/******************************************************************************
 * emulate.c
 *
 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
 *
 * Copyright (c) 2005 Keir Fraser
 *
 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
 * privileged instructions:
 *
 * Copyright (C) 2006 Qumranet
 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
 *
 *   Avi Kivity <avi@qumranet.com>
 *   Yaniv Kamay <yaniv@qumranet.com>
 *
 * This work is licensed under the terms of the GNU GPL, version 2.  See
 * the COPYING file in the top-level directory.
 *
 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
 */

#include <linux/kvm_host.h>
#include "kvm_cache_regs.h"
#include <linux/module.h>
#include <asm/kvm_emulate.h>

#include "x86.h"
#include "tss.h"

/*
 * Operand types
 */
#define OpNone             0ull
#define OpImplicit         1ull  /* No generic decode */
#define OpReg              2ull  /* Register */
#define OpMem              3ull  /* Memory */
#define OpAcc              4ull  /* Accumulator: AL/AX/EAX/RAX */
#define OpDI               5ull  /* ES:DI/EDI/RDI */
#define OpMem64            6ull  /* Memory, 64-bit */
#define OpImmUByte         7ull  /* Zero-extended 8-bit immediate */
#define OpDX               8ull  /* DX register */
#define OpCL               9ull  /* CL register (for shifts) */
#define OpImmByte         10ull  /* 8-bit sign extended immediate */
#define OpOne             11ull  /* Implied 1 */
#define OpImm             12ull  /* Sign extended immediate */
#define OpMem16           13ull  /* Memory operand (16-bit). */
#define OpMem32           14ull  /* Memory operand (32-bit). */
#define OpImmU            15ull  /* Immediate operand, zero extended */
#define OpSI              16ull  /* SI/ESI/RSI */
#define OpImmFAddr        17ull  /* Immediate far address */
#define OpMemFAddr        18ull  /* Far address in memory */
#define OpImmU16          19ull  /* Immediate operand, 16 bits, zero extended */
#define OpES              20ull  /* ES */
#define OpCS              21ull  /* CS */
#define OpSS              22ull  /* SS */
#define OpDS              23ull  /* DS */
#define OpFS              24ull  /* FS */
#define OpGS              25ull  /* GS */
#define OpMem8            26ull  /* 8-bit zero extended memory operand */

#define OpBits             5  /* Width of operand field */
#define OpMask             ((1ull << OpBits) - 1)

/*
 * Opcode effective-address decode tables.
 * Note that we only emulate instructions that have at least one memory
 * operand (excluding implicit stack references). We assume that stack
 * references and instruction fetches will never occur in special memory
 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
 * not be handled.
 */

/* Operand sizes: 8-bit operands or specified/overridden size. */
#define ByteOp      (1<<0)	/* 8-bit operands. */
/* Destination operand type. */
#define DstShift    1
#define ImplicitOps (OpImplicit << DstShift)
#define DstReg      (OpReg << DstShift)
#define DstMem      (OpMem << DstShift)
#define DstAcc      (OpAcc << DstShift)
#define DstDI       (OpDI << DstShift)
#define DstMem64    (OpMem64 << DstShift)
#define DstImmUByte (OpImmUByte << DstShift)
#define DstDX       (OpDX << DstShift)
#define DstMask     (OpMask << DstShift)
/* Source operand type. */
#define SrcShift    6
#define SrcNone     (OpNone << SrcShift)
#define SrcReg      (OpReg << SrcShift)
#define SrcMem      (OpMem << SrcShift)
#define SrcMem16    (OpMem16 << SrcShift)
#define SrcMem32    (OpMem32 << SrcShift)
#define SrcImm      (OpImm << SrcShift)
#define SrcImmByte  (OpImmByte << SrcShift)
#define SrcOne      (OpOne << SrcShift)
#define SrcImmUByte (OpImmUByte << SrcShift)
#define SrcImmU     (OpImmU << SrcShift)
#define SrcSI       (OpSI << SrcShift)
#define SrcImmFAddr (OpImmFAddr << SrcShift)
#define SrcMemFAddr (OpMemFAddr << SrcShift)
#define SrcAcc      (OpAcc << SrcShift)
#define SrcImmU16   (OpImmU16 << SrcShift)
#define SrcDX       (OpDX << SrcShift)
#define SrcMem8     (OpMem8 << SrcShift)
#define SrcMask     (OpMask << SrcShift)
#define BitOp       (1<<11)
#define MemAbs      (1<<12)      /* Memory operand is absolute displacement */
#define String      (1<<13)     /* String instruction (rep capable) */
#define Stack       (1<<14)     /* Stack instruction (push/pop) */
#define GroupMask   (7<<15)     /* Opcode uses one of the group mechanisms */
#define Group       (1<<15)     /* Bits 3:5 of modrm byte extend opcode */
#define GroupDual   (2<<15)     /* Alternate decoding of mod == 3 */
#define Prefix      (3<<15)     /* Instruction varies with 66/f2/f3 prefix */
#define RMExt       (4<<15)     /* Opcode extension in ModRM r/m if mod == 3 */
#define Sse         (1<<18)     /* SSE Vector instruction */
/* Generic ModRM decode. */
#define ModRM       (1<<19)
/* Destination is only written; never read. */
#define Mov         (1<<20)
/* Misc flags */
#define Prot        (1<<21) /* instruction generates #UD if not in prot-mode */
#define VendorSpecific (1<<22) /* Vendor specific instruction */
#define NoAccess    (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
#define Op3264      (1<<24) /* Operand is 64b in long mode, 32b otherwise */
#define Undefined   (1<<25) /* No Such Instruction */
#define Lock        (1<<26) /* lock prefix is allowed for the instruction */
#define Priv        (1<<27) /* instruction generates #GP if current CPL != 0 */
#define No64	    (1<<28)
#define PageTable   (1 << 29)   /* instruction used to write page table */
/* Source 2 operand type */
#define Src2Shift   (30)
#define Src2None    (OpNone << Src2Shift)
#define Src2CL      (OpCL << Src2Shift)
#define Src2ImmByte (OpImmByte << Src2Shift)
#define Src2One     (OpOne << Src2Shift)
#define Src2Imm     (OpImm << Src2Shift)
#define Src2ES      (OpES << Src2Shift)
#define Src2CS      (OpCS << Src2Shift)
#define Src2SS      (OpSS << Src2Shift)
#define Src2DS      (OpDS << Src2Shift)
#define Src2FS      (OpFS << Src2Shift)
#define Src2GS      (OpGS << Src2Shift)
#define Src2Mask    (OpMask << Src2Shift)
#define Mmx         ((u64)1 << 40)  /* MMX Vector instruction */
#define Aligned     ((u64)1 << 41)  /* Explicitly aligned (e.g. MOVDQA) */
#define Unaligned   ((u64)1 << 42)  /* Explicitly unaligned (e.g. MOVDQU) */
#define Avx         ((u64)1 << 43)  /* Advanced Vector Extensions */
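
/*
 * Illustrative sketch (not used by the code below): the operand types
 * above are packed into the 56-bit opcode flags, so a table entry
 * declared as, say, DstMem | SrcReg | ModRM can be unpacked again with
 * the matching shift and OpMask:
 *
 *	u64 flags = DstMem | SrcReg | ModRM;
 *	unsigned dsttype = (flags >> DstShift) & OpMask;	(== OpMem)
 *	unsigned srctype = (flags >> SrcShift) & OpMask;	(== OpReg)
 */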

#define X2(x...) x, x
#define X3(x...) X2(x), x
#define X4(x...) X2(x), X2(x)
#define X5(x...) X4(x), x
#define X6(x...) X4(x), X2(x)
#define X7(x...) X4(x), X3(x)
#define X8(x...) X4(x), X4(x)
#define X16(x...) X8(x), X8(x)

struct opcode {
	u64 flags : 56;
	u64 intercept : 8;
	union {
		int (*execute)(struct x86_emulate_ctxt *ctxt);
		struct opcode *group;
		struct group_dual *gdual;
		struct gprefix *gprefix;
	} u;
	int (*check_perm)(struct x86_emulate_ctxt *ctxt);
};

struct group_dual {
	struct opcode mod012[8];
	struct opcode mod3[8];
};

struct gprefix {
	struct opcode pfx_no;
	struct opcode pfx_66;
	struct opcode pfx_f2;
	struct opcode pfx_f3;
};
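
/*
 * Rough sketch of how the decoder is expected to use the structures
 * above (the selection logic lives in the decode path, not here): an
 * opcode marked Group indexes u.group[] with the ModRM reg field
 * (bits 5:3); a GroupDual entry uses gdual->mod3[] when the ModRM mod
 * field is 3 and gdual->mod012[] otherwise; a Prefix entry picks
 * pfx_no/pfx_66/pfx_f2/pfx_f3 according to the last 66/f2/f3 prefix.
 */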

/* EFLAGS bit definitions. */
#define EFLG_ID (1<<21)
#define EFLG_VIP (1<<20)
#define EFLG_VIF (1<<19)
#define EFLG_AC (1<<18)
#define EFLG_VM (1<<17)
#define EFLG_RF (1<<16)
#define EFLG_IOPL (3<<12)
#define EFLG_NT (1<<14)
#define EFLG_OF (1<<11)
#define EFLG_DF (1<<10)
#define EFLG_IF (1<<9)
#define EFLG_TF (1<<8)
#define EFLG_SF (1<<7)
#define EFLG_ZF (1<<6)
#define EFLG_AF (1<<4)
#define EFLG_PF (1<<2)
#define EFLG_CF (1<<0)

#define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
#define EFLG_RESERVED_ONE_MASK 2

/*
 * Instruction emulation:
 * Most instructions are emulated directly via a fragment of inline assembly
 * code. This allows us to save/restore EFLAGS and thus very easily pick up
 * any modified flags.
 */

#if defined(CONFIG_X86_64)
#define _LO32 "k"		/* force 32-bit operand */
#define _STK  "%%rsp"		/* stack pointer */
#elif defined(__i386__)
#define _LO32 ""		/* force 32-bit operand */
#define _STK  "%%esp"		/* stack pointer */
#endif

/*
 * These EFLAGS bits are restored from saved value during emulation, and
 * any changes are written back to the saved value after emulation.
 */
#define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)

/* Before executing instruction: restore necessary bits in EFLAGS. */
#define _PRE_EFLAGS(_sav, _msk, _tmp)					\
	/* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
	"movl %"_sav",%"_LO32 _tmp"; "                                  \
	"push %"_tmp"; "                                                \
	"push %"_tmp"; "                                                \
	"movl %"_msk",%"_LO32 _tmp"; "                                  \
	"andl %"_LO32 _tmp",("_STK"); "                                 \
	"pushf; "                                                       \
	"notl %"_LO32 _tmp"; "                                          \
	"andl %"_LO32 _tmp",("_STK"); "                                 \
	"andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); "	\
	"pop  %"_tmp"; "                                                \
	"orl  %"_LO32 _tmp",("_STK"); "                                 \
	"popf; "                                                        \
	"pop  %"_sav"; "

/* After executing instruction: write-back necessary bits in EFLAGS. */
#define _POST_EFLAGS(_sav, _msk, _tmp) \
	/* _sav |= EFLAGS & _msk; */		\
	"pushf; "				\
	"pop  %"_tmp"; "			\
	"andl %"_msk",%"_LO32 _tmp"; "		\
	"orl  %"_LO32 _tmp",%"_sav"; "

#ifdef CONFIG_X86_64
#define ON64(x) x
#else
#define ON64(x)
#endif

#define ____emulate_2op(ctxt, _op, _x, _y, _suffix, _dsttype)	\
	do {								\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "4", "2")			\
			_op _suffix " %"_x"3,%1; "			\
			_POST_EFLAGS("0", "4", "2")			\
			: "=m" ((ctxt)->eflags),			\
			  "+q" (*(_dsttype*)&(ctxt)->dst.val),		\
			  "=&r" (_tmp)					\
			: _y ((ctxt)->src.val), "i" (EFLAGS_MASK));	\
	} while (0)


/* Raw emulation: instruction has two explicit operands. */
#define __emulate_2op_nobyte(ctxt,_op,_wx,_wy,_lx,_ly,_qx,_qy)		\
	do {								\
		unsigned long _tmp;					\
									\
		switch ((ctxt)->dst.bytes) {				\
		case 2:							\
			____emulate_2op(ctxt,_op,_wx,_wy,"w",u16);	\
			break;						\
		case 4:							\
			____emulate_2op(ctxt,_op,_lx,_ly,"l",u32);	\
			break;						\
		case 8:							\
			ON64(____emulate_2op(ctxt,_op,_qx,_qy,"q",u64)); \
			break;						\
		}							\
	} while (0)

#define __emulate_2op(ctxt,_op,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy)		     \
	do {								     \
		unsigned long _tmp;					     \
		switch ((ctxt)->dst.bytes) {				     \
		case 1:							     \
			____emulate_2op(ctxt,_op,_bx,_by,"b",u8);	     \
			break;						     \
		default:						     \
			__emulate_2op_nobyte(ctxt, _op,			     \
					     _wx, _wy, _lx, _ly, _qx, _qy);  \
			break;						     \
		}							     \
	} while (0)

/* Source operand is byte-sized and may be restricted to just %cl. */
#define emulate_2op_SrcB(ctxt, _op)					\
	__emulate_2op(ctxt, _op, "b", "c", "b", "c", "b", "c", "b", "c")

/* Source operand is byte, word, long or quad sized. */
#define emulate_2op_SrcV(ctxt, _op)					\
	__emulate_2op(ctxt, _op, "b", "q", "w", "r", _LO32, "r", "", "r")

/* Source operand is word, long or quad sized. */
#define emulate_2op_SrcV_nobyte(ctxt, _op)				\
	__emulate_2op_nobyte(ctxt, _op, "w", "r", _LO32, "r", "", "r")
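
/*
 * Usage sketch (a hypothetical handler, not one of the real opcode
 * routines): an arithmetic handler only names the mnemonic and lets the
 * macros above pick the operand width from ctxt->dst.bytes:
 *
 *	static int em_example_add(struct x86_emulate_ctxt *ctxt)
 *	{
 *		emulate_2op_SrcV(ctxt, "add");
 *		return X86EMUL_CONTINUE;
 *	}
 *
 * The inline asm in ____emulate_2op restores the guest's arithmetic
 * flags with _PRE_EFLAGS, executes the single "add" instruction on
 * ctxt->dst.val and ctxt->src.val, and copies the resulting flags back
 * into ctxt->eflags with _POST_EFLAGS.
 */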

/* Instruction has three operands and one operand is stored in ECX register */
#define __emulate_2op_cl(ctxt, _op, _suffix, _type)		\
	do {								\
		unsigned long _tmp;					\
		_type _clv  = (ctxt)->src2.val;				\
		_type _srcv = (ctxt)->src.val;				\
		_type _dstv = (ctxt)->dst.val;				\
									\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "5", "2")			\
			_op _suffix " %4,%1 \n"				\
			_POST_EFLAGS("0", "5", "2")			\
			: "=m" ((ctxt)->eflags), "+r" (_dstv), "=&r" (_tmp) \
			: "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK)	\
			);						\
									\
		(ctxt)->src2.val  = (unsigned long) _clv;		\
		(ctxt)->src.val = (unsigned long) _srcv;		\
		(ctxt)->dst.val = (unsigned long) _dstv;		\
	} while (0)

#define emulate_2op_cl(ctxt, _op)					\
	do {								\
		switch ((ctxt)->dst.bytes) {				\
		case 2:							\
			__emulate_2op_cl(ctxt, _op, "w", u16);		\
			break;						\
		case 4:							\
			__emulate_2op_cl(ctxt, _op, "l", u32);		\
			break;						\
		case 8:							\
			ON64(__emulate_2op_cl(ctxt, _op, "q", ulong));	\
			break;						\
		}							\
	} while (0)

#define __emulate_1op(ctxt, _op, _suffix)				\
	do {								\
		unsigned long _tmp;					\
									\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "3", "2")			\
			_op _suffix " %1; "				\
			_POST_EFLAGS("0", "3", "2")			\
			: "=m" ((ctxt)->eflags), "+m" ((ctxt)->dst.val), \
			  "=&r" (_tmp)					\
			: "i" (EFLAGS_MASK));				\
	} while (0)

/* Instruction has only one explicit operand (no source operand). */
#define emulate_1op(ctxt, _op)						\
	do {								\
		switch ((ctxt)->dst.bytes) {				\
		case 1:	__emulate_1op(ctxt, _op, "b"); break;		\
		case 2:	__emulate_1op(ctxt, _op, "w"); break;		\
		case 4:	__emulate_1op(ctxt, _op, "l"); break;		\
		case 8:	ON64(__emulate_1op(ctxt, _op, "q")); break;	\
		}							\
	} while (0)

#define __emulate_1op_rax_rdx(ctxt, _op, _suffix, _ex)			\
	do {								\
		unsigned long _tmp;					\
		ulong *rax = &(ctxt)->regs[VCPU_REGS_RAX];		\
		ulong *rdx = &(ctxt)->regs[VCPU_REGS_RDX];		\
									\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "5", "1")			\
			"1: \n\t"					\
			_op _suffix " %6; "				\
			"2: \n\t"					\
			_POST_EFLAGS("0", "5", "1")			\
			".pushsection .fixup,\"ax\" \n\t"		\
			"3: movb $1, %4 \n\t"				\
			"jmp 2b \n\t"					\
			".popsection \n\t"				\
			_ASM_EXTABLE(1b, 3b)				\
			: "=m" ((ctxt)->eflags), "=&r" (_tmp),		\
			  "+a" (*rax), "+d" (*rdx), "+qm"(_ex)		\
			: "i" (EFLAGS_MASK), "m" ((ctxt)->src.val),	\
			  "a" (*rax), "d" (*rdx));			\
	} while (0)

/* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
#define emulate_1op_rax_rdx(ctxt, _op, _ex)	\
	do {								\
		switch((ctxt)->src.bytes) {				\
		case 1:							\
			__emulate_1op_rax_rdx(ctxt, _op, "b", _ex);	\
			break;						\
		case 2:							\
			__emulate_1op_rax_rdx(ctxt, _op, "w", _ex);	\
			break;						\
		case 4:							\
			__emulate_1op_rax_rdx(ctxt, _op, "l", _ex);	\
			break;						\
		case 8: ON64(						\
			__emulate_1op_rax_rdx(ctxt, _op, "q", _ex));	\
			break;						\
		}							\
	} while (0)

static int emulator_check_intercept(struct x86_emulate_ctxt *ctxt,
				    enum x86_intercept intercept,
				    enum x86_intercept_stage stage)
{
	struct x86_instruction_info info = {
		.intercept  = intercept,
		.rep_prefix = ctxt->rep_prefix,
		.modrm_mod  = ctxt->modrm_mod,
		.modrm_reg  = ctxt->modrm_reg,
		.modrm_rm   = ctxt->modrm_rm,
		.src_val    = ctxt->src.val64,
		.src_bytes  = ctxt->src.bytes,
		.dst_bytes  = ctxt->dst.bytes,
		.ad_bytes   = ctxt->ad_bytes,
		.next_rip   = ctxt->eip,
	};

	return ctxt->ops->intercept(ctxt, &info, stage);
}

static void assign_masked(ulong *dest, ulong src, ulong mask)
{
	*dest = (*dest & ~mask) | (src & mask);
}

static inline unsigned long ad_mask(struct x86_emulate_ctxt *ctxt)
{
	return (1UL << (ctxt->ad_bytes << 3)) - 1;
}

static ulong stack_mask(struct x86_emulate_ctxt *ctxt)
{
	u16 sel;
	struct desc_struct ss;

	if (ctxt->mode == X86EMUL_MODE_PROT64)
		return ~0UL;
	ctxt->ops->get_segment(ctxt, &sel, &ss, NULL, VCPU_SREG_SS);
	return ~0U >> ((ss.d ^ 1) * 16);  /* d=0: 0xffff; d=1: 0xffffffff */
}

/* Access/update address held in a register, based on addressing mode. */
static inline unsigned long
address_mask(struct x86_emulate_ctxt *ctxt, unsigned long reg)
{
	if (ctxt->ad_bytes == sizeof(unsigned long))
		return reg;
	else
		return reg & ad_mask(ctxt);
}

static inline unsigned long
register_address(struct x86_emulate_ctxt *ctxt, unsigned long reg)
{
	return address_mask(ctxt, reg);
}

static inline void
register_address_increment(struct x86_emulate_ctxt *ctxt, unsigned long *reg, int inc)
{
	if (ctxt->ad_bytes == sizeof(unsigned long))
		*reg += inc;
	else
		*reg = (*reg & ~ad_mask(ctxt)) | ((*reg + inc) & ad_mask(ctxt));
}

static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
{
	register_address_increment(ctxt, &ctxt->_eip, rel);
}
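
/*
 * Worked example of the address-size masking above (illustration only):
 * with a 16-bit address size (ctxt->ad_bytes == 2), ad_mask() is 0xffff,
 * so register_address_increment() on a register holding 0x1234ffff with
 * inc == 1 leaves the upper bits alone and wraps the low word, giving
 * 0x12340000; jmp_rel() relies on the same wrap-around for ctxt->_eip.
 */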

static u32 desc_limit_scaled(struct desc_struct *desc)
{
	u32 limit = get_desc_limit(desc);

	return desc->g ? (limit << 12) | 0xfff : limit;
}

static void set_seg_override(struct x86_emulate_ctxt *ctxt, int seg)
{
	ctxt->has_seg_override = true;
	ctxt->seg_override = seg;
}

static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
{
	if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
		return 0;

	return ctxt->ops->get_cached_segment_base(ctxt, seg);
}

static unsigned seg_override(struct x86_emulate_ctxt *ctxt)
{
	if (!ctxt->has_seg_override)
		return 0;

	return ctxt->seg_override;
}

static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
			     u32 error, bool valid)
{
	ctxt->exception.vector = vec;
	ctxt->exception.error_code = error;
	ctxt->exception.error_code_valid = valid;
	return X86EMUL_PROPAGATE_FAULT;
}

static int emulate_db(struct x86_emulate_ctxt *ctxt)
{
	return emulate_exception(ctxt, DB_VECTOR, 0, false);
}

static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
{
	return emulate_exception(ctxt, GP_VECTOR, err, true);
}

static int emulate_ss(struct x86_emulate_ctxt *ctxt, int err)
{
	return emulate_exception(ctxt, SS_VECTOR, err, true);
}

static int emulate_ud(struct x86_emulate_ctxt *ctxt)
{
	return emulate_exception(ctxt, UD_VECTOR, 0, false);
}

static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
{
	return emulate_exception(ctxt, TS_VECTOR, err, true);
}

static int emulate_de(struct x86_emulate_ctxt *ctxt)
{
	return emulate_exception(ctxt, DE_VECTOR, 0, false);
}

static int emulate_nm(struct x86_emulate_ctxt *ctxt)
{
	return emulate_exception(ctxt, NM_VECTOR, 0, false);
}

static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
{
	u16 selector;
	struct desc_struct desc;

	ctxt->ops->get_segment(ctxt, &selector, &desc, NULL, seg);
	return selector;
}

static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
				 unsigned seg)
{
	u16 dummy;
	u32 base3;
	struct desc_struct desc;

	ctxt->ops->get_segment(ctxt, &dummy, &desc, &base3, seg);
	ctxt->ops->set_segment(ctxt, selector, &desc, base3, seg);
}

/*
 * x86 defines three classes of vector instructions: explicitly
 * aligned, explicitly unaligned, and the rest, which change behaviour
 * depending on whether they're AVX encoded or not.
 *
 * Also included is CMPXCHG16B which is not a vector instruction, yet it is
 * subject to the same check.
 */
static bool insn_aligned(struct x86_emulate_ctxt *ctxt, unsigned size)
{
	if (likely(size < 16))
		return false;

	if (ctxt->d & Aligned)
		return true;
	else if (ctxt->d & Unaligned)
		return false;
	else if (ctxt->d & Avx)
		return false;
	else
		return true;
}
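
/*
 * Concrete example of the rule above (illustration only): MOVDQA is
 * flagged Aligned, so insn_aligned() returns true for its 16-byte
 * operand and __linearize() below injects #GP(0) if the linear address
 * is not 16-byte aligned; MOVDQU is flagged Unaligned and skips the
 * check, and accesses smaller than 16 bytes are never checked.
 */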

static int __linearize(struct x86_emulate_ctxt *ctxt,
		     struct segmented_address addr,
		     unsigned size, bool write, bool fetch,
		     ulong *linear)
{
	struct desc_struct desc;
	bool usable;
	ulong la;
	u32 lim;
	u16 sel;
	unsigned cpl, rpl;

	la = seg_base(ctxt, addr.seg) + addr.ea;
	switch (ctxt->mode) {
	case X86EMUL_MODE_REAL:
		break;
	case X86EMUL_MODE_PROT64:
		if (((signed long)la << 16) >> 16 != la)
			return emulate_gp(ctxt, 0);
		break;
	default:
		usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
						addr.seg);
		if (!usable)
			goto bad;
		/* code segment or read-only data segment */
		if (((desc.type & 8) || !(desc.type & 2)) && write)
			goto bad;
		/* unreadable code segment */
		if (!fetch && (desc.type & 8) && !(desc.type & 2))
			goto bad;
		lim = desc_limit_scaled(&desc);
		if ((desc.type & 8) || !(desc.type & 4)) {
			/* expand-up segment */
			if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
				goto bad;
		} else {
			/* expand-down segment */
			if (addr.ea <= lim || (u32)(addr.ea + size - 1) <= lim)
				goto bad;
			lim = desc.d ? 0xffffffff : 0xffff;
			if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
				goto bad;
		}
		cpl = ctxt->ops->cpl(ctxt);
		rpl = sel & 3;
		cpl = max(cpl, rpl);
		if (!(desc.type & 8)) {
			/* data segment */
			if (cpl > desc.dpl)
				goto bad;
		} else if ((desc.type & 8) && !(desc.type & 4)) {
			/* nonconforming code segment */
			if (cpl != desc.dpl)
				goto bad;
		} else if ((desc.type & 8) && (desc.type & 4)) {
			/* conforming code segment */
			if (cpl < desc.dpl)
				goto bad;
		}
		break;
	}
	if (fetch ? ctxt->mode != X86EMUL_MODE_PROT64 : ctxt->ad_bytes != 8)
		la &= (u32)-1;
	if (insn_aligned(ctxt, size) && ((la & (size - 1)) != 0))
		return emulate_gp(ctxt, 0);
	*linear = la;
	return X86EMUL_CONTINUE;
bad:
	if (addr.seg == VCPU_SREG_SS)
		return emulate_ss(ctxt, addr.seg);
	else
		return emulate_gp(ctxt, addr.seg);
}

static int linearize(struct x86_emulate_ctxt *ctxt,
		     struct segmented_address addr,
		     unsigned size, bool write,
		     ulong *linear)
{
	return __linearize(ctxt, addr, size, write, false, linear);
}


static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
			      struct segmented_address addr,
			      void *data,
			      unsigned size)
{
	int rc;
	ulong linear;

	rc = linearize(ctxt, addr, size, false, &linear);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
}

/*
 * Fetch the next byte of the instruction being emulated which is pointed to
 * by ctxt->_eip, then increment ctxt->_eip.
 *
 * Also prefetch the remaining bytes of the instruction without crossing page
 * boundary if they are not in fetch_cache yet.
 */
static int do_insn_fetch_byte(struct x86_emulate_ctxt *ctxt, u8 *dest)
{
	struct fetch_cache *fc = &ctxt->fetch;
	int rc;
	int size, cur_size;

	if (ctxt->_eip == fc->end) {
		unsigned long linear;
		struct segmented_address addr = { .seg = VCPU_SREG_CS,
						  .ea  = ctxt->_eip };
		cur_size = fc->end - fc->start;
		size = min(15UL - cur_size,
			   PAGE_SIZE - offset_in_page(ctxt->_eip));
		rc = __linearize(ctxt, addr, size, false, true, &linear);
		if (unlikely(rc != X86EMUL_CONTINUE))
			return rc;
		rc = ctxt->ops->fetch(ctxt, linear, fc->data + cur_size,
				      size, &ctxt->exception);
		if (unlikely(rc != X86EMUL_CONTINUE))
			return rc;
		fc->end += size;
	}
	*dest = fc->data[ctxt->_eip - fc->start];
	ctxt->_eip++;
	return X86EMUL_CONTINUE;
}

static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
			 void *dest, unsigned size)
{
	int rc;

	/* x86 instructions are limited to 15 bytes. */
	if (unlikely(ctxt->_eip + size - ctxt->eip > 15))
		return X86EMUL_UNHANDLEABLE;
	while (size--) {
		rc = do_insn_fetch_byte(ctxt, dest++);
		if (rc != X86EMUL_CONTINUE)
			return rc;
	}
	return X86EMUL_CONTINUE;
}

/* Fetch next part of the instruction being emulated. */
#define insn_fetch(_type, _ctxt)					\
({	unsigned long _x;						\
	rc = do_insn_fetch(_ctxt, &_x, sizeof(_type));			\
	if (rc != X86EMUL_CONTINUE)					\
		goto done;						\
	(_type)_x;							\
})

#define insn_fetch_arr(_arr, _size, _ctxt)				\
({	rc = do_insn_fetch(_ctxt, _arr, (_size));			\
	if (rc != X86EMUL_CONTINUE)					\
		goto done;						\
})
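
/*
 * Usage sketch for the fetch helpers above (hypothetical caller): both
 * macros expand to code that assigns a local 'rc' and jumps to a 'done'
 * label on failure, so the caller must provide both:
 *
 *	int rc = X86EMUL_CONTINUE;
 *	u8 b;
 *	...
 *	b = insn_fetch(u8, ctxt);	fetches at ctxt->_eip and advances it
 *	...
 * done:
 *	return rc;
 */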

/*
 * Given the 'reg' portion of a ModRM byte, and a register block, return a
 * pointer into the block that addresses the relevant register.
 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
 */
static void *decode_register(u8 modrm_reg, unsigned long *regs,
			     int highbyte_regs)
{
	void *p;

	p = &regs[modrm_reg];
	if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
		p = (unsigned char *)&regs[modrm_reg & 3] + 1;
	return p;
}

static int read_descriptor(struct x86_emulate_ctxt *ctxt,
			   struct segmented_address addr,
			   u16 *size, unsigned long *address, int op_bytes)
{
	int rc;

	if (op_bytes == 2)
		op_bytes = 3;
	*address = 0;
	rc = segmented_read_std(ctxt, addr, size, 2);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	addr.ea += 2;
	rc = segmented_read_std(ctxt, addr, address, op_bytes);
	return rc;
}

static int test_cc(unsigned int condition, unsigned int flags)
{
	int rc = 0;

	switch ((condition & 15) >> 1) {
	case 0: /* o */
		rc |= (flags & EFLG_OF);
		break;
	case 1: /* b/c/nae */
		rc |= (flags & EFLG_CF);
		break;
	case 2: /* z/e */
		rc |= (flags & EFLG_ZF);
		break;
	case 3: /* be/na */
		rc |= (flags & (EFLG_CF|EFLG_ZF));
		break;
	case 4: /* s */
		rc |= (flags & EFLG_SF);
		break;
	case 5: /* p/pe */
		rc |= (flags & EFLG_PF);
		break;
	case 7: /* le/ng */
		rc |= (flags & EFLG_ZF);
		/* fall through */
	case 6: /* l/nge */
		rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
		break;
	}

	/* Odd condition identifiers (lsb == 1) have inverted sense. */
	return (!!rc ^ (condition & 1));
}
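
/*
 * Example (illustration only): for JE/JZ the condition nibble is 0x4, so
 * test_cc(0x4, flags) lands in case 2 and reports EFLG_ZF; the odd
 * sibling 0x5 (JNE/JNZ) selects the same case and is inverted by the
 * final "condition & 1" test.
 */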

static void fetch_register_operand(struct operand *op)
{
	switch (op->bytes) {
	case 1:
		op->val = *(u8 *)op->addr.reg;
		break;
	case 2:
		op->val = *(u16 *)op->addr.reg;
		break;
	case 4:
		op->val = *(u32 *)op->addr.reg;
		break;
	case 8:
		op->val = *(u64 *)op->addr.reg;
		break;
	}
}

static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
{
	ctxt->ops->get_fpu(ctxt);
	switch (reg) {
	case 0: asm("movdqu %%xmm0, %0" : "=m"(*data)); break;
	case 1: asm("movdqu %%xmm1, %0" : "=m"(*data)); break;
	case 2: asm("movdqu %%xmm2, %0" : "=m"(*data)); break;
	case 3: asm("movdqu %%xmm3, %0" : "=m"(*data)); break;
	case 4: asm("movdqu %%xmm4, %0" : "=m"(*data)); break;
	case 5: asm("movdqu %%xmm5, %0" : "=m"(*data)); break;
	case 6: asm("movdqu %%xmm6, %0" : "=m"(*data)); break;
	case 7: asm("movdqu %%xmm7, %0" : "=m"(*data)); break;
#ifdef CONFIG_X86_64
	case 8: asm("movdqu %%xmm8, %0" : "=m"(*data)); break;
	case 9: asm("movdqu %%xmm9, %0" : "=m"(*data)); break;
	case 10: asm("movdqu %%xmm10, %0" : "=m"(*data)); break;
	case 11: asm("movdqu %%xmm11, %0" : "=m"(*data)); break;
	case 12: asm("movdqu %%xmm12, %0" : "=m"(*data)); break;
	case 13: asm("movdqu %%xmm13, %0" : "=m"(*data)); break;
	case 14: asm("movdqu %%xmm14, %0" : "=m"(*data)); break;
	case 15: asm("movdqu %%xmm15, %0" : "=m"(*data)); break;
#endif
	default: BUG();
	}
	ctxt->ops->put_fpu(ctxt);
}

static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
			  int reg)
{
	ctxt->ops->get_fpu(ctxt);
	switch (reg) {
	case 0: asm("movdqu %0, %%xmm0" : : "m"(*data)); break;
	case 1: asm("movdqu %0, %%xmm1" : : "m"(*data)); break;
	case 2: asm("movdqu %0, %%xmm2" : : "m"(*data)); break;
	case 3: asm("movdqu %0, %%xmm3" : : "m"(*data)); break;
	case 4: asm("movdqu %0, %%xmm4" : : "m"(*data)); break;
	case 5: asm("movdqu %0, %%xmm5" : : "m"(*data)); break;
	case 6: asm("movdqu %0, %%xmm6" : : "m"(*data)); break;
	case 7: asm("movdqu %0, %%xmm7" : : "m"(*data)); break;
#ifdef CONFIG_X86_64
	case 8: asm("movdqu %0, %%xmm8" : : "m"(*data)); break;
	case 9: asm("movdqu %0, %%xmm9" : : "m"(*data)); break;
	case 10: asm("movdqu %0, %%xmm10" : : "m"(*data)); break;
	case 11: asm("movdqu %0, %%xmm11" : : "m"(*data)); break;
	case 12: asm("movdqu %0, %%xmm12" : : "m"(*data)); break;
	case 13: asm("movdqu %0, %%xmm13" : : "m"(*data)); break;
	case 14: asm("movdqu %0, %%xmm14" : : "m"(*data)); break;
	case 15: asm("movdqu %0, %%xmm15" : : "m"(*data)); break;
#endif
	default: BUG();
	}
	ctxt->ops->put_fpu(ctxt);
}

static void read_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
{
	ctxt->ops->get_fpu(ctxt);
	switch (reg) {
	case 0: asm("movq %%mm0, %0" : "=m"(*data)); break;
	case 1: asm("movq %%mm1, %0" : "=m"(*data)); break;
	case 2: asm("movq %%mm2, %0" : "=m"(*data)); break;
	case 3: asm("movq %%mm3, %0" : "=m"(*data)); break;
	case 4: asm("movq %%mm4, %0" : "=m"(*data)); break;
	case 5: asm("movq %%mm5, %0" : "=m"(*data)); break;
	case 6: asm("movq %%mm6, %0" : "=m"(*data)); break;
	case 7: asm("movq %%mm7, %0" : "=m"(*data)); break;
	default: BUG();
	}
	ctxt->ops->put_fpu(ctxt);
}

static void write_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
{
	ctxt->ops->get_fpu(ctxt);
	switch (reg) {
	case 0: asm("movq %0, %%mm0" : : "m"(*data)); break;
	case 1: asm("movq %0, %%mm1" : : "m"(*data)); break;
	case 2: asm("movq %0, %%mm2" : : "m"(*data)); break;
	case 3: asm("movq %0, %%mm3" : : "m"(*data)); break;
	case 4: asm("movq %0, %%mm4" : : "m"(*data)); break;
	case 5: asm("movq %0, %%mm5" : : "m"(*data)); break;
	case 6: asm("movq %0, %%mm6" : : "m"(*data)); break;
	case 7: asm("movq %0, %%mm7" : : "m"(*data)); break;
	default: BUG();
	}
	ctxt->ops->put_fpu(ctxt);
}

static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
				    struct operand *op)
{
	unsigned reg = ctxt->modrm_reg;
	int highbyte_regs = ctxt->rex_prefix == 0;

	if (!(ctxt->d & ModRM))
		reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3);

	if (ctxt->d & Sse) {
		op->type = OP_XMM;
		op->bytes = 16;
		op->addr.xmm = reg;
		read_sse_reg(ctxt, &op->vec_val, reg);
		return;
	}
	if (ctxt->d & Mmx) {
		reg &= 7;
		op->type = OP_MM;
		op->bytes = 8;
		op->addr.mm = reg;
		return;
	}

	op->type = OP_REG;
	if (ctxt->d & ByteOp) {
		op->addr.reg = decode_register(reg, ctxt->regs, highbyte_regs);
		op->bytes = 1;
	} else {
		op->addr.reg = decode_register(reg, ctxt->regs, 0);
		op->bytes = ctxt->op_bytes;
	}
	fetch_register_operand(op);
	op->orig_val = op->val;
}

static int decode_modrm(struct x86_emulate_ctxt *ctxt,
			struct operand *op)
{
	u8 sib;
	int index_reg = 0, base_reg = 0, scale;
	int rc = X86EMUL_CONTINUE;
	ulong modrm_ea = 0;

	if (ctxt->rex_prefix) {
		ctxt->modrm_reg = (ctxt->rex_prefix & 4) << 1;	/* REX.R */
		index_reg = (ctxt->rex_prefix & 2) << 2; /* REX.X */
		ctxt->modrm_rm = base_reg = (ctxt->rex_prefix & 1) << 3; /* REX.B */
	}

	ctxt->modrm_mod |= (ctxt->modrm & 0xc0) >> 6;
	ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
	ctxt->modrm_rm |= (ctxt->modrm & 0x07);
	ctxt->modrm_seg = VCPU_SREG_DS;

	if (ctxt->modrm_mod == 3) {
		op->type = OP_REG;
		op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
		op->addr.reg = decode_register(ctxt->modrm_rm,
					       ctxt->regs, ctxt->d & ByteOp);
		if (ctxt->d & Sse) {
			op->type = OP_XMM;
			op->bytes = 16;
			op->addr.xmm = ctxt->modrm_rm;
			read_sse_reg(ctxt, &op->vec_val, ctxt->modrm_rm);
			return rc;
		}
		if (ctxt->d & Mmx) {
			op->type = OP_MM;
			op->bytes = 8;
			op->addr.xmm = ctxt->modrm_rm & 7;
			return rc;
		}
		fetch_register_operand(op);
		return rc;
	}

	op->type = OP_MEM;

	if (ctxt->ad_bytes == 2) {
		unsigned bx = ctxt->regs[VCPU_REGS_RBX];
		unsigned bp = ctxt->regs[VCPU_REGS_RBP];
		unsigned si = ctxt->regs[VCPU_REGS_RSI];
		unsigned di = ctxt->regs[VCPU_REGS_RDI];

		/* 16-bit ModR/M decode. */
		switch (ctxt->modrm_mod) {
		case 0:
			if (ctxt->modrm_rm == 6)
				modrm_ea += insn_fetch(u16, ctxt);
			break;
		case 1:
			modrm_ea += insn_fetch(s8, ctxt);
			break;
		case 2:
			modrm_ea += insn_fetch(u16, ctxt);
			break;
		}
		switch (ctxt->modrm_rm) {
		case 0:
			modrm_ea += bx + si;
			break;
		case 1:
			modrm_ea += bx + di;
			break;
		case 2:
			modrm_ea += bp + si;
			break;
		case 3:
			modrm_ea += bp + di;
			break;
		case 4:
			modrm_ea += si;
			break;
		case 5:
			modrm_ea += di;
			break;
		case 6:
			if (ctxt->modrm_mod != 0)
				modrm_ea += bp;
			break;
		case 7:
			modrm_ea += bx;
			break;
		}
		if (ctxt->modrm_rm == 2 || ctxt->modrm_rm == 3 ||
		    (ctxt->modrm_rm == 6 && ctxt->modrm_mod != 0))
			ctxt->modrm_seg = VCPU_SREG_SS;
		modrm_ea = (u16)modrm_ea;
	} else {
		/* 32/64-bit ModR/M decode. */
		if ((ctxt->modrm_rm & 7) == 4) {
			sib = insn_fetch(u8, ctxt);
			index_reg |= (sib >> 3) & 7;
			base_reg |= sib & 7;
			scale = sib >> 6;

			if ((base_reg & 7) == 5 && ctxt->modrm_mod == 0)
				modrm_ea += insn_fetch(s32, ctxt);
			else
				modrm_ea += ctxt->regs[base_reg];
			if (index_reg != 4)
				modrm_ea += ctxt->regs[index_reg] << scale;
		} else if ((ctxt->modrm_rm & 7) == 5 && ctxt->modrm_mod == 0) {
			if (ctxt->mode == X86EMUL_MODE_PROT64)
				ctxt->rip_relative = 1;
		} else
			modrm_ea += ctxt->regs[ctxt->modrm_rm];
		switch (ctxt->modrm_mod) {
		case 0:
			if (ctxt->modrm_rm == 5)
				modrm_ea += insn_fetch(s32, ctxt);
			break;
		case 1:
			modrm_ea += insn_fetch(s8, ctxt);
			break;
		case 2:
			modrm_ea += insn_fetch(s32, ctxt);
			break;
		}
	}
	op->addr.mem.ea = modrm_ea;
done:
	return rc;
}

static int decode_abs(struct x86_emulate_ctxt *ctxt,
		      struct operand *op)
{
	int rc = X86EMUL_CONTINUE;

	op->type = OP_MEM;
	switch (ctxt->ad_bytes) {
	case 2:
		op->addr.mem.ea = insn_fetch(u16, ctxt);
		break;
	case 4:
		op->addr.mem.ea = insn_fetch(u32, ctxt);
		break;
	case 8:
		op->addr.mem.ea = insn_fetch(u64, ctxt);
		break;
	}
done:
	return rc;
}

static void fetch_bit_operand(struct x86_emulate_ctxt *ctxt)
{
	long sv = 0, mask;

	if (ctxt->dst.type == OP_MEM && ctxt->src.type == OP_REG) {
		mask = ~(ctxt->dst.bytes * 8 - 1);

		if (ctxt->src.bytes == 2)
			sv = (s16)ctxt->src.val & (s16)mask;
		else if (ctxt->src.bytes == 4)
			sv = (s32)ctxt->src.val & (s32)mask;

		ctxt->dst.addr.mem.ea += (sv >> 3);
	}

	/* only subword offset */
	ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
}

static int read_emulated(struct x86_emulate_ctxt *ctxt,
			 unsigned long addr, void *dest, unsigned size)
{
	int rc;
	struct read_cache *mc = &ctxt->mem_read;

	while (size) {
		int n = min(size, 8u);
		size -= n;
		if (mc->pos < mc->end)
			goto read_cached;

		rc = ctxt->ops->read_emulated(ctxt, addr, mc->data + mc->end, n,
					      &ctxt->exception);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		mc->end += n;

	read_cached:
		memcpy(dest, mc->data + mc->pos, n);
		mc->pos += n;
		dest += n;
		addr += n;
	}
	return X86EMUL_CONTINUE;
}

static int segmented_read(struct x86_emulate_ctxt *ctxt,
			  struct segmented_address addr,
			  void *data,
			  unsigned size)
{
	int rc;
	ulong linear;

	rc = linearize(ctxt, addr, size, false, &linear);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	return read_emulated(ctxt, linear, data, size);
}

static int segmented_write(struct x86_emulate_ctxt *ctxt,
			   struct segmented_address addr,
			   const void *data,
			   unsigned size)
{
	int rc;
	ulong linear;

	rc = linearize(ctxt, addr, size, true, &linear);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	return ctxt->ops->write_emulated(ctxt, linear, data, size,
					 &ctxt->exception);
}

static int segmented_cmpxchg(struct x86_emulate_ctxt *ctxt,
			     struct segmented_address addr,
			     const void *orig_data, const void *data,
			     unsigned size)
{
	int rc;
	ulong linear;

	rc = linearize(ctxt, addr, size, true, &linear);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	return ctxt->ops->cmpxchg_emulated(ctxt, linear, orig_data, data,
					   size, &ctxt->exception);
}

static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
			   unsigned int size, unsigned short port,
			   void *dest)
{
	struct read_cache *rc = &ctxt->io_read;

	if (rc->pos == rc->end) { /* refill pio read ahead */
		unsigned int in_page, n;
		unsigned int count = ctxt->rep_prefix ?
			address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) : 1;
		in_page = (ctxt->eflags & EFLG_DF) ?
			offset_in_page(ctxt->regs[VCPU_REGS_RDI]) :
			PAGE_SIZE - offset_in_page(ctxt->regs[VCPU_REGS_RDI]);
		n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
			count);
		if (n == 0)
			n = 1;
		rc->pos = rc->end = 0;
		if (!ctxt->ops->pio_in_emulated(ctxt, size, port, rc->data, n))
			return 0;
		rc->end = n * size;
	}

	memcpy(dest, rc->data + rc->pos, size);
	rc->pos += size;
	return 1;
}

static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt,
				     u16 index, struct desc_struct *desc)
{
	struct desc_ptr dt;
	ulong addr;

	ctxt->ops->get_idt(ctxt, &dt);

	if (dt.size < index * 8 + 7)
		return emulate_gp(ctxt, index << 3 | 0x2);

	addr = dt.address + index * 8;
	return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
				   &ctxt->exception);
}

static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
				     u16 selector, struct desc_ptr *dt)
{
	struct x86_emulate_ops *ops = ctxt->ops;

	if (selector & 1 << 2) {
		struct desc_struct desc;
		u16 sel;

		memset (dt, 0, sizeof *dt);
		if (!ops->get_segment(ctxt, &sel, &desc, NULL, VCPU_SREG_LDTR))
			return;

		dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
		dt->address = get_desc_base(&desc);
	} else
		ops->get_gdt(ctxt, dt);
}

/* allowed just for 8 bytes segments */
static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				   u16 selector, struct desc_struct *desc)
{
	struct desc_ptr dt;
	u16 index = selector >> 3;
	ulong addr;

	get_descriptor_table_ptr(ctxt, selector, &dt);

	if (dt.size < index * 8 + 7)
		return emulate_gp(ctxt, selector & 0xfffc);

	addr = dt.address + index * 8;
	return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
				   &ctxt->exception);
}

/* allowed just for 8 bytes segments */
static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				    u16 selector, struct desc_struct *desc)
{
	struct desc_ptr dt;
	u16 index = selector >> 3;
	ulong addr;

	get_descriptor_table_ptr(ctxt, selector, &dt);

	if (dt.size < index * 8 + 7)
		return emulate_gp(ctxt, selector & 0xfffc);

	addr = dt.address + index * 8;
	return ctxt->ops->write_std(ctxt, addr, desc, sizeof *desc,
				    &ctxt->exception);
}

/* Does not support long mode */
static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				   u16 selector, int seg)
{
	struct desc_struct seg_desc;
	u8 dpl, rpl, cpl;
	unsigned err_vec = GP_VECTOR;
	u32 err_code = 0;
	bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
	int ret;

	memset(&seg_desc, 0, sizeof seg_desc);

	if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
	    || ctxt->mode == X86EMUL_MODE_REAL) {
		/* set real mode segment descriptor */
		set_desc_base(&seg_desc, selector << 4);
		set_desc_limit(&seg_desc, 0xffff);
		seg_desc.type = 3;
		seg_desc.p = 1;
		seg_desc.s = 1;
		if (ctxt->mode == X86EMUL_MODE_VM86)
			seg_desc.dpl = 3;
		goto load;
	}

	rpl = selector & 3;
	cpl = ctxt->ops->cpl(ctxt);

	/* NULL selector is not valid for TR, CS and SS (except for long mode) */
	if ((seg == VCPU_SREG_CS
	     || (seg == VCPU_SREG_SS
		 && (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl))
	     || seg == VCPU_SREG_TR)
	    && null_selector)
		goto exception;

	/* TR should be in GDT only */
	if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
		goto exception;

	if (null_selector) /* for NULL selector skip all following checks */
		goto load;

	ret = read_segment_descriptor(ctxt, selector, &seg_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	err_code = selector & 0xfffc;
	err_vec = GP_VECTOR;

	/* can't load system descriptor into segment selecor */
	if (seg <= VCPU_SREG_GS && !seg_desc.s)
		goto exception;

	if (!seg_desc.p) {
		err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
		goto exception;
	}

	dpl = seg_desc.dpl;

	switch (seg) {
	case VCPU_SREG_SS:
		/*
		 * segment is not a writable data segment or segment
		 * selector's RPL != CPL or the segment's DPL != CPL
		 */
		if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
			goto exception;
		break;
	case VCPU_SREG_CS:
		if (!(seg_desc.type & 8))
			goto exception;

		if (seg_desc.type & 4) {
			/* conforming */
			if (dpl > cpl)
				goto exception;
		} else {
			/* nonconforming */
			if (rpl > cpl || dpl != cpl)
				goto exception;
		}
		/* CS(RPL) <- CPL */
		selector = (selector & 0xfffc) | cpl;
		break;
	case VCPU_SREG_TR:
		if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
			goto exception;
		break;
	case VCPU_SREG_LDTR:
		if (seg_desc.s || seg_desc.type != 2)
			goto exception;
		break;
	default: /*  DS, ES, FS, or GS */
		/*
		 * segment is not a data or readable code segment or
		 * ((segment is a data or nonconforming code segment)
		 * and (both RPL and CPL > DPL))
		 */
		if ((seg_desc.type & 0xa) == 0x8 ||
		    (((seg_desc.type & 0xc) != 0xc) &&
		     (rpl > dpl && cpl > dpl)))
			goto exception;
		break;
	}

	if (seg_desc.s) {
		/* mark segment as accessed */
		seg_desc.type |= 1;
		ret = write_segment_descriptor(ctxt, selector, &seg_desc);
		if (ret != X86EMUL_CONTINUE)
			return ret;
	}
load:
	ctxt->ops->set_segment(ctxt, selector, &seg_desc, 0, seg);
	return X86EMUL_CONTINUE;
exception:
	emulate_exception(ctxt, err_vec, err_code, true);
	return X86EMUL_PROPAGATE_FAULT;
}

static void write_register_operand(struct operand *op)
{
	/* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
	switch (op->bytes) {
	case 1:
		*(u8 *)op->addr.reg = (u8)op->val;
		break;
	case 2:
		*(u16 *)op->addr.reg = (u16)op->val;
		break;
	case 4:
		*op->addr.reg = (u32)op->val;
		break;	/* 64b: zero-extend */
	case 8:
		*op->addr.reg = op->val;
		break;
	}
}
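
/*
 * Example of the write-back widths above (illustration only): a 4-byte
 * register write stores the zero-extended 32-bit value into the whole
 * unsigned long, matching the architectural rule that writing e.g. EAX
 * in 64-bit mode clears the upper half of RAX, while 1- and 2-byte
 * writes leave the high bytes of the register untouched.
 */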

static int writeback(struct x86_emulate_ctxt *ctxt)
{
	int rc;

	switch (ctxt->dst.type) {
	case OP_REG:
		write_register_operand(&ctxt->dst);
		break;
	case OP_MEM:
		if (ctxt->lock_prefix)
			rc = segmented_cmpxchg(ctxt,
					       ctxt->dst.addr.mem,
					       &ctxt->dst.orig_val,
					       &ctxt->dst.val,
					       ctxt->dst.bytes);
		else
			rc = segmented_write(ctxt,
					     ctxt->dst.addr.mem,
					     &ctxt->dst.val,
					     ctxt->dst.bytes);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		break;
	case OP_XMM:
		write_sse_reg(ctxt, &ctxt->dst.vec_val, ctxt->dst.addr.xmm);
		break;
	case OP_MM:
		write_mmx_reg(ctxt, &ctxt->dst.mm_val, ctxt->dst.addr.mm);
		break;
	case OP_NONE:
		/* no writeback */
		break;
	default:
		break;
	}
	return X86EMUL_CONTINUE;
}

static int em_push(struct x86_emulate_ctxt *ctxt)
{
	struct segmented_address addr;

	register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RSP], -ctxt->op_bytes);
	addr.ea = register_address(ctxt, ctxt->regs[VCPU_REGS_RSP]);
	addr.seg = VCPU_SREG_SS;

	/* Disable writeback. */
	ctxt->dst.type = OP_NONE;
	return segmented_write(ctxt, addr, &ctxt->src.val, ctxt->op_bytes);
}

static int emulate_pop(struct x86_emulate_ctxt *ctxt,
		       void *dest, int len)
{
	int rc;
	struct segmented_address addr;

	addr.ea = register_address(ctxt, ctxt->regs[VCPU_REGS_RSP]);
	addr.seg = VCPU_SREG_SS;
	rc = segmented_read(ctxt, addr, dest, len);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RSP], len);
	return rc;
}

static int em_pop(struct x86_emulate_ctxt *ctxt)
{
	return emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
}

static int emulate_popf(struct x86_emulate_ctxt *ctxt,
			void *dest, int len)
{
	int rc;
	unsigned long val, change_mask;
	int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
	int cpl = ctxt->ops->cpl(ctxt);

	rc = emulate_pop(ctxt, &val, len);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
		| EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;

	switch(ctxt->mode) {
	case X86EMUL_MODE_PROT64:
	case X86EMUL_MODE_PROT32:
	case X86EMUL_MODE_PROT16:
		if (cpl == 0)
			change_mask |= EFLG_IOPL;
		if (cpl <= iopl)
			change_mask |= EFLG_IF;
		break;
	case X86EMUL_MODE_VM86:
		if (iopl < 3)
			return emulate_gp(ctxt, 0);
		change_mask |= EFLG_IF;
		break;
	default: /* real mode */
		change_mask |= (EFLG_IOPL | EFLG_IF);
		break;
	}

	*(unsigned long *)dest =
		(ctxt->eflags & ~change_mask) | (val & change_mask);

	return rc;
}

static int em_popf(struct x86_emulate_ctxt *ctxt)
{
	ctxt->dst.type = OP_REG;
	ctxt->dst.addr.reg = &ctxt->eflags;
	ctxt->dst.bytes = ctxt->op_bytes;
	return emulate_popf(ctxt, &ctxt->dst.val, ctxt->op_bytes);
}

static int em_leave(struct x86_emulate_ctxt *ctxt)
{
	assign_masked(&ctxt->regs[VCPU_REGS_RSP], ctxt->regs[VCPU_REGS_RBP],
		      stack_mask(ctxt));
	return emulate_pop(ctxt, &ctxt->regs[VCPU_REGS_RBP], ctxt->op_bytes);
}

static int em_push_sreg(struct x86_emulate_ctxt *ctxt)
{
	int seg = ctxt->src2.val;

	ctxt->src.val = get_segment_selector(ctxt, seg);

	return em_push(ctxt);
}

static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
{
	int seg = ctxt->src2.val;
	unsigned long selector;
	int rc;

	rc = emulate_pop(ctxt, &selector, ctxt->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = load_segment_descriptor(ctxt, (u16)selector, seg);
	return rc;
}

static int em_pusha(struct x86_emulate_ctxt *ctxt)
{
	unsigned long old_esp = ctxt->regs[VCPU_REGS_RSP];
	int rc = X86EMUL_CONTINUE;
	int reg = VCPU_REGS_RAX;

	while (reg <= VCPU_REGS_RDI) {
		(reg == VCPU_REGS_RSP) ?
		(ctxt->src.val = old_esp) : (ctxt->src.val = ctxt->regs[reg]);

		rc = em_push(ctxt);
		if (rc != X86EMUL_CONTINUE)
			return rc;

		++reg;
	}

	return rc;
}

static int em_pushf(struct x86_emulate_ctxt *ctxt)
{
	ctxt->src.val =  (unsigned long)ctxt->eflags;
	return em_push(ctxt);
}

static int em_popa(struct x86_emulate_ctxt *ctxt)
{
	int rc = X86EMUL_CONTINUE;
	int reg = VCPU_REGS_RDI;

	while (reg >= VCPU_REGS_RAX) {
		if (reg == VCPU_REGS_RSP) {
			register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RSP],
							ctxt->op_bytes);
			--reg;
		}

		rc = emulate_pop(ctxt, &ctxt->regs[reg], ctxt->op_bytes);
		if (rc != X86EMUL_CONTINUE)
			break;
		--reg;
	}
	return rc;
}

int emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	int rc;
	struct desc_ptr dt;
	gva_t cs_addr;
	gva_t eip_addr;
	u16 cs, eip;

	/* TODO: Add limit checks */
	ctxt->src.val = ctxt->eflags;
	rc = em_push(ctxt);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);

	ctxt->src.val = get_segment_selector(ctxt, VCPU_SREG_CS);
	rc = em_push(ctxt);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	ctxt->src.val = ctxt->_eip;
	rc = em_push(ctxt);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	ops->get_idt(ctxt, &dt);

	eip_addr = dt.address + (irq << 2);
	cs_addr = dt.address + (irq << 2) + 2;

	rc = ops->read_std(ctxt, cs_addr, &cs, 2, &ctxt->exception);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = ops->read_std(ctxt, eip_addr, &eip, 2, &ctxt->exception);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = load_segment_descriptor(ctxt, cs, VCPU_SREG_CS);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	ctxt->_eip = eip;

	return rc;
}

static int emulate_int(struct x86_emulate_ctxt *ctxt, int irq)
{
	switch(ctxt->mode) {
	case X86EMUL_MODE_REAL:
		return emulate_int_real(ctxt, irq);
	case X86EMUL_MODE_VM86:
	case X86EMUL_MODE_PROT16:
	case X86EMUL_MODE_PROT32:
	case X86EMUL_MODE_PROT64:
	default:
		/* Protected mode interrupts unimplemented yet */
		return X86EMUL_UNHANDLEABLE;
	}
}

static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
{
	int rc = X86EMUL_CONTINUE;
	unsigned long temp_eip = 0;
	unsigned long temp_eflags = 0;
	unsigned long cs = 0;
	unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
			     EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
			     EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
	unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;

	/* TODO: Add stack limit check */

	rc = emulate_pop(ctxt, &temp_eip, ctxt->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	if (temp_eip & ~0xffff)
		return emulate_gp(ctxt, 0);

	rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = emulate_pop(ctxt, &temp_eflags, ctxt->op_bytes);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);

	if (rc != X86EMUL_CONTINUE)
		return rc;

	ctxt->_eip = temp_eip;


	if (ctxt->op_bytes == 4)
		ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
	else if (ctxt->op_bytes == 2) {
		ctxt->eflags &= ~0xffff;
		ctxt->eflags |= temp_eflags;
	}

	ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
	ctxt->eflags |= EFLG_RESERVED_ONE_MASK;

	return rc;
}

static int em_iret(struct x86_emulate_ctxt *ctxt)
{
	switch(ctxt->mode) {
	case X86EMUL_MODE_REAL:
		return emulate_iret_real(ctxt);
	case X86EMUL_MODE_VM86:
	case X86EMUL_MODE_PROT16:
	case X86EMUL_MODE_PROT32:
	case X86EMUL_MODE_PROT64:
	default:
		/* iret from protected mode is not yet implemented */
		return X86EMUL_UNHANDLEABLE;
	}
}

static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
{
	int rc;
	unsigned short sel;

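	/* The far-pointer operand is an op_bytes-sized offset followed by a 16-bit selector. */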
	memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);

	rc = load_segment_descriptor(ctxt, sel, VCPU_SREG_CS);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	ctxt->_eip = 0;
	memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
	return X86EMUL_CONTINUE;
}

static int em_grp2(struct x86_emulate_ctxt *ctxt)
{
	switch (ctxt->modrm_reg) {
	case 0:	/* rol */
		emulate_2op_SrcB(ctxt, "rol");
		break;
	case 1:	/* ror */
		emulate_2op_SrcB(ctxt, "ror");
		break;
	case 2:	/* rcl */
		emulate_2op_SrcB(ctxt, "rcl");
		break;
	case 3:	/* rcr */
		emulate_2op_SrcB(ctxt, "rcr");
		break;
	case 4:	/* sal/shl */
	case 6:	/* sal/shl */
		emulate_2op_SrcB(ctxt, "sal");
		break;
	case 5:	/* shr */
		emulate_2op_SrcB(ctxt, "shr");
		break;
	case 7:	/* sar */
		emulate_2op_SrcB(ctxt, "sar");
		break;
	}
	return X86EMUL_CONTINUE;
}

static int em_not(struct x86_emulate_ctxt *ctxt)
{
	ctxt->dst.val = ~ctxt->dst.val;
	return X86EMUL_CONTINUE;
}

static int em_neg(struct x86_emulate_ctxt *ctxt)
{
	emulate_1op(ctxt, "neg");
	return X86EMUL_CONTINUE;
}

static int em_mul_ex(struct x86_emulate_ctxt *ctxt)
{
	u8 ex = 0;

	emulate_1op_rax_rdx(ctxt, "mul", ex);
	return X86EMUL_CONTINUE;
}

static int em_imul_ex(struct x86_emulate_ctxt *ctxt)
{
	u8 ex = 0;

	emulate_1op_rax_rdx(ctxt, "imul", ex);
	return X86EMUL_CONTINUE;
}

static int em_div_ex(struct x86_emulate_ctxt *ctxt)
{
	u8 de = 0;

	emulate_1op_rax_rdx(ctxt, "div", de);
	if (de)
		return emulate_de(ctxt);
	return X86EMUL_CONTINUE;
}

static int em_idiv_ex(struct x86_emulate_ctxt *ctxt)
{
	u8 de = 0;

	emulate_1op_rax_rdx(ctxt, "idiv", de);
	if (de)
		return emulate_de(ctxt);
	return X86EMUL_CONTINUE;
}

static int em_grp45(struct x86_emulate_ctxt *ctxt)
{
	int rc = X86EMUL_CONTINUE;

	switch (ctxt->modrm_reg) {
	case 0:	/* inc */
		emulate_1op(ctxt, "inc");
		break;
	case 1:	/* dec */
		emulate_1op(ctxt, "dec");
		break;
	case 2: /* call near abs */ {
		long int old_eip;
		old_eip = ctxt->_eip;
		ctxt->_eip = ctxt->src.val;
		ctxt->src.val = old_eip;
		rc = em_push(ctxt);
		break;
	}
	case 4: /* jmp abs */
		ctxt->_eip = ctxt->src.val;
		break;
	case 5: /* jmp far */
		rc = em_jmp_far(ctxt);
		break;
	case 6:	/* push */
		rc = em_push(ctxt);
		break;
	}
	return rc;
}

static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
{
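	/*
	 * cmpxchg8b: compare EDX:EAX with the 64-bit operand; on a match store
	 * ECX:EBX and set ZF, otherwise load the old value and clear ZF.
	 */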
	u64 old = ctxt->dst.orig_val64;

	if (((u32) (old >> 0) != (u32) ctxt->regs[VCPU_REGS_RAX]) ||
	    ((u32) (old >> 32) != (u32) ctxt->regs[VCPU_REGS_RDX])) {
		ctxt->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
		ctxt->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
		ctxt->eflags &= ~EFLG_ZF;
	} else {
		ctxt->dst.val64 = ((u64)ctxt->regs[VCPU_REGS_RCX] << 32) |
			(u32) ctxt->regs[VCPU_REGS_RBX];

		ctxt->eflags |= EFLG_ZF;
	}
	return X86EMUL_CONTINUE;
}

static int em_ret(struct x86_emulate_ctxt *ctxt)
{
	ctxt->dst.type = OP_REG;
	ctxt->dst.addr.reg = &ctxt->_eip;
	ctxt->dst.bytes = ctxt->op_bytes;
	return em_pop(ctxt);
}

static int em_ret_far(struct x86_emulate_ctxt *ctxt)
{
	int rc;
	unsigned long cs;

	rc = emulate_pop(ctxt, &ctxt->_eip, ctxt->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	if (ctxt->op_bytes == 4)
		ctxt->_eip = (u32)ctxt->_eip;
	rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
	return rc;
}

static int em_cmpxchg(struct x86_emulate_ctxt *ctxt)
{
	/* Save real source value, then compare EAX against destination. */
	ctxt->src.orig_val = ctxt->src.val;
	ctxt->src.val = ctxt->regs[VCPU_REGS_RAX];
	emulate_2op_SrcV(ctxt, "cmp");

	if (ctxt->eflags & EFLG_ZF) {
		/* Success: write back to memory. */
		ctxt->dst.val = ctxt->src.orig_val;
	} else {
		/* Failure: write the value we saw to EAX. */
		ctxt->dst.type = OP_REG;
		ctxt->dst.addr.reg = (unsigned long *)&ctxt->regs[VCPU_REGS_RAX];
	}
	return X86EMUL_CONTINUE;
}

static int em_lseg(struct x86_emulate_ctxt *ctxt)
{
	int seg = ctxt->src2.val;
	unsigned short sel;
	int rc;

	memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);

	rc = load_segment_descriptor(ctxt, sel, seg);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	ctxt->dst.val = ctxt->src.val;
	return rc;
}

static void
setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
			struct desc_struct *cs, struct desc_struct *ss)
{
	u16 selector;

	memset(cs, 0, sizeof(struct desc_struct));
	ctxt->ops->get_segment(ctxt, &selector, cs, NULL, VCPU_SREG_CS);
	memset(ss, 0, sizeof(struct desc_struct));

	cs->l = 0;		/* will be adjusted later */
	set_desc_base(cs, 0);	/* flat segment */
	cs->g = 1;		/* 4kb granularity */
	set_desc_limit(cs, 0xfffff);	/* 4GB limit */
	cs->type = 0x0b;	/* Read, Execute, Accessed */
	cs->s = 1;
	cs->dpl = 0;		/* will be adjusted later */
	cs->p = 1;
	cs->d = 1;

	set_desc_base(ss, 0);	/* flat segment */
	set_desc_limit(ss, 0xfffff);	/* 4GB limit */
	ss->g = 1;		/* 4kb granularity */
	ss->s = 1;
	ss->type = 0x03;	/* Read/Write, Accessed */
	ss->d = 1;		/* 32bit stack segment */
	ss->dpl = 0;
	ss->p = 1;
}

static bool vendor_intel(struct x86_emulate_ctxt *ctxt)
{
	u32 eax, ebx, ecx, edx;

	eax = ecx = 0;
	ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
	return ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx
		&& ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx
		&& edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx;
}

static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	u32 eax, ebx, ecx, edx;

	/*
	 * syscall should always be enabled in longmode - so only become
	 * vendor specific (cpuid) if other modes are active...
	 */
	if (ctxt->mode == X86EMUL_MODE_PROT64)
		return true;

	eax = 0x00000000;
	ecx = 0x00000000;
	ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
	/*
	 * Intel ("GenuineIntel")
	 * remark: Intel CPUs only support "syscall" in 64bit
	 * longmode. Also, a 64bit guest with a
	 * 32bit compat-app running will #UD !! While this
	 * behaviour can be fixed (by emulating) into AMD
	 * response - CPUs of AMD can't behave like Intel.
	 */
	if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
	    ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
	    edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
		return false;

	/* AMD ("AuthenticAMD") */
	if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
	    ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
	    edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
		return true;

	/* AMD ("AMDisbetter!") */
	if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
	    ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
	    edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
		return true;

	/* default: (not Intel, not AMD), apply Intel's stricter rules... */
	return false;
}

static int em_syscall(struct x86_emulate_ctxt *ctxt)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct desc_struct cs, ss;
	u64 msr_data;
	u16 cs_sel, ss_sel;
	u64 efer = 0;

	/* syscall is not available in real mode */
	if (ctxt->mode == X86EMUL_MODE_REAL ||
	    ctxt->mode == X86EMUL_MODE_VM86)
		return emulate_ud(ctxt);

	if (!(em_syscall_is_enabled(ctxt)))
		return emulate_ud(ctxt);

	ops->get_msr(ctxt, MSR_EFER, &efer);
	setup_syscalls_segments(ctxt, &cs, &ss);

	if (!(efer & EFER_SCE))
		return emulate_ud(ctxt);

	ops->get_msr(ctxt, MSR_STAR, &msr_data);
	msr_data >>= 32;
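	/* SYSCALL: STAR[47:32] supplies the new CS selector; SS is the next GDT entry (CS + 8). */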
	cs_sel = (u16)(msr_data & 0xfffc);
	ss_sel = (u16)(msr_data + 8);

	if (efer & EFER_LMA) {
		cs.d = 0;
		cs.l = 1;
	}
	ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
	ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);

	ctxt->regs[VCPU_REGS_RCX] = ctxt->_eip;
	if (efer & EFER_LMA) {
#ifdef CONFIG_X86_64
		ctxt->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;

		ops->get_msr(ctxt,
			     ctxt->mode == X86EMUL_MODE_PROT64 ?
			     MSR_LSTAR : MSR_CSTAR, &msr_data);
		ctxt->_eip = msr_data;

		ops->get_msr(ctxt, MSR_SYSCALL_MASK, &msr_data);
		ctxt->eflags &= ~(msr_data | EFLG_RF);
#endif
	} else {
		/* legacy mode */
		ops->get_msr(ctxt, MSR_STAR, &msr_data);
		ctxt->_eip = (u32)msr_data;

		ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
	}

	return X86EMUL_CONTINUE;
}

static int em_sysenter(struct x86_emulate_ctxt *ctxt)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct desc_struct cs, ss;
	u64 msr_data;
	u16 cs_sel, ss_sel;
	u64 efer = 0;

	ops->get_msr(ctxt, MSR_EFER, &efer);
	/* inject #GP if in real mode */
	if (ctxt->mode == X86EMUL_MODE_REAL)
		return emulate_gp(ctxt, 0);

	/*
	 * Not recognized on AMD in compat mode (but is recognized in legacy
	 * mode).
	 */
	if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
	    && !vendor_intel(ctxt))
		return emulate_ud(ctxt);

	/*
	 * XXX sysenter/sysexit have not been tested in 64bit mode.
	 * Therefore, we inject an #UD.
	 */
	if (ctxt->mode == X86EMUL_MODE_PROT64)
		return emulate_ud(ctxt);

	setup_syscalls_segments(ctxt, &cs, &ss);

	ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
	switch (ctxt->mode) {
	case X86EMUL_MODE_PROT32:
		if ((msr_data & 0xfffc) == 0x0)
			return emulate_gp(ctxt, 0);
		break;
	case X86EMUL_MODE_PROT64:
		if (msr_data == 0x0)
			return emulate_gp(ctxt, 0);
		break;
	}

	ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
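	/* SYSENTER loads CS from IA32_SYSENTER_CS (RPL 0) and SS from the next GDT entry (CS + 8). */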
	cs_sel = (u16)msr_data;
	cs_sel &= ~SELECTOR_RPL_MASK;
	ss_sel = cs_sel + 8;
	ss_sel &= ~SELECTOR_RPL_MASK;
	if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
		cs.d = 0;
		cs.l = 1;
	}

	ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
	ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);

	ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
	ctxt->_eip = msr_data;

	ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
	ctxt->regs[VCPU_REGS_RSP] = msr_data;

	return X86EMUL_CONTINUE;
}

static int em_sysexit(struct x86_emulate_ctxt *ctxt)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct desc_struct cs, ss;
	u64 msr_data;
	int usermode;
	u16 cs_sel = 0, ss_sel = 0;

	/* inject #GP if in real mode or Virtual 8086 mode */
	if (ctxt->mode == X86EMUL_MODE_REAL ||
	    ctxt->mode == X86EMUL_MODE_VM86)
		return emulate_gp(ctxt, 0);

	setup_syscalls_segments(ctxt, &cs, &ss);

	if ((ctxt->rex_prefix & 0x8) != 0x0)
		usermode = X86EMUL_MODE_PROT64;
	else
		usermode = X86EMUL_MODE_PROT32;

	cs.dpl = 3;
	ss.dpl = 3;
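	/* SYSEXIT returns to CPL 3; CS/SS come from IA32_SYSENTER_CS: +16/+24 for a 32-bit return, +32/+40 for 64-bit. */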
	ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
	switch (usermode) {
	case X86EMUL_MODE_PROT32:
		cs_sel = (u16)(msr_data + 16);
		if ((msr_data & 0xfffc) == 0x0)
			return emulate_gp(ctxt, 0);
		ss_sel = (u16)(msr_data + 24);
		break;
	case X86EMUL_MODE_PROT64:
		cs_sel = (u16)(msr_data + 32);
		if (msr_data == 0x0)
			return emulate_gp(ctxt, 0);
		ss_sel = cs_sel + 8;
		cs.d = 0;
		cs.l = 1;
		break;
	}
	cs_sel |= SELECTOR_RPL_MASK;
	ss_sel |= SELECTOR_RPL_MASK;

	ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
	ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);

	ctxt->_eip = ctxt->regs[VCPU_REGS_RDX];
	ctxt->regs[VCPU_REGS_RSP] = ctxt->regs[VCPU_REGS_RCX];

	return X86EMUL_CONTINUE;
}

static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt)
{
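	/*
	 * Returns true when port I/O must be validated against the TSS I/O
	 * bitmap: never in real mode, always in VM86, and in protected mode
	 * whenever CPL > IOPL.
	 */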
	int iopl;
	if (ctxt->mode == X86EMUL_MODE_REAL)
		return false;
	if (ctxt->mode == X86EMUL_MODE_VM86)
		return true;
	iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
	return ctxt->ops->cpl(ctxt) > iopl;
}

static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
					    u16 port, u16 len)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct desc_struct tr_seg;
	u32 base3;
	int r;
	u16 tr, io_bitmap_ptr, perm, bit_idx = port & 0x7;
	unsigned mask = (1 << len) - 1;
	unsigned long base;

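	/*
	 * The 32-bit TSS keeps a 16-bit I/O bitmap offset at byte 102; each
	 * port is one bit in the bitmap, and access is allowed only if every
	 * bit covering the accessed ports is clear.
	 */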
	ops->get_segment(ctxt, &tr, &tr_seg, &base3, VCPU_SREG_TR);
	if (!tr_seg.p)
		return false;
	if (desc_limit_scaled(&tr_seg) < 103)
		return false;
	base = get_desc_base(&tr_seg);
#ifdef CONFIG_X86_64
	base |= ((u64)base3) << 32;
#endif
	r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL);
	if (r != X86EMUL_CONTINUE)
		return false;
	if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
		return false;
	r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL);
	if (r != X86EMUL_CONTINUE)
		return false;
	if ((perm >> bit_idx) & mask)
		return false;
	return true;
}

static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
				 u16 port, u16 len)
{
	if (ctxt->perm_ok)
		return true;

	if (emulator_bad_iopl(ctxt))
		if (!emulator_io_port_access_allowed(ctxt, port, len))
			return false;

	ctxt->perm_ok = true;

	return true;
}

static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
				struct tss_segment_16 *tss)
{
	tss->ip = ctxt->_eip;
	tss->flag = ctxt->eflags;
	tss->ax = ctxt->regs[VCPU_REGS_RAX];
	tss->cx = ctxt->regs[VCPU_REGS_RCX];
	tss->dx = ctxt->regs[VCPU_REGS_RDX];
	tss->bx = ctxt->regs[VCPU_REGS_RBX];
	tss->sp = ctxt->regs[VCPU_REGS_RSP];
	tss->bp = ctxt->regs[VCPU_REGS_RBP];
	tss->si = ctxt->regs[VCPU_REGS_RSI];
	tss->di = ctxt->regs[VCPU_REGS_RDI];

	tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
	tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
	tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
	tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
	tss->ldt = get_segment_selector(ctxt, VCPU_SREG_LDTR);
}

static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
				 struct tss_segment_16 *tss)
{
	int ret;

	ctxt->_eip = tss->ip;
	ctxt->eflags = tss->flag | 2;
	ctxt->regs[VCPU_REGS_RAX] = tss->ax;
	ctxt->regs[VCPU_REGS_RCX] = tss->cx;
	ctxt->regs[VCPU_REGS_RDX] = tss->dx;
	ctxt->regs[VCPU_REGS_RBX] = tss->bx;
	ctxt->regs[VCPU_REGS_RSP] = tss->sp;
	ctxt->regs[VCPU_REGS_RBP] = tss->bp;
	ctxt->regs[VCPU_REGS_RSI] = tss->si;
	ctxt->regs[VCPU_REGS_RDI] = tss->di;

	/*
	 * SDM says that segment selectors are loaded before segment
	 * descriptors
	 */
	set_segment_selector(ctxt, tss->ldt, VCPU_SREG_LDTR);
	set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
	set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
	set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
	set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);

	/*
	 * Now load segment descriptors. If a fault happens at this stage
	 * it is handled in the context of the new task.
	 */
	ret = load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	return X86EMUL_CONTINUE;
}

static int task_switch_16(struct x86_emulate_ctxt *ctxt,
			  u16 tss_selector, u16 old_tss_sel,
			  ulong old_tss_base, struct desc_struct *new_desc)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct tss_segment_16 tss_seg;
	int ret;
	u32 new_tss_base = get_desc_base(new_desc);

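	/* Snapshot the outgoing TSS, refresh it with the current CPU state, write it back, then load the incoming task's state. */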
	ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
			    &ctxt->exception);
	if (ret != X86EMUL_CONTINUE)
		/* FIXME: need to provide precise fault address */
		return ret;

	save_state_to_tss16(ctxt, &tss_seg);

	ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
			     &ctxt->exception);
	if (ret != X86EMUL_CONTINUE)
		/* FIXME: need to provide precise fault address */
		return ret;

	ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
			    &ctxt->exception);
	if (ret != X86EMUL_CONTINUE)
		/* FIXME: need to provide precise fault address */
		return ret;

	if (old_tss_sel != 0xffff) {
		tss_seg.prev_task_link = old_tss_sel;

		ret = ops->write_std(ctxt, new_tss_base,
				     &tss_seg.prev_task_link,
				     sizeof tss_seg.prev_task_link,
				     &ctxt->exception);
		if (ret != X86EMUL_CONTINUE)
			/* FIXME: need to provide precise fault address */
			return ret;
	}

	return load_state_from_tss16(ctxt, &tss_seg);
}

static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
				struct tss_segment_32 *tss)
{
	tss->cr3 = ctxt->ops->get_cr(ctxt, 3);
	tss->eip = ctxt->_eip;
	tss->eflags = ctxt->eflags;
	tss->eax = ctxt->regs[VCPU_REGS_RAX];
	tss->ecx = ctxt->regs[VCPU_REGS_RCX];
	tss->edx = ctxt->regs[VCPU_REGS_RDX];
	tss->ebx = ctxt->regs[VCPU_REGS_RBX];
	tss->esp = ctxt->regs[VCPU_REGS_RSP];
	tss->ebp = ctxt->regs[VCPU_REGS_RBP];
	tss->esi = ctxt->regs[VCPU_REGS_RSI];
	tss->edi = ctxt->regs[VCPU_REGS_RDI];

	tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
	tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
	tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
	tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
	tss->fs = get_segment_selector(ctxt, VCPU_SREG_FS);
	tss->gs = get_segment_selector(ctxt, VCPU_SREG_GS);
	tss->ldt_selector = get_segment_selector(ctxt, VCPU_SREG_LDTR);
}

static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
				 struct tss_segment_32 *tss)
{
	int ret;

	if (ctxt->ops->set_cr(ctxt, 3, tss->cr3))
		return emulate_gp(ctxt, 0);
	ctxt->_eip = tss->eip;
	ctxt->eflags = tss->eflags | 2;

	/* General purpose registers */
	ctxt->regs[VCPU_REGS_RAX] = tss->eax;
	ctxt->regs[VCPU_REGS_RCX] = tss->ecx;
	ctxt->regs[VCPU_REGS_RDX] = tss->edx;
	ctxt->regs[VCPU_REGS_RBX] = tss->ebx;
	ctxt->regs[VCPU_REGS_RSP] = tss->esp;
	ctxt->regs[VCPU_REGS_RBP] = tss->ebp;
	ctxt->regs[VCPU_REGS_RSI] = tss->esi;
	ctxt->regs[VCPU_REGS_RDI] = tss->edi;

	/*
	 * SDM says that segment selectors are loaded before segment
	 * descriptors
	 */
	set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
	set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
	set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
	set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
	set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
	set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS);
	set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS);

	/*
	 * If we're switching between Protected Mode and VM86, we need to make
	 * sure to update the mode before loading the segment descriptors so
	 * that the selectors are interpreted correctly.
	 *
	 * Need to get rflags to the vcpu struct immediately because it
	 * influences the CPL which is checked at least when loading the segment
	 * descriptors and when pushing an error code to the new kernel stack.
	 *
	 * TODO Introduce a separate ctxt->ops->set_cpl callback
	 */
	if (ctxt->eflags & X86_EFLAGS_VM)
		ctxt->mode = X86EMUL_MODE_VM86;
	else
		ctxt->mode = X86EMUL_MODE_PROT32;

	ctxt->ops->set_rflags(ctxt, ctxt->eflags);

	/*
	 * Now load segment descriptors. If a fault happens at this stage
	 * it is handled in the context of the new task.
	 */
	ret = load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	return X86EMUL_CONTINUE;
}

static int task_switch_32(struct x86_emulate_ctxt *ctxt,
			  u16 tss_selector, u16 old_tss_sel,
			  ulong old_tss_base, struct desc_struct *new_desc)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct tss_segment_32 tss_seg;
	int ret;
	u32 new_tss_base = get_desc_base(new_desc);

	ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
			    &ctxt->exception);
	if (ret != X86EMUL_CONTINUE)
		/* FIXME: need to provide precise fault address */
		return ret;

	save_state_to_tss32(ctxt, &tss_seg);

	ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
			     &ctxt->exception);
	if (ret != X86EMUL_CONTINUE)
		/* FIXME: need to provide precise fault address */
		return ret;

	ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
			    &ctxt->exception);
	if (ret != X86EMUL_CONTINUE)
		/* FIXME: need to provide precise fault address */
		return ret;

	if (old_tss_sel != 0xffff) {
		tss_seg.prev_task_link = old_tss_sel;

		ret = ops->write_std(ctxt, new_tss_base,
				     &tss_seg.prev_task_link,
				     sizeof tss_seg.prev_task_link,
				     &ctxt->exception);
		if (ret != X86EMUL_CONTINUE)
			/* FIXME: need to provide precise fault address */
			return ret;
	}

	return load_state_from_tss32(ctxt, &tss_seg);
}

static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
				   u16 tss_selector, int idt_index, int reason,
				   bool has_error_code, u32 error_code)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	struct desc_struct curr_tss_desc, next_tss_desc;
	int ret;
	u16 old_tss_sel = get_segment_selector(ctxt, VCPU_SREG_TR);
	ulong old_tss_base =
		ops->get_cached_segment_base(ctxt, VCPU_SREG_TR);
	u32 desc_limit;

	/* FIXME: old_tss_base == ~0 ? */

	ret = read_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = read_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	/* FIXME: check that next_tss_desc is tss */

	/*
	 * Check privileges. The three cases are task switch caused by...
	 *
	 * 1. jmp/call/int to task gate: Check against DPL of the task gate
	 * 2. Exception/IRQ/iret: No check is performed
	 * 3. jmp/call to TSS: Check against DPL of the TSS
	 */
	if (reason == TASK_SWITCH_GATE) {
		if (idt_index != -1) {
			/* Software interrupts */
			struct desc_struct task_gate_desc;
			int dpl;

			ret = read_interrupt_descriptor(ctxt, idt_index,
							&task_gate_desc);
			if (ret != X86EMUL_CONTINUE)
				return ret;

			dpl = task_gate_desc.dpl;
			if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
				return emulate_gp(ctxt, (idt_index << 3) | 0x2);
		}
	} else if (reason != TASK_SWITCH_IRET) {
		int dpl = next_tss_desc.dpl;
		if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
			return emulate_gp(ctxt, tss_selector);
	}


	desc_limit = desc_limit_scaled(&next_tss_desc);
	if (!next_tss_desc.p ||
	    ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
	     desc_limit < 0x2b)) {
		emulate_ts(ctxt, tss_selector & 0xfffc);
		return X86EMUL_PROPAGATE_FAULT;
	}

	if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
		curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
		write_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
	}

	if (reason == TASK_SWITCH_IRET)
		ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;

	/* set back link to prev task only if NT bit is set in eflags
	   note that old_tss_sel is not used after this point */
	if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
		old_tss_sel = 0xffff;

	if (next_tss_desc.type & 8)
		ret = task_switch_32(ctxt, tss_selector, old_tss_sel,
				     old_tss_base, &next_tss_desc);
	else
		ret = task_switch_16(ctxt, tss_selector, old_tss_sel,
				     old_tss_base, &next_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
		ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;

	if (reason != TASK_SWITCH_IRET) {
		next_tss_desc.type |= (1 << 1); /* set busy flag */
		write_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
	}

	ops->set_cr(ctxt, 0,  ops->get_cr(ctxt, 0) | X86_CR0_TS);
	ops->set_segment(ctxt, tss_selector, &next_tss_desc, 0, VCPU_SREG_TR);

	if (has_error_code) {
		ctxt->op_bytes = ctxt->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
		ctxt->lock_prefix = 0;
		ctxt->src.val = (unsigned long) error_code;
		ret = em_push(ctxt);
	}

	return ret;
}

int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
			 u16 tss_selector, int idt_index, int reason,
			 bool has_error_code, u32 error_code)
{
	int rc;

	ctxt->_eip = ctxt->eip;
	ctxt->dst.type = OP_NONE;

	rc = emulator_do_task_switch(ctxt, tss_selector, idt_index, reason,
				     has_error_code, error_code);

	if (rc == X86EMUL_CONTINUE)
		ctxt->eip = ctxt->_eip;

	return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
}

static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned seg,
			    int reg, struct operand *op)
{
	int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;

	register_address_increment(ctxt, &ctxt->regs[reg], df * op->bytes);
	op->addr.mem.ea = register_address(ctxt, ctxt->regs[reg]);
	op->addr.mem.seg = seg;
}

static int em_das(struct x86_emulate_ctxt *ctxt)
{
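	/* das: decimal-adjust AL after a packed BCD subtraction. */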
	u8 al, old_al;
	bool af, cf, old_cf;

	cf = ctxt->eflags & X86_EFLAGS_CF;
	al = ctxt->dst.val;

	old_al = al;
	old_cf = cf;
	cf = false;
	af = ctxt->eflags & X86_EFLAGS_AF;
	if ((al & 0x0f) > 9 || af) {
		al -= 6;
		cf = old_cf | (al >= 250);
		af = true;
	} else {
		af = false;
	}
	if (old_al > 0x99 || old_cf) {
		al -= 0x60;
		cf = true;
	}

	ctxt->dst.val = al;
	/* Set PF, ZF, SF */
	ctxt->src.type = OP_IMM;
	ctxt->src.val = 0;
	ctxt->src.bytes = 1;
	emulate_2op_SrcV(ctxt, "or");
	ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
	if (cf)
		ctxt->eflags |= X86_EFLAGS_CF;
	if (af)
		ctxt->eflags |= X86_EFLAGS_AF;
	return X86EMUL_CONTINUE;
}

static int em_call(struct x86_emulate_ctxt *ctxt)
{
	long rel = ctxt->src.val;

	ctxt->src.val = (unsigned long)ctxt->_eip;
	jmp_rel(ctxt, rel);
	return em_push(ctxt);
}

static int em_call_far(struct x86_emulate_ctxt *ctxt)
{
	u16 sel, old_cs;
	ulong old_eip;
	int rc;

	old_cs = get_segment_selector(ctxt, VCPU_SREG_CS);
	old_eip = ctxt->_eip;

	memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
	if (load_segment_descriptor(ctxt, sel, VCPU_SREG_CS))
		return X86EMUL_CONTINUE;

	ctxt->_eip = 0;
	memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);

	ctxt->src.val = old_cs;
	rc = em_push(ctxt);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	ctxt->src.val = old_eip;
	return em_push(ctxt);
}

static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
{
	int rc;

	ctxt->dst.type = OP_REG;
	ctxt->dst.addr.reg = &ctxt->_eip;
	ctxt->dst.bytes = ctxt->op_bytes;
	rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RSP], ctxt->src.val);
	return X86EMUL_CONTINUE;
}

static int em_add(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV(ctxt, "add");
	return X86EMUL_CONTINUE;
}

static int em_or(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV(ctxt, "or");
	return X86EMUL_CONTINUE;
}

static int em_adc(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV(ctxt, "adc");
	return X86EMUL_CONTINUE;
}

static int em_sbb(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV(ctxt, "sbb");
	return X86EMUL_CONTINUE;
}

static int em_and(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV(ctxt, "and");
	return X86EMUL_CONTINUE;
}

static int em_sub(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV(ctxt, "sub");
	return X86EMUL_CONTINUE;
}

static int em_xor(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV(ctxt, "xor");
	return X86EMUL_CONTINUE;
}

static int em_cmp(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV(ctxt, "cmp");
	/* Disable writeback. */
	ctxt->dst.type = OP_NONE;
	return X86EMUL_CONTINUE;
}

static int em_test(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV(ctxt, "test");
	/* Disable writeback. */
	ctxt->dst.type = OP_NONE;
	return X86EMUL_CONTINUE;
}

static int em_xchg(struct x86_emulate_ctxt *ctxt)
{
	/* Write back the register source. */
	ctxt->src.val = ctxt->dst.val;
	write_register_operand(&ctxt->src);

	/* Write back the memory destination with implicit LOCK prefix. */
	ctxt->dst.val = ctxt->src.orig_val;
	ctxt->lock_prefix = 1;
	return X86EMUL_CONTINUE;
}

static int em_imul(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV_nobyte(ctxt, "imul");
	return X86EMUL_CONTINUE;
}

static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
{
	ctxt->dst.val = ctxt->src2.val;
	return em_imul(ctxt);
}

static int em_cwd(struct x86_emulate_ctxt *ctxt)
{
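	/* cwd/cdq: fill rDX with copies of the accumulator's sign bit (0 or all ones). */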
	ctxt->dst.type = OP_REG;
	ctxt->dst.bytes = ctxt->src.bytes;
	ctxt->dst.addr.reg = &ctxt->regs[VCPU_REGS_RDX];
	ctxt->dst.val = ~((ctxt->src.val >> (ctxt->src.bytes * 8 - 1)) - 1);

	return X86EMUL_CONTINUE;
}

static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
{
	u64 tsc = 0;

	ctxt->ops->get_msr(ctxt, MSR_IA32_TSC, &tsc);
	ctxt->regs[VCPU_REGS_RAX] = (u32)tsc;
	ctxt->regs[VCPU_REGS_RDX] = tsc >> 32;
	return X86EMUL_CONTINUE;
}

static int em_rdpmc(struct x86_emulate_ctxt *ctxt)
{
	u64 pmc;

	if (ctxt->ops->read_pmc(ctxt, ctxt->regs[VCPU_REGS_RCX], &pmc))
		return emulate_gp(ctxt, 0);
	ctxt->regs[VCPU_REGS_RAX] = (u32)pmc;
	ctxt->regs[VCPU_REGS_RDX] = pmc >> 32;
	return X86EMUL_CONTINUE;
}

static int em_mov(struct x86_emulate_ctxt *ctxt)
{
	memcpy(ctxt->dst.valptr, ctxt->src.valptr, ctxt->op_bytes);
	return X86EMUL_CONTINUE;
}

static int em_cr_write(struct x86_emulate_ctxt *ctxt)
{
	if (ctxt->ops->set_cr(ctxt, ctxt->modrm_reg, ctxt->src.val))
		return emulate_gp(ctxt, 0);

	/* Disable writeback. */
	ctxt->dst.type = OP_NONE;
	return X86EMUL_CONTINUE;
}

static int em_dr_write(struct x86_emulate_ctxt *ctxt)
{
	unsigned long val;

	if (ctxt->mode == X86EMUL_MODE_PROT64)
		val = ctxt->src.val & ~0ULL;
	else
		val = ctxt->src.val & ~0U;

	/* #UD condition is already handled. */
	if (ctxt->ops->set_dr(ctxt, ctxt->modrm_reg, val) < 0)
		return emulate_gp(ctxt, 0);

	/* Disable writeback. */
	ctxt->dst.type = OP_NONE;
	return X86EMUL_CONTINUE;
}

static int em_wrmsr(struct x86_emulate_ctxt *ctxt)
{
	u64 msr_data;

	msr_data = (u32)ctxt->regs[VCPU_REGS_RAX]
		| ((u64)ctxt->regs[VCPU_REGS_RDX] << 32);
	if (ctxt->ops->set_msr(ctxt, ctxt->regs[VCPU_REGS_RCX], msr_data))
		return emulate_gp(ctxt, 0);

	return X86EMUL_CONTINUE;
}

static int em_rdmsr(struct x86_emulate_ctxt *ctxt)
{
	u64 msr_data;

	if (ctxt->ops->get_msr(ctxt, ctxt->regs[VCPU_REGS_RCX], &msr_data))
		return emulate_gp(ctxt, 0);

	ctxt->regs[VCPU_REGS_RAX] = (u32)msr_data;
	ctxt->regs[VCPU_REGS_RDX] = msr_data >> 32;
	return X86EMUL_CONTINUE;
}

static int em_mov_rm_sreg(struct x86_emulate_ctxt *ctxt)
{
	if (ctxt->modrm_reg > VCPU_SREG_GS)
		return emulate_ud(ctxt);

	ctxt->dst.val = get_segment_selector(ctxt, ctxt->modrm_reg);
	return X86EMUL_CONTINUE;
}

static int em_mov_sreg_rm(struct x86_emulate_ctxt *ctxt)
{
	u16 sel = ctxt->src.val;

	if (ctxt->modrm_reg == VCPU_SREG_CS || ctxt->modrm_reg > VCPU_SREG_GS)
		return emulate_ud(ctxt);

	if (ctxt->modrm_reg == VCPU_SREG_SS)
		ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;

	/* Disable writeback. */
	ctxt->dst.type = OP_NONE;
	return load_segment_descriptor(ctxt, sel, ctxt->modrm_reg);
}

static int em_invlpg(struct x86_emulate_ctxt *ctxt)
{
	int rc;
	ulong linear;

	rc = linearize(ctxt, ctxt->src.addr.mem, 1, false, &linear);
	if (rc == X86EMUL_CONTINUE)
		ctxt->ops->invlpg(ctxt, linear);
	/* Disable writeback. */
	ctxt->dst.type = OP_NONE;
	return X86EMUL_CONTINUE;
}

static int em_clts(struct x86_emulate_ctxt *ctxt)
{
	ulong cr0;

	cr0 = ctxt->ops->get_cr(ctxt, 0);
	cr0 &= ~X86_CR0_TS;
	ctxt->ops->set_cr(ctxt, 0, cr0);
	return X86EMUL_CONTINUE;
}

static int em_vmcall(struct x86_emulate_ctxt *ctxt)
{
	int rc;

	if (ctxt->modrm_mod != 3 || ctxt->modrm_rm != 1)
		return X86EMUL_UNHANDLEABLE;

	rc = ctxt->ops->fix_hypercall(ctxt);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	/* Let the processor re-execute the fixed hypercall */
	ctxt->_eip = ctxt->eip;
	/* Disable writeback. */
	ctxt->dst.type = OP_NONE;
	return X86EMUL_CONTINUE;
}

static int em_lgdt(struct x86_emulate_ctxt *ctxt)
{
	struct desc_ptr desc_ptr;
	int rc;

	if (ctxt->mode == X86EMUL_MODE_PROT64)
		ctxt->op_bytes = 8;
	rc = read_descriptor(ctxt, ctxt->src.addr.mem,
			     &desc_ptr.size, &desc_ptr.address,
			     ctxt->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	ctxt->ops->set_gdt(ctxt, &desc_ptr);
	/* Disable writeback. */
	ctxt->dst.type = OP_NONE;
	return X86EMUL_CONTINUE;
}

static int em_vmmcall(struct x86_emulate_ctxt *ctxt)
{
	int rc;

	rc = ctxt->ops->fix_hypercall(ctxt);

	/* Disable writeback. */
	ctxt->dst.type = OP_NONE;
	return rc;
}

static int em_lidt(struct x86_emulate_ctxt *ctxt)
{
	struct desc_ptr desc_ptr;
	int rc;

	if (ctxt->mode == X86EMUL_MODE_PROT64)
		ctxt->op_bytes = 8;
	rc = read_descriptor(ctxt, ctxt->src.addr.mem,
			     &desc_ptr.size, &desc_ptr.address,
			     ctxt->op_bytes);
	if (rc != X86EMUL_CONTINUE)
		return rc;
	ctxt->ops->set_idt(ctxt, &desc_ptr);
	/* Disable writeback. */
	ctxt->dst.type = OP_NONE;
	return X86EMUL_CONTINUE;
}

static int em_smsw(struct x86_emulate_ctxt *ctxt)
{
	ctxt->dst.bytes = 2;
	ctxt->dst.val = ctxt->ops->get_cr(ctxt, 0);
	return X86EMUL_CONTINUE;
}

static int em_lmsw(struct x86_emulate_ctxt *ctxt)
{
	ctxt->ops->set_cr(ctxt, 0, (ctxt->ops->get_cr(ctxt, 0) & ~0x0eul)
			  | (ctxt->src.val & 0x0f));
	ctxt->dst.type = OP_NONE;
	return X86EMUL_CONTINUE;
}

static int em_loop(struct x86_emulate_ctxt *ctxt)
{
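	/* loopne/loope/loop (0xe0-0xe2): decrement rCX and branch while it is non-zero and, for 0xe0/0xe1, ZF matches. */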
	register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RCX], -1);
	if ((address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) != 0) &&
	    (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
		jmp_rel(ctxt, ctxt->src.val);

	return X86EMUL_CONTINUE;
}

static int em_jcxz(struct x86_emulate_ctxt *ctxt)
{
	if (address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) == 0)
		jmp_rel(ctxt, ctxt->src.val);

	return X86EMUL_CONTINUE;
}

static int em_in(struct x86_emulate_ctxt *ctxt)
{
	if (!pio_in_emulated(ctxt, ctxt->dst.bytes, ctxt->src.val,
			     &ctxt->dst.val))
		return X86EMUL_IO_NEEDED;

	return X86EMUL_CONTINUE;
}

static int em_out(struct x86_emulate_ctxt *ctxt)
{
	ctxt->ops->pio_out_emulated(ctxt, ctxt->src.bytes, ctxt->dst.val,
				    &ctxt->src.val, 1);
	/* Disable writeback. */
	ctxt->dst.type = OP_NONE;
	return X86EMUL_CONTINUE;
}

static int em_cli(struct x86_emulate_ctxt *ctxt)
{
	if (emulator_bad_iopl(ctxt))
		return emulate_gp(ctxt, 0);

	ctxt->eflags &= ~X86_EFLAGS_IF;
	return X86EMUL_CONTINUE;
}

static int em_sti(struct x86_emulate_ctxt *ctxt)
{
	if (emulator_bad_iopl(ctxt))
		return emulate_gp(ctxt, 0);

	ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
	ctxt->eflags |= X86_EFLAGS_IF;
	return X86EMUL_CONTINUE;
}

static int em_bt(struct x86_emulate_ctxt *ctxt)
{
	/* Disable writeback. */
	ctxt->dst.type = OP_NONE;
	/* only subword offset */
	ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;

	emulate_2op_SrcV_nobyte(ctxt, "bt");
	return X86EMUL_CONTINUE;
}

static int em_bts(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV_nobyte(ctxt, "bts");
	return X86EMUL_CONTINUE;
}

static int em_btr(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV_nobyte(ctxt, "btr");
	return X86EMUL_CONTINUE;
}

static int em_btc(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV_nobyte(ctxt, "btc");
	return X86EMUL_CONTINUE;
}

static int em_bsf(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV_nobyte(ctxt, "bsf");
	return X86EMUL_CONTINUE;
}

static int em_bsr(struct x86_emulate_ctxt *ctxt)
{
	emulate_2op_SrcV_nobyte(ctxt, "bsr");
	return X86EMUL_CONTINUE;
}

static int em_cpuid(struct x86_emulate_ctxt *ctxt)
{
	u32 eax, ebx, ecx, edx;

	eax = ctxt->regs[VCPU_REGS_RAX];
	ecx = ctxt->regs[VCPU_REGS_RCX];
	ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx);
	ctxt->regs[VCPU_REGS_RAX] = eax;
	ctxt->regs[VCPU_REGS_RBX] = ebx;
	ctxt->regs[VCPU_REGS_RCX] = ecx;
	ctxt->regs[VCPU_REGS_RDX] = edx;
	return X86EMUL_CONTINUE;
}

static bool valid_cr(int nr)
{
	switch (nr) {
	case 0:
	case 2 ... 4:
	case 8:
		return true;
	default:
		return false;
	}
}

static int check_cr_read(struct x86_emulate_ctxt *ctxt)
{
	if (!valid_cr(ctxt->modrm_reg))
		return emulate_ud(ctxt);

	return X86EMUL_CONTINUE;
}

static int check_cr_write(struct x86_emulate_ctxt *ctxt)
{
	u64 new_val = ctxt->src.val64;
	int cr = ctxt->modrm_reg;
	u64 efer = 0;

	static u64 cr_reserved_bits[] = {
		0xffffffff00000000ULL,
		0, 0, 0, /* CR3 checked later */
		CR4_RESERVED_BITS,
		0, 0, 0,
		CR8_RESERVED_BITS,
	};

	if (!valid_cr(cr))
		return emulate_ud(ctxt);

	if (new_val & cr_reserved_bits[cr])
		return emulate_gp(ctxt, 0);

	switch (cr) {
	case 0: {
		u64 cr4;
		if (((new_val & X86_CR0_PG) && !(new_val & X86_CR0_PE)) ||
		    ((new_val & X86_CR0_NW) && !(new_val & X86_CR0_CD)))
			return emulate_gp(ctxt, 0);

		cr4 = ctxt->ops->get_cr(ctxt, 4);
		ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);

		if ((new_val & X86_CR0_PG) && (efer & EFER_LME) &&
		    !(cr4 & X86_CR4_PAE))
			return emulate_gp(ctxt, 0);

		break;
		}
	case 3: {
		u64 rsvd = 0;

		ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
		if (efer & EFER_LMA)
			rsvd = CR3_L_MODE_RESERVED_BITS;
		else if (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_PAE)
			rsvd = CR3_PAE_RESERVED_BITS;
		else if (ctxt->ops->get_cr(ctxt, 0) & X86_CR0_PG)
			rsvd = CR3_NONPAE_RESERVED_BITS;

		if (new_val & rsvd)
			return emulate_gp(ctxt, 0);

		break;
		}
	case 4: {
		ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);

		if ((efer & EFER_LMA) && !(new_val & X86_CR4_PAE))
			return emulate_gp(ctxt, 0);

		break;
		}
	}

	return X86EMUL_CONTINUE;
}

static int check_dr7_gd(struct x86_emulate_ctxt *ctxt)
{
	unsigned long dr7;

	ctxt->ops->get_dr(ctxt, 7, &dr7);

	/* Check if DR7.Global_Enable is set */
	return dr7 & (1 << 13);
}

static int check_dr_read(struct x86_emulate_ctxt *ctxt)
{
	int dr = ctxt->modrm_reg;
	u64 cr4;

	if (dr > 7)
		return emulate_ud(ctxt);

	cr4 = ctxt->ops->get_cr(ctxt, 4);
	if ((cr4 & X86_CR4_DE) && (dr == 4 || dr == 5))
		return emulate_ud(ctxt);

	if (check_dr7_gd(ctxt))
		return emulate_db(ctxt);

	return X86EMUL_CONTINUE;
}

static int check_dr_write(struct x86_emulate_ctxt *ctxt)
{
	u64 new_val = ctxt->src.val64;
	int dr = ctxt->modrm_reg;

	if ((dr == 6 || dr == 7) && (new_val & 0xffffffff00000000ULL))
		return emulate_gp(ctxt, 0);

	return check_dr_read(ctxt);
}

static int check_svme(struct x86_emulate_ctxt *ctxt)
{
	u64 efer;

	ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);

	if (!(efer & EFER_SVME))
		return emulate_ud(ctxt);

	return X86EMUL_CONTINUE;
}

static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
{
	u64 rax = ctxt->regs[VCPU_REGS_RAX];

	/* Valid physical address? */
	if (rax & 0xffff000000000000ULL)
		return emulate_gp(ctxt, 0);

	return check_svme(ctxt);
}

static int check_rdtsc(struct x86_emulate_ctxt *ctxt)
{
	u64 cr4 = ctxt->ops->get_cr(ctxt, 4);

	if (cr4 & X86_CR4_TSD && ctxt->ops->cpl(ctxt))
		return emulate_ud(ctxt);

	return X86EMUL_CONTINUE;
}

static int check_rdpmc(struct x86_emulate_ctxt *ctxt)
{
	u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
	u64 rcx = ctxt->regs[VCPU_REGS_RCX];

	if ((!(cr4 & X86_CR4_PCE) && ctxt->ops->cpl(ctxt)) ||
	    (rcx > 3))
		return emulate_gp(ctxt, 0);

	return X86EMUL_CONTINUE;
}

static int check_perm_in(struct x86_emulate_ctxt *ctxt)
{
	ctxt->dst.bytes = min(ctxt->dst.bytes, 4u);
	if (!emulator_io_permited(ctxt, ctxt->src.val, ctxt->dst.bytes))
		return emulate_gp(ctxt, 0);

	return X86EMUL_CONTINUE;
}

static int check_perm_out(struct x86_emulate_ctxt *ctxt)
{
	ctxt->src.bytes = min(ctxt->src.bytes, 4u);
	if (!emulator_io_permited(ctxt, ctxt->dst.val, ctxt->src.bytes))
		return emulate_gp(ctxt, 0);

	return X86EMUL_CONTINUE;
}

#define D(_y) { .flags = (_y) }
#define DI(_y, _i) { .flags = (_y), .intercept = x86_intercept_##_i }
#define DIP(_y, _i, _p) { .flags = (_y), .intercept = x86_intercept_##_i, \
		      .check_perm = (_p) }
#define N    D(0)
#define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
#define G(_f, _g) { .flags = ((_f) | Group | ModRM), .u.group = (_g) }
#define GD(_f, _g) { .flags = ((_f) | GroupDual | ModRM), .u.gdual = (_g) }
#define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
#define II(_f, _e, _i) \
	{ .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i }
#define IIP(_f, _e, _i, _p) \
	{ .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i, \
	  .check_perm = (_p) }
#define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }

#define D2bv(_f)      D((_f) | ByteOp), D(_f)
#define D2bvIP(_f, _i, _p) DIP((_f) | ByteOp, _i, _p), DIP(_f, _i, _p)
#define I2bv(_f, _e)  I((_f) | ByteOp, _e), I(_f, _e)
#define I2bvIP(_f, _e, _i, _p) \
	IIP((_f) | ByteOp, _e, _i, _p), IIP(_f, _e, _i, _p)

#define I6ALU(_f, _e) I2bv((_f) | DstMem | SrcReg | ModRM, _e),		\
		I2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock, _e),	\
		I2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)

static struct opcode group7_rm1[] = {
	DI(SrcNone | Priv, monitor),
	DI(SrcNone | Priv, mwait),
	N, N, N, N, N, N,
};

static struct opcode group7_rm3[] = {
	DIP(SrcNone | Prot | Priv,		vmrun,		check_svme_pa),
	II(SrcNone  | Prot | VendorSpecific,	em_vmmcall,	vmmcall),
	DIP(SrcNone | Prot | Priv,		vmload,		check_svme_pa),
	DIP(SrcNone | Prot | Priv,		vmsave,		check_svme_pa),
	DIP(SrcNone | Prot | Priv,		stgi,		check_svme),
	DIP(SrcNone | Prot | Priv,		clgi,		check_svme),
	DIP(SrcNone | Prot | Priv,		skinit,		check_svme),
	DIP(SrcNone | Prot | Priv,		invlpga,	check_svme),
};

static struct opcode group7_rm7[] = {
	N,
	DIP(SrcNone, rdtscp, check_rdtsc),
	N, N, N, N, N, N,
};

static struct opcode group1[] = {
	I(Lock, em_add),
	I(Lock | PageTable, em_or),
	I(Lock, em_adc),
	I(Lock, em_sbb),
	I(Lock | PageTable, em_and),
	I(Lock, em_sub),
	I(Lock, em_xor),
	I(0, em_cmp),
};

static struct opcode group1A[] = {
	I(DstMem | SrcNone | Mov | Stack, em_pop), N, N, N, N, N, N, N,
};

static struct opcode group3[] = {
	I(DstMem | SrcImm, em_test),
	I(DstMem | SrcImm, em_test),
	I(DstMem | SrcNone | Lock, em_not),
	I(DstMem | SrcNone | Lock, em_neg),
	I(SrcMem, em_mul_ex),
	I(SrcMem, em_imul_ex),
	I(SrcMem, em_div_ex),
	I(SrcMem, em_idiv_ex),
};

static struct opcode group4[] = {
	I(ByteOp | DstMem | SrcNone | Lock, em_grp45),
	I(ByteOp | DstMem | SrcNone | Lock, em_grp45),
	N, N, N, N, N, N,
};

static struct opcode group5[] = {
	I(DstMem | SrcNone | Lock,		em_grp45),
	I(DstMem | SrcNone | Lock,		em_grp45),
	I(SrcMem | Stack,			em_grp45),
	I(SrcMemFAddr | ImplicitOps | Stack,	em_call_far),
	I(SrcMem | Stack,			em_grp45),
	I(SrcMemFAddr | ImplicitOps,		em_grp45),
	I(SrcMem | Stack,			em_grp45), N,
};

static struct opcode group6[] = {
	DI(Prot,	sldt),
	DI(Prot,	str),
	DI(Prot | Priv,	lldt),
	DI(Prot | Priv,	ltr),
	N, N, N, N,
};

static struct group_dual group7 = { {
	DI(Mov | DstMem | Priv,			sgdt),
	DI(Mov | DstMem | Priv,			sidt),
	II(SrcMem | Priv,			em_lgdt, lgdt),
	II(SrcMem | Priv,			em_lidt, lidt),
	II(SrcNone | DstMem | Mov,		em_smsw, smsw), N,
	II(SrcMem16 | Mov | Priv,		em_lmsw, lmsw),
	II(SrcMem | ByteOp | Priv | NoAccess,	em_invlpg, invlpg),
}, {
	I(SrcNone | Priv | VendorSpecific,	em_vmcall),
	EXT(0, group7_rm1),
	N, EXT(0, group7_rm3),
	II(SrcNone | DstMem | Mov,		em_smsw, smsw), N,
	II(SrcMem16 | Mov | Priv,		em_lmsw, lmsw),
	EXT(0, group7_rm7),
} };

static struct opcode group8[] = {
	N, N, N, N,
	I(DstMem | SrcImmByte,				em_bt),
	I(DstMem | SrcImmByte | Lock | PageTable,	em_bts),
	I(DstMem | SrcImmByte | Lock,			em_btr),
	I(DstMem | SrcImmByte | Lock | PageTable,	em_btc),
};

static struct group_dual group9 = { {
	N, I(DstMem64 | Lock | PageTable, em_cmpxchg8b), N, N, N, N, N, N,
}, {
	N, N, N, N, N, N, N, N,
} };

static struct opcode group11[] = {
	I(DstMem | SrcImm | Mov | PageTable, em_mov),
	X7(D(Undefined)),
};

static struct gprefix pfx_0f_6f_0f_7f = {
	I(Mmx, em_mov), I(Sse | Aligned, em_mov), N, I(Sse | Unaligned, em_mov),
};

static struct gprefix pfx_vmovntpx = {
	I(0, em_mov), N, N, N,
};

static struct opcode opcode_table[256] = {
	/* 0x00 - 0x07 */
	I6ALU(Lock, em_add),
	I(ImplicitOps | Stack | No64 | Src2ES, em_push_sreg),
	I(ImplicitOps | Stack | No64 | Src2ES, em_pop_sreg),
	/* 0x08 - 0x0F */
	I6ALU(Lock | PageTable, em_or),
	I(ImplicitOps | Stack | No64 | Src2CS, em_push_sreg),
	N,
	/* 0x10 - 0x17 */
	I6ALU(Lock, em_adc),
	I(ImplicitOps | Stack | No64 | Src2SS, em_push_sreg),
	I(ImplicitOps | Stack | No64 | Src2SS, em_pop_sreg),
	/* 0x18 - 0x1F */
	I6ALU(Lock, em_sbb),
	I(ImplicitOps | Stack | No64 | Src2DS, em_push_sreg),
	I(ImplicitOps | Stack | No64 | Src2DS, em_pop_sreg),
	/* 0x20 - 0x27 */
	I6ALU(Lock | PageTable, em_and), N, N,
	/* 0x28 - 0x2F */
	I6ALU(Lock, em_sub), N, I(ByteOp | DstAcc | No64, em_das),
	/* 0x30 - 0x37 */
	I6ALU(Lock, em_xor), N, N,
	/* 0x38 - 0x3F */
	I6ALU(0, em_cmp), N, N,
	/* 0x40 - 0x4F */
	X16(D(DstReg)),
	/* 0x50 - 0x57 */
	X8(I(SrcReg | Stack, em_push)),
	/* 0x58 - 0x5F */
	X8(I(DstReg | Stack, em_pop)),
	/* 0x60 - 0x67 */
	I(ImplicitOps | Stack | No64, em_pusha),
	I(ImplicitOps | Stack | No64, em_popa),
	N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
	N, N, N, N,
	/* 0x68 - 0x6F */
	I(SrcImm | Mov | Stack, em_push),
	I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
	I(SrcImmByte | Mov | Stack, em_push),
	I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
	I2bvIP(DstDI | SrcDX | Mov | String, em_in, ins, check_perm_in), /* insb, insw/insd */
	I2bvIP(SrcSI | DstDX | String, em_out, outs, check_perm_out), /* outsb, outsw/outsd */
	/* 0x70 - 0x7F */
	X16(D(SrcImmByte)),
	/* 0x80 - 0x87 */
	G(ByteOp | DstMem | SrcImm, group1),
	G(DstMem | SrcImm, group1),
	G(ByteOp | DstMem | SrcImm | No64, group1),
	G(DstMem | SrcImmByte, group1),
	I2bv(DstMem | SrcReg | ModRM, em_test),
	I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_xchg),
	/* 0x88 - 0x8F */
	I2bv(DstMem | SrcReg | ModRM | Mov | PageTable, em_mov),
	I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
	I(DstMem | SrcNone | ModRM | Mov | PageTable, em_mov_rm_sreg),
	D(ModRM | SrcMem | NoAccess | DstReg),
	I(ImplicitOps | SrcMem16 | ModRM, em_mov_sreg_rm),
	G(0, group1A),
	/* 0x90 - 0x97 */
	DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)),
	/* 0x98 - 0x9F */
	D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
	I(SrcImmFAddr | No64, em_call_far), N,
	II(ImplicitOps | Stack, em_pushf, pushf),
	II(ImplicitOps | Stack, em_popf, popf), N, N,
	/* 0xA0 - 0xA7 */
	I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
	I2bv(DstMem | SrcAcc | Mov | MemAbs | PageTable, em_mov),
	I2bv(SrcSI | DstDI | Mov | String, em_mov),
	I2bv(SrcSI | DstDI | String, em_cmp),
	/* 0xA8 - 0xAF */
	I2bv(DstAcc | SrcImm, em_test),
	I2bv(SrcAcc | DstDI | Mov | String, em_mov),
	I2bv(SrcSI | DstAcc | Mov | String, em_mov),
	I2bv(SrcAcc | DstDI | String, em_cmp),
	/* 0xB0 - 0xB7 */
	X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
	/* 0xB8 - 0xBF */
	X8(I(DstReg | SrcImm | Mov, em_mov)),
	/* 0xC0 - 0xC7 */
	D2bv(DstMem | SrcImmByte | ModRM),
	I(ImplicitOps | Stack | SrcImmU16, em_ret_near_imm),
	I(ImplicitOps | Stack, em_ret),
	I(DstReg | SrcMemFAddr | ModRM | No64 | Src2ES, em_lseg),
	I(DstReg | SrcMemFAddr | ModRM | No64 | Src2DS, em_lseg),
	G(ByteOp, group11), G(0, group11),
	/* 0xC8 - 0xCF */
	N, I(Stack, em_leave), N, I(ImplicitOps | Stack, em_ret_far),
	D(ImplicitOps), DI(SrcImmByte, intn),
	D(ImplicitOps | No64), II(ImplicitOps, em_iret, iret),
	/* 0xD0 - 0xD7 */
	D2bv(DstMem | SrcOne | ModRM), D2bv(DstMem | ModRM),
	N, N, N, N,
	/* 0xD8 - 0xDF */
	N, N, N, N, N, N, N, N,
	/* 0xE0 - 0xE7 */
	X3(I(SrcImmByte, em_loop)),
	I(SrcImmByte, em_jcxz),
	I2bvIP(SrcImmUByte | DstAcc, em_in,  in,  check_perm_in),
	I2bvIP(SrcAcc | DstImmUByte, em_out, out, check_perm_out),
	/* 0xE8 - 0xEF */
	I(SrcImm | Stack, em_call), D(SrcImm | ImplicitOps),
	I(SrcImmFAddr | No64, em_jmp_far), D(SrcImmByte | ImplicitOps),
3624 3625
	I2bvIP(SrcDX | DstAcc, em_in,  in,  check_perm_in),
	I2bvIP(SrcAcc | DstDX, em_out, out, check_perm_out),
3626
	/* 0xF0 - 0xF7 */
3627
	N, DI(ImplicitOps, icebp), N, N,
3628 3629
	DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
	G(ByteOp, group3), G(0, group3),
3630
	/* 0xF8 - 0xFF */
3631 3632
	D(ImplicitOps), D(ImplicitOps),
	I(ImplicitOps, em_cli), I(ImplicitOps, em_sti),
3633 3634 3635 3636 3637
	D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
};

static struct opcode twobyte_table[256] = {
	/* 0x00 - 0x0F */
	G(0, group6), GD(0, &group7), N, N,
	N, I(ImplicitOps | VendorSpecific, em_syscall),
	II(ImplicitOps | Priv, em_clts, clts), N,
	DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
	N, D(ImplicitOps | ModRM), N, N,
	/* 0x10 - 0x1F */
	N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
	/* 0x20 - 0x2F */
	DIP(ModRM | DstMem | Priv | Op3264, cr_read, check_cr_read),
	DIP(ModRM | DstMem | Priv | Op3264, dr_read, check_dr_read),
	IIP(ModRM | SrcMem | Priv | Op3264, em_cr_write, cr_write, check_cr_write),
	IIP(ModRM | SrcMem | Priv | Op3264, em_dr_write, dr_write, check_dr_write),
	N, N, N, N,
	N, N, N, GP(ModRM | DstMem | SrcReg | Sse | Mov | Aligned, &pfx_vmovntpx),
	N, N, N, N,
	/* 0x30 - 0x3F */
	II(ImplicitOps | Priv, em_wrmsr, wrmsr),
	IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
	II(ImplicitOps | Priv, em_rdmsr, rdmsr),
	IIP(ImplicitOps, em_rdpmc, rdpmc, check_rdpmc),
	I(ImplicitOps | VendorSpecific, em_sysenter),
	I(ImplicitOps | Priv | VendorSpecific, em_sysexit),
	N, N,
	N, N, N, N, N, N, N, N,
	/* 0x40 - 0x4F */
	X16(D(DstReg | SrcMem | ModRM | Mov)),
	/* 0x50 - 0x5F */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0x60 - 0x6F */
	N, N, N, N,
	N, N, N, N,
	N, N, N, N,
	N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
	/* 0x70 - 0x7F */
	N, N, N, N,
	N, N, N, N,
	N, N, N, N,
	N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
	/* 0x80 - 0x8F */
	X16(D(SrcImm)),
	/* 0x90 - 0x9F */
	X16(D(ByteOp | DstMem | SrcNone | ModRM | Mov)),
	/* 0xA0 - 0xA7 */
	I(Stack | Src2FS, em_push_sreg), I(Stack | Src2FS, em_pop_sreg),
	II(ImplicitOps, em_cpuid, cpuid), I(DstMem | SrcReg | ModRM | BitOp, em_bt),
	D(DstMem | SrcReg | Src2ImmByte | ModRM),
	D(DstMem | SrcReg | Src2CL | ModRM), N, N,
	/* 0xA8 - 0xAF */
	I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg),
	DI(ImplicitOps, rsm),
	I(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
	D(DstMem | SrcReg | Src2ImmByte | ModRM),
	D(DstMem | SrcReg | Src2CL | ModRM),
	D(ModRM), I(DstReg | SrcMem | ModRM, em_imul),
	/* 0xB0 - 0xB7 */
	I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_cmpxchg),
	I(DstReg | SrcMemFAddr | ModRM | Src2SS, em_lseg),
	I(DstMem | SrcReg | ModRM | BitOp | Lock, em_btr),
	I(DstReg | SrcMemFAddr | ModRM | Src2FS, em_lseg),
	I(DstReg | SrcMemFAddr | ModRM | Src2GS, em_lseg),
	D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
	/* 0xB8 - 0xBF */
	N, N,
	G(BitOp, group8),
	I(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_btc),
	I(DstReg | SrcMem | ModRM, em_bsf), I(DstReg | SrcMem | ModRM, em_bsr),
	D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
	/* 0xC0 - 0xCF */
	D2bv(DstMem | SrcReg | ModRM | Lock),
	N, D(DstMem | SrcReg | ModRM | Mov),
	N, N, N, GD(0, &group9),
	N, N, N, N, N, N, N, N,
	/* 0xD0 - 0xDF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xE0 - 0xEF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
	/* 0xF0 - 0xFF */
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
};

#undef D
#undef N
#undef G
#undef GD
#undef I
#undef GP
#undef EXT

#undef D2bv
#undef D2bvIP
#undef I2bv
#undef I2bvIP
#undef I6ALU

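/*
 * Size in bytes of the immediate operand: 1 for ByteOp, otherwise the
 * operand size, with 64-bit operands using a 32-bit immediate.
 */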
static unsigned imm_size(struct x86_emulate_ctxt *ctxt)
{
	unsigned size;

	size = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
	if (size == 8)
		size = 4;
	return size;
}

static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
		      unsigned size, bool sign_extension)
{
	int rc = X86EMUL_CONTINUE;

	op->type = OP_IMM;
	op->bytes = size;
	op->addr.mem.ea = ctxt->_eip;
	/* NB. Immediates are sign-extended as necessary. */
	switch (op->bytes) {
	case 1:
		op->val = insn_fetch(s8, ctxt);
		break;
	case 2:
		op->val = insn_fetch(s16, ctxt);
		break;
	case 4:
		op->val = insn_fetch(s32, ctxt);
		break;
	}
	if (!sign_extension) {
		switch (op->bytes) {
		case 1:
			op->val &= 0xff;
			break;
		case 2:
			op->val &= 0xffff;
			break;
		case 4:
			op->val &= 0xffffffff;
			break;
		}
	}
done:
	return rc;
}

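/*
 * Decode and, where possible, fetch a single operand described by one of
 * the OpXXX operand types encoded in ctxt->d.
 */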
static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
			  unsigned d)
{
	int rc = X86EMUL_CONTINUE;

	switch (d) {
	case OpReg:
		decode_register_operand(ctxt, op);
		break;
	case OpImmUByte:
		rc = decode_imm(ctxt, op, 1, false);
		break;
	case OpMem:
		ctxt->memop.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
	mem_common:
		*op = ctxt->memop;
		ctxt->memopp = op;
		if ((ctxt->d & BitOp) && op == &ctxt->dst)
			fetch_bit_operand(ctxt);
		op->orig_val = op->val;
		break;
	case OpMem64:
		ctxt->memop.bytes = 8;
		goto mem_common;
	case OpAcc:
		op->type = OP_REG;
		op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
		op->addr.reg = &ctxt->regs[VCPU_REGS_RAX];
		fetch_register_operand(op);
		op->orig_val = op->val;
		break;
	case OpDI:
		op->type = OP_MEM;
		op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
		op->addr.mem.ea =
			register_address(ctxt, ctxt->regs[VCPU_REGS_RDI]);
		op->addr.mem.seg = VCPU_SREG_ES;
		op->val = 0;
		break;
	case OpDX:
		op->type = OP_REG;
		op->bytes = 2;
		op->addr.reg = &ctxt->regs[VCPU_REGS_RDX];
		fetch_register_operand(op);
		break;
	case OpCL:
		op->bytes = 1;
		op->val = ctxt->regs[VCPU_REGS_RCX] & 0xff;
		break;
	case OpImmByte:
		rc = decode_imm(ctxt, op, 1, true);
		break;
	case OpOne:
		op->bytes = 1;
		op->val = 1;
		break;
	case OpImm:
		rc = decode_imm(ctxt, op, imm_size(ctxt), true);
		break;
	case OpMem8:
		ctxt->memop.bytes = 1;
		goto mem_common;
	case OpMem16:
		ctxt->memop.bytes = 2;
		goto mem_common;
	case OpMem32:
		ctxt->memop.bytes = 4;
		goto mem_common;
	case OpImmU16:
		rc = decode_imm(ctxt, op, 2, false);
		break;
	case OpImmU:
		rc = decode_imm(ctxt, op, imm_size(ctxt), false);
		break;
	case OpSI:
		op->type = OP_MEM;
		op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
		op->addr.mem.ea =
			register_address(ctxt, ctxt->regs[VCPU_REGS_RSI]);
		op->addr.mem.seg = seg_override(ctxt);
		op->val = 0;
		break;
	case OpImmFAddr:
		op->type = OP_IMM;
		op->addr.mem.ea = ctxt->_eip;
		op->bytes = ctxt->op_bytes + 2;
		insn_fetch_arr(op->valptr, op->bytes, ctxt);
		break;
	case OpMemFAddr:
		ctxt->memop.bytes = ctxt->op_bytes + 2;
		goto mem_common;
	case OpES:
		op->val = VCPU_SREG_ES;
		break;
	case OpCS:
		op->val = VCPU_SREG_CS;
		break;
	case OpSS:
		op->val = VCPU_SREG_SS;
		break;
	case OpDS:
		op->val = VCPU_SREG_DS;
		break;
	case OpFS:
		op->val = VCPU_SREG_FS;
		break;
	case OpGS:
		op->val = VCPU_SREG_GS;
		break;
	case OpImplicit:
		/* Special instructions do their own operand decoding. */
	default:
		op->type = OP_NONE; /* Disable writeback. */
		break;
	}

done:
	return rc;
}

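/*
 * Decode an instruction: legacy prefixes, opcode byte(s), ModRM/SIB and
 * operands.  Returns EMULATION_OK on success or EMULATION_FAILED if the
 * instruction cannot be handled.
 */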
int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
{
	int rc = X86EMUL_CONTINUE;
	int mode = ctxt->mode;
	int def_op_bytes, def_ad_bytes, goffset, simd_prefix;
	bool op_prefix = false;
	struct opcode opcode;

	ctxt->memop.type = OP_NONE;
	ctxt->memopp = NULL;
	ctxt->_eip = ctxt->eip;
	ctxt->fetch.start = ctxt->_eip;
	ctxt->fetch.end = ctxt->fetch.start + insn_len;
	if (insn_len > 0)
		memcpy(ctxt->fetch.data, insn, insn_len);

	switch (mode) {
	case X86EMUL_MODE_REAL:
	case X86EMUL_MODE_VM86:
	case X86EMUL_MODE_PROT16:
		def_op_bytes = def_ad_bytes = 2;
		break;
	case X86EMUL_MODE_PROT32:
		def_op_bytes = def_ad_bytes = 4;
		break;
#ifdef CONFIG_X86_64
	case X86EMUL_MODE_PROT64:
		def_op_bytes = 4;
		def_ad_bytes = 8;
		break;
#endif
	default:
		return EMULATION_FAILED;
	}

	ctxt->op_bytes = def_op_bytes;
	ctxt->ad_bytes = def_ad_bytes;

	/* Legacy prefixes. */
	for (;;) {
		switch (ctxt->b = insn_fetch(u8, ctxt)) {
		case 0x66:	/* operand-size override */
			op_prefix = true;
			/* switch between 2/4 bytes */
			ctxt->op_bytes = def_op_bytes ^ 6;
			break;
		case 0x67:	/* address-size override */
			if (mode == X86EMUL_MODE_PROT64)
				/* switch between 4/8 bytes */
				ctxt->ad_bytes = def_ad_bytes ^ 12;
			else
				/* switch between 2/4 bytes */
				ctxt->ad_bytes = def_ad_bytes ^ 6;
			break;
		case 0x26:	/* ES override */
		case 0x2e:	/* CS override */
		case 0x36:	/* SS override */
		case 0x3e:	/* DS override */
			set_seg_override(ctxt, (ctxt->b >> 3) & 3);
			break;
		case 0x64:	/* FS override */
		case 0x65:	/* GS override */
			set_seg_override(ctxt, ctxt->b & 7);
			break;
		case 0x40 ... 0x4f: /* REX */
			if (mode != X86EMUL_MODE_PROT64)
				goto done_prefixes;
			ctxt->rex_prefix = ctxt->b;
			continue;
		case 0xf0:	/* LOCK */
			ctxt->lock_prefix = 1;
			break;
		case 0xf2:	/* REPNE/REPNZ */
		case 0xf3:	/* REP/REPE/REPZ */
			ctxt->rep_prefix = ctxt->b;
			break;
		default:
			goto done_prefixes;
		}

		/* Any legacy prefix after a REX prefix nullifies its effect. */

		ctxt->rex_prefix = 0;
	}

done_prefixes:

	/* REX prefix. */
	if (ctxt->rex_prefix & 8)
		ctxt->op_bytes = 8;	/* REX.W */

	/* Opcode byte(s). */
	opcode = opcode_table[ctxt->b];
	/* Two-byte opcode? */
	if (ctxt->b == 0x0f) {
		ctxt->twobyte = 1;
		ctxt->b = insn_fetch(u8, ctxt);
		opcode = twobyte_table[ctxt->b];
	}
	ctxt->d = opcode.flags;

	if (ctxt->d & ModRM)
		ctxt->modrm = insn_fetch(u8, ctxt);

	while (ctxt->d & GroupMask) {
		switch (ctxt->d & GroupMask) {
		case Group:
			goffset = (ctxt->modrm >> 3) & 7;
			opcode = opcode.u.group[goffset];
			break;
		case GroupDual:
			goffset = (ctxt->modrm >> 3) & 7;
			if ((ctxt->modrm >> 6) == 3)
				opcode = opcode.u.gdual->mod3[goffset];
			else
				opcode = opcode.u.gdual->mod012[goffset];
			break;
		case RMExt:
			goffset = ctxt->modrm & 7;
			opcode = opcode.u.group[goffset];
			break;
		case Prefix:
			if (ctxt->rep_prefix && op_prefix)
				return EMULATION_FAILED;
			simd_prefix = op_prefix ? 0x66 : ctxt->rep_prefix;
			switch (simd_prefix) {
			case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
			case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
			case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
			case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
			}
			break;
		default:
			return EMULATION_FAILED;
		}

		ctxt->d &= ~(u64)GroupMask;
		ctxt->d |= opcode.flags;
	}

	ctxt->execute = opcode.u.execute;
	ctxt->check_perm = opcode.check_perm;
	ctxt->intercept = opcode.intercept;

	/* Unrecognised? */
	if (ctxt->d == 0 || (ctxt->d & Undefined))
		return EMULATION_FAILED;

	if (!(ctxt->d & VendorSpecific) && ctxt->only_vendor_specific_insn)
		return EMULATION_FAILED;

	if (mode == X86EMUL_MODE_PROT64 && (ctxt->d & Stack))
		ctxt->op_bytes = 8;

	if (ctxt->d & Op3264) {
		if (mode == X86EMUL_MODE_PROT64)
			ctxt->op_bytes = 8;
		else
			ctxt->op_bytes = 4;
	}

	if (ctxt->d & Sse)
		ctxt->op_bytes = 16;
	else if (ctxt->d & Mmx)
		ctxt->op_bytes = 8;

	/* ModRM and SIB bytes. */
	if (ctxt->d & ModRM) {
		rc = decode_modrm(ctxt, &ctxt->memop);
		if (!ctxt->has_seg_override)
			set_seg_override(ctxt, ctxt->modrm_seg);
	} else if (ctxt->d & MemAbs)
		rc = decode_abs(ctxt, &ctxt->memop);
	if (rc != X86EMUL_CONTINUE)
		goto done;

	if (!ctxt->has_seg_override)
		set_seg_override(ctxt, VCPU_SREG_DS);

	ctxt->memop.addr.mem.seg = seg_override(ctxt);

	if (ctxt->memop.type == OP_MEM && ctxt->ad_bytes != 8)
		ctxt->memop.addr.mem.ea = (u32)ctxt->memop.addr.mem.ea;

	/*
	 * Decode and fetch the source operand: register, memory
	 * or immediate.
	 */
	rc = decode_operand(ctxt, &ctxt->src, (ctxt->d >> SrcShift) & OpMask);
	if (rc != X86EMUL_CONTINUE)
		goto done;

	/*
	 * Decode and fetch the second source operand: register, memory
	 * or immediate.
	 */
	rc = decode_operand(ctxt, &ctxt->src2, (ctxt->d >> Src2Shift) & OpMask);
	if (rc != X86EMUL_CONTINUE)
		goto done;

	/* Decode and fetch the destination operand: register or memory. */
	rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);

done:
	if (ctxt->memopp && ctxt->memopp->type == OP_MEM && ctxt->rip_relative)
		ctxt->memopp->addr.mem.ea += ctxt->_eip;

	return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
}

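/* True if the decoded instruction is flagged as a page-table-writing insn. */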
bool x86_page_table_writing_insn(struct x86_emulate_ctxt *ctxt)
{
	return ctxt->d & PageTable;
}

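/* ZF-based termination check for repeated CMPS/SCAS (REPE/REPNE). */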
static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
{
	/* The second termination condition applies only to REPE
	 * and REPNE. If the repeat string operation prefix is
	 * REPE/REPZ or REPNE/REPNZ, check the corresponding
	 * termination condition:
	 * 	- if REPE/REPZ and ZF = 0 then done
	 * 	- if REPNE/REPNZ and ZF = 1 then done
	 */
	if (((ctxt->b == 0xa6) || (ctxt->b == 0xa7) ||
	     (ctxt->b == 0xae) || (ctxt->b == 0xaf))
	    && (((ctxt->rep_prefix == REPE_PREFIX) &&
		 ((ctxt->eflags & EFLG_ZF) == 0))
		|| ((ctxt->rep_prefix == REPNE_PREFIX) &&
		    ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))))
		return true;

	return false;
}

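/*
 * Execute fwait under an exception fixup so that any pending x87 fault is
 * raised now and can be reflected into the guest as a #MF.
 */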
static int flush_pending_x87_faults(struct x86_emulate_ctxt *ctxt)
{
	bool fault = false;

	ctxt->ops->get_fpu(ctxt);
	asm volatile("1: fwait \n\t"
		     "2: \n\t"
		     ".pushsection .fixup,\"ax\" \n\t"
		     "3: \n\t"
		     "movb $1, %[fault] \n\t"
		     "jmp 2b \n\t"
		     ".popsection \n\t"
		     _ASM_EXTABLE(1b, 3b)
		     : [fault]"+qm"(fault));
	ctxt->ops->put_fpu(ctxt);

	if (unlikely(fault))
		return emulate_exception(ctxt, MF_VECTOR, 0, false);

	return X86EMUL_CONTINUE;
}

static void fetch_possible_mmx_operand(struct x86_emulate_ctxt *ctxt,
				       struct operand *op)
{
	if (op->type == OP_MM)
		read_mmx_reg(ctxt, &op->mm_val, op->addr.mm);
}

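/*
 * Execute a previously decoded instruction: perform privilege, intercept
 * and permission checks, fetch memory operands, run the operation and
 * write back the results.
 */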
int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
{
	struct x86_emulate_ops *ops = ctxt->ops;
	int rc = X86EMUL_CONTINUE;
	int saved_dst_type = ctxt->dst.type;

	ctxt->mem_read.pos = 0;

	if (ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) {
		rc = emulate_ud(ctxt);
		goto done;
	}

	/* LOCK prefix is allowed only with some instructions */
	if (ctxt->lock_prefix && (!(ctxt->d & Lock) || ctxt->dst.type != OP_MEM)) {
		rc = emulate_ud(ctxt);
		goto done;
	}

	if ((ctxt->d & SrcMask) == SrcMemFAddr && ctxt->src.type != OP_MEM) {
		rc = emulate_ud(ctxt);
		goto done;
	}

	if (((ctxt->d & (Sse|Mmx)) && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)))
	    || ((ctxt->d & Sse) && !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
		rc = emulate_ud(ctxt);
		goto done;
	}

	if ((ctxt->d & (Sse|Mmx)) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
		rc = emulate_nm(ctxt);
		goto done;
	}

	if (ctxt->d & Mmx) {
		rc = flush_pending_x87_faults(ctxt);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		/*
		 * Now that we know the fpu is exception safe, we can fetch
		 * operands from it.
		 */
		fetch_possible_mmx_operand(ctxt, &ctxt->src);
		fetch_possible_mmx_operand(ctxt, &ctxt->src2);
		if (!(ctxt->d & Mov))
			fetch_possible_mmx_operand(ctxt, &ctxt->dst);
	}

	if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
		rc = emulator_check_intercept(ctxt, ctxt->intercept,
					      X86_ICPT_PRE_EXCEPT);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}

	/* Privileged instruction can be executed only in CPL=0 */
	if ((ctxt->d & Priv) && ops->cpl(ctxt)) {
		rc = emulate_gp(ctxt, 0);
		goto done;
	}

	/* Instruction can only be executed in protected mode */
	if ((ctxt->d & Prot) && !(ctxt->mode & X86EMUL_MODE_PROT)) {
		rc = emulate_ud(ctxt);
		goto done;
	}

	/* Do instruction specific permission checks */
	if (ctxt->check_perm) {
		rc = ctxt->check_perm(ctxt);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}

	if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
		rc = emulator_check_intercept(ctxt, ctxt->intercept,
					      X86_ICPT_POST_EXCEPT);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}

	if (ctxt->rep_prefix && (ctxt->d & String)) {
		/* All REP prefixes have the same first termination condition */
		if (address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) == 0) {
			ctxt->eip = ctxt->_eip;
			goto done;
		}
	}

	if ((ctxt->src.type == OP_MEM) && !(ctxt->d & NoAccess)) {
		rc = segmented_read(ctxt, ctxt->src.addr.mem,
				    ctxt->src.valptr, ctxt->src.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		ctxt->src.orig_val64 = ctxt->src.val64;
	}

	if (ctxt->src2.type == OP_MEM) {
		rc = segmented_read(ctxt, ctxt->src2.addr.mem,
				    &ctxt->src2.val, ctxt->src2.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}

	if ((ctxt->d & DstMask) == ImplicitOps)
		goto special_insn;

	if ((ctxt->dst.type == OP_MEM) && !(ctxt->d & Mov)) {
		/* optimisation - avoid slow emulated read if Mov */
		rc = segmented_read(ctxt, ctxt->dst.addr.mem,
				   &ctxt->dst.val, ctxt->dst.bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}
	ctxt->dst.orig_val = ctxt->dst.val;

special_insn:

	if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
		rc = emulator_check_intercept(ctxt, ctxt->intercept,
					      X86_ICPT_POST_MEMACCESS);
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}

	if (ctxt->execute) {
		rc = ctxt->execute(ctxt);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		goto writeback;
	}

	if (ctxt->twobyte)
		goto twobyte_insn;

	switch (ctxt->b) {
	case 0x40 ... 0x47: /* inc r16/r32 */
		emulate_1op(ctxt, "inc");
		break;
	case 0x48 ... 0x4f: /* dec r16/r32 */
		emulate_1op(ctxt, "dec");
		break;
	case 0x63:		/* movsxd */
		if (ctxt->mode != X86EMUL_MODE_PROT64)
			goto cannot_emulate;
		ctxt->dst.val = (s32) ctxt->src.val;
		break;
	case 0x70 ... 0x7f: /* jcc (short) */
		if (test_cc(ctxt->b, ctxt->eflags))
			jmp_rel(ctxt, ctxt->src.val);
		break;
	case 0x8d: /* lea r16/r32, m */
		ctxt->dst.val = ctxt->src.addr.mem.ea;
		break;
	case 0x90 ... 0x97: /* nop / xchg reg, rax */
		if (ctxt->dst.addr.reg == &ctxt->regs[VCPU_REGS_RAX])
			break;
		rc = em_xchg(ctxt);
		break;
	case 0x98: /* cbw/cwde/cdqe */
		switch (ctxt->op_bytes) {
		case 2: ctxt->dst.val = (s8)ctxt->dst.val; break;
		case 4: ctxt->dst.val = (s16)ctxt->dst.val; break;
		case 8: ctxt->dst.val = (s32)ctxt->dst.val; break;
		}
		break;
	case 0xc0 ... 0xc1:
		rc = em_grp2(ctxt);
		break;
	case 0xcc:		/* int3 */
		rc = emulate_int(ctxt, 3);
		break;
	case 0xcd:		/* int n */
		rc = emulate_int(ctxt, ctxt->src.val);
		break;
	case 0xce:		/* into */
		if (ctxt->eflags & EFLG_OF)
			rc = emulate_int(ctxt, 4);
		break;
	case 0xd0 ... 0xd1:	/* Grp2 */
		rc = em_grp2(ctxt);
		break;
	case 0xd2 ... 0xd3:	/* Grp2 */
		ctxt->src.val = ctxt->regs[VCPU_REGS_RCX];
		rc = em_grp2(ctxt);
		break;
	case 0xe9: /* jmp rel */
	case 0xeb: /* jmp rel short */
		jmp_rel(ctxt, ctxt->src.val);
		ctxt->dst.type = OP_NONE; /* Disable writeback. */
		break;
	case 0xf4:              /* hlt */
		ctxt->ops->halt(ctxt);
		break;
	case 0xf5:	/* cmc */
		/* complement carry flag from eflags reg */
		ctxt->eflags ^= EFLG_CF;
		break;
	case 0xf8: /* clc */
		ctxt->eflags &= ~EFLG_CF;
		break;
	case 0xf9: /* stc */
		ctxt->eflags |= EFLG_CF;
		break;
	case 0xfc: /* cld */
		ctxt->eflags &= ~EFLG_DF;
		break;
	case 0xfd: /* std */
		ctxt->eflags |= EFLG_DF;
		break;
	default:
		goto cannot_emulate;
	}

	if (rc != X86EMUL_CONTINUE)
		goto done;

writeback:
	rc = writeback(ctxt);
	if (rc != X86EMUL_CONTINUE)
		goto done;

	/*
	 * restore dst type in case the decoding will be reused
	 * (happens for string instructions)
	 */
	ctxt->dst.type = saved_dst_type;

	if ((ctxt->d & SrcMask) == SrcSI)
		string_addr_inc(ctxt, seg_override(ctxt),
				VCPU_REGS_RSI, &ctxt->src);

	if ((ctxt->d & DstMask) == DstDI)
		string_addr_inc(ctxt, VCPU_SREG_ES, VCPU_REGS_RDI,
				&ctxt->dst);

	if (ctxt->rep_prefix && (ctxt->d & String)) {
		struct read_cache *r = &ctxt->io_read;
		register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RCX], -1);

		if (!string_insn_completed(ctxt)) {
			/*
			 * Re-enter guest when pio read ahead buffer is empty
			 * or, if it is not used, after every 1024 iterations.
			 */
			if ((r->end != 0 || ctxt->regs[VCPU_REGS_RCX] & 0x3ff) &&
			    (r->end == 0 || r->end != r->pos)) {
				/*
				 * Reset read cache. Usually happens before
				 * decode, but since the instruction is restarted
				 * we have to do it here.
				 */
				ctxt->mem_read.end = 0;
				return EMULATION_RESTART;
			}
			goto done; /* skip rip writeback */
		}
	}

	ctxt->eip = ctxt->_eip;

done:
	if (rc == X86EMUL_PROPAGATE_FAULT)
		ctxt->have_exception = true;
	if (rc == X86EMUL_INTERCEPTED)
		return EMULATION_INTERCEPTED;

	return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;

twobyte_insn:
	switch (ctxt->b) {
	case 0x09:		/* wbinvd */
		(ctxt->ops->wbinvd)(ctxt);
		break;
	case 0x08:		/* invd */
	case 0x0d:		/* GrpP (prefetch) */
	case 0x18:		/* Grp16 (prefetch/nop) */
		break;
	case 0x20: /* mov cr, reg */
		ctxt->dst.val = ops->get_cr(ctxt, ctxt->modrm_reg);
		break;
	case 0x21: /* mov from dr to reg */
		ops->get_dr(ctxt, ctxt->modrm_reg, &ctxt->dst.val);
		break;
	case 0x40 ... 0x4f:	/* cmov */
		ctxt->dst.val = ctxt->dst.orig_val = ctxt->src.val;
		if (!test_cc(ctxt->b, ctxt->eflags))
			ctxt->dst.type = OP_NONE; /* no writeback */
		break;
	case 0x80 ... 0x8f: /* jnz rel, etc*/
		if (test_cc(ctxt->b, ctxt->eflags))
			jmp_rel(ctxt, ctxt->src.val);
		break;
	case 0x90 ... 0x9f:     /* setcc r/m8 */
		ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
		break;
	case 0xa4: /* shld imm8, r, r/m */
	case 0xa5: /* shld cl, r, r/m */
		emulate_2op_cl(ctxt, "shld");
		break;
	case 0xac: /* shrd imm8, r, r/m */
	case 0xad: /* shrd cl, r, r/m */
		emulate_2op_cl(ctxt, "shrd");
		break;
	case 0xae:              /* clflush */
		break;
	case 0xb6 ... 0xb7:	/* movzx */
		ctxt->dst.bytes = ctxt->op_bytes;
		ctxt->dst.val = (ctxt->d & ByteOp) ? (u8) ctxt->src.val
						       : (u16) ctxt->src.val;
		break;
	case 0xbe ... 0xbf:	/* movsx */
		ctxt->dst.bytes = ctxt->op_bytes;
		ctxt->dst.val = (ctxt->d & ByteOp) ? (s8) ctxt->src.val :
							(s16) ctxt->src.val;
		break;
	case 0xc0 ... 0xc1:	/* xadd */
		emulate_2op_SrcV(ctxt, "add");
		/* Write back the register source. */
		ctxt->src.val = ctxt->dst.orig_val;
		write_register_operand(&ctxt->src);
		break;
	case 0xc3:		/* movnti */
		ctxt->dst.bytes = ctxt->op_bytes;
		ctxt->dst.val = (ctxt->op_bytes == 4) ? (u32) ctxt->src.val :
							(u64) ctxt->src.val;
		break;
	default:
		goto cannot_emulate;
	}

	if (rc != X86EMUL_CONTINUE)
		goto done;

	goto writeback;

cannot_emulate:
	return EMULATION_FAILED;
}