search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ARM: dma-api: fix max_pfn off-by-one error in __dma_supported()
[linux/fpc-iii.git] / arch / x86 / kvm / emulate.c
blobddbc61984227c3dbee763ed3759e9a5351f32606
1 // SPDX-License-Identifier: GPL-2.0-only
2 /******************************************************************************
3 * emulate.c
4 *
5 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 *
7 * Copyright (c) 2005 Keir Fraser
8 *
9 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
10 * privileged instructions:
11 *
12 * Copyright (C) 2006 Qumranet
13 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
14 *
15 * Avi Kivity <avi@qumranet.com>
16 * Yaniv Kamay <yaniv@qumranet.com>
17 *
18 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
19 */
20
21 #include <linux/kvm_host.h>
22 #include "kvm_cache_regs.h"
23 #include <asm/kvm_emulate.h>
24 #include <linux/stringify.h>
25 #include <asm/fpu/api.h>
26 #include <asm/debugreg.h>
27 #include <asm/nospec-branch.h>
28
29 #include "x86.h"
30 #include "tss.h"
31 #include "mmu.h"
32 #include "pmu.h"
33
34 /*
35 * Operand types
36 */
37 #define OpNone 0ull
38 #define OpImplicit 1ull /* No generic decode */
39 #define OpReg 2ull /* Register */
40 #define OpMem 3ull /* Memory */
41 #define OpAcc 4ull /* Accumulator: AL/AX/EAX/RAX */
42 #define OpDI 5ull /* ES:DI/EDI/RDI */
43 #define OpMem64 6ull /* Memory, 64-bit */
44 #define OpImmUByte 7ull /* Zero-extended 8-bit immediate */
45 #define OpDX 8ull /* DX register */
46 #define OpCL 9ull /* CL register (for shifts) */
47 #define OpImmByte 10ull /* 8-bit sign extended immediate */
48 #define OpOne 11ull /* Implied 1 */
49 #define OpImm 12ull /* Sign extended up to 32-bit immediate */
50 #define OpMem16 13ull /* Memory operand (16-bit). */
51 #define OpMem32 14ull /* Memory operand (32-bit). */
52 #define OpImmU 15ull /* Immediate operand, zero extended */
53 #define OpSI 16ull /* SI/ESI/RSI */
54 #define OpImmFAddr 17ull /* Immediate far address */
55 #define OpMemFAddr 18ull /* Far address in memory */
56 #define OpImmU16 19ull /* Immediate operand, 16 bits, zero extended */
57 #define OpES 20ull /* ES */
58 #define OpCS 21ull /* CS */
59 #define OpSS 22ull /* SS */
60 #define OpDS 23ull /* DS */
61 #define OpFS 24ull /* FS */
62 #define OpGS 25ull /* GS */
63 #define OpMem8 26ull /* 8-bit zero extended memory operand */
64 #define OpImm64 27ull /* Sign extended 16/32/64-bit immediate */
65 #define OpXLat 28ull /* memory at BX/EBX/RBX + zero-extended AL */
66 #define OpAccLo 29ull /* Low part of extended acc (AX/AX/EAX/RAX) */
67 #define OpAccHi 30ull /* High part of extended acc (-/DX/EDX/RDX) */
68
69 #define OpBits 5 /* Width of operand field */
70 #define OpMask ((1ull << OpBits) - 1)
71
72 /*
73 * Opcode effective-address decode tables.
74 * Note that we only emulate instructions that have at least one memory
75 * operand (excluding implicit stack references). We assume that stack
76 * references and instruction fetches will never occur in special memory
77 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
78 * not be handled.
79 */
80
81 /* Operand sizes: 8-bit operands or specified/overridden size. */
82 #define ByteOp (1<<0) /* 8-bit operands. */
83 /* Destination operand type. */
84 #define DstShift 1
85 #define ImplicitOps (OpImplicit << DstShift)
86 #define DstReg (OpReg << DstShift)
87 #define DstMem (OpMem << DstShift)
88 #define DstAcc (OpAcc << DstShift)
89 #define DstDI (OpDI << DstShift)
90 #define DstMem64 (OpMem64 << DstShift)
91 #define DstMem16 (OpMem16 << DstShift)
92 #define DstImmUByte (OpImmUByte << DstShift)
93 #define DstDX (OpDX << DstShift)
94 #define DstAccLo (OpAccLo << DstShift)
95 #define DstMask (OpMask << DstShift)
96 /* Source operand type. */
97 #define SrcShift 6
98 #define SrcNone (OpNone << SrcShift)
99 #define SrcReg (OpReg << SrcShift)
100 #define SrcMem (OpMem << SrcShift)
101 #define SrcMem16 (OpMem16 << SrcShift)
102 #define SrcMem32 (OpMem32 << SrcShift)
103 #define SrcImm (OpImm << SrcShift)
104 #define SrcImmByte (OpImmByte << SrcShift)
105 #define SrcOne (OpOne << SrcShift)
106 #define SrcImmUByte (OpImmUByte << SrcShift)
107 #define SrcImmU (OpImmU << SrcShift)
108 #define SrcSI (OpSI << SrcShift)
109 #define SrcXLat (OpXLat << SrcShift)
110 #define SrcImmFAddr (OpImmFAddr << SrcShift)
111 #define SrcMemFAddr (OpMemFAddr << SrcShift)
112 #define SrcAcc (OpAcc << SrcShift)
113 #define SrcImmU16 (OpImmU16 << SrcShift)
114 #define SrcImm64 (OpImm64 << SrcShift)
115 #define SrcDX (OpDX << SrcShift)
116 #define SrcMem8 (OpMem8 << SrcShift)
117 #define SrcAccHi (OpAccHi << SrcShift)
118 #define SrcMask (OpMask << SrcShift)
119 #define BitOp (1<<11)
120 #define MemAbs (1<<12) /* Memory operand is absolute displacement */
121 #define String (1<<13) /* String instruction (rep capable) */
122 #define Stack (1<<14) /* Stack instruction (push/pop) */
123 #define GroupMask (7<<15) /* Opcode uses one of the group mechanisms */
124 #define Group (1<<15) /* Bits 3:5 of modrm byte extend opcode */
125 #define GroupDual (2<<15) /* Alternate decoding of mod == 3 */
126 #define Prefix (3<<15) /* Instruction varies with 66/f2/f3 prefix */
127 #define RMExt (4<<15) /* Opcode extension in ModRM r/m if mod == 3 */
128 #define Escape (5<<15) /* Escape to coprocessor instruction */
129 #define InstrDual (6<<15) /* Alternate instruction decoding of mod == 3 */
130 #define ModeDual (7<<15) /* Different instruction for 32/64 bit */
131 #define Sse (1<<18) /* SSE Vector instruction */
132 /* Generic ModRM decode. */
133 #define ModRM (1<<19)
134 /* Destination is only written; never read. */
135 #define Mov (1<<20)
136 /* Misc flags */
137 #define Prot (1<<21) /* instruction generates #UD if not in prot-mode */
138 #define EmulateOnUD (1<<22) /* Emulate if unsupported by the host */
139 #define NoAccess (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
140 #define Op3264 (1<<24) /* Operand is 64b in long mode, 32b otherwise */
141 #define Undefined (1<<25) /* No Such Instruction */
142 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
143 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
144 #define No64 (1<<28)
145 #define PageTable (1 << 29) /* instruction used to write page table */
146 #define NotImpl (1 << 30) /* instruction is not implemented */
147 /* Source 2 operand type */
148 #define Src2Shift (31)
149 #define Src2None (OpNone << Src2Shift)
150 #define Src2Mem (OpMem << Src2Shift)
151 #define Src2CL (OpCL << Src2Shift)
152 #define Src2ImmByte (OpImmByte << Src2Shift)
153 #define Src2One (OpOne << Src2Shift)
154 #define Src2Imm (OpImm << Src2Shift)
155 #define Src2ES (OpES << Src2Shift)
156 #define Src2CS (OpCS << Src2Shift)
157 #define Src2SS (OpSS << Src2Shift)
158 #define Src2DS (OpDS << Src2Shift)
159 #define Src2FS (OpFS << Src2Shift)
160 #define Src2GS (OpGS << Src2Shift)
161 #define Src2Mask (OpMask << Src2Shift)
162 #define Mmx ((u64)1 << 40) /* MMX Vector instruction */
163 #define AlignMask ((u64)7 << 41)
164 #define Aligned ((u64)1 << 41) /* Explicitly aligned (e.g. MOVDQA) */
165 #define Unaligned ((u64)2 << 41) /* Explicitly unaligned (e.g. MOVDQU) */
166 #define Avx ((u64)3 << 41) /* Advanced Vector Extensions */
167 #define Aligned16 ((u64)4 << 41) /* Aligned to 16 byte boundary (e.g. FXSAVE) */
168 #define Fastop ((u64)1 << 44) /* Use opcode::u.fastop */
169 #define NoWrite ((u64)1 << 45) /* No writeback */
170 #define SrcWrite ((u64)1 << 46) /* Write back src operand */
171 #define NoMod ((u64)1 << 47) /* Mod field is ignored */
172 #define Intercept ((u64)1 << 48) /* Has valid intercept field */
173 #define CheckPerm ((u64)1 << 49) /* Has valid check_perm field */
174 #define PrivUD ((u64)1 << 51) /* #UD instead of #GP on CPL > 0 */
175 #define NearBranch ((u64)1 << 52) /* Near branches */
176 #define No16 ((u64)1 << 53) /* No 16 bit operand */
177 #define IncSP ((u64)1 << 54) /* SP is incremented before ModRM calc */
178 #define TwoMemOp ((u64)1 << 55) /* Instruction has two memory operand */
179
180 #define DstXacc (DstAccLo | SrcAccHi | SrcWrite)
181
182 #define X2(x...) x, x
183 #define X3(x...) X2(x), x
184 #define X4(x...) X2(x), X2(x)
185 #define X5(x...) X4(x), x
186 #define X6(x...) X4(x), X2(x)
187 #define X7(x...) X4(x), X3(x)
188 #define X8(x...) X4(x), X4(x)
189 #define X16(x...) X8(x), X8(x)
190
191 #define NR_FASTOP (ilog2(sizeof(ulong)) + 1)
192 #define FASTOP_SIZE 8
193
194 /*
195 * fastop functions have a special calling convention:
196 *
197 * dst: rax (in/out)
198 * src: rdx (in/out)
199 * src2: rcx (in)
200 * flags: rflags (in/out)
201 * ex: rsi (in:fastop pointer, out:zero if exception)
202 *
203 * Moreover, they are all exactly FASTOP_SIZE bytes long, so functions for
204 * different operand sizes can be reached by calculation, rather than a jump
205 * table (which would be bigger than the code).
206 *
207 * fastop functions are declared as taking a never-defined fastop parameter,
208 * so they can't be called from C directly.
209 */
210
211 struct fastop;
212
213 struct opcode {
214 u64 flags : 56;
215 u64 intercept : 8;
216 union {
217 int (*execute)(struct x86_emulate_ctxt *ctxt);
218 const struct opcode *group;
219 const struct group_dual *gdual;
220 const struct gprefix *gprefix;
221 const struct escape *esc;
222 const struct instr_dual *idual;
223 const struct mode_dual *mdual;
224 void (*fastop)(struct fastop *fake);
225 } u;
226 int (*check_perm)(struct x86_emulate_ctxt *ctxt);
227 };
228
229 struct group_dual {
230 struct opcode mod012[8];
231 struct opcode mod3[8];
232 };
233
234 struct gprefix {
235 struct opcode pfx_no;
236 struct opcode pfx_66;
237 struct opcode pfx_f2;
238 struct opcode pfx_f3;
239 };
240
241 struct escape {
242 struct opcode op[8];
243 struct opcode high[64];
244 };
245
246 struct instr_dual {
247 struct opcode mod012;
248 struct opcode mod3;
249 };
250
251 struct mode_dual {
252 struct opcode mode32;
253 struct opcode mode64;
254 };
255
256 #define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
257
258 enum x86_transfer_type {
259 X86_TRANSFER_NONE,
260 X86_TRANSFER_CALL_JMP,
261 X86_TRANSFER_RET,
262 X86_TRANSFER_TASK_SWITCH,
263 };
264
265 static ulong reg_read(struct x86_emulate_ctxt *ctxt, unsigned nr)
266 {
267 if (!(ctxt->regs_valid & (1 << nr))) {
268 ctxt->regs_valid |= 1 << nr;
269 ctxt->_regs[nr] = ctxt->ops->read_gpr(ctxt, nr);
270 }
271 return ctxt->_regs[nr];
272 }
273
274 static ulong *reg_write(struct x86_emulate_ctxt *ctxt, unsigned nr)
275 {
276 ctxt->regs_valid |= 1 << nr;
277 ctxt->regs_dirty |= 1 << nr;
278 return &ctxt->_regs[nr];
279 }
280
281 static ulong *reg_rmw(struct x86_emulate_ctxt *ctxt, unsigned nr)
282 {
283 reg_read(ctxt, nr);
284 return reg_write(ctxt, nr);
285 }
286
287 static void writeback_registers(struct x86_emulate_ctxt *ctxt)
288 {
289 unsigned reg;
290
291 for_each_set_bit(reg, (ulong *)&ctxt->regs_dirty, 16)
292 ctxt->ops->write_gpr(ctxt, reg, ctxt->_regs[reg]);
293 }
294
295 static void invalidate_registers(struct x86_emulate_ctxt *ctxt)
296 {
297 ctxt->regs_dirty = 0;
298 ctxt->regs_valid = 0;
299 }
300
301 /*
302 * These EFLAGS bits are restored from saved value during emulation, and
303 * any changes are written back to the saved value after emulation.
304 */
305 #define EFLAGS_MASK (X86_EFLAGS_OF|X86_EFLAGS_SF|X86_EFLAGS_ZF|X86_EFLAGS_AF|\
306 X86_EFLAGS_PF|X86_EFLAGS_CF)
307
308 #ifdef CONFIG_X86_64
309 #define ON64(x) x
310 #else
311 #define ON64(x)
312 #endif
313
314 typedef void (*fastop_t)(struct fastop *);
315
316 static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop);
317
318 #define __FOP_FUNC(name) \
319 ".align " __stringify(FASTOP_SIZE) " \n\t" \
320 ".type " name ", @function \n\t" \
321 name ":\n\t"
322
323 #define FOP_FUNC(name) \
324 __FOP_FUNC(#name)
325
326 #define __FOP_RET(name) \
327 "ret \n\t" \
328 ".size " name ", .-" name "\n\t"
329
330 #define FOP_RET(name) \
331 __FOP_RET(#name)
332
333 #define FOP_START(op) \
334 extern void em_##op(struct fastop *fake); \
335 asm(".pushsection .text, \"ax\" \n\t" \
336 ".global em_" #op " \n\t" \
337 ".align " __stringify(FASTOP_SIZE) " \n\t" \
338 "em_" #op ":\n\t"
339
340 #define FOP_END \
341 ".popsection")
342
343 #define __FOPNOP(name) \
344 __FOP_FUNC(name) \
345 __FOP_RET(name)
346
347 #define FOPNOP() \
348 __FOPNOP(__stringify(__UNIQUE_ID(nop)))
349
350 #define FOP1E(op, dst) \
351 __FOP_FUNC(#op "_" #dst) \
352 "10: " #op " %" #dst " \n\t" \
353 __FOP_RET(#op "_" #dst)
354
355 #define FOP1EEX(op, dst) \
356 FOP1E(op, dst) _ASM_EXTABLE(10b, kvm_fastop_exception)
357
358 #define FASTOP1(op) \
359 FOP_START(op) \
360 FOP1E(op##b, al) \
361 FOP1E(op##w, ax) \
362 FOP1E(op##l, eax) \
363 ON64(FOP1E(op##q, rax)) \
364 FOP_END
365
366 /* 1-operand, using src2 (for MUL/DIV r/m) */
367 #define FASTOP1SRC2(op, name) \
368 FOP_START(name) \
369 FOP1E(op, cl) \
370 FOP1E(op, cx) \
371 FOP1E(op, ecx) \
372 ON64(FOP1E(op, rcx)) \
373 FOP_END
374
375 /* 1-operand, using src2 (for MUL/DIV r/m), with exceptions */
376 #define FASTOP1SRC2EX(op, name) \
377 FOP_START(name) \
378 FOP1EEX(op, cl) \
379 FOP1EEX(op, cx) \
380 FOP1EEX(op, ecx) \
381 ON64(FOP1EEX(op, rcx)) \
382 FOP_END
383
384 #define FOP2E(op, dst, src) \
385 __FOP_FUNC(#op "_" #dst "_" #src) \
386 #op " %" #src ", %" #dst " \n\t" \
387 __FOP_RET(#op "_" #dst "_" #src)
388
389 #define FASTOP2(op) \
390 FOP_START(op) \
391 FOP2E(op##b, al, dl) \
392 FOP2E(op##w, ax, dx) \
393 FOP2E(op##l, eax, edx) \
394 ON64(FOP2E(op##q, rax, rdx)) \
395 FOP_END
396
397 /* 2 operand, word only */
398 #define FASTOP2W(op) \
399 FOP_START(op) \
400 FOPNOP() \
401 FOP2E(op##w, ax, dx) \
402 FOP2E(op##l, eax, edx) \
403 ON64(FOP2E(op##q, rax, rdx)) \
404 FOP_END
405
406 /* 2 operand, src is CL */
407 #define FASTOP2CL(op) \
408 FOP_START(op) \
409 FOP2E(op##b, al, cl) \
410 FOP2E(op##w, ax, cl) \
411 FOP2E(op##l, eax, cl) \
412 ON64(FOP2E(op##q, rax, cl)) \
413 FOP_END
414
415 /* 2 operand, src and dest are reversed */
416 #define FASTOP2R(op, name) \
417 FOP_START(name) \
418 FOP2E(op##b, dl, al) \
419 FOP2E(op##w, dx, ax) \
420 FOP2E(op##l, edx, eax) \
421 ON64(FOP2E(op##q, rdx, rax)) \
422 FOP_END
423
424 #define FOP3E(op, dst, src, src2) \
425 __FOP_FUNC(#op "_" #dst "_" #src "_" #src2) \
426 #op " %" #src2 ", %" #src ", %" #dst " \n\t"\
427 __FOP_RET(#op "_" #dst "_" #src "_" #src2)
428
429 /* 3-operand, word-only, src2=cl */
430 #define FASTOP3WCL(op) \
431 FOP_START(op) \
432 FOPNOP() \
433 FOP3E(op##w, ax, dx, cl) \
434 FOP3E(op##l, eax, edx, cl) \
435 ON64(FOP3E(op##q, rax, rdx, cl)) \
436 FOP_END
437
438 /* Special case for SETcc - 1 instruction per cc */
439 #define FOP_SETCC(op) \
440 ".align 4 \n\t" \
441 ".type " #op ", @function \n\t" \
442 #op ": \n\t" \
443 #op " %al \n\t" \
444 __FOP_RET(#op)
445
446 asm(".pushsection .fixup, \"ax\"\n"
447 ".global kvm_fastop_exception \n"
448 "kvm_fastop_exception: xor %esi, %esi; ret\n"
449 ".popsection");
450
451 FOP_START(setcc)
452 FOP_SETCC(seto)
453 FOP_SETCC(setno)
454 FOP_SETCC(setc)
455 FOP_SETCC(setnc)
456 FOP_SETCC(setz)
457 FOP_SETCC(setnz)
458 FOP_SETCC(setbe)
459 FOP_SETCC(setnbe)
460 FOP_SETCC(sets)
461 FOP_SETCC(setns)
462 FOP_SETCC(setp)
463 FOP_SETCC(setnp)
464 FOP_SETCC(setl)
465 FOP_SETCC(setnl)
466 FOP_SETCC(setle)
467 FOP_SETCC(setnle)
468 FOP_END;
469
470 FOP_START(salc)
471 FOP_FUNC(salc)
472 "pushf; sbb %al, %al; popf \n\t"
473 FOP_RET(salc)
474 FOP_END;
475
476 /*
477 * XXX: inoutclob user must know where the argument is being expanded.
478 * Relying on CONFIG_CC_HAS_ASM_GOTO would allow us to remove _fault.
479 */
480 #define asm_safe(insn, inoutclob...) \
481 ({ \
482 int _fault = 0; \
483 \
484 asm volatile("1:" insn "\n" \
485 "2:\n" \
486 ".pushsection .fixup, \"ax\"\n" \
487 "3: movl $1, %[_fault]\n" \
488 " jmp 2b\n" \
489 ".popsection\n" \
490 _ASM_EXTABLE(1b, 3b) \
491 : [_fault] "+qm"(_fault) inoutclob ); \
492 \
493 _fault ? X86EMUL_UNHANDLEABLE : X86EMUL_CONTINUE; \
494 })
495
496 static int emulator_check_intercept(struct x86_emulate_ctxt *ctxt,
497 enum x86_intercept intercept,
498 enum x86_intercept_stage stage)
499 {
500 struct x86_instruction_info info = {
501 .intercept = intercept,
502 .rep_prefix = ctxt->rep_prefix,
503 .modrm_mod = ctxt->modrm_mod,
504 .modrm_reg = ctxt->modrm_reg,
505 .modrm_rm = ctxt->modrm_rm,
506 .src_val = ctxt->src.val64,
507 .dst_val = ctxt->dst.val64,
508 .src_bytes = ctxt->src.bytes,
509 .dst_bytes = ctxt->dst.bytes,
510 .ad_bytes = ctxt->ad_bytes,
511 .next_rip = ctxt->eip,
512 };
513
514 return ctxt->ops->intercept(ctxt, &info, stage);
515 }
516
517 static void assign_masked(ulong *dest, ulong src, ulong mask)
518 {
519 *dest = (*dest & ~mask) | (src & mask);
520 }
521
522 static void assign_register(unsigned long *reg, u64 val, int bytes)
523 {
524 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
525 switch (bytes) {
526 case 1:
527 *(u8 *)reg = (u8)val;
528 break;
529 case 2:
530 *(u16 *)reg = (u16)val;
531 break;
532 case 4:
533 *reg = (u32)val;
534 break; /* 64b: zero-extend */
535 case 8:
536 *reg = val;
537 break;
538 }
539 }
540
541 static inline unsigned long ad_mask(struct x86_emulate_ctxt *ctxt)
542 {
543 return (1UL << (ctxt->ad_bytes << 3)) - 1;
544 }
545
546 static ulong stack_mask(struct x86_emulate_ctxt *ctxt)
547 {
548 u16 sel;
549 struct desc_struct ss;
550
551 if (ctxt->mode == X86EMUL_MODE_PROT64)
552 return ~0UL;
553 ctxt->ops->get_segment(ctxt, &sel, &ss, NULL, VCPU_SREG_SS);
554 return ~0U >> ((ss.d ^ 1) * 16); /* d=0: 0xffff; d=1: 0xffffffff */
555 }
556
557 static int stack_size(struct x86_emulate_ctxt *ctxt)
558 {
559 return (__fls(stack_mask(ctxt)) + 1) >> 3;
560 }
561
562 /* Access/update address held in a register, based on addressing mode. */
563 static inline unsigned long
564 address_mask(struct x86_emulate_ctxt *ctxt, unsigned long reg)
565 {
566 if (ctxt->ad_bytes == sizeof(unsigned long))
567 return reg;
568 else
569 return reg & ad_mask(ctxt);
570 }
571
572 static inline unsigned long
573 register_address(struct x86_emulate_ctxt *ctxt, int reg)
574 {
575 return address_mask(ctxt, reg_read(ctxt, reg));
576 }
577
578 static void masked_increment(ulong *reg, ulong mask, int inc)
579 {
580 assign_masked(reg, *reg + inc, mask);
581 }
582
583 static inline void
584 register_address_increment(struct x86_emulate_ctxt *ctxt, int reg, int inc)
585 {
586 ulong *preg = reg_rmw(ctxt, reg);
587
588 assign_register(preg, *preg + inc, ctxt->ad_bytes);
589 }
590
591 static void rsp_increment(struct x86_emulate_ctxt *ctxt, int inc)
592 {
593 masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc);
594 }
595
596 static u32 desc_limit_scaled(struct desc_struct *desc)
597 {
598 u32 limit = get_desc_limit(desc);
599
600 return desc->g ? (limit << 12) | 0xfff : limit;
601 }
602
603 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
604 {
605 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
606 return 0;
607
608 return ctxt->ops->get_cached_segment_base(ctxt, seg);
609 }
610
611 static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
612 u32 error, bool valid)
613 {
614 WARN_ON(vec > 0x1f);
615 ctxt->exception.vector = vec;
616 ctxt->exception.error_code = error;
617 ctxt->exception.error_code_valid = valid;
618 return X86EMUL_PROPAGATE_FAULT;
619 }
620
621 static int emulate_db(struct x86_emulate_ctxt *ctxt)
622 {
623 return emulate_exception(ctxt, DB_VECTOR, 0, false);
624 }
625
626 static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
627 {
628 return emulate_exception(ctxt, GP_VECTOR, err, true);
629 }
630
631 static int emulate_ss(struct x86_emulate_ctxt *ctxt, int err)
632 {
633 return emulate_exception(ctxt, SS_VECTOR, err, true);
634 }
635
636 static int emulate_ud(struct x86_emulate_ctxt *ctxt)
637 {
638 return emulate_exception(ctxt, UD_VECTOR, 0, false);
639 }
640
641 static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
642 {
643 return emulate_exception(ctxt, TS_VECTOR, err, true);
644 }
645
646 static int emulate_de(struct x86_emulate_ctxt *ctxt)
647 {
648 return emulate_exception(ctxt, DE_VECTOR, 0, false);
649 }
650
651 static int emulate_nm(struct x86_emulate_ctxt *ctxt)
652 {
653 return emulate_exception(ctxt, NM_VECTOR, 0, false);
654 }
655
656 static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
657 {
658 u16 selector;
659 struct desc_struct desc;
660
661 ctxt->ops->get_segment(ctxt, &selector, &desc, NULL, seg);
662 return selector;
663 }
664
665 static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
666 unsigned seg)
667 {
668 u16 dummy;
669 u32 base3;
670 struct desc_struct desc;
671
672 ctxt->ops->get_segment(ctxt, &dummy, &desc, &base3, seg);
673 ctxt->ops->set_segment(ctxt, selector, &desc, base3, seg);
674 }
675
676 /*
677 * x86 defines three classes of vector instructions: explicitly
678 * aligned, explicitly unaligned, and the rest, which change behaviour
679 * depending on whether they're AVX encoded or not.
680 *
681 * Also included is CMPXCHG16B which is not a vector instruction, yet it is
682 * subject to the same check. FXSAVE and FXRSTOR are checked here too as their
683 * 512 bytes of data must be aligned to a 16 byte boundary.
