search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
drm/rockchip: vop2: Fix the windows switch between different layers
[drm/drm-misc.git] / arch / x86 / kvm / emulate.c
blob60986f67c35a886f07c8556d7d3511408f9567d3
1 // SPDX-License-Identifier: GPL-2.0-only
2 /******************************************************************************
3 * emulate.c
4 *
5 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 *
7 * Copyright (c) 2005 Keir Fraser
8 *
9 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
10 * privileged instructions:
11 *
12 * Copyright (C) 2006 Qumranet
13 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
14 *
15 * Avi Kivity <avi@qumranet.com>
16 * Yaniv Kamay <yaniv@qumranet.com>
17 *
18 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
19 */
20 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
21
22 #include <linux/kvm_host.h>
23 #include "kvm_cache_regs.h"
24 #include "kvm_emulate.h"
25 #include <linux/stringify.h>
26 #include <asm/debugreg.h>
27 #include <asm/nospec-branch.h>
28 #include <asm/ibt.h>
29
30 #include "x86.h"
31 #include "tss.h"
32 #include "mmu.h"
33 #include "pmu.h"
34
35 /*
36 * Operand types
37 */
38 #define OpNone 0ull
39 #define OpImplicit 1ull /* No generic decode */
40 #define OpReg 2ull /* Register */
41 #define OpMem 3ull /* Memory */
42 #define OpAcc 4ull /* Accumulator: AL/AX/EAX/RAX */
43 #define OpDI 5ull /* ES:DI/EDI/RDI */
44 #define OpMem64 6ull /* Memory, 64-bit */
45 #define OpImmUByte 7ull /* Zero-extended 8-bit immediate */
46 #define OpDX 8ull /* DX register */
47 #define OpCL 9ull /* CL register (for shifts) */
48 #define OpImmByte 10ull /* 8-bit sign extended immediate */
49 #define OpOne 11ull /* Implied 1 */
50 #define OpImm 12ull /* Sign extended up to 32-bit immediate */
51 #define OpMem16 13ull /* Memory operand (16-bit). */
52 #define OpMem32 14ull /* Memory operand (32-bit). */
53 #define OpImmU 15ull /* Immediate operand, zero extended */
54 #define OpSI 16ull /* SI/ESI/RSI */
55 #define OpImmFAddr 17ull /* Immediate far address */
56 #define OpMemFAddr 18ull /* Far address in memory */
57 #define OpImmU16 19ull /* Immediate operand, 16 bits, zero extended */
58 #define OpES 20ull /* ES */
59 #define OpCS 21ull /* CS */
60 #define OpSS 22ull /* SS */
61 #define OpDS 23ull /* DS */
62 #define OpFS 24ull /* FS */
63 #define OpGS 25ull /* GS */
64 #define OpMem8 26ull /* 8-bit zero extended memory operand */
65 #define OpImm64 27ull /* Sign extended 16/32/64-bit immediate */
66 #define OpXLat 28ull /* memory at BX/EBX/RBX + zero-extended AL */
67 #define OpAccLo 29ull /* Low part of extended acc (AX/AX/EAX/RAX) */
68 #define OpAccHi 30ull /* High part of extended acc (-/DX/EDX/RDX) */
69
70 #define OpBits 5 /* Width of operand field */
71 #define OpMask ((1ull << OpBits) - 1)
72
73 /*
74 * Opcode effective-address decode tables.
75 * Note that we only emulate instructions that have at least one memory
76 * operand (excluding implicit stack references). We assume that stack
77 * references and instruction fetches will never occur in special memory
78 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
79 * not be handled.
80 */
81
82 /* Operand sizes: 8-bit operands or specified/overridden size. */
83 #define ByteOp (1<<0) /* 8-bit operands. */
84 /* Destination operand type. */
85 #define DstShift 1
86 #define ImplicitOps (OpImplicit << DstShift)
87 #define DstReg (OpReg << DstShift)
88 #define DstMem (OpMem << DstShift)
89 #define DstAcc (OpAcc << DstShift)
90 #define DstDI (OpDI << DstShift)
91 #define DstMem64 (OpMem64 << DstShift)
92 #define DstMem16 (OpMem16 << DstShift)
93 #define DstImmUByte (OpImmUByte << DstShift)
94 #define DstDX (OpDX << DstShift)
95 #define DstAccLo (OpAccLo << DstShift)
96 #define DstMask (OpMask << DstShift)
97 /* Source operand type. */
98 #define SrcShift 6
99 #define SrcNone (OpNone << SrcShift)
100 #define SrcReg (OpReg << SrcShift)
101 #define SrcMem (OpMem << SrcShift)
102 #define SrcMem16 (OpMem16 << SrcShift)
103 #define SrcMem32 (OpMem32 << SrcShift)
104 #define SrcImm (OpImm << SrcShift)
105 #define SrcImmByte (OpImmByte << SrcShift)
106 #define SrcOne (OpOne << SrcShift)
107 #define SrcImmUByte (OpImmUByte << SrcShift)
108 #define SrcImmU (OpImmU << SrcShift)
109 #define SrcSI (OpSI << SrcShift)
110 #define SrcXLat (OpXLat << SrcShift)
111 #define SrcImmFAddr (OpImmFAddr << SrcShift)
112 #define SrcMemFAddr (OpMemFAddr << SrcShift)
113 #define SrcAcc (OpAcc << SrcShift)
114 #define SrcImmU16 (OpImmU16 << SrcShift)
115 #define SrcImm64 (OpImm64 << SrcShift)
116 #define SrcDX (OpDX << SrcShift)
117 #define SrcMem8 (OpMem8 << SrcShift)
118 #define SrcAccHi (OpAccHi << SrcShift)
119 #define SrcMask (OpMask << SrcShift)
120 #define BitOp (1<<11)
121 #define MemAbs (1<<12) /* Memory operand is absolute displacement */
122 #define String (1<<13) /* String instruction (rep capable) */
123 #define Stack (1<<14) /* Stack instruction (push/pop) */
124 #define GroupMask (7<<15) /* Opcode uses one of the group mechanisms */
125 #define Group (1<<15) /* Bits 3:5 of modrm byte extend opcode */
126 #define GroupDual (2<<15) /* Alternate decoding of mod == 3 */
127 #define Prefix (3<<15) /* Instruction varies with 66/f2/f3 prefix */
128 #define RMExt (4<<15) /* Opcode extension in ModRM r/m if mod == 3 */
129 #define Escape (5<<15) /* Escape to coprocessor instruction */
130 #define InstrDual (6<<15) /* Alternate instruction decoding of mod == 3 */
131 #define ModeDual (7<<15) /* Different instruction for 32/64 bit */
132 #define Sse (1<<18) /* SSE Vector instruction */
133 /* Generic ModRM decode. */
134 #define ModRM (1<<19)
135 /* Destination is only written; never read. */
136 #define Mov (1<<20)
137 /* Misc flags */
138 #define Prot (1<<21) /* instruction generates #UD if not in prot-mode */
139 #define EmulateOnUD (1<<22) /* Emulate if unsupported by the host */
140 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
141 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
142 #define Undefined (1<<25) /* No Such Instruction */
143 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
144 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
145 #define No64 (1<<28)
146 #define PageTable (1 << 29) /* instruction used to write page table */
147 #define NotImpl (1 << 30) /* instruction is not implemented */
148 /* Source 2 operand type */
149 #define Src2Shift (31)
150 #define Src2None (OpNone << Src2Shift)
151 #define Src2Mem (OpMem << Src2Shift)
152 #define Src2CL (OpCL << Src2Shift)
153 #define Src2ImmByte (OpImmByte << Src2Shift)
154 #define Src2One (OpOne << Src2Shift)
155 #define Src2Imm (OpImm << Src2Shift)
156 #define Src2ES (OpES << Src2Shift)
157 #define Src2CS (OpCS << Src2Shift)
158 #define Src2SS (OpSS << Src2Shift)
159 #define Src2DS (OpDS << Src2Shift)
160 #define Src2FS (OpFS << Src2Shift)
161 #define Src2GS (OpGS << Src2Shift)
162 #define Src2Mask (OpMask << Src2Shift)
163 #define Mmx ((u64)1 << 40) /* MMX Vector instruction */
164 #define AlignMask ((u64)7 << 41)
165 #define Aligned ((u64)1 << 41) /* Explicitly aligned (e.g. MOVDQA) */
166 #define Unaligned ((u64)2 << 41) /* Explicitly unaligned (e.g. MOVDQU) */
167 #define Avx ((u64)3 << 41) /* Advanced Vector Extensions */
168 #define Aligned16 ((u64)4 << 41) /* Aligned to 16 byte boundary (e.g. FXSAVE) */
169 #define Fastop ((u64)1 << 44) /* Use opcode::u.fastop */
170 #define NoWrite ((u64)1 << 45) /* No writeback */
171 #define SrcWrite ((u64)1 << 46) /* Write back src operand */
172 #define NoMod ((u64)1 << 47) /* Mod field is ignored */
173 #define Intercept ((u64)1 << 48) /* Has valid intercept field */
174 #define CheckPerm ((u64)1 << 49) /* Has valid check_perm field */
175 #define PrivUD ((u64)1 << 51) /* #UD instead of #GP on CPL > 0 */
176 #define NearBranch ((u64)1 << 52) /* Near branches */
177 #define No16 ((u64)1 << 53) /* No 16 bit operand */
178 #define IncSP ((u64)1 << 54) /* SP is incremented before ModRM calc */
179 #define TwoMemOp ((u64)1 << 55) /* Instruction has two memory operand */
180 #define IsBranch ((u64)1 << 56) /* Instruction is considered a branch. */
181
182 #define DstXacc (DstAccLo | SrcAccHi | SrcWrite)
183
184 #define X2(x...) x, x
185 #define X3(x...) X2(x), x
186 #define X4(x...) X2(x), X2(x)
187 #define X5(x...) X4(x), x
188 #define X6(x...) X4(x), X2(x)
189 #define X7(x...) X4(x), X3(x)
190 #define X8(x...) X4(x), X4(x)
191 #define X16(x...) X8(x), X8(x)
192
193 struct opcode {
194 u64 flags;
195 u8 intercept;
196 u8 pad[7];
197 union {
198 int (*execute)(struct x86_emulate_ctxt *ctxt);
199 const struct opcode *group;
200 const struct group_dual *gdual;
201 const struct gprefix *gprefix;
202 const struct escape *esc;
203 const struct instr_dual *idual;
204 const struct mode_dual *mdual;
205 void (*fastop)(struct fastop *fake);
206 } u;
207 int (*check_perm)(struct x86_emulate_ctxt *ctxt);
208 };
209
210 struct group_dual {
211 struct opcode mod012[8];
212 struct opcode mod3[8];
213 };
214
215 struct gprefix {
216 struct opcode pfx_no;
217 struct opcode pfx_66;
218 struct opcode pfx_f2;
219 struct opcode pfx_f3;
220 };
221
222 struct escape {
223 struct opcode op[8];
224 struct opcode high[64];
225 };
226
227 struct instr_dual {
228 struct opcode mod012;
229 struct opcode mod3;
230 };
231
232 struct mode_dual {
233 struct opcode mode32;
234 struct opcode mode64;
235 };
236
237 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
238
239 enum x86_transfer_type {
240 X86_TRANSFER_NONE,
241 X86_TRANSFER_CALL_JMP,
242 X86_TRANSFER_RET,
243 X86_TRANSFER_TASK_SWITCH,
244 };
245
246 static void writeback_registers(struct x86_emulate_ctxt *ctxt)
247 {
248 unsigned long dirty = ctxt->regs_dirty;
249 unsigned reg;
250
251 for_each_set_bit(reg, &dirty, NR_EMULATOR_GPRS)
252 ctxt->ops->write_gpr(ctxt, reg, ctxt->_regs[reg]);
253 }
254
255 static void invalidate_registers(struct x86_emulate_ctxt *ctxt)
256 {
257 ctxt->regs_dirty = 0;
258 ctxt->regs_valid = 0;
259 }
260
261 /*
262 * These EFLAGS bits are restored from saved value during emulation, and
263 * any changes are written back to the saved value after emulation.
264 */
265 #define EFLAGS_MASK (X86_EFLAGS_OF|X86_EFLAGS_SF|X86_EFLAGS_ZF|X86_EFLAGS_AF|\
266 X86_EFLAGS_PF|X86_EFLAGS_CF)
267
268 #ifdef CONFIG_X86_64
269 #define ON64(x) x
270 #else
271 #define ON64(x)
272 #endif
273
274 /*
275 * fastop functions have a special calling convention:
276 *
277 * dst: rax (in/out)
278 * src: rdx (in/out)
279 * src2: rcx (in)
280 * flags: rflags (in/out)
281 * ex: rsi (in:fastop pointer, out:zero if exception)
282 *
283 * Moreover, they are all exactly FASTOP_SIZE bytes long, so functions for
284 * different operand sizes can be reached by calculation, rather than a jump
285 * table (which would be bigger than the code).
286 *
287 * The 16 byte alignment, considering 5 bytes for the RET thunk, 3 for ENDBR
288 * and 1 for the straight line speculation INT3, leaves 7 bytes for the
289 * body of the function. Currently none is larger than 4.
290 */
291 static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop);
292
293 #define FASTOP_SIZE 16
294
295 #define __FOP_FUNC(name) \
296 ".align " __stringify(FASTOP_SIZE) " \n\t" \
297 ".type " name ", @function \n\t" \
298 name ":\n\t" \
299 ASM_ENDBR \
300 IBT_NOSEAL(name)
301
302 #define FOP_FUNC(name) \
303 __FOP_FUNC(#name)
304
305 #define __FOP_RET(name) \
306 "11: " ASM_RET \
307 ".size " name ", .-" name "\n\t"
308
309 #define FOP_RET(name) \
310 __FOP_RET(#name)
311
312 #define __FOP_START(op, align) \
313 extern void em_##op(struct fastop *fake); \
314 asm(".pushsection .text, \"ax\" \n\t" \
315 ".global em_" #op " \n\t" \
316 ".align " __stringify(align) " \n\t" \
317 "em_" #op ":\n\t"
318
319 #define FOP_START(op) __FOP_START(op, FASTOP_SIZE)
320
321 #define FOP_END \
322 ".popsection")
323
324 #define __FOPNOP(name) \
325 __FOP_FUNC(name) \
326 __FOP_RET(name)
327
328 #define FOPNOP() \
329 __FOPNOP(__stringify(__UNIQUE_ID(nop)))
330
331 #define FOP1E(op, dst) \
332 __FOP_FUNC(#op "_" #dst) \
333 "10: " #op " %" #dst " \n\t" \
334 __FOP_RET(#op "_" #dst)
335
336 #define FOP1EEX(op, dst) \
337 FOP1E(op, dst) _ASM_EXTABLE_TYPE_REG(10b, 11b, EX_TYPE_ZERO_REG, %%esi)
338
339 #define FASTOP1(op) \
340 FOP_START(op) \
341 FOP1E(op##b, al) \
342 FOP1E(op##w, ax) \
343 FOP1E(op##l, eax) \
344 ON64(FOP1E(op##q, rax)) \
345 FOP_END
346
347 /* 1-operand, using src2 (for MUL/DIV r/m) */
348 #define FASTOP1SRC2(op, name) \
349 FOP_START(name) \
350 FOP1E(op, cl) \
351 FOP1E(op, cx) \
352 FOP1E(op, ecx) \
353 ON64(FOP1E(op, rcx)) \
354 FOP_END
355
356 /* 1-operand, using src2 (for MUL/DIV r/m), with exceptions */
357 #define FASTOP1SRC2EX(op, name) \
358 FOP_START(name) \
359 FOP1EEX(op, cl) \
360 FOP1EEX(op, cx) \
361 FOP1EEX(op, ecx) \
362 ON64(FOP1EEX(op, rcx)) \
363 FOP_END
364
365 #define FOP2E(op, dst, src) \
366 __FOP_FUNC(#op "_" #dst "_" #src) \
367 #op " %" #src ", %" #dst " \n\t" \
368 __FOP_RET(#op "_" #dst "_" #src)
369
370 #define FASTOP2(op) \
371 FOP_START(op) \
372 FOP2E(op##b, al, dl) \
373 FOP2E(op##w, ax, dx) \
374 FOP2E(op##l, eax, edx) \
375 ON64(FOP2E(op##q, rax, rdx)) \
376 FOP_END
377
378 /* 2 operand, word only */
379 #define FASTOP2W(op) \
380 FOP_START(op) \
381 FOPNOP() \
382 FOP2E(op##w, ax, dx) \
383 FOP2E(op##l, eax, edx) \
384 ON64(FOP2E(op##q, rax, rdx)) \
385 FOP_END
386
387 /* 2 operand, src is CL */
388 #define FASTOP2CL(op) \
389 FOP_START(op) \
390 FOP2E(op##b, al, cl) \
391 FOP2E(op##w, ax, cl) \
392 FOP2E(op##l, eax, cl) \
393 ON64(FOP2E(op##q, rax, cl)) \
394 FOP_END
395
396 /* 2 operand, src and dest are reversed */
397 #define FASTOP2R(op, name) \
398 FOP_START(name) \
399 FOP2E(op##b, dl, al) \
400 FOP2E(op##w, dx, ax) \
401 FOP2E(op##l, edx, eax) \
402 ON64(FOP2E(op##q, rdx, rax)) \
403 FOP_END
404
405 #define FOP3E(op, dst, src, src2) \
406 __FOP_FUNC(#op "_" #dst "_" #src "_" #src2) \
407 #op " %" #src2 ", %" #src ", %" #dst " \n\t"\
408 __FOP_RET(#op "_" #dst "_" #src "_" #src2)
409
410 /* 3-operand, word-only, src2=cl */
411 #define FASTOP3WCL(op) \
412 FOP_START(op) \
413 FOPNOP() \
414 FOP3E(op##w, ax, dx, cl) \
415 FOP3E(op##l, eax, edx, cl) \
416 ON64(FOP3E(op##q, rax, rdx, cl)) \
417 FOP_END
418
419 /* Special case for SETcc - 1 instruction per cc */
420 #define FOP_SETCC(op) \
421 FOP_FUNC(op) \
422 #op " %al \n\t" \
423 FOP_RET(op)
424
425 FOP_START(setcc)
426 FOP_SETCC(seto)
427 FOP_SETCC(setno)
428 FOP_SETCC(setc)
429 FOP_SETCC(setnc)
430 FOP_SETCC(setz)
431 FOP_SETCC(setnz)
432 FOP_SETCC(setbe)
433 FOP_SETCC(setnbe)
434 FOP_SETCC(sets)
435 FOP_SETCC(setns)
436 FOP_SETCC(setp)
437 FOP_SETCC(setnp)
438 FOP_SETCC(setl)
439 FOP_SETCC(setnl)
440 FOP_SETCC(setle)
441 FOP_SETCC(setnle)
442 FOP_END;
443
444 FOP_START(salc)
445 FOP_FUNC(salc)
446 "pushf; sbb %al, %al; popf \n\t"
447 FOP_RET(salc)
448 FOP_END;
449
450 /*
451 * XXX: inoutclob user must know where the argument is being expanded.
452 * Using asm goto would allow us to remove _fault.
453 */
454 #define asm_safe(insn, inoutclob...) \
455 ({ \
456 int _fault = 0; \
457 \
458 asm volatile("1:" insn "\n" \
459 "2:\n" \
460 _ASM_EXTABLE_TYPE_REG(1b, 2b, EX_TYPE_ONE_REG, %[_fault]) \
461 : [_fault] "+r"(_fault) inoutclob ); \
462 \
463 _fault ? X86EMUL_UNHANDLEABLE : X86EMUL_CONTINUE; \
464 })
465
466 static int emulator_check_intercept(struct x86_emulate_ctxt *ctxt,
467 enum x86_intercept intercept,
468 enum x86_intercept_stage stage)
469 {
470 struct x86_instruction_info info = {
471 .intercept = intercept,
472 .rep_prefix = ctxt->rep_prefix,
473 .modrm_mod = ctxt->modrm_mod,
474 .modrm_reg = ctxt->modrm_reg,
475 .modrm_rm = ctxt->modrm_rm,
476 .src_val = ctxt->src.val64,
477 .dst_val = ctxt->dst.val64,
478 .src_bytes = ctxt->src.bytes,
479 .dst_bytes = ctxt->dst.bytes,
480 .ad_bytes = ctxt->ad_bytes,
481 .next_rip = ctxt->eip,
482 };
483
484 return ctxt->ops->intercept(ctxt, &info, stage);
485 }
486
487 static void assign_masked(ulong *dest, ulong src, ulong mask)
488 {
489 *dest = (*dest & ~mask) | (src & mask);
490 }
491
492 static void assign_register(unsigned long *reg, u64 val, int bytes)
493 {
494 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
495 switch (bytes) {
496 case 1:
497 *(u8 *)reg = (u8)val;
498 break;
499 case 2:
500 *(u16 *)reg = (u16)val;
501 break;
502 case 4:
503 *reg = (u32)val;
504 break; /* 64b: zero-extend */
505 case 8:
506 *reg = val;
507 break;
508 }
509 }
510
511 static inline unsigned long ad_mask(struct x86_emulate_ctxt *ctxt)
512 {
513 return (1UL << (ctxt->ad_bytes << 3)) - 1;
514 }
515
516 static ulong stack_mask(struct x86_emulate_ctxt *ctxt)
517 {
518 u16 sel;
519 struct desc_struct ss;
520
521 if (ctxt->mode == X86EMUL_MODE_PROT64)
522 return ~0UL;
523 ctxt->ops->get_segment(ctxt, &sel, &ss, NULL, VCPU_SREG_SS);
524 return ~0U >> ((ss.d ^ 1) * 16); /* d=0: 0xffff; d=1: 0xffffffff */
525 }
526
527 static int stack_size(struct x86_emulate_ctxt *ctxt)
528 {
529 return (__fls(stack_mask(ctxt)) + 1) >> 3;
530 }
531
532 /* Access/update address held in a register, based on addressing mode. */
533 static inline unsigned long
534 address_mask(struct x86_emulate_ctxt *ctxt, unsigned long reg)
535 {
536 if (ctxt->ad_bytes == sizeof(unsigned long))
537 return reg;
538 else
539 return reg & ad_mask(ctxt);
540 }
541
542 static inline unsigned long
543 register_address(struct x86_emulate_ctxt *ctxt, int reg)
544 {
545 return address_mask(ctxt, reg_read(ctxt, reg));
546 }
547
548 static void masked_increment(ulong *reg, ulong mask, int inc)
549 {
550 assign_masked(reg, *reg + inc, mask);
551 }
552
553 static inline void
554 register_address_increment(struct x86_emulate_ctxt *ctxt, int reg, int inc)
555 {
556 ulong *preg = reg_rmw(ctxt, reg);
557
558 assign_register(preg, *preg + inc, ctxt->ad_bytes);
559 }
560
561 static void rsp_increment(struct x86_emulate_ctxt *ctxt, int inc)
562 {
563 masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc);
564 }
565
566 static u32 desc_limit_scaled(struct desc_struct *desc)
567 {
568 u32 limit = get_desc_limit(desc);
569
570 return desc->g ? (limit << 12) | 0xfff : limit;
571 }
572
573 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
574 {
575 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
576 return 0;
577
578 return ctxt->ops->get_cached_segment_base(ctxt, seg);
579 }
580
581 static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
582 u32 error, bool valid)
583 {
584 if (KVM_EMULATOR_BUG_ON(vec > 0x1f, ctxt))
585 return X86EMUL_UNHANDLEABLE;
586
587 ctxt->exception.vector = vec;
588 ctxt->exception.error_code = error;
589 ctxt->exception.error_code_valid = valid;
590 return X86EMUL_PROPAGATE_FAULT;
591 }
592
593 static int emulate_db(struct x86_emulate_ctxt *ctxt)
594 {
595 return emulate_exception(ctxt, DB_VECTOR, 0, false);
596 }
597
598 static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
599 {
600 return emulate_exception(ctxt, GP_VECTOR, err, true);
601 }
602
603 static int emulate_ss(struct x86_emulate_ctxt *ctxt, int err)
604 {
605 return emulate_exception(ctxt, SS_VECTOR, err, true);
606 }
607
608 static int emulate_ud(struct x86_emulate_ctxt *ctxt)
609 {
610 return emulate_exception(ctxt, UD_VECTOR, 0, false);
611 }
612
613 static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
614 {
615 return emulate_exception(ctxt, TS_VECTOR, err, true);
616 }
617
618 static int emulate_de(struct x86_emulate_ctxt *ctxt)
619 {
620 return emulate_exception(ctxt, DE_VECTOR, 0, false);
621 }
622
623 static int emulate_nm(struct x86_emulate_ctxt *ctxt)
624 {
625 return emulate_exception(ctxt, NM_VECTOR, 0, false);
626 }
627
628 static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
629 {
630 u16 selector;
631 struct desc_struct desc;
632
633 ctxt->ops->get_segment(ctxt, &selector, &desc, NULL, seg);
634 return selector;
635 }
636
637 static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
638 unsigned seg)
639 {
640 u16 dummy;
641 u32 base3;
642 struct desc_struct desc;
643
644 ctxt->ops->get_segment(ctxt, &dummy, &desc, &base3, seg);
645 ctxt->ops->set_segment(ctxt, selector, &desc, base3, seg);
646 }
647
648 static inline u8 ctxt_virt_addr_bits(struct x86_emulate_ctxt *ctxt)
649 {
650 return (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_LA57) ? 57 : 48;
651 }
652
653 static inline bool emul_is_noncanonical_address(u64 la,
654 struct x86_emulate_ctxt *ctxt,
655 unsigned int flags)
656 {
657 return !ctxt->ops->is_canonical_addr(ctxt, la, flags);
658 }
659
660 /*
661 * x86 defines three classes of vector instructions: explicitly
662 * aligned, explicitly unaligned, and the rest, which change behaviour
663 * depending on whether they're AVX encoded or not.
664 *
665 * Also included is CMPXCHG16B which is not a vector instruction, yet it is
666 * subject to the same check. FXSAVE and FXRSTOR are checked here too as their
667 * 512 bytes of data must be aligned to a 16 byte boundary.
