search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ALSA: hda - Add the top speaker pin config for HP Spectre x360
[linux/fpc-iii.git] / arch / x86 / kvm / emulate.c
blob4e95d3eb29557bcb99219fddb7b909e23ff3b090
1 /******************************************************************************
2 * emulate.c
3 *
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5 *
6 * Copyright (c) 2005 Keir Fraser
7 *
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
10 *
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
13 *
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
16 *
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
19 *
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
21 */
22
23 #include <linux/kvm_host.h>
24 #include "kvm_cache_regs.h"
25 #include <asm/kvm_emulate.h>
26 #include <linux/stringify.h>
27 #include <asm/debugreg.h>
28
29 #include "x86.h"
30 #include "tss.h"
31
32 /*
33 * Operand types
34 */
35 #define OpNone 0ull
36 #define OpImplicit 1ull /* No generic decode */
37 #define OpReg 2ull /* Register */
38 #define OpMem 3ull /* Memory */
39 #define OpAcc 4ull /* Accumulator: AL/AX/EAX/RAX */
40 #define OpDI 5ull /* ES:DI/EDI/RDI */
41 #define OpMem64 6ull /* Memory, 64-bit */
42 #define OpImmUByte 7ull /* Zero-extended 8-bit immediate */
43 #define OpDX 8ull /* DX register */
44 #define OpCL 9ull /* CL register (for shifts) */
45 #define OpImmByte 10ull /* 8-bit sign extended immediate */
46 #define OpOne 11ull /* Implied 1 */
47 #define OpImm 12ull /* Sign extended up to 32-bit immediate */
48 #define OpMem16 13ull /* Memory operand (16-bit). */
49 #define OpMem32 14ull /* Memory operand (32-bit). */
50 #define OpImmU 15ull /* Immediate operand, zero extended */
51 #define OpSI 16ull /* SI/ESI/RSI */
52 #define OpImmFAddr 17ull /* Immediate far address */
53 #define OpMemFAddr 18ull /* Far address in memory */
54 #define OpImmU16 19ull /* Immediate operand, 16 bits, zero extended */
55 #define OpES 20ull /* ES */
56 #define OpCS 21ull /* CS */
57 #define OpSS 22ull /* SS */
58 #define OpDS 23ull /* DS */
59 #define OpFS 24ull /* FS */
60 #define OpGS 25ull /* GS */
61 #define OpMem8 26ull /* 8-bit zero extended memory operand */
62 #define OpImm64 27ull /* Sign extended 16/32/64-bit immediate */
63 #define OpXLat 28ull /* memory at BX/EBX/RBX + zero-extended AL */
64 #define OpAccLo 29ull /* Low part of extended acc (AX/AX/EAX/RAX) */
65 #define OpAccHi 30ull /* High part of extended acc (-/DX/EDX/RDX) */
66
67 #define OpBits 5 /* Width of operand field */
68 #define OpMask ((1ull << OpBits) - 1)
69
70 /*
71 * Opcode effective-address decode tables.
72 * Note that we only emulate instructions that have at least one memory
73 * operand (excluding implicit stack references). We assume that stack
74 * references and instruction fetches will never occur in special memory
75 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
76 * not be handled.
77 */
78
79 /* Operand sizes: 8-bit operands or specified/overridden size. */
80 #define ByteOp (1<<0) /* 8-bit operands. */
81 /* Destination operand type. */
82 #define DstShift 1
83 #define ImplicitOps (OpImplicit << DstShift)
84 #define DstReg (OpReg << DstShift)
85 #define DstMem (OpMem << DstShift)
86 #define DstAcc (OpAcc << DstShift)
87 #define DstDI (OpDI << DstShift)
88 #define DstMem64 (OpMem64 << DstShift)
89 #define DstMem16 (OpMem16 << DstShift)
90 #define DstImmUByte (OpImmUByte << DstShift)
91 #define DstDX (OpDX << DstShift)
92 #define DstAccLo (OpAccLo << DstShift)
93 #define DstMask (OpMask << DstShift)
94 /* Source operand type. */
95 #define SrcShift 6
96 #define SrcNone (OpNone << SrcShift)
97 #define SrcReg (OpReg << SrcShift)
98 #define SrcMem (OpMem << SrcShift)
99 #define SrcMem16 (OpMem16 << SrcShift)
100 #define SrcMem32 (OpMem32 << SrcShift)
101 #define SrcImm (OpImm << SrcShift)
102 #define SrcImmByte (OpImmByte << SrcShift)
103 #define SrcOne (OpOne << SrcShift)
104 #define SrcImmUByte (OpImmUByte << SrcShift)
105 #define SrcImmU (OpImmU << SrcShift)
106 #define SrcSI (OpSI << SrcShift)
107 #define SrcXLat (OpXLat << SrcShift)
108 #define SrcImmFAddr (OpImmFAddr << SrcShift)
109 #define SrcMemFAddr (OpMemFAddr << SrcShift)
110 #define SrcAcc (OpAcc << SrcShift)
111 #define SrcImmU16 (OpImmU16 << SrcShift)
112 #define SrcImm64 (OpImm64 << SrcShift)
113 #define SrcDX (OpDX << SrcShift)
114 #define SrcMem8 (OpMem8 << SrcShift)
115 #define SrcAccHi (OpAccHi << SrcShift)
116 #define SrcMask (OpMask << SrcShift)
117 #define BitOp (1<<11)
118 #define MemAbs (1<<12) /* Memory operand is absolute displacement */
119 #define String (1<<13) /* String instruction (rep capable) */
120 #define Stack (1<<14) /* Stack instruction (push/pop) */
121 #define GroupMask (7<<15) /* Opcode uses one of the group mechanisms */
122 #define Group (1<<15) /* Bits 3:5 of modrm byte extend opcode */
123 #define GroupDual (2<<15) /* Alternate decoding of mod == 3 */
124 #define Prefix (3<<15) /* Instruction varies with 66/f2/f3 prefix */
125 #define RMExt (4<<15) /* Opcode extension in ModRM r/m if mod == 3 */
126 #define Escape (5<<15) /* Escape to coprocessor instruction */
127 #define InstrDual (6<<15) /* Alternate instruction decoding of mod == 3 */
128 #define ModeDual (7<<15) /* Different instruction for 32/64 bit */
129 #define Sse (1<<18) /* SSE Vector instruction */
130 /* Generic ModRM decode. */
131 #define ModRM (1<<19)
132 /* Destination is only written; never read. */
133 #define Mov (1<<20)
134 /* Misc flags */
135 #define Prot (1<<21) /* instruction generates #UD if not in prot-mode */
136 #define EmulateOnUD (1<<22) /* Emulate if unsupported by the host */
137 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
138 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
139 #define Undefined (1<<25) /* No Such Instruction */
140 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
141 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
142 #define No64 (1<<28)
143 #define PageTable (1 << 29) /* instruction used to write page table */
144 #define NotImpl (1 << 30) /* instruction is not implemented */
145 /* Source 2 operand type */
146 #define Src2Shift (31)
147 #define Src2None (OpNone << Src2Shift)
148 #define Src2Mem (OpMem << Src2Shift)
149 #define Src2CL (OpCL << Src2Shift)
150 #define Src2ImmByte (OpImmByte << Src2Shift)
151 #define Src2One (OpOne << Src2Shift)
152 #define Src2Imm (OpImm << Src2Shift)
153 #define Src2ES (OpES << Src2Shift)
154 #define Src2CS (OpCS << Src2Shift)
155 #define Src2SS (OpSS << Src2Shift)
156 #define Src2DS (OpDS << Src2Shift)
157 #define Src2FS (OpFS << Src2Shift)
158 #define Src2GS (OpGS << Src2Shift)
159 #define Src2Mask (OpMask << Src2Shift)
160 #define Mmx ((u64)1 << 40) /* MMX Vector instruction */
161 #define Aligned ((u64)1 << 41) /* Explicitly aligned (e.g. MOVDQA) */
162 #define Unaligned ((u64)1 << 42) /* Explicitly unaligned (e.g. MOVDQU) */
163 #define Avx ((u64)1 << 43) /* Advanced Vector Extensions */
164 #define Fastop ((u64)1 << 44) /* Use opcode::u.fastop */
165 #define NoWrite ((u64)1 << 45) /* No writeback */
166 #define SrcWrite ((u64)1 << 46) /* Write back src operand */
167 #define NoMod ((u64)1 << 47) /* Mod field is ignored */
168 #define Intercept ((u64)1 << 48) /* Has valid intercept field */
169 #define CheckPerm ((u64)1 << 49) /* Has valid check_perm field */
170 #define PrivUD ((u64)1 << 51) /* #UD instead of #GP on CPL > 0 */
171 #define NearBranch ((u64)1 << 52) /* Near branches */
172 #define No16 ((u64)1 << 53) /* No 16 bit operand */
173 #define IncSP ((u64)1 << 54) /* SP is incremented before ModRM calc */
174
175 #define DstXacc (DstAccLo | SrcAccHi | SrcWrite)
176
177 #define X2(x...) x, x
178 #define X3(x...) X2(x), x
179 #define X4(x...) X2(x), X2(x)
180 #define X5(x...) X4(x), x
181 #define X6(x...) X4(x), X2(x)
182 #define X7(x...) X4(x), X3(x)
183 #define X8(x...) X4(x), X4(x)
184 #define X16(x...) X8(x), X8(x)
185
186 #define NR_FASTOP (ilog2(sizeof(ulong)) + 1)
187 #define FASTOP_SIZE 8
188
189 /*
190 * fastop functions have a special calling convention:
191 *
192 * dst: rax (in/out)
193 * src: rdx (in/out)
194 * src2: rcx (in)
195 * flags: rflags (in/out)
196 * ex: rsi (in:fastop pointer, out:zero if exception)
197 *
198 * Moreover, they are all exactly FASTOP_SIZE bytes long, so functions for
199 * different operand sizes can be reached by calculation, rather than a jump
200 * table (which would be bigger than the code).
201 *
202 * fastop functions are declared as taking a never-defined fastop parameter,
203 * so they can't be called from C directly.
204 */
205
206 struct fastop;
207
208 struct opcode {
209 u64 flags : 56;
210 u64 intercept : 8;
211 union {
212 int (*execute)(struct x86_emulate_ctxt *ctxt);
213 const struct opcode *group;
214 const struct group_dual *gdual;
215 const struct gprefix *gprefix;
216 const struct escape *esc;
217 const struct instr_dual *idual;
218 const struct mode_dual *mdual;
219 void (*fastop)(struct fastop *fake);
220 } u;
221 int (*check_perm)(struct x86_emulate_ctxt *ctxt);
222 };
223
224 struct group_dual {
225 struct opcode mod012[8];
226 struct opcode mod3[8];
227 };
228
229 struct gprefix {
230 struct opcode pfx_no;
231 struct opcode pfx_66;
232 struct opcode pfx_f2;
233 struct opcode pfx_f3;
234 };
235
236 struct escape {
237 struct opcode op[8];
238 struct opcode high[64];
239 };
240
241 struct instr_dual {
242 struct opcode mod012;
243 struct opcode mod3;
244 };
245
246 struct mode_dual {
247 struct opcode mode32;
248 struct opcode mode64;
249 };
250
251 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
252
253 enum x86_transfer_type {
254 X86_TRANSFER_NONE,
255 X86_TRANSFER_CALL_JMP,
256 X86_TRANSFER_RET,
257 X86_TRANSFER_TASK_SWITCH,
258 };
259
260 static ulong reg_read(struct x86_emulate_ctxt *ctxt, unsigned nr)
261 {
262 if (!(ctxt->regs_valid & (1 << nr))) {
263 ctxt->regs_valid |= 1 << nr;
264 ctxt->_regs[nr] = ctxt->ops->read_gpr(ctxt, nr);
265 }
266 return ctxt->_regs[nr];
267 }
268
269 static ulong *reg_write(struct x86_emulate_ctxt *ctxt, unsigned nr)
270 {
271 ctxt->regs_valid |= 1 << nr;
272 ctxt->regs_dirty |= 1 << nr;
273 return &ctxt->_regs[nr];
274 }
275
276 static ulong *reg_rmw(struct x86_emulate_ctxt *ctxt, unsigned nr)
277 {
278 reg_read(ctxt, nr);
279 return reg_write(ctxt, nr);
280 }
281
282 static void writeback_registers(struct x86_emulate_ctxt *ctxt)
283 {
284 unsigned reg;
285
286 for_each_set_bit(reg, (ulong *)&ctxt->regs_dirty, 16)
287 ctxt->ops->write_gpr(ctxt, reg, ctxt->_regs[reg]);
288 }
289
290 static void invalidate_registers(struct x86_emulate_ctxt *ctxt)
291 {
292 ctxt->regs_dirty = 0;
293 ctxt->regs_valid = 0;
294 }
295
296 /*
297 * These EFLAGS bits are restored from saved value during emulation, and
298 * any changes are written back to the saved value after emulation.
299 */
300 #define EFLAGS_MASK (X86_EFLAGS_OF|X86_EFLAGS_SF|X86_EFLAGS_ZF|X86_EFLAGS_AF|\
301 X86_EFLAGS_PF|X86_EFLAGS_CF)
302
303 #ifdef CONFIG_X86_64
304 #define ON64(x) x
305 #else
306 #define ON64(x)
307 #endif
308
309 static int fastop(struct x86_emulate_ctxt *ctxt, void (*fop)(struct fastop *));
310
311 #define FOP_FUNC(name) \
312 ".align " __stringify(FASTOP_SIZE) " \n\t" \
313 ".type " name ", @function \n\t" \
314 name ":\n\t"
315
316 #define FOP_RET "ret \n\t"
317
318 #define FOP_START(op) \
319 extern void em_##op(struct fastop *fake); \
320 asm(".pushsection .text, \"ax\" \n\t" \
321 ".global em_" #op " \n\t" \
322 FOP_FUNC("em_" #op)
323
324 #define FOP_END \
325 ".popsection")
326
327 #define FOPNOP() \
328 FOP_FUNC(__stringify(__UNIQUE_ID(nop))) \
329 FOP_RET
330
331 #define FOP1E(op, dst) \
332 FOP_FUNC(#op "_" #dst) \
333 "10: " #op " %" #dst " \n\t" FOP_RET
334
335 #define FOP1EEX(op, dst) \
336 FOP1E(op, dst) _ASM_EXTABLE(10b, kvm_fastop_exception)
337
338 #define FASTOP1(op) \
339 FOP_START(op) \
340 FOP1E(op##b, al) \
341 FOP1E(op##w, ax) \
342 FOP1E(op##l, eax) \
343 ON64(FOP1E(op##q, rax)) \
344 FOP_END
345
346 /* 1-operand, using src2 (for MUL/DIV r/m) */
347 #define FASTOP1SRC2(op, name) \
348 FOP_START(name) \
349 FOP1E(op, cl) \
350 FOP1E(op, cx) \
351 FOP1E(op, ecx) \
352 ON64(FOP1E(op, rcx)) \
353 FOP_END
354
355 /* 1-operand, using src2 (for MUL/DIV r/m), with exceptions */
356 #define FASTOP1SRC2EX(op, name) \
357 FOP_START(name) \
358 FOP1EEX(op, cl) \
359 FOP1EEX(op, cx) \
360 FOP1EEX(op, ecx) \
361 ON64(FOP1EEX(op, rcx)) \
362 FOP_END
363
364 #define FOP2E(op, dst, src) \
365 FOP_FUNC(#op "_" #dst "_" #src) \
366 #op " %" #src ", %" #dst " \n\t" FOP_RET
367
368 #define FASTOP2(op) \
369 FOP_START(op) \
370 FOP2E(op##b, al, dl) \
371 FOP2E(op##w, ax, dx) \
372 FOP2E(op##l, eax, edx) \
373 ON64(FOP2E(op##q, rax, rdx)) \
374 FOP_END
375
376 /* 2 operand, word only */
377 #define FASTOP2W(op) \
378 FOP_START(op) \
379 FOPNOP() \
380 FOP2E(op##w, ax, dx) \
381 FOP2E(op##l, eax, edx) \
382 ON64(FOP2E(op##q, rax, rdx)) \
383 FOP_END
384
385 /* 2 operand, src is CL */
386 #define FASTOP2CL(op) \
387 FOP_START(op) \
388 FOP2E(op##b, al, cl) \
389 FOP2E(op##w, ax, cl) \
390 FOP2E(op##l, eax, cl) \
391 ON64(FOP2E(op##q, rax, cl)) \
392 FOP_END
393
394 /* 2 operand, src and dest are reversed */
395 #define FASTOP2R(op, name) \
396 FOP_START(name) \
397 FOP2E(op##b, dl, al) \
398 FOP2E(op##w, dx, ax) \
399 FOP2E(op##l, edx, eax) \
400 ON64(FOP2E(op##q, rdx, rax)) \
401 FOP_END
402
403 #define FOP3E(op, dst, src, src2) \
404 FOP_FUNC(#op "_" #dst "_" #src "_" #src2) \
405 #op " %" #src2 ", %" #src ", %" #dst " \n\t" FOP_RET
406
407 /* 3-operand, word-only, src2=cl */
408 #define FASTOP3WCL(op) \
409 FOP_START(op) \
410 FOPNOP() \
411 FOP3E(op##w, ax, dx, cl) \
412 FOP3E(op##l, eax, edx, cl) \
413 ON64(FOP3E(op##q, rax, rdx, cl)) \
414 FOP_END
415
416 /* Special case for SETcc - 1 instruction per cc */
417 #define FOP_SETCC(op) \
418 ".align 4 \n\t" \
419 ".type " #op ", @function \n\t" \
420 #op ": \n\t" \
421 #op " %al \n\t" \
422 FOP_RET
423
424 asm(".global kvm_fastop_exception \n"
425 "kvm_fastop_exception: xor %esi, %esi; ret");
426
427 FOP_START(setcc)
428 FOP_SETCC(seto)
429 FOP_SETCC(setno)
430 FOP_SETCC(setc)
431 FOP_SETCC(setnc)
432 FOP_SETCC(setz)
433 FOP_SETCC(setnz)
434 FOP_SETCC(setbe)
435 FOP_SETCC(setnbe)
436 FOP_SETCC(sets)
437 FOP_SETCC(setns)
438 FOP_SETCC(setp)
439 FOP_SETCC(setnp)
440 FOP_SETCC(setl)
441 FOP_SETCC(setnl)
442 FOP_SETCC(setle)
443 FOP_SETCC(setnle)
444 FOP_END;
445
446 FOP_START(salc) "pushf; sbb %al, %al; popf \n\t" FOP_RET
447 FOP_END;
448
449 static int emulator_check_intercept(struct x86_emulate_ctxt *ctxt,
450 enum x86_intercept intercept,
451 enum x86_intercept_stage stage)
452 {
453 struct x86_instruction_info info = {
454 .intercept = intercept,
455 .rep_prefix = ctxt->rep_prefix,
456 .modrm_mod = ctxt->modrm_mod,
457 .modrm_reg = ctxt->modrm_reg,
458 .modrm_rm = ctxt->modrm_rm,
459 .src_val = ctxt->src.val64,
460 .dst_val = ctxt->dst.val64,
461 .src_bytes = ctxt->src.bytes,
462 .dst_bytes = ctxt->dst.bytes,
463 .ad_bytes = ctxt->ad_bytes,
464 .next_rip = ctxt->eip,
465 };
466
467 return ctxt->ops->intercept(ctxt, &info, stage);
468 }
469
470 static void assign_masked(ulong *dest, ulong src, ulong mask)
471 {
472 *dest = (*dest & ~mask) | (src & mask);
473 }
474
475 static void assign_register(unsigned long *reg, u64 val, int bytes)
476 {
477 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
478 switch (bytes) {
479 case 1:
480 *(u8 *)reg = (u8)val;
481 break;
482 case 2:
483 *(u16 *)reg = (u16)val;
484 break;
485 case 4:
486 *reg = (u32)val;
487 break; /* 64b: zero-extend */
488 case 8:
489 *reg = val;
490 break;
491 }
492 }
493
494 static inline unsigned long ad_mask(struct x86_emulate_ctxt *ctxt)
495 {
496 return (1UL << (ctxt->ad_bytes << 3)) - 1;
497 }
498
499 static ulong stack_mask(struct x86_emulate_ctxt *ctxt)
500 {
501 u16 sel;
502 struct desc_struct ss;
503
504 if (ctxt->mode == X86EMUL_MODE_PROT64)
505 return ~0UL;
506 ctxt->ops->get_segment(ctxt, &sel, &ss, NULL, VCPU_SREG_SS);
507 return ~0U >> ((ss.d ^ 1) * 16); /* d=0: 0xffff; d=1: 0xffffffff */
508 }
509
510 static int stack_size(struct x86_emulate_ctxt *ctxt)
511 {
512 return (__fls(stack_mask(ctxt)) + 1) >> 3;
513 }
514
515 /* Access/update address held in a register, based on addressing mode. */
516 static inline unsigned long
517 address_mask(struct x86_emulate_ctxt *ctxt, unsigned long reg)
518 {
519 if (ctxt->ad_bytes == sizeof(unsigned long))
520 return reg;
521 else
522 return reg & ad_mask(ctxt);
523 }
524
525 static inline unsigned long
526 register_address(struct x86_emulate_ctxt *ctxt, int reg)
527 {
528 return address_mask(ctxt, reg_read(ctxt, reg));
529 }
530
531 static void masked_increment(ulong *reg, ulong mask, int inc)
532 {
533 assign_masked(reg, *reg + inc, mask);
534 }
535
536 static inline void
537 register_address_increment(struct x86_emulate_ctxt *ctxt, int reg, int inc)
538 {
539 ulong *preg = reg_rmw(ctxt, reg);
540
541 assign_register(preg, *preg + inc, ctxt->ad_bytes);
542 }
543
544 static void rsp_increment(struct x86_emulate_ctxt *ctxt, int inc)
545 {
546 masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc);
547 }
548
549 static u32 desc_limit_scaled(struct desc_struct *desc)
550 {
551 u32 limit = get_desc_limit(desc);
552
553 return desc->g ? (limit << 12) | 0xfff : limit;
554 }
555
556 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
557 {
558 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
559 return 0;
560
561 return ctxt->ops->get_cached_segment_base(ctxt, seg);
562 }
563
564 static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
565 u32 error, bool valid)
566 {
567 WARN_ON(vec > 0x1f);
568 ctxt->exception.vector = vec;
569 ctxt->exception.error_code = error;
570 ctxt->exception.error_code_valid = valid;
571 return X86EMUL_PROPAGATE_FAULT;
572 }
573
574 static int emulate_db(struct x86_emulate_ctxt *ctxt)
575 {
576 return emulate_exception(ctxt, DB_VECTOR, 0, false);
577 }
578
579 static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
580 {
581 return emulate_exception(ctxt, GP_VECTOR, err, true);
582 }
583
584 static int emulate_ss(struct x86_emulate_ctxt *ctxt, int err)
585 {
586 return emulate_exception(ctxt, SS_VECTOR, err, true);
587 }
588
589 static int emulate_ud(struct x86_emulate_ctxt *ctxt)
590 {
591 return emulate_exception(ctxt, UD_VECTOR, 0, false);
592 }
593
594 static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
595 {
596 return emulate_exception(ctxt, TS_VECTOR, err, true);
597 }
598
599 static int emulate_de(struct x86_emulate_ctxt *ctxt)
600 {
601 return emulate_exception(ctxt, DE_VECTOR, 0, false);
602 }
603
604 static int emulate_nm(struct x86_emulate_ctxt *ctxt)
605 {
606 return emulate_exception(ctxt, NM_VECTOR, 0, false);
607 }
608
609 static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
610 {
611 u16 selector;
612 struct desc_struct desc;
613
614 ctxt->ops->get_segment(ctxt, &selector, &desc, NULL, seg);
615 return selector;
616 }
617
618 static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
619 unsigned seg)
620 {
621 u16 dummy;
622 u32 base3;
623 struct desc_struct desc;
624
625 ctxt->ops->get_segment(ctxt, &dummy, &desc, &base3, seg);
626 ctxt->ops->set_segment(ctxt, selector, &desc, base3, seg);
627 }
628
629 /*
630 * x86 defines three classes of vector instructions: explicitly
631 * aligned, explicitly unaligned, and the rest, which change behaviour
632 * depending on whether they're AVX encoded or not.
633 *
634 * Also included is CMPXCHG16B which is not a vector instruction, yet it is
635 * subject to the same check.
