search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
mm: fix exec activate_mm vs TLB shootdown and lazy tlb switching race
[linux/fpc-iii.git] / arch / x86 / kvm / emulate.c
blob46559812da24ec7a34b7e1f84c63b7643d138b42
1 /******************************************************************************
2 * emulate.c
3 *
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5 *
6 * Copyright (c) 2005 Keir Fraser
7 *
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
10 *
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
13 *
14 * Avi Kivity <avi@qumranet.com>
15 * Yaniv Kamay <yaniv@qumranet.com>
16 *
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
19 *
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
21 */
22
23 #include <linux/kvm_host.h>
24 #include "kvm_cache_regs.h"
25 #include <asm/kvm_emulate.h>
26 #include <linux/stringify.h>
27 #include <asm/debugreg.h>
28 #include <asm/nospec-branch.h>
29
30 #include "x86.h"
31 #include "tss.h"
32 #include "mmu.h"
33
34 /*
35 * Operand types
36 */
37 #define OpNone 0ull
38 #define OpImplicit 1ull /* No generic decode */
39 #define OpReg 2ull /* Register */
40 #define OpMem 3ull /* Memory */
41 #define OpAcc 4ull /* Accumulator: AL/AX/EAX/RAX */
42 #define OpDI 5ull /* ES:DI/EDI/RDI */
43 #define OpMem64 6ull /* Memory, 64-bit */
44 #define OpImmUByte 7ull /* Zero-extended 8-bit immediate */
45 #define OpDX 8ull /* DX register */
46 #define OpCL 9ull /* CL register (for shifts) */
47 #define OpImmByte 10ull /* 8-bit sign extended immediate */
48 #define OpOne 11ull /* Implied 1 */
49 #define OpImm 12ull /* Sign extended up to 32-bit immediate */
50 #define OpMem16 13ull /* Memory operand (16-bit). */
51 #define OpMem32 14ull /* Memory operand (32-bit). */
52 #define OpImmU 15ull /* Immediate operand, zero extended */
53 #define OpSI 16ull /* SI/ESI/RSI */
54 #define OpImmFAddr 17ull /* Immediate far address */
55 #define OpMemFAddr 18ull /* Far address in memory */
56 #define OpImmU16 19ull /* Immediate operand, 16 bits, zero extended */
57 #define OpES 20ull /* ES */
58 #define OpCS 21ull /* CS */
59 #define OpSS 22ull /* SS */
60 #define OpDS 23ull /* DS */
61 #define OpFS 24ull /* FS */
62 #define OpGS 25ull /* GS */
63 #define OpMem8 26ull /* 8-bit zero extended memory operand */
64 #define OpImm64 27ull /* Sign extended 16/32/64-bit immediate */
65 #define OpXLat 28ull /* memory at BX/EBX/RBX + zero-extended AL */
66 #define OpAccLo 29ull /* Low part of extended acc (AX/AX/EAX/RAX) */
67 #define OpAccHi 30ull /* High part of extended acc (-/DX/EDX/RDX) */
68
69 #define OpBits 5 /* Width of operand field */
70 #define OpMask ((1ull << OpBits) - 1)
71
72 /*
73 * Opcode effective-address decode tables.
74 * Note that we only emulate instructions that have at least one memory
75 * operand (excluding implicit stack references). We assume that stack
76 * references and instruction fetches will never occur in special memory
77 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
78 * not be handled.
79 */
80
81 /* Operand sizes: 8-bit operands or specified/overridden size. */
82 #define ByteOp (1<<0) /* 8-bit operands. */
83 /* Destination operand type. */
84 #define DstShift 1
85 #define ImplicitOps (OpImplicit << DstShift)
86 #define DstReg (OpReg << DstShift)
87 #define DstMem (OpMem << DstShift)
88 #define DstAcc (OpAcc << DstShift)
89 #define DstDI (OpDI << DstShift)
90 #define DstMem64 (OpMem64 << DstShift)
91 #define DstMem16 (OpMem16 << DstShift)
92 #define DstImmUByte (OpImmUByte << DstShift)
93 #define DstDX (OpDX << DstShift)
94 #define DstAccLo (OpAccLo << DstShift)
95 #define DstMask (OpMask << DstShift)
96 /* Source operand type. */
97 #define SrcShift 6
98 #define SrcNone (OpNone << SrcShift)
99 #define SrcReg (OpReg << SrcShift)
100 #define SrcMem (OpMem << SrcShift)
101 #define SrcMem16 (OpMem16 << SrcShift)
102 #define SrcMem32 (OpMem32 << SrcShift)
103 #define SrcImm (OpImm << SrcShift)
104 #define SrcImmByte (OpImmByte << SrcShift)
105 #define SrcOne (OpOne << SrcShift)
106 #define SrcImmUByte (OpImmUByte << SrcShift)
107 #define SrcImmU (OpImmU << SrcShift)
108 #define SrcSI (OpSI << SrcShift)
109 #define SrcXLat (OpXLat << SrcShift)
110 #define SrcImmFAddr (OpImmFAddr << SrcShift)
111 #define SrcMemFAddr (OpMemFAddr << SrcShift)
112 #define SrcAcc (OpAcc << SrcShift)
113 #define SrcImmU16 (OpImmU16 << SrcShift)
114 #define SrcImm64 (OpImm64 << SrcShift)
115 #define SrcDX (OpDX << SrcShift)
116 #define SrcMem8 (OpMem8 << SrcShift)
117 #define SrcAccHi (OpAccHi << SrcShift)
118 #define SrcMask (OpMask << SrcShift)
119 #define BitOp (1<<11)
120 #define MemAbs (1<<12) /* Memory operand is absolute displacement */
121 #define String (1<<13) /* String instruction (rep capable) */
122 #define Stack (1<<14) /* Stack instruction (push/pop) */
123 #define GroupMask (7<<15) /* Opcode uses one of the group mechanisms */
124 #define Group (1<<15) /* Bits 3:5 of modrm byte extend opcode */
125 #define GroupDual (2<<15) /* Alternate decoding of mod == 3 */
126 #define Prefix (3<<15) /* Instruction varies with 66/f2/f3 prefix */
127 #define RMExt (4<<15) /* Opcode extension in ModRM r/m if mod == 3 */
128 #define Escape (5<<15) /* Escape to coprocessor instruction */
129 #define InstrDual (6<<15) /* Alternate instruction decoding of mod == 3 */
130 #define ModeDual (7<<15) /* Different instruction for 32/64 bit */
131 #define Sse (1<<18) /* SSE Vector instruction */
132 /* Generic ModRM decode. */
133 #define ModRM (1<<19)
134 /* Destination is only written; never read. */
135 #define Mov (1<<20)
136 /* Misc flags */
137 #define Prot (1<<21) /* instruction generates #UD if not in prot-mode */
138 #define EmulateOnUD (1<<22) /* Emulate if unsupported by the host */
139 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
140 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
141 #define Undefined (1<<25) /* No Such Instruction */
142 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
143 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
144 #define No64 (1<<28)
145 #define PageTable (1 << 29) /* instruction used to write page table */
146 #define NotImpl (1 << 30) /* instruction is not implemented */
147 /* Source 2 operand type */
148 #define Src2Shift (31)
149 #define Src2None (OpNone << Src2Shift)
150 #define Src2Mem (OpMem << Src2Shift)
151 #define Src2CL (OpCL << Src2Shift)
152 #define Src2ImmByte (OpImmByte << Src2Shift)
153 #define Src2One (OpOne << Src2Shift)
154 #define Src2Imm (OpImm << Src2Shift)
155 #define Src2ES (OpES << Src2Shift)
156 #define Src2CS (OpCS << Src2Shift)
157 #define Src2SS (OpSS << Src2Shift)
158 #define Src2DS (OpDS << Src2Shift)
159 #define Src2FS (OpFS << Src2Shift)
160 #define Src2GS (OpGS << Src2Shift)
161 #define Src2Mask (OpMask << Src2Shift)
162 #define Mmx ((u64)1 << 40) /* MMX Vector instruction */
163 #define AlignMask ((u64)7 << 41)
164 #define Aligned ((u64)1 << 41) /* Explicitly aligned (e.g. MOVDQA) */
165 #define Unaligned ((u64)2 << 41) /* Explicitly unaligned (e.g. MOVDQU) */
166 #define Avx ((u64)3 << 41) /* Advanced Vector Extensions */
167 #define Aligned16 ((u64)4 << 41) /* Aligned to 16 byte boundary (e.g. FXSAVE) */
168 #define Fastop ((u64)1 << 44) /* Use opcode::u.fastop */
169 #define NoWrite ((u64)1 << 45) /* No writeback */
170 #define SrcWrite ((u64)1 << 46) /* Write back src operand */
171 #define NoMod ((u64)1 << 47) /* Mod field is ignored */
172 #define Intercept ((u64)1 << 48) /* Has valid intercept field */
173 #define CheckPerm ((u64)1 << 49) /* Has valid check_perm field */
174 #define PrivUD ((u64)1 << 51) /* #UD instead of #GP on CPL > 0 */
175 #define NearBranch ((u64)1 << 52) /* Near branches */
176 #define No16 ((u64)1 << 53) /* No 16 bit operand */
177 #define IncSP ((u64)1 << 54) /* SP is incremented before ModRM calc */
178 #define TwoMemOp ((u64)1 << 55) /* Instruction has two memory operand */
179
180 #define DstXacc (DstAccLo | SrcAccHi | SrcWrite)
181
182 #define X2(x...) x, x
183 #define X3(x...) X2(x), x
184 #define X4(x...) X2(x), X2(x)
185 #define X5(x...) X4(x), x
186 #define X6(x...) X4(x), X2(x)
187 #define X7(x...) X4(x), X3(x)
188 #define X8(x...) X4(x), X4(x)
189 #define X16(x...) X8(x), X8(x)
190
191 #define NR_FASTOP (ilog2(sizeof(ulong)) + 1)
192 #define FASTOP_SIZE 8
193
194 /*
195 * fastop functions have a special calling convention:
196 *
197 * dst: rax (in/out)
198 * src: rdx (in/out)
199 * src2: rcx (in)
200 * flags: rflags (in/out)
201 * ex: rsi (in:fastop pointer, out:zero if exception)
202 *
203 * Moreover, they are all exactly FASTOP_SIZE bytes long, so functions for
204 * different operand sizes can be reached by calculation, rather than a jump
205 * table (which would be bigger than the code).
206 *
207 * fastop functions are declared as taking a never-defined fastop parameter,
208 * so they can't be called from C directly.
209 */
210
211 struct fastop;
212
213 struct opcode {
214 u64 flags : 56;
215 u64 intercept : 8;
216 union {
217 int (*execute)(struct x86_emulate_ctxt *ctxt);
218 const struct opcode *group;
219 const struct group_dual *gdual;
220 const struct gprefix *gprefix;
221 const struct escape *esc;
222 const struct instr_dual *idual;
223 const struct mode_dual *mdual;
224 void (*fastop)(struct fastop *fake);
225 } u;
226 int (*check_perm)(struct x86_emulate_ctxt *ctxt);
227 };
228
229 struct group_dual {
230 struct opcode mod012[8];
231 struct opcode mod3[8];
232 };
233
234 struct gprefix {
235 struct opcode pfx_no;
236 struct opcode pfx_66;
237 struct opcode pfx_f2;
238 struct opcode pfx_f3;
239 };
240
241 struct escape {
242 struct opcode op[8];
243 struct opcode high[64];
244 };
245
246 struct instr_dual {
247 struct opcode mod012;
248 struct opcode mod3;
249 };
250
251 struct mode_dual {
252 struct opcode mode32;
253 struct opcode mode64;
254 };
255
256 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
257
258 enum x86_transfer_type {
259 X86_TRANSFER_NONE,
260 X86_TRANSFER_CALL_JMP,
261 X86_TRANSFER_RET,
262 X86_TRANSFER_TASK_SWITCH,
263 };
264
265 static ulong reg_read(struct x86_emulate_ctxt *ctxt, unsigned nr)
266 {
267 if (!(ctxt->regs_valid & (1 << nr))) {
268 ctxt->regs_valid |= 1 << nr;
269 ctxt->_regs[nr] = ctxt->ops->read_gpr(ctxt, nr);
270 }
271 return ctxt->_regs[nr];
272 }
273
274 static ulong *reg_write(struct x86_emulate_ctxt *ctxt, unsigned nr)
275 {
276 ctxt->regs_valid |= 1 << nr;
277 ctxt->regs_dirty |= 1 << nr;
278 return &ctxt->_regs[nr];
279 }
280
281 static ulong *reg_rmw(struct x86_emulate_ctxt *ctxt, unsigned nr)
282 {
283 reg_read(ctxt, nr);
284 return reg_write(ctxt, nr);
285 }
286
287 static void writeback_registers(struct x86_emulate_ctxt *ctxt)
288 {
289 unsigned reg;
290
291 for_each_set_bit(reg, (ulong *)&ctxt->regs_dirty, 16)
292 ctxt->ops->write_gpr(ctxt, reg, ctxt->_regs[reg]);
293 }
294
295 static void invalidate_registers(struct x86_emulate_ctxt *ctxt)
296 {
297 ctxt->regs_dirty = 0;
298 ctxt->regs_valid = 0;
299 }
300
301 /*
302 * These EFLAGS bits are restored from saved value during emulation, and
303 * any changes are written back to the saved value after emulation.
304 */
305 #define EFLAGS_MASK (X86_EFLAGS_OF|X86_EFLAGS_SF|X86_EFLAGS_ZF|X86_EFLAGS_AF|\
306 X86_EFLAGS_PF|X86_EFLAGS_CF)
307
308 #ifdef CONFIG_X86_64
309 #define ON64(x) x
310 #else
311 #define ON64(x)
312 #endif
313
314 static int fastop(struct x86_emulate_ctxt *ctxt, void (*fop)(struct fastop *));
315
316 #define FOP_FUNC(name) \
317 ".align " __stringify(FASTOP_SIZE) " \n\t" \
318 ".type " name ", @function \n\t" \
319 name ":\n\t"
320
321 #define FOP_RET "ret \n\t"
322
323 #define FOP_START(op) \
324 extern void em_##op(struct fastop *fake); \
325 asm(".pushsection .text, \"ax\" \n\t" \
326 ".global em_" #op " \n\t" \
327 FOP_FUNC("em_" #op)
328
329 #define FOP_END \
330 ".popsection")
331
332 #define FOPNOP() \
333 FOP_FUNC(__stringify(__UNIQUE_ID(nop))) \
334 FOP_RET
335
336 #define FOP1E(op, dst) \
337 FOP_FUNC(#op "_" #dst) \
338 "10: " #op " %" #dst " \n\t" FOP_RET
339
340 #define FOP1EEX(op, dst) \
341 FOP1E(op, dst) _ASM_EXTABLE(10b, kvm_fastop_exception)
342
343 #define FASTOP1(op) \
344 FOP_START(op) \
345 FOP1E(op##b, al) \
346 FOP1E(op##w, ax) \
347 FOP1E(op##l, eax) \
348 ON64(FOP1E(op##q, rax)) \
349 FOP_END
350
351 /* 1-operand, using src2 (for MUL/DIV r/m) */
352 #define FASTOP1SRC2(op, name) \
353 FOP_START(name) \
354 FOP1E(op, cl) \
355 FOP1E(op, cx) \
356 FOP1E(op, ecx) \
357 ON64(FOP1E(op, rcx)) \
358 FOP_END
359
360 /* 1-operand, using src2 (for MUL/DIV r/m), with exceptions */
361 #define FASTOP1SRC2EX(op, name) \
362 FOP_START(name) \
363 FOP1EEX(op, cl) \
364 FOP1EEX(op, cx) \
365 FOP1EEX(op, ecx) \
366 ON64(FOP1EEX(op, rcx)) \
367 FOP_END
368
369 #define FOP2E(op, dst, src) \
370 FOP_FUNC(#op "_" #dst "_" #src) \
371 #op " %" #src ", %" #dst " \n\t" FOP_RET
372
373 #define FASTOP2(op) \
374 FOP_START(op) \
375 FOP2E(op##b, al, dl) \
376 FOP2E(op##w, ax, dx) \
377 FOP2E(op##l, eax, edx) \
378 ON64(FOP2E(op##q, rax, rdx)) \
379 FOP_END
380
381 /* 2 operand, word only */
382 #define FASTOP2W(op) \
383 FOP_START(op) \
384 FOPNOP() \
385 FOP2E(op##w, ax, dx) \
386 FOP2E(op##l, eax, edx) \
387 ON64(FOP2E(op##q, rax, rdx)) \
388 FOP_END
389
390 /* 2 operand, src is CL */
391 #define FASTOP2CL(op) \
392 FOP_START(op) \
393 FOP2E(op##b, al, cl) \
394 FOP2E(op##w, ax, cl) \
395 FOP2E(op##l, eax, cl) \
396 ON64(FOP2E(op##q, rax, cl)) \
397 FOP_END
398
399 /* 2 operand, src and dest are reversed */
400 #define FASTOP2R(op, name) \
401 FOP_START(name) \
402 FOP2E(op##b, dl, al) \
403 FOP2E(op##w, dx, ax) \
404 FOP2E(op##l, edx, eax) \
405 ON64(FOP2E(op##q, rdx, rax)) \
406 FOP_END
407
408 #define FOP3E(op, dst, src, src2) \
409 FOP_FUNC(#op "_" #dst "_" #src "_" #src2) \
410 #op " %" #src2 ", %" #src ", %" #dst " \n\t" FOP_RET
411
412 /* 3-operand, word-only, src2=cl */
413 #define FASTOP3WCL(op) \
414 FOP_START(op) \
415 FOPNOP() \
416 FOP3E(op##w, ax, dx, cl) \
417 FOP3E(op##l, eax, edx, cl) \
418 ON64(FOP3E(op##q, rax, rdx, cl)) \
419 FOP_END
420
421 /* Special case for SETcc - 1 instruction per cc */
422 #define FOP_SETCC(op) \
423 ".align 4 \n\t" \
424 ".type " #op ", @function \n\t" \
425 #op ": \n\t" \
426 #op " %al \n\t" \
427 FOP_RET
428
429 asm(".pushsection .fixup, \"ax\"\n"
430 ".global kvm_fastop_exception \n"
431 "kvm_fastop_exception: xor %esi, %esi; ret\n"
432 ".popsection");
433
434 FOP_START(setcc)
435 FOP_SETCC(seto)
436 FOP_SETCC(setno)
437 FOP_SETCC(setc)
438 FOP_SETCC(setnc)
439 FOP_SETCC(setz)
440 FOP_SETCC(setnz)
441 FOP_SETCC(setbe)
442 FOP_SETCC(setnbe)
443 FOP_SETCC(sets)
444 FOP_SETCC(setns)
445 FOP_SETCC(setp)
446 FOP_SETCC(setnp)
447 FOP_SETCC(setl)
448 FOP_SETCC(setnl)
449 FOP_SETCC(setle)
450 FOP_SETCC(setnle)
451 FOP_END;
452
453 FOP_START(salc) "pushf; sbb %al, %al; popf \n\t" FOP_RET
454 FOP_END;
455
456 /*
457 * XXX: inoutclob user must know where the argument is being expanded.
458 * Relying on CC_HAVE_ASM_GOTO would allow us to remove _fault.
459 */
460 #define asm_safe(insn, inoutclob...) \
461 ({ \
462 int _fault = 0; \
463 \
464 asm volatile("1:" insn "\n" \
465 "2:\n" \
466 ".pushsection .fixup, \"ax\"\n" \
467 "3: movl $1, %[_fault]\n" \
468 " jmp 2b\n" \
469 ".popsection\n" \
470 _ASM_EXTABLE(1b, 3b) \
471 : [_fault] "+qm"(_fault) inoutclob ); \
472 \
473 _fault ? X86EMUL_UNHANDLEABLE : X86EMUL_CONTINUE; \
474 })
475
476 static int emulator_check_intercept(struct x86_emulate_ctxt *ctxt,
477 enum x86_intercept intercept,
478 enum x86_intercept_stage stage)
479 {
480 struct x86_instruction_info info = {
481 .intercept = intercept,
482 .rep_prefix = ctxt->rep_prefix,
483 .modrm_mod = ctxt->modrm_mod,
484 .modrm_reg = ctxt->modrm_reg,
485 .modrm_rm = ctxt->modrm_rm,
486 .src_val = ctxt->src.val64,
487 .dst_val = ctxt->dst.val64,
488 .src_bytes = ctxt->src.bytes,
489 .dst_bytes = ctxt->dst.bytes,
490 .ad_bytes = ctxt->ad_bytes,
491 .next_rip = ctxt->eip,
492 };
493
494 return ctxt->ops->intercept(ctxt, &info, stage);
495 }
496
497 static void assign_masked(ulong *dest, ulong src, ulong mask)
498 {
499 *dest = (*dest & ~mask) | (src & mask);
500 }
501
502 static void assign_register(unsigned long *reg, u64 val, int bytes)
503 {
504 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
505 switch (bytes) {
506 case 1:
507 *(u8 *)reg = (u8)val;
508 break;
509 case 2:
510 *(u16 *)reg = (u16)val;
511 break;
512 case 4:
513 *reg = (u32)val;
514 break; /* 64b: zero-extend */
515 case 8:
516 *reg = val;
517 break;
518 }
519 }
520
521 static inline unsigned long ad_mask(struct x86_emulate_ctxt *ctxt)
522 {
523 return (1UL << (ctxt->ad_bytes << 3)) - 1;
524 }
525
526 static ulong stack_mask(struct x86_emulate_ctxt *ctxt)
527 {
528 u16 sel;
529 struct desc_struct ss;
530
531 if (ctxt->mode == X86EMUL_MODE_PROT64)
532 return ~0UL;
533 ctxt->ops->get_segment(ctxt, &sel, &ss, NULL, VCPU_SREG_SS);
534 return ~0U >> ((ss.d ^ 1) * 16); /* d=0: 0xffff; d=1: 0xffffffff */
535 }
536
537 static int stack_size(struct x86_emulate_ctxt *ctxt)
538 {
539 return (__fls(stack_mask(ctxt)) + 1) >> 3;
540 }
541
542 /* Access/update address held in a register, based on addressing mode. */
543 static inline unsigned long
544 address_mask(struct x86_emulate_ctxt *ctxt, unsigned long reg)
545 {
546 if (ctxt->ad_bytes == sizeof(unsigned long))
547 return reg;
548 else
549 return reg & ad_mask(ctxt);
550 }
551
552 static inline unsigned long
553 register_address(struct x86_emulate_ctxt *ctxt, int reg)
554 {
555 return address_mask(ctxt, reg_read(ctxt, reg));
556 }
557
558 static void masked_increment(ulong *reg, ulong mask, int inc)
559 {
560 assign_masked(reg, *reg + inc, mask);
561 }
562
563 static inline void
564 register_address_increment(struct x86_emulate_ctxt *ctxt, int reg, int inc)
565 {
566 ulong *preg = reg_rmw(ctxt, reg);
567
568 assign_register(preg, *preg + inc, ctxt->ad_bytes);
569 }
570
571 static void rsp_increment(struct x86_emulate_ctxt *ctxt, int inc)
572 {
573 masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc);
574 }
575
576 static u32 desc_limit_scaled(struct desc_struct *desc)
577 {
578 u32 limit = get_desc_limit(desc);
579
580 return desc->g ? (limit << 12) | 0xfff : limit;
581 }
582
583 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
584 {
585 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
586 return 0;
587
588 return ctxt->ops->get_cached_segment_base(ctxt, seg);
589 }
590
591 static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
592 u32 error, bool valid)
593 {
594 WARN_ON(vec > 0x1f);
595 ctxt->exception.vector = vec;
596 ctxt->exception.error_code = error;
597 ctxt->exception.error_code_valid = valid;
598 return X86EMUL_PROPAGATE_FAULT;
599 }
600
601 static int emulate_db(struct x86_emulate_ctxt *ctxt)
602 {
603 return emulate_exception(ctxt, DB_VECTOR, 0, false);
604 }
605
606 static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
607 {
608 return emulate_exception(ctxt, GP_VECTOR, err, true);
609 }
610
611 static int emulate_ss(struct x86_emulate_ctxt *ctxt, int err)
612 {
613 return emulate_exception(ctxt, SS_VECTOR, err, true);
614 }
615
616 static int emulate_ud(struct x86_emulate_ctxt *ctxt)
617 {
618 return emulate_exception(ctxt, UD_VECTOR, 0, false);
619 }
620
621 static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
622 {
623 return emulate_exception(ctxt, TS_VECTOR, err, true);
624 }
625
626 static int emulate_de(struct x86_emulate_ctxt *ctxt)
627 {
628 return emulate_exception(ctxt, DE_VECTOR, 0, false);
629 }
630
631 static int emulate_nm(struct x86_emulate_ctxt *ctxt)
632 {
633 return emulate_exception(ctxt, NM_VECTOR, 0, false);
634 }
635
636 static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
637 {
638 u16 selector;
639 struct desc_struct desc;
640
641 ctxt->ops->get_segment(ctxt, &selector, &desc, NULL, seg);
642 return selector;
643 }
644
645 static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
646 unsigned seg)
647 {
648 u16 dummy;
649 u32 base3;
650 struct desc_struct desc;
651
652 ctxt->ops->get_segment(ctxt, &dummy, &desc, &base3, seg);
653 ctxt->ops->set_segment(ctxt, selector, &desc, base3, seg);
654 }
655
656 /*
657 * x86 defines three classes of vector instructions: explicitly
658 * aligned, explicitly unaligned, and the rest, which change behaviour
659 * depending on whether they're AVX encoded or not.
660 *
661 * Also included is CMPXCHG16B which is not a vector instruction, yet it is
662 * subject to the same check. FXSAVE and FXRSTOR are checked here too as their
663 * 512 bytes of data must be aligned to a 16 byte boundary.