668 */
669 static unsigned insn_alignment(struct x86_emulate_ctxt *ctxt, unsigned size)
670 {
671 u64 alignment = ctxt->d & AlignMask;
672
673 if (likely(size < 16))
674 return 1;
675
676 switch (alignment) {
677 case Unaligned:
678 case Avx:
679 return 1;
680 case Aligned16:
681 return 16;
682 case Aligned:
683 default:
684 return size;
685 }
686 }
687
688 static __always_inline int __linearize(struct x86_emulate_ctxt *ctxt,
689 struct segmented_address addr,
690 unsigned *max_size, unsigned size,
691 enum x86emul_mode mode, ulong *linear,
692 unsigned int flags)
693 {
694 struct desc_struct desc;
695 bool usable;
696 ulong la;
697 u32 lim;
698 u16 sel;
699 u8 va_bits;
700
701 la = seg_base(ctxt, addr.seg) + addr.ea;
702 *max_size = 0;
703 switch (mode) {
704 case X86EMUL_MODE_PROT64:
705 *linear = la = ctxt->ops->get_untagged_addr(ctxt, la, flags);
706 va_bits = ctxt_virt_addr_bits(ctxt);
707 if (!__is_canonical_address(la, va_bits))
708 goto bad;
709
710 *max_size = min_t(u64, ~0u, (1ull << va_bits) - la);
711 if (size > *max_size)
712 goto bad;
713 break;
714 default:
715 *linear = la = (u32)la;
716 usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
717 addr.seg);
718 if (!usable)
719 goto bad;
720 /* code segment in protected mode or read-only data segment */
721 if ((((ctxt->mode != X86EMUL_MODE_REAL) && (desc.type & 8)) || !(desc.type & 2)) &&
722 (flags & X86EMUL_F_WRITE))
723 goto bad;
724 /* unreadable code segment */
725 if (!(flags & X86EMUL_F_FETCH) && (desc.type & 8) && !(desc.type & 2))
726 goto bad;
727 lim = desc_limit_scaled(&desc);
728 if (!(desc.type & 8) && (desc.type & 4)) {
729 /* expand-down segment */
730 if (addr.ea <= lim)
731 goto bad;
732 lim = desc.d ? 0xffffffff : 0xffff;
733 }
734 if (addr.ea > lim)
735 goto bad;
736 if (lim == 0xffffffff)
737 *max_size = ~0u;
738 else {
739 *max_size = (u64)lim + 1 - addr.ea;
740 if (size > *max_size)
741 goto bad;
742 }
743 break;
744 }
745 if (la & (insn_alignment(ctxt, size) - 1))
746 return emulate_gp(ctxt, 0);
747 return X86EMUL_CONTINUE;
748 bad:
749 if (addr.seg == VCPU_SREG_SS)
750 return emulate_ss(ctxt, 0);
751 else
752 return emulate_gp(ctxt, 0);
753 }
754
755 static int linearize(struct x86_emulate_ctxt *ctxt,
756 struct segmented_address addr,
757 unsigned size, bool write,
758 ulong *linear)
759 {
760 unsigned max_size;
761 return __linearize(ctxt, addr, &max_size, size, ctxt->mode, linear,
762 write ? X86EMUL_F_WRITE : 0);
763 }
764
765 static inline int assign_eip(struct x86_emulate_ctxt *ctxt, ulong dst)
766 {
767 ulong linear;
768 int rc;
769 unsigned max_size;
770 struct segmented_address addr = { .seg = VCPU_SREG_CS,
771 .ea = dst };
772
773 if (ctxt->op_bytes != sizeof(unsigned long))
774 addr.ea = dst & ((1UL << (ctxt->op_bytes << 3)) - 1);
775 rc = __linearize(ctxt, addr, &max_size, 1, ctxt->mode, &linear,
776 X86EMUL_F_FETCH);
777 if (rc == X86EMUL_CONTINUE)
778 ctxt->_eip = addr.ea;
779 return rc;
780 }
781
782 static inline int emulator_recalc_and_set_mode(struct x86_emulate_ctxt *ctxt)
783 {
784 u64 efer;
785 struct desc_struct cs;
786 u16 selector;
787 u32 base3;
788
789 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
790
791 if (!(ctxt->ops->get_cr(ctxt, 0) & X86_CR0_PE)) {
792 /* Real mode. cpu must not have long mode active */
793 if (efer & EFER_LMA)
794 return X86EMUL_UNHANDLEABLE;
795 ctxt->mode = X86EMUL_MODE_REAL;
796 return X86EMUL_CONTINUE;
797 }
798
799 if (ctxt->eflags & X86_EFLAGS_VM) {
800 /* Protected/VM86 mode. cpu must not have long mode active */
801 if (efer & EFER_LMA)
802 return X86EMUL_UNHANDLEABLE;
803 ctxt->mode = X86EMUL_MODE_VM86;
804 return X86EMUL_CONTINUE;
805 }
806
807 if (!ctxt->ops->get_segment(ctxt, &selector, &cs, &base3, VCPU_SREG_CS))
808 return X86EMUL_UNHANDLEABLE;
809
810 if (efer & EFER_LMA) {
811 if (cs.l) {
812 /* Proper long mode */
813 ctxt->mode = X86EMUL_MODE_PROT64;
814 } else if (cs.d) {
815 /* 32 bit compatibility mode*/
816 ctxt->mode = X86EMUL_MODE_PROT32;
817 } else {
818 ctxt->mode = X86EMUL_MODE_PROT16;
819 }
820 } else {
821 /* Legacy 32 bit / 16 bit mode */
822 ctxt->mode = cs.d ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16;
823 }
824
825 return X86EMUL_CONTINUE;
826 }
827
828 static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
829 {
830 return assign_eip(ctxt, dst);
831 }
832
833 static int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst)
834 {
835 int rc = emulator_recalc_and_set_mode(ctxt);
836
837 if (rc != X86EMUL_CONTINUE)
838 return rc;
839
840 return assign_eip(ctxt, dst);
841 }
842
843 static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
844 {
845 return assign_eip_near(ctxt, ctxt->_eip + rel);
846 }
847
848 static int linear_read_system(struct x86_emulate_ctxt *ctxt, ulong linear,
849 void *data, unsigned size)
850 {
851 return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception, true);
852 }
853
854 static int linear_write_system(struct x86_emulate_ctxt *ctxt,
855 ulong linear, void *data,
856 unsigned int size)
857 {
858 return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception, true);
859 }
860
861 static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
862 struct segmented_address addr,
863 void *data,
864 unsigned size)
865 {
866 int rc;
867 ulong linear;
868
869 rc = linearize(ctxt, addr, size, false, &linear);
870 if (rc != X86EMUL_CONTINUE)
871 return rc;
872 return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception, false);
873 }
874
875 static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
876 struct segmented_address addr,
877 void *data,
878 unsigned int size)
879 {
880 int rc;
881 ulong linear;
882
883 rc = linearize(ctxt, addr, size, true, &linear);
884 if (rc != X86EMUL_CONTINUE)
885 return rc;
886 return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception, false);
887 }
888
889 /*
890 * Prefetch the remaining bytes of the instruction without crossing page
891 * boundary if they are not in fetch_cache yet.
892 */
893 static int __do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt, int op_size)
894 {
895 int rc;
896 unsigned size, max_size;
897 unsigned long linear;
898 int cur_size = ctxt->fetch.end - ctxt->fetch.data;
899 struct segmented_address addr = { .seg = VCPU_SREG_CS,
900 .ea = ctxt->eip + cur_size };
901
902 /*
903 * We do not know exactly how many bytes will be needed, and
904 * __linearize is expensive, so fetch as much as possible. We
905 * just have to avoid going beyond the 15 byte limit, the end
906 * of the segment, or the end of the page.
907 *
908 * __linearize is called with size 0 so that it does not do any
909 * boundary check itself. Instead, we use max_size to check
910 * against op_size.
911 */
912 rc = __linearize(ctxt, addr, &max_size, 0, ctxt->mode, &linear,
913 X86EMUL_F_FETCH);
914 if (unlikely(rc != X86EMUL_CONTINUE))
915 return rc;
916
917 size = min_t(unsigned, 15UL ^ cur_size, max_size);
918 size = min_t(unsigned, size, PAGE_SIZE - offset_in_page(linear));
919
920 /*
921 * One instruction can only straddle two pages,
922 * and one has been loaded at the beginning of
923 * x86_decode_insn. So, if not enough bytes
924 * still, we must have hit the 15-byte boundary.
925 */
926 if (unlikely(size < op_size))
927 return emulate_gp(ctxt, 0);
928
929 rc = ctxt->ops->fetch(ctxt, linear, ctxt->fetch.end,
930 size, &ctxt->exception);
931 if (unlikely(rc != X86EMUL_CONTINUE))
932 return rc;
933 ctxt->fetch.end += size;
934 return X86EMUL_CONTINUE;
935 }
936
937 static __always_inline int do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt,
938 unsigned size)
939 {
940 unsigned done_size = ctxt->fetch.end - ctxt->fetch.ptr;
941
942 if (unlikely(done_size < size))
943 return __do_insn_fetch_bytes(ctxt, size - done_size);
944 else
945 return X86EMUL_CONTINUE;
946 }
947
948 /* Fetch next part of the instruction being emulated. */
949 #define insn_fetch(_type, _ctxt) \
950 ({ _type _x; \
951 \
952 rc = do_insn_fetch_bytes(_ctxt, sizeof(_type)); \
953 if (rc != X86EMUL_CONTINUE) \
954 goto done; \
955 ctxt->_eip += sizeof(_type); \
956 memcpy(&_x, ctxt->fetch.ptr, sizeof(_type)); \
957 ctxt->fetch.ptr += sizeof(_type); \
958 _x; \
959 })
960
961 #define insn_fetch_arr(_arr, _size, _ctxt) \
962 ({ \
963 rc = do_insn_fetch_bytes(_ctxt, _size); \
964 if (rc != X86EMUL_CONTINUE) \
965 goto done; \
966 ctxt->_eip += (_size); \
967 memcpy(_arr, ctxt->fetch.ptr, _size); \
968 ctxt->fetch.ptr += (_size); \
969 })
970
971 /*
972 * Given the 'reg' portion of a ModRM byte, and a register block, return a
973 * pointer into the block that addresses the relevant register.
974 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
975 */
976 static void *decode_register(struct x86_emulate_ctxt *ctxt, u8 modrm_reg,
977 int byteop)
978 {
979 void *p;
980 int highbyte_regs = (ctxt->rex_prefix == 0) && byteop;
981
982 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
983 p = (unsigned char *)reg_rmw(ctxt, modrm_reg & 3) + 1;
984 else
985 p = reg_rmw(ctxt, modrm_reg);
986 return p;
987 }
988
989 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
990 struct segmented_address addr,
991 u16 *size, unsigned long *address, int op_bytes)
992 {
993 int rc;
994
995 if (op_bytes == 2)
996 op_bytes = 3;
997 *address = 0;
998 rc = segmented_read_std(ctxt, addr, size, 2);
999 if (rc != X86EMUL_CONTINUE)
1000 return rc;
1001 addr.ea += 2;
1002 rc = segmented_read_std(ctxt, addr, address, op_bytes);
1003 return rc;
1004 }
1005
1006 FASTOP2(add);
1007 FASTOP2(or);
1008 FASTOP2(adc);
1009 FASTOP2(sbb);
1010 FASTOP2(and);
1011 FASTOP2(sub);
1012 FASTOP2(xor);
1013 FASTOP2(cmp);
1014 FASTOP2(test);
1015
1016 FASTOP1SRC2(mul, mul_ex);
1017 FASTOP1SRC2(imul, imul_ex);
1018 FASTOP1SRC2EX(div, div_ex);
1019 FASTOP1SRC2EX(idiv, idiv_ex);
1020
1021 FASTOP3WCL(shld);
1022 FASTOP3WCL(shrd);
1023
1024 FASTOP2W(imul);
1025
1026 FASTOP1(not);
1027 FASTOP1(neg);
1028 FASTOP1(inc);
1029 FASTOP1(dec);
1030
1031 FASTOP2CL(rol);
1032 FASTOP2CL(ror);
1033 FASTOP2CL(rcl);
1034 FASTOP2CL(rcr);
1035 FASTOP2CL(shl);
1036 FASTOP2CL(shr);
1037 FASTOP2CL(sar);
1038
1039 FASTOP2W(bsf);
1040 FASTOP2W(bsr);
1041 FASTOP2W(bt);
1042 FASTOP2W(bts);
1043 FASTOP2W(btr);
1044 FASTOP2W(btc);
1045
1046 FASTOP2(xadd);
1047
1048 FASTOP2R(cmp, cmp_r);
1049
1050 static int em_bsf_c(struct x86_emulate_ctxt *ctxt)
1051 {
1052 /* If src is zero, do not writeback, but update flags */
1053 if (ctxt->src.val == 0)
1054 ctxt->dst.type = OP_NONE;
1055 return fastop(ctxt, em_bsf);
1056 }
1057
1058 static int em_bsr_c(struct x86_emulate_ctxt *ctxt)
1059 {
1060 /* If src is zero, do not writeback, but update flags */
1061 if (ctxt->src.val == 0)
1062 ctxt->dst.type = OP_NONE;
1063 return fastop(ctxt, em_bsr);
1064 }
1065
1066 static __always_inline u8 test_cc(unsigned int condition, unsigned long flags)
1067 {
1068 u8 rc;
1069 void (*fop)(void) = (void *)em_setcc + FASTOP_SIZE * (condition & 0xf);
1070
1071 flags = (flags & EFLAGS_MASK) | X86_EFLAGS_IF;
1072 asm("push %[flags]; popf; " CALL_NOSPEC
1073 : "=a"(rc), ASM_CALL_CONSTRAINT : [thunk_target]"r"(fop), [flags]"r"(flags));
1074 return rc;
1075 }
1076
1077 static void fetch_register_operand(struct operand *op)
1078 {
1079 switch (op->bytes) {
1080 case 1:
1081 op->val = *(u8 *)op->addr.reg;
1082 break;
1083 case 2:
1084 op->val = *(u16 *)op->addr.reg;
1085 break;
1086 case 4:
1087 op->val = *(u32 *)op->addr.reg;
1088 break;
1089 case 8:
1090 op->val = *(u64 *)op->addr.reg;
1091 break;
1092 }
1093 }
1094
1095 static int em_fninit(struct x86_emulate_ctxt *ctxt)
1096 {
1097 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1098 return emulate_nm(ctxt);
1099
1100 kvm_fpu_get();
1101 asm volatile("fninit");
1102 kvm_fpu_put();
1103 return X86EMUL_CONTINUE;
1104 }
1105
1106 static int em_fnstcw(struct x86_emulate_ctxt *ctxt)
1107 {
1108 u16 fcw;
1109
1110 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1111 return emulate_nm(ctxt);
1112
1113 kvm_fpu_get();
1114 asm volatile("fnstcw %0": "+m"(fcw));
1115 kvm_fpu_put();
1116
1117 ctxt->dst.val = fcw;
1118
1119 return X86EMUL_CONTINUE;
1120 }
1121
1122 static int em_fnstsw(struct x86_emulate_ctxt *ctxt)
1123 {
1124 u16 fsw;
1125
1126 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1127 return emulate_nm(ctxt);
1128
1129 kvm_fpu_get();
1130 asm volatile("fnstsw %0": "+m"(fsw));
1131 kvm_fpu_put();
1132
1133 ctxt->dst.val = fsw;
1134
1135 return X86EMUL_CONTINUE;
1136 }
1137
1138 static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
1139 struct operand *op)
1140 {
1141 unsigned int reg;
1142
1143 if (ctxt->d & ModRM)
1144 reg = ctxt->modrm_reg;
1145 else
1146 reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3);
1147
1148 if (ctxt->d & Sse) {
1149 op->type = OP_XMM;
1150 op->bytes = 16;
1151 op->addr.xmm = reg;
1152 kvm_read_sse_reg(reg, &op->vec_val);
1153 return;
1154 }
1155 if (ctxt->d & Mmx) {
1156 reg &= 7;
1157 op->type = OP_MM;
1158 op->bytes = 8;
1159 op->addr.mm = reg;
1160 return;
1161 }
1162
1163 op->type = OP_REG;
1164 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1165 op->addr.reg = decode_register(ctxt, reg, ctxt->d & ByteOp);
1166
1167 fetch_register_operand(op);
1168 op->orig_val = op->val;
1169 }
1170
1171 static void adjust_modrm_seg(struct x86_emulate_ctxt *ctxt, int base_reg)
1172 {
1173 if (base_reg == VCPU_REGS_RSP || base_reg == VCPU_REGS_RBP)
1174 ctxt->modrm_seg = VCPU_SREG_SS;
1175 }
1176
1177 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
1178 struct operand *op)
1179 {
1180 u8 sib;
1181 int index_reg, base_reg, scale;
1182 int rc = X86EMUL_CONTINUE;
1183 ulong modrm_ea = 0;
1184
1185 ctxt->modrm_reg = ((ctxt->rex_prefix << 1) & 8); /* REX.R */
1186 index_reg = (ctxt->rex_prefix << 2) & 8; /* REX.X */
1187 base_reg = (ctxt->rex_prefix << 3) & 8; /* REX.B */
1188
1189 ctxt->modrm_mod = (ctxt->modrm & 0xc0) >> 6;
1190 ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
1191 ctxt->modrm_rm = base_reg | (ctxt->modrm & 0x07);
1192 ctxt->modrm_seg = VCPU_SREG_DS;
1193
1194 if (ctxt->modrm_mod == 3 || (ctxt->d & NoMod)) {
1195 op->type = OP_REG;
1196 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1197 op->addr.reg = decode_register(ctxt, ctxt->modrm_rm,
1198 ctxt->d & ByteOp);
1199 if (ctxt->d & Sse) {
1200 op->type = OP_XMM;
1201 op->bytes = 16;
1202 op->addr.xmm = ctxt->modrm_rm;
1203 kvm_read_sse_reg(ctxt->modrm_rm, &op->vec_val);
1204 return rc;
1205 }
1206 if (ctxt->d & Mmx) {
1207 op->type = OP_MM;
1208 op->bytes = 8;
1209 op->addr.mm = ctxt->modrm_rm & 7;
1210 return rc;
1211 }
1212 fetch_register_operand(op);
1213 return rc;
1214 }
1215
1216 op->type = OP_MEM;
1217
1218 if (ctxt->ad_bytes == 2) {
1219 unsigned bx = reg_read(ctxt, VCPU_REGS_RBX);
1220 unsigned bp = reg_read(ctxt, VCPU_REGS_RBP);
1221 unsigned si = reg_read(ctxt, VCPU_REGS_RSI);
1222 unsigned di = reg_read(ctxt, VCPU_REGS_RDI);
1223
1224 /* 16-bit ModR/M decode. */
1225 switch (ctxt->modrm_mod) {
1226 case 0:
1227 if (ctxt->modrm_rm == 6)
1228 modrm_ea += insn_fetch(u16, ctxt);
1229 break;
1230 case 1:
1231 modrm_ea += insn_fetch(s8, ctxt);
1232 break;
1233 case 2:
1234 modrm_ea += insn_fetch(u16, ctxt);
1235 break;
1236 }
1237 switch (ctxt->modrm_rm) {
1238 case 0:
1239 modrm_ea += bx + si;
1240 break;
1241 case 1:
1242 modrm_ea += bx + di;
1243 break;
1244 case 2:
1245 modrm_ea += bp + si;
1246 break;
1247 case 3:
1248 modrm_ea += bp + di;
1249 break;
1250 case 4:
1251 modrm_ea += si;
1252 break;
1253 case 5:
1254 modrm_ea += di;
1255 break;
1256 case 6:
1257 if (ctxt->modrm_mod != 0)
1258 modrm_ea += bp;
1259 break;
1260 case 7:
1261 modrm_ea += bx;
1262 break;
1263 }
1264 if (ctxt->modrm_rm == 2 || ctxt->modrm_rm == 3 ||
1265 (ctxt->modrm_rm == 6 && ctxt->modrm_mod != 0))
1266 ctxt->modrm_seg = VCPU_SREG_SS;
1267 modrm_ea = (u16)modrm_ea;
1268 } else {
1269 /* 32/64-bit ModR/M decode. */
1270 if ((ctxt->modrm_rm & 7) == 4) {
1271 sib = insn_fetch(u8, ctxt);
1272 index_reg |= (sib >> 3) & 7;
1273 base_reg |= sib & 7;
1274 scale = sib >> 6;
1275
1276 if ((base_reg & 7) == 5 && ctxt->modrm_mod == 0)
1277 modrm_ea += insn_fetch(s32, ctxt);
1278 else {
1279 modrm_ea += reg_read(ctxt, base_reg);
1280 adjust_modrm_seg(ctxt, base_reg);
1281 /* Increment ESP on POP [ESP] */
1282 if ((ctxt->d & IncSP) &&
1283 base_reg == VCPU_REGS_RSP)
1284 modrm_ea += ctxt->op_bytes;
1285 }
1286 if (index_reg != 4)
1287 modrm_ea += reg_read(ctxt, index_reg) << scale;
1288 } else if ((ctxt->modrm_rm & 7) == 5 && ctxt->modrm_mod == 0) {
1289 modrm_ea += insn_fetch(s32, ctxt);
1290 if (ctxt->mode == X86EMUL_MODE_PROT64)
1291 ctxt->rip_relative = 1;
1292 } else {
1293 base_reg = ctxt->modrm_rm;
1294 modrm_ea += reg_read(ctxt, base_reg);
1295 adjust_modrm_seg(ctxt, base_reg);
1296 }
1297 switch (ctxt->modrm_mod) {
1298 case 1:
1299 modrm_ea += insn_fetch(s8, ctxt);
1300 break;
1301 case 2:
1302 modrm_ea += insn_fetch(s32, ctxt);
1303 break;
1304 }
1305 }
1306 op->addr.mem.ea = modrm_ea;
1307 if (ctxt->ad_bytes != 8)
1308 ctxt->memop.addr.mem.ea = (u32)ctxt->memop.addr.mem.ea;
1309
1310 done:
1311 return rc;
1312 }
1313
1314 static int decode_abs(struct x86_emulate_ctxt *ctxt,
1315 struct operand *op)
1316 {
1317 int rc = X86EMUL_CONTINUE;
1318
1319 op->type = OP_MEM;
1320 switch (ctxt->ad_bytes) {
1321 case 2:
1322 op->addr.mem.ea = insn_fetch(u16, ctxt);
1323 break;
1324 case 4:
1325 op->addr.mem.ea = insn_fetch(u32, ctxt);
1326 break;
1327 case 8:
1328 op->addr.mem.ea = insn_fetch(u64, ctxt);
1329 break;
1330 }
1331 done:
1332 return rc;
1333 }
1334
1335 static void fetch_bit_operand(struct x86_emulate_ctxt *ctxt)
1336 {
1337 long sv = 0, mask;
1338
1339 if (ctxt->dst.type == OP_MEM && ctxt->src.type == OP_REG) {
1340 mask = ~((long)ctxt->dst.bytes * 8 - 1);
1341
1342 if (ctxt->src.bytes == 2)
1343 sv = (s16)ctxt->src.val & (s16)mask;
1344 else if (ctxt->src.bytes == 4)
1345 sv = (s32)ctxt->src.val & (s32)mask;
1346 else
1347 sv = (s64)ctxt->src.val & (s64)mask;
1348
1349 ctxt->dst.addr.mem.ea = address_mask(ctxt,
1350 ctxt->dst.addr.mem.ea + (sv >> 3));
1351 }
1352
1353 /* only subword offset */
1354 ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
1355 }
1356
1357 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1358 unsigned long addr, void *dest, unsigned size)
1359 {
1360 int rc;
1361 struct read_cache *mc = &ctxt->mem_read;
1362
1363 if (mc->pos < mc->end)
1364 goto read_cached;
1365
1366 if (KVM_EMULATOR_BUG_ON((mc->end + size) >= sizeof(mc->data), ctxt))
1367 return X86EMUL_UNHANDLEABLE;
1368
1369 rc = ctxt->ops->read_emulated(ctxt, addr, mc->data + mc->end, size,
1370 &ctxt->exception);
1371 if (rc != X86EMUL_CONTINUE)
1372 return rc;
1373
1374 mc->end += size;
1375
1376 read_cached:
1377 memcpy(dest, mc->data + mc->pos, size);
1378 mc->pos += size;
1379 return X86EMUL_CONTINUE;
1380 }
1381
1382 static int segmented_read(struct x86_emulate_ctxt *ctxt,
1383 struct segmented_address addr,
1384 void *data,
1385 unsigned size)
1386 {
1387 int rc;
1388 ulong linear;
1389
1390 rc = linearize(ctxt, addr, size, false, &linear);
1391 if (rc != X86EMUL_CONTINUE)
1392 return rc;
1393 return read_emulated(ctxt, linear, data, size);
1394 }
1395
1396 static int segmented_write(struct x86_emulate_ctxt *ctxt,
1397 struct segmented_address addr,
1398 const void *data,
1399 unsigned size)
1400 {
1401 int rc;
1402 ulong linear;
1403
1404 rc = linearize(ctxt, addr, size, true, &linear);
1405 if (rc != X86EMUL_CONTINUE)
1406 return rc;
1407 return ctxt->ops->write_emulated(ctxt, linear, data, size,
1408 &ctxt->exception);
1409 }
1410
1411 static int segmented_cmpxchg(struct x86_emulate_ctxt *ctxt,
1412 struct segmented_address addr,
1413 const void *orig_data, const void *data,
1414 unsigned size)
1415 {
1416 int rc;
1417 ulong linear;
1418
1419 rc = linearize(ctxt, addr, size, true, &linear);
1420 if (rc != X86EMUL_CONTINUE)
1421 return rc;
1422 return ctxt->ops->cmpxchg_emulated(ctxt, linear, orig_data, data,
1423 size, &ctxt->exception);
1424 }
1425
1426 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1427 unsigned int size, unsigned short port,
1428 void *dest)
1429 {
1430 struct read_cache *rc = &ctxt->io_read;
1431
1432 if (rc->pos == rc->end) { /* refill pio read ahead */
1433 unsigned int in_page, n;
1434 unsigned int count = ctxt->rep_prefix ?
