rc != X86EMUL_CONTINUE)
2251 return rc;
2252 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2253 if (rc != X86EMUL_CONTINUE)
2254 return rc;
2255 /* Outer-privilege level return is not implemented */
2256 if (ctxt->mode >= X86EMUL_MODE_PROT16 && (cs & 3) > cpl)
2257 return X86EMUL_UNHANDLEABLE;
2258 rc = __load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, cpl,
2259 X86_TRANSFER_RET,
2260 &new_desc);
2261 if (rc != X86EMUL_CONTINUE)
2262 return rc;
2263 rc = assign_eip_far(ctxt, eip, &new_desc);
2264 /* Error handling is not implemented. */
2265 if (rc != X86EMUL_CONTINUE)
2266 return X86EMUL_UNHANDLEABLE;
2267
2268 return rc;
2269 }
2270
2271 static int em_ret_far_imm(struct x86_emulate_ctxt *ctxt)
2272 {
2273 int rc;
2274
2275 rc = em_ret_far(ctxt);
2276 if (rc != X86EMUL_CONTINUE)
2277 return rc;
2278 rsp_increment(ctxt, ctxt->src.val);
2279 return X86EMUL_CONTINUE;
2280 }
2281
2282 static int em_cmpxchg(struct x86_emulate_ctxt *ctxt)
2283 {
2284 /* Save real source value, then compare EAX against destination. */
2285 ctxt->dst.orig_val = ctxt->dst.val;
2286 ctxt->dst.val = reg_read(ctxt, VCPU_REGS_RAX);
2287 ctxt->src.orig_val = ctxt->src.val;
2288 ctxt->src.val = ctxt->dst.orig_val;
2289 fastop(ctxt, em_cmp);
2290
2291 if (ctxt->eflags & X86_EFLAGS_ZF) {
2292 /* Success: write back to memory; no update of EAX */
2293 ctxt->src.type = OP_NONE;
2294 ctxt->dst.val = ctxt->src.orig_val;
2295 } else {
2296 /* Failure: write the value we saw to EAX. */
2297 ctxt->src.type = OP_REG;
2298 ctxt->src.addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
2299 ctxt->src.val = ctxt->dst.orig_val;
2300 /* Create write-cycle to dest by writing the same value */
2301 ctxt->dst.val = ctxt->dst.orig_val;
2302 }
2303 return X86EMUL_CONTINUE;
2304 }
2305
2306 static int em_lseg(struct x86_emulate_ctxt *ctxt)
2307 {
2308 int seg = ctxt->src2.val;
2309 unsigned short sel;
2310 int rc;
2311
2312 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2313
2314 rc = load_segment_descriptor(ctxt, sel, seg);
2315 if (rc != X86EMUL_CONTINUE)
2316 return rc;
2317
2318 ctxt->dst.val = ctxt->src.val;
2319 return rc;
2320 }
2321
2322 static int emulator_has_longmode(struct x86_emulate_ctxt *ctxt)
2323 {
2324 u32 eax, ebx, ecx, edx;
2325
2326 eax = 0x80000001;
2327 ecx = 0;
2328 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, false);
2329 return edx & bit(X86_FEATURE_LM);
2330 }
2331
2332 #define GET_SMSTATE(type, smbase, offset) \
2333 ({ \
2334 type __val; \
2335 int r = ctxt->ops->read_phys(ctxt, smbase + offset, &__val, \
2336 sizeof(__val)); \
2337 if (r != X86EMUL_CONTINUE) \
2338 return X86EMUL_UNHANDLEABLE; \
2339 __val; \
2340 })
2341
2342 static void rsm_set_desc_flags(struct desc_struct *desc, u32 flags)
2343 {
2344 desc->g = (flags >> 23) & 1;
2345 desc->d = (flags >> 22) & 1;
2346 desc->l = (flags >> 21) & 1;
2347 desc->avl = (flags >> 20) & 1;
2348 desc->p = (flags >> 15) & 1;
2349 desc->dpl = (flags >> 13) & 3;
2350 desc->s = (flags >> 12) & 1;
2351 desc->type = (flags >> 8) & 15;
2352 }
2353
2354 static int rsm_load_seg_32(struct x86_emulate_ctxt *ctxt, u64 smbase, int n)
2355 {
2356 struct desc_struct desc;
2357 int offset;
2358 u16 selector;
2359
2360 selector = GET_SMSTATE(u32, smbase, 0x7fa8 + n * 4);
2361
2362 if (n < 3)
2363 offset = 0x7f84 + n * 12;
2364 else
2365 offset = 0x7f2c + (n - 3) * 12;
2366
2367 set_desc_base(&desc, GET_SMSTATE(u32, smbase, offset + 8));
2368 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, offset + 4));
2369 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, offset));
2370 ctxt->ops->set_segment(ctxt, selector, &desc, 0, n);
2371 return X86EMUL_CONTINUE;
2372 }
2373
2374 static int rsm_load_seg_64(struct x86_emulate_ctxt *ctxt, u64 smbase, int n)
2375 {
2376 struct desc_struct desc;
2377 int offset;
2378 u16 selector;
2379 u32 base3;
2380
2381 offset = 0x7e00 + n * 16;
2382
2383 selector = GET_SMSTATE(u16, smbase, offset);
2384 rsm_set_desc_flags(&desc, GET_SMSTATE(u16, smbase, offset + 2) << 8);
2385 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, offset + 4));
2386 set_desc_base(&desc, GET_SMSTATE(u32, smbase, offset + 8));
2387 base3 = GET_SMSTATE(u32, smbase, offset + 12);
2388
2389 ctxt->ops->set_segment(ctxt, selector, &desc, base3, n);
2390 return X86EMUL_CONTINUE;
2391 }
2392
2393 static int rsm_enter_protected_mode(struct x86_emulate_ctxt *ctxt,
2394 u64 cr0, u64 cr3, u64 cr4)
2395 {
2396 int bad;
2397 u64 pcid;
2398
2399 /* In order to later set CR4.PCIDE, CR3[11:0] must be zero. */
2400 pcid = 0;
2401 if (cr4 & X86_CR4_PCIDE) {
2402 pcid = cr3 & 0xfff;
2403 cr3 &= ~0xfff;
2404 }
2405
2406 bad = ctxt->ops->set_cr(ctxt, 3, cr3);
2407 if (bad)
2408 return X86EMUL_UNHANDLEABLE;
2409
2410 /*
2411 * First enable PAE, long mode needs it before CR0.PG = 1 is set.
2412 * Then enable protected mode. However, PCID cannot be enabled
2413 * if EFER.LMA=0, so set it separately.
2414 */
2415 bad = ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE);
2416 if (bad)
2417 return X86EMUL_UNHANDLEABLE;
2418
2419 bad = ctxt->ops->set_cr(ctxt, 0, cr0);
2420 if (bad)
2421 return X86EMUL_UNHANDLEABLE;
2422
2423 if (cr4 & X86_CR4_PCIDE) {
2424 bad = ctxt->ops->set_cr(ctxt, 4, cr4);
2425 if (bad)
2426 return X86EMUL_UNHANDLEABLE;
2427 if (pcid) {
2428 bad = ctxt->ops->set_cr(ctxt, 3, cr3 | pcid);
2429 if (bad)
2430 return X86EMUL_UNHANDLEABLE;
2431 }
2432
2433 }
2434
2435 return X86EMUL_CONTINUE;
2436 }
2437
2438 static int rsm_load_state_32(struct x86_emulate_ctxt *ctxt, u64 smbase)
2439 {
2440 struct desc_struct desc;
2441 struct desc_ptr dt;
2442 u16 selector;
2443 u32 val, cr0, cr3, cr4;
2444 int i;
2445
2446 cr0 = GET_SMSTATE(u32, smbase, 0x7ffc);
2447 cr3 = GET_SMSTATE(u32, smbase, 0x7ff8);
2448 ctxt->eflags = GET_SMSTATE(u32, smbase, 0x7ff4) | X86_EFLAGS_FIXED;
2449 ctxt->_eip = GET_SMSTATE(u32, smbase, 0x7ff0);
2450
2451 for (i = 0; i < 8; i++)
2452 *reg_write(ctxt, i) = GET_SMSTATE(u32, smbase, 0x7fd0 + i * 4);
2453
2454 val = GET_SMSTATE(u32, smbase, 0x7fcc);
2455 ctxt->ops->set_dr(ctxt, 6, (val & DR6_VOLATILE) | DR6_FIXED_1);
2456 val = GET_SMSTATE(u32, smbase, 0x7fc8);
2457 ctxt->ops->set_dr(ctxt, 7, (val & DR7_VOLATILE) | DR7_FIXED_1);
2458
2459 selector = GET_SMSTATE(u32, smbase, 0x7fc4);
2460 set_desc_base(&desc, GET_SMSTATE(u32, smbase, 0x7f64));
2461 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, 0x7f60));
2462 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, 0x7f5c));
2463 ctxt->ops->set_segment(ctxt, selector, &desc, 0, VCPU_SREG_TR);
2464
2465 selector = GET_SMSTATE(u32, smbase, 0x7fc0);
2466 set_desc_base(&desc, GET_SMSTATE(u32, smbase, 0x7f80));
2467 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, 0x7f7c));
2468 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, 0x7f78));
2469 ctxt->ops->set_segment(ctxt, selector, &desc, 0, VCPU_SREG_LDTR);
2470
2471 dt.address = GET_SMSTATE(u32, smbase, 0x7f74);
2472 dt.size = GET_SMSTATE(u32, smbase, 0x7f70);
2473 ctxt->ops->set_gdt(ctxt, &dt);
2474
2475 dt.address = GET_SMSTATE(u32, smbase, 0x7f58);
2476 dt.size = GET_SMSTATE(u32, smbase, 0x7f54);
2477 ctxt->ops->set_idt(ctxt, &dt);
2478
2479 for (i = 0; i < 6; i++) {
2480 int r = rsm_load_seg_32(ctxt, smbase, i);
2481 if (r != X86EMUL_CONTINUE)
2482 return r;
2483 }
2484
2485 cr4 = GET_SMSTATE(u32, smbase, 0x7f14);
2486
2487 ctxt->ops->set_smbase(ctxt, GET_SMSTATE(u32, smbase, 0x7ef8));
2488
2489 return rsm_enter_protected_mode(ctxt, cr0, cr3, cr4);
2490 }
2491
2492 static int rsm_load_state_64(struct x86_emulate_ctxt *ctxt, u64 smbase)
2493 {
2494 struct desc_struct desc;
2495 struct desc_ptr dt;
2496 u64 val, cr0, cr3, cr4;
2497 u32 base3;
2498 u16 selector;
2499 int i, r;
2500
2501 for (i = 0; i < 16; i++)
2502 *reg_write(ctxt, i) = GET_SMSTATE(u64, smbase, 0x7ff8 - i * 8);
2503
2504 ctxt->_eip = GET_SMSTATE(u64, smbase, 0x7f78);
2505 ctxt->eflags = GET_SMSTATE(u32, smbase, 0x7f70) | X86_EFLAGS_FIXED;
2506
2507 val = GET_SMSTATE(u32, smbase, 0x7f68);
2508 ctxt->ops->set_dr(ctxt, 6, (val & DR6_VOLATILE) | DR6_FIXED_1);
2509 val = GET_SMSTATE(u32, smbase, 0x7f60);
2510 ctxt->ops->set_dr(ctxt, 7, (val & DR7_VOLATILE) | DR7_FIXED_1);
2511
2512 cr0 = GET_SMSTATE(u64, smbase, 0x7f58);
2513 cr3 = GET_SMSTATE(u64, smbase, 0x7f50);
2514 cr4 = GET_SMSTATE(u64, smbase, 0x7f48);
2515 ctxt->ops->set_smbase(ctxt, GET_SMSTATE(u32, smbase, 0x7f00));
2516 val = GET_SMSTATE(u64, smbase, 0x7ed0);
2517 ctxt->ops->set_msr(ctxt, MSR_EFER, val & ~EFER_LMA);
2518
2519 selector = GET_SMSTATE(u32, smbase, 0x7e90);
2520 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, 0x7e92) << 8);
2521 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, 0x7e94));
2522 set_desc_base(&desc, GET_SMSTATE(u32, smbase, 0x7e98));
2523 base3 = GET_SMSTATE(u32, smbase, 0x7e9c);
2524 ctxt->ops->set_segment(ctxt, selector, &desc, base3, VCPU_SREG_TR);
2525
2526 dt.size = GET_SMSTATE(u32, smbase, 0x7e84);
2527 dt.address = GET_SMSTATE(u64, smbase, 0x7e88);
2528 ctxt->ops->set_idt(ctxt, &dt);
2529
2530 selector = GET_SMSTATE(u32, smbase, 0x7e70);
2531 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, 0x7e72) << 8);
2532 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, 0x7e74));
2533 set_desc_base(&desc, GET_SMSTATE(u32, smbase, 0x7e78));
2534 base3 = GET_SMSTATE(u32, smbase, 0x7e7c);
2535 ctxt->ops->set_segment(ctxt, selector, &desc, base3, VCPU_SREG_LDTR);
2536
2537 dt.size = GET_SMSTATE(u32, smbase, 0x7e64);
2538 dt.address = GET_SMSTATE(u64, smbase, 0x7e68);
2539 ctxt->ops->set_gdt(ctxt, &dt);
2540
2541 r = rsm_enter_protected_mode(ctxt, cr0, cr3, cr4);
2542 if (r != X86EMUL_CONTINUE)
2543 return r;
2544
2545 for (i = 0; i < 6; i++) {
2546 r = rsm_load_seg_64(ctxt, smbase, i);
2547 if (r != X86EMUL_CONTINUE)
2548 return r;
2549 }
2550
2551 return X86EMUL_CONTINUE;
2552 }
2553
2554 static int em_rsm(struct x86_emulate_ctxt *ctxt)
2555 {
2556 unsigned long cr0, cr4, efer;
2557 u64 smbase;
2558 int ret;
2559
2560 if ((ctxt->ops->get_hflags(ctxt) & X86EMUL_SMM_MASK) == 0)
2561 return emulate_ud(ctxt);
2562
2563 /*
2564 * Get back to real mode, to prepare a safe state in which to load
2565 * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU
2566 * supports long mode.
2567 */
2568 cr4 = ctxt->ops->get_cr(ctxt, 4);
2569 if (emulator_has_longmode(ctxt)) {
2570 struct desc_struct cs_desc;
2571
2572 /* Zero CR4.PCIDE before CR0.PG. */
2573 if (cr4 & X86_CR4_PCIDE) {
2574 ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE);
2575 cr4 &= ~X86_CR4_PCIDE;
2576 }
2577
2578 /* A 32-bit code segment is required to clear EFER.LMA. */
2579 memset(&cs_desc, 0, sizeof(cs_desc));
2580 cs_desc.type = 0xb;
2581 cs_desc.s = cs_desc.g = cs_desc.p = 1;
2582 ctxt->ops->set_segment(ctxt, 0, &cs_desc, 0, VCPU_SREG_CS);
2583 }
2584
2585 /* For the 64-bit case, this will clear EFER.LMA. */
2586 cr0 = ctxt->ops->get_cr(ctxt, 0);
2587 if (cr0 & X86_CR0_PE)
2588 ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE));
2589
2590 /* Now clear CR4.PAE (which must be done before clearing EFER.LME). */
2591 if (cr4 & X86_CR4_PAE)
2592 ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE);
2593
2594 /* And finally go back to 32-bit mode. */
2595 efer = 0;
2596 ctxt->ops->set_msr(ctxt, MSR_EFER, efer);
2597
2598 smbase = ctxt->ops->get_smbase(ctxt);
2599
2600 /*
2601 * Give pre_leave_smm() a chance to make ISA-specific changes to the
2602 * vCPU state (e.g. enter guest mode) before loading state from the SMM
2603 * state-save area.
2604 */
2605 if (ctxt->ops->pre_leave_smm(ctxt, smbase))
2606 return X86EMUL_UNHANDLEABLE;
2607
2608 if (emulator_has_longmode(ctxt))
2609 ret = rsm_load_state_64(ctxt, smbase + 0x8000);
2610 else
2611 ret = rsm_load_state_32(ctxt, smbase + 0x8000);
2612
2613 if (ret != X86EMUL_CONTINUE) {
2614 /* FIXME: should triple fault */
2615 return X86EMUL_UNHANDLEABLE;
2616 }
2617
2618 if ((ctxt->ops->get_hflags(ctxt) & X86EMUL_SMM_INSIDE_NMI_MASK) == 0)
2619 ctxt->ops->set_nmi_mask(ctxt, false);
2620
2621 ctxt->ops->set_hflags(ctxt, ctxt->ops->get_hflags(ctxt) &
2622 ~(X86EMUL_SMM_INSIDE_NMI_MASK | X86EMUL_SMM_MASK));
2623 return X86EMUL_CONTINUE;
2624 }
2625
2626 static void
2627 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
2628 struct desc_struct *cs, struct desc_struct *ss)
2629 {
2630 cs->l = 0; /* will be adjusted later */
2631 set_desc_base(cs, 0); /* flat segment */
2632 cs->g = 1; /* 4kb granularity */
2633 set_desc_limit(cs, 0xfffff); /* 4GB limit */
2634 cs->type = 0x0b; /* Read, Execute, Accessed */
2635 cs->s = 1;
2636 cs->dpl = 0; /* will be adjusted later */
2637 cs->p = 1;
2638 cs->d = 1;
2639 cs->avl = 0;
2640
2641 set_desc_base(ss, 0); /* flat segment */
2642 set_desc_limit(ss, 0xfffff); /* 4GB limit */
2643 ss->g = 1; /* 4kb granularity */
2644 ss->s = 1;
2645 ss->type = 0x03; /* Read/Write, Accessed */
2646 ss->d = 1; /* 32bit stack segment */
2647 ss->dpl = 0;
2648 ss->p = 1;
2649 ss->l = 0;
2650 ss->avl = 0;
2651 }
2652
2653 static bool vendor_intel(struct x86_emulate_ctxt *ctxt)
2654 {
2655 u32 eax, ebx, ecx, edx;
2656
2657 eax = ecx = 0;
2658 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, false);
2659 return ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx
2660 && ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx
2661 && edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx;
2662 }
2663
2664 static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt)
2665 {
2666 const struct x86_emulate_ops *ops = ctxt->ops;
2667 u32 eax, ebx, ecx, edx;
2668
2669 /*
2670 * syscall should always be enabled in longmode - so only become
2671 * vendor specific (cpuid) if other modes are active...