664 */
665 static unsigned insn_alignment(struct x86_emulate_ctxt *ctxt, unsigned size)
666 {
667 u64 alignment = ctxt->d & AlignMask;
668
669 if (likely(size < 16))
670 return 1;
671
672 switch (alignment) {
673 case Unaligned:
674 case Avx:
675 return 1;
676 case Aligned16:
677 return 16;
678 case Aligned:
679 default:
680 return size;
681 }
682 }
683
684 static __always_inline int __linearize(struct x86_emulate_ctxt *ctxt,
685 struct segmented_address addr,
686 unsigned *max_size, unsigned size,
687 bool write, bool fetch,
688 enum x86emul_mode mode, ulong *linear)
689 {
690 struct desc_struct desc;
691 bool usable;
692 ulong la;
693 u32 lim;
694 u16 sel;
695 u8 va_bits;
696
697 la = seg_base(ctxt, addr.seg) + addr.ea;
698 *max_size = 0;
699 switch (mode) {
700 case X86EMUL_MODE_PROT64:
701 *linear = la;
702 va_bits = ctxt_virt_addr_bits(ctxt);
703 if (get_canonical(la, va_bits) != la)
704 goto bad;
705
706 *max_size = min_t(u64, ~0u, (1ull << va_bits) - la);
707 if (size > *max_size)
708 goto bad;
709 break;
710 default:
711 *linear = la = (u32)la;
712 usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
713 addr.seg);
714 if (!usable)
715 goto bad;
716 /* code segment in protected mode or read-only data segment */
717 if ((((ctxt->mode != X86EMUL_MODE_REAL) && (desc.type & 8))
718 || !(desc.type & 2)) && write)
719 goto bad;
720 /* unreadable code segment */
721 if (!fetch && (desc.type & 8) && !(desc.type & 2))
722 goto bad;
723 lim = desc_limit_scaled(&desc);
724 if (!(desc.type & 8) && (desc.type & 4)) {
725 /* expand-down segment */
726 if (addr.ea <= lim)
727 goto bad;
728 lim = desc.d ? 0xffffffff : 0xffff;
729 }
730 if (addr.ea > lim)
731 goto bad;
732 if (lim == 0xffffffff)
733 *max_size = ~0u;
734 else {
735 *max_size = (u64)lim + 1 - addr.ea;
736 if (size > *max_size)
737 goto bad;
738 }
739 break;
740 }
741 if (la & (insn_alignment(ctxt, size) - 1))
742 return emulate_gp(ctxt, 0);
743 return X86EMUL_CONTINUE;
744 bad:
745 if (addr.seg == VCPU_SREG_SS)
746 return emulate_ss(ctxt, 0);
747 else
748 return emulate_gp(ctxt, 0);
749 }
750
751 static int linearize(struct x86_emulate_ctxt *ctxt,
752 struct segmented_address addr,
753 unsigned size, bool write,
754 ulong *linear)
755 {
756 unsigned max_size;
757 return __linearize(ctxt, addr, &max_size, size, write, false,
758 ctxt->mode, linear);
759 }
760
761 static inline int assign_eip(struct x86_emulate_ctxt *ctxt, ulong dst,
762 enum x86emul_mode mode)
763 {
764 ulong linear;
765 int rc;
766 unsigned max_size;
767 struct segmented_address addr = { .seg = VCPU_SREG_CS,
768 .ea = dst };
769
770 if (ctxt->op_bytes != sizeof(unsigned long))
771 addr.ea = dst & ((1UL << (ctxt->op_bytes << 3)) - 1);
772 rc = __linearize(ctxt, addr, &max_size, 1, false, true, mode, &linear);
773 if (rc == X86EMUL_CONTINUE)
774 ctxt->_eip = addr.ea;
775 return rc;
776 }
777
778 static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
779 {
780 return assign_eip(ctxt, dst, ctxt->mode);
781 }
782
783 static int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst,
784 const struct desc_struct *cs_desc)
785 {
786 enum x86emul_mode mode = ctxt->mode;
787 int rc;
788
789 #ifdef CONFIG_X86_64
790 if (ctxt->mode >= X86EMUL_MODE_PROT16) {
791 if (cs_desc->l) {
792 u64 efer = 0;
793
794 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
795 if (efer & EFER_LMA)
796 mode = X86EMUL_MODE_PROT64;
797 } else
798 mode = X86EMUL_MODE_PROT32; /* temporary value */
799 }
800 #endif
801 if (mode == X86EMUL_MODE_PROT16 || mode == X86EMUL_MODE_PROT32)
802 mode = cs_desc->d ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16;
803 rc = assign_eip(ctxt, dst, mode);
804 if (rc == X86EMUL_CONTINUE)
805 ctxt->mode = mode;
806 return rc;
807 }
808
809 static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
810 {
811 return assign_eip_near(ctxt, ctxt->_eip + rel);
812 }
813
814 static int linear_read_system(struct x86_emulate_ctxt *ctxt, ulong linear,
815 void *data, unsigned size)
816 {
817 return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception, true);
818 }
819
820 static int linear_write_system(struct x86_emulate_ctxt *ctxt,
821 ulong linear, void *data,
822 unsigned int size)
823 {
824 return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception, true);
825 }
826
827 static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
828 struct segmented_address addr,
829 void *data,
830 unsigned size)
831 {
832 int rc;
833 ulong linear;
834
835 rc = linearize(ctxt, addr, size, false, &linear);
836 if (rc != X86EMUL_CONTINUE)
837 return rc;
838 return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception, false);
839 }
840
841 static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
842 struct segmented_address addr,
843 void *data,
844 unsigned int size)
845 {
846 int rc;
847 ulong linear;
848
849 rc = linearize(ctxt, addr, size, true, &linear);
850 if (rc != X86EMUL_CONTINUE)
851 return rc;
852 return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception, false);
853 }
854
855 /*
856 * Prefetch the remaining bytes of the instruction without crossing page
857 * boundary if they are not in fetch_cache yet.
858 */
859 static int __do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt, int op_size)
860 {
861 int rc;
862 unsigned size, max_size;
863 unsigned long linear;
864 int cur_size = ctxt->fetch.end - ctxt->fetch.data;
865 struct segmented_address addr = { .seg = VCPU_SREG_CS,
866 .ea = ctxt->eip + cur_size };
867
868 /*
869 * We do not know exactly how many bytes will be needed, and
870 * __linearize is expensive, so fetch as much as possible. We
871 * just have to avoid going beyond the 15 byte limit, the end
872 * of the segment, or the end of the page.
873 *
874 * __linearize is called with size 0 so that it does not do any
875 * boundary check itself. Instead, we use max_size to check
876 * against op_size.
877 */
878 rc = __linearize(ctxt, addr, &max_size, 0, false, true, ctxt->mode,
879 &linear);
880 if (unlikely(rc != X86EMUL_CONTINUE))
881 return rc;
882
883 size = min_t(unsigned, 15UL ^ cur_size, max_size);
884 size = min_t(unsigned, size, PAGE_SIZE - offset_in_page(linear));
885
886 /*
887 * One instruction can only straddle two pages,
888 * and one has been loaded at the beginning of
889 * x86_decode_insn. So, if not enough bytes
890 * still, we must have hit the 15-byte boundary.
891 */
892 if (unlikely(size < op_size))
893 return emulate_gp(ctxt, 0);
894
895 rc = ctxt->ops->fetch(ctxt, linear, ctxt->fetch.end,
896 size, &ctxt->exception);
897 if (unlikely(rc != X86EMUL_CONTINUE))
898 return rc;
899 ctxt->fetch.end += size;
900 return X86EMUL_CONTINUE;
901 }
902
903 static __always_inline int do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt,
904 unsigned size)
905 {
906 unsigned done_size = ctxt->fetch.end - ctxt->fetch.ptr;
907
908 if (unlikely(done_size < size))
909 return __do_insn_fetch_bytes(ctxt, size - done_size);
910 else
911 return X86EMUL_CONTINUE;
912 }
913
914 /* Fetch next part of the instruction being emulated. */
915 #define insn_fetch(_type, _ctxt) \
916 ({ _type _x; \
917 \
918 rc = do_insn_fetch_bytes(_ctxt, sizeof(_type)); \
919 if (rc != X86EMUL_CONTINUE) \
920 goto done; \
921 ctxt->_eip += sizeof(_type); \
922 memcpy(&_x, ctxt->fetch.ptr, sizeof(_type)); \
923 ctxt->fetch.ptr += sizeof(_type); \
924 _x; \
925 })
926
927 #define insn_fetch_arr(_arr, _size, _ctxt) \
928 ({ \
929 rc = do_insn_fetch_bytes(_ctxt, _size); \
930 if (rc != X86EMUL_CONTINUE) \
931 goto done; \
932 ctxt->_eip += (_size); \
933 memcpy(_arr, ctxt->fetch.ptr, _size); \
934 ctxt->fetch.ptr += (_size); \
935 })
936
937 /*
938 * Given the 'reg' portion of a ModRM byte, and a register block, return a
939 * pointer into the block that addresses the relevant register.
940 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
941 */
942 static void *decode_register(struct x86_emulate_ctxt *ctxt, u8 modrm_reg,
943 int byteop)
944 {
945 void *p;
946 int highbyte_regs = (ctxt->rex_prefix == 0) && byteop;
947
948 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
949 p = (unsigned char *)reg_rmw(ctxt, modrm_reg & 3) + 1;
950 else
951 p = reg_rmw(ctxt, modrm_reg);
952 return p;
953 }
954
955 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
956 struct segmented_address addr,
957 u16 *size, unsigned long *address, int op_bytes)
958 {
959 int rc;
960
961 if (op_bytes == 2)
962 op_bytes = 3;
963 *address = 0;
964 rc = segmented_read_std(ctxt, addr, size, 2);
965 if (rc != X86EMUL_CONTINUE)
966 return rc;
967 addr.ea += 2;
968 rc = segmented_read_std(ctxt, addr, address, op_bytes);
969 return rc;
970 }
971
972 FASTOP2(add);
973 FASTOP2(or);
974 FASTOP2(adc);
975 FASTOP2(sbb);
976 FASTOP2(and);
977 FASTOP2(sub);
978 FASTOP2(xor);
979 FASTOP2(cmp);
980 FASTOP2(test);
981
982 FASTOP1SRC2(mul, mul_ex);
983 FASTOP1SRC2(imul, imul_ex);
984 FASTOP1SRC2EX(div, div_ex);
985 FASTOP1SRC2EX(idiv, idiv_ex);
986
987 FASTOP3WCL(shld);
988 FASTOP3WCL(shrd);
989
990 FASTOP2W(imul);
991
992 FASTOP1(not);
993 FASTOP1(neg);
994 FASTOP1(inc);
995 FASTOP1(dec);
996
997 FASTOP2CL(rol);
998 FASTOP2CL(ror);
999 FASTOP2CL(rcl);
1000 FASTOP2CL(rcr);
1001 FASTOP2CL(shl);
1002 FASTOP2CL(shr);
1003 FASTOP2CL(sar);
1004
1005 FASTOP2W(bsf);
1006 FASTOP2W(bsr);
1007 FASTOP2W(bt);
1008 FASTOP2W(bts);
1009 FASTOP2W(btr);
1010 FASTOP2W(btc);
1011
1012 FASTOP2(xadd);
1013
1014 FASTOP2R(cmp, cmp_r);
1015
1016 static int em_bsf_c(struct x86_emulate_ctxt *ctxt)
1017 {
1018 /* If src is zero, do not writeback, but update flags */
1019 if (ctxt->src.val == 0)
1020 ctxt->dst.type = OP_NONE;
1021 return fastop(ctxt, em_bsf);
1022 }
1023
1024 static int em_bsr_c(struct x86_emulate_ctxt *ctxt)
1025 {
1026 /* If src is zero, do not writeback, but update flags */
1027 if (ctxt->src.val == 0)
1028 ctxt->dst.type = OP_NONE;
1029 return fastop(ctxt, em_bsr);
1030 }
1031
1032 static __always_inline u8 test_cc(unsigned int condition, unsigned long flags)
1033 {
1034 u8 rc;
1035 void (*fop)(void) = (void *)em_setcc + 4 * (condition & 0xf);
1036
1037 flags = (flags & EFLAGS_MASK) | X86_EFLAGS_IF;
1038 asm("push %[flags]; popf; " CALL_NOSPEC
1039 : "=a"(rc) : [thunk_target]"r"(fop), [flags]"r"(flags));
1040 return rc;
1041 }
1042
1043 static void fetch_register_operand(struct operand *op)
1044 {
1045 switch (op->bytes) {
1046 case 1:
1047 op->val = *(u8 *)op->addr.reg;
1048 break;
1049 case 2:
1050 op->val = *(u16 *)op->addr.reg;
1051 break;
1052 case 4:
1053 op->val = *(u32 *)op->addr.reg;
1054 break;
1055 case 8:
1056 op->val = *(u64 *)op->addr.reg;
1057 break;
1058 }
1059 }
1060
1061 static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
1062 {
1063 ctxt->ops->get_fpu(ctxt);
1064 switch (reg) {
1065 case 0: asm("movdqa %%xmm0, %0" : "=m"(*data)); break;
1066 case 1: asm("movdqa %%xmm1, %0" : "=m"(*data)); break;
1067 case 2: asm("movdqa %%xmm2, %0" : "=m"(*data)); break;
1068 case 3: asm("movdqa %%xmm3, %0" : "=m"(*data)); break;
1069 case 4: asm("movdqa %%xmm4, %0" : "=m"(*data)); break;
1070 case 5: asm("movdqa %%xmm5, %0" : "=m"(*data)); break;
1071 case 6: asm("movdqa %%xmm6, %0" : "=m"(*data)); break;
1072 case 7: asm("movdqa %%xmm7, %0" : "=m"(*data)); break;
1073 #ifdef CONFIG_X86_64
1074 case 8: asm("movdqa %%xmm8, %0" : "=m"(*data)); break;
1075 case 9: asm("movdqa %%xmm9, %0" : "=m"(*data)); break;
1076 case 10: asm("movdqa %%xmm10, %0" : "=m"(*data)); break;
1077 case 11: asm("movdqa %%xmm11, %0" : "=m"(*data)); break;
1078 case 12: asm("movdqa %%xmm12, %0" : "=m"(*data)); break;
1079 case 13: asm("movdqa %%xmm13, %0" : "=m"(*data)); break;
1080 case 14: asm("movdqa %%xmm14, %0" : "=m"(*data)); break;
1081 case 15: asm("movdqa %%xmm15, %0" : "=m"(*data)); break;
1082 #endif
1083 default: BUG();
1084 }
1085 ctxt->ops->put_fpu(ctxt);
1086 }
1087
1088 static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
1089 int reg)
1090 {
1091 ctxt->ops->get_fpu(ctxt);
1092 switch (reg) {
1093 case 0: asm("movdqa %0, %%xmm0" : : "m"(*data)); break;
1094 case 1: asm("movdqa %0, %%xmm1" : : "m"(*data)); break;
1095 case 2: asm("movdqa %0, %%xmm2" : : "m"(*data)); break;
1096 case 3: asm("movdqa %0, %%xmm3" : : "m"(*data)); break;
1097 case 4: asm("movdqa %0, %%xmm4" : : "m"(*data)); break;
1098 case 5: asm("movdqa %0, %%xmm5" : : "m"(*data)); break;
1099 case 6: asm("movdqa %0, %%xmm6" : : "m"(*data)); break;
1100 case 7: asm("movdqa %0, %%xmm7" : : "m"(*data)); break;
1101 #ifdef CONFIG_X86_64
1102 case 8: asm("movdqa %0, %%xmm8" : : "m"(*data)); break;
1103 case 9: asm("movdqa %0, %%xmm9" : : "m"(*data)); break;
1104 case 10: asm("movdqa %0, %%xmm10" : : "m"(*data)); break;
1105 case 11: asm("movdqa %0, %%xmm11" : : "m"(*data)); break;
1106 case 12: asm("movdqa %0, %%xmm12" : : "m"(*data)); break;
1107 case 13: asm("movdqa %0, %%xmm13" : : "m"(*data)); break;
1108 case 14: asm("movdqa %0, %%xmm14" : : "m"(*data)); break;
1109 case 15: asm("movdqa %0, %%xmm15" : : "m"(*data)); break;
1110 #endif
1111 default: BUG();
1112 }
1113 ctxt->ops->put_fpu(ctxt);
1114 }
1115
1116 static void read_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
1117 {
1118 ctxt->ops->get_fpu(ctxt);
1119 switch (reg) {
1120 case 0: asm("movq %%mm0, %0" : "=m"(*data)); break;
1121 case 1: asm("movq %%mm1, %0" : "=m"(*data)); break;
1122 case 2: asm("movq %%mm2, %0" : "=m"(*data)); break;
1123 case 3: asm("movq %%mm3, %0" : "=m"(*data)); break;
1124 case 4: asm("movq %%mm4, %0" : "=m"(*data)); break;
1125 case 5: asm("movq %%mm5, %0" : "=m"(*data)); break;
1126 case 6: asm("movq %%mm6, %0" : "=m"(*data)); break;
1127 case 7: asm("movq %%mm7, %0" : "=m"(*data)); break;
1128 default: BUG();
1129 }
1130 ctxt->ops->put_fpu(ctxt);
1131 }
1132
1133 static void write_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
1134 {
1135 ctxt->ops->get_fpu(ctxt);
1136 switch (reg) {
1137 case 0: asm("movq %0, %%mm0" : : "m"(*data)); break;
1138 case 1: asm("movq %0, %%mm1" : : "m"(*data)); break;
1139 case 2: asm("movq %0, %%mm2" : : "m"(*data)); break;
1140 case 3: asm("movq %0, %%mm3" : : "m"(*data)); break;
1141 case 4: asm("movq %0, %%mm4" : : "m"(*data)); break;
1142 case 5: asm("movq %0, %%mm5" : : "m"(*data)); break;
1143 case 6: asm("movq %0, %%mm6" : : "m"(*data)); break;
1144 case 7: asm("movq %0, %%mm7" : : "m"(*data)); break;
1145 default: BUG();
1146 }
1147 ctxt->ops->put_fpu(ctxt);
1148 }
1149
1150 static int em_fninit(struct x86_emulate_ctxt *ctxt)
1151 {
1152 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1153 return emulate_nm(ctxt);
1154
1155 ctxt->ops->get_fpu(ctxt);
1156 asm volatile("fninit");
1157 ctxt->ops->put_fpu(ctxt);
1158 return X86EMUL_CONTINUE;
1159 }
1160
1161 static int em_fnstcw(struct x86_emulate_ctxt *ctxt)
1162 {
1163 u16 fcw;
1164
1165 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1166 return emulate_nm(ctxt);
1167
1168 ctxt->ops->get_fpu(ctxt);
1169 asm volatile("fnstcw %0": "+m"(fcw));
1170 ctxt->ops->put_fpu(ctxt);
1171
1172 ctxt->dst.val = fcw;
1173
1174 return X86EMUL_CONTINUE;
1175 }
1176
1177 static int em_fnstsw(struct x86_emulate_ctxt *ctxt)
1178 {
1179 u16 fsw;
1180
1181 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1182 return emulate_nm(ctxt);
1183
1184 ctxt->ops->get_fpu(ctxt);
1185 asm volatile("fnstsw %0": "+m"(fsw));
1186 ctxt->ops->put_fpu(ctxt);
1187
1188 ctxt->dst.val = fsw;
1189
1190 return X86EMUL_CONTINUE;
1191 }
1192
1193 static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
1194 struct operand *op)
1195 {
1196 unsigned reg = ctxt->modrm_reg;
1197
1198 if (!(ctxt->d & ModRM))
1199 reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3);
1200
1201 if (ctxt->d & Sse) {
1202 op->type = OP_XMM;
1203 op->bytes = 16;
1204 op->addr.xmm = reg;
1205 read_sse_reg(ctxt, &op->vec_val, reg);
1206 return;
1207 }
1208 if (ctxt->d & Mmx) {
1209 reg &= 7;
1210 op->type = OP_MM;
1211 op->bytes = 8;
1212 op->addr.mm = reg;
1213 return;
1214 }
1215
1216 op->type = OP_REG;
1217 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1218 op->addr.reg = decode_register(ctxt, reg, ctxt->d & ByteOp);
1219
1220 fetch_register_operand(op);
1221 op->orig_val = op->val;
1222 }
1223
1224 static void adjust_modrm_seg(struct x86_emulate_ctxt *ctxt, int base_reg)
1225 {
1226 if (base_reg == VCPU_REGS_RSP || base_reg == VCPU_REGS_RBP)
1227 ctxt->modrm_seg = VCPU_SREG_SS;
1228 }
1229
1230 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
1231 struct operand *op)
1232 {
1233 u8 sib;
1234 int index_reg, base_reg, scale;
1235 int rc = X86EMUL_CONTINUE;
1236 ulong modrm_ea = 0;
1237
1238 ctxt->modrm_reg = ((ctxt->rex_prefix << 1) & 8); /* REX.R */
1239 index_reg = (ctxt->rex_prefix << 2) & 8; /* REX.X */
1240 base_reg = (ctxt->rex_prefix << 3) & 8; /* REX.B */
1241
1242 ctxt->modrm_mod = (ctxt->modrm & 0xc0) >> 6;
1243 ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
1244 ctxt->modrm_rm = base_reg | (ctxt->modrm & 0x07);
1245 ctxt->modrm_seg = VCPU_SREG_DS;
1246
1247 if (ctxt->modrm_mod == 3 || (ctxt->d & NoMod)) {
1248 op->type = OP_REG;
1249 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1250 op->addr.reg = decode_register(ctxt, ctxt->modrm_rm,
1251 ctxt->d & ByteOp);
1252 if (ctxt->d & Sse) {
1253 op->type = OP_XMM;
1254 op->bytes = 16;
1255 op->addr.xmm = ctxt->modrm_rm;
1256 read_sse_reg(ctxt, &op->vec_val, ctxt->modrm_rm);
1257 return rc;
1258 }
1259 if (ctxt->d & Mmx) {
1260 op->type = OP_MM;
1261 op->bytes = 8;
1262 op->addr.mm = ctxt->modrm_rm & 7;
1263 return rc;
1264 }
1265 fetch_register_operand(op);
1266 return rc;
1267 }
1268
1269 op->type = OP_MEM;
1270
1271 if (ctxt->ad_bytes == 2) {
1272 unsigned bx = reg_read(ctxt, VCPU_REGS_RBX);
1273 unsigned bp = reg_read(ctxt, VCPU_REGS_RBP);
1274 unsigned si = reg_read(ctxt, VCPU_REGS_RSI);
1275 unsigned di = reg_read(ctxt, VCPU_REGS_RDI);
1276
1277 /* 16-bit ModR/M decode. */
1278 switch (ctxt->modrm_mod) {
1279 case 0:
1280 if (ctxt->modrm_rm == 6)
1281 modrm_ea += insn_fetch(u16, ctxt);
1282 break;
1283 case 1:
1284 modrm_ea += insn_fetch(s8, ctxt);
1285 break;
1286 case 2:
1287 modrm_ea += insn_fetch(u16, ctxt);
1288 break;
1289 }
1290 switch (ctxt->modrm_rm) {
1291 case 0:
1292 modrm_ea += bx + si;
1293 break;
1294 case 1:
1295 modrm_ea += bx + di;
1296 break;
1297 case 2:
1298 modrm_ea += bp + si;
1299 break;
1300 case 3:
1301 modrm_ea += bp + di;
1302 break;
1303 case 4:
1304 modrm_ea += si;
1305 break;
1306 case 5:
1307 modrm_ea += di;
1308 break;
1309 case 6:
1310 if (ctxt->modrm_mod != 0)
1311 modrm_ea += bp;
1312 break;
1313 case 7:
1314 modrm_ea += bx;
1315 break;
1316 }
1317 if (ctxt->modrm_rm == 2 || ctxt->modrm_rm == 3 ||
1318 (ctxt->modrm_rm == 6 && ctxt->modrm_mod != 0))
1319 ctxt->modrm_seg = VCPU_SREG_SS;
1320 modrm_ea = (u16)modrm_ea;
1321 } else {
1322 /* 32/64-bit ModR/M decode. */
1323 if ((ctxt->modrm_rm & 7) == 4) {
1324 sib = insn_fetch(u8, ctxt);
1325 index_reg |= (sib >> 3) & 7;
1326 base_reg |= sib & 7;
1327 scale = sib >> 6;
1328
1329 if ((base_reg & 7) == 5 && ctxt->modrm_mod == 0)
1330 modrm_ea += insn_fetch(s32, ctxt);
1331 else {
1332 modrm_ea += reg_read(ctxt, base_reg);
1333 adjust_modrm_seg(ctxt, base_reg);
1334 /* Increment ESP on POP [ESP] */
1335 if ((ctxt->d & IncSP) &&
1336 base_reg == VCPU_REGS_RSP)
1337 modrm_ea += ctxt->op_bytes;
1338 }
1339 if (index_reg != 4)
1340 modrm_ea += reg_read(ctxt, index_reg) << scale;
1341 } else if ((ctxt->modrm_rm & 7) == 5 && ctxt->modrm_mod == 0) {
1342 modrm_ea += insn_fetch(s32, ctxt);
1343 if (ctxt->mode == X86EMUL_MODE_PROT64)
1344 ctxt->rip_relative = 1;
1345 } else {
1346 base_reg = ctxt->modrm_rm;
1347 modrm_ea += reg_read(ctxt, base_reg);
1348 adjust_modrm_seg(ctxt, base_reg);
1349 }
1350 switch (ctxt->modrm_mod) {
1351 case 1:
1352 modrm_ea += insn_fetch(s8, ctxt);
1353 break;
1354 case 2:
1355 modrm_ea += insn_fetch(s32, ctxt);
1356 break;
1357 }
1358 }
1359 op->addr.mem.ea = modrm_ea;
1360 if (ctxt->ad_bytes != 8)
1361 ctxt->memop.addr.mem.ea = (u32)ctxt->memop.addr.mem.ea;
1362
1363 done:
1364 return rc;
1365 }
1366
1367 static int decode_abs(struct x86_emulate_ctxt *ctxt,
1368 struct operand *op)
1369 {
1370 int rc = X86EMUL_CONTINUE;
1371
1372 op->type = OP_MEM;
1373 switch (ctxt->ad_bytes) {
1374 case 2:
1375 op->addr.mem.ea = insn_fetch(u16, ctxt);
1376 break;
1377 case 4:
1378 op->addr.mem.ea = insn_fetch(u32, ctxt);
1379 break;
1380 case 8:
1381 op->addr.mem.ea = insn_fetch(u64, ctxt);
1382 break;
1383 }
1384 done:
1385 return rc;
1386 }
1387
1388 static void fetch_bit_operand(struct x86_emulate_ctxt *ctxt)
1389 {
1390 long sv = 0, mask;
1391
1392 if (ctxt->dst.type == OP_MEM && ctxt->src.type == OP_REG) {
1393 mask = ~((long)ctxt->dst.bytes * 8 - 1);
1394
1395 if (ctxt->src.bytes == 2)
1396 sv = (s16)ctxt->src.val & (s16)mask;
1397 else if (ctxt->src.bytes == 4)
1398 sv = (s32)ctxt->src.val & (s32)mask;
1399 else
1400 sv = (s64)ctxt->src.val & (s64)mask;
1401
1402 ctxt->dst.addr.mem.ea = address_mask(ctxt,
1403 ctxt->dst.addr.mem.ea + (sv >> 3));
1404 }
1405
1406 /* only subword offset */
1407 ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
1408 }
1409
1410 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1411 unsigned long addr, void *dest, unsigned size)
1412 {
1413 int rc;
1414 struct read_cache *mc = &ctxt->mem_read;
1415
1416 if (mc->pos < mc->end)
1417 goto read_cached;
1418
1419 WARN_ON((mc->end + size) >= sizeof(mc->data));
1420
1421 rc = ctxt->ops->read_emulated(ctxt, addr, mc->data + mc->end, size,
1422 &ctxt->exception);
1423 if (rc != X86EMUL_CONTINUE)
1424 return rc;
1425
1426 mc->end += size;
1427
1428 read_cached:
1429 memcpy(dest, mc->data + mc->pos, size);
1430 mc->pos += size;
1431 return X86EMUL_CONTINUE;
1432 }
1433
1434 static int segmented_read(struct x86_emulate_ctxt *ctxt,
1435 struct segmented_address addr,
1436 void *data,
1437 unsigned size)
1438 {
1439 int rc;
1440 ulong linear;
1441
1442 rc = linearize(ctxt, addr, size, false, &linear);
1443 if (rc != X86EMUL_CONTINUE)
1444 return rc;
1445 return read_emulated(ctxt, linear, data, size);
1446 }
1447
1448 static int segmented_write(struct x86_emulate_ctxt *ctxt,
1449 struct segmented_address addr,
1450 const void *data,
1451 unsigned size)
1452 {
1453 int rc;
1454 ulong linear;
1455
1456 rc = linearize(ctxt, addr, size, true, &linear);
1457 if (rc != X86EMUL_CONTINUE)
1458 return rc;
1459 return ctxt->ops->write_emulated(ctxt, linear, data, size,
1460 &ctxt->exception);
1461 }
1462
1463 static int segmented_cmpxchg(struct x86_emulate_ctxt *ctxt,
1464 struct segmented_address addr,
1465 const void *orig_data, const void *data,
1466 unsigned size)
1467 {
1468 int rc;
1469 ulong linear;
1470
1471 rc = linearize(ctxt, addr, size, true, &linear);
1472 if (rc != X86EMUL_CONTINUE)
1473 return rc;
1474 return ctxt->ops->cmpxchg_emulated(ctxt, linear, orig_data, data,
1475 size, &ctxt->exception);
1476 }
1477
1478 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1479 unsigned int size, unsigned short port,
1480 void *dest)
1481 {
1482 struct read_cache *rc = &ctxt->io_read;
1483
1484 if (rc->pos == rc->end) { /* refill pio read ahead */
1485 unsigned int in_page, n;
1486 unsigned int count = ctxt->rep_prefix ?
