emulate.c 89.7 KB
Newer Older
A
Avi Kivity 已提交
1
/******************************************************************************
2
 * emulate.c
A
Avi Kivity 已提交
3 4 5 6 7 8
 *
 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
 *
 * Copyright (c) 2005 Keir Fraser
 *
 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9
 * privileged instructions:
A
Avi Kivity 已提交
10 11
 *
 * Copyright (C) 2006 Qumranet
A
Avi Kivity 已提交
12
 * Copyright 2010 Red Hat, Inc. and/or its affilates.
A
Avi Kivity 已提交
13 14 15 16 17 18 19 20 21 22 23 24 25 26
 *
 *   Avi Kivity <avi@qumranet.com>
 *   Yaniv Kamay <yaniv@qumranet.com>
 *
 * This work is licensed under the terms of the GNU GPL, version 2.  See
 * the COPYING file in the top-level directory.
 *
 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
 */

#ifndef __KERNEL__
#include <stdio.h>
#include <stdint.h>
#include <public/xen.h>
M
Mike Day 已提交
27
#define DPRINTF(_f, _a ...) printf(_f , ## _a)
A
Avi Kivity 已提交
28
#else
29
#include <linux/kvm_host.h>
30
#include "kvm_cache_regs.h"
A
Avi Kivity 已提交
31 32 33
#define DPRINTF(x...) do {} while (0)
#endif
#include <linux/module.h>
34
#include <asm/kvm_emulate.h>
A
Avi Kivity 已提交
35

36
#include "x86.h"
37
#include "tss.h"
38

A
Avi Kivity 已提交
39 40 41 42 43 44 45 46 47 48 49 50 51 52 53
/*
 * Opcode effective-address decode tables.
 * Note that we only emulate instructions that have at least one memory
 * operand (excluding implicit stack references). We assume that stack
 * references and instruction fetches will never occur in special memory
 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
 * not be handled.
 */

/* Operand sizes: 8-bit operands or specified/overridden size. */
#define ByteOp      (1<<0)	/* 8-bit operands. */
/* Destination operand type. */
#define ImplicitOps (1<<1)	/* Implicit in opcode. No generic decode. */
#define DstReg      (2<<1)	/* Register operand. */
#define DstMem      (3<<1)	/* Memory operand. */
54
#define DstAcc      (4<<1)      /* Destination Accumulator */
55
#define DstDI       (5<<1)	/* Destination is in ES:(E)DI */
56
#define DstMem64    (6<<1)	/* 64bit memory operand */
57
#define DstMask     (7<<1)
A
Avi Kivity 已提交
58
/* Source operand type. */
59 60 61 62 63 64 65 66
#define SrcNone     (0<<4)	/* No source operand. */
#define SrcImplicit (0<<4)	/* Source operand is implicit in the opcode. */
#define SrcReg      (1<<4)	/* Register operand. */
#define SrcMem      (2<<4)	/* Memory operand. */
#define SrcMem16    (3<<4)	/* Memory operand (16-bit). */
#define SrcMem32    (4<<4)	/* Memory operand (32-bit). */
#define SrcImm      (5<<4)	/* Immediate operand. */
#define SrcImmByte  (6<<4)	/* 8-bit sign-extended immediate operand. */
67
#define SrcOne      (7<<4)	/* Implied '1' */
68
#define SrcImmUByte (8<<4)      /* 8-bit unsigned immediate operand. */
69
#define SrcImmU     (9<<4)      /* Immediate operand, unsigned */
70
#define SrcSI       (0xa<<4)	/* Source is in the DS:RSI */
71 72
#define SrcImmFAddr (0xb<<4)	/* Source is immediate far address */
#define SrcMemFAddr (0xc<<4)	/* Source is far address in memory */
73
#define SrcMask     (0xf<<4)
A
Avi Kivity 已提交
74
/* Generic ModRM decode. */
75
#define ModRM       (1<<8)
A
Avi Kivity 已提交
76
/* Destination is only written; never read. */
77 78 79
#define Mov         (1<<9)
#define BitOp       (1<<10)
#define MemAbs      (1<<11)      /* Memory operand is absolute displacement */
80 81
#define String      (1<<12)     /* String instruction (rep capable) */
#define Stack       (1<<13)     /* Stack instruction (push/pop) */
82 83 84
#define Group       (1<<14)     /* Bits 3:5 of modrm byte extend opcode */
#define GroupDual   (1<<15)     /* Alternate decoding of mod == 3 */
#define GroupMask   0xff        /* Group number stored in bits 0:7 */
85
/* Misc flags */
86
#define Lock        (1<<26) /* lock prefix is allowed for the instruction */
87
#define Priv        (1<<27) /* instruction generates #GP if current CPL != 0 */
88
#define No64	    (1<<28)
89 90 91 92 93 94
/* Source 2 operand type */
#define Src2None    (0<<29)
#define Src2CL      (1<<29)
#define Src2ImmByte (2<<29)
#define Src2One     (3<<29)
#define Src2Mask    (7<<29)
A
Avi Kivity 已提交
95