684 */
685 static unsigned insn_alignment(struct x86_emulate_ctxt *ctxt, unsigned size)
686 {
687 u64 alignment = ctxt->d & AlignMask;
688
689 if (likely(size < 16))
690 return 1;
691
692 switch (alignment) {
693 case Unaligned:
694 case Avx:
695 return 1;
696 case Aligned16:
697 return 16;
698 case Aligned:
699 default:
700 return size;
701 }
702 }
703
704 static __always_inline int __linearize(struct x86_emulate_ctxt *ctxt,
705 struct segmented_address addr,
706 unsigned *max_size, unsigned size,
707 bool write, bool fetch,
708 enum x86emul_mode mode, ulong *linear)
709 {
710 struct desc_struct desc;
711 bool usable;
712 ulong la;
713 u32 lim;
714 u16 sel;
715 u8 va_bits;
716
717 la = seg_base(ctxt, addr.seg) + addr.ea;
718 *max_size = 0;
719 switch (mode) {
720 case X86EMUL_MODE_PROT64:
721 *linear = la;
722 va_bits = ctxt_virt_addr_bits(ctxt);
723 if (get_canonical(la, va_bits) != la)
724 goto bad;
725
726 *max_size = min_t(u64, ~0u, (1ull << va_bits) - la);
727 if (size > *max_size)
728 goto bad;
729 break;
730 default:
731 *linear = la = (u32)la;
732 usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
733 addr.seg);
734 if (!usable)
735 goto bad;
736 /* code segment in protected mode or read-only data segment */
737 if ((((ctxt->mode != X86EMUL_MODE_REAL) && (desc.type & 8))
738 || !(desc.type & 2)) && write)
739 goto bad;
740 /* unreadable code segment */
741 if (!fetch && (desc.type & 8) && !(desc.type & 2))
742 goto bad;
743 lim = desc_limit_scaled(&desc);
744 if (!(desc.type & 8) && (desc.type & 4)) {
745 /* expand-down segment */
746 if (addr.ea <= lim)
747 goto bad;
748 lim = desc.d ? 0xffffffff : 0xffff;
749 }
750 if (addr.ea > lim)
751 goto bad;
752 if (lim == 0xffffffff)
753 *max_size = ~0u;
754 else {
755 *max_size = (u64)lim + 1 - addr.ea;
756 if (size > *max_size)
757 goto bad;
758 }
759 break;
760 }
761 if (la & (insn_alignment(ctxt, size) - 1))
762 return emulate_gp(ctxt, 0);
763 return X86EMUL_CONTINUE;
764 bad:
765 if (addr.seg == VCPU_SREG_SS)
766 return emulate_ss(ctxt, 0);
767 else
768 return emulate_gp(ctxt, 0);
769 }
770
771 static int linearize(struct x86_emulate_ctxt *ctxt,
772 struct segmented_address addr,
773 unsigned size, bool write,
774 ulong *linear)
775 {
776 unsigned max_size;
777 return __linearize(ctxt, addr, &max_size, size, write, false,
778 ctxt->mode, linear);
779 }
780
781 static inline int assign_eip(struct x86_emulate_ctxt *ctxt, ulong dst,
782 enum x86emul_mode mode)
783 {
784 ulong linear;
785 int rc;
786 unsigned max_size;
787 struct segmented_address addr = { .seg = VCPU_SREG_CS,
788 .ea = dst };
789
790 if (ctxt->op_bytes != sizeof(unsigned long))
791 addr.ea = dst & ((1UL << (ctxt->op_bytes << 3)) - 1);
792 rc = __linearize(ctxt, addr, &max_size, 1, false, true, mode, &linear);
793 if (rc == X86EMUL_CONTINUE)
794 ctxt->_eip = addr.ea;
795 return rc;
796 }
797
798 static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
799 {
800 return assign_eip(ctxt, dst, ctxt->mode);
801 }
802
803 static int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst,
804 const struct desc_struct *cs_desc)
805 {
806 enum x86emul_mode mode = ctxt->mode;
807 int rc;
808
809 #ifdef CONFIG_X86_64
810 if (ctxt->mode >= X86EMUL_MODE_PROT16) {
811 if (cs_desc->l) {
812 u64 efer = 0;
813
814 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
815 if (efer & EFER_LMA)
816 mode = X86EMUL_MODE_PROT64;
817 } else
818 mode = X86EMUL_MODE_PROT32; /* temporary value */
819 }
820 #endif
821 if (mode == X86EMUL_MODE_PROT16 || mode == X86EMUL_MODE_PROT32)
822 mode = cs_desc->d ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16;
823 rc = assign_eip(ctxt, dst, mode);
824 if (rc == X86EMUL_CONTINUE)
825 ctxt->mode = mode;
826 return rc;
827 }
828
829 static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
830 {
831 return assign_eip_near(ctxt, ctxt->_eip + rel);
832 }
833
834 static int linear_read_system(struct x86_emulate_ctxt *ctxt, ulong linear,
835 void *data, unsigned size)
836 {
837 return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception, true);
838 }
839
840 static int linear_write_system(struct x86_emulate_ctxt *ctxt,
841 ulong linear, void *data,
842 unsigned int size)
843 {
844 return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception, true);
845 }
846
847 static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
848 struct segmented_address addr,
849 void *data,
850 unsigned size)
851 {
852 int rc;
853 ulong linear;
854
855 rc = linearize(ctxt, addr, size, false, &linear);
856 if (rc != X86EMUL_CONTINUE)
857 return rc;
858 return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception, false);
859 }
860
861 static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
862 struct segmented_address addr,
863 void *data,
864 unsigned int size)
865 {
866 int rc;
867 ulong linear;
868
869 rc = linearize(ctxt, addr, size, true, &linear);
870 if (rc != X86EMUL_CONTINUE)
871 return rc;
872 return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception, false);
873 }
874
875 /*
876 * Prefetch the remaining bytes of the instruction without crossing page
877 * boundary if they are not in fetch_cache yet.
878 */
879 static int __do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt, int op_size)
880 {
881 int rc;
882 unsigned size, max_size;
883 unsigned long linear;
884 int cur_size = ctxt->fetch.end - ctxt->fetch.data;
885 struct segmented_address addr = { .seg = VCPU_SREG_CS,
886 .ea = ctxt->eip + cur_size };
887
888 /*
889 * We do not know exactly how many bytes will be needed, and
890 * __linearize is expensive, so fetch as much as possible. We
891 * just have to avoid going beyond the 15 byte limit, the end
892 * of the segment, or the end of the page.
893 *
894 * __linearize is called with size 0 so that it does not do any
895 * boundary check itself. Instead, we use max_size to check
896 * against op_size.
897 */
898 rc = __linearize(ctxt, addr, &max_size, 0, false, true, ctxt->mode,
899 &linear);
900 if (unlikely(rc != X86EMUL_CONTINUE))
901 return rc;
902
903 size = min_t(unsigned, 15UL ^ cur_size, max_size);
904 size = min_t(unsigned, size, PAGE_SIZE - offset_in_page(linear));
905
906 /*
907 * One instruction can only straddle two pages,
908 * and one has been loaded at the beginning of
909 * x86_decode_insn. So, if not enough bytes
910 * still, we must have hit the 15-byte boundary.
911 */
912 if (unlikely(size < op_size))
913 return emulate_gp(ctxt, 0);
914
915 rc = ctxt->ops->fetch(ctxt, linear, ctxt->fetch.end,
916 size, &ctxt->exception);
917 if (unlikely(rc != X86EMUL_CONTINUE))
918 return rc;
919 ctxt->fetch.end += size;
920 return X86EMUL_CONTINUE;
921 }
922
923 static __always_inline int do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt,
924 unsigned size)
925 {
926 unsigned done_size = ctxt->fetch.end - ctxt->fetch.ptr;
927
928 if (unlikely(done_size < size))
929 return __do_insn_fetch_bytes(ctxt, size - done_size);
930 else
931 return X86EMUL_CONTINUE;
932 }
933
934 /* Fetch next part of the instruction being emulated. */
935 #define insn_fetch(_type, _ctxt) \
936 ({ _type _x; \
937 \
938 rc = do_insn_fetch_bytes(_ctxt, sizeof(_type)); \
939 if (rc != X86EMUL_CONTINUE) \
940 goto done; \
941 ctxt->_eip += sizeof(_type); \
942 memcpy(&_x, ctxt->fetch.ptr, sizeof(_type)); \
943 ctxt->fetch.ptr += sizeof(_type); \
944 _x; \
945 })
946
947 #define insn_fetch_arr(_arr, _size, _ctxt) \
948 ({ \
949 rc = do_insn_fetch_bytes(_ctxt, _size); \
950 if (rc != X86EMUL_CONTINUE) \
951 goto done; \
952 ctxt->_eip += (_size); \
953 memcpy(_arr, ctxt->fetch.ptr, _size); \
954 ctxt->fetch.ptr += (_size); \
955 })
956
957 /*
958 * Given the 'reg' portion of a ModRM byte, and a register block, return a
959 * pointer into the block that addresses the relevant register.
960 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
961 */
962 static void *decode_register(struct x86_emulate_ctxt *ctxt, u8 modrm_reg,
963 int byteop)
964 {
965 void *p;
966 int highbyte_regs = (ctxt->rex_prefix == 0) && byteop;
967
968 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
969 p = (unsigned char *)reg_rmw(ctxt, modrm_reg & 3) + 1;
970 else
971 p = reg_rmw(ctxt, modrm_reg);
972 return p;
973 }
974
975 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
976 struct segmented_address addr,
977 u16 *size, unsigned long *address, int op_bytes)
978 {
979 int rc;
980
981 if (op_bytes == 2)
982 op_bytes = 3;
983 *address = 0;
984 rc = segmented_read_std(ctxt, addr, size, 2);
985 if (rc != X86EMUL_CONTINUE)
986 return rc;
987 addr.ea += 2;
988 rc = segmented_read_std(ctxt, addr, address, op_bytes);
989 return rc;
990 }
991
992 FASTOP2(add);
993 FASTOP2(or);
994 FASTOP2(adc);
995 FASTOP2(sbb);
996 FASTOP2(and);
997 FASTOP2(sub);
998 FASTOP2(xor);
999 FASTOP2(cmp);
1000 FASTOP2(test);
1001
1002 FASTOP1SRC2(mul, mul_ex);
1003 FASTOP1SRC2(imul, imul_ex);
1004 FASTOP1SRC2EX(div, div_ex);
1005 FASTOP1SRC2EX(idiv, idiv_ex);
1006
1007 FASTOP3WCL(shld);
1008 FASTOP3WCL(shrd);
1009
1010 FASTOP2W(imul);
1011
1012 FASTOP1(not);
1013 FASTOP1(neg);
1014 FASTOP1(inc);
1015 FASTOP1(dec);
1016
1017 FASTOP2CL(rol);
1018 FASTOP2CL(ror);
1019 FASTOP2CL(rcl);
1020 FASTOP2CL(rcr);
1021 FASTOP2CL(shl);
1022 FASTOP2CL(shr);
1023 FASTOP2CL(sar);
1024
1025 FASTOP2W(bsf);
1026 FASTOP2W(bsr);
1027 FASTOP2W(bt);
1028 FASTOP2W(bts);
1029 FASTOP2W(btr);
1030 FASTOP2W(btc);
1031
1032 FASTOP2(xadd);
1033
1034 FASTOP2R(cmp, cmp_r);
1035
1036 static int em_bsf_c(struct x86_emulate_ctxt *ctxt)
1037 {
1038 /* If src is zero, do not writeback, but update flags */
1039 if (ctxt->src.val == 0)
1040 ctxt->dst.type = OP_NONE;
1041 return fastop(ctxt, em_bsf);
1042 }
1043
1044 static int em_bsr_c(struct x86_emulate_ctxt *ctxt)
1045 {
1046 /* If src is zero, do not writeback, but update flags */
1047 if (ctxt->src.val == 0)
1048 ctxt->dst.type = OP_NONE;
1049 return fastop(ctxt, em_bsr);
1050 }
1051
1052 static __always_inline u8 test_cc(unsigned int condition, unsigned long flags)
1053 {
1054 u8 rc;
1055 void (*fop)(void) = (void *)em_setcc + 4 * (condition & 0xf);
1056
1057 flags = (flags & EFLAGS_MASK) | X86_EFLAGS_IF;
1058 asm("push %[flags]; popf; " CALL_NOSPEC
1059 : "=a"(rc) : [thunk_target]"r"(fop), [flags]"r"(flags));
1060 return rc;
1061 }
1062
1063 static void fetch_register_operand(struct operand *op)
1064 {
1065 switch (op->bytes) {
1066 case 1:
1067 op->val = *(u8 *)op->addr.reg;
1068 break;
1069 case 2:
1070 op->val = *(u16 *)op->addr.reg;
1071 break;
1072 case 4:
1073 op->val = *(u32 *)op->addr.reg;
1074 break;
1075 case 8:
1076 op->val = *(u64 *)op->addr.reg;
1077 break;
1078 }
1079 }
1080
1081 static void emulator_get_fpu(void)
1082 {
1083 fpregs_lock();
1084
1085 fpregs_assert_state_consistent();
1086 if (test_thread_flag(TIF_NEED_FPU_LOAD))
1087 switch_fpu_return();
1088 }
1089
1090 static void emulator_put_fpu(void)
1091 {
1092 fpregs_unlock();
1093 }
1094
1095 static void read_sse_reg(sse128_t *data, int reg)
1096 {
1097 emulator_get_fpu();
1098 switch (reg) {
1099 case 0: asm("movdqa %%xmm0, %0" : "=m"(*data)); break;
1100 case 1: asm("movdqa %%xmm1, %0" : "=m"(*data)); break;
1101 case 2: asm("movdqa %%xmm2, %0" : "=m"(*data)); break;
1102 case 3: asm("movdqa %%xmm3, %0" : "=m"(*data)); break;
1103 case 4: asm("movdqa %%xmm4, %0" : "=m"(*data)); break;
1104 case 5: asm("movdqa %%xmm5, %0" : "=m"(*data)); break;
1105 case 6: asm("movdqa %%xmm6, %0" : "=m"(*data)); break;
1106 case 7: asm("movdqa %%xmm7, %0" : "=m"(*data)); break;
1107 #ifdef CONFIG_X86_64
1108 case 8: asm("movdqa %%xmm8, %0" : "=m"(*data)); break;
1109 case 9: asm("movdqa %%xmm9, %0" : "=m"(*data)); break;
1110 case 10: asm("movdqa %%xmm10, %0" : "=m"(*data)); break;
1111 case 11: asm("movdqa %%xmm11, %0" : "=m"(*data)); break;
1112 case 12: asm("movdqa %%xmm12, %0" : "=m"(*data)); break;
1113 case 13: asm("movdqa %%xmm13, %0" : "=m"(*data)); break;
1114 case 14: asm("movdqa %%xmm14, %0" : "=m"(*data)); break;
1115 case 15: asm("movdqa %%xmm15, %0" : "=m"(*data)); break;
1116 #endif
1117 default: BUG();
1118 }
1119 emulator_put_fpu();
1120 }
1121
1122 static void write_sse_reg(sse128_t *data, int reg)
1123 {
1124 emulator_get_fpu();
1125 switch (reg) {
1126 case 0: asm("movdqa %0, %%xmm0" : : "m"(*data)); break;
1127 case 1: asm("movdqa %0, %%xmm1" : : "m"(*data)); break;
1128 case 2: asm("movdqa %0, %%xmm2" : : "m"(*data)); break;
1129 case 3: asm("movdqa %0, %%xmm3" : : "m"(*data)); break;
1130 case 4: asm("movdqa %0, %%xmm4" : : "m"(*data)); break;
1131 case 5: asm("movdqa %0, %%xmm5" : : "m"(*data)); break;
1132 case 6: asm("movdqa %0, %%xmm6" : : "m"(*data)); break;
1133 case 7: asm("movdqa %0, %%xmm7" : : "m"(*data)); break;
1134 #ifdef CONFIG_X86_64
1135 case 8: asm("movdqa %0, %%xmm8" : : "m"(*data)); break;
1136 case 9: asm("movdqa %0, %%xmm9" : : "m"(*data)); break;
1137 case 10: asm("movdqa %0, %%xmm10" : : "m"(*data)); break;
1138 case 11: asm("movdqa %0, %%xmm11" : : "m"(*data)); break;
1139 case 12: asm("movdqa %0, %%xmm12" : : "m"(*data)); break;
1140 case 13: asm("movdqa %0, %%xmm13" : : "m"(*data)); break;
1141 case 14: asm("movdqa %0, %%xmm14" : : "m"(*data)); break;
1142 case 15: asm("movdqa %0, %%xmm15" : : "m"(*data)); break;
1143 #endif
1144 default: BUG();
1145 }
1146 emulator_put_fpu();
1147 }
1148
1149 static void read_mmx_reg(u64 *data, int reg)
1150 {
1151 emulator_get_fpu();
1152 switch (reg) {
1153 case 0: asm("movq %%mm0, %0" : "=m"(*data)); break;
1154 case 1: asm("movq %%mm1, %0" : "=m"(*data)); break;
1155 case 2: asm("movq %%mm2, %0" : "=m"(*data)); break;
1156 case 3: asm("movq %%mm3, %0" : "=m"(*data)); break;
1157 case 4: asm("movq %%mm4, %0" : "=m"(*data)); break;
1158 case 5: asm("movq %%mm5, %0" : "=m"(*data)); break;
1159 case 6: asm("movq %%mm6, %0" : "=m"(*data)); break;
1160 case 7: asm("movq %%mm7, %0" : "=m"(*data)); break;
1161 default: BUG();
1162 }
1163 emulator_put_fpu();
1164 }
1165
1166 static void write_mmx_reg(u64 *data, int reg)
1167 {
1168 emulator_get_fpu();
1169 switch (reg) {
1170 case 0: asm("movq %0, %%mm0" : : "m"(*data)); break;
1171 case 1: asm("movq %0, %%mm1" : : "m"(*data)); break;
1172 case 2: asm("movq %0, %%mm2" : : "m"(*data)); break;
1173 case 3: asm("movq %0, %%mm3" : : "m"(*data)); break;
1174 case 4: asm("movq %0, %%mm4" : : "m"(*data)); break;
1175 case 5: asm("movq %0, %%mm5" : : "m"(*data)); break;
1176 case 6: asm("movq %0, %%mm6" : : "m"(*data)); break;
1177 case 7: asm("movq %0, %%mm7" : : "m"(*data)); break;
1178 default: BUG();
1179 }
1180 emulator_put_fpu();
1181 }
1182
1183 static int em_fninit(struct x86_emulate_ctxt *ctxt)
1184 {
1185 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1186 return emulate_nm(ctxt);
1187
1188 emulator_get_fpu();
1189 asm volatile("fninit");
1190 emulator_put_fpu();
1191 return X86EMUL_CONTINUE;
1192 }
1193
1194 static int em_fnstcw(struct x86_emulate_ctxt *ctxt)
1195 {
1196 u16 fcw;
1197
1198 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1199 return emulate_nm(ctxt);
1200
1201 emulator_get_fpu();
1202 asm volatile("fnstcw %0": "+m"(fcw));
1203 emulator_put_fpu();
1204
1205 ctxt->dst.val = fcw;
1206
1207 return X86EMUL_CONTINUE;
1208 }
1209
1210 static int em_fnstsw(struct x86_emulate_ctxt *ctxt)
1211 {
1212 u16 fsw;
1213
1214 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1215 return emulate_nm(ctxt);
1216
1217 emulator_get_fpu();
1218 asm volatile("fnstsw %0": "+m"(fsw));
1219 emulator_put_fpu();
1220
1221 ctxt->dst.val = fsw;
1222
1223 return X86EMUL_CONTINUE;
1224 }
1225
1226 static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
1227 struct operand *op)
1228 {
1229 unsigned reg = ctxt->modrm_reg;
1230
1231 if (!(ctxt->d & ModRM))
1232 reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3);
1233
1234 if (ctxt->d & Sse) {
1235 op->type = OP_XMM;
1236 op->bytes = 16;
1237 op->addr.xmm = reg;
1238 read_sse_reg(&op->vec_val, reg);
1239 return;
1240 }
1241 if (ctxt->d & Mmx) {
1242 reg &= 7;
1243 op->type = OP_MM;
1244 op->bytes = 8;
1245 op->addr.mm = reg;
1246 return;
1247 }
1248
1249 op->type = OP_REG;
1250 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1251 op->addr.reg = decode_register(ctxt, reg, ctxt->d & ByteOp);
1252
1253 fetch_register_operand(op);
1254 op->orig_val = op->val;
1255 }
1256
1257 static void adjust_modrm_seg(struct x86_emulate_ctxt *ctxt, int base_reg)
1258 {
1259 if (base_reg == VCPU_REGS_RSP || base_reg == VCPU_REGS_RBP)
1260 ctxt->modrm_seg = VCPU_SREG_SS;
1261 }
1262
1263 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
1264 struct operand *op)
1265 {
1266 u8 sib;
1267 int index_reg, base_reg, scale;
1268 int rc = X86EMUL_CONTINUE;
1269 ulong modrm_ea = 0;
1270
1271 ctxt->modrm_reg = ((ctxt->rex_prefix << 1) & 8); /* REX.R */
1272 index_reg = (ctxt->rex_prefix << 2) & 8; /* REX.X */
1273 base_reg = (ctxt->rex_prefix << 3) & 8; /* REX.B */
1274
1275 ctxt->modrm_mod = (ctxt->modrm & 0xc0) >> 6;
1276 ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
1277 ctxt->modrm_rm = base_reg | (ctxt->modrm & 0x07);
1278 ctxt->modrm_seg = VCPU_SREG_DS;
1279
1280 if (ctxt->modrm_mod == 3 || (ctxt->d & NoMod)) {
1281 op->type = OP_REG;
1282 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1283 op->addr.reg = decode_register(ctxt, ctxt->modrm_rm,
1284 ctxt->d & ByteOp);
1285 if (ctxt->d & Sse) {
1286 op->type = OP_XMM;
1287 op->bytes = 16;
1288 op->addr.xmm = ctxt->modrm_rm;
1289 read_sse_reg(&op->vec_val, ctxt->modrm_rm);
1290 return rc;
1291 }
1292 if (ctxt->d & Mmx) {
1293 op->type = OP_MM;
1294 op->bytes = 8;
1295 op->addr.mm = ctxt->modrm_rm & 7;
1296 return rc;
1297 }
1298 fetch_register_operand(op);
1299 return rc;
1300 }
1301
1302 op->type = OP_MEM;
1303
1304 if (ctxt->ad_bytes == 2) {
1305 unsigned bx = reg_read(ctxt, VCPU_REGS_RBX);
1306 unsigned bp = reg_read(ctxt, VCPU_REGS_RBP);
1307 unsigned si = reg_read(ctxt, VCPU_REGS_RSI);
1308 unsigned di = reg_read(ctxt, VCPU_REGS_RDI);
1309
1310 /* 16-bit ModR/M decode. */
1311 switch (ctxt->modrm_mod) {
1312 case 0:
1313 if (ctxt->modrm_rm == 6)
1314 modrm_ea += insn_fetch(u16, ctxt);
1315 break;
1316 case 1:
1317 modrm_ea += insn_fetch(s8, ctxt);
1318 break;
1319 case 2:
1320 modrm_ea += insn_fetch(u16, ctxt);
1321 break;
1322 }
1323 switch (ctxt->modrm_rm) {
1324 case 0:
1325 modrm_ea += bx + si;
1326 break;
1327 case 1:
1328 modrm_ea += bx + di;
1329 break;
1330 case 2:
1331 modrm_ea += bp + si;
1332 break;
1333 case 3:
1334 modrm_ea += bp + di;
1335 break;
1336 case 4:
1337 modrm_ea += si;
1338 break;
1339 case 5:
1340 modrm_ea += di;
1341 break;
1342 case 6:
1343 if (ctxt->modrm_mod != 0)
1344 modrm_ea += bp;
1345 break;
1346 case 7:
1347 modrm_ea += bx;
1348 break;
1349 }
1350 if (ctxt->modrm_rm == 2 || ctxt->modrm_rm == 3 ||
1351 (ctxt->modrm_rm == 6 && ctxt->modrm_mod != 0))
1352 ctxt->modrm_seg = VCPU_SREG_SS;
1353 modrm_ea = (u16)modrm_ea;
1354 } else {
1355 /* 32/64-bit ModR/M decode. */
1356 if ((ctxt->modrm_rm & 7) == 4) {
1357 sib = insn_fetch(u8, ctxt);
1358 index_reg |= (sib >> 3) & 7;
1359 base_reg |= sib & 7;
1360 scale = sib >> 6;
1361
1362 if ((base_reg & 7) == 5 && ctxt->modrm_mod == 0)
1363 modrm_ea += insn_fetch(s32, ctxt);
1364 else {
1365 modrm_ea += reg_read(ctxt, base_reg);
1366 adjust_modrm_seg(ctxt, base_reg);
1367 /* Increment ESP on POP [ESP] */
1368 if ((ctxt->d & IncSP) &&
1369 base_reg == VCPU_REGS_RSP)
1370 modrm_ea += ctxt->op_bytes;
1371 }
1372 if (index_reg != 4)
1373 modrm_ea += reg_read(ctxt, index_reg) << scale;
1374 } else if ((ctxt->modrm_rm & 7) == 5 && ctxt->modrm_mod == 0) {
1375 modrm_ea += insn_fetch(s32, ctxt);
1376 if (ctxt->mode == X86EMUL_MODE_PROT64)
1377 ctxt->rip_relative = 1;
1378 } else {
1379 base_reg = ctxt->modrm_rm;
1380 modrm_ea += reg_read(ctxt, base_reg);
1381 adjust_modrm_seg(ctxt, base_reg);
1382 }
1383 switch (ctxt->modrm_mod) {
1384 case 1:
1385 modrm_ea += insn_fetch(s8, ctxt);
1386 break;
1387 case 2:
1388 modrm_ea += insn_fetch(s32, ctxt);
1389 break;
1390 }
1391 }
1392 op->addr.mem.ea = modrm_ea;
1393 if (ctxt->ad_bytes != 8)
1394 ctxt->memop.addr.mem.ea = (u32)ctxt->memop.addr.mem.ea;
1395
1396 done:
1397 return rc;
1398 }
1399
1400 static int decode_abs(struct x86_emulate_ctxt *ctxt,
1401 struct operand *op)
1402 {
1403 int rc = X86EMUL_CONTINUE;
1404
1405 op->type = OP_MEM;
1406 switch (ctxt->ad_bytes) {
1407 case 2:
1408 op->addr.mem.ea = insn_fetch(u16, ctxt);
1409 break;
1410 case 4:
1411 op->addr.mem.ea = insn_fetch(u32, ctxt);
1412 break;
1413 case 8:
1414 op->addr.mem.ea = insn_fetch(u64, ctxt);
1415 break;
1416 }
1417 done:
1418 return rc;
1419 }
1420
1421 static void fetch_bit_operand(struct x86_emulate_ctxt *ctxt)
1422 {
1423 long sv = 0, mask;
1424
1425 if (ctxt->dst.type == OP_MEM && ctxt->src.type == OP_REG) {
1426 mask = ~((long)ctxt->dst.bytes * 8 - 1);
1427
1428 if (ctxt->src.bytes == 2)
1429 sv = (s16)ctxt->src.val & (s16)mask;
1430 else if (ctxt->src.bytes == 4)
1431 sv = (s32)ctxt->src.val & (s32)mask;
1432 else
1433 sv = (s64)ctxt->src.val & (s64)mask;
1434
1435 ctxt->dst.addr.mem.ea = address_mask(ctxt,
1436 ctxt->dst.addr.mem.ea + (sv >> 3));
1437 }
1438
1439 /* only subword offset */
1440 ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
1441 }
1442
1443 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1444 unsigned long addr, void *dest, unsigned size)
1445 {
1446 int rc;
1447 struct read_cache *mc = &ctxt->mem_read;
1448
1449 if (mc->pos < mc->end)
1450 goto read_cached;
1451
1452 WARN_ON((mc->end + size) >= sizeof(mc->data));
1453
1454 rc = ctxt->ops->read_emulated(ctxt, addr, mc->data + mc->end, size,
1455 &ctxt->exception);
1456 if (rc != X86EMUL_CONTINUE)
1457 return rc;
1458
1459 mc->end += size;
1460
1461 read_cached:
1462 memcpy(dest, mc->data + mc->pos, size);
1463 mc->pos += size;
1464 return X86EMUL_CONTINUE;
1465 }
1466
1467 static int segmented_read(struct x86_emulate_ctxt *ctxt,
1468 struct segmented_address addr,
1469 void *data,
1470 unsigned size)
1471 {
1472 int rc;
1473 ulong linear;
1474
1475 rc = linearize(ctxt, addr, size, false, &linear);
1476 if (rc != X86EMUL_CONTINUE)
1477 return rc;
1478 return read_emulated(ctxt, linear, data, size);
1479 }
1480
1481 static int segmented_write(struct x86_emulate_ctxt *ctxt,
1482 struct segmented_address addr,
1483 const void *data,
1484 unsigned size)
1485 {
1486 int rc;
1487 ulong linear;
1488
1489 rc = linearize(ctxt, addr, size, true, &linear);
1490 if (rc != X86EMUL_CONTINUE)
1491 return rc;
1492 return ctxt->ops->write_emulated(ctxt, linear, data, size,
1493 &ctxt->exception);
1494 }
1495
1496 static int segmented_cmpxchg(struct x86_emulate_ctxt *ctxt,
1497 struct segmented_address addr,
1498 const void *orig_data, const void *data,
1499 unsigned size)
1500 {
1501 int rc;
1502 ulong linear;
1503
1504 rc = linearize(ctxt, addr, size, true, &linear);
1505 if (rc != X86EMUL_CONTINUE)
1506 return rc;
1507 return ctxt->ops->cmpxchg_emulated(ctxt, linear, orig_data, data,
1508 size, &ctxt->exception);
1509 }
1510
1511 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1512 unsigned int size, unsigned short port,
1513 void *dest)
1514 {
1515 struct read_cache *rc = &ctxt->io_read;
1516
1517 if (rc->pos == rc->end) { /* refill pio read ahead */
1518 unsigned int in_page, n;
1519 unsigned int count = ctxt->rep_prefix ?