1487 address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) : 1;
1488 in_page = (ctxt->eflags & X86_EFLAGS_DF) ?
1489 offset_in_page(reg_read(ctxt, VCPU_REGS_RDI)) :
1490 PAGE_SIZE - offset_in_page(reg_read(ctxt, VCPU_REGS_RDI));
1491 n = min3(in_page, (unsigned int)sizeof(rc->data) / size, count);
1492 if (n == 0)
1493 n = 1;
1494 rc->pos = rc->end = 0;
1495 if (!ctxt->ops->pio_in_emulated(ctxt, size, port, rc->data, n))
1496 return 0;
1497 rc->end = n * size;
1498 }
1499
1500 if (ctxt->rep_prefix && (ctxt->d & String) &&
1501 !(ctxt->eflags & X86_EFLAGS_DF)) {
1502 ctxt->dst.data = rc->data + rc->pos;
1503 ctxt->dst.type = OP_MEM_STR;
1504 ctxt->dst.count = (rc->end - rc->pos) / size;
1505 rc->pos = rc->end;
1506 } else {
1507 memcpy(dest, rc->data + rc->pos, size);
1508 rc->pos += size;
1509 }
1510 return 1;
1511 }
1512
1513 static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt,
1514 u16 index, struct desc_struct *desc)
1515 {
1516 struct desc_ptr dt;
1517 ulong addr;
1518
1519 ctxt->ops->get_idt(ctxt, &dt);
1520
1521 if (dt.size < index * 8 + 7)
1522 return emulate_gp(ctxt, index << 3 | 0x2);
1523
1524 addr = dt.address + index * 8;
1525 return linear_read_system(ctxt, addr, desc, sizeof *desc);
1526 }
1527
1528 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1529 u16 selector, struct desc_ptr *dt)
1530 {
1531 const struct x86_emulate_ops *ops = ctxt->ops;
1532 u32 base3 = 0;
1533
1534 if (selector & 1 << 2) {
1535 struct desc_struct desc;
1536 u16 sel;
1537
1538 memset (dt, 0, sizeof *dt);
1539 if (!ops->get_segment(ctxt, &sel, &desc, &base3,
1540 VCPU_SREG_LDTR))
1541 return;
1542
1543 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1544 dt->address = get_desc_base(&desc) | ((u64)base3 << 32);
1545 } else
1546 ops->get_gdt(ctxt, dt);
1547 }
1548
1549 static int get_descriptor_ptr(struct x86_emulate_ctxt *ctxt,
1550 u16 selector, ulong *desc_addr_p)
1551 {
1552 struct desc_ptr dt;
1553 u16 index = selector >> 3;
1554 ulong addr;
1555
1556 get_descriptor_table_ptr(ctxt, selector, &dt);
1557
1558 if (dt.size < index * 8 + 7)
1559 return emulate_gp(ctxt, selector & 0xfffc);
1560
1561 addr = dt.address + index * 8;
1562
1563 #ifdef CONFIG_X86_64
1564 if (addr >> 32 != 0) {
1565 u64 efer = 0;
1566
1567 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1568 if (!(efer & EFER_LMA))
1569 addr &= (u32)-1;
1570 }
1571 #endif
1572
1573 *desc_addr_p = addr;
1574 return X86EMUL_CONTINUE;
1575 }
1576
1577 /* allowed just for 8 bytes segments */
1578 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1579 u16 selector, struct desc_struct *desc,
1580 ulong *desc_addr_p)
1581 {
1582 int rc;
1583
1584 rc = get_descriptor_ptr(ctxt, selector, desc_addr_p);
1585 if (rc != X86EMUL_CONTINUE)
1586 return rc;
1587
1588 return linear_read_system(ctxt, *desc_addr_p, desc, sizeof(*desc));
1589 }
1590
1591 /* allowed just for 8 bytes segments */
1592 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1593 u16 selector, struct desc_struct *desc)
1594 {
1595 int rc;
1596 ulong addr;
1597
1598 rc = get_descriptor_ptr(ctxt, selector, &addr);
1599 if (rc != X86EMUL_CONTINUE)
1600 return rc;
1601
1602 return linear_write_system(ctxt, addr, desc, sizeof *desc);
1603 }
1604
1605 static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1606 u16 selector, int seg, u8 cpl,
1607 enum x86_transfer_type transfer,
1608 struct desc_struct *desc)
1609 {
1610 struct desc_struct seg_desc, old_desc;
1611 u8 dpl, rpl;
1612 unsigned err_vec = GP_VECTOR;
1613 u32 err_code = 0;
1614 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1615 ulong desc_addr;
1616 int ret;
1617 u16 dummy;
1618 u32 base3 = 0;
1619
1620 memset(&seg_desc, 0, sizeof seg_desc);
1621
1622 if (ctxt->mode == X86EMUL_MODE_REAL) {
1623 /* set real mode segment descriptor (keep limit etc. for
1624 * unreal mode) */
1625 ctxt->ops->get_segment(ctxt, &dummy, &seg_desc, NULL, seg);
1626 set_desc_base(&seg_desc, selector << 4);
1627 goto load;
1628 } else if (seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86) {
1629 /* VM86 needs a clean new segment descriptor */
1630 set_desc_base(&seg_desc, selector << 4);
1631 set_desc_limit(&seg_desc, 0xffff);
1632 seg_desc.type = 3;
1633 seg_desc.p = 1;
1634 seg_desc.s = 1;
1635 seg_desc.dpl = 3;
1636 goto load;
1637 }
1638
1639 rpl = selector & 3;
1640
1641 /* TR should be in GDT only */
1642 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1643 goto exception;
1644
1645 /* NULL selector is not valid for TR, CS and (except for long mode) SS */
1646 if (null_selector) {
1647 if (seg == VCPU_SREG_CS || seg == VCPU_SREG_TR)
1648 goto exception;
1649
1650 if (seg == VCPU_SREG_SS) {
1651 if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)
1652 goto exception;
1653
1654 /*
1655 * ctxt->ops->set_segment expects the CPL to be in
1656 * SS.DPL, so fake an expand-up 32-bit data segment.
1657 */
1658 seg_desc.type = 3;
1659 seg_desc.p = 1;
1660 seg_desc.s = 1;
1661 seg_desc.dpl = cpl;
1662 seg_desc.d = 1;
1663 seg_desc.g = 1;
1664 }
1665
1666 /* Skip all following checks */
1667 goto load;
1668 }
1669
1670 ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr);
1671 if (ret != X86EMUL_CONTINUE)
1672 return ret;
1673
1674 err_code = selector & 0xfffc;
1675 err_vec = (transfer == X86_TRANSFER_TASK_SWITCH) ? TS_VECTOR :
1676 GP_VECTOR;
1677
1678 /* can't load system descriptor into segment selector */
1679 if (seg <= VCPU_SREG_GS && !seg_desc.s) {
1680 if (transfer == X86_TRANSFER_CALL_JMP)
1681 return X86EMUL_UNHANDLEABLE;
1682 goto exception;
1683 }
1684
1685 if (!seg_desc.p) {
1686 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1687 goto exception;
1688 }
1689
1690 dpl = seg_desc.dpl;
1691
1692 switch (seg) {
1693 case VCPU_SREG_SS:
1694 /*
1695 * segment is not a writable data segment or segment
1696 * selector's RPL != CPL or segment selector's RPL != CPL
1697 */
1698 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1699 goto exception;
1700 break;
1701 case VCPU_SREG_CS:
1702 if (!(seg_desc.type & 8))
1703 goto exception;
1704
1705 if (seg_desc.type & 4) {
1706 /* conforming */
1707 if (dpl > cpl)
1708 goto exception;
1709 } else {
1710 /* nonconforming */
1711 if (rpl > cpl || dpl != cpl)
1712 goto exception;
1713 }
1714 /* in long-mode d/b must be clear if l is set */
1715 if (seg_desc.d && seg_desc.l) {
1716 u64 efer = 0;
1717
1718 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1719 if (efer & EFER_LMA)
1720 goto exception;
1721 }
1722
1723 /* CS(RPL) <- CPL */
1724 selector = (selector & 0xfffc) | cpl;
1725 break;
1726 case VCPU_SREG_TR:
1727 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1728 goto exception;
1729 old_desc = seg_desc;
1730 seg_desc.type |= 2; /* busy */
1731 ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
1732 sizeof(seg_desc), &ctxt->exception);
1733 if (ret != X86EMUL_CONTINUE)
1734 return ret;
1735 break;
1736 case VCPU_SREG_LDTR:
1737 if (seg_desc.s || seg_desc.type != 2)
1738 goto exception;
1739 break;
1740 default: /* DS, ES, FS, or GS */
1741 /*
1742 * segment is not a data or readable code segment or
1743 * ((segment is a data or nonconforming code segment)
1744 * and (both RPL and CPL > DPL))
1745 */
1746 if ((seg_desc.type & 0xa) == 0x8 ||
1747 (((seg_desc.type & 0xc) != 0xc) &&
1748 (rpl > dpl && cpl > dpl)))
1749 goto exception;
1750 break;
1751 }
1752
1753 if (seg_desc.s) {
1754 /* mark segment as accessed */
1755 if (!(seg_desc.type & 1)) {
1756 seg_desc.type |= 1;
1757 ret = write_segment_descriptor(ctxt, selector,
1758 &seg_desc);
1759 if (ret != X86EMUL_CONTINUE)
1760 return ret;
1761 }
1762 } else if (ctxt->mode == X86EMUL_MODE_PROT64) {
1763 ret = linear_read_system(ctxt, desc_addr+8, &base3, sizeof(base3));
1764 if (ret != X86EMUL_CONTINUE)
1765 return ret;
1766 if (emul_is_noncanonical_address(get_desc_base(&seg_desc) |
1767 ((u64)base3 << 32), ctxt))
1768 return emulate_gp(ctxt, 0);
1769 }
1770 load:
1771 ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg);
1772 if (desc)
1773 *desc = seg_desc;
1774 return X86EMUL_CONTINUE;
1775 exception:
1776 return emulate_exception(ctxt, err_vec, err_code, true);
1777 }
1778
1779 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1780 u16 selector, int seg)
1781 {
1782 u8 cpl = ctxt->ops->cpl(ctxt);
1783
1784 /*
1785 * None of MOV, POP and LSS can load a NULL selector in CPL=3, but
1786 * they can load it at CPL<3 (Intel's manual says only LSS can,
1787 * but it's wrong).
1788 *
1789 * However, the Intel manual says that putting IST=1/DPL=3 in
1790 * an interrupt gate will result in SS=3 (the AMD manual instead
1791 * says it doesn't), so allow SS=3 in __load_segment_descriptor
1792 * and only forbid it here.
1793 */
1794 if (seg == VCPU_SREG_SS && selector == 3 &&
1795 ctxt->mode == X86EMUL_MODE_PROT64)
1796 return emulate_exception(ctxt, GP_VECTOR, 0, true);
1797
1798 return __load_segment_descriptor(ctxt, selector, seg, cpl,
1799 X86_TRANSFER_NONE, NULL);
1800 }
1801
1802 static void write_register_operand(struct operand *op)
1803 {
1804 return assign_register(op->addr.reg, op->val, op->bytes);
1805 }
1806
1807 static int writeback(struct x86_emulate_ctxt *ctxt, struct operand *op)
1808 {
1809 switch (op->type) {
1810 case OP_REG:
1811 write_register_operand(op);
1812 break;
1813 case OP_MEM:
1814 if (ctxt->lock_prefix)
1815 return segmented_cmpxchg(ctxt,
1816 op->addr.mem,
1817 &op->orig_val,
1818 &op->val,
1819 op->bytes);
1820 else
1821 return segmented_write(ctxt,
1822 op->addr.mem,
1823 &op->val,
1824 op->bytes);
1825 break;
1826 case OP_MEM_STR:
1827 return segmented_write(ctxt,
1828 op->addr.mem,
1829 op->data,
1830 op->bytes * op->count);
1831 break;
1832 case OP_XMM:
1833 write_sse_reg(ctxt, &op->vec_val, op->addr.xmm);
1834 break;
1835 case OP_MM:
1836 write_mmx_reg(ctxt, &op->mm_val, op->addr.mm);
1837 break;
1838 case OP_NONE:
1839 /* no writeback */
1840 break;
1841 default:
1842 break;
1843 }
1844 return X86EMUL_CONTINUE;
1845 }
1846
1847 static int push(struct x86_emulate_ctxt *ctxt, void *data, int bytes)
1848 {
1849 struct segmented_address addr;
1850
1851 rsp_increment(ctxt, -bytes);
1852 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1853 addr.seg = VCPU_SREG_SS;
1854
1855 return segmented_write(ctxt, addr, data, bytes);
1856 }
1857
1858 static int em_push(struct x86_emulate_ctxt *ctxt)
1859 {
1860 /* Disable writeback. */
1861 ctxt->dst.type = OP_NONE;
1862 return push(ctxt, &ctxt->src.val, ctxt->op_bytes);
1863 }
1864
1865 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1866 void *dest, int len)
1867 {
1868 int rc;
1869 struct segmented_address addr;
1870
1871 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1872 addr.seg = VCPU_SREG_SS;
1873 rc = segmented_read(ctxt, addr, dest, len);
1874 if (rc != X86EMUL_CONTINUE)
1875 return rc;
1876
1877 rsp_increment(ctxt, len);
1878 return rc;
1879 }
1880
1881 static int em_pop(struct x86_emulate_ctxt *ctxt)
1882 {
1883 return emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1884 }
1885
1886 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1887 void *dest, int len)
1888 {
1889 int rc;
1890 unsigned long val, change_mask;
1891 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> X86_EFLAGS_IOPL_BIT;
1892 int cpl = ctxt->ops->cpl(ctxt);
1893
1894 rc = emulate_pop(ctxt, &val, len);
1895 if (rc != X86EMUL_CONTINUE)
1896 return rc;
1897
1898 change_mask = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
1899 X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_OF |
1900 X86_EFLAGS_TF | X86_EFLAGS_DF | X86_EFLAGS_NT |
1901 X86_EFLAGS_AC | X86_EFLAGS_ID;
1902
1903 switch(ctxt->mode) {
1904 case X86EMUL_MODE_PROT64:
1905 case X86EMUL_MODE_PROT32:
1906 case X86EMUL_MODE_PROT16:
1907 if (cpl == 0)
1908 change_mask |= X86_EFLAGS_IOPL;
1909 if (cpl <= iopl)
1910 change_mask |= X86_EFLAGS_IF;
1911 break;
1912 case X86EMUL_MODE_VM86:
1913 if (iopl < 3)
1914 return emulate_gp(ctxt, 0);
1915 change_mask |= X86_EFLAGS_IF;
1916 break;
1917 default: /* real mode */
1918 change_mask |= (X86_EFLAGS_IOPL | X86_EFLAGS_IF);
1919 break;
1920 }
1921
1922 *(unsigned long *)dest =
1923 (ctxt->eflags & ~change_mask) | (val & change_mask);
1924
1925 return rc;
1926 }
1927
1928 static int em_popf(struct x86_emulate_ctxt *ctxt)
1929 {
1930 ctxt->dst.type = OP_REG;
1931 ctxt->dst.addr.reg = &ctxt->eflags;
1932 ctxt->dst.bytes = ctxt->op_bytes;
1933 return emulate_popf(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1934 }
1935
1936 static int em_enter(struct x86_emulate_ctxt *ctxt)
1937 {
1938 int rc;
1939 unsigned frame_size = ctxt->src.val;
1940 unsigned nesting_level = ctxt->src2.val & 31;
1941 ulong rbp;
1942
1943 if (nesting_level)
1944 return X86EMUL_UNHANDLEABLE;
1945
1946 rbp = reg_read(ctxt, VCPU_REGS_RBP);
1947 rc = push(ctxt, &rbp, stack_size(ctxt));
1948 if (rc != X86EMUL_CONTINUE)
1949 return rc;
1950 assign_masked(reg_rmw(ctxt, VCPU_REGS_RBP), reg_read(ctxt, VCPU_REGS_RSP),
1951 stack_mask(ctxt));
1952 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP),
1953 reg_read(ctxt, VCPU_REGS_RSP) - frame_size,
1954 stack_mask(ctxt));
1955 return X86EMUL_CONTINUE;
1956 }
1957
1958 static int em_leave(struct x86_emulate_ctxt *ctxt)
1959 {
1960 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP), reg_read(ctxt, VCPU_REGS_RBP),
1961 stack_mask(ctxt));
1962 return emulate_pop(ctxt, reg_rmw(ctxt, VCPU_REGS_RBP), ctxt->op_bytes);
1963 }
1964
1965 static int em_push_sreg(struct x86_emulate_ctxt *ctxt)
1966 {
1967 int seg = ctxt->src2.val;
1968
1969 ctxt->src.val = get_segment_selector(ctxt, seg);
1970 if (ctxt->op_bytes == 4) {
1971 rsp_increment(ctxt, -2);
1972 ctxt->op_bytes = 2;
1973 }
1974
1975 return em_push(ctxt);
1976 }
1977
1978 static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
1979 {
1980 int seg = ctxt->src2.val;
1981 unsigned long selector;
1982 int rc;
1983
1984 rc = emulate_pop(ctxt, &selector, 2);
1985 if (rc != X86EMUL_CONTINUE)
1986 return rc;
1987
1988 if (ctxt->modrm_reg == VCPU_SREG_SS)
1989 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
1990 if (ctxt->op_bytes > 2)
1991 rsp_increment(ctxt, ctxt->op_bytes - 2);
1992
1993 rc = load_segment_descriptor(ctxt, (u16)selector, seg);
1994 return rc;
1995 }
1996
1997 static int em_pusha(struct x86_emulate_ctxt *ctxt)
1998 {
1999 unsigned long old_esp = reg_read(ctxt, VCPU_REGS_RSP);
2000 int rc = X86EMUL_CONTINUE;
2001 int reg = VCPU_REGS_RAX;
2002
2003 while (reg <= VCPU_REGS_RDI) {
2004 (reg == VCPU_REGS_RSP) ?
2005 (ctxt->src.val = old_esp) : (ctxt->src.val = reg_read(ctxt, reg));
2006
2007 rc = em_push(ctxt);
2008 if (rc != X86EMUL_CONTINUE)
2009 return rc;
2010
2011 ++reg;
2012 }
2013
2014 return rc;
2015 }
2016
2017 static int em_pushf(struct x86_emulate_ctxt *ctxt)
2018 {
2019 ctxt->src.val = (unsigned long)ctxt->eflags & ~X86_EFLAGS_VM;
2020 return em_push(ctxt);
2021 }
2022
2023 static int em_popa(struct x86_emulate_ctxt *ctxt)
2024 {
2025 int rc = X86EMUL_CONTINUE;
2026 int reg = VCPU_REGS_RDI;
2027 u32 val;
2028
2029 while (reg >= VCPU_REGS_RAX) {
2030 if (reg == VCPU_REGS_RSP) {
2031 rsp_increment(ctxt, ctxt->op_bytes);
2032 --reg;
2033 }
2034
2035 rc = emulate_pop(ctxt, &val, ctxt->op_bytes);
2036 if (rc != X86EMUL_CONTINUE)
2037 break;
2038 assign_register(reg_rmw(ctxt, reg), val, ctxt->op_bytes);
2039 --reg;
2040 }
2041 return rc;
2042 }
2043
2044 static int __emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
2045 {
2046 const struct x86_emulate_ops *ops = ctxt->ops;
2047 int rc;
2048 struct desc_ptr dt;
2049 gva_t cs_addr;
2050 gva_t eip_addr;
2051 u16 cs, eip;
2052
2053 /* TODO: Add limit checks */
2054 ctxt->src.val = ctxt->eflags;
2055 rc = em_push(ctxt);
2056 if (rc != X86EMUL_CONTINUE)
2057 return rc;
2058
2059 ctxt->eflags &= ~(X86_EFLAGS_IF | X86_EFLAGS_TF | X86_EFLAGS_AC);
2060
2061 ctxt->src.val = get_segment_selector(ctxt, VCPU_SREG_CS);
2062 rc = em_push(ctxt);
2063 if (rc != X86EMUL_CONTINUE)
2064 return rc;
2065
2066 ctxt->src.val = ctxt->_eip;
2067 rc = em_push(ctxt);
2068 if (rc != X86EMUL_CONTINUE)
2069 return rc;
2070
2071 ops->get_idt(ctxt, &dt);
2072
2073 eip_addr = dt.address + (irq << 2);
2074 cs_addr = dt.address + (irq << 2) + 2;
2075
2076 rc = linear_read_system(ctxt, cs_addr, &cs, 2);
2077 if (rc != X86EMUL_CONTINUE)
2078 return rc;
2079
2080 rc = linear_read_system(ctxt, eip_addr, &eip, 2);
2081 if (rc != X86EMUL_CONTINUE)
2082 return rc;
2083
2084 rc = load_segment_descriptor(ctxt, cs, VCPU_SREG_CS);
2085 if (rc != X86EMUL_CONTINUE)
2086 return rc;
2087
2088 ctxt->_eip = eip;
2089
2090 return rc;
2091 }
2092
2093 int emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
2094 {
2095 int rc;
2096
2097 invalidate_registers(ctxt);
2098 rc = __emulate_int_real(ctxt, irq);
2099 if (rc == X86EMUL_CONTINUE)
2100 writeback_registers(ctxt);
2101 return rc;
2102 }
2103
2104 static int emulate_int(struct x86_emulate_ctxt *ctxt, int irq)
2105 {
2106 switch(ctxt->mode) {
2107 case X86EMUL_MODE_REAL:
2108 return __emulate_int_real(ctxt, irq);
2109 case X86EMUL_MODE_VM86:
2110 case X86EMUL_MODE_PROT16:
2111 case X86EMUL_MODE_PROT32:
2112 case X86EMUL_MODE_PROT64:
2113 default:
2114 /* Protected mode interrupts unimplemented yet */
2115 return X86EMUL_UNHANDLEABLE;
2116 }
2117 }
2118
2119 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
2120 {
2121 int rc = X86EMUL_CONTINUE;
2122 unsigned long temp_eip = 0;
2123 unsigned long temp_eflags = 0;
2124 unsigned long cs = 0;
2125 unsigned long mask = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
2126 X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_TF |
2127 X86_EFLAGS_IF | X86_EFLAGS_DF | X86_EFLAGS_OF |
2128 X86_EFLAGS_IOPL | X86_EFLAGS_NT | X86_EFLAGS_RF |
2129 X86_EFLAGS_AC | X86_EFLAGS_ID |
2130 X86_EFLAGS_FIXED;
2131 unsigned long vm86_mask = X86_EFLAGS_VM | X86_EFLAGS_VIF |
2132 X86_EFLAGS_VIP;
2133
2134 /* TODO: Add stack limit check */
2135
2136 rc = emulate_pop(ctxt, &temp_eip, ctxt->op_bytes);
2137
2138 if (rc != X86EMUL_CONTINUE)
2139 return rc;
2140
2141 if (temp_eip & ~0xffff)
2142 return emulate_gp(ctxt, 0);
2143
2144 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2145
2146 if (rc != X86EMUL_CONTINUE)
2147 return rc;
2148
2149 rc = emulate_pop(ctxt, &temp_eflags, ctxt->op_bytes);
2150
2151 if (rc != X86EMUL_CONTINUE)
2152 return rc;
2153
2154 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
2155
2156 if (rc != X86EMUL_CONTINUE)
2157 return rc;
2158
2159 ctxt->_eip = temp_eip;
2160
2161 if (ctxt->op_bytes == 4)
2162 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
2163 else if (ctxt->op_bytes == 2) {
2164 ctxt->eflags &= ~0xffff;
2165 ctxt->eflags |= temp_eflags;
2166 }
2167
2168 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
2169 ctxt->eflags |= X86_EFLAGS_FIXED;
2170 ctxt->ops->set_nmi_mask(ctxt, false);
2171
2172 return rc;
2173 }
2174
2175 static int em_iret(struct x86_emulate_ctxt *ctxt)
2176 {
2177 switch(ctxt->mode) {
2178 case X86EMUL_MODE_REAL:
2179 return emulate_iret_real(ctxt);
2180 case X86EMUL_MODE_VM86:
2181 case X86EMUL_MODE_PROT16:
2182 case X86EMUL_MODE_PROT32:
2183 case X86EMUL_MODE_PROT64:
2184 default:
2185 /* iret from protected mode unimplemented yet */
2186 return X86EMUL_UNHANDLEABLE;
2187 }
2188 }
2189
2190 static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
2191 {
2192 int rc;
2193 unsigned short sel;
2194 struct desc_struct new_desc;
2195 u8 cpl = ctxt->ops->cpl(ctxt);
2196
2197 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2198
2199 rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
2200 X86_TRANSFER_CALL_JMP,
2201 &new_desc);
2202 if (rc != X86EMUL_CONTINUE)
2203 return rc;
2204
2205 rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
2206 /* Error handling is not implemented. */
2207 if (rc != X86EMUL_CONTINUE)
2208 return X86EMUL_UNHANDLEABLE;
2209
2210 return rc;
2211 }
2212
2213 static int em_jmp_abs(struct x86_emulate_ctxt *ctxt)
2214 {
2215 return assign_eip_near(ctxt, ctxt->src.val);
2216 }
2217
2218 static int em_call_near_abs(struct x86_emulate_ctxt *ctxt)
2219 {
2220 int rc;
2221 long int old_eip;
2222
2223 old_eip = ctxt->_eip;
2224 rc = assign_eip_near(ctxt, ctxt->src.val);
2225 if (rc != X86EMUL_CONTINUE)
2226 return rc;
2227 ctxt->src.val = old_eip;
2228 rc = em_push(ctxt);
2229 return rc;
2230 }
2231
2232 static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
2233 {
2234 u64 old = ctxt->dst.orig_val64;
2235
2236 if (ctxt->dst.bytes == 16)
2237 return X86EMUL_UNHANDLEABLE;
2238
2239 if (((u32) (old >> 0) != (u32) reg_read(ctxt, VCPU_REGS_RAX)) ||
2240 ((u32) (old >> 32) != (u32) reg_read(ctxt, VCPU_REGS_RDX))) {
2241 *reg_write(ctxt, VCPU_REGS_RAX) = (u32) (old >> 0);
2242 *reg_write(ctxt, VCPU_REGS_RDX) = (u32) (old >> 32);
2243 ctxt->eflags &= ~X86_EFLAGS_ZF;
2244 } else {
2245 ctxt->dst.val64 = ((u64)reg_read(ctxt, VCPU_REGS_RCX) << 32) |
2246 (u32) reg_read(ctxt, VCPU_REGS_RBX);
2247
2248 ctxt->eflags |= X86_EFLAGS_ZF;
2249 }
2250 return X86EMUL_CONTINUE;
2251 }
2252
2253 static int em_ret(struct x86_emulate_ctxt *ctxt)
2254 {
2255 int rc;
2256 unsigned long eip;
2257
2258 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
2259 if (rc != X86EMUL_CONTINUE)
2260 return rc;
2261
2262 return assign_eip_near(ctxt, eip);
2263 }
2264
2265 static int em_ret_far(struct x86_emulate_ctxt *ctxt)
2266 {
2267 int rc;
2268 unsigned long eip, cs;
2269 int cpl = ctxt->ops->cpl(ctxt);
2270 struct desc_struct new_desc;
2271
2272 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
2273 if (rc != X86EMUL_CONTINUE)
2274 return rc;
2275 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2276 if (rc != X86EMUL_CONTINUE)
2277 return rc;
2278 /* Outer-privilege level return is not implemented */
2279 if (ctxt->mode >= X86EMUL_MODE_PROT16 && (cs & 3) > cpl)
2280 return X86EMUL_UNHANDLEABLE;
2281 rc = __load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, cpl,
2282 X86_TRANSFER_RET,
2283 &new_desc);
2284 if (rc != X86EMUL_CONTINUE)
2285 return rc;
2286 rc = assign_eip_far(ctxt, eip, &new_desc);
2287 /* Error handling is not implemented. */
2288 if (rc != X86EMUL_CONTINUE)
2289 return X86EMUL_UNHANDLEABLE;
2290
2291 return rc;
2292 }
2293
2294 static int em_ret_far_imm(struct x86_emulate_ctxt *ctxt)
2295 {
2296 int rc;
2297
2298 rc = em_ret_far(ctxt);
2299 if (rc != X86EMUL_CONTINUE)
2300 return rc;
2301 rsp_increment(ctxt, ctxt->src.val);
2302 return X86EMUL_CONTINUE;
2303 }
2304
2305 static int em_cmpxchg(struct x86_emulate_ctxt *ctxt)
2306 {
2307 /* Save real source value, then compare EAX against destination. */
2308 ctxt->dst.orig_val = ctxt->dst.val;
2309 ctxt->dst.val = reg_read(ctxt, VCPU_REGS_RAX);
2310 ctxt->src.orig_val = ctxt->src.val;
2311 ctxt->src.val = ctxt->dst.orig_val;
2312 fastop(ctxt, em_cmp);
2313
2314 if (ctxt->eflags & X86_EFLAGS_ZF) {
2315 /* Success: write back to memory; no update of EAX */
2316 ctxt->src.type = OP_NONE;
2317 ctxt->dst.val = ctxt->src.orig_val;
2318 } else {
2319 /* Failure: write the value we saw to EAX. */
2320 ctxt->src.type = OP_REG;
2321 ctxt->src.addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
2322 ctxt->src.val = ctxt->dst.orig_val;
2323 /* Create write-cycle to dest by writing the same value */
2324 ctxt->dst.val = ctxt->dst.orig_val;
2325 }
2326 return X86EMUL_CONTINUE;
2327 }
2328
2329 static int em_lseg(struct x86_emulate_ctxt *ctxt)
2330 {
2331 int seg = ctxt->src2.val;
2332 unsigned short sel;
2333 int rc;
2334
2335 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2336
2337 rc = load_segment_descriptor(ctxt, sel, seg);
2338 if (rc != X86EMUL_CONTINUE)
2339 return rc;
2340
2341 ctxt->dst.val = ctxt->src.val;
2342 return rc;
2343 }
2344
2345 static int emulator_has_longmode(struct x86_emulate_ctxt *ctxt)
2346 {
2347 u32 eax, ebx, ecx, edx;
2348
2349 eax = 0x80000001;
2350 ecx = 0;
2351 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, false);
2352 return edx & bit(X86_FEATURE_LM);
2353 }
2354
2355 #define GET_SMSTATE(type, smbase, offset) \
2356 ({ \
2357 type __val; \
2358 int r = ctxt->ops->read_phys(ctxt, smbase + offset, &__val, \
2359 sizeof(__val)); \
2360 if (r != X86EMUL_CONTINUE) \
2361 return X86EMUL_UNHANDLEABLE; \
2362 __val; \
2363 })
2364
2365 static void rsm_set_desc_flags(struct desc_struct *desc, u32 flags)
2366 {
2367 desc->g = (flags >> 23) & 1;
2368 desc->d = (flags >> 22) & 1;
2369 desc->l = (flags >> 21) & 1;
2370 desc->avl = (flags >> 20) & 1;
2371 desc->p = (flags >> 15) & 1;
2372 desc->dpl = (flags >> 13) & 3;
2373 desc->s = (flags >> 12) & 1;
2374 desc->type = (flags >> 8) & 15;
2375 }
2376
2377 static int rsm_load_seg_32(struct x86_emulate_ctxt *ctxt, u64 smbase, int n)
2378 {
2379 struct desc_struct desc;
2380 int offset;
2381 u16 selector;
2382
2383 selector = GET_SMSTATE(u32, smbase, 0x7fa8 + n * 4);
2384
2385 if (n < 3)
2386 offset = 0x7f84 + n * 12;
2387 else
2388 offset = 0x7f2c + (n - 3) * 12;
2389
2390 set_desc_base(&desc, GET_SMSTATE(u32, smbase, offset + 8));
2391 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, offset + 4));
2392 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, offset));
2393 ctxt->ops->set_segment(ctxt, selector, &desc, 0, n);
2394 return X86EMUL_CONTINUE;
2395 }
2396
2397 static int rsm_load_seg_64(struct x86_emulate_ctxt *ctxt, u64 smbase, int n)
2398 {
2399 struct desc_struct desc;
2400 int offset;
2401 u16 selector;
2402 u32 base3;
2403
2404 offset = 0x7e00 + n * 16;
2405
2406 selector = GET_SMSTATE(u16, smbase, offset);
2407 rsm_set_desc_flags(&desc, GET_SMSTATE(u16, smbase, offset + 2) << 8);
2408 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, offset + 4));
2409 set_desc_base(&desc, GET_SMSTATE(u32, smbase, offset + 8));
2410 base3 = GET_SMSTATE(u32, smbase, offset + 12);
2411
2412 ctxt->ops->set_segment(ctxt, selector, &desc, base3, n);
2413 return X86EMUL_CONTINUE;
2414 }
2415
2416 static int rsm_enter_protected_mode(struct x86_emulate_ctxt *ctxt,
2417 u64 cr0, u64 cr3, u64 cr4)
2418 {
2419 int bad;
2420 u64 pcid;
2421
2422 /* In order to later set CR4.PCIDE, CR3[11:0] must be zero. */
2423 pcid = 0;
2424 if (cr4 & X86_CR4_PCIDE) {
2425 pcid = cr3 & 0xfff;
2426 cr3 &= ~0xfff;
2427 }
2428
2429 bad = ctxt->ops->set_cr(ctxt, 3, cr3);
2430 if (bad)
2431 return X86EMUL_UNHANDLEABLE;
2432
2433 /*
2434 * First enable PAE, long mode needs it before CR0.PG = 1 is set.