96
enum {
97
	Group1_80, Group1_81, Group1_82, Group1_83,
98
	Group1A, Group3_Byte, Group3, Group4, Group5, Group7,
99
	Group8, Group9,
100 101
};

102
static u32 opcode_table[256] = {
A
Avi Kivity 已提交
103
	/* 0x00 - 0x07 */
104
	ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
A
Avi Kivity 已提交
105
	ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
106
	ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
107
	ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
A
Avi Kivity 已提交
108
	/* 0x08 - 0x0F */
109
	ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
A
Avi Kivity 已提交
110
	ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
111 112
	ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
	ImplicitOps | Stack | No64, 0,
A
Avi Kivity 已提交
113
	/* 0x10 - 0x17 */
114
	ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
A
Avi Kivity 已提交
115
	ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
116
	ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
117
	ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
A
Avi Kivity 已提交
118
	/* 0x18 - 0x1F */
119
	ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
A
Avi Kivity 已提交
120
	ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
121
	ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
122
	ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
A
Avi Kivity 已提交
123
	/* 0x20 - 0x27 */
124
	ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
A
Avi Kivity 已提交
125
	ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
126
	DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
A
Avi Kivity 已提交
127
	/* 0x28 - 0x2F */
128
	ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
A
Avi Kivity 已提交
129
	ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
130
	ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
A
Avi Kivity 已提交
131
	/* 0x30 - 0x37 */
132
	ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
A
Avi Kivity 已提交
133
	ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
134
	ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
A
Avi Kivity 已提交
135 136 137
	/* 0x38 - 0x3F */
	ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
	ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
138 139
	ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
	0, 0,
140
	/* 0x40 - 0x47 */
141
	DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
142
	/* 0x48 - 0x4F */
143
	DstReg, DstReg, DstReg, DstReg,	DstReg, DstReg, DstReg, DstReg,
144
	/* 0x50 - 0x57 */
145 146
	SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
	SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
147
	/* 0x58 - 0x5F */
148 149
	DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
	DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
N
Nitin A Kamble 已提交
150
	/* 0x60 - 0x67 */
151 152
	ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
	0, DstReg | SrcMem32 | ModRM | Mov /* movsxd (x86/64) */ ,
N
Nitin A Kamble 已提交
153 154
	0, 0, 0, 0,
	/* 0x68 - 0x6F */
155
	SrcImm | Mov | Stack, 0, SrcImmByte | Mov | Stack, 0,
156 157
	DstDI | ByteOp | Mov | String, DstDI | Mov | String, /* insb, insw/insd */
	SrcSI | ByteOp | ImplicitOps | String, SrcSI | ImplicitOps | String, /* outsb, outsw/outsd */
158
	/* 0x70 - 0x77 */
159 160
	SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
	SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
161
	/* 0x78 - 0x7F */
162 163
	SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
	SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
A
Avi Kivity 已提交
164
	/* 0x80 - 0x87 */
165 166
	Group | Group1_80, Group | Group1_81,
	Group | Group1_82, Group | Group1_83,
A
Avi Kivity 已提交
167
	ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
168
	ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
A
Avi Kivity 已提交
169 170 171
	/* 0x88 - 0x8F */
	ByteOp | DstMem | SrcReg | ModRM | Mov, DstMem | SrcReg | ModRM | Mov,
	ByteOp | DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
172
	DstMem | SrcReg | ModRM | Mov, ModRM | DstReg,
173
	ImplicitOps | SrcMem16 | ModRM, Group | Group1A,
174 175 176
	/* 0x90 - 0x97 */
	DstReg, DstReg, DstReg, DstReg,	DstReg, DstReg, DstReg, DstReg,
	/* 0x98 - 0x9F */
177
	0, 0, SrcImmFAddr | No64, 0,
178
	ImplicitOps | Stack, ImplicitOps | Stack, 0, 0,
A
Avi Kivity 已提交
179
	/* 0xA0 - 0xA7 */
180 181
	ByteOp | DstReg | SrcMem | Mov | MemAbs, DstReg | SrcMem | Mov | MemAbs,
	ByteOp | DstMem | SrcReg | Mov | MemAbs, DstMem | SrcReg | Mov | MemAbs,
182 183
	ByteOp | SrcSI | DstDI | Mov | String, SrcSI | DstDI | Mov | String,
	ByteOp | SrcSI | DstDI | String, SrcSI | DstDI | String,
A
Avi Kivity 已提交
184
	/* 0xA8 - 0xAF */
185
	DstAcc | SrcImmByte | ByteOp, DstAcc | SrcImm, ByteOp | DstDI | Mov | String, DstDI | Mov | String,
186 187
	ByteOp | SrcSI | DstAcc | Mov | String, SrcSI | DstAcc | Mov | String,
	ByteOp | DstDI | String, DstDI | String,
188 189 190 191 192 193 194 195 196 197
	/* 0xB0 - 0xB7 */
	ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
	ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
	ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
	ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
	/* 0xB8 - 0xBF */
	DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
	DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
	DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
	DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
A
Avi Kivity 已提交
198
	/* 0xC0 - 0xC7 */
199
	ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM,
200
	0, ImplicitOps | Stack, 0, 0,
201
	ByteOp | DstMem | SrcImm | ModRM | Mov, DstMem | SrcImm | ModRM | Mov,
A
Avi Kivity 已提交
202
	/* 0xC8 - 0xCF */
203
	0, 0, 0, ImplicitOps | Stack,
204
	ImplicitOps, SrcImmByte, ImplicitOps | No64, ImplicitOps,
A
Avi Kivity 已提交
205 206 207 208 209 210
	/* 0xD0 - 0xD7 */
	ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
	ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
	0, 0, 0, 0,
	/* 0xD8 - 0xDF */
	0, 0, 0, 0, 0, 0, 0, 0,
211
	/* 0xE0 - 0xE7 */
212
	0, 0, 0, 0,
213 214
	ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
	ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
215
	/* 0xE8 - 0xEF */
216
	SrcImm | Stack, SrcImm | ImplicitOps,
217
	SrcImmFAddr | No64, SrcImmByte | ImplicitOps,
218 219
	SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
	SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
A
Avi Kivity 已提交
220 221
	/* 0xF0 - 0xF7 */
	0, 0, 0, 0,
222
	ImplicitOps | Priv, ImplicitOps, Group | Group3_Byte, Group | Group3,
A
Avi Kivity 已提交
223
	/* 0xF8 - 0xFF */
224
	ImplicitOps, 0, ImplicitOps, ImplicitOps,
225
	ImplicitOps, ImplicitOps, Group | Group4, Group | Group5,
A
Avi Kivity 已提交
226 227
};

