23#include <linux/kvm_host.h>
24#include "kvm_cache_regs.h"
25#include <linux/module.h>
26#include <asm/kvm_emulate.h>
27
28#include "x86.h"
29#include "tss.h"
/*
 * Operand kinds.  Each opcode carries one of these 5-bit codes for each of
 * its three operand slots (destination, source, second source); the
 * DstXxx, SrcXxx and Src2Xxx macros below shift a code into its slot.
 * The exact meaning of each kind is given by the operand decoder (not in
 * this part of the file); the names follow the register, immediate or
 * memory form they denote.
 */
#define OpNone             0ull
#define OpImplicit         1ull
#define OpReg              2ull
#define OpMem              3ull
#define OpAcc              4ull
#define OpDI               5ull
#define OpMem64            6ull
#define OpImmUByte         7ull
#define OpDX               8ull
#define OpCL               9ull
#define OpImmByte         10ull
#define OpOne             11ull
#define OpImm             12ull
#define OpMem16           13ull
#define OpMem32           14ull
#define OpImmU            15ull
#define OpSI              16ull
#define OpImmFAddr        17ull
#define OpMemFAddr        18ull
#define OpImmU16          19ull
#define OpES              20ull
#define OpCS              21ull
#define OpSS              22ull
#define OpDS              23ull
#define OpFS              24ull
#define OpGS              25ull

/* width of one operand-kind field, and the mask extracting it once shifted */
#define OpBits             5
#define OpMask             ((1ull << OpBits) - 1)
/*
 * Layout of the per-opcode flags word (struct opcode::flags, 56 bits):
 *
 *   bit  0        ByteOp       8-bit operands
 *   bits 1..5     destination operand kind (OpMask << DstShift)
 *   bits 6..10    source operand kind      (OpMask << SrcShift)
 *   bits 11..29   instruction attributes (BitOp .. PageTable below)
 *   bits 30..34   second source operand kind (OpMask << Src2Shift)
 *
 * Bits 15..17 (GroupMask) form a small enum telling the decoder that the
 * table entry is not a final opcode but a pointer to a sub-table: Group,
 * GroupDual, Prefix or RMExt.
 */
#define ByteOp      (1<<0)

#define DstShift    1
#define ImplicitOps (OpImplicit << DstShift)
#define DstReg      (OpReg << DstShift)
#define DstMem      (OpMem << DstShift)
#define DstAcc      (OpAcc << DstShift)
#define DstDI       (OpDI << DstShift)
#define DstMem64    (OpMem64 << DstShift)
#define DstImmUByte (OpImmUByte << DstShift)
#define DstDX       (OpDX << DstShift)
#define DstMask     (OpMask << DstShift)

#define SrcShift    6
#define SrcNone     (OpNone << SrcShift)
#define SrcReg      (OpReg << SrcShift)
#define SrcMem      (OpMem << SrcShift)
#define SrcMem16    (OpMem16 << SrcShift)
#define SrcMem32    (OpMem32 << SrcShift)
#define SrcImm      (OpImm << SrcShift)
#define SrcImmByte  (OpImmByte << SrcShift)
#define SrcOne      (OpOne << SrcShift)
#define SrcImmUByte (OpImmUByte << SrcShift)
#define SrcImmU     (OpImmU << SrcShift)
#define SrcSI       (OpSI << SrcShift)
#define SrcImmFAddr (OpImmFAddr << SrcShift)
#define SrcMemFAddr (OpMemFAddr << SrcShift)
#define SrcAcc      (OpAcc << SrcShift)
#define SrcImmU16   (OpImmU16 << SrcShift)
#define SrcDX       (OpDX << SrcShift)
#define SrcMask     (OpMask << SrcShift)

/* instruction attributes, bits 11..29 */
#define BitOp       (1<<11)
#define MemAbs      (1<<12)
#define String      (1<<13)
#define Stack       (1<<14)
#define GroupMask   (7<<15)	/* three-bit sub-table selector */
#define Group       (1<<15)
#define GroupDual   (2<<15)
#define Prefix      (3<<15)
#define RMExt       (4<<15)
#define Sse         (1<<18)

#define ModRM       (1<<19)

#define Mov         (1<<20)

#define Prot        (1<<21)
#define VendorSpecific (1<<22)
#define NoAccess    (1<<23)
#define Op3264      (1<<24)
#define Undefined   (1<<25)
#define Lock        (1<<26)
#define Priv        (1<<27)
#define No64        (1<<28)
#define PageTable   (1 << 29)

#define Src2Shift   (30)
#define Src2None    (OpNone << Src2Shift)
#define Src2CL      (OpCL << Src2Shift)
#define Src2ImmByte (OpImmByte << Src2Shift)
#define Src2One     (OpOne << Src2Shift)
#define Src2Imm     (OpImm << Src2Shift)
#define Src2ES      (OpES << Src2Shift)
#define Src2CS      (OpCS << Src2Shift)
#define Src2SS      (OpSS << Src2Shift)
#define Src2DS      (OpDS << Src2Shift)
#define Src2FS      (OpFS << Src2Shift)
#define Src2GS      (OpGS << Src2Shift)
#define Src2Mask    (OpMask << Src2Shift)

/*
 * Table helpers: XN(x) expands to N copies of the entry x, comma separated,
 * so a run of identical opcode-table entries can be written once.
 */
#define X2(x...) x, x
#define X3(x...) X2(x), x
#define X4(x...) X2(x), X2(x)
#define X5(x...) X4(x), x
#define X6(x...) X4(x), X2(x)
#define X7(x...) X4(x), X3(x)
#define X8(x...) X4(x), X4(x)
#define X16(x...) X8(x), X8(x)
152
/*
 * One entry of the opcode tables.
 *
 * @flags:      the operand-kind and attribute bits defined above (56 bits
 *              is enough: Src2 ends at bit 34).
 * @intercept:  x86_intercept number reported through emulator_check_intercept().
 * @u:          what the entry resolves to: an execute callback for a final
 *              opcode, or a sub-table (group / gdual / gprefix) - presumably
 *              selected by the GroupMask bits of @flags; see the decoder.
 * @check_perm: optional per-instruction permission hook; NULL when unused
 *              (its exact contract lives with the decoder, not shown here).
 */
struct opcode {
	u64 flags : 56;
	u64 intercept : 8;
	union {
		int (*execute)(struct x86_emulate_ctxt *ctxt);
		struct opcode *group;
		struct group_dual *gdual;
		struct gprefix *gprefix;
	} u;
	int (*check_perm)(struct x86_emulate_ctxt *ctxt);
};
164
/*
 * A GroupDual sub-table: eight entries indexed by ModRM.reg, chosen from
 * @mod012 when ModRM.mod is 0..2 (memory operand) and from @mod3 when it
 * is 3 (register operand).
 */
struct group_dual {
	struct opcode mod012[8];
	struct opcode mod3[8];
};
169
/*
 * A Prefix sub-table: the same opcode byte with no mandatory prefix, or
 * with a 0x66, 0xf2 or 0xf3 prefix, maps to four different instructions.
 */
struct gprefix {
	struct opcode pfx_no;
	struct opcode pfx_66;
	struct opcode pfx_f2;
	struct opcode pfx_f3;
};
176
177
/* EFLAGS bit definitions */
#define EFLG_ID (1<<21)
#define EFLG_VIP (1<<20)
#define EFLG_VIF (1<<19)
#define EFLG_AC (1<<18)
#define EFLG_VM (1<<17)
#define EFLG_RF (1<<16)
#define EFLG_IOPL (3<<12)	/* two-bit I/O privilege level field */
#define EFLG_NT (1<<14)
#define EFLG_OF (1<<11)
#define EFLG_DF (1<<10)
#define EFLG_IF (1<<9)
#define EFLG_TF (1<<8)
#define EFLG_SF (1<<7)
#define EFLG_ZF (1<<6)
#define EFLG_AF (1<<4)
#define EFLG_PF (1<<2)
#define EFLG_CF (1<<0)

/* bits that always read as zero (upper half, 15, 5, 3), and bit 1 which always reads as one */
#define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
#define EFLG_RESERVED_ONE_MASK 2
198
/*
 * Inline-assembly helpers that differ between the 64-bit and 32-bit host:
 * _LO32 is the operand modifier selecting the low 32 bits of a register
 * ("k" on x86-64, nothing on i386) and _STK names the stack pointer.
 */
#if defined(CONFIG_X86_64)
#define _LO32 "k"
#define _STK "%%rsp"
#elif defined(__i386__)
#define _LO32 ""
#define _STK "%%esp"
#endif
218#define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
219
220
/*
 * _PRE_EFLAGS: load the guest's flag bits into the host flags register
 * before running the emulated instruction natively.
 *
 * _sav is the operand number of the guest EFLAGS (a memory operand), _msk
 * that of the mask of bits the instruction may change, _tmp a scratch
 * register.  Two copies of _sav are pushed; the lower one is reduced to
 * (_sav & _msk) and merged with (host flags & ~_msk) before popf, so the
 * host runs with the guest's masked bits and its own remaining bits.  The
 * upper copy, at byte offset BITS_PER_LONG/4 from the stack pointer, is
 * reduced to (_sav & ~_msk) and popped back into _sav, ready for
 * _POST_EFLAGS to OR the instruction's result bits in.
 */
#define _PRE_EFLAGS(_sav, _msk, _tmp)					\
	/* _sav -> _tmp, then two copies of it on the stack */		\
	"movl %"_sav",%"_LO32 _tmp"; "					\
	"push %"_tmp"; "						\
	"push %"_tmp"; "						\
	"movl %"_msk",%"_LO32 _tmp"; "					\
	"andl %"_LO32 _tmp",("_STK"); "				\
	"pushf; "							\
	"notl %"_LO32 _tmp"; "						\
	"andl %"_LO32 _tmp",("_STK"); "				\
	"andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); "	\
	"pop %"_tmp"; "							\
	"orl %"_LO32 _tmp",("_STK"); "					\
	"popf; "							\
	"pop %"_sav"; "
236
237
/*
 * _POST_EFLAGS: after the native instruction, read the host flags, keep
 * only the _msk bits and OR them into _sav (whose _msk bits _PRE_EFLAGS
 * left cleared).
 */
#define _POST_EFLAGS(_sav, _msk, _tmp)					\
	/* host flags -> _tmp, masked, merged into _sav */		\
	"pushf; "							\
	"pop %"_tmp"; "							\
	"andl %"_msk",%"_LO32 _tmp"; "					\
	"orl %"_LO32 _tmp",%"_sav"; "
244
/* ON64(x) keeps x on a 64-bit host build and drops it on 32-bit */
#ifdef CONFIG_X86_64
#define ON64(x) x
#else
#define ON64(x)
#endif
250
/*
 * Run a two-operand ALU instruction natively on the guest operands.
 *
 * Operands: %0 guest EFLAGS, %1 the destination value (reinterpreted as
 * _dsttype), %2 the scratch register _tmp (declared by the enclosing
 * __emulate_2op* macro), %3 the source value under constraint _y with
 * the register modifier _x, %4 EFLAGS_MASK.  _op is the mnemonic and
 * _suffix its size suffix ("b"/"w"/"l"/"q").
 */
#define ____emulate_2op(ctxt, _op, _x, _y, _suffix, _dsttype)	\
	do {							\
		__asm__ __volatile__ (				\
			_PRE_EFLAGS("0", "4", "2")		\
			_op _suffix " %"_x"3,%1; "		\
			_POST_EFLAGS("0", "4", "2")		\
			: "=m" ((ctxt)->eflags),		\
			  "+q" (*(_dsttype*)&(ctxt)->dst.val),	\
			  "=&r" (_tmp)				\
			: _y ((ctxt)->src.val), "i" (EFLAGS_MASK)); \
	} while (0)
262
263
264
/*
 * Dispatch on the destination size (2/4/8 bytes) for instructions without
 * a byte form.  The 8-byte case only exists on a 64-bit host; any other
 * size is silently skipped (no default branch).  _tmp is the scratch
 * register used by ____emulate_2op.
 */
#define __emulate_2op_nobyte(ctxt,_op,_wx,_wy,_lx,_ly,_qx,_qy)	\
	do {							\
		unsigned long _tmp;				\
								\
		switch ((ctxt)->dst.bytes) {			\
		case 2:						\
			____emulate_2op(ctxt,_op,_wx,_wy,"w",u16); \
			break;					\
		case 4:						\
			____emulate_2op(ctxt,_op,_lx,_ly,"l",u32); \
			break;					\
		case 8:						\
			ON64(____emulate_2op(ctxt,_op,_qx,_qy,"q",u64)); \
			break;					\
		}						\
	} while (0)
281
/*
 * Dispatch on the destination size including the 1-byte form; sizes
 * other than 1 are handed to __emulate_2op_nobyte.  The _bx.._qy pairs
 * are the (register modifier, constraint) for the source operand at each
 * width; see emulate_2op_SrcB/SrcV for the two sets in use.
 */
#define __emulate_2op(ctxt,_op,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy)	\
	do {							\
		unsigned long _tmp;				\
		switch ((ctxt)->dst.bytes) {			\
		case 1:						\
			____emulate_2op(ctxt,_op,_bx,_by,"b",u8); \
			break;					\
		default:					\
			__emulate_2op_nobyte(ctxt, _op,		\
					     _wx, _wy, _lx, _ly, _qx, _qy); \
			break;					\
		}						\
	} while (0)
295
296
/* source operand is always the 8-bit CL register ("c" constraint), e.g. shifts by CL */
#define emulate_2op_SrcB(ctxt, _op) \
	__emulate_2op(ctxt, _op, "b", "c", "b", "c", "b", "c", "b", "c")

/* source operand is a general register of the destination's width */
#define emulate_2op_SrcV(ctxt, _op) \
	__emulate_2op(ctxt, _op, "b", "q", "w", "r", _LO32, "r", "", "r")

/* as emulate_2op_SrcV, for instructions that have no byte form */
#define emulate_2op_SrcV_nobyte(ctxt, _op) \
	__emulate_2op_nobyte(ctxt, _op, "w", "r", _LO32, "r", "", "r")
307
308
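/*
 * Run a three-operand instruction whose count lives in CL (the double
 * shifts) natively: dst = op(dst, src, CL).
 *
 * Operands: %0 guest EFLAGS, %1 the destination copy (_dstv, updated),
 * %2 scratch _tmp, %3 the count forced into CL, %4 the source register,
 * %5 EFLAGS_MASK.  The three values are copied into _type-sized locals so
 * the instruction runs at the right width, then copied back.  The asm
 * only modifies _dstv, so the src/src2 write-backs merely re-truncate the
 * values to _type.  (The second src2 write-back was a typo for src.val.)
 */
#define __emulate_2op_cl(ctxt, _op, _suffix, _type)			\
	do {								\
		unsigned long _tmp;					\
		_type _clv  = (ctxt)->src2.val;				\
		_type _srcv = (ctxt)->src.val;				\
		_type _dstv = (ctxt)->dst.val;				\
									\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "5", "2")			\
			_op _suffix " %4,%1 \n"				\
			_POST_EFLAGS("0", "5", "2")			\
			: "=m" ((ctxt)->eflags), "+r" (_dstv), "=&r" (_tmp) \
			: "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK)	\
			);						\
									\
		(ctxt)->src2.val = (unsigned long) _clv;		\
		(ctxt)->src.val  = (unsigned long) _srcv;		\
		(ctxt)->dst.val  = (unsigned long) _dstv;		\
	} while (0)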
328
/*
 * Size dispatch for __emulate_2op_cl: 16/32-bit always, 64-bit only on a
 * 64-bit host.  There is no byte form and no default, so any other size
 * does nothing.
 */
#define emulate_2op_cl(ctxt, _op)					\
	do {								\
		switch ((ctxt)->dst.bytes) {				\
		case 2:							\
			__emulate_2op_cl(ctxt, _op, "w", u16);		\
			break;						\
		case 4:							\
			__emulate_2op_cl(ctxt, _op, "l", u32);		\
			break;						\
		case 8:							\
			ON64(__emulate_2op_cl(ctxt, _op, "q", ulong));	\
			break;						\
		}							\
	} while (0)
343
/*
 * Run a one-operand instruction (e.g. inc/dec/neg/not) natively on the
 * destination value in memory.  Operands: %0 guest EFLAGS, %1 dst.val
 * (read-write memory), %2 scratch _tmp, %3 EFLAGS_MASK.
 */
#define __emulate_1op(ctxt, _op, _suffix)				\
	do {								\
		unsigned long _tmp;					\
									\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "3", "2")			\
			_op _suffix " %1; "				\
			_POST_EFLAGS("0", "3", "2")			\
			: "=m" ((ctxt)->eflags), "+m" ((ctxt)->dst.val), \
			  "=&r" (_tmp)					\
			: "i" (EFLAGS_MASK));				\
	} while (0)
356
357
/* size dispatch for __emulate_1op on the destination size (1/2/4, 8 on 64-bit hosts) */
#define emulate_1op(ctxt, _op)						\
	do {								\
		switch ((ctxt)->dst.bytes) {				\
		case 1:	__emulate_1op(ctxt, _op, "b"); break;		\
		case 2:	__emulate_1op(ctxt, _op, "w"); break;		\
		case 4:	__emulate_1op(ctxt, _op, "l"); break;		\
		case 8:	ON64(__emulate_1op(ctxt, _op, "q")); break;	\
		}							\
	} while (0)
367
/*
 * Run an instruction that implicitly uses RAX:RDX (mul/imul/div/idiv
 * family) natively, with the guest's RAX and RDX loaded into the host's.
 *
 * Operands: %0 guest EFLAGS, %1 scratch _tmp, %2/%3 guest RAX/RDX
 * (read-write, "a"/"d" constraints), %4 the _ex flag, %5 EFLAGS_MASK,
 * %6 the source (divisor/multiplier) in memory.  If the instruction
 * faults on the host (a divide error), the exception-table entry sends
 * execution to label 3, which sets _ex to 1 and resumes at label 2, so
 * the caller can raise the corresponding guest exception.
 */
#define __emulate_1op_rax_rdx(ctxt, _op, _suffix, _ex)			\
	do {								\
		unsigned long _tmp;					\
		ulong *rax = &(ctxt)->regs[VCPU_REGS_RAX];		\
		ulong *rdx = &(ctxt)->regs[VCPU_REGS_RDX];		\
									\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "5", "1")			\
			"1: \n\t"					\
			_op _suffix " %6; "				\
			"2: \n\t"					\
			_POST_EFLAGS("0", "5", "1")			\
			".pushsection .fixup,\"ax\" \n\t"		\
			"3: movb $1, %4 \n\t"				\
			"jmp 2b \n\t"					\
			".popsection \n\t"				\
			_ASM_EXTABLE(1b, 3b)				\
			: "=m" ((ctxt)->eflags), "=&r" (_tmp),		\
			  "+a" (*rax), "+d" (*rdx), "+qm"(_ex)		\
			: "i" (EFLAGS_MASK), "m" ((ctxt)->src.val),	\
			  "a" (*rax), "d" (*rdx));			\
	} while (0)
390
391
/*
 * Size dispatch for __emulate_1op_rax_rdx.  Note the width comes from the
 * *source* operand (the explicit r/m operand), not the destination.
 */
#define emulate_1op_rax_rdx(ctxt, _op, _ex)	\
	do {								\
		switch((ctxt)->src.bytes) {				\
		case 1:							\
			__emulate_1op_rax_rdx(ctxt, _op, "b", _ex);	\
			break;						\
		case 2:							\
			__emulate_1op_rax_rdx(ctxt, _op, "w", _ex);	\
			break;						\
		case 4:							\
			__emulate_1op_rax_rdx(ctxt, _op, "l", _ex);	\
			break;						\
		case 8: ON64(						\
			__emulate_1op_rax_rdx(ctxt, _op, "q", _ex));	\
			break;						\
		}							\
	} while (0)
409
/*
 * Ask the backend whether the instruction being emulated is intercepted.
 *
 * The decoded ModRM fields, operand sizes, source value and the RIP of the
 * following instruction are packaged into an x86_instruction_info so the
 * ->intercept hook can reproduce what the instruction would do.
 *
 * @ctxt:      emulation context; ctxt->ops->intercept() is consulted.
 * @intercept: which intercept class to check.
 * @stage:     where in the emulation of the instruction the check happens.
 *
 * Returns the X86EMUL_* code produced by ctxt->ops->intercept().
 */
static int emulator_check_intercept(struct x86_emulate_ctxt *ctxt,
				    enum x86_intercept intercept,
				    enum x86_intercept_stage stage)
{
	struct x86_instruction_info info;

	memset(&info, 0, sizeof info);
	info.intercept = intercept;
	info.rep_prefix = ctxt->rep_prefix;
	info.modrm_mod = ctxt->modrm_mod;
	info.modrm_reg = ctxt->modrm_reg;
	info.modrm_rm = ctxt->modrm_rm;
	info.src_val = ctxt->src.val64;
	info.src_bytes = ctxt->src.bytes;
	info.dst_bytes = ctxt->dst.bytes;
	info.ad_bytes = ctxt->ad_bytes;
	info.next_rip = ctxt->eip;

	return ctxt->ops->intercept(ctxt, &info, stage);
}
429
/*
 * Mask covering the current address size: 0xffff for 2-byte addressing,
 * 0xffffffff for 4-byte.  With ad_bytes equal to the native word size the
 * shift would be by the full width (undefined in C); the callers visible
 * in this file test for that case before calling.
 */
static inline unsigned long ad_mask(struct x86_emulate_ctxt *ctxt)
{
	unsigned int ad_bits = ctxt->ad_bytes << 3;

	return (1UL << ad_bits) - 1;
}
434
435
/*
 * Truncate @reg to the current address size; a full-width address size
 * returns @reg unchanged (and avoids the full-width shift in ad_mask()).
 */
static inline unsigned long
address_mask(struct x86_emulate_ctxt *ctxt, unsigned long reg)
{
	bool full_width = ctxt->ad_bytes == sizeof(unsigned long);

	return full_width ? reg : reg & ad_mask(ctxt);
}
444
/* The effective address held in register value @reg, masked to the address size. */
static inline unsigned long
register_address(struct x86_emulate_ctxt *ctxt, unsigned long reg)
{
	unsigned long ea = address_mask(ctxt, reg);

	return ea;
}
450
/*
 * Add @inc to the register at @reg, wrapping within the current address
 * size: the bits above the address size are preserved and only the low
 * part wraps.  A full-width address size is a plain addition.
 */
static inline void
register_address_increment(struct x86_emulate_ctxt *ctxt, unsigned long *reg, int inc)
{
	unsigned long mask;

	if (ctxt->ad_bytes == sizeof(unsigned long)) {
		*reg += inc;
		return;
	}
	mask = ad_mask(ctxt);
	*reg = (*reg & ~mask) | ((*reg + inc) & mask);
}
459
/*
 * Advance the instruction pointer by the signed displacement @rel,
 * wrapping within the current address size.
 *
 * NOTE(review): architecturally a near relative branch truncates the new
 * (E)IP to the *operand* size, whereas this wraps to the address size; the
 * two differ when a 0x66 or 0x67 prefix is present.  Confirm how the
 * decoder sets ad_bytes for branches before relying on this masking.
 */
static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
{
	unsigned long *ip = &ctxt->_eip;

	register_address_increment(ctxt, ip, rel);
}
464
/*
 * Segment limit in bytes: with the granularity bit set the 20-bit limit
 * counts 4K pages, so it is shifted up and the low 12 bits filled with
 * ones (the limit is the last valid offset).
 */
static u32 desc_limit_scaled(struct desc_struct *desc)
{
	u32 limit = get_desc_limit(desc);

	if (!desc->g)
		return limit;
	return (limit << 12) | 0xfff;
}
471
/* Record a segment-override prefix: memory operands default to @seg from now on. */
static void set_seg_override(struct x86_emulate_ctxt *ctxt, int seg)
{
	ctxt->seg_override = seg;
	ctxt->has_seg_override = true;
}
477
/*
 * Base address of segment @seg.  In 64-bit mode the segments numbered
 * below VCPU_SREG_FS are flat (base 0); FS and GS, and every segment in
 * the other modes, use the cached base from the backend.
 */
static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
{
	bool flat_segment = ctxt->mode == X86EMUL_MODE_PROT64 &&
			    seg < VCPU_SREG_FS;

	if (flat_segment)
		return 0;
	return ctxt->ops->get_cached_segment_base(ctxt, seg);
}
485
/* The segment selected by an override prefix, or 0 when there was none. */
static unsigned seg_override(struct x86_emulate_ctxt *ctxt)
{
	return ctxt->has_seg_override ? ctxt->seg_override : 0;
}
493
/*
 * Queue exception @vec in the context (@error is only meaningful when
 * @valid is set) and return X86EMUL_PROPAGATE_FAULT so the caller can
 * unwind and deliver it to the guest.
 */
static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
			     u32 error, bool valid)
{
	ctxt->exception.error_code_valid = valid;
	ctxt->exception.error_code = error;
	ctxt->exception.vector = vec;
	return X86EMUL_PROPAGATE_FAULT;
}
502
/* Queue #DB (debug); it carries no error code. */
static int emulate_db(struct x86_emulate_ctxt *ctxt)
{
	const bool has_error_code = false;

	return emulate_exception(ctxt, DB_VECTOR, 0, has_error_code);
}
507
/* Queue #GP with error code @err (0, or a selector). */
static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
{
	const bool has_error_code = true;

	return emulate_exception(ctxt, GP_VECTOR, err, has_error_code);
}
512
/* Queue #SS (stack fault) with error code @err. */
static int emulate_ss(struct x86_emulate_ctxt *ctxt, int err)
{
	const bool has_error_code = true;

	return emulate_exception(ctxt, SS_VECTOR, err, has_error_code);
}
517
/* Queue #UD (invalid opcode); no error code. */
static int emulate_ud(struct x86_emulate_ctxt *ctxt)
{
	const bool has_error_code = false;

	return emulate_exception(ctxt, UD_VECTOR, 0, has_error_code);
}
522
/* Queue #TS (invalid TSS) with error code @err. */
static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
{
	const bool has_error_code = true;

	return emulate_exception(ctxt, TS_VECTOR, err, has_error_code);
}
527
/* Queue #DE (divide error); no error code. */
static int emulate_de(struct x86_emulate_ctxt *ctxt)
{
	const bool has_error_code = false;

	return emulate_exception(ctxt, DE_VECTOR, 0, has_error_code);
}
532
/* Queue #NM (device not available); no error code. */
static int emulate_nm(struct x86_emulate_ctxt *ctxt)
{
	const bool has_error_code = false;

	return emulate_exception(ctxt, NM_VECTOR, 0, has_error_code);
}
537
/*
 * Selector currently loaded in segment register @seg, as reported by the
 * backend's get_segment() (which fills @sel; the descriptor is discarded).
 */
static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
{
	struct desc_struct unused_desc;
	u16 sel;

	ctxt->ops->get_segment(ctxt, &sel, &unused_desc, NULL, seg);
	return sel;
}
546
/*
 * Replace only the selector of segment register @seg: the cached
 * descriptor and upper base are read back from the backend and written
 * out again unchanged alongside the new selector.
 */
static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
				 unsigned seg)
{
	struct desc_struct cur_desc;
	u32 cur_base3;
	u16 old_selector;

	ctxt->ops->get_segment(ctxt, &old_selector, &cur_desc, &cur_base3, seg);
	ctxt->ops->set_segment(ctxt, selector, &cur_desc, cur_base3, seg);
}
557
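/*
 * Translate a segmented address into a linear address, applying the
 * segment-level checks the CPU applies to a memory access.
 *
 * @ctxt:   emulation context (mode, address size, segment accessors).
 * @addr:   segment register index plus effective address.
 * @size:   number of bytes accessed; the whole range [ea, ea + size - 1]
 *          must lie inside the segment.
 * @write:  the access is a write (segment must be a writable data segment).
 * @fetch:  the access is an instruction fetch (the only kind allowed on an
 *          execute-only code segment).
 * @linear: output, the resulting linear address.
 *
 * Returns X86EMUL_CONTINUE on success.  A violation queues #SS (stack
 * segment) or #GP (any other segment) and returns X86EMUL_PROPAGATE_FAULT.
 * Limit, type and privilege violations carry error code 0 - they are not
 * descriptor-load faults, so no selector is reported.
 */
static int __linearize(struct x86_emulate_ctxt *ctxt,
		       struct segmented_address addr,
		       unsigned size, bool write, bool fetch,
		       ulong *linear)
{
	struct desc_struct desc;
	bool usable;
	ulong la;
	u32 lim;
	u16 sel;
	unsigned cpl, rpl;

	la = seg_base(ctxt, addr.seg) + addr.ea;
	switch (ctxt->mode) {
	case X86EMUL_MODE_REAL:
		/* no descriptors to check in real mode */
		break;
	case X86EMUL_MODE_PROT64:
		/*
		 * 64-bit mode only checks canonicality: sign-extending the
		 * low 48 bits must reproduce the address.
		 */
		if (((signed long)la << 16) >> 16 != la)
			return emulate_gp(ctxt, 0);
		break;
	default:
		usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
						addr.seg);
		if (!usable)
			goto bad;
		/* writes need a data segment (type bit 3 clear) with the W bit (bit 1) */
		if (((desc.type & 8) || !(desc.type & 2)) && write)
			goto bad;
		/* an execute-only code segment may only be read by instruction fetches */
		if (!fetch && (desc.type & 8) && !(desc.type & 2))
			goto bad;
		lim = desc_limit_scaled(&desc);
		if ((desc.type & 8) || !(desc.type & 4)) {
			/* expand-up: both ends of the access must be within the limit */
			if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
				goto bad;
		} else {
			/*
			 * expand-down data segment: valid offsets lie above
			 * the limit, up to 0xffffffff (D=1) or 0xffff (D=0).
			 */
			if (addr.ea <= lim || (u32)(addr.ea + size - 1) <= lim)
				goto bad;
			lim = desc.d ? 0xffffffff : 0xffff;
			if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
				goto bad;
		}
		/* effective privilege level: the less privileged of CPL and the selector's RPL */
		cpl = ctxt->ops->cpl(ctxt);
		rpl = sel & 3;
		cpl = max(cpl, rpl);
		if (!(desc.type & 8)) {
			/* data segment: DPL must be at least as low as the EPL */
			if (cpl > desc.dpl)
				goto bad;
		} else if ((desc.type & 8) && !(desc.type & 4)) {
			/* non-conforming code segment: same privilege level only */
			if (cpl != desc.dpl)
				goto bad;
		} else if ((desc.type & 8) && (desc.type & 4)) {
			/* conforming code segment: reachable from DPL and less privileged levels */
			if (cpl < desc.dpl)
				goto bad;
		}
		break;
	}
	/* outside 64-bit code (or 64-bit addressing) linear addresses are 32 bits wide */
	if (fetch ? ctxt->mode != X86EMUL_MODE_PROT64 : ctxt->ad_bytes != 8)
		la &= (u32)-1;
	*linear = la;
	return X86EMUL_CONTINUE;
bad:
	/*
	 * #SS(0) for the stack segment, #GP(0) otherwise.  These faults are
	 * not caused by loading a descriptor, so the error code is 0 rather
	 * than a selector (the previous code leaked the VCPU_SREG_* index).
	 */
	if (addr.seg == VCPU_SREG_SS)
		return emulate_ss(ctxt, 0);
	else
		return emulate_gp(ctxt, 0);
}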
630
/* __linearize() for data accesses (never an instruction fetch). */
static int linearize(struct x86_emulate_ctxt *ctxt,
		     struct segmented_address addr,
		     unsigned size, bool write,
		     ulong *linear)
{
	const bool is_fetch = false;

	return __linearize(ctxt, addr, size, write, is_fetch, linear);
}
638
639
/*
 * Read @size bytes at segmented address @addr into @data using the
 * backend's "standard" (non-emulated, no MMIO) read path.  Segment checks
 * come from linearize(); its fault code is returned as-is.
 */
static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
			      struct segmented_address addr,
			      void *data,
			      unsigned size)
{
	ulong linear;
	int rc = linearize(ctxt, addr, size, false, &linear);

	if (rc == X86EMUL_CONTINUE)
		rc = ctxt->ops->read_std(ctxt, linear, data, size,
					 &ctxt->exception);
	return rc;
}
/*
 * Fetch the next instruction byte at ctxt->_eip into @dest, advancing _eip.
 *
 * Bytes come from the fetch cache ctxt->fetch, which holds the window
 * [fc->start, fc->end).  When _eip reaches the end of the window the cache
 * is topped up from guest memory: the refill is bounded by the 15 bytes a
 * single instruction may occupy (which also bounds what goes into
 * fc->data - assumes fc->data is at least 15 bytes, TODO confirm) and by
 * the end of the current page, so one refill never crosses a page and
 * the CS limit check done by __linearize(fetch=true) covers it.
 *
 * Returns X86EMUL_CONTINUE, or the fault code from linearization or from
 * the backend fetch.  Assumes fc->start <= _eip <= fc->end on entry,
 * maintained by the callers (fc->start is set elsewhere).
 */
static int do_insn_fetch_byte(struct x86_emulate_ctxt *ctxt, u8 *dest)
{
	struct fetch_cache *fc = &ctxt->fetch;
	int rc;
	int size, cur_size;

	if (ctxt->_eip == fc->end) {
		unsigned long linear;
		struct segmented_address addr = { .seg = VCPU_SREG_CS,
						  .ea = ctxt->_eip };
		cur_size = fc->end - fc->start;
		/* bytes still allowed for this instruction, capped at the page end */
		size = min(15UL - cur_size,
			   PAGE_SIZE - offset_in_page(ctxt->_eip));
		rc = __linearize(ctxt, addr, size, false, true, &linear);
		if (unlikely(rc != X86EMUL_CONTINUE))
			return rc;
		rc = ctxt->ops->fetch(ctxt, linear, fc->data + cur_size,
				      size, &ctxt->exception);
		if (unlikely(rc != X86EMUL_CONTINUE))
			return rc;
		fc->end += size;
	}
	*dest = fc->data[ctxt->_eip - fc->start];
	ctxt->_eip++;
	return X86EMUL_CONTINUE;
}
687
/*
 * Fetch @size instruction bytes at ctxt->_eip into @dest.
 *
 * An x86 instruction is at most 15 bytes long; a request that would take
 * the instruction (which started at ctxt->eip) past that is refused with
 * X86EMUL_UNHANDLEABLE before any byte is read.  Otherwise the bytes are
 * pulled one at a time through do_insn_fetch_byte() and its first error
 * is returned.
 */
static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
			 void *dest, unsigned size)
{
	u8 *out = dest;
	unsigned i;

	if (unlikely(ctxt->_eip + size - ctxt->eip > 15))
		return X86EMUL_UNHANDLEABLE;
	for (i = 0; i < size; i++) {
		int rc = do_insn_fetch_byte(ctxt, out + i);

		if (rc != X86EMUL_CONTINUE)
			return rc;
	}
	return X86EMUL_CONTINUE;
}
703
704
/*
 * Fetch an immediate of type _type from the instruction stream.
 *
 * Expands to a GNU statement expression whose value is the fetched item.
 * It relies on two things in the calling function: a local `int rc` that
 * receives the fetch status, and a `done:` label to jump to on failure
 * (see decode_modrm / decode_abs).  The bytes are read into the low part
 * of an unsigned long and then narrowed to _type (little-endian host).
 */
#define insn_fetch(_type, _ctxt)					\
({	unsigned long _x;						\
	rc = do_insn_fetch(_ctxt, &_x, sizeof(_type));			\
	if (rc != X86EMUL_CONTINUE)					\
		goto done;						\
	(_type)_x;							\
})

/* Same contract as insn_fetch, reading _size bytes into the array _arr. */
#define insn_fetch_arr(_arr, _size, _ctxt)				\
({	rc = do_insn_fetch(_ctxt, _arr, (_size));			\
	if (rc != X86EMUL_CONTINUE)					\
		goto done;						\
})
718
/*
 * Pointer into the @regs array for register number @modrm_reg.
 *
 * With @highbyte_regs set (byte operand, no REX prefix) numbers 4..7
 * denote AH, CH, DH and BH: the second byte of registers 0..3 in the
 * little-endian register image.  No range check is done on @modrm_reg;
 * the decoders pass at most 4 bits (3 plus a REX extension bit).
 */
static void *decode_register(u8 modrm_reg, unsigned long *regs,
			     int highbyte_regs)
{
	if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
		return (unsigned char *)&regs[modrm_reg & 3] + 1;
	return &regs[modrm_reg];
}
734
/*
 * Read a pseudo-descriptor (as used by LGDT/LIDT) at @addr: a 16-bit
 * limit into @size followed by the base into @address.  With a 16-bit
 * operand size the base is still 3 bytes (24 bits); *address is zeroed
 * first so the bytes not read stay zero.
 *
 * Returns the status of the first failing segmented_read_std(), else
 * X86EMUL_CONTINUE.
 */
static int read_descriptor(struct x86_emulate_ctxt *ctxt,
			   struct segmented_address addr,
			   u16 *size, unsigned long *address, int op_bytes)
{
	int base_bytes = (op_bytes == 2) ? 3 : op_bytes;
	int rc;

	*address = 0;
	rc = segmented_read_std(ctxt, addr, size, 2);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	addr.ea += 2;
	return segmented_read_std(ctxt, addr, address, base_bytes);
}
751
/*
 * Evaluate a 4-bit condition code (as in Jcc/SETcc/CMOVcc) against @flags.
 *
 * Bits 3..1 of @condition select the flags tested:
 *   0 OF, 1 CF, 2 ZF, 3 CF|ZF, 4 SF, 5 PF, 6 SF!=OF, 7 ZF|(SF!=OF);
 * bit 0 inverts the result.  Returns 1 when the condition holds, else 0.
 */
static int test_cc(unsigned int condition, unsigned int flags)
{
	int rc = 0;

	switch ((condition & 15) >> 1) {
	case 0:
		rc |= (flags & EFLG_OF);
		break;
	case 1:
		rc |= (flags & EFLG_CF);
		break;
	case 2:
		rc |= (flags & EFLG_ZF);
		break;
	case 3:
		rc |= (flags & (EFLG_CF|EFLG_ZF));
		break;
	case 4:
		rc |= (flags & EFLG_SF);
		break;
	case 5:
		rc |= (flags & EFLG_PF);
		break;
	case 7:
		rc |= (flags & EFLG_ZF);
		/* fall through: "less or equal" is ZF or (SF != OF) */
	case 6:
		rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
		break;
	}

	/* normalise to 0/1 and apply the negation bit */
	return (!!rc ^ (condition & 1));
}
786
/*
 * Load op->val from the register op->addr.reg points at, reading exactly
 * op->bytes bytes (1, 2, 4 or 8); other sizes leave op->val untouched.
 */
static void fetch_register_operand(struct operand *op)
{
	const void *reg = op->addr.reg;

	if (op->bytes == 1)
		op->val = *(const u8 *)reg;
	else if (op->bytes == 2)
		op->val = *(const u16 *)reg;
	else if (op->bytes == 4)
		op->val = *(const u32 *)reg;
	else if (op->bytes == 8)
		op->val = *(const u64 *)reg;
}
804
/*
 * Copy host XMM register @reg into @data.  The backend's get_fpu/put_fpu
 * bracket the access so the guest's FPU state is loaded while we read.
 * Registers 8..15 exist only on 64-bit hosts; any other number is a bug
 * in the decoder and halts with BUG().
 */
static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
{
	ctxt->ops->get_fpu(ctxt);
	switch (reg) {
	case 0: asm("movdqu %%xmm0, %0" : "=m"(*data)); break;
	case 1: asm("movdqu %%xmm1, %0" : "=m"(*data)); break;
	case 2: asm("movdqu %%xmm2, %0" : "=m"(*data)); break;
	case 3: asm("movdqu %%xmm3, %0" : "=m"(*data)); break;
	case 4: asm("movdqu %%xmm4, %0" : "=m"(*data)); break;
	case 5: asm("movdqu %%xmm5, %0" : "=m"(*data)); break;
	case 6: asm("movdqu %%xmm6, %0" : "=m"(*data)); break;
	case 7: asm("movdqu %%xmm7, %0" : "=m"(*data)); break;
#ifdef CONFIG_X86_64
	case 8: asm("movdqu %%xmm8, %0" : "=m"(*data)); break;
	case 9: asm("movdqu %%xmm9, %0" : "=m"(*data)); break;
	case 10: asm("movdqu %%xmm10, %0" : "=m"(*data)); break;
	case 11: asm("movdqu %%xmm11, %0" : "=m"(*data)); break;
	case 12: asm("movdqu %%xmm12, %0" : "=m"(*data)); break;
	case 13: asm("movdqu %%xmm13, %0" : "=m"(*data)); break;
	case 14: asm("movdqu %%xmm14, %0" : "=m"(*data)); break;
	case 15: asm("movdqu %%xmm15, %0" : "=m"(*data)); break;
#endif
	default: BUG();
	}
	ctxt->ops->put_fpu(ctxt);
}
831
/*
 * Store @data into host XMM register @reg, under get_fpu/put_fpu so the
 * write lands in the guest's FPU state.  Registers 8..15 exist only on
 * 64-bit hosts; any other number halts with BUG().
 */
static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
			  int reg)
{
	ctxt->ops->get_fpu(ctxt);
	switch (reg) {
	case 0: asm("movdqu %0, %%xmm0" : : "m"(*data)); break;
	case 1: asm("movdqu %0, %%xmm1" : : "m"(*data)); break;
	case 2: asm("movdqu %0, %%xmm2" : : "m"(*data)); break;
	case 3: asm("movdqu %0, %%xmm3" : : "m"(*data)); break;
	case 4: asm("movdqu %0, %%xmm4" : : "m"(*data)); break;
	case 5: asm("movdqu %0, %%xmm5" : : "m"(*data)); break;
	case 6: asm("movdqu %0, %%xmm6" : : "m"(*data)); break;
	case 7: asm("movdqu %0, %%xmm7" : : "m"(*data)); break;
#ifdef CONFIG_X86_64
	case 8: asm("movdqu %0, %%xmm8" : : "m"(*data)); break;
	case 9: asm("movdqu %0, %%xmm9" : : "m"(*data)); break;
	case 10: asm("movdqu %0, %%xmm10" : : "m"(*data)); break;
	case 11: asm("movdqu %0, %%xmm11" : : "m"(*data)); break;
	case 12: asm("movdqu %0, %%xmm12" : : "m"(*data)); break;
	case 13: asm("movdqu %0, %%xmm13" : : "m"(*data)); break;
	case 14: asm("movdqu %0, %%xmm14" : : "m"(*data)); break;
	case 15: asm("movdqu %0, %%xmm15" : : "m"(*data)); break;
#endif
	default: BUG();
	}
	ctxt->ops->put_fpu(ctxt);
}
859
/*
 * Decode a register operand into @op.
 *
 * The register number is ModRM.reg (already extended by REX.R in
 * decode_modrm) or, for opcodes without a ModRM byte, the low three
 * opcode bits extended by REX.B.  Sse instructions yield an XMM operand
 * whose value is read immediately; everything else yields an OP_REG
 * operand of 1 byte (ByteOp, unless @inhibit_bytereg) or op_bytes, with
 * the current value fetched into op->val and saved in op->orig_val.
 */
static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
				    struct operand *op,
				    int inhibit_bytereg)
{
	unsigned reg;
	bool byte_reg;

	if (ctxt->d & ModRM)
		reg = ctxt->modrm_reg;
	else
		reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3);

	if (ctxt->d & Sse) {
		op->type = OP_XMM;
		op->bytes = 16;
		op->addr.xmm = reg;
		read_sse_reg(ctxt, &op->vec_val, reg);
		return;
	}

	byte_reg = (ctxt->d & ByteOp) && !inhibit_bytereg;
	op->type = OP_REG;
	op->bytes = byte_reg ? 1 : ctxt->op_bytes;
	/* AH..BH are only addressable for byte operands without a REX prefix */
	op->addr.reg = decode_register(reg, ctxt->regs,
				       byte_reg && ctxt->rex_prefix == 0);
	fetch_register_operand(op);
	op->orig_val = op->val;
}
889
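/*
 * Decode the ModRM byte (and SIB/displacement that follow) into @op.
 *
 * Fills ctxt->modrm_mod/reg/rm (the reg/rm fields pre-seeded with the
 * REX.R/REX.B extension bits), ctxt->modrm_seg (the default segment,
 * DS, or SS for BP/SP based forms) and, for memory forms, op->addr.mem.ea.
 * mod == 3 yields a register (or XMM) operand with its value fetched.
 * The effective address is computed in full width; truncation to the
 * address size is done later by __linearize (and here for 16-bit
 * addressing).  Assumes ctxt->regs has at least 16 entries, since REX
 * extended register numbers index it directly - TODO confirm.
 *
 * Uses insn_fetch(), so a failed fetch jumps to done: with rc set.
 * Returns X86EMUL_CONTINUE or that fetch status.
 */
static int decode_modrm(struct x86_emulate_ctxt *ctxt,
			struct operand *op)
{
	u8 sib;
	int index_reg = 0, base_reg = 0, scale;
	int rc = X86EMUL_CONTINUE;
	ulong modrm_ea = 0;

	/* REX.R, REX.X and REX.B extend reg, SIB.index and rm/base to 4 bits */
	if (ctxt->rex_prefix) {
		ctxt->modrm_reg = (ctxt->rex_prefix & 4) << 1;
		index_reg = (ctxt->rex_prefix & 2) << 2;
		ctxt->modrm_rm = base_reg = (ctxt->rex_prefix & 1) << 3;
	}

	ctxt->modrm = insn_fetch(u8, ctxt);
	ctxt->modrm_mod |= (ctxt->modrm & 0xc0) >> 6;
	ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
	ctxt->modrm_rm |= (ctxt->modrm & 0x07);
	ctxt->modrm_seg = VCPU_SREG_DS;

	if (ctxt->modrm_mod == 3) {
		/* register operand */
		op->type = OP_REG;
		op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
		op->addr.reg = decode_register(ctxt->modrm_rm,
					       ctxt->regs, ctxt->d & ByteOp);
		if (ctxt->d & Sse) {
			op->type = OP_XMM;
			op->bytes = 16;
			op->addr.xmm = ctxt->modrm_rm;
			read_sse_reg(ctxt, &op->vec_val, ctxt->modrm_rm);
			return rc;
		}
		fetch_register_operand(op);
		return rc;
	}

	op->type = OP_MEM;

	if (ctxt->ad_bytes == 2) {
		unsigned bx = ctxt->regs[VCPU_REGS_RBX];
		unsigned bp = ctxt->regs[VCPU_REGS_RBP];
		unsigned si = ctxt->regs[VCPU_REGS_RSI];
		unsigned di = ctxt->regs[VCPU_REGS_RDI];

		/* 16-bit addressing: displacement first ... */
		switch (ctxt->modrm_mod) {
		case 0:
			if (ctxt->modrm_rm == 6)
				modrm_ea += insn_fetch(u16, ctxt);
			break;
		case 1:
			modrm_ea += insn_fetch(s8, ctxt);
			break;
		case 2:
			modrm_ea += insn_fetch(u16, ctxt);
			break;
		}
		/* ... then the fixed base/index register combination */
		switch (ctxt->modrm_rm) {
		case 0:
			modrm_ea += bx + si;
			break;
		case 1:
			modrm_ea += bx + di;
			break;
		case 2:
			modrm_ea += bp + si;
			break;
		case 3:
			modrm_ea += bp + di;
			break;
		case 4:
			modrm_ea += si;
			break;
		case 5:
			modrm_ea += di;
			break;
		case 6:
			/* mod 0, rm 6 is a pure disp16; otherwise [BP+disp] */
			if (ctxt->modrm_mod != 0)
				modrm_ea += bp;
			break;
		case 7:
			modrm_ea += bx;
			break;
		}
		/* BP-based forms default to the stack segment */
		if (ctxt->modrm_rm == 2 || ctxt->modrm_rm == 3 ||
		    (ctxt->modrm_rm == 6 && ctxt->modrm_mod != 0))
			ctxt->modrm_seg = VCPU_SREG_SS;
		modrm_ea = (u16)modrm_ea;
	} else {
		/* 32/64-bit addressing */
		if ((ctxt->modrm_rm & 7) == 4) {
			/* SIB byte: base + index * 2^scale */
			sib = insn_fetch(u8, ctxt);
			index_reg |= (sib >> 3) & 7;
			base_reg |= sib & 7;
			scale = sib >> 6;

			/* base 5 with mod 0 means no base, disp32 instead */
			if ((base_reg & 7) == 5 && ctxt->modrm_mod == 0)
				modrm_ea += insn_fetch(s32, ctxt);
			else
				modrm_ea += ctxt->regs[base_reg];
			/* index 4 (without REX.X) means no index */
			if (index_reg != 4)
				modrm_ea += ctxt->regs[index_reg] << scale;
		} else if ((ctxt->modrm_rm & 7) == 5 && ctxt->modrm_mod == 0) {
			/*
			 * rm 5 with mod 0: disp32 only (32-bit) or
			 * RIP-relative disp32 (64-bit); REX.B does not
			 * change this encoding.
			 */
			if (ctxt->mode == X86EMUL_MODE_PROT64)
				ctxt->rip_relative = 1;
		} else
			modrm_ea += ctxt->regs[ctxt->modrm_rm];
		switch (ctxt->modrm_mod) {
		case 0:
			/*
			 * Match the rm-5 test above on the low three bits:
			 * with REX.B set modrm_rm is 13 and the disp32 of
			 * the RIP-relative form was previously never read,
			 * misdecoding the rest of the instruction.
			 */
			if ((ctxt->modrm_rm & 7) == 5)
				modrm_ea += insn_fetch(s32, ctxt);
			break;
		case 1:
			modrm_ea += insn_fetch(s8, ctxt);
			break;
		case 2:
			modrm_ea += insn_fetch(s32, ctxt);
			break;
		}
	}
	op->addr.mem.ea = modrm_ea;
done:
	return rc;
}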
1014
/*
 * Decode an absolute memory operand: an immediate address of address-size
 * width (2, 4 or 8 bytes) that follows the opcode.  Sizes other than those
 * leave op->addr.mem.ea unset.
 *
 * Uses insn_fetch(), so a failed fetch jumps to done: with rc set.
 * Returns X86EMUL_CONTINUE or that fetch status.
 */
static int decode_abs(struct x86_emulate_ctxt *ctxt,
		      struct operand *op)
{
	int rc = X86EMUL_CONTINUE;

	op->type = OP_MEM;
	switch (ctxt->ad_bytes) {
	case 2:
		op->addr.mem.ea = insn_fetch(u16, ctxt);
		break;
	case 4:
		op->addr.mem.ea = insn_fetch(u32, ctxt);
		break;
	case 8:
		op->addr.mem.ea = insn_fetch(u64, ctxt);
		break;
	}
done:
	return rc;
}
1035
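/*
 * Adjust the operands of a bit-offset instruction (presumably the BitOp
 * group: BT and friends).
 *
 * When the destination is in memory and the bit offset comes from a
 * register, the offset is a signed count that may reach outside the
 * addressed operand: advance the memory address by the operand-sized
 * units the offset spans (offset rounded towards -inf to a multiple of
 * the operand width, converted to bytes), then reduce the offset to a
 * bit index inside one operand.  Immediate offsets and register
 * destinations only get the reduction.
 */
static void fetch_bit_operand(struct x86_emulate_ctxt *ctxt)
{
	long sv = 0, mask;

	if (ctxt->dst.type == OP_MEM && ctxt->src.type == OP_REG) {
		/*
		 * ~(bits_per_operand - 1); computed in long so the mask also
		 * covers a 64-bit offset instead of being a zero-extended
		 * 32-bit value.
		 */
		mask = ~((long)ctxt->dst.bytes * 8 - 1);

		if (ctxt->src.bytes == 2)
			sv = (s16)ctxt->src.val & (s16)mask;
		else if (ctxt->src.bytes == 4)
			sv = (s32)ctxt->src.val & (s32)mask;
		else if (ctxt->src.bytes == 8)
			/* previously unhandled: a 64-bit offset applied no address adjustment */
			sv = (s64)ctxt->src.val & (s64)mask;

		ctxt->dst.addr.mem.ea += (sv >> 3);
	}

	/* keep only the bit index within the operand */
	ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
}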
1054
/*
 * Read @size bytes of guest memory at linear address @addr into @dest,
 * via the memory-read cache ctxt->mem_read.
 *
 * The read proceeds in chunks of at most 8 bytes.  Chunks the cache already
 * holds (mc->pos < mc->end) are replayed from it instead of being read
 * again - presumably so that an instruction re-executed after an exit
 * observes the same data; chunks beyond the cached end are read from the
 * backend and appended.  Returns X86EMUL_CONTINUE, or the backend's
 * error code (the exception details are left in ctxt->exception).
 *
 * NOTE(review): mc->end is not compared against the size of mc->data
 * here; the total read per instruction must be bounded by the callers -
 * confirm.
 */
static int read_emulated(struct x86_emulate_ctxt *ctxt,
			 unsigned long addr, void *dest, unsigned size)
{
	int rc;
	struct read_cache *mc = &ctxt->mem_read;

	while (size) {
		int n = min(size, 8u);
		size -= n;
		if (mc->pos < mc->end)
			goto read_cached;

		rc = ctxt->ops->read_emulated(ctxt, addr, mc->data + mc->end, n,
					      &ctxt->exception);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		mc->end += n;

	read_cached:
		memcpy(dest, mc->data + mc->pos, n);
		mc->pos += n;
		dest += n;
		addr += n;
	}
	return X86EMUL_CONTINUE;
}
1081
/*
 * Read @size bytes at segmented address @addr into @data through the
 * emulated (cached, MMIO-capable) read path.  Segment checks come from
 * linearize(); its fault code is returned as-is.
 */
static int segmented_read(struct x86_emulate_ctxt *ctxt,
			  struct segmented_address addr,
			  void *data,
			  unsigned size)
{
	ulong linear;
	int rc = linearize(ctxt, addr, size, false, &linear);

	if (rc == X86EMUL_CONTINUE)
		rc = read_emulated(ctxt, linear, data, size);
	return rc;
}
1095
/*
 * Write @size bytes from @data to segmented address @addr through the
 * emulated write path.  The segment is checked for writability by
 * linearize(write=true); its fault code is returned as-is.
 */
static int segmented_write(struct x86_emulate_ctxt *ctxt,
			   struct segmented_address addr,
			   const void *data,
			   unsigned size)
{
	ulong linear;
	int rc = linearize(ctxt, addr, size, true, &linear);

	if (rc == X86EMUL_CONTINUE)
		rc = ctxt->ops->write_emulated(ctxt, linear, data, size,
					       &ctxt->exception);
	return rc;
}
1110
/*
 * Atomically replace @size bytes at segmented address @addr with @data
 * if they currently equal @orig_data (used for LOCK-prefixed writes).
 * The segment is checked for writability by linearize(write=true); its
 * fault code is returned as-is.
 */
static int segmented_cmpxchg(struct x86_emulate_ctxt *ctxt,
			     struct segmented_address addr,
			     const void *orig_data, const void *data,
			     unsigned size)
{
	ulong linear;
	int rc = linearize(ctxt, addr, size, true, &linear);

	if (rc == X86EMUL_CONTINUE)
		rc = ctxt->ops->cmpxchg_emulated(ctxt, linear, orig_data, data,
						 size, &ctxt->exception);
	return rc;
}
1125
/*
 * Read one @size-byte unit from I/O port @port into @dest, batching
 * repeated reads (REP INS) through ctxt->io_read.
 *
 * When the cache is empty the backend is asked for @n units at once,
 * where @n is the smallest of: the REP count in (E)CX (1 without a REP
 * prefix), the units that fit in the destination page ahead of (E)DI
 * (the direction given by EFLAGS.DF), and the units that fit in the
 * cache - but never less than 1.  Subsequent calls drain the cache.
 *
 * Returns 1 on success and 0 when the backend did not complete the port
 * read (this function uses 0/1, not X86EMUL_* codes).
 */
static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
			   unsigned int size, unsigned short port,
			   void *dest)
{
	struct read_cache *rc = &ctxt->io_read;

	if (rc->pos == rc->end) {
		unsigned int in_page, n;
		unsigned int count = ctxt->rep_prefix ?
			address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) : 1;
		in_page = (ctxt->eflags & EFLG_DF) ?
			offset_in_page(ctxt->regs[VCPU_REGS_RDI]) :
			PAGE_SIZE - offset_in_page(ctxt->regs[VCPU_REGS_RDI]);
		n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
			count);
		if (n == 0)
			n = 1;
		rc->pos = rc->end = 0;
		if (!ctxt->ops->pio_in_emulated(ctxt, size, port, rc->data, n))
			return 0;
		rc->end = n * size;
	}

	memcpy(dest, rc->data + rc->pos, size);
	rc->pos += size;
	return 1;
}
1153
/*
 * Fill @dt with the base and limit of the descriptor table @selector
 * refers to: the GDT, or the LDT when the selector's TI bit (bit 2) is
 * set.  If LDTR holds no usable segment @dt is left zeroed, so every
 * index fails the callers' limit check and yields #GP.
 */
static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
				     u16 selector, struct desc_ptr *dt)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct desc_struct ldt_desc;
	u16 ldt_sel;

	if (!(selector & (1 << 2))) {
		ops->get_gdt(ctxt, dt);
		return;
	}

	memset(dt, 0, sizeof *dt);
	if (!ops->get_segment(ctxt, &ldt_sel, &ldt_desc, NULL, VCPU_SREG_LDTR))
		return;

	dt->size = desc_limit_scaled(&ldt_desc);
	dt->address = get_desc_base(&ldt_desc);
}
1172
1173
/*
 * Read the 8-byte descriptor @selector indexes (in the GDT or LDT) into
 * @desc.  An index whose entry does not fit within the table limit
 * raises #GP with the selector (RPL cleared) as error code; otherwise the
 * status of the backend read is returned.
 */
static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				   u16 selector, struct desc_struct *desc)
{
	struct desc_ptr dt;
	ulong offset = (ulong)(selector >> 3) * 8;

	get_descriptor_table_ptr(ctxt, selector, &dt);

	/* the whole entry must lie inside the table */
	if (offset + 7 > dt.size)
		return emulate_gp(ctxt, selector & 0xfffc);

	return ctxt->ops->read_std(ctxt, dt.address + offset, desc,
				   sizeof *desc, &ctxt->exception);
}
1190
1191
/*
 * Write @desc back to the 8-byte table entry @selector indexes (used to
 * set the Accessed bit).  Same limit check and error code as
 * read_segment_descriptor(); otherwise returns the backend write status.
 */
static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				    u16 selector, struct desc_struct *desc)
{
	struct desc_ptr dt;
	ulong offset = (ulong)(selector >> 3) * 8;

	get_descriptor_table_ptr(ctxt, selector, &dt);

	/* the whole entry must lie inside the table */
	if (offset + 7 > dt.size)
		return emulate_gp(ctxt, selector & 0xfffc);

	return ctxt->ops->write_std(ctxt, dt.address + offset, desc,
				    sizeof *desc, &ctxt->exception);
}
1208
1209
/*
 * Load segment register @seg with @selector, doing the descriptor lookup
 * and the type/presence/privilege checks the CPU does for a segment
 * register load (MOV/POP to Sreg, LTR, LLDT).
 *
 * Returns X86EMUL_CONTINUE on success.  Check failures queue #GP, #SS or
 * #NP (with the selector, RPL cleared, as error code once a descriptor
 * has been read) and return X86EMUL_PROPAGATE_FAULT; errors from reading
 * or writing the descriptor are returned unchanged.
 */
static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				   u16 selector, int seg)
{
	struct desc_struct seg_desc;
	u8 dpl, rpl, cpl;
	unsigned err_vec = GP_VECTOR;
	u32 err_code = 0;
	bool null_selector = !(selector & ~0x3);	/* index and TI both zero */
	int ret;

	memset(&seg_desc, 0, sizeof seg_desc);

	if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
	    || ctxt->mode == X86EMUL_MODE_REAL) {
		/*
		 * Real and virtual-8086 mode: synthesize a present 64K
		 * read/write data descriptor based at selector << 4.
		 */
		set_desc_base(&seg_desc, selector << 4);
		set_desc_limit(&seg_desc, 0xffff);
		seg_desc.type = 3;
		seg_desc.p = 1;
		seg_desc.s = 1;
		goto load;
	}

	/* CS, SS and TR may never be loaded with a null selector */
	if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
	    && null_selector)
		goto exception;

	/* the TSS descriptor must come from the GDT (TI bit clear) */
	if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
		goto exception;

	/* a null selector elsewhere loads an empty (zeroed) descriptor */
	if (null_selector)
		goto load;

	ret = read_segment_descriptor(ctxt, selector, &seg_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	/* from here on, faults report the selector (minus RPL) */
	err_code = selector & 0xfffc;
	err_vec = GP_VECTOR;

	/* registers numbered up to VCPU_SREG_GS only take code/data (S=1) descriptors */
	if (seg <= VCPU_SREG_GS && !seg_desc.s)
		goto exception;

	/* not-present segment: #SS for the stack segment, #NP otherwise */
	if (!seg_desc.p) {
		err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
		goto exception;
	}

	rpl = selector & 3;
	dpl = seg_desc.dpl;
	cpl = ctxt->ops->cpl(ctxt);

	switch (seg) {
	case VCPU_SREG_SS:
		/*
		 * The stack segment must be a writable data segment
		 * (type bit 3 clear, bit 1 set) with RPL == DPL == CPL.
		 */
		if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
			goto exception;
		break;
	case VCPU_SREG_CS:
		/* must be a code segment (type bit 3) */
		if (!(seg_desc.type & 8))
			goto exception;

		if (seg_desc.type & 4) {
			/* conforming code: DPL may not exceed CPL */
			if (dpl > cpl)
				goto exception;
		} else {
			/* non-conforming code: RPL <= CPL and DPL == CPL */
			if (rpl > cpl || dpl != cpl)
				goto exception;
		}

		/* the RPL of the loaded CS selector always equals the CPL */
		selector = (selector & 0xfffc) | cpl;
		break;
	case VCPU_SREG_TR:
		/* system descriptor: available 16-bit (1) or 32/64-bit (9) TSS */
		if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
			goto exception;
		break;
	case VCPU_SREG_LDTR:
		/* system descriptor of type LDT (2) */
		if (seg_desc.s || seg_desc.type != 2)
			goto exception;
		break;
	default:
		/*
		 * ES/DS/FS/GS: reject a non-readable code segment
		 * ((type & 0xa) == 0x8), and a data or non-conforming code
		 * segment ((type & 0xc) != 0xc) when both RPL and CPL are
		 * greater than DPL.
		 * NOTE(review): the SDM words the privilege test for these
		 * registers as "RPL > DPL or CPL > DPL"; the && here is the
		 * more permissive reading.  Confirm before relying on it.
		 */
		if ((seg_desc.type & 0xa) == 0x8 ||
		    (((seg_desc.type & 0xc) != 0xc) &&
		     (rpl > dpl && cpl > dpl)))
			goto exception;
		break;
	}

	if (seg_desc.s) {
		/* mark the in-memory descriptor as accessed (type bit 0) */
		seg_desc.type |= 1;
		ret = write_segment_descriptor(ctxt, selector, &seg_desc);
		if (ret != X86EMUL_CONTINUE)
			return ret;
	}
load:
	/*
	 * NOTE(review): base3 is passed as 0 and only 8 descriptor bytes were
	 * read above; 64-bit TSS and LDT descriptors are 16 bytes with the
	 * upper base in the second half.  Confirm the TR/LDTR case in long
	 * mode.
	 */
	ctxt->ops->set_segment(ctxt, selector, &seg_desc, 0, seg);
	return X86EMUL_CONTINUE;
exception:
	emulate_exception(ctxt, err_vec, err_code, true);
	return X86EMUL_PROPAGATE_FAULT;
}
1325
/*
 * Store op->val into the general-purpose register slot op->addr.reg
 * points at, honouring the operand width in op->bytes.
 *
 * 1- and 2-byte stores touch only the low bytes of the slot (partial
 * register writes, selected through byte/word pointers -- x86 is
 * little-endian); a 4-byte store overwrites the whole slot with the
 * value zero-extended; an 8-byte store copies the value as is.  Any
 * other width stores nothing.
 */
static void write_register_operand(struct operand *op)
{
	unsigned long *slot = op->addr.reg;

	if (op->bytes == 1) {
		*(u8 *)slot = (u8)op->val;
	} else if (op->bytes == 2) {
		*(u16 *)slot = (u16)op->val;
	} else if (op->bytes == 4) {
		*slot = (u32)op->val;
	} else if (op->bytes == 8) {
		*slot = op->val;
	}
}
1344
/*
 * Commit the instruction's destination operand.
 *
 * Register and XMM destinations are stored directly.  A memory
 * destination goes through the segmented-memory helpers; with a LOCK
 * prefix the store is a compare-and-exchange against the value read
 * during decode (dst.orig_val), so a concurrent change by another vCPU
 * is not silently overwritten.  OP_NONE and unknown types commit
 * nothing.
 *
 * Returns X86EMUL_CONTINUE or the status of a failed memory store.
 */
static int writeback(struct x86_emulate_ctxt *ctxt)
{
	struct operand *dst = &ctxt->dst;

	if (dst->type == OP_REG) {
		write_register_operand(dst);
		return X86EMUL_CONTINUE;
	}

	if (dst->type == OP_XMM) {
		write_sse_reg(ctxt, &dst->vec_val, dst->addr.xmm);
		return X86EMUL_CONTINUE;
	}

	if (dst->type != OP_MEM)
		return X86EMUL_CONTINUE;	/* OP_NONE and friends */

	if (ctxt->lock_prefix)
		return segmented_cmpxchg(ctxt, dst->addr.mem, &dst->orig_val,
					 &dst->val, dst->bytes);

	return segmented_write(ctxt, dst->addr.mem, &dst->val, dst->bytes);
}
1379
/*
 * Push ctxt->src.val: move RSP down by op_bytes (through
 * register_address_increment()) and store the value at SS:RSP.  The
 * destination operand is set to OP_NONE so writeback() stores nothing
 * on top of this.
 */
static int em_push(struct x86_emulate_ctxt *ctxt)
{
	struct segmented_address stack_top;
	unsigned long *rsp = &ctxt->regs[VCPU_REGS_RSP];

	register_address_increment(ctxt, rsp, -ctxt->op_bytes);

	stack_top.seg = VCPU_SREG_SS;
	stack_top.ea = register_address(ctxt, *rsp);

	/* the push itself is the store; nothing left for writeback() */
	ctxt->dst.type = OP_NONE;

	return segmented_write(ctxt, stack_top, &ctxt->src.val,
			       ctxt->op_bytes);
}
1392
/*
 * Pop @len bytes from SS:RSP into @dest and advance RSP by @len.
 *
 * Only @len bytes of *@dest are written; a caller passing a wider
 * object must pre-initialise it if the upper bytes matter.  RSP is
 * advanced only after the read succeeded, so a faulting pop leaves the
 * stack pointer untouched.
 */
static int emulate_pop(struct x86_emulate_ctxt *ctxt,
		       void *dest, int len)
{
	struct segmented_address stack_top;
	unsigned long *rsp = &ctxt->regs[VCPU_REGS_RSP];
	int rc;

	stack_top.seg = VCPU_SREG_SS;
	stack_top.ea = register_address(ctxt, *rsp);

	rc = segmented_read(ctxt, stack_top, dest, len);
	if (rc == X86EMUL_CONTINUE)
		register_address_increment(ctxt, rsp, len);

	return rc;
}
1408
/* POP r/m: pop op_bytes bytes into the destination operand's value. */
static int em_pop(struct x86_emulate_ctxt *ctxt)
{
	int rc;

	rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
	return rc;
}
1413
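/*
 * POPF/POPFD core: pop @len bytes of flags and merge them into a new
 * EFLAGS image stored at @dest.
 *
 * Only bits in change_mask are taken from the stack; all others keep
 * their current value.  The arithmetic flags and TF, DF, NT, RF, AC, ID
 * are always writable.  In protected/long mode IOPL is writable only at
 * CPL 0 and IF only when CPL <= IOPL; in VM86 mode a POPF at IOPL < 3
 * raises #GP(0), otherwise IF is writable and IOPL never is (no
 * VME-style virtual-interrupt handling here); in real mode both are
 * writable.
 *
 * @val is zero-initialised because emulate_pop() fills only @len bytes
 * of it: for a 16-bit pop the upper bytes were previously uninitialised
 * stack garbage that fed the mask below.  The 16-bit writeback masks
 * them off again, but reading them is undefined behaviour and a caller
 * using the full image would not be protected.
 *
 * Returns X86EMUL_CONTINUE, a propagated #GP, or the pop's fault status.
 */
static int emulate_popf(struct x86_emulate_ctxt *ctxt,
			void *dest, int len)
{
	int rc;
	unsigned long val = 0;
	unsigned long change_mask;
	int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
	int cpl = ctxt->ops->cpl(ctxt);

	rc = emulate_pop(ctxt, &val, len);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	/* bits any privilege level may change */
	change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
		| EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;

	switch (ctxt->mode) {
	case X86EMUL_MODE_PROT64:
	case X86EMUL_MODE_PROT32:
	case X86EMUL_MODE_PROT16:
		if (cpl == 0)
			change_mask |= EFLG_IOPL;
		if (cpl <= iopl)
			change_mask |= EFLG_IF;
		break;
	case X86EMUL_MODE_VM86:
		/* POPF in V86 mode is IOPL-sensitive */
		if (iopl < 3)
			return emulate_gp(ctxt, 0);
		change_mask |= EFLG_IF;
		break;
	default:
		/* real mode: no privilege restrictions */
		change_mask |= (EFLG_IOPL | EFLG_IF);
		break;
	}

	*(unsigned long *)dest =
		(ctxt->eflags & ~change_mask) | (val & change_mask);

	return rc;
}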
1453
/*
 * POPF: the destination is the emulator's EFLAGS image itself, written
 * back op_bytes wide so a 16-bit POPF leaves the upper half untouched.
 */
static int em_popf(struct x86_emulate_ctxt *ctxt)
{
	struct operand *dst = &ctxt->dst;

	dst->type = OP_REG;
	dst->bytes = ctxt->op_bytes;
	dst->addr.reg = &ctxt->eflags;

	return emulate_popf(ctxt, &dst->val, dst->bytes);
}
1461
/* PUSH Sreg: the segment register to push is named by the src2 operand. */
static int em_push_sreg(struct x86_emulate_ctxt *ctxt)
{
	const int seg = ctxt->src2.val;

	ctxt->src.val = get_segment_selector(ctxt, seg);
	return em_push(ctxt);
}
1470
/*
 * POP Sreg: pop an op_bytes-wide slot and load the segment named by the
 * src2 operand through the full descriptor checks.  Only the low 16
 * bits of the popped value form the selector; the rest of the slot is
 * discarded, as on hardware.
 *
 * NOTE(review): a POP SS should also inhibit interrupts for the next
 * instruction (the MOV SS/POP SS interrupt shadow); nothing here records
 * that -- confirm whether the caller handles it.
 */
static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
{
	const int seg = ctxt->src2.val;
	unsigned long popped;
	int rc;

	rc = emulate_pop(ctxt, &popped, ctxt->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	return load_segment_descriptor(ctxt, (u16)popped, seg);
}
1484
/*
 * PUSHA/PUSHAD: push AX..DI in register order.  The value pushed for SP
 * is the stack pointer as it was before the first push, per the
 * architecture.  Stops at the first faulting push.
 */
static int em_pusha(struct x86_emulate_ctxt *ctxt)
{
	const unsigned long initial_sp = ctxt->regs[VCPU_REGS_RSP];
	int rc = X86EMUL_CONTINUE;
	int reg;

	for (reg = VCPU_REGS_RAX; reg <= VCPU_REGS_RDI; reg++) {
		if (reg == VCPU_REGS_RSP)
			ctxt->src.val = initial_sp;
		else
			ctxt->src.val = ctxt->regs[reg];

		rc = em_push(ctxt);
		if (rc != X86EMUL_CONTINUE)
			break;
	}

	return rc;
}
1504
/* PUSHF/PUSHFD: push the current EFLAGS image. */
static int em_pushf(struct x86_emulate_ctxt *ctxt)
{
	const unsigned long flags = ctxt->eflags;

	ctxt->src.val = flags;
	return em_push(ctxt);
}
1510
/*
 * POPA/POPAD: pop DI..AX in reverse push order.  The slot PUSHA stored
 * for SP is skipped (RSP is merely advanced past it) rather than loaded,
 * as the architecture specifies.  Stops at the first faulting pop.
 */
static int em_popa(struct x86_emulate_ctxt *ctxt)
{
	int rc = X86EMUL_CONTINUE;
	int reg;

	for (reg = VCPU_REGS_RDI; reg >= VCPU_REGS_RAX; reg--) {
		if (reg == VCPU_REGS_RSP) {
			/* discard the saved SP */
			register_address_increment(ctxt,
						   &ctxt->regs[VCPU_REGS_RSP],
						   ctxt->op_bytes);
			continue;
		}

		rc = emulate_pop(ctxt, &ctxt->regs[reg], ctxt->op_bytes);
		if (rc != X86EMUL_CONTINUE)
			break;
	}

	return rc;
}
1530
/*
 * Real-mode INT n delivery.
 *
 * Pushes FLAGS, CS and IP (op_bytes wide each), clears IF, TF and AC,
 * fetches the 4-byte IVT entry for @irq (IP at offset 0, CS at offset 2
 * from IDTR.base + irq*4) and transfers control to it.  A fault on any
 * push or read is propagated with the state changed so far left in
 * place.
 *
 * TODO(review): the vector's slot is not checked against the IDTR
 * limit; hardware raises #GP when irq*4+3 exceeds it.
 */
int emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct desc_ptr idt;
	gva_t entry;
	u16 new_cs, new_ip;
	int rc;

	/* Save the return frame: FLAGS, then CS, then IP. */
	ctxt->src.val = ctxt->eflags;
	rc = em_push(ctxt);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	/* interrupts, single-step and alignment checks off on entry */
	ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);

	ctxt->src.val = get_segment_selector(ctxt, VCPU_SREG_CS);
	rc = em_push(ctxt);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	ctxt->src.val = ctxt->_eip;
	rc = em_push(ctxt);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	/* real-mode IVT: IP:CS pairs, 4 bytes apart */
	ops->get_idt(ctxt, &idt);
	entry = idt.address + (irq << 2);

	rc = ops->read_std(ctxt, entry + 2, &new_cs, 2, &ctxt->exception);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = ops->read_std(ctxt, entry, &new_ip, 2, &ctxt->exception);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = load_segment_descriptor(ctxt, new_cs, VCPU_SREG_CS);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	ctxt->_eip = new_ip;

	return rc;
}
1579
/*
 * INT n dispatcher: only real-mode delivery is implemented.  VM86 and
 * protected/long mode are not emulated and are reported as
 * unhandleable so the caller can fall back.
 */
static int emulate_int(struct x86_emulate_ctxt *ctxt, int irq)
{
	if (ctxt->mode == X86EMUL_MODE_REAL)
		return emulate_int_real(ctxt, irq);

	/* VM86, PROT16/32/64 and anything else */
	return X86EMUL_UNHANDLEABLE;
}
1594
/*
 * Real-mode IRET/IRETD: pop IP, CS and FLAGS (op_bytes wide each), load
 * CS and update EFLAGS.
 *
 * All three pops happen before the CS load, so a faulting pop leaves
 * the segment untouched; a popped IP above 0xffff raises #GP(0).  For a
 * 32-bit IRET the popped value replaces every writable flag bit while
 * VM, VIF and VIP are kept from the current image; for a 16-bit IRET
 * only the low 16 bits are replaced.  The reserved bits are then forced
 * to their architectural values.
 */
static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
{
	/* flag bits a 32-bit IRET may load (bit 1 is the reserved-1 bit) */
	const unsigned long writable = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF |
		EFLG_SF | EFLG_TF | EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL |
		EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID | (1 << 1);
	/* bits always kept from the current EFLAGS image */
	const unsigned long preserved = EFLG_VM | EFLG_VIF | EFLG_VIP;
	unsigned long new_ip = 0, new_cs = 0, new_flags = 0;
	int rc;

	rc = emulate_pop(ctxt, &new_ip, ctxt->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	if (new_ip & ~0xffff)
		return emulate_gp(ctxt, 0);

	rc = emulate_pop(ctxt, &new_cs, ctxt->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = emulate_pop(ctxt, &new_flags, ctxt->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = load_segment_descriptor(ctxt, (u16)new_cs, VCPU_SREG_CS);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	ctxt->_eip = new_ip;

	if (ctxt->op_bytes == 4) {
		ctxt->eflags = (new_flags & writable) |
			       (ctxt->eflags & preserved);
	} else if (ctxt->op_bytes == 2) {
		ctxt->eflags = (ctxt->eflags & ~0xffff) | new_flags;
	}

	/* normalise the architecturally fixed bits */
	ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK;
	ctxt->eflags |= EFLG_RESERVED_ONE_MASK;

	return rc;
}
1646
/*
 * IRET dispatcher: only the real-mode form is emulated; VM86 and
 * protected/long-mode IRET are reported as unhandleable.
 */
static int em_iret(struct x86_emulate_ctxt *ctxt)
{
	if (ctxt->mode == X86EMUL_MODE_REAL)
		return emulate_iret_real(ctxt);

	/* VM86, PROT16/32/64 and anything else */
	return X86EMUL_UNHANDLEABLE;
}
1661
/*
 * JMP far with a far-pointer source operand.
 *
 * The pointer sits in ctxt->src.valptr as op_bytes bytes of offset
 * followed by a 2-byte selector, so the selector is read from
 * valptr + op_bytes and the offset from the start of valptr.  CS is
 * loaded (with all descriptor checks) before the offset is installed,
 * so a faulting selector leaves EIP alone.
 *
 * NOTE(review): the new offset is installed without being checked
 * against the new CS limit, or for canonical form in long mode, and by
 * then the old CS is gone so a later fault cannot restore it; hardware
 * performs those checks as part of the jump -- confirm whether any
 * caller does.
 */
static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
{
	int rc;
	unsigned short sel;

	/* selector follows the op_bytes-wide offset in the operand buffer */
	memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);

	rc = load_segment_descriptor(ctxt, sel, VCPU_SREG_CS);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	/* zero first: only op_bytes of the (wider) _eip are overwritten */
	ctxt->_eip = 0;
	memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
	return X86EMUL_CONTINUE;
}
1677
/*
 * Group 2 shift/rotate: dispatch on the ModRM reg field to the
 * two-operand helper, with the count in the byte-sized source operand.
 * /6 is the undocumented alias of SAL (/4).  The helper is presumably a
 * macro that stringises the mnemonic into inline assembly, which is why
 * this stays a plain switch rather than a table.  Unknown reg values
 * do nothing.
 */
static int em_grp2(struct x86_emulate_ctxt *ctxt)
{
	switch (ctxt->modrm_reg) {
	case 0:
		emulate_2op_SrcB(ctxt, "rol");
		break;
	case 1:
		emulate_2op_SrcB(ctxt, "ror");
		break;
	case 2:
		emulate_2op_SrcB(ctxt, "rcl");
		break;
	case 3:
		emulate_2op_SrcB(ctxt, "rcr");
		break;
	case 4:	/* SHL */
	case 6:	/* undocumented SAL alias */
		emulate_2op_SrcB(ctxt, "sal");
		break;
	case 5:
		emulate_2op_SrcB(ctxt, "shr");
		break;
	case 7:
		emulate_2op_SrcB(ctxt, "sar");
		break;
	}
	return X86EMUL_CONTINUE;
}
1706
/* NOT r/m: bitwise complement of the destination; flags untouched. */
static int em_not(struct x86_emulate_ctxt *ctxt)
{
	ctxt->dst.val ^= ~0UL;
	return X86EMUL_CONTINUE;
}
1712
/* NEG r/m: two's-complement negate via the one-operand helper. */
static int em_neg(struct x86_emulate_ctxt *ctxt)
{
	int rc = X86EMUL_CONTINUE;

	emulate_1op(ctxt, "neg");
	return rc;
}
1718
/* MUL r/m through the RAX/RDX helper; MUL cannot raise #DE. */
static int em_mul_ex(struct x86_emulate_ctxt *ctxt)
{
	u8 unused_fault = 0;	/* the helper wants a flag slot */

	emulate_1op_rax_rdx(ctxt, "mul", unused_fault);
	return X86EMUL_CONTINUE;
}
1726
/* One-operand IMUL r/m through the RAX/RDX helper; cannot raise #DE. */
static int em_imul_ex(struct x86_emulate_ctxt *ctxt)
{
	u8 unused_fault = 0;	/* the helper wants a flag slot */

	emulate_1op_rax_rdx(ctxt, "imul", unused_fault);
	return X86EMUL_CONTINUE;
}
1734
/*
 * DIV r/m through the RAX/RDX helper.  The helper reports a divide
 * fault (divisor zero or quotient overflow) via the flag; that becomes
 * #DE for the guest.
 */
static int em_div_ex(struct x86_emulate_ctxt *ctxt)
{
	u8 divide_error = 0;

	emulate_1op_rax_rdx(ctxt, "div", divide_error);
	return divide_error ? emulate_de(ctxt) : X86EMUL_CONTINUE;
}
1744
/*
 * IDIV r/m through the RAX/RDX helper.  A divide fault reported by the
 * helper is delivered to the guest as #DE.
 */
static int em_idiv_ex(struct x86_emulate_ctxt *ctxt)
{
	u8 divide_error = 0;

	emulate_1op_rax_rdx(ctxt, "idiv", divide_error);
	return divide_error ? emulate_de(ctxt) : X86EMUL_CONTINUE;
}
1754
/*
 * Group 4/5 dispatch on the ModRM reg field:
 *   0 INC, 1 DEC, 2 near CALL, 4 near JMP, 5 far JMP, 6 PUSH.
 * There is no case for /3 (far CALL) or /7: they return CONTINUE
 * without doing anything, so they are presumably routed elsewhere by
 * the decode table -- confirm.
 *
 * NOTE(review): the near CALL/JMP targets are installed without a
 * CS-limit or canonical-address check.
 */
static int em_grp45(struct x86_emulate_ctxt *ctxt)
{
	const unsigned long target = ctxt->src.val;
	int rc = X86EMUL_CONTINUE;

	switch (ctxt->modrm_reg) {
	case 0:
		emulate_1op(ctxt, "inc");
		break;
	case 1:
		emulate_1op(ctxt, "dec");
		break;
	case 2:
		/* near CALL: push the return address, then jump */
		ctxt->src.val = ctxt->_eip;
		ctxt->_eip = target;
		rc = em_push(ctxt);
		break;
	case 4:
		ctxt->_eip = target;
		break;
	case 5:
		rc = em_jmp_far(ctxt);
		break;
	case 6:
		rc = em_push(ctxt);
		break;
	default:
		break;
	}
	return rc;
}
1786
/*
 * CMPXCHG8B m64: compare EDX:EAX with the 64-bit value read from the
 * destination during decode (dst.orig_val64).  On a match, set ZF and
 * store ECX:EBX through the destination operand; on a mismatch, clear
 * ZF and load the memory value into EDX:EAX (the destination value is
 * left as read, so writeback presumably stores the same bytes back).
 */
static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
{
	unsigned long *regs = ctxt->regs;
	const u64 expected = ((u64)(u32)regs[VCPU_REGS_RDX] << 32) |
			     (u32)regs[VCPU_REGS_RAX];
	const u64 current = ctxt->dst.orig_val64;

	if (current == expected) {
		ctxt->dst.val64 = ((u64)regs[VCPU_REGS_RCX] << 32) |
				  (u32)regs[VCPU_REGS_RBX];
		ctxt->eflags |= EFLG_ZF;
	} else {
		regs[VCPU_REGS_RAX] = (u32)current;
		regs[VCPU_REGS_RDX] = (u32)(current >> 32);
		ctxt->eflags &= ~EFLG_ZF;
	}
	return X86EMUL_CONTINUE;
}
1804
/*
 * RET near: pop the return address into _eip through the destination
 * operand, op_bytes wide (so a 16-bit RET writes only IP).
 */
static int em_ret(struct x86_emulate_ctxt *ctxt)
{
	struct operand *dst = &ctxt->dst;

	dst->type = OP_REG;
	dst->bytes = ctxt->op_bytes;
	dst->addr.reg = &ctxt->_eip;

	return em_pop(ctxt);
}
1812
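/*
 * RET far: pop the return offset and CS selector (op_bytes wide each),
 * load CS through the descriptor checks, then install the offset.
 *
 * Both values are popped into zero-initialised locals, because
 * emulate_pop() writes only op_bytes bytes.  Previously the offset was
 * popped straight into ctxt->_eip: the 32-bit case was patched up with
 * a (u32) cast, but a 16-bit RET left the upper bits of the previous
 * EIP in place, so a 16-bit far return from code running above 64 KiB
 * resumed at the wrong address instead of IP zero-extended.  Installing
 * the offset after the CS load mirrors emulate_iret_real().
 *
 * Returns X86EMUL_CONTINUE or the fault status of a pop/CS load.
 */
static int em_ret_far(struct x86_emulate_ctxt *ctxt)
{
	unsigned long eip = 0;
	unsigned long cs = 0;
	int rc;

	rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	/* only op_bytes of eip were filled in; the rest is zero */
	ctxt->_eip = eip;
	return rc;
}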
1829
/*
 * CMPXCHG r/m, r: compare the accumulator with the destination.
 *
 * The source register value is parked in src.orig_val and RAX placed in
 * src.val, so the generic "cmp" helper sets the flags as for
 * cmp dst, RAX.  On equality the source register is written to the
 * destination; otherwise the destination operand is redirected into
 * RAX (dst.val still holds what was read from memory).
 *
 * NOTE(review): on the mismatch path no store to the memory destination
 * happens, whereas hardware always performs a (locked) write cycle.
 */
static int em_cmpxchg(struct x86_emulate_ctxt *ctxt)
{
	struct operand *src = &ctxt->src;
	struct operand *dst = &ctxt->dst;

	src->orig_val = src->val;
	src->val = ctxt->regs[VCPU_REGS_RAX];
	emulate_2op_SrcV(ctxt, "cmp");

	if (!(ctxt->eflags & EFLG_ZF)) {
		/* mismatch: load the destination value into RAX instead */
		dst->type = OP_REG;
		dst->addr.reg = (unsigned long *)&ctxt->regs[VCPU_REGS_RAX];
		return X86EMUL_CONTINUE;
	}

	/* match: store the original source into the destination */
	dst->val = src->orig_val;
	return X86EMUL_CONTINUE;
}
1847
/*
 * LES/LDS/LSS/LFS/LGS: load a far pointer into Sreg:reg.  The operand
 * buffer holds op_bytes of offset followed by the 2-byte selector; the
 * segment named by src2.val is loaded through the descriptor checks
 * first, so a faulting selector leaves the register operand untouched.
 */
static int em_lseg(struct x86_emulate_ctxt *ctxt)
{
	const int seg = ctxt->src2.val;
	unsigned short selector;
	int rc;

	memcpy(&selector, ctxt->src.valptr + ctxt->op_bytes, 2);

	rc = load_segment_descriptor(ctxt, selector, seg);
	if (rc == X86EMUL_CONTINUE)
		ctxt->dst.val = ctxt->src.val;	/* the offset part */

	return rc;
}
1863
/*
 * Build the flat CS and SS descriptors used by SYSCALL/SYSENTER/SYSEXIT:
 * base 0, limit 0xfffff with page granularity, present, DPL 0, 32-bit
 * default size.  CS is execute/read code (type 0xb), SS read/write data
 * (type 0x3).  Callers adjust DPL and the L/D bits for the 64-bit and
 * user-mode variants afterwards.
 *
 * CS is first seeded from the current CS descriptor, so any field not
 * assigned below is inherited from it; SS starts from all-zero.
 */
static void
setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
			struct desc_struct *cs, struct desc_struct *ss)
{
	u16 cur_cs_sel;

	memset(cs, 0, sizeof(*cs));
	ctxt->ops->get_segment(ctxt, &cur_cs_sel, cs, NULL, VCPU_SREG_CS);
	memset(ss, 0, sizeof(*ss));

	/* flat 32-bit code segment, ring 0 */
	set_desc_base(cs, 0);
	set_desc_limit(cs, 0xfffff);
	cs->g = 1;
	cs->d = 1;
	cs->l = 0;
	cs->type = 0x0b;
	cs->s = 1;
	cs->dpl = 0;
	cs->p = 1;

	/* flat 32-bit data segment, ring 0 */
	set_desc_base(ss, 0);
	set_desc_limit(ss, 0xfffff);
	ss->g = 1;
	ss->d = 1;
	ss->type = 0x03;
	ss->s = 1;
	ss->dpl = 0;
	ss->p = 1;
}
1893
/*
 * Decide whether SYSCALL is available in the current mode.
 *
 * In 64-bit mode it always is.  Outside 64-bit mode the answer follows
 * the vendor string the guest sees in CPUID leaf 0: GenuineIntel is
 * treated as not supporting it, AuthenticAMD and the "AMDisbetter!"
 * string as supporting it; an unknown vendor, or no CPUID at all, means
 * unsupported.
 */
static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt)
{
	u32 eax = 0, ebx, ecx = 0, edx;

	if (ctxt->mode == X86EMUL_MODE_PROT64)
		return true;

	if (!ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx))
		return false;

	if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
	    ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
	    edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
		return false;

	if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
	    ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
	    edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
		return true;

	if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
	    ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
	    edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
		return true;

	return false;
}
1938
/*
 * SYSCALL: fast ring-0 entry.
 *
 * #UD in real/VM86 mode, when em_syscall_is_enabled() says no, or when
 * EFER.SCE is clear.  The new CS selector is STAR[47:32] with the RPL
 * cleared and SS is that value plus 8; both get the flat ring-0
 * descriptors from setup_syscalls_segments(), with CS promoted to a
 * 64-bit code segment when EFER.LMA is set.  RCX receives the return
 * RIP.
 *
 * Long mode (only compiled in with CONFIG_X86_64): R11 receives RFLAGS
 * with RF clear, RIP comes from LSTAR in 64-bit mode or CSTAR in compat
 * mode, and the SYSCALL_MASK bits plus RF are cleared from RFLAGS.
 * Legacy mode: EIP comes from STAR[31:0] and VM, IF and RF are cleared.
 *
 * NOTE(review): with EFER.LMA set on a build without CONFIG_X86_64 the
 * #ifdef swallows the whole branch and nothing is loaded into RIP;
 * presumably unreachable on a 32-bit host, but worth confirming.
 */
static int em_syscall(struct x86_emulate_ctxt *ctxt)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct desc_struct cs, ss;
	u64 msr_data;
	u16 cs_sel, ss_sel;
	u64 efer = 0;

	/* SYSCALL is only valid in protected/long mode */
	if (ctxt->mode == X86EMUL_MODE_REAL ||
	    ctxt->mode == X86EMUL_MODE_VM86)
		return emulate_ud(ctxt);

	if (!(em_syscall_is_enabled(ctxt)))
		return emulate_ud(ctxt);

	ops->get_msr(ctxt, MSR_EFER, &efer);
	setup_syscalls_segments(ctxt, &cs, &ss);

	if (!(efer & EFER_SCE))
		return emulate_ud(ctxt);

	/* CS = STAR[47:32] & ~3, SS = CS + 8 */
	ops->get_msr(ctxt, MSR_STAR, &msr_data);
	msr_data >>= 32;
	cs_sel = (u16)(msr_data & 0xfffc);
	ss_sel = (u16)(msr_data + 8);

	if (efer & EFER_LMA) {
		/* long mode: 64-bit code segment */
		cs.d = 0;
		cs.l = 1;
	}
	ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
	ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);

	ctxt->regs[VCPU_REGS_RCX] = ctxt->_eip;	/* return address */
	if (efer & EFER_LMA) {
#ifdef CONFIG_X86_64
		ctxt->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;

		/* 64-bit callers use LSTAR, compat-mode callers CSTAR */
		ops->get_msr(ctxt,
			     ctxt->mode == X86EMUL_MODE_PROT64 ?
			     MSR_LSTAR : MSR_CSTAR, &msr_data);
		ctxt->_eip = msr_data;

		ops->get_msr(ctxt, MSR_SYSCALL_MASK, &msr_data);
		ctxt->eflags &= ~(msr_data | EFLG_RF);
#endif
	} else {
		/* legacy mode: EIP = STAR[31:0] */
		ops->get_msr(ctxt, MSR_STAR, &msr_data);
		ctxt->_eip = (u32)msr_data;

		ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
	}

	return X86EMUL_CONTINUE;
}
1996
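/*
 * SYSENTER: fast ring-0 entry.
 *
 * Real mode raises #GP(0) and 64-bit mode #UD (only legacy/compat-mode
 * SYSENTER is emulated).  The target CS is IA32_SYSENTER_CS with the
 * RPL cleared, SS is CS + 8, EIP/ESP come from IA32_SYSENTER_EIP/ESP;
 * VM, IF and RF are cleared on entry.  With EFER.LMA set the new CS is
 * a 64-bit code segment and the MSR values are used in full; otherwise
 * only their low 32 bits are loaded, as EIP/ESP are 32-bit in legacy
 * mode.
 *
 * The IA32_SYSENTER_CS check (bits 15:2 must be non-zero) is applied
 * unconditionally.  The previous switch on ctxt->mode only covered
 * PROT32 (and an unreachable PROT64 arm), so a guest executing SYSENTER
 * from a 16-bit protected-mode code segment with IA32_SYSENTER_CS == 0
 * continued with a selector of 0..3 loaded into CS instead of taking
 * #GP(0).  (If I recall correctly this is the gap later fixed upstream
 * under CVE-2015-0239.)
 */
static int em_sysenter(struct x86_emulate_ctxt *ctxt)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct desc_struct cs, ss;
	u64 msr_data;
	u16 cs_sel, ss_sel;
	u64 efer = 0;

	ops->get_msr(ctxt, MSR_EFER, &efer);

	if (ctxt->mode == X86EMUL_MODE_REAL)
		return emulate_gp(ctxt, 0);

	/* 64-bit mode SYSENTER is not emulated */
	if (ctxt->mode == X86EMUL_MODE_PROT64)
		return emulate_ud(ctxt);

	setup_syscalls_segments(ctxt, &cs, &ss);

	/* #GP(0) if IA32_SYSENTER_CS[15:2] is zero, in every mode */
	ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
	if ((msr_data & 0xfffc) == 0x0)
		return emulate_gp(ctxt, 0);

	ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
	cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK;
	ss_sel = cs_sel + 8;
	if (efer & EFER_LMA) {
		/* long mode: 64-bit code segment */
		cs.d = 0;
		cs.l = 1;
	}

	ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
	ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);

	ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
	ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;

	ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
	ctxt->regs[VCPU_REGS_RSP] = (efer & EFER_LMA) ? msr_data :
						       (u32)msr_data;

	return X86EMUL_CONTINUE;
}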
2051
/*
 * SYSEXIT: fast return to ring 3.
 *
 * Real and VM86 mode raise #GP(0).  REX.W selects a 64-bit user code
 * segment (CS = SYSENTER_CS + 32, SS = CS + 8), otherwise a 32-bit one
 * (CS = SYSENTER_CS + 16, SS = SYSENTER_CS + 24).  Both selectors get
 * RPL 3 and DPL-3 descriptors; a zero IA32_SYSENTER_CS raises #GP(0).
 * The new EIP is taken from RDX and the new ESP from RCX.
 *
 * NOTE(review): in the 64-bit form neither RCX nor RDX is checked for
 * canonical form before being loaded into RSP/RIP; hardware raises
 * #GP(0) on a non-canonical value.  No CPL check is visible here
 * either -- presumably done by the decode flags; confirm.
 */
static int em_sysexit(struct x86_emulate_ctxt *ctxt)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct desc_struct cs, ss;
	u64 sysenter_cs;
	u16 cs_sel = 0, ss_sel = 0;
	const bool to_64bit = (ctxt->rex_prefix & 0x8) != 0x0;

	if (ctxt->mode == X86EMUL_MODE_REAL ||
	    ctxt->mode == X86EMUL_MODE_VM86)
		return emulate_gp(ctxt, 0);

	setup_syscalls_segments(ctxt, &cs, &ss);
	cs.dpl = 3;
	ss.dpl = 3;

	ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &sysenter_cs);
	if (to_64bit) {
		if (sysenter_cs == 0x0)
			return emulate_gp(ctxt, 0);
		cs_sel = (u16)(sysenter_cs + 32);
		ss_sel = cs_sel + 8;
		cs.d = 0;
		cs.l = 1;
	} else {
		if ((sysenter_cs & 0xfffc) == 0x0)
			return emulate_gp(ctxt, 0);
		cs_sel = (u16)(sysenter_cs + 16);
		ss_sel = (u16)(sysenter_cs + 24);
	}
	cs_sel |= SELECTOR_RPL_MASK;
	ss_sel |= SELECTOR_RPL_MASK;

	ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
	ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);

	ctxt->_eip = ctxt->regs[VCPU_REGS_RDX];
	ctxt->regs[VCPU_REGS_RSP] = ctxt->regs[VCPU_REGS_RCX];

	return X86EMUL_CONTINUE;
}
2102
/*
 * True when the current privilege level is not allowed direct I/O:
 * never in real mode, always in VM86 mode, and in protected mode when
 * CPL exceeds the IOPL field of EFLAGS.
 */
static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt)
{
	int iopl;

	switch (ctxt->mode) {
	case X86EMUL_MODE_REAL:
		return false;
	case X86EMUL_MODE_VM86:
		return true;
	default:
		iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
		return ctxt->ops->cpl(ctxt) > iopl;
	}
}
2113
/*
 * Consult the TSS I/O permission bitmap for @len consecutive ports
 * starting at @port.  Access is granted only if TR is present, the TSS
 * limit covers the I/O map base field (bytes 102..103), the bitmap
 * byte for the port lies within the TSS limit, both guest reads
 * succeed, and every one of the @len bits is clear.  Any failure
 * denies.
 *
 * NOTE(review): the limit check covers only the first of the two bytes
 * read; hardware treats bitmap bits past the limit as set (deny).
 */
static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
					    u16 port, u16 len)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct desc_struct tr_desc;
	u32 base_hi;
	u16 tr_sel, bitmap_off, bits;
	const u16 first_bit = port & 0x7;
	const unsigned port_mask = (1 << len) - 1;
	unsigned long tss_base;
	u32 tss_limit;

	ops->get_segment(ctxt, &tr_sel, &tr_desc, &base_hi, VCPU_SREG_TR);
	if (!tr_desc.p)
		return false;

	tss_limit = desc_limit_scaled(&tr_desc);
	if (tss_limit < 103)		/* I/O map base field at 102..103 */
		return false;

	tss_base = get_desc_base(&tr_desc);
#ifdef CONFIG_X86_64
	tss_base |= ((u64)base_hi) << 32;
#endif

	if (ops->read_std(ctxt, tss_base + 102, &bitmap_off, 2, NULL)
	    != X86EMUL_CONTINUE)
		return false;

	if (bitmap_off + port/8 > tss_limit)
		return false;

	if (ops->read_std(ctxt, tss_base + bitmap_off + port/8, &bits, 2, NULL)
	    != X86EMUL_CONTINUE)
		return false;

	return ((bits >> first_bit) & port_mask) == 0;
}
2146
/*
 * Cached I/O permission check for the current instruction.
 *
 * ctxt->perm_ok remembers a successful check so a (possibly REP'd)
 * instruction consults the TSS bitmap only once.  When
 * emulator_bad_iopl() says direct I/O is allowed the access is granted
 * outright; otherwise the TSS I/O permission bitmap decides.
 */
static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
				 u16 port, u16 len)
{
	if (ctxt->perm_ok)
		return true;

	if (emulator_bad_iopl(ctxt) &&
	    !emulator_io_port_access_allowed(ctxt, port, len))
		return false;

	ctxt->perm_ok = true;
	return true;
}
2161
/*
 * Fill the register part of a 16-bit TSS image from the emulator state:
 * IP, FLAGS, the eight general registers (low 16 bits each) and the
 * ES/CS/SS/DS/LDTR selectors.  Fields not listed here are left as read
 * from the guest's TSS.
 */
static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
				struct tss_segment_16 *tss)
{
	const unsigned long *regs = ctxt->regs;

	tss->ip = ctxt->_eip;
	tss->flag = ctxt->eflags;

	tss->ax = regs[VCPU_REGS_RAX];
	tss->cx = regs[VCPU_REGS_RCX];
	tss->dx = regs[VCPU_REGS_RDX];
	tss->bx = regs[VCPU_REGS_RBX];
	tss->sp = regs[VCPU_REGS_RSP];
	tss->bp = regs[VCPU_REGS_RBP];
	tss->si = regs[VCPU_REGS_RSI];
	tss->di = regs[VCPU_REGS_RDI];

	tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
	tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
	tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
	tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
	tss->ldt = get_segment_selector(ctxt, VCPU_SREG_LDTR);
}
2182
/*
 * Load the emulator state from a 16-bit TSS image.
 *
 * IP, FLAGS (with the reserved-1 bit forced) and the general registers
 * are copied first.  Then all segment selectors are installed before
 * any descriptor is loaded, and finally the descriptors are loaded in
 * the order LDTR, ES, CS, SS, DS -- a fault raised during that phase
 * is therefore taken with the new task's selectors already in place.
 *
 * Returns X86EMUL_CONTINUE or the first failing descriptor load.
 */
static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
				 struct tss_segment_16 *tss)
{
	const struct {
		u16 sel;
		int seg;
	} segs[] = {
		{ tss->ldt, VCPU_SREG_LDTR },
		{ tss->es,  VCPU_SREG_ES },
		{ tss->cs,  VCPU_SREG_CS },
		{ tss->ss,  VCPU_SREG_SS },
		{ tss->ds,  VCPU_SREG_DS },
	};
	unsigned long *regs = ctxt->regs;
	unsigned i;
	int ret;

	ctxt->_eip = tss->ip;
	ctxt->eflags = tss->flag | 2;

	regs[VCPU_REGS_RAX] = tss->ax;
	regs[VCPU_REGS_RCX] = tss->cx;
	regs[VCPU_REGS_RDX] = tss->dx;
	regs[VCPU_REGS_RBX] = tss->bx;
	regs[VCPU_REGS_RSP] = tss->sp;
	regs[VCPU_REGS_RBP] = tss->bp;
	regs[VCPU_REGS_RSI] = tss->si;
	regs[VCPU_REGS_RDI] = tss->di;

	/* selectors first, descriptors afterwards */
	for (i = 0; i < ARRAY_SIZE(segs); i++)
		set_segment_selector(ctxt, segs[i].sel, segs[i].seg);

	for (i = 0; i < ARRAY_SIZE(segs); i++) {
		ret = load_segment_descriptor(ctxt, segs[i].sel, segs[i].seg);
		if (ret != X86EMUL_CONTINUE)
			return ret;
	}

	return X86EMUL_CONTINUE;
}
2231
/*
 * Switch to a 16-bit TSS: save the current register image into the
 * outgoing TSS (read-modify-write of the whole structure), read the
 * incoming TSS, record the back link when @old_tss_sel is not 0xffff,
 * and load the new state.
 *
 * The back link is written at offset 0 of the new TSS, i.e. this relies
 * on prev_task_link being the first field.  @tss_selector itself is not
 * used here.  Any guest memory fault is propagated as is.
 */
static int task_switch_16(struct x86_emulate_ctxt *ctxt,
			  u16 tss_selector, u16 old_tss_sel,
			  ulong old_tss_base, struct desc_struct *new_desc)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct tss_segment_16 tss;
	const u32 new_tss_base = get_desc_base(new_desc);
	int rc;

	/* outgoing task: read, update the register image, write back */
	rc = ops->read_std(ctxt, old_tss_base, &tss, sizeof(tss),
			   &ctxt->exception);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	save_state_to_tss16(ctxt, &tss);

	rc = ops->write_std(ctxt, old_tss_base, &tss, sizeof(tss),
			    &ctxt->exception);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	/* incoming task */
	rc = ops->read_std(ctxt, new_tss_base, &tss, sizeof(tss),
			   &ctxt->exception);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	/* nested switch: remember where to return on IRET */
	if (old_tss_sel != 0xffff) {
		tss.prev_task_link = old_tss_sel;
		rc = ops->write_std(ctxt, new_tss_base, &tss.prev_task_link,
				    sizeof(tss.prev_task_link),
				    &ctxt->exception);
		if (rc != X86EMUL_CONTINUE)
			return rc;
	}

	return load_state_from_tss16(ctxt, &tss);
}
2275
/*
 * Fill the register part of a 32-bit TSS image from the emulator state:
 * CR3, EIP, EFLAGS, the eight general registers (low 32 bits each) and
 * the ES/CS/SS/DS/FS/GS/LDTR selectors.  Fields not listed are left as
 * read from the guest's TSS.
 */
static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
				struct tss_segment_32 *tss)
{
	const unsigned long *regs = ctxt->regs;

	tss->cr3 = ctxt->ops->get_cr(ctxt, 3);
	tss->eip = ctxt->_eip;
	tss->eflags = ctxt->eflags;

	tss->eax = regs[VCPU_REGS_RAX];
	tss->ecx = regs[VCPU_REGS_RCX];
	tss->edx = regs[VCPU_REGS_RDX];
	tss->ebx = regs[VCPU_REGS_RBX];
	tss->esp = regs[VCPU_REGS_RSP];
	tss->ebp = regs[VCPU_REGS_RBP];
	tss->esi = regs[VCPU_REGS_RSI];
	tss->edi = regs[VCPU_REGS_RDI];

	tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
	tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
	tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
	tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
	tss->fs = get_segment_selector(ctxt, VCPU_SREG_FS);
	tss->gs = get_segment_selector(ctxt, VCPU_SREG_GS);
	tss->ldt_selector = get_segment_selector(ctxt, VCPU_SREG_LDTR);
}
2299
/*
 * Load the emulator state from a 32-bit TSS image.
 *
 * CR3 is installed first (a rejected value is #GP(0)), then EIP, EFLAGS
 * (with the reserved-1 bit forced) and the general registers.  All
 * segment selectors are installed before any descriptor is loaded, and
 * the descriptors are then loaded in the order LDTR, ES, CS, SS, DS,
 * FS, GS -- a fault during that phase is taken with the new task's
 * selectors already in place.
 *
 * Returns X86EMUL_CONTINUE, a propagated #GP, or the first failing
 * descriptor load.
 */
static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
				 struct tss_segment_32 *tss)
{
	const struct {
		u16 sel;
		int seg;
	} segs[] = {
		{ tss->ldt_selector, VCPU_SREG_LDTR },
		{ tss->es, VCPU_SREG_ES },
		{ tss->cs, VCPU_SREG_CS },
		{ tss->ss, VCPU_SREG_SS },
		{ tss->ds, VCPU_SREG_DS },
		{ tss->fs, VCPU_SREG_FS },
		{ tss->gs, VCPU_SREG_GS },
	};
	unsigned long *regs = ctxt->regs;
	unsigned i;
	int ret;

	/* page tables first: a refused CR3 aborts the switch with #GP */
	if (ctxt->ops->set_cr(ctxt, 3, tss->cr3))
		return emulate_gp(ctxt, 0);

	ctxt->_eip = tss->eip;
	ctxt->eflags = tss->eflags | 2;

	regs[VCPU_REGS_RAX] = tss->eax;
	regs[VCPU_REGS_RCX] = tss->ecx;
	regs[VCPU_REGS_RDX] = tss->edx;
	regs[VCPU_REGS_RBX] = tss->ebx;
	regs[VCPU_REGS_RSP] = tss->esp;
	regs[VCPU_REGS_RBP] = tss->ebp;
	regs[VCPU_REGS_RSI] = tss->esi;
	regs[VCPU_REGS_RDI] = tss->edi;

	/* selectors first, descriptors afterwards */
	for (i = 0; i < ARRAY_SIZE(segs); i++)
		set_segment_selector(ctxt, segs[i].sel, segs[i].seg);

	for (i = 0; i < ARRAY_SIZE(segs); i++) {
		ret = load_segment_descriptor(ctxt, segs[i].sel, segs[i].seg);
		if (ret != X86EMUL_CONTINUE)
			return ret;
	}

	return X86EMUL_CONTINUE;
}
2358
/*
 * Switch to a 32-bit TSS: save the current register image into the
 * outgoing TSS (read-modify-write of the whole structure), read the
 * incoming TSS, record the back link when @old_tss_sel is not 0xffff,
 * and load the new state.
 *
 * The back link is written at offset 0 of the new TSS, i.e. this relies
 * on prev_task_link being the first field.  @tss_selector itself is not
 * used here.  Any guest memory fault is propagated as is.
 */
static int task_switch_32(struct x86_emulate_ctxt *ctxt,
			  u16 tss_selector, u16 old_tss_sel,
			  ulong old_tss_base, struct desc_struct *new_desc)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct tss_segment_32 tss;
	const u32 new_tss_base = get_desc_base(new_desc);
	int rc;

	/* outgoing task: read, update the register image, write back */
	rc = ops->read_std(ctxt, old_tss_base, &tss, sizeof(tss),
			   &ctxt->exception);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	save_state_to_tss32(ctxt, &tss);

	rc = ops->write_std(ctxt, old_tss_base, &tss, sizeof(tss),
			    &ctxt->exception);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	/* incoming task */
	rc = ops->read_std(ctxt, new_tss_base, &tss, sizeof(tss),
			   &ctxt->exception);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	/* nested switch: remember where to return on IRET */
	if (old_tss_sel != 0xffff) {
		tss.prev_task_link = old_tss_sel;
		rc = ops->write_std(ctxt, new_tss_base, &tss.prev_task_link,
				    sizeof(tss.prev_task_link),
				    &ctxt->exception);
		if (rc != X86EMUL_CONTINUE)
			return rc;
	}

	return load_state_from_tss32(ctxt, &tss);
}
2402
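/*
 * Perform a hardware task switch to the TSS named by @tss_selector.
 *
 * @reason (TASK_SWITCH_CALL, _JMP, _GATE or _IRET) decides which TSS
 * busy bits flip, whether NT is set or cleared, and whether the old TSS
 * selector is recorded as the new task's back link (CALL and GATE
 * only).  @has_error_code/@error_code push an exception error code on
 * the new task's stack, 4 bytes wide for a 32-bit TSS and 2 for a
 * 16-bit one.
 *
 * Privilege: except for IRET, both the selector's RPL and the current
 * CPL must be <= the new TSS descriptor's DPL, else #GP(0).  The new
 * TSS must be present and large enough for its type (limit >= 0x67 for
 * a 32-bit TSS, >= 0x2b for 16-bit), else #TS(selector).
 *
 * Both descriptor writes that flip a busy bit are now checked.  A
 * fault clearing the old TSS's busy bit aborts before any state is
 * saved; a fault setting the new one is propagated after the new state
 * was loaded, like a fault from load_state_from_tss*() (it is then
 * taken in the new task's context).  Previously both
 * write_segment_descriptor() results were dropped, so a faulting table
 * write left the busy bits inconsistent while the switch reported
 * success.
 *
 * NOTE(review): for TASK_SWITCH_GATE the check is against the TSS
 * descriptor's DPL; the architecture checks the gate's DPL for software
 * interrupts and nothing for hardware interrupts/exceptions -- confirm
 * the callers' expectations.  old_tss_base == ~0 is not special-cased.
 */
static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
				   u16 tss_selector, int reason,
				   bool has_error_code, u32 error_code)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct desc_struct curr_tss_desc, next_tss_desc;
	int ret;
	u16 old_tss_sel = get_segment_selector(ctxt, VCPU_SREG_TR);
	ulong old_tss_base =
		ops->get_cached_segment_base(ctxt, VCPU_SREG_TR);
	u32 desc_limit;

	ret = read_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = read_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	/* privilege: neither RPL nor CPL may exceed the TSS DPL */
	if (reason != TASK_SWITCH_IRET) {
		if ((tss_selector & 3) > next_tss_desc.dpl ||
		    ops->cpl(ctxt) > next_tss_desc.dpl)
			return emulate_gp(ctxt, 0);
	}

	/* the new TSS must be present and hold the full register image */
	desc_limit = desc_limit_scaled(&next_tss_desc);
	if (!next_tss_desc.p ||
	    ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
	     desc_limit < 0x2b)) {
		emulate_ts(ctxt, tss_selector & 0xfffc);
		return X86EMUL_PROPAGATE_FAULT;
	}

	/* IRET and JMP leave the old task for good: clear its busy bit */
	if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
		curr_tss_desc.type &= ~(1 << 1);
		ret = write_segment_descriptor(ctxt, old_tss_sel,
					       &curr_tss_desc);
		if (ret != X86EMUL_CONTINUE)
			return ret;
	}

	if (reason == TASK_SWITCH_IRET)
		ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;

	/* only nested switches (CALL/GATE) record a back link */
	if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
		old_tss_sel = 0xffff;

	if (next_tss_desc.type & 8)
		ret = task_switch_32(ctxt, tss_selector, old_tss_sel,
				     old_tss_base, &next_tss_desc);
	else
		ret = task_switch_16(ctxt, tss_selector, old_tss_sel,
				     old_tss_base, &next_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
		ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;

	/* everything but IRET enters a task: mark the new TSS busy */
	if (reason != TASK_SWITCH_IRET) {
		next_tss_desc.type |= (1 << 1);
		ret = write_segment_descriptor(ctxt, tss_selector,
					       &next_tss_desc);
		if (ret != X86EMUL_CONTINUE)
			return ret;
	}

	ops->set_cr(ctxt, 0,  ops->get_cr(ctxt, 0) | X86_CR0_TS);
	ops->set_segment(ctxt, tss_selector, &next_tss_desc, 0, VCPU_SREG_TR);

	if (has_error_code) {
		/* operand/address size follow the new TSS type */
		ctxt->op_bytes = ctxt->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
		ctxt->lock_prefix = 0;
		ctxt->src.val = (unsigned long) error_code;
		ret = em_push(ctxt);
	}

	return ret;
}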
2482
/*
 * Non-static entry point for the task-switch path.
 *
 * Works on the private EIP copy (_eip) and commits it back to ctxt->eip
 * only if the switch completed; dst is marked OP_NONE so nothing else
 * is written back.  Only X86EMUL_UNHANDLEABLE maps to EMULATION_FAILED;
 * every other status, including a propagated fault, is reported as
 * EMULATION_OK.
 */
int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
			 u16 tss_selector, int reason,
			 bool has_error_code, u32 error_code)
{
	int rc;

	ctxt->dst.type = OP_NONE;
	ctxt->_eip = ctxt->eip;

	rc = emulator_do_task_switch(ctxt, tss_selector, reason,
				     has_error_code, error_code);
	if (rc == X86EMUL_CONTINUE)
		ctxt->eip = ctxt->_eip;

	if (rc == X86EMUL_UNHANDLEABLE)
		return EMULATION_FAILED;
	return EMULATION_OK;
}
2500
/*
 * Advance the index register of a string instruction by one element and
 * refresh the operand's effective address/segment accordingly.
 *
 * @seg: segment the operand is addressed through
 * @reg: VCPU_REGS_* index of the register to step (RSI/RDI)
 * @op:  operand whose size decides the step and whose address is updated
 *
 * EFLAGS.DF selects the direction: set means walk downwards.
 */
static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned seg,
			    int reg, struct operand *op)
{
	int step;

	if (ctxt->eflags & EFLG_DF)
		step = -op->bytes;
	else
		step = op->bytes;

	register_address_increment(ctxt, &ctxt->regs[reg], step);
	op->addr.mem.ea = register_address(ctxt, ctxt->regs[reg]);
	op->addr.mem.seg = seg;
}
2510
/*
 * DAS - decimal adjust AL after subtraction.
 *
 * Operates on the byte in ctxt->dst.val (AL) and on CF/AF; the remaining
 * arithmetic flags (ZF/SF/PF) are derived from the adjusted result by
 * running a harmless "or al, 0" through the host ALU helper, after which
 * CF and AF are replaced with the values computed here.
 */
static int em_das(struct x86_emulate_ctxt *ctxt)
{
	u8 al, old_al;
	bool af, cf, old_cf;

	cf = ctxt->eflags & X86_EFLAGS_CF;
	al = ctxt->dst.val;

	old_al = al;
	old_cf = cf;
	cf = false;
	af = ctxt->eflags & X86_EFLAGS_AF;
	/* Low nibble adjustment; a borrow out of the subtraction sets CF. */
	if ((al & 0x0f) > 9 || af) {
		al -= 6;
		cf = old_cf | (al >= 250);
		af = true;
	} else {
		af = false;
	}
	/* High nibble adjustment, based on the *original* AL and CF. */
	if (old_al > 0x99 || old_cf) {
		al -= 0x60;
		cf = true;
	}

	ctxt->dst.val = al;

	/* "or al, 0": sets ZF/SF/PF from the result, clears CF (fixed below). */
	ctxt->src.type = OP_IMM;
	ctxt->src.val = 0;
	ctxt->src.bytes = 1;
	emulate_2op_SrcV(ctxt, "or");
	ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
	if (cf)
		ctxt->eflags |= X86_EFLAGS_CF;
	if (af)
		ctxt->eflags |= X86_EFLAGS_AF;
	return X86EMUL_CONTINUE;
}
2548
/*
 * CALL rel - near relative call.
 *
 * The source operand holds the displacement.  The return address is the
 * already-advanced _eip, which is pushed after the displacement has been
 * applied; if the push faults, the modified _eip is never committed
 * because the non-CONTINUE result skips writeback.
 */
static int em_call(struct x86_emulate_ctxt *ctxt)
{
	long displacement = ctxt->src.val;
	unsigned long return_addr = ctxt->_eip;

	jmp_rel(ctxt, displacement);

	ctxt->src.val = return_addr;
	return em_push(ctxt);
}
2557
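/*
 * CALL ptr16:16 / ptr16:32 - far call through an immediate or memory
 * far pointer.
 *
 * The far-pointer operand is laid out as the offset (op_bytes wide)
 * followed by a 16-bit code segment selector.  The new CS is loaded
 * first, then the old CS and old EIP are pushed on the new stack.
 *
 * Fix: a failed load_segment_descriptor() used to be reported as
 * X86EMUL_CONTINUE.  The fault is already recorded in the context by
 * that point, but CONTINUE makes the emulator run writeback and advance
 * RIP as if the call had succeeded before the exception is injected.
 * Propagate the real return code, as em_mov_sreg_rm() does.
 *
 * NOTE(review): if one of the pushes faults, CS has already been
 * replaced and is not restored here, so the guest observes a partially
 * executed far call.  Restoring the old CS descriptor on that path would
 * need the previous descriptor to be saved first.
 */
static int em_call_far(struct x86_emulate_ctxt *ctxt)
{
	u16 sel, old_cs;
	ulong old_eip;
	int rc;

	old_cs = get_segment_selector(ctxt, VCPU_SREG_CS);
	old_eip = ctxt->_eip;

	/* selector sits right after the op_bytes-wide offset */
	memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
	rc = load_segment_descriptor(ctxt, sel, VCPU_SREG_CS);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	ctxt->_eip = 0;
	memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);

	ctxt->src.val = old_cs;
	rc = em_push(ctxt);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	ctxt->src.val = old_eip;
	return em_push(ctxt);
}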
2582
/*
 * RET imm16 - near return that also discards imm16 bytes of stack
 * arguments after popping the return address.
 *
 * The popped value is routed into _eip via the destination operand so
 * that the normal writeback path commits it.
 *
 * NOTE(review): the popped address is not checked against the CS limit
 * here; whether that is done elsewhere cannot be seen from this block.
 */
static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
{
	struct operand *dst = &ctxt->dst;
	int rc;

	dst->type = OP_REG;
	dst->addr.reg = &ctxt->_eip;
	dst->bytes = ctxt->op_bytes;

	rc = emulate_pop(ctxt, &dst->val, ctxt->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	/* immediate operand = number of bytes to release */
	register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RSP],
				   ctxt->src.val);
	return X86EMUL_CONTINUE;
}
2596
/* ADD dst, src - result and flags come from the host "add" helper. */
static int em_add(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV(ctxt, "add");
	return X86EMUL_CONTINUE;
}
2602
/* OR dst, src - result and flags come from the host "or" helper. */
static int em_or(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV(ctxt, "or");
	return X86EMUL_CONTINUE;
}
2608
/* ADC dst, src - add with carry; CF is taken from ctxt->eflags. */
static int em_adc(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV(ctxt, "adc");
	return X86EMUL_CONTINUE;
}
2614
/* SBB dst, src - subtract with borrow; CF is taken from ctxt->eflags. */
static int em_sbb(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV(ctxt, "sbb");
	return X86EMUL_CONTINUE;
}
2620
/* AND dst, src - result and flags come from the host "and" helper. */
static int em_and(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV(ctxt, "and");
	return X86EMUL_CONTINUE;
}
2626
/* SUB dst, src - result and flags come from the host "sub" helper. */
static int em_sub(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV(ctxt, "sub");
	return X86EMUL_CONTINUE;
}
2632
/* XOR dst, src - result and flags come from the host "xor" helper. */
static int em_xor(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV(ctxt, "xor");
	return X86EMUL_CONTINUE;
}
2638
/*
 * CMP dst, src - flags only.  The subtraction result is discarded by
 * turning the destination into OP_NONE so writeback stores nothing.
 */
static int em_cmp(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV(ctxt, "cmp");

	ctxt->dst.type = OP_NONE;
	return X86EMUL_CONTINUE;
}
2646
/*
 * TEST dst, src - flags only.  Like CMP, the destination is suppressed
 * so the AND result is never written back.
 */
static int em_test(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV(ctxt, "test");

	ctxt->dst.type = OP_NONE;
	return X86EMUL_CONTINUE;
}
2654
/*
 * XCHG dst, src - swap the two operands.
 *
 * The register side (src) is written immediately; the memory/register
 * side (dst) receives the original src value through normal writeback.
 * The lock prefix is forced on so the writeback is performed atomically
 * (the table entry for XCHG r/m, r already carries Lock).
 */
static int em_xchg(struct x86_emulate_ctxt *ctxt)
{
	unsigned long dst_old = ctxt->dst.val;
	unsigned long src_old = ctxt->src.orig_val;

	ctxt->lock_prefix = 1;

	/* register side gets the old destination value right away */
	ctxt->src.val = dst_old;
	write_register_operand(&ctxt->src);

	/* destination side is stored by writeback */
	ctxt->dst.val = src_old;
	return X86EMUL_CONTINUE;
}
2666
/* IMUL r, r/m - two-operand signed multiply (no byte form). */
static int em_imul(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV_nobyte(ctxt, "imul");
	return X86EMUL_CONTINUE;
}
2672
/*
 * IMUL r, r/m, imm - three-operand signed multiply.
 *
 * Implemented as the two-operand form with the immediate (src2) seeded
 * into the destination: dst = src2 * src.
 */
static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
{
	ctxt->dst.val = ctxt->src2.val;
	emulate_2op_SrcV_nobyte(ctxt, "imul");
	return X86EMUL_CONTINUE;
}
2678
/*
 * CWD/CDQ/CQO - sign-extend the accumulator (src) into RDX.
 *
 * RDX is set to all ones when the top bit of the source is set and to
 * zero otherwise; the write is done via the destination operand so it
 * is committed by the normal writeback with the source's width.
 */
static int em_cwd(struct x86_emulate_ctxt *ctxt)
{
	unsigned bits = ctxt->src.bytes * 8;
	unsigned long sign = ctxt->src.val >> (bits - 1);

	ctxt->dst.type = OP_REG;
	ctxt->dst.bytes = ctxt->src.bytes;
	ctxt->dst.addr.reg = &ctxt->regs[VCPU_REGS_RDX];
	/* sign == 1 -> ~0, sign == 0 -> 0 */
	ctxt->dst.val = ~(sign - 1);

	return X86EMUL_CONTINUE;
}
2688
/*
 * RDTSC - read the (virtualised) time stamp counter into EDX:EAX.
 *
 * The value comes from the guest's MSR_IA32_TSC; a failed read leaves
 * the zero-initialised counter in place rather than raising a fault.
 */
static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
{
	u64 counter = 0;

	ctxt->ops->get_msr(ctxt, MSR_IA32_TSC, &counter);

	ctxt->regs[VCPU_REGS_RAX] = (u32)counter;
	ctxt->regs[VCPU_REGS_RDX] = (u32)(counter >> 32);
	return X86EMUL_CONTINUE;
}
2698
/*
 * RDPMC - read performance counter ECX into EDX:EAX.
 *
 * Index validation and the CR4.PCE/CPL check live in check_rdpmc();
 * a failing read_pmc() is reported as #GP(0).
 */
static int em_rdpmc(struct x86_emulate_ctxt *ctxt)
{
	u64 counter;
	unsigned long index = ctxt->regs[VCPU_REGS_RCX];

	if (ctxt->ops->read_pmc(ctxt, index, &counter))
		return emulate_gp(ctxt, 0);

	ctxt->regs[VCPU_REGS_RAX] = (u32)counter;
	ctxt->regs[VCPU_REGS_RDX] = (u32)(counter >> 32);
	return X86EMUL_CONTINUE;
}
2709
/* MOV dst, src - plain copy; writeback stores the destination. */
static int em_mov(struct x86_emulate_ctxt *ctxt)
{
	ctxt->dst.val = ctxt->src.val;
	return X86EMUL_CONTINUE;
}
2715
/*
 * MOV CRn, r - write a control register.
 *
 * Reserved-bit and mode-consistency checks are done earlier by
 * check_cr_write(); a set_cr() rejection is reported as #GP(0).
 * No writeback: the destination is the CR itself.
 */
static int em_cr_write(struct x86_emulate_ctxt *ctxt)
{
	int cr = ctxt->modrm_reg;
	unsigned long value = ctxt->src.val;

	ctxt->dst.type = OP_NONE;

	if (ctxt->ops->set_cr(ctxt, cr, value))
		return emulate_gp(ctxt, 0);

	return X86EMUL_CONTINUE;
}
2725
/*
 * MOV DRn, r - write a debug register.
 *
 * Outside 64-bit mode only the low 32 bits of the source are used.
 * Validation of the register number and of DR6/DR7 reserved bits is in
 * check_dr_write(); a negative set_dr() result becomes #GP(0).
 */
static int em_dr_write(struct x86_emulate_ctxt *ctxt)
{
	unsigned long value = ctxt->src.val;

	if (ctxt->mode != X86EMUL_MODE_PROT64)
		value &= ~0U;

	ctxt->dst.type = OP_NONE;	/* no writeback for a DR destination */

	if (ctxt->ops->set_dr(ctxt, ctxt->modrm_reg, value) < 0)
		return emulate_gp(ctxt, 0);

	return X86EMUL_CONTINUE;
}
2743
/*
 * WRMSR - write EDX:EAX to the MSR selected by ECX.
 *
 * set_msr() is responsible for rejecting unknown or read-only MSRs;
 * any failure is surfaced to the guest as #GP(0).
 */
static int em_wrmsr(struct x86_emulate_ctxt *ctxt)
{
	u64 lo = (u32)ctxt->regs[VCPU_REGS_RAX];
	u64 hi = (u64)ctxt->regs[VCPU_REGS_RDX] << 32;
	u64 data = hi | lo;

	if (ctxt->ops->set_msr(ctxt, ctxt->regs[VCPU_REGS_RCX], data))
		return emulate_gp(ctxt, 0);

	return X86EMUL_CONTINUE;
}
2755
/*
 * RDMSR - read the MSR selected by ECX into EDX:EAX.
 *
 * A failed get_msr() (unknown MSR) is reported as #GP(0) and leaves
 * RAX/RDX untouched.
 */
static int em_rdmsr(struct x86_emulate_ctxt *ctxt)
{
	u64 data;
	int failed;

	failed = ctxt->ops->get_msr(ctxt, ctxt->regs[VCPU_REGS_RCX], &data);
	if (failed)
		return emulate_gp(ctxt, 0);

	ctxt->regs[VCPU_REGS_RAX] = (u32)data;
	ctxt->regs[VCPU_REGS_RDX] = (u32)(data >> 32);
	return X86EMUL_CONTINUE;
}
2767
/*
 * MOV r/m16, Sreg - store a segment selector.
 *
 * modrm.reg selects the segment; values beyond GS have no segment
 * register and raise #UD.
 */
static int em_mov_rm_sreg(struct x86_emulate_ctxt *ctxt)
{
	int seg = ctxt->modrm_reg;

	if (seg > VCPU_SREG_GS)
		return emulate_ud(ctxt);

	ctxt->dst.val = get_segment_selector(ctxt, seg);
	return X86EMUL_CONTINUE;
}
2776
/*
 * MOV Sreg, r/m16 - load a segment register from a selector.
 *
 * Loading CS this way, or a modrm.reg beyond GS, is #UD.  A load of SS
 * raises the MOV SS interrupt shadow so the following instruction runs
 * before any interrupt is delivered.  The descriptor checks themselves
 * are done by load_segment_descriptor(), whose result is returned
 * as-is.  No writeback: the destination is the segment register.
 */
static int em_mov_sreg_rm(struct x86_emulate_ctxt *ctxt)
{
	int seg = ctxt->modrm_reg;
	u16 selector = ctxt->src.val;

	if (seg == VCPU_SREG_CS)
		return emulate_ud(ctxt);
	if (seg > VCPU_SREG_GS)
		return emulate_ud(ctxt);

	if (seg == VCPU_SREG_SS)
		ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;

	ctxt->dst.type = OP_NONE;
	return load_segment_descriptor(ctxt, selector, seg);
}
2791
/*
 * MOVDQU - copy op_bytes of vector data between the two operands.
 * Only the vector payload is moved; alignment is not checked (it is
 * the unaligned form).
 */
static int em_movdqu(struct x86_emulate_ctxt *ctxt)
{
	memcpy(&ctxt->dst.vec_val, &ctxt->src.vec_val, ctxt->op_bytes);
	return X86EMUL_CONTINUE;
}
2797
/*
 * INVLPG m - invalidate the TLB entry for a linear address.
 *
 * If the operand cannot be linearised (segment limit/canonical checks
 * in linearize()), the instruction is silently a no-op and still
 * completes; no fault is raised.  Nothing is written back.
 */
static int em_invlpg(struct x86_emulate_ctxt *ctxt)
{
	ulong linear;
	int rc;

	ctxt->dst.type = OP_NONE;

	rc = linearize(ctxt, ctxt->src.addr.mem, 1, false, &linear);
	if (rc != X86EMUL_CONTINUE)
		return X86EMUL_CONTINUE;

	ctxt->ops->invlpg(ctxt, linear);
	return X86EMUL_CONTINUE;
}
2810
/*
 * CLTS - clear the task-switched flag (CR0.TS).
 *
 * Privilege is enforced by the table entry (Priv); this just performs
 * the read-modify-write on CR0.
 */
static int em_clts(struct x86_emulate_ctxt *ctxt)
{
	ulong new_cr0 = ctxt->ops->get_cr(ctxt, 0) & ~X86_CR0_TS;

	ctxt->ops->set_cr(ctxt, 0, new_cr0);
	return X86EMUL_CONTINUE;
}
2820
/*
 * VMCALL (0F 01 C1) - only the mod=3, rm=1 encoding is accepted; any
 * other modrm reaching this entry is reported unhandleable.
 *
 * The hypercall itself is not performed here: fix_hypercall() is given
 * the chance to patch the instruction, and _eip is rewound to the
 * instruction start so the emulator does not advance RIP on its own.
 * NOTE(review): presumably the hypercall path advances RIP itself -
 * confirm against the fix_hypercall implementation.
 */
static int em_vmcall(struct x86_emulate_ctxt *ctxt)
{
	bool is_vmcall_encoding = ctxt->modrm_mod == 3 && ctxt->modrm_rm == 1;
	int rc;

	if (!is_vmcall_encoding)
		return X86EMUL_UNHANDLEABLE;

	rc = ctxt->ops->fix_hypercall(ctxt);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	ctxt->_eip = ctxt->eip;		/* do not advance RIP here */
	ctxt->dst.type = OP_NONE;	/* disable writeback */
	return X86EMUL_CONTINUE;
}
2838
/*
 * LGDT m - load the GDT register from a memory descriptor (limit:base).
 *
 * read_descriptor() fetches op_bytes worth of base; a fetch failure is
 * propagated.  NOTE(review): the base is passed to set_gdt() without a
 * canonical-address check in 64-bit mode - whether set_gdt() validates
 * it cannot be seen from here.
 */
static int em_lgdt(struct x86_emulate_ctxt *ctxt)
{
	struct desc_ptr gdtr;
	int rc;

	ctxt->dst.type = OP_NONE;	/* no register/memory writeback */

	rc = read_descriptor(ctxt, ctxt->src.addr.mem,
			     &gdtr.size, &gdtr.address, ctxt->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	ctxt->ops->set_gdt(ctxt, &gdtr);
	return X86EMUL_CONTINUE;
}
2854
/*
 * VMMCALL (AMD) - hand the hypercall to fix_hypercall() and return its
 * result unchanged.  Nothing is written back.
 */
static int em_vmmcall(struct x86_emulate_ctxt *ctxt)
{
	ctxt->dst.type = OP_NONE;
	return ctxt->ops->fix_hypercall(ctxt);
}
2865
/*
 * LIDT m - load the IDT register from a memory descriptor (limit:base).
 *
 * Mirrors em_lgdt(): fetch via read_descriptor(), propagate a fetch
 * failure, otherwise hand the pointer to set_idt().  NOTE(review): as
 * with LGDT, no canonical check of the base is visible here.
 */
static int em_lidt(struct x86_emulate_ctxt *ctxt)
{
	struct desc_ptr idtr;
	int rc;

	ctxt->dst.type = OP_NONE;	/* no register/memory writeback */

	rc = read_descriptor(ctxt, ctxt->src.addr.mem,
			     &idtr.size, &idtr.address, ctxt->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	ctxt->ops->set_idt(ctxt, &idtr);
	return X86EMUL_CONTINUE;
}
2881
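/*
 * SMSW r/m - store the machine status word (CR0).
 *
 * A memory destination is always 16 bits wide.  A register destination
 * keeps the decoded operand size: the architecture stores CR0[31:0]
 * into a 32-bit register and CR0[63:0] into a 64-bit one, so forcing
 * 2 bytes there (as the previous version did unconditionally) truncated
 * the register form.
 */
static int em_smsw(struct x86_emulate_ctxt *ctxt)
{
	if (ctxt->dst.type == OP_MEM)
		ctxt->dst.bytes = 2;
	ctxt->dst.val = ctxt->ops->get_cr(ctxt, 0);
	return X86EMUL_CONTINUE;
}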
2888
/*
 * LMSW r/m16 - load the low four bits of CR0 (PE, MP, EM, TS).
 *
 * Bits 1-3 are replaced from the source; bit 0 (PE) is OR-ed in, so
 * LMSW can set PE but never clear it, matching the architectural rule.
 * Nothing is written back.
 */
static int em_lmsw(struct x86_emulate_ctxt *ctxt)
{
	ulong cr0 = ctxt->ops->get_cr(ctxt, 0);
	ulong new_bits = ctxt->src.val & 0x0f;

	cr0 &= ~0x0eul;		/* keep PE, drop MP/EM/TS */
	cr0 |= new_bits;

	ctxt->ops->set_cr(ctxt, 0, cr0);
	ctxt->dst.type = OP_NONE;
	return X86EMUL_CONTINUE;
}
2896
/*
 * LOOP / LOOPE / LOOPNE rel8 (opcodes E2 / E1 / E0).
 *
 * Decrements the count register, then branches when the count (masked
 * to the address size) is non-zero and the opcode's extra condition
 * holds: none for E2; for E0/E1, ctxt->b ^ 0x5 yields condition code
 * 5 (ZF clear) or 4 (ZF set) respectively for test_cc().
 */
static int em_loop(struct x86_emulate_ctxt *ctxt)
{
	bool count_nonzero, cond_ok;

	register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RCX], -1);

	count_nonzero = address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) != 0;
	cond_ok = ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags);

	if (count_nonzero && cond_ok)
		jmp_rel(ctxt, ctxt->src.val);

	return X86EMUL_CONTINUE;
}
2906
/*
 * JCXZ / JECXZ / JRCXZ rel8 - branch when the count register, masked to
 * the current address size, is zero.
 */
static int em_jcxz(struct x86_emulate_ctxt *ctxt)
{
	unsigned long count = address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]);

	if (!count)
		jmp_rel(ctxt, ctxt->src.val);

	return X86EMUL_CONTINUE;
}
2914
/*
 * IN / INS - read from port src.val into the destination.
 *
 * Port permission (TSS bitmap / IOPL) was checked by check_perm_in().
 * When the data is not available yet the emulator must exit to
 * userspace; that is signalled with X86EMUL_IO_NEEDED.
 */
static int em_in(struct x86_emulate_ctxt *ctxt)
{
	int completed;

	completed = pio_in_emulated(ctxt, ctxt->dst.bytes, ctxt->src.val,
				    &ctxt->dst.val);
	if (!completed)
		return X86EMUL_IO_NEEDED;

	return X86EMUL_CONTINUE;
}
2923
/*
 * OUT / OUTS - write src.val to port dst.val.
 *
 * Port permission was checked by check_perm_out().  The result of
 * pio_out_emulated() is not examined; the destination is the port,
 * so writeback is disabled.
 */
static int em_out(struct x86_emulate_ctxt *ctxt)
{
	unsigned long port = ctxt->dst.val;

	ctxt->dst.type = OP_NONE;

	ctxt->ops->pio_out_emulated(ctxt, ctxt->src.bytes, port,
				    &ctxt->src.val, 1);
	return X86EMUL_CONTINUE;
}
2932
/*
 * CLI - clear EFLAGS.IF.
 *
 * Refused with #GP(0) when the current privilege level is not allowed
 * by IOPL (emulator_bad_iopl()).
 */
static int em_cli(struct x86_emulate_ctxt *ctxt)
{
	if (emulator_bad_iopl(ctxt))
		return emulate_gp(ctxt, 0);

	ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_IF;
	return X86EMUL_CONTINUE;
}
2941
/*
 * STI - set EFLAGS.IF.
 *
 * Subject to the same IOPL check as CLI.  Also raises the STI interrupt
 * shadow so that the next instruction executes before an interrupt is
 * delivered.
 */
static int em_sti(struct x86_emulate_ctxt *ctxt)
{
	if (emulator_bad_iopl(ctxt))
		return emulate_gp(ctxt, 0);

	ctxt->eflags = ctxt->eflags | X86_EFLAGS_IF;
	ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
	return X86EMUL_CONTINUE;
}
2951
/*
 * BT dst, src - copy bit src of dst into CF; dst is not modified.
 *
 * The bit offset is reduced modulo the operand width so the host "bt"
 * never indexes outside the operand (fetch_bit_operand() has already
 * adjusted a memory operand's address for large offsets).
 */
static int em_bt(struct x86_emulate_ctxt *ctxt)
{
	unsigned width_mask = (ctxt->dst.bytes << 3) - 1;

	ctxt->dst.type = OP_NONE;	/* flags only, no writeback */
	ctxt->src.val &= width_mask;

	emulate_2op_SrcV_nobyte(ctxt, "bt");
	return X86EMUL_CONTINUE;
}
2962
/* BTS dst, src - copy the bit into CF and set it in dst. */
static int em_bts(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV_nobyte(ctxt, "bts");
	return X86EMUL_CONTINUE;
}
2968
/* BTR dst, src - copy the bit into CF and clear it in dst. */
static int em_btr(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV_nobyte(ctxt, "btr");
	return X86EMUL_CONTINUE;
}
2974
/* BTC dst, src - copy the bit into CF and complement it in dst. */
static int em_btc(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV_nobyte(ctxt, "btc");
	return X86EMUL_CONTINUE;
}
2980
/*
 * BSF dst, src - index of the lowest set bit of src.
 *
 * Uses the host instruction directly.  When src is zero the host
 * leaves the output undefined and sets ZF; in that case ZF is
 * reflected into the guest flags and the destination write is
 * suppressed so the undefined value is never stored.
 */
static int em_bsf(struct x86_emulate_ctxt *ctxt)
{
	u8 zf;

	__asm__ ("bsf %2, %0; setz %1"
		 : "=r"(ctxt->dst.val), "=q"(zf)
		 : "r"(ctxt->src.val));

	ctxt->eflags &= ~X86_EFLAGS_ZF;
	if (zf) {
		ctxt->eflags |= X86_EFLAGS_ZF;
		/* source was zero: dst is undefined, do not write it back */
		ctxt->dst.type = OP_NONE;
	}
	return X86EMUL_CONTINUE;
}
2997
/*
 * BSR dst, src - index of the highest set bit of src.
 *
 * Same structure as em_bsf(): host "bsr" computes the result, and a
 * zero source sets ZF and suppresses the destination write.
 */
static int em_bsr(struct x86_emulate_ctxt *ctxt)
{
	u8 zf;

	__asm__ ("bsr %2, %0; setz %1"
		 : "=r"(ctxt->dst.val), "=q"(zf)
		 : "r"(ctxt->src.val));

	ctxt->eflags &= ~X86_EFLAGS_ZF;
	if (zf) {
		ctxt->eflags |= X86_EFLAGS_ZF;
		/* source was zero: dst is undefined, do not write it back */
		ctxt->dst.type = OP_NONE;
	}
	return X86EMUL_CONTINUE;
}
3014
/*
 * Is @nr a control register that MOV CRn may name?
 *
 * Only CR0, CR2, CR3, CR4 and CR8 exist for this purpose; anything else
 * (including the REX.R-extended indices other than 8) is rejected.
 */
static bool valid_cr(int nr)
{
	if (nr == 0 || nr == 8)
		return true;
	return nr >= 2 && nr <= 4;
}
3026
/*
 * Permission check for MOV r, CRn: the register number must be one of
 * the existing control registers, otherwise #UD.
 */
static int check_cr_read(struct x86_emulate_ctxt *ctxt)
{
	int cr = ctxt->modrm_reg;

	return valid_cr(cr) ? X86EMUL_CONTINUE : emulate_ud(ctxt);
}
3034
/*
 * Permission/consistency check for MOV CRn, r, run before em_cr_write().
 *
 * Rejects with #UD a register number that is not a control register and
 * with #GP(0) a value that sets reserved bits or violates the
 * architectural constraints between CR0, CR3, CR4 and EFER that are
 * checked below.
 */
static int check_cr_write(struct x86_emulate_ctxt *ctxt)
{
	u64 new_val = ctxt->src.val64;
	int cr = ctxt->modrm_reg;
	u64 efer = 0;

	/* Per-CR reserved-bit masks, indexed by CR number (CR0..CR8). */
	static u64 cr_reserved_bits[] = {
		0xffffffff00000000ULL,
		0, 0, 0,
		CR4_RESERVED_BITS,
		0, 0, 0,
		CR8_RESERVED_BITS,
	};

	if (!valid_cr(cr))
		return emulate_ud(ctxt);

	if (new_val & cr_reserved_bits[cr])
		return emulate_gp(ctxt, 0);

	switch (cr) {
	case 0: {
		u64 cr4;
		/* PG requires PE; NW requires CD. */
		if (((new_val & X86_CR0_PG) && !(new_val & X86_CR0_PE)) ||
		    ((new_val & X86_CR0_NW) && !(new_val & X86_CR0_CD)))
			return emulate_gp(ctxt, 0);

		cr4 = ctxt->ops->get_cr(ctxt, 4);
		ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);

		/* Enabling paging with EFER.LME set needs CR4.PAE. */
		if ((new_val & X86_CR0_PG) && (efer & EFER_LME) &&
		    !(cr4 & X86_CR4_PAE))
			return emulate_gp(ctxt, 0);

		break;
		}
	case 3: {
		u64 rsvd = 0;

		/* CR3 reserved bits depend on the active paging mode. */
		ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
		if (efer & EFER_LMA)
			rsvd = CR3_L_MODE_RESERVED_BITS;
		else if (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_PAE)
			rsvd = CR3_PAE_RESERVED_BITS;
		else if (ctxt->ops->get_cr(ctxt, 0) & X86_CR0_PG)
			rsvd = CR3_NONPAE_RESERVED_BITS;

		if (new_val & rsvd)
			return emulate_gp(ctxt, 0);

		break;
		}
	case 4: {
		ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);

		/* CR4.PAE cannot be cleared while long mode is active. */
		if ((efer & EFER_LMA) && !(new_val & X86_CR4_PAE))
			return emulate_gp(ctxt, 0);

		break;
		}
	}

	return X86EMUL_CONTINUE;
}
3099
/*
 * Return non-zero when DR7.GD (general detect, bit 13) is set, i.e.
 * when any access to a debug register must raise #DB.
 */
static int check_dr7_gd(struct x86_emulate_ctxt *ctxt)
{
	const unsigned long gd_bit = 1 << 13;
	unsigned long dr7;

	ctxt->ops->get_dr(ctxt, 7, &dr7);

	return dr7 & gd_bit;
}
3109
/*
 * Permission check for MOV r, DRn.
 *
 * #UD for register numbers above 7 and for DR4/DR5 when CR4.DE is set
 * (they alias DR6/DR7 only with DE clear); #DB when DR7.GD is set.
 */
static int check_dr_read(struct x86_emulate_ctxt *ctxt)
{
	int dr = ctxt->modrm_reg;
	u64 cr4;
	bool de_alias;

	if (dr > 7)
		return emulate_ud(ctxt);

	cr4 = ctxt->ops->get_cr(ctxt, 4);
	de_alias = (dr == 4 || dr == 5) && (cr4 & X86_CR4_DE);
	if (de_alias)
		return emulate_ud(ctxt);

	if (check_dr7_gd(ctxt))
		return emulate_db(ctxt);

	return X86EMUL_CONTINUE;
}
3127
/*
 * Permission check for MOV DRn, r.
 *
 * In addition to the read checks, a DR6/DR7 value with any of the upper
 * 32 bits set is #GP(0).
 */
static int check_dr_write(struct x86_emulate_ctxt *ctxt)
{
	int dr = ctxt->modrm_reg;
	u64 new_val = ctxt->src.val64;
	bool upper_bits_set = (new_val & 0xffffffff00000000ULL) != 0;

	if (upper_bits_set && (dr == 6 || dr == 7))
		return emulate_gp(ctxt, 0);

	return check_dr_read(ctxt);
}
3138
/*
 * SVM instructions are #UD unless EFER.SVME is set.
 */
static int check_svme(struct x86_emulate_ctxt *ctxt)
{
	u64 efer;

	ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);

	return (efer & EFER_SVME) ? X86EMUL_CONTINUE : emulate_ud(ctxt);
}
3150
/*
 * Check for SVM instructions that take a physical address in RAX
 * (VMRUN/VMLOAD/VMSAVE): bits 48-63 of RAX must be clear, otherwise
 * #GP(0); then the usual EFER.SVME check applies.
 */
static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
{
	const u64 above_48_bits = 0xffff000000000000ULL;
	u64 rax = ctxt->regs[VCPU_REGS_RAX];

	if (rax & above_48_bits)
		return emulate_gp(ctxt, 0);

	return check_svme(ctxt);
}
3161
/*
 * RDTSC/RDTSCP are #UD from non-zero CPL when CR4.TSD is set.
 */
static int check_rdtsc(struct x86_emulate_ctxt *ctxt)
{
	u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
	bool restricted = (cr4 & X86_CR4_TSD) != 0;

	if (restricted && ctxt->ops->cpl(ctxt))
		return emulate_ud(ctxt);

	return X86EMUL_CONTINUE;
}
3171
/*
 * RDPMC is #GP(0) from non-zero CPL unless CR4.PCE is set, and for any
 * counter index (RCX) above 3.  NOTE(review): the index limit also
 * rejects encodings with the high selector bits set (e.g. bit 30); if
 * such counters are meant to be exposed, this check would need to
 * change together with read_pmc().
 */
static int check_rdpmc(struct x86_emulate_ctxt *ctxt)
{
	u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
	u64 index = ctxt->regs[VCPU_REGS_RCX];
	bool user_forbidden = !(cr4 & X86_CR4_PCE) && ctxt->ops->cpl(ctxt);

	if (user_forbidden)
		return emulate_gp(ctxt, 0);
	if (index > 3)
		return emulate_gp(ctxt, 0);

	return X86EMUL_CONTINUE;
}
3183
/*
 * I/O permission check for IN/INS.
 *
 * The transfer width is capped at 4 bytes (there is no 64-bit port
 * I/O), then the port range is checked against the I/O permission
 * bitmap / IOPL by emulator_io_permited(); a denial is #GP(0).
 */
static int check_perm_in(struct x86_emulate_ctxt *ctxt)
{
	unsigned width;

	if (ctxt->dst.bytes > 4u)
		ctxt->dst.bytes = 4u;
	width = ctxt->dst.bytes;

	if (!emulator_io_permited(ctxt, ctxt->src.val, width))
		return emulate_gp(ctxt, 0);

	return X86EMUL_CONTINUE;
}
3192
/*
 * I/O permission check for OUT/OUTS; the mirror image of
 * check_perm_in() with the port in dst and the data width in src.
 */
static int check_perm_out(struct x86_emulate_ctxt *ctxt)
{
	unsigned width;

	if (ctxt->src.bytes > 4u)
		ctxt->src.bytes = 4u;
	width = ctxt->src.bytes;

	if (!emulator_io_permited(ctxt, ctxt->dst.val, width))
		return emulate_gp(ctxt, 0);

	return X86EMUL_CONTINUE;
}
3201
/*
 * Opcode-table entry constructors.
 *
 *  D    - decode-only entry described by its flags
 *  DI   - same, with an SVM/VMX intercept id
 *  DIP  - same, with an intercept id and a check_perm hook
 *  N    - no entry (undefined / not emulated)
 *  EXT  - further dispatch on modrm.rm (RMExt)
 *  G    - further dispatch on modrm.reg (Group)
 *  GD   - group with separate memory/register forms (GroupDual)
 *  I    - entry with an execute function
 *  II   - execute function plus intercept id
 *  IIP  - execute function, intercept id and check_perm hook
 *  GP   - further dispatch on the SIMD prefix (Prefix)
 */
#define D(_y) { .flags = (_y) }
#define DI(_y, _i) { .flags = (_y), .intercept = x86_intercept_##_i }
#define DIP(_y, _i, _p) { .flags = (_y), .intercept = x86_intercept_##_i, \
		      .check_perm = (_p) }
#define N    D(0)
#define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
#define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
#define GD(_f, _g) { .flags = ((_f) | GroupDual), .u.gdual = (_g) }
#define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
#define II(_f, _e, _i) \
	{ .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i }
#define IIP(_f, _e, _i, _p) \
	{ .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i, \
	  .check_perm = (_p) }
#define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }

/* Byte-operand form followed by the word/dword form of the same entry. */
#define D2bv(_f)      D((_f) | ByteOp), D(_f)
#define D2bvIP(_f, _i, _p) DIP((_f) | ByteOp, _i, _p), DIP(_f, _i, _p)
#define I2bv(_f, _e)  I((_f) | ByteOp, _e), I(_f, _e)
#define I2bvIP(_f, _e, _i, _p) \
	IIP((_f) | ByteOp, _e, _i, _p), IIP(_f, _e, _i, _p)

/*
 * The six standard ALU encodings (r/m,r ; r,r/m ; acc,imm - each in byte
 * and full width).  Lock is kept only on the r/m-destination forms, since
 * LOCK is only meaningful with a memory destination.
 */
#define I6ALU(_f, _e) I2bv((_f) | DstMem | SrcReg | ModRM, _e),		\
		I2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock, _e),	\
		I2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)
3227
/* 0F 01 /1 with mod=3, dispatched on modrm.rm: MONITOR, MWAIT. */
static struct opcode group7_rm1[] = {
	DI(SrcNone | ModRM | Priv, monitor),
	DI(SrcNone | ModRM | Priv, mwait),
	N, N, N, N, N, N,
};
3233
/*
 * 0F 01 /3 with mod=3, dispatched on modrm.rm: the AMD SVM instructions.
 * All require protected mode; the ones taking a physical address in RAX
 * go through check_svme_pa(), the rest through check_svme().  VMMCALL
 * is the one non-privileged entry and is executed via em_vmmcall().
 */
static struct opcode group7_rm3[] = {
	DIP(SrcNone | ModRM | Prot | Priv, vmrun, check_svme_pa),
	II(SrcNone | ModRM | Prot | VendorSpecific, em_vmmcall, vmmcall),
	DIP(SrcNone | ModRM | Prot | Priv, vmload, check_svme_pa),
	DIP(SrcNone | ModRM | Prot | Priv, vmsave, check_svme_pa),
	DIP(SrcNone | ModRM | Prot | Priv, stgi, check_svme),
	DIP(SrcNone | ModRM | Prot | Priv, clgi, check_svme),
	DIP(SrcNone | ModRM | Prot | Priv, skinit, check_svme),
	DIP(SrcNone | ModRM | Prot | Priv, invlpga, check_svme),
};
3244
/* 0F 01 /7 with mod=3, dispatched on modrm.rm: RDTSCP (same check as RDTSC). */
static struct opcode group7_rm7[] = {
	N,
	DIP(SrcNone | ModRM, rdtscp, check_rdtsc),
	N, N, N, N, N, N,
};
3250
/*
 * Group 1 (80-83 /r): ALU op with immediate, selected by modrm.reg.
 * CMP is the only non-lockable entry; OR/AND are marked PageTable
 * (may be used to update page-table entries).
 */
static struct opcode group1[] = {
	I(Lock, em_add),
	I(Lock | PageTable, em_or),
	I(Lock, em_adc),
	I(Lock, em_sbb),
	I(Lock | PageTable, em_and),
	I(Lock, em_sub),
	I(Lock, em_xor),
	I(0, em_cmp),
};
3261
/* Group 1A (8F /0): POP r/m; the other reg values are undefined. */
static struct opcode group1A[] = {
	I(DstMem | SrcNone | ModRM | Mov | Stack, em_pop), N, N, N, N, N, N, N,
};
3265
/*
 * Group 3 (F6/F7 /r): TEST imm (/0 and its alias /1), NOT, NEG, then the
 * single-operand MUL/IMUL/DIV/IDIV that implicitly use the accumulator.
 */
static struct opcode group3[] = {
	I(DstMem | SrcImm | ModRM, em_test),
	I(DstMem | SrcImm | ModRM, em_test),
	I(DstMem | SrcNone | ModRM | Lock, em_not),
	I(DstMem | SrcNone | ModRM | Lock, em_neg),
	I(SrcMem | ModRM, em_mul_ex),
	I(SrcMem | ModRM, em_imul_ex),
	I(SrcMem | ModRM, em_div_ex),
	I(SrcMem | ModRM, em_idiv_ex),
};
3276
/* Group 4 (FE /r): byte INC/DEC r/m, both handled by em_grp45(). */
static struct opcode group4[] = {
	I(ByteOp | DstMem | SrcNone | ModRM | Lock, em_grp45),
	I(ByteOp | DstMem | SrcNone | ModRM | Lock, em_grp45),
	N, N, N, N, N, N,
};
3282
/*
 * Group 5 (FF /r): INC, DEC, CALL near, CALL far, JMP near, JMP far,
 * PUSH.  Only the far CALL has its own handler (em_call_far); the rest
 * dispatch inside em_grp45() on modrm.reg.
 */
static struct opcode group5[] = {
	I(DstMem | SrcNone | ModRM | Lock, em_grp45),
	I(DstMem | SrcNone | ModRM | Lock, em_grp45),
	I(SrcMem | ModRM | Stack, em_grp45),
	I(SrcMemFAddr | ModRM | ImplicitOps | Stack, em_call_far),
	I(SrcMem | ModRM | Stack, em_grp45),
	I(SrcMemFAddr | ModRM | ImplicitOps, em_grp45),
	I(SrcMem | ModRM | Stack, em_grp45), N,
};
3292
/*
 * Group 6 (0F 00 /r): SLDT, STR, LLDT, LTR - protected mode only, the
 * loads privileged.  All are decode-only here (intercept ids only).
 */
static struct opcode group6[] = {
	DI(ModRM | Prot, sldt),
	DI(ModRM | Prot, str),
	DI(ModRM | Prot | Priv, lldt),
	DI(ModRM | Prot | Priv, ltr),
	N, N, N, N,
};
3300
/*
 * Group 7 (0F 01 /r), split by modrm.mod.  The first table holds the
 * memory forms (SGDT/SIDT/LGDT/LIDT/SMSW/LMSW/INVLPG); the second the
 * mod=3 forms, where /0 is VMCALL and /1, /3, /7 dispatch further on
 * modrm.rm (MONITOR/MWAIT, SVM, RDTSCP).  SMSW and LMSW are valid in
 * both.
 */
static struct group_dual group7 = { {
	DI(ModRM | Mov | DstMem | Priv, sgdt),
	DI(ModRM | Mov | DstMem | Priv, sidt),
	II(ModRM | SrcMem | Priv, em_lgdt, lgdt),
	II(ModRM | SrcMem | Priv, em_lidt, lidt),
	II(SrcNone | ModRM | DstMem | Mov, em_smsw, smsw), N,
	II(SrcMem16 | ModRM | Mov | Priv, em_lmsw, lmsw),
	II(SrcMem | ModRM | ByteOp | Priv | NoAccess, em_invlpg, invlpg),
}, {
	I(SrcNone | ModRM | Priv | VendorSpecific, em_vmcall),
	EXT(0, group7_rm1),
	N, EXT(0, group7_rm3),
	II(SrcNone | ModRM | DstMem | Mov, em_smsw, smsw), N,
	II(SrcMem16 | ModRM | Mov | Priv, em_lmsw, lmsw), EXT(0, group7_rm7),
} };
3316
/* Group 8 (0F BA /r): BT/BTS/BTR/BTC with an imm8 bit offset (/4-/7). */
static struct opcode group8[] = {
	N, N, N, N,
	I(DstMem | SrcImmByte | ModRM, em_bt),
	I(DstMem | SrcImmByte | ModRM | Lock | PageTable, em_bts),
	I(DstMem | SrcImmByte | ModRM | Lock, em_btr),
	I(DstMem | SrcImmByte | ModRM | Lock | PageTable, em_btc),
};
3324
/* Group 9 (0F C7 /r): only the memory form of /1, CMPXCHG8B, is emulated. */
static struct group_dual group9 = { {
	N, I(DstMem64 | ModRM | Lock | PageTable, em_cmpxchg8b), N, N, N, N, N, N,
}, {
	N, N, N, N, N, N, N, N,
} };
3330
/* Group 11 (C6/C7 /r): MOV r/m, imm is /0; the other reg values are #UD. */
static struct opcode group11[] = {
	I(DstMem | SrcImm | ModRM | Mov | PageTable, em_mov),
	X7(D(Undefined)),
};
3335
/*
 * 0F 6F / 0F 7F dispatched on the SIMD prefix; only the fourth slot
 * (presumably the F3 prefix, i.e. MOVDQU) is emulated.
 */
static struct gprefix pfx_0f_6f_0f_7f = {
	N, N, N, I(Sse, em_movdqu),
};
3339
/*
 * One-byte opcode map, indexed by opcode.  Each row below covers the
 * opcodes named in its comment; N marks opcodes that are not emulated.
 */
static struct opcode opcode_table[256] = {
	/* 0x00 - 0x07 */
	I6ALU(Lock, em_add),
	I(ImplicitOps | Stack | No64 | Src2ES, em_push_sreg),
	I(ImplicitOps | Stack | No64 | Src2ES, em_pop_sreg),
	/* 0x08 - 0x0F */
	I6ALU(Lock | PageTable, em_or),
	I(ImplicitOps | Stack | No64 | Src2CS, em_push_sreg),
	N,
	/* 0x10 - 0x17 */
	I6ALU(Lock, em_adc),
	I(ImplicitOps | Stack | No64 | Src2SS, em_push_sreg),
	I(ImplicitOps | Stack | No64 | Src2SS, em_pop_sreg),
	/* 0x18 - 0x1F */
	I6ALU(Lock, em_sbb),
	I(ImplicitOps | Stack | No64 | Src2DS, em_push_sreg),
	I(ImplicitOps | Stack | No64 | Src2DS, em_pop_sreg),
	/* 0x20 - 0x27 */
	I6ALU(Lock | PageTable, em_and), N, N,
	/* 0x28 - 0x2F */
	I6ALU(Lock, em_sub), N, I(ByteOp | DstAcc | No64, em_das),
	/* 0x30 - 0x37 */
	I6ALU(Lock, em_xor), N, N,
	/* 0x38 - 0x3F */
	I6ALU(0, em_cmp), N, N,
	/* 0x40 - 0x4F */
	X16(D(DstReg)),
	/* 0x50 - 0x57 */
	X8(I(SrcReg | Stack, em_push)),
	/* 0x58 - 0x5F */
	X8(I(DstReg | Stack, em_pop)),
	/* 0x60 - 0x67 */
	I(ImplicitOps | Stack | No64, em_pusha),
	I(ImplicitOps | Stack | No64, em_popa),
	N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
	N, N, N, N,
	/* 0x68 - 0x6F */
	I(SrcImm | Mov | Stack, em_push),
	I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
	I(SrcImmByte | Mov | Stack, em_push),
	I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
	I2bvIP(DstDI | SrcDX | Mov | String, em_in, ins, check_perm_in), /* insb, insw/insd */
	I2bvIP(SrcSI | DstDX | String, em_out, outs, check_perm_out), /* outsb, outsw/outsd */
	/* 0x70 - 0x7F */
	X16(D(SrcImmByte)),
	/* 0x80 - 0x87 */
	G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
	G(DstMem | SrcImm | ModRM | Group, group1),
	G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
	G(DstMem | SrcImmByte | ModRM | Group, group1),
	I2bv(DstMem | SrcReg | ModRM, em_test),
	I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_xchg),
	/* 0x88 - 0x8F */
	I2bv(DstMem | SrcReg | ModRM | Mov | PageTable, em_mov),
	I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
	I(DstMem | SrcNone | ModRM | Mov | PageTable, em_mov_rm_sreg),
	D(ModRM | SrcMem | NoAccess | DstReg),
	I(ImplicitOps | SrcMem16 | ModRM, em_mov_sreg_rm),
	G(0, group1A),
	/* 0x90 - 0x97 */
	DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)),
	/* 0x98 - 0x9F */
	D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
	I(SrcImmFAddr | No64, em_call_far), N,
	II(ImplicitOps | Stack, em_pushf, pushf),
	II(ImplicitOps | Stack, em_popf, popf), N, N,
	/* 0xA0 - 0xA7 */
	I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
	I2bv(DstMem | SrcAcc | Mov | MemAbs | PageTable, em_mov),
	I2bv(SrcSI | DstDI | Mov | String, em_mov),
	I2bv(SrcSI | DstDI | String, em_cmp),
	/* 0xA8 - 0xAF */
	I2bv(DstAcc | SrcImm, em_test),
	I2bv(SrcAcc | DstDI | Mov | String, em_mov),
	I2bv(SrcSI | DstAcc | Mov | String, em_mov),
	I2bv(SrcAcc | DstDI | String, em_cmp),
	/* 0xB0 - 0xB7 */
	X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
	/* 0xB8 - 0xBF */
	X8(I(DstReg | SrcImm | Mov, em_mov)),
	/* 0xC0 - 0xC7 */
	D2bv(DstMem | SrcImmByte | ModRM),
	I(ImplicitOps | Stack | SrcImmU16, em_ret_near_imm),
	I(ImplicitOps | Stack, em_ret),
	I(DstReg | SrcMemFAddr | ModRM | No64 | Src2ES, em_lseg),
	I(DstReg | SrcMemFAddr | ModRM | No64 | Src2DS, em_lseg),
	G(ByteOp, group11), G(0, group11),
	/* 0xC8 - 0xCF */
	N, N, N, I(ImplicitOps | Stack, em_ret_far),
	D(ImplicitOps), DI(SrcImmByte, intn),
	D(ImplicitOps | No64), II(ImplicitOps, em_iret, iret),
	/* 0xD0 - 0xD7 */
	D2bv(DstMem | SrcOne | ModRM), D2bv(DstMem | ModRM),
	N, N, N, N,
	/* 0xD8 - 0xDF */
	N, N, N, N, N, N, N, N,
	/* 0xE0 - 0xE7 */
	X3(I(SrcImmByte, em_loop)),
	I(SrcImmByte, em_jcxz),
	I2bvIP(SrcImmUByte | DstAcc, em_in, in, check_perm_in),
	I2bvIP(SrcAcc | DstImmUByte, em_out, out, check_perm_out),
	/* 0xE8 - 0xEF */
	I(SrcImm | Stack, em_call), D(SrcImm | ImplicitOps),
	I(SrcImmFAddr | No64, em_jmp_far), D(SrcImmByte | ImplicitOps),
	I2bvIP(SrcDX | DstAcc, em_in, in, check_perm_in),
	I2bvIP(SrcAcc | DstDX, em_out, out, check_perm_out),
	/* 0xF0 - 0xF7 */
	N, DI(ImplicitOps, icebp), N, N,
	DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
	G(ByteOp, group3), G(0, group3),
	/* 0xF8 - 0xFF */
	D(ImplicitOps), D(ImplicitOps),
	I(ImplicitOps, em_cli), I(ImplicitOps, em_sti),
	D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
};
3455
/*
 * Two-byte (0F xx) opcode map, indexed by the second opcode byte.
 * Each row's comment names the opcodes it covers; N = not emulated.
 */
static struct opcode twobyte_table[256] = {
	/* 0x00 - 0x0F */
	G(0, group6), GD(0, &group7), N, N,
	N, I(ImplicitOps | VendorSpecific, em_syscall),
	II(ImplicitOps | Priv, em_clts, clts), N,
	DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
	N, D(ImplicitOps | ModRM), N, N,
	/* 0x10 - 0x1F */
	N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
	/* 0x20 - 0x2F */
	DIP(ModRM | DstMem | Priv | Op3264, cr_read, check_cr_read),
	DIP(ModRM | DstMem | Priv | Op3264, dr_read, check_dr_read),
	IIP(ModRM | SrcMem | Priv | Op3264, em_cr_write, cr_write, check_cr_write),
	IIP(ModRM | SrcMem | Priv | Op3264, em_dr_write, dr_write, check_dr_write),
	N, N, N, N,
	N, N, N, N, N, N, N, N,
	/* 0x30 - 0x3F */
	II(ImplicitOps | Priv, em_wrmsr, wrmsr),
	IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
	II(ImplicitOps | Priv, em_rdmsr, rdmsr),
	IIP(ImplicitOps, em_rdpmc, rdpmc, check_rdpmc),
	I(ImplicitOps | VendorSpecific, em_sysenter),
	I(ImplicitOps | Priv | VendorSpecific, em_sysexit),
	N, N,
	N, N, N, N, N, N, N, N,
	/* 0x40 - 0x4F */
	X16(D(DstReg | SrcMem | ModRM | Mov)),
	/* 0x50 - 0x5F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0x60 - 0x6F */
	N, N, N, N,
	N, N, N, N,
	N, N, N, N,
	N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
	/* 0x70 - 0x7F */
	N, N, N, N,
	N, N, N, N,
	N, N, N, N,
	N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
	/* 0x80 - 0x8F */
	X16(D(SrcImm)),
	/* 0x90 - 0x9F */
	X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
	/* 0xA0 - 0xA7 */
	I(Stack | Src2FS, em_push_sreg), I(Stack | Src2FS, em_pop_sreg),
	DI(ImplicitOps, cpuid), I(DstMem | SrcReg | ModRM | BitOp, em_bt),
	D(DstMem | SrcReg | Src2ImmByte | ModRM),
	D(DstMem | SrcReg | Src2CL | ModRM), N, N,
	/* 0xA8 - 0xAF */
	I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg),
	DI(ImplicitOps, rsm),
	I(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
	D(DstMem | SrcReg | Src2ImmByte | ModRM),
	D(DstMem | SrcReg | Src2CL | ModRM),
	D(ModRM), I(DstReg | SrcMem | ModRM, em_imul),
	/* 0xB0 - 0xB7 */
	I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_cmpxchg),
	I(DstReg | SrcMemFAddr | ModRM | Src2SS, em_lseg),
	I(DstMem | SrcReg | ModRM | BitOp | Lock, em_btr),
	I(DstReg | SrcMemFAddr | ModRM | Src2FS, em_lseg),
	I(DstReg | SrcMemFAddr | ModRM | Src2GS, em_lseg),
	D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
	/* 0xB8 - 0xBF */
	N, N,
	G(BitOp, group8),
	I(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_btc),
	I(DstReg | SrcMem | ModRM, em_bsf), I(DstReg | SrcMem | ModRM, em_bsr),
	D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
	/* 0xC0 - 0xCF */
	D2bv(DstMem | SrcReg | ModRM | Lock),
	N, D(DstMem | SrcReg | ModRM | Mov),
	N, N, N, GD(0, &group9),
	N, N, N, N, N, N, N, N,
	/* 0xD0 - 0xDF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xE0 - 0xEF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xF0 - 0xFF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
};
3536
/* The table constructors are local to the tables above; drop them. */
#undef D
#undef N
#undef G
#undef GD
#undef I
#undef GP
#undef EXT

#undef D2bv
#undef D2bvIP
#undef I2bv
#undef I2bvIP
#undef I6ALU
3550
/*
 * Width in bytes of a full-size immediate for the current instruction:
 * 1 for byte operations, otherwise the operand size, except that a
 * 64-bit operand size still carries a 32-bit (sign-extended) immediate.
 */
static unsigned imm_size(struct x86_emulate_ctxt *ctxt)
{
	if (ctxt->d & ByteOp)
		return 1;

	return ctxt->op_bytes == 8 ? 4 : ctxt->op_bytes;
}
3560
/*
 * Fetch an immediate of @size bytes (1, 2 or 4) from the instruction
 * stream into @op.
 *
 * The value is read sign-extended; when @sign_extension is false it is
 * masked back down to @size bytes.  insn_fetch() jumps to the "done"
 * label with rc set when the fetch fails, which is why the label exists.
 * Sizes other than 1/2/4 leave op->val untouched.
 */
static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
		      unsigned size, bool sign_extension)
{
	int rc = X86EMUL_CONTINUE;

	op->type = OP_IMM;
	op->bytes = size;
	op->addr.mem.ea = ctxt->_eip;	/* where the immediate lives */

	switch (op->bytes) {
	case 1:
		op->val = insn_fetch(s8, ctxt);
		break;
	case 2:
		op->val = insn_fetch(s16, ctxt);
		break;
	case 4:
		op->val = insn_fetch(s32, ctxt);
		break;
	}
	/* undo the sign extension of the s8/s16/s32 fetch if not wanted */
	if (!sign_extension) {
		switch (op->bytes) {
		case 1:
			op->val &= 0xff;
			break;
		case 2:
			op->val &= 0xffff;
			break;
		case 4:
			op->val &= 0xffffffff;
			break;
		}
	}
done:
	return rc;
}
3597
/*
 * Decode one operand of the current instruction according to its Op*
 * kind @d (the DstMask/SrcMask field of the table flags) into @op.
 *
 * Memory-style kinds (OpMem*, OpMemFAddr) copy the modrm-decoded
 * ctxt->memop with an adjusted size and remember the operand in
 * ctxt->memopp.  Immediates are fetched from the instruction stream;
 * the insn_fetch_arr() macro can jump to "done" with rc set on a fetch
 * failure, which is why the label exists.  Anything unknown, including
 * OpImplicit, yields OP_NONE.
 */
static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
			  unsigned d)
{
	int rc = X86EMUL_CONTINUE;

	switch (d) {
	case OpReg:
		/* MOVZX (0F B6/B7) keeps the destination at full width */
		decode_register_operand(ctxt, op,
			 op == &ctxt->dst &&
			 ctxt->twobyte && (ctxt->b == 0xb6 || ctxt->b == 0xb7));
		break;
	case OpImmUByte:
		rc = decode_imm(ctxt, op, 1, false);
		break;
	case OpMem:
		ctxt->memop.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
	mem_common:
		*op = ctxt->memop;
		ctxt->memopp = op;
		/* bit-test destinations get their address adjusted by the offset */
		if ((ctxt->d & BitOp) && op == &ctxt->dst)
			fetch_bit_operand(ctxt);
		op->orig_val = op->val;
		break;
	case OpMem64:
		ctxt->memop.bytes = 8;
		goto mem_common;
	case OpAcc:
		op->type = OP_REG;
		op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
		op->addr.reg = &ctxt->regs[VCPU_REGS_RAX];
		fetch_register_operand(op);
		op->orig_val = op->val;
		break;
	case OpDI:
		/* ES:(E/R)DI string destination; no segment override applies */
		op->type = OP_MEM;
		op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
		op->addr.mem.ea =
			register_address(ctxt, ctxt->regs[VCPU_REGS_RDI]);
		op->addr.mem.seg = VCPU_SREG_ES;
		op->val = 0;
		break;
	case OpDX:
		/* port number in DX, always 16 bits */
		op->type = OP_REG;
		op->bytes = 2;
		op->addr.reg = &ctxt->regs[VCPU_REGS_RDX];
		fetch_register_operand(op);
		break;
	case OpCL:
		op->bytes = 1;
		op->val = ctxt->regs[VCPU_REGS_RCX] & 0xff;
		break;
	case OpImmByte:
		rc = decode_imm(ctxt, op, 1, true);
		break;
	case OpOne:
		op->bytes = 1;
		op->val = 1;
		break;
	case OpImm:
		rc = decode_imm(ctxt, op, imm_size(ctxt), true);
		break;
	case OpMem16:
		ctxt->memop.bytes = 2;
		goto mem_common;
	case OpMem32:
		ctxt->memop.bytes = 4;
		goto mem_common;
	case OpImmU16:
		rc = decode_imm(ctxt, op, 2, false);
		break;
	case OpImmU:
		rc = decode_imm(ctxt, op, imm_size(ctxt), false);
		break;
	case OpSI:
		/* (E/R)SI string source; honours a segment override */
		op->type = OP_MEM;
		op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
		op->addr.mem.ea =
			register_address(ctxt, ctxt->regs[VCPU_REGS_RSI]);
		op->addr.mem.seg = seg_override(ctxt);
		op->val = 0;
		break;
	case OpImmFAddr:
		/* far pointer immediate: op_bytes offset + 2-byte selector */
		op->type = OP_IMM;
		op->addr.mem.ea = ctxt->_eip;
		op->bytes = ctxt->op_bytes + 2;
		insn_fetch_arr(op->valptr, op->bytes, ctxt);
		break;
	case OpMemFAddr:
		ctxt->memop.bytes = ctxt->op_bytes + 2;
		goto mem_common;
	case OpES:
		op->val = VCPU_SREG_ES;
		break;
	case OpCS:
		op->val = VCPU_SREG_CS;
		break;
	case OpSS:
		op->val = VCPU_SREG_SS;
		break;
	case OpDS:
		op->val = VCPU_SREG_DS;
		break;
	case OpFS:
		op->val = VCPU_SREG_FS;
		break;
	case OpGS:
		op->val = VCPU_SREG_GS;
		break;
	case OpImplicit:
		/* Special instructions do their own operand decoding. */
	default:
		op->type = OP_NONE;
		break;
	}

done:
	return rc;
}
3716
/*
 * Decode one instruction starting at ctxt->eip into the emulator context.
 *
 * @insn/@insn_len: instruction bytes the caller has already obtained (may
 * be none); they seed ctxt->fetch.  Further bytes are pulled in on demand
 * by the insn_fetch()/insn_fetch_arr() macros, which (going by the
 * decode_imm() pattern above) set rc and jump to done: when a fetch fails.
 *
 * Decoding runs in a fixed order: legacy/REX prefixes, opcode lookup
 * (one- or two-byte table, then group / dual-group / RM-extension /
 * mandatory-prefix indirections), operand-size fixups, ModRM or absolute
 * address, and finally the src, src2 and dst operands.
 *
 * Returns EMULATION_OK or EMULATION_FAILED.  Anything absent from the
 * tables (flags == 0 or Undefined) is refused here rather than executed.
 */
int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
{
	int rc = X86EMUL_CONTINUE;
	int mode = ctxt->mode;
	int def_op_bytes, def_ad_bytes, goffset, simd_prefix;
	bool op_prefix = false;
	struct opcode opcode;

	ctxt->memop.type = OP_NONE;
	ctxt->memopp = NULL;
	/* _eip is the decode cursor; the architectural eip moves only on commit. */
	ctxt->_eip = ctxt->eip;
	ctxt->fetch.start = ctxt->_eip;
	ctxt->fetch.end = ctxt->fetch.start + insn_len;
	/*
	 * NOTE(review): the copy into fetch.data is guarded only against a
	 * non-positive length; no bound against the fetch buffer's size is
	 * visible here, so the caller is presumably responsible for keeping
	 * insn_len within it -- confirm at the call sites.
	 */
	if (insn_len > 0)
		memcpy(ctxt->fetch.data, insn, insn_len);

	/* Default operand and address sizes follow the CPU mode. */
	switch (mode) {
	case X86EMUL_MODE_REAL:
	case X86EMUL_MODE_VM86:
	case X86EMUL_MODE_PROT16:
		def_op_bytes = def_ad_bytes = 2;
		break;
	case X86EMUL_MODE_PROT32:
		def_op_bytes = def_ad_bytes = 4;
		break;
#ifdef CONFIG_X86_64
	case X86EMUL_MODE_PROT64:
		def_op_bytes = 4;
		def_ad_bytes = 8;
		break;
#endif
	default:
		return EMULATION_FAILED;
	}

	ctxt->op_bytes = def_op_bytes;
	ctxt->ad_bytes = def_ad_bytes;

	/* Legacy and REX prefixes. */
	for (;;) {
		switch (ctxt->b = insn_fetch(u8, ctxt)) {
		case 0x66:	/* operand-size override */
			op_prefix = true;
			/* toggles between 2 and 4 (2 ^ 6 == 4, 4 ^ 6 == 2) */
			ctxt->op_bytes = def_op_bytes ^ 6;
			break;
		case 0x67:	/* address-size override */
			if (mode == X86EMUL_MODE_PROT64)
				/* toggles between 4 and 8 */
				ctxt->ad_bytes = def_ad_bytes ^ 12;
			else
				/* toggles between 2 and 4 */
				ctxt->ad_bytes = def_ad_bytes ^ 6;
			break;
		case 0x26:	/* ES override */
		case 0x2e:	/* CS override */
		case 0x36:	/* SS override */
		case 0x3e:	/* DS override */
			/* (b >> 3) & 3 yields 0..3, i.e. ES..DS in the usual numbering. */
			set_seg_override(ctxt, (ctxt->b >> 3) & 3);
			break;
		case 0x64:	/* FS override */
		case 0x65:	/* GS override */
			set_seg_override(ctxt, ctxt->b & 7);
			break;
		case 0x40 ... 0x4f: /* REX */
			/* Outside 64-bit mode these bytes are opcodes (inc/dec), not prefixes. */
			if (mode != X86EMUL_MODE_PROT64)
				goto done_prefixes;
			ctxt->rex_prefix = ctxt->b;
			continue;
		case 0xf0:	/* LOCK */
			ctxt->lock_prefix = 1;
			break;
		case 0xf2:	/* REPNE/REPNZ */
		case 0xf3:	/* REP/REPE/REPZ */
			ctxt->rep_prefix = ctxt->b;
			break;
		default:
			goto done_prefixes;
		}

		/*
		 * Reached only after a legacy prefix: a REX prefix followed
		 * by a legacy prefix loses its effect (REX `continue`s past
		 * this reset).
		 */
		ctxt->rex_prefix = 0;
	}

done_prefixes:

	/* REX.W (bit 3) selects 64-bit operand size. */
	if (ctxt->rex_prefix & 8)
		ctxt->op_bytes = 8;

	/* Opcode byte(s): 0x0f escapes to the two-byte table. */
	opcode = opcode_table[ctxt->b];

	if (ctxt->b == 0x0f) {
		ctxt->twobyte = 1;
		ctxt->b = insn_fetch(u8, ctxt);
		opcode = twobyte_table[ctxt->b];
	}
	ctxt->d = opcode.flags;

	/* Resolve table indirections until an ordinary entry is reached. */
	while (ctxt->d & GroupMask) {
		switch (ctxt->d & GroupMask) {
		case Group:
			/* Peek at ModRM.reg: fetch the byte, then rewind so the ModRM decode below sees it again. */
			ctxt->modrm = insn_fetch(u8, ctxt);
			--ctxt->_eip;
			goffset = (ctxt->modrm >> 3) & 7;
			opcode = opcode.u.group[goffset];
			break;
		case GroupDual:
			ctxt->modrm = insn_fetch(u8, ctxt);
			--ctxt->_eip;
			goffset = (ctxt->modrm >> 3) & 7;
			/* Register form (mod == 3) and memory form use separate sub-tables. */
			if ((ctxt->modrm >> 6) == 3)
				opcode = opcode.u.gdual->mod3[goffset];
			else
				opcode = opcode.u.gdual->mod012[goffset];
			break;
		case RMExt:
			/*
			 * Selected by ModRM.rm; presumably only reachable
			 * from an enclosing Group/GroupDual entry, since
			 * ctxt->modrm is not fetched here -- confirm.
			 */
			goffset = ctxt->modrm & 7;
			opcode = opcode.u.group[goffset];
			break;
		case Prefix:
			/* Mandatory-prefix (SSE-style) opcode: 66 together with F2/F3 is invalid. */
			if (ctxt->rep_prefix && op_prefix)
				return EMULATION_FAILED;
			simd_prefix = op_prefix ? 0x66 : ctxt->rep_prefix;
			/* No default: rep_prefix is expected to be 0, 0xf2 or 0xf3 (set in the prefix loop above). */
			switch (simd_prefix) {
			case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
			case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
			case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
			case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
			}
			break;
		default:
			return EMULATION_FAILED;
		}

		/* The sub-entry's flags are OR-ed onto the parent's (minus the group bits). */
		ctxt->d &= ~(u64)GroupMask;
		ctxt->d |= opcode.flags;
	}

	ctxt->execute = opcode.u.execute;
	ctxt->check_perm = opcode.check_perm;
	ctxt->intercept = opcode.intercept;

	/* Unknown or explicitly undefined opcode: refuse rather than guess. */
	if (ctxt->d == 0 || (ctxt->d & Undefined))
		return EMULATION_FAILED;

	/* Caller asked for vendor-specific instructions only. */
	if (!(ctxt->d & VendorSpecific) && ctxt->only_vendor_specific_insn)
		return EMULATION_FAILED;

	/* Stack operations use 64-bit operands in long mode. */
	if (mode == X86EMUL_MODE_PROT64 && (ctxt->d & Stack))
		ctxt->op_bytes = 8;

	/* Op3264: 64-bit in long mode, 32-bit otherwise, regardless of prefixes. */
	if (ctxt->d & Op3264) {
		if (mode == X86EMUL_MODE_PROT64)
			ctxt->op_bytes = 8;
		else
			ctxt->op_bytes = 4;
	}

	/* SSE operands are 128 bits wide. */
	if (ctxt->d & Sse)
		ctxt->op_bytes = 16;

	/* ModRM/SIB/displacement, or a bare absolute address (MemAbs). */
	if (ctxt->d & ModRM) {
		rc = decode_modrm(ctxt, &ctxt->memop);
		/* The addressing form's implied segment applies unless a prefix chose one. */
		if (!ctxt->has_seg_override)
			set_seg_override(ctxt, ctxt->modrm_seg);
	} else if (ctxt->d & MemAbs)
		rc = decode_abs(ctxt, &ctxt->memop);
	if (rc != X86EMUL_CONTINUE)
		goto done;

	/* DS is the default segment when nothing else chose one. */
	if (!ctxt->has_seg_override)
		set_seg_override(ctxt, VCPU_SREG_DS);

	ctxt->memop.addr.mem.seg = seg_override(ctxt);

	/* Outside 64-bit addressing the effective address is at most 32 bits. */
	if (ctxt->memop.type == OP_MEM && ctxt->ad_bytes != 8)
		ctxt->memop.addr.mem.ea = (u32)ctxt->memop.addr.mem.ea;

	/*
	 * Operands are decoded in encoding order (src, src2, dst) because
	 * immediate kinds consume instruction bytes as they go.
	 */
	rc = decode_operand(ctxt, &ctxt->src, (ctxt->d >> SrcShift) & OpMask);
	if (rc != X86EMUL_CONTINUE)
		goto done;

	/* Second source operand (register, memory or immediate). */
	rc = decode_operand(ctxt, &ctxt->src2, (ctxt->d >> Src2Shift) & OpMask);
	if (rc != X86EMUL_CONTINUE)
		goto done;

	/* Destination operand (register or memory). */
	rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);

done:
	/*
	 * RIP-relative addresses are relative to the end of the instruction,
	 * so the fixup waits until every immediate has been fetched and
	 * _eip points past the last byte.  It also runs on the error path,
	 * where the result is discarded anyway.
	 */
	if (ctxt->memopp && ctxt->memopp->type == OP_MEM && ctxt->rip_relative)
		ctxt->memopp->addr.mem.ea += ctxt->_eip;

	return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
}
3925
/*
 * Report whether the instruction decoded into @ctxt is one the opcode
 * table marks as potentially writing page tables (the PageTable flag).
 */
bool x86_page_table_writing_insn(struct x86_emulate_ctxt *ctxt)
{
	const bool writes_page_table = (ctxt->d & PageTable) != 0;

	return writes_page_table;
}
3930
/*
 * Decide whether a REP-prefixed string instruction has to stop before its
 * count reaches zero.
 *
 * Only the comparing forms -- cmps (0xa6/0xa7) and scas (0xae/0xaf) --
 * terminate early: REPE stops once ZF is clear, REPNE once ZF is set.
 * Every other string instruction runs until the count is exhausted, so
 * this returns false for it.
 */
static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
{
	bool compares;
	bool zf_clear;
	bool zf_set;

	compares = ctxt->b == 0xa6 || ctxt->b == 0xa7 ||
		   ctxt->b == 0xae || ctxt->b == 0xaf;
	if (!compares)
		return false;

	zf_clear = (ctxt->eflags & EFLG_ZF) == 0;
	zf_set = (ctxt->eflags & EFLG_ZF) == EFLG_ZF;

	if (ctxt->rep_prefix == REPE_PREFIX && zf_clear)
		return true;
	if (ctxt->rep_prefix == REPNE_PREFIX && zf_set)
		return true;

	return false;
}
3950
/*
 * Execute the instruction previously decoded by x86_decode_insn().
 *
 * The order of the prologue is the security-relevant part: every refusal
 * (#UD for No64 / an illegal LOCK / missing SSE enablement, #NM for
 * CR0.TS, nested-guest intercepts, #GP(0) for a privileged instruction at
 * CPL > 0, #UD outside protected mode, and the per-opcode check_perm hook)
 * runs before any guest memory operand is read, so a rejected instruction
 * leaves no memory side effects.  Only then are the operands fetched, the
 * instruction executed (the table's execute callback or one of the inline
 * switches below), the result written back, and ctxt->eip advanced.
 *
 * Returns EMULATION_OK, EMULATION_FAILED (for X86EMUL_UNHANDLEABLE or a
 * cannot_emulate opcode), EMULATION_INTERCEPTED, or EMULATION_RESTART for
 * a REP string instruction that should be re-entered for its next
 * iteration.  A fault to inject is flagged through ctxt->have_exception.
 */
int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	int rc = X86EMUL_CONTINUE;
	/* Restored after writeback() so a REP iteration sees the decoded type again. */
	int saved_dst_type = ctxt->dst.type;

	/* Rewind the memory read cache cursor for this entry. */
	ctxt->mem_read.pos = 0;

	/* Instructions that do not exist in 64-bit mode raise #UD there. */
	if (ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) {
		rc = emulate_ud(ctxt);
		goto done;
	}

	/* LOCK is legal only on lockable instructions with a memory destination. */
	if (ctxt->lock_prefix && (!(ctxt->d & Lock) || ctxt->dst.type != OP_MEM)) {
		rc = emulate_ud(ctxt);
		goto done;
	}

	/* A far-pointer source must come from memory; the register form is #UD. */
	if ((ctxt->d & SrcMask) == SrcMemFAddr && ctxt->src.type != OP_MEM) {
		rc = emulate_ud(ctxt);
		goto done;
	}

	/* SSE is #UD while CR0.EM is set or CR4.OSFXSR is clear ... */
	if ((ctxt->d & Sse)
	    && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)
		|| !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
		rc = emulate_ud(ctxt);
		goto done;
	}

	/* ... and #NM while CR0.TS is set. */
	if ((ctxt->d & Sse) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
		rc = emulate_nm(ctxt);
		goto done;
	}

	/* Nested virtualization: give the outer hypervisor a chance to intercept before exception checks. */
	if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
		rc = emulator_check_intercept(ctxt, ctxt->intercept,
					      X86_ICPT_PRE_EXCEPT);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}

	/* Privileged instruction executed at CPL > 0: #GP with error code 0. */
	if ((ctxt->d & Priv) && ops->cpl(ctxt)) {
		rc = emulate_gp(ctxt, 0);
		goto done;
	}

	/* Protected-mode-only instruction outside protected mode: #UD. */
	if ((ctxt->d & Prot) && !(ctxt->mode & X86EMUL_MODE_PROT)) {
		rc = emulate_ud(ctxt);
		goto done;
	}

	/* Per-opcode permission hook from the opcode table (its body is not visible here). */
	if (ctxt->check_perm) {
		rc = ctxt->check_perm(ctxt);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}

	/* Second intercept point, after the exception checks. */
	if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
		rc = emulator_check_intercept(ctxt, ctxt->intercept,
					      X86_ICPT_POST_EXCEPT);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}

	if (ctxt->rep_prefix && (ctxt->d & String)) {
		/* REP with a zero count is a no-op: commit eip and skip the instruction. */
		if (address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) == 0) {
			ctxt->eip = ctxt->_eip;
			goto done;
		}
	}

	/* Read the source operand from guest memory; NoAccess instructions only use the address. */
	if ((ctxt->src.type == OP_MEM) && !(ctxt->d & NoAccess)) {
		rc = segmented_read(ctxt, ctxt->src.addr.mem,
				    ctxt->src.valptr, ctxt->src.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		ctxt->src.orig_val64 = ctxt->src.val64;
	}

	/* Second source operand, if it lives in memory. */
	if (ctxt->src2.type == OP_MEM) {
		rc = segmented_read(ctxt, ctxt->src2.addr.mem,
				    &ctxt->src2.val, ctxt->src2.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}

	/* Implicit-operand instructions manage their own destination. */
	if ((ctxt->d & DstMask) == ImplicitOps)
		goto special_insn;

	/* A memory destination is read first for read-modify-write; pure moves (Mov) skip the read. */
	if ((ctxt->dst.type == OP_MEM) && !(ctxt->d & Mov)) {
		rc = segmented_read(ctxt, ctxt->dst.addr.mem,
				    &ctxt->dst.val, ctxt->dst.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}
	ctxt->dst.orig_val = ctxt->dst.val;

special_insn:

	/* Third intercept point, after all memory operands have been read. */
	if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
		rc = emulator_check_intercept(ctxt, ctxt->intercept,
					      X86_ICPT_POST_MEMACCESS);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}

	/* Table-driven handler, when the opcode has one. */
	if (ctxt->execute) {
		rc = ctxt->execute(ctxt);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		goto writeback;
	}

	if (ctxt->twobyte)
		goto twobyte_insn;

	/* One-byte opcodes without a table handler. */
	switch (ctxt->b) {
	case 0x40 ... 0x47: /* inc r16/r32 */
		emulate_1op(ctxt, "inc");
		break;
	case 0x48 ... 0x4f: /* dec r16/r32 */
		emulate_1op(ctxt, "dec");
		break;
	case 0x63:		/* movsxd (x86/64) */
		/* Outside long mode 0x63 is a different instruction (arpl), not emulated here. */
		if (ctxt->mode != X86EMUL_MODE_PROT64)
			goto cannot_emulate;
		ctxt->dst.val = (s32) ctxt->src.val;
		break;
	case 0x70 ... 0x7f: /* jcc (short displacement) */
		if (test_cc(ctxt->b, ctxt->eflags))
			jmp_rel(ctxt, ctxt->src.val);
		break;
	case 0x8d: /* lea r16/r32, m */
		ctxt->dst.val = ctxt->src.addr.mem.ea;
		break;
	case 0x90 ... 0x97: /* nop / xchg reg, rax */
		/* xchg rax, rax is a nop */
		if (ctxt->dst.addr.reg == &ctxt->regs[VCPU_REGS_RAX])
			break;
		rc = em_xchg(ctxt);
		break;
	case 0x98: /* cbw/cwde/cdqe: sign-extend the lower half of the accumulator */
		switch (ctxt->op_bytes) {
		case 2: ctxt->dst.val = (s8)ctxt->dst.val; break;
		case 4: ctxt->dst.val = (s16)ctxt->dst.val; break;
		case 8: ctxt->dst.val = (s32)ctxt->dst.val; break;
		}
		break;
	case 0xc0 ... 0xc1: /* Grp2 (shift/rotate), imm8 count */
		rc = em_grp2(ctxt);
		break;
	case 0xcc:		/* int3 */
		rc = emulate_int(ctxt, 3);
		break;
	case 0xcd:		/* int n */
		rc = emulate_int(ctxt, ctxt->src.val);
		break;
	case 0xce:		/* into */
		if (ctxt->eflags & EFLG_OF)
			rc = emulate_int(ctxt, 4);
		break;
	case 0xd0 ... 0xd1: /* Grp2, count of 1 */
		rc = em_grp2(ctxt);
		break;
	case 0xd2 ... 0xd3: /* Grp2, count in CL */
		ctxt->src.val = ctxt->regs[VCPU_REGS_RCX];
		rc = em_grp2(ctxt);
		break;
	case 0xe9: /* jmp rel */
	case 0xeb: /* jmp rel short */
		jmp_rel(ctxt, ctxt->src.val);
		/* Nothing to write back. */
		ctxt->dst.type = OP_NONE;
		break;
	case 0xf4:	      /* hlt */
		/* Any CPL restriction is expected to come from the Priv flag checked above; the table is not visible here. */
		ctxt->ops->halt(ctxt);
		break;
	case 0xf5:	/* cmc */
		/* complement carry flag */
		ctxt->eflags ^= EFLG_CF;
		break;
	case 0xf8: /* clc */
		ctxt->eflags &= ~EFLG_CF;
		break;
	case 0xf9: /* stc */
		ctxt->eflags |= EFLG_CF;
		break;
	case 0xfc: /* cld */
		ctxt->eflags &= ~EFLG_DF;
		break;
	case 0xfd: /* std */
		ctxt->eflags |= EFLG_DF;
		break;
	default:
		goto cannot_emulate;
	}

	if (rc != X86EMUL_CONTINUE)
		goto done;

writeback:
	rc = writeback(ctxt);
	if (rc != X86EMUL_CONTINUE)
		goto done;

	/*
	 * Restore the decoded destination type: writeback() may have
	 * altered it (its body is not visible here), and a REP iteration
	 * restarted below must start from the decoded state.
	 */
	ctxt->dst.type = saved_dst_type;

	/* String instructions: step rSI/rDI past the operand just processed. */
	if ((ctxt->d & SrcMask) == SrcSI)
		string_addr_inc(ctxt, seg_override(ctxt),
				VCPU_REGS_RSI, &ctxt->src);

	if ((ctxt->d & DstMask) == DstDI)
		string_addr_inc(ctxt, VCPU_SREG_ES, VCPU_REGS_RDI,
				&ctxt->dst);

	if (ctxt->rep_prefix && (ctxt->d & String)) {
		struct read_cache *r = &ctxt->io_read;
		register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RCX], -1);

		if (!string_insn_completed(ctxt)) {
			/*
			 * Re-enter for the next iteration unless either
			 * (a) no I/O read-ahead is in use (r->end == 0) and
			 * the count has reached a multiple of 1024, which
			 * returns to the caller so a long REP is not run to
			 * completion in one go, or (b) the read-ahead buffer
			 * has been consumed (r->pos == r->end) and needs a
			 * refill.  Both of those take the `goto done` path.
			 */
			if ((r->end != 0 || ctxt->regs[VCPU_REGS_RCX] & 0x3ff) &&
			    (r->end == 0 || r->end != r->pos)) {
				/*
				 * Reset the memory read cache for the next
				 * iteration.  eip is deliberately left at
				 * the instruction start so the same
				 * instruction is executed again.
				 */
				ctxt->mem_read.end = 0;
				return EMULATION_RESTART;
			}
			goto done;
		}
	}

	/* Commit: the instruction completed, advance the architectural eip. */
	ctxt->eip = ctxt->_eip;

done:
	/* A fault raised on the emulation path is delivered to the guest by the caller. */
	if (rc == X86EMUL_PROPAGATE_FAULT)
		ctxt->have_exception = true;
	if (rc == X86EMUL_INTERCEPTED)
		return EMULATION_INTERCEPTED;

	return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;

twobyte_insn:
	/* Two-byte (0x0f xx) opcodes without a table handler; reached only via the goto above. */
	switch (ctxt->b) {
	case 0x09:		/* wbinvd */
		(ctxt->ops->wbinvd)(ctxt);
		break;
	case 0x08:		/* invd -- treated as a no-op here */
	case 0x0d:		/* GrpP (prefetch) */
	case 0x18:		/* Grp16 (prefetch/nop) */
		break;
	case 0x20: /* mov cr, reg */
		/* Privilege enforcement is expected from the Priv flag / check_perm hook above. */
		ctxt->dst.val = ops->get_cr(ctxt, ctxt->modrm_reg);
		break;
	case 0x21: /* mov from dr to reg */
		ops->get_dr(ctxt, ctxt->modrm_reg, &ctxt->dst.val);
		break;
	case 0x40 ... 0x4f:	/* cmov */
		ctxt->dst.val = ctxt->dst.orig_val = ctxt->src.val;
		/*
		 * Condition false: suppress the write entirely.
		 * NOTE(review): a 32-bit cmov in 64-bit mode zero-extends
		 * the destination register even when the condition is
		 * false; whether that case is covered elsewhere is not
		 * visible here -- confirm.
		 */
		if (!test_cc(ctxt->b, ctxt->eflags))
			ctxt->dst.type = OP_NONE;
		break;
	case 0x80 ... 0x8f: /* jcc (near displacement) */
		if (test_cc(ctxt->b, ctxt->eflags))
			jmp_rel(ctxt, ctxt->src.val);
		break;
	case 0x90 ... 0x9f:     /* setcc r/m8 */
		ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
		break;
	case 0xa4: /* shld imm8, r, r/m */
	case 0xa5: /* shld cl, r, r/m */
		emulate_2op_cl(ctxt, "shld");
		break;
	case 0xac: /* shrd imm8, r, r/m */
	case 0xad: /* shrd cl, r, r/m */
		emulate_2op_cl(ctxt, "shrd");
		break;
	case 0xae:              /* clflush */
		break;
	case 0xb6 ... 0xb7:	/* movzx */
		ctxt->dst.bytes = ctxt->op_bytes;
		ctxt->dst.val = (ctxt->d & ByteOp) ? (u8) ctxt->src.val
						       : (u16) ctxt->src.val;
		break;
	case 0xbe ... 0xbf:	/* movsx */
		ctxt->dst.bytes = ctxt->op_bytes;
		ctxt->dst.val = (ctxt->d & ByteOp) ? (s8) ctxt->src.val :
							(s16) ctxt->src.val;
		break;
	case 0xc0 ... 0xc1:	/* xadd */
		emulate_2op_SrcV(ctxt, "add");
		/* Write the old destination value back into the register source. */
		ctxt->src.val = ctxt->dst.orig_val;
		write_register_operand(&ctxt->src);
		break;
	case 0xc3:		/* movnti */
		ctxt->dst.bytes = ctxt->op_bytes;
		ctxt->dst.val = (ctxt->op_bytes == 4) ? (u32) ctxt->src.val :
							(u64) ctxt->src.val;
		break;
	default:
		goto cannot_emulate;
	}

	if (rc != X86EMUL_CONTINUE)
		goto done;

	goto writeback;

cannot_emulate:
	/* No exception is injected and eip is not advanced; the caller decides what to do. */
	return EMULATION_FAILED;
}
4279