2435 * Then enable protected mode. However, PCID cannot be enabled
2436 * if EFER.LMA=0, so set it separately.
2437 */
2438 bad = ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE);
2439 if (bad)
2440 return X86EMUL_UNHANDLEABLE;
2441
2442 bad = ctxt->ops->set_cr(ctxt, 0, cr0);
2443 if (bad)
2444 return X86EMUL_UNHANDLEABLE;
2445
2446 if (cr4 & X86_CR4_PCIDE) {
2447 bad = ctxt->ops->set_cr(ctxt, 4, cr4);
2448 if (bad)
2449 return X86EMUL_UNHANDLEABLE;
2450 if (pcid) {
2451 bad = ctxt->ops->set_cr(ctxt, 3, cr3 | pcid);
2452 if (bad)
2453 return X86EMUL_UNHANDLEABLE;
2454 }
2455
2456 }
2457
2458 return X86EMUL_CONTINUE;
2459 }
2460
2461 static int rsm_load_state_32(struct x86_emulate_ctxt *ctxt, u64 smbase)
2462 {
2463 struct desc_struct desc;
2464 struct desc_ptr dt;
2465 u16 selector;
2466 u32 val, cr0, cr3, cr4;
2467 int i;
2468
2469 cr0 = GET_SMSTATE(u32, smbase, 0x7ffc);
2470 cr3 = GET_SMSTATE(u32, smbase, 0x7ff8);
2471 ctxt->eflags = GET_SMSTATE(u32, smbase, 0x7ff4) | X86_EFLAGS_FIXED;
2472 ctxt->_eip = GET_SMSTATE(u32, smbase, 0x7ff0);
2473
2474 for (i = 0; i < 8; i++)
2475 *reg_write(ctxt, i) = GET_SMSTATE(u32, smbase, 0x7fd0 + i * 4);
2476
2477 val = GET_SMSTATE(u32, smbase, 0x7fcc);
2478 ctxt->ops->set_dr(ctxt, 6, (val & DR6_VOLATILE) | DR6_FIXED_1);
2479 val = GET_SMSTATE(u32, smbase, 0x7fc8);
2480 ctxt->ops->set_dr(ctxt, 7, (val & DR7_VOLATILE) | DR7_FIXED_1);
2481
2482 selector = GET_SMSTATE(u32, smbase, 0x7fc4);
2483 set_desc_base(&desc, GET_SMSTATE(u32, smbase, 0x7f64));
2484 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, 0x7f60));
2485 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, 0x7f5c));
2486 ctxt->ops->set_segment(ctxt, selector, &desc, 0, VCPU_SREG_TR);
2487
2488 selector = GET_SMSTATE(u32, smbase, 0x7fc0);
2489 set_desc_base(&desc, GET_SMSTATE(u32, smbase, 0x7f80));
2490 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, 0x7f7c));
2491 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, 0x7f78));
2492 ctxt->ops->set_segment(ctxt, selector, &desc, 0, VCPU_SREG_LDTR);
2493
2494 dt.address = GET_SMSTATE(u32, smbase, 0x7f74);
2495 dt.size = GET_SMSTATE(u32, smbase, 0x7f70);
2496 ctxt->ops->set_gdt(ctxt, &dt);
2497
2498 dt.address = GET_SMSTATE(u32, smbase, 0x7f58);
2499 dt.size = GET_SMSTATE(u32, smbase, 0x7f54);
2500 ctxt->ops->set_idt(ctxt, &dt);
2501
2502 for (i = 0; i < 6; i++) {
2503 int r = rsm_load_seg_32(ctxt, smbase, i);
2504 if (r != X86EMUL_CONTINUE)
2505 return r;
2506 }
2507
2508 cr4 = GET_SMSTATE(u32, smbase, 0x7f14);
2509
2510 ctxt->ops->set_smbase(ctxt, GET_SMSTATE(u32, smbase, 0x7ef8));
2511
2512 return rsm_enter_protected_mode(ctxt, cr0, cr3, cr4);
2513 }
2514
2515 static int rsm_load_state_64(struct x86_emulate_ctxt *ctxt, u64 smbase)
2516 {
2517 struct desc_struct desc;
2518 struct desc_ptr dt;
2519 u64 val, cr0, cr3, cr4;
2520 u32 base3;
2521 u16 selector;
2522 int i, r;
2523
2524 for (i = 0; i < 16; i++)
2525 *reg_write(ctxt, i) = GET_SMSTATE(u64, smbase, 0x7ff8 - i * 8);
2526
2527 ctxt->_eip = GET_SMSTATE(u64, smbase, 0x7f78);
2528 ctxt->eflags = GET_SMSTATE(u32, smbase, 0x7f70) | X86_EFLAGS_FIXED;
2529
2530 val = GET_SMSTATE(u32, smbase, 0x7f68);
2531 ctxt->ops->set_dr(ctxt, 6, (val & DR6_VOLATILE) | DR6_FIXED_1);
2532 val = GET_SMSTATE(u32, smbase, 0x7f60);
2533 ctxt->ops->set_dr(ctxt, 7, (val & DR7_VOLATILE) | DR7_FIXED_1);
2534
2535 cr0 = GET_SMSTATE(u64, smbase, 0x7f58);
2536 cr3 = GET_SMSTATE(u64, smbase, 0x7f50);
2537 cr4 = GET_SMSTATE(u64, smbase, 0x7f48);
2538 ctxt->ops->set_smbase(ctxt, GET_SMSTATE(u32, smbase, 0x7f00));
2539 val = GET_SMSTATE(u64, smbase, 0x7ed0);
2540 ctxt->ops->set_msr(ctxt, MSR_EFER, val & ~EFER_LMA);
2541
2542 selector = GET_SMSTATE(u32, smbase, 0x7e90);
2543 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, 0x7e92) << 8);
2544 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, 0x7e94));
2545 set_desc_base(&desc, GET_SMSTATE(u32, smbase, 0x7e98));
2546 base3 = GET_SMSTATE(u32, smbase, 0x7e9c);
2547 ctxt->ops->set_segment(ctxt, selector, &desc, base3, VCPU_SREG_TR);
2548
2549 dt.size = GET_SMSTATE(u32, smbase, 0x7e84);
2550 dt.address = GET_SMSTATE(u64, smbase, 0x7e88);
2551 ctxt->ops->set_idt(ctxt, &dt);
2552
2553 selector = GET_SMSTATE(u32, smbase, 0x7e70);
2554 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smbase, 0x7e72) << 8);
2555 set_desc_limit(&desc, GET_SMSTATE(u32, smbase, 0x7e74));
2556 set_desc_base(&desc, GET_SMSTATE(u32, smbase, 0x7e78));
2557 base3 = GET_SMSTATE(u32, smbase, 0x7e7c);
2558 ctxt->ops->set_segment(ctxt, selector, &desc, base3, VCPU_SREG_LDTR);
2559
2560 dt.size = GET_SMSTATE(u32, smbase, 0x7e64);
2561 dt.address = GET_SMSTATE(u64, smbase, 0x7e68);
2562 ctxt->ops->set_gdt(ctxt, &dt);
2563
2564 r = rsm_enter_protected_mode(ctxt, cr0, cr3, cr4);
2565 if (r != X86EMUL_CONTINUE)
2566 return r;
2567
2568 for (i = 0; i < 6; i++) {
2569 r = rsm_load_seg_64(ctxt, smbase, i);
2570 if (r != X86EMUL_CONTINUE)
2571 return r;
2572 }
2573
2574 return X86EMUL_CONTINUE;
2575 }
2576
2577 static int em_rsm(struct x86_emulate_ctxt *ctxt)
2578 {
2579 unsigned long cr0, cr4, efer;
2580 u64 smbase;
2581 int ret;
2582
2583 if ((ctxt->ops->get_hflags(ctxt) & X86EMUL_SMM_MASK) == 0)
2584 return emulate_ud(ctxt);
2585
2586 /*
2587 * Get back to real mode, to prepare a safe state in which to load
2588 * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU
2589 * supports long mode.
2590 */
2591 if (emulator_has_longmode(ctxt)) {
2592 struct desc_struct cs_desc;
2593
2594 /* Zero CR4.PCIDE before CR0.PG. */
2595 cr4 = ctxt->ops->get_cr(ctxt, 4);
2596 if (cr4 & X86_CR4_PCIDE)
2597 ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE);
2598
2599 /* A 32-bit code segment is required to clear EFER.LMA. */
2600 memset(&cs_desc, 0, sizeof(cs_desc));
2601 cs_desc.type = 0xb;
2602 cs_desc.s = cs_desc.g = cs_desc.p = 1;
2603 ctxt->ops->set_segment(ctxt, 0, &cs_desc, 0, VCPU_SREG_CS);
2604 }
2605
2606 /* For the 64-bit case, this will clear EFER.LMA. */
2607 cr0 = ctxt->ops->get_cr(ctxt, 0);
2608 if (cr0 & X86_CR0_PE)
2609 ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE));
2610
2611 if (emulator_has_longmode(ctxt)) {
2612 /* Clear CR4.PAE before clearing EFER.LME. */
2613 cr4 = ctxt->ops->get_cr(ctxt, 4);
2614 if (cr4 & X86_CR4_PAE)
2615 ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE);
2616
2617 /* And finally go back to 32-bit mode. */
2618 efer = 0;
2619 ctxt->ops->set_msr(ctxt, MSR_EFER, efer);
2620 }
2621
2622 smbase = ctxt->ops->get_smbase(ctxt);
2623 if (emulator_has_longmode(ctxt))
2624 ret = rsm_load_state_64(ctxt, smbase + 0x8000);
2625 else
2626 ret = rsm_load_state_32(ctxt, smbase + 0x8000);
2627
2628 if (ret != X86EMUL_CONTINUE) {
2629 /* FIXME: should triple fault */
2630 return X86EMUL_UNHANDLEABLE;
2631 }
2632
2633 if ((ctxt->ops->get_hflags(ctxt) & X86EMUL_SMM_INSIDE_NMI_MASK) == 0)
2634 ctxt->ops->set_nmi_mask(ctxt, false);
2635
2636 ctxt->ops->set_hflags(ctxt, ctxt->ops->get_hflags(ctxt) &
2637 ~(X86EMUL_SMM_INSIDE_NMI_MASK | X86EMUL_SMM_MASK));
2638 return X86EMUL_CONTINUE;
2639 }
2640
2641 static void
2642 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
2643 struct desc_struct *cs, struct desc_struct *ss)
2644 {
2645 cs->l = 0; /* will be adjusted later */
2646 set_desc_base(cs, 0); /* flat segment */
2647 cs->g = 1; /* 4kb granularity */
2648 set_desc_limit(cs, 0xfffff); /* 4GB limit */
2649 cs->type = 0x0b; /* Read, Execute, Accessed */
2650 cs->s = 1;
2651 cs->dpl = 0; /* will be adjusted later */
2652 cs->p = 1;
2653 cs->d = 1;
2654 cs->avl = 0;
2655
2656 set_desc_base(ss, 0); /* flat segment */
2657 set_desc_limit(ss, 0xfffff); /* 4GB limit */
2658 ss->g = 1; /* 4kb granularity */
2659 ss->s = 1;
2660 ss->type = 0x03; /* Read/Write, Accessed */
2661 ss->d = 1; /* 32bit stack segment */
2662 ss->dpl = 0;
2663 ss->p = 1;
2664 ss->l = 0;
2665 ss->avl = 0;
2666 }
2667
2668 static bool vendor_intel(struct x86_emulate_ctxt *ctxt)
2669 {
2670 u32 eax, ebx, ecx, edx;
2671
2672 eax = ecx = 0;
2673 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, false);
2674 return ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx
2675 && ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx
2676 && edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx;
2677 }
2678
2679 static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt)
2680 {
2681 const struct x86_emulate_ops *ops = ctxt->ops;
2682 u32 eax, ebx, ecx, edx;
2683
2684 /*
2685 * syscall should always be enabled in longmode - so only become
2686 * vendor specific (cpuid) if other modes are active...
2687 */
2688 if (ctxt->mode == X86EMUL_MODE_PROT64)
2689 return true;
2690
2691 eax = 0x00000000;
2692 ecx = 0x00000000;
2693 ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, false);
2694 /*
2695 * Intel ("GenuineIntel")
2696 * remark: Intel CPUs only support "syscall" in 64bit
2697 * longmode. Also an 64bit guest with a
2698 * 32bit compat-app running will #UD !! While this
2699 * behaviour can be fixed (by emulating) into AMD
2700 * response - CPUs of AMD can't behave like Intel.
2701 */
2702 if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
2703 ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
2704 edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
2705 return false;
2706
2707 /* AMD ("AuthenticAMD") */
2708 if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
2709 ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
2710 edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
2711 return true;
2712
2713 /* AMD ("AMDisbetter!") */
2714 if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
2715 ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
2716 edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
2717 return true;
2718
2719 /* default: (not Intel, not AMD), apply Intel's stricter rules... */
2720 return false;
2721 }
2722
2723 static int em_syscall(struct x86_emulate_ctxt *ctxt)
2724 {
2725 const struct x86_emulate_ops *ops = ctxt->ops;
2726 struct desc_struct cs, ss;
2727 u64 msr_data;
2728 u16 cs_sel, ss_sel;
2729 u64 efer = 0;
2730
2731 /* syscall is not available in real mode */
2732 if (ctxt->mode == X86EMUL_MODE_REAL ||
2733 ctxt->mode == X86EMUL_MODE_VM86)
2734 return emulate_ud(ctxt);
2735
2736 if (!(em_syscall_is_enabled(ctxt)))
2737 return emulate_ud(ctxt);
2738
2739 ops->get_msr(ctxt, MSR_EFER, &efer);
2740 setup_syscalls_segments(ctxt, &cs, &ss);
2741
2742 if (!(efer & EFER_SCE))
2743 return emulate_ud(ctxt);
2744
2745 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2746 msr_data >>= 32;
2747 cs_sel = (u16)(msr_data & 0xfffc);
2748 ss_sel = (u16)(msr_data + 8);
2749
2750 if (efer & EFER_LMA) {
2751 cs.d = 0;
2752 cs.l = 1;
2753 }
2754 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2755 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2756
2757 *reg_write(ctxt, VCPU_REGS_RCX) = ctxt->_eip;
2758 if (efer & EFER_LMA) {
2759 #ifdef CONFIG_X86_64
2760 *reg_write(ctxt, VCPU_REGS_R11) = ctxt->eflags;
2761
2762 ops->get_msr(ctxt,
2763 ctxt->mode == X86EMUL_MODE_PROT64 ?
2764 MSR_LSTAR : MSR_CSTAR, &msr_data);
2765 ctxt->_eip = msr_data;
2766
2767 ops->get_msr(ctxt, MSR_SYSCALL_MASK, &msr_data);
2768 ctxt->eflags &= ~msr_data;
2769 ctxt->eflags |= X86_EFLAGS_FIXED;
2770 #endif
2771 } else {
2772 /* legacy mode */
2773 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2774 ctxt->_eip = (u32)msr_data;
2775
2776 ctxt->eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
2777 }
2778
2779 ctxt->tf = (ctxt->eflags & X86_EFLAGS_TF) != 0;
2780 return X86EMUL_CONTINUE;
2781 }
2782
2783 static int em_sysenter(struct x86_emulate_ctxt *ctxt)
2784 {
2785 const struct x86_emulate_ops *ops = ctxt->ops;
2786 struct desc_struct cs, ss;
2787 u64 msr_data;
2788 u16 cs_sel, ss_sel;
2789 u64 efer = 0;
2790
2791 ops->get_msr(ctxt, MSR_EFER, &efer);
2792 /* inject #GP if in real mode */
2793 if (ctxt->mode == X86EMUL_MODE_REAL)
2794 return emulate_gp(ctxt, 0);
2795
2796 /*
2797 * Not recognized on AMD in compat mode (but is recognized in legacy
2798 * mode).
2799 */
2800 if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
2801 && !vendor_intel(ctxt))
2802 return emulate_ud(ctxt);
2803
2804 /* sysenter/sysexit have not been tested in 64bit mode. */
2805 if (ctxt->mode == X86EMUL_MODE_PROT64)
2806 return X86EMUL_UNHANDLEABLE;
2807
2808 setup_syscalls_segments(ctxt, &cs, &ss);
2809
2810 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2811 if ((msr_data & 0xfffc) == 0x0)
2812 return emulate_gp(ctxt, 0);
2813
2814 ctxt->eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
2815 cs_sel = (u16)msr_data & ~SEGMENT_RPL_MASK;
2816 ss_sel = cs_sel + 8;
2817 if (efer & EFER_LMA) {
2818 cs.d = 0;
2819 cs.l = 1;
2820 }
2821
2822 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2823 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2824
2825 ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
2826 ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
2827
2828 ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
2829 *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
2830 (u32)msr_data;
2831
2832 return X86EMUL_CONTINUE;
2833 }
2834
2835 static int em_sysexit(struct x86_emulate_ctxt *ctxt)
2836 {
2837 const struct x86_emulate_ops *ops = ctxt->ops;
2838 struct desc_struct cs, ss;
2839 u64 msr_data, rcx, rdx;
2840 int usermode;
2841 u16 cs_sel = 0, ss_sel = 0;
2842
2843 /* inject #GP if in real mode or Virtual 8086 mode */
2844 if (ctxt->mode == X86EMUL_MODE_REAL ||
2845 ctxt->mode == X86EMUL_MODE_VM86)
2846 return emulate_gp(ctxt, 0);
2847
2848 setup_syscalls_segments(ctxt, &cs, &ss);
2849
2850 if ((ctxt->rex_prefix & 0x8) != 0x0)
2851 usermode = X86EMUL_MODE_PROT64;
2852 else
2853 usermode = X86EMUL_MODE_PROT32;
2854
2855 rcx = reg_read(ctxt, VCPU_REGS_RCX);
2856 rdx = reg_read(ctxt, VCPU_REGS_RDX);
2857
2858 cs.dpl = 3;
2859 ss.dpl = 3;
2860 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2861 switch (usermode) {
2862 case X86EMUL_MODE_PROT32:
2863 cs_sel = (u16)(msr_data + 16);
2864 if ((msr_data & 0xfffc) == 0x0)
2865 return emulate_gp(ctxt, 0);
2866 ss_sel = (u16)(msr_data + 24);
2867 rcx = (u32)rcx;
2868 rdx = (u32)rdx;
2869 break;
2870 case X86EMUL_MODE_PROT64:
2871 cs_sel = (u16)(msr_data + 32);
2872 if (msr_data == 0x0)
2873 return emulate_gp(ctxt, 0);
2874 ss_sel = cs_sel + 8;
2875 cs.d = 0;
2876 cs.l = 1;
2877 if (emul_is_noncanonical_address(rcx, ctxt) ||
2878 emul_is_noncanonical_address(rdx, ctxt))
2879 return emulate_gp(ctxt, 0);
2880 break;
2881 }
2882 cs_sel |= SEGMENT_RPL_MASK;
2883 ss_sel |= SEGMENT_RPL_MASK;
2884
2885 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2886 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2887
2888 ctxt->_eip = rdx;
2889 *reg_write(ctxt, VCPU_REGS_RSP) = rcx;
2890
2891 return X86EMUL_CONTINUE;
2892 }
2893
2894 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt)
2895 {
2896 int iopl;
2897 if (ctxt->mode == X86EMUL_MODE_REAL)
2898 return false;
2899 if (ctxt->mode == X86EMUL_MODE_VM86)
2900 return true;
2901 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> X86_EFLAGS_IOPL_BIT;
2902 return ctxt->ops->cpl(ctxt) > iopl;
2903 }
2904
2905 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2906 u16 port, u16 len)
2907 {
2908 const struct x86_emulate_ops *ops = ctxt->ops;
2909 struct desc_struct tr_seg;
2910 u32 base3;
2911 int r;
2912 u16 tr, io_bitmap_ptr, perm, bit_idx = port & 0x7;
2913 unsigned mask = (1 << len) - 1;
2914 unsigned long base;
2915
2916 ops->get_segment(ctxt, &tr, &tr_seg, &base3, VCPU_SREG_TR);
2917 if (!tr_seg.p)
2918 return false;
2919 if (desc_limit_scaled(&tr_seg) < 103)
2920 return false;
2921 base = get_desc_base(&tr_seg);
2922 #ifdef CONFIG_X86_64
2923 base |= ((u64)base3) << 32;
2924 #endif
2925 r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL, true);
2926 if (r != X86EMUL_CONTINUE)
2927 return false;
2928 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2929 return false;
2930 r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL, true);
2931 if (r != X86EMUL_CONTINUE)
2932 return false;
2933 if ((perm >> bit_idx) & mask)
2934 return false;
2935 return true;
2936 }
2937
2938 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2939 u16 port, u16 len)
2940 {
2941 if (ctxt->perm_ok)
2942 return true;
2943
2944 if (emulator_bad_iopl(ctxt))
2945 if (!emulator_io_port_access_allowed(ctxt, port, len))
2946 return false;
2947
2948 ctxt->perm_ok = true;
2949
2950 return true;
2951 }
2952
2953 static void string_registers_quirk(struct x86_emulate_ctxt *ctxt)
2954 {
2955 /*
2956 * Intel CPUs mask the counter and pointers in quite strange
2957 * manner when ECX is zero due to REP-string optimizations.