636 */
637 static bool insn_aligned(struct x86_emulate_ctxt *ctxt, unsigned size)
638 {
639 if (likely(size < 16))
640 return false;
641
642 if (ctxt->d & Aligned)
643 return true;
644 else if (ctxt->d & Unaligned)
645 return false;
646 else if (ctxt->d & Avx)
647 return false;
648 else
649 return true;
650 }
651
652 static __always_inline int __linearize(struct x86_emulate_ctxt *ctxt,
653 struct segmented_address addr,
654 unsigned *max_size, unsigned size,
655 bool write, bool fetch,
656 enum x86emul_mode mode, ulong *linear)
657 {
658 struct desc_struct desc;
659 bool usable;
660 ulong la;
661 u32 lim;
662 u16 sel;
663
664 la = seg_base(ctxt, addr.seg) + addr.ea;
665 *max_size = 0;
666 switch (mode) {
667 case X86EMUL_MODE_PROT64:
668 *linear = la;
669 if (is_noncanonical_address(la))
670 goto bad;
671
672 *max_size = min_t(u64, ~0u, (1ull << 48) - la);
673 if (size > *max_size)
674 goto bad;
675 break;
676 default:
677 *linear = la = (u32)la;
678 usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
679 addr.seg);
680 if (!usable)
681 goto bad;
682 /* code segment in protected mode or read-only data segment */
683 if ((((ctxt->mode != X86EMUL_MODE_REAL) && (desc.type & 8))
684 || !(desc.type & 2)) && write)
685 goto bad;
686 /* unreadable code segment */
687 if (!fetch && (desc.type & 8) && !(desc.type & 2))
688 goto bad;
689 lim = desc_limit_scaled(&desc);
690 if (!(desc.type & 8) && (desc.type & 4)) {
691 /* expand-down segment */
692 if (addr.ea <= lim)
693 goto bad;
694 lim = desc.d ? 0xffffffff : 0xffff;
695 }
696 if (addr.ea > lim)
697 goto bad;
698 if (lim == 0xffffffff)
699 *max_size = ~0u;
700 else {
701 *max_size = (u64)lim + 1 - addr.ea;
702 if (size > *max_size)
703 goto bad;
704 }
705 break;
706 }
707 if (insn_aligned(ctxt, size) && ((la & (size - 1)) != 0))
708 return emulate_gp(ctxt, 0);
709 return X86EMUL_CONTINUE;
710 bad:
711 if (addr.seg == VCPU_SREG_SS)
712 return emulate_ss(ctxt, 0);
713 else
714 return emulate_gp(ctxt, 0);
715 }
716
717 static int linearize(struct x86_emulate_ctxt *ctxt,
718 struct segmented_address addr,
719 unsigned size, bool write,
720 ulong *linear)
721 {
722 unsigned max_size;
723 return __linearize(ctxt, addr, &max_size, size, write, false,
724 ctxt->mode, linear);
725 }
726
727 static inline int assign_eip(struct x86_emulate_ctxt *ctxt, ulong dst,
728 enum x86emul_mode mode)
729 {
730 ulong linear;
731 int rc;
732 unsigned max_size;
733 struct segmented_address addr = { .seg = VCPU_SREG_CS,
734 .ea = dst };
735
736 if (ctxt->op_bytes != sizeof(unsigned long))
737 addr.ea = dst & ((1UL << (ctxt->op_bytes << 3)) - 1);
738 rc = __linearize(ctxt, addr, &max_size, 1, false, true, mode, &linear);
739 if (rc == X86EMUL_CONTINUE)
740 ctxt->_eip = addr.ea;
741 return rc;
742 }
743
744 static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
745 {
746 return assign_eip(ctxt, dst, ctxt->mode);
747 }
748
749 static int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst,
750 const struct desc_struct *cs_desc)
751 {
752 enum x86emul_mode mode = ctxt->mode;
753 int rc;
754
755 #ifdef CONFIG_X86_64
756 if (ctxt->mode >= X86EMUL_MODE_PROT16) {
757 if (cs_desc->l) {
758 u64 efer = 0;
759
760 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
761 if (efer & EFER_LMA)
762 mode = X86EMUL_MODE_PROT64;
763 } else
764 mode = X86EMUL_MODE_PROT32; /* temporary value */
765 }
766 #endif
767 if (mode == X86EMUL_MODE_PROT16 || mode == X86EMUL_MODE_PROT32)
768 mode = cs_desc->d ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16;
769 rc = assign_eip(ctxt, dst, mode);
770 if (rc == X86EMUL_CONTINUE)
771 ctxt->mode = mode;
772 return rc;
773 }
774
775 static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
776 {
777 return assign_eip_near(ctxt, ctxt->_eip + rel);
778 }
779
780 static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
781 struct segmented_address addr,
782 void *data,
783 unsigned size)
784 {
785 int rc;
786 ulong linear;
787
788 rc = linearize(ctxt, addr, size, false, &linear);
789 if (rc != X86EMUL_CONTINUE)
790 return rc;
791 return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
792 }
793
794 /*
795 * Prefetch the remaining bytes of the instruction without crossing page
796 * boundary if they are not in fetch_cache yet.
797 */
798 static int __do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt, int op_size)
799 {
800 int rc;
801 unsigned size, max_size;
802 unsigned long linear;
803 int cur_size = ctxt->fetch.end - ctxt->fetch.data;
804 struct segmented_address addr = { .seg = VCPU_SREG_CS,
805 .ea = ctxt->eip + cur_size };
806
807 /*
808 * We do not know exactly how many bytes will be needed, and
809 * __linearize is expensive, so fetch as much as possible. We
810 * just have to avoid going beyond the 15 byte limit, the end
811 * of the segment, or the end of the page.
812 *
813 * __linearize is called with size 0 so that it does not do any
814 * boundary check itself. Instead, we use max_size to check
815 * against op_size.
816 */
817 rc = __linearize(ctxt, addr, &max_size, 0, false, true, ctxt->mode,
818 &linear);
819 if (unlikely(rc != X86EMUL_CONTINUE))
820 return rc;
821
822 size = min_t(unsigned, 15UL ^ cur_size, max_size);
823 size = min_t(unsigned, size, PAGE_SIZE - offset_in_page(linear));
824
825 /*
826 * One instruction can only straddle two pages,
827 * and one has been loaded at the beginning of
828 * x86_decode_insn. So, if not enough bytes
829 * still, we must have hit the 15-byte boundary.
830 */
831 if (unlikely(size < op_size))
832 return emulate_gp(ctxt, 0);
833
834 rc = ctxt->ops->fetch(ctxt, linear, ctxt->fetch.end,
835 size, &ctxt->exception);
836 if (unlikely(rc != X86EMUL_CONTINUE))
837 return rc;
838 ctxt->fetch.end += size;
839 return X86EMUL_CONTINUE;
840 }
841
842 static __always_inline int do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt,
843 unsigned size)
844 {
845 unsigned done_size = ctxt->fetch.end - ctxt->fetch.ptr;
846
847 if (unlikely(done_size < size))
848 return __do_insn_fetch_bytes(ctxt, size - done_size);
849 else
850 return X86EMUL_CONTINUE;
851 }
852
853 /* Fetch next part of the instruction being emulated. */
854 #define insn_fetch(_type, _ctxt) \
855 ({ _type _x; \
856 \
857 rc = do_insn_fetch_bytes(_ctxt, sizeof(_type)); \
858 if (rc != X86EMUL_CONTINUE) \
859 goto done; \
860 ctxt->_eip += sizeof(_type); \
861 _x = *(_type __aligned(1) *) ctxt->fetch.ptr; \
862 ctxt->fetch.ptr += sizeof(_type); \
863 _x; \
864 })
865
866 #define insn_fetch_arr(_arr, _size, _ctxt) \
867 ({ \
868 rc = do_insn_fetch_bytes(_ctxt, _size); \
869 if (rc != X86EMUL_CONTINUE) \
870 goto done; \
871 ctxt->_eip += (_size); \
872 memcpy(_arr, ctxt->fetch.ptr, _size); \
873 ctxt->fetch.ptr += (_size); \
874 })
875
876 /*
877 * Given the 'reg' portion of a ModRM byte, and a register block, return a
878 * pointer into the block that addresses the relevant register.
879 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
880 */
881 static void *decode_register(struct x86_emulate_ctxt *ctxt, u8 modrm_reg,
882 int byteop)
883 {
884 void *p;
885 int highbyte_regs = (ctxt->rex_prefix == 0) && byteop;
886
887 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
888 p = (unsigned char *)reg_rmw(ctxt, modrm_reg & 3) + 1;
889 else
890 p = reg_rmw(ctxt, modrm_reg);
891 return p;
892 }
893
894 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
895 struct segmented_address addr,
896 u16 *size, unsigned long *address, int op_bytes)
897 {
898 int rc;
899
900 if (op_bytes == 2)
901 op_bytes = 3;
902 *address = 0;
903 rc = segmented_read_std(ctxt, addr, size, 2);
904 if (rc != X86EMUL_CONTINUE)
905 return rc;
906 addr.ea += 2;
907 rc = segmented_read_std(ctxt, addr, address, op_bytes);
908 return rc;
909 }
910
911 FASTOP2(add);
912 FASTOP2(or);
913 FASTOP2(adc);
914 FASTOP2(sbb);
915 FASTOP2(and);
916 FASTOP2(sub);
917 FASTOP2(xor);
918 FASTOP2(cmp);
919 FASTOP2(test);
920
921 FASTOP1SRC2(mul, mul_ex);
922 FASTOP1SRC2(imul, imul_ex);
923 FASTOP1SRC2EX(div, div_ex);
924 FASTOP1SRC2EX(idiv, idiv_ex);
925
926 FASTOP3WCL(shld);
927 FASTOP3WCL(shrd);
928
929 FASTOP2W(imul);
930
931 FASTOP1(not);
932 FASTOP1(neg);
933 FASTOP1(inc);
934 FASTOP1(dec);
935
936 FASTOP2CL(rol);
937 FASTOP2CL(ror);
938 FASTOP2CL(rcl);
939 FASTOP2CL(rcr);
940 FASTOP2CL(shl);
941 FASTOP2CL(shr);
942 FASTOP2CL(sar);
943
944 FASTOP2W(bsf);
945 FASTOP2W(bsr);
946 FASTOP2W(bt);
947 FASTOP2W(bts);
948 FASTOP2W(btr);
949 FASTOP2W(btc);
950
951 FASTOP2(xadd);
952
953 FASTOP2R(cmp, cmp_r);
954
955 static int em_bsf_c(struct x86_emulate_ctxt *ctxt)
956 {
957 /* If src is zero, do not writeback, but update flags */
958 if (ctxt->src.val == 0)
959 ctxt->dst.type = OP_NONE;
960 return fastop(ctxt, em_bsf);
961 }
962
963 static int em_bsr_c(struct x86_emulate_ctxt *ctxt)
964 {
965 /* If src is zero, do not writeback, but update flags */
966 if (ctxt->src.val == 0)
967 ctxt->dst.type = OP_NONE;
968 return fastop(ctxt, em_bsr);
969 }
970
971 static __always_inline u8 test_cc(unsigned int condition, unsigned long flags)
972 {
973 u8 rc;
974 void (*fop)(void) = (void *)em_setcc + 4 * (condition & 0xf);
975
976 flags = (flags & EFLAGS_MASK) | X86_EFLAGS_IF;
977 asm("push %[flags]; popf; call *%[fastop]"
978 : "=a"(rc) : [fastop]"r"(fop), [flags]"r"(flags));
979 return rc;
980 }
981
982 static void fetch_register_operand(struct operand *op)
983 {
984 switch (op->bytes) {
985 case 1:
986 op->val = *(u8 *)op->addr.reg;
987 break;
988 case 2:
989 op->val = *(u16 *)op->addr.reg;
990 break;
991 case 4:
992 op->val = *(u32 *)op->addr.reg;
993 break;
994 case 8:
995 op->val = *(u64 *)op->addr.reg;
996 break;
997 }
998 }
999
1000 static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
1001 {
1002 ctxt->ops->get_fpu(ctxt);
1003 switch (reg) {
1004 case 0: asm("movdqa %%xmm0, %0" : "=m"(*data)); break;
1005 case 1: asm("movdqa %%xmm1, %0" : "=m"(*data)); break;
1006 case 2: asm("movdqa %%xmm2, %0" : "=m"(*data)); break;
1007 case 3: asm("movdqa %%xmm3, %0" : "=m"(*data)); break;
1008 case 4: asm("movdqa %%xmm4, %0" : "=m"(*data)); break;
1009 case 5: asm("movdqa %%xmm5, %0" : "=m"(*data)); break;
1010 case 6: asm("movdqa %%xmm6, %0" : "=m"(*data)); break;
1011 case 7: asm("movdqa %%xmm7, %0" : "=m"(*data)); break;
1012 #ifdef CONFIG_X86_64
1013 case 8: asm("movdqa %%xmm8, %0" : "=m"(*data)); break;
1014 case 9: asm("movdqa %%xmm9, %0" : "=m"(*data)); break;
1015 case 10: asm("movdqa %%xmm10, %0" : "=m"(*data)); break;
1016 case 11: asm("movdqa %%xmm11, %0" : "=m"(*data)); break;
1017 case 12: asm("movdqa %%xmm12, %0" : "=m"(*data)); break;
1018 case 13: asm("movdqa %%xmm13, %0" : "=m"(*data)); break;
1019 case 14: asm("movdqa %%xmm14, %0" : "=m"(*data)); break;
1020 case 15: asm("movdqa %%xmm15, %0" : "=m"(*data)); break;
1021 #endif
1022 default: BUG();
1023 }
1024 ctxt->ops->put_fpu(ctxt);
1025 }
1026
1027 static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
1028 int reg)
1029 {
1030 ctxt->ops->get_fpu(ctxt);
1031 switch (reg) {
1032 case 0: asm("movdqa %0, %%xmm0" : : "m"(*data)); break;
1033 case 1: asm("movdqa %0, %%xmm1" : : "m"(*data)); break;
1034 case 2: asm("movdqa %0, %%xmm2" : : "m"(*data)); break;
1035 case 3: asm("movdqa %0, %%xmm3" : : "m"(*data)); break;
1036 case 4: asm("movdqa %0, %%xmm4" : : "m"(*data)); break;
1037 case 5: asm("movdqa %0, %%xmm5" : : "m"(*data)); break;
1038 case 6: asm("movdqa %0, %%xmm6" : : "m"(*data)); break;
1039 case 7: asm("movdqa %0, %%xmm7" : : "m"(*data)); break;
1040 #ifdef CONFIG_X86_64
1041 case 8: asm("movdqa %0, %%xmm8" : : "m"(*data)); break;
1042 case 9: asm("movdqa %0, %%xmm9" : : "m"(*data)); break;
1043 case 10: asm("movdqa %0, %%xmm10" : : "m"(*data)); break;
1044 case 11: asm("movdqa %0, %%xmm11" : : "m"(*data)); break;
1045 case 12: asm("movdqa %0, %%xmm12" : : "m"(*data)); break;
1046 case 13: asm("movdqa %0, %%xmm13" : : "m"(*data)); break;
1047 case 14: asm("movdqa %0, %%xmm14" : : "m"(*data)); break;
1048 case 15: asm("movdqa %0, %%xmm15" : : "m"(*data)); break;
1049 #endif
1050 default: BUG();
1051 }
1052 ctxt->ops->put_fpu(ctxt);
1053 }
1054
1055 static void read_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
1056 {
1057 ctxt->ops->get_fpu(ctxt);
1058 switch (reg) {
1059 case 0: asm("movq %%mm0, %0" : "=m"(*data)); break;
1060 case 1: asm("movq %%mm1, %0" : "=m"(*data)); break;
1061 case 2: asm("movq %%mm2, %0" : "=m"(*data)); break;
1062 case 3: asm("movq %%mm3, %0" : "=m"(*data)); break;
1063 case 4: asm("movq %%mm4, %0" : "=m"(*data)); break;
1064 case 5: asm("movq %%mm5, %0" : "=m"(*data)); break;
1065 case 6: asm("movq %%mm6, %0" : "=m"(*data)); break;
1066 case 7: asm("movq %%mm7, %0" : "=m"(*data)); break;
1067 default: BUG();
1068 }
1069 ctxt->ops->put_fpu(ctxt);
1070 }
1071
1072 static void write_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
1073 {
1074 ctxt->ops->get_fpu(ctxt);
1075 switch (reg) {
1076 case 0: asm("movq %0, %%mm0" : : "m"(*data)); break;
1077 case 1: asm("movq %0, %%mm1" : : "m"(*data)); break;
1078 case 2: asm("movq %0, %%mm2" : : "m"(*data)); break;
1079 case 3: asm("movq %0, %%mm3" : : "m"(*data)); break;
1080 case 4: asm("movq %0, %%mm4" : : "m"(*data)); break;
1081 case 5: asm("movq %0, %%mm5" : : "m"(*data)); break;
1082 case 6: asm("movq %0, %%mm6" : : "m"(*data)); break;
1083 case 7: asm("movq %0, %%mm7" : : "m"(*data)); break;
1084 default: BUG();
1085 }
1086 ctxt->ops->put_fpu(ctxt);
1087 }
1088
1089 static int em_fninit(struct x86_emulate_ctxt *ctxt)
1090 {
1091 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1092 return emulate_nm(ctxt);
1093
1094 ctxt->ops->get_fpu(ctxt);
1095 asm volatile("fninit");
1096 ctxt->ops->put_fpu(ctxt);
1097 return X86EMUL_CONTINUE;
1098 }
1099
1100 static int em_fnstcw(struct x86_emulate_ctxt *ctxt)
1101 {
1102 u16 fcw;
1103
1104 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1105 return emulate_nm(ctxt);
1106
1107 ctxt->ops->get_fpu(ctxt);
1108 asm volatile("fnstcw %0": "+m"(fcw));
1109 ctxt->ops->put_fpu(ctxt);
1110
1111 ctxt->dst.val = fcw;
1112
1113 return X86EMUL_CONTINUE;
1114 }
1115
1116 static int em_fnstsw(struct x86_emulate_ctxt *ctxt)
1117 {
1118 u16 fsw;
1119
1120 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1121 return emulate_nm(ctxt);
1122
1123 ctxt->ops->get_fpu(ctxt);
1124 asm volatile("fnstsw %0": "+m"(fsw));
1125 ctxt->ops->put_fpu(ctxt);
1126
1127 ctxt->dst.val = fsw;
1128
1129 return X86EMUL_CONTINUE;
1130 }
1131
1132 static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
1133 struct operand *op)
1134 {
1135 unsigned reg = ctxt->modrm_reg;
1136
1137 if (!(ctxt->d & ModRM))
1138 reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3);
1139
1140 if (ctxt->d & Sse) {
1141 op->type = OP_XMM;
1142 op->bytes = 16;
1143 op->addr.xmm = reg;
1144 read_sse_reg(ctxt, &op->vec_val, reg);
1145 return;
1146 }
1147 if (ctxt->d & Mmx) {
1148 reg &= 7;
1149 op->type = OP_MM;
1150 op->bytes = 8;
1151 op->addr.mm = reg;
1152 return;
1153 }
1154
1155 op->type = OP_REG;
1156 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1157 op->addr.reg = decode_register(ctxt, reg, ctxt->d & ByteOp);
1158
1159 fetch_register_operand(op);
1160 op->orig_val = op->val;
1161 }
1162
1163 static void adjust_modrm_seg(struct x86_emulate_ctxt *ctxt, int base_reg)
1164 {
1165 if (base_reg == VCPU_REGS_RSP || base_reg == VCPU_REGS_RBP)
1166 ctxt->modrm_seg = VCPU_SREG_SS;
1167 }
1168
1169 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
1170 struct operand *op)
1171 {
1172 u8 sib;
1173 int index_reg, base_reg, scale;
1174 int rc = X86EMUL_CONTINUE;
1175 ulong modrm_ea = 0;
1176
1177 ctxt->modrm_reg = ((ctxt->rex_prefix << 1) & 8); /* REX.R */
1178 index_reg = (ctxt->rex_prefix << 2) & 8; /* REX.X */
1179 base_reg = (ctxt->rex_prefix << 3) & 8; /* REX.B */
1180
1181 ctxt->modrm_mod = (ctxt->modrm & 0xc0) >> 6;
1182 ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
1183 ctxt->modrm_rm = base_reg | (ctxt->modrm & 0x07);
1184 ctxt->modrm_seg = VCPU_SREG_DS;
1185
1186 if (ctxt->modrm_mod == 3 || (ctxt->d & NoMod)) {
1187 op->type = OP_REG;
1188 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1189 op->addr.reg = decode_register(ctxt, ctxt->modrm_rm,
1190 ctxt->d & ByteOp);
1191 if (ctxt->d & Sse) {
1192 op->type = OP_XMM;
1193 op->bytes = 16;
1194 op->addr.xmm = ctxt->modrm_rm;
1195 read_sse_reg(ctxt, &op->vec_val, ctxt->modrm_rm);
1196 return rc;
1197 }
1198 if (ctxt->d & Mmx) {
1199 op->type = OP_MM;
1200 op->bytes = 8;
1201 op->addr.mm = ctxt->modrm_rm & 7;
1202 return rc;
1203 }
1204 fetch_register_operand(op);
1205 return rc;
1206 }
1207
1208 op->type = OP_MEM;
1209
1210 if (ctxt->ad_bytes == 2) {
1211 unsigned bx = reg_read(ctxt, VCPU_REGS_RBX);
1212 unsigned bp = reg_read(ctxt, VCPU_REGS_RBP);
1213 unsigned si = reg_read(ctxt, VCPU_REGS_RSI);
1214 unsigned di = reg_read(ctxt, VCPU_REGS_RDI);
1215
1216 /* 16-bit ModR/M decode. */
1217 switch (ctxt->modrm_mod) {
1218 case 0:
1219 if (ctxt->modrm_rm == 6)
1220 modrm_ea += insn_fetch(u16, ctxt);
1221 break;
1222 case 1:
1223 modrm_ea += insn_fetch(s8, ctxt);
1224 break;
1225 case 2:
1226 modrm_ea += insn_fetch(u16, ctxt);
1227 break;
1228 }
1229 switch (ctxt->modrm_rm) {
1230 case 0:
1231 modrm_ea += bx + si;
1232 break;
1233 case 1:
1234 modrm_ea += bx + di;
1235 break;
1236 case 2:
1237 modrm_ea += bp + si;
1238 break;
1239 case 3:
1240 modrm_ea += bp + di;
1241 break;
1242 case 4:
1243 modrm_ea += si;
1244 break;
1245 case 5:
1246 modrm_ea += di;
1247 break;
1248 case 6:
1249 if (ctxt->modrm_mod != 0)
1250 modrm_ea += bp;
1251 break;
1252 case 7:
1253 modrm_ea += bx;
1254 break;
1255 }
1256 if (ctxt->modrm_rm == 2 || ctxt->modrm_rm == 3 ||
1257 (ctxt->modrm_rm == 6 && ctxt->modrm_mod != 0))
1258 ctxt->modrm_seg = VCPU_SREG_SS;
1259 modrm_ea = (u16)modrm_ea;
1260 } else {
1261 /* 32/64-bit ModR/M decode. */
1262 if ((ctxt->modrm_rm & 7) == 4) {
1263 sib = insn_fetch(u8, ctxt);
1264 index_reg |= (sib >> 3) & 7;
1265 base_reg |= sib & 7;
1266 scale = sib >> 6;
1267
1268 if ((base_reg & 7) == 5 && ctxt->modrm_mod == 0)
1269 modrm_ea += insn_fetch(s32, ctxt);
1270 else {
1271 modrm_ea += reg_read(ctxt, base_reg);
1272 adjust_modrm_seg(ctxt, base_reg);
1273 /* Increment ESP on POP [ESP] */
1274 if ((ctxt->d & IncSP) &&
1275 base_reg == VCPU_REGS_RSP)
1276 modrm_ea += ctxt->op_bytes;
1277 }
1278 if (index_reg != 4)
1279 modrm_ea += reg_read(ctxt, index_reg) << scale;
1280 } else if ((ctxt->modrm_rm & 7) == 5 && ctxt->modrm_mod == 0) {
1281 modrm_ea += insn_fetch(s32, ctxt);
1282 if (ctxt->mode == X86EMUL_MODE_PROT64)
1283 ctxt->rip_relative = 1;
1284 } else {
1285 base_reg = ctxt->modrm_rm;
1286 modrm_ea += reg_read(ctxt, base_reg);
1287 adjust_modrm_seg(ctxt, base_reg);
1288 }
1289 switch (ctxt->modrm_mod) {
1290 case 1:
1291 modrm_ea += insn_fetch(s8, ctxt);
1292 break;
1293 case 2:
1294 modrm_ea += insn_fetch(s32, ctxt);
1295 break;
1296 }
1297 }
1298 op->addr.mem.ea = modrm_ea;
1299 if (ctxt->ad_bytes != 8)
1300 ctxt->memop.addr.mem.ea = (u32)ctxt->memop.addr.mem.ea;
1301
1302 done:
1303 return rc;
1304 }
1305
1306 static int decode_abs(struct x86_emulate_ctxt *ctxt,
1307 struct operand *op)
1308 {
1309 int rc = X86EMUL_CONTINUE;
1310
1311 op->type = OP_MEM;
1312 switch (ctxt->ad_bytes) {
1313 case 2:
1314 op->addr.mem.ea = insn_fetch(u16, ctxt);
1315 break;
1316 case 4:
1317 op->addr.mem.ea = insn_fetch(u32, ctxt);
1318 break;
1319 case 8:
1320 op->addr.mem.ea = insn_fetch(u64, ctxt);
1321 break;
1322 }
1323 done:
1324 return rc;
1325 }
1326
1327 static void fetch_bit_operand(struct x86_emulate_ctxt *ctxt)
1328 {
1329 long sv = 0, mask;
1330
1331 if (ctxt->dst.type == OP_MEM && ctxt->src.type == OP_REG) {
1332 mask = ~((long)ctxt->dst.bytes * 8 - 1);
1333
1334 if (ctxt->src.bytes == 2)
1335 sv = (s16)ctxt->src.val & (s16)mask;
1336 else if (ctxt->src.bytes == 4)
1337 sv = (s32)ctxt->src.val & (s32)mask;
1338 else
1339 sv = (s64)ctxt->src.val & (s64)mask;
1340
1341 ctxt->dst.addr.mem.ea = address_mask(ctxt,
1342 ctxt->dst.addr.mem.ea + (sv >> 3));
1343 }
1344
1345 /* only subword offset */
1346 ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
1347 }
1348
1349 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1350 unsigned long addr, void *dest, unsigned size)
1351 {
1352 int rc;
1353 struct read_cache *mc = &ctxt->mem_read;
1354
1355 if (mc->pos < mc->end)
1356 goto read_cached;
1357
1358 WARN_ON((mc->end + size) >= sizeof(mc->data));
1359
1360 rc = ctxt->ops->read_emulated(ctxt, addr, mc->data + mc->end, size,
1361 &ctxt->exception);
1362 if (rc != X86EMUL_CONTINUE)
1363 return rc;
1364
1365 mc->end += size;
1366
1367 read_cached:
1368 memcpy(dest, mc->data + mc->pos, size);
1369 mc->pos += size;
1370 return X86EMUL_CONTINUE;
1371 }
1372
1373 static int segmented_read(struct x86_emulate_ctxt *ctxt,
1374 struct segmented_address addr,
1375 void *data,
1376 unsigned size)
1377 {
1378 int rc;
1379 ulong linear;
1380
1381 rc = linearize(ctxt, addr, size, false, &linear);
1382 if (rc != X86EMUL_CONTINUE)
1383 return rc;
1384 return read_emulated(ctxt, linear, data, size);
1385 }
1386
1387 static int segmented_write(struct x86_emulate_ctxt *ctxt,
1388 struct segmented_address addr,
1389 const void *data,
1390 unsigned size)
1391 {
1392 int rc;
1393 ulong linear;
1394
1395 rc = linearize(ctxt, addr, size, true, &linear);
1396 if (rc != X86EMUL_CONTINUE)
1397 return rc;
1398 return ctxt->ops->write_emulated(ctxt, linear, data, size,
1399 &ctxt->exception);
1400 }
1401
1402 static int segmented_cmpxchg(struct x86_emulate_ctxt *ctxt,
1403 struct segmented_address addr,
1404 const void *orig_data, const void *data,
1405 unsigned size)
1406 {
1407 int rc;
1408 ulong linear;
1409
1410 rc = linearize(ctxt, addr, size, true, &linear);
1411 if (rc != X86EMUL_CONTINUE)
1412 return rc;
1413 return ctxt->ops->cmpxchg_emulated(ctxt, linear, orig_data, data,
1414 size, &ctxt->exception);
1415 }
1416
1417 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1418 unsigned int size, unsigned short port,
1419 void *dest)
1420 {
1421 struct read_cache *rc = &ctxt->io_read;
1422
1423 if (rc->pos == rc->end) { /* refill pio read ahead */
1424 unsigned int in_page, n;
1425 unsigned int count = ctxt->rep_prefix ?