2672 */
2673 if (ctxt->mode == X86EMUL_MODE_PROT64)
2674 return true;
2675
2676 eax = 0x00000000;
2677 ecx = 0x00000000;
2678 ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, false);
2679 /*
2680 * Intel ("GenuineIntel")
2681 * remark: Intel CPUs only support "syscall" in 64bit
2682 * longmode. Also an 64bit guest with a
2683 * 32bit compat-app running will #UD !! While this
2684 * behaviour can be fixed (by emulating) into AMD
2685 * response - CPUs of AMD can't behave like Intel.
2686 */
2687 if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
2688 ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
2689 edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
2690 return false;
2691
2692 /* AMD ("AuthenticAMD") */
2693 if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
2694 ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
2695 edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
2696 return true;
2697
2698 /* AMD ("AMDisbetter!") */
2699 if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
2700 ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
2701 edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
2702 return true;
2703
2704 /* default: (not Intel, not AMD), apply Intel's stricter rules... */
2705 return false;
2706 }
2707
2708 static int em_syscall(struct x86_emulate_ctxt *ctxt)
2709 {
2710 const struct x86_emulate_ops *ops = ctxt->ops;
2711 struct desc_struct cs, ss;
2712 u64 msr_data;
2713 u16 cs_sel, ss_sel;
2714 u64 efer = 0;
2715
2716 /* syscall is not available in real mode */
2717 if (ctxt->mode == X86EMUL_MODE_REAL ||
2718 ctxt->mode == X86EMUL_MODE_VM86)
2719 return emulate_ud(ctxt);
2720
2721 if (!(em_syscall_is_enabled(ctxt)))
2722 return emulate_ud(ctxt);
2723
2724 ops->get_msr(ctxt, MSR_EFER, &efer);
2725 setup_syscalls_segments(ctxt, &cs, &ss);
2726
2727 if (!(efer & EFER_SCE))
2728 return emulate_ud(ctxt);
2729
2730 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2731 msr_data >>= 32;
2732 cs_sel = (u16)(msr_data & 0xfffc);
2733 ss_sel = (u16)(msr_data + 8);
2734
2735 if (efer & EFER_LMA) {
2736 cs.d = 0;
2737 cs.l = 1;
2738 }
2739 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2740 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2741
2742 *reg_write(ctxt, VCPU_REGS_RCX) = ctxt->_eip;
2743 if (efer & EFER_LMA) {
2744 #ifdef CONFIG_X86_64
2745 *reg_write(ctxt, VCPU_REGS_R11) = ctxt->eflags;
2746
2747 ops->get_msr(ctxt,
2748 ctxt->mode == X86EMUL_MODE_PROT64 ?
2749 MSR_LSTAR : MSR_CSTAR, &msr_data);
2750 ctxt->_eip = msr_data;
2751
2752 ops->get_msr(ctxt, MSR_SYSCALL_MASK, &msr_data);
2753 ctxt->eflags &= ~msr_data;
2754 ctxt->eflags |= X86_EFLAGS_FIXED;
2755 #endif
2756 } else {
2757 /* legacy mode */
2758 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2759 ctxt->_eip = (u32)msr_data;
2760
2761 ctxt->eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
2762 }
2763
2764 ctxt->tf = (ctxt->eflags & X86_EFLAGS_TF) != 0;
2765 return X86EMUL_CONTINUE;
2766 }
2767
2768 static int em_sysenter(struct x86_emulate_ctxt *ctxt)
2769 {
2770 const struct x86_emulate_ops *ops = ctxt->ops;
2771 struct desc_struct cs, ss;
2772 u64 msr_data;
2773 u16 cs_sel, ss_sel;
2774 u64 efer = 0;
2775
2776 ops->get_msr(ctxt, MSR_EFER, &efer);
2777 /* inject #GP if in real mode */
2778 if (ctxt->mode == X86EMUL_MODE_REAL)
2779 return emulate_gp(ctxt, 0);
2780
2781 /*
2782 * Not recognized on AMD in compat mode (but is recognized in legacy
2783 * mode).
2784 */
2785 if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
2786 && !vendor_intel(ctxt))
2787 return emulate_ud(ctxt);
2788
2789 /* sysenter/sysexit have not been tested in 64bit mode. */
2790 if (ctxt->mode == X86EMUL_MODE_PROT64)
2791 return X86EMUL_UNHANDLEABLE;
2792
2793 setup_syscalls_segments(ctxt, &cs, &ss);
2794
2795 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2796 if ((msr_data & 0xfffc) == 0x0)
2797 return emulate_gp(ctxt, 0);
2798
2799 ctxt->eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
2800 cs_sel = (u16)msr_data & ~SEGMENT_RPL_MASK;
2801 ss_sel = cs_sel + 8;
2802 if (efer & EFER_LMA) {
2803 cs.d = 0;
2804 cs.l = 1;
2805 }
2806
2807 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2808 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2809
2810 ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
2811 ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
2812
2813 ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
2814 *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
2815 (u32)msr_data;
2816
2817 return X86EMUL_CONTINUE;
2818 }
2819
2820 static int em_sysexit(struct x86_emulate_ctxt *ctxt)
2821 {
2822 const struct x86_emulate_ops *ops = ctxt->ops;
2823 struct desc_struct cs, ss;
2824 u64 msr_data, rcx, rdx;
2825 int usermode;
2826 u16 cs_sel = 0, ss_sel = 0;
2827
2828 /* inject #GP if in real mode or Virtual 8086 mode */
2829 if (ctxt->mode == X86EMUL_MODE_REAL ||
2830 ctxt->mode == X86EMUL_MODE_VM86)
2831 return emulate_gp(ctxt, 0);
2832
2833 setup_syscalls_segments(ctxt, &cs, &ss);
2834
2835 if ((ctxt->rex_prefix & 0x8) != 0x0)
2836 usermode = X86EMUL_MODE_PROT64;
2837 else
2838 usermode = X86EMUL_MODE_PROT32;
2839
2840 rcx = reg_read(ctxt, VCPU_REGS_RCX);
2841 rdx = reg_read(ctxt, VCPU_REGS_RDX);
2842
2843 cs.dpl = 3;
2844 ss.dpl = 3;
2845 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2846 switch (usermode) {
2847 case X86EMUL_MODE_PROT32:
2848 cs_sel = (u16)(msr_data + 16);
2849 if ((msr_data & 0xfffc) == 0x0)
2850 return emulate_gp(ctxt, 0);
2851 ss_sel = (u16)(msr_data + 24);
2852 rcx = (u32)rcx;
2853 rdx = (u32)rdx;
2854 break;
2855 case X86EMUL_MODE_PROT64:
2856 cs_sel = (u16)(msr_data + 32);
2857 if (msr_data == 0x0)
2858 return emulate_gp(ctxt, 0);
2859 ss_sel = cs_sel + 8;
2860 cs.d = 0;
2861 cs.l = 1;
2862 if (emul_is_noncanonical_address(rcx, ctxt) ||
2863 emul_is_noncanonical_address(rdx, ctxt))
2864 return emulate_gp(ctxt, 0);
2865 break;
2866 }
2867 cs_sel |= SEGMENT_RPL_MASK;
2868 ss_sel |= SEGMENT_RPL_MASK;
2869
2870 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2871 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2872
2873 ctxt->_eip = rdx;
2874 *reg_write(ctxt, VCPU_REGS_RSP) = rcx;
2875
2876 return X86EMUL_CONTINUE;
2877 }
2878
2879 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt)
2880 {
2881 int iopl;
2882 if (ctxt->mode == X86EMUL_MODE_REAL)
2883 return false;
2884 if (ctxt->mode == X86EMUL_MODE_VM86)
2885 return true;
2886 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> X86_EFLAGS_IOPL_BIT;
2887 return ctxt->ops->cpl(ctxt) > iopl;
2888 }
2889
2890 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2891 u16 port, u16 len)
2892 {
2893 const struct x86_emulate_ops *ops = ctxt->ops;
2894 struct desc_struct tr_seg;
2895 u32 base3;
2896 int r;
2897 u16 tr, io_bitmap_ptr, perm, bit_idx = port & 0x7;
2898 unsigned mask = (1 << len) - 1;
2899 unsigned long base;
2900
2901 ops->get_segment(ctxt, &tr, &tr_seg, &base3, VCPU_SREG_TR);
2902 if (!tr_seg.p)
2903 return false;
2904 if (desc_limit_scaled(&tr_seg) < 103)
2905 return false;
2906 base = get_desc_base(&tr_seg);
2907 #ifdef CONFIG_X86_64
2908 base |= ((u64)base3) << 32;
2909 #endif
2910 r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL);
2911 if (r != X86EMUL_CONTINUE)
2912 return false;
2913 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2914 return false;
2915 r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL);
2916 if (r != X86EMUL_CONTINUE)
2917 return false;
2918 if ((perm >> bit_idx) & mask)
2919 return false;
2920 return true;
2921 }
2922
2923 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2924 u16 port, u16 len)
2925 {
2926 if (ctxt->perm_ok)
2927 return true;
2928
2929 if (emulator_bad_iopl(ctxt))
2930 if (!emulator_io_port_access_allowed(ctxt, port, len))
2931 return false;
2932
2933 ctxt->perm_ok = true;
2934
2935 return true;
2936 }
2937
2938 static void string_registers_quirk(struct x86_emulate_ctxt *ctxt)
2939 {
2940 /*
2941 * Intel CPUs mask the counter and pointers in quite strange
2942 * manner when ECX is zero due to REP-string optimizations.
2943 */
2944 #ifdef CONFIG_X86_64
2945 if (ctxt->ad_bytes != 4 || !vendor_intel(ctxt))
2946 return;
2947
2948 *reg_write(ctxt, VCPU_REGS_RCX) = 0;
2949
2950 switch (ctxt->b) {
2951 case 0xa4: /* movsb */
2952 case 0xa5: /* movsd/w */
2953 *reg_rmw(ctxt, VCPU_REGS_RSI) &= (u32)-1;
2954 /* fall through */
2955 case 0xaa: /* stosb */
2956 case 0xab: /* stosd/w */
2957 *reg_rmw(ctxt, VCPU_REGS_RDI) &= (u32)-1;
2958 }
2959 #endif
2960 }
2961
2962 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2963 struct tss_segment_16 *tss)
2964 {
2965 tss->ip = ctxt->_eip;
2966 tss->flag = ctxt->eflags;
2967 tss->ax = reg_read(ctxt, VCPU_REGS_RAX);
2968 tss->cx = reg_read(ctxt, VCPU_REGS_RCX);
2969 tss->dx = reg_read(ctxt, VCPU_REGS_RDX);
2970 tss->bx = reg_read(ctxt, VCPU_REGS_RBX);
2971 tss->sp = reg_read(ctxt, VCPU_REGS_RSP);
2972 tss->bp = reg_read(ctxt, VCPU_REGS_RBP);
2973 tss->si = reg_read(ctxt, VCPU_REGS_RSI);
2974 tss->di = reg_read(ctxt, VCPU_REGS_RDI);
2975
2976 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2977 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2978 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2979 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2980 tss->ldt = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2981 }
2982
2983 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2984 struct tss_segment_16 *tss)
2985 {
2986 int ret;
2987 u8 cpl;
2988
2989 ctxt->_eip = tss->ip;
2990 ctxt->eflags = tss->flag | 2;
2991 *reg_write(ctxt, VCPU_REGS_RAX) = tss->ax;
2992 *reg_write(ctxt, VCPU_REGS_RCX) = tss->cx;
2993 *reg_write(ctxt, VCPU_REGS_RDX) = tss->dx;
2994 *reg_write(ctxt, VCPU_REGS_RBX) = tss->bx;
2995 *reg_write(ctxt, VCPU_REGS_RSP) = tss->sp;
2996 *reg_write(ctxt, VCPU_REGS_RBP) = tss->bp;
2997 *reg_write(ctxt, VCPU_REGS_RSI) = tss->si;
2998 *reg_write(ctxt, VCPU_REGS_RDI) = tss->di;
2999
3000 /*
3001 * SDM says that segment selectors are loaded before segment
3002 * descriptors
3003 */
3004 set_segment_selector(ctxt, tss->ldt, VCPU_SREG_LDTR);
3005 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
3006 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
3007 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
3008 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
3009
3010 cpl = tss->cs & 3;
3011
3012 /*
3013 * Now load segment descriptors. If fault happens at this stage
3014 * it is handled in a context of new task
3015 */
3016 ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl,
3017 X86_TRANSFER_TASK_SWITCH, NULL);
3018 if (ret != X86EMUL_CONTINUE)
3019 return ret;
3020 ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
3021 X86_TRANSFER_TASK_SWITCH, NULL);
3022 if (ret != X86EMUL_CONTINUE)
3023 return ret;
3024 ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
3025 X86_TRANSFER_TASK_SWITCH, NULL);
3026 if (ret != X86EMUL_CONTINUE)
3027 return ret;
3028 ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
3029 X86_TRANSFER_TASK_SWITCH, NULL);
3030 if (ret != X86EMUL_CONTINUE)
3031 return ret;
3032 ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
3033 X86_TRANSFER_TASK_SWITCH, NULL);
3034 if (ret != X86EMUL_CONTINUE)
3035 return ret;
3036
3037 return X86EMUL_CONTINUE;
3038 }
3039
3040 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
3041 u16 tss_selector, u16 old_tss_sel,
3042 ulong old_tss_base, struct desc_struct *new_desc)
3043 {
3044 const struct x86_emulate_ops *ops = ctxt->ops;
3045 struct tss_segment_16 tss_seg;
3046 int ret;
3047 u32 new_tss_base = get_desc_base(new_desc);
3048
3049 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
3050 &ctxt->exception);
3051 if (ret != X86EMUL_CONTINUE)
3052 return ret;
3053
3054 save_state_to_tss16(ctxt, &tss_seg);
3055
3056 ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
3057 &ctxt->exception);
3058 if (ret != X86EMUL_CONTINUE)
3059 return ret;
3060
3061 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
3062 &ctxt->exception);
3063 if (ret != X86EMUL_CONTINUE)
3064 return ret;
3065
3066 if (old_tss_sel != 0xffff) {
3067 tss_seg.prev_task_link = old_tss_sel;
3068
3069 ret = ops->write_std(ctxt, new_tss_base,
3070 &tss_seg.prev_task_link,
3071 sizeof tss_seg.prev_task_link,
3072 &ctxt->exception);
3073 if (ret != X86EMUL_CONTINUE)
3074 return ret;
3075 }
3076
3077 return load_state_from_tss16(ctxt, &tss_seg);
3078 }
3079
3080 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
3081 struct tss_segment_32 *tss)
3082 {
3083 /* CR3 and ldt selector are not saved intentionally */
3084 tss->eip = ctxt->_eip;
3085 tss->eflags = ctxt->eflags;
3086 tss->eax = reg_read(ctxt, VCPU_REGS_RAX);
3087 tss->ecx = reg_read(ctxt, VCPU_REGS_RCX);
3088 tss->edx = reg_read(ctxt, VCPU_REGS_RDX);
3089 tss->ebx = reg_read(ctxt, VCPU_REGS_RBX);
3090 tss->esp = reg_read(ctxt, VCPU_REGS_RSP);
3091 tss->ebp = reg_read(ctxt, VCPU_REGS_RBP);
3092 tss->esi = reg_read(ctxt, VCPU_REGS_RSI);
3093 tss->edi = reg_read(ctxt, VCPU_REGS_RDI);
3094
3095 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
3096 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
3097 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
3098 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
3099 tss->fs = get_segment_selector(ctxt, VCPU_SREG_FS);
3100 tss->gs = get_segment_selector(ctxt, VCPU_SREG_GS);
3101 }
3102
3103 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
3104 struct tss_segment_32 *tss)
3105 {
3106 int ret;
3107 u8 cpl;
3108
3109 if (ctxt->ops->set_cr(ctxt, 3, tss->cr3))
3110 return emulate_gp(ctxt, 0);
3111 ctxt->_eip = tss->eip;
3112 ctxt->eflags = tss->eflags | 2;
3113
3114 /* General purpose registers */
3115 *reg_write(ctxt, VCPU_REGS_RAX) = tss->eax;
3116 *reg_write(ctxt, VCPU_REGS_RCX) = tss->ecx;
3117 *reg_write(ctxt, VCPU_REGS_RDX) = tss->edx;
3118 *reg_write(ctxt, VCPU_REGS_RBX) = tss->ebx;
3119 *reg_write(ctxt, VCPU_REGS_RSP) = tss->esp;
3120 *reg_write(ctxt, VCPU_REGS_RBP) = tss->ebp;
3121 *reg_write(ctxt, VCPU_REGS_RSI) = tss->esi;
3122 *reg_write(ctxt, VCPU_REGS_RDI) = tss->edi;
3123
3124 /*
3125 * SDM says that segment selectors are loaded before segment
3126 * descriptors. This is important because CPL checks will
3127 * use CS.RPL.