2958 */
2959 #ifdef CONFIG_X86_64
2960 if (ctxt->ad_bytes != 4 || !vendor_intel(ctxt))
2961 return;
2962
2963 *reg_write(ctxt, VCPU_REGS_RCX) = 0;
2964
2965 switch (ctxt->b) {
2966 case 0xa4: /* movsb */
2967 case 0xa5: /* movsd/w */
2968 *reg_rmw(ctxt, VCPU_REGS_RSI) &= (u32)-1;
2969 /* fall through */
2970 case 0xaa: /* stosb */
2971 case 0xab: /* stosd/w */
2972 *reg_rmw(ctxt, VCPU_REGS_RDI) &= (u32)-1;
2973 }
2974 #endif
2975 }
2976
2977 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2978 struct tss_segment_16 *tss)
2979 {
2980 tss->ip = ctxt->_eip;
2981 tss->flag = ctxt->eflags;
2982 tss->ax = reg_read(ctxt, VCPU_REGS_RAX);
2983 tss->cx = reg_read(ctxt, VCPU_REGS_RCX);
2984 tss->dx = reg_read(ctxt, VCPU_REGS_RDX);
2985 tss->bx = reg_read(ctxt, VCPU_REGS_RBX);
2986 tss->sp = reg_read(ctxt, VCPU_REGS_RSP);
2987 tss->bp = reg_read(ctxt, VCPU_REGS_RBP);
2988 tss->si = reg_read(ctxt, VCPU_REGS_RSI);
2989 tss->di = reg_read(ctxt, VCPU_REGS_RDI);
2990
2991 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2992 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2993 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2994 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2995 tss->ldt = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2996 }
2997
2998 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2999 struct tss_segment_16 *tss)
3000 {
3001 int ret;
3002 u8 cpl;
3003
3004 ctxt->_eip = tss->ip;
3005 ctxt->eflags = tss->flag | 2;
3006 *reg_write(ctxt, VCPU_REGS_RAX) = tss->ax;
3007 *reg_write(ctxt, VCPU_REGS_RCX) = tss->cx;
3008 *reg_write(ctxt, VCPU_REGS_RDX) = tss->dx;
3009 *reg_write(ctxt, VCPU_REGS_RBX) = tss->bx;
3010 *reg_write(ctxt, VCPU_REGS_RSP) = tss->sp;
3011 *reg_write(ctxt, VCPU_REGS_RBP) = tss->bp;
3012 *reg_write(ctxt, VCPU_REGS_RSI) = tss->si;
3013 *reg_write(ctxt, VCPU_REGS_RDI) = tss->di;
3014
3015 /*
3016 * SDM says that segment selectors are loaded before segment
3017 * descriptors
3018 */
3019 set_segment_selector(ctxt, tss->ldt, VCPU_SREG_LDTR);
3020 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
3021 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
3022 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
3023 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
3024
3025 cpl = tss->cs & 3;
3026
3027 /*
3028 * Now load segment descriptors. If fault happens at this stage
3029 * it is handled in a context of new task
3030 */
3031 ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl,
3032 X86_TRANSFER_TASK_SWITCH, NULL);
3033 if (ret != X86EMUL_CONTINUE)
3034 return ret;
3035 ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
3036 X86_TRANSFER_TASK_SWITCH, NULL);
3037 if (ret != X86EMUL_CONTINUE)
3038 return ret;
3039 ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
3040 X86_TRANSFER_TASK_SWITCH, NULL);
3041 if (ret != X86EMUL_CONTINUE)
3042 return ret;
3043 ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
3044 X86_TRANSFER_TASK_SWITCH, NULL);
3045 if (ret != X86EMUL_CONTINUE)
3046 return ret;
3047 ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
3048 X86_TRANSFER_TASK_SWITCH, NULL);
3049 if (ret != X86EMUL_CONTINUE)
3050 return ret;
3051
3052 return X86EMUL_CONTINUE;
3053 }
3054
3055 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
3056 u16 tss_selector, u16 old_tss_sel,
3057 ulong old_tss_base, struct desc_struct *new_desc)
3058 {
3059 struct tss_segment_16 tss_seg;
3060 int ret;
3061 u32 new_tss_base = get_desc_base(new_desc);
3062
3063 ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg);
3064 if (ret != X86EMUL_CONTINUE)
3065 return ret;
3066
3067 save_state_to_tss16(ctxt, &tss_seg);
3068
3069 ret = linear_write_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg);
3070 if (ret != X86EMUL_CONTINUE)
3071 return ret;
3072
3073 ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof tss_seg);
3074 if (ret != X86EMUL_CONTINUE)
3075 return ret;
3076
3077 if (old_tss_sel != 0xffff) {
3078 tss_seg.prev_task_link = old_tss_sel;
3079
3080 ret = linear_write_system(ctxt, new_tss_base,
3081 &tss_seg.prev_task_link,
3082 sizeof tss_seg.prev_task_link);
3083 if (ret != X86EMUL_CONTINUE)
3084 return ret;
3085 }
3086
3087 return load_state_from_tss16(ctxt, &tss_seg);
3088 }
3089
3090 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
3091 struct tss_segment_32 *tss)
3092 {
3093 /* CR3 and ldt selector are not saved intentionally */
3094 tss->eip = ctxt->_eip;
3095 tss->eflags = ctxt->eflags;
3096 tss->eax = reg_read(ctxt, VCPU_REGS_RAX);
3097 tss->ecx = reg_read(ctxt, VCPU_REGS_RCX);
3098 tss->edx = reg_read(ctxt, VCPU_REGS_RDX);
3099 tss->ebx = reg_read(ctxt, VCPU_REGS_RBX);
3100 tss->esp = reg_read(ctxt, VCPU_REGS_RSP);
3101 tss->ebp = reg_read(ctxt, VCPU_REGS_RBP);
3102 tss->esi = reg_read(ctxt, VCPU_REGS_RSI);
3103 tss->edi = reg_read(ctxt, VCPU_REGS_RDI);
3104
3105 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
3106 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
3107 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
3108 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
3109 tss->fs = get_segment_selector(ctxt, VCPU_SREG_FS);
3110 tss->gs = get_segment_selector(ctxt, VCPU_SREG_GS);
3111 }
3112
3113 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
3114 struct tss_segment_32 *tss)
3115 {
3116 int ret;
3117 u8 cpl;
3118
3119 if (ctxt->ops->set_cr(ctxt, 3, tss->cr3))
3120 return emulate_gp(ctxt, 0);
3121 ctxt->_eip = tss->eip;
3122 ctxt->eflags = tss->eflags | 2;
3123
3124 /* General purpose registers */
3125 *reg_write(ctxt, VCPU_REGS_RAX) = tss->eax;
3126 *reg_write(ctxt, VCPU_REGS_RCX) = tss->ecx;
3127 *reg_write(ctxt, VCPU_REGS_RDX) = tss->edx;
3128 *reg_write(ctxt, VCPU_REGS_RBX) = tss->ebx;
3129 *reg_write(ctxt, VCPU_REGS_RSP) = tss->esp;
3130 *reg_write(ctxt, VCPU_REGS_RBP) = tss->ebp;
3131 *reg_write(ctxt, VCPU_REGS_RSI) = tss->esi;
3132 *reg_write(ctxt, VCPU_REGS_RDI) = tss->edi;
3133
3134 /*
3135 * SDM says that segment selectors are loaded before segment
3136 * descriptors. This is important because CPL checks will
3137 * use CS.RPL.
3138 */
3139 set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
3140 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
3141 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
3142 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
3143 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
3144 set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS);
3145 set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS);
3146
3147 /*
3148 * If we're switching between Protected Mode and VM86, we need to make
3149 * sure to update the mode before loading the segment descriptors so
3150 * that the selectors are interpreted correctly.
3151 */
3152 if (ctxt->eflags & X86_EFLAGS_VM) {
3153 ctxt->mode = X86EMUL_MODE_VM86;
3154 cpl = 3;
3155 } else {
3156 ctxt->mode = X86EMUL_MODE_PROT32;
3157 cpl = tss->cs & 3;
3158 }
3159
3160 /*
3161 * Now load segment descriptors. If fault happenes at this stage
3162 * it is handled in a context of new task
3163 */
3164 ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR,
3165 cpl, X86_TRANSFER_TASK_SWITCH, NULL);
3166 if (ret != X86EMUL_CONTINUE)
3167 return ret;
3168 ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
3169 X86_TRANSFER_TASK_SWITCH, NULL);
3170 if (ret != X86EMUL_CONTINUE)
3171 return ret;
3172 ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
3173 X86_TRANSFER_TASK_SWITCH, NULL);
3174 if (ret != X86EMUL_CONTINUE)
3175 return ret;
3176 ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
3177 X86_TRANSFER_TASK_SWITCH, NULL);
3178 if (ret != X86EMUL_CONTINUE)
3179 return ret;
3180 ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
3181 X86_TRANSFER_TASK_SWITCH, NULL);
3182 if (ret != X86EMUL_CONTINUE)
3183 return ret;
3184 ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl,
3185 X86_TRANSFER_TASK_SWITCH, NULL);
3186 if (ret != X86EMUL_CONTINUE)
3187 return ret;
3188 ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl,
3189 X86_TRANSFER_TASK_SWITCH, NULL);
3190
3191 return ret;
3192 }
3193
3194 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
3195 u16 tss_selector, u16 old_tss_sel,
3196 ulong old_tss_base, struct desc_struct *new_desc)
3197 {
3198 struct tss_segment_32 tss_seg;
3199 int ret;
3200 u32 new_tss_base = get_desc_base(new_desc);
3201 u32 eip_offset = offsetof(struct tss_segment_32, eip);
3202 u32 ldt_sel_offset = offsetof(struct tss_segment_32, ldt_selector);
3203
3204 ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg);
3205 if (ret != X86EMUL_CONTINUE)
3206 return ret;
3207
3208 save_state_to_tss32(ctxt, &tss_seg);
3209
3210 /* Only GP registers and segment selectors are saved */
3211 ret = linear_write_system(ctxt, old_tss_base + eip_offset, &tss_seg.eip,
3212 ldt_sel_offset - eip_offset);
3213 if (ret != X86EMUL_CONTINUE)
3214 return ret;
3215
3216 ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof tss_seg);
3217 if (ret != X86EMUL_CONTINUE)
3218 return ret;
3219
3220 if (old_tss_sel != 0xffff) {
3221 tss_seg.prev_task_link = old_tss_sel;
3222
3223 ret = linear_write_system(ctxt, new_tss_base,
3224 &tss_seg.prev_task_link,
3225 sizeof tss_seg.prev_task_link);
3226 if (ret != X86EMUL_CONTINUE)
3227 return ret;
3228 }
3229
3230 return load_state_from_tss32(ctxt, &tss_seg);
3231 }
3232
3233 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
3234 u16 tss_selector, int idt_index, int reason,
3235 bool has_error_code, u32 error_code)
3236 {
3237 const struct x86_emulate_ops *ops = ctxt->ops;
3238 struct desc_struct curr_tss_desc, next_tss_desc;
3239 int ret;
3240 u16 old_tss_sel = get_segment_selector(ctxt, VCPU_SREG_TR);
3241 ulong old_tss_base =
3242 ops->get_cached_segment_base(ctxt, VCPU_SREG_TR);
3243 u32 desc_limit;
3244 ulong desc_addr, dr7;
3245
3246 /* FIXME: old_tss_base == ~0 ? */
3247
3248 ret = read_segment_descriptor(ctxt, tss_selector, &next_tss_desc, &desc_addr);
3249 if (ret != X86EMUL_CONTINUE)
3250 return ret;
3251 ret = read_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc, &desc_addr);
3252 if (ret != X86EMUL_CONTINUE)
3253 return ret;
3254
3255 /* FIXME: check that next_tss_desc is tss */
3256
3257 /*
3258 * Check privileges. The three cases are task switch caused by...
3259 *
3260 * 1. jmp/call/int to task gate: Check against DPL of the task gate
3261 * 2. Exception/IRQ/iret: No check is performed
3262 * 3. jmp/call to TSS/task-gate: No check is performed since the
3263 * hardware checks it before exiting.
3264 */
3265 if (reason == TASK_SWITCH_GATE) {
3266 if (idt_index != -1) {
3267 /* Software interrupts */
3268 struct desc_struct task_gate_desc;
3269 int dpl;
3270
3271 ret = read_interrupt_descriptor(ctxt, idt_index,
3272 &task_gate_desc);
3273 if (ret != X86EMUL_CONTINUE)
3274 return ret;
3275
3276 dpl = task_gate_desc.dpl;
3277 if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
3278 return emulate_gp(ctxt, (idt_index << 3) | 0x2);
3279 }
3280 }
3281
3282 desc_limit = desc_limit_scaled(&next_tss_desc);
3283 if (!next_tss_desc.p ||
3284 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
3285 desc_limit < 0x2b)) {
3286 return emulate_ts(ctxt, tss_selector & 0xfffc);
3287 }
3288
3289 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
3290 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
3291 write_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
3292 }
3293
3294 if (reason == TASK_SWITCH_IRET)
3295 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
3296
3297 /* set back link to prev task only if NT bit is set in eflags
3298 note that old_tss_sel is not used after this point */
3299 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
3300 old_tss_sel = 0xffff;
3301
3302 if (next_tss_desc.type & 8)
3303 ret = task_switch_32(ctxt, tss_selector, old_tss_sel,
3304 old_tss_base, &next_tss_desc);
3305 else
3306 ret = task_switch_16(ctxt, tss_selector, old_tss_sel,
3307 old_tss_base, &next_tss_desc);
3308 if (ret != X86EMUL_CONTINUE)
3309 return ret;
3310
3311 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
3312 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
3313
3314 if (reason != TASK_SWITCH_IRET) {
3315 next_tss_desc.type |= (1 << 1); /* set busy flag */
3316 write_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
3317 }
3318
3319 ops->set_cr(ctxt, 0, ops->get_cr(ctxt, 0) | X86_CR0_TS);
3320 ops->set_segment(ctxt, tss_selector, &next_tss_desc, 0, VCPU_SREG_TR);
3321
3322 if (has_error_code) {
3323 ctxt->op_bytes = ctxt->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
3324 ctxt->lock_prefix = 0;
3325 ctxt->src.val = (unsigned long) error_code;
3326 ret = em_push(ctxt);
3327 }
3328
3329 ops->get_dr(ctxt, 7, &dr7);
3330 ops->set_dr(ctxt, 7, dr7 & ~(DR_LOCAL_ENABLE_MASK | DR_LOCAL_SLOWDOWN));
3331
3332 return ret;
3333 }
3334
3335 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
3336 u16 tss_selector, int idt_index, int reason,
3337 bool has_error_code, u32 error_code)
3338 {
3339 int rc;
3340
3341 invalidate_registers(ctxt);
3342 ctxt->_eip = ctxt->eip;
3343 ctxt->dst.type = OP_NONE;
3344
3345 rc = emulator_do_task_switch(ctxt, tss_selector, idt_index, reason,
3346 has_error_code, error_code);
3347
3348 if (rc == X86EMUL_CONTINUE) {
3349 ctxt->eip = ctxt->_eip;
3350 writeback_registers(ctxt);
3351 }
3352
3353 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
3354 }
3355
3356 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, int reg,
3357 struct operand *op)
3358 {
3359 int df = (ctxt->eflags & X86_EFLAGS_DF) ? -op->count : op->count;
3360
3361 register_address_increment(ctxt, reg, df * op->bytes);
3362 op->addr.mem.ea = register_address(ctxt, reg);
3363 }
3364
3365 static int em_das(struct x86_emulate_ctxt *ctxt)
3366 {
3367 u8 al, old_al;
3368 bool af, cf, old_cf;
3369
3370 cf = ctxt->eflags & X86_EFLAGS_CF;
3371 al = ctxt->dst.val;
3372
3373 old_al = al;
3374 old_cf = cf;
3375 cf = false;
3376 af = ctxt->eflags & X86_EFLAGS_AF;
3377 if ((al & 0x0f) > 9 || af) {
3378 al -= 6;
3379 cf = old_cf | (al >= 250);
3380 af = true;
3381 } else {
3382 af = false;
3383 }
3384 if (old_al > 0x99 || old_cf) {
3385 al -= 0x60;
3386 cf = true;
3387 }
3388
3389 ctxt->dst.val = al;
3390 /* Set PF, ZF, SF */
3391 ctxt->src.type = OP_IMM;
3392 ctxt->src.val = 0;
3393 ctxt->src.bytes = 1;
3394 fastop(ctxt, em_or);
3395 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
3396 if (cf)
3397 ctxt->eflags |= X86_EFLAGS_CF;
3398 if (af)
3399 ctxt->eflags |= X86_EFLAGS_AF;
3400 return X86EMUL_CONTINUE;
3401 }
3402
3403 static int em_aam(struct x86_emulate_ctxt *ctxt)
3404 {
3405 u8 al, ah;
3406
3407 if (ctxt->src.val == 0)
3408 return emulate_de(ctxt);
3409
3410 al = ctxt->dst.val & 0xff;
3411 ah = al / ctxt->src.val;
3412 al %= ctxt->src.val;
3413
3414 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al | (ah << 8);
3415
3416 /* Set PF, ZF, SF */
3417 ctxt->src.type = OP_IMM;
3418 ctxt->src.val = 0;
3419 ctxt->src.bytes = 1;
3420 fastop(ctxt, em_or);
3421
3422 return X86EMUL_CONTINUE;
3423 }
3424
3425 static int em_aad(struct x86_emulate_ctxt *ctxt)
3426 {
3427 u8 al = ctxt->dst.val & 0xff;
3428 u8 ah = (ctxt->dst.val >> 8) & 0xff;
3429
3430 al = (al + (ah * ctxt->src.val)) & 0xff;
3431
3432 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al;
3433
3434 /* Set PF, ZF, SF */
3435 ctxt->src.type = OP_IMM;
3436 ctxt->src.val = 0;
3437 ctxt->src.bytes = 1;
3438 fastop(ctxt, em_or);
3439
3440 return X86EMUL_CONTINUE;
3441 }
3442
3443 static int em_call(struct x86_emulate_ctxt *ctxt)
3444 {
3445 int rc;
3446 long rel = ctxt->src.val;
3447
3448 ctxt->src.val = (unsigned long)ctxt->_eip;
3449 rc = jmp_rel(ctxt, rel);
3450 if (rc != X86EMUL_CONTINUE)
3451 return rc;
3452 return em_push(ctxt);
3453 }
3454
3455 static int em_call_far(struct x86_emulate_ctxt *ctxt)
3456 {
3457 u16 sel, old_cs;
3458 ulong old_eip;
3459 int rc;
3460 struct desc_struct old_desc, new_desc;
3461 const struct x86_emulate_ops *ops = ctxt->ops;
3462 int cpl = ctxt->ops->cpl(ctxt);
3463 enum x86emul_mode prev_mode = ctxt->mode;
3464
3465 old_eip = ctxt->_eip;
3466 ops->get_segment(ctxt, &old_cs, &old_desc, NULL, VCPU_SREG_CS);
3467
3468 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
3469 rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
3470 X86_TRANSFER_CALL_JMP, &new_desc);
3471 if (rc != X86EMUL_CONTINUE)
3472 return rc;
3473
3474 rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
3475 if (rc != X86EMUL_CONTINUE)
3476 goto fail;
3477
3478 ctxt->src.val = old_cs;
3479 rc = em_push(ctxt);
3480 if (rc != X86EMUL_CONTINUE)
3481 goto fail;
3482
3483 ctxt->src.val = old_eip;
3484 rc = em_push(ctxt);
3485 /* If we failed, we tainted the memory, but the very least we should
3486 restore cs */
3487 if (rc != X86EMUL_CONTINUE) {
3488 pr_warn_once("faulting far call emulation tainted memory\n");
3489 goto fail;
3490 }
3491 return rc;
3492 fail:
3493 ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
3494 ctxt->mode = prev_mode;
3495 return rc;
3496
3497 }
3498
3499 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
3500 {
3501 int rc;
3502 unsigned long eip;
3503
3504 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
3505 if (rc != X86EMUL_CONTINUE)
3506 return rc;
3507 rc = assign_eip_near(ctxt, eip);
3508 if (rc != X86EMUL_CONTINUE)
3509 return rc;
3510 rsp_increment(ctxt, ctxt->src.val);
3511 return X86EMUL_CONTINUE;
3512 }
3513
3514 static int em_xchg(struct x86_emulate_ctxt *ctxt)
3515 {
3516 /* Write back the register source. */
3517 ctxt->src.val = ctxt->dst.val;
3518 write_register_operand(&ctxt->src);
3519
3520 /* Write back the memory destination with implicit LOCK prefix. */
3521 ctxt->dst.val = ctxt->src.orig_val;
3522 ctxt->lock_prefix = 1;
3523 return X86EMUL_CONTINUE;
3524 }
3525
3526 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
3527 {
3528 ctxt->dst.val = ctxt->src2.val;
3529 return fastop(ctxt, em_imul);
3530 }
3531
3532 static int em_cwd(struct x86_emulate_ctxt *ctxt)
3533 {
3534 ctxt->dst.type = OP_REG;
3535 ctxt->dst.bytes = ctxt->src.bytes;
3536 ctxt->dst.addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
3537 ctxt->dst.val = ~((ctxt->src.val >> (ctxt->src.bytes * 8 - 1)) - 1);
3538
3539 return X86EMUL_CONTINUE;
3540 }
3541
3542 static int em_rdpid(struct x86_emulate_ctxt *ctxt)
3543 {
3544 u64 tsc_aux = 0;
3545
3546 if (ctxt->ops->get_msr(ctxt, MSR_TSC_AUX, &tsc_aux))
3547 return emulate_ud(ctxt);
3548 ctxt->dst.val = tsc_aux;
3549 return X86EMUL_CONTINUE;
3550 }
3551
3552 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
3553 {
3554 u64 tsc = 0;
3555
3556 ctxt->ops->get_msr(ctxt, MSR_IA32_TSC, &tsc);
3557 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)tsc;
3558 *reg_write(ctxt, VCPU_REGS_RDX) = tsc >> 32;
3559 return X86EMUL_CONTINUE;
3560 }
3561
3562 static int em_rdpmc(struct x86_emulate_ctxt *ctxt)
3563 {
3564 u64 pmc;
3565
3566 if (ctxt->ops->read_pmc(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &pmc))
3567 return emulate_gp(ctxt, 0);
3568 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)pmc;
3569 *reg_write(ctxt, VCPU_REGS_RDX) = pmc >> 32;
3570 return X86EMUL_CONTINUE;
3571 }
3572
3573 static int em_mov(struct x86_emulate_ctxt *ctxt)
3574 {
3575 memcpy(ctxt->dst.valptr, ctxt->src.valptr, sizeof(ctxt->src.valptr));
3576 return X86EMUL_CONTINUE;
3577 }
3578
3579 #define FFL(x) bit(X86_FEATURE_##x)
3580
3581 static int em_movbe(struct x86_emulate_ctxt *ctxt)
3582 {
3583 u32 ebx, ecx, edx, eax = 1;
3584 u16 tmp;
3585
3586 /*
3587 * Check MOVBE is set in the guest-visible CPUID leaf.
3588 */
3589 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, false);
3590 if (!(ecx & FFL(MOVBE)))
3591 return emulate_ud(ctxt);
3592
3593 switch (ctxt->op_bytes) {
3594 case 2:
3595 /*
3596 * From MOVBE definition: "...When the operand size is 16 bits,
3597 * the upper word of the destination register remains unchanged
3598 * ..."
3599 *
3600 * Both casting ->valptr and ->val to u16 breaks strict aliasing
3601 * rules so we have to do the operation almost per hand.