1520 address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) : 1;
1521 in_page = (ctxt->eflags & X86_EFLAGS_DF) ?
1522 offset_in_page(reg_read(ctxt, VCPU_REGS_RDI)) :
1523 PAGE_SIZE - offset_in_page(reg_read(ctxt, VCPU_REGS_RDI));
1524 n = min3(in_page, (unsigned int)sizeof(rc->data) / size, count);
1525 if (n == 0)
1526 n = 1;
1527 rc->pos = rc->end = 0;
1528 if (!ctxt->ops->pio_in_emulated(ctxt, size, port, rc->data, n))
1529 return 0;
1530 rc->end = n * size;
1531 }
1532
1533 if (ctxt->rep_prefix && (ctxt->d & String) &&
1534 !(ctxt->eflags & X86_EFLAGS_DF)) {
1535 ctxt->dst.data = rc->data + rc->pos;
1536 ctxt->dst.type = OP_MEM_STR;
1537 ctxt->dst.count = (rc->end - rc->pos) / size;
1538 rc->pos = rc->end;
1539 } else {
1540 memcpy(dest, rc->data + rc->pos, size);
1541 rc->pos += size;
1542 }
1543 return 1;
1544 }
1545
1546 static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt,
1547 u16 index, struct desc_struct *desc)
1548 {
1549 struct desc_ptr dt;
1550 ulong addr;
1551
1552 ctxt->ops->get_idt(ctxt, &dt);
1553
1554 if (dt.size < index * 8 + 7)
1555 return emulate_gp(ctxt, index << 3 | 0x2);
1556
1557 addr = dt.address + index * 8;
1558 return linear_read_system(ctxt, addr, desc, sizeof(*desc));
1559 }
1560
1561 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1562 u16 selector, struct desc_ptr *dt)
1563 {
1564 const struct x86_emulate_ops *ops = ctxt->ops;
1565 u32 base3 = 0;
1566
1567 if (selector & 1 << 2) {
1568 struct desc_struct desc;
1569 u16 sel;
1570
1571 memset(dt, 0, sizeof(*dt));
1572 if (!ops->get_segment(ctxt, &sel, &desc, &base3,
1573 VCPU_SREG_LDTR))
1574 return;
1575
1576 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1577 dt->address = get_desc_base(&desc) | ((u64)base3 << 32);
1578 } else
1579 ops->get_gdt(ctxt, dt);
1580 }
1581
1582 static int get_descriptor_ptr(struct x86_emulate_ctxt *ctxt,
1583 u16 selector, ulong *desc_addr_p)
1584 {
1585 struct desc_ptr dt;
1586 u16 index = selector >> 3;
1587 ulong addr;
1588
1589 get_descriptor_table_ptr(ctxt, selector, &dt);
1590
1591 if (dt.size < index * 8 + 7)
1592 return emulate_gp(ctxt, selector & 0xfffc);
1593
1594 addr = dt.address + index * 8;
1595
1596 #ifdef CONFIG_X86_64
1597 if (addr >> 32 != 0) {
1598 u64 efer = 0;
1599
1600 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1601 if (!(efer & EFER_LMA))
1602 addr &= (u32)-1;
1603 }
1604 #endif
1605
1606 *desc_addr_p = addr;
1607 return X86EMUL_CONTINUE;
1608 }
1609
1610 /* allowed just for 8 bytes segments */
1611 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1612 u16 selector, struct desc_struct *desc,
1613 ulong *desc_addr_p)
1614 {
1615 int rc;
1616
1617 rc = get_descriptor_ptr(ctxt, selector, desc_addr_p);
1618 if (rc != X86EMUL_CONTINUE)
1619 return rc;
1620
1621 return linear_read_system(ctxt, *desc_addr_p, desc, sizeof(*desc));
1622 }
1623
1624 /* allowed just for 8 bytes segments */
1625 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1626 u16 selector, struct desc_struct *desc)
1627 {
1628 int rc;
1629 ulong addr;
1630
1631 rc = get_descriptor_ptr(ctxt, selector, &addr);
1632 if (rc != X86EMUL_CONTINUE)
1633 return rc;
1634
1635 return linear_write_system(ctxt, addr, desc, sizeof(*desc));
1636 }
1637
1638 static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1639 u16 selector, int seg, u8 cpl,
1640 enum x86_transfer_type transfer,
1641 struct desc_struct *desc)
1642 {
1643 struct desc_struct seg_desc, old_desc;
1644 u8 dpl, rpl;
1645 unsigned err_vec = GP_VECTOR;
1646 u32 err_code = 0;
1647 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1648 ulong desc_addr;
1649 int ret;
1650 u16 dummy;
1651 u32 base3 = 0;
1652
1653 memset(&seg_desc, 0, sizeof(seg_desc));
1654
1655 if (ctxt->mode == X86EMUL_MODE_REAL) {
1656 /* set real mode segment descriptor (keep limit etc. for
1657 * unreal mode) */
1658 ctxt->ops->get_segment(ctxt, &dummy, &seg_desc, NULL, seg);
1659 set_desc_base(&seg_desc, selector << 4);
1660 goto load;
1661 } else if (seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86) {
1662 /* VM86 needs a clean new segment descriptor */
1663 set_desc_base(&seg_desc, selector << 4);
1664 set_desc_limit(&seg_desc, 0xffff);
1665 seg_desc.type = 3;
1666 seg_desc.p = 1;
1667 seg_desc.s = 1;
1668 seg_desc.dpl = 3;
1669 goto load;
1670 }
1671
1672 rpl = selector & 3;
1673
1674 /* TR should be in GDT only */
1675 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1676 goto exception;
1677
1678 /* NULL selector is not valid for TR, CS and (except for long mode) SS */
1679 if (null_selector) {
1680 if (seg == VCPU_SREG_CS || seg == VCPU_SREG_TR)
1681 goto exception;
1682
1683 if (seg == VCPU_SREG_SS) {
1684 if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)
1685 goto exception;
1686
1687 /*
1688 * ctxt->ops->set_segment expects the CPL to be in
1689 * SS.DPL, so fake an expand-up 32-bit data segment.
1690 */
1691 seg_desc.type = 3;
1692 seg_desc.p = 1;
1693 seg_desc.s = 1;
1694 seg_desc.dpl = cpl;
1695 seg_desc.d = 1;
1696 seg_desc.g = 1;
1697 }
1698
1699 /* Skip all following checks */
1700 goto load;
1701 }
1702
1703 ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr);
1704 if (ret != X86EMUL_CONTINUE)
1705 return ret;
1706
1707 err_code = selector & 0xfffc;
1708 err_vec = (transfer == X86_TRANSFER_TASK_SWITCH) ? TS_VECTOR :
1709 GP_VECTOR;
1710
1711 /* can't load system descriptor into segment selector */
1712 if (seg <= VCPU_SREG_GS && !seg_desc.s) {
1713 if (transfer == X86_TRANSFER_CALL_JMP)
1714 return X86EMUL_UNHANDLEABLE;
1715 goto exception;
1716 }
1717
1718 if (!seg_desc.p) {
1719 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1720 goto exception;
1721 }
1722
1723 dpl = seg_desc.dpl;
1724
1725 switch (seg) {
1726 case VCPU_SREG_SS:
1727 /*
1728 * segment is not a writable data segment or segment
1729 * selector's RPL != CPL or segment selector's RPL != CPL
1730 */
1731 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1732 goto exception;
1733 break;
1734 case VCPU_SREG_CS:
1735 if (!(seg_desc.type & 8))
1736 goto exception;
1737
1738 if (seg_desc.type & 4) {
1739 /* conforming */
1740 if (dpl > cpl)
1741 goto exception;
1742 } else {
1743 /* nonconforming */
1744 if (rpl > cpl || dpl != cpl)
1745 goto exception;
1746 }
1747 /* in long-mode d/b must be clear if l is set */
1748 if (seg_desc.d && seg_desc.l) {
1749 u64 efer = 0;
1750
1751 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1752 if (efer & EFER_LMA)
1753 goto exception;
1754 }
1755
1756 /* CS(RPL) <- CPL */
1757 selector = (selector & 0xfffc) | cpl;
1758 break;
1759 case VCPU_SREG_TR:
1760 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1761 goto exception;
1762 old_desc = seg_desc;
1763 seg_desc.type |= 2; /* busy */
1764 ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
1765 sizeof(seg_desc), &ctxt->exception);
1766 if (ret != X86EMUL_CONTINUE)
1767 return ret;
1768 break;
1769 case VCPU_SREG_LDTR:
1770 if (seg_desc.s || seg_desc.type != 2)
1771 goto exception;
1772 break;
1773 default: /* DS, ES, FS, or GS */
1774 /*
1775 * segment is not a data or readable code segment or
1776 * ((segment is a data or nonconforming code segment)
1777 * and (both RPL and CPL > DPL))
1778 */
1779 if ((seg_desc.type & 0xa) == 0x8 ||
1780 (((seg_desc.type & 0xc) != 0xc) &&
1781 (rpl > dpl && cpl > dpl)))
1782 goto exception;
1783 break;
1784 }
1785
1786 if (seg_desc.s) {
1787 /* mark segment as accessed */
1788 if (!(seg_desc.type & 1)) {
1789 seg_desc.type |= 1;
1790 ret = write_segment_descriptor(ctxt, selector,
1791 &seg_desc);
1792 if (ret != X86EMUL_CONTINUE)
1793 return ret;
1794 }
1795 } else if (ctxt->mode == X86EMUL_MODE_PROT64) {
1796 ret = linear_read_system(ctxt, desc_addr+8, &base3, sizeof(base3));
1797 if (ret != X86EMUL_CONTINUE)
1798 return ret;
1799 if (emul_is_noncanonical_address(get_desc_base(&seg_desc) |
1800 ((u64)base3 << 32), ctxt))
1801 return emulate_gp(ctxt, 0);
1802 }
1803 load:
1804 ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg);
1805 if (desc)
1806 *desc = seg_desc;
1807 return X86EMUL_CONTINUE;
1808 exception:
1809 return emulate_exception(ctxt, err_vec, err_code, true);
1810 }
1811
1812 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1813 u16 selector, int seg)
1814 {
1815 u8 cpl = ctxt->ops->cpl(ctxt);
1816
1817 /*
1818 * None of MOV, POP and LSS can load a NULL selector in CPL=3, but
1819 * they can load it at CPL<3 (Intel's manual says only LSS can,
1820 * but it's wrong).
1821 *
1822 * However, the Intel manual says that putting IST=1/DPL=3 in
1823 * an interrupt gate will result in SS=3 (the AMD manual instead
1824 * says it doesn't), so allow SS=3 in __load_segment_descriptor
1825 * and only forbid it here.
1826 */
1827 if (seg == VCPU_SREG_SS && selector == 3 &&
1828 ctxt->mode == X86EMUL_MODE_PROT64)
1829 return emulate_exception(ctxt, GP_VECTOR, 0, true);
1830
1831 return __load_segment_descriptor(ctxt, selector, seg, cpl,
1832 X86_TRANSFER_NONE, NULL);
1833 }
1834
1835 static void write_register_operand(struct operand *op)
1836 {
1837 return assign_register(op->addr.reg, op->val, op->bytes);
1838 }
1839
1840 static int writeback(struct x86_emulate_ctxt *ctxt, struct operand *op)
1841 {
1842 switch (op->type) {
1843 case OP_REG:
1844 write_register_operand(op);
1845 break;
1846 case OP_MEM:
1847 if (ctxt->lock_prefix)
1848 return segmented_cmpxchg(ctxt,
1849 op->addr.mem,
1850 &op->orig_val,
1851 &op->val,
1852 op->bytes);
1853 else
1854 return segmented_write(ctxt,
1855 op->addr.mem,
1856 &op->val,
1857 op->bytes);
1858 break;
1859 case OP_MEM_STR:
1860 return segmented_write(ctxt,
1861 op->addr.mem,
1862 op->data,
1863 op->bytes * op->count);
1864 break;
1865 case OP_XMM:
1866 write_sse_reg(&op->vec_val, op->addr.xmm);
1867 break;
1868 case OP_MM:
1869 write_mmx_reg(&op->mm_val, op->addr.mm);
1870 break;
1871 case OP_NONE:
1872 /* no writeback */
1873 break;
1874 default:
1875 break;
1876 }
1877 return X86EMUL_CONTINUE;
1878 }
1879
1880 static int push(struct x86_emulate_ctxt *ctxt, void *data, int bytes)
1881 {
1882 struct segmented_address addr;
1883
1884 rsp_increment(ctxt, -bytes);
1885 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1886 addr.seg = VCPU_SREG_SS;
1887
1888 return segmented_write(ctxt, addr, data, bytes);
1889 }
1890
1891 static int em_push(struct x86_emulate_ctxt *ctxt)
1892 {
1893 /* Disable writeback. */
1894 ctxt->dst.type = OP_NONE;
1895 return push(ctxt, &ctxt->src.val, ctxt->op_bytes);
1896 }
1897
1898 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1899 void *dest, int len)
1900 {
1901 int rc;
1902 struct segmented_address addr;
1903
1904 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1905 addr.seg = VCPU_SREG_SS;
1906 rc = segmented_read(ctxt, addr, dest, len);
1907 if (rc != X86EMUL_CONTINUE)
1908 return rc;
1909
1910 rsp_increment(ctxt, len);
1911 return rc;
1912 }
1913
1914 static int em_pop(struct x86_emulate_ctxt *ctxt)
1915 {
1916 return emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1917 }
1918
1919 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1920 void *dest, int len)
1921 {
1922 int rc;
1923 unsigned long val, change_mask;
1924 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> X86_EFLAGS_IOPL_BIT;
1925 int cpl = ctxt->ops->cpl(ctxt);
1926
1927 rc = emulate_pop(ctxt, &val, len);
1928 if (rc != X86EMUL_CONTINUE)
1929 return rc;
1930
1931 change_mask = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
1932 X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_OF |
1933 X86_EFLAGS_TF | X86_EFLAGS_DF | X86_EFLAGS_NT |
1934 X86_EFLAGS_AC | X86_EFLAGS_ID;
1935
1936 switch(ctxt->mode) {
1937 case X86EMUL_MODE_PROT64:
1938 case X86EMUL_MODE_PROT32:
1939 case X86EMUL_MODE_PROT16:
1940 if (cpl == 0)
1941 change_mask |= X86_EFLAGS_IOPL;
1942 if (cpl <= iopl)
1943 change_mask |= X86_EFLAGS_IF;
1944 break;
1945 case X86EMUL_MODE_VM86:
1946 if (iopl < 3)
1947 return emulate_gp(ctxt, 0);
1948 change_mask |= X86_EFLAGS_IF;
1949 break;
1950 default: /* real mode */
1951 change_mask |= (X86_EFLAGS_IOPL | X86_EFLAGS_IF);
1952 break;
1953 }
1954
1955 *(unsigned long *)dest =
1956 (ctxt->eflags & ~change_mask) | (val & change_mask);
1957
1958 return rc;
1959 }
1960
1961 static int em_popf(struct x86_emulate_ctxt *ctxt)
1962 {
1963 ctxt->dst.type = OP_REG;
1964 ctxt->dst.addr.reg = &ctxt->eflags;
1965 ctxt->dst.bytes = ctxt->op_bytes;
1966 return emulate_popf(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1967 }
1968
1969 static int em_enter(struct x86_emulate_ctxt *ctxt)
1970 {
1971 int rc;
1972 unsigned frame_size = ctxt->src.val;
1973 unsigned nesting_level = ctxt->src2.val & 31;
1974 ulong rbp;
1975
1976 if (nesting_level)
1977 return X86EMUL_UNHANDLEABLE;
1978
1979 rbp = reg_read(ctxt, VCPU_REGS_RBP);
1980 rc = push(ctxt, &rbp, stack_size(ctxt));
1981 if (rc != X86EMUL_CONTINUE)
1982 return rc;
1983 assign_masked(reg_rmw(ctxt, VCPU_REGS_RBP), reg_read(ctxt, VCPU_REGS_RSP),
1984 stack_mask(ctxt));
1985 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP),
1986 reg_read(ctxt, VCPU_REGS_RSP) - frame_size,
1987 stack_mask(ctxt));
1988 return X86EMUL_CONTINUE;
1989 }
1990
1991 static int em_leave(struct x86_emulate_ctxt *ctxt)
1992 {
1993 assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP), reg_read(ctxt, VCPU_REGS_RBP),
1994 stack_mask(ctxt));
1995 return emulate_pop(ctxt, reg_rmw(ctxt, VCPU_REGS_RBP), ctxt->op_bytes);
1996 }
1997
1998 static int em_push_sreg(struct x86_emulate_ctxt *ctxt)
1999 {
2000 int seg = ctxt->src2.val;
2001
2002 ctxt->src.val = get_segment_selector(ctxt, seg);
2003 if (ctxt->op_bytes == 4) {
2004 rsp_increment(ctxt, -2);
2005 ctxt->op_bytes = 2;
2006 }
2007
2008 return em_push(ctxt);
2009 }
2010
2011 static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
2012 {
2013 int seg = ctxt->src2.val;
2014 unsigned long selector;
2015 int rc;
2016
2017 rc = emulate_pop(ctxt, &selector, 2);
2018 if (rc != X86EMUL_CONTINUE)
2019 return rc;
2020
2021 if (ctxt->modrm_reg == VCPU_SREG_SS)
2022 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
2023 if (ctxt->op_bytes > 2)
2024 rsp_increment(ctxt, ctxt->op_bytes - 2);
2025
2026 rc = load_segment_descriptor(ctxt, (u16)selector, seg);
2027 return rc;
2028 }
2029
2030 static int em_pusha(struct x86_emulate_ctxt *ctxt)
2031 {
2032 unsigned long old_esp = reg_read(ctxt, VCPU_REGS_RSP);
2033 int rc = X86EMUL_CONTINUE;
2034 int reg = VCPU_REGS_RAX;
2035
2036 while (reg <= VCPU_REGS_RDI) {
2037 (reg == VCPU_REGS_RSP) ?
2038 (ctxt->src.val = old_esp) : (ctxt->src.val = reg_read(ctxt, reg));
2039
2040 rc = em_push(ctxt);
2041 if (rc != X86EMUL_CONTINUE)
2042 return rc;
2043
2044 ++reg;
2045 }
2046
2047 return rc;
2048 }
2049
2050 static int em_pushf(struct x86_emulate_ctxt *ctxt)
2051 {
2052 ctxt->src.val = (unsigned long)ctxt->eflags & ~X86_EFLAGS_VM;
2053 return em_push(ctxt);
2054 }
2055
2056 static int em_popa(struct x86_emulate_ctxt *ctxt)
2057 {
2058 int rc = X86EMUL_CONTINUE;
2059 int reg = VCPU_REGS_RDI;
2060 u32 val;
2061
2062 while (reg >= VCPU_REGS_RAX) {
2063 if (reg == VCPU_REGS_RSP) {
2064 rsp_increment(ctxt, ctxt->op_bytes);
2065 --reg;
2066 }
2067
2068 rc = emulate_pop(ctxt, &val, ctxt->op_bytes);
2069 if (rc != X86EMUL_CONTINUE)
2070 break;
2071 assign_register(reg_rmw(ctxt, reg), val, ctxt->op_bytes);
2072 --reg;
2073 }
2074 return rc;
2075 }
2076
2077 static int __emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
2078 {
2079 const struct x86_emulate_ops *ops = ctxt->ops;
2080 int rc;
2081 struct desc_ptr dt;
2082 gva_t cs_addr;
2083 gva_t eip_addr;
2084 u16 cs, eip;
2085
2086 /* TODO: Add limit checks */
2087 ctxt->src.val = ctxt->eflags;
2088 rc = em_push(ctxt);
2089 if (rc != X86EMUL_CONTINUE)
2090 return rc;
2091
2092 ctxt->eflags &= ~(X86_EFLAGS_IF | X86_EFLAGS_TF | X86_EFLAGS_AC);
2093
2094 ctxt->src.val = get_segment_selector(ctxt, VCPU_SREG_CS);
2095 rc = em_push(ctxt);
2096 if (rc != X86EMUL_CONTINUE)
2097 return rc;
2098
2099 ctxt->src.val = ctxt->_eip;
2100 rc = em_push(ctxt);
2101 if (rc != X86EMUL_CONTINUE)
2102 return rc;
2103
2104 ops->get_idt(ctxt, &dt);
2105
2106 eip_addr = dt.address + (irq << 2);
2107 cs_addr = dt.address + (irq << 2) + 2;
2108
2109 rc = linear_read_system(ctxt, cs_addr, &cs, 2);
2110 if (rc != X86EMUL_CONTINUE)
2111 return rc;
2112
2113 rc = linear_read_system(ctxt, eip_addr, &eip, 2);
2114 if (rc != X86EMUL_CONTINUE)
2115 return rc;
2116
2117 rc = load_segment_descriptor(ctxt, cs, VCPU_SREG_CS);
2118 if (rc != X86EMUL_CONTINUE)
2119 return rc;
2120
2121 ctxt->_eip = eip;
2122
2123 return rc;
2124 }
2125
2126 int emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
2127 {
2128 int rc;
2129
2130 invalidate_registers(ctxt);
2131 rc = __emulate_int_real(ctxt, irq);
2132 if (rc == X86EMUL_CONTINUE)
2133 writeback_registers(ctxt);
2134 return rc;
2135 }
2136
2137 static int emulate_int(struct x86_emulate_ctxt *ctxt, int irq)
2138 {
2139 switch(ctxt->mode) {
2140 case X86EMUL_MODE_REAL:
2141 return __emulate_int_real(ctxt, irq);
2142 case X86EMUL_MODE_VM86:
2143 case X86EMUL_MODE_PROT16:
2144 case X86EMUL_MODE_PROT32:
2145 case X86EMUL_MODE_PROT64:
2146 default:
2147 /* Protected mode interrupts unimplemented yet */
2148 return X86EMUL_UNHANDLEABLE;
2149 }
2150 }
2151
2152 static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
2153 {
2154 int rc = X86EMUL_CONTINUE;
2155 unsigned long temp_eip = 0;
2156 unsigned long temp_eflags = 0;
2157 unsigned long cs = 0;
2158 unsigned long mask = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
2159 X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_TF |
2160 X86_EFLAGS_IF | X86_EFLAGS_DF | X86_EFLAGS_OF |
2161 X86_EFLAGS_IOPL | X86_EFLAGS_NT | X86_EFLAGS_RF |
2162 X86_EFLAGS_AC | X86_EFLAGS_ID |
2163 X86_EFLAGS_FIXED;
2164 unsigned long vm86_mask = X86_EFLAGS_VM | X86_EFLAGS_VIF |
2165 X86_EFLAGS_VIP;
2166
2167 /* TODO: Add stack limit check */
2168
2169 rc = emulate_pop(ctxt, &temp_eip, ctxt->op_bytes);
2170
2171 if (rc != X86EMUL_CONTINUE)
2172 return rc;
2173
2174 if (temp_eip & ~0xffff)
2175 return emulate_gp(ctxt, 0);
2176
2177 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2178
2179 if (rc != X86EMUL_CONTINUE)
2180 return rc;
2181
2182 rc = emulate_pop(ctxt, &temp_eflags, ctxt->op_bytes);
2183
2184 if (rc != X86EMUL_CONTINUE)
2185 return rc;
2186
2187 rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
2188
2189 if (rc != X86EMUL_CONTINUE)
2190 return rc;
2191
2192 ctxt->_eip = temp_eip;
2193
2194 if (ctxt->op_bytes == 4)
2195 ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
2196 else if (ctxt->op_bytes == 2) {
2197 ctxt->eflags &= ~0xffff;
2198 ctxt->eflags |= temp_eflags;
2199 }
2200
2201 ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
2202 ctxt->eflags |= X86_EFLAGS_FIXED;
2203 ctxt->ops->set_nmi_mask(ctxt, false);
2204
2205 return rc;
2206 }
2207
2208 static int em_iret(struct x86_emulate_ctxt *ctxt)
2209 {
2210 switch(ctxt->mode) {
2211 case X86EMUL_MODE_REAL:
2212 return emulate_iret_real(ctxt);
2213 case X86EMUL_MODE_VM86:
2214 case X86EMUL_MODE_PROT16:
2215 case X86EMUL_MODE_PROT32:
2216 case X86EMUL_MODE_PROT64:
2217 default:
2218 /* iret from protected mode unimplemented yet */
2219 return X86EMUL_UNHANDLEABLE;
2220 }
2221 }
2222
2223 static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
2224 {
2225 int rc;
2226 unsigned short sel;
2227 struct desc_struct new_desc;
2228 u8 cpl = ctxt->ops->cpl(ctxt);
2229
2230 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2231
2232 rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
2233 X86_TRANSFER_CALL_JMP,
2234 &new_desc);
2235 if (rc != X86EMUL_CONTINUE)
2236 return rc;
2237
2238 rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
2239 /* Error handling is not implemented. */
2240 if (rc != X86EMUL_CONTINUE)
2241 return X86EMUL_UNHANDLEABLE;
2242
2243 return rc;
2244 }
2245
2246 static int em_jmp_abs(struct x86_emulate_ctxt *ctxt)
2247 {
2248 return assign_eip_near(ctxt, ctxt->src.val);
2249 }
2250
2251 static int em_call_near_abs(struct x86_emulate_ctxt *ctxt)
2252 {
2253 int rc;
2254 long int old_eip;
2255
2256 old_eip = ctxt->_eip;
2257 rc = assign_eip_near(ctxt, ctxt->src.val);
2258 if (rc != X86EMUL_CONTINUE)
2259 return rc;
2260 ctxt->src.val = old_eip;
2261 rc = em_push(ctxt);
2262 return rc;
2263 }
2264
2265 static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
2266 {
2267 u64 old = ctxt->dst.orig_val64;
2268
2269 if (ctxt->dst.bytes == 16)
2270 return X86EMUL_UNHANDLEABLE;
2271
2272 if (((u32) (old >> 0) != (u32) reg_read(ctxt, VCPU_REGS_RAX)) ||
2273 ((u32) (old >> 32) != (u32) reg_read(ctxt, VCPU_REGS_RDX))) {
2274 *reg_write(ctxt, VCPU_REGS_RAX) = (u32) (old >> 0);
2275 *reg_write(ctxt, VCPU_REGS_RDX) = (u32) (old >> 32);
2276 ctxt->eflags &= ~X86_EFLAGS_ZF;
2277 } else {
2278 ctxt->dst.val64 = ((u64)reg_read(ctxt, VCPU_REGS_RCX) << 32) |
2279 (u32) reg_read(ctxt, VCPU_REGS_RBX);
2280
2281 ctxt->eflags |= X86_EFLAGS_ZF;
2282 }
2283 return X86EMUL_CONTINUE;
2284 }
2285
2286 static int em_ret(struct x86_emulate_ctxt *ctxt)
2287 {
2288 int rc;
2289 unsigned long eip;
2290
2291 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
2292 if (rc != X86EMUL_CONTINUE)
2293 return rc;
2294
2295 return assign_eip_near(ctxt, eip);
2296 }
2297
2298 static int em_ret_far(struct x86_emulate_ctxt *ctxt)
2299 {
2300 int rc;
2301 unsigned long eip, cs;
2302 int cpl = ctxt->ops->cpl(ctxt);
2303 struct desc_struct new_desc;
2304
2305 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
2306 if (rc != X86EMUL_CONTINUE)
2307 return rc;
2308 rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2309 if (rc != X86EMUL_CONTINUE)
2310 return rc;
2311 /* Outer-privilege level return is not implemented */
2312 if (ctxt->mode >= X86EMUL_MODE_PROT16 && (cs & 3) > cpl)
2313 return X86EMUL_UNHANDLEABLE;
2314 rc = __load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, cpl,
2315 X86_TRANSFER_RET,
2316 &new_desc);
2317 if (rc != X86EMUL_CONTINUE)
2318 return rc;
2319 rc = assign_eip_far(ctxt, eip, &new_desc);
2320 /* Error handling is not implemented. */
2321 if (rc != X86EMUL_CONTINUE)
2322 return X86EMUL_UNHANDLEABLE;
2323
2324 return rc;
2325 }
2326
2327 static int em_ret_far_imm(struct x86_emulate_ctxt *ctxt)
2328 {
2329 int rc;
2330
2331 rc = em_ret_far(ctxt);
2332 if (rc != X86EMUL_CONTINUE)
2333 return rc;
2334 rsp_increment(ctxt, ctxt->src.val);
2335 return X86EMUL_CONTINUE;
2336 }
2337
2338 static int em_cmpxchg(struct x86_emulate_ctxt *ctxt)
2339 {
2340 /* Save real source value, then compare EAX against destination. */
2341 ctxt->dst.orig_val = ctxt->dst.val;
2342 ctxt->dst.val = reg_read(ctxt, VCPU_REGS_RAX);
2343 ctxt->src.orig_val = ctxt->src.val;
2344 ctxt->src.val = ctxt->dst.orig_val;
2345 fastop(ctxt, em_cmp);
2346
2347 if (ctxt->eflags & X86_EFLAGS_ZF) {
2348 /* Success: write back to memory; no update of EAX */
2349 ctxt->src.type = OP_NONE;
2350 ctxt->dst.val = ctxt->src.orig_val;
2351 } else {
2352 /* Failure: write the value we saw to EAX. */
2353 ctxt->src.type = OP_REG;
2354 ctxt->src.addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
2355 ctxt->src.val = ctxt->dst.orig_val;
2356 /* Create write-cycle to dest by writing the same value */
2357 ctxt->dst.val = ctxt->dst.orig_val;
2358 }
2359 return X86EMUL_CONTINUE;
2360 }
2361
2362 static int em_lseg(struct x86_emulate_ctxt *ctxt)
2363 {
2364 int seg = ctxt->src2.val;
2365 unsigned short sel;
2366 int rc;
2367
2368 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2369
2370 rc = load_segment_descriptor(ctxt, sel, seg);
2371 if (rc != X86EMUL_CONTINUE)
2372 return rc;
2373
2374 ctxt->dst.val = ctxt->src.val;
2375 return rc;
2376 }
2377
2378 static int emulator_has_longmode(struct x86_emulate_ctxt *ctxt)
2379 {
2380 #ifdef CONFIG_X86_64
2381 return ctxt->ops->guest_has_long_mode(ctxt);
2382 #else
2383 return false;
2384 #endif
2385 }
2386
2387 static void rsm_set_desc_flags(struct desc_struct *desc, u32 flags)
2388 {
2389 desc->g = (flags >> 23) & 1;
2390 desc->d = (flags >> 22) & 1;
2391 desc->l = (flags >> 21) & 1;
2392 desc->avl = (flags >> 20) & 1;
2393 desc->p = (flags >> 15) & 1;
2394 desc->dpl = (flags >> 13) & 3;
2395 desc->s = (flags >> 12) & 1;
2396 desc->type = (flags >> 8) & 15;
2397 }
2398
2399 static int rsm_load_seg_32(struct x86_emulate_ctxt *ctxt, const char *smstate,
2400 int n)
2401 {
2402 struct desc_struct desc;
2403 int offset;
2404 u16 selector;
2405
2406 selector = GET_SMSTATE(u32, smstate, 0x7fa8 + n * 4);
2407
2408 if (n < 3)
2409 offset = 0x7f84 + n * 12;
2410 else
2411 offset = 0x7f2c + (n - 3) * 12;
2412
2413 set_desc_base(&desc, GET_SMSTATE(u32, smstate, offset + 8));
2414 set_desc_limit(&desc, GET_SMSTATE(u32, smstate, offset + 4));
2415 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smstate, offset));
2416 ctxt->ops->set_segment(ctxt, selector, &desc, 0, n);
2417 return X86EMUL_CONTINUE;
2418 }
2419
2420 #ifdef CONFIG_X86_64
2421 static int rsm_load_seg_64(struct x86_emulate_ctxt *ctxt, const char *smstate,
2422 int n)
2423 {
2424 struct desc_struct desc;
2425 int offset;
2426 u16 selector;
2427 u32 base3;
2428
2429 offset = 0x7e00 + n * 16;
2430
2431 selector = GET_SMSTATE(u16, smstate, offset);
2432 rsm_set_desc_flags(&desc, GET_SMSTATE(u16, smstate, offset + 2) << 8);
2433 set_desc_limit(&desc, GET_SMSTATE(u32, smstate, offset + 4));
2434 set_desc_base(&desc, GET_SMSTATE(u32, smstate, offset + 8));
2435 base3 = GET_SMSTATE(u32, smstate, offset + 12);
2436
2437 ctxt->ops->set_segment(ctxt, selector, &desc, base3, n);
2438 return X86EMUL_CONTINUE;
2439 }
2440 #endif
2441
2442 static int rsm_enter_protected_mode(struct x86_emulate_ctxt *ctxt,
2443 u64 cr0, u64 cr3, u64 cr4)
2444 {
2445 int bad;
2446 u64 pcid;
2447
2448 /* In order to later set CR4.PCIDE, CR3[11:0] must be zero. */
2449 pcid = 0;
2450 if (cr4 & X86_CR4_PCIDE) {
2451 pcid = cr3 & 0xfff;
2452 cr3 &= ~0xfff;
2453 }
2454
2455 bad = ctxt->ops->set_cr(ctxt, 3, cr3);
2456 if (bad)
2457 return X86EMUL_UNHANDLEABLE;
2458
2459 /*
2460 * First enable PAE, long mode needs it before CR0.PG = 1 is set.