3128 */
3129 set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
3130 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
3131 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
3132 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
3133 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
3134 set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS);
3135 set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS);
3136
3137 /*
3138 * If we're switching between Protected Mode and VM86, we need to make
3139 * sure to update the mode before loading the segment descriptors so
3140 * that the selectors are interpreted correctly.
3141 */
3142 if (ctxt->eflags & X86_EFLAGS_VM) {
3143 ctxt->mode = X86EMUL_MODE_VM86;
3144 cpl = 3;
3145 } else {
3146 ctxt->mode = X86EMUL_MODE_PROT32;
3147 cpl = tss->cs & 3;
3148 }
3149
3150 /*
3151 * Now load segment descriptors. If fault happenes at this stage
3152 * it is handled in a context of new task
3153 */
3154 ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR,
3155 cpl, X86_TRANSFER_TASK_SWITCH, NULL);
3156 if (ret != X86EMUL_CONTINUE)
3157 return ret;
3158 ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
3159 X86_TRANSFER_TASK_SWITCH, NULL);
3160 if (ret != X86EMUL_CONTINUE)
3161 return ret;
3162 ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
3163 X86_TRANSFER_TASK_SWITCH, NULL);
3164 if (ret != X86EMUL_CONTINUE)
3165 return ret;
3166 ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
3167 X86_TRANSFER_TASK_SWITCH, NULL);
3168 if (ret != X86EMUL_CONTINUE)
3169 return ret;
3170 ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
3171 X86_TRANSFER_TASK_SWITCH, NULL);
3172 if (ret != X86EMUL_CONTINUE)
3173 return ret;
3174 ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl,
3175 X86_TRANSFER_TASK_SWITCH, NULL);
3176 if (ret != X86EMUL_CONTINUE)
3177 return ret;
3178 ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl,
3179 X86_TRANSFER_TASK_SWITCH, NULL);
3180
3181 return ret;
3182 }
3183
3184 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
3185 u16 tss_selector, u16 old_tss_sel,
3186 ulong old_tss_base, struct desc_struct *new_desc)
3187 {
3188 const struct x86_emulate_ops *ops = ctxt->ops;
3189 struct tss_segment_32 tss_seg;
3190 int ret;
3191 u32 new_tss_base = get_desc_base(new_desc);
3192 u32 eip_offset = offsetof(struct tss_segment_32, eip);
3193 u32 ldt_sel_offset = offsetof(struct tss_segment_32, ldt_selector);
3194
3195 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
3196 &ctxt->exception);
3197 if (ret != X86EMUL_CONTINUE)
3198 return ret;
3199
3200 save_state_to_tss32(ctxt, &tss_seg);
3201
3202 /* Only GP registers and segment selectors are saved */
3203 ret = ops->write_std(ctxt, old_tss_base + eip_offset, &tss_seg.eip,
3204 ldt_sel_offset - eip_offset, &ctxt->exception);
3205 if (ret != X86EMUL_CONTINUE)
3206 return ret;
3207
3208 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
3209 &ctxt->exception);
3210 if (ret != X86EMUL_CONTINUE)
3211 return ret;
3212
3213 if (old_tss_sel != 0xffff) {
3214 tss_seg.prev_task_link = old_tss_sel;
3215
3216 ret = ops->write_std(ctxt, new_tss_base,
3217 &tss_seg.prev_task_link,
3218 sizeof tss_seg.prev_task_link,
3219 &ctxt->exception);
3220 if (ret != X86EMUL_CONTINUE)
3221 return ret;
3222 }
3223
3224 return load_state_from_tss32(ctxt, &tss_seg);
3225 }
3226
3227 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
3228 u16 tss_selector, int idt_index, int reason,
3229 bool has_error_code, u32 error_code)
3230 {
3231 const struct x86_emulate_ops *ops = ctxt->ops;
3232 struct desc_struct curr_tss_desc, next_tss_desc;
3233 int ret;
3234 u16 old_tss_sel = get_segment_selector(ctxt, VCPU_SREG_TR);
3235 ulong old_tss_base =
3236 ops->get_cached_segment_base(ctxt, VCPU_SREG_TR);
3237 u32 desc_limit;
3238 ulong desc_addr, dr7;
3239
3240 /* FIXME: old_tss_base == ~0 ? */
3241
3242 ret = read_segment_descriptor(ctxt, tss_selector, &next_tss_desc, &desc_addr);
3243 if (ret != X86EMUL_CONTINUE)
3244 return ret;
3245 ret = read_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc, &desc_addr);
3246 if (ret != X86EMUL_CONTINUE)
3247 return ret;
3248
3249 /* FIXME: check that next_tss_desc is tss */
3250
3251 /*
3252 * Check privileges. The three cases are task switch caused by...
3253 *
3254 * 1. jmp/call/int to task gate: Check against DPL of the task gate
3255 * 2. Exception/IRQ/iret: No check is performed
3256 * 3. jmp/call to TSS/task-gate: No check is performed since the
3257 * hardware checks it before exiting.
3258 */
3259 if (reason == TASK_SWITCH_GATE) {
3260 if (idt_index != -1) {
3261 /* Software interrupts */
3262 struct desc_struct task_gate_desc;
3263 int dpl;
3264
3265 ret = read_interrupt_descriptor(ctxt, idt_index,
3266 &task_gate_desc);
3267 if (ret != X86EMUL_CONTINUE)
3268 return ret;
3269
3270 dpl = task_gate_desc.dpl;
3271 if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
3272 return emulate_gp(ctxt, (idt_index << 3) | 0x2);
3273 }
3274 }
3275
3276 desc_limit = desc_limit_scaled(&next_tss_desc);
3277 if (!next_tss_desc.p ||
3278 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
3279 desc_limit < 0x2b)) {
3280 return emulate_ts(ctxt, tss_selector & 0xfffc);
3281 }
3282
3283 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
3284 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
3285 write_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
3286 }
3287
3288 if (reason == TASK_SWITCH_IRET)
3289 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
3290
3291 /* set back link to prev task only if NT bit is set in eflags
3292 note that old_tss_sel is not used after this point */
3293 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
3294 old_tss_sel = 0xffff;
3295
3296 if (next_tss_desc.type & 8)
3297 ret = task_switch_32(ctxt, tss_selector, old_tss_sel,
3298 old_tss_base, &next_tss_desc);
3299 else
3300 ret = task_switch_16(ctxt, tss_selector, old_tss_sel,
3301 old_tss_base, &next_tss_desc);
3302 if (ret != X86EMUL_CONTINUE)
3303 return ret;
3304
3305 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
3306 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
3307
3308 if (reason != TASK_SWITCH_IRET) {
3309 next_tss_desc.type |= (1 << 1); /* set busy flag */
3310 write_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
3311 }
3312
3313 ops->set_cr(ctxt, 0, ops->get_cr(ctxt, 0) | X86_CR0_TS);
3314 ops->set_segment(ctxt, tss_selector, &next_tss_desc, 0, VCPU_SREG_TR);
3315
3316 if (has_error_code) {
3317 ctxt->op_bytes = ctxt->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
3318 ctxt->lock_prefix = 0;
3319 ctxt->src.val = (unsigned long) error_code;
3320 ret = em_push(ctxt);
3321 }
3322
3323 ops->get_dr(ctxt, 7, &dr7);
3324 ops->set_dr(ctxt, 7, dr7 & ~(DR_LOCAL_ENABLE_MASK | DR_LOCAL_SLOWDOWN));
3325
3326 return ret;
3327 }
3328
3329 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
3330 u16 tss_selector, int idt_index, int reason,
3331 bool has_error_code, u32 error_code)
3332 {
3333 int rc;
3334
3335 invalidate_registers(ctxt);
3336 ctxt->_eip = ctxt->eip;
3337 ctxt->dst.type = OP_NONE;
3338
3339 rc = emulator_do_task_switch(ctxt, tss_selector, idt_index, reason,
3340 has_error_code, error_code);
3341
3342 if (rc == X86EMUL_CONTINUE) {
3343 ctxt->eip = ctxt->_eip;
3344 writeback_registers(ctxt);
3345 }
3346
3347 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
3348 }
3349
3350 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, int reg,
3351 struct operand *op)
3352 {
3353 int df = (ctxt->eflags & X86_EFLAGS_DF) ? -op->count : op->count;
3354
3355 register_address_increment(ctxt, reg, df * op->bytes);
3356 op->addr.mem.ea = register_address(ctxt, reg);
3357 }
3358
3359 static int em_das(struct x86_emulate_ctxt *ctxt)
3360 {
3361 u8 al, old_al;
3362 bool af, cf, old_cf;
3363
3364 cf = ctxt->eflags & X86_EFLAGS_CF;
3365 al = ctxt->dst.val;
3366
3367 old_al = al;
3368 old_cf = cf;
3369 cf = false;
3370 af = ctxt->eflags & X86_EFLAGS_AF;
3371 if ((al & 0x0f) > 9 || af) {
3372 al -= 6;
3373 cf = old_cf | (al >= 250);
3374 af = true;
3375 } else {
3376 af = false;
3377 }
3378 if (old_al > 0x99 || old_cf) {
3379 al -= 0x60;
3380 cf = true;
3381 }
3382
3383 ctxt->dst.val = al;
3384 /* Set PF, ZF, SF */
3385 ctxt->src.type = OP_IMM;
3386 ctxt->src.val = 0;
3387 ctxt->src.bytes = 1;
3388 fastop(ctxt, em_or);
3389 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
3390 if (cf)
3391 ctxt->eflags |= X86_EFLAGS_CF;
3392 if (af)
3393 ctxt->eflags |= X86_EFLAGS_AF;
3394 return X86EMUL_CONTINUE;
3395 }
3396
3397 static int em_aam(struct x86_emulate_ctxt *ctxt)
3398 {
3399 u8 al, ah;
3400
3401 if (ctxt->src.val == 0)
3402 return emulate_de(ctxt);
3403
3404 al = ctxt->dst.val & 0xff;
3405 ah = al / ctxt->src.val;
3406 al %= ctxt->src.val;
3407
3408 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al | (ah << 8);
3409
3410 /* Set PF, ZF, SF */
3411 ctxt->src.type = OP_IMM;
3412 ctxt->src.val = 0;
3413 ctxt->src.bytes = 1;
3414 fastop(ctxt, em_or);
3415
3416 return X86EMUL_CONTINUE;
3417 }
3418
3419 static int em_aad(struct x86_emulate_ctxt *ctxt)
3420 {
3421 u8 al = ctxt->dst.val & 0xff;
3422 u8 ah = (ctxt->dst.val >> 8) & 0xff;
3423
3424 al = (al + (ah * ctxt->src.val)) & 0xff;
3425
3426 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al;
3427
3428 /* Set PF, ZF, SF */
3429 ctxt->src.type = OP_IMM;
3430 ctxt->src.val = 0;
3431 ctxt->src.bytes = 1;
3432 fastop(ctxt, em_or);
3433
3434 return X86EMUL_CONTINUE;
3435 }
3436
3437 static int em_call(struct x86_emulate_ctxt *ctxt)
3438 {
3439 int rc;
3440 long rel = ctxt->src.val;
3441
3442 ctxt->src.val = (unsigned long)ctxt->_eip;
3443 rc = jmp_rel(ctxt, rel);
3444 if (rc != X86EMUL_CONTINUE)
3445 return rc;
3446 return em_push(ctxt);
3447 }
3448
3449 static int em_call_far(struct x86_emulate_ctxt *ctxt)
3450 {
3451 u16 sel, old_cs;
3452 ulong old_eip;
3453 int rc;
3454 struct desc_struct old_desc, new_desc;
3455 const struct x86_emulate_ops *ops = ctxt->ops;
3456 int cpl = ctxt->ops->cpl(ctxt);
3457 enum x86emul_mode prev_mode = ctxt->mode;
3458
3459 old_eip = ctxt->_eip;
3460 ops->get_segment(ctxt, &old_cs, &old_desc, NULL, VCPU_SREG_CS);
3461
3462 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
3463 rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
3464 X86_TRANSFER_CALL_JMP, &new_desc);
3465 if (rc != X86EMUL_CONTINUE)
3466 return rc;
3467
3468 rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
3469 if (rc != X86EMUL_CONTINUE)
3470 goto fail;
3471
3472 ctxt->src.val = old_cs;
3473 rc = em_push(ctxt);
3474 if (rc != X86EMUL_CONTINUE)
3475 goto fail;
3476
3477 ctxt->src.val = old_eip;
3478 rc = em_push(ctxt);
3479 /* If we failed, we tainted the memory, but the very least we should
3480 restore cs */
3481 if (rc != X86EMUL_CONTINUE) {
3482 pr_warn_once("faulting far call emulation tainted memory\n");
3483 goto fail;
3484 }
3485 return rc;
3486 fail:
3487 ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
3488 ctxt->mode = prev_mode;
3489 return rc;
3490
3491 }
3492
3493 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
3494 {
3495 int rc;
3496 unsigned long eip;
3497
3498 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
3499 if (rc != X86EMUL_CONTINUE)
3500 return rc;
3501 rc = assign_eip_near(ctxt, eip);
3502 if (rc != X86EMUL_CONTINUE)
3503 return rc;
3504 rsp_increment(ctxt, ctxt->src.val);
3505 return X86EMUL_CONTINUE;
3506 }
3507
3508 static int em_xchg(struct x86_emulate_ctxt *ctxt)
3509 {
3510 /* Write back the register source. */
3511 ctxt->src.val = ctxt->dst.val;
3512 write_register_operand(&ctxt->src);
3513
3514 /* Write back the memory destination with implicit LOCK prefix. */
3515 ctxt->dst.val = ctxt->src.orig_val;
3516 ctxt->lock_prefix = 1;
3517 return X86EMUL_CONTINUE;
3518 }
3519
3520 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
3521 {
3522 ctxt->dst.val = ctxt->src2.val;
3523 return fastop(ctxt, em_imul);
3524 }
3525
3526 static int em_cwd(struct x86_emulate_ctxt *ctxt)
3527 {
3528 ctxt->dst.type = OP_REG;
3529 ctxt->dst.bytes = ctxt->src.bytes;
3530 ctxt->dst.addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
3531 ctxt->dst.val = ~((ctxt->src.val >> (ctxt->src.bytes * 8 - 1)) - 1);
3532
3533 return X86EMUL_CONTINUE;
3534 }
3535
3536 static int em_rdpid(struct x86_emulate_ctxt *ctxt)
3537 {
3538 u64 tsc_aux = 0;
3539
3540 if (ctxt->ops->get_msr(ctxt, MSR_TSC_AUX, &tsc_aux))
3541 return emulate_gp(ctxt, 0);
3542 ctxt->dst.val = tsc_aux;
3543 return X86EMUL_CONTINUE;
3544 }
3545
3546 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
3547 {
3548 u64 tsc = 0;
3549
3550 ctxt->ops->get_msr(ctxt, MSR_IA32_TSC, &tsc);
3551 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)tsc;
3552 *reg_write(ctxt, VCPU_REGS_RDX) = tsc >> 32;
3553 return X86EMUL_CONTINUE;
3554 }
3555
3556 static int em_rdpmc(struct x86_emulate_ctxt *ctxt)
3557 {
3558 u64 pmc;
3559
3560 if (ctxt->ops->read_pmc(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &pmc))
3561 return emulate_gp(ctxt, 0);
3562 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)pmc;
3563 *reg_write(ctxt, VCPU_REGS_RDX) = pmc >> 32;
3564 return X86EMUL_CONTINUE;
3565 }
3566
3567 static int em_mov(struct x86_emulate_ctxt *ctxt)
3568 {
3569 memcpy(ctxt->dst.valptr, ctxt->src.valptr, sizeof(ctxt->src.valptr));
3570 return X86EMUL_CONTINUE;
3571 }
3572
3573 #define FFL(x) bit(X86_FEATURE_##x)
3574
3575 static int em_movbe(struct x86_emulate_ctxt *ctxt)
3576 {
3577 u32 ebx, ecx, edx, eax = 1;
3578 u16 tmp;
3579
3580 /*
3581 * Check MOVBE is set in the guest-visible CPUID leaf.
3582 */
3583 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, false);
3584 if (!(ecx & FFL(MOVBE)))
3585 return emulate_ud(ctxt);
3586
3587 switch (ctxt->op_bytes) {
3588 case 2:
3589 /*
3590 * From MOVBE definition: "...When the operand size is 16 bits,
3591 * the upper word of the destination register remains unchanged
3592 * ..."
3593 *
3594 * Both casting ->valptr and ->val to u16 breaks strict aliasing
3595 * rules so we have to do the operation almost per hand.