228
static u32 twobyte_table[256] = {
A
Avi Kivity 已提交
229
	/* 0x00 - 0x0F */
230 231 232 233
	0, Group | GroupDual | Group7, 0, 0,
	0, ImplicitOps, ImplicitOps | Priv, 0,
	ImplicitOps | Priv, ImplicitOps | Priv, 0, 0,
	0, ImplicitOps | ModRM, 0, 0,
A
Avi Kivity 已提交
234 235 236
	/* 0x10 - 0x1F */
	0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0,
	/* 0x20 - 0x2F */
237 238 239
	ModRM | ImplicitOps | Priv, ModRM | Priv,
	ModRM | ImplicitOps | Priv, ModRM | Priv,
	0, 0, 0, 0,
A
Avi Kivity 已提交
240 241
	0, 0, 0, 0, 0, 0, 0, 0,
	/* 0x30 - 0x3F */
242 243
	ImplicitOps | Priv, 0, ImplicitOps | Priv, 0,
	ImplicitOps, ImplicitOps | Priv, 0, 0,
244
	0, 0, 0, 0, 0, 0, 0, 0,
A
Avi Kivity 已提交
245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261
	/* 0x40 - 0x47 */
	DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
	DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
	DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
	DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
	/* 0x48 - 0x4F */
	DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
	DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
	DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
	DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
	/* 0x50 - 0x5F */
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	/* 0x60 - 0x6F */
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	/* 0x70 - 0x7F */
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	/* 0x80 - 0x8F */
262 263
	SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
	SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
A
Avi Kivity 已提交
264 265 266
	/* 0x90 - 0x9F */
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	/* 0xA0 - 0xA7 */
267 268
	ImplicitOps | Stack, ImplicitOps | Stack,
	0, DstMem | SrcReg | ModRM | BitOp,
269 270
	DstMem | SrcReg | Src2ImmByte | ModRM,
	DstMem | SrcReg | Src2CL | ModRM, 0, 0,
A
Avi Kivity 已提交
271
	/* 0xA8 - 0xAF */
272
	ImplicitOps | Stack, ImplicitOps | Stack,
273
	0, DstMem | SrcReg | ModRM | BitOp | Lock,
274 275 276
	DstMem | SrcReg | Src2ImmByte | ModRM,
	DstMem | SrcReg | Src2CL | ModRM,
	ModRM, 0,
A
Avi Kivity 已提交
277
	/* 0xB0 - 0xB7 */
278 279
	ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
	0, DstMem | SrcReg | ModRM | BitOp | Lock,
A
Avi Kivity 已提交
280 281 282
	0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
	    DstReg | SrcMem16 | ModRM | Mov,
	/* 0xB8 - 0xBF */
283 284
	0, 0,
	Group | Group8, DstMem | SrcReg | ModRM | BitOp | Lock,
A
Avi Kivity 已提交
285 286 287
	0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
	    DstReg | SrcMem16 | ModRM | Mov,
	/* 0xC0 - 0xCF */
288 289
	0, 0, 0, DstMem | SrcReg | ModRM | Mov,
	0, 0, 0, Group | GroupDual | Group9,
290
	0, 0, 0, 0, 0, 0, 0, 0,
A
Avi Kivity 已提交
291 292 293 294 295 296 297 298
	/* 0xD0 - 0xDF */
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	/* 0xE0 - 0xEF */
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	/* 0xF0 - 0xFF */
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