1426 address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) : 1;
1427 in_page = (ctxt->eflags & X86_EFLAGS_DF) ?
1428 offset_in_page(reg_read(ctxt, VCPU_REGS_RDI)) :
1429 PAGE_SIZE - offset_in_page(reg_read(ctxt, VCPU_REGS_RDI));
1430 n = min3(in_page, (unsigned int)sizeof(rc->data) / size, count);
1431 if (n == 0)
1432 n = 1;
1433 rc->pos = rc->end = 0;
1434 if (!ctxt->ops->pio_in_emulated(ctxt, size, port, rc->data, n))
1435 return 0;
1436 rc->end = n * size;
1437 }
1438
1439 if (ctxt->rep_prefix && (ctxt->d & String) &&
1440 !(ctxt->eflags & X86_EFLAGS_DF)) {
1441 ctxt->dst.data = rc->data + rc->pos;
1442 ctxt->dst.type = OP_MEM_STR;
1443 ctxt->dst.count = (rc->end - rc->pos) / size;
1444 rc->pos = rc->end;
1445 } else {
1446 memcpy(dest, rc->data + rc->pos, size);
1447 rc->pos += size;
1448 }
1449 return 1;
1450 }
1451
1452 static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt,
1453 u16 index, struct desc_struct *desc)
1454 {
1455 struct desc_ptr dt;
1456 ulong addr;
1457
1458 ctxt->ops->get_idt(ctxt, &dt);
1459
1460 if (dt.size < index * 8 + 7)
1461 return emulate_gp(ctxt, index << 3 | 0x2);
1462
1463 addr = dt.address + index * 8;
1464 return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
1465 &ctxt->exception);
1466 }
1467
1468 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1469 u16 selector, struct desc_ptr *dt)
1470 {
1471 const struct x86_emulate_ops *ops = ctxt->ops;
1472 u32 base3 = 0;
1473
1474 if (selector & 1 << 2) {
1475 struct desc_struct desc;
1476 u16 sel;
1477
1478 memset (dt, 0, sizeof *dt);
1479 if (!ops->get_segment(ctxt, &sel, &desc, &base3,
1480 VCPU_SREG_LDTR))
1481 return;
1482
1483 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1484 dt->address = get_desc_base(&desc) | ((u64)base3 << 32);
1485 } else
1486 ops->get_gdt(ctxt, dt);
1487 }
1488
1489 static int get_descriptor_ptr(struct x86_emulate_ctxt *ctxt,
1490 u16 selector, ulong *desc_addr_p)
1491 {
1492 struct desc_ptr dt;
1493 u16 index = selector >> 3;
1494 ulong addr;
1495
1496 get_descriptor_table_ptr(ctxt, selector, &dt);
1497
1498 if (dt.size < index * 8 + 7)
1499 return emulate_gp(ctxt, selector & 0xfffc);
1500
1501 addr = dt.address + index * 8;
1502
1503 #ifdef CONFIG_X86_64
1504 if (addr >> 32 != 0) {
1505 u64 efer = 0;
1506
1507 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1508 if (!(efer & EFER_LMA))
1509 addr &= (u32)-1;
1510 }
1511 #endif
1512
1513 *desc_addr_p = addr;
1514 return X86EMUL_CONTINUE;
1515 }
1516
1517 /* allowed just for 8 bytes segments */
1518 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1519 u16 selector, struct desc_struct *desc,
1520 ulong *desc_addr_p)
1521 {
1522 int rc;
1523
1524 rc = get_descriptor_ptr(ctxt, selector, desc_addr_p);
1525 if (rc != X86EMUL_CONTINUE)
1526 return rc;
1527
1528 return ctxt->ops->read_std(ctxt, *desc_addr_p, desc, sizeof(*desc),
1529 &ctxt->exception);
1530 }
1531
1532 /* allowed just for 8 bytes segments */
1533 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1534 u16 selector, struct desc_struct *desc)
1535 {
1536 int rc;
1537 ulong addr;
1538
1539 rc = get_descriptor_ptr(ctxt, selector, &addr);
1540 if (rc != X86EMUL_CONTINUE)
1541 return rc;
1542
1543 return ctxt->ops->write_std(ctxt, addr, desc, sizeof *desc,
1544 &ctxt->exception);
1545 }
1546
1547 /* Does not support long mode */
1548 static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1549 u16 selector, int seg, u8 cpl,
1550 enum x86_transfer_type transfer,
1551 struct desc_struct *desc)
1552 {
1553 struct desc_struct seg_desc, old_desc;
1554 u8 dpl, rpl;
1555 unsigned err_vec = GP_VECTOR;
1556 u32 err_code = 0;
1557 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1558 ulong desc_addr;
1559 int ret;
1560 u16 dummy;
1561 u32 base3 = 0;
1562
1563 memset(&seg_desc, 0, sizeof seg_desc);
1564
1565 if (ctxt->mode == X86EMUL_MODE_REAL) {
1566 /* set real mode segment descriptor (keep limit etc. for
1567 * unreal mode) */
1568 ctxt->ops->get_segment(ctxt, &dummy, &seg_desc, NULL, seg);
1569 set_desc_base(&seg_desc, selector << 4);
1570 goto load;
1571 } else if (seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86) {
1572 /* VM86 needs a clean new segment descriptor */
1573 set_desc_base(&seg_desc, selector << 4);
1574 set_desc_limit(&seg_desc, 0xffff);
1575 seg_desc.type = 3;
1576 seg_desc.p = 1;
1577 seg_desc.s = 1;
1578 seg_desc.dpl = 3;
1579 goto load;
1580 }
1581
1582 rpl = selector & 3;
1583
1584 /* NULL selector is not valid for TR, CS and SS (except for long mode) */
1585 if ((seg == VCPU_SREG_CS
1586 || (seg == VCPU_SREG_SS
1587 && (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl))
1588 || seg == VCPU_SREG_TR)
1589 && null_selector)
1590 goto exception;
1591
1592 /* TR should be in GDT only */
1593 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1594 goto exception;
1595
1596 if (null_selector) /* for NULL selector skip all following checks */
1597 goto load;
1598
1599 ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr);
1600 if (ret != X86EMUL_CONTINUE)
1601 return ret;
1602
1603 err_code = selector & 0xfffc;
1604 err_vec = (transfer == X86_TRANSFER_TASK_SWITCH) ? TS_VECTOR :
1605 GP_VECTOR;
1606
1607 /* can't load system descriptor into segment selector */
1608 if (seg <= VCPU_SREG_GS && !seg_desc.s) {
1609 if (transfer == X86_TRANSFER_CALL_JMP)
1610 return X86EMUL_UNHANDLEABLE;
1611 goto exception;
1612 }
1613
1614 if (!seg_desc.p) {
1615 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1616 goto exception;
1617 }
1618
1619 dpl = seg_desc.dpl;
1620
1621 switch (seg) {
1622 case VCPU_SREG_SS:
1623 /*
1624 * segment is not a writable data segment or segment
1625 * selector's RPL != CPL or segment selector's RPL != CPL
1626 */
1627 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1628 goto exception;
1629 break;
1630 case VCPU_SREG_CS:
1631 if (!(seg_desc.type & 8))
1632 goto exception;
1633
1634 if (seg_desc.type & 4) {
1635 /* conforming */
1636 if (dpl > cpl)
1637 goto exception;
1638 } else {
1639 /* nonconforming */
1640 if (rpl > cpl || dpl != cpl)
1641 goto exception;
1642 }
1643 /* in long-mode d/b must be clear if l is set */
1644 if (seg_desc.d && seg_desc.l) {
1645 u64 efer = 0;
1646
1647 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1648 if (efer & EFER_LMA)
1649 goto exception;
1650 }
1651
1652 /* CS(RPL) <- CPL */
1653 selector = (selector & 0xfffc) | cpl;
1654 break;
1655 case VCPU_SREG_TR:
1656 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1657 goto exception;
1658 old_desc = seg_desc;
1659 seg_desc.type |= 2; /* busy */
1660 ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
1661 sizeof(seg_desc), &ctxt->exception);
1662 if (ret != X86EMUL_CONTINUE)
1663 return ret;
1664 break;
1665 case VCPU_SREG_LDTR:
1666 if (seg_desc.s || seg_desc.type != 2)
1667 goto exception;
1668 break;
1669 default: /* DS, ES, FS, or GS */
1670 /*
1671 * segment is not a data or readable code segment or
1672 * ((segment is a data or nonconforming code segment)
1673 * and (both RPL and CPL > DPL))
1674 */
1675 if ((seg_desc.type & 0xa) == 0x8 ||
1676 (((seg_desc.type & 0xc) != 0xc) &&
1677 (rpl > dpl && cpl > dpl)))
1678 goto exception;
1679 break;
1680 }
1681
1682 if (seg_desc.s) {
1683 /* mark segment as accessed */
1684 if (!(seg_desc.type & 1)) {
1685 seg_desc.type |= 1;
1686 ret = write_segment_descriptor(ctxt, selector,
1687 &seg_desc);
1688 if (ret != X86EMUL_CONTINUE)
1689 return ret;
1690 }
1691 } else if (ctxt->mode == X86EMUL_MODE_PROT64) {
1692 ret = ctxt->ops->read_std(ctxt, desc_addr+8, &base3,
1693 sizeof(base3), &ctxt->exception);
1694 if (ret != X86EMUL_CONTINUE)
1695 return ret;
1696 if (is_noncanonical_address(get_desc_base(&seg_desc) |
1697 ((u64)base3 << 32)))
1698 return emulate_gp(ctxt, 0);
1699 }
1700 load:
1701 ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg);
1702 if (desc)
1703 *desc = seg_desc;
1704 return X86EMUL_CONTINUE;
1705 exception:
1706 return emulate_exception(ctxt, err_vec, err_code, true);
1707 }
1708
1709 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1710 u16 selector, int seg)
1711 {
1712 u8 cpl = ctxt->ops->cpl(ctxt);
1713 return __load_segment_descriptor(ctxt, selector, seg, cpl,
1714 X86_TRANSFER_NONE, NULL);
1715 }
1716
1717 static void write_register_operand(struct operand *op)
1718 {
1719 return assign_register(op->addr.reg, op->val, op->bytes);
1720 }
1721
1722 static int writeback(struct x86_emulate_ctxt *ctxt, struct operand *op)
1723 {
1724 switch (op->type) {
1725 case OP_REG:
1726 write_register_operand(op);
1727 break;
1728 case OP_MEM:
1729 if (ctxt->lock_prefix)
1730 return segmented_cmpxchg(ctxt,
1731 op->addr.mem,
1732 &op->orig_val,
1733 &op->val,
1734 op->bytes);
1735 else
1736 return segmented_write(ctxt,
1737 op->addr.mem,
1738 &op->val,
1739 op->bytes);
1740 break;
1741 case OP_MEM_STR:
1742 return segmented_write(ctxt,
1743 op->addr.mem,
1744 op->data,
1745 op->bytes * op->count);
1746 break;
1747 case OP_XMM:
1748 write_sse_reg(ctxt, &op->vec_val, op->addr.xmm);
1749 break;
1750 case OP_MM:
1751 write_mmx_reg(ctxt, &op->mm_val, op->addr.mm);
1752 break;
1753 case OP_NONE:
1754 /* no writeback */
1755 break;
1756 default:
1757 break;
1758 }
1759 return X86EMUL_CONTINUE;
1760 }
1761
1762 static int push(struct x86_emulate_ctxt *ctxt, void *data, int bytes)
1763 {
1764 struct segmented_address addr;
1765
1766 rsp_increment(ctxt, -bytes);
1767 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1768 addr.seg = VCPU_SREG_SS;
1769
1770 return segmented_write(ctxt, addr, data, bytes);
1771 }
1772
1773 static int em_push(struct x86_emulate_ctxt *ctxt)
1774 {
1775 /* Disable writeback. */
1776 ctxt->dst.type = OP_NONE;
1777 return push(ctxt, &ctxt->src.val, ctxt->op_bytes);
1778 }
1779
1780 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1781 void *dest, int len)
1782 {
1783 int rc;
1784 struct segmented_address addr;
1785
1786 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1787 addr.seg = VCPU_SREG_SS;
1788 rc = segmented_read(ctxt, addr, dest, len);
1789 if (rc != X86EMUL_CONTINUE)
1790 return rc;
1791
1792 rsp_increment(ctxt, len);
1793 return rc;
1794 }
1795
1796 static int em_pop(struct x86_emulate_ctxt *ctxt)
1797 {
1798 return emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1799 }
1800
1801 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1802 void *dest, int len)
1803 {
1804 int rc;
1805 unsigned long val, change_mask;
1806 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> X86_EFLAGS_IOPL_BIT;
1807 int cpl = ctxt->ops->cpl(ctxt);
1808
1809 rc = emulate_pop(ctxt, &val, len);
1810 if (rc != X86EMUL_CONTINUE)
1811 return rc;
1812
1813 change_mask = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
1814 X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_OF |
1815 X86_EFLAGS_TF | X86_EFLAGS_DF | X86_EFLAGS_NT |
1816 X86_EFLAGS_AC | X86_EFLAGS_ID;
1817
1818 switch(ctxt->mode) {
1819 case X86EMUL_MODE_PROT64:
1820 case X86EMUL_MODE_PROT32:
1821 case X86EMUL_MODE_PROT16:
1822 if (cpl == 0)
1823 change_mask |= X86_EFLAGS_IOPL;
1824 if (cpl <= iopl)
1825 change_mask |= X86_EFLAGS_IF;
1826 break;
1827 case X86EMUL_MODE_VM86:
1828 if (iopl < 3)
1829 return emulate_gp(ctxt, 0);
1830 change_mask |= X86_EFLAGS_IF;
1831 break;
1832 default: /* real mode */
1833 change_mask |= (X86_EFLAGS_IOPL | X86_EFLAGS_IF);
1834 break;
1835 }
1836
1837 *(unsigned long *)dest =
1838 (ctxt->eflags & ~change_mask) | (val & change_mask);
1839
1840 return rc;
1841 }
1842
1843 static int em_popf(struct x86_emulate_ctxt *ctxt)
1844 {
1845 ctxt->dst.type = OP_REG;
1846 ctxt->dst.addr.reg = &ctxt->eflags;
1847 ctxt->dst.bytes = ctxt->op_bytes;
1848 return emulate_popf(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1849 }
1850
1851 static int em_enter(struct x86_emulate_ctxt *ctxt)
1852 {
1853 int rc;
1854 unsigned frame_size = ctxt->src.val;
1855 unsigned nesting_level = ctxt->src2.val & 31;
1856 ulong rbp;
1857
1858 if (nesting_level)
1859 return X86EMUL_UNHANDLEABLE;
1860
1861 rbp = reg_read(ctxt, VCPU_REGS_RBP);
1862 rc = push(ctxt, &rbp, stack_size(ctxt));
1863 if (rc != X86EMUL_CONTINUE)
1864 return rc;
1865 assign_masked(reg_rmw(ctxt, VCPU_REGS_RBP), reg_read(ctxt, VCPU_REGS_RSP),
1866 stack_mask(ctxt));
1867 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP),
1868 reg_read(ctxt, VCPU_REGS_RSP) - frame_size,
1869 stack_mask(ctxt));
1870 return X86EMUL_CONTINUE;
1871 }
1872
1873 static int em_leave(struct x86_emulate_ctxt *ctxt)
1874 {
1875 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP), reg_read(ctxt, VCPU_REGS_RBP),
1876 stack_mask(ctxt));
1877 return emulate_pop(ctxt, reg_rmw(ctxt, VCPU_REGS_RBP), ctxt->op_bytes);
1878 }
1879
1880 static int em_push_sreg(struct x86_emulate_ctxt *ctxt)
1881 {
1882 int seg = ctxt->src2.val;
1883
1884 ctxt->src.val = get_segment_selector(ctxt, seg);
1885 if (ctxt->op_bytes == 4) {
1886 rsp_increment(ctxt, -2);
1887 ctxt->op_bytes = 2;
1888 }
1889
1890 return em_push(ctxt);
1891 }
1892
1893 static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
1894 {
1895 int seg = ctxt->src2.val;
1896 unsigned long selector;
1897 int rc;
1898
1899 rc = emulate_pop(ctxt, &selector, 2);
1900 if (rc != X86EMUL_CONTINUE)
1901 return rc;
1902
1903 if (ctxt->modrm_reg == VCPU_SREG_SS)
1904 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
1905 if (ctxt->op_bytes > 2)
1906 rsp_increment(ctxt, ctxt->op_bytes - 2);
1907
1908 rc = load_segment_descriptor(ctxt, (u16)selector, seg);
1909 return rc;
1910 }
1911
1912 static int em_pusha(struct x86_emulate_ctxt *ctxt)
1913 {
1914 unsigned long old_esp = reg_read(ctxt, VCPU_REGS_RSP);
1915 int rc = X86EMUL_CONTINUE;
1916 int reg = VCPU_REGS_RAX;
1917
1918 while (reg <= VCPU_REGS_RDI) {
1919 (reg == VCPU_REGS_RSP) ?
1920 (ctxt->src.val = old_esp) : (ctxt->src.val = reg_read(ctxt, reg));
1921
1922 rc = em_push(ctxt);
1923 if (rc != X86EMUL_CONTINUE)
1924 return rc;
1925
1926 ++reg;
1927 }
1928
1929 return rc;
1930 }
1931
1932 static int em_pushf(struct x86_emulate_ctxt *ctxt)
1933 {
1934 ctxt->src.val = (unsigned long)ctxt->eflags & ~X86_EFLAGS_VM;
1935 return em_push(ctxt);
1936 }
1937
1938 static int em_popa(struct x86_emulate_ctxt *ctxt)
1939 {
1940 int rc = X86EMUL_CONTINUE;
1941 int reg = VCPU_REGS_RDI;
1942 u32 val;
1943
1944 while (reg >= VCPU_REGS_RAX) {
1945 if (reg == VCPU_REGS_RSP) {
1946 rsp_increment(ctxt, ctxt->op_bytes);
1947 --reg;
1948 }
1949
1950 rc = emulate_pop(ctxt, &val, ctxt->op_bytes);
1951 if (rc != X86EMUL_CONTINUE)
1952 break;
1953 assign_register(reg_rmw(ctxt, reg), val, ctxt->op_bytes);
1954 --reg;
1955 }
1956 return rc;
1957 }
1958
1959 static int __emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
1960 {
1961 const struct x86_emulate_ops *ops = ctxt->ops;
1962 int rc;
1963 struct desc_ptr dt;
1964 gva_t cs_addr;
1965 gva_t eip_addr;
1966 u16 cs, eip;
1967
1968 /* TODO: Add limit checks */
1969 ctxt->src.val = ctxt->eflags;
1970 rc = em_push(ctxt);
1971 if (rc != X86EMUL_CONTINUE)
1972 return rc;
1973
1974 ctxt->eflags &= ~(X86_EFLAGS_IF | X86_EFLAGS_TF | X86_EFLAGS_AC);
1975
1976 ctxt->src.val = get_segment_selector(ctxt, VCPU_SREG_CS);
1977 rc = em_push(ctxt);
1978 if (rc != X86EMUL_CONTINUE)
1979 return rc;
1980
1981 ctxt->src.val = ctxt->_eip;
1982 rc = em_push(ctxt);
1983 if (rc != X86EMUL_CONTINUE)
1984 return rc;
1985
1986 ops->get_idt(ctxt, &dt);
1987
1988 eip_addr = dt.address + (irq << 2);
1989 cs_addr = dt.address + (irq << 2) + 2;
1990
1991 rc = ops->read_std(ctxt, cs_addr, &cs, 2, &ctxt->exception);
1992 if (rc != X86EMUL_CONTINUE)
1993 return rc;
1994
1995 rc = ops->read_std(ctxt, eip_addr, &eip, 2, &ctxt->exception);
1996 if (rc != X86EMUL_CONTINUE)
1997 return rc;
1998
1999 rc = load_segment_descriptor(ctxt, cs, VCPU_SREG_CS);
2000 if (rc != X86EMUL_CONTINUE)
2001 return rc;
2002
2003 ctxt->_eip = eip;
2004
2005 return rc;
2006 }
2007
2008 int emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
2009 {
2010 int rc;
2011
2012 invalidate_registers(ctxt);
2013 rc = __emulate_int_real(ctxt, irq);
2014 if (rc == X86EMUL_CONTINUE)
2015 writeback_registers(ctxt);
2016 return rc;
2017 }
2018
2019 static int emulate_int(struct x86_emulate_ctxt *ctxt, int irq)
2020 {
2021 switch(ctxt->mode) {
2022 case X86EMUL_MODE_REAL:
2023 return __emulate_int_real(ctxt, irq);
2024 case X86EMUL_MODE_VM86:
2025 case X86EMUL_MODE_PROT16:
2026 case X86EMUL_MODE_PROT32:
2027 case X86EMUL_MODE_PROT64:
2028 default:
2029 /* Protected mode interrupts unimplemented yet */
2030 return X86EMUL_UNHANDLEABLE;
2031 }
2032 }
2033
2034 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
2035 {
2036 int rc = X86EMUL_CONTINUE;
2037 unsigned long temp_eip = 0;
2038 unsigned long temp_eflags = 0;
2039 unsigned long cs = 0;
2040 unsigned long mask = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
2041 X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_TF |
2042 X86_EFLAGS_IF | X86_EFLAGS_DF | X86_EFLAGS_OF |
2043 X86_EFLAGS_IOPL | X86_EFLAGS_NT | X86_EFLAGS_RF |
2044 X86_EFLAGS_AC | X86_EFLAGS_ID |
2045 X86_EFLAGS_FIXED;
2046 unsigned long vm86_mask = X86_EFLAGS_VM | X86_EFLAGS_VIF |
2047 X86_EFLAGS_VIP;
2048
2049 /* TODO: Add stack limit check */
2050
2051 rc = emulate_pop(ctxt, &temp_eip, ctxt->op_bytes);
2052
2053 if (rc != X86EMUL_CONTINUE)
2054 return rc;
2055
2056 if (temp_eip & ~0xffff)
2057 return emulate_gp(ctxt, 0);
2058
2059 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2060
2061 if (rc != X86EMUL_CONTINUE)
2062 return rc;
2063
2064 rc = emulate_pop(ctxt, &temp_eflags, ctxt->op_bytes);
2065
2066 if (rc != X86EMUL_CONTINUE)
2067 return rc;
2068
2069 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
2070
2071 if (rc != X86EMUL_CONTINUE)
2072 return rc;
2073
2074 ctxt->_eip = temp_eip;
2075
2076 if (ctxt->op_bytes == 4)
2077 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
2078 else if (ctxt->op_bytes == 2) {
2079 ctxt->eflags &= ~0xffff;
2080 ctxt->eflags |= temp_eflags;
2081 }
2082
2083 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
2084 ctxt->eflags |= X86_EFLAGS_FIXED;
2085 ctxt->ops->set_nmi_mask(ctxt, false);
2086
2087 return rc;
2088 }
2089
2090 static int em_iret(struct x86_emulate_ctxt *ctxt)
2091 {
2092 switch(ctxt->mode) {
2093 case X86EMUL_MODE_REAL:
2094 return emulate_iret_real(ctxt);
2095 case X86EMUL_MODE_VM86:
2096 case X86EMUL_MODE_PROT16:
2097 case X86EMUL_MODE_PROT32:
2098 case X86EMUL_MODE_PROT64:
2099 default:
2100 /* iret from protected mode unimplemented yet */
2101 return X86EMUL_UNHANDLEABLE;
2102 }
2103 }
2104
2105 static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
2106 {
2107 int rc;
2108 unsigned short sel, old_sel;
2109 struct desc_struct old_desc, new_desc;
2110 const struct x86_emulate_ops *ops = ctxt->ops;
2111 u8 cpl = ctxt->ops->cpl(ctxt);
2112
2113 /* Assignment of RIP may only fail in 64-bit mode */
2114 if (ctxt->mode == X86EMUL_MODE_PROT64)
2115 ops->get_segment(ctxt, &old_sel, &old_desc, NULL,
2116 VCPU_SREG_CS);
2117
2118 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2119
2120 rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
2121 X86_TRANSFER_CALL_JMP,
2122 &new_desc);
2123 if (rc != X86EMUL_CONTINUE)
2124 return rc;
2125
2126 rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
2127 if (rc != X86EMUL_CONTINUE) {
2128 WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
2129 /* assigning eip failed; restore the old cs */
2130 ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS);
2131 return rc;
2132 }
2133 return rc;
2134 }
2135
2136 static int em_jmp_abs(struct x86_emulate_ctxt *ctxt)
2137 {
2138 return assign_eip_near(ctxt, ctxt->src.val);
2139 }
2140
2141 static int em_call_near_abs(struct x86_emulate_ctxt *ctxt)
2142 {
2143 int rc;
2144 long int old_eip;
2145
2146 old_eip = ctxt->_eip;
2147 rc = assign_eip_near(ctxt, ctxt->src.val);
2148 if (rc != X86EMUL_CONTINUE)
2149 return rc;
2150 ctxt->src.val = old_eip;
2151 rc = em_push(ctxt);
2152 return rc;
2153 }
2154
2155 static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
2156 {
2157 u64 old = ctxt->dst.orig_val64;
2158
2159 if (ctxt->dst.bytes == 16)
2160 return X86EMUL_UNHANDLEABLE;
2161
2162 if (((u32) (old >> 0) != (u32) reg_read(ctxt, VCPU_REGS_RAX)) ||
2163 ((u32) (old >> 32) != (u32) reg_read(ctxt, VCPU_REGS_RDX))) {
2164 *reg_write(ctxt, VCPU_REGS_RAX) = (u32) (old >> 0);
2165 *reg_write(ctxt, VCPU_REGS_RDX) = (u32) (old >> 32);
2166 ctxt->eflags &= ~X86_EFLAGS_ZF;
2167 } else {
2168 ctxt->dst.val64 = ((u64)reg_read(ctxt, VCPU_REGS_RCX) << 32) |
2169 (u32) reg_read(ctxt, VCPU_REGS_RBX);
2170
2171 ctxt->eflags |= X86_EFLAGS_ZF;
2172 }
2173 return X86EMUL_CONTINUE;
2174 }
2175
2176 static int em_ret(struct x86_emulate_ctxt *ctxt)
2177 {
2178 int rc;
2179 unsigned long eip;
2180
2181 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
2182 if (rc != X86EMUL_CONTINUE)
2183 return rc;
2184
2185 return assign_eip_near(ctxt, eip);
2186 }
2187
2188 static int em_ret_far(struct x86_emulate_ctxt *ctxt)
2189 {
2190 int rc;
2191 unsigned long eip, cs;
2192 u16 old_cs;
2193 int cpl = ctxt->ops->cpl(ctxt);
2194 struct desc_struct old_desc, new_desc;
2195 const struct x86_emulate_ops *ops = ctxt->ops;
2196
2197 if (ctxt->mode == X86EMUL_MODE_PROT64)
2198 ops->get_segment(ctxt, &old_cs, &old_desc, NULL,
2199 VCPU_SREG_CS);
2200
2201 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
2202 if (rc != X86EMUL_CONTINUE)
2203 return rc;
2204 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2205 if (rc != X86EMUL_CONTINUE)
2206 return rc;
2207 /* Outer-privilege level return is not implemented */
2208 if (ctxt->mode >= X86EMUL_MODE_PROT16 && (cs & 3) > cpl)
2209 return X86EMUL_UNHANDLEABLE;
2210 rc = __load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, cpl,
2211 X86_TRANSFER_RET,
2212 &new_desc);
2213 if (rc != X86EMUL_CONTINUE)
2214 return rc;
2215 rc = assign_eip_far(ctxt, eip, &new_desc);
2216 if (rc != X86EMUL_CONTINUE) {
2217 WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
2218 ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
2219 }
2220 return rc;
2221 }
2222
2223 static int em_ret_far_imm(struct x86_emulate_ctxt *ctxt)
2224 {
2225 int rc;
2226
2227 rc = em_ret_far(ctxt);
2228 if (rc != X86EMUL_CONTINUE)
2229 return rc;
2230 rsp_increment(ctxt, ctxt->src.val);
2231 return X86EMUL_CONTINUE;
2232 }
2233
2234 static int em_cmpxchg(struct x86_emulate_ctxt *ctxt)
2235 {
2236 /* Save real source value, then compare EAX against destination. */
2237 ctxt->dst.orig_val = ctxt->dst.val;
2238 ctxt->dst.val = reg_read(ctxt, VCPU_REGS_RAX);
2239 ctxt->src.orig_val = ctxt->src.val;
2240 ctxt->src.val = ctxt->dst.orig_val;
2241 fastop(ctxt, em_cmp);
2242
2243 if (ctxt->eflags & X86_EFLAGS_ZF) {
2244 /* Success: write back to memory; no update of EAX */
2245 ctxt->src.type = OP_NONE;
2246 ctxt->dst.val = ctxt->src.orig_val;
2247 } else {
2248 /* Failure: write the value we saw to EAX. */
2249 ctxt->src.type = OP_REG;
2250 ctxt->src.addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
2251 ctxt->src.val = ctxt->dst.orig_val;
2252 /* Create write-cycle to dest by writing the same value */
2253 ctxt->dst.val = ctxt->dst.orig_val;
2254 }
2255 return X86EMUL_CONTINUE;
2256 }
2257
2258 static int em_lseg(struct x86_emulate_ctxt *ctxt)
2259 {
2260 int seg = ctxt->src2.val;
2261 unsigned short sel;
2262 int rc;
2263
2264 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2265
2266 rc = load_segment_descriptor(ctxt, sel, seg);
2267 if (rc != X86EMUL_CONTINUE)
2268 return rc;
2269
2270 ctxt->dst.val = ctxt->src.val;
2271 return rc;
2272 }
2273
2274 static int emulator_has_longmode(struct x86_emulate_ctxt *ctxt)
2275 {
2276 u32 eax, ebx, ecx, edx;
2277
2278 eax = 0x80000001;
2279 ecx = 0;
2280 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
2281 return edx & bit(X86_FEATURE_LM);
2282 }
2283
2284 #define GET_SMSTATE(type, smbase, offset) \
2285 ({ \
2286 type __val; \
2287 int r = ctxt->ops->read_phys(ctxt, smbase + offset, &__val, \
2288 sizeof(__val)); \
2289 if (r != X86EMUL_CONTINUE) \
2290 return X86EMUL_UNHANDLEABLE; \
2291 __val; \
2292 })
2293
2294 static void rsm_set_desc_flags(struct desc_struct *desc, u32 flags)
2295 {
2296 desc->g = (flags >> 23) & 1;
2297 desc->d = (flags >> 22) & 1;
2298 desc->l = (flags >> 21) & 1;
2299 desc->avl = (flags >> 20) & 1;
2300 desc->p = (flags >> 15) & 1;
2301 desc->dpl = (flags >> 13) & 3;
2302 desc->s = (flags >> 12) & 1;
2303 desc->type = (flags >> 8) & 15;
2304 }
2305
2306 static int rsm_load_seg_32(struct x86_emulate_ctxt *ctxt, u64 smbase, int n)
2307 {
2308 struct desc_struct desc;
2309 int offset;
2310 u16 selector;
2311
2312 selector = GET_SMSTATE(u32, smbase, 0x7fa8 + n * 4);
2313
2314 if (n < 3)
2315 offset = 0x7f84 + n * 12;
2316 else
2317 offset = 0x7f2c + (n - 3) * 12;
2318
2319 set_desc_base(&desc, GET_SMSTATE(u32, smbase, offset + 8));
2320 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, offset + 4));
2321 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, offset));
2322 ctxt->ops->set_segment(ctxt, selector, &desc, 0, n);
2323 return X86EMUL_CONTINUE;
2324 }
2325
2326 static int rsm_load_seg_64(struct x86_emulate_ctxt *ctxt, u64 smbase, int n)
2327 {
2328 struct desc_struct desc;
2329 int offset;
2330 u16 selector;
2331 u32 base3;
2332
2333 offset = 0x7e00 + n * 16;
2334
2335 selector = GET_SMSTATE(u16, smbase, offset);
2336 rsm_set_desc_flags(&desc, GET_SMSTATE(u16, smbase, offset + 2) << 8);
2337 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, offset + 4));
2338 set_desc_base(&desc, GET_SMSTATE(u32, smbase, offset + 8));
2339 base3 = GET_SMSTATE(u32, smbase, offset + 12);
2340
2341 ctxt->ops->set_segment(ctxt, selector, &desc, base3, n);
2342 return X86EMUL_CONTINUE;
2343 }
2344
2345 static int rsm_enter_protected_mode(struct x86_emulate_ctxt *ctxt,
2346 u64 cr0, u64 cr4)
2347 {
2348 int bad;
2349
2350 /*
2351 * First enable PAE, long mode needs it before CR0.PG = 1 is set.