3602 */
3603 tmp = (u16)ctxt->src.val;
3604 ctxt->dst.val &= ~0xffffUL;
3605 ctxt->dst.val |= (unsigned long)swab16(tmp);
3606 break;
3607 case 4:
3608 ctxt->dst.val = swab32((u32)ctxt->src.val);
3609 break;
3610 case 8:
3611 ctxt->dst.val = swab64(ctxt->src.val);
3612 break;
3613 default:
3614 BUG();
3615 }
3616 return X86EMUL_CONTINUE;
3617 }
3618
3619 static int em_cr_write(struct x86_emulate_ctxt *ctxt)
3620 {
3621 if (ctxt->ops->set_cr(ctxt, ctxt->modrm_reg, ctxt->src.val))
3622 return emulate_gp(ctxt, 0);
3623
3624 /* Disable writeback. */
3625 ctxt->dst.type = OP_NONE;
3626 return X86EMUL_CONTINUE;
3627 }
3628
3629 static int em_dr_write(struct x86_emulate_ctxt *ctxt)
3630 {
3631 unsigned long val;
3632
3633 if (ctxt->mode == X86EMUL_MODE_PROT64)
3634 val = ctxt->src.val & ~0ULL;
3635 else
3636 val = ctxt->src.val & ~0U;
3637
3638 /* #UD condition is already handled. */
3639 if (ctxt->ops->set_dr(ctxt, ctxt->modrm_reg, val) < 0)
3640 return emulate_gp(ctxt, 0);
3641
3642 /* Disable writeback. */
3643 ctxt->dst.type = OP_NONE;
3644 return X86EMUL_CONTINUE;
3645 }
3646
3647 static int em_wrmsr(struct x86_emulate_ctxt *ctxt)
3648 {
3649 u64 msr_data;
3650
3651 msr_data = (u32)reg_read(ctxt, VCPU_REGS_RAX)
3652 | ((u64)reg_read(ctxt, VCPU_REGS_RDX) << 32);
3653 if (ctxt->ops->set_msr(ctxt, reg_read(ctxt, VCPU_REGS_RCX), msr_data))
3654 return emulate_gp(ctxt, 0);
3655
3656 return X86EMUL_CONTINUE;
3657 }
3658
3659 static int em_rdmsr(struct x86_emulate_ctxt *ctxt)
3660 {
3661 u64 msr_data;
3662
3663 if (ctxt->ops->get_msr(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &msr_data))
3664 return emulate_gp(ctxt, 0);
3665
3666 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)msr_data;
3667 *reg_write(ctxt, VCPU_REGS_RDX) = msr_data >> 32;
3668 return X86EMUL_CONTINUE;
3669 }
3670
3671 static int em_mov_rm_sreg(struct x86_emulate_ctxt *ctxt)
3672 {
3673 if (ctxt->modrm_reg > VCPU_SREG_GS)
3674 return emulate_ud(ctxt);
3675
3676 ctxt->dst.val = get_segment_selector(ctxt, ctxt->modrm_reg);
3677 if (ctxt->dst.bytes == 4 && ctxt->dst.type == OP_MEM)
3678 ctxt->dst.bytes = 2;
3679 return X86EMUL_CONTINUE;
3680 }
3681
3682 static int em_mov_sreg_rm(struct x86_emulate_ctxt *ctxt)
3683 {
3684 u16 sel = ctxt->src.val;
3685
3686 if (ctxt->modrm_reg == VCPU_SREG_CS || ctxt->modrm_reg > VCPU_SREG_GS)
3687 return emulate_ud(ctxt);
3688
3689 if (ctxt->modrm_reg == VCPU_SREG_SS)
3690 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3691
3692 /* Disable writeback. */
3693 ctxt->dst.type = OP_NONE;
3694 return load_segment_descriptor(ctxt, sel, ctxt->modrm_reg);
3695 }
3696
3697 static int em_lldt(struct x86_emulate_ctxt *ctxt)
3698 {
3699 u16 sel = ctxt->src.val;
3700
3701 /* Disable writeback. */
3702 ctxt->dst.type = OP_NONE;
3703 return load_segment_descriptor(ctxt, sel, VCPU_SREG_LDTR);
3704 }
3705
3706 static int em_ltr(struct x86_emulate_ctxt *ctxt)
3707 {
3708 u16 sel = ctxt->src.val;
3709
3710 /* Disable writeback. */
3711 ctxt->dst.type = OP_NONE;
3712 return load_segment_descriptor(ctxt, sel, VCPU_SREG_TR);
3713 }
3714
3715 static int em_invlpg(struct x86_emulate_ctxt *ctxt)
3716 {
3717 int rc;
3718 ulong linear;
3719
3720 rc = linearize(ctxt, ctxt->src.addr.mem, 1, false, &linear);
3721 if (rc == X86EMUL_CONTINUE)
3722 ctxt->ops->invlpg(ctxt, linear);
3723 /* Disable writeback. */
3724 ctxt->dst.type = OP_NONE;
3725 return X86EMUL_CONTINUE;
3726 }
3727
3728 static int em_clts(struct x86_emulate_ctxt *ctxt)
3729 {
3730 ulong cr0;
3731
3732 cr0 = ctxt->ops->get_cr(ctxt, 0);
3733 cr0 &= ~X86_CR0_TS;
3734 ctxt->ops->set_cr(ctxt, 0, cr0);
3735 return X86EMUL_CONTINUE;
3736 }
3737
3738 static int em_hypercall(struct x86_emulate_ctxt *ctxt)
3739 {
3740 int rc = ctxt->ops->fix_hypercall(ctxt);
3741
3742 if (rc != X86EMUL_CONTINUE)
3743 return rc;
3744
3745 /* Let the processor re-execute the fixed hypercall */
3746 ctxt->_eip = ctxt->eip;
3747 /* Disable writeback. */
3748 ctxt->dst.type = OP_NONE;
3749 return X86EMUL_CONTINUE;
3750 }
3751
3752 static int emulate_store_desc_ptr(struct x86_emulate_ctxt *ctxt,
3753 void (*get)(struct x86_emulate_ctxt *ctxt,
3754 struct desc_ptr *ptr))
3755 {
3756 struct desc_ptr desc_ptr;
3757
3758 if (ctxt->mode == X86EMUL_MODE_PROT64)
3759 ctxt->op_bytes = 8;
3760 get(ctxt, &desc_ptr);
3761 if (ctxt->op_bytes == 2) {
3762 ctxt->op_bytes = 4;
3763 desc_ptr.address &= 0x00ffffff;
3764 }
3765 /* Disable writeback. */
3766 ctxt->dst.type = OP_NONE;
3767 return segmented_write_std(ctxt, ctxt->dst.addr.mem,
3768 &desc_ptr, 2 + ctxt->op_bytes);
3769 }
3770
3771 static int em_sgdt(struct x86_emulate_ctxt *ctxt)
3772 {
3773 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_gdt);
3774 }
3775
3776 static int em_sidt(struct x86_emulate_ctxt *ctxt)
3777 {
3778 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_idt);
3779 }
3780
3781 static int em_lgdt_lidt(struct x86_emulate_ctxt *ctxt, bool lgdt)
3782 {
3783 struct desc_ptr desc_ptr;
3784 int rc;
3785
3786 if (ctxt->mode == X86EMUL_MODE_PROT64)
3787 ctxt->op_bytes = 8;
3788 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
3789 &desc_ptr.size, &desc_ptr.address,
3790 ctxt->op_bytes);
3791 if (rc != X86EMUL_CONTINUE)
3792 return rc;
3793 if (ctxt->mode == X86EMUL_MODE_PROT64 &&
3794 emul_is_noncanonical_address(desc_ptr.address, ctxt))
3795 return emulate_gp(ctxt, 0);
3796 if (lgdt)
3797 ctxt->ops->set_gdt(ctxt, &desc_ptr);
3798 else
3799 ctxt->ops->set_idt(ctxt, &desc_ptr);
3800 /* Disable writeback. */
3801 ctxt->dst.type = OP_NONE;
3802 return X86EMUL_CONTINUE;
3803 }
3804
3805 static int em_lgdt(struct x86_emulate_ctxt *ctxt)
3806 {
3807 return em_lgdt_lidt(ctxt, true);
3808 }
3809
3810 static int em_lidt(struct x86_emulate_ctxt *ctxt)
3811 {
3812 return em_lgdt_lidt(ctxt, false);
3813 }
3814
3815 static int em_smsw(struct x86_emulate_ctxt *ctxt)
3816 {
3817 if (ctxt->dst.type == OP_MEM)
3818 ctxt->dst.bytes = 2;
3819 ctxt->dst.val = ctxt->ops->get_cr(ctxt, 0);
3820 return X86EMUL_CONTINUE;
3821 }
3822
3823 static int em_lmsw(struct x86_emulate_ctxt *ctxt)
3824 {
3825 ctxt->ops->set_cr(ctxt, 0, (ctxt->ops->get_cr(ctxt, 0) & ~0x0eul)
3826 | (ctxt->src.val & 0x0f));
3827 ctxt->dst.type = OP_NONE;
3828 return X86EMUL_CONTINUE;
3829 }
3830
3831 static int em_loop(struct x86_emulate_ctxt *ctxt)
3832 {
3833 int rc = X86EMUL_CONTINUE;
3834
3835 register_address_increment(ctxt, VCPU_REGS_RCX, -1);
3836 if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) &&
3837 (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
3838 rc = jmp_rel(ctxt, ctxt->src.val);
3839
3840 return rc;
3841 }
3842
3843 static int em_jcxz(struct x86_emulate_ctxt *ctxt)
3844 {
3845 int rc = X86EMUL_CONTINUE;
3846
3847 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0)
3848 rc = jmp_rel(ctxt, ctxt->src.val);
3849
3850 return rc;
3851 }
3852
3853 static int em_in(struct x86_emulate_ctxt *ctxt)
3854 {
3855 if (!pio_in_emulated(ctxt, ctxt->dst.bytes, ctxt->src.val,
3856 &ctxt->dst.val))
3857 return X86EMUL_IO_NEEDED;
3858
3859 return X86EMUL_CONTINUE;
3860 }
3861
3862 static int em_out(struct x86_emulate_ctxt *ctxt)
3863 {
3864 ctxt->ops->pio_out_emulated(ctxt, ctxt->src.bytes, ctxt->dst.val,
3865 &ctxt->src.val, 1);
3866 /* Disable writeback. */
3867 ctxt->dst.type = OP_NONE;
3868 return X86EMUL_CONTINUE;
3869 }
3870
3871 static int em_cli(struct x86_emulate_ctxt *ctxt)
3872 {
3873 if (emulator_bad_iopl(ctxt))
3874 return emulate_gp(ctxt, 0);
3875
3876 ctxt->eflags &= ~X86_EFLAGS_IF;
3877 return X86EMUL_CONTINUE;
3878 }
3879
3880 static int em_sti(struct x86_emulate_ctxt *ctxt)
3881 {
3882 if (emulator_bad_iopl(ctxt))
3883 return emulate_gp(ctxt, 0);
3884
3885 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3886 ctxt->eflags |= X86_EFLAGS_IF;
3887 return X86EMUL_CONTINUE;
3888 }
3889
3890 static int em_cpuid(struct x86_emulate_ctxt *ctxt)
3891 {
3892 u32 eax, ebx, ecx, edx;
3893 u64 msr = 0;
3894
3895 ctxt->ops->get_msr(ctxt, MSR_MISC_FEATURES_ENABLES, &msr);
3896 if (msr & MSR_MISC_FEATURES_ENABLES_CPUID_FAULT &&
3897 ctxt->ops->cpl(ctxt)) {
3898 return emulate_gp(ctxt, 0);
3899 }
3900
3901 eax = reg_read(ctxt, VCPU_REGS_RAX);
3902 ecx = reg_read(ctxt, VCPU_REGS_RCX);
3903 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, true);
3904 *reg_write(ctxt, VCPU_REGS_RAX) = eax;
3905 *reg_write(ctxt, VCPU_REGS_RBX) = ebx;
3906 *reg_write(ctxt, VCPU_REGS_RCX) = ecx;
3907 *reg_write(ctxt, VCPU_REGS_RDX) = edx;
3908 return X86EMUL_CONTINUE;
3909 }
3910
3911 static int em_sahf(struct x86_emulate_ctxt *ctxt)
3912 {
3913 u32 flags;
3914
3915 flags = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF | X86_EFLAGS_ZF |
3916 X86_EFLAGS_SF;
3917 flags &= *reg_rmw(ctxt, VCPU_REGS_RAX) >> 8;
3918
3919 ctxt->eflags &= ~0xffUL;
3920 ctxt->eflags |= flags | X86_EFLAGS_FIXED;
3921 return X86EMUL_CONTINUE;
3922 }
3923
3924 static int em_lahf(struct x86_emulate_ctxt *ctxt)
3925 {
3926 *reg_rmw(ctxt, VCPU_REGS_RAX) &= ~0xff00UL;
3927 *reg_rmw(ctxt, VCPU_REGS_RAX) |= (ctxt->eflags & 0xff) << 8;
3928 return X86EMUL_CONTINUE;
3929 }
3930
3931 static int em_bswap(struct x86_emulate_ctxt *ctxt)
3932 {
3933 switch (ctxt->op_bytes) {
3934 #ifdef CONFIG_X86_64
3935 case 8:
3936 asm("bswap %0" : "+r"(ctxt->dst.val));
3937 break;
3938 #endif
3939 default:
3940 asm("bswap %0" : "+r"(*(u32 *)&ctxt->dst.val));
3941 break;
3942 }
3943 return X86EMUL_CONTINUE;
3944 }
3945
3946 static int em_clflush(struct x86_emulate_ctxt *ctxt)
3947 {
3948 /* emulating clflush regardless of cpuid */
3949 return X86EMUL_CONTINUE;
3950 }
3951
3952 static int em_movsxd(struct x86_emulate_ctxt *ctxt)
3953 {
3954 ctxt->dst.val = (s32) ctxt->src.val;
3955 return X86EMUL_CONTINUE;
3956 }
3957
3958 static int check_fxsr(struct x86_emulate_ctxt *ctxt)
3959 {
3960 u32 eax = 1, ebx, ecx = 0, edx;
3961
3962 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, false);
3963 if (!(edx & FFL(FXSR)))
3964 return emulate_ud(ctxt);
3965
3966 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
3967 return emulate_nm(ctxt);
3968
3969 /*
3970 * Don't emulate a case that should never be hit, instead of working
3971 * around a lack of fxsave64/fxrstor64 on old compilers.
3972 */
3973 if (ctxt->mode >= X86EMUL_MODE_PROT64)
3974 return X86EMUL_UNHANDLEABLE;
3975
3976 return X86EMUL_CONTINUE;
3977 }
3978
3979 /*
3980 * Hardware doesn't save and restore XMM 0-7 without CR4.OSFXSR, but does save
3981 * and restore MXCSR.
3982 */
3983 static size_t __fxstate_size(int nregs)
3984 {
3985 return offsetof(struct fxregs_state, xmm_space[0]) + nregs * 16;
3986 }
3987
3988 static inline size_t fxstate_size(struct x86_emulate_ctxt *ctxt)
3989 {
3990 bool cr4_osfxsr;
3991 if (ctxt->mode == X86EMUL_MODE_PROT64)
3992 return __fxstate_size(16);
3993
3994 cr4_osfxsr = ctxt->ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR;
3995 return __fxstate_size(cr4_osfxsr ? 8 : 0);
3996 }
3997
3998 /*
3999 * FXSAVE and FXRSTOR have 4 different formats depending on execution mode,
4000 * 1) 16 bit mode
4001 * 2) 32 bit mode
4002 * - like (1), but FIP and FDP (foo) are only 16 bit. At least Intel CPUs
4003 * preserve whole 32 bit values, though, so (1) and (2) are the same wrt.
4004 * save and restore
4005 * 3) 64-bit mode with REX.W prefix
4006 * - like (2), but XMM 8-15 are being saved and restored
4007 * 4) 64-bit mode without REX.W prefix
4008 * - like (3), but FIP and FDP are 64 bit
4009 *
4010 * Emulation uses (3) for (1) and (2) and preserves XMM 8-15 to reach the
4011 * desired result. (4) is not emulated.
4012 *
4013 * Note: Guest and host CPUID.(EAX=07H,ECX=0H):EBX[bit 13] (deprecate FPU CS
4014 * and FPU DS) should match.
4015 */
4016 static int em_fxsave(struct x86_emulate_ctxt *ctxt)
4017 {
4018 struct fxregs_state fx_state;
4019 int rc;
4020
4021 rc = check_fxsr(ctxt);
4022 if (rc != X86EMUL_CONTINUE)
4023 return rc;
4024
4025 ctxt->ops->get_fpu(ctxt);
4026
4027 rc = asm_safe("fxsave %[fx]", , [fx] "+m"(fx_state));
4028
4029 ctxt->ops->put_fpu(ctxt);
4030
4031 if (rc != X86EMUL_CONTINUE)
4032 return rc;
4033
4034 return segmented_write_std(ctxt, ctxt->memop.addr.mem, &fx_state,
4035 fxstate_size(ctxt));
4036 }
4037
4038 /*
4039 * FXRSTOR might restore XMM registers not provided by the guest. Fill
4040 * in the host registers (via FXSAVE) instead, so they won't be modified.
4041 * (preemption has to stay disabled until FXRSTOR).
4042 *
4043 * Use noinline to keep the stack for other functions called by callers small.
4044 */
4045 static noinline int fxregs_fixup(struct fxregs_state *fx_state,
4046 const size_t used_size)
4047 {
4048 struct fxregs_state fx_tmp;
4049 int rc;
4050
4051 rc = asm_safe("fxsave %[fx]", , [fx] "+m"(fx_tmp));
4052 memcpy((void *)fx_state + used_size, (void *)&fx_tmp + used_size,
4053 __fxstate_size(16) - used_size);
4054
4055 return rc;
4056 }
4057
4058 static int em_fxrstor(struct x86_emulate_ctxt *ctxt)
4059 {
4060 struct fxregs_state fx_state;
4061 int rc;
4062 size_t size;
4063
4064 rc = check_fxsr(ctxt);
4065 if (rc != X86EMUL_CONTINUE)
4066 return rc;
4067
4068 size = fxstate_size(ctxt);
4069 rc = segmented_read_std(ctxt, ctxt->memop.addr.mem, &fx_state, size);
4070 if (rc != X86EMUL_CONTINUE)
4071 return rc;
4072
4073 ctxt->ops->get_fpu(ctxt);
4074
4075 if (size < __fxstate_size(16)) {
4076 rc = fxregs_fixup(&fx_state, size);
4077 if (rc != X86EMUL_CONTINUE)
4078 goto out;
4079 }
4080
4081 if (fx_state.mxcsr >> 16) {
4082 rc = emulate_gp(ctxt, 0);
4083 goto out;
4084 }
4085
4086 if (rc == X86EMUL_CONTINUE)
4087 rc = asm_safe("fxrstor %[fx]", : [fx] "m"(fx_state));
4088
4089 out:
4090 ctxt->ops->put_fpu(ctxt);
4091
4092 return rc;
4093 }
4094
4095 static bool valid_cr(int nr)
4096 {
4097 switch (nr) {
4098 case 0:
4099 case 2 ... 4:
4100 case 8:
4101 return true;
4102 default:
4103 return false;
4104 }
4105 }
4106
4107 static int check_cr_read(struct x86_emulate_ctxt *ctxt)
4108 {
4109 if (!valid_cr(ctxt->modrm_reg))
4110 return emulate_ud(ctxt);
4111
4112 return X86EMUL_CONTINUE;
4113 }
4114
4115 static int check_cr_write(struct x86_emulate_ctxt *ctxt)
4116 {
4117 u64 new_val = ctxt->src.val64;
4118 int cr = ctxt->modrm_reg;
4119 u64 efer = 0;
4120
4121 static u64 cr_reserved_bits[] = {
4122 0xffffffff00000000ULL,
4123 0, 0, 0, /* CR3 checked later */
4124 CR4_RESERVED_BITS,
4125 0, 0, 0,
4126 CR8_RESERVED_BITS,
4127 };
4128
4129 if (!valid_cr(cr))
4130 return emulate_ud(ctxt);
4131
4132 if (new_val & cr_reserved_bits[cr])
4133 return emulate_gp(ctxt, 0);
4134
4135 switch (cr) {
4136 case 0: {
4137 u64 cr4;
4138 if (((new_val & X86_CR0_PG) && !(new_val & X86_CR0_PE)) ||
4139 ((new_val & X86_CR0_NW) && !(new_val & X86_CR0_CD)))
4140 return emulate_gp(ctxt, 0);
4141
4142 cr4 = ctxt->ops->get_cr(ctxt, 4);
4143 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
4144
4145 if ((new_val & X86_CR0_PG) && (efer & EFER_LME) &&
4146 !(cr4 & X86_CR4_PAE))
4147 return emulate_gp(ctxt, 0);
4148
4149 break;
4150 }
4151 case 3: {
4152 u64 rsvd = 0;
4153
4154 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
4155 if (efer & EFER_LMA) {
4156 u64 maxphyaddr;
4157 u32 eax, ebx, ecx, edx;
4158
4159 eax = 0x80000008;
4160 ecx = 0;
4161 if (ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx,
4162 &edx, false))
4163 maxphyaddr = eax & 0xff;
4164 else
4165 maxphyaddr = 36;
4166 rsvd = rsvd_bits(maxphyaddr, 63);
4167 if (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_PCIDE)
4168 rsvd &= ~CR3_PCID_INVD;
4169 }
4170
4171 if (new_val & rsvd)
4172 return emulate_gp(ctxt, 0);
4173
4174 break;
4175 }
4176 case 4: {
4177 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
4178
4179 if ((efer & EFER_LMA) && !(new_val & X86_CR4_PAE))
4180 return emulate_gp(ctxt, 0);
4181
4182 break;
4183 }
4184 }
4185
4186 return X86EMUL_CONTINUE;
4187 }
4188
4189 static int check_dr7_gd(struct x86_emulate_ctxt *ctxt)
4190 {
4191 unsigned long dr7;
4192
4193 ctxt->ops->get_dr(ctxt, 7, &dr7);
4194
4195 /* Check if DR7.Global_Enable is set */
4196 return dr7 & (1 << 13);
4197 }
4198
4199 static int check_dr_read(struct x86_emulate_ctxt *ctxt)
4200 {
4201 int dr = ctxt->modrm_reg;
4202 u64 cr4;
4203
4204 if (dr > 7)
4205 return emulate_ud(ctxt);
4206
4207 cr4 = ctxt->ops->get_cr(ctxt, 4);
4208 if ((cr4 & X86_CR4_DE) && (dr == 4 || dr == 5))
4209 return emulate_ud(ctxt);
4210
4211 if (check_dr7_gd(ctxt)) {
4212 ulong dr6;
4213
4214 ctxt->ops->get_dr(ctxt, 6, &dr6);
4215 dr6 &= ~15;
4216 dr6 |= DR6_BD | DR6_RTM;
4217 ctxt->ops->set_dr(ctxt, 6, dr6);
4218 return emulate_db(ctxt);
4219 }
4220
4221 return X86EMUL_CONTINUE;
4222 }
4223
4224 static int check_dr_write(struct x86_emulate_ctxt *ctxt)
4225 {
4226 u64 new_val = ctxt->src.val64;
4227 int dr = ctxt->modrm_reg;
4228
4229 if ((dr == 6 || dr == 7) && (new_val & 0xffffffff00000000ULL))
4230 return emulate_gp(ctxt, 0);
4231
4232 return check_dr_read(ctxt);
4233 }
4234
4235 static int check_svme(struct x86_emulate_ctxt *ctxt)
4236 {
4237 u64 efer = 0;
4238
4239 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
4240
4241 if (!(efer & EFER_SVME))
4242 return emulate_ud(ctxt);
4243
4244 return X86EMUL_CONTINUE;
4245 }
4246
4247 static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
4248 {
4249 u64 rax = reg_read(ctxt, VCPU_REGS_RAX);
4250
4251 /* Valid physical address? */
4252 if (rax & 0xffff000000000000ULL)
4253 return emulate_gp(ctxt, 0);
4254
4255 return check_svme(ctxt);
4256 }
4257
4258 static int check_rdtsc(struct x86_emulate_ctxt *ctxt)
4259 {
4260 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
4261
4262 if (cr4 & X86_CR4_TSD && ctxt->ops->cpl(ctxt))
4263 return emulate_ud(ctxt);
4264
4265 return X86EMUL_CONTINUE;
4266 }
4267
4268 static int check_rdpmc(struct x86_emulate_ctxt *ctxt)
4269 {
4270 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
4271 u64 rcx = reg_read(ctxt, VCPU_REGS_RCX);
4272
4273 if ((!(cr4 & X86_CR4_PCE) && ctxt->ops->cpl(ctxt)) ||
4274 ctxt->ops->check_pmc(ctxt, rcx))
4275 return emulate_gp(ctxt, 0);
4276
4277 return X86EMUL_CONTINUE;
4278 }
4279
4280 static int check_perm_in(struct x86_emulate_ctxt *ctxt)
4281 {
4282 ctxt->dst.bytes = min(ctxt->dst.bytes, 4u);
4283 if (!emulator_io_permited(ctxt, ctxt->src.val, ctxt->dst.bytes))
4284 return emulate_gp(ctxt, 0);
4285
4286 return X86EMUL_CONTINUE;
4287 }
4288
4289 static int check_perm_out(struct x86_emulate_ctxt *ctxt)
4290 {
4291 ctxt->src.bytes = min(ctxt->src.bytes, 4u);
4292 if (!emulator_io_permited(ctxt, ctxt->dst.val, ctxt->src.bytes))
4293 return emulate_gp(ctxt, 0);
4294
4295 return X86EMUL_CONTINUE;
4296 }
4297
4298 #define D(_y) { .flags = (_y) }
4299 #define DI(_y, _i) { .flags = (_y)|Intercept, .intercept = x86_intercept_##_i }
4300 #define DIP(_y, _i, _p) { .flags = (_y)|Intercept|CheckPerm, \
4301 .intercept = x86_intercept_##_i, .check_perm = (_p) }
4302 #define N D(NotImpl)
4303 #define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
4304 #define G(_f, _g) { .flags = ((_f) | Group | ModRM), .u.group = (_g) }
4305 #define GD(_f, _g) { .flags = ((_f) | GroupDual | ModRM), .u.gdual = (_g) }
4306 #define ID(_f, _i) { .flags = ((_f) | InstrDual | ModRM), .u.idual = (_i) }
4307 #define MD(_f, _m) { .flags = ((_f) | ModeDual), .u.mdual = (_m) }
4308 #define E(_f, _e) { .flags = ((_f) | Escape | ModRM), .u.esc = (_e) }
4309 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
4310 #define F(_f, _e) { .flags = (_f) | Fastop, .u.fastop = (_e) }
4311 #define II(_f, _e, _i) \
4312 { .flags = (_f)|Intercept, .u.execute = (_e), .intercept = x86_intercept_##_i }
4313 #define IIP(_f, _e, _i, _p) \
4314 { .flags = (_f)|Intercept|CheckPerm, .u.execute = (_e), \
4315 .intercept = x86_intercept_##_i, .check_perm = (_p) }
4316 #define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
4317
4318 #define D2bv(_f) D((_f) | ByteOp), D(_f)
4319 #define D2bvIP(_f, _i, _p) DIP((_f) | ByteOp, _i, _p), DIP(_f, _i, _p)
4320 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
4321 #define F2bv(_f, _e) F((_f) | ByteOp, _e), F(_f, _e)
4322 #define I2bvIP(_f, _e, _i, _p) \
4323 IIP((_f) | ByteOp, _e, _i, _p), IIP(_f, _e, _i, _p)
4324
4325 #define F6ALU(_f, _e) F2bv((_f) | DstMem | SrcReg | ModRM, _e), \
4326 F2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock, _e), \
4327 F2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)
4328
4329 static const struct opcode group7_rm0[] = {
4330 N,
4331 I(SrcNone | Priv | EmulateOnUD, em_hypercall),
4332 N, N, N, N, N, N,
4333 };
4334
4335 static const struct opcode group7_rm1[] = {
4336 DI(SrcNone | Priv, monitor),
4337 DI(SrcNone | Priv, mwait),
4338 N, N, N, N, N, N,
4339 };
4340
4341 static const struct opcode group7_rm3[] = {
4342 DIP(SrcNone | Prot | Priv, vmrun, check_svme_pa),
4343 II(SrcNone | Prot | EmulateOnUD, em_hypercall, vmmcall),
4344 DIP(SrcNone | Prot | Priv, vmload, check_svme_pa),
4345 DIP(SrcNone | Prot | Priv, vmsave, check_svme_pa),
4346 DIP(SrcNone | Prot | Priv, stgi, check_svme),
4347 DIP(SrcNone | Prot | Priv, clgi, check_svme),
4348 DIP(SrcNone | Prot | Priv, skinit, check_svme),
4349 DIP(SrcNone | Prot | Priv, invlpga, check_svme),
4350 };
4351
4352 static const struct opcode group7_rm7[] = {
4353 N,
4354 DIP(SrcNone, rdtscp, check_rdtsc),
4355 N, N, N, N, N, N,
4356 };
4357
4358 static const struct opcode group1[] = {
4359 F(Lock, em_add),
4360 F(Lock | PageTable, em_or),
4361 F(Lock, em_adc),
4362 F(Lock, em_sbb),
4363 F(Lock | PageTable, em_and),
4364 F(Lock, em_sub),
4365 F(Lock, em_xor),
4366 F(NoWrite, em_cmp),
4367 };
4368
4369 static const struct opcode group1A[] = {
4370 I(DstMem | SrcNone | Mov | Stack | IncSP | TwoMemOp, em_pop), N, N, N, N, N, N, N,
4371 };
4372
4373 static const struct opcode group2[] = {
4374 F(DstMem | ModRM, em_rol),
4375 F(DstMem | ModRM, em_ror),
4376 F(DstMem | ModRM, em_rcl),
4377 F(DstMem | ModRM, em_rcr),
4378 F(DstMem | ModRM, em_shl),
4379 F(DstMem | ModRM, em_shr),
4380 F(DstMem | ModRM, em_shl),
4381 F(DstMem | ModRM, em_sar),
4382 };
4383
4384 static const struct opcode group3[] = {
4385 F(DstMem | SrcImm | NoWrite, em_test),
4386 F(DstMem | SrcImm | NoWrite, em_test),
4387 F(DstMem | SrcNone | Lock, em_not),
4388 F(DstMem | SrcNone | Lock, em_neg),
4389 F(DstXacc | Src2Mem, em_mul_ex),
4390 F(DstXacc | Src2Mem, em_imul_ex),
4391 F(DstXacc | Src2Mem, em_div_ex),
4392 F(DstXacc | Src2Mem, em_idiv_ex),
4393 };
4394
4395 static const struct opcode group4[] = {
4396 F(ByteOp | DstMem | SrcNone | Lock, em_inc),
4397 F(ByteOp | DstMem | SrcNone | Lock, em_dec),
4398 N, N, N, N, N, N,
4399 };
4400
4401 static const struct opcode group5[] = {
4402 F(DstMem | SrcNone | Lock, em_inc),
4403 F(DstMem | SrcNone | Lock, em_dec),
4404 I(SrcMem | NearBranch, em_call_near_abs),
4405 I(SrcMemFAddr | ImplicitOps, em_call_far),
4406 I(SrcMem | NearBranch, em_jmp_abs),
4407 I(SrcMemFAddr | ImplicitOps, em_jmp_far),
4408 I(SrcMem | Stack | TwoMemOp, em_push), D(Undefined),
4409 };
4410
4411 static const struct opcode group6[] = {
4412 DI(Prot | DstMem, sldt),
4413 DI(Prot | DstMem, str),
4414 II(Prot | Priv | SrcMem16, em_lldt, lldt),
4415 II(Prot | Priv | SrcMem16, em_ltr, ltr),
4416 N, N, N, N,
4417 };
4418
4419 static const struct group_dual group7 = { {
4420 II(Mov | DstMem, em_sgdt, sgdt),
4421 II(Mov | DstMem, em_sidt, sidt),
4422 II(SrcMem | Priv, em_lgdt, lgdt),
4423 II(SrcMem | Priv, em_lidt, lidt),
4424 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
4425 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
4426 II(SrcMem | ByteOp | Priv | NoAccess, em_invlpg, invlpg),
4427 }, {
4428 EXT(0, group7_rm0),
4429 EXT(0, group7_rm1),
4430 N, EXT(0, group7_rm3),
4431 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
4432 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
4433 EXT(0, group7_rm7),
4434 } };
4435
4436 static const struct opcode group8[] = {
4437 N, N, N, N,
4438 F(DstMem | SrcImmByte | NoWrite, em_bt),
4439 F(DstMem | SrcImmByte | Lock | PageTable, em_bts),
4440 F(DstMem | SrcImmByte | Lock, em_btr),
4441 F(DstMem | SrcImmByte | Lock | PageTable, em_btc),
4442 };
4443
4444 /*
4445 * The "memory" destination is actually always a register, since we come
4446 * from the register case of group9.