299
static u32 group_table[] = {
300
	[Group1_80*8] =
301 302 303 304 305 306 307 308
	ByteOp | DstMem | SrcImm | ModRM | Lock,
	ByteOp | DstMem | SrcImm | ModRM | Lock,
	ByteOp | DstMem | SrcImm | ModRM | Lock,
	ByteOp | DstMem | SrcImm | ModRM | Lock,
	ByteOp | DstMem | SrcImm | ModRM | Lock,
	ByteOp | DstMem | SrcImm | ModRM | Lock,
	ByteOp | DstMem | SrcImm | ModRM | Lock,
	ByteOp | DstMem | SrcImm | ModRM,
309
	[Group1_81*8] =
310 311 312 313 314 315 316 317
	DstMem | SrcImm | ModRM | Lock,
	DstMem | SrcImm | ModRM | Lock,
	DstMem | SrcImm | ModRM | Lock,
	DstMem | SrcImm | ModRM | Lock,
	DstMem | SrcImm | ModRM | Lock,
	DstMem | SrcImm | ModRM | Lock,
	DstMem | SrcImm | ModRM | Lock,
	DstMem | SrcImm | ModRM,
318
	[Group1_82*8] =
319 320 321 322 323 324 325 326
	ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
	ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
	ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
	ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
	ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
	ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
	ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
	ByteOp | DstMem | SrcImm | ModRM | No64,
327
	[Group1_83*8] =
328 329 330 331 332 333 334 335
	DstMem | SrcImmByte | ModRM | Lock,
	DstMem | SrcImmByte | ModRM | Lock,
	DstMem | SrcImmByte | ModRM | Lock,
	DstMem | SrcImmByte | ModRM | Lock,
	DstMem | SrcImmByte | ModRM | Lock,
	DstMem | SrcImmByte | ModRM | Lock,
	DstMem | SrcImmByte | ModRM | Lock,
	DstMem | SrcImmByte | ModRM,
336 337
	[Group1A*8] =
	DstMem | SrcNone | ModRM | Mov | Stack, 0, 0, 0, 0, 0, 0, 0,
338
	[Group3_Byte*8] =
339
	ByteOp | SrcImm | DstMem | ModRM, ByteOp | SrcImm | DstMem | ModRM,
340 341 342
	ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
	0, 0, 0, 0,
	[Group3*8] =
343
	DstMem | SrcImm | ModRM, DstMem | SrcImm | ModRM,
344
	DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
345
	0, 0, 0, 0,
346 347 348 349
	[Group4*8] =
	ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
	0, 0, 0, 0, 0, 0,
	[Group5*8] =
350 351
	DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
	SrcMem | ModRM | Stack, 0,
352
	SrcMem | ModRM | Stack, SrcMemFAddr | ModRM | ImplicitOps,
353
	SrcMem | ModRM | Stack, 0,
354
	[Group7*8] =
355
	0, 0, ModRM | SrcMem | Priv, ModRM | SrcMem | Priv,
356
	SrcNone | ModRM | DstMem | Mov, 0,
357
	SrcMem16 | ModRM | Mov | Priv, SrcMem | ModRM | ByteOp | Priv,
358 359
	[Group8*8] =
	0, 0, 0, 0,
360 361
	DstMem | SrcImmByte | ModRM, DstMem | SrcImmByte | ModRM | Lock,
	DstMem | SrcImmByte | ModRM | Lock, DstMem | SrcImmByte | ModRM | Lock,
362
	[Group9*8] =
363
	0, DstMem64 | ModRM | Lock, 0, 0, 0, 0, 0, 0,
364 365
};