2352 * Then enable protected mode. However, PCID cannot be enabled
2353 * if EFER.LMA=0, so set it separately.
2354 */
2355 bad = ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE);
2356 if (bad)
2357 return X86EMUL_UNHANDLEABLE;
2358
2359 bad = ctxt->ops->set_cr(ctxt, 0, cr0);
2360 if (bad)
2361 return X86EMUL_UNHANDLEABLE;
2362
2363 if (cr4 & X86_CR4_PCIDE) {
2364 bad = ctxt->ops->set_cr(ctxt, 4, cr4);
2365 if (bad)
2366 return X86EMUL_UNHANDLEABLE;
2367 }
2368
2369 return X86EMUL_CONTINUE;
2370 }
2371
2372 static int rsm_load_state_32(struct x86_emulate_ctxt *ctxt, u64 smbase)
2373 {
2374 struct desc_struct desc;
2375 struct desc_ptr dt;
2376 u16 selector;
2377 u32 val, cr0, cr4;
2378 int i;
2379
2380 cr0 = GET_SMSTATE(u32, smbase, 0x7ffc);
2381 ctxt->ops->set_cr(ctxt, 3, GET_SMSTATE(u32, smbase, 0x7ff8));
2382 ctxt->eflags = GET_SMSTATE(u32, smbase, 0x7ff4) | X86_EFLAGS_FIXED;
2383 ctxt->_eip = GET_SMSTATE(u32, smbase, 0x7ff0);
2384
2385 for (i = 0; i < 8; i++)
2386 *reg_write(ctxt, i) = GET_SMSTATE(u32, smbase, 0x7fd0 + i * 4);
2387
2388 val = GET_SMSTATE(u32, smbase, 0x7fcc);
2389 ctxt->ops->set_dr(ctxt, 6, (val & DR6_VOLATILE) | DR6_FIXED_1);
2390 val = GET_SMSTATE(u32, smbase, 0x7fc8);
2391 ctxt->ops->set_dr(ctxt, 7, (val & DR7_VOLATILE) | DR7_FIXED_1);
2392
2393 selector = GET_SMSTATE(u32, smbase, 0x7fc4);
2394 set_desc_base(&desc, GET_SMSTATE(u32, smbase, 0x7f64));
2395 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, 0x7f60));
2396 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, 0x7f5c));
2397 ctxt->ops->set_segment(ctxt, selector, &desc, 0, VCPU_SREG_TR);
2398
2399 selector = GET_SMSTATE(u32, smbase, 0x7fc0);
2400 set_desc_base(&desc, GET_SMSTATE(u32, smbase, 0x7f80));
2401 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, 0x7f7c));
2402 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, 0x7f78));
2403 ctxt->ops->set_segment(ctxt, selector, &desc, 0, VCPU_SREG_LDTR);
2404
2405 dt.address = GET_SMSTATE(u32, smbase, 0x7f74);
2406 dt.size = GET_SMSTATE(u32, smbase, 0x7f70);
2407 ctxt->ops->set_gdt(ctxt, &dt);
2408
2409 dt.address = GET_SMSTATE(u32, smbase, 0x7f58);
2410 dt.size = GET_SMSTATE(u32, smbase, 0x7f54);
2411 ctxt->ops->set_idt(ctxt, &dt);
2412
2413 for (i = 0; i < 6; i++) {
2414 int r = rsm_load_seg_32(ctxt, smbase, i);
2415 if (r != X86EMUL_CONTINUE)
2416 return r;
2417 }
2418
2419 cr4 = GET_SMSTATE(u32, smbase, 0x7f14);
2420
2421 ctxt->ops->set_smbase(ctxt, GET_SMSTATE(u32, smbase, 0x7ef8));
2422
2423 return rsm_enter_protected_mode(ctxt, cr0, cr4);
2424 }
2425
2426 static int rsm_load_state_64(struct x86_emulate_ctxt *ctxt, u64 smbase)
2427 {
2428 struct desc_struct desc;
2429 struct desc_ptr dt;
2430 u64 val, cr0, cr4;
2431 u32 base3;
2432 u16 selector;
2433 int i, r;
2434
2435 for (i = 0; i < 16; i++)
2436 *reg_write(ctxt, i) = GET_SMSTATE(u64, smbase, 0x7ff8 - i * 8);
2437
2438 ctxt->_eip = GET_SMSTATE(u64, smbase, 0x7f78);
2439 ctxt->eflags = GET_SMSTATE(u32, smbase, 0x7f70) | X86_EFLAGS_FIXED;
2440
2441 val = GET_SMSTATE(u32, smbase, 0x7f68);
2442 ctxt->ops->set_dr(ctxt, 6, (val & DR6_VOLATILE) | DR6_FIXED_1);
2443 val = GET_SMSTATE(u32, smbase, 0x7f60);
2444 ctxt->ops->set_dr(ctxt, 7, (val & DR7_VOLATILE) | DR7_FIXED_1);
2445
2446 cr0 = GET_SMSTATE(u64, smbase, 0x7f58);
2447 ctxt->ops->set_cr(ctxt, 3, GET_SMSTATE(u64, smbase, 0x7f50));
2448 cr4 = GET_SMSTATE(u64, smbase, 0x7f48);
2449 ctxt->ops->set_smbase(ctxt, GET_SMSTATE(u32, smbase, 0x7f00));
2450 val = GET_SMSTATE(u64, smbase, 0x7ed0);
2451 ctxt->ops->set_msr(ctxt, MSR_EFER, val & ~EFER_LMA);
2452
2453 selector = GET_SMSTATE(u32, smbase, 0x7e90);
2454 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, 0x7e92) << 8);
2455 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, 0x7e94));
2456 set_desc_base(&desc, GET_SMSTATE(u32, smbase, 0x7e98));
2457 base3 = GET_SMSTATE(u32, smbase, 0x7e9c);
2458 ctxt->ops->set_segment(ctxt, selector, &desc, base3, VCPU_SREG_TR);
2459
2460 dt.size = GET_SMSTATE(u32, smbase, 0x7e84);
2461 dt.address = GET_SMSTATE(u64, smbase, 0x7e88);
2462 ctxt->ops->set_idt(ctxt, &dt);
2463
2464 selector = GET_SMSTATE(u32, smbase, 0x7e70);
2465 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, 0x7e72) << 8);
2466 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, 0x7e74));
2467 set_desc_base(&desc, GET_SMSTATE(u32, smbase, 0x7e78));
2468 base3 = GET_SMSTATE(u32, smbase, 0x7e7c);
2469 ctxt->ops->set_segment(ctxt, selector, &desc, base3, VCPU_SREG_LDTR);
2470
2471 dt.size = GET_SMSTATE(u32, smbase, 0x7e64);
2472 dt.address = GET_SMSTATE(u64, smbase, 0x7e68);
2473 ctxt->ops->set_gdt(ctxt, &dt);
2474
2475 r = rsm_enter_protected_mode(ctxt, cr0, cr4);
2476 if (r != X86EMUL_CONTINUE)
2477 return r;
2478
2479 for (i = 0; i < 6; i++) {
2480 r = rsm_load_seg_64(ctxt, smbase, i);
2481 if (r != X86EMUL_CONTINUE)
2482 return r;
2483 }
2484
2485 return X86EMUL_CONTINUE;
2486 }
2487
2488 static int em_rsm(struct x86_emulate_ctxt *ctxt)
2489 {
2490 unsigned long cr0, cr4, efer;
2491 u64 smbase;
2492 int ret;
2493
2494 if ((ctxt->emul_flags & X86EMUL_SMM_MASK) == 0)
2495 return emulate_ud(ctxt);
2496
2497 /*
2498 * Get back to real mode, to prepare a safe state in which to load
2499 * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU
2500 * supports long mode.
2501 */
2502 cr4 = ctxt->ops->get_cr(ctxt, 4);
2503 if (emulator_has_longmode(ctxt)) {
2504 struct desc_struct cs_desc;
2505
2506 /* Zero CR4.PCIDE before CR0.PG. */
2507 if (cr4 & X86_CR4_PCIDE) {
2508 ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE);
2509 cr4 &= ~X86_CR4_PCIDE;
2510 }
2511
2512 /* A 32-bit code segment is required to clear EFER.LMA. */
2513 memset(&cs_desc, 0, sizeof(cs_desc));
2514 cs_desc.type = 0xb;
2515 cs_desc.s = cs_desc.g = cs_desc.p = 1;
2516 ctxt->ops->set_segment(ctxt, 0, &cs_desc, 0, VCPU_SREG_CS);
2517 }
2518
2519 /* For the 64-bit case, this will clear EFER.LMA. */
2520 cr0 = ctxt->ops->get_cr(ctxt, 0);
2521 if (cr0 & X86_CR0_PE)
2522 ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE));
2523
2524 /* Now clear CR4.PAE (which must be done before clearing EFER.LME). */
2525 if (cr4 & X86_CR4_PAE)
2526 ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE);
2527
2528 /* And finally go back to 32-bit mode. */
2529 efer = 0;
2530 ctxt->ops->set_msr(ctxt, MSR_EFER, efer);
2531
2532 smbase = ctxt->ops->get_smbase(ctxt);
2533 if (emulator_has_longmode(ctxt))
2534 ret = rsm_load_state_64(ctxt, smbase + 0x8000);
2535 else
2536 ret = rsm_load_state_32(ctxt, smbase + 0x8000);
2537
2538 if (ret != X86EMUL_CONTINUE) {
2539 /* FIXME: should triple fault */
2540 return X86EMUL_UNHANDLEABLE;
2541 }
2542
2543 if ((ctxt->emul_flags & X86EMUL_SMM_INSIDE_NMI_MASK) == 0)
2544 ctxt->ops->set_nmi_mask(ctxt, false);
2545
2546 ctxt->emul_flags &= ~X86EMUL_SMM_INSIDE_NMI_MASK;
2547 ctxt->emul_flags &= ~X86EMUL_SMM_MASK;
2548 return X86EMUL_CONTINUE;
2549 }
2550
2551 static void
2552 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
2553 struct desc_struct *cs, struct desc_struct *ss)
2554 {
2555 cs->l = 0; /* will be adjusted later */
2556 set_desc_base(cs, 0); /* flat segment */
2557 cs->g = 1; /* 4kb granularity */
2558 set_desc_limit(cs, 0xfffff); /* 4GB limit */
2559 cs->type = 0x0b; /* Read, Execute, Accessed */
2560 cs->s = 1;
2561 cs->dpl = 0; /* will be adjusted later */
2562 cs->p = 1;
2563 cs->d = 1;
2564 cs->avl = 0;
2565
2566 set_desc_base(ss, 0); /* flat segment */
2567 set_desc_limit(ss, 0xfffff); /* 4GB limit */
2568 ss->g = 1; /* 4kb granularity */
2569 ss->s = 1;
2570 ss->type = 0x03; /* Read/Write, Accessed */
2571 ss->d = 1; /* 32bit stack segment */
2572 ss->dpl = 0;
2573 ss->p = 1;
2574 ss->l = 0;
2575 ss->avl = 0;
2576 }
2577
2578 static bool vendor_intel(struct x86_emulate_ctxt *ctxt)
2579 {
2580 u32 eax, ebx, ecx, edx;
2581
2582 eax = ecx = 0;
2583 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
2584 return ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx
2585 && ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx
2586 && edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx;
2587 }
2588
2589 static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt)
2590 {
2591 const struct x86_emulate_ops *ops = ctxt->ops;
2592 u32 eax, ebx, ecx, edx;
2593
2594 /*
2595 * syscall should always be enabled in longmode - so only become
2596 * vendor specific (cpuid) if other modes are active...
2597 */
2598 if (ctxt->mode == X86EMUL_MODE_PROT64)
2599 return true;
2600
2601 eax = 0x00000000;
2602 ecx = 0x00000000;
2603 ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
2604 /*
2605 * Intel ("GenuineIntel")
2606 * remark: Intel CPUs only support "syscall" in 64bit
2607 * longmode. Also an 64bit guest with a
2608 * 32bit compat-app running will #UD !! While this
2609 * behaviour can be fixed (by emulating) into AMD
2610 * response - CPUs of AMD can't behave like Intel.
2611 */
2612 if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
2613 ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
2614 edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
2615 return false;
2616
2617 /* AMD ("AuthenticAMD") */
2618 if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
2619 ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
2620 edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
2621 return true;
2622
2623 /* AMD ("AMDisbetter!") */
2624 if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
2625 ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
2626 edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
2627 return true;
2628
2629 /* default: (not Intel, not AMD), apply Intel's stricter rules... */
2630 return false;
2631 }
2632
2633 static int em_syscall(struct x86_emulate_ctxt *ctxt)
2634 {
2635 const struct x86_emulate_ops *ops = ctxt->ops;
2636 struct desc_struct cs, ss;
2637 u64 msr_data;
2638 u16 cs_sel, ss_sel;
2639 u64 efer = 0;
2640
2641 /* syscall is not available in real mode */
2642 if (ctxt->mode == X86EMUL_MODE_REAL ||
2643 ctxt->mode == X86EMUL_MODE_VM86)
2644 return emulate_ud(ctxt);
2645
2646 if (!(em_syscall_is_enabled(ctxt)))
2647 return emulate_ud(ctxt);
2648
2649 ops->get_msr(ctxt, MSR_EFER, &efer);
2650 setup_syscalls_segments(ctxt, &cs, &ss);
2651
2652 if (!(efer & EFER_SCE))
2653 return emulate_ud(ctxt);
2654
2655 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2656 msr_data >>= 32;
2657 cs_sel = (u16)(msr_data & 0xfffc);
2658 ss_sel = (u16)(msr_data + 8);
2659
2660 if (efer & EFER_LMA) {
2661 cs.d = 0;
2662 cs.l = 1;
2663 }
2664 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2665 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2666
2667 *reg_write(ctxt, VCPU_REGS_RCX) = ctxt->_eip;
2668 if (efer & EFER_LMA) {
2669 #ifdef CONFIG_X86_64
2670 *reg_write(ctxt, VCPU_REGS_R11) = ctxt->eflags;
2671
2672 ops->get_msr(ctxt,
2673 ctxt->mode == X86EMUL_MODE_PROT64 ?
2674 MSR_LSTAR : MSR_CSTAR, &msr_data);
2675 ctxt->_eip = msr_data;
2676
2677 ops->get_msr(ctxt, MSR_SYSCALL_MASK, &msr_data);
2678 ctxt->eflags &= ~msr_data;
2679 ctxt->eflags |= X86_EFLAGS_FIXED;
2680 #endif
2681 } else {
2682 /* legacy mode */
2683 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2684 ctxt->_eip = (u32)msr_data;
2685
2686 ctxt->eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
2687 }
2688
2689 return X86EMUL_CONTINUE;
2690 }
2691
2692 static int em_sysenter(struct x86_emulate_ctxt *ctxt)
2693 {
2694 const struct x86_emulate_ops *ops = ctxt->ops;
2695 struct desc_struct cs, ss;
2696 u64 msr_data;
2697 u16 cs_sel, ss_sel;
2698 u64 efer = 0;
2699
2700 ops->get_msr(ctxt, MSR_EFER, &efer);
2701 /* inject #GP if in real mode */
2702 if (ctxt->mode == X86EMUL_MODE_REAL)
2703 return emulate_gp(ctxt, 0);
2704
2705 /*
2706 * Not recognized on AMD in compat mode (but is recognized in legacy
2707 * mode).
2708 */
2709 if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
2710 && !vendor_intel(ctxt))
2711 return emulate_ud(ctxt);
2712
2713 /* sysenter/sysexit have not been tested in 64bit mode. */
2714 if (ctxt->mode == X86EMUL_MODE_PROT64)
2715 return X86EMUL_UNHANDLEABLE;
2716
2717 setup_syscalls_segments(ctxt, &cs, &ss);
2718
2719 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2720 if ((msr_data & 0xfffc) == 0x0)
2721 return emulate_gp(ctxt, 0);
2722
2723 ctxt->eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
2724 cs_sel = (u16)msr_data & ~SEGMENT_RPL_MASK;
2725 ss_sel = cs_sel + 8;
2726 if (efer & EFER_LMA) {
2727 cs.d = 0;
2728 cs.l = 1;
2729 }
2730
2731 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2732 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2733
2734 ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
2735 ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
2736
2737 ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
2738 *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
2739 (u32)msr_data;
2740
2741 return X86EMUL_CONTINUE;
2742 }
2743
2744 static int em_sysexit(struct x86_emulate_ctxt *ctxt)
2745 {
2746 const struct x86_emulate_ops *ops = ctxt->ops;
2747 struct desc_struct cs, ss;
2748 u64 msr_data, rcx, rdx;
2749 int usermode;
2750 u16 cs_sel = 0, ss_sel = 0;
2751
2752 /* inject #GP if in real mode or Virtual 8086 mode */
2753 if (ctxt->mode == X86EMUL_MODE_REAL ||
2754 ctxt->mode == X86EMUL_MODE_VM86)
2755 return emulate_gp(ctxt, 0);
2756
2757 setup_syscalls_segments(ctxt, &cs, &ss);
2758
2759 if ((ctxt->rex_prefix & 0x8) != 0x0)
2760 usermode = X86EMUL_MODE_PROT64;
2761 else
2762 usermode = X86EMUL_MODE_PROT32;
2763
2764 rcx = reg_read(ctxt, VCPU_REGS_RCX);
2765 rdx = reg_read(ctxt, VCPU_REGS_RDX);
2766
2767 cs.dpl = 3;
2768 ss.dpl = 3;
2769 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2770 switch (usermode) {
2771 case X86EMUL_MODE_PROT32:
2772 cs_sel = (u16)(msr_data + 16);
2773 if ((msr_data & 0xfffc) == 0x0)
2774 return emulate_gp(ctxt, 0);
2775 ss_sel = (u16)(msr_data + 24);
2776 rcx = (u32)rcx;
2777 rdx = (u32)rdx;
2778 break;
2779 case X86EMUL_MODE_PROT64:
2780 cs_sel = (u16)(msr_data + 32);
2781 if (msr_data == 0x0)
2782 return emulate_gp(ctxt, 0);
2783 ss_sel = cs_sel + 8;
2784 cs.d = 0;
2785 cs.l = 1;
2786 if (is_noncanonical_address(rcx) ||
2787 is_noncanonical_address(rdx))
2788 return emulate_gp(ctxt, 0);
2789 break;
2790 }
2791 cs_sel |= SEGMENT_RPL_MASK;
2792 ss_sel |= SEGMENT_RPL_MASK;
2793
2794 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2795 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2796
2797 ctxt->_eip = rdx;
2798 *reg_write(ctxt, VCPU_REGS_RSP) = rcx;
2799
2800 return X86EMUL_CONTINUE;
2801 }
2802
2803 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt)
2804 {
2805 int iopl;
2806 if (ctxt->mode == X86EMUL_MODE_REAL)
2807 return false;
2808 if (ctxt->mode == X86EMUL_MODE_VM86)
2809 return true;
2810 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> X86_EFLAGS_IOPL_BIT;
2811 return ctxt->ops->cpl(ctxt) > iopl;
2812 }
2813
2814 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2815 u16 port, u16 len)
2816 {
2817 const struct x86_emulate_ops *ops = ctxt->ops;
2818 struct desc_struct tr_seg;
2819 u32 base3;
2820 int r;
2821 u16 tr, io_bitmap_ptr, perm, bit_idx = port & 0x7;
2822 unsigned mask = (1 << len) - 1;
2823 unsigned long base;
2824
2825 ops->get_segment(ctxt, &tr, &tr_seg, &base3, VCPU_SREG_TR);
2826 if (!tr_seg.p)
2827 return false;
2828 if (desc_limit_scaled(&tr_seg) < 103)
2829 return false;
2830 base = get_desc_base(&tr_seg);
2831 #ifdef CONFIG_X86_64
2832 base |= ((u64)base3) << 32;
2833 #endif
2834 r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL);
2835 if (r != X86EMUL_CONTINUE)
2836 return false;
2837 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2838 return false;
2839 r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL);
2840 if (r != X86EMUL_CONTINUE)
2841 return false;
2842 if ((perm >> bit_idx) & mask)
2843 return false;
2844 return true;
2845 }
2846
2847 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2848 u16 port, u16 len)
2849 {
2850 if (ctxt->perm_ok)
2851 return true;
2852
2853 if (emulator_bad_iopl(ctxt))
2854 if (!emulator_io_port_access_allowed(ctxt, port, len))
2855 return false;
2856
2857 ctxt->perm_ok = true;
2858
2859 return true;
2860 }
2861
2862 static void string_registers_quirk(struct x86_emulate_ctxt *ctxt)
2863 {
2864 /*
2865 * Intel CPUs mask the counter and pointers in quite strange
2866 * manner when ECX is zero due to REP-string optimizations.