1435 address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) : 1;
1436 in_page = (ctxt->eflags & X86_EFLAGS_DF) ?
1437 offset_in_page(reg_read(ctxt, VCPU_REGS_RDI)) :
1438 PAGE_SIZE - offset_in_page(reg_read(ctxt, VCPU_REGS_RDI));
1439 n = min3(in_page, (unsigned int)sizeof(rc->data) / size, count);
1440 if (n == 0)
1441 n = 1;
1442 rc->pos = rc->end = 0;
1443 if (!ctxt->ops->pio_in_emulated(ctxt, size, port, rc->data, n))
1444 return 0;
1445 rc->end = n * size;
1446 }
1447
1448 if (ctxt->rep_prefix && (ctxt->d & String) &&
1449 !(ctxt->eflags & X86_EFLAGS_DF)) {
1450 ctxt->dst.data = rc->data + rc->pos;
1451 ctxt->dst.type = OP_MEM_STR;
1452 ctxt->dst.count = (rc->end - rc->pos) / size;
1453 rc->pos = rc->end;
1454 } else {
1455 memcpy(dest, rc->data + rc->pos, size);
1456 rc->pos += size;
1457 }
1458 return 1;
1459 }
1460
1461 static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt,
1462 u16 index, struct desc_struct *desc)
1463 {
1464 struct desc_ptr dt;
1465 ulong addr;
1466
1467 ctxt->ops->get_idt(ctxt, &dt);
1468
1469 if (dt.size < index * 8 + 7)
1470 return emulate_gp(ctxt, index << 3 | 0x2);
1471
1472 addr = dt.address + index * 8;
1473 return linear_read_system(ctxt, addr, desc, sizeof(*desc));
1474 }
1475
1476 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1477 u16 selector, struct desc_ptr *dt)
1478 {
1479 const struct x86_emulate_ops *ops = ctxt->ops;
1480 u32 base3 = 0;
1481
1482 if (selector & 1 << 2) {
1483 struct desc_struct desc;
1484 u16 sel;
1485
1486 memset(dt, 0, sizeof(*dt));
1487 if (!ops->get_segment(ctxt, &sel, &desc, &base3,
1488 VCPU_SREG_LDTR))
1489 return;
1490
1491 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1492 dt->address = get_desc_base(&desc) | ((u64)base3 << 32);
1493 } else
1494 ops->get_gdt(ctxt, dt);
1495 }
1496
1497 static int get_descriptor_ptr(struct x86_emulate_ctxt *ctxt,
1498 u16 selector, ulong *desc_addr_p)
1499 {
1500 struct desc_ptr dt;
1501 u16 index = selector >> 3;
1502 ulong addr;
1503
1504 get_descriptor_table_ptr(ctxt, selector, &dt);
1505
1506 if (dt.size < index * 8 + 7)
1507 return emulate_gp(ctxt, selector & 0xfffc);
1508
1509 addr = dt.address + index * 8;
1510
1511 #ifdef CONFIG_X86_64
1512 if (addr >> 32 != 0) {
1513 u64 efer = 0;
1514
1515 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1516 if (!(efer & EFER_LMA))
1517 addr &= (u32)-1;
1518 }
1519 #endif
1520
1521 *desc_addr_p = addr;
1522 return X86EMUL_CONTINUE;
1523 }
1524
1525 /* allowed just for 8 bytes segments */
1526 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1527 u16 selector, struct desc_struct *desc,
1528 ulong *desc_addr_p)
1529 {
1530 int rc;
1531
1532 rc = get_descriptor_ptr(ctxt, selector, desc_addr_p);
1533 if (rc != X86EMUL_CONTINUE)
1534 return rc;
1535
1536 return linear_read_system(ctxt, *desc_addr_p, desc, sizeof(*desc));
1537 }
1538
1539 /* allowed just for 8 bytes segments */
1540 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1541 u16 selector, struct desc_struct *desc)
1542 {
1543 int rc;
1544 ulong addr;
1545
1546 rc = get_descriptor_ptr(ctxt, selector, &addr);
1547 if (rc != X86EMUL_CONTINUE)
1548 return rc;
1549
1550 return linear_write_system(ctxt, addr, desc, sizeof(*desc));
1551 }
1552
1553 static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1554 u16 selector, int seg, u8 cpl,
1555 enum x86_transfer_type transfer,
1556 struct desc_struct *desc)
1557 {
1558 struct desc_struct seg_desc, old_desc;
1559 u8 dpl, rpl;
1560 unsigned err_vec = GP_VECTOR;
1561 u32 err_code = 0;
1562 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1563 ulong desc_addr;
1564 int ret;
1565 u16 dummy;
1566 u32 base3 = 0;
1567
1568 memset(&seg_desc, 0, sizeof(seg_desc));
1569
1570 if (ctxt->mode == X86EMUL_MODE_REAL) {
1571 /* set real mode segment descriptor (keep limit etc. for
1572 * unreal mode) */
1573 ctxt->ops->get_segment(ctxt, &dummy, &seg_desc, NULL, seg);
1574 set_desc_base(&seg_desc, selector << 4);
1575 goto load;
1576 } else if (seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86) {
1577 /* VM86 needs a clean new segment descriptor */
1578 set_desc_base(&seg_desc, selector << 4);
1579 set_desc_limit(&seg_desc, 0xffff);
1580 seg_desc.type = 3;
1581 seg_desc.p = 1;
1582 seg_desc.s = 1;
1583 seg_desc.dpl = 3;
1584 goto load;
1585 }
1586
1587 rpl = selector & 3;
1588
1589 /* TR should be in GDT only */
1590 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1591 goto exception;
1592
1593 /* NULL selector is not valid for TR, CS and (except for long mode) SS */
1594 if (null_selector) {
1595 if (seg == VCPU_SREG_CS || seg == VCPU_SREG_TR)
1596 goto exception;
1597
1598 if (seg == VCPU_SREG_SS) {
1599 if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)
1600 goto exception;
1601
1602 /*
1603 * ctxt->ops->set_segment expects the CPL to be in
1604 * SS.DPL, so fake an expand-up 32-bit data segment.
1605 */
1606 seg_desc.type = 3;
1607 seg_desc.p = 1;
1608 seg_desc.s = 1;
1609 seg_desc.dpl = cpl;
1610 seg_desc.d = 1;
1611 seg_desc.g = 1;
1612 }
1613
1614 /* Skip all following checks */
1615 goto load;
1616 }
1617
1618 ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr);
1619 if (ret != X86EMUL_CONTINUE)
1620 return ret;
1621
1622 err_code = selector & 0xfffc;
1623 err_vec = (transfer == X86_TRANSFER_TASK_SWITCH) ? TS_VECTOR :
1624 GP_VECTOR;
1625
1626 /* can't load system descriptor into segment selector */
1627 if (seg <= VCPU_SREG_GS && !seg_desc.s) {
1628 if (transfer == X86_TRANSFER_CALL_JMP)
1629 return X86EMUL_UNHANDLEABLE;
1630 goto exception;
1631 }
1632
1633 dpl = seg_desc.dpl;
1634
1635 switch (seg) {
1636 case VCPU_SREG_SS:
1637 /*
1638 * segment is not a writable data segment or segment
1639 * selector's RPL != CPL or DPL != CPL
1640 */
1641 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1642 goto exception;
1643 break;
1644 case VCPU_SREG_CS:
1645 /*
1646 * KVM uses "none" when loading CS as part of emulating Real
1647 * Mode exceptions and IRET (handled above). In all other
1648 * cases, loading CS without a control transfer is a KVM bug.
1649 */
1650 if (WARN_ON_ONCE(transfer == X86_TRANSFER_NONE))
1651 goto exception;
1652
1653 if (!(seg_desc.type & 8))
1654 goto exception;
1655
1656 if (transfer == X86_TRANSFER_RET) {
1657 /* RET can never return to an inner privilege level. */
1658 if (rpl < cpl)
1659 goto exception;
1660 /* Outer-privilege level return is not implemented */
1661 if (rpl > cpl)
1662 return X86EMUL_UNHANDLEABLE;
1663 }
1664 if (transfer == X86_TRANSFER_RET || transfer == X86_TRANSFER_TASK_SWITCH) {
1665 if (seg_desc.type & 4) {
1666 /* conforming */
1667 if (dpl > rpl)
1668 goto exception;
1669 } else {
1670 /* nonconforming */
1671 if (dpl != rpl)
1672 goto exception;
1673 }
1674 } else { /* X86_TRANSFER_CALL_JMP */
1675 if (seg_desc.type & 4) {
1676 /* conforming */
1677 if (dpl > cpl)
1678 goto exception;
1679 } else {
1680 /* nonconforming */
1681 if (rpl > cpl || dpl != cpl)
1682 goto exception;
1683 }
1684 }
1685 /* in long-mode d/b must be clear if l is set */
1686 if (seg_desc.d && seg_desc.l) {
1687 u64 efer = 0;
1688
1689 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1690 if (efer & EFER_LMA)
1691 goto exception;
1692 }
1693
1694 /* CS(RPL) <- CPL */
1695 selector = (selector & 0xfffc) | cpl;
1696 break;
1697 case VCPU_SREG_TR:
1698 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1699 goto exception;
1700 break;
1701 case VCPU_SREG_LDTR:
1702 if (seg_desc.s || seg_desc.type != 2)
1703 goto exception;
1704 break;
1705 default: /* DS, ES, FS, or GS */
1706 /*
1707 * segment is not a data or readable code segment or
1708 * ((segment is a data or nonconforming code segment)
1709 * and ((RPL > DPL) or (CPL > DPL)))
1710 */
1711 if ((seg_desc.type & 0xa) == 0x8 ||
1712 (((seg_desc.type & 0xc) != 0xc) &&
1713 (rpl > dpl || cpl > dpl)))
1714 goto exception;
1715 break;
1716 }
1717
1718 if (!seg_desc.p) {
1719 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1720 goto exception;
1721 }
1722
1723 if (seg_desc.s) {
1724 /* mark segment as accessed */
1725 if (!(seg_desc.type & 1)) {
1726 seg_desc.type |= 1;
1727 ret = write_segment_descriptor(ctxt, selector,
1728 &seg_desc);
1729 if (ret != X86EMUL_CONTINUE)
1730 return ret;
1731 }
1732 } else if (ctxt->mode == X86EMUL_MODE_PROT64) {
1733 ret = linear_read_system(ctxt, desc_addr+8, &base3, sizeof(base3));
1734 if (ret != X86EMUL_CONTINUE)
1735 return ret;
1736 if (emul_is_noncanonical_address(get_desc_base(&seg_desc) |
1737 ((u64)base3 << 32), ctxt,
1738 X86EMUL_F_DT_LOAD))
1739 return emulate_gp(ctxt, err_code);
1740 }
1741
1742 if (seg == VCPU_SREG_TR) {
1743 old_desc = seg_desc;
1744 seg_desc.type |= 2; /* busy */
1745 ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
1746 sizeof(seg_desc), &ctxt->exception);
1747 if (ret != X86EMUL_CONTINUE)
1748 return ret;
1749 }
1750 load:
1751 ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg);
1752 if (desc)
1753 *desc = seg_desc;
1754 return X86EMUL_CONTINUE;
1755 exception:
1756 return emulate_exception(ctxt, err_vec, err_code, true);
1757 }
1758
1759 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1760 u16 selector, int seg)
1761 {
1762 u8 cpl = ctxt->ops->cpl(ctxt);
1763
1764 /*
1765 * None of MOV, POP and LSS can load a NULL selector in CPL=3, but
1766 * they can load it at CPL<3 (Intel's manual says only LSS can,
1767 * but it's wrong).
1768 *
1769 * However, the Intel manual says that putting IST=1/DPL=3 in
1770 * an interrupt gate will result in SS=3 (the AMD manual instead
1771 * says it doesn't), so allow SS=3 in __load_segment_descriptor
1772 * and only forbid it here.
1773 */
1774 if (seg == VCPU_SREG_SS && selector == 3 &&
1775 ctxt->mode == X86EMUL_MODE_PROT64)
1776 return emulate_exception(ctxt, GP_VECTOR, 0, true);
1777
1778 return __load_segment_descriptor(ctxt, selector, seg, cpl,
1779 X86_TRANSFER_NONE, NULL);
1780 }
1781
1782 static void write_register_operand(struct operand *op)
1783 {
1784 return assign_register(op->addr.reg, op->val, op->bytes);
1785 }
1786
1787 static int writeback(struct x86_emulate_ctxt *ctxt, struct operand *op)
1788 {
1789 switch (op->type) {
1790 case OP_REG:
1791 write_register_operand(op);
1792 break;
1793 case OP_MEM:
1794 if (ctxt->lock_prefix)
1795 return segmented_cmpxchg(ctxt,
1796 op->addr.mem,
1797 &op->orig_val,
1798 &op->val,
1799 op->bytes);
1800 else
1801 return segmented_write(ctxt,
1802 op->addr.mem,
1803 &op->val,
1804 op->bytes);
1805 case OP_MEM_STR:
1806 return segmented_write(ctxt,
1807 op->addr.mem,
1808 op->data,
1809 op->bytes * op->count);
1810 case OP_XMM:
1811 kvm_write_sse_reg(op->addr.xmm, &op->vec_val);
1812 break;
1813 case OP_MM:
1814 kvm_write_mmx_reg(op->addr.mm, &op->mm_val);
1815 break;
1816 case OP_NONE:
1817 /* no writeback */
1818 break;
1819 default:
1820 break;
1821 }
1822 return X86EMUL_CONTINUE;
1823 }
1824
1825 static int emulate_push(struct x86_emulate_ctxt *ctxt, const void *data, int len)
1826 {
1827 struct segmented_address addr;
1828
1829 rsp_increment(ctxt, -len);
1830 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1831 addr.seg = VCPU_SREG_SS;
1832
1833 return segmented_write(ctxt, addr, data, len);
1834 }
1835
1836 static int em_push(struct x86_emulate_ctxt *ctxt)
1837 {
1838 /* Disable writeback. */
1839 ctxt->dst.type = OP_NONE;
1840 return emulate_push(ctxt, &ctxt->src.val, ctxt->op_bytes);
1841 }
1842
1843 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1844 void *dest, int len)
1845 {
1846 int rc;
1847 struct segmented_address addr;
1848
1849 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1850 addr.seg = VCPU_SREG_SS;
1851 rc = segmented_read(ctxt, addr, dest, len);
1852 if (rc != X86EMUL_CONTINUE)
1853 return rc;
1854
1855 rsp_increment(ctxt, len);
1856 return rc;
1857 }
1858
1859 static int em_pop(struct x86_emulate_ctxt *ctxt)
1860 {
1861 return emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1862 }
1863
1864 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1865 void *dest, int len)
1866 {
1867 int rc;
1868 unsigned long val = 0;
1869 unsigned long change_mask;
1870 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> X86_EFLAGS_IOPL_BIT;
1871 int cpl = ctxt->ops->cpl(ctxt);
1872
1873 rc = emulate_pop(ctxt, &val, len);
1874 if (rc != X86EMUL_CONTINUE)
1875 return rc;
1876
1877 change_mask = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
1878 X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_OF |
1879 X86_EFLAGS_TF | X86_EFLAGS_DF | X86_EFLAGS_NT |
1880 X86_EFLAGS_AC | X86_EFLAGS_ID;
1881
1882 switch(ctxt->mode) {
1883 case X86EMUL_MODE_PROT64:
1884 case X86EMUL_MODE_PROT32:
1885 case X86EMUL_MODE_PROT16:
1886 if (cpl == 0)
1887 change_mask |= X86_EFLAGS_IOPL;
1888 if (cpl <= iopl)
1889 change_mask |= X86_EFLAGS_IF;
1890 break;
1891 case X86EMUL_MODE_VM86:
1892 if (iopl < 3)
1893 return emulate_gp(ctxt, 0);
1894 change_mask |= X86_EFLAGS_IF;
1895 break;
1896 default: /* real mode */
1897 change_mask |= (X86_EFLAGS_IOPL | X86_EFLAGS_IF);
1898 break;
1899 }
1900
1901 *(unsigned long *)dest =
1902 (ctxt->eflags & ~change_mask) | (val & change_mask);
1903
1904 return rc;
1905 }
1906
1907 static int em_popf(struct x86_emulate_ctxt *ctxt)
1908 {
1909 ctxt->dst.type = OP_REG;
1910 ctxt->dst.addr.reg = &ctxt->eflags;
1911 ctxt->dst.bytes = ctxt->op_bytes;
1912 return emulate_popf(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1913 }
1914
1915 static int em_enter(struct x86_emulate_ctxt *ctxt)
1916 {
1917 int rc;
1918 unsigned frame_size = ctxt->src.val;
1919 unsigned nesting_level = ctxt->src2.val & 31;
1920 ulong rbp;
1921
1922 if (nesting_level)
1923 return X86EMUL_UNHANDLEABLE;
1924
1925 rbp = reg_read(ctxt, VCPU_REGS_RBP);
1926 rc = emulate_push(ctxt, &rbp, stack_size(ctxt));
1927 if (rc != X86EMUL_CONTINUE)
1928 return rc;
1929 assign_masked(reg_rmw(ctxt, VCPU_REGS_RBP), reg_read(ctxt, VCPU_REGS_RSP),
1930 stack_mask(ctxt));
1931 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP),
1932 reg_read(ctxt, VCPU_REGS_RSP) - frame_size,
1933 stack_mask(ctxt));
1934 return X86EMUL_CONTINUE;
1935 }
1936
1937 static int em_leave(struct x86_emulate_ctxt *ctxt)
1938 {
1939 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP), reg_read(ctxt, VCPU_REGS_RBP),
1940 stack_mask(ctxt));
1941 return emulate_pop(ctxt, reg_rmw(ctxt, VCPU_REGS_RBP), ctxt->op_bytes);
1942 }
1943
1944 static int em_push_sreg(struct x86_emulate_ctxt *ctxt)
1945 {
1946 int seg = ctxt->src2.val;
1947
1948 ctxt->src.val = get_segment_selector(ctxt, seg);
1949 if (ctxt->op_bytes == 4) {
1950 rsp_increment(ctxt, -2);
1951 ctxt->op_bytes = 2;
1952 }
1953
1954 return em_push(ctxt);
1955 }
1956
1957 static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
1958 {
1959 int seg = ctxt->src2.val;
1960 unsigned long selector = 0;
1961 int rc;
1962
1963 rc = emulate_pop(ctxt, &selector, 2);
1964 if (rc != X86EMUL_CONTINUE)
1965 return rc;
1966
1967 if (seg == VCPU_SREG_SS)
1968 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
1969 if (ctxt->op_bytes > 2)
1970 rsp_increment(ctxt, ctxt->op_bytes - 2);
1971
1972 rc = load_segment_descriptor(ctxt, (u16)selector, seg);
1973 return rc;
1974 }
1975
1976 static int em_pusha(struct x86_emulate_ctxt *ctxt)
1977 {
1978 unsigned long old_esp = reg_read(ctxt, VCPU_REGS_RSP);
1979 int rc = X86EMUL_CONTINUE;
1980 int reg = VCPU_REGS_RAX;
1981
1982 while (reg <= VCPU_REGS_RDI) {
1983 (reg == VCPU_REGS_RSP) ?