4447 */
4448 static const struct gprefix pfx_0f_c7_7 = {
4449 N, N, N, II(DstMem | ModRM | Op3264 | EmulateOnUD, em_rdpid, rdtscp),
4450 };
4451
4452
4453 static const struct group_dual group9 = { {
4454 N, I(DstMem64 | Lock | PageTable, em_cmpxchg8b), N, N, N, N, N, N,
4455 }, {
4456 N, N, N, N, N, N, N,
4457 GP(0, &pfx_0f_c7_7),
4458 } };
4459
4460 static const struct opcode group11[] = {
4461 I(DstMem | SrcImm | Mov | PageTable, em_mov),
4462 X7(D(Undefined)),
4463 };
4464
4465 static const struct gprefix pfx_0f_ae_7 = {
4466 I(SrcMem | ByteOp, em_clflush), N, N, N,
4467 };
4468
4469 static const struct group_dual group15 = { {
4470 I(ModRM | Aligned16, em_fxsave),
4471 I(ModRM | Aligned16, em_fxrstor),
4472 N, N, N, N, N, GP(0, &pfx_0f_ae_7),
4473 }, {
4474 N, N, N, N, N, N, N, N,
4475 } };
4476
4477 static const struct gprefix pfx_0f_6f_0f_7f = {
4478 I(Mmx, em_mov), I(Sse | Aligned, em_mov), N, I(Sse | Unaligned, em_mov),
4479 };
4480
4481 static const struct instr_dual instr_dual_0f_2b = {
4482 I(0, em_mov), N
4483 };
4484
4485 static const struct gprefix pfx_0f_2b = {
4486 ID(0, &instr_dual_0f_2b), ID(0, &instr_dual_0f_2b), N, N,
4487 };
4488
4489 static const struct gprefix pfx_0f_28_0f_29 = {
4490 I(Aligned, em_mov), I(Aligned, em_mov), N, N,
4491 };
4492
4493 static const struct gprefix pfx_0f_e7 = {
4494 N, I(Sse, em_mov), N, N,
4495 };
4496
4497 static const struct escape escape_d9 = { {
4498 N, N, N, N, N, N, N, I(DstMem16 | Mov, em_fnstcw),
4499 }, {
4500 /* 0xC0 - 0xC7 */
4501 N, N, N, N, N, N, N, N,
4502 /* 0xC8 - 0xCF */
4503 N, N, N, N, N, N, N, N,
4504 /* 0xD0 - 0xC7 */
4505 N, N, N, N, N, N, N, N,
4506 /* 0xD8 - 0xDF */
4507 N, N, N, N, N, N, N, N,
4508 /* 0xE0 - 0xE7 */
4509 N, N, N, N, N, N, N, N,
4510 /* 0xE8 - 0xEF */
4511 N, N, N, N, N, N, N, N,
4512 /* 0xF0 - 0xF7 */
4513 N, N, N, N, N, N, N, N,
4514 /* 0xF8 - 0xFF */
4515 N, N, N, N, N, N, N, N,
4516 } };
4517
4518 static const struct escape escape_db = { {
4519 N, N, N, N, N, N, N, N,
4520 }, {
4521 /* 0xC0 - 0xC7 */
4522 N, N, N, N, N, N, N, N,
4523 /* 0xC8 - 0xCF */
4524 N, N, N, N, N, N, N, N,
4525 /* 0xD0 - 0xC7 */
4526 N, N, N, N, N, N, N, N,
4527 /* 0xD8 - 0xDF */
4528 N, N, N, N, N, N, N, N,
4529 /* 0xE0 - 0xE7 */
4530 N, N, N, I(ImplicitOps, em_fninit), N, N, N, N,
4531 /* 0xE8 - 0xEF */
4532 N, N, N, N, N, N, N, N,
4533 /* 0xF0 - 0xF7 */
4534 N, N, N, N, N, N, N, N,
4535 /* 0xF8 - 0xFF */
4536 N, N, N, N, N, N, N, N,
4537 } };
4538
4539 static const struct escape escape_dd = { {
4540 N, N, N, N, N, N, N, I(DstMem16 | Mov, em_fnstsw),
4541 }, {
4542 /* 0xC0 - 0xC7 */
4543 N, N, N, N, N, N, N, N,
4544 /* 0xC8 - 0xCF */
4545 N, N, N, N, N, N, N, N,
4546 /* 0xD0 - 0xC7 */
4547 N, N, N, N, N, N, N, N,
4548 /* 0xD8 - 0xDF */
4549 N, N, N, N, N, N, N, N,
4550 /* 0xE0 - 0xE7 */
4551 N, N, N, N, N, N, N, N,
4552 /* 0xE8 - 0xEF */
4553 N, N, N, N, N, N, N, N,
4554 /* 0xF0 - 0xF7 */
4555 N, N, N, N, N, N, N, N,
4556 /* 0xF8 - 0xFF */
4557 N, N, N, N, N, N, N, N,
4558 } };
4559
4560 static const struct instr_dual instr_dual_0f_c3 = {
4561 I(DstMem | SrcReg | ModRM | No16 | Mov, em_mov), N
4562 };
4563
4564 static const struct mode_dual mode_dual_63 = {
4565 N, I(DstReg | SrcMem32 | ModRM | Mov, em_movsxd)
4566 };
4567
4568 static const struct opcode opcode_table[256] = {
4569 /* 0x00 - 0x07 */
4570 F6ALU(Lock, em_add),
4571 I(ImplicitOps | Stack | No64 | Src2ES, em_push_sreg),
4572 I(ImplicitOps | Stack | No64 | Src2ES, em_pop_sreg),
4573 /* 0x08 - 0x0F */
4574 F6ALU(Lock | PageTable, em_or),
4575 I(ImplicitOps | Stack | No64 | Src2CS, em_push_sreg),
4576 N,
4577 /* 0x10 - 0x17 */
4578 F6ALU(Lock, em_adc),
4579 I(ImplicitOps | Stack | No64 | Src2SS, em_push_sreg),
4580 I(ImplicitOps | Stack | No64 | Src2SS, em_pop_sreg),
4581 /* 0x18 - 0x1F */
4582 F6ALU(Lock, em_sbb),
4583 I(ImplicitOps | Stack | No64 | Src2DS, em_push_sreg),
4584 I(ImplicitOps | Stack | No64 | Src2DS, em_pop_sreg),
4585 /* 0x20 - 0x27 */
4586 F6ALU(Lock | PageTable, em_and), N, N,
4587 /* 0x28 - 0x2F */
4588 F6ALU(Lock, em_sub), N, I(ByteOp | DstAcc | No64, em_das),
4589 /* 0x30 - 0x37 */
4590 F6ALU(Lock, em_xor), N, N,
4591 /* 0x38 - 0x3F */
4592 F6ALU(NoWrite, em_cmp), N, N,
4593 /* 0x40 - 0x4F */
4594 X8(F(DstReg, em_inc)), X8(F(DstReg, em_dec)),
4595 /* 0x50 - 0x57 */
4596 X8(I(SrcReg | Stack, em_push)),
4597 /* 0x58 - 0x5F */
4598 X8(I(DstReg | Stack, em_pop)),
4599 /* 0x60 - 0x67 */
4600 I(ImplicitOps | Stack | No64, em_pusha),
4601 I(ImplicitOps | Stack | No64, em_popa),
4602 N, MD(ModRM, &mode_dual_63),
4603 N, N, N, N,
4604 /* 0x68 - 0x6F */
4605 I(SrcImm | Mov | Stack, em_push),
4606 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
4607 I(SrcImmByte | Mov | Stack, em_push),
4608 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
4609 I2bvIP(DstDI | SrcDX | Mov | String | Unaligned, em_in, ins, check_perm_in), /* insb, insw/insd */
4610 I2bvIP(SrcSI | DstDX | String, em_out, outs, check_perm_out), /* outsb, outsw/outsd */
4611 /* 0x70 - 0x7F */
4612 X16(D(SrcImmByte | NearBranch)),
4613 /* 0x80 - 0x87 */
4614 G(ByteOp | DstMem | SrcImm, group1),
4615 G(DstMem | SrcImm, group1),
4616 G(ByteOp | DstMem | SrcImm | No64, group1),
4617 G(DstMem | SrcImmByte, group1),
4618 F2bv(DstMem | SrcReg | ModRM | NoWrite, em_test),
4619 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_xchg),
4620 /* 0x88 - 0x8F */
4621 I2bv(DstMem | SrcReg | ModRM | Mov | PageTable, em_mov),
4622 I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
4623 I(DstMem | SrcNone | ModRM | Mov | PageTable, em_mov_rm_sreg),
4624 D(ModRM | SrcMem | NoAccess | DstReg),
4625 I(ImplicitOps | SrcMem16 | ModRM, em_mov_sreg_rm),
4626 G(0, group1A),
4627 /* 0x90 - 0x97 */
4628 DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)),
4629 /* 0x98 - 0x9F */
4630 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
4631 I(SrcImmFAddr | No64, em_call_far), N,
4632 II(ImplicitOps | Stack, em_pushf, pushf),
4633 II(ImplicitOps | Stack, em_popf, popf),
4634 I(ImplicitOps, em_sahf), I(ImplicitOps, em_lahf),
4635 /* 0xA0 - 0xA7 */
4636 I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
4637 I2bv(DstMem | SrcAcc | Mov | MemAbs | PageTable, em_mov),
4638 I2bv(SrcSI | DstDI | Mov | String | TwoMemOp, em_mov),
4639 F2bv(SrcSI | DstDI | String | NoWrite | TwoMemOp, em_cmp_r),
4640 /* 0xA8 - 0xAF */
4641 F2bv(DstAcc | SrcImm | NoWrite, em_test),
4642 I2bv(SrcAcc | DstDI | Mov | String, em_mov),
4643 I2bv(SrcSI | DstAcc | Mov | String, em_mov),
4644 F2bv(SrcAcc | DstDI | String | NoWrite, em_cmp_r),
4645 /* 0xB0 - 0xB7 */
4646 X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
4647 /* 0xB8 - 0xBF */
4648 X8(I(DstReg | SrcImm64 | Mov, em_mov)),
4649 /* 0xC0 - 0xC7 */
4650 G(ByteOp | Src2ImmByte, group2), G(Src2ImmByte, group2),
4651 I(ImplicitOps | NearBranch | SrcImmU16, em_ret_near_imm),
4652 I(ImplicitOps | NearBranch, em_ret),
4653 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2ES, em_lseg),
4654 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2DS, em_lseg),
4655 G(ByteOp, group11), G(0, group11),
4656 /* 0xC8 - 0xCF */
4657 I(Stack | SrcImmU16 | Src2ImmByte, em_enter), I(Stack, em_leave),
4658 I(ImplicitOps | SrcImmU16, em_ret_far_imm),
4659 I(ImplicitOps, em_ret_far),
4660 D(ImplicitOps), DI(SrcImmByte, intn),
4661 D(ImplicitOps | No64), II(ImplicitOps, em_iret, iret),
4662 /* 0xD0 - 0xD7 */
4663 G(Src2One | ByteOp, group2), G(Src2One, group2),
4664 G(Src2CL | ByteOp, group2), G(Src2CL, group2),
4665 I(DstAcc | SrcImmUByte | No64, em_aam),
4666 I(DstAcc | SrcImmUByte | No64, em_aad),
4667 F(DstAcc | ByteOp | No64, em_salc),
4668 I(DstAcc | SrcXLat | ByteOp, em_mov),
4669 /* 0xD8 - 0xDF */
4670 N, E(0, &escape_d9), N, E(0, &escape_db), N, E(0, &escape_dd), N, N,
4671 /* 0xE0 - 0xE7 */
4672 X3(I(SrcImmByte | NearBranch, em_loop)),
4673 I(SrcImmByte | NearBranch, em_jcxz),
4674 I2bvIP(SrcImmUByte | DstAcc, em_in, in, check_perm_in),
4675 I2bvIP(SrcAcc | DstImmUByte, em_out, out, check_perm_out),
4676 /* 0xE8 - 0xEF */
4677 I(SrcImm | NearBranch, em_call), D(SrcImm | ImplicitOps | NearBranch),
4678 I(SrcImmFAddr | No64, em_jmp_far),
4679 D(SrcImmByte | ImplicitOps | NearBranch),
4680 I2bvIP(SrcDX | DstAcc, em_in, in, check_perm_in),
4681 I2bvIP(SrcAcc | DstDX, em_out, out, check_perm_out),
4682 /* 0xF0 - 0xF7 */
4683 N, DI(ImplicitOps, icebp), N, N,
4684 DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
4685 G(ByteOp, group3), G(0, group3),
4686 /* 0xF8 - 0xFF */
4687 D(ImplicitOps), D(ImplicitOps),
4688 I(ImplicitOps, em_cli), I(ImplicitOps, em_sti),
4689 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
4690 };
4691
4692 static const struct opcode twobyte_table[256] = {
4693 /* 0x00 - 0x0F */
4694 G(0, group6), GD(0, &group7), N, N,
4695 N, I(ImplicitOps | EmulateOnUD, em_syscall),
4696 II(ImplicitOps | Priv, em_clts, clts), N,
4697 DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
4698 N, D(ImplicitOps | ModRM | SrcMem | NoAccess), N, N,
4699 /* 0x10 - 0x1F */
4700 N, N, N, N, N, N, N, N,
4701 D(ImplicitOps | ModRM | SrcMem | NoAccess),
4702 N, N, N, N, N, N, D(ImplicitOps | ModRM | SrcMem | NoAccess),
4703 /* 0x20 - 0x2F */
4704 DIP(ModRM | DstMem | Priv | Op3264 | NoMod, cr_read, check_cr_read),
4705 DIP(ModRM | DstMem | Priv | Op3264 | NoMod, dr_read, check_dr_read),
4706 IIP(ModRM | SrcMem | Priv | Op3264 | NoMod, em_cr_write, cr_write,
4707 check_cr_write),
4708 IIP(ModRM | SrcMem | Priv | Op3264 | NoMod, em_dr_write, dr_write,
4709 check_dr_write),
4710 N, N, N, N,
4711 GP(ModRM | DstReg | SrcMem | Mov | Sse, &pfx_0f_28_0f_29),
4712 GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_28_0f_29),
4713 N, GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_2b),
4714 N, N, N, N,
4715 /* 0x30 - 0x3F */
4716 II(ImplicitOps | Priv, em_wrmsr, wrmsr),
4717 IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
4718 II(ImplicitOps | Priv, em_rdmsr, rdmsr),
4719 IIP(ImplicitOps, em_rdpmc, rdpmc, check_rdpmc),
4720 I(ImplicitOps | EmulateOnUD, em_sysenter),
4721 I(ImplicitOps | Priv | EmulateOnUD, em_sysexit),
4722 N, N,
4723 N, N, N, N, N, N, N, N,
4724 /* 0x40 - 0x4F */
4725 X16(D(DstReg | SrcMem | ModRM)),
4726 /* 0x50 - 0x5F */
4727 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4728 /* 0x60 - 0x6F */
4729 N, N, N, N,
4730 N, N, N, N,
4731 N, N, N, N,
4732 N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
4733 /* 0x70 - 0x7F */
4734 N, N, N, N,
4735 N, N, N, N,
4736 N, N, N, N,
4737 N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
4738 /* 0x80 - 0x8F */
4739 X16(D(SrcImm | NearBranch)),
4740 /* 0x90 - 0x9F */
4741 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
4742 /* 0xA0 - 0xA7 */
4743 I(Stack | Src2FS, em_push_sreg), I(Stack | Src2FS, em_pop_sreg),
4744 II(ImplicitOps, em_cpuid, cpuid),
4745 F(DstMem | SrcReg | ModRM | BitOp | NoWrite, em_bt),
4746 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shld),
4747 F(DstMem | SrcReg | Src2CL | ModRM, em_shld), N, N,
4748 /* 0xA8 - 0xAF */
4749 I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg),
4750 II(EmulateOnUD | ImplicitOps, em_rsm, rsm),
4751 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
4752 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd),
4753 F(DstMem | SrcReg | Src2CL | ModRM, em_shrd),
4754 GD(0, &group15), F(DstReg | SrcMem | ModRM, em_imul),
4755 /* 0xB0 - 0xB7 */
4756 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable | SrcWrite, em_cmpxchg),
4757 I(DstReg | SrcMemFAddr | ModRM | Src2SS, em_lseg),
4758 F(DstMem | SrcReg | ModRM | BitOp | Lock, em_btr),
4759 I(DstReg | SrcMemFAddr | ModRM | Src2FS, em_lseg),
4760 I(DstReg | SrcMemFAddr | ModRM | Src2GS, em_lseg),
4761 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4762 /* 0xB8 - 0xBF */
4763 N, N,
4764 G(BitOp, group8),
4765 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_btc),
4766 I(DstReg | SrcMem | ModRM, em_bsf_c),
4767 I(DstReg | SrcMem | ModRM, em_bsr_c),
4768 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4769 /* 0xC0 - 0xC7 */
4770 F2bv(DstMem | SrcReg | ModRM | SrcWrite | Lock, em_xadd),
4771 N, ID(0, &instr_dual_0f_c3),
4772 N, N, N, GD(0, &group9),
4773 /* 0xC8 - 0xCF */
4774 X8(I(DstReg, em_bswap)),
4775 /* 0xD0 - 0xDF */
4776 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4777 /* 0xE0 - 0xEF */
4778 N, N, N, N, N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_e7),
4779 N, N, N, N, N, N, N, N,
4780 /* 0xF0 - 0xFF */
4781 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
4782 };
4783
4784 static const struct instr_dual instr_dual_0f_38_f0 = {
4785 I(DstReg | SrcMem | Mov, em_movbe), N
4786 };
4787
4788 static const struct instr_dual instr_dual_0f_38_f1 = {
4789 I(DstMem | SrcReg | Mov, em_movbe), N
4790 };
4791
4792 static const struct gprefix three_byte_0f_38_f0 = {
4793 ID(0, &instr_dual_0f_38_f0), N, N, N
4794 };
4795
4796 static const struct gprefix three_byte_0f_38_f1 = {
4797 ID(0, &instr_dual_0f_38_f1), N, N, N
4798 };
4799
4800 /*
4801 * Insns below are selected by the prefix which indexed by the third opcode
4802 * byte.
4803 */
4804 static const struct opcode opcode_map_0f_38[256] = {
4805 /* 0x00 - 0x7f */
4806 X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
4807 /* 0x80 - 0xef */
4808 X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
4809 /* 0xf0 - 0xf1 */
4810 GP(EmulateOnUD | ModRM, &three_byte_0f_38_f0),
4811 GP(EmulateOnUD | ModRM, &three_byte_0f_38_f1),
4812 /* 0xf2 - 0xff */
4813 N, N, X4(N), X8(N)
4814 };
4815
4816 #undef D
4817 #undef N
4818 #undef G
4819 #undef GD
4820 #undef I
4821 #undef GP
4822 #undef EXT
4823 #undef MD
4824 #undef ID
4825
4826 #undef D2bv
4827 #undef D2bvIP
4828 #undef I2bv
4829 #undef I2bvIP
4830 #undef I6ALU
4831
4832 static unsigned imm_size(struct x86_emulate_ctxt *ctxt)
4833 {
4834 unsigned size;
4835
4836 size = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4837 if (size == 8)
4838 size = 4;
4839 return size;
4840 }
4841
4842 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
4843 unsigned size, bool sign_extension)
4844 {
4845 int rc = X86EMUL_CONTINUE;
4846
4847 op->type = OP_IMM;
4848 op->bytes = size;
4849 op->addr.mem.ea = ctxt->_eip;
4850 /* NB. Immediates are sign-extended as necessary. */
4851 switch (op->bytes) {
4852 case 1:
4853 op->val = insn_fetch(s8, ctxt);
4854 break;
4855 case 2:
4856 op->val = insn_fetch(s16, ctxt);
4857 break;
4858 case 4:
4859 op->val = insn_fetch(s32, ctxt);
4860 break;
4861 case 8:
4862 op->val = insn_fetch(s64, ctxt);
4863 break;
4864 }
4865 if (!sign_extension) {
4866 switch (op->bytes) {
4867 case 1:
4868 op->val &= 0xff;
4869 break;
4870 case 2:
4871 op->val &= 0xffff;
4872 break;
4873 case 4:
4874 op->val &= 0xffffffff;
4875 break;
4876 }
4877 }
4878 done:
4879 return rc;
4880 }
4881
4882 static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
4883 unsigned d)
4884 {
4885 int rc = X86EMUL_CONTINUE;
4886
4887 switch (d) {
4888 case OpReg:
4889 decode_register_operand(ctxt, op);
4890 break;
4891 case OpImmUByte:
4892 rc = decode_imm(ctxt, op, 1, false);
4893 break;
4894 case OpMem:
4895 ctxt->memop.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4896 mem_common:
4897 *op = ctxt->memop;
4898 ctxt->memopp = op;
4899 if (ctxt->d & BitOp)
4900 fetch_bit_operand(ctxt);
4901 op->orig_val = op->val;
4902 break;
4903 case OpMem64:
4904 ctxt->memop.bytes = (ctxt->op_bytes == 8) ? 16 : 8;
4905 goto mem_common;
4906 case OpAcc:
4907 op->type = OP_REG;
4908 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4909 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4910 fetch_register_operand(op);
4911 op->orig_val = op->val;
4912 break;
4913 case OpAccLo:
4914 op->type = OP_REG;
4915 op->bytes = (ctxt->d & ByteOp) ? 2 : ctxt->op_bytes;
4916 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4917 fetch_register_operand(op);
4918 op->orig_val = op->val;
4919 break;
4920 case OpAccHi:
4921 if (ctxt->d & ByteOp) {
4922 op->type = OP_NONE;
4923 break;
4924 }
4925 op->type = OP_REG;
4926 op->bytes = ctxt->op_bytes;
4927 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4928 fetch_register_operand(op);
4929 op->orig_val = op->val;
4930 break;
4931 case OpDI:
4932 op->type = OP_MEM;
4933 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4934 op->addr.mem.ea =
4935 register_address(ctxt, VCPU_REGS_RDI);
4936 op->addr.mem.seg = VCPU_SREG_ES;
4937 op->val = 0;
4938 op->count = 1;
4939 break;
4940 case OpDX:
4941 op->type = OP_REG;
4942 op->bytes = 2;
4943 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4944 fetch_register_operand(op);
4945 break;
4946 case OpCL:
4947 op->type = OP_IMM;
4948 op->bytes = 1;
4949 op->val = reg_read(ctxt, VCPU_REGS_RCX) & 0xff;
4950 break;
4951 case OpImmByte:
4952 rc = decode_imm(ctxt, op, 1, true);
4953 break;
4954 case OpOne:
4955 op->type = OP_IMM;
4956 op->bytes = 1;
4957 op->val = 1;
4958 break;
4959 case OpImm:
4960 rc = decode_imm(ctxt, op, imm_size(ctxt), true);
4961 break;
4962 case OpImm64:
4963 rc = decode_imm(ctxt, op, ctxt->op_bytes, true);
4964 break;
4965 case OpMem8:
4966 ctxt->memop.bytes = 1;
4967 if (ctxt->memop.type == OP_REG) {
4968 ctxt->memop.addr.reg = decode_register(ctxt,
4969 ctxt->modrm_rm, true);
4970 fetch_register_operand(&ctxt->memop);
4971 }
4972 goto mem_common;
4973 case OpMem16:
4974 ctxt->memop.bytes = 2;
4975 goto mem_common;
4976 case OpMem32:
4977 ctxt->memop.bytes = 4;
4978 goto mem_common;
4979 case OpImmU16:
4980 rc = decode_imm(ctxt, op, 2, false);
4981 break;
4982 case OpImmU:
4983 rc = decode_imm(ctxt, op, imm_size(ctxt), false);
4984 break;
4985 case OpSI:
4986 op->type = OP_MEM;
4987 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4988 op->addr.mem.ea =
4989 register_address(ctxt, VCPU_REGS_RSI);
4990 op->addr.mem.seg = ctxt->seg_override;
4991 op->val = 0;
4992 op->count = 1;
4993 break;
4994 case OpXLat:
4995 op->type = OP_MEM;
4996 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4997 op->addr.mem.ea =
4998 address_mask(ctxt,
4999 reg_read(ctxt, VCPU_REGS_RBX) +
5000 (reg_read(ctxt, VCPU_REGS_RAX) & 0xff));
5001 op->addr.mem.seg = ctxt->seg_override;
5002 op->val = 0;
5003 break;
5004 case OpImmFAddr:
5005 op->type = OP_IMM;
5006 op->addr.mem.ea = ctxt->_eip;
5007 op->bytes = ctxt->op_bytes + 2;
5008 insn_fetch_arr(op->valptr, op->bytes, ctxt);
5009 break;
5010 case OpMemFAddr:
5011 ctxt->memop.bytes = ctxt->op_bytes + 2;
5012 goto mem_common;
5013 case OpES:
5014 op->type = OP_IMM;
5015 op->val = VCPU_SREG_ES;
5016 break;
5017 case OpCS:
5018 op->type = OP_IMM;
5019 op->val = VCPU_SREG_CS;
5020 break;
5021 case OpSS:
5022 op->type = OP_IMM;
5023 op->val = VCPU_SREG_SS;
5024 break;
5025 case OpDS:
5026 op->type = OP_IMM;
5027 op->val = VCPU_SREG_DS;
5028 break;
5029 case OpFS:
5030 op->type = OP_IMM;
5031 op->val = VCPU_SREG_FS;
5032 break;
5033 case OpGS:
5034 op->type = OP_IMM;
5035 op->val = VCPU_SREG_GS;
5036 break;
5037 case OpImplicit:
5038 /* Special instructions do their own operand decoding. */
5039 default:
5040 op->type = OP_NONE; /* Disable writeback. */
5041 break;
5042 }
5043
5044 done:
5045 return rc;
5046 }
5047
5048 int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
5049 {
5050 int rc = X86EMUL_CONTINUE;
5051 int mode = ctxt->mode;
5052 int def_op_bytes, def_ad_bytes, goffset, simd_prefix;
5053 bool op_prefix = false;
5054 bool has_seg_override = false;
5055 struct opcode opcode;
5056 u16 dummy;
5057 struct desc_struct desc;
5058
5059 ctxt->memop.type = OP_NONE;
5060 ctxt->memopp = NULL;
5061 ctxt->_eip = ctxt->eip;
5062 ctxt->fetch.ptr = ctxt->fetch.data;
5063 ctxt->fetch.end = ctxt->fetch.data + insn_len;
5064 ctxt->opcode_len = 1;
5065 ctxt->intercept = x86_intercept_none;
5066 if (insn_len > 0)
5067 memcpy(ctxt->fetch.data, insn, insn_len);
5068 else {
5069 rc = __do_insn_fetch_bytes(ctxt, 1);
5070 if (rc != X86EMUL_CONTINUE)
5071 return rc;
5072 }
5073
5074 switch (mode) {
5075 case X86EMUL_MODE_REAL:
5076 case X86EMUL_MODE_VM86:
5077 def_op_bytes = def_ad_bytes = 2;
5078 ctxt->ops->get_segment(ctxt, &dummy, &desc, NULL, VCPU_SREG_CS);
5079 if (desc.d)
5080 def_op_bytes = def_ad_bytes = 4;
5081 break;
5082 case X86EMUL_MODE_PROT16:
5083 def_op_bytes = def_ad_bytes = 2;
5084 break;
5085 case X86EMUL_MODE_PROT32:
5086 def_op_bytes = def_ad_bytes = 4;
5087 break;
5088 #ifdef CONFIG_X86_64
5089 case X86EMUL_MODE_PROT64:
5090 def_op_bytes = 4;
5091 def_ad_bytes = 8;
5092 break;
5093 #endif
5094 default:
5095 return EMULATION_FAILED;
5096 }
5097
5098 ctxt->op_bytes = def_op_bytes;
5099 ctxt->ad_bytes = def_ad_bytes;
5100
5101 /* Legacy prefixes. */
5102 for (;;) {
5103 switch (ctxt->b = insn_fetch(u8, ctxt)) {
5104 case 0x66: /* operand-size override */
5105 op_prefix = true;
5106 /* switch between 2/4 bytes */
5107 ctxt->op_bytes = def_op_bytes ^ 6;
5108 break;
5109 case 0x67: /* address-size override */
5110 if (mode == X86EMUL_MODE_PROT64)
5111 /* switch between 4/8 bytes */
5112 ctxt->ad_bytes = def_ad_bytes ^ 12;
5113 else
5114 /* switch between 2/4 bytes */
5115 ctxt->ad_bytes = def_ad_bytes ^ 6;
5116 break;
5117 case 0x26: /* ES override */
5118 has_seg_override = true;
5119 ctxt->seg_override = VCPU_SREG_ES;
5120 break;
5121 case 0x2e: /* CS override */
5122 has_seg_override = true;
5123 ctxt->seg_override = VCPU_SREG_CS;
5124 break;
5125 case 0x36: /* SS override */
5126 has_seg_override = true;
5127 ctxt->seg_override = VCPU_SREG_SS;
5128 break;
5129 case 0x3e: /* DS override */
5130 has_seg_override = true;
5131 ctxt->seg_override = VCPU_SREG_DS;
5132 break;
5133 case 0x64: /* FS override */
5134 has_seg_override = true;
5135 ctxt->seg_override = VCPU_SREG_FS;
5136 break;
5137 case 0x65: /* GS override */
5138 has_seg_override = true;
5139 ctxt->seg_override = VCPU_SREG_GS;
5140 break;
5141 case 0x40 ... 0x4f: /* REX */
5142 if (mode != X86EMUL_MODE_PROT64)
5143 goto done_prefixes;
5144 ctxt->rex_prefix = ctxt->b;
5145 continue;
5146 case 0xf0: /* LOCK */
5147 ctxt->lock_prefix = 1;
5148 break;
5149 case 0xf2: /* REPNE/REPNZ */
5150 case 0xf3: /* REP/REPE/REPZ */
5151 ctxt->rep_prefix = ctxt->b;
5152 break;
5153 default:
5154 goto done_prefixes;
5155 }
5156
5157 /* Any legacy prefix after a REX prefix nullifies its effect. */
5158
5159 ctxt->rex_prefix = 0;
5160 }
5161
5162 done_prefixes:
5163
5164 /* REX prefix. */
5165 if (ctxt->rex_prefix & 8)
5166 ctxt->op_bytes = 8; /* REX.W */
5167
5168 /* Opcode byte(s). */
5169 opcode = opcode_table[ctxt->b];
5170 /* Two-byte opcode? */
5171 if (ctxt->b == 0x0f) {
5172 ctxt->opcode_len = 2;
5173 ctxt->b = insn_fetch(u8, ctxt);
5174 opcode = twobyte_table[ctxt->b];
5175
5176 /* 0F_38 opcode map */
5177 if (ctxt->b == 0x38) {
5178 ctxt->opcode_len = 3;
5179 ctxt->b = insn_fetch(u8, ctxt);
5180 opcode = opcode_map_0f_38[ctxt->b];
5181 }
5182 }
5183 ctxt->d = opcode.flags;
5184
5185 if (ctxt->d & ModRM)
5186 ctxt->modrm = insn_fetch(u8, ctxt);
5187
5188 /* vex-prefix instructions are not implemented */
5189 if (ctxt->opcode_len == 1 && (ctxt->b == 0xc5 || ctxt->b == 0xc4) &&
5190 (mode == X86EMUL_MODE_PROT64 || (ctxt->modrm & 0xc0) == 0xc0)) {
5191 ctxt->d = NotImpl;
5192 }
5193
5194 while (ctxt->d & GroupMask) {
5195 switch (ctxt->d & GroupMask) {
5196 case Group:
5197 goffset = (ctxt->modrm >> 3) & 7;
5198 opcode = opcode.u.group[goffset];
5199 break;
5200 case GroupDual:
5201 goffset = (ctxt->modrm >> 3) & 7;
5202 if ((ctxt->modrm >> 6) == 3)
5203 opcode = opcode.u.gdual->mod3[goffset];
5204 else
5205 opcode = opcode.u.gdual->mod012[goffset];
5206 break;
5207 case RMExt:
5208 goffset = ctxt->modrm & 7;
5209 opcode = opcode.u.group[goffset];
5210 break;
5211 case Prefix:
5212 if (ctxt->rep_prefix && op_prefix)
5213 return EMULATION_FAILED;
5214 simd_prefix = op_prefix ? 0x66 : ctxt->rep_prefix;
5215 switch (simd_prefix) {
5216 case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
5217 case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
5218 case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
5219 case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
5220 }
5221 break;
5222 case Escape:
5223 if (ctxt->modrm > 0xbf) {
5224 size_t size = ARRAY_SIZE(opcode.u.esc->high);
5225 u32 index = array_index_nospec(
5226 ctxt->modrm - 0xc0, size);
5227
5228 opcode = opcode.u.esc->high[index];
5229 } else {
5230 opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7];
5231 }
5232 break;
5233 case InstrDual:
5234 if ((ctxt->modrm >> 6) == 3)
5235 opcode = opcode.u.idual->mod3;
5236 else
5237 opcode = opcode.u.idual->mod012;
5238 break;
5239 case ModeDual:
5240 if (ctxt->mode == X86EMUL_MODE_PROT64)
5241 opcode = opcode.u.mdual->mode64;
5242 else
5243 opcode = opcode.u.mdual->mode32;
5244 break;
5245 default:
5246 return EMULATION_FAILED;
5247 }
5248
5249 ctxt->d &= ~(u64)GroupMask;
5250 ctxt->d |= opcode.flags;
5251 }
5252
5253 /* Unrecognised? */
5254 if (ctxt->d == 0)
5255 return EMULATION_FAILED;
5256
5257 ctxt->execute = opcode.u.execute;
5258
5259 if (unlikely(ctxt->ud) && likely(!(ctxt->d & EmulateOnUD)))
5260 return EMULATION_FAILED;
5261
5262 if (unlikely(ctxt->d &
5263 (NotImpl|Stack|Op3264|Sse|Mmx|Intercept|CheckPerm|NearBranch|
5264 No16))) {
5265 /*
5266 * These are copied unconditionally here, and checked unconditionally
5267 * in x86_emulate_insn.