2461 * Then enable protected mode. However, PCID cannot be enabled
2462 * if EFER.LMA=0, so set it separately.
2463 */
2464 bad = ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE);
2465 if (bad)
2466 return X86EMUL_UNHANDLEABLE;
2467
2468 bad = ctxt->ops->set_cr(ctxt, 0, cr0);
2469 if (bad)
2470 return X86EMUL_UNHANDLEABLE;
2471
2472 if (cr4 & X86_CR4_PCIDE) {
2473 bad = ctxt->ops->set_cr(ctxt, 4, cr4);
2474 if (bad)
2475 return X86EMUL_UNHANDLEABLE;
2476 if (pcid) {
2477 bad = ctxt->ops->set_cr(ctxt, 3, cr3 | pcid);
2478 if (bad)
2479 return X86EMUL_UNHANDLEABLE;
2480 }
2481
2482 }
2483
2484 return X86EMUL_CONTINUE;
2485 }
2486
2487 static int rsm_load_state_32(struct x86_emulate_ctxt *ctxt,
2488 const char *smstate)
2489 {
2490 struct desc_struct desc;
2491 struct desc_ptr dt;
2492 u16 selector;
2493 u32 val, cr0, cr3, cr4;
2494 int i;
2495
2496 cr0 = GET_SMSTATE(u32, smstate, 0x7ffc);
2497 cr3 = GET_SMSTATE(u32, smstate, 0x7ff8);
2498 ctxt->eflags = GET_SMSTATE(u32, smstate, 0x7ff4) | X86_EFLAGS_FIXED;
2499 ctxt->_eip = GET_SMSTATE(u32, smstate, 0x7ff0);
2500
2501 for (i = 0; i < 8; i++)
2502 *reg_write(ctxt, i) = GET_SMSTATE(u32, smstate, 0x7fd0 + i * 4);
2503
2504 val = GET_SMSTATE(u32, smstate, 0x7fcc);
2505 ctxt->ops->set_dr(ctxt, 6, (val & DR6_VOLATILE) | DR6_FIXED_1);
2506 val = GET_SMSTATE(u32, smstate, 0x7fc8);
2507 ctxt->ops->set_dr(ctxt, 7, (val & DR7_VOLATILE) | DR7_FIXED_1);
2508
2509 selector = GET_SMSTATE(u32, smstate, 0x7fc4);
2510 set_desc_base(&desc, GET_SMSTATE(u32, smstate, 0x7f64));
2511 set_desc_limit(&desc, GET_SMSTATE(u32, smstate, 0x7f60));
2512 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smstate, 0x7f5c));
2513 ctxt->ops->set_segment(ctxt, selector, &desc, 0, VCPU_SREG_TR);
2514
2515 selector = GET_SMSTATE(u32, smstate, 0x7fc0);
2516 set_desc_base(&desc, GET_SMSTATE(u32, smstate, 0x7f80));
2517 set_desc_limit(&desc, GET_SMSTATE(u32, smstate, 0x7f7c));
2518 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smstate, 0x7f78));
2519 ctxt->ops->set_segment(ctxt, selector, &desc, 0, VCPU_SREG_LDTR);
2520
2521 dt.address = GET_SMSTATE(u32, smstate, 0x7f74);
2522 dt.size = GET_SMSTATE(u32, smstate, 0x7f70);
2523 ctxt->ops->set_gdt(ctxt, &dt);
2524
2525 dt.address = GET_SMSTATE(u32, smstate, 0x7f58);
2526 dt.size = GET_SMSTATE(u32, smstate, 0x7f54);
2527 ctxt->ops->set_idt(ctxt, &dt);
2528
2529 for (i = 0; i < 6; i++) {
2530 int r = rsm_load_seg_32(ctxt, smstate, i);
2531 if (r != X86EMUL_CONTINUE)
2532 return r;
2533 }
2534
2535 cr4 = GET_SMSTATE(u32, smstate, 0x7f14);
2536
2537 ctxt->ops->set_smbase(ctxt, GET_SMSTATE(u32, smstate, 0x7ef8));
2538
2539 return rsm_enter_protected_mode(ctxt, cr0, cr3, cr4);
2540 }
2541
2542 #ifdef CONFIG_X86_64
2543 static int rsm_load_state_64(struct x86_emulate_ctxt *ctxt,
2544 const char *smstate)
2545 {
2546 struct desc_struct desc;
2547 struct desc_ptr dt;
2548 u64 val, cr0, cr3, cr4;
2549 u32 base3;
2550 u16 selector;
2551 int i, r;
2552
2553 for (i = 0; i < 16; i++)
2554 *reg_write(ctxt, i) = GET_SMSTATE(u64, smstate, 0x7ff8 - i * 8);
2555
2556 ctxt->_eip = GET_SMSTATE(u64, smstate, 0x7f78);
2557 ctxt->eflags = GET_SMSTATE(u32, smstate, 0x7f70) | X86_EFLAGS_FIXED;
2558
2559 val = GET_SMSTATE(u32, smstate, 0x7f68);
2560 ctxt->ops->set_dr(ctxt, 6, (val & DR6_VOLATILE) | DR6_FIXED_1);
2561 val = GET_SMSTATE(u32, smstate, 0x7f60);
2562 ctxt->ops->set_dr(ctxt, 7, (val & DR7_VOLATILE) | DR7_FIXED_1);
2563
2564 cr0 = GET_SMSTATE(u64, smstate, 0x7f58);
2565 cr3 = GET_SMSTATE(u64, smstate, 0x7f50);
2566 cr4 = GET_SMSTATE(u64, smstate, 0x7f48);
2567 ctxt->ops->set_smbase(ctxt, GET_SMSTATE(u32, smstate, 0x7f00));
2568 val = GET_SMSTATE(u64, smstate, 0x7ed0);
2569 ctxt->ops->set_msr(ctxt, MSR_EFER, val & ~EFER_LMA);
2570
2571 selector = GET_SMSTATE(u32, smstate, 0x7e90);
2572 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smstate, 0x7e92) << 8);
2573 set_desc_limit(&desc, GET_SMSTATE(u32, smstate, 0x7e94));
2574 set_desc_base(&desc, GET_SMSTATE(u32, smstate, 0x7e98));
2575 base3 = GET_SMSTATE(u32, smstate, 0x7e9c);
2576 ctxt->ops->set_segment(ctxt, selector, &desc, base3, VCPU_SREG_TR);
2577
2578 dt.size = GET_SMSTATE(u32, smstate, 0x7e84);
2579 dt.address = GET_SMSTATE(u64, smstate, 0x7e88);
2580 ctxt->ops->set_idt(ctxt, &dt);
2581
2582 selector = GET_SMSTATE(u32, smstate, 0x7e70);
2583 rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smstate, 0x7e72) << 8);
2584 set_desc_limit(&desc, GET_SMSTATE(u32, smstate, 0x7e74));
2585 set_desc_base(&desc, GET_SMSTATE(u32, smstate, 0x7e78));
2586 base3 = GET_SMSTATE(u32, smstate, 0x7e7c);
2587 ctxt->ops->set_segment(ctxt, selector, &desc, base3, VCPU_SREG_LDTR);
2588
2589 dt.size = GET_SMSTATE(u32, smstate, 0x7e64);
2590 dt.address = GET_SMSTATE(u64, smstate, 0x7e68);
2591 ctxt->ops->set_gdt(ctxt, &dt);
2592
2593 r = rsm_enter_protected_mode(ctxt, cr0, cr3, cr4);
2594 if (r != X86EMUL_CONTINUE)
2595 return r;
2596
2597 for (i = 0; i < 6; i++) {
2598 r = rsm_load_seg_64(ctxt, smstate, i);
2599 if (r != X86EMUL_CONTINUE)
2600 return r;
2601 }
2602
2603 return X86EMUL_CONTINUE;
2604 }
2605 #endif
2606
2607 static int em_rsm(struct x86_emulate_ctxt *ctxt)
2608 {
2609 unsigned long cr0, cr4, efer;
2610 char buf[512];
2611 u64 smbase;
2612 int ret;
2613
2614 if ((ctxt->ops->get_hflags(ctxt) & X86EMUL_SMM_MASK) == 0)
2615 return emulate_ud(ctxt);
2616
2617 smbase = ctxt->ops->get_smbase(ctxt);
2618
2619 ret = ctxt->ops->read_phys(ctxt, smbase + 0xfe00, buf, sizeof(buf));
2620 if (ret != X86EMUL_CONTINUE)
2621 return X86EMUL_UNHANDLEABLE;
2622
2623 if ((ctxt->ops->get_hflags(ctxt) & X86EMUL_SMM_INSIDE_NMI_MASK) == 0)
2624 ctxt->ops->set_nmi_mask(ctxt, false);
2625
2626 ctxt->ops->set_hflags(ctxt, ctxt->ops->get_hflags(ctxt) &
2627 ~(X86EMUL_SMM_INSIDE_NMI_MASK | X86EMUL_SMM_MASK));
2628
2629 /*
2630 * Get back to real mode, to prepare a safe state in which to load
2631 * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU
2632 * supports long mode.
2633 */
2634 if (emulator_has_longmode(ctxt)) {
2635 struct desc_struct cs_desc;
2636
2637 /* Zero CR4.PCIDE before CR0.PG. */
2638 cr4 = ctxt->ops->get_cr(ctxt, 4);
2639 if (cr4 & X86_CR4_PCIDE)
2640 ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE);
2641
2642 /* A 32-bit code segment is required to clear EFER.LMA. */
2643 memset(&cs_desc, 0, sizeof(cs_desc));
2644 cs_desc.type = 0xb;
2645 cs_desc.s = cs_desc.g = cs_desc.p = 1;
2646 ctxt->ops->set_segment(ctxt, 0, &cs_desc, 0, VCPU_SREG_CS);
2647 }
2648
2649 /* For the 64-bit case, this will clear EFER.LMA. */
2650 cr0 = ctxt->ops->get_cr(ctxt, 0);
2651 if (cr0 & X86_CR0_PE)
2652 ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE));
2653
2654 if (emulator_has_longmode(ctxt)) {
2655 /* Clear CR4.PAE before clearing EFER.LME. */
2656 cr4 = ctxt->ops->get_cr(ctxt, 4);
2657 if (cr4 & X86_CR4_PAE)
2658 ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE);
2659
2660 /* And finally go back to 32-bit mode. */
2661 efer = 0;
2662 ctxt->ops->set_msr(ctxt, MSR_EFER, efer);
2663 }
2664
2665 /*
2666 * Give pre_leave_smm() a chance to make ISA-specific changes to the
2667 * vCPU state (e.g. enter guest mode) before loading state from the SMM
2668 * state-save area.
2669 */
2670 if (ctxt->ops->pre_leave_smm(ctxt, buf))
2671 return X86EMUL_UNHANDLEABLE;
2672
2673 #ifdef CONFIG_X86_64
2674 if (emulator_has_longmode(ctxt))
2675 ret = rsm_load_state_64(ctxt, buf);
2676 else
2677 #endif
2678 ret = rsm_load_state_32(ctxt, buf);
2679
2680 if (ret != X86EMUL_CONTINUE) {
2681 /* FIXME: should triple fault */
2682 return X86EMUL_UNHANDLEABLE;
2683 }
2684
2685 ctxt->ops->post_leave_smm(ctxt);
2686
2687 return X86EMUL_CONTINUE;
2688 }
2689
2690 static void
2691 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
2692 struct desc_struct *cs, struct desc_struct *ss)
2693 {
2694 cs->l = 0; /* will be adjusted later */
2695 set_desc_base(cs, 0); /* flat segment */
2696 cs->g = 1; /* 4kb granularity */
2697 set_desc_limit(cs, 0xfffff); /* 4GB limit */
2698 cs->type = 0x0b; /* Read, Execute, Accessed */
2699 cs->s = 1;
2700 cs->dpl = 0; /* will be adjusted later */
2701 cs->p = 1;
2702 cs->d = 1;
2703 cs->avl = 0;
2704
2705 set_desc_base(ss, 0); /* flat segment */
2706 set_desc_limit(ss, 0xfffff); /* 4GB limit */
2707 ss->g = 1; /* 4kb granularity */
2708 ss->s = 1;
2709 ss->type = 0x03; /* Read/Write, Accessed */
2710 ss->d = 1; /* 32bit stack segment */
2711 ss->dpl = 0;
2712 ss->p = 1;
2713 ss->l = 0;
2714 ss->avl = 0;
2715 }
2716
2717 static bool vendor_intel(struct x86_emulate_ctxt *ctxt)
2718 {
2719 u32 eax, ebx, ecx, edx;
2720
2721 eax = ecx = 0;
2722 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, false);
2723 return ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx
2724 && ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx
2725 && edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx;
2726 }
2727
2728 static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt)
2729 {
2730 const struct x86_emulate_ops *ops = ctxt->ops;
2731 u32 eax, ebx, ecx, edx;
2732
2733 /*
2734 * syscall should always be enabled in longmode - so only become
2735 * vendor specific (cpuid) if other modes are active...
2736 */
2737 if (ctxt->mode == X86EMUL_MODE_PROT64)
2738 return true;
2739
2740 eax = 0x00000000;
2741 ecx = 0x00000000;
2742 ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, false);
2743 /*
2744 * Intel ("GenuineIntel")
2745 * remark: Intel CPUs only support "syscall" in 64bit
2746 * longmode. Also an 64bit guest with a
2747 * 32bit compat-app running will #UD !! While this
2748 * behaviour can be fixed (by emulating) into AMD
2749 * response - CPUs of AMD can't behave like Intel.
2750 */
2751 if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
2752 ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
2753 edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
2754 return false;
2755
2756 /* AMD ("AuthenticAMD") */
2757 if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
2758 ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
2759 edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
2760 return true;
2761
2762 /* AMD ("AMDisbetter!") */
2763 if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
2764 ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
2765 edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
2766 return true;
2767
2768 /* Hygon ("HygonGenuine") */
2769 if (ebx == X86EMUL_CPUID_VENDOR_HygonGenuine_ebx &&
2770 ecx == X86EMUL_CPUID_VENDOR_HygonGenuine_ecx &&
2771 edx == X86EMUL_CPUID_VENDOR_HygonGenuine_edx)
2772 return true;
2773
2774 /*
2775 * default: (not Intel, not AMD, not Hygon), apply Intel's
2776 * stricter rules...
2777 */
2778 return false;
2779 }
2780
2781 static int em_syscall(struct x86_emulate_ctxt *ctxt)
2782 {
2783 const struct x86_emulate_ops *ops = ctxt->ops;
2784 struct desc_struct cs, ss;
2785 u64 msr_data;
2786 u16 cs_sel, ss_sel;
2787 u64 efer = 0;
2788
2789 /* syscall is not available in real mode */
2790 if (ctxt->mode == X86EMUL_MODE_REAL ||
2791 ctxt->mode == X86EMUL_MODE_VM86)
2792 return emulate_ud(ctxt);
2793
2794 if (!(em_syscall_is_enabled(ctxt)))
2795 return emulate_ud(ctxt);
2796
2797 ops->get_msr(ctxt, MSR_EFER, &efer);
2798 if (!(efer & EFER_SCE))
2799 return emulate_ud(ctxt);
2800
2801 setup_syscalls_segments(ctxt, &cs, &ss);
2802 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2803 msr_data >>= 32;
2804 cs_sel = (u16)(msr_data & 0xfffc);
2805 ss_sel = (u16)(msr_data + 8);
2806
2807 if (efer & EFER_LMA) {
2808 cs.d = 0;
2809 cs.l = 1;
2810 }
2811 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2812 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2813
2814 *reg_write(ctxt, VCPU_REGS_RCX) = ctxt->_eip;
2815 if (efer & EFER_LMA) {
2816 #ifdef CONFIG_X86_64
2817 *reg_write(ctxt, VCPU_REGS_R11) = ctxt->eflags;
2818
2819 ops->get_msr(ctxt,
2820 ctxt->mode == X86EMUL_MODE_PROT64 ?
2821 MSR_LSTAR : MSR_CSTAR, &msr_data);
2822 ctxt->_eip = msr_data;
2823
2824 ops->get_msr(ctxt, MSR_SYSCALL_MASK, &msr_data);
2825 ctxt->eflags &= ~msr_data;
2826 ctxt->eflags |= X86_EFLAGS_FIXED;
2827 #endif
2828 } else {
2829 /* legacy mode */
2830 ops->get_msr(ctxt, MSR_STAR, &msr_data);
2831 ctxt->_eip = (u32)msr_data;
2832
2833 ctxt->eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
2834 }
2835
2836 ctxt->tf = (ctxt->eflags & X86_EFLAGS_TF) != 0;
2837 return X86EMUL_CONTINUE;
2838 }
2839
2840 static int em_sysenter(struct x86_emulate_ctxt *ctxt)
2841 {
2842 const struct x86_emulate_ops *ops = ctxt->ops;
2843 struct desc_struct cs, ss;
2844 u64 msr_data;
2845 u16 cs_sel, ss_sel;
2846 u64 efer = 0;
2847
2848 ops->get_msr(ctxt, MSR_EFER, &efer);
2849 /* inject #GP if in real mode */
2850 if (ctxt->mode == X86EMUL_MODE_REAL)
2851 return emulate_gp(ctxt, 0);
2852
2853 /*
2854 * Not recognized on AMD in compat mode (but is recognized in legacy
2855 * mode).
2856 */
2857 if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
2858 && !vendor_intel(ctxt))
2859 return emulate_ud(ctxt);
2860
2861 /* sysenter/sysexit have not been tested in 64bit mode. */
2862 if (ctxt->mode == X86EMUL_MODE_PROT64)
2863 return X86EMUL_UNHANDLEABLE;
2864
2865 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2866 if ((msr_data & 0xfffc) == 0x0)
2867 return emulate_gp(ctxt, 0);
2868
2869 setup_syscalls_segments(ctxt, &cs, &ss);
2870 ctxt->eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
2871 cs_sel = (u16)msr_data & ~SEGMENT_RPL_MASK;
2872 ss_sel = cs_sel + 8;
2873 if (efer & EFER_LMA) {
2874 cs.d = 0;
2875 cs.l = 1;
2876 }
2877
2878 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2879 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2880
2881 ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
2882 ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
2883
2884 ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
2885 *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
2886 (u32)msr_data;
2887
2888 return X86EMUL_CONTINUE;
2889 }
2890
2891 static int em_sysexit(struct x86_emulate_ctxt *ctxt)
2892 {
2893 const struct x86_emulate_ops *ops = ctxt->ops;
2894 struct desc_struct cs, ss;
2895 u64 msr_data, rcx, rdx;
2896 int usermode;
2897 u16 cs_sel = 0, ss_sel = 0;
2898
2899 /* inject #GP if in real mode or Virtual 8086 mode */
2900 if (ctxt->mode == X86EMUL_MODE_REAL ||
2901 ctxt->mode == X86EMUL_MODE_VM86)
2902 return emulate_gp(ctxt, 0);
2903
2904 setup_syscalls_segments(ctxt, &cs, &ss);
2905
2906 if ((ctxt->rex_prefix & 0x8) != 0x0)
2907 usermode = X86EMUL_MODE_PROT64;
2908 else
2909 usermode = X86EMUL_MODE_PROT32;
2910
2911 rcx = reg_read(ctxt, VCPU_REGS_RCX);
2912 rdx = reg_read(ctxt, VCPU_REGS_RDX);
2913
2914 cs.dpl = 3;
2915 ss.dpl = 3;
2916 ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2917 switch (usermode) {
2918 case X86EMUL_MODE_PROT32:
2919 cs_sel = (u16)(msr_data + 16);
2920 if ((msr_data & 0xfffc) == 0x0)
2921 return emulate_gp(ctxt, 0);
2922 ss_sel = (u16)(msr_data + 24);
2923 rcx = (u32)rcx;
2924 rdx = (u32)rdx;
2925 break;
2926 case X86EMUL_MODE_PROT64:
2927 cs_sel = (u16)(msr_data + 32);
2928 if (msr_data == 0x0)
2929 return emulate_gp(ctxt, 0);
2930 ss_sel = cs_sel + 8;
2931 cs.d = 0;
2932 cs.l = 1;
2933 if (emul_is_noncanonical_address(rcx, ctxt) ||
2934 emul_is_noncanonical_address(rdx, ctxt))
2935 return emulate_gp(ctxt, 0);
2936 break;
2937 }
2938 cs_sel |= SEGMENT_RPL_MASK;
2939 ss_sel |= SEGMENT_RPL_MASK;
2940
2941 ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2942 ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2943
2944 ctxt->_eip = rdx;
2945 *reg_write(ctxt, VCPU_REGS_RSP) = rcx;
2946
2947 return X86EMUL_CONTINUE;
2948 }
2949
2950 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt)
2951 {
2952 int iopl;
2953 if (ctxt->mode == X86EMUL_MODE_REAL)
2954 return false;
2955 if (ctxt->mode == X86EMUL_MODE_VM86)
2956 return true;
2957 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> X86_EFLAGS_IOPL_BIT;
2958 return ctxt->ops->cpl(ctxt) > iopl;
2959 }
2960
2961 #define VMWARE_PORT_VMPORT (0x5658)
2962 #define VMWARE_PORT_VMRPC (0x5659)
2963
2964 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2965 u16 port, u16 len)
2966 {
2967 const struct x86_emulate_ops *ops = ctxt->ops;
2968 struct desc_struct tr_seg;
2969 u32 base3;
2970 int r;
2971 u16 tr, io_bitmap_ptr, perm, bit_idx = port & 0x7;
2972 unsigned mask = (1 << len) - 1;
2973 unsigned long base;
2974
2975 /*
2976 * VMware allows access to these ports even if denied
2977 * by TSS I/O permission bitmap. Mimic behavior.
2978 */
2979 if (enable_vmware_backdoor &&
2980 ((port == VMWARE_PORT_VMPORT) || (port == VMWARE_PORT_VMRPC)))
2981 return true;
2982
2983 ops->get_segment(ctxt, &tr, &tr_seg, &base3, VCPU_SREG_TR);
2984 if (!tr_seg.p)
2985 return false;
2986 if (desc_limit_scaled(&tr_seg) < 103)
2987 return false;
2988 base = get_desc_base(&tr_seg);
2989 #ifdef CONFIG_X86_64
2990 base |= ((u64)base3) << 32;
2991 #endif
2992 r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL, true);
2993 if (r != X86EMUL_CONTINUE)
2994 return false;
2995 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2996 return false;
2997 r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL, true);
2998 if (r != X86EMUL_CONTINUE)
2999 return false;
3000 if ((perm >> bit_idx) & mask)
3001 return false;
3002 return true;
3003 }
3004
3005 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
3006 u16 port, u16 len)
3007 {
3008 if (ctxt->perm_ok)
3009 return true;
3010
3011 if (emulator_bad_iopl(ctxt))
3012 if (!emulator_io_port_access_allowed(ctxt, port, len))
3013 return false;
3014
3015 ctxt->perm_ok = true;
3016
3017 return true;
3018 }
3019
3020 static void string_registers_quirk(struct x86_emulate_ctxt *ctxt)
3021 {
3022 /*
3023 * Intel CPUs mask the counter and pointers in quite strange
3024 * manner when ECX is zero due to REP-string optimizations.