3596 */
3597 tmp = (u16)ctxt->src.val;
3598 ctxt->dst.val &= ~0xffffUL;
3599 ctxt->dst.val |= (unsigned long)swab16(tmp);
3600 break;
3601 case 4:
3602 ctxt->dst.val = swab32((u32)ctxt->src.val);
3603 break;
3604 case 8:
3605 ctxt->dst.val = swab64(ctxt->src.val);
3606 break;
3607 default:
3608 BUG();
3609 }
3610 return X86EMUL_CONTINUE;
3611 }
3612
3613 static int em_cr_write(struct x86_emulate_ctxt *ctxt)
3614 {
3615 if (ctxt->ops->set_cr(ctxt, ctxt->modrm_reg, ctxt->src.val))
3616 return emulate_gp(ctxt, 0);
3617
3618 /* Disable writeback. */
3619 ctxt->dst.type = OP_NONE;
3620 return X86EMUL_CONTINUE;
3621 }
3622
3623 static int em_dr_write(struct x86_emulate_ctxt *ctxt)
3624 {
3625 unsigned long val;
3626
3627 if (ctxt->mode == X86EMUL_MODE_PROT64)
3628 val = ctxt->src.val & ~0ULL;
3629 else
3630 val = ctxt->src.val & ~0U;
3631
3632 /* #UD condition is already handled. */
3633 if (ctxt->ops->set_dr(ctxt, ctxt->modrm_reg, val) < 0)
3634 return emulate_gp(ctxt, 0);
3635
3636 /* Disable writeback. */
3637 ctxt->dst.type = OP_NONE;
3638 return X86EMUL_CONTINUE;
3639 }
3640
3641 static int em_wrmsr(struct x86_emulate_ctxt *ctxt)
3642 {
3643 u64 msr_data;
3644
3645 msr_data = (u32)reg_read(ctxt, VCPU_REGS_RAX)
3646 | ((u64)reg_read(ctxt, VCPU_REGS_RDX) << 32);
3647 if (ctxt->ops->set_msr(ctxt, reg_read(ctxt, VCPU_REGS_RCX), msr_data))
3648 return emulate_gp(ctxt, 0);
3649
3650 return X86EMUL_CONTINUE;
3651 }
3652
3653 static int em_rdmsr(struct x86_emulate_ctxt *ctxt)
3654 {
3655 u64 msr_data;
3656
3657 if (ctxt->ops->get_msr(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &msr_data))
3658 return emulate_gp(ctxt, 0);
3659
3660 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)msr_data;
3661 *reg_write(ctxt, VCPU_REGS_RDX) = msr_data >> 32;
3662 return X86EMUL_CONTINUE;
3663 }
3664
3665 static int em_store_sreg(struct x86_emulate_ctxt *ctxt, int segment)
3666 {
3667 if (segment > VCPU_SREG_GS &&
3668 (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_UMIP) &&
3669 ctxt->ops->cpl(ctxt) > 0)
3670 return emulate_gp(ctxt, 0);
3671
3672 ctxt->dst.val = get_segment_selector(ctxt, segment);
3673 if (ctxt->dst.bytes == 4 && ctxt->dst.type == OP_MEM)
3674 ctxt->dst.bytes = 2;
3675 return X86EMUL_CONTINUE;
3676 }
3677
3678 static int em_mov_rm_sreg(struct x86_emulate_ctxt *ctxt)
3679 {
3680 if (ctxt->modrm_reg > VCPU_SREG_GS)
3681 return emulate_ud(ctxt);
3682
3683 return em_store_sreg(ctxt, ctxt->modrm_reg);
3684 }
3685
3686 static int em_mov_sreg_rm(struct x86_emulate_ctxt *ctxt)
3687 {
3688 u16 sel = ctxt->src.val;
3689
3690 if (ctxt->modrm_reg == VCPU_SREG_CS || ctxt->modrm_reg > VCPU_SREG_GS)
3691 return emulate_ud(ctxt);
3692
3693 if (ctxt->modrm_reg == VCPU_SREG_SS)
3694 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3695
3696 /* Disable writeback. */
3697 ctxt->dst.type = OP_NONE;
3698 return load_segment_descriptor(ctxt, sel, ctxt->modrm_reg);
3699 }
3700
3701 static int em_sldt(struct x86_emulate_ctxt *ctxt)
3702 {
3703 return em_store_sreg(ctxt, VCPU_SREG_LDTR);
3704 }
3705
3706 static int em_lldt(struct x86_emulate_ctxt *ctxt)
3707 {
3708 u16 sel = ctxt->src.val;
3709
3710 /* Disable writeback. */
3711 ctxt->dst.type = OP_NONE;
3712 return load_segment_descriptor(ctxt, sel, VCPU_SREG_LDTR);
3713 }
3714
3715 static int em_str(struct x86_emulate_ctxt *ctxt)
3716 {
3717 return em_store_sreg(ctxt, VCPU_SREG_TR);
3718 }
3719
3720 static int em_ltr(struct x86_emulate_ctxt *ctxt)
3721 {
3722 u16 sel = ctxt->src.val;
3723
3724 /* Disable writeback. */
3725 ctxt->dst.type = OP_NONE;
3726 return load_segment_descriptor(ctxt, sel, VCPU_SREG_TR);
3727 }
3728
3729 static int em_invlpg(struct x86_emulate_ctxt *ctxt)
3730 {
3731 int rc;
3732 ulong linear;
3733
3734 rc = linearize(ctxt, ctxt->src.addr.mem, 1, false, &linear);
3735 if (rc == X86EMUL_CONTINUE)
3736 ctxt->ops->invlpg(ctxt, linear);
3737 /* Disable writeback. */
3738 ctxt->dst.type = OP_NONE;
3739 return X86EMUL_CONTINUE;
3740 }
3741
3742 static int em_clts(struct x86_emulate_ctxt *ctxt)
3743 {
3744 ulong cr0;
3745
3746 cr0 = ctxt->ops->get_cr(ctxt, 0);
3747 cr0 &= ~X86_CR0_TS;
3748 ctxt->ops->set_cr(ctxt, 0, cr0);
3749 return X86EMUL_CONTINUE;
3750 }
3751
3752 static int em_hypercall(struct x86_emulate_ctxt *ctxt)
3753 {
3754 int rc = ctxt->ops->fix_hypercall(ctxt);
3755
3756 if (rc != X86EMUL_CONTINUE)
3757 return rc;
3758
3759 /* Let the processor re-execute the fixed hypercall */
3760 ctxt->_eip = ctxt->eip;
3761 /* Disable writeback. */
3762 ctxt->dst.type = OP_NONE;
3763 return X86EMUL_CONTINUE;
3764 }
3765
3766 static int emulate_store_desc_ptr(struct x86_emulate_ctxt *ctxt,
3767 void (*get)(struct x86_emulate_ctxt *ctxt,
3768 struct desc_ptr *ptr))
3769 {
3770 struct desc_ptr desc_ptr;
3771
3772 if ((ctxt->ops->get_cr(ctxt, 4) & X86_CR4_UMIP) &&
3773 ctxt->ops->cpl(ctxt) > 0)
3774 return emulate_gp(ctxt, 0);
3775
3776 if (ctxt->mode == X86EMUL_MODE_PROT64)
3777 ctxt->op_bytes = 8;
3778 get(ctxt, &desc_ptr);
3779 if (ctxt->op_bytes == 2) {
3780 ctxt->op_bytes = 4;
3781 desc_ptr.address &= 0x00ffffff;
3782 }
3783 /* Disable writeback. */
3784 ctxt->dst.type = OP_NONE;
3785 return segmented_write_std(ctxt, ctxt->dst.addr.mem,
3786 &desc_ptr, 2 + ctxt->op_bytes);
3787 }
3788
3789 static int em_sgdt(struct x86_emulate_ctxt *ctxt)
3790 {
3791 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_gdt);
3792 }
3793
3794 static int em_sidt(struct x86_emulate_ctxt *ctxt)
3795 {
3796 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_idt);
3797 }
3798
3799 static int em_lgdt_lidt(struct x86_emulate_ctxt *ctxt, bool lgdt)
3800 {
3801 struct desc_ptr desc_ptr;
3802 int rc;
3803
3804 if (ctxt->mode == X86EMUL_MODE_PROT64)
3805 ctxt->op_bytes = 8;
3806 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
3807 &desc_ptr.size, &desc_ptr.address,
3808 ctxt->op_bytes);
3809 if (rc != X86EMUL_CONTINUE)
3810 return rc;
3811 if (ctxt->mode == X86EMUL_MODE_PROT64 &&
3812 emul_is_noncanonical_address(desc_ptr.address, ctxt))
3813 return emulate_gp(ctxt, 0);
3814 if (lgdt)
3815 ctxt->ops->set_gdt(ctxt, &desc_ptr);
3816 else
3817 ctxt->ops->set_idt(ctxt, &desc_ptr);
3818 /* Disable writeback. */
3819 ctxt->dst.type = OP_NONE;
3820 return X86EMUL_CONTINUE;
3821 }
3822
3823 static int em_lgdt(struct x86_emulate_ctxt *ctxt)
3824 {
3825 return em_lgdt_lidt(ctxt, true);
3826 }
3827
3828 static int em_lidt(struct x86_emulate_ctxt *ctxt)
3829 {
3830 return em_lgdt_lidt(ctxt, false);
3831 }
3832
3833 static int em_smsw(struct x86_emulate_ctxt *ctxt)
3834 {
3835 if ((ctxt->ops->get_cr(ctxt, 4) & X86_CR4_UMIP) &&
3836 ctxt->ops->cpl(ctxt) > 0)
3837 return emulate_gp(ctxt, 0);
3838
3839 if (ctxt->dst.type == OP_MEM)
3840 ctxt->dst.bytes = 2;
3841 ctxt->dst.val = ctxt->ops->get_cr(ctxt, 0);
3842 return X86EMUL_CONTINUE;
3843 }
3844
3845 static int em_lmsw(struct x86_emulate_ctxt *ctxt)
3846 {
3847 ctxt->ops->set_cr(ctxt, 0, (ctxt->ops->get_cr(ctxt, 0) & ~0x0eul)
3848 | (ctxt->src.val & 0x0f));
3849 ctxt->dst.type = OP_NONE;
3850 return X86EMUL_CONTINUE;
3851 }
3852
3853 static int em_loop(struct x86_emulate_ctxt *ctxt)
3854 {
3855 int rc = X86EMUL_CONTINUE;
3856
3857 register_address_increment(ctxt, VCPU_REGS_RCX, -1);
3858 if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) &&
3859 (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
3860 rc = jmp_rel(ctxt, ctxt->src.val);
3861
3862 return rc;
3863 }
3864
3865 static int em_jcxz(struct x86_emulate_ctxt *ctxt)
3866 {
3867 int rc = X86EMUL_CONTINUE;
3868
3869 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0)
3870 rc = jmp_rel(ctxt, ctxt->src.val);
3871
3872 return rc;
3873 }
3874
3875 static int em_in(struct x86_emulate_ctxt *ctxt)
3876 {
3877 if (!pio_in_emulated(ctxt, ctxt->dst.bytes, ctxt->src.val,
3878 &ctxt->dst.val))
3879 return X86EMUL_IO_NEEDED;
3880
3881 return X86EMUL_CONTINUE;
3882 }
3883
3884 static int em_out(struct x86_emulate_ctxt *ctxt)
3885 {
3886 ctxt->ops->pio_out_emulated(ctxt, ctxt->src.bytes, ctxt->dst.val,
3887 &ctxt->src.val, 1);
3888 /* Disable writeback. */
3889 ctxt->dst.type = OP_NONE;
3890 return X86EMUL_CONTINUE;
3891 }
3892
3893 static int em_cli(struct x86_emulate_ctxt *ctxt)
3894 {
3895 if (emulator_bad_iopl(ctxt))
3896 return emulate_gp(ctxt, 0);
3897
3898 ctxt->eflags &= ~X86_EFLAGS_IF;
3899 return X86EMUL_CONTINUE;
3900 }
3901
3902 static int em_sti(struct x86_emulate_ctxt *ctxt)
3903 {
3904 if (emulator_bad_iopl(ctxt))
3905 return emulate_gp(ctxt, 0);
3906
3907 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3908 ctxt->eflags |= X86_EFLAGS_IF;
3909 return X86EMUL_CONTINUE;
3910 }
3911
3912 static int em_cpuid(struct x86_emulate_ctxt *ctxt)
3913 {
3914 u32 eax, ebx, ecx, edx;
3915 u64 msr = 0;
3916
3917 ctxt->ops->get_msr(ctxt, MSR_MISC_FEATURES_ENABLES, &msr);
3918 if (msr & MSR_MISC_FEATURES_ENABLES_CPUID_FAULT &&
3919 ctxt->ops->cpl(ctxt)) {
3920 return emulate_gp(ctxt, 0);
3921 }
3922
3923 eax = reg_read(ctxt, VCPU_REGS_RAX);
3924 ecx = reg_read(ctxt, VCPU_REGS_RCX);
3925 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, true);
3926 *reg_write(ctxt, VCPU_REGS_RAX) = eax;
3927 *reg_write(ctxt, VCPU_REGS_RBX) = ebx;
3928 *reg_write(ctxt, VCPU_REGS_RCX) = ecx;
3929 *reg_write(ctxt, VCPU_REGS_RDX) = edx;
3930 return X86EMUL_CONTINUE;
3931 }
3932
3933 static int em_sahf(struct x86_emulate_ctxt *ctxt)
3934 {
3935 u32 flags;
3936
3937 flags = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF | X86_EFLAGS_ZF |
3938 X86_EFLAGS_SF;
3939 flags &= *reg_rmw(ctxt, VCPU_REGS_RAX) >> 8;
3940
3941 ctxt->eflags &= ~0xffUL;
3942 ctxt->eflags |= flags | X86_EFLAGS_FIXED;
3943 return X86EMUL_CONTINUE;
3944 }
3945
3946 static int em_lahf(struct x86_emulate_ctxt *ctxt)
3947 {
3948 *reg_rmw(ctxt, VCPU_REGS_RAX) &= ~0xff00UL;
3949 *reg_rmw(ctxt, VCPU_REGS_RAX) |= (ctxt->eflags & 0xff) << 8;
3950 return X86EMUL_CONTINUE;
3951 }
3952
3953 static int em_bswap(struct x86_emulate_ctxt *ctxt)
3954 {
3955 switch (ctxt->op_bytes) {
3956 #ifdef CONFIG_X86_64
3957 case 8:
3958 asm("bswap %0" : "+r"(ctxt->dst.val));
3959 break;
3960 #endif
3961 default:
3962 asm("bswap %0" : "+r"(*(u32 *)&ctxt->dst.val));
3963 break;
3964 }
3965 return X86EMUL_CONTINUE;
3966 }
3967
3968 static int em_clflush(struct x86_emulate_ctxt *ctxt)
3969 {
3970 /* emulating clflush regardless of cpuid */
3971 return X86EMUL_CONTINUE;
3972 }
3973
3974 static int em_movsxd(struct x86_emulate_ctxt *ctxt)
3975 {
3976 ctxt->dst.val = (s32) ctxt->src.val;
3977 return X86EMUL_CONTINUE;
3978 }
3979
3980 static int check_fxsr(struct x86_emulate_ctxt *ctxt)
3981 {
3982 u32 eax = 1, ebx, ecx = 0, edx;
3983
3984 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, false);
3985 if (!(edx & FFL(FXSR)))
3986 return emulate_ud(ctxt);
3987
3988 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
3989 return emulate_nm(ctxt);
3990
3991 /*
3992 * Don't emulate a case that should never be hit, instead of working
3993 * around a lack of fxsave64/fxrstor64 on old compilers.
3994 */
3995 if (ctxt->mode >= X86EMUL_MODE_PROT64)
3996 return X86EMUL_UNHANDLEABLE;
3997
3998 return X86EMUL_CONTINUE;
3999 }
4000
4001 /*
4002 * Hardware doesn't save and restore XMM 0-7 without CR4.OSFXSR, but does save
4003 * and restore MXCSR.
4004 */
4005 static size_t __fxstate_size(int nregs)
4006 {
4007 return offsetof(struct fxregs_state, xmm_space[0]) + nregs * 16;
4008 }
4009
4010 static inline size_t fxstate_size(struct x86_emulate_ctxt *ctxt)
4011 {
4012 bool cr4_osfxsr;
4013 if (ctxt->mode == X86EMUL_MODE_PROT64)
4014 return __fxstate_size(16);
4015
4016 cr4_osfxsr = ctxt->ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR;
4017 return __fxstate_size(cr4_osfxsr ? 8 : 0);
4018 }
4019
4020 /*
4021 * FXSAVE and FXRSTOR have 4 different formats depending on execution mode,
4022 * 1) 16 bit mode
4023 * 2) 32 bit mode
4024 * - like (1), but FIP and FDP (foo) are only 16 bit. At least Intel CPUs
4025 * preserve whole 32 bit values, though, so (1) and (2) are the same wrt.
4026 * save and restore
4027 * 3) 64-bit mode with REX.W prefix
4028 * - like (2), but XMM 8-15 are being saved and restored
4029 * 4) 64-bit mode without REX.W prefix
4030 * - like (3), but FIP and FDP are 64 bit
4031 *
4032 * Emulation uses (3) for (1) and (2) and preserves XMM 8-15 to reach the
4033 * desired result. (4) is not emulated.
4034 *
4035 * Note: Guest and host CPUID.(EAX=07H,ECX=0H):EBX[bit 13] (deprecate FPU CS
4036 * and FPU DS) should match.
4037 */
4038 static int em_fxsave(struct x86_emulate_ctxt *ctxt)
4039 {
4040 struct fxregs_state fx_state;
4041 int rc;
4042
4043 rc = check_fxsr(ctxt);
4044 if (rc != X86EMUL_CONTINUE)
4045 return rc;
4046
4047 rc = asm_safe("fxsave %[fx]", , [fx] "+m"(fx_state));
4048
4049 if (rc != X86EMUL_CONTINUE)
4050 return rc;
4051
4052 return segmented_write_std(ctxt, ctxt->memop.addr.mem, &fx_state,
4053 fxstate_size(ctxt));
4054 }
4055
4056 /*
4057 * FXRSTOR might restore XMM registers not provided by the guest. Fill
4058 * in the host registers (via FXSAVE) instead, so they won't be modified.