5268 */
5269 ctxt->check_perm = opcode.check_perm;
5270 ctxt->intercept = opcode.intercept;
5271
5272 if (ctxt->d & NotImpl)
5273 return EMULATION_FAILED;
5274
5275 if (mode == X86EMUL_MODE_PROT64) {
5276 if (ctxt->op_bytes == 4 && (ctxt->d & Stack))
5277 ctxt->op_bytes = 8;
5278 else if (ctxt->d & NearBranch)
5279 ctxt->op_bytes = 8;
5280 }
5281
5282 if (ctxt->d & Op3264) {
5283 if (mode == X86EMUL_MODE_PROT64)
5284 ctxt->op_bytes = 8;
5285 else
5286 ctxt->op_bytes = 4;
5287 }
5288
5289 if ((ctxt->d & No16) && ctxt->op_bytes == 2)
5290 ctxt->op_bytes = 4;
5291
5292 if (ctxt->d & Sse)
5293 ctxt->op_bytes = 16;
5294 else if (ctxt->d & Mmx)
5295 ctxt->op_bytes = 8;
5296 }
5297
5298 /* ModRM and SIB bytes. */
5299 if (ctxt->d & ModRM) {
5300 rc = decode_modrm(ctxt, &ctxt->memop);
5301 if (!has_seg_override) {
5302 has_seg_override = true;
5303 ctxt->seg_override = ctxt->modrm_seg;
5304 }
5305 } else if (ctxt->d & MemAbs)
5306 rc = decode_abs(ctxt, &ctxt->memop);
5307 if (rc != X86EMUL_CONTINUE)
5308 goto done;
5309
5310 if (!has_seg_override)
5311 ctxt->seg_override = VCPU_SREG_DS;
5312
5313 ctxt->memop.addr.mem.seg = ctxt->seg_override;
5314
5315 /*
5316 * Decode and fetch the source operand: register, memory
5317 * or immediate.
5318 */
5319 rc = decode_operand(ctxt, &ctxt->src, (ctxt->d >> SrcShift) & OpMask);
5320 if (rc != X86EMUL_CONTINUE)
5321 goto done;
5322
5323 /*
5324 * Decode and fetch the second source operand: register, memory
5325 * or immediate.
5326 */
5327 rc = decode_operand(ctxt, &ctxt->src2, (ctxt->d >> Src2Shift) & OpMask);
5328 if (rc != X86EMUL_CONTINUE)
5329 goto done;
5330
5331 /* Decode and fetch the destination operand: register or memory. */
5332 rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
5333
5334 if (ctxt->rip_relative && likely(ctxt->memopp))
5335 ctxt->memopp->addr.mem.ea = address_mask(ctxt,
5336 ctxt->memopp->addr.mem.ea + ctxt->_eip);
5337
5338 done:
5339 if (rc == X86EMUL_PROPAGATE_FAULT)
5340 ctxt->have_exception = true;
5341 return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
5342 }
5343
5344 bool x86_page_table_writing_insn(struct x86_emulate_ctxt *ctxt)
5345 {
5346 return ctxt->d & PageTable;
5347 }
5348
5349 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
5350 {
5351 /* The second termination condition only applies for REPE
5352 * and REPNE. Test if the repeat string operation prefix is
5353 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
5354 * corresponding termination condition according to:
5355 * - if REPE/REPZ and ZF = 0 then done
5356 * - if REPNE/REPNZ and ZF = 1 then done
5357 */
5358 if (((ctxt->b == 0xa6) || (ctxt->b == 0xa7) ||
5359 (ctxt->b == 0xae) || (ctxt->b == 0xaf))
5360 && (((ctxt->rep_prefix == REPE_PREFIX) &&
5361 ((ctxt->eflags & X86_EFLAGS_ZF) == 0))
5362 || ((ctxt->rep_prefix == REPNE_PREFIX) &&
5363 ((ctxt->eflags & X86_EFLAGS_ZF) == X86_EFLAGS_ZF))))
5364 return true;
5365
5366 return false;
5367 }
5368
5369 static int flush_pending_x87_faults(struct x86_emulate_ctxt *ctxt)
5370 {
5371 int rc;
5372
5373 ctxt->ops->get_fpu(ctxt);
5374 rc = asm_safe("fwait");
5375 ctxt->ops->put_fpu(ctxt);
5376
5377 if (unlikely(rc != X86EMUL_CONTINUE))
5378 return emulate_exception(ctxt, MF_VECTOR, 0, false);
5379
5380 return X86EMUL_CONTINUE;
5381 }
5382
5383 static void fetch_possible_mmx_operand(struct x86_emulate_ctxt *ctxt,
5384 struct operand *op)
5385 {
5386 if (op->type == OP_MM)
5387 read_mmx_reg(ctxt, &op->mm_val, op->addr.mm);
5388 }
5389
5390 static int fastop(struct x86_emulate_ctxt *ctxt, void (*fop)(struct fastop *))
5391 {
5392 ulong flags = (ctxt->eflags & EFLAGS_MASK) | X86_EFLAGS_IF;
5393
5394 if (!(ctxt->d & ByteOp))
5395 fop += __ffs(ctxt->dst.bytes) * FASTOP_SIZE;
5396
5397 asm("push %[flags]; popf; " CALL_NOSPEC " ; pushf; pop %[flags]\n"
5398 : "+a"(ctxt->dst.val), "+d"(ctxt->src.val), [flags]"+D"(flags),
5399 [thunk_target]"+S"(fop), ASM_CALL_CONSTRAINT
5400 : "c"(ctxt->src2.val));
5401
5402 ctxt->eflags = (ctxt->eflags & ~EFLAGS_MASK) | (flags & EFLAGS_MASK);
5403 if (!fop) /* exception is returned in fop variable */
5404 return emulate_de(ctxt);
5405 return X86EMUL_CONTINUE;
5406 }
5407
5408 void init_decode_cache(struct x86_emulate_ctxt *ctxt)
5409 {
5410 memset(&ctxt->rip_relative, 0,
5411 (void *)&ctxt->modrm - (void *)&ctxt->rip_relative);
5412
5413 ctxt->io_read.pos = 0;
5414 ctxt->io_read.end = 0;
5415 ctxt->mem_read.end = 0;
5416 }
5417
5418 int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
5419 {
5420 const struct x86_emulate_ops *ops = ctxt->ops;
5421 int rc = X86EMUL_CONTINUE;
5422 int saved_dst_type = ctxt->dst.type;
5423 unsigned emul_flags;
5424
5425 ctxt->mem_read.pos = 0;
5426
5427 /* LOCK prefix is allowed only with some instructions */
5428 if (ctxt->lock_prefix && (!(ctxt->d & Lock) || ctxt->dst.type != OP_MEM)) {
5429 rc = emulate_ud(ctxt);
5430 goto done;
5431 }
5432
5433 if ((ctxt->d & SrcMask) == SrcMemFAddr && ctxt->src.type != OP_MEM) {
5434 rc = emulate_ud(ctxt);
5435 goto done;
5436 }
5437
5438 emul_flags = ctxt->ops->get_hflags(ctxt);
5439 if (unlikely(ctxt->d &
5440 (No64|Undefined|Sse|Mmx|Intercept|CheckPerm|Priv|Prot|String))) {
5441 if ((ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) ||
5442 (ctxt->d & Undefined)) {
5443 rc = emulate_ud(ctxt);
5444 goto done;
5445 }
5446
5447 if (((ctxt->d & (Sse|Mmx)) && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)))
5448 || ((ctxt->d & Sse) && !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
5449 rc = emulate_ud(ctxt);
5450 goto done;
5451 }
5452
5453 if ((ctxt->d & (Sse|Mmx)) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
5454 rc = emulate_nm(ctxt);
5455 goto done;
5456 }
5457
5458 if (ctxt->d & Mmx) {
5459 rc = flush_pending_x87_faults(ctxt);
5460 if (rc != X86EMUL_CONTINUE)
5461 goto done;
5462 /*
5463 * Now that we know the fpu is exception safe, we can fetch
5464 * operands from it.
5465 */
5466 fetch_possible_mmx_operand(ctxt, &ctxt->src);
5467 fetch_possible_mmx_operand(ctxt, &ctxt->src2);
5468 if (!(ctxt->d & Mov))
5469 fetch_possible_mmx_operand(ctxt, &ctxt->dst);
5470 }
5471
5472 if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && ctxt->intercept) {
5473 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5474 X86_ICPT_PRE_EXCEPT);
5475 if (rc != X86EMUL_CONTINUE)
5476 goto done;
5477 }
5478
5479 /* Instruction can only be executed in protected mode */
5480 if ((ctxt->d & Prot) && ctxt->mode < X86EMUL_MODE_PROT16) {
5481 rc = emulate_ud(ctxt);
5482 goto done;
5483 }
5484
5485 /* Privileged instruction can be executed only in CPL=0 */
5486 if ((ctxt->d & Priv) && ops->cpl(ctxt)) {
5487 if (ctxt->d & PrivUD)
5488 rc = emulate_ud(ctxt);
5489 else
5490 rc = emulate_gp(ctxt, 0);
5491 goto done;
5492 }
5493
5494 /* Do instruction specific permission checks */
5495 if (ctxt->d & CheckPerm) {
5496 rc = ctxt->check_perm(ctxt);
5497 if (rc != X86EMUL_CONTINUE)
5498 goto done;
5499 }
5500
5501 if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
5502 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5503 X86_ICPT_POST_EXCEPT);
5504 if (rc != X86EMUL_CONTINUE)
5505 goto done;
5506 }
5507
5508 if (ctxt->rep_prefix && (ctxt->d & String)) {
5509 /* All REP prefixes have the same first termination condition */
5510 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0) {
5511 string_registers_quirk(ctxt);
5512 ctxt->eip = ctxt->_eip;
5513 ctxt->eflags &= ~X86_EFLAGS_RF;
5514 goto done;
5515 }
5516 }
5517 }
5518
5519 if ((ctxt->src.type == OP_MEM) && !(ctxt->d & NoAccess)) {
5520 rc = segmented_read(ctxt, ctxt->src.addr.mem,
5521 ctxt->src.valptr, ctxt->src.bytes);
5522 if (rc != X86EMUL_CONTINUE)
5523 goto done;
5524 ctxt->src.orig_val64 = ctxt->src.val64;
5525 }
5526
5527 if (ctxt->src2.type == OP_MEM) {
5528 rc = segmented_read(ctxt, ctxt->src2.addr.mem,
5529 &ctxt->src2.val, ctxt->src2.bytes);
5530 if (rc != X86EMUL_CONTINUE)
5531 goto done;
5532 }
5533
5534 if ((ctxt->d & DstMask) == ImplicitOps)
5535 goto special_insn;
5536
5537
5538 if ((ctxt->dst.type == OP_MEM) && !(ctxt->d & Mov)) {
5539 /* optimisation - avoid slow emulated read if Mov */
5540 rc = segmented_read(ctxt, ctxt->dst.addr.mem,
5541 &ctxt->dst.val, ctxt->dst.bytes);
5542 if (rc != X86EMUL_CONTINUE) {
5543 if (!(ctxt->d & NoWrite) &&
5544 rc == X86EMUL_PROPAGATE_FAULT &&
5545 ctxt->exception.vector == PF_VECTOR)
5546 ctxt->exception.error_code |= PFERR_WRITE_MASK;
5547 goto done;
5548 }
5549 }
5550 /* Copy full 64-bit value for CMPXCHG8B. */
5551 ctxt->dst.orig_val64 = ctxt->dst.val64;
5552
5553 special_insn:
5554
5555 if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
5556 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5557 X86_ICPT_POST_MEMACCESS);
5558 if (rc != X86EMUL_CONTINUE)
5559 goto done;
5560 }
5561
5562 if (ctxt->rep_prefix && (ctxt->d & String))
5563 ctxt->eflags |= X86_EFLAGS_RF;
5564 else
5565 ctxt->eflags &= ~X86_EFLAGS_RF;
5566
5567 if (ctxt->execute) {
5568 if (ctxt->d & Fastop) {
5569 void (*fop)(struct fastop *) = (void *)ctxt->execute;
5570 rc = fastop(ctxt, fop);
5571 if (rc != X86EMUL_CONTINUE)
5572 goto done;
5573 goto writeback;
5574 }
5575 rc = ctxt->execute(ctxt);
5576 if (rc != X86EMUL_CONTINUE)
5577 goto done;
5578 goto writeback;
5579 }
5580
5581 if (ctxt->opcode_len == 2)
5582 goto twobyte_insn;
5583 else if (ctxt->opcode_len == 3)
5584 goto threebyte_insn;
5585
5586 switch (ctxt->b) {
5587 case 0x70 ... 0x7f: /* jcc (short) */
5588 if (test_cc(ctxt->b, ctxt->eflags))
5589 rc = jmp_rel(ctxt, ctxt->src.val);
5590 break;
5591 case 0x8d: /* lea r16/r32, m */
5592 ctxt->dst.val = ctxt->src.addr.mem.ea;
5593 break;
5594 case 0x90 ... 0x97: /* nop / xchg reg, rax */
5595 if (ctxt->dst.addr.reg == reg_rmw(ctxt, VCPU_REGS_RAX))
5596 ctxt->dst.type = OP_NONE;
5597 else
5598 rc = em_xchg(ctxt);
5599 break;
5600 case 0x98: /* cbw/cwde/cdqe */
5601 switch (ctxt->op_bytes) {
5602 case 2: ctxt->dst.val = (s8)ctxt->dst.val; break;
5603 case 4: ctxt->dst.val = (s16)ctxt->dst.val; break;
5604 case 8: ctxt->dst.val = (s32)ctxt->dst.val; break;
5605 }
5606 break;
5607 case 0xcc: /* int3 */
5608 rc = emulate_int(ctxt, 3);
5609 break;
5610 case 0xcd: /* int n */
5611 rc = emulate_int(ctxt, ctxt->src.val);
5612 break;
5613 case 0xce: /* into */
5614 if (ctxt->eflags & X86_EFLAGS_OF)
5615 rc = emulate_int(ctxt, 4);
5616 break;
5617 case 0xe9: /* jmp rel */
5618 case 0xeb: /* jmp rel short */
5619 rc = jmp_rel(ctxt, ctxt->src.val);
5620 ctxt->dst.type = OP_NONE; /* Disable writeback. */
5621 break;
5622 case 0xf4: /* hlt */
5623 ctxt->ops->halt(ctxt);
5624 break;
5625 case 0xf5: /* cmc */
5626 /* complement carry flag from eflags reg */
5627 ctxt->eflags ^= X86_EFLAGS_CF;
5628 break;
5629 case 0xf8: /* clc */
5630 ctxt->eflags &= ~X86_EFLAGS_CF;
5631 break;
5632 case 0xf9: /* stc */
5633 ctxt->eflags |= X86_EFLAGS_CF;
5634 break;
5635 case 0xfc: /* cld */
5636 ctxt->eflags &= ~X86_EFLAGS_DF;
5637 break;
5638 case 0xfd: /* std */
5639 ctxt->eflags |= X86_EFLAGS_DF;
5640 break;
5641 default:
5642 goto cannot_emulate;
5643 }
5644
5645 if (rc != X86EMUL_CONTINUE)
5646 goto done;
5647
5648 writeback:
5649 if (ctxt->d & SrcWrite) {
5650 BUG_ON(ctxt->src.type == OP_MEM || ctxt->src.type == OP_MEM_STR);
5651 rc = writeback(ctxt, &ctxt->src);
5652 if (rc != X86EMUL_CONTINUE)
5653 goto done;
5654 }
5655 if (!(ctxt->d & NoWrite)) {
5656 rc = writeback(ctxt, &ctxt->dst);
5657 if (rc != X86EMUL_CONTINUE)
5658 goto done;
5659 }
5660
5661 /*
5662 * restore dst type in case the decoding will be reused
5663 * (happens for string instruction )
5664 */
5665 ctxt->dst.type = saved_dst_type;
5666
5667 if ((ctxt->d & SrcMask) == SrcSI)
5668 string_addr_inc(ctxt, VCPU_REGS_RSI, &ctxt->src);
5669
5670 if ((ctxt->d & DstMask) == DstDI)
5671 string_addr_inc(ctxt, VCPU_REGS_RDI, &ctxt->dst);
5672
5673 if (ctxt->rep_prefix && (ctxt->d & String)) {
5674 unsigned int count;
5675 struct read_cache *r = &ctxt->io_read;
5676 if ((ctxt->d & SrcMask) == SrcSI)
5677 count = ctxt->src.count;
5678 else
5679 count = ctxt->dst.count;
5680 register_address_increment(ctxt, VCPU_REGS_RCX, -count);
5681
5682 if (!string_insn_completed(ctxt)) {
5683 /*
5684 * Re-enter guest when pio read ahead buffer is empty
5685 * or, if it is not used, after each 1024 iteration.
5686 */
5687 if ((r->end != 0 || reg_read(ctxt, VCPU_REGS_RCX) & 0x3ff) &&
5688 (r->end == 0 || r->end != r->pos)) {
5689 /*
5690 * Reset read cache. Usually happens before
5691 * decode, but since instruction is restarted
5692 * we have to do it here.
5693 */
5694 ctxt->mem_read.end = 0;
5695 writeback_registers(ctxt);
5696 return EMULATION_RESTART;
5697 }
5698 goto done; /* skip rip writeback */
5699 }
5700 ctxt->eflags &= ~X86_EFLAGS_RF;
5701 }
5702
5703 ctxt->eip = ctxt->_eip;
5704
5705 done:
5706 if (rc == X86EMUL_PROPAGATE_FAULT) {
5707 WARN_ON(ctxt->exception.vector > 0x1f);
5708 ctxt->have_exception = true;
5709 }
5710 if (rc == X86EMUL_INTERCEPTED)
5711 return EMULATION_INTERCEPTED;
5712
5713 if (rc == X86EMUL_CONTINUE)
5714 writeback_registers(ctxt);
5715
5716 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
5717
5718 twobyte_insn:
5719 switch (ctxt->b) {
5720 case 0x09: /* wbinvd */
5721 (ctxt->ops->wbinvd)(ctxt);
5722 break;
5723 case 0x08: /* invd */
5724 case 0x0d: /* GrpP (prefetch) */
5725 case 0x18: /* Grp16 (prefetch/nop) */
5726 case 0x1f: /* nop */
5727 break;
5728 case 0x20: /* mov cr, reg */
5729 ctxt->dst.val = ops->get_cr(ctxt, ctxt->modrm_reg);
5730 break;
5731 case 0x21: /* mov from dr to reg */
5732 ops->get_dr(ctxt, ctxt->modrm_reg, &ctxt->dst.val);
5733 break;
5734 case 0x40 ... 0x4f: /* cmov */
5735 if (test_cc(ctxt->b, ctxt->eflags))
5736 ctxt->dst.val = ctxt->src.val;
5737 else if (ctxt->op_bytes != 4)
5738 ctxt->dst.type = OP_NONE; /* no writeback */
5739 break;
5740 case 0x80 ... 0x8f: /* jnz rel, etc*/
5741 if (test_cc(ctxt->b, ctxt->eflags))
5742 rc = jmp_rel(ctxt, ctxt->src.val);
5743 break;
5744 case 0x90 ... 0x9f: /* setcc r/m8 */
5745 ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
5746 break;
5747 case 0xb6 ... 0xb7: /* movzx */
5748 ctxt->dst.bytes = ctxt->op_bytes;
5749 ctxt->dst.val = (ctxt->src.bytes == 1) ? (u8) ctxt->src.val
5750 : (u16) ctxt->src.val;
5751 break;
5752 case 0xbe ... 0xbf: /* movsx */
5753 ctxt->dst.bytes = ctxt->op_bytes;
5754 ctxt->dst.val = (ctxt->src.bytes == 1) ? (s8) ctxt->src.val :
5755 (s16) ctxt->src.val;
5756 break;
5757 default:
5758 goto cannot_emulate;
5759 }
5760
5761 threebyte_insn:
5762
5763 if (rc != X86EMUL_CONTINUE)
5764 goto done;
5765
5766 goto writeback;
5767
5768 cannot_emulate:
5769 return EMULATION_FAILED;
5770 }
5771
5772 void emulator_invalidate_register_cache(struct x86_emulate_ctxt *ctxt)
5773 {
5774 invalidate_registers(ctxt);
5775 }
5776
5777 void emulator_writeback_register_cache(struct x86_emulate_ctxt *ctxt)
5778 {
5779 writeback_registers(ctxt);
5780 }
5781
5782 bool emulator_can_use_gpa(struct x86_emulate_ctxt *ctxt)
5783 {
5784 if (ctxt->rep_prefix && (ctxt->d & String))
5785 return false;
5786
5787 if (ctxt->d & TwoMemOp)
5788 return false;
5789
5790 return true;
5791 }
Linux with added FPC-III support