1984 (ctxt->src.val = old_esp) : (ctxt->src.val = reg_read(ctxt, reg));
1985
1986 rc = em_push(ctxt);
1987 if (rc != X86EMUL_CONTINUE)
1988 return rc;
1989
1990 ++reg;
1991 }
1992
1993 return rc;
1994 }
1995
1996 static int em_pushf(struct x86_emulate_ctxt *ctxt)
1997 {
1998 ctxt->src.val = (unsigned long)ctxt->eflags & ~X86_EFLAGS_VM;
1999 return em_push(ctxt);
2000 }
2001
2002 static int em_popa(struct x86_emulate_ctxt *ctxt)
2003 {
2004 int rc = X86EMUL_CONTINUE;
2005 int reg = VCPU_REGS_RDI;
2006 u32 val = 0;
2007
2008 while (reg >= VCPU_REGS_RAX) {
2009 if (reg == VCPU_REGS_RSP) {
2010 rsp_increment(ctxt, ctxt->op_bytes);
2011 --reg;
2012 }
2013
2014 rc = emulate_pop(ctxt, &val, ctxt->op_bytes);
2015 if (rc != X86EMUL_CONTINUE)
2016 break;
2017 assign_register(reg_rmw(ctxt, reg), val, ctxt->op_bytes);
2018 --reg;
2019 }
2020 return rc;
2021 }
2022
2023 static int __emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
2024 {
2025 const struct x86_emulate_ops *ops = ctxt->ops;
2026 int rc;
2027 struct desc_ptr dt;
2028 gva_t cs_addr;
2029 gva_t eip_addr;
2030 u16 cs, eip;
2031
2032 /* TODO: Add limit checks */
2033 ctxt->src.val = ctxt->eflags;
2034 rc = em_push(ctxt);
2035 if (rc != X86EMUL_CONTINUE)
2036 return rc;
2037
2038 ctxt->eflags &= ~(X86_EFLAGS_IF | X86_EFLAGS_TF | X86_EFLAGS_AC);
2039
2040 ctxt->src.val = get_segment_selector(ctxt, VCPU_SREG_CS);
2041 rc = em_push(ctxt);
2042 if (rc != X86EMUL_CONTINUE)
2043 return rc;
2044
2045 ctxt->src.val = ctxt->_eip;
2046 rc = em_push(ctxt);
2047 if (rc != X86EMUL_CONTINUE)
2048 return rc;
2049
2050 ops->get_idt(ctxt, &dt);
2051
2052 eip_addr = dt.address + (irq << 2);
2053 cs_addr = dt.address + (irq << 2) + 2;
2054
2055 rc = linear_read_system(ctxt, cs_addr, &cs, 2);
2056 if (rc != X86EMUL_CONTINUE)
2057 return rc;
2058
2059 rc = linear_read_system(ctxt, eip_addr, &eip, 2);
2060 if (rc != X86EMUL_CONTINUE)
2061 return rc;
2062
2063 rc = load_segment_descriptor(ctxt, cs, VCPU_SREG_CS);
2064 if (rc != X86EMUL_CONTINUE)
2065 return rc;
2066
2067 ctxt->_eip = eip;
2068
2069 return rc;
2070 }
2071
2072 int emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
2073 {
2074 int rc;
2075
2076 invalidate_registers(ctxt);
2077 rc = __emulate_int_real(ctxt, irq);
2078 if (rc == X86EMUL_CONTINUE)
2079 writeback_registers(ctxt);
2080 return rc;
2081 }
2082
2083 static int emulate_int(struct x86_emulate_ctxt *ctxt, int irq)
2084 {
2085 switch(ctxt->mode) {
2086 case X86EMUL_MODE_REAL:
2087 return __emulate_int_real(ctxt, irq);
2088 case X86EMUL_MODE_VM86:
2089 case X86EMUL_MODE_PROT16:
2090 case X86EMUL_MODE_PROT32:
2091 case X86EMUL_MODE_PROT64:
2092 default:
2093 /* Protected mode interrupts unimplemented yet */
2094 return X86EMUL_UNHANDLEABLE;
2095 }
2096 }
2097
2098 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
2099 {
2100 int rc = X86EMUL_CONTINUE;
2101 unsigned long temp_eip = 0;
2102 unsigned long temp_eflags = 0;
2103 unsigned long cs = 0;
2104 unsigned long mask = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
2105 X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_TF |
2106 X86_EFLAGS_IF | X86_EFLAGS_DF | X86_EFLAGS_OF |
2107 X86_EFLAGS_IOPL | X86_EFLAGS_NT | X86_EFLAGS_RF |
2108 X86_EFLAGS_AC | X86_EFLAGS_ID |
2109 X86_EFLAGS_FIXED;
2110 unsigned long vm86_mask = X86_EFLAGS_VM | X86_EFLAGS_VIF |
2111 X86_EFLAGS_VIP;
2112
2113 /* TODO: Add stack limit check */
2114
2115 rc = emulate_pop(ctxt, &temp_eip, ctxt->op_bytes);
2116
2117 if (rc != X86EMUL_CONTINUE)
2118 return rc;
2119
2120 if (temp_eip & ~0xffff)
2121 return emulate_gp(ctxt, 0);
2122
2123 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2124
2125 if (rc != X86EMUL_CONTINUE)
2126 return rc;
2127
2128 rc = emulate_pop(ctxt, &temp_eflags, ctxt->op_bytes);
2129
2130 if (rc != X86EMUL_CONTINUE)
2131 return rc;
2132
2133 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
2134
2135 if (rc != X86EMUL_CONTINUE)
2136 return rc;
2137
2138 ctxt->_eip = temp_eip;
2139
2140 if (ctxt->op_bytes == 4)
2141 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
2142 else if (ctxt->op_bytes == 2) {
2143 ctxt->eflags &= ~0xffff;
2144 ctxt->eflags |= temp_eflags;
2145 }
2146
2147 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
2148 ctxt->eflags |= X86_EFLAGS_FIXED;
2149 ctxt->ops->set_nmi_mask(ctxt, false);
2150
2151 return rc;
2152 }
2153
2154 static int em_iret(struct x86_emulate_ctxt *ctxt)
2155 {
2156 switch(ctxt->mode) {
2157 case X86EMUL_MODE_REAL:
2158 return emulate_iret_real(ctxt);
2159 case X86EMUL_MODE_VM86:
2160 case X86EMUL_MODE_PROT16:
2161 case X86EMUL_MODE_PROT32:
2162 case X86EMUL_MODE_PROT64:
2163 default:
2164 /* iret from protected mode unimplemented yet */
2165 return X86EMUL_UNHANDLEABLE;
2166 }
2167 }
2168
2169 static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
2170 {
2171 int rc;
2172 unsigned short sel;
2173 struct desc_struct new_desc;
2174 u8 cpl = ctxt->ops->cpl(ctxt);
2175
2176 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2177
2178 rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
2179 X86_TRANSFER_CALL_JMP,
2180 &new_desc);
2181 if (rc != X86EMUL_CONTINUE)
2182 return rc;
2183
2184 rc = assign_eip_far(ctxt, ctxt->src.val);
2185 /* Error handling is not implemented. */
2186 if (rc != X86EMUL_CONTINUE)
2187 return X86EMUL_UNHANDLEABLE;
2188
2189 return rc;
2190 }
2191
2192 static int em_jmp_abs(struct x86_emulate_ctxt *ctxt)
2193 {
2194 return assign_eip_near(ctxt, ctxt->src.val);
2195 }
2196
2197 static int em_call_near_abs(struct x86_emulate_ctxt *ctxt)
2198 {
2199 int rc;
2200 long int old_eip;
2201
2202 old_eip = ctxt->_eip;
2203 rc = assign_eip_near(ctxt, ctxt->src.val);
2204 if (rc != X86EMUL_CONTINUE)
2205 return rc;
2206 ctxt->src.val = old_eip;
2207 rc = em_push(ctxt);
2208 return rc;
2209 }
2210
2211 static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
2212 {
2213 u64 old = ctxt->dst.orig_val64;
2214
2215 if (ctxt->dst.bytes == 16)
2216 return X86EMUL_UNHANDLEABLE;
2217
2218 if (((u32) (old >> 0) != (u32) reg_read(ctxt, VCPU_REGS_RAX)) ||
2219 ((u32) (old >> 32) != (u32) reg_read(ctxt, VCPU_REGS_RDX))) {
2220 *reg_write(ctxt, VCPU_REGS_RAX) = (u32) (old >> 0);
2221 *reg_write(ctxt, VCPU_REGS_RDX) = (u32) (old >> 32);
2222 ctxt->eflags &= ~X86_EFLAGS_ZF;
2223 } else {
2224 ctxt->dst.val64 = ((u64)reg_read(ctxt, VCPU_REGS_RCX) << 32) |
2225 (u32) reg_read(ctxt, VCPU_REGS_RBX);
2226
2227 ctxt->eflags |= X86_EFLAGS_ZF;
2228 }
2229 return X86EMUL_CONTINUE;
2230 }
2231
2232 static int em_ret(struct x86_emulate_ctxt *ctxt)
2233 {
2234 int rc;
2235 unsigned long eip = 0;
2236
2237 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
2238 if (rc != X86EMUL_CONTINUE)
2239 return rc;
2240
2241 return assign_eip_near(ctxt, eip);
2242 }
2243
2244 static int em_ret_far(struct x86_emulate_ctxt *ctxt)
2245 {
2246 int rc;
2247 unsigned long eip = 0;
2248 unsigned long cs = 0;
2249 int cpl = ctxt->ops->cpl(ctxt);
2250 struct desc_struct new_desc;
2251
2252 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
2253 if (rc != X86EMUL_CONTINUE)
2254 return rc;
2255 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2256 if (rc != X86EMUL_CONTINUE)
2257 return rc;
2258 rc = __load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, cpl,
2259 X86_TRANSFER_RET,
2260 &new_desc);
2261 if (rc != X86EMUL_CONTINUE)
2262 return rc;
2263 rc = assign_eip_far(ctxt, eip);
2264 /* Error handling is not implemented. */
2265 if (rc != X86EMUL_CONTINUE)
2266 return X86EMUL_UNHANDLEABLE;
2267
2268 return rc;
2269 }
2270
2271 static int em_ret_far_imm(struct x86_emulate_ctxt *ctxt)
2272 {
2273 int rc;
2274
2275 rc = em_ret_far(ctxt);
2276 if (rc != X86EMUL_CONTINUE)
2277 return rc;
2278 rsp_increment(ctxt, ctxt->src.val);
2279 return X86EMUL_CONTINUE;
2280 }
2281
2282 static int em_cmpxchg(struct x86_emulate_ctxt *ctxt)
2283 {
2284 /* Save real source value, then compare EAX against destination. */
2285 ctxt->dst.orig_val = ctxt->dst.val;
2286 ctxt->dst.val = reg_read(ctxt, VCPU_REGS_RAX);
2287 ctxt->src.orig_val = ctxt->src.val;
2288 ctxt->src.val = ctxt->dst.orig_val;
2289 fastop(ctxt, em_cmp);
2290
2291 if (ctxt->eflags & X86_EFLAGS_ZF) {
2292 /* Success: write back to memory; no update of EAX */
2293 ctxt->src.type = OP_NONE;
2294 ctxt->dst.val = ctxt->src.orig_val;
2295 } else {
2296 /* Failure: write the value we saw to EAX. */
2297 ctxt->src.type = OP_REG;
2298 ctxt->src.addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
2299 ctxt->src.val = ctxt->dst.orig_val;
2300 /* Create write-cycle to dest by writing the same value */
2301 ctxt->dst.val = ctxt->dst.orig_val;
2302 }
2303 return X86EMUL_CONTINUE;
2304 }
2305
2306 static int em_lseg(struct x86_emulate_ctxt *ctxt)
2307 {
2308 int seg = ctxt->src2.val;
2309 unsigned short sel;
2310 int rc;
2311
2312 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2313
2314 rc = load_segment_descriptor(ctxt, sel, seg);
2315 if (rc != X86EMUL_CONTINUE)
2316 return rc;
2317
2318 ctxt->dst.val = ctxt->src.val;
2319 return rc;
2320 }
2321
2322 static int em_rsm(struct x86_emulate_ctxt *ctxt)
2323 {
2324 if (!ctxt->ops->is_smm(ctxt))
2325 return emulate_ud(ctxt);
2326
2327 if (ctxt->ops->leave_smm(ctxt))
2328 ctxt->ops->triple_fault(ctxt);
2329
2330 return emulator_recalc_and_set_mode(ctxt);
2331 }
2332
2333 static void
2334 setup_syscalls_segments(struct desc_struct *cs, struct desc_struct *ss)
2335 {
2336 cs->l = 0; /* will be adjusted later */
2337 set_desc_base(cs, 0); /* flat segment */
2338 cs->g = 1; /* 4kb granularity */
2339 set_desc_limit(cs, 0xfffff); /* 4GB limit */
2340 cs->type = 0x0b; /* Read, Execute, Accessed */
2341 cs->s = 1;
2342 cs->dpl = 0; /* will be adjusted later */
2343 cs->p = 1;
2344 cs->d = 1;
2345 cs->avl = 0;
2346
2347 set_desc_base(ss, 0); /* flat segment */
2348 set_desc_limit(ss, 0xfffff); /* 4GB limit */
2349 ss->g = 1; /* 4kb granularity */
2350 ss->s = 1;
2351 ss->type = 0x03; /* Read/Write, Accessed */
2352 ss->d = 1; /* 32bit stack segment */
2353 ss->dpl = 0;
2354 ss->p = 1;
2355 ss->l = 0;
2356 ss->avl = 0;
2357 }
2358
2359 static int em_syscall(struct x86_emulate_ctxt *ctxt)
2360 {
2361 const struct x86_emulate_ops *ops = ctxt->ops;
2362 struct desc_struct cs, ss;
2363 u64 msr_data;
2364 u16 cs_sel, ss_sel;
2365 u64 efer = 0;
2366
2367 /* syscall is not available in real mode */
2368 if (ctxt->mode == X86EMUL_MODE_REAL ||
2369 ctxt->mode == X86EMUL_MODE_VM86)
2370 return emulate_ud(ctxt);
2371
2372 /*
2373 * Intel compatible CPUs only support SYSCALL in 64-bit mode, whereas
2374 * AMD allows SYSCALL in any flavor of protected mode. Note, it's
2375 * infeasible to emulate Intel behavior when running on AMD hardware,
2376 * as SYSCALL won't fault in the "wrong" mode, i.e. there is no #UD
2377 * for KVM to trap-and-emulate, unlike emulating AMD on Intel.
2378 */
2379 if (ctxt->mode != X86EMUL_MODE_PROT64 &&
2380 ctxt->ops->guest_cpuid_is_intel_compatible(ctxt))
2381 return emulate_ud(ctxt);
2382
2383 ops->get_msr(ctxt, MSR_EFER, &efer);
2384 if (!(efer & EFER_SCE))
2385 return emulate_ud(ctxt);
2386
2387 setup_syscalls_segments(&cs, &ss);
2388 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2389 msr_data >>= 32;
2390 cs_sel = (u16)(msr_data & 0xfffc);
2391 ss_sel = (u16)(msr_data + 8);
2392
2393 if (efer & EFER_LMA) {
2394 cs.d = 0;
2395 cs.l = 1;
2396 }
2397 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2398 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2399
2400 *reg_write(ctxt, VCPU_REGS_RCX) = ctxt->_eip;
2401 if (efer & EFER_LMA) {
2402 #ifdef CONFIG_X86_64
2403 *reg_write(ctxt, VCPU_REGS_R11) = ctxt->eflags;
2404
2405 ops->get_msr(ctxt,
2406 ctxt->mode == X86EMUL_MODE_PROT64 ?
2407 MSR_LSTAR : MSR_CSTAR, &msr_data);
2408 ctxt->_eip = msr_data;
2409
2410 ops->get_msr(ctxt, MSR_SYSCALL_MASK, &msr_data);
2411 ctxt->eflags &= ~msr_data;
2412 ctxt->eflags |= X86_EFLAGS_FIXED;
2413 #endif
2414 } else {
2415 /* legacy mode */
2416 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2417 ctxt->_eip = (u32)msr_data;
2418
2419 ctxt->eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
2420 }
2421
2422 ctxt->tf = (ctxt->eflags & X86_EFLAGS_TF) != 0;
2423 return X86EMUL_CONTINUE;
2424 }
2425
2426 static int em_sysenter(struct x86_emulate_ctxt *ctxt)
2427 {
2428 const struct x86_emulate_ops *ops = ctxt->ops;
2429 struct desc_struct cs, ss;
2430 u64 msr_data;
2431 u16 cs_sel, ss_sel;
2432 u64 efer = 0;
2433
2434 ops->get_msr(ctxt, MSR_EFER, &efer);
2435 /* inject #GP if in real mode */
2436 if (ctxt->mode == X86EMUL_MODE_REAL)
2437 return emulate_gp(ctxt, 0);
2438
2439 /*
2440 * Intel's architecture allows SYSENTER in compatibility mode, but AMD
2441 * does not. Note, AMD does allow SYSENTER in legacy protected mode.
2442 */
2443 if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA) &&
2444 !ctxt->ops->guest_cpuid_is_intel_compatible(ctxt))
2445 return emulate_ud(ctxt);
2446
2447 /* sysenter/sysexit have not been tested in 64bit mode. */
2448 if (ctxt->mode == X86EMUL_MODE_PROT64)
2449 return X86EMUL_UNHANDLEABLE;
2450
2451 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2452 if ((msr_data & 0xfffc) == 0x0)
2453 return emulate_gp(ctxt, 0);
2454
2455 setup_syscalls_segments(&cs, &ss);
2456 ctxt->eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
2457 cs_sel = (u16)msr_data & ~SEGMENT_RPL_MASK;
2458 ss_sel = cs_sel + 8;
2459 if (efer & EFER_LMA) {
2460 cs.d = 0;
2461 cs.l = 1;
2462 }
2463
2464 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2465 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2466
2467 ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
2468 ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
2469
2470 ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
2471 *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
2472 (u32)msr_data;
2473 if (efer & EFER_LMA)
2474 ctxt->mode = X86EMUL_MODE_PROT64;
2475
2476 return X86EMUL_CONTINUE;
2477 }
2478
2479 static int em_sysexit(struct x86_emulate_ctxt *ctxt)
2480 {
2481 const struct x86_emulate_ops *ops = ctxt->ops;
2482 struct desc_struct cs, ss;
2483 u64 msr_data, rcx, rdx;
2484 int usermode;
2485 u16 cs_sel = 0, ss_sel = 0;
2486
2487 /* inject #GP if in real mode or Virtual 8086 mode */
2488 if (ctxt->mode == X86EMUL_MODE_REAL ||
2489 ctxt->mode == X86EMUL_MODE_VM86)
2490 return emulate_gp(ctxt, 0);
2491
2492 setup_syscalls_segments(&cs, &ss);
2493
2494 if ((ctxt->rex_prefix & 0x8) != 0x0)
2495 usermode = X86EMUL_MODE_PROT64;
2496 else
2497 usermode = X86EMUL_MODE_PROT32;
2498
2499 rcx = reg_read(ctxt, VCPU_REGS_RCX);
2500 rdx = reg_read(ctxt, VCPU_REGS_RDX);
2501
2502 cs.dpl = 3;
2503 ss.dpl = 3;
2504 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2505 switch (usermode) {
2506 case X86EMUL_MODE_PROT32:
2507 cs_sel = (u16)(msr_data + 16);
2508 if ((msr_data & 0xfffc) == 0x0)
2509 return emulate_gp(ctxt, 0);
2510 ss_sel = (u16)(msr_data + 24);
2511 rcx = (u32)rcx;
2512 rdx = (u32)rdx;
2513 break;
2514 case X86EMUL_MODE_PROT64:
2515 cs_sel = (u16)(msr_data + 32);
2516 if (msr_data == 0x0)
2517 return emulate_gp(ctxt, 0);
2518 ss_sel = cs_sel + 8;
2519 cs.d = 0;
2520 cs.l = 1;
2521 if (emul_is_noncanonical_address(rcx, ctxt, 0) ||
2522 emul_is_noncanonical_address(rdx, ctxt, 0))
2523 return emulate_gp(ctxt, 0);
2524 break;
2525 }
2526 cs_sel |= SEGMENT_RPL_MASK;
2527 ss_sel |= SEGMENT_RPL_MASK;
2528
2529 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2530 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2531
2532 ctxt->_eip = rdx;
2533 ctxt->mode = usermode;
2534 *reg_write(ctxt, VCPU_REGS_RSP) = rcx;
2535
2536 return X86EMUL_CONTINUE;
2537 }
2538
2539 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt)
2540 {
2541 int iopl;
2542 if (ctxt->mode == X86EMUL_MODE_REAL)
2543 return false;
2544 if (ctxt->mode == X86EMUL_MODE_VM86)
2545 return true;
2546 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> X86_EFLAGS_IOPL_BIT;
2547 return ctxt->ops->cpl(ctxt) > iopl;
2548 }
2549
2550 #define VMWARE_PORT_VMPORT (0x5658)
2551 #define VMWARE_PORT_VMRPC (0x5659)
2552
2553 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2554 u16 port, u16 len)
2555 {
2556 const struct x86_emulate_ops *ops = ctxt->ops;
2557 struct desc_struct tr_seg;
2558 u32 base3;
2559 int r;
2560 u16 tr, io_bitmap_ptr, perm, bit_idx = port & 0x7;
2561 unsigned mask = (1 << len) - 1;
2562 unsigned long base;
2563
2564 /*
2565 * VMware allows access to these ports even if denied
2566 * by TSS I/O permission bitmap. Mimic behavior.
2567 */
2568 if (enable_vmware_backdoor &&
2569 ((port == VMWARE_PORT_VMPORT) || (port == VMWARE_PORT_VMRPC)))
2570 return true;
2571
2572 ops->get_segment(ctxt, &tr, &tr_seg, &base3, VCPU_SREG_TR);
2573 if (!tr_seg.p)
2574 return false;
2575 if (desc_limit_scaled(&tr_seg) < 103)
2576 return false;
2577 base = get_desc_base(&tr_seg);
2578 #ifdef CONFIG_X86_64
2579 base |= ((u64)base3) << 32;
2580 #endif
2581 r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL, true);
2582 if (r != X86EMUL_CONTINUE)
2583 return false;
2584 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2585 return false;
2586 r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL, true);
2587 if (r != X86EMUL_CONTINUE)
2588 return false;
2589 if ((perm >> bit_idx) & mask)
2590 return false;
2591 return true;
2592 }
2593
2594 static bool emulator_io_permitted(struct x86_emulate_ctxt *ctxt,
2595 u16 port, u16 len)
2596 {
2597 if (ctxt->perm_ok)
2598 return true;
2599
2600 if (emulator_bad_iopl(ctxt))
2601 if (!emulator_io_port_access_allowed(ctxt, port, len))
2602 return false;
2603
2604 ctxt->perm_ok = true;
2605
2606 return true;
2607 }
2608
2609 static void string_registers_quirk(struct x86_emulate_ctxt *ctxt)
2610 {
2611 /*
2612 * Intel CPUs mask the counter and pointers in quite strange
2613 * manner when ECX is zero due to REP-string optimizations.
2614 */
2615 #ifdef CONFIG_X86_64
2616 u32 eax, ebx, ecx, edx;
2617
2618 if (ctxt->ad_bytes != 4)
2619 return;
2620
2621 eax = ecx = 0;
2622 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, true);
2623 if (!is_guest_vendor_intel(ebx, ecx, edx))
2624 return;
2625
2626 *reg_write(ctxt, VCPU_REGS_RCX) = 0;
2627
2628 switch (ctxt->b) {
2629 case 0xa4: /* movsb */
2630 case 0xa5: /* movsd/w */
2631 *reg_rmw(ctxt, VCPU_REGS_RSI) &= (u32)-1;
2632 fallthrough;
2633 case 0xaa: /* stosb */
2634 case 0xab: /* stosd/w */
2635 *reg_rmw(ctxt, VCPU_REGS_RDI) &= (u32)-1;
2636 }
2637 #endif
2638 }
2639
2640 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2641 struct tss_segment_16 *tss)
2642 {
2643 tss->ip = ctxt->_eip;
2644 tss->flag = ctxt->eflags;
2645 tss->ax = reg_read(ctxt, VCPU_REGS_RAX);
2646 tss->cx = reg_read(ctxt, VCPU_REGS_RCX);
2647 tss->dx = reg_read(ctxt, VCPU_REGS_RDX);
2648 tss->bx = reg_read(ctxt, VCPU_REGS_RBX);
2649 tss->sp = reg_read(ctxt, VCPU_REGS_RSP);
2650 tss->bp = reg_read(ctxt, VCPU_REGS_RBP);
2651 tss->si = reg_read(ctxt, VCPU_REGS_RSI);
2652 tss->di = reg_read(ctxt, VCPU_REGS_RDI);
2653
2654 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2655 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2656 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2657 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2658 tss->ldt = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2659 }
2660
2661 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2662 struct tss_segment_16 *tss)
2663 {
2664 int ret;
2665 u8 cpl;
2666
2667 ctxt->_eip = tss->ip;
2668 ctxt->eflags = tss->flag | 2;
2669 *reg_write(ctxt, VCPU_REGS_RAX) = tss->ax;
2670 *reg_write(ctxt, VCPU_REGS_RCX) = tss->cx;
2671 *reg_write(ctxt, VCPU_REGS_RDX) = tss->dx;
2672 *reg_write(ctxt, VCPU_REGS_RBX) = tss->bx;
2673 *reg_write(ctxt, VCPU_REGS_RSP) = tss->sp;
2674 *reg_write(ctxt, VCPU_REGS_RBP) = tss->bp;
2675 *reg_write(ctxt, VCPU_REGS_RSI) = tss->si;
2676 *reg_write(ctxt, VCPU_REGS_RDI) = tss->di;
2677
2678 /*
2679 * SDM says that segment selectors are loaded before segment
2680 * descriptors
2681 */
2682 set_segment_selector(ctxt, tss->ldt, VCPU_SREG_LDTR);
2683 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2684 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2685 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2686 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2687
2688 cpl = tss->cs & 3;
2689
2690 /*
2691 * Now load segment descriptors. If fault happens at this stage
2692 * it is handled in a context of new task
2693 */
2694 ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl,
2695 X86_TRANSFER_TASK_SWITCH, NULL);
2696 if (ret != X86EMUL_CONTINUE)
2697 return ret;
2698 ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
2699 X86_TRANSFER_TASK_SWITCH, NULL);
2700 if (ret != X86EMUL_CONTINUE)
2701 return ret;
2702 ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
2703 X86_TRANSFER_TASK_SWITCH, NULL);
2704 if (ret != X86EMUL_CONTINUE)
2705 return ret;
2706 ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
2707 X86_TRANSFER_TASK_SWITCH, NULL);
2708 if (ret != X86EMUL_CONTINUE)
2709 return ret;
2710 ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
2711 X86_TRANSFER_TASK_SWITCH, NULL);
2712 if (ret != X86EMUL_CONTINUE)
2713 return ret;
2714
2715 return X86EMUL_CONTINUE;
2716 }
2717
2718 static int task_switch_16(struct x86_emulate_ctxt *ctxt, u16 old_tss_sel,
2719 ulong old_tss_base, struct desc_struct *new_desc)
2720 {
2721 struct tss_segment_16 tss_seg;
2722 int ret;
2723 u32 new_tss_base = get_desc_base(new_desc);
2724
2725 ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof(tss_seg));
2726 if (ret != X86EMUL_CONTINUE)
2727 return ret;
2728
2729 save_state_to_tss16(ctxt, &tss_seg);
2730
2731 ret = linear_write_system(ctxt, old_tss_base, &tss_seg, sizeof(tss_seg));
2732 if (ret != X86EMUL_CONTINUE)
2733 return ret;
2734
2735 ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof(tss_seg));
2736 if (ret != X86EMUL_CONTINUE)
2737 return ret;
2738
2739 if (old_tss_sel != 0xffff) {
2740 tss_seg.prev_task_link = old_tss_sel;
2741
2742 ret = linear_write_system(ctxt, new_tss_base,
2743 &tss_seg.prev_task_link,
2744 sizeof(tss_seg.prev_task_link));
2745 if (ret != X86EMUL_CONTINUE)
2746 return ret;
2747 }
2748
2749 return load_state_from_tss16(ctxt, &tss_seg);
2750 }
2751
2752 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2753 struct tss_segment_32 *tss)
2754 {
2755 /* CR3 and ldt selector are not saved intentionally */
2756 tss->eip = ctxt->_eip;
2757 tss->eflags = ctxt->eflags;
2758 tss->eax = reg_read(ctxt, VCPU_REGS_RAX);
2759 tss->ecx = reg_read(ctxt, VCPU_REGS_RCX);
2760 tss->edx = reg_read(ctxt, VCPU_REGS_RDX);
2761 tss->ebx = reg_read(ctxt, VCPU_REGS_RBX);
2762 tss->esp = reg_read(ctxt, VCPU_REGS_RSP);
2763 tss->ebp = reg_read(ctxt, VCPU_REGS_RBP);
2764 tss->esi = reg_read(ctxt, VCPU_REGS_RSI);
2765 tss->edi = reg_read(ctxt, VCPU_REGS_RDI);
2766
2767 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2768 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2769 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2770 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2771 tss->fs = get_segment_selector(ctxt, VCPU_SREG_FS);
2772 tss->gs = get_segment_selector(ctxt, VCPU_SREG_GS);
2773 }
2774
2775 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2776 struct tss_segment_32 *tss)
2777 {
2778 int ret;
2779 u8 cpl;
2780
2781 if (ctxt->ops->set_cr(ctxt, 3, tss->cr3))
2782 return emulate_gp(ctxt, 0);
2783 ctxt->_eip = tss->eip;
2784 ctxt->eflags = tss->eflags | 2;
2785
2786 /* General purpose registers */
2787 *reg_write(ctxt, VCPU_REGS_RAX) = tss->eax;
2788 *reg_write(ctxt, VCPU_REGS_RCX) = tss->ecx;
2789 *reg_write(ctxt, VCPU_REGS_RDX) = tss->edx;
2790 *reg_write(ctxt, VCPU_REGS_RBX) = tss->ebx;
2791 *reg_write(ctxt, VCPU_REGS_RSP) = tss->esp;
2792 *reg_write(ctxt, VCPU_REGS_RBP) = tss->ebp;
2793 *reg_write(ctxt, VCPU_REGS_RSI) = tss->esi;
2794 *reg_write(ctxt, VCPU_REGS_RDI) = tss->edi;
2795
2796 /*
2797 * SDM says that segment selectors are loaded before segment
2798 * descriptors. This is important because CPL checks will
2799 * use CS.RPL.
2800 */
2801 set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
2802 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2803 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2804 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2805 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2806 set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS);
2807 set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS);
2808
2809 /*
2810 * If we're switching between Protected Mode and VM86, we need to make
2811 * sure to update the mode before loading the segment descriptors so
2812 * that the selectors are interpreted correctly.
2813 */
2814 if (ctxt->eflags & X86_EFLAGS_VM) {
2815 ctxt->mode = X86EMUL_MODE_VM86;
2816 cpl = 3;
2817 } else {
2818 ctxt->mode = X86EMUL_MODE_PROT32;
2819 cpl = tss->cs & 3;
2820 }
2821
2822 /*
2823 * Now load segment descriptors. If fault happens at this stage
2824 * it is handled in a context of new task
2825 */
2826 ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR,
2827 cpl, X86_TRANSFER_TASK_SWITCH, NULL);
2828 if (ret != X86EMUL_CONTINUE)
2829 return ret;
2830 ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
2831 X86_TRANSFER_TASK_SWITCH, NULL);
2832 if (ret != X86EMUL_CONTINUE)
2833 return ret;
2834 ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
2835 X86_TRANSFER_TASK_SWITCH, NULL);
2836 if (ret != X86EMUL_CONTINUE)
2837 return ret;
2838 ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
2839 X86_TRANSFER_TASK_SWITCH, NULL);
2840 if (ret != X86EMUL_CONTINUE)
2841 return ret;
2842 ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
2843 X86_TRANSFER_TASK_SWITCH, NULL);
2844 if (ret != X86EMUL_CONTINUE)
2845 return ret;
2846 ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl,
2847 X86_TRANSFER_TASK_SWITCH, NULL);
2848 if (ret != X86EMUL_CONTINUE)
2849 return ret;
2850 ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl,
2851 X86_TRANSFER_TASK_SWITCH, NULL);
2852
2853 return ret;
2854 }
2855
2856 static int task_switch_32(struct x86_emulate_ctxt *ctxt, u16 old_tss_sel,
2857 ulong old_tss_base, struct desc_struct *new_desc)
2858 {
2859 struct tss_segment_32 tss_seg;
2860 int ret;
2861 u32 new_tss_base = get_desc_base(new_desc);
2862 u32 eip_offset = offsetof(struct tss_segment_32, eip);
2863 u32 ldt_sel_offset = offsetof(struct tss_segment_32, ldt_selector);
2864
2865 ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof(tss_seg));
2866 if (ret != X86EMUL_CONTINUE)
2867 return ret;
2868
2869 save_state_to_tss32(ctxt, &tss_seg);
2870
2871 /* Only GP registers and segment selectors are saved */
2872 ret = linear_write_system(ctxt, old_tss_base + eip_offset, &tss_seg.eip,
2873 ldt_sel_offset - eip_offset);
2874 if (ret != X86EMUL_CONTINUE)
2875 return ret;
2876
2877 ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof(tss_seg));
2878 if (ret != X86EMUL_CONTINUE)
2879 return ret;
2880
2881 if (old_tss_sel != 0xffff) {
2882 tss_seg.prev_task_link = old_tss_sel;
2883
2884 ret = linear_write_system(ctxt, new_tss_base,
2885 &tss_seg.prev_task_link,
2886 sizeof(tss_seg.prev_task_link));
2887 if (ret != X86EMUL_CONTINUE)
2888 return ret;
2889 }
2890
2891 return load_state_from_tss32(ctxt, &tss_seg);
2892 }
2893
2894 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2895 u16 tss_selector, int idt_index, int reason,
2896 bool has_error_code, u32 error_code)
2897 {
2898 const struct x86_emulate_ops *ops = ctxt->ops;
2899 struct desc_struct curr_tss_desc, next_tss_desc;
2900 int ret;
2901 u16 old_tss_sel = get_segment_selector(ctxt, VCPU_SREG_TR);
2902 ulong old_tss_base =
2903 ops->get_cached_segment_base(ctxt, VCPU_SREG_TR);
2904 u32 desc_limit;
2905 ulong desc_addr, dr7;
2906
2907 /* FIXME: old_tss_base == ~0 ? */
2908
2909 ret = read_segment_descriptor(ctxt, tss_selector, &next_tss_desc, &desc_addr);
2910 if (ret != X86EMUL_CONTINUE)
2911 return ret;
2912 ret = read_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc, &desc_addr);
2913 if (ret != X86EMUL_CONTINUE)
2914 return ret;
2915
2916 /* FIXME: check that next_tss_desc is tss */
2917
2918 /*
2919 * Check privileges. The three cases are task switch caused by...