4059 * (preemption has to stay disabled until FXRSTOR).
4060 *
4061 * Use noinline to keep the stack for other functions called by callers small.
4062 */
4063 static noinline int fxregs_fixup(struct fxregs_state *fx_state,
4064 const size_t used_size)
4065 {
4066 struct fxregs_state fx_tmp;
4067 int rc;
4068
4069 rc = asm_safe("fxsave %[fx]", , [fx] "+m"(fx_tmp));
4070 memcpy((void *)fx_state + used_size, (void *)&fx_tmp + used_size,
4071 __fxstate_size(16) - used_size);
4072
4073 return rc;
4074 }
4075
4076 static int em_fxrstor(struct x86_emulate_ctxt *ctxt)
4077 {
4078 struct fxregs_state fx_state;
4079 int rc;
4080 size_t size;
4081
4082 rc = check_fxsr(ctxt);
4083 if (rc != X86EMUL_CONTINUE)
4084 return rc;
4085
4086 size = fxstate_size(ctxt);
4087 rc = segmented_read_std(ctxt, ctxt->memop.addr.mem, &fx_state, size);
4088 if (rc != X86EMUL_CONTINUE)
4089 return rc;
4090
4091 if (size < __fxstate_size(16)) {
4092 rc = fxregs_fixup(&fx_state, size);
4093 if (rc != X86EMUL_CONTINUE)
4094 goto out;
4095 }
4096
4097 if (fx_state.mxcsr >> 16) {
4098 rc = emulate_gp(ctxt, 0);
4099 goto out;
4100 }
4101
4102 if (rc == X86EMUL_CONTINUE)
4103 rc = asm_safe("fxrstor %[fx]", : [fx] "m"(fx_state));
4104
4105 out:
4106 return rc;
4107 }
4108
4109 static bool valid_cr(int nr)
4110 {
4111 switch (nr) {
4112 case 0:
4113 case 2 ... 4:
4114 case 8:
4115 return true;
4116 default:
4117 return false;
4118 }
4119 }
4120
4121 static int check_cr_read(struct x86_emulate_ctxt *ctxt)
4122 {
4123 if (!valid_cr(ctxt->modrm_reg))
4124 return emulate_ud(ctxt);
4125
4126 return X86EMUL_CONTINUE;
4127 }
4128
4129 static int check_cr_write(struct x86_emulate_ctxt *ctxt)
4130 {
4131 u64 new_val = ctxt->src.val64;
4132 int cr = ctxt->modrm_reg;
4133 u64 efer = 0;
4134
4135 static u64 cr_reserved_bits[] = {
4136 0xffffffff00000000ULL,
4137 0, 0, 0, /* CR3 checked later */
4138 CR4_RESERVED_BITS,
4139 0, 0, 0,
4140 CR8_RESERVED_BITS,
4141 };
4142
4143 if (!valid_cr(cr))
4144 return emulate_ud(ctxt);
4145
4146 if (new_val & cr_reserved_bits[cr])
4147 return emulate_gp(ctxt, 0);
4148
4149 switch (cr) {
4150 case 0: {
4151 u64 cr4;
4152 if (((new_val & X86_CR0_PG) && !(new_val & X86_CR0_PE)) ||
4153 ((new_val & X86_CR0_NW) && !(new_val & X86_CR0_CD)))
4154 return emulate_gp(ctxt, 0);
4155
4156 cr4 = ctxt->ops->get_cr(ctxt, 4);
4157 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
4158
4159 if ((new_val & X86_CR0_PG) && (efer & EFER_LME) &&
4160 !(cr4 & X86_CR4_PAE))
4161 return emulate_gp(ctxt, 0);
4162
4163 break;
4164 }
4165 case 3: {
4166 u64 rsvd = 0;
4167
4168 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
4169 if (efer & EFER_LMA) {
4170 u64 maxphyaddr;
4171 u32 eax, ebx, ecx, edx;
4172
4173 eax = 0x80000008;
4174 ecx = 0;
4175 if (ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx,
4176 &edx, false))
4177 maxphyaddr = eax & 0xff;
4178 else
4179 maxphyaddr = 36;
4180 rsvd = rsvd_bits(maxphyaddr, 62);
4181 }
4182
4183 if (new_val & rsvd)
4184 return emulate_gp(ctxt, 0);
4185
4186 break;
4187 }
4188 case 4: {
4189 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
4190
4191 if ((efer & EFER_LMA) && !(new_val & X86_CR4_PAE))
4192 return emulate_gp(ctxt, 0);
4193
4194 break;
4195 }
4196 }
4197
4198 return X86EMUL_CONTINUE;
4199 }
4200
4201 static int check_dr7_gd(struct x86_emulate_ctxt *ctxt)
4202 {
4203 unsigned long dr7;
4204
4205 ctxt->ops->get_dr(ctxt, 7, &dr7);
4206
4207 /* Check if DR7.Global_Enable is set */
4208 return dr7 & (1 << 13);
4209 }
4210
4211 static int check_dr_read(struct x86_emulate_ctxt *ctxt)
4212 {
4213 int dr = ctxt->modrm_reg;
4214 u64 cr4;
4215
4216 if (dr > 7)
4217 return emulate_ud(ctxt);
4218
4219 cr4 = ctxt->ops->get_cr(ctxt, 4);
4220 if ((cr4 & X86_CR4_DE) && (dr == 4 || dr == 5))
4221 return emulate_ud(ctxt);
4222
4223 if (check_dr7_gd(ctxt)) {
4224 ulong dr6;
4225
4226 ctxt->ops->get_dr(ctxt, 6, &dr6);
4227 dr6 &= ~15;
4228 dr6 |= DR6_BD | DR6_RTM;
4229 ctxt->ops->set_dr(ctxt, 6, dr6);
4230 return emulate_db(ctxt);
4231 }
4232
4233 return X86EMUL_CONTINUE;
4234 }
4235
4236 static int check_dr_write(struct x86_emulate_ctxt *ctxt)
4237 {
4238 u64 new_val = ctxt->src.val64;
4239 int dr = ctxt->modrm_reg;
4240
4241 if ((dr == 6 || dr == 7) && (new_val & 0xffffffff00000000ULL))
4242 return emulate_gp(ctxt, 0);
4243
4244 return check_dr_read(ctxt);
4245 }
4246
4247 static int check_svme(struct x86_emulate_ctxt *ctxt)
4248 {
4249 u64 efer = 0;
4250
4251 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
4252
4253 if (!(efer & EFER_SVME))
4254 return emulate_ud(ctxt);
4255
4256 return X86EMUL_CONTINUE;
4257 }
4258
4259 static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
4260 {
4261 u64 rax = reg_read(ctxt, VCPU_REGS_RAX);
4262
4263 /* Valid physical address? */
4264 if (rax & 0xffff000000000000ULL)
4265 return emulate_gp(ctxt, 0);
4266
4267 return check_svme(ctxt);
4268 }
4269
4270 static int check_rdtsc(struct x86_emulate_ctxt *ctxt)
4271 {
4272 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
4273
4274 if (cr4 & X86_CR4_TSD && ctxt->ops->cpl(ctxt))
4275 return emulate_ud(ctxt);
4276
4277 return X86EMUL_CONTINUE;
4278 }
4279
4280 static int check_rdpmc(struct x86_emulate_ctxt *ctxt)
4281 {
4282 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
4283 u64 rcx = reg_read(ctxt, VCPU_REGS_RCX);
4284
4285 if ((!(cr4 & X86_CR4_PCE) && ctxt->ops->cpl(ctxt)) ||
4286 ctxt->ops->check_pmc(ctxt, rcx))
4287 return emulate_gp(ctxt, 0);
4288
4289 return X86EMUL_CONTINUE;
4290 }
4291
4292 static int check_perm_in(struct x86_emulate_ctxt *ctxt)
4293 {
4294 ctxt->dst.bytes = min(ctxt->dst.bytes, 4u);
4295 if (!emulator_io_permited(ctxt, ctxt->src.val, ctxt->dst.bytes))
4296 return emulate_gp(ctxt, 0);
4297
4298 return X86EMUL_CONTINUE;
4299 }
4300
4301 static int check_perm_out(struct x86_emulate_ctxt *ctxt)
4302 {
4303 ctxt->src.bytes = min(ctxt->src.bytes, 4u);
4304 if (!emulator_io_permited(ctxt, ctxt->dst.val, ctxt->src.bytes))
4305 return emulate_gp(ctxt, 0);
4306
4307 return X86EMUL_CONTINUE;
4308 }
4309
4310 #define D(_y) { .flags = (_y) }
4311 #define DI(_y, _i) { .flags = (_y)|Intercept, .intercept = x86_intercept_##_i }
4312 #define DIP(_y, _i, _p) { .flags = (_y)|Intercept|CheckPerm, \
4313 .intercept = x86_intercept_##_i, .check_perm = (_p) }
4314 #define N D(NotImpl)
4315 #define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
4316 #define G(_f, _g) { .flags = ((_f) | Group | ModRM), .u.group = (_g) }
4317 #define GD(_f, _g) { .flags = ((_f) | GroupDual | ModRM), .u.gdual = (_g) }
4318 #define ID(_f, _i) { .flags = ((_f) | InstrDual | ModRM), .u.idual = (_i) }
4319 #define MD(_f, _m) { .flags = ((_f) | ModeDual), .u.mdual = (_m) }
4320 #define E(_f, _e) { .flags = ((_f) | Escape | ModRM), .u.esc = (_e) }
4321 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
4322 #define F(_f, _e) { .flags = (_f) | Fastop, .u.fastop = (_e) }
4323 #define II(_f, _e, _i) \
4324 { .flags = (_f)|Intercept, .u.execute = (_e), .intercept = x86_intercept_##_i }
4325 #define IIP(_f, _e, _i, _p) \
4326 { .flags = (_f)|Intercept|CheckPerm, .u.execute = (_e), \
4327 .intercept = x86_intercept_##_i, .check_perm = (_p) }
4328 #define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
4329
4330 #define D2bv(_f) D((_f) | ByteOp), D(_f)
4331 #define D2bvIP(_f, _i, _p) DIP((_f) | ByteOp, _i, _p), DIP(_f, _i, _p)
4332 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
4333 #define F2bv(_f, _e) F((_f) | ByteOp, _e), F(_f, _e)
4334 #define I2bvIP(_f, _e, _i, _p) \
4335 IIP((_f) | ByteOp, _e, _i, _p), IIP(_f, _e, _i, _p)
4336
4337 #define F6ALU(_f, _e) F2bv((_f) | DstMem | SrcReg | ModRM, _e), \
4338 F2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock, _e), \
4339 F2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)
4340
4341 static const struct opcode group7_rm0[] = {
4342 N,
4343 I(SrcNone | Priv | EmulateOnUD, em_hypercall),
4344 N, N, N, N, N, N,
4345 };
4346
4347 static const struct opcode group7_rm1[] = {
4348 DI(SrcNone | Priv, monitor),
4349 DI(SrcNone | Priv, mwait),
4350 N, N, N, N, N, N,
4351 };
4352
4353 static const struct opcode group7_rm3[] = {
4354 DIP(SrcNone | Prot | Priv, vmrun, check_svme_pa),
4355 II(SrcNone | Prot | EmulateOnUD, em_hypercall, vmmcall),
4356 DIP(SrcNone | Prot | Priv, vmload, check_svme_pa),
4357 DIP(SrcNone | Prot | Priv, vmsave, check_svme_pa),
4358 DIP(SrcNone | Prot | Priv, stgi, check_svme),
4359 DIP(SrcNone | Prot | Priv, clgi, check_svme),
4360 DIP(SrcNone | Prot | Priv, skinit, check_svme),
4361 DIP(SrcNone | Prot | Priv, invlpga, check_svme),
4362 };
4363
4364 static const struct opcode group7_rm7[] = {
4365 N,
4366 DIP(SrcNone, rdtscp, check_rdtsc),
4367 N, N, N, N, N, N,
4368 };
4369
4370 static const struct opcode group1[] = {
4371 F(Lock, em_add),
4372 F(Lock | PageTable, em_or),
4373 F(Lock, em_adc),
4374 F(Lock, em_sbb),
4375 F(Lock | PageTable, em_and),
4376 F(Lock, em_sub),
4377 F(Lock, em_xor),
4378 F(NoWrite, em_cmp),
4379 };
4380
4381 static const struct opcode group1A[] = {
4382 I(DstMem | SrcNone | Mov | Stack | IncSP | TwoMemOp, em_pop), N, N, N, N, N, N, N,
4383 };
4384
4385 static const struct opcode group2[] = {
4386 F(DstMem | ModRM, em_rol),
4387 F(DstMem | ModRM, em_ror),
4388 F(DstMem | ModRM, em_rcl),
4389 F(DstMem | ModRM, em_rcr),
4390 F(DstMem | ModRM, em_shl),
4391 F(DstMem | ModRM, em_shr),
4392 F(DstMem | ModRM, em_shl),
4393 F(DstMem | ModRM, em_sar),
4394 };
4395
4396 static const struct opcode group3[] = {
4397 F(DstMem | SrcImm | NoWrite, em_test),
4398 F(DstMem | SrcImm | NoWrite, em_test),
4399 F(DstMem | SrcNone | Lock, em_not),
4400 F(DstMem | SrcNone | Lock, em_neg),
4401 F(DstXacc | Src2Mem, em_mul_ex),
4402 F(DstXacc | Src2Mem, em_imul_ex),
4403 F(DstXacc | Src2Mem, em_div_ex),
4404 F(DstXacc | Src2Mem, em_idiv_ex),
4405 };
4406
4407 static const struct opcode group4[] = {
4408 F(ByteOp | DstMem | SrcNone | Lock, em_inc),
4409 F(ByteOp | DstMem | SrcNone | Lock, em_dec),
4410 N, N, N, N, N, N,
4411 };
4412
4413 static const struct opcode group5[] = {
4414 F(DstMem | SrcNone | Lock, em_inc),
4415 F(DstMem | SrcNone | Lock, em_dec),
4416 I(SrcMem | NearBranch, em_call_near_abs),
4417 I(SrcMemFAddr | ImplicitOps, em_call_far),
4418 I(SrcMem | NearBranch, em_jmp_abs),
4419 I(SrcMemFAddr | ImplicitOps, em_jmp_far),
4420 I(SrcMem | Stack | TwoMemOp, em_push), D(Undefined),
4421 };
4422
4423 static const struct opcode group6[] = {
4424 II(Prot | DstMem, em_sldt, sldt),
4425 II(Prot | DstMem, em_str, str),
4426 II(Prot | Priv | SrcMem16, em_lldt, lldt),
4427 II(Prot | Priv | SrcMem16, em_ltr, ltr),
4428 N, N, N, N,
4429 };
4430
4431 static const struct group_dual group7 = { {
4432 II(Mov | DstMem, em_sgdt, sgdt),
4433 II(Mov | DstMem, em_sidt, sidt),
4434 II(SrcMem | Priv, em_lgdt, lgdt),
4435 II(SrcMem | Priv, em_lidt, lidt),
4436 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
4437 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
4438 II(SrcMem | ByteOp | Priv | NoAccess, em_invlpg, invlpg),
4439 }, {
4440 EXT(0, group7_rm0),
4441 EXT(0, group7_rm1),
4442 N, EXT(0, group7_rm3),
4443 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
4444 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
4445 EXT(0, group7_rm7),
4446 } };
4447
4448 static const struct opcode group8[] = {
4449 N, N, N, N,
4450 F(DstMem | SrcImmByte | NoWrite, em_bt),
4451 F(DstMem | SrcImmByte | Lock | PageTable, em_bts),
4452 F(DstMem | SrcImmByte | Lock, em_btr),
4453 F(DstMem | SrcImmByte | Lock | PageTable, em_btc),
4454 };
4455
4456 /*
4457 * The "memory" destination is actually always a register, since we come
4458 * from the register case of group9.