366
static u32 group2_table[] = {
367
	[Group7*8] =
368
	SrcNone | ModRM | Priv, 0, 0, SrcNone | ModRM | Priv,
369
	SrcNone | ModRM | DstMem | Mov, 0,
370
	SrcMem16 | ModRM | Mov | Priv, 0,
371 372
	[Group9*8] =
	0, 0, 0, 0, 0, 0, 0, 0,
373 374
};

A
Avi Kivity 已提交
375
/* EFLAGS bit definitions. */
376 377 378 379
#define EFLG_ID (1<<21)
#define EFLG_VIP (1<<20)
#define EFLG_VIF (1<<19)
#define EFLG_AC (1<<18)
380 381
#define EFLG_VM (1<<17)
#define EFLG_RF (1<<16)
382 383
#define EFLG_IOPL (3<<12)
#define EFLG_NT (1<<14)
A
Avi Kivity 已提交
384 385
#define EFLG_OF (1<<11)
#define EFLG_DF (1<<10)
386
#define EFLG_IF (1<<9)
387
#define EFLG_TF (1<<8)
A
Avi Kivity 已提交
388 389 390 391 392 393 394 395 396 397 398 399 400
#define EFLG_SF (1<<7)
#define EFLG_ZF (1<<6)
#define EFLG_AF (1<<4)
#define EFLG_PF (1<<2)
#define EFLG_CF (1<<0)

/*
 * Instruction emulation:
 * Most instructions are emulated directly via a fragment of inline assembly
 * code. This allows us to save/restore EFLAGS and thus very easily pick up
 * any modified flags.
 */

401
#if defined(CONFIG_X86_64)
A
Avi Kivity 已提交
402 403 404 405 406 407 408 409 410 411 412 413 414 415
#define _LO32 "k"		/* force 32-bit operand */
#define _STK  "%%rsp"		/* stack pointer */
#elif defined(__i386__)
#define _LO32 ""		/* force 32-bit operand */
#define _STK  "%%esp"		/* stack pointer */
#endif

/*
 * These EFLAGS bits are restored from saved value during emulation, and
 * any changes are written back to the saved value after emulation.
 */
#define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)

/* Before executing instruction: restore necessary bits in EFLAGS. */
416 417 418 419 420 421 422 423 424 425 426 427 428 429 430
#define _PRE_EFLAGS(_sav, _msk, _tmp)					\
	/* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
	"movl %"_sav",%"_LO32 _tmp"; "                                  \
	"push %"_tmp"; "                                                \
	"push %"_tmp"; "                                                \
	"movl %"_msk",%"_LO32 _tmp"; "                                  \
	"andl %"_LO32 _tmp",("_STK"); "                                 \
	"pushf; "                                                       \
	"notl %"_LO32 _tmp"; "                                          \
	"andl %"_LO32 _tmp",("_STK"); "                                 \
	"andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); "	\
	"pop  %"_tmp"; "                                                \
	"orl  %"_LO32 _tmp",("_STK"); "                                 \
	"popf; "                                                        \
	"pop  %"_sav"; "
A
Avi Kivity 已提交
431 432 433 434 435 436 437 438 439

/* After executing instruction: write-back necessary bits in EFLAGS. */
#define _POST_EFLAGS(_sav, _msk, _tmp) \
	/* _sav |= EFLAGS & _msk; */		\
	"pushf; "				\
	"pop  %"_tmp"; "			\
	"andl %"_msk",%"_LO32 _tmp"; "		\
	"orl  %"_LO32 _tmp",%"_sav"; "