2867 */
2868 #ifdef CONFIG_X86_64
2869 if (ctxt->ad_bytes != 4 || !vendor_intel(ctxt))
2870 return;
2871
2872 *reg_write(ctxt, VCPU_REGS_RCX) = 0;
2873
2874 switch (ctxt->b) {
2875 case 0xa4: /* movsb */
2876 case 0xa5: /* movsd/w */
2877 *reg_rmw(ctxt, VCPU_REGS_RSI) &= (u32)-1;
2878 /* fall through */
2879 case 0xaa: /* stosb */
2880 case 0xab: /* stosd/w */
2881 *reg_rmw(ctxt, VCPU_REGS_RDI) &= (u32)-1;
2882 }
2883 #endif
2884 }
2885
2886 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2887 struct tss_segment_16 *tss)
2888 {
2889 tss->ip = ctxt->_eip;
2890 tss->flag = ctxt->eflags;
2891 tss->ax = reg_read(ctxt, VCPU_REGS_RAX);
2892 tss->cx = reg_read(ctxt, VCPU_REGS_RCX);
2893 tss->dx = reg_read(ctxt, VCPU_REGS_RDX);
2894 tss->bx = reg_read(ctxt, VCPU_REGS_RBX);
2895 tss->sp = reg_read(ctxt, VCPU_REGS_RSP);
2896 tss->bp = reg_read(ctxt, VCPU_REGS_RBP);
2897 tss->si = reg_read(ctxt, VCPU_REGS_RSI);
2898 tss->di = reg_read(ctxt, VCPU_REGS_RDI);
2899
2900 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2901 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2902 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2903 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2904 tss->ldt = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2905 }
2906
2907 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2908 struct tss_segment_16 *tss)
2909 {
2910 int ret;
2911 u8 cpl;
2912
2913 ctxt->_eip = tss->ip;
2914 ctxt->eflags = tss->flag | 2;
2915 *reg_write(ctxt, VCPU_REGS_RAX) = tss->ax;
2916 *reg_write(ctxt, VCPU_REGS_RCX) = tss->cx;
2917 *reg_write(ctxt, VCPU_REGS_RDX) = tss->dx;
2918 *reg_write(ctxt, VCPU_REGS_RBX) = tss->bx;
2919 *reg_write(ctxt, VCPU_REGS_RSP) = tss->sp;
2920 *reg_write(ctxt, VCPU_REGS_RBP) = tss->bp;
2921 *reg_write(ctxt, VCPU_REGS_RSI) = tss->si;
2922 *reg_write(ctxt, VCPU_REGS_RDI) = tss->di;
2923
2924 /*
2925 * SDM says that segment selectors are loaded before segment
2926 * descriptors
2927 */
2928 set_segment_selector(ctxt, tss->ldt, VCPU_SREG_LDTR);
2929 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2930 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2931 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2932 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2933
2934 cpl = tss->cs & 3;
2935
2936 /*
2937 * Now load segment descriptors. If fault happens at this stage
2938 * it is handled in a context of new task
2939 */
2940 ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl,
2941 X86_TRANSFER_TASK_SWITCH, NULL);
2942 if (ret != X86EMUL_CONTINUE)
2943 return ret;
2944 ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
2945 X86_TRANSFER_TASK_SWITCH, NULL);
2946 if (ret != X86EMUL_CONTINUE)
2947 return ret;
2948 ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
2949 X86_TRANSFER_TASK_SWITCH, NULL);
2950 if (ret != X86EMUL_CONTINUE)
2951 return ret;
2952 ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
2953 X86_TRANSFER_TASK_SWITCH, NULL);
2954 if (ret != X86EMUL_CONTINUE)
2955 return ret;
2956 ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
2957 X86_TRANSFER_TASK_SWITCH, NULL);
2958 if (ret != X86EMUL_CONTINUE)
2959 return ret;
2960
2961 return X86EMUL_CONTINUE;
2962 }
2963
2964 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2965 u16 tss_selector, u16 old_tss_sel,
2966 ulong old_tss_base, struct desc_struct *new_desc)
2967 {
2968 const struct x86_emulate_ops *ops = ctxt->ops;
2969 struct tss_segment_16 tss_seg;
2970 int ret;
2971 u32 new_tss_base = get_desc_base(new_desc);
2972
2973 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2974 &ctxt->exception);
2975 if (ret != X86EMUL_CONTINUE)
2976 return ret;
2977
2978 save_state_to_tss16(ctxt, &tss_seg);
2979
2980 ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
2981 &ctxt->exception);
2982 if (ret != X86EMUL_CONTINUE)
2983 return ret;
2984
2985 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
2986 &ctxt->exception);
2987 if (ret != X86EMUL_CONTINUE)
2988 return ret;
2989
2990 if (old_tss_sel != 0xffff) {
2991 tss_seg.prev_task_link = old_tss_sel;
2992
2993 ret = ops->write_std(ctxt, new_tss_base,
2994 &tss_seg.prev_task_link,
2995 sizeof tss_seg.prev_task_link,
2996 &ctxt->exception);
2997 if (ret != X86EMUL_CONTINUE)
2998 return ret;
2999 }
3000
3001 return load_state_from_tss16(ctxt, &tss_seg);
3002 }
3003
3004 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
3005 struct tss_segment_32 *tss)
3006 {
3007 /* CR3 and ldt selector are not saved intentionally */
3008 tss->eip = ctxt->_eip;
3009 tss->eflags = ctxt->eflags;
3010 tss->eax = reg_read(ctxt, VCPU_REGS_RAX);
3011 tss->ecx = reg_read(ctxt, VCPU_REGS_RCX);
3012 tss->edx = reg_read(ctxt, VCPU_REGS_RDX);
3013 tss->ebx = reg_read(ctxt, VCPU_REGS_RBX);
3014 tss->esp = reg_read(ctxt, VCPU_REGS_RSP);
3015 tss->ebp = reg_read(ctxt, VCPU_REGS_RBP);
3016 tss->esi = reg_read(ctxt, VCPU_REGS_RSI);
3017 tss->edi = reg_read(ctxt, VCPU_REGS_RDI);
3018
3019 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
3020 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
3021 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
3022 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
3023 tss->fs = get_segment_selector(ctxt, VCPU_SREG_FS);
3024 tss->gs = get_segment_selector(ctxt, VCPU_SREG_GS);
3025 }
3026
3027 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
3028 struct tss_segment_32 *tss)
3029 {
3030 int ret;
3031 u8 cpl;
3032
3033 if (ctxt->ops->set_cr(ctxt, 3, tss->cr3))
3034 return emulate_gp(ctxt, 0);
3035 ctxt->_eip = tss->eip;
3036 ctxt->eflags = tss->eflags | 2;
3037
3038 /* General purpose registers */
3039 *reg_write(ctxt, VCPU_REGS_RAX) = tss->eax;
3040 *reg_write(ctxt, VCPU_REGS_RCX) = tss->ecx;
3041 *reg_write(ctxt, VCPU_REGS_RDX) = tss->edx;
3042 *reg_write(ctxt, VCPU_REGS_RBX) = tss->ebx;
3043 *reg_write(ctxt, VCPU_REGS_RSP) = tss->esp;
3044 *reg_write(ctxt, VCPU_REGS_RBP) = tss->ebp;
3045 *reg_write(ctxt, VCPU_REGS_RSI) = tss->esi;
3046 *reg_write(ctxt, VCPU_REGS_RDI) = tss->edi;
3047
3048 /*
3049 * SDM says that segment selectors are loaded before segment
3050 * descriptors. This is important because CPL checks will
3051 * use CS.RPL.
3052 */
3053 set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
3054 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
3055 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
3056 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
3057 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
3058 set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS);
3059 set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS);
3060
3061 /*
3062 * If we're switching between Protected Mode and VM86, we need to make
3063 * sure to update the mode before loading the segment descriptors so
3064 * that the selectors are interpreted correctly.
3065 */
3066 if (ctxt->eflags & X86_EFLAGS_VM) {
3067 ctxt->mode = X86EMUL_MODE_VM86;
3068 cpl = 3;
3069 } else {
3070 ctxt->mode = X86EMUL_MODE_PROT32;
3071 cpl = tss->cs & 3;
3072 }
3073
3074 /*
3075 * Now load segment descriptors. If fault happenes at this stage
3076 * it is handled in a context of new task
3077 */
3078 ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR,
3079 cpl, X86_TRANSFER_TASK_SWITCH, NULL);
3080 if (ret != X86EMUL_CONTINUE)
3081 return ret;
3082 ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
3083 X86_TRANSFER_TASK_SWITCH, NULL);
3084 if (ret != X86EMUL_CONTINUE)
3085 return ret;
3086 ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
3087 X86_TRANSFER_TASK_SWITCH, NULL);
3088 if (ret != X86EMUL_CONTINUE)
3089 return ret;
3090 ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
3091 X86_TRANSFER_TASK_SWITCH, NULL);
3092 if (ret != X86EMUL_CONTINUE)
3093 return ret;
3094 ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
3095 X86_TRANSFER_TASK_SWITCH, NULL);
3096 if (ret != X86EMUL_CONTINUE)
3097 return ret;
3098 ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl,
3099 X86_TRANSFER_TASK_SWITCH, NULL);
3100 if (ret != X86EMUL_CONTINUE)
3101 return ret;
3102 ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl,
3103 X86_TRANSFER_TASK_SWITCH, NULL);
3104
3105 return ret;
3106 }
3107
3108 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
3109 u16 tss_selector, u16 old_tss_sel,
3110 ulong old_tss_base, struct desc_struct *new_desc)
3111 {
3112 const struct x86_emulate_ops *ops = ctxt->ops;
3113 struct tss_segment_32 tss_seg;
3114 int ret;
3115 u32 new_tss_base = get_desc_base(new_desc);
3116 u32 eip_offset = offsetof(struct tss_segment_32, eip);
3117 u32 ldt_sel_offset = offsetof(struct tss_segment_32, ldt_selector);
3118
3119 ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
3120 &ctxt->exception);
3121 if (ret != X86EMUL_CONTINUE)
3122 return ret;
3123
3124 save_state_to_tss32(ctxt, &tss_seg);
3125
3126 /* Only GP registers and segment selectors are saved */
3127 ret = ops->write_std(ctxt, old_tss_base + eip_offset, &tss_seg.eip,
3128 ldt_sel_offset - eip_offset, &ctxt->exception);
3129 if (ret != X86EMUL_CONTINUE)
3130 return ret;
3131
3132 ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
3133 &ctxt->exception);
3134 if (ret != X86EMUL_CONTINUE)
3135 return ret;
3136
3137 if (old_tss_sel != 0xffff) {
3138 tss_seg.prev_task_link = old_tss_sel;
3139
3140 ret = ops->write_std(ctxt, new_tss_base,
3141 &tss_seg.prev_task_link,
3142 sizeof tss_seg.prev_task_link,
3143 &ctxt->exception);
3144 if (ret != X86EMUL_CONTINUE)
3145 return ret;
3146 }
3147
3148 return load_state_from_tss32(ctxt, &tss_seg);
3149 }
3150
3151 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
3152 u16 tss_selector, int idt_index, int reason,
3153 bool has_error_code, u32 error_code)
3154 {
3155 const struct x86_emulate_ops *ops = ctxt->ops;
3156 struct desc_struct curr_tss_desc, next_tss_desc;
3157 int ret;
3158 u16 old_tss_sel = get_segment_selector(ctxt, VCPU_SREG_TR);
3159 ulong old_tss_base =
3160 ops->get_cached_segment_base(ctxt, VCPU_SREG_TR);
3161 u32 desc_limit;
3162 ulong desc_addr, dr7;
3163
3164 /* FIXME: old_tss_base == ~0 ? */
3165
3166 ret = read_segment_descriptor(ctxt, tss_selector, &next_tss_desc, &desc_addr);
3167 if (ret != X86EMUL_CONTINUE)
3168 return ret;
3169 ret = read_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc, &desc_addr);
3170 if (ret != X86EMUL_CONTINUE)
3171 return ret;
3172
3173 /* FIXME: check that next_tss_desc is tss */
3174
3175 /*
3176 * Check privileges. The three cases are task switch caused by...
3177 *
3178 * 1. jmp/call/int to task gate: Check against DPL of the task gate
3179 * 2. Exception/IRQ/iret: No check is performed
3180 * 3. jmp/call to TSS/task-gate: No check is performed since the
3181 * hardware checks it before exiting.
3182 */
3183 if (reason == TASK_SWITCH_GATE) {
3184 if (idt_index != -1) {
3185 /* Software interrupts */
3186 struct desc_struct task_gate_desc;
3187 int dpl;
3188
3189 ret = read_interrupt_descriptor(ctxt, idt_index,
3190 &task_gate_desc);
3191 if (ret != X86EMUL_CONTINUE)
3192 return ret;
3193
3194 dpl = task_gate_desc.dpl;
3195 if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
3196 return emulate_gp(ctxt, (idt_index << 3) | 0x2);
3197 }
3198 }
3199
3200 desc_limit = desc_limit_scaled(&next_tss_desc);
3201 if (!next_tss_desc.p ||
3202 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
3203 desc_limit < 0x2b)) {
3204 return emulate_ts(ctxt, tss_selector & 0xfffc);
3205 }
3206
3207 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
3208 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
3209 write_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
3210 }
3211
3212 if (reason == TASK_SWITCH_IRET)
3213 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
3214
3215 /* set back link to prev task only if NT bit is set in eflags
3216 note that old_tss_sel is not used after this point */
3217 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
3218 old_tss_sel = 0xffff;
3219
3220 if (next_tss_desc.type & 8)
3221 ret = task_switch_32(ctxt, tss_selector, old_tss_sel,
3222 old_tss_base, &next_tss_desc);
3223 else
3224 ret = task_switch_16(ctxt, tss_selector, old_tss_sel,
3225 old_tss_base, &next_tss_desc);
3226 if (ret != X86EMUL_CONTINUE)
3227 return ret;
3228
3229 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
3230 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
3231
3232 if (reason != TASK_SWITCH_IRET) {
3233 next_tss_desc.type |= (1 << 1); /* set busy flag */
3234 write_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
3235 }
3236
3237 ops->set_cr(ctxt, 0, ops->get_cr(ctxt, 0) | X86_CR0_TS);
3238 ops->set_segment(ctxt, tss_selector, &next_tss_desc, 0, VCPU_SREG_TR);
3239
3240 if (has_error_code) {
3241 ctxt->op_bytes = ctxt->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
3242 ctxt->lock_prefix = 0;
3243 ctxt->src.val = (unsigned long) error_code;
3244 ret = em_push(ctxt);
3245 }
3246
3247 ops->get_dr(ctxt, 7, &dr7);
3248 ops->set_dr(ctxt, 7, dr7 & ~(DR_LOCAL_ENABLE_MASK | DR_LOCAL_SLOWDOWN));
3249
3250 return ret;
3251 }
3252
3253 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
3254 u16 tss_selector, int idt_index, int reason,
3255 bool has_error_code, u32 error_code)
3256 {
3257 int rc;
3258
3259 invalidate_registers(ctxt);
3260 ctxt->_eip = ctxt->eip;
3261 ctxt->dst.type = OP_NONE;
3262
3263 rc = emulator_do_task_switch(ctxt, tss_selector, idt_index, reason,
3264 has_error_code, error_code);
3265
3266 if (rc == X86EMUL_CONTINUE) {
3267 ctxt->eip = ctxt->_eip;
3268 writeback_registers(ctxt);
3269 }
3270
3271 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
3272 }
3273
3274 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, int reg,
3275 struct operand *op)
3276 {
3277 int df = (ctxt->eflags & X86_EFLAGS_DF) ? -op->count : op->count;
3278
3279 register_address_increment(ctxt, reg, df * op->bytes);
3280 op->addr.mem.ea = register_address(ctxt, reg);
3281 }
3282
3283 static int em_das(struct x86_emulate_ctxt *ctxt)
3284 {
3285 u8 al, old_al;
3286 bool af, cf, old_cf;
3287
3288 cf = ctxt->eflags & X86_EFLAGS_CF;
3289 al = ctxt->dst.val;
3290
3291 old_al = al;
3292 old_cf = cf;
3293 cf = false;
3294 af = ctxt->eflags & X86_EFLAGS_AF;
3295 if ((al & 0x0f) > 9 || af) {
3296 al -= 6;
3297 cf = old_cf | (al >= 250);
3298 af = true;
3299 } else {
3300 af = false;
3301 }
3302 if (old_al > 0x99 || old_cf) {
3303 al -= 0x60;
3304 cf = true;
3305 }
3306
3307 ctxt->dst.val = al;
3308 /* Set PF, ZF, SF */
3309 ctxt->src.type = OP_IMM;
3310 ctxt->src.val = 0;
3311 ctxt->src.bytes = 1;
3312 fastop(ctxt, em_or);
3313 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
3314 if (cf)
3315 ctxt->eflags |= X86_EFLAGS_CF;
3316 if (af)
3317 ctxt->eflags |= X86_EFLAGS_AF;
3318 return X86EMUL_CONTINUE;
3319 }
3320
3321 static int em_aam(struct x86_emulate_ctxt *ctxt)
3322 {
3323 u8 al, ah;
3324
3325 if (ctxt->src.val == 0)
3326 return emulate_de(ctxt);
3327
3328 al = ctxt->dst.val & 0xff;
3329 ah = al / ctxt->src.val;
3330 al %= ctxt->src.val;
3331
3332 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al | (ah << 8);
3333
3334 /* Set PF, ZF, SF */
3335 ctxt->src.type = OP_IMM;
3336 ctxt->src.val = 0;
3337 ctxt->src.bytes = 1;
3338 fastop(ctxt, em_or);
3339
3340 return X86EMUL_CONTINUE;
3341 }
3342
3343 static int em_aad(struct x86_emulate_ctxt *ctxt)
3344 {
3345 u8 al = ctxt->dst.val & 0xff;
3346 u8 ah = (ctxt->dst.val >> 8) & 0xff;
3347
3348 al = (al + (ah * ctxt->src.val)) & 0xff;
3349
3350 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al;
3351
3352 /* Set PF, ZF, SF */
3353 ctxt->src.type = OP_IMM;
3354 ctxt->src.val = 0;
3355 ctxt->src.bytes = 1;
3356 fastop(ctxt, em_or);
3357
3358 return X86EMUL_CONTINUE;
3359 }
3360
3361 static int em_call(struct x86_emulate_ctxt *ctxt)
3362 {
3363 int rc;
3364 long rel = ctxt->src.val;
3365
3366 ctxt->src.val = (unsigned long)ctxt->_eip;
3367 rc = jmp_rel(ctxt, rel);
3368 if (rc != X86EMUL_CONTINUE)
3369 return rc;
3370 return em_push(ctxt);
3371 }
3372
3373 static int em_call_far(struct x86_emulate_ctxt *ctxt)
3374 {
3375 u16 sel, old_cs;
3376 ulong old_eip;
3377 int rc;
3378 struct desc_struct old_desc, new_desc;
3379 const struct x86_emulate_ops *ops = ctxt->ops;
3380 int cpl = ctxt->ops->cpl(ctxt);
3381 enum x86emul_mode prev_mode = ctxt->mode;
3382
3383 old_eip = ctxt->_eip;
3384 ops->get_segment(ctxt, &old_cs, &old_desc, NULL, VCPU_SREG_CS);
3385
3386 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
3387 rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
3388 X86_TRANSFER_CALL_JMP, &new_desc);
3389 if (rc != X86EMUL_CONTINUE)
3390 return rc;
3391
3392 rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
3393 if (rc != X86EMUL_CONTINUE)
3394 goto fail;
3395
3396 ctxt->src.val = old_cs;
3397 rc = em_push(ctxt);
3398 if (rc != X86EMUL_CONTINUE)
3399 goto fail;
3400
3401 ctxt->src.val = old_eip;
3402 rc = em_push(ctxt);
3403 /* If we failed, we tainted the memory, but the very least we should
3404 restore cs */
3405 if (rc != X86EMUL_CONTINUE) {
3406 pr_warn_once("faulting far call emulation tainted memory\n");
3407 goto fail;
3408 }
3409 return rc;
3410 fail:
3411 ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
3412 ctxt->mode = prev_mode;
3413 return rc;
3414
3415 }
3416
3417 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
3418 {
3419 int rc;
3420 unsigned long eip;
3421
3422 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
3423 if (rc != X86EMUL_CONTINUE)
3424 return rc;
3425 rc = assign_eip_near(ctxt, eip);
3426 if (rc != X86EMUL_CONTINUE)
3427 return rc;
3428 rsp_increment(ctxt, ctxt->src.val);
3429 return X86EMUL_CONTINUE;
3430 }
3431
3432 static int em_xchg(struct x86_emulate_ctxt *ctxt)
3433 {
3434 /* Write back the register source. */
3435 ctxt->src.val = ctxt->dst.val;
3436 write_register_operand(&ctxt->src);
3437
3438 /* Write back the memory destination with implicit LOCK prefix. */
3439 ctxt->dst.val = ctxt->src.orig_val;
3440 ctxt->lock_prefix = 1;
3441 return X86EMUL_CONTINUE;
3442 }
3443
3444 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
3445 {
3446 ctxt->dst.val = ctxt->src2.val;
3447 return fastop(ctxt, em_imul);
3448 }
3449
3450 static int em_cwd(struct x86_emulate_ctxt *ctxt)
3451 {
3452 ctxt->dst.type = OP_REG;
3453 ctxt->dst.bytes = ctxt->src.bytes;
3454 ctxt->dst.addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
3455 ctxt->dst.val = ~((ctxt->src.val >> (ctxt->src.bytes * 8 - 1)) - 1);
3456
3457 return X86EMUL_CONTINUE;
3458 }
3459
3460 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
3461 {
3462 u64 tsc = 0;
3463
3464 ctxt->ops->get_msr(ctxt, MSR_IA32_TSC, &tsc);
3465 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)tsc;
3466 *reg_write(ctxt, VCPU_REGS_RDX) = tsc >> 32;
3467 return X86EMUL_CONTINUE;
3468 }
3469
3470 static int em_rdpmc(struct x86_emulate_ctxt *ctxt)
3471 {
3472 u64 pmc;
3473
3474 if (ctxt->ops->read_pmc(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &pmc))
3475 return emulate_gp(ctxt, 0);
3476 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)pmc;
3477 *reg_write(ctxt, VCPU_REGS_RDX) = pmc >> 32;
3478 return X86EMUL_CONTINUE;
3479 }
3480
3481 static int em_mov(struct x86_emulate_ctxt *ctxt)
3482 {
3483 memcpy(ctxt->dst.valptr, ctxt->src.valptr, sizeof(ctxt->src.valptr));
3484 return X86EMUL_CONTINUE;
3485 }
3486
3487 #define FFL(x) bit(X86_FEATURE_##x)
3488
3489 static int em_movbe(struct x86_emulate_ctxt *ctxt)
3490 {
3491 u32 ebx, ecx, edx, eax = 1;
3492 u16 tmp;
3493
3494 /*
3495 * Check MOVBE is set in the guest-visible CPUID leaf.
3496 */
3497 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
3498 if (!(ecx & FFL(MOVBE)))
3499 return emulate_ud(ctxt);
3500
3501 switch (ctxt->op_bytes) {
3502 case 2:
3503 /*
3504 * From MOVBE definition: "...When the operand size is 16 bits,
3505 * the upper word of the destination register remains unchanged
3506 * ..."
3507 *
3508 * Both casting ->valptr and ->val to u16 breaks strict aliasing
3509 * rules so we have to do the operation almost per hand.