2920 *
2921 * 1. jmp/call/int to task gate: Check against DPL of the task gate
2922 * 2. Exception/IRQ/iret: No check is performed
2923 * 3. jmp/call to TSS/task-gate: No check is performed since the
2924 * hardware checks it before exiting.
2925 */
2926 if (reason == TASK_SWITCH_GATE) {
2927 if (idt_index != -1) {
2928 /* Software interrupts */
2929 struct desc_struct task_gate_desc;
2930 int dpl;
2931
2932 ret = read_interrupt_descriptor(ctxt, idt_index,
2933 &task_gate_desc);
2934 if (ret != X86EMUL_CONTINUE)
2935 return ret;
2936
2937 dpl = task_gate_desc.dpl;
2938 if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
2939 return emulate_gp(ctxt, (idt_index << 3) | 0x2);
2940 }
2941 }
2942
2943 desc_limit = desc_limit_scaled(&next_tss_desc);
2944 if (!next_tss_desc.p ||
2945 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2946 desc_limit < 0x2b)) {
2947 return emulate_ts(ctxt, tss_selector & 0xfffc);
2948 }
2949
2950 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2951 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2952 write_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
2953 }
2954
2955 if (reason == TASK_SWITCH_IRET)
2956 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2957
2958 /* set back link to prev task only if NT bit is set in eflags
2959 note that old_tss_sel is not used after this point */
2960 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2961 old_tss_sel = 0xffff;
2962
2963 if (next_tss_desc.type & 8)
2964 ret = task_switch_32(ctxt, old_tss_sel, old_tss_base, &next_tss_desc);
2965 else
2966 ret = task_switch_16(ctxt, old_tss_sel,
2967 old_tss_base, &next_tss_desc);
2968 if (ret != X86EMUL_CONTINUE)
2969 return ret;
2970
2971 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2972 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2973
2974 if (reason != TASK_SWITCH_IRET) {
2975 next_tss_desc.type |= (1 << 1); /* set busy flag */
2976 write_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
2977 }
2978
2979 ops->set_cr(ctxt, 0, ops->get_cr(ctxt, 0) | X86_CR0_TS);
2980 ops->set_segment(ctxt, tss_selector, &next_tss_desc, 0, VCPU_SREG_TR);
2981
2982 if (has_error_code) {
2983 ctxt->op_bytes = ctxt->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2984 ctxt->lock_prefix = 0;
2985 ctxt->src.val = (unsigned long) error_code;
2986 ret = em_push(ctxt);
2987 }
2988
2989 dr7 = ops->get_dr(ctxt, 7);
2990 ops->set_dr(ctxt, 7, dr7 & ~(DR_LOCAL_ENABLE_MASK | DR_LOCAL_SLOWDOWN));
2991
2992 return ret;
2993 }
2994
2995 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2996 u16 tss_selector, int idt_index, int reason,
2997 bool has_error_code, u32 error_code)
2998 {
2999 int rc;
3000
3001 invalidate_registers(ctxt);
3002 ctxt->_eip = ctxt->eip;
3003 ctxt->dst.type = OP_NONE;
3004
3005 rc = emulator_do_task_switch(ctxt, tss_selector, idt_index, reason,
3006 has_error_code, error_code);
3007
3008 if (rc == X86EMUL_CONTINUE) {
3009 ctxt->eip = ctxt->_eip;
3010 writeback_registers(ctxt);
3011 }
3012
3013 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
3014 }
3015
3016 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, int reg,
3017 struct operand *op)
3018 {
3019 int df = (ctxt->eflags & X86_EFLAGS_DF) ? -op->count : op->count;
3020
3021 register_address_increment(ctxt, reg, df * op->bytes);
3022 op->addr.mem.ea = register_address(ctxt, reg);
3023 }
3024
3025 static int em_das(struct x86_emulate_ctxt *ctxt)
3026 {
3027 u8 al, old_al;
3028 bool af, cf, old_cf;
3029
3030 cf = ctxt->eflags & X86_EFLAGS_CF;
3031 al = ctxt->dst.val;
3032
3033 old_al = al;
3034 old_cf = cf;
3035 cf = false;
3036 af = ctxt->eflags & X86_EFLAGS_AF;
3037 if ((al & 0x0f) > 9 || af) {
3038 al -= 6;
3039 cf = old_cf | (al >= 250);
3040 af = true;
3041 } else {
3042 af = false;
3043 }
3044 if (old_al > 0x99 || old_cf) {
3045 al -= 0x60;
3046 cf = true;
3047 }
3048
3049 ctxt->dst.val = al;
3050 /* Set PF, ZF, SF */
3051 ctxt->src.type = OP_IMM;
3052 ctxt->src.val = 0;
3053 ctxt->src.bytes = 1;
3054 fastop(ctxt, em_or);
3055 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
3056 if (cf)
3057 ctxt->eflags |= X86_EFLAGS_CF;
3058 if (af)
3059 ctxt->eflags |= X86_EFLAGS_AF;
3060 return X86EMUL_CONTINUE;
3061 }
3062
3063 static int em_aam(struct x86_emulate_ctxt *ctxt)
3064 {
3065 u8 al, ah;
3066
3067 if (ctxt->src.val == 0)
3068 return emulate_de(ctxt);
3069
3070 al = ctxt->dst.val & 0xff;
3071 ah = al / ctxt->src.val;
3072 al %= ctxt->src.val;
3073
3074 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al | (ah << 8);
3075
3076 /* Set PF, ZF, SF */
3077 ctxt->src.type = OP_IMM;
3078 ctxt->src.val = 0;
3079 ctxt->src.bytes = 1;
3080 fastop(ctxt, em_or);
3081
3082 return X86EMUL_CONTINUE;
3083 }
3084
3085 static int em_aad(struct x86_emulate_ctxt *ctxt)
3086 {
3087 u8 al = ctxt->dst.val & 0xff;
3088 u8 ah = (ctxt->dst.val >> 8) & 0xff;
3089
3090 al = (al + (ah * ctxt->src.val)) & 0xff;
3091
3092 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al;
3093
3094 /* Set PF, ZF, SF */
3095 ctxt->src.type = OP_IMM;
3096 ctxt->src.val = 0;
3097 ctxt->src.bytes = 1;
3098 fastop(ctxt, em_or);
3099
3100 return X86EMUL_CONTINUE;
3101 }
3102
3103 static int em_call(struct x86_emulate_ctxt *ctxt)
3104 {
3105 int rc;
3106 long rel = ctxt->src.val;
3107
3108 ctxt->src.val = (unsigned long)ctxt->_eip;
3109 rc = jmp_rel(ctxt, rel);
3110 if (rc != X86EMUL_CONTINUE)
3111 return rc;
3112 return em_push(ctxt);
3113 }
3114
3115 static int em_call_far(struct x86_emulate_ctxt *ctxt)
3116 {
3117 u16 sel, old_cs;
3118 ulong old_eip;
3119 int rc;
3120 struct desc_struct old_desc, new_desc;
3121 const struct x86_emulate_ops *ops = ctxt->ops;
3122 int cpl = ctxt->ops->cpl(ctxt);
3123 enum x86emul_mode prev_mode = ctxt->mode;
3124
3125 old_eip = ctxt->_eip;
3126 ops->get_segment(ctxt, &old_cs, &old_desc, NULL, VCPU_SREG_CS);
3127
3128 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
3129 rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
3130 X86_TRANSFER_CALL_JMP, &new_desc);
3131 if (rc != X86EMUL_CONTINUE)
3132 return rc;
3133
3134 rc = assign_eip_far(ctxt, ctxt->src.val);
3135 if (rc != X86EMUL_CONTINUE)
3136 goto fail;
3137
3138 ctxt->src.val = old_cs;
3139 rc = em_push(ctxt);
3140 if (rc != X86EMUL_CONTINUE)
3141 goto fail;
3142
3143 ctxt->src.val = old_eip;
3144 rc = em_push(ctxt);
3145 /* If we failed, we tainted the memory, but the very least we should
3146 restore cs */
3147 if (rc != X86EMUL_CONTINUE) {
3148 pr_warn_once("faulting far call emulation tainted memory\n");
3149 goto fail;
3150 }
3151 return rc;
3152 fail:
3153 ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
3154 ctxt->mode = prev_mode;
3155 return rc;
3156
3157 }
3158
3159 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
3160 {
3161 int rc;
3162 unsigned long eip = 0;
3163
3164 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
3165 if (rc != X86EMUL_CONTINUE)
3166 return rc;
3167 rc = assign_eip_near(ctxt, eip);
3168 if (rc != X86EMUL_CONTINUE)
3169 return rc;
3170 rsp_increment(ctxt, ctxt->src.val);
3171 return X86EMUL_CONTINUE;
3172 }
3173
3174 static int em_xchg(struct x86_emulate_ctxt *ctxt)
3175 {
3176 /* Write back the register source. */
3177 ctxt->src.val = ctxt->dst.val;
3178 write_register_operand(&ctxt->src);
3179
3180 /* Write back the memory destination with implicit LOCK prefix. */
3181 ctxt->dst.val = ctxt->src.orig_val;
3182 ctxt->lock_prefix = 1;
3183 return X86EMUL_CONTINUE;
3184 }
3185
3186 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
3187 {
3188 ctxt->dst.val = ctxt->src2.val;
3189 return fastop(ctxt, em_imul);
3190 }
3191
3192 static int em_cwd(struct x86_emulate_ctxt *ctxt)
3193 {
3194 ctxt->dst.type = OP_REG;
3195 ctxt->dst.bytes = ctxt->src.bytes;
3196 ctxt->dst.addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
3197 ctxt->dst.val = ~((ctxt->src.val >> (ctxt->src.bytes * 8 - 1)) - 1);
3198
3199 return X86EMUL_CONTINUE;
3200 }
3201
3202 static int em_rdpid(struct x86_emulate_ctxt *ctxt)
3203 {
3204 u64 tsc_aux = 0;
3205
3206 if (!ctxt->ops->guest_has_rdpid(ctxt))
3207 return emulate_ud(ctxt);
3208
3209 ctxt->ops->get_msr(ctxt, MSR_TSC_AUX, &tsc_aux);
3210 ctxt->dst.val = tsc_aux;
3211 return X86EMUL_CONTINUE;
3212 }
3213
3214 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
3215 {
3216 u64 tsc = 0;
3217
3218 ctxt->ops->get_msr(ctxt, MSR_IA32_TSC, &tsc);
3219 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)tsc;
3220 *reg_write(ctxt, VCPU_REGS_RDX) = tsc >> 32;
3221 return X86EMUL_CONTINUE;
3222 }
3223
3224 static int em_rdpmc(struct x86_emulate_ctxt *ctxt)
3225 {
3226 u64 pmc;
3227
3228 if (ctxt->ops->read_pmc(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &pmc))
3229 return emulate_gp(ctxt, 0);
3230 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)pmc;
3231 *reg_write(ctxt, VCPU_REGS_RDX) = pmc >> 32;
3232 return X86EMUL_CONTINUE;
3233 }
3234
3235 static int em_mov(struct x86_emulate_ctxt *ctxt)
3236 {
3237 memcpy(ctxt->dst.valptr, ctxt->src.valptr, sizeof(ctxt->src.valptr));
3238 return X86EMUL_CONTINUE;
3239 }
3240
3241 static int em_movbe(struct x86_emulate_ctxt *ctxt)
3242 {
3243 u16 tmp;
3244
3245 if (!ctxt->ops->guest_has_movbe(ctxt))
3246 return emulate_ud(ctxt);
3247
3248 switch (ctxt->op_bytes) {
3249 case 2:
3250 /*
3251 * From MOVBE definition: "...When the operand size is 16 bits,
3252 * the upper word of the destination register remains unchanged
3253 * ..."
3254 *
3255 * Both casting ->valptr and ->val to u16 breaks strict aliasing
3256 * rules so we have to do the operation almost per hand.
3257 */
3258 tmp = (u16)ctxt->src.val;
3259 ctxt->dst.val &= ~0xffffUL;
3260 ctxt->dst.val |= (unsigned long)swab16(tmp);
3261 break;
3262 case 4:
3263 ctxt->dst.val = swab32((u32)ctxt->src.val);
3264 break;
3265 case 8:
3266 ctxt->dst.val = swab64(ctxt->src.val);
3267 break;
3268 default:
3269 BUG();
3270 }
3271 return X86EMUL_CONTINUE;
3272 }
3273
3274 static int em_cr_write(struct x86_emulate_ctxt *ctxt)
3275 {
3276 int cr_num = ctxt->modrm_reg;
3277 int r;
3278
3279 if (ctxt->ops->set_cr(ctxt, cr_num, ctxt->src.val))
3280 return emulate_gp(ctxt, 0);
3281
3282 /* Disable writeback. */
3283 ctxt->dst.type = OP_NONE;
3284
3285 if (cr_num == 0) {
3286 /*
3287 * CR0 write might have updated CR0.PE and/or CR0.PG
3288 * which can affect the cpu's execution mode.
3289 */
3290 r = emulator_recalc_and_set_mode(ctxt);
3291 if (r != X86EMUL_CONTINUE)
3292 return r;
3293 }
3294
3295 return X86EMUL_CONTINUE;
3296 }
3297
3298 static int em_dr_write(struct x86_emulate_ctxt *ctxt)
3299 {
3300 unsigned long val;
3301
3302 if (ctxt->mode == X86EMUL_MODE_PROT64)
3303 val = ctxt->src.val & ~0ULL;
3304 else
3305 val = ctxt->src.val & ~0U;
3306
3307 /* #UD condition is already handled. */
3308 if (ctxt->ops->set_dr(ctxt, ctxt->modrm_reg, val) < 0)
3309 return emulate_gp(ctxt, 0);
3310
3311 /* Disable writeback. */
3312 ctxt->dst.type = OP_NONE;
3313 return X86EMUL_CONTINUE;
3314 }
3315
3316 static int em_wrmsr(struct x86_emulate_ctxt *ctxt)
3317 {
3318 u64 msr_index = reg_read(ctxt, VCPU_REGS_RCX);
3319 u64 msr_data;
3320 int r;
3321
3322 msr_data = (u32)reg_read(ctxt, VCPU_REGS_RAX)
3323 | ((u64)reg_read(ctxt, VCPU_REGS_RDX) << 32);
3324 r = ctxt->ops->set_msr_with_filter(ctxt, msr_index, msr_data);
3325
3326 if (r == X86EMUL_PROPAGATE_FAULT)
3327 return emulate_gp(ctxt, 0);
3328
3329 return r;
3330 }
3331
3332 static int em_rdmsr(struct x86_emulate_ctxt *ctxt)
3333 {
3334 u64 msr_index = reg_read(ctxt, VCPU_REGS_RCX);
3335 u64 msr_data;
3336 int r;
3337
3338 r = ctxt->ops->get_msr_with_filter(ctxt, msr_index, &msr_data);
3339
3340 if (r == X86EMUL_PROPAGATE_FAULT)
3341 return emulate_gp(ctxt, 0);
3342
3343 if (r == X86EMUL_CONTINUE) {
3344 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)msr_data;
3345 *reg_write(ctxt, VCPU_REGS_RDX) = msr_data >> 32;
3346 }
3347 return r;
3348 }
3349
3350 static int em_store_sreg(struct x86_emulate_ctxt *ctxt, int segment)
3351 {
3352 if (segment > VCPU_SREG_GS &&
3353 (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_UMIP) &&
3354 ctxt->ops->cpl(ctxt) > 0)
3355 return emulate_gp(ctxt, 0);
3356
3357 ctxt->dst.val = get_segment_selector(ctxt, segment);
3358 if (ctxt->dst.bytes == 4 && ctxt->dst.type == OP_MEM)
3359 ctxt->dst.bytes = 2;
3360 return X86EMUL_CONTINUE;
3361 }
3362
3363 static int em_mov_rm_sreg(struct x86_emulate_ctxt *ctxt)
3364 {
3365 if (ctxt->modrm_reg > VCPU_SREG_GS)
3366 return emulate_ud(ctxt);
3367
3368 return em_store_sreg(ctxt, ctxt->modrm_reg);
3369 }
3370
3371 static int em_mov_sreg_rm(struct x86_emulate_ctxt *ctxt)
3372 {
3373 u16 sel = ctxt->src.val;
3374
3375 if (ctxt->modrm_reg == VCPU_SREG_CS || ctxt->modrm_reg > VCPU_SREG_GS)
3376 return emulate_ud(ctxt);
3377
3378 if (ctxt->modrm_reg == VCPU_SREG_SS)
3379 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3380
3381 /* Disable writeback. */
3382 ctxt->dst.type = OP_NONE;
3383 return load_segment_descriptor(ctxt, sel, ctxt->modrm_reg);
3384 }
3385
3386 static int em_sldt(struct x86_emulate_ctxt *ctxt)
3387 {
3388 return em_store_sreg(ctxt, VCPU_SREG_LDTR);
3389 }
3390
3391 static int em_lldt(struct x86_emulate_ctxt *ctxt)
3392 {
3393 u16 sel = ctxt->src.val;
3394
3395 /* Disable writeback. */
3396 ctxt->dst.type = OP_NONE;
3397 return load_segment_descriptor(ctxt, sel, VCPU_SREG_LDTR);
3398 }
3399
3400 static int em_str(struct x86_emulate_ctxt *ctxt)
3401 {
3402 return em_store_sreg(ctxt, VCPU_SREG_TR);
3403 }
3404
3405 static int em_ltr(struct x86_emulate_ctxt *ctxt)
3406 {
3407 u16 sel = ctxt->src.val;
3408
3409 /* Disable writeback. */
3410 ctxt->dst.type = OP_NONE;
3411 return load_segment_descriptor(ctxt, sel, VCPU_SREG_TR);
3412 }
3413
3414 static int em_invlpg(struct x86_emulate_ctxt *ctxt)
3415 {
3416 int rc;
3417 ulong linear;
3418 unsigned int max_size;
3419
3420 rc = __linearize(ctxt, ctxt->src.addr.mem, &max_size, 1, ctxt->mode,
3421 &linear, X86EMUL_F_INVLPG);
3422 if (rc == X86EMUL_CONTINUE)
3423 ctxt->ops->invlpg(ctxt, linear);
3424 /* Disable writeback. */
3425 ctxt->dst.type = OP_NONE;
3426 return X86EMUL_CONTINUE;
3427 }
3428
3429 static int em_clts(struct x86_emulate_ctxt *ctxt)
3430 {
3431 ulong cr0;
3432
3433 cr0 = ctxt->ops->get_cr(ctxt, 0);
3434 cr0 &= ~X86_CR0_TS;
3435 ctxt->ops->set_cr(ctxt, 0, cr0);
3436 return X86EMUL_CONTINUE;
3437 }
3438
3439 static int em_hypercall(struct x86_emulate_ctxt *ctxt)
3440 {
3441 int rc = ctxt->ops->fix_hypercall(ctxt);
3442
3443 if (rc != X86EMUL_CONTINUE)
3444 return rc;
3445
3446 /* Let the processor re-execute the fixed hypercall */
3447 ctxt->_eip = ctxt->eip;
3448 /* Disable writeback. */
3449 ctxt->dst.type = OP_NONE;
3450 return X86EMUL_CONTINUE;
3451 }
3452
3453 static int emulate_store_desc_ptr(struct x86_emulate_ctxt *ctxt,
3454 void (*get)(struct x86_emulate_ctxt *ctxt,
3455 struct desc_ptr *ptr))
3456 {
3457 struct desc_ptr desc_ptr;
3458
3459 if ((ctxt->ops->get_cr(ctxt, 4) & X86_CR4_UMIP) &&
3460 ctxt->ops->cpl(ctxt) > 0)
3461 return emulate_gp(ctxt, 0);
3462
3463 if (ctxt->mode == X86EMUL_MODE_PROT64)
3464 ctxt->op_bytes = 8;
3465 get(ctxt, &desc_ptr);
3466 if (ctxt->op_bytes == 2) {
3467 ctxt->op_bytes = 4;
3468 desc_ptr.address &= 0x00ffffff;
3469 }
3470 /* Disable writeback. */
3471 ctxt->dst.type = OP_NONE;
3472 return segmented_write_std(ctxt, ctxt->dst.addr.mem,
3473 &desc_ptr, 2 + ctxt->op_bytes);
3474 }
3475
3476 static int em_sgdt(struct x86_emulate_ctxt *ctxt)
3477 {
3478 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_gdt);
3479 }
3480
3481 static int em_sidt(struct x86_emulate_ctxt *ctxt)
3482 {
3483 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_idt);
3484 }
3485
3486 static int em_lgdt_lidt(struct x86_emulate_ctxt *ctxt, bool lgdt)
3487 {
3488 struct desc_ptr desc_ptr;
3489 int rc;
3490
3491 if (ctxt->mode == X86EMUL_MODE_PROT64)
3492 ctxt->op_bytes = 8;
3493 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
3494 &desc_ptr.size, &desc_ptr.address,
3495 ctxt->op_bytes);
3496 if (rc != X86EMUL_CONTINUE)
3497 return rc;
3498 if (ctxt->mode == X86EMUL_MODE_PROT64 &&
3499 emul_is_noncanonical_address(desc_ptr.address, ctxt,
3500 X86EMUL_F_DT_LOAD))
3501 return emulate_gp(ctxt, 0);
3502 if (lgdt)
3503 ctxt->ops->set_gdt(ctxt, &desc_ptr);
3504 else
3505 ctxt->ops->set_idt(ctxt, &desc_ptr);
3506 /* Disable writeback. */
3507 ctxt->dst.type = OP_NONE;
3508 return X86EMUL_CONTINUE;
3509 }
3510
3511 static int em_lgdt(struct x86_emulate_ctxt *ctxt)
3512 {
3513 return em_lgdt_lidt(ctxt, true);
3514 }
3515
3516 static int em_lidt(struct x86_emulate_ctxt *ctxt)
3517 {
3518 return em_lgdt_lidt(ctxt, false);
3519 }
3520
3521 static int em_smsw(struct x86_emulate_ctxt *ctxt)
3522 {
3523 if ((ctxt->ops->get_cr(ctxt, 4) & X86_CR4_UMIP) &&
3524 ctxt->ops->cpl(ctxt) > 0)
3525 return emulate_gp(ctxt, 0);
3526
3527 if (ctxt->dst.type == OP_MEM)
3528 ctxt->dst.bytes = 2;
3529 ctxt->dst.val = ctxt->ops->get_cr(ctxt, 0);
3530 return X86EMUL_CONTINUE;
3531 }
3532
3533 static int em_lmsw(struct x86_emulate_ctxt *ctxt)
3534 {
3535 ctxt->ops->set_cr(ctxt, 0, (ctxt->ops->get_cr(ctxt, 0) & ~0x0eul)
3536 | (ctxt->src.val & 0x0f));
3537 ctxt->dst.type = OP_NONE;
3538 return X86EMUL_CONTINUE;
3539 }
3540
3541 static int em_loop(struct x86_emulate_ctxt *ctxt)
3542 {
3543 int rc = X86EMUL_CONTINUE;
3544
3545 register_address_increment(ctxt, VCPU_REGS_RCX, -1);
3546 if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) &&
3547 (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
3548 rc = jmp_rel(ctxt, ctxt->src.val);
3549
3550 return rc;
3551 }
3552
3553 static int em_jcxz(struct x86_emulate_ctxt *ctxt)
3554 {
3555 int rc = X86EMUL_CONTINUE;
3556
3557 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0)
3558 rc = jmp_rel(ctxt, ctxt->src.val);
3559
3560 return rc;
3561 }
3562
3563 static int em_in(struct x86_emulate_ctxt *ctxt)
3564 {
3565 if (!pio_in_emulated(ctxt, ctxt->dst.bytes, ctxt->src.val,
3566 &ctxt->dst.val))
3567 return X86EMUL_IO_NEEDED;
3568
3569 return X86EMUL_CONTINUE;
3570 }
3571
3572 static int em_out(struct x86_emulate_ctxt *ctxt)
3573 {
3574 ctxt->ops->pio_out_emulated(ctxt, ctxt->src.bytes, ctxt->dst.val,
3575 &ctxt->src.val, 1);
3576 /* Disable writeback. */
3577 ctxt->dst.type = OP_NONE;
3578 return X86EMUL_CONTINUE;
3579 }
3580
3581 static int em_cli(struct x86_emulate_ctxt *ctxt)
3582 {
3583 if (emulator_bad_iopl(ctxt))
3584 return emulate_gp(ctxt, 0);
3585
3586 ctxt->eflags &= ~X86_EFLAGS_IF;
3587 return X86EMUL_CONTINUE;
3588 }
3589
3590 static int em_sti(struct x86_emulate_ctxt *ctxt)
3591 {
3592 if (emulator_bad_iopl(ctxt))
3593 return emulate_gp(ctxt, 0);
3594
3595 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3596 ctxt->eflags |= X86_EFLAGS_IF;
3597 return X86EMUL_CONTINUE;
3598 }
3599
3600 static int em_cpuid(struct x86_emulate_ctxt *ctxt)
3601 {
3602 u32 eax, ebx, ecx, edx;
3603 u64 msr = 0;
3604
3605 ctxt->ops->get_msr(ctxt, MSR_MISC_FEATURES_ENABLES, &msr);
3606 if (msr & MSR_MISC_FEATURES_ENABLES_CPUID_FAULT &&
3607 ctxt->ops->cpl(ctxt)) {
3608 return emulate_gp(ctxt, 0);
3609 }
3610
3611 eax = reg_read(ctxt, VCPU_REGS_RAX);
3612 ecx = reg_read(ctxt, VCPU_REGS_RCX);
3613 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, false);
3614 *reg_write(ctxt, VCPU_REGS_RAX) = eax;
3615 *reg_write(ctxt, VCPU_REGS_RBX) = ebx;
3616 *reg_write(ctxt, VCPU_REGS_RCX) = ecx;
3617 *reg_write(ctxt, VCPU_REGS_RDX) = edx;
3618 return X86EMUL_CONTINUE;
3619 }
3620
3621 static int em_sahf(struct x86_emulate_ctxt *ctxt)
3622 {
3623 u32 flags;
3624
3625 flags = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF | X86_EFLAGS_ZF |
3626 X86_EFLAGS_SF;
3627 flags &= *reg_rmw(ctxt, VCPU_REGS_RAX) >> 8;
3628
3629 ctxt->eflags &= ~0xffUL;
3630 ctxt->eflags |= flags | X86_EFLAGS_FIXED;
3631 return X86EMUL_CONTINUE;
3632 }
3633
3634 static int em_lahf(struct x86_emulate_ctxt *ctxt)
3635 {
3636 *reg_rmw(ctxt, VCPU_REGS_RAX) &= ~0xff00UL;
3637 *reg_rmw(ctxt, VCPU_REGS_RAX) |= (ctxt->eflags & 0xff) << 8;
3638 return X86EMUL_CONTINUE;
3639 }
3640
3641 static int em_bswap(struct x86_emulate_ctxt *ctxt)
3642 {
3643 switch (ctxt->op_bytes) {
3644 #ifdef CONFIG_X86_64
3645 case 8:
3646 asm("bswap %0" : "+r"(ctxt->dst.val));
3647 break;
3648 #endif
3649 default:
3650 asm("bswap %0" : "+r"(*(u32 *)&ctxt->dst.val));
3651 break;
3652 }
3653 return X86EMUL_CONTINUE;
3654 }
3655
3656 static int em_clflush(struct x86_emulate_ctxt *ctxt)
3657 {
3658 /* emulating clflush regardless of cpuid */
3659 return X86EMUL_CONTINUE;
3660 }
3661
3662 static int em_clflushopt(struct x86_emulate_ctxt *ctxt)
3663 {
3664 /* emulating clflushopt regardless of cpuid */
3665 return X86EMUL_CONTINUE;
3666 }
3667
3668 static int em_movsxd(struct x86_emulate_ctxt *ctxt)
3669 {
3670 ctxt->dst.val = (s32) ctxt->src.val;
3671 return X86EMUL_CONTINUE;
3672 }
3673
3674 static int check_fxsr(struct x86_emulate_ctxt *ctxt)
3675 {
3676 if (!ctxt->ops->guest_has_fxsr(ctxt))
3677 return emulate_ud(ctxt);
3678
3679 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
3680 return emulate_nm(ctxt);
3681
3682 /*
3683 * Don't emulate a case that should never be hit, instead of working
3684 * around a lack of fxsave64/fxrstor64 on old compilers.