3025 */
3026 #ifdef CONFIG_X86_64
3027 if (ctxt->ad_bytes != 4 || !vendor_intel(ctxt))
3028 return;
3029
3030 *reg_write(ctxt, VCPU_REGS_RCX) = 0;
3031
3032 switch (ctxt->b) {
3033 case 0xa4: /* movsb */
3034 case 0xa5: /* movsd/w */
3035 *reg_rmw(ctxt, VCPU_REGS_RSI) &= (u32)-1;
3036 /* fall through */
3037 case 0xaa: /* stosb */
3038 case 0xab: /* stosd/w */
3039 *reg_rmw(ctxt, VCPU_REGS_RDI) &= (u32)-1;
3040 }
3041 #endif
3042 }
3043
3044 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
3045 struct tss_segment_16 *tss)
3046 {
3047 tss->ip = ctxt->_eip;
3048 tss->flag = ctxt->eflags;
3049 tss->ax = reg_read(ctxt, VCPU_REGS_RAX);
3050 tss->cx = reg_read(ctxt, VCPU_REGS_RCX);
3051 tss->dx = reg_read(ctxt, VCPU_REGS_RDX);
3052 tss->bx = reg_read(ctxt, VCPU_REGS_RBX);
3053 tss->sp = reg_read(ctxt, VCPU_REGS_RSP);
3054 tss->bp = reg_read(ctxt, VCPU_REGS_RBP);
3055 tss->si = reg_read(ctxt, VCPU_REGS_RSI);
3056 tss->di = reg_read(ctxt, VCPU_REGS_RDI);
3057
3058 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
3059 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
3060 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
3061 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
3062 tss->ldt = get_segment_selector(ctxt, VCPU_SREG_LDTR);
3063 }
3064
3065 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
3066 struct tss_segment_16 *tss)
3067 {
3068 int ret;
3069 u8 cpl;
3070
3071 ctxt->_eip = tss->ip;
3072 ctxt->eflags = tss->flag | 2;
3073 *reg_write(ctxt, VCPU_REGS_RAX) = tss->ax;
3074 *reg_write(ctxt, VCPU_REGS_RCX) = tss->cx;
3075 *reg_write(ctxt, VCPU_REGS_RDX) = tss->dx;
3076 *reg_write(ctxt, VCPU_REGS_RBX) = tss->bx;
3077 *reg_write(ctxt, VCPU_REGS_RSP) = tss->sp;
3078 *reg_write(ctxt, VCPU_REGS_RBP) = tss->bp;
3079 *reg_write(ctxt, VCPU_REGS_RSI) = tss->si;
3080 *reg_write(ctxt, VCPU_REGS_RDI) = tss->di;
3081
3082 /*
3083 * SDM says that segment selectors are loaded before segment
3084 * descriptors
3085 */
3086 set_segment_selector(ctxt, tss->ldt, VCPU_SREG_LDTR);
3087 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
3088 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
3089 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
3090 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
3091
3092 cpl = tss->cs & 3;
3093
3094 /*
3095 * Now load segment descriptors. If fault happens at this stage
3096 * it is handled in a context of new task
3097 */
3098 ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl,
3099 X86_TRANSFER_TASK_SWITCH, NULL);
3100 if (ret != X86EMUL_CONTINUE)
3101 return ret;
3102 ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
3103 X86_TRANSFER_TASK_SWITCH, NULL);
3104 if (ret != X86EMUL_CONTINUE)
3105 return ret;
3106 ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
3107 X86_TRANSFER_TASK_SWITCH, NULL);
3108 if (ret != X86EMUL_CONTINUE)
3109 return ret;
3110 ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
3111 X86_TRANSFER_TASK_SWITCH, NULL);
3112 if (ret != X86EMUL_CONTINUE)
3113 return ret;
3114 ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
3115 X86_TRANSFER_TASK_SWITCH, NULL);
3116 if (ret != X86EMUL_CONTINUE)
3117 return ret;
3118
3119 return X86EMUL_CONTINUE;
3120 }
3121
3122 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
3123 u16 tss_selector, u16 old_tss_sel,
3124 ulong old_tss_base, struct desc_struct *new_desc)
3125 {
3126 struct tss_segment_16 tss_seg;
3127 int ret;
3128 u32 new_tss_base = get_desc_base(new_desc);
3129
3130 ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof(tss_seg));
3131 if (ret != X86EMUL_CONTINUE)
3132 return ret;
3133
3134 save_state_to_tss16(ctxt, &tss_seg);
3135
3136 ret = linear_write_system(ctxt, old_tss_base, &tss_seg, sizeof(tss_seg));
3137 if (ret != X86EMUL_CONTINUE)
3138 return ret;
3139
3140 ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof(tss_seg));
3141 if (ret != X86EMUL_CONTINUE)
3142 return ret;
3143
3144 if (old_tss_sel != 0xffff) {
3145 tss_seg.prev_task_link = old_tss_sel;
3146
3147 ret = linear_write_system(ctxt, new_tss_base,
3148 &tss_seg.prev_task_link,
3149 sizeof(tss_seg.prev_task_link));
3150 if (ret != X86EMUL_CONTINUE)
3151 return ret;
3152 }
3153
3154 return load_state_from_tss16(ctxt, &tss_seg);
3155 }
3156
3157 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
3158 struct tss_segment_32 *tss)
3159 {
3160 /* CR3 and ldt selector are not saved intentionally */
3161 tss->eip = ctxt->_eip;
3162 tss->eflags = ctxt->eflags;
3163 tss->eax = reg_read(ctxt, VCPU_REGS_RAX);
3164 tss->ecx = reg_read(ctxt, VCPU_REGS_RCX);
3165 tss->edx = reg_read(ctxt, VCPU_REGS_RDX);
3166 tss->ebx = reg_read(ctxt, VCPU_REGS_RBX);
3167 tss->esp = reg_read(ctxt, VCPU_REGS_RSP);
3168 tss->ebp = reg_read(ctxt, VCPU_REGS_RBP);
3169 tss->esi = reg_read(ctxt, VCPU_REGS_RSI);
3170 tss->edi = reg_read(ctxt, VCPU_REGS_RDI);
3171
3172 tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
3173 tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
3174 tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
3175 tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
3176 tss->fs = get_segment_selector(ctxt, VCPU_SREG_FS);
3177 tss->gs = get_segment_selector(ctxt, VCPU_SREG_GS);
3178 }
3179
3180 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
3181 struct tss_segment_32 *tss)
3182 {
3183 int ret;
3184 u8 cpl;
3185
3186 if (ctxt->ops->set_cr(ctxt, 3, tss->cr3))
3187 return emulate_gp(ctxt, 0);
3188 ctxt->_eip = tss->eip;
3189 ctxt->eflags = tss->eflags | 2;
3190
3191 /* General purpose registers */
3192 *reg_write(ctxt, VCPU_REGS_RAX) = tss->eax;
3193 *reg_write(ctxt, VCPU_REGS_RCX) = tss->ecx;
3194 *reg_write(ctxt, VCPU_REGS_RDX) = tss->edx;
3195 *reg_write(ctxt, VCPU_REGS_RBX) = tss->ebx;
3196 *reg_write(ctxt, VCPU_REGS_RSP) = tss->esp;
3197 *reg_write(ctxt, VCPU_REGS_RBP) = tss->ebp;
3198 *reg_write(ctxt, VCPU_REGS_RSI) = tss->esi;
3199 *reg_write(ctxt, VCPU_REGS_RDI) = tss->edi;
3200
3201 /*
3202 * SDM says that segment selectors are loaded before segment
3203 * descriptors. This is important because CPL checks will
3204 * use CS.RPL.
3205 */
3206 set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
3207 set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
3208 set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
3209 set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
3210 set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
3211 set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS);
3212 set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS);
3213
3214 /*
3215 * If we're switching between Protected Mode and VM86, we need to make
3216 * sure to update the mode before loading the segment descriptors so
3217 * that the selectors are interpreted correctly.
3218 */
3219 if (ctxt->eflags & X86_EFLAGS_VM) {
3220 ctxt->mode = X86EMUL_MODE_VM86;
3221 cpl = 3;
3222 } else {
3223 ctxt->mode = X86EMUL_MODE_PROT32;
3224 cpl = tss->cs & 3;
3225 }
3226
3227 /*
3228 * Now load segment descriptors. If fault happenes at this stage
3229 * it is handled in a context of new task
3230 */
3231 ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR,
3232 cpl, X86_TRANSFER_TASK_SWITCH, NULL);
3233 if (ret != X86EMUL_CONTINUE)
3234 return ret;
3235 ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
3236 X86_TRANSFER_TASK_SWITCH, NULL);
3237 if (ret != X86EMUL_CONTINUE)
3238 return ret;
3239 ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
3240 X86_TRANSFER_TASK_SWITCH, NULL);
3241 if (ret != X86EMUL_CONTINUE)
3242 return ret;
3243 ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
3244 X86_TRANSFER_TASK_SWITCH, NULL);
3245 if (ret != X86EMUL_CONTINUE)
3246 return ret;
3247 ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
3248 X86_TRANSFER_TASK_SWITCH, NULL);
3249 if (ret != X86EMUL_CONTINUE)
3250 return ret;
3251 ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl,
3252 X86_TRANSFER_TASK_SWITCH, NULL);
3253 if (ret != X86EMUL_CONTINUE)
3254 return ret;
3255 ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl,
3256 X86_TRANSFER_TASK_SWITCH, NULL);
3257
3258 return ret;
3259 }
3260
3261 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
3262 u16 tss_selector, u16 old_tss_sel,
3263 ulong old_tss_base, struct desc_struct *new_desc)
3264 {
3265 struct tss_segment_32 tss_seg;
3266 int ret;
3267 u32 new_tss_base = get_desc_base(new_desc);
3268 u32 eip_offset = offsetof(struct tss_segment_32, eip);
3269 u32 ldt_sel_offset = offsetof(struct tss_segment_32, ldt_selector);
3270
3271 ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof(tss_seg));
3272 if (ret != X86EMUL_CONTINUE)
3273 return ret;
3274
3275 save_state_to_tss32(ctxt, &tss_seg);
3276
3277 /* Only GP registers and segment selectors are saved */
3278 ret = linear_write_system(ctxt, old_tss_base + eip_offset, &tss_seg.eip,
3279 ldt_sel_offset - eip_offset);
3280 if (ret != X86EMUL_CONTINUE)
3281 return ret;
3282
3283 ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof(tss_seg));
3284 if (ret != X86EMUL_CONTINUE)
3285 return ret;
3286
3287 if (old_tss_sel != 0xffff) {
3288 tss_seg.prev_task_link = old_tss_sel;
3289
3290 ret = linear_write_system(ctxt, new_tss_base,
3291 &tss_seg.prev_task_link,
3292 sizeof(tss_seg.prev_task_link));
3293 if (ret != X86EMUL_CONTINUE)
3294 return ret;
3295 }
3296
3297 return load_state_from_tss32(ctxt, &tss_seg);
3298 }
3299
3300 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
3301 u16 tss_selector, int idt_index, int reason,
3302 bool has_error_code, u32 error_code)
3303 {
3304 const struct x86_emulate_ops *ops = ctxt->ops;
3305 struct desc_struct curr_tss_desc, next_tss_desc;
3306 int ret;
3307 u16 old_tss_sel = get_segment_selector(ctxt, VCPU_SREG_TR);
3308 ulong old_tss_base =
3309 ops->get_cached_segment_base(ctxt, VCPU_SREG_TR);
3310 u32 desc_limit;
3311 ulong desc_addr, dr7;
3312
3313 /* FIXME: old_tss_base == ~0 ? */
3314
3315 ret = read_segment_descriptor(ctxt, tss_selector, &next_tss_desc, &desc_addr);
3316 if (ret != X86EMUL_CONTINUE)
3317 return ret;
3318 ret = read_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc, &desc_addr);
3319 if (ret != X86EMUL_CONTINUE)
3320 return ret;
3321
3322 /* FIXME: check that next_tss_desc is tss */
3323
3324 /*
3325 * Check privileges. The three cases are task switch caused by...
3326 *
3327 * 1. jmp/call/int to task gate: Check against DPL of the task gate
3328 * 2. Exception/IRQ/iret: No check is performed
3329 * 3. jmp/call to TSS/task-gate: No check is performed since the
3330 * hardware checks it before exiting.
3331 */
3332 if (reason == TASK_SWITCH_GATE) {
3333 if (idt_index != -1) {
3334 /* Software interrupts */
3335 struct desc_struct task_gate_desc;
3336 int dpl;
3337
3338 ret = read_interrupt_descriptor(ctxt, idt_index,
3339 &task_gate_desc);
3340 if (ret != X86EMUL_CONTINUE)
3341 return ret;
3342
3343 dpl = task_gate_desc.dpl;
3344 if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
3345 return emulate_gp(ctxt, (idt_index << 3) | 0x2);
3346 }
3347 }
3348
3349 desc_limit = desc_limit_scaled(&next_tss_desc);
3350 if (!next_tss_desc.p ||
3351 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
3352 desc_limit < 0x2b)) {
3353 return emulate_ts(ctxt, tss_selector & 0xfffc);
3354 }
3355
3356 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
3357 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
3358 write_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
3359 }
3360
3361 if (reason == TASK_SWITCH_IRET)
3362 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
3363
3364 /* set back link to prev task only if NT bit is set in eflags
3365 note that old_tss_sel is not used after this point */
3366 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
3367 old_tss_sel = 0xffff;
3368
3369 if (next_tss_desc.type & 8)
3370 ret = task_switch_32(ctxt, tss_selector, old_tss_sel,
3371 old_tss_base, &next_tss_desc);
3372 else
3373 ret = task_switch_16(ctxt, tss_selector, old_tss_sel,
3374 old_tss_base, &next_tss_desc);
3375 if (ret != X86EMUL_CONTINUE)
3376 return ret;
3377
3378 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
3379 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
3380
3381 if (reason != TASK_SWITCH_IRET) {
3382 next_tss_desc.type |= (1 << 1); /* set busy flag */
3383 write_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
3384 }
3385
3386 ops->set_cr(ctxt, 0, ops->get_cr(ctxt, 0) | X86_CR0_TS);
3387 ops->set_segment(ctxt, tss_selector, &next_tss_desc, 0, VCPU_SREG_TR);
3388
3389 if (has_error_code) {
3390 ctxt->op_bytes = ctxt->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
3391 ctxt->lock_prefix = 0;
3392 ctxt->src.val = (unsigned long) error_code;
3393 ret = em_push(ctxt);
3394 }
3395
3396 ops->get_dr(ctxt, 7, &dr7);
3397 ops->set_dr(ctxt, 7, dr7 & ~(DR_LOCAL_ENABLE_MASK | DR_LOCAL_SLOWDOWN));
3398
3399 return ret;
3400 }
3401
3402 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
3403 u16 tss_selector, int idt_index, int reason,
3404 bool has_error_code, u32 error_code)
3405 {
3406 int rc;
3407
3408 invalidate_registers(ctxt);
3409 ctxt->_eip = ctxt->eip;
3410 ctxt->dst.type = OP_NONE;
3411
3412 rc = emulator_do_task_switch(ctxt, tss_selector, idt_index, reason,
3413 has_error_code, error_code);
3414
3415 if (rc == X86EMUL_CONTINUE) {
3416 ctxt->eip = ctxt->_eip;
3417 writeback_registers(ctxt);
3418 }
3419
3420 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
3421 }
3422
3423 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, int reg,
3424 struct operand *op)
3425 {
3426 int df = (ctxt->eflags & X86_EFLAGS_DF) ? -op->count : op->count;
3427
3428 register_address_increment(ctxt, reg, df * op->bytes);
3429 op->addr.mem.ea = register_address(ctxt, reg);
3430 }
3431
3432 static int em_das(struct x86_emulate_ctxt *ctxt)
3433 {
3434 u8 al, old_al;
3435 bool af, cf, old_cf;
3436
3437 cf = ctxt->eflags & X86_EFLAGS_CF;
3438 al = ctxt->dst.val;
3439
3440 old_al = al;
3441 old_cf = cf;
3442 cf = false;
3443 af = ctxt->eflags & X86_EFLAGS_AF;
3444 if ((al & 0x0f) > 9 || af) {
3445 al -= 6;
3446 cf = old_cf | (al >= 250);
3447 af = true;
3448 } else {
3449 af = false;
3450 }
3451 if (old_al > 0x99 || old_cf) {
3452 al -= 0x60;
3453 cf = true;
3454 }
3455
3456 ctxt->dst.val = al;
3457 /* Set PF, ZF, SF */
3458 ctxt->src.type = OP_IMM;
3459 ctxt->src.val = 0;
3460 ctxt->src.bytes = 1;
3461 fastop(ctxt, em_or);
3462 ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
3463 if (cf)
3464 ctxt->eflags |= X86_EFLAGS_CF;
3465 if (af)
3466 ctxt->eflags |= X86_EFLAGS_AF;
3467 return X86EMUL_CONTINUE;
3468 }
3469
3470 static int em_aam(struct x86_emulate_ctxt *ctxt)
3471 {
3472 u8 al, ah;
3473
3474 if (ctxt->src.val == 0)
3475 return emulate_de(ctxt);
3476
3477 al = ctxt->dst.val & 0xff;
3478 ah = al / ctxt->src.val;
3479 al %= ctxt->src.val;
3480
3481 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al | (ah << 8);
3482
3483 /* Set PF, ZF, SF */
3484 ctxt->src.type = OP_IMM;
3485 ctxt->src.val = 0;
3486 ctxt->src.bytes = 1;
3487 fastop(ctxt, em_or);
3488
3489 return X86EMUL_CONTINUE;
3490 }
3491
3492 static int em_aad(struct x86_emulate_ctxt *ctxt)
3493 {
3494 u8 al = ctxt->dst.val & 0xff;
3495 u8 ah = (ctxt->dst.val >> 8) & 0xff;
3496
3497 al = (al + (ah * ctxt->src.val)) & 0xff;
3498
3499 ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al;
3500
3501 /* Set PF, ZF, SF */
3502 ctxt->src.type = OP_IMM;
3503 ctxt->src.val = 0;
3504 ctxt->src.bytes = 1;
3505 fastop(ctxt, em_or);
3506
3507 return X86EMUL_CONTINUE;
3508 }
3509
3510 static int em_call(struct x86_emulate_ctxt *ctxt)
3511 {
3512 int rc;
3513 long rel = ctxt->src.val;
3514
3515 ctxt->src.val = (unsigned long)ctxt->_eip;
3516 rc = jmp_rel(ctxt, rel);
3517 if (rc != X86EMUL_CONTINUE)
3518 return rc;
3519 return em_push(ctxt);
3520 }
3521
3522 static int em_call_far(struct x86_emulate_ctxt *ctxt)
3523 {
3524 u16 sel, old_cs;
3525 ulong old_eip;
3526 int rc;
3527 struct desc_struct old_desc, new_desc;
3528 const struct x86_emulate_ops *ops = ctxt->ops;
3529 int cpl = ctxt->ops->cpl(ctxt);
3530 enum x86emul_mode prev_mode = ctxt->mode;
3531
3532 old_eip = ctxt->_eip;
3533 ops->get_segment(ctxt, &old_cs, &old_desc, NULL, VCPU_SREG_CS);
3534
3535 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
3536 rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
3537 X86_TRANSFER_CALL_JMP, &new_desc);
3538 if (rc != X86EMUL_CONTINUE)
3539 return rc;
3540
3541 rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
3542 if (rc != X86EMUL_CONTINUE)
3543 goto fail;
3544
3545 ctxt->src.val = old_cs;
3546 rc = em_push(ctxt);
3547 if (rc != X86EMUL_CONTINUE)
3548 goto fail;
3549
3550 ctxt->src.val = old_eip;
3551 rc = em_push(ctxt);
3552 /* If we failed, we tainted the memory, but the very least we should
3553 restore cs */
3554 if (rc != X86EMUL_CONTINUE) {
3555 pr_warn_once("faulting far call emulation tainted memory\n");
3556 goto fail;
3557 }
3558 return rc;
3559 fail:
3560 ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
3561 ctxt->mode = prev_mode;
3562 return rc;
3563
3564 }
3565
3566 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
3567 {
3568 int rc;
3569 unsigned long eip;
3570
3571 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
3572 if (rc != X86EMUL_CONTINUE)
3573 return rc;
3574 rc = assign_eip_near(ctxt, eip);
3575 if (rc != X86EMUL_CONTINUE)
3576 return rc;
3577 rsp_increment(ctxt, ctxt->src.val);
3578 return X86EMUL_CONTINUE;
3579 }
3580
3581 static int em_xchg(struct x86_emulate_ctxt *ctxt)
3582 {
3583 /* Write back the register source. */
3584 ctxt->src.val = ctxt->dst.val;
3585 write_register_operand(&ctxt->src);
3586
3587 /* Write back the memory destination with implicit LOCK prefix. */
3588 ctxt->dst.val = ctxt->src.orig_val;
3589 ctxt->lock_prefix = 1;
3590 return X86EMUL_CONTINUE;
3591 }
3592
3593 static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
3594 {
3595 ctxt->dst.val = ctxt->src2.val;
3596 return fastop(ctxt, em_imul);
3597 }
3598
3599 static int em_cwd(struct x86_emulate_ctxt *ctxt)
3600 {
3601 ctxt->dst.type = OP_REG;
3602 ctxt->dst.bytes = ctxt->src.bytes;
3603 ctxt->dst.addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
3604 ctxt->dst.val = ~((ctxt->src.val >> (ctxt->src.bytes * 8 - 1)) - 1);
3605
3606 return X86EMUL_CONTINUE;
3607 }
3608
3609 static int em_rdpid(struct x86_emulate_ctxt *ctxt)
3610 {
3611 u64 tsc_aux = 0;
3612
3613 if (ctxt->ops->get_msr(ctxt, MSR_TSC_AUX, &tsc_aux))
3614 return emulate_gp(ctxt, 0);
3615 ctxt->dst.val = tsc_aux;
3616 return X86EMUL_CONTINUE;
3617 }
3618
3619 static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
3620 {
3621 u64 tsc = 0;
3622
3623 ctxt->ops->get_msr(ctxt, MSR_IA32_TSC, &tsc);
3624 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)tsc;
3625 *reg_write(ctxt, VCPU_REGS_RDX) = tsc >> 32;
3626 return X86EMUL_CONTINUE;
3627 }
3628
3629 static int em_rdpmc(struct x86_emulate_ctxt *ctxt)
3630 {
3631 u64 pmc;
3632
3633 if (ctxt->ops->read_pmc(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &pmc))
3634 return emulate_gp(ctxt, 0);
3635 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)pmc;
3636 *reg_write(ctxt, VCPU_REGS_RDX) = pmc >> 32;
3637 return X86EMUL_CONTINUE;
3638 }
3639
3640 static int em_mov(struct x86_emulate_ctxt *ctxt)
3641 {
3642 memcpy(ctxt->dst.valptr, ctxt->src.valptr, sizeof(ctxt->src.valptr));
3643 return X86EMUL_CONTINUE;
3644 }
3645
3646 static int em_movbe(struct x86_emulate_ctxt *ctxt)
3647 {
3648 u16 tmp;
3649
3650 if (!ctxt->ops->guest_has_movbe(ctxt))
3651 return emulate_ud(ctxt);
3652
3653 switch (ctxt->op_bytes) {
3654 case 2:
3655 /*
3656 * From MOVBE definition: "...When the operand size is 16 bits,
3657 * the upper word of the destination register remains unchanged
3658 * ..."
3659 *
3660 * Both casting ->valptr and ->val to u16 breaks strict aliasing
3661 * rules so we have to do the operation almost per hand.