3510 */
3511 tmp = (u16)ctxt->src.val;
3512 ctxt->dst.val &= ~0xffffUL;
3513 ctxt->dst.val |= (unsigned long)swab16(tmp);
3514 break;
3515 case 4:
3516 ctxt->dst.val = swab32((u32)ctxt->src.val);
3517 break;
3518 case 8:
3519 ctxt->dst.val = swab64(ctxt->src.val);
3520 break;
3521 default:
3522 BUG();
3523 }
3524 return X86EMUL_CONTINUE;
3525 }
3526
3527 static int em_cr_write(struct x86_emulate_ctxt *ctxt)
3528 {
3529 if (ctxt->ops->set_cr(ctxt, ctxt->modrm_reg, ctxt->src.val))
3530 return emulate_gp(ctxt, 0);
3531
3532 /* Disable writeback. */
3533 ctxt->dst.type = OP_NONE;
3534 return X86EMUL_CONTINUE;
3535 }
3536
3537 static int em_dr_write(struct x86_emulate_ctxt *ctxt)
3538 {
3539 unsigned long val;
3540
3541 if (ctxt->mode == X86EMUL_MODE_PROT64)
3542 val = ctxt->src.val & ~0ULL;
3543 else
3544 val = ctxt->src.val & ~0U;
3545
3546 /* #UD condition is already handled. */
3547 if (ctxt->ops->set_dr(ctxt, ctxt->modrm_reg, val) < 0)
3548 return emulate_gp(ctxt, 0);
3549
3550 /* Disable writeback. */
3551 ctxt->dst.type = OP_NONE;
3552 return X86EMUL_CONTINUE;
3553 }
3554
3555 static int em_wrmsr(struct x86_emulate_ctxt *ctxt)
3556 {
3557 u64 msr_data;
3558
3559 msr_data = (u32)reg_read(ctxt, VCPU_REGS_RAX)
3560 | ((u64)reg_read(ctxt, VCPU_REGS_RDX) << 32);
3561 if (ctxt->ops->set_msr(ctxt, reg_read(ctxt, VCPU_REGS_RCX), msr_data))
3562 return emulate_gp(ctxt, 0);
3563
3564 return X86EMUL_CONTINUE;
3565 }
3566
3567 static int em_rdmsr(struct x86_emulate_ctxt *ctxt)
3568 {
3569 u64 msr_data;
3570
3571 if (ctxt->ops->get_msr(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &msr_data))
3572 return emulate_gp(ctxt, 0);
3573
3574 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)msr_data;
3575 *reg_write(ctxt, VCPU_REGS_RDX) = msr_data >> 32;
3576 return X86EMUL_CONTINUE;
3577 }
3578
3579 static int em_mov_rm_sreg(struct x86_emulate_ctxt *ctxt)
3580 {
3581 if (ctxt->modrm_reg > VCPU_SREG_GS)
3582 return emulate_ud(ctxt);
3583
3584 ctxt->dst.val = get_segment_selector(ctxt, ctxt->modrm_reg);
3585 if (ctxt->dst.bytes == 4 && ctxt->dst.type == OP_MEM)
3586 ctxt->dst.bytes = 2;
3587 return X86EMUL_CONTINUE;
3588 }
3589
3590 static int em_mov_sreg_rm(struct x86_emulate_ctxt *ctxt)
3591 {
3592 u16 sel = ctxt->src.val;
3593
3594 if (ctxt->modrm_reg == VCPU_SREG_CS || ctxt->modrm_reg > VCPU_SREG_GS)
3595 return emulate_ud(ctxt);
3596
3597 if (ctxt->modrm_reg == VCPU_SREG_SS)
3598 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3599
3600 /* Disable writeback. */
3601 ctxt->dst.type = OP_NONE;
3602 return load_segment_descriptor(ctxt, sel, ctxt->modrm_reg);
3603 }
3604
3605 static int em_lldt(struct x86_emulate_ctxt *ctxt)
3606 {
3607 u16 sel = ctxt->src.val;
3608
3609 /* Disable writeback. */
3610 ctxt->dst.type = OP_NONE;
3611 return load_segment_descriptor(ctxt, sel, VCPU_SREG_LDTR);
3612 }
3613
3614 static int em_ltr(struct x86_emulate_ctxt *ctxt)
3615 {
3616 u16 sel = ctxt->src.val;
3617
3618 /* Disable writeback. */
3619 ctxt->dst.type = OP_NONE;
3620 return load_segment_descriptor(ctxt, sel, VCPU_SREG_TR);
3621 }
3622
3623 static int em_invlpg(struct x86_emulate_ctxt *ctxt)
3624 {
3625 int rc;
3626 ulong linear;
3627
3628 rc = linearize(ctxt, ctxt->src.addr.mem, 1, false, &linear);
3629 if (rc == X86EMUL_CONTINUE)
3630 ctxt->ops->invlpg(ctxt, linear);
3631 /* Disable writeback. */
3632 ctxt->dst.type = OP_NONE;
3633 return X86EMUL_CONTINUE;
3634 }
3635
3636 static int em_clts(struct x86_emulate_ctxt *ctxt)
3637 {
3638 ulong cr0;
3639
3640 cr0 = ctxt->ops->get_cr(ctxt, 0);
3641 cr0 &= ~X86_CR0_TS;
3642 ctxt->ops->set_cr(ctxt, 0, cr0);
3643 return X86EMUL_CONTINUE;
3644 }
3645
3646 static int em_hypercall(struct x86_emulate_ctxt *ctxt)
3647 {
3648 int rc = ctxt->ops->fix_hypercall(ctxt);
3649
3650 if (rc != X86EMUL_CONTINUE)
3651 return rc;
3652
3653 /* Let the processor re-execute the fixed hypercall */
3654 ctxt->_eip = ctxt->eip;
3655 /* Disable writeback. */
3656 ctxt->dst.type = OP_NONE;
3657 return X86EMUL_CONTINUE;
3658 }
3659
3660 static int emulate_store_desc_ptr(struct x86_emulate_ctxt *ctxt,
3661 void (*get)(struct x86_emulate_ctxt *ctxt,
3662 struct desc_ptr *ptr))
3663 {
3664 struct desc_ptr desc_ptr;
3665
3666 if (ctxt->mode == X86EMUL_MODE_PROT64)
3667 ctxt->op_bytes = 8;
3668 get(ctxt, &desc_ptr);
3669 if (ctxt->op_bytes == 2) {
3670 ctxt->op_bytes = 4;
3671 desc_ptr.address &= 0x00ffffff;
3672 }
3673 /* Disable writeback. */
3674 ctxt->dst.type = OP_NONE;
3675 return segmented_write(ctxt, ctxt->dst.addr.mem,
3676 &desc_ptr, 2 + ctxt->op_bytes);
3677 }
3678
3679 static int em_sgdt(struct x86_emulate_ctxt *ctxt)
3680 {
3681 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_gdt);
3682 }
3683
3684 static int em_sidt(struct x86_emulate_ctxt *ctxt)
3685 {
3686 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_idt);
3687 }
3688
3689 static int em_lgdt_lidt(struct x86_emulate_ctxt *ctxt, bool lgdt)
3690 {
3691 struct desc_ptr desc_ptr;
3692 int rc;
3693
3694 if (ctxt->mode == X86EMUL_MODE_PROT64)
3695 ctxt->op_bytes = 8;
3696 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
3697 &desc_ptr.size, &desc_ptr.address,
3698 ctxt->op_bytes);
3699 if (rc != X86EMUL_CONTINUE)
3700 return rc;
3701 if (ctxt->mode == X86EMUL_MODE_PROT64 &&
3702 is_noncanonical_address(desc_ptr.address))
3703 return emulate_gp(ctxt, 0);
3704 if (lgdt)
3705 ctxt->ops->set_gdt(ctxt, &desc_ptr);
3706 else
3707 ctxt->ops->set_idt(ctxt, &desc_ptr);
3708 /* Disable writeback. */
3709 ctxt->dst.type = OP_NONE;
3710 return X86EMUL_CONTINUE;
3711 }
3712
3713 static int em_lgdt(struct x86_emulate_ctxt *ctxt)
3714 {
3715 return em_lgdt_lidt(ctxt, true);
3716 }
3717
3718 static int em_lidt(struct x86_emulate_ctxt *ctxt)
3719 {
3720 return em_lgdt_lidt(ctxt, false);
3721 }
3722
3723 static int em_smsw(struct x86_emulate_ctxt *ctxt)
3724 {
3725 if (ctxt->dst.type == OP_MEM)
3726 ctxt->dst.bytes = 2;
3727 ctxt->dst.val = ctxt->ops->get_cr(ctxt, 0);
3728 return X86EMUL_CONTINUE;
3729 }
3730
3731 static int em_lmsw(struct x86_emulate_ctxt *ctxt)
3732 {
3733 ctxt->ops->set_cr(ctxt, 0, (ctxt->ops->get_cr(ctxt, 0) & ~0x0eul)
3734 | (ctxt->src.val & 0x0f));
3735 ctxt->dst.type = OP_NONE;
3736 return X86EMUL_CONTINUE;
3737 }
3738
3739 static int em_loop(struct x86_emulate_ctxt *ctxt)
3740 {
3741 int rc = X86EMUL_CONTINUE;
3742
3743 register_address_increment(ctxt, VCPU_REGS_RCX, -1);
3744 if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) &&
3745 (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
3746 rc = jmp_rel(ctxt, ctxt->src.val);
3747
3748 return rc;
3749 }
3750
3751 static int em_jcxz(struct x86_emulate_ctxt *ctxt)
3752 {
3753 int rc = X86EMUL_CONTINUE;
3754
3755 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0)
3756 rc = jmp_rel(ctxt, ctxt->src.val);
3757
3758 return rc;
3759 }
3760
3761 static int em_in(struct x86_emulate_ctxt *ctxt)
3762 {
3763 if (!pio_in_emulated(ctxt, ctxt->dst.bytes, ctxt->src.val,
3764 &ctxt->dst.val))
3765 return X86EMUL_IO_NEEDED;
3766
3767 return X86EMUL_CONTINUE;
3768 }
3769
3770 static int em_out(struct x86_emulate_ctxt *ctxt)
3771 {
3772 ctxt->ops->pio_out_emulated(ctxt, ctxt->src.bytes, ctxt->dst.val,
3773 &ctxt->src.val, 1);
3774 /* Disable writeback. */
3775 ctxt->dst.type = OP_NONE;
3776 return X86EMUL_CONTINUE;
3777 }
3778
3779 static int em_cli(struct x86_emulate_ctxt *ctxt)
3780 {
3781 if (emulator_bad_iopl(ctxt))
3782 return emulate_gp(ctxt, 0);
3783
3784 ctxt->eflags &= ~X86_EFLAGS_IF;
3785 return X86EMUL_CONTINUE;
3786 }
3787
3788 static int em_sti(struct x86_emulate_ctxt *ctxt)
3789 {
3790 if (emulator_bad_iopl(ctxt))
3791 return emulate_gp(ctxt, 0);
3792
3793 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3794 ctxt->eflags |= X86_EFLAGS_IF;
3795 return X86EMUL_CONTINUE;
3796 }
3797
3798 static int em_cpuid(struct x86_emulate_ctxt *ctxt)
3799 {
3800 u32 eax, ebx, ecx, edx;
3801
3802 eax = reg_read(ctxt, VCPU_REGS_RAX);
3803 ecx = reg_read(ctxt, VCPU_REGS_RCX);
3804 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
3805 *reg_write(ctxt, VCPU_REGS_RAX) = eax;
3806 *reg_write(ctxt, VCPU_REGS_RBX) = ebx;
3807 *reg_write(ctxt, VCPU_REGS_RCX) = ecx;
3808 *reg_write(ctxt, VCPU_REGS_RDX) = edx;
3809 return X86EMUL_CONTINUE;
3810 }
3811
3812 static int em_sahf(struct x86_emulate_ctxt *ctxt)
3813 {
3814 u32 flags;
3815
3816 flags = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF | X86_EFLAGS_ZF |
3817 X86_EFLAGS_SF;
3818 flags &= *reg_rmw(ctxt, VCPU_REGS_RAX) >> 8;
3819
3820 ctxt->eflags &= ~0xffUL;
3821 ctxt->eflags |= flags | X86_EFLAGS_FIXED;
3822 return X86EMUL_CONTINUE;
3823 }
3824
3825 static int em_lahf(struct x86_emulate_ctxt *ctxt)
3826 {
3827 *reg_rmw(ctxt, VCPU_REGS_RAX) &= ~0xff00UL;
3828 *reg_rmw(ctxt, VCPU_REGS_RAX) |= (ctxt->eflags & 0xff) << 8;
3829 return X86EMUL_CONTINUE;
3830 }
3831
3832 static int em_bswap(struct x86_emulate_ctxt *ctxt)
3833 {
3834 switch (ctxt->op_bytes) {
3835 #ifdef CONFIG_X86_64
3836 case 8:
3837 asm("bswap %0" : "+r"(ctxt->dst.val));
3838 break;
3839 #endif
3840 default:
3841 asm("bswap %0" : "+r"(*(u32 *)&ctxt->dst.val));
3842 break;
3843 }
3844 return X86EMUL_CONTINUE;
3845 }
3846
3847 static int em_clflush(struct x86_emulate_ctxt *ctxt)
3848 {
3849 /* emulating clflush regardless of cpuid */
3850 return X86EMUL_CONTINUE;
3851 }
3852
3853 static int em_movsxd(struct x86_emulate_ctxt *ctxt)
3854 {
3855 ctxt->dst.val = (s32) ctxt->src.val;
3856 return X86EMUL_CONTINUE;
3857 }
3858
3859 static bool valid_cr(int nr)
3860 {
3861 switch (nr) {
3862 case 0:
3863 case 2 ... 4:
3864 case 8:
3865 return true;
3866 default:
3867 return false;
3868 }
3869 }
3870
3871 static int check_cr_read(struct x86_emulate_ctxt *ctxt)
3872 {
3873 if (!valid_cr(ctxt->modrm_reg))
3874 return emulate_ud(ctxt);
3875
3876 return X86EMUL_CONTINUE;
3877 }
3878
3879 static int check_cr_write(struct x86_emulate_ctxt *ctxt)
3880 {
3881 u64 new_val = ctxt->src.val64;
3882 int cr = ctxt->modrm_reg;
3883 u64 efer = 0;
3884
3885 static u64 cr_reserved_bits[] = {
3886 0xffffffff00000000ULL,
3887 0, 0, 0, /* CR3 checked later */
3888 CR4_RESERVED_BITS,
3889 0, 0, 0,
3890 CR8_RESERVED_BITS,
3891 };
3892
3893 if (!valid_cr(cr))
3894 return emulate_ud(ctxt);
3895
3896 if (new_val & cr_reserved_bits[cr])
3897 return emulate_gp(ctxt, 0);
3898
3899 switch (cr) {
3900 case 0: {
3901 u64 cr4;
3902 if (((new_val & X86_CR0_PG) && !(new_val & X86_CR0_PE)) ||
3903 ((new_val & X86_CR0_NW) && !(new_val & X86_CR0_CD)))
3904 return emulate_gp(ctxt, 0);
3905
3906 cr4 = ctxt->ops->get_cr(ctxt, 4);
3907 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3908
3909 if ((new_val & X86_CR0_PG) && (efer & EFER_LME) &&
3910 !(cr4 & X86_CR4_PAE))
3911 return emulate_gp(ctxt, 0);
3912
3913 break;
3914 }
3915 case 3: {
3916 u64 rsvd = 0;
3917
3918 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3919 if (efer & EFER_LMA)
3920 rsvd = CR3_L_MODE_RESERVED_BITS & ~CR3_PCID_INVD;
3921
3922 if (new_val & rsvd)
3923 return emulate_gp(ctxt, 0);
3924
3925 break;
3926 }
3927 case 4: {
3928 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3929
3930 if ((efer & EFER_LMA) && !(new_val & X86_CR4_PAE))
3931 return emulate_gp(ctxt, 0);
3932
3933 break;
3934 }
3935 }
3936
3937 return X86EMUL_CONTINUE;
3938 }
3939
3940 static int check_dr7_gd(struct x86_emulate_ctxt *ctxt)
3941 {
3942 unsigned long dr7;
3943
3944 ctxt->ops->get_dr(ctxt, 7, &dr7);
3945
3946 /* Check if DR7.Global_Enable is set */
3947 return dr7 & (1 << 13);
3948 }
3949
3950 static int check_dr_read(struct x86_emulate_ctxt *ctxt)
3951 {
3952 int dr = ctxt->modrm_reg;
3953 u64 cr4;
3954
3955 if (dr > 7)
3956 return emulate_ud(ctxt);
3957
3958 cr4 = ctxt->ops->get_cr(ctxt, 4);
3959 if ((cr4 & X86_CR4_DE) && (dr == 4 || dr == 5))
3960 return emulate_ud(ctxt);
3961
3962 if (check_dr7_gd(ctxt)) {
3963 ulong dr6;
3964
3965 ctxt->ops->get_dr(ctxt, 6, &dr6);
3966 dr6 &= ~15;
3967 dr6 |= DR6_BD | DR6_RTM;
3968 ctxt->ops->set_dr(ctxt, 6, dr6);
3969 return emulate_db(ctxt);
3970 }
3971
3972 return X86EMUL_CONTINUE;
3973 }
3974
3975 static int check_dr_write(struct x86_emulate_ctxt *ctxt)
3976 {
3977 u64 new_val = ctxt->src.val64;
3978 int dr = ctxt->modrm_reg;
3979
3980 if ((dr == 6 || dr == 7) && (new_val & 0xffffffff00000000ULL))
3981 return emulate_gp(ctxt, 0);
3982
3983 return check_dr_read(ctxt);
3984 }
3985
3986 static int check_svme(struct x86_emulate_ctxt *ctxt)
3987 {
3988 u64 efer;
3989
3990 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3991
3992 if (!(efer & EFER_SVME))
3993 return emulate_ud(ctxt);
3994
3995 return X86EMUL_CONTINUE;
3996 }
3997
3998 static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
3999 {
4000 u64 rax = reg_read(ctxt, VCPU_REGS_RAX);
4001
4002 /* Valid physical address? */
4003 if (rax & 0xffff000000000000ULL)
4004 return emulate_gp(ctxt, 0);
4005
4006 return check_svme(ctxt);
4007 }
4008
4009 static int check_rdtsc(struct x86_emulate_ctxt *ctxt)
4010 {
4011 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
4012
4013 if (cr4 & X86_CR4_TSD && ctxt->ops->cpl(ctxt))
4014 return emulate_ud(ctxt);
4015
4016 return X86EMUL_CONTINUE;
4017 }
4018
4019 static int check_rdpmc(struct x86_emulate_ctxt *ctxt)
4020 {
4021 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
4022 u64 rcx = reg_read(ctxt, VCPU_REGS_RCX);
4023
4024 if ((!(cr4 & X86_CR4_PCE) && ctxt->ops->cpl(ctxt)) ||
4025 ctxt->ops->check_pmc(ctxt, rcx))
4026 return emulate_gp(ctxt, 0);
4027
4028 return X86EMUL_CONTINUE;
4029 }
4030
4031 static int check_perm_in(struct x86_emulate_ctxt *ctxt)
4032 {
4033 ctxt->dst.bytes = min(ctxt->dst.bytes, 4u);
4034 if (!emulator_io_permited(ctxt, ctxt->src.val, ctxt->dst.bytes))
4035 return emulate_gp(ctxt, 0);
4036
4037 return X86EMUL_CONTINUE;
4038 }
4039
4040 static int check_perm_out(struct x86_emulate_ctxt *ctxt)
4041 {
4042 ctxt->src.bytes = min(ctxt->src.bytes, 4u);
4043 if (!emulator_io_permited(ctxt, ctxt->dst.val, ctxt->src.bytes))
4044 return emulate_gp(ctxt, 0);
4045
4046 return X86EMUL_CONTINUE;
4047 }
4048
4049 #define D(_y) { .flags = (_y) }
4050 #define DI(_y, _i) { .flags = (_y)|Intercept, .intercept = x86_intercept_##_i }
4051 #define DIP(_y, _i, _p) { .flags = (_y)|Intercept|CheckPerm, \
4052 .intercept = x86_intercept_##_i, .check_perm = (_p) }
4053 #define N D(NotImpl)
4054 #define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
4055 #define G(_f, _g) { .flags = ((_f) | Group | ModRM), .u.group = (_g) }
4056 #define GD(_f, _g) { .flags = ((_f) | GroupDual | ModRM), .u.gdual = (_g) }
4057 #define ID(_f, _i) { .flags = ((_f) | InstrDual | ModRM), .u.idual = (_i) }
4058 #define MD(_f, _m) { .flags = ((_f) | ModeDual), .u.mdual = (_m) }
4059 #define E(_f, _e) { .flags = ((_f) | Escape | ModRM), .u.esc = (_e) }
4060 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
4061 #define F(_f, _e) { .flags = (_f) | Fastop, .u.fastop = (_e) }
4062 #define II(_f, _e, _i) \
4063 { .flags = (_f)|Intercept, .u.execute = (_e), .intercept = x86_intercept_##_i }
4064 #define IIP(_f, _e, _i, _p) \
4065 { .flags = (_f)|Intercept|CheckPerm, .u.execute = (_e), \
4066 .intercept = x86_intercept_##_i, .check_perm = (_p) }
4067 #define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
4068
4069 #define D2bv(_f) D((_f) | ByteOp), D(_f)
4070 #define D2bvIP(_f, _i, _p) DIP((_f) | ByteOp, _i, _p), DIP(_f, _i, _p)
4071 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
4072 #define F2bv(_f, _e) F((_f) | ByteOp, _e), F(_f, _e)
4073 #define I2bvIP(_f, _e, _i, _p) \
4074 IIP((_f) | ByteOp, _e, _i, _p), IIP(_f, _e, _i, _p)
4075
4076 #define F6ALU(_f, _e) F2bv((_f) | DstMem | SrcReg | ModRM, _e), \
4077 F2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock, _e), \
4078 F2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)
4079
4080 static const struct opcode group7_rm0[] = {
4081 N,
4082 I(SrcNone | Priv | EmulateOnUD, em_hypercall),
4083 N, N, N, N, N, N,
4084 };
4085
4086 static const struct opcode group7_rm1[] = {
4087 DI(SrcNone | Priv, monitor),
4088 DI(SrcNone | Priv, mwait),
4089 N, N, N, N, N, N,
4090 };
4091
4092 static const struct opcode group7_rm3[] = {
4093 DIP(SrcNone | Prot | Priv, vmrun, check_svme_pa),
4094 II(SrcNone | Prot | EmulateOnUD, em_hypercall, vmmcall),
4095 DIP(SrcNone | Prot | Priv, vmload, check_svme_pa),
4096 DIP(SrcNone | Prot | Priv, vmsave, check_svme_pa),
4097 DIP(SrcNone | Prot | Priv, stgi, check_svme),
4098 DIP(SrcNone | Prot | Priv, clgi, check_svme),
4099 DIP(SrcNone | Prot | Priv, skinit, check_svme),
4100 DIP(SrcNone | Prot | Priv, invlpga, check_svme),
4101 };
4102
4103 static const struct opcode group7_rm7[] = {
4104 N,
4105 DIP(SrcNone, rdtscp, check_rdtsc),
4106 N, N, N, N, N, N,
4107 };
4108
4109 static const struct opcode group1[] = {
4110 F(Lock, em_add),
4111 F(Lock | PageTable, em_or),
4112 F(Lock, em_adc),
4113 F(Lock, em_sbb),
4114 F(Lock | PageTable, em_and),
4115 F(Lock, em_sub),
4116 F(Lock, em_xor),
4117 F(NoWrite, em_cmp),
4118 };
4119
4120 static const struct opcode group1A[] = {
4121 I(DstMem | SrcNone | Mov | Stack | IncSP, em_pop), N, N, N, N, N, N, N,
4122 };
4123
4124 static const struct opcode group2[] = {
4125 F(DstMem | ModRM, em_rol),
4126 F(DstMem | ModRM, em_ror),
4127 F(DstMem | ModRM, em_rcl),
4128 F(DstMem | ModRM, em_rcr),
4129 F(DstMem | ModRM, em_shl),
4130 F(DstMem | ModRM, em_shr),
4131 F(DstMem | ModRM, em_shl),
4132 F(DstMem | ModRM, em_sar),
4133 };
4134
4135 static const struct opcode group3[] = {
4136 F(DstMem | SrcImm | NoWrite, em_test),
4137 F(DstMem | SrcImm | NoWrite, em_test),
4138 F(DstMem | SrcNone | Lock, em_not),
4139 F(DstMem | SrcNone | Lock, em_neg),
4140 F(DstXacc | Src2Mem, em_mul_ex),
4141 F(DstXacc | Src2Mem, em_imul_ex),
4142 F(DstXacc | Src2Mem, em_div_ex),
4143 F(DstXacc | Src2Mem, em_idiv_ex),
4144 };
4145
4146 static const struct opcode group4[] = {
4147 F(ByteOp | DstMem | SrcNone | Lock, em_inc),
4148 F(ByteOp | DstMem | SrcNone | Lock, em_dec),
4149 N, N, N, N, N, N,
4150 };
4151
4152 static const struct opcode group5[] = {
4153 F(DstMem | SrcNone | Lock, em_inc),
4154 F(DstMem | SrcNone | Lock, em_dec),
4155 I(SrcMem | NearBranch, em_call_near_abs),
4156 I(SrcMemFAddr | ImplicitOps, em_call_far),
4157 I(SrcMem | NearBranch, em_jmp_abs),
4158 I(SrcMemFAddr | ImplicitOps, em_jmp_far),
4159 I(SrcMem | Stack, em_push), D(Undefined),
4160 };
4161
4162 static const struct opcode group6[] = {
4163 DI(Prot | DstMem, sldt),
4164 DI(Prot | DstMem, str),
4165 II(Prot | Priv | SrcMem16, em_lldt, lldt),
4166 II(Prot | Priv | SrcMem16, em_ltr, ltr),
4167 N, N, N, N,
4168 };
4169
4170 static const struct group_dual group7 = { {
4171 II(Mov | DstMem, em_sgdt, sgdt),
4172 II(Mov | DstMem, em_sidt, sidt),
4173 II(SrcMem | Priv, em_lgdt, lgdt),
4174 II(SrcMem | Priv, em_lidt, lidt),
4175 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
4176 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
4177 II(SrcMem | ByteOp | Priv | NoAccess, em_invlpg, invlpg),
4178 }, {
4179 EXT(0, group7_rm0),
4180 EXT(0, group7_rm1),
4181 N, EXT(0, group7_rm3),
4182 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
4183 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
4184 EXT(0, group7_rm7),
4185 } };
4186
4187 static const struct opcode group8[] = {
4188 N, N, N, N,
4189 F(DstMem | SrcImmByte | NoWrite, em_bt),
4190 F(DstMem | SrcImmByte | Lock | PageTable, em_bts),
4191 F(DstMem | SrcImmByte | Lock, em_btr),
4192 F(DstMem | SrcImmByte | Lock | PageTable, em_btc),
4193 };
4194
4195 static const struct group_dual group9 = { {
4196 N, I(DstMem64 | Lock | PageTable, em_cmpxchg8b), N, N, N, N, N, N,
4197 }, {
4198 N, N, N, N, N, N, N, N,
4199 } };
4200
4201 static const struct opcode group11[] = {
4202 I(DstMem | SrcImm | Mov | PageTable, em_mov),
4203 X7(D(Undefined)),
4204 };
4205
4206 static const struct gprefix pfx_0f_ae_7 = {
4207 I(SrcMem | ByteOp, em_clflush), N, N, N,
4208 };
4209
4210 static const struct group_dual group15 = { {
4211 N, N, N, N, N, N, N, GP(0, &pfx_0f_ae_7),
4212 }, {
4213 N, N, N, N, N, N, N, N,
4214 } };
4215
4216 static const struct gprefix pfx_0f_6f_0f_7f = {
4217 I(Mmx, em_mov), I(Sse | Aligned, em_mov), N, I(Sse | Unaligned, em_mov),
4218 };
4219
4220 static const struct instr_dual instr_dual_0f_2b = {
4221 I(0, em_mov), N
4222 };
4223
4224 static const struct gprefix pfx_0f_2b = {
4225 ID(0, &instr_dual_0f_2b), ID(0, &instr_dual_0f_2b), N, N,
4226 };
4227
4228 static const struct gprefix pfx_0f_28_0f_29 = {
4229 I(Aligned, em_mov), I(Aligned, em_mov), N, N,
4230 };
4231
4232 static const struct gprefix pfx_0f_e7 = {
4233 N, I(Sse, em_mov), N, N,
4234 };
4235
4236 static const struct escape escape_d9 = { {
4237 N, N, N, N, N, N, N, I(DstMem16 | Mov, em_fnstcw),
4238 }, {
4239 /* 0xC0 - 0xC7 */
4240 N, N, N, N, N, N, N, N,
4241 /* 0xC8 - 0xCF */
4242 N, N, N, N, N, N, N, N,
4243 /* 0xD0 - 0xC7 */
4244 N, N, N, N, N, N, N, N,
4245 /* 0xD8 - 0xDF */
4246 N, N, N, N, N, N, N, N,
4247 /* 0xE0 - 0xE7 */
4248 N, N, N, N, N, N, N, N,
4249 /* 0xE8 - 0xEF */
4250 N, N, N, N, N, N, N, N,
4251 /* 0xF0 - 0xF7 */
4252 N, N, N, N, N, N, N, N,
4253 /* 0xF8 - 0xFF */
4254 N, N, N, N, N, N, N, N,
4255 } };
4256
4257 static const struct escape escape_db = { {
4258 N, N, N, N, N, N, N, N,
4259 }, {
4260 /* 0xC0 - 0xC7 */
4261 N, N, N, N, N, N, N, N,
4262 /* 0xC8 - 0xCF */
4263 N, N, N, N, N, N, N, N,
4264 /* 0xD0 - 0xC7 */
4265 N, N, N, N, N, N, N, N,
4266 /* 0xD8 - 0xDF */
4267 N, N, N, N, N, N, N, N,
4268 /* 0xE0 - 0xE7 */
4269 N, N, N, I(ImplicitOps, em_fninit), N, N, N, N,
4270 /* 0xE8 - 0xEF */
4271 N, N, N, N, N, N, N, N,
4272 /* 0xF0 - 0xF7 */
4273 N, N, N, N, N, N, N, N,
4274 /* 0xF8 - 0xFF */
4275 N, N, N, N, N, N, N, N,
4276 } };
4277
4278 static const struct escape escape_dd = { {
4279 N, N, N, N, N, N, N, I(DstMem16 | Mov, em_fnstsw),
4280 }, {
4281 /* 0xC0 - 0xC7 */
4282 N, N, N, N, N, N, N, N,