3685 */
3686 if (ctxt->mode >= X86EMUL_MODE_PROT64)
3687 return X86EMUL_UNHANDLEABLE;
3688
3689 return X86EMUL_CONTINUE;
3690 }
3691
3692 /*
3693 * Hardware doesn't save and restore XMM 0-7 without CR4.OSFXSR, but does save
3694 * and restore MXCSR.
3695 */
3696 static size_t __fxstate_size(int nregs)
3697 {
3698 return offsetof(struct fxregs_state, xmm_space[0]) + nregs * 16;
3699 }
3700
3701 static inline size_t fxstate_size(struct x86_emulate_ctxt *ctxt)
3702 {
3703 bool cr4_osfxsr;
3704 if (ctxt->mode == X86EMUL_MODE_PROT64)
3705 return __fxstate_size(16);
3706
3707 cr4_osfxsr = ctxt->ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR;
3708 return __fxstate_size(cr4_osfxsr ? 8 : 0);
3709 }
3710
3711 /*
3712 * FXSAVE and FXRSTOR have 4 different formats depending on execution mode,
3713 * 1) 16 bit mode
3714 * 2) 32 bit mode
3715 * - like (1), but FIP and FDP (foo) are only 16 bit. At least Intel CPUs
3716 * preserve whole 32 bit values, though, so (1) and (2) are the same wrt.
3717 * save and restore
3718 * 3) 64-bit mode with REX.W prefix
3719 * - like (2), but XMM 8-15 are being saved and restored
3720 * 4) 64-bit mode without REX.W prefix
3721 * - like (3), but FIP and FDP are 64 bit
3722 *
3723 * Emulation uses (3) for (1) and (2) and preserves XMM 8-15 to reach the
3724 * desired result. (4) is not emulated.
3725 *
3726 * Note: Guest and host CPUID.(EAX=07H,ECX=0H):EBX[bit 13] (deprecate FPU CS
3727 * and FPU DS) should match.
3728 */
3729 static int em_fxsave(struct x86_emulate_ctxt *ctxt)
3730 {
3731 struct fxregs_state fx_state;
3732 int rc;
3733
3734 rc = check_fxsr(ctxt);
3735 if (rc != X86EMUL_CONTINUE)
3736 return rc;
3737
3738 kvm_fpu_get();
3739
3740 rc = asm_safe("fxsave %[fx]", , [fx] "+m"(fx_state));
3741
3742 kvm_fpu_put();
3743
3744 if (rc != X86EMUL_CONTINUE)
3745 return rc;
3746
3747 return segmented_write_std(ctxt, ctxt->memop.addr.mem, &fx_state,
3748 fxstate_size(ctxt));
3749 }
3750
3751 /*
3752 * FXRSTOR might restore XMM registers not provided by the guest. Fill
3753 * in the host registers (via FXSAVE) instead, so they won't be modified.
3754 * (preemption has to stay disabled until FXRSTOR).
3755 *
3756 * Use noinline to keep the stack for other functions called by callers small.
3757 */
3758 static noinline int fxregs_fixup(struct fxregs_state *fx_state,
3759 const size_t used_size)
3760 {
3761 struct fxregs_state fx_tmp;
3762 int rc;
3763
3764 rc = asm_safe("fxsave %[fx]", , [fx] "+m"(fx_tmp));
3765 memcpy((void *)fx_state + used_size, (void *)&fx_tmp + used_size,
3766 __fxstate_size(16) - used_size);
3767
3768 return rc;
3769 }
3770
3771 static int em_fxrstor(struct x86_emulate_ctxt *ctxt)
3772 {
3773 struct fxregs_state fx_state;
3774 int rc;
3775 size_t size;
3776
3777 rc = check_fxsr(ctxt);
3778 if (rc != X86EMUL_CONTINUE)
3779 return rc;
3780
3781 size = fxstate_size(ctxt);
3782 rc = segmented_read_std(ctxt, ctxt->memop.addr.mem, &fx_state, size);
3783 if (rc != X86EMUL_CONTINUE)
3784 return rc;
3785
3786 kvm_fpu_get();
3787
3788 if (size < __fxstate_size(16)) {
3789 rc = fxregs_fixup(&fx_state, size);
3790 if (rc != X86EMUL_CONTINUE)
3791 goto out;
3792 }
3793
3794 if (fx_state.mxcsr >> 16) {
3795 rc = emulate_gp(ctxt, 0);
3796 goto out;
3797 }
3798
3799 if (rc == X86EMUL_CONTINUE)
3800 rc = asm_safe("fxrstor %[fx]", : [fx] "m"(fx_state));
3801
3802 out:
3803 kvm_fpu_put();
3804
3805 return rc;
3806 }
3807
3808 static int em_xsetbv(struct x86_emulate_ctxt *ctxt)
3809 {
3810 u32 eax, ecx, edx;
3811
3812 if (!(ctxt->ops->get_cr(ctxt, 4) & X86_CR4_OSXSAVE))
3813 return emulate_ud(ctxt);
3814
3815 eax = reg_read(ctxt, VCPU_REGS_RAX);
3816 edx = reg_read(ctxt, VCPU_REGS_RDX);
3817 ecx = reg_read(ctxt, VCPU_REGS_RCX);
3818
3819 if (ctxt->ops->set_xcr(ctxt, ecx, ((u64)edx << 32) | eax))
3820 return emulate_gp(ctxt, 0);
3821
3822 return X86EMUL_CONTINUE;
3823 }
3824
3825 static bool valid_cr(int nr)
3826 {
3827 switch (nr) {
3828 case 0:
3829 case 2 ... 4:
3830 case 8:
3831 return true;
3832 default:
3833 return false;
3834 }
3835 }
3836
3837 static int check_cr_access(struct x86_emulate_ctxt *ctxt)
3838 {
3839 if (!valid_cr(ctxt->modrm_reg))
3840 return emulate_ud(ctxt);
3841
3842 return X86EMUL_CONTINUE;
3843 }
3844
3845 static int check_dr_read(struct x86_emulate_ctxt *ctxt)
3846 {
3847 int dr = ctxt->modrm_reg;
3848 u64 cr4;
3849
3850 if (dr > 7)
3851 return emulate_ud(ctxt);
3852
3853 cr4 = ctxt->ops->get_cr(ctxt, 4);
3854 if ((cr4 & X86_CR4_DE) && (dr == 4 || dr == 5))
3855 return emulate_ud(ctxt);
3856
3857 if (ctxt->ops->get_dr(ctxt, 7) & DR7_GD) {
3858 ulong dr6;
3859
3860 dr6 = ctxt->ops->get_dr(ctxt, 6);
3861 dr6 &= ~DR_TRAP_BITS;
3862 dr6 |= DR6_BD | DR6_ACTIVE_LOW;
3863 ctxt->ops->set_dr(ctxt, 6, dr6);
3864 return emulate_db(ctxt);
3865 }
3866
3867 return X86EMUL_CONTINUE;
3868 }
3869
3870 static int check_dr_write(struct x86_emulate_ctxt *ctxt)
3871 {
3872 u64 new_val = ctxt->src.val64;
3873 int dr = ctxt->modrm_reg;
3874
3875 if ((dr == 6 || dr == 7) && (new_val & 0xffffffff00000000ULL))
3876 return emulate_gp(ctxt, 0);
3877
3878 return check_dr_read(ctxt);
3879 }
3880
3881 static int check_svme(struct x86_emulate_ctxt *ctxt)
3882 {
3883 u64 efer = 0;
3884
3885 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3886
3887 if (!(efer & EFER_SVME))
3888 return emulate_ud(ctxt);
3889
3890 return X86EMUL_CONTINUE;
3891 }
3892
3893 static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
3894 {
3895 u64 rax = reg_read(ctxt, VCPU_REGS_RAX);
3896
3897 /* Valid physical address? */
3898 if (rax & 0xffff000000000000ULL)
3899 return emulate_gp(ctxt, 0);
3900
3901 return check_svme(ctxt);
3902 }
3903
3904 static int check_rdtsc(struct x86_emulate_ctxt *ctxt)
3905 {
3906 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
3907
3908 if (cr4 & X86_CR4_TSD && ctxt->ops->cpl(ctxt))
3909 return emulate_gp(ctxt, 0);
3910
3911 return X86EMUL_CONTINUE;
3912 }
3913
3914 static int check_rdpmc(struct x86_emulate_ctxt *ctxt)
3915 {
3916 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
3917 u64 rcx = reg_read(ctxt, VCPU_REGS_RCX);
3918
3919 /*
3920 * VMware allows access to these Pseduo-PMCs even when read via RDPMC
3921 * in Ring3 when CR4.PCE=0.
3922 */
3923 if (enable_vmware_backdoor && is_vmware_backdoor_pmc(rcx))
3924 return X86EMUL_CONTINUE;
3925
3926 /*
3927 * If CR4.PCE is set, the SDM requires CPL=0 or CR0.PE=0. The CR0.PE
3928 * check however is unnecessary because CPL is always 0 outside
3929 * protected mode.
3930 */
3931 if ((!(cr4 & X86_CR4_PCE) && ctxt->ops->cpl(ctxt)) ||
3932 ctxt->ops->check_rdpmc_early(ctxt, rcx))
3933 return emulate_gp(ctxt, 0);
3934
3935 return X86EMUL_CONTINUE;
3936 }
3937
3938 static int check_perm_in(struct x86_emulate_ctxt *ctxt)
3939 {
3940 ctxt->dst.bytes = min(ctxt->dst.bytes, 4u);
3941 if (!emulator_io_permitted(ctxt, ctxt->src.val, ctxt->dst.bytes))
3942 return emulate_gp(ctxt, 0);
3943
3944 return X86EMUL_CONTINUE;
3945 }
3946
3947 static int check_perm_out(struct x86_emulate_ctxt *ctxt)
3948 {
3949 ctxt->src.bytes = min(ctxt->src.bytes, 4u);
3950 if (!emulator_io_permitted(ctxt, ctxt->dst.val, ctxt->src.bytes))
3951 return emulate_gp(ctxt, 0);
3952
3953 return X86EMUL_CONTINUE;
3954 }
3955
3956 #define D(_y) { .flags = (_y) }
3957 #define DI(_y, _i) { .flags = (_y)|Intercept, .intercept = x86_intercept_##_i }
3958 #define DIP(_y, _i, _p) { .flags = (_y)|Intercept|CheckPerm, \
3959 .intercept = x86_intercept_##_i, .check_perm = (_p) }
3960 #define N D(NotImpl)
3961 #define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
3962 #define G(_f, _g) { .flags = ((_f) | Group | ModRM), .u.group = (_g) }
3963 #define GD(_f, _g) { .flags = ((_f) | GroupDual | ModRM), .u.gdual = (_g) }
3964 #define ID(_f, _i) { .flags = ((_f) | InstrDual | ModRM), .u.idual = (_i) }
3965 #define MD(_f, _m) { .flags = ((_f) | ModeDual), .u.mdual = (_m) }
3966 #define E(_f, _e) { .flags = ((_f) | Escape | ModRM), .u.esc = (_e) }
3967 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
3968 #define F(_f, _e) { .flags = (_f) | Fastop, .u.fastop = (_e) }
3969 #define II(_f, _e, _i) \
3970 { .flags = (_f)|Intercept, .u.execute = (_e), .intercept = x86_intercept_##_i }
3971 #define IIP(_f, _e, _i, _p) \
3972 { .flags = (_f)|Intercept|CheckPerm, .u.execute = (_e), \
3973 .intercept = x86_intercept_##_i, .check_perm = (_p) }
3974 #define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
3975
3976 #define D2bv(_f) D((_f) | ByteOp), D(_f)
3977 #define D2bvIP(_f, _i, _p) DIP((_f) | ByteOp, _i, _p), DIP(_f, _i, _p)
3978 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
3979 #define F2bv(_f, _e) F((_f) | ByteOp, _e), F(_f, _e)
3980 #define I2bvIP(_f, _e, _i, _p) \
3981 IIP((_f) | ByteOp, _e, _i, _p), IIP(_f, _e, _i, _p)
3982
3983 #define F6ALU(_f, _e) F2bv((_f) | DstMem | SrcReg | ModRM, _e), \
3984 F2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock, _e), \
3985 F2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)
3986
3987 static const struct opcode group7_rm0[] = {
3988 N,
3989 I(SrcNone | Priv | EmulateOnUD, em_hypercall),
3990 N, N, N, N, N, N,
3991 };
3992
3993 static const struct opcode group7_rm1[] = {
3994 DI(SrcNone | Priv, monitor),
3995 DI(SrcNone | Priv, mwait),
3996 N, N, N, N, N, N,
3997 };
3998
3999 static const struct opcode group7_rm2[] = {
4000 N,
4001 II(ImplicitOps | Priv, em_xsetbv, xsetbv),
4002 N, N, N, N, N, N,
4003 };
4004
4005 static const struct opcode group7_rm3[] = {
4006 DIP(SrcNone | Prot | Priv, vmrun, check_svme_pa),
4007 II(SrcNone | Prot | EmulateOnUD, em_hypercall, vmmcall),
4008 DIP(SrcNone | Prot | Priv, vmload, check_svme_pa),
4009 DIP(SrcNone | Prot | Priv, vmsave, check_svme_pa),
4010 DIP(SrcNone | Prot | Priv, stgi, check_svme),
4011 DIP(SrcNone | Prot | Priv, clgi, check_svme),
4012 DIP(SrcNone | Prot | Priv, skinit, check_svme),
4013 DIP(SrcNone | Prot | Priv, invlpga, check_svme),
4014 };
4015
4016 static const struct opcode group7_rm7[] = {
4017 N,
4018 DIP(SrcNone, rdtscp, check_rdtsc),
4019 N, N, N, N, N, N,
4020 };
4021
4022 static const struct opcode group1[] = {
4023 F(Lock, em_add),
4024 F(Lock | PageTable, em_or),
4025 F(Lock, em_adc),
4026 F(Lock, em_sbb),
4027 F(Lock | PageTable, em_and),
4028 F(Lock, em_sub),
4029 F(Lock, em_xor),
4030 F(NoWrite, em_cmp),
4031 };
4032
4033 static const struct opcode group1A[] = {
4034 I(DstMem | SrcNone | Mov | Stack | IncSP | TwoMemOp, em_pop), N, N, N, N, N, N, N,
4035 };
4036
4037 static const struct opcode group2[] = {
4038 F(DstMem | ModRM, em_rol),
4039 F(DstMem | ModRM, em_ror),
4040 F(DstMem | ModRM, em_rcl),
4041 F(DstMem | ModRM, em_rcr),
4042 F(DstMem | ModRM, em_shl),
4043 F(DstMem | ModRM, em_shr),
4044 F(DstMem | ModRM, em_shl),
4045 F(DstMem | ModRM, em_sar),
4046 };
4047
4048 static const struct opcode group3[] = {
4049 F(DstMem | SrcImm | NoWrite, em_test),
4050 F(DstMem | SrcImm | NoWrite, em_test),
4051 F(DstMem | SrcNone | Lock, em_not),
4052 F(DstMem | SrcNone | Lock, em_neg),
4053 F(DstXacc | Src2Mem, em_mul_ex),
4054 F(DstXacc | Src2Mem, em_imul_ex),
4055 F(DstXacc | Src2Mem, em_div_ex),
4056 F(DstXacc | Src2Mem, em_idiv_ex),
4057 };
4058
4059 static const struct opcode group4[] = {
4060 F(ByteOp | DstMem | SrcNone | Lock, em_inc),
4061 F(ByteOp | DstMem | SrcNone | Lock, em_dec),
4062 N, N, N, N, N, N,
4063 };
4064
4065 static const struct opcode group5[] = {
4066 F(DstMem | SrcNone | Lock, em_inc),
4067 F(DstMem | SrcNone | Lock, em_dec),
4068 I(SrcMem | NearBranch | IsBranch, em_call_near_abs),
4069 I(SrcMemFAddr | ImplicitOps | IsBranch, em_call_far),
4070 I(SrcMem | NearBranch | IsBranch, em_jmp_abs),
4071 I(SrcMemFAddr | ImplicitOps | IsBranch, em_jmp_far),
4072 I(SrcMem | Stack | TwoMemOp, em_push), D(Undefined),
4073 };
4074
4075 static const struct opcode group6[] = {
4076 II(Prot | DstMem, em_sldt, sldt),
4077 II(Prot | DstMem, em_str, str),
4078 II(Prot | Priv | SrcMem16, em_lldt, lldt),
4079 II(Prot | Priv | SrcMem16, em_ltr, ltr),
4080 N, N, N, N,
4081 };
4082
4083 static const struct group_dual group7 = { {
4084 II(Mov | DstMem, em_sgdt, sgdt),
4085 II(Mov | DstMem, em_sidt, sidt),
4086 II(SrcMem | Priv, em_lgdt, lgdt),
4087 II(SrcMem | Priv, em_lidt, lidt),
4088 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
4089 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
4090 II(SrcMem | ByteOp | Priv | NoAccess, em_invlpg, invlpg),
4091 }, {
4092 EXT(0, group7_rm0),
4093 EXT(0, group7_rm1),
4094 EXT(0, group7_rm2),
4095 EXT(0, group7_rm3),
4096 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
4097 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
4098 EXT(0, group7_rm7),
4099 } };
4100
4101 static const struct opcode group8[] = {
4102 N, N, N, N,
4103 F(DstMem | SrcImmByte | NoWrite, em_bt),
4104 F(DstMem | SrcImmByte | Lock | PageTable, em_bts),
4105 F(DstMem | SrcImmByte | Lock, em_btr),
4106 F(DstMem | SrcImmByte | Lock | PageTable, em_btc),
4107 };
4108
4109 /*
4110 * The "memory" destination is actually always a register, since we come
4111 * from the register case of group9.