3662 */
3663 tmp = (u16)ctxt->src.val;
3664 ctxt->dst.val &= ~0xffffUL;
3665 ctxt->dst.val |= (unsigned long)swab16(tmp);
3666 break;
3667 case 4:
3668 ctxt->dst.val = swab32((u32)ctxt->src.val);
3669 break;
3670 case 8:
3671 ctxt->dst.val = swab64(ctxt->src.val);
3672 break;
3673 default:
3674 BUG();
3675 }
3676 return X86EMUL_CONTINUE;
3677 }
3678
3679 static int em_cr_write(struct x86_emulate_ctxt *ctxt)
3680 {
3681 if (ctxt->ops->set_cr(ctxt, ctxt->modrm_reg, ctxt->src.val))
3682 return emulate_gp(ctxt, 0);
3683
3684 /* Disable writeback. */
3685 ctxt->dst.type = OP_NONE;
3686 return X86EMUL_CONTINUE;
3687 }
3688
3689 static int em_dr_write(struct x86_emulate_ctxt *ctxt)
3690 {
3691 unsigned long val;
3692
3693 if (ctxt->mode == X86EMUL_MODE_PROT64)
3694 val = ctxt->src.val & ~0ULL;
3695 else
3696 val = ctxt->src.val & ~0U;
3697
3698 /* #UD condition is already handled. */
3699 if (ctxt->ops->set_dr(ctxt, ctxt->modrm_reg, val) < 0)
3700 return emulate_gp(ctxt, 0);
3701
3702 /* Disable writeback. */
3703 ctxt->dst.type = OP_NONE;
3704 return X86EMUL_CONTINUE;
3705 }
3706
3707 static int em_wrmsr(struct x86_emulate_ctxt *ctxt)
3708 {
3709 u64 msr_data;
3710
3711 msr_data = (u32)reg_read(ctxt, VCPU_REGS_RAX)
3712 | ((u64)reg_read(ctxt, VCPU_REGS_RDX) << 32);
3713 if (ctxt->ops->set_msr(ctxt, reg_read(ctxt, VCPU_REGS_RCX), msr_data))
3714 return emulate_gp(ctxt, 0);
3715
3716 return X86EMUL_CONTINUE;
3717 }
3718
3719 static int em_rdmsr(struct x86_emulate_ctxt *ctxt)
3720 {
3721 u64 msr_data;
3722
3723 if (ctxt->ops->get_msr(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &msr_data))
3724 return emulate_gp(ctxt, 0);
3725
3726 *reg_write(ctxt, VCPU_REGS_RAX) = (u32)msr_data;
3727 *reg_write(ctxt, VCPU_REGS_RDX) = msr_data >> 32;
3728 return X86EMUL_CONTINUE;
3729 }
3730
3731 static int em_store_sreg(struct x86_emulate_ctxt *ctxt, int segment)
3732 {
3733 if (segment > VCPU_SREG_GS &&
3734 (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_UMIP) &&
3735 ctxt->ops->cpl(ctxt) > 0)
3736 return emulate_gp(ctxt, 0);
3737
3738 ctxt->dst.val = get_segment_selector(ctxt, segment);
3739 if (ctxt->dst.bytes == 4 && ctxt->dst.type == OP_MEM)
3740 ctxt->dst.bytes = 2;
3741 return X86EMUL_CONTINUE;
3742 }
3743
3744 static int em_mov_rm_sreg(struct x86_emulate_ctxt *ctxt)
3745 {
3746 if (ctxt->modrm_reg > VCPU_SREG_GS)
3747 return emulate_ud(ctxt);
3748
3749 return em_store_sreg(ctxt, ctxt->modrm_reg);
3750 }
3751
3752 static int em_mov_sreg_rm(struct x86_emulate_ctxt *ctxt)
3753 {
3754 u16 sel = ctxt->src.val;
3755
3756 if (ctxt->modrm_reg == VCPU_SREG_CS || ctxt->modrm_reg > VCPU_SREG_GS)
3757 return emulate_ud(ctxt);
3758
3759 if (ctxt->modrm_reg == VCPU_SREG_SS)
3760 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3761
3762 /* Disable writeback. */
3763 ctxt->dst.type = OP_NONE;
3764 return load_segment_descriptor(ctxt, sel, ctxt->modrm_reg);
3765 }
3766
3767 static int em_sldt(struct x86_emulate_ctxt *ctxt)
3768 {
3769 return em_store_sreg(ctxt, VCPU_SREG_LDTR);
3770 }
3771
3772 static int em_lldt(struct x86_emulate_ctxt *ctxt)
3773 {
3774 u16 sel = ctxt->src.val;
3775
3776 /* Disable writeback. */
3777 ctxt->dst.type = OP_NONE;
3778 return load_segment_descriptor(ctxt, sel, VCPU_SREG_LDTR);
3779 }
3780
3781 static int em_str(struct x86_emulate_ctxt *ctxt)
3782 {
3783 return em_store_sreg(ctxt, VCPU_SREG_TR);
3784 }
3785
3786 static int em_ltr(struct x86_emulate_ctxt *ctxt)
3787 {
3788 u16 sel = ctxt->src.val;
3789
3790 /* Disable writeback. */
3791 ctxt->dst.type = OP_NONE;
3792 return load_segment_descriptor(ctxt, sel, VCPU_SREG_TR);
3793 }
3794
3795 static int em_invlpg(struct x86_emulate_ctxt *ctxt)
3796 {
3797 int rc;
3798 ulong linear;
3799
3800 rc = linearize(ctxt, ctxt->src.addr.mem, 1, false, &linear);
3801 if (rc == X86EMUL_CONTINUE)
3802 ctxt->ops->invlpg(ctxt, linear);
3803 /* Disable writeback. */
3804 ctxt->dst.type = OP_NONE;
3805 return X86EMUL_CONTINUE;
3806 }
3807
3808 static int em_clts(struct x86_emulate_ctxt *ctxt)
3809 {
3810 ulong cr0;
3811
3812 cr0 = ctxt->ops->get_cr(ctxt, 0);
3813 cr0 &= ~X86_CR0_TS;
3814 ctxt->ops->set_cr(ctxt, 0, cr0);
3815 return X86EMUL_CONTINUE;
3816 }
3817
3818 static int em_hypercall(struct x86_emulate_ctxt *ctxt)
3819 {
3820 int rc = ctxt->ops->fix_hypercall(ctxt);
3821
3822 if (rc != X86EMUL_CONTINUE)
3823 return rc;
3824
3825 /* Let the processor re-execute the fixed hypercall */
3826 ctxt->_eip = ctxt->eip;
3827 /* Disable writeback. */
3828 ctxt->dst.type = OP_NONE;
3829 return X86EMUL_CONTINUE;
3830 }
3831
3832 static int emulate_store_desc_ptr(struct x86_emulate_ctxt *ctxt,
3833 void (*get)(struct x86_emulate_ctxt *ctxt,
3834 struct desc_ptr *ptr))
3835 {
3836 struct desc_ptr desc_ptr;
3837
3838 if ((ctxt->ops->get_cr(ctxt, 4) & X86_CR4_UMIP) &&
3839 ctxt->ops->cpl(ctxt) > 0)
3840 return emulate_gp(ctxt, 0);
3841
3842 if (ctxt->mode == X86EMUL_MODE_PROT64)
3843 ctxt->op_bytes = 8;
3844 get(ctxt, &desc_ptr);
3845 if (ctxt->op_bytes == 2) {
3846 ctxt->op_bytes = 4;
3847 desc_ptr.address &= 0x00ffffff;
3848 }
3849 /* Disable writeback. */
3850 ctxt->dst.type = OP_NONE;
3851 return segmented_write_std(ctxt, ctxt->dst.addr.mem,
3852 &desc_ptr, 2 + ctxt->op_bytes);
3853 }
3854
3855 static int em_sgdt(struct x86_emulate_ctxt *ctxt)
3856 {
3857 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_gdt);
3858 }
3859
3860 static int em_sidt(struct x86_emulate_ctxt *ctxt)
3861 {
3862 return emulate_store_desc_ptr(ctxt, ctxt->ops->get_idt);
3863 }
3864
3865 static int em_lgdt_lidt(struct x86_emulate_ctxt *ctxt, bool lgdt)
3866 {
3867 struct desc_ptr desc_ptr;
3868 int rc;
3869
3870 if (ctxt->mode == X86EMUL_MODE_PROT64)
3871 ctxt->op_bytes = 8;
3872 rc = read_descriptor(ctxt, ctxt->src.addr.mem,
3873 &desc_ptr.size, &desc_ptr.address,
3874 ctxt->op_bytes);
3875 if (rc != X86EMUL_CONTINUE)
3876 return rc;
3877 if (ctxt->mode == X86EMUL_MODE_PROT64 &&
3878 emul_is_noncanonical_address(desc_ptr.address, ctxt))
3879 return emulate_gp(ctxt, 0);
3880 if (lgdt)
3881 ctxt->ops->set_gdt(ctxt, &desc_ptr);
3882 else
3883 ctxt->ops->set_idt(ctxt, &desc_ptr);
3884 /* Disable writeback. */
3885 ctxt->dst.type = OP_NONE;
3886 return X86EMUL_CONTINUE;
3887 }
3888
3889 static int em_lgdt(struct x86_emulate_ctxt *ctxt)
3890 {
3891 return em_lgdt_lidt(ctxt, true);
3892 }
3893
3894 static int em_lidt(struct x86_emulate_ctxt *ctxt)
3895 {
3896 return em_lgdt_lidt(ctxt, false);
3897 }
3898
3899 static int em_smsw(struct x86_emulate_ctxt *ctxt)
3900 {
3901 if ((ctxt->ops->get_cr(ctxt, 4) & X86_CR4_UMIP) &&
3902 ctxt->ops->cpl(ctxt) > 0)
3903 return emulate_gp(ctxt, 0);
3904
3905 if (ctxt->dst.type == OP_MEM)
3906 ctxt->dst.bytes = 2;
3907 ctxt->dst.val = ctxt->ops->get_cr(ctxt, 0);
3908 return X86EMUL_CONTINUE;
3909 }
3910
3911 static int em_lmsw(struct x86_emulate_ctxt *ctxt)
3912 {
3913 ctxt->ops->set_cr(ctxt, 0, (ctxt->ops->get_cr(ctxt, 0) & ~0x0eul)
3914 | (ctxt->src.val & 0x0f));
3915 ctxt->dst.type = OP_NONE;
3916 return X86EMUL_CONTINUE;
3917 }
3918
3919 static int em_loop(struct x86_emulate_ctxt *ctxt)
3920 {
3921 int rc = X86EMUL_CONTINUE;
3922
3923 register_address_increment(ctxt, VCPU_REGS_RCX, -1);
3924 if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) &&
3925 (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
3926 rc = jmp_rel(ctxt, ctxt->src.val);
3927
3928 return rc;
3929 }
3930
3931 static int em_jcxz(struct x86_emulate_ctxt *ctxt)
3932 {
3933 int rc = X86EMUL_CONTINUE;
3934
3935 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0)
3936 rc = jmp_rel(ctxt, ctxt->src.val);
3937
3938 return rc;
3939 }
3940
3941 static int em_in(struct x86_emulate_ctxt *ctxt)
3942 {
3943 if (!pio_in_emulated(ctxt, ctxt->dst.bytes, ctxt->src.val,
3944 &ctxt->dst.val))
3945 return X86EMUL_IO_NEEDED;
3946
3947 return X86EMUL_CONTINUE;
3948 }
3949
3950 static int em_out(struct x86_emulate_ctxt *ctxt)
3951 {
3952 ctxt->ops->pio_out_emulated(ctxt, ctxt->src.bytes, ctxt->dst.val,
3953 &ctxt->src.val, 1);
3954 /* Disable writeback. */
3955 ctxt->dst.type = OP_NONE;
3956 return X86EMUL_CONTINUE;
3957 }
3958
3959 static int em_cli(struct x86_emulate_ctxt *ctxt)
3960 {
3961 if (emulator_bad_iopl(ctxt))
3962 return emulate_gp(ctxt, 0);
3963
3964 ctxt->eflags &= ~X86_EFLAGS_IF;
3965 return X86EMUL_CONTINUE;
3966 }
3967
3968 static int em_sti(struct x86_emulate_ctxt *ctxt)
3969 {
3970 if (emulator_bad_iopl(ctxt))
3971 return emulate_gp(ctxt, 0);
3972
3973 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3974 ctxt->eflags |= X86_EFLAGS_IF;
3975 return X86EMUL_CONTINUE;
3976 }
3977
3978 static int em_cpuid(struct x86_emulate_ctxt *ctxt)
3979 {
3980 u32 eax, ebx, ecx, edx;
3981 u64 msr = 0;
3982
3983 ctxt->ops->get_msr(ctxt, MSR_MISC_FEATURES_ENABLES, &msr);
3984 if (msr & MSR_MISC_FEATURES_ENABLES_CPUID_FAULT &&
3985 ctxt->ops->cpl(ctxt)) {
3986 return emulate_gp(ctxt, 0);
3987 }
3988
3989 eax = reg_read(ctxt, VCPU_REGS_RAX);
3990 ecx = reg_read(ctxt, VCPU_REGS_RCX);
3991 ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, true);
3992 *reg_write(ctxt, VCPU_REGS_RAX) = eax;
3993 *reg_write(ctxt, VCPU_REGS_RBX) = ebx;
3994 *reg_write(ctxt, VCPU_REGS_RCX) = ecx;
3995 *reg_write(ctxt, VCPU_REGS_RDX) = edx;
3996 return X86EMUL_CONTINUE;
3997 }
3998
3999 static int em_sahf(struct x86_emulate_ctxt *ctxt)
4000 {
4001 u32 flags;
4002
4003 flags = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF | X86_EFLAGS_ZF |
4004 X86_EFLAGS_SF;
4005 flags &= *reg_rmw(ctxt, VCPU_REGS_RAX) >> 8;
4006
4007 ctxt->eflags &= ~0xffUL;
4008 ctxt->eflags |= flags | X86_EFLAGS_FIXED;
4009 return X86EMUL_CONTINUE;
4010 }
4011
4012 static int em_lahf(struct x86_emulate_ctxt *ctxt)
4013 {
4014 *reg_rmw(ctxt, VCPU_REGS_RAX) &= ~0xff00UL;
4015 *reg_rmw(ctxt, VCPU_REGS_RAX) |= (ctxt->eflags & 0xff) << 8;
4016 return X86EMUL_CONTINUE;
4017 }
4018
4019 static int em_bswap(struct x86_emulate_ctxt *ctxt)
4020 {
4021 switch (ctxt->op_bytes) {
4022 #ifdef CONFIG_X86_64
4023 case 8:
4024 asm("bswap %0" : "+r"(ctxt->dst.val));
4025 break;
4026 #endif
4027 default:
4028 asm("bswap %0" : "+r"(*(u32 *)&ctxt->dst.val));
4029 break;
4030 }
4031 return X86EMUL_CONTINUE;
4032 }
4033
4034 static int em_clflush(struct x86_emulate_ctxt *ctxt)
4035 {
4036 /* emulating clflush regardless of cpuid */
4037 return X86EMUL_CONTINUE;
4038 }
4039
4040 static int em_movsxd(struct x86_emulate_ctxt *ctxt)
4041 {
4042 ctxt->dst.val = (s32) ctxt->src.val;
4043 return X86EMUL_CONTINUE;
4044 }
4045
4046 static int check_fxsr(struct x86_emulate_ctxt *ctxt)
4047 {
4048 if (!ctxt->ops->guest_has_fxsr(ctxt))
4049 return emulate_ud(ctxt);
4050
4051 if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
4052 return emulate_nm(ctxt);
4053
4054 /*
4055 * Don't emulate a case that should never be hit, instead of working
4056 * around a lack of fxsave64/fxrstor64 on old compilers.
4057 */
4058 if (ctxt->mode >= X86EMUL_MODE_PROT64)
4059 return X86EMUL_UNHANDLEABLE;
4060
4061 return X86EMUL_CONTINUE;
4062 }
4063
4064 /*
4065 * Hardware doesn't save and restore XMM 0-7 without CR4.OSFXSR, but does save
4066 * and restore MXCSR.
4067 */
4068 static size_t __fxstate_size(int nregs)
4069 {
4070 return offsetof(struct fxregs_state, xmm_space[0]) + nregs * 16;
4071 }
4072
4073 static inline size_t fxstate_size(struct x86_emulate_ctxt *ctxt)
4074 {
4075 bool cr4_osfxsr;
4076 if (ctxt->mode == X86EMUL_MODE_PROT64)
4077 return __fxstate_size(16);
4078
4079 cr4_osfxsr = ctxt->ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR;
4080 return __fxstate_size(cr4_osfxsr ? 8 : 0);
4081 }
4082
4083 /*
4084 * FXSAVE and FXRSTOR have 4 different formats depending on execution mode,
4085 * 1) 16 bit mode
4086 * 2) 32 bit mode
4087 * - like (1), but FIP and FDP (foo) are only 16 bit. At least Intel CPUs
4088 * preserve whole 32 bit values, though, so (1) and (2) are the same wrt.
4089 * save and restore
4090 * 3) 64-bit mode with REX.W prefix
4091 * - like (2), but XMM 8-15 are being saved and restored
4092 * 4) 64-bit mode without REX.W prefix
4093 * - like (3), but FIP and FDP are 64 bit
4094 *
4095 * Emulation uses (3) for (1) and (2) and preserves XMM 8-15 to reach the
4096 * desired result. (4) is not emulated.
4097 *
4098 * Note: Guest and host CPUID.(EAX=07H,ECX=0H):EBX[bit 13] (deprecate FPU CS
4099 * and FPU DS) should match.
4100 */
4101 static int em_fxsave(struct x86_emulate_ctxt *ctxt)
4102 {
4103 struct fxregs_state fx_state;
4104 int rc;
4105
4106 rc = check_fxsr(ctxt);
4107 if (rc != X86EMUL_CONTINUE)
4108 return rc;
4109
4110 emulator_get_fpu();
4111
4112 rc = asm_safe("fxsave %[fx]", , [fx] "+m"(fx_state));
4113
4114 emulator_put_fpu();
4115
4116 if (rc != X86EMUL_CONTINUE)
4117 return rc;
4118
4119 return segmented_write_std(ctxt, ctxt->memop.addr.mem, &fx_state,
4120 fxstate_size(ctxt));
4121 }
4122
4123 /*
4124 * FXRSTOR might restore XMM registers not provided by the guest. Fill
4125 * in the host registers (via FXSAVE) instead, so they won't be modified.
4126 * (preemption has to stay disabled until FXRSTOR).
4127 *
4128 * Use noinline to keep the stack for other functions called by callers small.
4129 */
4130 static noinline int fxregs_fixup(struct fxregs_state *fx_state,
4131 const size_t used_size)
4132 {
4133 struct fxregs_state fx_tmp;
4134 int rc;
4135
4136 rc = asm_safe("fxsave %[fx]", , [fx] "+m"(fx_tmp));
4137 memcpy((void *)fx_state + used_size, (void *)&fx_tmp + used_size,
4138 __fxstate_size(16) - used_size);
4139
4140 return rc;
4141 }
4142
4143 static int em_fxrstor(struct x86_emulate_ctxt *ctxt)
4144 {
4145 struct fxregs_state fx_state;
4146 int rc;
4147 size_t size;
4148
4149 rc = check_fxsr(ctxt);
4150 if (rc != X86EMUL_CONTINUE)
4151 return rc;
4152
4153 size = fxstate_size(ctxt);
4154 rc = segmented_read_std(ctxt, ctxt->memop.addr.mem, &fx_state, size);
4155 if (rc != X86EMUL_CONTINUE)
4156 return rc;
4157
4158 emulator_get_fpu();
4159
4160 if (size < __fxstate_size(16)) {
4161 rc = fxregs_fixup(&fx_state, size);
4162 if (rc != X86EMUL_CONTINUE)
4163 goto out;
4164 }
4165
4166 if (fx_state.mxcsr >> 16) {
4167 rc = emulate_gp(ctxt, 0);
4168 goto out;
4169 }
4170
4171 if (rc == X86EMUL_CONTINUE)
4172 rc = asm_safe("fxrstor %[fx]", : [fx] "m"(fx_state));
4173
4174 out:
4175 emulator_put_fpu();
4176
4177 return rc;
4178 }
4179
4180 static int em_xsetbv(struct x86_emulate_ctxt *ctxt)
4181 {
4182 u32 eax, ecx, edx;
4183
4184 eax = reg_read(ctxt, VCPU_REGS_RAX);
4185 edx = reg_read(ctxt, VCPU_REGS_RDX);
4186 ecx = reg_read(ctxt, VCPU_REGS_RCX);
4187
4188 if (ctxt->ops->set_xcr(ctxt, ecx, ((u64)edx << 32) | eax))
4189 return emulate_gp(ctxt, 0);
4190
4191 return X86EMUL_CONTINUE;
4192 }
4193
4194 static bool valid_cr(int nr)
4195 {
4196 switch (nr) {
4197 case 0:
4198 case 2 ... 4:
4199 case 8:
4200 return true;
4201 default:
4202 return false;
4203 }
4204 }
4205
4206 static int check_cr_read(struct x86_emulate_ctxt *ctxt)
4207 {
4208 if (!valid_cr(ctxt->modrm_reg))
4209 return emulate_ud(ctxt);
4210
4211 return X86EMUL_CONTINUE;
4212 }
4213
4214 static int check_cr_write(struct x86_emulate_ctxt *ctxt)
4215 {
4216 u64 new_val = ctxt->src.val64;
4217 int cr = ctxt->modrm_reg;
4218 u64 efer = 0;
4219
4220 static u64 cr_reserved_bits[] = {
4221 0xffffffff00000000ULL,
4222 0, 0, 0, /* CR3 checked later */
4223 CR4_RESERVED_BITS,
4224 0, 0, 0,
4225 CR8_RESERVED_BITS,
4226 };
4227
4228 if (!valid_cr(cr))
4229 return emulate_ud(ctxt);
4230
4231 if (new_val & cr_reserved_bits[cr])
4232 return emulate_gp(ctxt, 0);
4233
4234 switch (cr) {
4235 case 0: {
4236 u64 cr4;
4237 if (((new_val & X86_CR0_PG) && !(new_val & X86_CR0_PE)) ||
4238 ((new_val & X86_CR0_NW) && !(new_val & X86_CR0_CD)))
4239 return emulate_gp(ctxt, 0);
4240
4241 cr4 = ctxt->ops->get_cr(ctxt, 4);
4242 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
4243
4244 if ((new_val & X86_CR0_PG) && (efer & EFER_LME) &&
4245 !(cr4 & X86_CR4_PAE))
4246 return emulate_gp(ctxt, 0);
4247
4248 break;
4249 }
4250 case 3: {
4251 u64 rsvd = 0;
4252
4253 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
4254 if (efer & EFER_LMA) {
4255 u64 maxphyaddr;
4256 u32 eax, ebx, ecx, edx;
4257
4258 eax = 0x80000008;
4259 ecx = 0;
4260 if (ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx,
4261 &edx, false))
4262 maxphyaddr = eax & 0xff;
4263 else
4264 maxphyaddr = 36;
4265 rsvd = rsvd_bits(maxphyaddr, 63);
4266 if (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_PCIDE)
4267 rsvd &= ~X86_CR3_PCID_NOFLUSH;
4268 }
4269
4270 if (new_val & rsvd)
4271 return emulate_gp(ctxt, 0);
4272
4273 break;
4274 }
4275 case 4: {
4276 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
4277
4278 if ((efer & EFER_LMA) && !(new_val & X86_CR4_PAE))
4279 return emulate_gp(ctxt, 0);
4280
4281 break;
4282 }
4283 }
4284
4285 return X86EMUL_CONTINUE;
4286 }
4287
4288 static int check_dr7_gd(struct x86_emulate_ctxt *ctxt)
4289 {
4290 unsigned long dr7;
4291
4292 ctxt->ops->get_dr(ctxt, 7, &dr7);
4293
4294 /* Check if DR7.Global_Enable is set */
4295 return dr7 & (1 << 13);
4296 }
4297
4298 static int check_dr_read(struct x86_emulate_ctxt *ctxt)
4299 {
4300 int dr = ctxt->modrm_reg;
4301 u64 cr4;
4302
4303 if (dr > 7)
4304 return emulate_ud(ctxt);
4305
4306 cr4 = ctxt->ops->get_cr(ctxt, 4);
4307 if ((cr4 & X86_CR4_DE) && (dr == 4 || dr == 5))
4308 return emulate_ud(ctxt);
4309
4310 if (check_dr7_gd(ctxt)) {
4311 ulong dr6;
4312
4313 ctxt->ops->get_dr(ctxt, 6, &dr6);
4314 dr6 &= ~DR_TRAP_BITS;
4315 dr6 |= DR6_BD | DR6_RTM;
4316 ctxt->ops->set_dr(ctxt, 6, dr6);
4317 return emulate_db(ctxt);
4318 }
4319
4320 return X86EMUL_CONTINUE;
4321 }
4322
4323 static int check_dr_write(struct x86_emulate_ctxt *ctxt)
4324 {
4325 u64 new_val = ctxt->src.val64;
4326 int dr = ctxt->modrm_reg;
4327
4328 if ((dr == 6 || dr == 7) && (new_val & 0xffffffff00000000ULL))
4329 return emulate_gp(ctxt, 0);
4330
4331 return check_dr_read(ctxt);
4332 }
4333
4334 static int check_svme(struct x86_emulate_ctxt *ctxt)
4335 {
4336 u64 efer = 0;
4337
4338 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
4339
4340 if (!(efer & EFER_SVME))
4341 return emulate_ud(ctxt);
4342
4343 return X86EMUL_CONTINUE;
4344 }
4345
4346 static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
4347 {
4348 u64 rax = reg_read(ctxt, VCPU_REGS_RAX);
4349
4350 /* Valid physical address? */
4351 if (rax & 0xffff000000000000ULL)
4352 return emulate_gp(ctxt, 0);
4353
4354 return check_svme(ctxt);
4355 }
4356
4357 static int check_rdtsc(struct x86_emulate_ctxt *ctxt)
4358 {
4359 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
4360
4361 if (cr4 & X86_CR4_TSD && ctxt->ops->cpl(ctxt))
4362 return emulate_ud(ctxt);
4363
4364 return X86EMUL_CONTINUE;
4365 }
4366
4367 static int check_rdpmc(struct x86_emulate_ctxt *ctxt)
4368 {
4369 u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
4370 u64 rcx = reg_read(ctxt, VCPU_REGS_RCX);
4371
4372 /*
4373 * VMware allows access to these Pseduo-PMCs even when read via RDPMC
4374 * in Ring3 when CR4.PCE=0.
4375 */
4376 if (enable_vmware_backdoor && is_vmware_backdoor_pmc(rcx))
4377 return X86EMUL_CONTINUE;
4378
4379 if ((!(cr4 & X86_CR4_PCE) && ctxt->ops->cpl(ctxt)) ||
4380 ctxt->ops->check_pmc(ctxt, rcx))
4381 return emulate_gp(ctxt, 0);
4382
4383 return X86EMUL_CONTINUE;
4384 }
4385
4386 static int check_perm_in(struct x86_emulate_ctxt *ctxt)
4387 {
4388 ctxt->dst.bytes = min(ctxt->dst.bytes, 4u);
4389 if (!emulator_io_permited(ctxt, ctxt->src.val, ctxt->dst.bytes))
4390 return emulate_gp(ctxt, 0);
4391
4392 return X86EMUL_CONTINUE;
4393 }
4394
4395 static int check_perm_out(struct x86_emulate_ctxt *ctxt)
4396 {
4397 ctxt->src.bytes = min(ctxt->src.bytes, 4u);
4398 if (!emulator_io_permited(ctxt, ctxt->dst.val, ctxt->src.bytes))
4399 return emulate_gp(ctxt, 0);
4400
4401 return X86EMUL_CONTINUE;
4402 }
4403
4404 #define D(_y) { .flags = (_y) }
4405 #define DI(_y, _i) { .flags = (_y)|Intercept, .intercept = x86_intercept_##_i }
4406 #define DIP(_y, _i, _p) { .flags = (_y)|Intercept|CheckPerm, \
4407 .intercept = x86_intercept_##_i, .check_perm = (_p) }
4408 #define N D(NotImpl)
4409 #define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
4410 #define G(_f, _g) { .flags = ((_f) | Group | ModRM), .u.group = (_g) }
4411 #define GD(_f, _g) { .flags = ((_f) | GroupDual | ModRM), .u.gdual = (_g) }
4412 #define ID(_f, _i) { .flags = ((_f) | InstrDual | ModRM), .u.idual = (_i) }
4413 #define MD(_f, _m) { .flags = ((_f) | ModeDual), .u.mdual = (_m) }
4414 #define E(_f, _e) { .flags = ((_f) | Escape | ModRM), .u.esc = (_e) }
4415 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
4416 #define F(_f, _e) { .flags = (_f) | Fastop, .u.fastop = (_e) }
4417 #define II(_f, _e, _i) \
4418 { .flags = (_f)|Intercept, .u.execute = (_e), .intercept = x86_intercept_##_i }
4419 #define IIP(_f, _e, _i, _p) \
4420 { .flags = (_f)|Intercept|CheckPerm, .u.execute = (_e), \
4421 .intercept = x86_intercept_##_i, .check_perm = (_p) }
4422 #define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
4423
4424 #define D2bv(_f) D((_f) | ByteOp), D(_f)
4425 #define D2bvIP(_f, _i, _p) DIP((_f) | ByteOp, _i, _p), DIP(_f, _i, _p)
4426 #define I2bv(_f, _e) I((_f) | ByteOp, _e), I(_f, _e)
4427 #define F2bv(_f, _e) F((_f) | ByteOp, _e), F(_f, _e)
4428 #define I2bvIP(_f, _e, _i, _p) \
4429 IIP((_f) | ByteOp, _e, _i, _p), IIP(_f, _e, _i, _p)
4430
4431 #define F6ALU(_f, _e) F2bv((_f) | DstMem | SrcReg | ModRM, _e), \
4432 F2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock, _e), \
4433 F2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)
4434
4435 static const struct opcode group7_rm0[] = {
4436 N,
4437 I(SrcNone | Priv | EmulateOnUD, em_hypercall),
4438 N, N, N, N, N, N,
4439 };
4440
4441 static const struct opcode group7_rm1[] = {
4442 DI(SrcNone | Priv, monitor),
4443 DI(SrcNone | Priv, mwait),
4444 N, N, N, N, N, N,
4445 };
4446
4447 static const struct opcode group7_rm2[] = {
4448 N,
4449 II(ImplicitOps | Priv, em_xsetbv, xsetbv),
4450 N, N, N, N, N, N,
4451 };
4452
4453 static const struct opcode group7_rm3[] = {
4454 DIP(SrcNone | Prot | Priv, vmrun, check_svme_pa),
4455 II(SrcNone | Prot | EmulateOnUD, em_hypercall, vmmcall),
4456 DIP(SrcNone | Prot | Priv, vmload, check_svme_pa),
4457 DIP(SrcNone | Prot | Priv, vmsave, check_svme_pa),
4458 DIP(SrcNone | Prot | Priv, stgi, check_svme),
4459 DIP(SrcNone | Prot | Priv, clgi, check_svme),
4460 DIP(SrcNone | Prot | Priv, skinit, check_svme),
4461 DIP(SrcNone | Prot | Priv, invlpga, check_svme),
4462 };
4463
4464 static const struct opcode group7_rm7[] = {
4465 N,
4466 DIP(SrcNone, rdtscp, check_rdtsc),
4467 N, N, N, N, N, N,
4468 };
4469
4470 static const struct opcode group1[] = {
4471 F(Lock, em_add),
4472 F(Lock | PageTable, em_or),
4473 F(Lock, em_adc),
4474 F(Lock, em_sbb),
4475 F(Lock | PageTable, em_and),
4476 F(Lock, em_sub),
4477 F(Lock, em_xor),
4478 F(NoWrite, em_cmp),
4479 };
4480
4481 static const struct opcode group1A[] = {
4482 I(DstMem | SrcNone | Mov | Stack | IncSP | TwoMemOp, em_pop), N, N, N, N, N, N, N,
4483 };
4484
4485 static const struct opcode group2[] = {
4486 F(DstMem | ModRM, em_rol),
4487 F(DstMem | ModRM, em_ror),
4488 F(DstMem | ModRM, em_rcl),
4489 F(DstMem | ModRM, em_rcr),
4490 F(DstMem | ModRM, em_shl),
4491 F(DstMem | ModRM, em_shr),
4492 F(DstMem | ModRM, em_shl),
4493 F(DstMem | ModRM, em_sar),
4494 };
4495
4496 static const struct opcode group3[] = {
4497 F(DstMem | SrcImm | NoWrite, em_test),
4498 F(DstMem | SrcImm | NoWrite, em_test),
4499 F(DstMem | SrcNone | Lock, em_not),
4500 F(DstMem | SrcNone | Lock, em_neg),
4501 F(DstXacc | Src2Mem, em_mul_ex),
4502 F(DstXacc | Src2Mem, em_imul_ex),
4503 F(DstXacc | Src2Mem, em_div_ex),
4504 F(DstXacc | Src2Mem, em_idiv_ex),
4505 };
4506
4507 static const struct opcode group4[] = {
4508 F(ByteOp | DstMem | SrcNone | Lock, em_inc),
4509 F(ByteOp | DstMem | SrcNone | Lock, em_dec),
4510 N, N, N, N, N, N,
4511 };
4512
4513 static const struct opcode group5[] = {
4514 F(DstMem | SrcNone | Lock, em_inc),
4515 F(DstMem | SrcNone | Lock, em_dec),
4516 I(SrcMem | NearBranch, em_call_near_abs),
4517 I(SrcMemFAddr | ImplicitOps, em_call_far),
4518 I(SrcMem | NearBranch, em_jmp_abs),
4519 I(SrcMemFAddr | ImplicitOps, em_jmp_far),
4520 I(SrcMem | Stack | TwoMemOp, em_push), D(Undefined),
4521 };
4522
4523 static const struct opcode group6[] = {
4524 II(Prot | DstMem, em_sldt, sldt),
4525 II(Prot | DstMem, em_str, str),
4526 II(Prot | Priv | SrcMem16, em_lldt, lldt),
4527 II(Prot | Priv | SrcMem16, em_ltr, ltr),
4528 N, N, N, N,
4529 };
4530
4531 static const struct group_dual group7 = { {
4532 II(Mov | DstMem, em_sgdt, sgdt),
4533 II(Mov | DstMem, em_sidt, sidt),
4534 II(SrcMem | Priv, em_lgdt, lgdt),
4535 II(SrcMem | Priv, em_lidt, lidt),
4536 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
4537 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
4538 II(SrcMem | ByteOp | Priv | NoAccess, em_invlpg, invlpg),
4539 }, {
4540 EXT(0, group7_rm0),
4541 EXT(0, group7_rm1),
4542 EXT(0, group7_rm2),
4543 EXT(0, group7_rm3),
4544 II(SrcNone | DstMem | Mov, em_smsw, smsw), N,
4545 II(SrcMem16 | Mov | Priv, em_lmsw, lmsw),
4546 EXT(0, group7_rm7),
4547 } };
4548
4549 static const struct opcode group8[] = {
4550 N, N, N, N,
4551 F(DstMem | SrcImmByte | NoWrite, em_bt),
4552 F(DstMem | SrcImmByte | Lock | PageTable, em_bts),
4553 F(DstMem | SrcImmByte | Lock, em_btr),
4554 F(DstMem | SrcImmByte | Lock | PageTable, em_btc),
4555 };
4556
4557 /*
4558 * The "memory" destination is actually always a register, since we come
4559 * from the register case of group9.