4283 /* 0xC8 - 0xCF */
4284 N, N, N, N, N, N, N, N,
4285 /* 0xD0 - 0xC7 */
4286 N, N, N, N, N, N, N, N,
4287 /* 0xD8 - 0xDF */
4288 N, N, N, N, N, N, N, N,
4289 /* 0xE0 - 0xE7 */
4290 N, N, N, N, N, N, N, N,
4291 /* 0xE8 - 0xEF */
4292 N, N, N, N, N, N, N, N,
4293 /* 0xF0 - 0xF7 */
4294 N, N, N, N, N, N, N, N,
4295 /* 0xF8 - 0xFF */
4296 N, N, N, N, N, N, N, N,
4297 } };
4298
4299 static const struct instr_dual instr_dual_0f_c3 = {
4300 I(DstMem | SrcReg | ModRM | No16 | Mov, em_mov), N
4301 };
4302
4303 static const struct mode_dual mode_dual_63 = {
4304 N, I(DstReg | SrcMem32 | ModRM | Mov, em_movsxd)
4305 };
4306
4307 static const struct opcode opcode_table[256] = {
4308 /* 0x00 - 0x07 */
4309 F6ALU(Lock, em_add),
4310 I(ImplicitOps | Stack | No64 | Src2ES, em_push_sreg),
4311 I(ImplicitOps | Stack | No64 | Src2ES, em_pop_sreg),
4312 /* 0x08 - 0x0F */
4313 F6ALU(Lock | PageTable, em_or),
4314 I(ImplicitOps | Stack | No64 | Src2CS, em_push_sreg),
4315 N,
4316 /* 0x10 - 0x17 */
4317 F6ALU(Lock, em_adc),
4318 I(ImplicitOps | Stack | No64 | Src2SS, em_push_sreg),
4319 I(ImplicitOps | Stack | No64 | Src2SS, em_pop_sreg),
4320 /* 0x18 - 0x1F */
4321 F6ALU(Lock, em_sbb),
4322 I(ImplicitOps | Stack | No64 | Src2DS, em_push_sreg),
4323 I(ImplicitOps | Stack | No64 | Src2DS, em_pop_sreg),
4324 /* 0x20 - 0x27 */
4325 F6ALU(Lock | PageTable, em_and), N, N,
4326 /* 0x28 - 0x2F */
4327 F6ALU(Lock, em_sub), N, I(ByteOp | DstAcc | No64, em_das),
4328 /* 0x30 - 0x37 */
4329 F6ALU(Lock, em_xor), N, N,
4330 /* 0x38 - 0x3F */
4331 F6ALU(NoWrite, em_cmp), N, N,
4332 /* 0x40 - 0x4F */
4333 X8(F(DstReg, em_inc)), X8(F(DstReg, em_dec)),
4334 /* 0x50 - 0x57 */
4335 X8(I(SrcReg | Stack, em_push)),
4336 /* 0x58 - 0x5F */
4337 X8(I(DstReg | Stack, em_pop)),
4338 /* 0x60 - 0x67 */
4339 I(ImplicitOps | Stack | No64, em_pusha),
4340 I(ImplicitOps | Stack | No64, em_popa),
4341 N, MD(ModRM, &mode_dual_63),
4342 N, N, N, N,
4343 /* 0x68 - 0x6F */
4344 I(SrcImm | Mov | Stack, em_push),
4345 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
4346 I(SrcImmByte | Mov | Stack, em_push),
4347 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
4348 I2bvIP(DstDI | SrcDX | Mov | String | Unaligned, em_in, ins, check_perm_in), /* insb, insw/insd */
4349 I2bvIP(SrcSI | DstDX | String, em_out, outs, check_perm_out), /* outsb, outsw/outsd */
4350 /* 0x70 - 0x7F */
4351 X16(D(SrcImmByte | NearBranch)),
4352 /* 0x80 - 0x87 */
4353 G(ByteOp | DstMem | SrcImm, group1),
4354 G(DstMem | SrcImm, group1),
4355 G(ByteOp | DstMem | SrcImm | No64, group1),
4356 G(DstMem | SrcImmByte, group1),
4357 F2bv(DstMem | SrcReg | ModRM | NoWrite, em_test),
4358 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_xchg),
4359 /* 0x88 - 0x8F */
4360 I2bv(DstMem | SrcReg | ModRM | Mov | PageTable, em_mov),
4361 I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
4362 I(DstMem | SrcNone | ModRM | Mov | PageTable, em_mov_rm_sreg),
4363 D(ModRM | SrcMem | NoAccess | DstReg),
4364 I(ImplicitOps | SrcMem16 | ModRM, em_mov_sreg_rm),
4365 G(0, group1A),
4366 /* 0x90 - 0x97 */
4367 DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)),
4368 /* 0x98 - 0x9F */
4369 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
4370 I(SrcImmFAddr | No64, em_call_far), N,
4371 II(ImplicitOps | Stack, em_pushf, pushf),
4372 II(ImplicitOps | Stack, em_popf, popf),
4373 I(ImplicitOps, em_sahf), I(ImplicitOps, em_lahf),
4374 /* 0xA0 - 0xA7 */
4375 I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
4376 I2bv(DstMem | SrcAcc | Mov | MemAbs | PageTable, em_mov),
4377 I2bv(SrcSI | DstDI | Mov | String, em_mov),
4378 F2bv(SrcSI | DstDI | String | NoWrite, em_cmp_r),
4379 /* 0xA8 - 0xAF */
4380 F2bv(DstAcc | SrcImm | NoWrite, em_test),
4381 I2bv(SrcAcc | DstDI | Mov | String, em_mov),
4382 I2bv(SrcSI | DstAcc | Mov | String, em_mov),
4383 F2bv(SrcAcc | DstDI | String | NoWrite, em_cmp_r),
4384 /* 0xB0 - 0xB7 */
4385 X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
4386 /* 0xB8 - 0xBF */
4387 X8(I(DstReg | SrcImm64 | Mov, em_mov)),
4388 /* 0xC0 - 0xC7 */
4389 G(ByteOp | Src2ImmByte, group2), G(Src2ImmByte, group2),
4390 I(ImplicitOps | NearBranch | SrcImmU16, em_ret_near_imm),
4391 I(ImplicitOps | NearBranch, em_ret),
4392 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2ES, em_lseg),
4393 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2DS, em_lseg),
4394 G(ByteOp, group11), G(0, group11),
4395 /* 0xC8 - 0xCF */
4396 I(Stack | SrcImmU16 | Src2ImmByte, em_enter), I(Stack, em_leave),
4397 I(ImplicitOps | SrcImmU16, em_ret_far_imm),
4398 I(ImplicitOps, em_ret_far),
4399 D(ImplicitOps), DI(SrcImmByte, intn),
4400 D(ImplicitOps | No64), II(ImplicitOps, em_iret, iret),
4401 /* 0xD0 - 0xD7 */
4402 G(Src2One | ByteOp, group2), G(Src2One, group2),
4403 G(Src2CL | ByteOp, group2), G(Src2CL, group2),
4404 I(DstAcc | SrcImmUByte | No64, em_aam),
4405 I(DstAcc | SrcImmUByte | No64, em_aad),
4406 F(DstAcc | ByteOp | No64, em_salc),
4407 I(DstAcc | SrcXLat | ByteOp, em_mov),
4408 /* 0xD8 - 0xDF */
4409 N, E(0, &escape_d9), N, E(0, &escape_db), N, E(0, &escape_dd), N, N,
4410 /* 0xE0 - 0xE7 */
4411 X3(I(SrcImmByte | NearBranch, em_loop)),
4412 I(SrcImmByte | NearBranch, em_jcxz),
4413 I2bvIP(SrcImmUByte | DstAcc, em_in, in, check_perm_in),
4414 I2bvIP(SrcAcc | DstImmUByte, em_out, out, check_perm_out),
4415 /* 0xE8 - 0xEF */
4416 I(SrcImm | NearBranch, em_call), D(SrcImm | ImplicitOps | NearBranch),
4417 I(SrcImmFAddr | No64, em_jmp_far),
4418 D(SrcImmByte | ImplicitOps | NearBranch),
4419 I2bvIP(SrcDX | DstAcc, em_in, in, check_perm_in),
4420 I2bvIP(SrcAcc | DstDX, em_out, out, check_perm_out),
4421 /* 0xF0 - 0xF7 */
4422 N, DI(ImplicitOps, icebp), N, N,
4423 DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
4424 G(ByteOp, group3), G(0, group3),
4425 /* 0xF8 - 0xFF */
4426 D(ImplicitOps), D(ImplicitOps),
4427 I(ImplicitOps, em_cli), I(ImplicitOps, em_sti),
4428 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
4429 };
4430
4431 static const struct opcode twobyte_table[256] = {
4432 /* 0x00 - 0x0F */
4433 G(0, group6), GD(0, &group7), N, N,
4434 N, I(ImplicitOps | EmulateOnUD, em_syscall),
4435 II(ImplicitOps | Priv, em_clts, clts), N,
4436 DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
4437 N, D(ImplicitOps | ModRM | SrcMem | NoAccess), N, N,
4438 /* 0x10 - 0x1F */
4439 N, N, N, N, N, N, N, N,
4440 D(ImplicitOps | ModRM | SrcMem | NoAccess),
4441 N, N, N, N, N, N, D(ImplicitOps | ModRM | SrcMem | NoAccess),
4442 /* 0x20 - 0x2F */
4443 DIP(ModRM | DstMem | Priv | Op3264 | NoMod, cr_read, check_cr_read),
4444 DIP(ModRM | DstMem | Priv | Op3264 | NoMod, dr_read, check_dr_read),
4445 IIP(ModRM | SrcMem | Priv | Op3264 | NoMod, em_cr_write, cr_write,
4446 check_cr_write),
4447 IIP(ModRM | SrcMem | Priv | Op3264 | NoMod, em_dr_write, dr_write,
4448 check_dr_write),
4449 N, N, N, N,
4450 GP(ModRM | DstReg | SrcMem | Mov | Sse, &pfx_0f_28_0f_29),
4451 GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_28_0f_29),
4452 N, GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_2b),
4453 N, N, N, N,
4454 /* 0x30 - 0x3F */
4455 II(ImplicitOps | Priv, em_wrmsr, wrmsr),
4456 IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
4457 II(ImplicitOps | Priv, em_rdmsr, rdmsr),
4458 IIP(ImplicitOps, em_rdpmc, rdpmc, check_rdpmc),
4459 I(ImplicitOps | EmulateOnUD, em_sysenter),
4460 I(ImplicitOps | Priv | EmulateOnUD, em_sysexit),
4461 N, N,
4462 N, N, N, N, N, N, N, N,
4463 /* 0x40 - 0x4F */
4464 X16(D(DstReg | SrcMem | ModRM)),
4465 /* 0x50 - 0x5F */
4466 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4467 /* 0x60 - 0x6F */
4468 N, N, N, N,
4469 N, N, N, N,
4470 N, N, N, N,
4471 N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
4472 /* 0x70 - 0x7F */
4473 N, N, N, N,
4474 N, N, N, N,
4475 N, N, N, N,
4476 N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
4477 /* 0x80 - 0x8F */
4478 X16(D(SrcImm | NearBranch)),
4479 /* 0x90 - 0x9F */
4480 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
4481 /* 0xA0 - 0xA7 */
4482 I(Stack | Src2FS, em_push_sreg), I(Stack | Src2FS, em_pop_sreg),
4483 II(ImplicitOps, em_cpuid, cpuid),
4484 F(DstMem | SrcReg | ModRM | BitOp | NoWrite, em_bt),
4485 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shld),
4486 F(DstMem | SrcReg | Src2CL | ModRM, em_shld), N, N,
4487 /* 0xA8 - 0xAF */
4488 I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg),
4489 II(EmulateOnUD | ImplicitOps, em_rsm, rsm),
4490 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
4491 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd),
4492 F(DstMem | SrcReg | Src2CL | ModRM, em_shrd),
4493 GD(0, &group15), F(DstReg | SrcMem | ModRM, em_imul),
4494 /* 0xB0 - 0xB7 */
4495 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable | SrcWrite, em_cmpxchg),
4496 I(DstReg | SrcMemFAddr | ModRM | Src2SS, em_lseg),
4497 F(DstMem | SrcReg | ModRM | BitOp | Lock, em_btr),
4498 I(DstReg | SrcMemFAddr | ModRM | Src2FS, em_lseg),
4499 I(DstReg | SrcMemFAddr | ModRM | Src2GS, em_lseg),
4500 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4501 /* 0xB8 - 0xBF */
4502 N, N,
4503 G(BitOp, group8),
4504 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_btc),
4505 I(DstReg | SrcMem | ModRM, em_bsf_c),
4506 I(DstReg | SrcMem | ModRM, em_bsr_c),
4507 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4508 /* 0xC0 - 0xC7 */
4509 F2bv(DstMem | SrcReg | ModRM | SrcWrite | Lock, em_xadd),
4510 N, ID(0, &instr_dual_0f_c3),
4511 N, N, N, GD(0, &group9),
4512 /* 0xC8 - 0xCF */
4513 X8(I(DstReg, em_bswap)),
4514 /* 0xD0 - 0xDF */
4515 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4516 /* 0xE0 - 0xEF */
4517 N, N, N, N, N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_e7),
4518 N, N, N, N, N, N, N, N,
4519 /* 0xF0 - 0xFF */
4520 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
4521 };
4522
4523 static const struct instr_dual instr_dual_0f_38_f0 = {
4524 I(DstReg | SrcMem | Mov, em_movbe), N
4525 };
4526
4527 static const struct instr_dual instr_dual_0f_38_f1 = {
4528 I(DstMem | SrcReg | Mov, em_movbe), N
4529 };
4530
4531 static const struct gprefix three_byte_0f_38_f0 = {
4532 ID(0, &instr_dual_0f_38_f0), N, N, N
4533 };
4534
4535 static const struct gprefix three_byte_0f_38_f1 = {
4536 ID(0, &instr_dual_0f_38_f1), N, N, N
4537 };
4538
4539 /*
4540 * Insns below are selected by the prefix which indexed by the third opcode
4541 * byte.
4542 */
4543 static const struct opcode opcode_map_0f_38[256] = {
4544 /* 0x00 - 0x7f */
4545 X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
4546 /* 0x80 - 0xef */
4547 X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
4548 /* 0xf0 - 0xf1 */
4549 GP(EmulateOnUD | ModRM, &three_byte_0f_38_f0),
4550 GP(EmulateOnUD | ModRM, &three_byte_0f_38_f1),
4551 /* 0xf2 - 0xff */
4552 N, N, X4(N), X8(N)
4553 };
4554
4555 #undef D
4556 #undef N
4557 #undef G
4558 #undef GD
4559 #undef I
4560 #undef GP
4561 #undef EXT
4562 #undef MD
4563 #undef ID
4564
4565 #undef D2bv
4566 #undef D2bvIP
4567 #undef I2bv
4568 #undef I2bvIP
4569 #undef I6ALU
4570
4571 static unsigned imm_size(struct x86_emulate_ctxt *ctxt)
4572 {
4573 unsigned size;
4574
4575 size = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4576 if (size == 8)
4577 size = 4;
4578 return size;
4579 }
4580
4581 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
4582 unsigned size, bool sign_extension)
4583 {
4584 int rc = X86EMUL_CONTINUE;
4585
4586 op->type = OP_IMM;
4587 op->bytes = size;
4588 op->addr.mem.ea = ctxt->_eip;
4589 /* NB. Immediates are sign-extended as necessary. */
4590 switch (op->bytes) {
4591 case 1:
4592 op->val = insn_fetch(s8, ctxt);
4593 break;
4594 case 2:
4595 op->val = insn_fetch(s16, ctxt);
4596 break;
4597 case 4:
4598 op->val = insn_fetch(s32, ctxt);
4599 break;
4600 case 8:
4601 op->val = insn_fetch(s64, ctxt);
4602 break;
4603 }
4604 if (!sign_extension) {
4605 switch (op->bytes) {
4606 case 1:
4607 op->val &= 0xff;
4608 break;
4609 case 2:
4610 op->val &= 0xffff;
4611 break;
4612 case 4:
4613 op->val &= 0xffffffff;
4614 break;
4615 }
4616 }
4617 done:
4618 return rc;
4619 }
4620
4621 static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
4622 unsigned d)
4623 {
4624 int rc = X86EMUL_CONTINUE;
4625
4626 switch (d) {
4627 case OpReg:
4628 decode_register_operand(ctxt, op);
4629 break;
4630 case OpImmUByte:
4631 rc = decode_imm(ctxt, op, 1, false);
4632 break;
4633 case OpMem:
4634 ctxt->memop.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4635 mem_common:
4636 *op = ctxt->memop;
4637 ctxt->memopp = op;
4638 if (ctxt->d & BitOp)
4639 fetch_bit_operand(ctxt);
4640 op->orig_val = op->val;
4641 break;
4642 case OpMem64:
4643 ctxt->memop.bytes = (ctxt->op_bytes == 8) ? 16 : 8;
4644 goto mem_common;
4645 case OpAcc:
4646 op->type = OP_REG;
4647 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4648 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4649 fetch_register_operand(op);
4650 op->orig_val = op->val;
4651 break;
4652 case OpAccLo:
4653 op->type = OP_REG;
4654 op->bytes = (ctxt->d & ByteOp) ? 2 : ctxt->op_bytes;
4655 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4656 fetch_register_operand(op);
4657 op->orig_val = op->val;
4658 break;
4659 case OpAccHi:
4660 if (ctxt->d & ByteOp) {
4661 op->type = OP_NONE;
4662 break;
4663 }
4664 op->type = OP_REG;
4665 op->bytes = ctxt->op_bytes;
4666 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4667 fetch_register_operand(op);
4668 op->orig_val = op->val;
4669 break;
4670 case OpDI:
4671 op->type = OP_MEM;
4672 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4673 op->addr.mem.ea =
4674 register_address(ctxt, VCPU_REGS_RDI);
4675 op->addr.mem.seg = VCPU_SREG_ES;
4676 op->val = 0;
4677 op->count = 1;
4678 break;
4679 case OpDX:
4680 op->type = OP_REG;
4681 op->bytes = 2;
4682 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4683 fetch_register_operand(op);
4684 break;
4685 case OpCL:
4686 op->type = OP_IMM;
4687 op->bytes = 1;
4688 op->val = reg_read(ctxt, VCPU_REGS_RCX) & 0xff;
4689 break;
4690 case OpImmByte:
4691 rc = decode_imm(ctxt, op, 1, true);
4692 break;
4693 case OpOne:
4694 op->type = OP_IMM;
4695 op->bytes = 1;
4696 op->val = 1;
4697 break;
4698 case OpImm:
4699 rc = decode_imm(ctxt, op, imm_size(ctxt), true);
4700 break;
4701 case OpImm64:
4702 rc = decode_imm(ctxt, op, ctxt->op_bytes, true);
4703 break;
4704 case OpMem8:
4705 ctxt->memop.bytes = 1;
4706 if (ctxt->memop.type == OP_REG) {
4707 ctxt->memop.addr.reg = decode_register(ctxt,
4708 ctxt->modrm_rm, true);
4709 fetch_register_operand(&ctxt->memop);
4710 }
4711 goto mem_common;
4712 case OpMem16:
4713 ctxt->memop.bytes = 2;
4714 goto mem_common;
4715 case OpMem32:
4716 ctxt->memop.bytes = 4;
4717 goto mem_common;
4718 case OpImmU16:
4719 rc = decode_imm(ctxt, op, 2, false);
4720 break;
4721 case OpImmU:
4722 rc = decode_imm(ctxt, op, imm_size(ctxt), false);
4723 break;
4724 case OpSI:
4725 op->type = OP_MEM;
4726 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4727 op->addr.mem.ea =
4728 register_address(ctxt, VCPU_REGS_RSI);
4729 op->addr.mem.seg = ctxt->seg_override;
4730 op->val = 0;
4731 op->count = 1;
4732 break;
4733 case OpXLat:
4734 op->type = OP_MEM;
4735 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4736 op->addr.mem.ea =
4737 address_mask(ctxt,
4738 reg_read(ctxt, VCPU_REGS_RBX) +
4739 (reg_read(ctxt, VCPU_REGS_RAX) & 0xff));
4740 op->addr.mem.seg = ctxt->seg_override;
4741 op->val = 0;
4742 break;
4743 case OpImmFAddr:
4744 op->type = OP_IMM;
4745 op->addr.mem.ea = ctxt->_eip;
4746 op->bytes = ctxt->op_bytes + 2;
4747 insn_fetch_arr(op->valptr, op->bytes, ctxt);
4748 break;
4749 case OpMemFAddr:
4750 ctxt->memop.bytes = ctxt->op_bytes + 2;
4751 goto mem_common;
4752 case OpES:
4753 op->type = OP_IMM;
4754 op->val = VCPU_SREG_ES;
4755 break;
4756 case OpCS:
4757 op->type = OP_IMM;
4758 op->val = VCPU_SREG_CS;
4759 break;
4760 case OpSS:
4761 op->type = OP_IMM;
4762 op->val = VCPU_SREG_SS;
4763 break;
4764 case OpDS:
4765 op->type = OP_IMM;
4766 op->val = VCPU_SREG_DS;
4767 break;
4768 case OpFS:
4769 op->type = OP_IMM;
4770 op->val = VCPU_SREG_FS;
4771 break;
4772 case OpGS:
4773 op->type = OP_IMM;
4774 op->val = VCPU_SREG_GS;
4775 break;
4776 case OpImplicit:
4777 /* Special instructions do their own operand decoding. */
4778 default:
4779 op->type = OP_NONE; /* Disable writeback. */
4780 break;
4781 }
4782
4783 done:
4784 return rc;
4785 }
4786
4787 int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
4788 {
4789 int rc = X86EMUL_CONTINUE;
4790 int mode = ctxt->mode;
4791 int def_op_bytes, def_ad_bytes, goffset, simd_prefix;
4792 bool op_prefix = false;
4793 bool has_seg_override = false;
4794 struct opcode opcode;
4795
4796 ctxt->memop.type = OP_NONE;
4797 ctxt->memopp = NULL;
4798 ctxt->_eip = ctxt->eip;
4799 ctxt->fetch.ptr = ctxt->fetch.data;
4800 ctxt->fetch.end = ctxt->fetch.data + insn_len;
4801 ctxt->opcode_len = 1;
4802 if (insn_len > 0)
4803 memcpy(ctxt->fetch.data, insn, insn_len);
4804 else {
4805 rc = __do_insn_fetch_bytes(ctxt, 1);
4806 if (rc != X86EMUL_CONTINUE)
4807 return rc;
4808 }
4809
4810 switch (mode) {
4811 case X86EMUL_MODE_REAL:
4812 case X86EMUL_MODE_VM86:
4813 case X86EMUL_MODE_PROT16:
4814 def_op_bytes = def_ad_bytes = 2;
4815 break;
4816 case X86EMUL_MODE_PROT32:
4817 def_op_bytes = def_ad_bytes = 4;
4818 break;
4819 #ifdef CONFIG_X86_64
4820 case X86EMUL_MODE_PROT64:
4821 def_op_bytes = 4;
4822 def_ad_bytes = 8;
4823 break;
4824 #endif
4825 default:
4826 return EMULATION_FAILED;
4827 }
4828
4829 ctxt->op_bytes = def_op_bytes;
4830 ctxt->ad_bytes = def_ad_bytes;
4831
4832 /* Legacy prefixes. */
4833 for (;;) {
4834 switch (ctxt->b = insn_fetch(u8, ctxt)) {
4835 case 0x66: /* operand-size override */
4836 op_prefix = true;
4837 /* switch between 2/4 bytes */
4838 ctxt->op_bytes = def_op_bytes ^ 6;
4839 break;
4840 case 0x67: /* address-size override */
4841 if (mode == X86EMUL_MODE_PROT64)
4842 /* switch between 4/8 bytes */
4843 ctxt->ad_bytes = def_ad_bytes ^ 12;
4844 else
4845 /* switch between 2/4 bytes */
4846 ctxt->ad_bytes = def_ad_bytes ^ 6;
4847 break;
4848 case 0x26: /* ES override */
4849 case 0x2e: /* CS override */
4850 case 0x36: /* SS override */
4851 case 0x3e: /* DS override */
4852 has_seg_override = true;
4853 ctxt->seg_override = (ctxt->b >> 3) & 3;
4854 break;
4855 case 0x64: /* FS override */
4856 case 0x65: /* GS override */
4857 has_seg_override = true;
4858 ctxt->seg_override = ctxt->b & 7;
4859 break;
4860 case 0x40 ... 0x4f: /* REX */
4861 if (mode != X86EMUL_MODE_PROT64)
4862 goto done_prefixes;
4863 ctxt->rex_prefix = ctxt->b;
4864 continue;
4865 case 0xf0: /* LOCK */
4866 ctxt->lock_prefix = 1;
4867 break;
4868 case 0xf2: /* REPNE/REPNZ */
4869 case 0xf3: /* REP/REPE/REPZ */
4870 ctxt->rep_prefix = ctxt->b;
4871 break;
4872 default:
4873 goto done_prefixes;
4874 }
4875
4876 /* Any legacy prefix after a REX prefix nullifies its effect. */
4877
4878 ctxt->rex_prefix = 0;
4879 }
4880
4881 done_prefixes:
4882
4883 /* REX prefix. */
4884 if (ctxt->rex_prefix & 8)
4885 ctxt->op_bytes = 8; /* REX.W */
4886
4887 /* Opcode byte(s). */
4888 opcode = opcode_table[ctxt->b];
4889 /* Two-byte opcode? */
4890 if (ctxt->b == 0x0f) {
4891 ctxt->opcode_len = 2;
4892 ctxt->b = insn_fetch(u8, ctxt);
4893 opcode = twobyte_table[ctxt->b];
4894
4895 /* 0F_38 opcode map */
4896 if (ctxt->b == 0x38) {
4897 ctxt->opcode_len = 3;
4898 ctxt->b = insn_fetch(u8, ctxt);
4899 opcode = opcode_map_0f_38[ctxt->b];
4900 }
4901 }
4902 ctxt->d = opcode.flags;
4903
4904 if (ctxt->d & ModRM)
4905 ctxt->modrm = insn_fetch(u8, ctxt);
4906
4907 /* vex-prefix instructions are not implemented */
4908 if (ctxt->opcode_len == 1 && (ctxt->b == 0xc5 || ctxt->b == 0xc4) &&
4909 (mode == X86EMUL_MODE_PROT64 || (ctxt->modrm & 0xc0) == 0xc0)) {
4910 ctxt->d = NotImpl;
4911 }
4912
4913 while (ctxt->d & GroupMask) {
4914 switch (ctxt->d & GroupMask) {
4915 case Group:
4916 goffset = (ctxt->modrm >> 3) & 7;
4917 opcode = opcode.u.group[goffset];
4918 break;
4919 case GroupDual:
4920 goffset = (ctxt->modrm >> 3) & 7;
4921 if ((ctxt->modrm >> 6) == 3)
4922 opcode = opcode.u.gdual->mod3[goffset];
4923 else
4924 opcode = opcode.u.gdual->mod012[goffset];
4925 break;
4926 case RMExt:
4927 goffset = ctxt->modrm & 7;
4928 opcode = opcode.u.group[goffset];
4929 break;
4930 case Prefix:
4931 if (ctxt->rep_prefix && op_prefix)
4932 return EMULATION_FAILED;
4933 simd_prefix = op_prefix ? 0x66 : ctxt->rep_prefix;
4934 switch (simd_prefix) {
4935 case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
4936 case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
4937 case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
4938 case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
4939 }
4940 break;
4941 case Escape:
4942 if (ctxt->modrm > 0xbf)
4943 opcode = opcode.u.esc->high[ctxt->modrm - 0xc0];
4944 else
4945 opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7];
4946 break;
4947 case InstrDual:
4948 if ((ctxt->modrm >> 6) == 3)
4949 opcode = opcode.u.idual->mod3;
4950 else
4951 opcode = opcode.u.idual->mod012;
4952 break;
4953 case ModeDual:
4954 if (ctxt->mode == X86EMUL_MODE_PROT64)
4955 opcode = opcode.u.mdual->mode64;
4956 else
4957 opcode = opcode.u.mdual->mode32;
4958 break;
4959 default:
4960 return EMULATION_FAILED;
4961 }
4962
4963 ctxt->d &= ~(u64)GroupMask;
4964 ctxt->d |= opcode.flags;
4965 }
4966
4967 /* Unrecognised? */
4968 if (ctxt->d == 0)
4969 return EMULATION_FAILED;
4970
4971 ctxt->execute = opcode.u.execute;
4972
4973 if (unlikely(ctxt->ud) && likely(!(ctxt->d & EmulateOnUD)))
4974 return EMULATION_FAILED;
4975
4976 if (unlikely(ctxt->d &
4977 (NotImpl|Stack|Op3264|Sse|Mmx|Intercept|CheckPerm|NearBranch|
4978 No16))) {
4979 /*
4980 * These are copied unconditionally here, and checked unconditionally
4981 * in x86_emulate_insn.