4459 */
4460 static const struct gprefix pfx_0f_c7_7 = {
4461 N, N, N, II(DstMem | ModRM | Op3264 | EmulateOnUD, em_rdpid, rdtscp),
4462 };
4463
4464
4465 static const struct group_dual group9 = { {
4466 N, I(DstMem64 | Lock | PageTable, em_cmpxchg8b), N, N, N, N, N, N,
4467 }, {
4468 N, N, N, N, N, N, N,
4469 GP(0, &pfx_0f_c7_7),
4470 } };
4471
4472 static const struct opcode group11[] = {
4473 I(DstMem | SrcImm | Mov | PageTable, em_mov),
4474 X7(D(Undefined)),
4475 };
4476
4477 static const struct gprefix pfx_0f_ae_7 = {
4478 I(SrcMem | ByteOp, em_clflush), N, N, N,
4479 };
4480
4481 static const struct group_dual group15 = { {
4482 I(ModRM | Aligned16, em_fxsave),
4483 I(ModRM | Aligned16, em_fxrstor),
4484 N, N, N, N, N, GP(0, &pfx_0f_ae_7),
4485 }, {
4486 N, N, N, N, N, N, N, N,
4487 } };
4488
4489 static const struct gprefix pfx_0f_6f_0f_7f = {
4490 I(Mmx, em_mov), I(Sse | Aligned, em_mov), N, I(Sse | Unaligned, em_mov),
4491 };
4492
4493 static const struct instr_dual instr_dual_0f_2b = {
4494 I(0, em_mov), N
4495 };
4496
4497 static const struct gprefix pfx_0f_2b = {
4498 ID(0, &instr_dual_0f_2b), ID(0, &instr_dual_0f_2b), N, N,
4499 };
4500
4501 static const struct gprefix pfx_0f_28_0f_29 = {
4502 I(Aligned, em_mov), I(Aligned, em_mov), N, N,
4503 };
4504
4505 static const struct gprefix pfx_0f_e7 = {
4506 N, I(Sse, em_mov), N, N,
4507 };
4508
4509 static const struct escape escape_d9 = { {
4510 N, N, N, N, N, N, N, I(DstMem16 | Mov, em_fnstcw),
4511 }, {
4512 /* 0xC0 - 0xC7 */
4513 N, N, N, N, N, N, N, N,
4514 /* 0xC8 - 0xCF */
4515 N, N, N, N, N, N, N, N,
4516 /* 0xD0 - 0xC7 */
4517 N, N, N, N, N, N, N, N,
4518 /* 0xD8 - 0xDF */
4519 N, N, N, N, N, N, N, N,
4520 /* 0xE0 - 0xE7 */
4521 N, N, N, N, N, N, N, N,
4522 /* 0xE8 - 0xEF */
4523 N, N, N, N, N, N, N, N,
4524 /* 0xF0 - 0xF7 */
4525 N, N, N, N, N, N, N, N,
4526 /* 0xF8 - 0xFF */
4527 N, N, N, N, N, N, N, N,
4528 } };
4529
4530 static const struct escape escape_db = { {
4531 N, N, N, N, N, N, N, N,
4532 }, {
4533 /* 0xC0 - 0xC7 */
4534 N, N, N, N, N, N, N, N,
4535 /* 0xC8 - 0xCF */
4536 N, N, N, N, N, N, N, N,
4537 /* 0xD0 - 0xC7 */
4538 N, N, N, N, N, N, N, N,
4539 /* 0xD8 - 0xDF */
4540 N, N, N, N, N, N, N, N,
4541 /* 0xE0 - 0xE7 */
4542 N, N, N, I(ImplicitOps, em_fninit), N, N, N, N,
4543 /* 0xE8 - 0xEF */
4544 N, N, N, N, N, N, N, N,
4545 /* 0xF0 - 0xF7 */
4546 N, N, N, N, N, N, N, N,
4547 /* 0xF8 - 0xFF */
4548 N, N, N, N, N, N, N, N,
4549 } };
4550
4551 static const struct escape escape_dd = { {
4552 N, N, N, N, N, N, N, I(DstMem16 | Mov, em_fnstsw),
4553 }, {
4554 /* 0xC0 - 0xC7 */
4555 N, N, N, N, N, N, N, N,
4556 /* 0xC8 - 0xCF */
4557 N, N, N, N, N, N, N, N,
4558 /* 0xD0 - 0xC7 */
4559 N, N, N, N, N, N, N, N,
4560 /* 0xD8 - 0xDF */
4561 N, N, N, N, N, N, N, N,
4562 /* 0xE0 - 0xE7 */
4563 N, N, N, N, N, N, N, N,
4564 /* 0xE8 - 0xEF */
4565 N, N, N, N, N, N, N, N,
4566 /* 0xF0 - 0xF7 */
4567 N, N, N, N, N, N, N, N,
4568 /* 0xF8 - 0xFF */
4569 N, N, N, N, N, N, N, N,
4570 } };
4571
4572 static const struct instr_dual instr_dual_0f_c3 = {
4573 I(DstMem | SrcReg | ModRM | No16 | Mov, em_mov), N
4574 };
4575
4576 static const struct mode_dual mode_dual_63 = {
4577 N, I(DstReg | SrcMem32 | ModRM | Mov, em_movsxd)
4578 };
4579
4580 static const struct opcode opcode_table[256] = {
4581 /* 0x00 - 0x07 */
4582 F6ALU(Lock, em_add),
4583 I(ImplicitOps | Stack | No64 | Src2ES, em_push_sreg),
4584 I(ImplicitOps | Stack | No64 | Src2ES, em_pop_sreg),
4585 /* 0x08 - 0x0F */
4586 F6ALU(Lock | PageTable, em_or),
4587 I(ImplicitOps | Stack | No64 | Src2CS, em_push_sreg),
4588 N,
4589 /* 0x10 - 0x17 */
4590 F6ALU(Lock, em_adc),
4591 I(ImplicitOps | Stack | No64 | Src2SS, em_push_sreg),
4592 I(ImplicitOps | Stack | No64 | Src2SS, em_pop_sreg),
4593 /* 0x18 - 0x1F */
4594 F6ALU(Lock, em_sbb),
4595 I(ImplicitOps | Stack | No64 | Src2DS, em_push_sreg),
4596 I(ImplicitOps | Stack | No64 | Src2DS, em_pop_sreg),
4597 /* 0x20 - 0x27 */
4598 F6ALU(Lock | PageTable, em_and), N, N,
4599 /* 0x28 - 0x2F */
4600 F6ALU(Lock, em_sub), N, I(ByteOp | DstAcc | No64, em_das),
4601 /* 0x30 - 0x37 */
4602 F6ALU(Lock, em_xor), N, N,
4603 /* 0x38 - 0x3F */
4604 F6ALU(NoWrite, em_cmp), N, N,
4605 /* 0x40 - 0x4F */
4606 X8(F(DstReg, em_inc)), X8(F(DstReg, em_dec)),
4607 /* 0x50 - 0x57 */
4608 X8(I(SrcReg | Stack, em_push)),
4609 /* 0x58 - 0x5F */
4610 X8(I(DstReg | Stack, em_pop)),
4611 /* 0x60 - 0x67 */
4612 I(ImplicitOps | Stack | No64, em_pusha),
4613 I(ImplicitOps | Stack | No64, em_popa),
4614 N, MD(ModRM, &mode_dual_63),
4615 N, N, N, N,
4616 /* 0x68 - 0x6F */
4617 I(SrcImm | Mov | Stack, em_push),
4618 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
4619 I(SrcImmByte | Mov | Stack, em_push),
4620 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
4621 I2bvIP(DstDI | SrcDX | Mov | String | Unaligned, em_in, ins, check_perm_in), /* insb, insw/insd */
4622 I2bvIP(SrcSI | DstDX | String, em_out, outs, check_perm_out), /* outsb, outsw/outsd */
4623 /* 0x70 - 0x7F */
4624 X16(D(SrcImmByte | NearBranch)),
4625 /* 0x80 - 0x87 */
4626 G(ByteOp | DstMem | SrcImm, group1),
4627 G(DstMem | SrcImm, group1),
4628 G(ByteOp | DstMem | SrcImm | No64, group1),
4629 G(DstMem | SrcImmByte, group1),
4630 F2bv(DstMem | SrcReg | ModRM | NoWrite, em_test),
4631 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_xchg),
4632 /* 0x88 - 0x8F */
4633 I2bv(DstMem | SrcReg | ModRM | Mov | PageTable, em_mov),
4634 I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
4635 I(DstMem | SrcNone | ModRM | Mov | PageTable, em_mov_rm_sreg),
4636 D(ModRM | SrcMem | NoAccess | DstReg),
4637 I(ImplicitOps | SrcMem16 | ModRM, em_mov_sreg_rm),
4638 G(0, group1A),
4639 /* 0x90 - 0x97 */
4640 DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)),
4641 /* 0x98 - 0x9F */
4642 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
4643 I(SrcImmFAddr | No64, em_call_far), N,
4644 II(ImplicitOps | Stack, em_pushf, pushf),
4645 II(ImplicitOps | Stack, em_popf, popf),
4646 I(ImplicitOps, em_sahf), I(ImplicitOps, em_lahf),
4647 /* 0xA0 - 0xA7 */
4648 I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
4649 I2bv(DstMem | SrcAcc | Mov | MemAbs | PageTable, em_mov),
4650 I2bv(SrcSI | DstDI | Mov | String | TwoMemOp, em_mov),
4651 F2bv(SrcSI | DstDI | String | NoWrite | TwoMemOp, em_cmp_r),
4652 /* 0xA8 - 0xAF */
4653 F2bv(DstAcc | SrcImm | NoWrite, em_test),
4654 I2bv(SrcAcc | DstDI | Mov | String, em_mov),
4655 I2bv(SrcSI | DstAcc | Mov | String, em_mov),
4656 F2bv(SrcAcc | DstDI | String | NoWrite, em_cmp_r),
4657 /* 0xB0 - 0xB7 */
4658 X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
4659 /* 0xB8 - 0xBF */
4660 X8(I(DstReg | SrcImm64 | Mov, em_mov)),
4661 /* 0xC0 - 0xC7 */
4662 G(ByteOp | Src2ImmByte, group2), G(Src2ImmByte, group2),
4663 I(ImplicitOps | NearBranch | SrcImmU16, em_ret_near_imm),
4664 I(ImplicitOps | NearBranch, em_ret),
4665 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2ES, em_lseg),
4666 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2DS, em_lseg),
4667 G(ByteOp, group11), G(0, group11),
4668 /* 0xC8 - 0xCF */
4669 I(Stack | SrcImmU16 | Src2ImmByte, em_enter), I(Stack, em_leave),
4670 I(ImplicitOps | SrcImmU16, em_ret_far_imm),
4671 I(ImplicitOps, em_ret_far),
4672 D(ImplicitOps), DI(SrcImmByte, intn),
4673 D(ImplicitOps | No64), II(ImplicitOps, em_iret, iret),
4674 /* 0xD0 - 0xD7 */
4675 G(Src2One | ByteOp, group2), G(Src2One, group2),
4676 G(Src2CL | ByteOp, group2), G(Src2CL, group2),
4677 I(DstAcc | SrcImmUByte | No64, em_aam),
4678 I(DstAcc | SrcImmUByte | No64, em_aad),
4679 F(DstAcc | ByteOp | No64, em_salc),
4680 I(DstAcc | SrcXLat | ByteOp, em_mov),
4681 /* 0xD8 - 0xDF */
4682 N, E(0, &escape_d9), N, E(0, &escape_db), N, E(0, &escape_dd), N, N,
4683 /* 0xE0 - 0xE7 */
4684 X3(I(SrcImmByte | NearBranch, em_loop)),
4685 I(SrcImmByte | NearBranch, em_jcxz),
4686 I2bvIP(SrcImmUByte | DstAcc, em_in, in, check_perm_in),
4687 I2bvIP(SrcAcc | DstImmUByte, em_out, out, check_perm_out),
4688 /* 0xE8 - 0xEF */
4689 I(SrcImm | NearBranch, em_call), D(SrcImm | ImplicitOps | NearBranch),
4690 I(SrcImmFAddr | No64, em_jmp_far),
4691 D(SrcImmByte | ImplicitOps | NearBranch),
4692 I2bvIP(SrcDX | DstAcc, em_in, in, check_perm_in),
4693 I2bvIP(SrcAcc | DstDX, em_out, out, check_perm_out),
4694 /* 0xF0 - 0xF7 */
4695 N, DI(ImplicitOps, icebp), N, N,
4696 DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
4697 G(ByteOp, group3), G(0, group3),
4698 /* 0xF8 - 0xFF */
4699 D(ImplicitOps), D(ImplicitOps),
4700 I(ImplicitOps, em_cli), I(ImplicitOps, em_sti),
4701 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
4702 };
4703
4704 static const struct opcode twobyte_table[256] = {
4705 /* 0x00 - 0x0F */
4706 G(0, group6), GD(0, &group7), N, N,
4707 N, I(ImplicitOps | EmulateOnUD, em_syscall),
4708 II(ImplicitOps | Priv, em_clts, clts), N,
4709 DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
4710 N, D(ImplicitOps | ModRM | SrcMem | NoAccess), N, N,
4711 /* 0x10 - 0x1F */
4712 N, N, N, N, N, N, N, N,
4713 D(ImplicitOps | ModRM | SrcMem | NoAccess),
4714 N, N, N, N, N, N, D(ImplicitOps | ModRM | SrcMem | NoAccess),
4715 /* 0x20 - 0x2F */
4716 DIP(ModRM | DstMem | Priv | Op3264 | NoMod, cr_read, check_cr_read),
4717 DIP(ModRM | DstMem | Priv | Op3264 | NoMod, dr_read, check_dr_read),
4718 IIP(ModRM | SrcMem | Priv | Op3264 | NoMod, em_cr_write, cr_write,
4719 check_cr_write),
4720 IIP(ModRM | SrcMem | Priv | Op3264 | NoMod, em_dr_write, dr_write,
4721 check_dr_write),
4722 N, N, N, N,
4723 GP(ModRM | DstReg | SrcMem | Mov | Sse, &pfx_0f_28_0f_29),
4724 GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_28_0f_29),
4725 N, GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_2b),
4726 N, N, N, N,
4727 /* 0x30 - 0x3F */
4728 II(ImplicitOps | Priv, em_wrmsr, wrmsr),
4729 IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
4730 II(ImplicitOps | Priv, em_rdmsr, rdmsr),
4731 IIP(ImplicitOps, em_rdpmc, rdpmc, check_rdpmc),
4732 I(ImplicitOps | EmulateOnUD, em_sysenter),
4733 I(ImplicitOps | Priv | EmulateOnUD, em_sysexit),
4734 N, N,
4735 N, N, N, N, N, N, N, N,
4736 /* 0x40 - 0x4F */
4737 X16(D(DstReg | SrcMem | ModRM)),
4738 /* 0x50 - 0x5F */
4739 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4740 /* 0x60 - 0x6F */
4741 N, N, N, N,
4742 N, N, N, N,
4743 N, N, N, N,
4744 N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
4745 /* 0x70 - 0x7F */
4746 N, N, N, N,
4747 N, N, N, N,
4748 N, N, N, N,
4749 N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
4750 /* 0x80 - 0x8F */
4751 X16(D(SrcImm | NearBranch)),
4752 /* 0x90 - 0x9F */
4753 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
4754 /* 0xA0 - 0xA7 */
4755 I(Stack | Src2FS, em_push_sreg), I(Stack | Src2FS, em_pop_sreg),
4756 II(ImplicitOps, em_cpuid, cpuid),
4757 F(DstMem | SrcReg | ModRM | BitOp | NoWrite, em_bt),
4758 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shld),
4759 F(DstMem | SrcReg | Src2CL | ModRM, em_shld), N, N,
4760 /* 0xA8 - 0xAF */
4761 I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg),
4762 II(EmulateOnUD | ImplicitOps, em_rsm, rsm),
4763 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
4764 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd),
4765 F(DstMem | SrcReg | Src2CL | ModRM, em_shrd),
4766 GD(0, &group15), F(DstReg | SrcMem | ModRM, em_imul),
4767 /* 0xB0 - 0xB7 */
4768 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable | SrcWrite, em_cmpxchg),
4769 I(DstReg | SrcMemFAddr | ModRM | Src2SS, em_lseg),
4770 F(DstMem | SrcReg | ModRM | BitOp | Lock, em_btr),
4771 I(DstReg | SrcMemFAddr | ModRM | Src2FS, em_lseg),
4772 I(DstReg | SrcMemFAddr | ModRM | Src2GS, em_lseg),
4773 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4774 /* 0xB8 - 0xBF */
4775 N, N,
4776 G(BitOp, group8),
4777 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_btc),
4778 I(DstReg | SrcMem | ModRM, em_bsf_c),
4779 I(DstReg | SrcMem | ModRM, em_bsr_c),
4780 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4781 /* 0xC0 - 0xC7 */
4782 F2bv(DstMem | SrcReg | ModRM | SrcWrite | Lock, em_xadd),
4783 N, ID(0, &instr_dual_0f_c3),
4784 N, N, N, GD(0, &group9),
4785 /* 0xC8 - 0xCF */
4786 X8(I(DstReg, em_bswap)),
4787 /* 0xD0 - 0xDF */
4788 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4789 /* 0xE0 - 0xEF */
4790 N, N, N, N, N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_e7),
4791 N, N, N, N, N, N, N, N,
4792 /* 0xF0 - 0xFF */
4793 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
4794 };
4795
4796 static const struct instr_dual instr_dual_0f_38_f0 = {
4797 I(DstReg | SrcMem | Mov, em_movbe), N
4798 };
4799
4800 static const struct instr_dual instr_dual_0f_38_f1 = {
4801 I(DstMem | SrcReg | Mov, em_movbe), N
4802 };
4803
4804 static const struct gprefix three_byte_0f_38_f0 = {
4805 ID(0, &instr_dual_0f_38_f0), N, N, N
4806 };
4807
4808 static const struct gprefix three_byte_0f_38_f1 = {
4809 ID(0, &instr_dual_0f_38_f1), N, N, N
4810 };
4811
4812 /*
4813 * Insns below are selected by the prefix which indexed by the third opcode
4814 * byte.