4560 */
4561 static const struct gprefix pfx_0f_c7_7 = {
4562 N, N, N, II(DstMem | ModRM | Op3264 | EmulateOnUD, em_rdpid, rdtscp),
4563 };
4564
4565
4566 static const struct group_dual group9 = { {
4567 N, I(DstMem64 | Lock | PageTable, em_cmpxchg8b), N, N, N, N, N, N,
4568 }, {
4569 N, N, N, N, N, N, N,
4570 GP(0, &pfx_0f_c7_7),
4571 } };
4572
4573 static const struct opcode group11[] = {
4574 I(DstMem | SrcImm | Mov | PageTable, em_mov),
4575 X7(D(Undefined)),
4576 };
4577
4578 static const struct gprefix pfx_0f_ae_7 = {
4579 I(SrcMem | ByteOp, em_clflush), N, N, N,
4580 };
4581
4582 static const struct group_dual group15 = { {
4583 I(ModRM | Aligned16, em_fxsave),
4584 I(ModRM | Aligned16, em_fxrstor),
4585 N, N, N, N, N, GP(0, &pfx_0f_ae_7),
4586 }, {
4587 N, N, N, N, N, N, N, N,
4588 } };
4589
4590 static const struct gprefix pfx_0f_6f_0f_7f = {
4591 I(Mmx, em_mov), I(Sse | Aligned, em_mov), N, I(Sse | Unaligned, em_mov),
4592 };
4593
4594 static const struct instr_dual instr_dual_0f_2b = {
4595 I(0, em_mov), N
4596 };
4597
4598 static const struct gprefix pfx_0f_2b = {
4599 ID(0, &instr_dual_0f_2b), ID(0, &instr_dual_0f_2b), N, N,
4600 };
4601
4602 static const struct gprefix pfx_0f_10_0f_11 = {
4603 I(Unaligned, em_mov), I(Unaligned, em_mov), N, N,
4604 };
4605
4606 static const struct gprefix pfx_0f_28_0f_29 = {
4607 I(Aligned, em_mov), I(Aligned, em_mov), N, N,
4608 };
4609
4610 static const struct gprefix pfx_0f_e7 = {
4611 N, I(Sse, em_mov), N, N,
4612 };
4613
4614 static const struct escape escape_d9 = { {
4615 N, N, N, N, N, N, N, I(DstMem16 | Mov, em_fnstcw),
4616 }, {
4617 /* 0xC0 - 0xC7 */
4618 N, N, N, N, N, N, N, N,
4619 /* 0xC8 - 0xCF */
4620 N, N, N, N, N, N, N, N,
4621 /* 0xD0 - 0xC7 */
4622 N, N, N, N, N, N, N, N,
4623 /* 0xD8 - 0xDF */
4624 N, N, N, N, N, N, N, N,
4625 /* 0xE0 - 0xE7 */
4626 N, N, N, N, N, N, N, N,
4627 /* 0xE8 - 0xEF */
4628 N, N, N, N, N, N, N, N,
4629 /* 0xF0 - 0xF7 */
4630 N, N, N, N, N, N, N, N,
4631 /* 0xF8 - 0xFF */
4632 N, N, N, N, N, N, N, N,
4633 } };
4634
4635 static const struct escape escape_db = { {
4636 N, N, N, N, N, N, N, N,
4637 }, {
4638 /* 0xC0 - 0xC7 */
4639 N, N, N, N, N, N, N, N,
4640 /* 0xC8 - 0xCF */
4641 N, N, N, N, N, N, N, N,
4642 /* 0xD0 - 0xC7 */
4643 N, N, N, N, N, N, N, N,
4644 /* 0xD8 - 0xDF */
4645 N, N, N, N, N, N, N, N,
4646 /* 0xE0 - 0xE7 */
4647 N, N, N, I(ImplicitOps, em_fninit), N, N, N, N,
4648 /* 0xE8 - 0xEF */
4649 N, N, N, N, N, N, N, N,
4650 /* 0xF0 - 0xF7 */
4651 N, N, N, N, N, N, N, N,
4652 /* 0xF8 - 0xFF */
4653 N, N, N, N, N, N, N, N,
4654 } };
4655
4656 static const struct escape escape_dd = { {
4657 N, N, N, N, N, N, N, I(DstMem16 | Mov, em_fnstsw),
4658 }, {
4659 /* 0xC0 - 0xC7 */
4660 N, N, N, N, N, N, N, N,
4661 /* 0xC8 - 0xCF */
4662 N, N, N, N, N, N, N, N,
4663 /* 0xD0 - 0xC7 */
4664 N, N, N, N, N, N, N, N,
4665 /* 0xD8 - 0xDF */
4666 N, N, N, N, N, N, N, N,
4667 /* 0xE0 - 0xE7 */
4668 N, N, N, N, N, N, N, N,
4669 /* 0xE8 - 0xEF */
4670 N, N, N, N, N, N, N, N,
4671 /* 0xF0 - 0xF7 */
4672 N, N, N, N, N, N, N, N,
4673 /* 0xF8 - 0xFF */
4674 N, N, N, N, N, N, N, N,
4675 } };
4676
4677 static const struct instr_dual instr_dual_0f_c3 = {
4678 I(DstMem | SrcReg | ModRM | No16 | Mov, em_mov), N
4679 };
4680
4681 static const struct mode_dual mode_dual_63 = {
4682 N, I(DstReg | SrcMem32 | ModRM | Mov, em_movsxd)
4683 };
4684
4685 static const struct opcode opcode_table[256] = {
4686 /* 0x00 - 0x07 */
4687 F6ALU(Lock, em_add),
4688 I(ImplicitOps | Stack | No64 | Src2ES, em_push_sreg),
4689 I(ImplicitOps | Stack | No64 | Src2ES, em_pop_sreg),
4690 /* 0x08 - 0x0F */
4691 F6ALU(Lock | PageTable, em_or),
4692 I(ImplicitOps | Stack | No64 | Src2CS, em_push_sreg),
4693 N,
4694 /* 0x10 - 0x17 */
4695 F6ALU(Lock, em_adc),
4696 I(ImplicitOps | Stack | No64 | Src2SS, em_push_sreg),
4697 I(ImplicitOps | Stack | No64 | Src2SS, em_pop_sreg),
4698 /* 0x18 - 0x1F */
4699 F6ALU(Lock, em_sbb),
4700 I(ImplicitOps | Stack | No64 | Src2DS, em_push_sreg),
4701 I(ImplicitOps | Stack | No64 | Src2DS, em_pop_sreg),
4702 /* 0x20 - 0x27 */
4703 F6ALU(Lock | PageTable, em_and), N, N,
4704 /* 0x28 - 0x2F */
4705 F6ALU(Lock, em_sub), N, I(ByteOp | DstAcc | No64, em_das),
4706 /* 0x30 - 0x37 */
4707 F6ALU(Lock, em_xor), N, N,
4708 /* 0x38 - 0x3F */
4709 F6ALU(NoWrite, em_cmp), N, N,
4710 /* 0x40 - 0x4F */
4711 X8(F(DstReg, em_inc)), X8(F(DstReg, em_dec)),
4712 /* 0x50 - 0x57 */
4713 X8(I(SrcReg | Stack, em_push)),
4714 /* 0x58 - 0x5F */
4715 X8(I(DstReg | Stack, em_pop)),
4716 /* 0x60 - 0x67 */
4717 I(ImplicitOps | Stack | No64, em_pusha),
4718 I(ImplicitOps | Stack | No64, em_popa),
4719 N, MD(ModRM, &mode_dual_63),
4720 N, N, N, N,
4721 /* 0x68 - 0x6F */
4722 I(SrcImm | Mov | Stack, em_push),
4723 I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
4724 I(SrcImmByte | Mov | Stack, em_push),
4725 I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
4726 I2bvIP(DstDI | SrcDX | Mov | String | Unaligned, em_in, ins, check_perm_in), /* insb, insw/insd */
4727 I2bvIP(SrcSI | DstDX | String, em_out, outs, check_perm_out), /* outsb, outsw/outsd */
4728 /* 0x70 - 0x7F */
4729 X16(D(SrcImmByte | NearBranch)),
4730 /* 0x80 - 0x87 */
4731 G(ByteOp | DstMem | SrcImm, group1),
4732 G(DstMem | SrcImm, group1),
4733 G(ByteOp | DstMem | SrcImm | No64, group1),
4734 G(DstMem | SrcImmByte, group1),
4735 F2bv(DstMem | SrcReg | ModRM | NoWrite, em_test),
4736 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_xchg),
4737 /* 0x88 - 0x8F */
4738 I2bv(DstMem | SrcReg | ModRM | Mov | PageTable, em_mov),
4739 I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
4740 I(DstMem | SrcNone | ModRM | Mov | PageTable, em_mov_rm_sreg),
4741 D(ModRM | SrcMem | NoAccess | DstReg),
4742 I(ImplicitOps | SrcMem16 | ModRM, em_mov_sreg_rm),
4743 G(0, group1A),
4744 /* 0x90 - 0x97 */
4745 DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)),
4746 /* 0x98 - 0x9F */
4747 D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
4748 I(SrcImmFAddr | No64, em_call_far), N,
4749 II(ImplicitOps | Stack, em_pushf, pushf),
4750 II(ImplicitOps | Stack, em_popf, popf),
4751 I(ImplicitOps, em_sahf), I(ImplicitOps, em_lahf),
4752 /* 0xA0 - 0xA7 */
4753 I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
4754 I2bv(DstMem | SrcAcc | Mov | MemAbs | PageTable, em_mov),
4755 I2bv(SrcSI | DstDI | Mov | String | TwoMemOp, em_mov),
4756 F2bv(SrcSI | DstDI | String | NoWrite | TwoMemOp, em_cmp_r),
4757 /* 0xA8 - 0xAF */
4758 F2bv(DstAcc | SrcImm | NoWrite, em_test),
4759 I2bv(SrcAcc | DstDI | Mov | String, em_mov),
4760 I2bv(SrcSI | DstAcc | Mov | String, em_mov),
4761 F2bv(SrcAcc | DstDI | String | NoWrite, em_cmp_r),
4762 /* 0xB0 - 0xB7 */
4763 X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
4764 /* 0xB8 - 0xBF */
4765 X8(I(DstReg | SrcImm64 | Mov, em_mov)),
4766 /* 0xC0 - 0xC7 */
4767 G(ByteOp | Src2ImmByte, group2), G(Src2ImmByte, group2),
4768 I(ImplicitOps | NearBranch | SrcImmU16, em_ret_near_imm),
4769 I(ImplicitOps | NearBranch, em_ret),
4770 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2ES, em_lseg),
4771 I(DstReg | SrcMemFAddr | ModRM | No64 | Src2DS, em_lseg),
4772 G(ByteOp, group11), G(0, group11),
4773 /* 0xC8 - 0xCF */
4774 I(Stack | SrcImmU16 | Src2ImmByte, em_enter), I(Stack, em_leave),
4775 I(ImplicitOps | SrcImmU16, em_ret_far_imm),
4776 I(ImplicitOps, em_ret_far),
4777 D(ImplicitOps), DI(SrcImmByte, intn),
4778 D(ImplicitOps | No64), II(ImplicitOps, em_iret, iret),
4779 /* 0xD0 - 0xD7 */
4780 G(Src2One | ByteOp, group2), G(Src2One, group2),
4781 G(Src2CL | ByteOp, group2), G(Src2CL, group2),
4782 I(DstAcc | SrcImmUByte | No64, em_aam),
4783 I(DstAcc | SrcImmUByte | No64, em_aad),
4784 F(DstAcc | ByteOp | No64, em_salc),
4785 I(DstAcc | SrcXLat | ByteOp, em_mov),
4786 /* 0xD8 - 0xDF */
4787 N, E(0, &escape_d9), N, E(0, &escape_db), N, E(0, &escape_dd), N, N,
4788 /* 0xE0 - 0xE7 */
4789 X3(I(SrcImmByte | NearBranch, em_loop)),
4790 I(SrcImmByte | NearBranch, em_jcxz),
4791 I2bvIP(SrcImmUByte | DstAcc, em_in, in, check_perm_in),
4792 I2bvIP(SrcAcc | DstImmUByte, em_out, out, check_perm_out),
4793 /* 0xE8 - 0xEF */
4794 I(SrcImm | NearBranch, em_call), D(SrcImm | ImplicitOps | NearBranch),
4795 I(SrcImmFAddr | No64, em_jmp_far),
4796 D(SrcImmByte | ImplicitOps | NearBranch),
4797 I2bvIP(SrcDX | DstAcc, em_in, in, check_perm_in),
4798 I2bvIP(SrcAcc | DstDX, em_out, out, check_perm_out),
4799 /* 0xF0 - 0xF7 */
4800 N, DI(ImplicitOps, icebp), N, N,
4801 DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
4802 G(ByteOp, group3), G(0, group3),
4803 /* 0xF8 - 0xFF */
4804 D(ImplicitOps), D(ImplicitOps),
4805 I(ImplicitOps, em_cli), I(ImplicitOps, em_sti),
4806 D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
4807 };
4808
4809 static const struct opcode twobyte_table[256] = {
4810 /* 0x00 - 0x0F */
4811 G(0, group6), GD(0, &group7), N, N,
4812 N, I(ImplicitOps | EmulateOnUD, em_syscall),
4813 II(ImplicitOps | Priv, em_clts, clts), N,
4814 DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
4815 N, D(ImplicitOps | ModRM | SrcMem | NoAccess), N, N,
4816 /* 0x10 - 0x1F */
4817 GP(ModRM | DstReg | SrcMem | Mov | Sse, &pfx_0f_10_0f_11),
4818 GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_10_0f_11),
4819 N, N, N, N, N, N,
4820 D(ImplicitOps | ModRM | SrcMem | NoAccess),
4821 N, N, N, N, N, N, D(ImplicitOps | ModRM | SrcMem | NoAccess),
4822 /* 0x20 - 0x2F */
4823 DIP(ModRM | DstMem | Priv | Op3264 | NoMod, cr_read, check_cr_read),
4824 DIP(ModRM | DstMem | Priv | Op3264 | NoMod, dr_read, check_dr_read),
4825 IIP(ModRM | SrcMem | Priv | Op3264 | NoMod, em_cr_write, cr_write,
4826 check_cr_write),
4827 IIP(ModRM | SrcMem | Priv | Op3264 | NoMod, em_dr_write, dr_write,
4828 check_dr_write),
4829 N, N, N, N,
4830 GP(ModRM | DstReg | SrcMem | Mov | Sse, &pfx_0f_28_0f_29),
4831 GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_28_0f_29),
4832 N, GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_2b),
4833 N, N, N, N,
4834 /* 0x30 - 0x3F */
4835 II(ImplicitOps | Priv, em_wrmsr, wrmsr),
4836 IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
4837 II(ImplicitOps | Priv, em_rdmsr, rdmsr),
4838 IIP(ImplicitOps, em_rdpmc, rdpmc, check_rdpmc),
4839 I(ImplicitOps | EmulateOnUD, em_sysenter),
4840 I(ImplicitOps | Priv | EmulateOnUD, em_sysexit),
4841 N, N,
4842 N, N, N, N, N, N, N, N,
4843 /* 0x40 - 0x4F */
4844 X16(D(DstReg | SrcMem | ModRM)),
4845 /* 0x50 - 0x5F */
4846 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4847 /* 0x60 - 0x6F */
4848 N, N, N, N,
4849 N, N, N, N,
4850 N, N, N, N,
4851 N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
4852 /* 0x70 - 0x7F */
4853 N, N, N, N,
4854 N, N, N, N,
4855 N, N, N, N,
4856 N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
4857 /* 0x80 - 0x8F */
4858 X16(D(SrcImm | NearBranch)),
4859 /* 0x90 - 0x9F */
4860 X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
4861 /* 0xA0 - 0xA7 */
4862 I(Stack | Src2FS, em_push_sreg), I(Stack | Src2FS, em_pop_sreg),
4863 II(ImplicitOps, em_cpuid, cpuid),
4864 F(DstMem | SrcReg | ModRM | BitOp | NoWrite, em_bt),
4865 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shld),
4866 F(DstMem | SrcReg | Src2CL | ModRM, em_shld), N, N,
4867 /* 0xA8 - 0xAF */
4868 I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg),
4869 II(EmulateOnUD | ImplicitOps, em_rsm, rsm),
4870 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
4871 F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd),
4872 F(DstMem | SrcReg | Src2CL | ModRM, em_shrd),
4873 GD(0, &group15), F(DstReg | SrcMem | ModRM, em_imul),
4874 /* 0xB0 - 0xB7 */
4875 I2bv(DstMem | SrcReg | ModRM | Lock | PageTable | SrcWrite, em_cmpxchg),
4876 I(DstReg | SrcMemFAddr | ModRM | Src2SS, em_lseg),
4877 F(DstMem | SrcReg | ModRM | BitOp | Lock, em_btr),
4878 I(DstReg | SrcMemFAddr | ModRM | Src2FS, em_lseg),
4879 I(DstReg | SrcMemFAddr | ModRM | Src2GS, em_lseg),
4880 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4881 /* 0xB8 - 0xBF */
4882 N, N,
4883 G(BitOp, group8),
4884 F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_btc),
4885 I(DstReg | SrcMem | ModRM, em_bsf_c),
4886 I(DstReg | SrcMem | ModRM, em_bsr_c),
4887 D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4888 /* 0xC0 - 0xC7 */
4889 F2bv(DstMem | SrcReg | ModRM | SrcWrite | Lock, em_xadd),
4890 N, ID(0, &instr_dual_0f_c3),
4891 N, N, N, GD(0, &group9),
4892 /* 0xC8 - 0xCF */
4893 X8(I(DstReg, em_bswap)),
4894 /* 0xD0 - 0xDF */
4895 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4896 /* 0xE0 - 0xEF */
4897 N, N, N, N, N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_e7),
4898 N, N, N, N, N, N, N, N,
4899 /* 0xF0 - 0xFF */
4900 N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
4901 };
4902
4903 static const struct instr_dual instr_dual_0f_38_f0 = {
4904 I(DstReg | SrcMem | Mov, em_movbe), N
4905 };
4906
4907 static const struct instr_dual instr_dual_0f_38_f1 = {
4908 I(DstMem | SrcReg | Mov, em_movbe), N
4909 };
4910
4911 static const struct gprefix three_byte_0f_38_f0 = {
4912 ID(0, &instr_dual_0f_38_f0), N, N, N
4913 };
4914
4915 static const struct gprefix three_byte_0f_38_f1 = {
4916 ID(0, &instr_dual_0f_38_f1), N, N, N
4917 };
4918
4919 /*
4920 * Insns below are selected by the prefix which indexed by the third opcode
4921 * byte.