4112 */
4113 static const struct gprefix pfx_0f_c7_7 = {
4114 N, N, N, II(DstMem | ModRM | Op3264 | EmulateOnUD, em_rdpid, rdpid),
4115 };
4116
4117
4118 static const struct group_dual group9 = { {
4119 N, I(DstMem64 | Lock | PageTable, em_cmpxchg8b), N, N, N, N, N, N,
4120 }, {
4121 N, N, N, N, N, N, N,
4122 GP(0, &pfx_0f_c7_7),
4123 } };
4124
4125 static const struct opcode group11[] = {
4126 I(DstMem | SrcImm | Mov | PageTable, em_mov),
4127 X7(D(Undefined)),
4128 };
4129
4130 static const struct gprefix pfx_0f_ae_7 = {
4131 I(SrcMem | ByteOp, em_clflush), I(SrcMem | ByteOp, em_clflushopt), N, N,
4132 };
4133
4134 static const struct group_dual group15 = { {
4135 I(ModRM | Aligned16, em_fxsave),
4136 I(ModRM | Aligned16, em_fxrstor),
4137 N, N, N, N, N, GP(0, &pfx_0f_ae_7),
4138 }, {
4139 N, N, N, N, N, N, N, N,
4140 } };
4141
4142 static const struct gprefix pfx_0f_6f_0f_7f = {
4143 I(Mmx, em_mov), I(Sse | Aligned, em_mov), N, I(Sse | Unaligned, em_mov),
4144 };
4145
4146 static const struct instr_dual instr_dual_0f_2b = {
4147 I(0, em_mov), N
4148 };
4149
4150 static const struct gprefix pfx_0f_2b = {
4151 ID(0, &instr_dual_0f_2b), ID(0, &instr_dual_0f_2b), N, N,
4152 };
4153
4154 static const struct gprefix pfx_0f_10_0f_11 = {
4155 I(Unaligned, em_mov), I(Unaligned, em_mov), N, N,
4156 };
4157
4158 static const struct gprefix pfx_0f_28_0f_29 = {
4159 I(Aligned, em_mov), I(Aligned, em_mov), N, N,
4160 };
4161
4162 static const struct gprefix pfx_0f_e7 = {
4163 N, I(Sse, em_mov), N, N,
4164 };
4165
4166 static const struct escape escape_d9 = { {
4167 N, N, N, N, N, N, N, I(DstMem16 | Mov, em_fnstcw),
4168 }, {
4169 /* 0xC0 - 0xC7 */
4170 N, N, N, N, N, N, N, N,
4171 /* 0xC8 - 0xCF */
4172 N, N, N, N, N, N, N, N,
4173 /* 0xD0 - 0xC7 */
4174 N, N, N, N, N, N, N, N,
4175 /* 0xD8 - 0xDF */
4176 N, N, N, N, N, N, N, N,
4177 /* 0xE0 - 0xE7 */
4178 N, N, N, N, N, N, N, N,
4179 /* 0xE8 - 0xEF */
4180 N, N, N, N, N, N, N, N,
4181 /* 0xF0 - 0xF7 */
4182 N, N, N, N, N, N, N, N,
4183 /* 0xF8 - 0xFF */
4184 N, N, N, N, N, N, N, N,
4185 } };
4186
4187 static const struct escape escape_db = { {
4188 N, N, N, N, N, N, N, N,
4189 }, {
4190 /* 0xC0 - 0xC7 */
4191 N, N, N, N, N, N, N, N,
4192 /* 0xC8 - 0xCF */
4193 N, N, N, N, N, N, N, N,
4194 /* 0xD0 - 0xC7 */
4195 N, N, N, N, N, N, N, N,
4196 /* 0xD8 - 0xDF */
4197 N, N, N, N, N, N, N, N,
4198 /* 0xE0 - 0xE7 */
4199 N, N, N, I(ImplicitOps, em_fninit), N, N, N, N,
4200 /* 0xE8 - 0xEF */
4201 N, N, N, N, N, N, N, N,
4202 /* 0xF0 - 0xF7 */
4203 N, N, N, N, N, N, N, N,
4204 /* 0xF8 - 0xFF */
4205 N, N, N, N, N, N, N, N,
4206 } };
4207
4208 static const struct escape escape_dd = { {
4209 N, N, N, N, N, N, N, I(DstMem16 | Mov, em_fnstsw),
4210 }, {
4211 /* 0xC0 - 0xC7 */
4212 N, N, N, N, N, N, N, N,
4213 /* 0xC8 - 0xCF */
4214 N, N, N, N, N, N, N, N,
4215 /* 0xD0 - 0xC7 */
4216 N, N, N, N, N, N, N, N,
4217 /* 0xD8 - 0xDF */
4218 N, N, N, N, N, N, N, N,
4219 /* 0xE0 - 0xE7 */
4220 N, N, N, N, N, N, N, N,
4221 /* 0xE8 - 0xEF */
4222 N, N, N, N, N, N, N, N,
4223 /* 0xF0 - 0xF7 */
4224 N, N, N, N, N, N, N, N,
4225 /* 0xF8 - 0xFF */
4226 N, N, N, N, N, N, N, N,
4227 } };
4228
4229 static const struct instr_dual instr_dual_0f_c3 = {
4230 I(DstMem | SrcReg | ModRM | No16 | Mov, em_mov), N
4231 };
4232
4233 static const struct mode_dual mode_dual_63 = {
4234 N, I(DstReg | SrcMem32 | ModRM | Mov, em_movsxd)
4235 };
4236
4237 static const struct instr_dual instr_dual_8d = {
4238 D(DstReg | SrcMem | ModRM | NoAccess), N
4239 };
4240
4241 static const struct opcode opcode_table[256] = {
4242 /* 0x00 - 0x07 */
4243 F6ALU(Lock, em_add),
4244 I(ImplicitOps | Stack | No64 | Src2ES, em_push_sreg),
4245 I(ImplicitOps | Stack | No64 | Src2ES, em_pop_sreg),
4246 /* 0x08 - 0x0F */
4247 F6ALU(Lock | PageTable, em_or),
4248 I(ImplicitOps | Stack | No64 | Src2CS, em_push_sreg),
4249 N,
4250 /* 0x10 - 0x17 */
4251 F6ALU(Lock, em_adc),
4252 I(ImplicitOps | Stack | No64 | Src2SS, em_push_sreg),
4253 I(ImplicitOps | Stack | No64 | Src2SS, em_pop_sreg),
4254 /* 0x18 - 0x1F */
4255 F6ALU(Lock, em_sbb),
4256 I(ImplicitOps | Stack | No64 | Src2DS, em_push_sreg),
4257 I(ImplicitOps | Stack | No64 | Src2DS, em_pop_sreg),
4258 /* 0x20 - 0x27 */
4259 F6ALU(Lock | PageTable, em_and), N, N,
4260 /* 0x28 - 0x2F */
4261 F6ALU(Lock, em_sub), N, I(ByteOp | DstAcc | No64, em_das),
4262 /* 0x30 - 0x37 */
4263 F6ALU(Lock, em_xor), N, N,
4264 /* 0x38 - 0x3F */
4265 F6ALU(NoWrite, em_cmp), N, N,
4266 /* 0x40 - 0x4F */
4267 X8(F(DstReg, em_inc)), X8(F(DstReg, em_dec)),
4268 /* 0x50 - 0x57 */
4269 X8(I(SrcReg | Stack, em_push)),
4270 /* 0x58 - 0x5F */
4271 X8(I(DstReg | Stack, em_pop)),
4272 /* 0x60 - 0x67 */
4273 I(ImplicitOps | Stack | No64, em_pusha),
4274 I(ImplicitOps | Stack | No64, em_popa),
4275 N, MD(ModRM, &mode_dual_63),
4276 N, N, N, N,
4277 /* 0x68 - 0x6F */
4278 I(SrcImm | Mov | Stack, em_push),
4279 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
4280 I(SrcImmByte | Mov | Stack, em_push),
4281 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
4282 I2bvIP(DstDI | SrcDX | Mov | String | Unaligned, em_in, ins, check_perm_in), /* insb, insw/insd */
4283 I2bvIP(SrcSI | DstDX | String, em_out, outs, check_perm_out), /* outsb, outsw/outsd */
4284 /* 0x70 - 0x7F */
4285 X16(D(SrcImmByte | NearBranch | IsBranch)),
4286 /* 0x80 - 0x87 */
4287 G(ByteOp | DstMem | SrcImm, group1),
4288 G(DstMem | SrcImm, group1),
4289 G(ByteOp | DstMem | SrcImm | No64, group1),
4290 G(DstMem | SrcImmByte, group1),
4291 F2bv(DstMem | SrcReg | ModRM | NoWrite, em_test),
4292 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_xchg),
4293 /* 0x88 - 0x8F */
4294 I2bv(DstMem | SrcReg | ModRM | Mov | PageTable, em_mov),
4295 I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
4296 I(DstMem | SrcNone | ModRM | Mov | PageTable, em_mov_rm_sreg),
4297 ID(0, &instr_dual_8d),
4298 I(ImplicitOps | SrcMem16 | ModRM, em_mov_sreg_rm),
4299 G(0, group1A),
4300 /* 0x90 - 0x97 */
4301 DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)),
4302 /* 0x98 - 0x9F */
4303 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
4304 I(SrcImmFAddr | No64 | IsBranch, em_call_far), N,
4305 II(ImplicitOps | Stack, em_pushf, pushf),
4306 II(ImplicitOps | Stack, em_popf, popf),
4307 I(ImplicitOps, em_sahf), I(ImplicitOps, em_lahf),
4308 /* 0xA0 - 0xA7 */
4309 I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
4310 I2bv(DstMem | SrcAcc | Mov | MemAbs | PageTable, em_mov),
4311 I2bv(SrcSI | DstDI | Mov | String | TwoMemOp, em_mov),
4312 F2bv(SrcSI | DstDI | String | NoWrite | TwoMemOp, em_cmp_r),
4313 /* 0xA8 - 0xAF */
4314 F2bv(DstAcc | SrcImm | NoWrite, em_test),
4315 I2bv(SrcAcc | DstDI | Mov | String, em_mov),
4316 I2bv(SrcSI | DstAcc | Mov | String, em_mov),
4317 F2bv(SrcAcc | DstDI | String | NoWrite, em_cmp_r),
4318 /* 0xB0 - 0xB7 */
4319 X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
4320 /* 0xB8 - 0xBF */
4321 X8(I(DstReg | SrcImm64 | Mov, em_mov)),
4322 /* 0xC0 - 0xC7 */
4323 G(ByteOp | Src2ImmByte, group2), G(Src2ImmByte, group2),
4324 I(ImplicitOps | NearBranch | SrcImmU16 | IsBranch, em_ret_near_imm),
4325 I(ImplicitOps | NearBranch | IsBranch, em_ret),
4326 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2ES, em_lseg),
4327 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2DS, em_lseg),
4328 G(ByteOp, group11), G(0, group11),
4329 /* 0xC8 - 0xCF */
4330 I(Stack | SrcImmU16 | Src2ImmByte | IsBranch, em_enter),
4331 I(Stack | IsBranch, em_leave),
4332 I(ImplicitOps | SrcImmU16 | IsBranch, em_ret_far_imm),
4333 I(ImplicitOps | IsBranch, em_ret_far),
4334 D(ImplicitOps | IsBranch), DI(SrcImmByte | IsBranch, intn),
4335 D(ImplicitOps | No64 | IsBranch),
4336 II(ImplicitOps | IsBranch, em_iret, iret),
4337 /* 0xD0 - 0xD7 */
4338 G(Src2One | ByteOp, group2), G(Src2One, group2),
4339 G(Src2CL | ByteOp, group2), G(Src2CL, group2),
4340 I(DstAcc | SrcImmUByte | No64, em_aam),
4341 I(DstAcc | SrcImmUByte | No64, em_aad),
4342 F(DstAcc | ByteOp | No64, em_salc),
4343 I(DstAcc | SrcXLat | ByteOp, em_mov),
4344 /* 0xD8 - 0xDF */
4345 N, E(0, &escape_d9), N, E(0, &escape_db), N, E(0, &escape_dd), N, N,
4346 /* 0xE0 - 0xE7 */
4347 X3(I(SrcImmByte | NearBranch | IsBranch, em_loop)),
4348 I(SrcImmByte | NearBranch | IsBranch, em_jcxz),
4349 I2bvIP(SrcImmUByte | DstAcc, em_in, in, check_perm_in),
4350 I2bvIP(SrcAcc | DstImmUByte, em_out, out, check_perm_out),
4351 /* 0xE8 - 0xEF */
4352 I(SrcImm | NearBranch | IsBranch, em_call),
4353 D(SrcImm | ImplicitOps | NearBranch | IsBranch),
4354 I(SrcImmFAddr | No64 | IsBranch, em_jmp_far),
4355 D(SrcImmByte | ImplicitOps | NearBranch | IsBranch),
4356 I2bvIP(SrcDX | DstAcc, em_in, in, check_perm_in),
4357 I2bvIP(SrcAcc | DstDX, em_out, out, check_perm_out),
4358 /* 0xF0 - 0xF7 */
4359 N, DI(ImplicitOps, icebp), N, N,
4360 DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
4361 G(ByteOp, group3), G(0, group3),
4362 /* 0xF8 - 0xFF */
4363 D(ImplicitOps), D(ImplicitOps),
4364 I(ImplicitOps, em_cli), I(ImplicitOps, em_sti),
4365 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
4366 };
4367
4368 static const struct opcode twobyte_table[256] = {
4369 /* 0x00 - 0x0F */
4370 G(0, group6), GD(0, &group7), N, N,
4371 N, I(ImplicitOps | EmulateOnUD | IsBranch, em_syscall),
4372 II(ImplicitOps | Priv, em_clts, clts), N,
4373 DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
4374 N, D(ImplicitOps | ModRM | SrcMem | NoAccess), N, N,
4375 /* 0x10 - 0x1F */
4376 GP(ModRM | DstReg | SrcMem | Mov | Sse, &pfx_0f_10_0f_11),
4377 GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_10_0f_11),
4378 N, N, N, N, N, N,
4379 D(ImplicitOps | ModRM | SrcMem | NoAccess), /* 4 * prefetch + 4 * reserved NOP */
4380 D(ImplicitOps | ModRM | SrcMem | NoAccess), N, N,
4381 D(ImplicitOps | ModRM | SrcMem | NoAccess), /* 8 * reserved NOP */
4382 D(ImplicitOps | ModRM | SrcMem | NoAccess), /* 8 * reserved NOP */
4383 D(ImplicitOps | ModRM | SrcMem | NoAccess), /* 8 * reserved NOP */
4384 D(ImplicitOps | ModRM | SrcMem | NoAccess), /* NOP + 7 * reserved NOP */
4385 /* 0x20 - 0x2F */
4386 DIP(ModRM | DstMem | Priv | Op3264 | NoMod, cr_read, check_cr_access),
4387 DIP(ModRM | DstMem | Priv | Op3264 | NoMod, dr_read, check_dr_read),
4388 IIP(ModRM | SrcMem | Priv | Op3264 | NoMod, em_cr_write, cr_write,
4389 check_cr_access),
4390 IIP(ModRM | SrcMem | Priv | Op3264 | NoMod, em_dr_write, dr_write,
4391 check_dr_write),
4392 N, N, N, N,
4393 GP(ModRM | DstReg | SrcMem | Mov | Sse, &pfx_0f_28_0f_29),
4394 GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_28_0f_29),
4395 N, GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_2b),
4396 N, N, N, N,
4397 /* 0x30 - 0x3F */
4398 II(ImplicitOps | Priv, em_wrmsr, wrmsr),
4399 IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
4400 II(ImplicitOps | Priv, em_rdmsr, rdmsr),
4401 IIP(ImplicitOps, em_rdpmc, rdpmc, check_rdpmc),
4402 I(ImplicitOps | EmulateOnUD | IsBranch, em_sysenter),
4403 I(ImplicitOps | Priv | EmulateOnUD | IsBranch, em_sysexit),
4404 N, N,
4405 N, N, N, N, N, N, N, N,
4406 /* 0x40 - 0x4F */
4407 X16(D(DstReg | SrcMem | ModRM)),
4408 /* 0x50 - 0x5F */
4409 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4410 /* 0x60 - 0x6F */
4411 N, N, N, N,
4412 N, N, N, N,
4413 N, N, N, N,
4414 N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
4415 /* 0x70 - 0x7F */
4416 N, N, N, N,
4417 N, N, N, N,
4418 N, N, N, N,
4419 N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
4420 /* 0x80 - 0x8F */
4421 X16(D(SrcImm | NearBranch | IsBranch)),
4422 /* 0x90 - 0x9F */
4423 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
4424 /* 0xA0 - 0xA7 */
4425 I(Stack | Src2FS, em_push_sreg), I(Stack | Src2FS, em_pop_sreg),
4426 II(ImplicitOps, em_cpuid, cpuid),
4427 F(DstMem | SrcReg | ModRM | BitOp | NoWrite, em_bt),
4428 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shld),
4429 F(DstMem | SrcReg | Src2CL | ModRM, em_shld), N, N,
4430 /* 0xA8 - 0xAF */
4431 I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg),
4432 II(EmulateOnUD | ImplicitOps, em_rsm, rsm),
4433 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
4434 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd),
4435 F(DstMem | SrcReg | Src2CL | ModRM, em_shrd),
4436 GD(0, &group15), F(DstReg | SrcMem | ModRM, em_imul),
4437 /* 0xB0 - 0xB7 */
4438 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable | SrcWrite, em_cmpxchg),
4439 I(DstReg | SrcMemFAddr | ModRM | Src2SS, em_lseg),
4440 F(DstMem | SrcReg | ModRM | BitOp | Lock, em_btr),
4441 I(DstReg | SrcMemFAddr | ModRM | Src2FS, em_lseg),
4442 I(DstReg | SrcMemFAddr | ModRM | Src2GS, em_lseg),
4443 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4444 /* 0xB8 - 0xBF */
4445 N, N,
4446 G(BitOp, group8),
4447 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_btc),
4448 I(DstReg | SrcMem | ModRM, em_bsf_c),
4449 I(DstReg | SrcMem | ModRM, em_bsr_c),
4450 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4451 /* 0xC0 - 0xC7 */
4452 F2bv(DstMem | SrcReg | ModRM | SrcWrite | Lock, em_xadd),
4453 N, ID(0, &instr_dual_0f_c3),
4454 N, N, N, GD(0, &group9),
4455 /* 0xC8 - 0xCF */
4456 X8(I(DstReg, em_bswap)),
4457 /* 0xD0 - 0xDF */
4458 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4459 /* 0xE0 - 0xEF */
4460 N, N, N, N, N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_e7),
4461 N, N, N, N, N, N, N, N,
4462 /* 0xF0 - 0xFF */
4463 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
4464 };
4465
4466 static const struct instr_dual instr_dual_0f_38_f0 = {
4467 I(DstReg | SrcMem | Mov, em_movbe), N
4468 };
4469
4470 static const struct instr_dual instr_dual_0f_38_f1 = {
4471 I(DstMem | SrcReg | Mov, em_movbe), N
4472 };
4473
4474 static const struct gprefix three_byte_0f_38_f0 = {
4475 ID(0, &instr_dual_0f_38_f0), ID(0, &instr_dual_0f_38_f0), N, N
4476 };
4477
4478 static const struct gprefix three_byte_0f_38_f1 = {
4479 ID(0, &instr_dual_0f_38_f1), ID(0, &instr_dual_0f_38_f1), N, N
4480 };
4481
4482 /*
4483 * Insns below are selected by the prefix which indexed by the third opcode
4484 * byte.
4485 */
4486 static const struct opcode opcode_map_0f_38[256] = {
4487 /* 0x00 - 0x7f */
4488 X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
4489 /* 0x80 - 0xef */
4490 X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
4491 /* 0xf0 - 0xf1 */
4492 GP(EmulateOnUD | ModRM, &three_byte_0f_38_f0),
4493 GP(EmulateOnUD | ModRM, &three_byte_0f_38_f1),
4494 /* 0xf2 - 0xff */
4495 N, N, X4(N), X8(N)
4496 };
4497
4498 #undef D
4499 #undef N
4500 #undef G
4501 #undef GD
4502 #undef I
4503 #undef GP
4504 #undef EXT
4505 #undef MD
4506 #undef ID
4507
4508 #undef D2bv
4509 #undef D2bvIP
4510 #undef I2bv
4511 #undef I2bvIP
4512 #undef I6ALU
4513
4514 static unsigned imm_size(struct x86_emulate_ctxt *ctxt)
4515 {
4516 unsigned size;
4517
4518 size = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4519 if (size == 8)
4520 size = 4;
4521 return size;
4522 }
4523
4524 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
4525 unsigned size, bool sign_extension)
4526 {
4527 int rc = X86EMUL_CONTINUE;
4528
4529 op->type = OP_IMM;
4530 op->bytes = size;
4531 op->addr.mem.ea = ctxt->_eip;
4532 /* NB. Immediates are sign-extended as necessary. */
4533 switch (op->bytes) {
4534 case 1:
4535 op->val = insn_fetch(s8, ctxt);
4536 break;
4537 case 2:
4538 op->val = insn_fetch(s16, ctxt);
4539 break;
4540 case 4:
4541 op->val = insn_fetch(s32, ctxt);
4542 break;
4543 case 8:
4544 op->val = insn_fetch(s64, ctxt);
4545 break;
4546 }
4547 if (!sign_extension) {
4548 switch (op->bytes) {
4549 case 1:
4550 op->val &= 0xff;
4551 break;
4552 case 2:
4553 op->val &= 0xffff;
4554 break;
4555 case 4:
4556 op->val &= 0xffffffff;
4557 break;
4558 }
4559 }
4560 done:
4561 return rc;
4562 }
4563
4564 static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
4565 unsigned d)
4566 {
4567 int rc = X86EMUL_CONTINUE;
4568
4569 switch (d) {
4570 case OpReg:
4571 decode_register_operand(ctxt, op);
4572 break;
4573 case OpImmUByte:
4574 rc = decode_imm(ctxt, op, 1, false);
4575 break;
4576 case OpMem:
4577 ctxt->memop.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4578 mem_common:
4579 *op = ctxt->memop;
4580 ctxt->memopp = op;
4581 if (ctxt->d & BitOp)
4582 fetch_bit_operand(ctxt);
4583 op->orig_val = op->val;
4584 break;
4585 case OpMem64:
4586 ctxt->memop.bytes = (ctxt->op_bytes == 8) ? 16 : 8;
4587 goto mem_common;
4588 case OpAcc:
4589 op->type = OP_REG;
4590 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4591 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4592 fetch_register_operand(op);
4593 op->orig_val = op->val;
4594 break;
4595 case OpAccLo:
4596 op->type = OP_REG;
4597 op->bytes = (ctxt->d & ByteOp) ? 2 : ctxt->op_bytes;
4598 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4599 fetch_register_operand(op);
4600 op->orig_val = op->val;
4601 break;
4602 case OpAccHi:
4603 if (ctxt->d & ByteOp) {
4604 op->type = OP_NONE;
4605 break;
4606 }
4607 op->type = OP_REG;
4608 op->bytes = ctxt->op_bytes;
4609 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4610 fetch_register_operand(op);
4611 op->orig_val = op->val;
4612 break;
4613 case OpDI:
4614 op->type = OP_MEM;
4615 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4616 op->addr.mem.ea =
4617 register_address(ctxt, VCPU_REGS_RDI);
4618 op->addr.mem.seg = VCPU_SREG_ES;
4619 op->val = 0;
4620 op->count = 1;
4621 break;
4622 case OpDX:
4623 op->type = OP_REG;
4624 op->bytes = 2;
4625 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4626 fetch_register_operand(op);
4627 break;
4628 case OpCL:
4629 op->type = OP_IMM;
4630 op->bytes = 1;
4631 op->val = reg_read(ctxt, VCPU_REGS_RCX) & 0xff;
4632 break;
4633 case OpImmByte:
4634 rc = decode_imm(ctxt, op, 1, true);
4635 break;
4636 case OpOne:
4637 op->type = OP_IMM;
4638 op->bytes = 1;
4639 op->val = 1;
4640 break;
4641 case OpImm:
4642 rc = decode_imm(ctxt, op, imm_size(ctxt), true);
4643 break;
4644 case OpImm64:
4645 rc = decode_imm(ctxt, op, ctxt->op_bytes, true);
4646 break;
4647 case OpMem8:
4648 ctxt->memop.bytes = 1;
4649 if (ctxt->memop.type == OP_REG) {
4650 ctxt->memop.addr.reg = decode_register(ctxt,
4651 ctxt->modrm_rm, true);
4652 fetch_register_operand(&ctxt->memop);
4653 }
4654 goto mem_common;
4655 case OpMem16:
4656 ctxt->memop.bytes = 2;
4657 goto mem_common;
4658 case OpMem32:
4659 ctxt->memop.bytes = 4;
4660 goto mem_common;
4661 case OpImmU16:
4662 rc = decode_imm(ctxt, op, 2, false);
4663 break;
4664 case OpImmU:
4665 rc = decode_imm(ctxt, op, imm_size(ctxt), false);
4666 break;
4667 case OpSI:
4668 op->type = OP_MEM;
4669 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4670 op->addr.mem.ea =
4671 register_address(ctxt, VCPU_REGS_RSI);
4672 op->addr.mem.seg = ctxt->seg_override;
4673 op->val = 0;
4674 op->count = 1;
4675 break;
4676 case OpXLat:
4677 op->type = OP_MEM;
4678 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4679 op->addr.mem.ea =
4680 address_mask(ctxt,
4681 reg_read(ctxt, VCPU_REGS_RBX) +
4682 (reg_read(ctxt, VCPU_REGS_RAX) & 0xff));
4683 op->addr.mem.seg = ctxt->seg_override;
4684 op->val = 0;
4685 break;
4686 case OpImmFAddr:
4687 op->type = OP_IMM;
4688 op->addr.mem.ea = ctxt->_eip;
4689 op->bytes = ctxt->op_bytes + 2;
4690 insn_fetch_arr(op->valptr, op->bytes, ctxt);
4691 break;
4692 case OpMemFAddr:
4693 ctxt->memop.bytes = ctxt->op_bytes + 2;
4694 goto mem_common;
4695 case OpES:
4696 op->type = OP_IMM;
4697 op->val = VCPU_SREG_ES;
4698 break;
4699 case OpCS:
4700 op->type = OP_IMM;
4701 op->val = VCPU_SREG_CS;
4702 break;
4703 case OpSS:
4704 op->type = OP_IMM;
4705 op->val = VCPU_SREG_SS;
4706 break;
4707 case OpDS:
4708 op->type = OP_IMM;
4709 op->val = VCPU_SREG_DS;
4710 break;
4711 case OpFS:
4712 op->type = OP_IMM;
4713 op->val = VCPU_SREG_FS;
4714 break;
4715 case OpGS:
4716 op->type = OP_IMM;
4717 op->val = VCPU_SREG_GS;
4718 break;
4719 case OpImplicit:
4720 /* Special instructions do their own operand decoding. */
4721 default:
4722 op->type = OP_NONE; /* Disable writeback. */
4723 break;
4724 }
4725
4726 done:
4727 return rc;
4728 }
4729
4730 int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len, int emulation_type)
4731 {
4732 int rc = X86EMUL_CONTINUE;
4733 int mode = ctxt->mode;
4734 int def_op_bytes, def_ad_bytes, goffset, simd_prefix;
4735 bool op_prefix = false;
4736 bool has_seg_override = false;
4737 struct opcode opcode;
4738 u16 dummy;
4739 struct desc_struct desc;
4740
4741 ctxt->memop.type = OP_NONE;
4742 ctxt->memopp = NULL;
4743 ctxt->_eip = ctxt->eip;
4744 ctxt->fetch.ptr = ctxt->fetch.data;
4745 ctxt->fetch.end = ctxt->fetch.data + insn_len;
4746 ctxt->opcode_len = 1;
4747 ctxt->intercept = x86_intercept_none;
4748 if (insn_len > 0)
4749 memcpy(ctxt->fetch.data, insn, insn_len);
4750 else {
4751 rc = __do_insn_fetch_bytes(ctxt, 1);
4752 if (rc != X86EMUL_CONTINUE)
4753 goto done;
4754 }
4755
4756 switch (mode) {
4757 case X86EMUL_MODE_REAL:
4758 case X86EMUL_MODE_VM86:
4759 def_op_bytes = def_ad_bytes = 2;
4760 ctxt->ops->get_segment(ctxt, &dummy, &desc, NULL, VCPU_SREG_CS);
4761 if (desc.d)
4762 def_op_bytes = def_ad_bytes = 4;
4763 break;
4764 case X86EMUL_MODE_PROT16:
4765 def_op_bytes = def_ad_bytes = 2;
4766 break;
4767 case X86EMUL_MODE_PROT32:
4768 def_op_bytes = def_ad_bytes = 4;
4769 break;
4770 #ifdef CONFIG_X86_64
4771 case X86EMUL_MODE_PROT64:
4772 def_op_bytes = 4;
4773 def_ad_bytes = 8;
4774 break;
4775 #endif
4776 default:
4777 return EMULATION_FAILED;
4778 }
4779
4780 ctxt->op_bytes = def_op_bytes;
4781 ctxt->ad_bytes = def_ad_bytes;
4782
4783 /* Legacy prefixes. */
4784 for (;;) {
4785 switch (ctxt->b = insn_fetch(u8, ctxt)) {
4786 case 0x66: /* operand-size override */
4787 op_prefix = true;
4788 /* switch between 2/4 bytes */
4789 ctxt->op_bytes = def_op_bytes ^ 6;
4790 break;
4791 case 0x67: /* address-size override */
4792 if (mode == X86EMUL_MODE_PROT64)
4793 /* switch between 4/8 bytes */
4794 ctxt->ad_bytes = def_ad_bytes ^ 12;
4795 else
4796 /* switch between 2/4 bytes */
4797 ctxt->ad_bytes = def_ad_bytes ^ 6;
4798 break;
4799 case 0x26: /* ES override */
4800 has_seg_override = true;
4801 ctxt->seg_override = VCPU_SREG_ES;
4802 break;
4803 case 0x2e: /* CS override */
4804 has_seg_override = true;
4805 ctxt->seg_override = VCPU_SREG_CS;
4806 break;
4807 case 0x36: /* SS override */
4808 has_seg_override = true;
4809 ctxt->seg_override = VCPU_SREG_SS;
4810 break;
4811 case 0x3e: /* DS override */
4812 has_seg_override = true;
4813 ctxt->seg_override = VCPU_SREG_DS;
4814 break;
4815 case 0x64: /* FS override */
4816 has_seg_override = true;
4817 ctxt->seg_override = VCPU_SREG_FS;
4818 break;
4819 case 0x65: /* GS override */
4820 has_seg_override = true;
4821 ctxt->seg_override = VCPU_SREG_GS;
4822 break;
4823 case 0x40 ... 0x4f: /* REX */
4824 if (mode != X86EMUL_MODE_PROT64)
4825 goto done_prefixes;
4826 ctxt->rex_prefix = ctxt->b;
4827 continue;
4828 case 0xf0: /* LOCK */
4829 ctxt->lock_prefix = 1;
4830 break;
4831 case 0xf2: /* REPNE/REPNZ */
4832 case 0xf3: /* REP/REPE/REPZ */
4833 ctxt->rep_prefix = ctxt->b;
4834 break;
4835 default:
4836 goto done_prefixes;
4837 }
4838
4839 /* Any legacy prefix after a REX prefix nullifies its effect. */
4840
4841 ctxt->rex_prefix = 0;
4842 }
4843
4844 done_prefixes:
4845
4846 /* REX prefix. */
4847 if (ctxt->rex_prefix & 8)
4848 ctxt->op_bytes = 8; /* REX.W */
4849
4850 /* Opcode byte(s). */
4851 opcode = opcode_table[ctxt->b];
4852 /* Two-byte opcode? */
4853 if (ctxt->b == 0x0f) {
4854 ctxt->opcode_len = 2;
4855 ctxt->b = insn_fetch(u8, ctxt);
4856 opcode = twobyte_table[ctxt->b];
4857
4858 /* 0F_38 opcode map */
4859 if (ctxt->b == 0x38) {
4860 ctxt->opcode_len = 3;
4861 ctxt->b = insn_fetch(u8, ctxt);
4862 opcode = opcode_map_0f_38[ctxt->b];
4863 }
4864 }
4865 ctxt->d = opcode.flags;
4866
4867 if (ctxt->d & ModRM)
4868 ctxt->modrm = insn_fetch(u8, ctxt);
4869
4870 /* vex-prefix instructions are not implemented */
4871 if (ctxt->opcode_len == 1 && (ctxt->b == 0xc5 || ctxt->b == 0xc4) &&
4872 (mode == X86EMUL_MODE_PROT64 || (ctxt->modrm & 0xc0) == 0xc0)) {
4873 ctxt->d = NotImpl;
4874 }
4875
4876 while (ctxt->d & GroupMask) {
4877 switch (ctxt->d & GroupMask) {
4878 case Group:
4879 goffset = (ctxt->modrm >> 3) & 7;
4880 opcode = opcode.u.group[goffset];
4881 break;
4882 case GroupDual:
4883 goffset = (ctxt->modrm >> 3) & 7;
4884 if ((ctxt->modrm >> 6) == 3)
4885 opcode = opcode.u.gdual->mod3[goffset];
4886 else
4887 opcode = opcode.u.gdual->mod012[goffset];
4888 break;
4889 case RMExt:
4890 goffset = ctxt->modrm & 7;
4891 opcode = opcode.u.group[goffset];
4892 break;
4893 case Prefix:
4894 if (ctxt->rep_prefix && op_prefix)
4895 return EMULATION_FAILED;
4896 simd_prefix = op_prefix ? 0x66 : ctxt->rep_prefix;
4897 switch (simd_prefix) {
4898 case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
4899 case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
4900 case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
4901 case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
4902 }
4903 break;
4904 case Escape:
4905 if (ctxt->modrm > 0xbf) {
4906 size_t size = ARRAY_SIZE(opcode.u.esc->high);
4907 u32 index = array_index_nospec(
4908 ctxt->modrm - 0xc0, size);
4909
4910 opcode = opcode.u.esc->high[index];
4911 } else {
4912 opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7];
4913 }
4914 break;
4915 case InstrDual:
4916 if ((ctxt->modrm >> 6) == 3)
4917 opcode = opcode.u.idual->mod3;
4918 else
4919 opcode = opcode.u.idual->mod012;
4920 break;
4921 case ModeDual:
4922 if (ctxt->mode == X86EMUL_MODE_PROT64)
4923 opcode = opcode.u.mdual->mode64;
4924 else
4925 opcode = opcode.u.mdual->mode32;
4926 break;
4927 default:
4928 return EMULATION_FAILED;
4929 }
4930
4931 ctxt->d &= ~(u64)GroupMask;
4932 ctxt->d |= opcode.flags;
4933 }
4934
4935 ctxt->is_branch = opcode.flags & IsBranch;
4936
4937 /* Unrecognised? */
4938 if (ctxt->d == 0)
4939 return EMULATION_FAILED;
4940
4941 ctxt->execute = opcode.u.execute;
4942
4943 if (unlikely(emulation_type & EMULTYPE_TRAP_UD) &&
4944 likely(!(ctxt->d & EmulateOnUD)))
4945 return EMULATION_FAILED;
4946
4947 if (unlikely(ctxt->d &
4948 (NotImpl|Stack|Op3264|Sse|Mmx|Intercept|CheckPerm|NearBranch|
4949 No16))) {
4950 /*
4951 * These are copied unconditionally here, and checked unconditionally
4952 * in x86_emulate_insn.