4815 */
4816 static const struct opcode opcode_map_0f_38[256] = {
4817 /* 0x00 - 0x7f */
4818 X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
4819 /* 0x80 - 0xef */
4820 X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
4821 /* 0xf0 - 0xf1 */
4822 GP(EmulateOnUD | ModRM, &three_byte_0f_38_f0),
4823 GP(EmulateOnUD | ModRM, &three_byte_0f_38_f1),
4824 /* 0xf2 - 0xff */
4825 N, N, X4(N), X8(N)
4826 };
4827
4828 #undef D
4829 #undef N
4830 #undef G
4831 #undef GD
4832 #undef I
4833 #undef GP
4834 #undef EXT
4835 #undef MD
4836 #undef ID
4837
4838 #undef D2bv
4839 #undef D2bvIP
4840 #undef I2bv
4841 #undef I2bvIP
4842 #undef I6ALU
4843
4844 static unsigned imm_size(struct x86_emulate_ctxt *ctxt)
4845 {
4846 unsigned size;
4847
4848 size = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4849 if (size == 8)
4850 size = 4;
4851 return size;
4852 }
4853
4854 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
4855 unsigned size, bool sign_extension)
4856 {
4857 int rc = X86EMUL_CONTINUE;
4858
4859 op->type = OP_IMM;
4860 op->bytes = size;
4861 op->addr.mem.ea = ctxt->_eip;
4862 /* NB. Immediates are sign-extended as necessary. */
4863 switch (op->bytes) {
4864 case 1:
4865 op->val = insn_fetch(s8, ctxt);
4866 break;
4867 case 2:
4868 op->val = insn_fetch(s16, ctxt);
4869 break;
4870 case 4:
4871 op->val = insn_fetch(s32, ctxt);
4872 break;
4873 case 8:
4874 op->val = insn_fetch(s64, ctxt);
4875 break;
4876 }
4877 if (!sign_extension) {
4878 switch (op->bytes) {
4879 case 1:
4880 op->val &= 0xff;
4881 break;
4882 case 2:
4883 op->val &= 0xffff;
4884 break;
4885 case 4:
4886 op->val &= 0xffffffff;
4887 break;
4888 }
4889 }
4890 done:
4891 return rc;
4892 }
4893
4894 static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
4895 unsigned d)
4896 {
4897 int rc = X86EMUL_CONTINUE;
4898
4899 switch (d) {
4900 case OpReg:
4901 decode_register_operand(ctxt, op);
4902 break;
4903 case OpImmUByte:
4904 rc = decode_imm(ctxt, op, 1, false);
4905 break;
4906 case OpMem:
4907 ctxt->memop.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4908 mem_common:
4909 *op = ctxt->memop;
4910 ctxt->memopp = op;
4911 if (ctxt->d & BitOp)
4912 fetch_bit_operand(ctxt);
4913 op->orig_val = op->val;
4914 break;
4915 case OpMem64:
4916 ctxt->memop.bytes = (ctxt->op_bytes == 8) ? 16 : 8;
4917 goto mem_common;
4918 case OpAcc:
4919 op->type = OP_REG;
4920 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4921 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4922 fetch_register_operand(op);
4923 op->orig_val = op->val;
4924 break;
4925 case OpAccLo:
4926 op->type = OP_REG;
4927 op->bytes = (ctxt->d & ByteOp) ? 2 : ctxt->op_bytes;
4928 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4929 fetch_register_operand(op);
4930 op->orig_val = op->val;
4931 break;
4932 case OpAccHi:
4933 if (ctxt->d & ByteOp) {
4934 op->type = OP_NONE;
4935 break;
4936 }
4937 op->type = OP_REG;
4938 op->bytes = ctxt->op_bytes;
4939 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4940 fetch_register_operand(op);
4941 op->orig_val = op->val;
4942 break;
4943 case OpDI:
4944 op->type = OP_MEM;
4945 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4946 op->addr.mem.ea =
4947 register_address(ctxt, VCPU_REGS_RDI);
4948 op->addr.mem.seg = VCPU_SREG_ES;
4949 op->val = 0;
4950 op->count = 1;
4951 break;
4952 case OpDX:
4953 op->type = OP_REG;
4954 op->bytes = 2;
4955 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4956 fetch_register_operand(op);
4957 break;
4958 case OpCL:
4959 op->type = OP_IMM;
4960 op->bytes = 1;
4961 op->val = reg_read(ctxt, VCPU_REGS_RCX) & 0xff;
4962 break;
4963 case OpImmByte:
4964 rc = decode_imm(ctxt, op, 1, true);
4965 break;
4966 case OpOne:
4967 op->type = OP_IMM;
4968 op->bytes = 1;
4969 op->val = 1;
4970 break;
4971 case OpImm:
4972 rc = decode_imm(ctxt, op, imm_size(ctxt), true);
4973 break;
4974 case OpImm64:
4975 rc = decode_imm(ctxt, op, ctxt->op_bytes, true);
4976 break;
4977 case OpMem8:
4978 ctxt->memop.bytes = 1;
4979 if (ctxt->memop.type == OP_REG) {
4980 ctxt->memop.addr.reg = decode_register(ctxt,
4981 ctxt->modrm_rm, true);
4982 fetch_register_operand(&ctxt->memop);
4983 }
4984 goto mem_common;
4985 case OpMem16:
4986 ctxt->memop.bytes = 2;
4987 goto mem_common;
4988 case OpMem32:
4989 ctxt->memop.bytes = 4;
4990 goto mem_common;
4991 case OpImmU16:
4992 rc = decode_imm(ctxt, op, 2, false);
4993 break;
4994 case OpImmU:
4995 rc = decode_imm(ctxt, op, imm_size(ctxt), false);
4996 break;
4997 case OpSI:
4998 op->type = OP_MEM;
4999 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
5000 op->addr.mem.ea =
5001 register_address(ctxt, VCPU_REGS_RSI);
5002 op->addr.mem.seg = ctxt->seg_override;
5003 op->val = 0;
5004 op->count = 1;
5005 break;
5006 case OpXLat:
5007 op->type = OP_MEM;
5008 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
5009 op->addr.mem.ea =
5010 address_mask(ctxt,
5011 reg_read(ctxt, VCPU_REGS_RBX) +
5012 (reg_read(ctxt, VCPU_REGS_RAX) & 0xff));
5013 op->addr.mem.seg = ctxt->seg_override;
5014 op->val = 0;
5015 break;
5016 case OpImmFAddr:
5017 op->type = OP_IMM;
5018 op->addr.mem.ea = ctxt->_eip;
5019 op->bytes = ctxt->op_bytes + 2;
5020 insn_fetch_arr(op->valptr, op->bytes, ctxt);
5021 break;
5022 case OpMemFAddr:
5023 ctxt->memop.bytes = ctxt->op_bytes + 2;
5024 goto mem_common;
5025 case OpES:
5026 op->type = OP_IMM;
5027 op->val = VCPU_SREG_ES;
5028 break;
5029 case OpCS:
5030 op->type = OP_IMM;
5031 op->val = VCPU_SREG_CS;
5032 break;
5033 case OpSS:
5034 op->type = OP_IMM;
5035 op->val = VCPU_SREG_SS;
5036 break;
5037 case OpDS:
5038 op->type = OP_IMM;
5039 op->val = VCPU_SREG_DS;
5040 break;
5041 case OpFS:
5042 op->type = OP_IMM;
5043 op->val = VCPU_SREG_FS;
5044 break;
5045 case OpGS:
5046 op->type = OP_IMM;
5047 op->val = VCPU_SREG_GS;
5048 break;
5049 case OpImplicit:
5050 /* Special instructions do their own operand decoding. */
5051 default:
5052 op->type = OP_NONE; /* Disable writeback. */
5053 break;
5054 }
5055
5056 done:
5057 return rc;
5058 }
5059
5060 int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
5061 {
5062 int rc = X86EMUL_CONTINUE;
5063 int mode = ctxt->mode;
5064 int def_op_bytes, def_ad_bytes, goffset, simd_prefix;
5065 bool op_prefix = false;
5066 bool has_seg_override = false;
5067 struct opcode opcode;
5068 u16 dummy;
5069 struct desc_struct desc;
5070
5071 ctxt->memop.type = OP_NONE;
5072 ctxt->memopp = NULL;
5073 ctxt->_eip = ctxt->eip;
5074 ctxt->fetch.ptr = ctxt->fetch.data;
5075 ctxt->fetch.end = ctxt->fetch.data + insn_len;
5076 ctxt->opcode_len = 1;
5077 if (insn_len > 0)
5078 memcpy(ctxt->fetch.data, insn, insn_len);
5079 else {
5080 rc = __do_insn_fetch_bytes(ctxt, 1);
5081 if (rc != X86EMUL_CONTINUE)
5082 return rc;
5083 }
5084
5085 switch (mode) {
5086 case X86EMUL_MODE_REAL:
5087 case X86EMUL_MODE_VM86:
5088 def_op_bytes = def_ad_bytes = 2;
5089 ctxt->ops->get_segment(ctxt, &dummy, &desc, NULL, VCPU_SREG_CS);
5090 if (desc.d)
5091 def_op_bytes = def_ad_bytes = 4;
5092 break;
5093 case X86EMUL_MODE_PROT16:
5094 def_op_bytes = def_ad_bytes = 2;
5095 break;
5096 case X86EMUL_MODE_PROT32:
5097 def_op_bytes = def_ad_bytes = 4;
5098 break;
5099 #ifdef CONFIG_X86_64
5100 case X86EMUL_MODE_PROT64:
5101 def_op_bytes = 4;
5102 def_ad_bytes = 8;
5103 break;
5104 #endif
5105 default:
5106 return EMULATION_FAILED;
5107 }
5108
5109 ctxt->op_bytes = def_op_bytes;
5110 ctxt->ad_bytes = def_ad_bytes;
5111
5112 /* Legacy prefixes. */
5113 for (;;) {
5114 switch (ctxt->b = insn_fetch(u8, ctxt)) {
5115 case 0x66: /* operand-size override */
5116 op_prefix = true;
5117 /* switch between 2/4 bytes */
5118 ctxt->op_bytes = def_op_bytes ^ 6;
5119 break;
5120 case 0x67: /* address-size override */
5121 if (mode == X86EMUL_MODE_PROT64)
5122 /* switch between 4/8 bytes */
5123 ctxt->ad_bytes = def_ad_bytes ^ 12;
5124 else
5125 /* switch between 2/4 bytes */
5126 ctxt->ad_bytes = def_ad_bytes ^ 6;
5127 break;
5128 case 0x26: /* ES override */
5129 case 0x2e: /* CS override */
5130 case 0x36: /* SS override */
5131 case 0x3e: /* DS override */
5132 has_seg_override = true;
5133 ctxt->seg_override = (ctxt->b >> 3) & 3;
5134 break;
5135 case 0x64: /* FS override */
5136 case 0x65: /* GS override */
5137 has_seg_override = true;
5138 ctxt->seg_override = ctxt->b & 7;
5139 break;
5140 case 0x40 ... 0x4f: /* REX */
5141 if (mode != X86EMUL_MODE_PROT64)
5142 goto done_prefixes;
5143 ctxt->rex_prefix = ctxt->b;
5144 continue;
5145 case 0xf0: /* LOCK */
5146 ctxt->lock_prefix = 1;
5147 break;
5148 case 0xf2: /* REPNE/REPNZ */
5149 case 0xf3: /* REP/REPE/REPZ */
5150 ctxt->rep_prefix = ctxt->b;
5151 break;
5152 default:
5153 goto done_prefixes;
5154 }
5155
5156 /* Any legacy prefix after a REX prefix nullifies its effect. */
5157
5158 ctxt->rex_prefix = 0;
5159 }
5160
5161 done_prefixes:
5162
5163 /* REX prefix. */
5164 if (ctxt->rex_prefix & 8)
5165 ctxt->op_bytes = 8; /* REX.W */
5166
5167 /* Opcode byte(s). */
5168 opcode = opcode_table[ctxt->b];
5169 /* Two-byte opcode? */
5170 if (ctxt->b == 0x0f) {
5171 ctxt->opcode_len = 2;
5172 ctxt->b = insn_fetch(u8, ctxt);
5173 opcode = twobyte_table[ctxt->b];
5174
5175 /* 0F_38 opcode map */
5176 if (ctxt->b == 0x38) {
5177 ctxt->opcode_len = 3;
5178 ctxt->b = insn_fetch(u8, ctxt);
5179 opcode = opcode_map_0f_38[ctxt->b];
5180 }
5181 }
5182 ctxt->d = opcode.flags;
5183
5184 if (ctxt->d & ModRM)
5185 ctxt->modrm = insn_fetch(u8, ctxt);
5186
5187 /* vex-prefix instructions are not implemented */
5188 if (ctxt->opcode_len == 1 && (ctxt->b == 0xc5 || ctxt->b == 0xc4) &&
5189 (mode == X86EMUL_MODE_PROT64 || (ctxt->modrm & 0xc0) == 0xc0)) {
5190 ctxt->d = NotImpl;
5191 }
5192
5193 while (ctxt->d & GroupMask) {
5194 switch (ctxt->d & GroupMask) {
5195 case Group:
5196 goffset = (ctxt->modrm >> 3) & 7;
5197 opcode = opcode.u.group[goffset];
5198 break;
5199 case GroupDual:
5200 goffset = (ctxt->modrm >> 3) & 7;
5201 if ((ctxt->modrm >> 6) == 3)
5202 opcode = opcode.u.gdual->mod3[goffset];
5203 else
5204 opcode = opcode.u.gdual->mod012[goffset];
5205 break;
5206 case RMExt:
5207 goffset = ctxt->modrm & 7;
5208 opcode = opcode.u.group[goffset];
5209 break;
5210 case Prefix:
5211 if (ctxt->rep_prefix && op_prefix)
5212 return EMULATION_FAILED;
5213 simd_prefix = op_prefix ? 0x66 : ctxt->rep_prefix;
5214 switch (simd_prefix) {
5215 case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
5216 case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
5217 case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
5218 case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
5219 }
5220 break;
5221 case Escape:
5222 if (ctxt->modrm > 0xbf)
5223 opcode = opcode.u.esc->high[ctxt->modrm - 0xc0];
5224 else
5225 opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7];
5226 break;
5227 case InstrDual:
5228 if ((ctxt->modrm >> 6) == 3)
5229 opcode = opcode.u.idual->mod3;
5230 else
5231 opcode = opcode.u.idual->mod012;
5232 break;
5233 case ModeDual:
5234 if (ctxt->mode == X86EMUL_MODE_PROT64)
5235 opcode = opcode.u.mdual->mode64;
5236 else
5237 opcode = opcode.u.mdual->mode32;
5238 break;
5239 default:
5240 return EMULATION_FAILED;
5241 }
5242
5243 ctxt->d &= ~(u64)GroupMask;
5244 ctxt->d |= opcode.flags;
5245 }
5246
5247 /* Unrecognised? */
5248 if (ctxt->d == 0)
5249 return EMULATION_FAILED;
5250
5251 ctxt->execute = opcode.u.execute;
5252
5253 if (unlikely(ctxt->ud) && likely(!(ctxt->d & EmulateOnUD)))
5254 return EMULATION_FAILED;
5255
5256 if (unlikely(ctxt->d &
5257 (NotImpl|Stack|Op3264|Sse|Mmx|Intercept|CheckPerm|NearBranch|
5258 No16))) {
5259 /*
5260 * These are copied unconditionally here, and checked unconditionally
5261 * in x86_emulate_insn.
5262 */
5263 ctxt->check_perm = opcode.check_perm;
5264 ctxt->intercept = opcode.intercept;
5265
5266 if (ctxt->d & NotImpl)
5267 return EMULATION_FAILED;
5268
5269 if (mode == X86EMUL_MODE_PROT64) {
5270 if (ctxt->op_bytes == 4 && (ctxt->d & Stack))
5271 ctxt->op_bytes = 8;
5272 else if (ctxt->d & NearBranch)
5273 ctxt->op_bytes = 8;
5274 }
5275
5276 if (ctxt->d & Op3264) {
5277 if (mode == X86EMUL_MODE_PROT64)
5278 ctxt->op_bytes = 8;
5279 else
5280 ctxt->op_bytes = 4;
5281 }
5282
5283 if ((ctxt->d & No16) && ctxt->op_bytes == 2)
5284 ctxt->op_bytes = 4;
5285
5286 if (ctxt->d & Sse)
5287 ctxt->op_bytes = 16;
5288 else if (ctxt->d & Mmx)
5289 ctxt->op_bytes = 8;
5290 }
5291
5292 /* ModRM and SIB bytes. */
5293 if (ctxt->d & ModRM) {
5294 rc = decode_modrm(ctxt, &ctxt->memop);
5295 if (!has_seg_override) {
5296 has_seg_override = true;
5297 ctxt->seg_override = ctxt->modrm_seg;
5298 }
5299 } else if (ctxt->d & MemAbs)
5300 rc = decode_abs(ctxt, &ctxt->memop);
5301 if (rc != X86EMUL_CONTINUE)
5302 goto done;
5303
5304 if (!has_seg_override)
5305 ctxt->seg_override = VCPU_SREG_DS;
5306
5307 ctxt->memop.addr.mem.seg = ctxt->seg_override;
5308
5309 /*
5310 * Decode and fetch the source operand: register, memory
5311 * or immediate.
5312 */
5313 rc = decode_operand(ctxt, &ctxt->src, (ctxt->d >> SrcShift) & OpMask);
5314 if (rc != X86EMUL_CONTINUE)
5315 goto done;
5316
5317 /*
5318 * Decode and fetch the second source operand: register, memory
5319 * or immediate.