440 441 442 443 444 445
#ifdef CONFIG_X86_64
#define ON64(x) x
#else
#define ON64(x)
#endif

446 447 448 449 450 451 452 453 454
#define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix)	\
	do {								\
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "4", "2")			\
			_op _suffix " %"_x"3,%1; "			\
			_POST_EFLAGS("0", "4", "2")			\
			: "=m" (_eflags), "=m" ((_dst).val),		\
			  "=&r" (_tmp)					\
			: _y ((_src).val), "i" (EFLAGS_MASK));		\
455
	} while (0)
456 457


A
Avi Kivity 已提交
458 459
/* Raw emulation: instruction has two explicit operands. */
#define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
460 461 462 463 464 465 466 467 468 469 470 471 472 473
	do {								\
		unsigned long _tmp;					\
									\
		switch ((_dst).bytes) {					\
		case 2:							\
			____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
			break;						\
		case 4:							\
			____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
			break;						\
		case 8:							\
			ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
			break;						\
		}							\
A
Avi Kivity 已提交
474 475 476 477
	} while (0)

#define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
	do {								     \
478
		unsigned long _tmp;					     \
M
Mike Day 已提交
479
		switch ((_dst).bytes) {				             \
A
Avi Kivity 已提交
480
		case 1:							     \
481
			____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b");  \
A
Avi Kivity 已提交
482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504
			break;						     \
		default:						     \
			__emulate_2op_nobyte(_op, _src, _dst, _eflags,	     \
					     _wx, _wy, _lx, _ly, _qx, _qy);  \
			break;						     \
		}							     \
	} while (0)

/* Source operand is byte-sized and may be restricted to just %cl. */
#define emulate_2op_SrcB(_op, _src, _dst, _eflags)                      \
	__emulate_2op(_op, _src, _dst, _eflags,				\
		      "b", "c", "b", "c", "b", "c", "b", "c")

/* Source operand is byte, word, long or quad sized. */
#define emulate_2op_SrcV(_op, _src, _dst, _eflags)                      \
	__emulate_2op(_op, _src, _dst, _eflags,				\
		      "b", "q", "w", "r", _LO32, "r", "", "r")

/* Source operand is word, long or quad sized. */
#define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags)               \
	__emulate_2op_nobyte(_op, _src, _dst, _eflags,			\
			     "w", "r", _LO32, "r", "", "r")

505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543
/* Instruction has three operands and one operand is stored in ECX register */
#define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) 	\
	do {									\
		unsigned long _tmp;						\
		_type _clv  = (_cl).val;  					\
		_type _srcv = (_src).val;    					\
		_type _dstv = (_dst).val;					\
										\
		__asm__ __volatile__ (						\
			_PRE_EFLAGS("0", "5", "2")				\
			_op _suffix " %4,%1 \n"					\
			_POST_EFLAGS("0", "5", "2")				\
			: "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp)		\
			: "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK)		\
			); 							\
										\
		(_cl).val  = (unsigned long) _clv;				\
		(_src).val = (unsigned long) _srcv;				\
		(_dst).val = (unsigned long) _dstv;				\
	} while (0)

#define emulate_2op_cl(_op, _cl, _src, _dst, _eflags)				\
	do {									\
		switch ((_dst).bytes) {						\
		case 2:								\
			__emulate_2op_cl(_op, _cl, _src, _dst, _eflags,  	\
						"w", unsigned short);         	\
			break;							\
		case 4: 							\
			__emulate_2op_cl(_op, _cl, _src, _dst, _eflags,  	\
						"l", unsigned int);           	\
			break;							\
		case 8:								\
			ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags,	\
						"q", unsigned long));  		\
			break;							\
		}								\
	} while (0)

544
#define __emulate_1op(_op, _dst, _eflags, _suffix)			\
A
Avi Kivity 已提交
545 546 547
	do {								\
		unsigned long _tmp;					\
									\
548 549 550 551 552 553 554 555 556 557 558 559
		__asm__ __volatile__ (					\
			_PRE_EFLAGS("0", "3", "2")			\
			_op _suffix " %1; "				\
			_POST_EFLAGS("0", "3", "2")			\
			: "=m" (_eflags), "+m" ((_dst).val),		\
			  "=&r" (_tmp)					\
			: "i" (EFLAGS_MASK));				\
	} while (0)