4953 */
4954 ctxt->check_perm = opcode.check_perm;
4955 ctxt->intercept = opcode.intercept;
4956
4957 if (ctxt->d & NotImpl)
4958 return EMULATION_FAILED;
4959
4960 if (mode == X86EMUL_MODE_PROT64) {
4961 if (ctxt->op_bytes == 4 && (ctxt->d & Stack))
4962 ctxt->op_bytes = 8;
4963 else if (ctxt->d & NearBranch)
4964 ctxt->op_bytes = 8;
4965 }
4966
4967 if (ctxt->d & Op3264) {
4968 if (mode == X86EMUL_MODE_PROT64)
4969 ctxt->op_bytes = 8;
4970 else
4971 ctxt->op_bytes = 4;
4972 }
4973
4974 if ((ctxt->d & No16) && ctxt->op_bytes == 2)
4975 ctxt->op_bytes = 4;
4976
4977 if (ctxt->d & Sse)
4978 ctxt->op_bytes = 16;
4979 else if (ctxt->d & Mmx)
4980 ctxt->op_bytes = 8;
4981 }
4982
4983 /* ModRM and SIB bytes. */
4984 if (ctxt->d & ModRM) {
4985 rc = decode_modrm(ctxt, &ctxt->memop);
4986 if (!has_seg_override) {
4987 has_seg_override = true;
4988 ctxt->seg_override = ctxt->modrm_seg;
4989 }
4990 } else if (ctxt->d & MemAbs)
4991 rc = decode_abs(ctxt, &ctxt->memop);
4992 if (rc != X86EMUL_CONTINUE)
4993 goto done;
4994
4995 if (!has_seg_override)
4996 ctxt->seg_override = VCPU_SREG_DS;
4997
4998 ctxt->memop.addr.mem.seg = ctxt->seg_override;
4999
5000 /*
5001 * Decode and fetch the source operand: register, memory
5002 * or immediate.
5003 */
5004 rc = decode_operand(ctxt, &ctxt->src, (ctxt->d >> SrcShift) & OpMask);
5005 if (rc != X86EMUL_CONTINUE)
5006 goto done;
5007
5008 /*
5009 * Decode and fetch the second source operand: register, memory
5010 * or immediate.
5011 */
5012 rc = decode_operand(ctxt, &ctxt->src2, (ctxt->d >> Src2Shift) & OpMask);
5013 if (rc != X86EMUL_CONTINUE)
5014 goto done;
5015
5016 /* Decode and fetch the destination operand: register or memory. */
5017 rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
5018
5019 if (ctxt->rip_relative && likely(ctxt->memopp))
5020 ctxt->memopp->addr.mem.ea = address_mask(ctxt,
5021 ctxt->memopp->addr.mem.ea + ctxt->_eip);
5022
5023 done:
5024 if (rc == X86EMUL_PROPAGATE_FAULT)
5025 ctxt->have_exception = true;
5026 return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
5027 }
5028
5029 bool x86_page_table_writing_insn(struct x86_emulate_ctxt *ctxt)
5030 {
5031 return ctxt->d & PageTable;
5032 }
5033
5034 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
5035 {
5036 /* The second termination condition only applies for REPE
5037 * and REPNE. Test if the repeat string operation prefix is
5038 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
5039 * corresponding termination condition according to:
5040 * - if REPE/REPZ and ZF = 0 then done
5041 * - if REPNE/REPNZ and ZF = 1 then done
5042 */
5043 if (((ctxt->b == 0xa6) || (ctxt->b == 0xa7) ||
5044 (ctxt->b == 0xae) || (ctxt->b == 0xaf))
5045 && (((ctxt->rep_prefix == REPE_PREFIX) &&
5046 ((ctxt->eflags & X86_EFLAGS_ZF) == 0))
5047 || ((ctxt->rep_prefix == REPNE_PREFIX) &&
5048 ((ctxt->eflags & X86_EFLAGS_ZF) == X86_EFLAGS_ZF))))
5049 return true;
5050
5051 return false;
5052 }
5053
5054 static int flush_pending_x87_faults(struct x86_emulate_ctxt *ctxt)
5055 {
5056 int rc;
5057
5058 kvm_fpu_get();
5059 rc = asm_safe("fwait");
5060 kvm_fpu_put();
5061
5062 if (unlikely(rc != X86EMUL_CONTINUE))
5063 return emulate_exception(ctxt, MF_VECTOR, 0, false);
5064
5065 return X86EMUL_CONTINUE;
5066 }
5067
5068 static void fetch_possible_mmx_operand(struct operand *op)
5069 {
5070 if (op->type == OP_MM)
5071 kvm_read_mmx_reg(op->addr.mm, &op->mm_val);
5072 }
5073
5074 static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop)
5075 {
5076 ulong flags = (ctxt->eflags & EFLAGS_MASK) | X86_EFLAGS_IF;
5077
5078 if (!(ctxt->d & ByteOp))
5079 fop += __ffs(ctxt->dst.bytes) * FASTOP_SIZE;
5080
5081 asm("push %[flags]; popf; " CALL_NOSPEC " ; pushf; pop %[flags]\n"
5082 : "+a"(ctxt->dst.val), "+d"(ctxt->src.val), [flags]"+D"(flags),
5083 [thunk_target]"+S"(fop), ASM_CALL_CONSTRAINT
5084 : "c"(ctxt->src2.val));
5085
5086 ctxt->eflags = (ctxt->eflags & ~EFLAGS_MASK) | (flags & EFLAGS_MASK);
5087 if (!fop) /* exception is returned in fop variable */
5088 return emulate_de(ctxt);
5089 return X86EMUL_CONTINUE;
5090 }
5091
5092 void init_decode_cache(struct x86_emulate_ctxt *ctxt)
5093 {
5094 /* Clear fields that are set conditionally but read without a guard. */
5095 ctxt->rip_relative = false;
5096 ctxt->rex_prefix = 0;
5097 ctxt->lock_prefix = 0;
5098 ctxt->rep_prefix = 0;
5099 ctxt->regs_valid = 0;
5100 ctxt->regs_dirty = 0;
5101
5102 ctxt->io_read.pos = 0;
5103 ctxt->io_read.end = 0;
5104 ctxt->mem_read.end = 0;
5105 }
5106
5107 int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
5108 {
5109 const struct x86_emulate_ops *ops = ctxt->ops;
5110 int rc = X86EMUL_CONTINUE;
5111 int saved_dst_type = ctxt->dst.type;
5112 bool is_guest_mode = ctxt->ops->is_guest_mode(ctxt);
5113
5114 ctxt->mem_read.pos = 0;
5115
5116 /* LOCK prefix is allowed only with some instructions */
5117 if (ctxt->lock_prefix && (!(ctxt->d & Lock) || ctxt->dst.type != OP_MEM)) {
5118 rc = emulate_ud(ctxt);
5119 goto done;
5120 }
5121
5122 if ((ctxt->d & SrcMask) == SrcMemFAddr && ctxt->src.type != OP_MEM) {
5123 rc = emulate_ud(ctxt);
5124 goto done;
5125 }
5126
5127 if (unlikely(ctxt->d &
5128 (No64|Undefined|Sse|Mmx|Intercept|CheckPerm|Priv|Prot|String))) {
5129 if ((ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) ||
5130 (ctxt->d & Undefined)) {
5131 rc = emulate_ud(ctxt);
5132 goto done;
5133 }
5134
5135 if (((ctxt->d & (Sse|Mmx)) && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)))
5136 || ((ctxt->d & Sse) && !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
5137 rc = emulate_ud(ctxt);
5138 goto done;
5139 }
5140
5141 if ((ctxt->d & (Sse|Mmx)) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
5142 rc = emulate_nm(ctxt);
5143 goto done;
5144 }
5145
5146 if (ctxt->d & Mmx) {
5147 rc = flush_pending_x87_faults(ctxt);
5148 if (rc != X86EMUL_CONTINUE)
5149 goto done;
5150 /*
5151 * Now that we know the fpu is exception safe, we can fetch
5152 * operands from it.
5153 */
5154 fetch_possible_mmx_operand(&ctxt->src);
5155 fetch_possible_mmx_operand(&ctxt->src2);
5156 if (!(ctxt->d & Mov))
5157 fetch_possible_mmx_operand(&ctxt->dst);
5158 }
5159
5160 if (unlikely(is_guest_mode) && ctxt->intercept) {
5161 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5162 X86_ICPT_PRE_EXCEPT);
5163 if (rc != X86EMUL_CONTINUE)
5164 goto done;
5165 }
5166
5167 /* Instruction can only be executed in protected mode */
5168 if ((ctxt->d & Prot) && ctxt->mode < X86EMUL_MODE_PROT16) {
5169 rc = emulate_ud(ctxt);
5170 goto done;
5171 }
5172
5173 /* Privileged instruction can be executed only in CPL=0 */
5174 if ((ctxt->d & Priv) && ops->cpl(ctxt)) {
5175 if (ctxt->d & PrivUD)
5176 rc = emulate_ud(ctxt);
5177 else
5178 rc = emulate_gp(ctxt, 0);
5179 goto done;
5180 }
5181
5182 /* Do instruction specific permission checks */
5183 if (ctxt->d & CheckPerm) {
5184 rc = ctxt->check_perm(ctxt);
5185 if (rc != X86EMUL_CONTINUE)
5186 goto done;
5187 }
5188
5189 if (unlikely(is_guest_mode) && (ctxt->d & Intercept)) {
5190 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5191 X86_ICPT_POST_EXCEPT);
5192 if (rc != X86EMUL_CONTINUE)
5193 goto done;
5194 }
5195
5196 if (ctxt->rep_prefix && (ctxt->d & String)) {
5197 /* All REP prefixes have the same first termination condition */
5198 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0) {
5199 string_registers_quirk(ctxt);
5200 ctxt->eip = ctxt->_eip;
5201 ctxt->eflags &= ~X86_EFLAGS_RF;
5202 goto done;
5203 }
5204 }
5205 }
5206
5207 if ((ctxt->src.type == OP_MEM) && !(ctxt->d & NoAccess)) {
5208 rc = segmented_read(ctxt, ctxt->src.addr.mem,
5209 ctxt->src.valptr, ctxt->src.bytes);
5210 if (rc != X86EMUL_CONTINUE)
5211 goto done;
5212 ctxt->src.orig_val64 = ctxt->src.val64;
5213 }
5214
5215 if (ctxt->src2.type == OP_MEM) {
5216 rc = segmented_read(ctxt, ctxt->src2.addr.mem,
5217 &ctxt->src2.val, ctxt->src2.bytes);
5218 if (rc != X86EMUL_CONTINUE)
5219 goto done;
5220 }
5221
5222 if ((ctxt->d & DstMask) == ImplicitOps)
5223 goto special_insn;
5224
5225
5226 if ((ctxt->dst.type == OP_MEM) && !(ctxt->d & Mov)) {
5227 /* optimisation - avoid slow emulated read if Mov */
5228 rc = segmented_read(ctxt, ctxt->dst.addr.mem,
5229 &ctxt->dst.val, ctxt->dst.bytes);
5230 if (rc != X86EMUL_CONTINUE) {
5231 if (!(ctxt->d & NoWrite) &&
5232 rc == X86EMUL_PROPAGATE_FAULT &&
5233 ctxt->exception.vector == PF_VECTOR)
5234 ctxt->exception.error_code |= PFERR_WRITE_MASK;
5235 goto done;
5236 }
5237 }
5238 /* Copy full 64-bit value for CMPXCHG8B. */
5239 ctxt->dst.orig_val64 = ctxt->dst.val64;
5240
5241 special_insn:
5242
5243 if (unlikely(is_guest_mode) && (ctxt->d & Intercept)) {
5244 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5245 X86_ICPT_POST_MEMACCESS);
5246 if (rc != X86EMUL_CONTINUE)
5247 goto done;
5248 }
5249
5250 if (ctxt->rep_prefix && (ctxt->d & String))
5251 ctxt->eflags |= X86_EFLAGS_RF;
5252 else
5253 ctxt->eflags &= ~X86_EFLAGS_RF;
5254
5255 if (ctxt->execute) {
5256 if (ctxt->d & Fastop)
5257 rc = fastop(ctxt, ctxt->fop);
5258 else
5259 rc = ctxt->execute(ctxt);
5260 if (rc != X86EMUL_CONTINUE)
5261 goto done;
5262 goto writeback;
5263 }
5264
5265 if (ctxt->opcode_len == 2)
5266 goto twobyte_insn;
5267 else if (ctxt->opcode_len == 3)
5268 goto threebyte_insn;
5269
5270 switch (ctxt->b) {
5271 case 0x70 ... 0x7f: /* jcc (short) */
5272 if (test_cc(ctxt->b, ctxt->eflags))
5273 rc = jmp_rel(ctxt, ctxt->src.val);
5274 break;
5275 case 0x8d: /* lea r16/r32, m */
5276 ctxt->dst.val = ctxt->src.addr.mem.ea;
5277 break;
5278 case 0x90 ... 0x97: /* nop / xchg reg, rax */
5279 if (ctxt->dst.addr.reg == reg_rmw(ctxt, VCPU_REGS_RAX))
5280 ctxt->dst.type = OP_NONE;
5281 else
5282 rc = em_xchg(ctxt);
5283 break;
5284 case 0x98: /* cbw/cwde/cdqe */
5285 switch (ctxt->op_bytes) {
5286 case 2: ctxt->dst.val = (s8)ctxt->dst.val; break;
5287 case 4: ctxt->dst.val = (s16)ctxt->dst.val; break;
5288 case 8: ctxt->dst.val = (s32)ctxt->dst.val; break;
5289 }
5290 break;
5291 case 0xcc: /* int3 */
5292 rc = emulate_int(ctxt, 3);
5293 break;
5294 case 0xcd: /* int n */
5295 rc = emulate_int(ctxt, ctxt->src.val);
5296 break;
5297 case 0xce: /* into */
5298 if (ctxt->eflags & X86_EFLAGS_OF)
5299 rc = emulate_int(ctxt, 4);
5300 break;
5301 case 0xe9: /* jmp rel */
5302 case 0xeb: /* jmp rel short */
5303 rc = jmp_rel(ctxt, ctxt->src.val);
5304 ctxt->dst.type = OP_NONE; /* Disable writeback. */
5305 break;
5306 case 0xf4: /* hlt */
5307 ctxt->ops->halt(ctxt);
5308 break;
5309 case 0xf5: /* cmc */
5310 /* complement carry flag from eflags reg */
5311 ctxt->eflags ^= X86_EFLAGS_CF;
5312 break;
5313 case 0xf8: /* clc */
5314 ctxt->eflags &= ~X86_EFLAGS_CF;
5315 break;
5316 case 0xf9: /* stc */
5317 ctxt->eflags |= X86_EFLAGS_CF;
5318 break;
5319 case 0xfc: /* cld */
5320 ctxt->eflags &= ~X86_EFLAGS_DF;
5321 break;
5322 case 0xfd: /* std */
5323 ctxt->eflags |= X86_EFLAGS_DF;
5324 break;
5325 default:
5326 goto cannot_emulate;
5327 }
5328
5329 if (rc != X86EMUL_CONTINUE)
5330 goto done;
5331
5332 writeback:
5333 if (ctxt->d & SrcWrite) {
5334 BUG_ON(ctxt->src.type == OP_MEM || ctxt->src.type == OP_MEM_STR);
5335 rc = writeback(ctxt, &ctxt->src);
5336 if (rc != X86EMUL_CONTINUE)
5337 goto done;
5338 }
5339 if (!(ctxt->d & NoWrite)) {
5340 rc = writeback(ctxt, &ctxt->dst);
5341 if (rc != X86EMUL_CONTINUE)
5342 goto done;
5343 }
5344
5345 /*
5346 * restore dst type in case the decoding will be reused
5347 * (happens for string instruction )
5348 */
5349 ctxt->dst.type = saved_dst_type;
5350
5351 if ((ctxt->d & SrcMask) == SrcSI)
5352 string_addr_inc(ctxt, VCPU_REGS_RSI, &ctxt->src);
5353
5354 if ((ctxt->d & DstMask) == DstDI)
5355 string_addr_inc(ctxt, VCPU_REGS_RDI, &ctxt->dst);
5356
5357 if (ctxt->rep_prefix && (ctxt->d & String)) {
5358 unsigned int count;
5359 struct read_cache *r = &ctxt->io_read;
5360 if ((ctxt->d & SrcMask) == SrcSI)
5361 count = ctxt->src.count;
5362 else
5363 count = ctxt->dst.count;
5364 register_address_increment(ctxt, VCPU_REGS_RCX, -count);
5365
5366 if (!string_insn_completed(ctxt)) {
5367 /*
5368 * Re-enter guest when pio read ahead buffer is empty
5369 * or, if it is not used, after each 1024 iteration.
5370 */
5371 if ((r->end != 0 || reg_read(ctxt, VCPU_REGS_RCX) & 0x3ff) &&
5372 (r->end == 0 || r->end != r->pos)) {
5373 /*
5374 * Reset read cache. Usually happens before
5375 * decode, but since instruction is restarted
5376 * we have to do it here.
5377 */
5378 ctxt->mem_read.end = 0;
5379 writeback_registers(ctxt);
5380 return EMULATION_RESTART;
5381 }
5382 goto done; /* skip rip writeback */
5383 }
5384 ctxt->eflags &= ~X86_EFLAGS_RF;
5385 }
5386
5387 ctxt->eip = ctxt->_eip;
5388 if (ctxt->mode != X86EMUL_MODE_PROT64)
5389 ctxt->eip = (u32)ctxt->_eip;
5390
5391 done:
5392 if (rc == X86EMUL_PROPAGATE_FAULT) {
5393 if (KVM_EMULATOR_BUG_ON(ctxt->exception.vector > 0x1f, ctxt))
5394 return EMULATION_FAILED;
5395 ctxt->have_exception = true;
5396 }
5397 if (rc == X86EMUL_INTERCEPTED)
5398 return EMULATION_INTERCEPTED;
5399
5400 if (rc == X86EMUL_CONTINUE)
5401 writeback_registers(ctxt);
5402
5403 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
5404
5405 twobyte_insn:
5406 switch (ctxt->b) {
5407 case 0x09: /* wbinvd */
5408 (ctxt->ops->wbinvd)(ctxt);
5409 break;
5410 case 0x08: /* invd */
5411 case 0x0d: /* GrpP (prefetch) */
5412 case 0x18: /* Grp16 (prefetch/nop) */
5413 case 0x1f: /* nop */
5414 break;
5415 case 0x20: /* mov cr, reg */
5416 ctxt->dst.val = ops->get_cr(ctxt, ctxt->modrm_reg);
5417 break;
5418 case 0x21: /* mov from dr to reg */
5419 ctxt->dst.val = ops->get_dr(ctxt, ctxt->modrm_reg);
5420 break;
5421 case 0x40 ... 0x4f: /* cmov */
5422 if (test_cc(ctxt->b, ctxt->eflags))
5423 ctxt->dst.val = ctxt->src.val;
5424 else if (ctxt->op_bytes != 4)
5425 ctxt->dst.type = OP_NONE; /* no writeback */
5426 break;
5427 case 0x80 ... 0x8f: /* jnz rel, etc*/
5428 if (test_cc(ctxt->b, ctxt->eflags))
5429 rc = jmp_rel(ctxt, ctxt->src.val);
5430 break;
5431 case 0x90 ... 0x9f: /* setcc r/m8 */
5432 ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
5433 break;
5434 case 0xb6 ... 0xb7: /* movzx */
5435 ctxt->dst.bytes = ctxt->op_bytes;
5436 ctxt->dst.val = (ctxt->src.bytes == 1) ? (u8) ctxt->src.val
5437 : (u16) ctxt->src.val;
5438 break;
5439 case 0xbe ... 0xbf: /* movsx */
5440 ctxt->dst.bytes = ctxt->op_bytes;
5441 ctxt->dst.val = (ctxt->src.bytes == 1) ? (s8) ctxt->src.val :
5442 (s16) ctxt->src.val;
5443 break;
5444 default:
5445 goto cannot_emulate;
5446 }
5447
5448 threebyte_insn:
5449
5450 if (rc != X86EMUL_CONTINUE)
5451 goto done;
5452
5453 goto writeback;
5454
5455 cannot_emulate:
5456 return EMULATION_FAILED;
5457 }
5458
5459 void emulator_invalidate_register_cache(struct x86_emulate_ctxt *ctxt)
5460 {
5461 invalidate_registers(ctxt);
5462 }
5463
5464 void emulator_writeback_register_cache(struct x86_emulate_ctxt *ctxt)
5465 {
5466 writeback_registers(ctxt);
5467 }
5468
5469 bool emulator_can_use_gpa(struct x86_emulate_ctxt *ctxt)
5470 {
5471 if (ctxt->rep_prefix && (ctxt->d & String))
5472 return false;
5473
5474 if (ctxt->d & TwoMemOp)
5475 return false;
5476
5477 return true;
5478 }
Kernel DRM miscellaneous fixes and cross-tree changes