4982 */
4983 ctxt->check_perm = opcode.check_perm;
4984 ctxt->intercept = opcode.intercept;
4985
4986 if (ctxt->d & NotImpl)
4987 return EMULATION_FAILED;
4988
4989 if (mode == X86EMUL_MODE_PROT64) {
4990 if (ctxt->op_bytes == 4 && (ctxt->d & Stack))
4991 ctxt->op_bytes = 8;
4992 else if (ctxt->d & NearBranch)
4993 ctxt->op_bytes = 8;
4994 }
4995
4996 if (ctxt->d & Op3264) {
4997 if (mode == X86EMUL_MODE_PROT64)
4998 ctxt->op_bytes = 8;
4999 else
5000 ctxt->op_bytes = 4;
5001 }
5002
5003 if ((ctxt->d & No16) && ctxt->op_bytes == 2)
5004 ctxt->op_bytes = 4;
5005
5006 if (ctxt->d & Sse)
5007 ctxt->op_bytes = 16;
5008 else if (ctxt->d & Mmx)
5009 ctxt->op_bytes = 8;
5010 }
5011
5012 /* ModRM and SIB bytes. */
5013 if (ctxt->d & ModRM) {
5014 rc = decode_modrm(ctxt, &ctxt->memop);
5015 if (!has_seg_override) {
5016 has_seg_override = true;
5017 ctxt->seg_override = ctxt->modrm_seg;
5018 }
5019 } else if (ctxt->d & MemAbs)
5020 rc = decode_abs(ctxt, &ctxt->memop);
5021 if (rc != X86EMUL_CONTINUE)
5022 goto done;
5023
5024 if (!has_seg_override)
5025 ctxt->seg_override = VCPU_SREG_DS;
5026
5027 ctxt->memop.addr.mem.seg = ctxt->seg_override;
5028
5029 /*
5030 * Decode and fetch the source operand: register, memory
5031 * or immediate.
5032 */
5033 rc = decode_operand(ctxt, &ctxt->src, (ctxt->d >> SrcShift) & OpMask);
5034 if (rc != X86EMUL_CONTINUE)
5035 goto done;
5036
5037 /*
5038 * Decode and fetch the second source operand: register, memory
5039 * or immediate.
5040 */
5041 rc = decode_operand(ctxt, &ctxt->src2, (ctxt->d >> Src2Shift) & OpMask);
5042 if (rc != X86EMUL_CONTINUE)
5043 goto done;
5044
5045 /* Decode and fetch the destination operand: register or memory. */
5046 rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
5047
5048 if (ctxt->rip_relative)
5049 ctxt->memopp->addr.mem.ea = address_mask(ctxt,
5050 ctxt->memopp->addr.mem.ea + ctxt->_eip);
5051
5052 done:
5053 return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
5054 }
5055
5056 bool x86_page_table_writing_insn(struct x86_emulate_ctxt *ctxt)
5057 {
5058 return ctxt->d & PageTable;
5059 }
5060
5061 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
5062 {
5063 /* The second termination condition only applies for REPE
5064 * and REPNE. Test if the repeat string operation prefix is
5065 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
5066 * corresponding termination condition according to:
5067 * - if REPE/REPZ and ZF = 0 then done
5068 * - if REPNE/REPNZ and ZF = 1 then done
5069 */
5070 if (((ctxt->b == 0xa6) || (ctxt->b == 0xa7) ||
5071 (ctxt->b == 0xae) || (ctxt->b == 0xaf))
5072 && (((ctxt->rep_prefix == REPE_PREFIX) &&
5073 ((ctxt->eflags & X86_EFLAGS_ZF) == 0))
5074 || ((ctxt->rep_prefix == REPNE_PREFIX) &&
5075 ((ctxt->eflags & X86_EFLAGS_ZF) == X86_EFLAGS_ZF))))
5076 return true;
5077
5078 return false;
5079 }
5080
5081 static int flush_pending_x87_faults(struct x86_emulate_ctxt *ctxt)
5082 {
5083 bool fault = false;
5084
5085 ctxt->ops->get_fpu(ctxt);
5086 asm volatile("1: fwait \n\t"
5087 "2: \n\t"
5088 ".pushsection .fixup,\"ax\" \n\t"
5089 "3: \n\t"
5090 "movb $1, %[fault] \n\t"
5091 "jmp 2b \n\t"
5092 ".popsection \n\t"
5093 _ASM_EXTABLE(1b, 3b)
5094 : [fault]"+qm"(fault));
5095 ctxt->ops->put_fpu(ctxt);
5096
5097 if (unlikely(fault))
5098 return emulate_exception(ctxt, MF_VECTOR, 0, false);
5099
5100 return X86EMUL_CONTINUE;
5101 }
5102
5103 static void fetch_possible_mmx_operand(struct x86_emulate_ctxt *ctxt,
5104 struct operand *op)
5105 {
5106 if (op->type == OP_MM)
5107 read_mmx_reg(ctxt, &op->mm_val, op->addr.mm);
5108 }
5109
5110 static int fastop(struct x86_emulate_ctxt *ctxt, void (*fop)(struct fastop *))
5111 {
5112 register void *__sp asm(_ASM_SP);
5113 ulong flags = (ctxt->eflags & EFLAGS_MASK) | X86_EFLAGS_IF;
5114
5115 if (!(ctxt->d & ByteOp))
5116 fop += __ffs(ctxt->dst.bytes) * FASTOP_SIZE;
5117
5118 asm("push %[flags]; popf; call *%[fastop]; pushf; pop %[flags]\n"
5119 : "+a"(ctxt->dst.val), "+d"(ctxt->src.val), [flags]"+D"(flags),
5120 [fastop]"+S"(fop), "+r"(__sp)
5121 : "c"(ctxt->src2.val));
5122
5123 ctxt->eflags = (ctxt->eflags & ~EFLAGS_MASK) | (flags & EFLAGS_MASK);
5124 if (!fop) /* exception is returned in fop variable */
5125 return emulate_de(ctxt);
5126 return X86EMUL_CONTINUE;
5127 }
5128
5129 void init_decode_cache(struct x86_emulate_ctxt *ctxt)
5130 {
5131 memset(&ctxt->rip_relative, 0,
5132 (void *)&ctxt->modrm - (void *)&ctxt->rip_relative);
5133
5134 ctxt->io_read.pos = 0;
5135 ctxt->io_read.end = 0;
5136 ctxt->mem_read.end = 0;
5137 }
5138
5139 int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
5140 {
5141 const struct x86_emulate_ops *ops = ctxt->ops;
5142 int rc = X86EMUL_CONTINUE;
5143 int saved_dst_type = ctxt->dst.type;
5144
5145 ctxt->mem_read.pos = 0;
5146
5147 /* LOCK prefix is allowed only with some instructions */
5148 if (ctxt->lock_prefix && (!(ctxt->d & Lock) || ctxt->dst.type != OP_MEM)) {
5149 rc = emulate_ud(ctxt);
5150 goto done;
5151 }
5152
5153 if ((ctxt->d & SrcMask) == SrcMemFAddr && ctxt->src.type != OP_MEM) {
5154 rc = emulate_ud(ctxt);
5155 goto done;
5156 }
5157
5158 if (unlikely(ctxt->d &
5159 (No64|Undefined|Sse|Mmx|Intercept|CheckPerm|Priv|Prot|String))) {
5160 if ((ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) ||
5161 (ctxt->d & Undefined)) {
5162 rc = emulate_ud(ctxt);
5163 goto done;
5164 }
5165
5166 if (((ctxt->d & (Sse|Mmx)) && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)))
5167 || ((ctxt->d & Sse) && !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
5168 rc = emulate_ud(ctxt);
5169 goto done;
5170 }
5171
5172 if ((ctxt->d & (Sse|Mmx)) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
5173 rc = emulate_nm(ctxt);
5174 goto done;
5175 }
5176
5177 if (ctxt->d & Mmx) {
5178 rc = flush_pending_x87_faults(ctxt);
5179 if (rc != X86EMUL_CONTINUE)
5180 goto done;
5181 /*
5182 * Now that we know the fpu is exception safe, we can fetch
5183 * operands from it.
5184 */
5185 fetch_possible_mmx_operand(ctxt, &ctxt->src);
5186 fetch_possible_mmx_operand(ctxt, &ctxt->src2);
5187 if (!(ctxt->d & Mov))
5188 fetch_possible_mmx_operand(ctxt, &ctxt->dst);
5189 }
5190
5191 if (unlikely(ctxt->emul_flags & X86EMUL_GUEST_MASK) && ctxt->intercept) {
5192 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5193 X86_ICPT_PRE_EXCEPT);
5194 if (rc != X86EMUL_CONTINUE)
5195 goto done;
5196 }
5197
5198 /* Instruction can only be executed in protected mode */
5199 if ((ctxt->d & Prot) && ctxt->mode < X86EMUL_MODE_PROT16) {
5200 rc = emulate_ud(ctxt);
5201 goto done;
5202 }
5203
5204 /* Privileged instruction can be executed only in CPL=0 */
5205 if ((ctxt->d & Priv) && ops->cpl(ctxt)) {
5206 if (ctxt->d & PrivUD)
5207 rc = emulate_ud(ctxt);
5208 else
5209 rc = emulate_gp(ctxt, 0);
5210 goto done;
5211 }
5212
5213 /* Do instruction specific permission checks */
5214 if (ctxt->d & CheckPerm) {
5215 rc = ctxt->check_perm(ctxt);
5216 if (rc != X86EMUL_CONTINUE)
5217 goto done;
5218 }
5219
5220 if (unlikely(ctxt->emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
5221 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5222 X86_ICPT_POST_EXCEPT);
5223 if (rc != X86EMUL_CONTINUE)
5224 goto done;
5225 }
5226
5227 if (ctxt->rep_prefix && (ctxt->d & String)) {
5228 /* All REP prefixes have the same first termination condition */
5229 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0) {
5230 string_registers_quirk(ctxt);
5231 ctxt->eip = ctxt->_eip;
5232 ctxt->eflags &= ~X86_EFLAGS_RF;
5233 goto done;
5234 }
5235 }
5236 }
5237
5238 if ((ctxt->src.type == OP_MEM) && !(ctxt->d & NoAccess)) {
5239 rc = segmented_read(ctxt, ctxt->src.addr.mem,
5240 ctxt->src.valptr, ctxt->src.bytes);
5241 if (rc != X86EMUL_CONTINUE)
5242 goto done;
5243 ctxt->src.orig_val64 = ctxt->src.val64;
5244 }
5245
5246 if (ctxt->src2.type == OP_MEM) {
5247 rc = segmented_read(ctxt, ctxt->src2.addr.mem,
5248 &ctxt->src2.val, ctxt->src2.bytes);
5249 if (rc != X86EMUL_CONTINUE)
5250 goto done;
5251 }
5252
5253 if ((ctxt->d & DstMask) == ImplicitOps)
5254 goto special_insn;
5255
5256
5257 if ((ctxt->dst.type == OP_MEM) && !(ctxt->d & Mov)) {
5258 /* optimisation - avoid slow emulated read if Mov */
5259 rc = segmented_read(ctxt, ctxt->dst.addr.mem,
5260 &ctxt->dst.val, ctxt->dst.bytes);
5261 if (rc != X86EMUL_CONTINUE) {
5262 if (!(ctxt->d & NoWrite) &&
5263 rc == X86EMUL_PROPAGATE_FAULT &&
5264 ctxt->exception.vector == PF_VECTOR)
5265 ctxt->exception.error_code |= PFERR_WRITE_MASK;
5266 goto done;
5267 }
5268 }
5269 /* Copy full 64-bit value for CMPXCHG8B. */
5270 ctxt->dst.orig_val64 = ctxt->dst.val64;
5271
5272 special_insn:
5273
5274 if (unlikely(ctxt->emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
5275 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5276 X86_ICPT_POST_MEMACCESS);
5277 if (rc != X86EMUL_CONTINUE)
5278 goto done;
5279 }
5280
5281 if (ctxt->rep_prefix && (ctxt->d & String))
5282 ctxt->eflags |= X86_EFLAGS_RF;
5283 else
5284 ctxt->eflags &= ~X86_EFLAGS_RF;
5285
5286 if (ctxt->execute) {
5287 if (ctxt->d & Fastop) {
5288 void (*fop)(struct fastop *) = (void *)ctxt->execute;
5289 rc = fastop(ctxt, fop);
5290 if (rc != X86EMUL_CONTINUE)
5291 goto done;
5292 goto writeback;
5293 }
5294 rc = ctxt->execute(ctxt);
5295 if (rc != X86EMUL_CONTINUE)
5296 goto done;
5297 goto writeback;
5298 }
5299
5300 if (ctxt->opcode_len == 2)
5301 goto twobyte_insn;
5302 else if (ctxt->opcode_len == 3)
5303 goto threebyte_insn;
5304
5305 switch (ctxt->b) {
5306 case 0x70 ... 0x7f: /* jcc (short) */
5307 if (test_cc(ctxt->b, ctxt->eflags))
5308 rc = jmp_rel(ctxt, ctxt->src.val);
5309 break;
5310 case 0x8d: /* lea r16/r32, m */
5311 ctxt->dst.val = ctxt->src.addr.mem.ea;
5312 break;
5313 case 0x90 ... 0x97: /* nop / xchg reg, rax */
5314 if (ctxt->dst.addr.reg == reg_rmw(ctxt, VCPU_REGS_RAX))
5315 ctxt->dst.type = OP_NONE;
5316 else
5317 rc = em_xchg(ctxt);
5318 break;
5319 case 0x98: /* cbw/cwde/cdqe */
5320 switch (ctxt->op_bytes) {
5321 case 2: ctxt->dst.val = (s8)ctxt->dst.val; break;
5322 case 4: ctxt->dst.val = (s16)ctxt->dst.val; break;
5323 case 8: ctxt->dst.val = (s32)ctxt->dst.val; break;
5324 }
5325 break;
5326 case 0xcc: /* int3 */
5327 rc = emulate_int(ctxt, 3);
5328 break;
5329 case 0xcd: /* int n */
5330 rc = emulate_int(ctxt, ctxt->src.val);
5331 break;
5332 case 0xce: /* into */
5333 if (ctxt->eflags & X86_EFLAGS_OF)
5334 rc = emulate_int(ctxt, 4);
5335 break;
5336 case 0xe9: /* jmp rel */
5337 case 0xeb: /* jmp rel short */
5338 rc = jmp_rel(ctxt, ctxt->src.val);
5339 ctxt->dst.type = OP_NONE; /* Disable writeback. */
5340 break;
5341 case 0xf4: /* hlt */
5342 ctxt->ops->halt(ctxt);
5343 break;
5344 case 0xf5: /* cmc */
5345 /* complement carry flag from eflags reg */
5346 ctxt->eflags ^= X86_EFLAGS_CF;
5347 break;
5348 case 0xf8: /* clc */
5349 ctxt->eflags &= ~X86_EFLAGS_CF;
5350 break;
5351 case 0xf9: /* stc */
5352 ctxt->eflags |= X86_EFLAGS_CF;
5353 break;
5354 case 0xfc: /* cld */
5355 ctxt->eflags &= ~X86_EFLAGS_DF;
5356 break;
5357 case 0xfd: /* std */
5358 ctxt->eflags |= X86_EFLAGS_DF;
5359 break;
5360 default:
5361 goto cannot_emulate;
5362 }
5363
5364 if (rc != X86EMUL_CONTINUE)
5365 goto done;
5366
5367 writeback:
5368 if (ctxt->d & SrcWrite) {
5369 BUG_ON(ctxt->src.type == OP_MEM || ctxt->src.type == OP_MEM_STR);
5370 rc = writeback(ctxt, &ctxt->src);
5371 if (rc != X86EMUL_CONTINUE)
5372 goto done;
5373 }
5374 if (!(ctxt->d & NoWrite)) {
5375 rc = writeback(ctxt, &ctxt->dst);
5376 if (rc != X86EMUL_CONTINUE)
5377 goto done;
5378 }
5379
5380 /*
5381 * restore dst type in case the decoding will be reused
5382 * (happens for string instruction )
5383 */
5384 ctxt->dst.type = saved_dst_type;
5385
5386 if ((ctxt->d & SrcMask) == SrcSI)
5387 string_addr_inc(ctxt, VCPU_REGS_RSI, &ctxt->src);
5388
5389 if ((ctxt->d & DstMask) == DstDI)
5390 string_addr_inc(ctxt, VCPU_REGS_RDI, &ctxt->dst);
5391
5392 if (ctxt->rep_prefix && (ctxt->d & String)) {
5393 unsigned int count;
5394 struct read_cache *r = &ctxt->io_read;
5395 if ((ctxt->d & SrcMask) == SrcSI)
5396 count = ctxt->src.count;
5397 else
5398 count = ctxt->dst.count;
5399 register_address_increment(ctxt, VCPU_REGS_RCX, -count);
5400
5401 if (!string_insn_completed(ctxt)) {
5402 /*
5403 * Re-enter guest when pio read ahead buffer is empty
5404 * or, if it is not used, after each 1024 iteration.
5405 */
5406 if ((r->end != 0 || reg_read(ctxt, VCPU_REGS_RCX) & 0x3ff) &&
5407 (r->end == 0 || r->end != r->pos)) {
5408 /*
5409 * Reset read cache. Usually happens before
5410 * decode, but since instruction is restarted
5411 * we have to do it here.
5412 */
5413 ctxt->mem_read.end = 0;
5414 writeback_registers(ctxt);
5415 return EMULATION_RESTART;
5416 }
5417 goto done; /* skip rip writeback */
5418 }
5419 ctxt->eflags &= ~X86_EFLAGS_RF;
5420 }
5421
5422 ctxt->eip = ctxt->_eip;
5423
5424 done:
5425 if (rc == X86EMUL_PROPAGATE_FAULT) {
5426 WARN_ON(ctxt->exception.vector > 0x1f);
5427 ctxt->have_exception = true;
5428 }
5429 if (rc == X86EMUL_INTERCEPTED)
5430 return EMULATION_INTERCEPTED;
5431
5432 if (rc == X86EMUL_CONTINUE)
5433 writeback_registers(ctxt);
5434
5435 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
5436
5437 twobyte_insn:
5438 switch (ctxt->b) {
5439 case 0x09: /* wbinvd */
5440 (ctxt->ops->wbinvd)(ctxt);
5441 break;
5442 case 0x08: /* invd */
5443 case 0x0d: /* GrpP (prefetch) */
5444 case 0x18: /* Grp16 (prefetch/nop) */
5445 case 0x1f: /* nop */
5446 break;
5447 case 0x20: /* mov cr, reg */
5448 ctxt->dst.val = ops->get_cr(ctxt, ctxt->modrm_reg);
5449 break;
5450 case 0x21: /* mov from dr to reg */
5451 ops->get_dr(ctxt, ctxt->modrm_reg, &ctxt->dst.val);
5452 break;
5453 case 0x40 ... 0x4f: /* cmov */
5454 if (test_cc(ctxt->b, ctxt->eflags))
5455 ctxt->dst.val = ctxt->src.val;
5456 else if (ctxt->op_bytes != 4)
5457 ctxt->dst.type = OP_NONE; /* no writeback */
5458 break;
5459 case 0x80 ... 0x8f: /* jnz rel, etc*/
5460 if (test_cc(ctxt->b, ctxt->eflags))
5461 rc = jmp_rel(ctxt, ctxt->src.val);
5462 break;
5463 case 0x90 ... 0x9f: /* setcc r/m8 */
5464 ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
5465 break;
5466 case 0xb6 ... 0xb7: /* movzx */
5467 ctxt->dst.bytes = ctxt->op_bytes;
5468 ctxt->dst.val = (ctxt->src.bytes == 1) ? (u8) ctxt->src.val
5469 : (u16) ctxt->src.val;
5470 break;
5471 case 0xbe ... 0xbf: /* movsx */
5472 ctxt->dst.bytes = ctxt->op_bytes;
5473 ctxt->dst.val = (ctxt->src.bytes == 1) ? (s8) ctxt->src.val :
5474 (s16) ctxt->src.val;
5475 break;
5476 default:
5477 goto cannot_emulate;
5478 }
5479
5480 threebyte_insn:
5481
5482 if (rc != X86EMUL_CONTINUE)
5483 goto done;
5484
5485 goto writeback;
5486
5487 cannot_emulate:
5488 return EMULATION_FAILED;
5489 }
5490
5491 void emulator_invalidate_register_cache(struct x86_emulate_ctxt *ctxt)
5492 {
5493 invalidate_registers(ctxt);
5494 }
5495
5496 void emulator_writeback_register_cache(struct x86_emulate_ctxt *ctxt)
5497 {
5498 writeback_registers(ctxt);
5499 }
Linux with added FPC-III support