/* Instruction has only one explicit operand (no source operand). */
#define emulate_1op(_op, _dst, _eflags)                                    \
	do {								\
M
Mike Day 已提交
560
		switch ((_dst).bytes) {				        \
561 562 563 564
		case 1:	__emulate_1op(_op, _dst, _eflags, "b"); break;	\
		case 2:	__emulate_1op(_op, _dst, _eflags, "w"); break;	\
		case 4:	__emulate_1op(_op, _dst, _eflags, "l"); break;	\
		case 8:	ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
A
Avi Kivity 已提交
565 566 567 568 569 570
		}							\
	} while (0)

/* Fetch next part of the instruction being emulated. */
#define insn_fetch(_type, _size, _eip)                                  \
({	unsigned long _x;						\
571
	rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size));		\
572
	if (rc != X86EMUL_CONTINUE)					\
A
Avi Kivity 已提交
573 574 575 576 577
		goto done;						\
	(_eip) += (_size);						\
	(_type)_x;							\
})

578 579 580 581 582 583 584
#define insn_fetch_arr(_arr, _size, _eip)                                \
({	rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size));		\
	if (rc != X86EMUL_CONTINUE)					\
		goto done;						\
	(_eip) += (_size);						\
})

585 586 587 588 589
static inline unsigned long ad_mask(struct decode_cache *c)
{
	return (1UL << (c->ad_bytes << 3)) - 1;
}

A
Avi Kivity 已提交
590
/* Access/update address held in a register, based on addressing mode. */
591 592 593 594 595 596 597 598 599 600 601 602 603 604 605
static inline unsigned long
address_mask(struct decode_cache *c, unsigned long reg)
{
	if (c->ad_bytes == sizeof(unsigned long))
		return reg;
	else
		return reg & ad_mask(c);
}

static inline unsigned long
register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
{
	return base + address_mask(c, reg);
}

606 607 608 609 610 611 612 613
static inline void
register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
{
	if (c->ad_bytes == sizeof(unsigned long))
		*reg += inc;
	else
		*reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
}
A
Avi Kivity 已提交
614

615 616 617 618
static inline void jmp_rel(struct decode_cache *c, int rel)
{
	register_address_increment(c, &c->eip, rel);
}
619

620 621 622 623 624 625
static void set_seg_override(struct decode_cache *c, int seg)
{
	c->has_seg_override = true;
	c->seg_override = seg;
}

626 627
static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops, int seg)
628 629 630 631
{
	if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
		return 0;

632
	return ops->get_cached_segment_base(seg, ctxt->vcpu);
633 634 635
}

static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
636
				       struct x86_emulate_ops *ops,
637 638 639 640 641
				       struct decode_cache *c)
{
	if (!c->has_seg_override)
		return 0;

642
	return seg_base(ctxt, ops, c->seg_override);
643 644
}

645 646
static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops)
647
{
648
	return seg_base(ctxt, ops, VCPU_SREG_ES);
649 650
}

651 652
static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops)
653
{
654
	return seg_base(ctxt, ops, VCPU_SREG_SS);
655 656
}

657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687
static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
				      u32 error, bool valid)
{
	ctxt->exception = vec;
	ctxt->error_code = error;
	ctxt->error_code_valid = valid;
	ctxt->restart = false;
}

static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
{
	emulate_exception(ctxt, GP_VECTOR, err, true);
}

static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
		       int err)
{
	ctxt->cr2 = addr;
	emulate_exception(ctxt, PF_VECTOR, err, true);
}

static void emulate_ud(struct x86_emulate_ctxt *ctxt)
{
	emulate_exception(ctxt, UD_VECTOR, 0, false);
}

static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
{
	emulate_exception(ctxt, TS_VECTOR, err, true);
}

688 689
static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops,
690
			      unsigned long eip, u8 *dest)
691 692 693
{
	struct fetch_cache *fc = &ctxt->decode.fetch;
	int rc;
694
	int size, cur_size;
695

696 697 698 699 700
	if (eip == fc->end) {
		cur_size = fc->end - fc->start;
		size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
		rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
				size, ctxt->vcpu, NULL);
701
		if (rc != X86EMUL_CONTINUE)
702
			return rc;
703
		fc->end += size;
704
	}
705
	*dest = fc->data[eip - fc->start];
706
	return X86EMUL_CONTINUE;
707 708 709 710 711 712
}

static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops,
			 unsigned long eip, void *dest, unsigned size)
{
713
	int rc;
714