4922 */
4923 static const struct opcode opcode_map_0f_38[256] = {
4924 /* 0x00 - 0x7f */
4925 X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
4926 /* 0x80 - 0xef */
4927 X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
4928 /* 0xf0 - 0xf1 */
4929 GP(EmulateOnUD | ModRM, &three_byte_0f_38_f0),
4930 GP(EmulateOnUD | ModRM, &three_byte_0f_38_f1),
4931 /* 0xf2 - 0xff */
4932 N, N, X4(N), X8(N)
4933 };
4934
4935 #undef D
4936 #undef N
4937 #undef G
4938 #undef GD
4939 #undef I
4940 #undef GP
4941 #undef EXT
4942 #undef MD
4943 #undef ID
4944
4945 #undef D2bv
4946 #undef D2bvIP
4947 #undef I2bv
4948 #undef I2bvIP
4949 #undef I6ALU
4950
4951 static unsigned imm_size(struct x86_emulate_ctxt *ctxt)
4952 {
4953 unsigned size;
4954
4955 size = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4956 if (size == 8)
4957 size = 4;
4958 return size;
4959 }
4960
4961 static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
4962 unsigned size, bool sign_extension)
4963 {
4964 int rc = X86EMUL_CONTINUE;
4965
4966 op->type = OP_IMM;
4967 op->bytes = size;
4968 op->addr.mem.ea = ctxt->_eip;
4969 /* NB. Immediates are sign-extended as necessary. */
4970 switch (op->bytes) {
4971 case 1:
4972 op->val = insn_fetch(s8, ctxt);
4973 break;
4974 case 2:
4975 op->val = insn_fetch(s16, ctxt);
4976 break;
4977 case 4:
4978 op->val = insn_fetch(s32, ctxt);
4979 break;
4980 case 8:
4981 op->val = insn_fetch(s64, ctxt);
4982 break;
4983 }
4984 if (!sign_extension) {
4985 switch (op->bytes) {
4986 case 1:
4987 op->val &= 0xff;
4988 break;
4989 case 2:
4990 op->val &= 0xffff;
4991 break;
4992 case 4:
4993 op->val &= 0xffffffff;
4994 break;
4995 }
4996 }
4997 done:
4998 return rc;
4999 }
5000
5001 static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
5002 unsigned d)
5003 {
5004 int rc = X86EMUL_CONTINUE;
5005
5006 switch (d) {
5007 case OpReg:
5008 decode_register_operand(ctxt, op);
5009 break;
5010 case OpImmUByte:
5011 rc = decode_imm(ctxt, op, 1, false);
5012 break;
5013 case OpMem:
5014 ctxt->memop.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
5015 mem_common:
5016 *op = ctxt->memop;
5017 ctxt->memopp = op;
5018 if (ctxt->d & BitOp)
5019 fetch_bit_operand(ctxt);
5020 op->orig_val = op->val;
5021 break;
5022 case OpMem64:
5023 ctxt->memop.bytes = (ctxt->op_bytes == 8) ? 16 : 8;
5024 goto mem_common;
5025 case OpAcc:
5026 op->type = OP_REG;
5027 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
5028 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
5029 fetch_register_operand(op);
5030 op->orig_val = op->val;
5031 break;
5032 case OpAccLo:
5033 op->type = OP_REG;
5034 op->bytes = (ctxt->d & ByteOp) ? 2 : ctxt->op_bytes;
5035 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
5036 fetch_register_operand(op);
5037 op->orig_val = op->val;
5038 break;
5039 case OpAccHi:
5040 if (ctxt->d & ByteOp) {
5041 op->type = OP_NONE;
5042 break;
5043 }
5044 op->type = OP_REG;
5045 op->bytes = ctxt->op_bytes;
5046 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
5047 fetch_register_operand(op);
5048 op->orig_val = op->val;
5049 break;
5050 case OpDI:
5051 op->type = OP_MEM;
5052 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
5053 op->addr.mem.ea =
5054 register_address(ctxt, VCPU_REGS_RDI);
5055 op->addr.mem.seg = VCPU_SREG_ES;
5056 op->val = 0;
5057 op->count = 1;
5058 break;
5059 case OpDX:
5060 op->type = OP_REG;
5061 op->bytes = 2;
5062 op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
5063 fetch_register_operand(op);
5064 break;
5065 case OpCL:
5066 op->type = OP_IMM;
5067 op->bytes = 1;
5068 op->val = reg_read(ctxt, VCPU_REGS_RCX) & 0xff;
5069 break;
5070 case OpImmByte:
5071 rc = decode_imm(ctxt, op, 1, true);
5072 break;
5073 case OpOne:
5074 op->type = OP_IMM;
5075 op->bytes = 1;
5076 op->val = 1;
5077 break;
5078 case OpImm:
5079 rc = decode_imm(ctxt, op, imm_size(ctxt), true);
5080 break;
5081 case OpImm64:
5082 rc = decode_imm(ctxt, op, ctxt->op_bytes, true);
5083 break;
5084 case OpMem8:
5085 ctxt->memop.bytes = 1;
5086 if (ctxt->memop.type == OP_REG) {
5087 ctxt->memop.addr.reg = decode_register(ctxt,
5088 ctxt->modrm_rm, true);
5089 fetch_register_operand(&ctxt->memop);
5090 }
5091 goto mem_common;
5092 case OpMem16:
5093 ctxt->memop.bytes = 2;
5094 goto mem_common;
5095 case OpMem32:
5096 ctxt->memop.bytes = 4;
5097 goto mem_common;
5098 case OpImmU16:
5099 rc = decode_imm(ctxt, op, 2, false);
5100 break;
5101 case OpImmU:
5102 rc = decode_imm(ctxt, op, imm_size(ctxt), false);
5103 break;
5104 case OpSI:
5105 op->type = OP_MEM;
5106 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
5107 op->addr.mem.ea =
5108 register_address(ctxt, VCPU_REGS_RSI);
5109 op->addr.mem.seg = ctxt->seg_override;
5110 op->val = 0;
5111 op->count = 1;
5112 break;
5113 case OpXLat:
5114 op->type = OP_MEM;
5115 op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
5116 op->addr.mem.ea =
5117 address_mask(ctxt,
5118 reg_read(ctxt, VCPU_REGS_RBX) +
5119 (reg_read(ctxt, VCPU_REGS_RAX) & 0xff));
5120 op->addr.mem.seg = ctxt->seg_override;
5121 op->val = 0;
5122 break;
5123 case OpImmFAddr:
5124 op->type = OP_IMM;
5125 op->addr.mem.ea = ctxt->_eip;
5126 op->bytes = ctxt->op_bytes + 2;
5127 insn_fetch_arr(op->valptr, op->bytes, ctxt);
5128 break;
5129 case OpMemFAddr:
5130 ctxt->memop.bytes = ctxt->op_bytes + 2;
5131 goto mem_common;
5132 case OpES:
5133 op->type = OP_IMM;
5134 op->val = VCPU_SREG_ES;
5135 break;
5136 case OpCS:
5137 op->type = OP_IMM;
5138 op->val = VCPU_SREG_CS;
5139 break;
5140 case OpSS:
5141 op->type = OP_IMM;
5142 op->val = VCPU_SREG_SS;
5143 break;
5144 case OpDS:
5145 op->type = OP_IMM;
5146 op->val = VCPU_SREG_DS;
5147 break;
5148 case OpFS:
5149 op->type = OP_IMM;
5150 op->val = VCPU_SREG_FS;
5151 break;
5152 case OpGS:
5153 op->type = OP_IMM;
5154 op->val = VCPU_SREG_GS;
5155 break;
5156 case OpImplicit:
5157 /* Special instructions do their own operand decoding. */
5158 default:
5159 op->type = OP_NONE; /* Disable writeback. */
5160 break;
5161 }
5162
5163 done:
5164 return rc;
5165 }
5166
5167 int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
5168 {
5169 int rc = X86EMUL_CONTINUE;
5170 int mode = ctxt->mode;
5171 int def_op_bytes, def_ad_bytes, goffset, simd_prefix;
5172 bool op_prefix = false;
5173 bool has_seg_override = false;
5174 struct opcode opcode;
5175 u16 dummy;
5176 struct desc_struct desc;
5177
5178 ctxt->memop.type = OP_NONE;
5179 ctxt->memopp = NULL;
5180 ctxt->_eip = ctxt->eip;
5181 ctxt->fetch.ptr = ctxt->fetch.data;
5182 ctxt->fetch.end = ctxt->fetch.data + insn_len;
5183 ctxt->opcode_len = 1;
5184 if (insn_len > 0)
5185 memcpy(ctxt->fetch.data, insn, insn_len);
5186 else {
5187 rc = __do_insn_fetch_bytes(ctxt, 1);
5188 if (rc != X86EMUL_CONTINUE)
5189 goto done;
5190 }
5191
5192 switch (mode) {
5193 case X86EMUL_MODE_REAL:
5194 case X86EMUL_MODE_VM86:
5195 def_op_bytes = def_ad_bytes = 2;
5196 ctxt->ops->get_segment(ctxt, &dummy, &desc, NULL, VCPU_SREG_CS);
5197 if (desc.d)
5198 def_op_bytes = def_ad_bytes = 4;
5199 break;
5200 case X86EMUL_MODE_PROT16:
5201 def_op_bytes = def_ad_bytes = 2;
5202 break;
5203 case X86EMUL_MODE_PROT32:
5204 def_op_bytes = def_ad_bytes = 4;
5205 break;
5206 #ifdef CONFIG_X86_64
5207 case X86EMUL_MODE_PROT64:
5208 def_op_bytes = 4;
5209 def_ad_bytes = 8;
5210 break;
5211 #endif
5212 default:
5213 return EMULATION_FAILED;
5214 }
5215
5216 ctxt->op_bytes = def_op_bytes;
5217 ctxt->ad_bytes = def_ad_bytes;
5218
5219 /* Legacy prefixes. */
5220 for (;;) {
5221 switch (ctxt->b = insn_fetch(u8, ctxt)) {
5222 case 0x66: /* operand-size override */
5223 op_prefix = true;
5224 /* switch between 2/4 bytes */
5225 ctxt->op_bytes = def_op_bytes ^ 6;
5226 break;
5227 case 0x67: /* address-size override */
5228 if (mode == X86EMUL_MODE_PROT64)
5229 /* switch between 4/8 bytes */
5230 ctxt->ad_bytes = def_ad_bytes ^ 12;
5231 else
5232 /* switch between 2/4 bytes */
5233 ctxt->ad_bytes = def_ad_bytes ^ 6;
5234 break;
5235 case 0x26: /* ES override */
5236 has_seg_override = true;
5237 ctxt->seg_override = VCPU_SREG_ES;
5238 break;
5239 case 0x2e: /* CS override */
5240 has_seg_override = true;
5241 ctxt->seg_override = VCPU_SREG_CS;
5242 break;
5243 case 0x36: /* SS override */
5244 has_seg_override = true;
5245 ctxt->seg_override = VCPU_SREG_SS;
5246 break;
5247 case 0x3e: /* DS override */
5248 has_seg_override = true;
5249 ctxt->seg_override = VCPU_SREG_DS;
5250 break;
5251 case 0x64: /* FS override */
5252 has_seg_override = true;
5253 ctxt->seg_override = VCPU_SREG_FS;
5254 break;
5255 case 0x65: /* GS override */
5256 has_seg_override = true;
5257 ctxt->seg_override = VCPU_SREG_GS;
5258 break;
5259 case 0x40 ... 0x4f: /* REX */
5260 if (mode != X86EMUL_MODE_PROT64)
5261 goto done_prefixes;
5262 ctxt->rex_prefix = ctxt->b;
5263 continue;
5264 case 0xf0: /* LOCK */
5265 ctxt->lock_prefix = 1;
5266 break;
5267 case 0xf2: /* REPNE/REPNZ */
5268 case 0xf3: /* REP/REPE/REPZ */
5269 ctxt->rep_prefix = ctxt->b;
5270 break;
5271 default:
5272 goto done_prefixes;
5273 }
5274
5275 /* Any legacy prefix after a REX prefix nullifies its effect. */
5276
5277 ctxt->rex_prefix = 0;
5278 }
5279
5280 done_prefixes:
5281
5282 /* REX prefix. */
5283 if (ctxt->rex_prefix & 8)
5284 ctxt->op_bytes = 8; /* REX.W */
5285
5286 /* Opcode byte(s). */
5287 opcode = opcode_table[ctxt->b];
5288 /* Two-byte opcode? */
5289 if (ctxt->b == 0x0f) {
5290 ctxt->opcode_len = 2;
5291 ctxt->b = insn_fetch(u8, ctxt);
5292 opcode = twobyte_table[ctxt->b];
5293
5294 /* 0F_38 opcode map */
5295 if (ctxt->b == 0x38) {
5296 ctxt->opcode_len = 3;
5297 ctxt->b = insn_fetch(u8, ctxt);
5298 opcode = opcode_map_0f_38[ctxt->b];
5299 }
5300 }
5301 ctxt->d = opcode.flags;
5302
5303 if (ctxt->d & ModRM)
5304 ctxt->modrm = insn_fetch(u8, ctxt);
5305
5306 /* vex-prefix instructions are not implemented */
5307 if (ctxt->opcode_len == 1 && (ctxt->b == 0xc5 || ctxt->b == 0xc4) &&
5308 (mode == X86EMUL_MODE_PROT64 || (ctxt->modrm & 0xc0) == 0xc0)) {
5309 ctxt->d = NotImpl;
5310 }
5311
5312 while (ctxt->d & GroupMask) {
5313 switch (ctxt->d & GroupMask) {
5314 case Group:
5315 goffset = (ctxt->modrm >> 3) & 7;
5316 opcode = opcode.u.group[goffset];
5317 break;
5318 case GroupDual:
5319 goffset = (ctxt->modrm >> 3) & 7;
5320 if ((ctxt->modrm >> 6) == 3)
5321 opcode = opcode.u.gdual->mod3[goffset];
5322 else
5323 opcode = opcode.u.gdual->mod012[goffset];
5324 break;
5325 case RMExt:
5326 goffset = ctxt->modrm & 7;
5327 opcode = opcode.u.group[goffset];
5328 break;
5329 case Prefix:
5330 if (ctxt->rep_prefix && op_prefix)
5331 return EMULATION_FAILED;
5332 simd_prefix = op_prefix ? 0x66 : ctxt->rep_prefix;
5333 switch (simd_prefix) {
5334 case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
5335 case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
5336 case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
5337 case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
5338 }
5339 break;
5340 case Escape:
5341 if (ctxt->modrm > 0xbf) {
5342 size_t size = ARRAY_SIZE(opcode.u.esc->high);
5343 u32 index = array_index_nospec(
5344 ctxt->modrm - 0xc0, size);
5345
5346 opcode = opcode.u.esc->high[index];
5347 } else {
5348 opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7];
5349 }
5350 break;
5351 case InstrDual:
5352 if ((ctxt->modrm >> 6) == 3)
5353 opcode = opcode.u.idual->mod3;
5354 else
5355 opcode = opcode.u.idual->mod012;
5356 break;
5357 case ModeDual:
5358 if (ctxt->mode == X86EMUL_MODE_PROT64)
5359 opcode = opcode.u.mdual->mode64;
5360 else
5361 opcode = opcode.u.mdual->mode32;
5362 break;
5363 default:
5364 return EMULATION_FAILED;
5365 }
5366
5367 ctxt->d &= ~(u64)GroupMask;
5368 ctxt->d |= opcode.flags;
5369 }
5370
5371 /* Unrecognised? */
5372 if (ctxt->d == 0)
5373 return EMULATION_FAILED;
5374
5375 ctxt->execute = opcode.u.execute;
5376
5377 if (unlikely(ctxt->ud) && likely(!(ctxt->d & EmulateOnUD)))
5378 return EMULATION_FAILED;
5379
5380 if (unlikely(ctxt->d &
5381 (NotImpl|Stack|Op3264|Sse|Mmx|Intercept|CheckPerm|NearBranch|
5382 No16))) {
5383 /*
5384 * These are copied unconditionally here, and checked unconditionally
5385 * in x86_emulate_insn.
5386 */
5387 ctxt->check_perm = opcode.check_perm;
5388 ctxt->intercept = opcode.intercept;
5389
5390 if (ctxt->d & NotImpl)
5391 return EMULATION_FAILED;
5392
5393 if (mode == X86EMUL_MODE_PROT64) {
5394 if (ctxt->op_bytes == 4 && (ctxt->d & Stack))
5395 ctxt->op_bytes = 8;
5396 else if (ctxt->d & NearBranch)
5397 ctxt->op_bytes = 8;
5398 }
5399
5400 if (ctxt->d & Op3264) {
5401 if (mode == X86EMUL_MODE_PROT64)
5402 ctxt->op_bytes = 8;
5403 else
5404 ctxt->op_bytes = 4;
5405 }
5406
5407 if ((ctxt->d & No16) && ctxt->op_bytes == 2)
5408 ctxt->op_bytes = 4;
5409
5410 if (ctxt->d & Sse)
5411 ctxt->op_bytes = 16;
5412 else if (ctxt->d & Mmx)
5413 ctxt->op_bytes = 8;
5414 }
5415
5416 /* ModRM and SIB bytes. */
5417 if (ctxt->d & ModRM) {
5418 rc = decode_modrm(ctxt, &ctxt->memop);
5419 if (!has_seg_override) {
5420 has_seg_override = true;
5421 ctxt->seg_override = ctxt->modrm_seg;
5422 }
5423 } else if (ctxt->d & MemAbs)
5424 rc = decode_abs(ctxt, &ctxt->memop);
5425 if (rc != X86EMUL_CONTINUE)
5426 goto done;
5427
5428 if (!has_seg_override)
5429 ctxt->seg_override = VCPU_SREG_DS;
5430
5431 ctxt->memop.addr.mem.seg = ctxt->seg_override;
5432
5433 /*
5434 * Decode and fetch the source operand: register, memory
5435 * or immediate.
5436 */
5437 rc = decode_operand(ctxt, &ctxt->src, (ctxt->d >> SrcShift) & OpMask);
5438 if (rc != X86EMUL_CONTINUE)
5439 goto done;
5440
5441 /*
5442 * Decode and fetch the second source operand: register, memory
5443 * or immediate.
5444 */
5445 rc = decode_operand(ctxt, &ctxt->src2, (ctxt->d >> Src2Shift) & OpMask);
5446 if (rc != X86EMUL_CONTINUE)
5447 goto done;
5448
5449 /* Decode and fetch the destination operand: register or memory. */
5450 rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
5451
5452 if (ctxt->rip_relative && likely(ctxt->memopp))
5453 ctxt->memopp->addr.mem.ea = address_mask(ctxt,
5454 ctxt->memopp->addr.mem.ea + ctxt->_eip);
5455
5456 done:
5457 if (rc == X86EMUL_PROPAGATE_FAULT)
5458 ctxt->have_exception = true;
5459 return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
5460 }
5461
5462 bool x86_page_table_writing_insn(struct x86_emulate_ctxt *ctxt)
5463 {
5464 return ctxt->d & PageTable;
5465 }
5466
5467 static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
5468 {
5469 /* The second termination condition only applies for REPE
5470 * and REPNE. Test if the repeat string operation prefix is
5471 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
5472 * corresponding termination condition according to:
5473 * - if REPE/REPZ and ZF = 0 then done
5474 * - if REPNE/REPNZ and ZF = 1 then done
5475 */
5476 if (((ctxt->b == 0xa6) || (ctxt->b == 0xa7) ||
5477 (ctxt->b == 0xae) || (ctxt->b == 0xaf))
5478 && (((ctxt->rep_prefix == REPE_PREFIX) &&
5479 ((ctxt->eflags & X86_EFLAGS_ZF) == 0))
5480 || ((ctxt->rep_prefix == REPNE_PREFIX) &&
5481 ((ctxt->eflags & X86_EFLAGS_ZF) == X86_EFLAGS_ZF))))
5482 return true;
5483
5484 return false;
5485 }
5486
5487 static int flush_pending_x87_faults(struct x86_emulate_ctxt *ctxt)
5488 {
5489 int rc;
5490
5491 emulator_get_fpu();
5492 rc = asm_safe("fwait");
5493 emulator_put_fpu();
5494
5495 if (unlikely(rc != X86EMUL_CONTINUE))
5496 return emulate_exception(ctxt, MF_VECTOR, 0, false);
5497
5498 return X86EMUL_CONTINUE;
5499 }
5500
5501 static void fetch_possible_mmx_operand(struct operand *op)
5502 {
5503 if (op->type == OP_MM)
5504 read_mmx_reg(&op->mm_val, op->addr.mm);
5505 }
5506
5507 static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop)
5508 {
5509 ulong flags = (ctxt->eflags & EFLAGS_MASK) | X86_EFLAGS_IF;
5510
5511 if (!(ctxt->d & ByteOp))
5512 fop += __ffs(ctxt->dst.bytes) * FASTOP_SIZE;
5513
5514 asm("push %[flags]; popf; " CALL_NOSPEC " ; pushf; pop %[flags]\n"
5515 : "+a"(ctxt->dst.val), "+d"(ctxt->src.val), [flags]"+D"(flags),
5516 [thunk_target]"+S"(fop), ASM_CALL_CONSTRAINT
5517 : "c"(ctxt->src2.val));
5518
5519 ctxt->eflags = (ctxt->eflags & ~EFLAGS_MASK) | (flags & EFLAGS_MASK);
5520 if (!fop) /* exception is returned in fop variable */
5521 return emulate_de(ctxt);
5522 return X86EMUL_CONTINUE;
5523 }
5524
5525 void init_decode_cache(struct x86_emulate_ctxt *ctxt)
5526 {
5527 memset(&ctxt->rip_relative, 0,
5528 (void *)&ctxt->modrm - (void *)&ctxt->rip_relative);
5529
5530 ctxt->io_read.pos = 0;
5531 ctxt->io_read.end = 0;
5532 ctxt->mem_read.end = 0;
5533 }
5534
5535 int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
5536 {
5537 const struct x86_emulate_ops *ops = ctxt->ops;
5538 int rc = X86EMUL_CONTINUE;
5539 int saved_dst_type = ctxt->dst.type;
5540 unsigned emul_flags;
5541
5542 ctxt->mem_read.pos = 0;
5543
5544 /* LOCK prefix is allowed only with some instructions */
5545 if (ctxt->lock_prefix && (!(ctxt->d & Lock) || ctxt->dst.type != OP_MEM)) {
5546 rc = emulate_ud(ctxt);
5547 goto done;
5548 }
5549
5550 if ((ctxt->d & SrcMask) == SrcMemFAddr && ctxt->src.type != OP_MEM) {
5551 rc = emulate_ud(ctxt);
5552 goto done;
5553 }
5554
5555 emul_flags = ctxt->ops->get_hflags(ctxt);
5556 if (unlikely(ctxt->d &
5557 (No64|Undefined|Sse|Mmx|Intercept|CheckPerm|Priv|Prot|String))) {
5558 if ((ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) ||
5559 (ctxt->d & Undefined)) {
5560 rc = emulate_ud(ctxt);
5561 goto done;
5562 }
5563
5564 if (((ctxt->d & (Sse|Mmx)) && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)))
5565 || ((ctxt->d & Sse) && !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
5566 rc = emulate_ud(ctxt);
5567 goto done;
5568 }
5569
5570 if ((ctxt->d & (Sse|Mmx)) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
5571 rc = emulate_nm(ctxt);
5572 goto done;
5573 }
5574
5575 if (ctxt->d & Mmx) {
5576 rc = flush_pending_x87_faults(ctxt);
5577 if (rc != X86EMUL_CONTINUE)
5578 goto done;
5579 /*
5580 * Now that we know the fpu is exception safe, we can fetch
5581 * operands from it.
5582 */
5583 fetch_possible_mmx_operand(&ctxt->src);
5584 fetch_possible_mmx_operand(&ctxt->src2);
5585 if (!(ctxt->d & Mov))
5586 fetch_possible_mmx_operand(&ctxt->dst);
5587 }
5588
5589 if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && ctxt->intercept) {
5590 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5591 X86_ICPT_PRE_EXCEPT);
5592 if (rc != X86EMUL_CONTINUE)
5593 goto done;
5594 }
5595
5596 /* Instruction can only be executed in protected mode */
5597 if ((ctxt->d & Prot) && ctxt->mode < X86EMUL_MODE_PROT16) {
5598 rc = emulate_ud(ctxt);
5599 goto done;
5600 }
5601
5602 /* Privileged instruction can be executed only in CPL=0 */
5603 if ((ctxt->d & Priv) && ops->cpl(ctxt)) {
5604 if (ctxt->d & PrivUD)
5605 rc = emulate_ud(ctxt);
5606 else
5607 rc = emulate_gp(ctxt, 0);
5608 goto done;
5609 }
5610
5611 /* Do instruction specific permission checks */
5612 if (ctxt->d & CheckPerm) {
5613 rc = ctxt->check_perm(ctxt);
5614 if (rc != X86EMUL_CONTINUE)
5615 goto done;
5616 }
5617
5618 if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
5619 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5620 X86_ICPT_POST_EXCEPT);
5621 if (rc != X86EMUL_CONTINUE)
5622 goto done;
5623 }
5624
5625 if (ctxt->rep_prefix && (ctxt->d & String)) {
5626 /* All REP prefixes have the same first termination condition */
5627 if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0) {
5628 string_registers_quirk(ctxt);
5629 ctxt->eip = ctxt->_eip;
5630 ctxt->eflags &= ~X86_EFLAGS_RF;
5631 goto done;
5632 }
5633 }
5634 }
5635
5636 if ((ctxt->src.type == OP_MEM) && !(ctxt->d & NoAccess)) {
5637 rc = segmented_read(ctxt, ctxt->src.addr.mem,
5638 ctxt->src.valptr, ctxt->src.bytes);
5639 if (rc != X86EMUL_CONTINUE)
5640 goto done;
5641 ctxt->src.orig_val64 = ctxt->src.val64;
5642 }
5643
5644 if (ctxt->src2.type == OP_MEM) {
5645 rc = segmented_read(ctxt, ctxt->src2.addr.mem,
5646 &ctxt->src2.val, ctxt->src2.bytes);
5647 if (rc != X86EMUL_CONTINUE)
5648 goto done;
5649 }
5650
5651 if ((ctxt->d & DstMask) == ImplicitOps)
5652 goto special_insn;
5653
5654
5655 if ((ctxt->dst.type == OP_MEM) && !(ctxt->d & Mov)) {
5656 /* optimisation - avoid slow emulated read if Mov */
5657 rc = segmented_read(ctxt, ctxt->dst.addr.mem,
5658 &ctxt->dst.val, ctxt->dst.bytes);
5659 if (rc != X86EMUL_CONTINUE) {
5660 if (!(ctxt->d & NoWrite) &&
5661 rc == X86EMUL_PROPAGATE_FAULT &&
5662 ctxt->exception.vector == PF_VECTOR)
5663 ctxt->exception.error_code |= PFERR_WRITE_MASK;
5664 goto done;
5665 }
5666 }
5667 /* Copy full 64-bit value for CMPXCHG8B. */
5668 ctxt->dst.orig_val64 = ctxt->dst.val64;
5669
5670 special_insn:
5671
5672 if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
5673 rc = emulator_check_intercept(ctxt, ctxt->intercept,
5674 X86_ICPT_POST_MEMACCESS);
5675 if (rc != X86EMUL_CONTINUE)
5676 goto done;
5677 }
5678
5679 if (ctxt->rep_prefix && (ctxt->d & String))
5680 ctxt->eflags |= X86_EFLAGS_RF;
5681 else
5682 ctxt->eflags &= ~X86_EFLAGS_RF;
5683
5684 if (ctxt->execute) {
5685 if (ctxt->d & Fastop)
5686 rc = fastop(ctxt, (fastop_t)ctxt->execute);
5687 else
5688 rc = ctxt->execute(ctxt);
5689 if (rc != X86EMUL_CONTINUE)
5690 goto done;
5691 goto writeback;
5692 }
5693
5694 if (ctxt->opcode_len == 2)
5695 goto twobyte_insn;
5696 else if (ctxt->opcode_len == 3)
5697 goto threebyte_insn;
5698
5699 switch (ctxt->b) {
5700 case 0x70 ... 0x7f: /* jcc (short) */
5701 if (test_cc(ctxt->b, ctxt->eflags))
5702 rc = jmp_rel(ctxt, ctxt->src.val);
5703 break;
5704 case 0x8d: /* lea r16/r32, m */
5705 ctxt->dst.val = ctxt->src.addr.mem.ea;
5706 break;
5707 case 0x90 ... 0x97: /* nop / xchg reg, rax */
5708 if (ctxt->dst.addr.reg == reg_rmw(ctxt, VCPU_REGS_RAX))
5709 ctxt->dst.type = OP_NONE;
5710 else
5711 rc = em_xchg(ctxt);
5712 break;
5713 case 0x98: /* cbw/cwde/cdqe */
5714 switch (ctxt->op_bytes) {
5715 case 2: ctxt->dst.val = (s8)ctxt->dst.val; break;
5716 case 4: ctxt->dst.val = (s16)ctxt->dst.val; break;
5717 case 8: ctxt->dst.val = (s32)ctxt->dst.val; break;
5718 }
5719 break;
5720 case 0xcc: /* int3 */
5721 rc = emulate_int(ctxt, 3);
5722 break;
5723 case 0xcd: /* int n */
5724 rc = emulate_int(ctxt, ctxt->src.val);
5725 break;
5726 case 0xce: /* into */
5727 if (ctxt->eflags & X86_EFLAGS_OF)
5728 rc = emulate_int(ctxt, 4);
5729 break;
5730 case 0xe9: /* jmp rel */
5731 case 0xeb: /* jmp rel short */
5732 rc = jmp_rel(ctxt, ctxt->src.val);
5733 ctxt->dst.type = OP_NONE; /* Disable writeback. */
5734 break;
5735 case 0xf4: /* hlt */
5736 ctxt->ops->halt(ctxt);
5737 break;
5738 case 0xf5: /* cmc */
5739 /* complement carry flag from eflags reg */
5740 ctxt->eflags ^= X86_EFLAGS_CF;
5741 break;
5742 case 0xf8: /* clc */
5743 ctxt->eflags &= ~X86_EFLAGS_CF;
5744 break;
5745 case 0xf9: /* stc */
5746 ctxt->eflags |= X86_EFLAGS_CF;
5747 break;
5748 case 0xfc: /* cld */
5749 ctxt->eflags &= ~X86_EFLAGS_DF;
5750 break;
5751 case 0xfd: /* std */
5752 ctxt->eflags |= X86_EFLAGS_DF;
5753 break;
5754 default:
5755 goto cannot_emulate;
5756 }
5757
5758 if (rc != X86EMUL_CONTINUE)
5759 goto done;
5760
5761 writeback:
5762 if (ctxt->d & SrcWrite) {
5763 BUG_ON(ctxt->src.type == OP_MEM || ctxt->src.type == OP_MEM_STR);
5764 rc = writeback(ctxt, &ctxt->src);
5765 if (rc != X86EMUL_CONTINUE)
5766 goto done;
5767 }
5768 if (!(ctxt->d & NoWrite)) {
5769 rc = writeback(ctxt, &ctxt->dst);
5770 if (rc != X86EMUL_CONTINUE)
5771 goto done;
5772 }
5773
5774 /*
5775 * restore dst type in case the decoding will be reused
5776 * (happens for string instruction )
5777 */
5778 ctxt->dst.type = saved_dst_type;
5779
5780 if ((ctxt->d & SrcMask) == SrcSI)
5781 string_addr_inc(ctxt, VCPU_REGS_RSI, &ctxt->src);
5782
5783 if ((ctxt->d & DstMask) == DstDI)
5784 string_addr_inc(ctxt, VCPU_REGS_RDI, &ctxt->dst);
5785
5786 if (ctxt->rep_prefix && (ctxt->d & String)) {
5787 unsigned int count;
5788 struct read_cache *r = &ctxt->io_read;
5789 if ((ctxt->d & SrcMask) == SrcSI)
5790 count = ctxt->src.count;
5791 else
5792 count = ctxt->dst.count;
5793 register_address_increment(ctxt, VCPU_REGS_RCX, -count);
5794
5795 if (!string_insn_completed(ctxt)) {
5796 /*
5797 * Re-enter guest when pio read ahead buffer is empty
5798 * or, if it is not used, after each 1024 iteration.
5799 */
5800 if ((r->end != 0 || reg_read(ctxt, VCPU_REGS_RCX) & 0x3ff) &&
5801 (r->end == 0 || r->end != r->pos)) {
5802 /*
5803 * Reset read cache. Usually happens before
5804 * decode, but since instruction is restarted
5805 * we have to do it here.
5806 */
5807 ctxt->mem_read.end = 0;
5808 writeback_registers(ctxt);
5809 return EMULATION_RESTART;
5810 }
5811 goto done; /* skip rip writeback */
5812 }
5813 ctxt->eflags &= ~X86_EFLAGS_RF;
5814 }
5815
5816 ctxt->eip = ctxt->_eip;
5817
5818 done:
5819 if (rc == X86EMUL_PROPAGATE_FAULT) {
5820 WARN_ON(ctxt->exception.vector > 0x1f);
5821 ctxt->have_exception = true;
5822 }
5823 if (rc == X86EMUL_INTERCEPTED)
5824 return EMULATION_INTERCEPTED;
5825
5826 if (rc == X86EMUL_CONTINUE)
5827 writeback_registers(ctxt);
5828
5829 return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
5830
5831 twobyte_insn:
5832 switch (ctxt->b) {
5833 case 0x09: /* wbinvd */
5834 (ctxt->ops->wbinvd)(ctxt);
5835 break;
5836 case 0x08: /* invd */
5837 case 0x0d: /* GrpP (prefetch) */
5838 case 0x18: /* Grp16 (prefetch/nop) */
5839 case 0x1f: /* nop */
5840 break;
5841 case 0x20: /* mov cr, reg */
5842 ctxt->dst.val = ops->get_cr(ctxt, ctxt->modrm_reg);
5843 break;
5844 case 0x21: /* mov from dr to reg */
5845 ops->get_dr(ctxt, ctxt->modrm_reg, &ctxt->dst.val);
5846 break;
5847 case 0x40 ... 0x4f: /* cmov */
5848 if (test_cc(ctxt->b, ctxt->eflags))
5849 ctxt->dst.val = ctxt->src.val;
5850 else if (ctxt->op_bytes != 4)
5851 ctxt->dst.type = OP_NONE; /* no writeback */
5852 break;
5853 case 0x80 ... 0x8f: /* jnz rel, etc*/
5854 if (test_cc(ctxt->b, ctxt->eflags))
5855 rc = jmp_rel(ctxt, ctxt->src.val);
5856 break;
5857 case 0x90 ... 0x9f: /* setcc r/m8 */
5858 ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
5859 break;
5860 case 0xb6 ... 0xb7: /* movzx */
5861 ctxt->dst.bytes = ctxt->op_bytes;
5862 ctxt->dst.val = (ctxt->src.bytes == 1) ? (u8) ctxt->src.val
5863 : (u16) ctxt->src.val;
5864 break;
5865 case 0xbe ... 0xbf: /* movsx */
5866 ctxt->dst.bytes = ctxt->op_bytes;
5867 ctxt->dst.val = (ctxt->src.bytes == 1) ? (s8) ctxt->src.val :
5868 (s16) ctxt->src.val;
5869 break;
5870 default:
5871 goto cannot_emulate;
5872 }
5873
5874 threebyte_insn:
5875
5876 if (rc != X86EMUL_CONTINUE)
5877 goto done;
5878
5879 goto writeback;
5880
5881 cannot_emulate:
5882 return EMULATION_FAILED;
5883 }
5884
5885 void emulator_invalidate_register_cache(struct x86_emulate_ctxt *ctxt)
5886 {
5887 invalidate_registers(ctxt);
5888 }
5889
5890 void emulator_writeback_register_cache(struct x86_emulate_ctxt *ctxt)
5891 {
5892 writeback_registers(ctxt);
5893 }
5894
5895 bool emulator_can_use_gpa(struct x86_emulate_ctxt *ctxt)
5896 {
5897 if (ctxt->rep_prefix && (ctxt->d & String))
5898 return false;
5899
5900 if (ctxt->d & TwoMemOp)
5901 return false;
5902
5903 return true;
5904 }
Linux with added FPC-III support