5320 */
5321 rc = decode_operand(ctxt, &ctxt->src2, (ctxt->d >> Src2Shift) & OpMask);
5322 if (rc != X86EMUL_CONTINUE)
5323 goto done;
5324
5325 /* Decode and fetch the destination operand: register or memory. */
5326 rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
5327
5328 if (ctxt->rip_relative && likely(ctxt->memopp))
5329 ctxt->memopp->addr.mem.ea = address_mask(ctxt,
5330 ctxt->memopp->addr.mem.ea + ctxt->_eip);
5331
5332 done:
5333 return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
5334 }
5335
5336 bool x86_page_table_writing_insn(struct x86_emulate_ctxt *ctxt)
5337 {
5338 return ctxt->d & PageTable;
5339 }
5340
5341 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
5342 {
5343 /* The second termination condition only applies for REPE
5344 * and REPNE. Test if the repeat string operation prefix is
5345 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
5346 * corresponding termination condition according to:
5347 * - if REPE/REPZ and ZF = 0 then done
5348 * - if REPNE/REPNZ and ZF = 1 then done
5349 */
5350 if (((ctxt->b == 0xa6) || (ctxt->b == 0xa7) ||
5351 (ctxt->b == 0xae) || (ctxt->b == 0xaf))
5352 && (((ctxt->rep_prefix == REPE_PREFIX) &&
5353 ((ctxt->eflags & X86_EFLAGS_ZF) == 0))
5354 || ((ctxt->rep_prefix == REPNE_PREFIX) &&
5355 ((ctxt->eflags & X86_EFLAGS_ZF) == X86_EFLAGS_ZF))))
5356 return true;
5357
5358 return false;
5359 }
5360
5361 static int flush_pending_x87_faults(struct x86_emulate_ctxt *ctxt)
5362 {
5363 int rc;
5364
5365 rc = asm_safe("fwait");
5366
5367 if (unlikely(rc != X86EMUL_CONTINUE))
5368 return emulate_exception(ctxt, MF_VECTOR, 0, false);
5369
5370 return X86EMUL_CONTINUE;
5371 }
5372
5373 static void fetch_possible_mmx_operand(struct x86_emulate_ctxt *ctxt,
5374 struct operand *op)
5375 {
5376 if (op->type == OP_MM)
5377 read_mmx_reg(ctxt, &op->mm_val, op->addr.mm);
5378 }
5379
5380 static int fastop(struct x86_emulate_ctxt *ctxt, void (*fop)(struct fastop *))
5381 {
5382 ulong flags = (ctxt->eflags & EFLAGS_MASK) | X86_EFLAGS_IF;
5383
5384 if (!(ctxt->d & ByteOp))
5385 fop += __ffs(ctxt->dst.bytes) * FASTOP_SIZE;
5386
5387 asm("push %[flags]; popf; " CALL_NOSPEC " ; pushf; pop %[flags]\n"
5388 : "+a"(ctxt->dst.val), "+d"(ctxt->src.val), [flags]"+D"(flags),
5389 [thunk_target]"+S"(fop), ASM_CALL_CONSTRAINT
5390 : "c"(ctxt->src2.val));
5391
5392 ctxt->eflags = (ctxt->eflags & ~EFLAGS_MASK) | (flags & EFLAGS_MASK);
5393 if (!fop) /* exception is returned in fop variable */
5394 return emulate_de(ctxt);
5395 return X86EMUL_CONTINUE;
5396 }
5397
5398 void init_decode_cache(struct x86_emulate_ctxt *ctxt)
5399 {
5400 memset(&ctxt->rip_relative, 0,
5401 (void *)&ctxt->modrm - (void *)&ctxt->rip_relative);
5402
5403 ctxt->io_read.pos = 0;
5404 ctxt->io_read.end = 0;
5405 ctxt->mem_read.end = 0;
5406 }
5407
5408 int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
5409 {
5410 const struct x86_emulate_ops *ops = ctxt->ops;
5411 int rc = X86EMUL_CONTINUE;
5412 int saved_dst_type = ctxt->dst.type;
5413 unsigned emul_flags;
5414
5415 ctxt->mem_read.pos = 0;
5416
5417 /* LOCK prefix is allowed only with some instructions */
5418 if (ctxt->lock_prefix && (!(ctxt->d & Lock) || ctxt->dst.type != OP_MEM)) {
5419 rc = emulate_ud(ctxt);
5420 goto done;
5421 }
5422
5423 if ((ctxt->d & SrcMask) == SrcMemFAddr && ctxt->src.type != OP_MEM) {
5424 rc = emulate_ud(ctxt);
5425 goto done;
5426 }
5427
5428 emul_flags = ctxt->ops->get_hflags(ctxt);
5429 if (unlikely(ctxt->d &
5430 (No64|Undefined|Sse|Mmx|Intercept|CheckPerm|Priv|Prot|String))) {
5431 if ((ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) ||
5432 (ctxt->d & Undefined)) {
5433 rc = emulate_ud(ctxt);
5434 goto done;
5435 }
5436
5437 if (((ctxt->d & (Sse|Mmx)) && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)))
5438 || ((ctxt->d & Sse) && !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
5439 rc = emulate_ud(ctxt);
5440 goto done;
5441 }
5442
5443 if ((ctxt->d & (Sse|Mmx)) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
5444 rc = emulate_nm(ctxt);
5445 goto done;
5446 }
5447
5448 if (ctxt->d & Mmx) {
5449 rc = flush_pending_x87_faults(ctxt);
5450 if (rc != X86EMUL_CONTINUE)
5451 goto done;
5452 /*
5453 * Now that we know the fpu is exception safe, we can fetch
5454 * operands from it.
5455 */
5456 fetch_possible_mmx_operand(ctxt, &ctxt->src);
5457 fetch_possible_mmx_operand(ctxt, &ctxt->src2);
5458 if (!(ctxt->d & Mov))
5459 fetch_possible_mmx_operand(ctxt, &ctxt->dst);
5460 }
5461
5462 if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && ctxt->intercept) {
5463 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5464 X86_ICPT_PRE_EXCEPT);
5465 if (rc != X86EMUL_CONTINUE)
5466 goto done;
5467 }
5468
5469 /* Instruction can only be executed in protected mode */
5470 if ((ctxt->d & Prot) && ctxt->mode < X86EMUL_MODE_PROT16) {
5471 rc = emulate_ud(ctxt);
5472 goto done;
5473 }
5474
5475 /* Privileged instruction can be executed only in CPL=0 */
5476 if ((ctxt->d & Priv) && ops->cpl(ctxt)) {
5477 if (ctxt->d & PrivUD)
5478 rc = emulate_ud(ctxt);
5479 else
5480 rc = emulate_gp(ctxt, 0);
5481 goto done;
5482 }
5483
5484 /* Do instruction specific permission checks */
5485 if (ctxt->d & CheckPerm) {
5486 rc = ctxt->check_perm(ctxt);
5487 if (rc != X86EMUL_CONTINUE)
5488 goto done;
5489 }
5490
5491 if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
5492 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5493 X86_ICPT_POST_EXCEPT);
5494 if (rc != X86EMUL_CONTINUE)
5495 goto done;
5496 }
5497
5498 if (ctxt->rep_prefix && (ctxt->d & String)) {
5499 /* All REP prefixes have the same first termination condition */
5500 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0) {
5501 string_registers_quirk(ctxt);
5502 ctxt->eip = ctxt->_eip;
5503 ctxt->eflags &= ~X86_EFLAGS_RF;
5504 goto done;
5505 }
5506 }
5507 }
5508
5509 if ((ctxt->src.type == OP_MEM) && !(ctxt->d & NoAccess)) {
5510 rc = segmented_read(ctxt, ctxt->src.addr.mem,
5511 ctxt->src.valptr, ctxt->src.bytes);
5512 if (rc != X86EMUL_CONTINUE)
5513 goto done;
5514 ctxt->src.orig_val64 = ctxt->src.val64;
5515 }
5516
5517 if (ctxt->src2.type == OP_MEM) {
5518 rc = segmented_read(ctxt, ctxt->src2.addr.mem,
5519 &ctxt->src2.val, ctxt->src2.bytes);
5520 if (rc != X86EMUL_CONTINUE)
5521 goto done;
5522 }
5523
5524 if ((ctxt->d & DstMask) == ImplicitOps)
5525 goto special_insn;
5526
5527
5528 if ((ctxt->dst.type == OP_MEM) && !(ctxt->d & Mov)) {
5529 /* optimisation - avoid slow emulated read if Mov */
5530 rc = segmented_read(ctxt, ctxt->dst.addr.mem,
5531 &ctxt->dst.val, ctxt->dst.bytes);
5532 if (rc != X86EMUL_CONTINUE) {
5533 if (!(ctxt->d & NoWrite) &&
5534 rc == X86EMUL_PROPAGATE_FAULT &&
5535 ctxt->exception.vector == PF_VECTOR)
5536 ctxt->exception.error_code |= PFERR_WRITE_MASK;
5537 goto done;
5538 }
5539 }
5540 /* Copy full 64-bit value for CMPXCHG8B. */
5541 ctxt->dst.orig_val64 = ctxt->dst.val64;
5542
5543 special_insn:
5544
5545 if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
5546 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5547 X86_ICPT_POST_MEMACCESS);
5548 if (rc != X86EMUL_CONTINUE)
5549 goto done;
5550 }
5551
5552 if (ctxt->rep_prefix && (ctxt->d & String))
5553 ctxt->eflags |= X86_EFLAGS_RF;
5554 else
5555 ctxt->eflags &= ~X86_EFLAGS_RF;
5556
5557 if (ctxt->execute) {
5558 if (ctxt->d & Fastop) {
5559 void (*fop)(struct fastop *) = (void *)ctxt->execute;
5560 rc = fastop(ctxt, fop);
5561 if (rc != X86EMUL_CONTINUE)
5562 goto done;
5563 goto writeback;
5564 }
5565 rc = ctxt->execute(ctxt);
5566 if (rc != X86EMUL_CONTINUE)
5567 goto done;
5568 goto writeback;
5569 }
5570
5571 if (ctxt->opcode_len == 2)
5572 goto twobyte_insn;
5573 else if (ctxt->opcode_len == 3)
5574 goto threebyte_insn;
5575
5576 switch (ctxt->b) {
5577 case 0x70 ... 0x7f: /* jcc (short) */
5578 if (test_cc(ctxt->b, ctxt->eflags))
5579 rc = jmp_rel(ctxt, ctxt->src.val);
5580 break;
5581 case 0x8d: /* lea r16/r32, m */
5582 ctxt->dst.val = ctxt->src.addr.mem.ea;
5583 break;
5584 case 0x90 ... 0x97: /* nop / xchg reg, rax */
5585 if (ctxt->dst.addr.reg == reg_rmw(ctxt, VCPU_REGS_RAX))
5586 ctxt->dst.type = OP_NONE;
5587 else
5588 rc = em_xchg(ctxt);
5589 break;
5590 case 0x98: /* cbw/cwde/cdqe */
5591 switch (ctxt->op_bytes) {
5592 case 2: ctxt->dst.val = (s8)ctxt->dst.val; break;
5593 case 4: ctxt->dst.val = (s16)ctxt->dst.val; break;
5594 case 8: ctxt->dst.val = (s32)ctxt->dst.val; break;
5595 }
5596 break;
5597 case 0xcc: /* int3 */
5598 rc = emulate_int(ctxt, 3);
5599 break;
5600 case 0xcd: /* int n */
5601 rc = emulate_int(ctxt, ctxt->src.val);
5602 break;
5603 case 0xce: /* into */
5604 if (ctxt->eflags & X86_EFLAGS_OF)
5605 rc = emulate_int(ctxt, 4);
5606 break;
5607 case 0xe9: /* jmp rel */
5608 case 0xeb: /* jmp rel short */
5609 rc = jmp_rel(ctxt, ctxt->src.val);
5610 ctxt->dst.type = OP_NONE; /* Disable writeback. */
5611 break;
5612 case 0xf4: /* hlt */
5613 ctxt->ops->halt(ctxt);
5614 break;
5615 case 0xf5: /* cmc */
5616 /* complement carry flag from eflags reg */
5617 ctxt->eflags ^= X86_EFLAGS_CF;
5618 break;
5619 case 0xf8: /* clc */
5620 ctxt->eflags &= ~X86_EFLAGS_CF;
5621 break;
5622 case 0xf9: /* stc */
5623 ctxt->eflags |= X86_EFLAGS_CF;
5624 break;
5625 case 0xfc: /* cld */
5626 ctxt->eflags &= ~X86_EFLAGS_DF;
5627 break;
5628 case 0xfd: /* std */
5629 ctxt->eflags |= X86_EFLAGS_DF;
5630 break;
5631 default:
5632 goto cannot_emulate;
5633 }
5634
5635 if (rc != X86EMUL_CONTINUE)
5636 goto done;
5637
5638 writeback:
5639 if (ctxt->d & SrcWrite) {
5640 BUG_ON(ctxt->src.type == OP_MEM || ctxt->src.type == OP_MEM_STR);
5641 rc = writeback(ctxt, &ctxt->src);
5642 if (rc != X86EMUL_CONTINUE)
5643 goto done;
5644 }
5645 if (!(ctxt->d & NoWrite)) {
5646 rc = writeback(ctxt, &ctxt->dst);
5647 if (rc != X86EMUL_CONTINUE)
5648 goto done;
5649 }
5650
5651 /*
5652 * restore dst type in case the decoding will be reused
5653 * (happens for string instruction )
5654 */
5655 ctxt->dst.type = saved_dst_type;
5656
5657 if ((ctxt->d & SrcMask) == SrcSI)
5658 string_addr_inc(ctxt, VCPU_REGS_RSI, &ctxt->src);
5659
5660 if ((ctxt->d & DstMask) == DstDI)
5661 string_addr_inc(ctxt, VCPU_REGS_RDI, &ctxt->dst);
5662
5663 if (ctxt->rep_prefix && (ctxt->d & String)) {
5664 unsigned int count;
5665 struct read_cache *r = &ctxt->io_read;
5666 if ((ctxt->d & SrcMask) == SrcSI)
5667 count = ctxt->src.count;
5668 else
5669 count = ctxt->dst.count;
5670 register_address_increment(ctxt, VCPU_REGS_RCX, -count);
5671
5672 if (!string_insn_completed(ctxt)) {
5673 /*
5674 * Re-enter guest when pio read ahead buffer is empty
5675 * or, if it is not used, after each 1024 iteration.
5676 */
5677 if ((r->end != 0 || reg_read(ctxt, VCPU_REGS_RCX) & 0x3ff) &&
5678 (r->end == 0 || r->end != r->pos)) {
5679 /*
5680 * Reset read cache. Usually happens before
5681 * decode, but since instruction is restarted
5682 * we have to do it here.
5683 */
5684 ctxt->mem_read.end = 0;
5685 writeback_registers(ctxt);
5686 return EMULATION_RESTART;
5687 }
5688 goto done; /* skip rip writeback */
5689 }
5690 ctxt->eflags &= ~X86_EFLAGS_RF;
5691 }
5692
5693 ctxt->eip = ctxt->_eip;
5694
5695 done:
5696 if (rc == X86EMUL_PROPAGATE_FAULT) {
5697 WARN_ON(ctxt->exception.vector > 0x1f);
5698 ctxt->have_exception = true;
5699 }
5700 if (rc == X86EMUL_INTERCEPTED)
5701 return EMULATION_INTERCEPTED;
5702
5703 if (rc == X86EMUL_CONTINUE)
5704 writeback_registers(ctxt);
5705
5706 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
5707
5708 twobyte_insn:
5709 switch (ctxt->b) {
5710 case 0x09: /* wbinvd */
5711 (ctxt->ops->wbinvd)(ctxt);
5712 break;
5713 case 0x08: /* invd */
5714 case 0x0d: /* GrpP (prefetch) */
5715 case 0x18: /* Grp16 (prefetch/nop) */
5716 case 0x1f: /* nop */
5717 break;
5718 case 0x20: /* mov cr, reg */
5719 ctxt->dst.val = ops->get_cr(ctxt, ctxt->modrm_reg);
5720 break;
5721 case 0x21: /* mov from dr to reg */
5722 ops->get_dr(ctxt, ctxt->modrm_reg, &ctxt->dst.val);
5723 break;
5724 case 0x40 ... 0x4f: /* cmov */
5725 if (test_cc(ctxt->b, ctxt->eflags))
5726 ctxt->dst.val = ctxt->src.val;
5727 else if (ctxt->op_bytes != 4)
5728 ctxt->dst.type = OP_NONE; /* no writeback */
5729 break;
5730 case 0x80 ... 0x8f: /* jnz rel, etc*/
5731 if (test_cc(ctxt->b, ctxt->eflags))
5732 rc = jmp_rel(ctxt, ctxt->src.val);
5733 break;
5734 case 0x90 ... 0x9f: /* setcc r/m8 */
5735 ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
5736 break;
5737 case 0xb6 ... 0xb7: /* movzx */
5738 ctxt->dst.bytes = ctxt->op_bytes;
5739 ctxt->dst.val = (ctxt->src.bytes == 1) ? (u8) ctxt->src.val
5740 : (u16) ctxt->src.val;
5741 break;
5742 case 0xbe ... 0xbf: /* movsx */
5743 ctxt->dst.bytes = ctxt->op_bytes;
5744 ctxt->dst.val = (ctxt->src.bytes == 1) ? (s8) ctxt->src.val :
5745 (s16) ctxt->src.val;
5746 break;
5747 default:
5748 goto cannot_emulate;
5749 }
5750
5751 threebyte_insn:
5752
5753 if (rc != X86EMUL_CONTINUE)
5754 goto done;
5755
5756 goto writeback;
5757
5758 cannot_emulate:
5759 return EMULATION_FAILED;
5760 }
5761
5762 void emulator_invalidate_register_cache(struct x86_emulate_ctxt *ctxt)
5763 {
5764 invalidate_registers(ctxt);
5765 }
5766
5767 void emulator_writeback_register_cache(struct x86_emulate_ctxt *ctxt)
5768 {
5769 writeback_registers(ctxt);
5770 }
5771
5772 bool emulator_can_use_gpa(struct x86_emulate_ctxt *ctxt)
5773 {
5774 if (ctxt->rep_prefix && (ctxt->d & String))
5775 return false;
5776
5777 if (ctxt->d & TwoMemOp)
5778 return false;
5779
5780 return true;
5781 }
CRIS linux kernel tree