715
	/* x86 instructions are limited to 15 bytes. */
716
	if (eip + size - ctxt->eip > 15)
717
		return X86EMUL_UNHANDLEABLE;
718 719
	while (size--) {
		rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
720
		if (rc != X86EMUL_CONTINUE)
721 722
			return rc;
	}
723
	return X86EMUL_CONTINUE;
724 725
}

726 727 728 729 730 731 732
/*
 * Given the 'reg' portion of a ModRM byte, and a register block, return a
 * pointer into the block that addresses the relevant register.
 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
 */
static void *decode_register(u8 modrm_reg, unsigned long *regs,
			     int highbyte_regs)
A
Avi Kivity 已提交
733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751
{
	void *p;

	p = &regs[modrm_reg];
	if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
		p = (unsigned char *)&regs[modrm_reg & 3] + 1;
	return p;
}

static int read_descriptor(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops,
			   void *ptr,
			   u16 *size, unsigned long *address, int op_bytes)
{
	int rc;

	if (op_bytes == 2)
		op_bytes = 3;
	*address = 0;
752
	rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
753
			   ctxt->vcpu, NULL);
754
	if (rc != X86EMUL_CONTINUE)
A
Avi Kivity 已提交
755
		return rc;
756
	rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
757
			   ctxt->vcpu, NULL);
A
Avi Kivity 已提交
758 759 760
	return rc;
}

761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795
static int test_cc(unsigned int condition, unsigned int flags)
{
	int rc = 0;

	switch ((condition & 15) >> 1) {
	case 0: /* o */
		rc |= (flags & EFLG_OF);
		break;
	case 1: /* b/c/nae */
		rc |= (flags & EFLG_CF);
		break;
	case 2: /* z/e */
		rc |= (flags & EFLG_ZF);
		break;
	case 3: /* be/na */
		rc |= (flags & (EFLG_CF|EFLG_ZF));
		break;
	case 4: /* s */
		rc |= (flags & EFLG_SF);
		break;
	case 5: /* p/pe */
		rc |= (flags & EFLG_PF);
		break;
	case 7: /* le/ng */
		rc |= (flags & EFLG_ZF);
		/* fall through */
	case 6: /* l/nge */
		rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
		break;
	}

	/* Odd condition identifiers (lsb == 1) have inverted sense. */
	return (!!rc ^ (condition & 1));
}

796 797 798 799
static void decode_register_operand(struct operand *op,
				    struct decode_cache *c,
				    int inhibit_bytereg)
{
800
	unsigned reg = c->modrm_reg;
801
	int highbyte_regs = c->rex_prefix == 0;
802 803 804

	if (!(c->d & ModRM))
		reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
805 806
	op->type = OP_REG;
	if ((c->d & ByteOp) && !inhibit_bytereg) {
807
		op->ptr = decode_register(reg, c->regs, highbyte_regs);
808 809 810
		op->val = *(u8 *)op->ptr;
		op->bytes = 1;
	} else {
811
		op->ptr = decode_register(reg, c->regs, 0);
812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827
		op->bytes = c->op_bytes;
		switch (op->bytes) {
		case 2:
			op->val = *(u16 *)op->ptr;
			break;
		case 4:
			op->val = *(u32 *)op->ptr;
			break;
		case 8:
			op->val = *(u64 *) op->ptr;
			break;
		}
	}
	op->orig_val = op->val;
}

828 829 830 831 832
static int decode_modrm(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	u8 sib;
833
	int index_reg = 0, base_reg = 0, scale;
834
	int rc = X86EMUL_CONTINUE;
835 836 837 838 839 840 841 842 843 844 845 846 847 848 849

	if (c->rex_prefix) {
		c->modrm_reg = (c->rex_prefix & 4) << 1;	/* REX.R */
		index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
		c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
	}

	c->modrm = insn_fetch(u8, 1, c->eip);
	c->modrm_mod |= (c->modrm & 0xc0) >> 6;
	c->modrm_reg |= (c->modrm & 0x38) >> 3;
	c->modrm_rm |= (c->modrm & 0x07);
	c->modrm_ea = 0;
	c->use_modrm_ea = 1;

	if (c->modrm_mod == 3) {
850 851 852
		c->modrm_ptr = decode_register(c->modrm_rm,
					       c->regs, c->d & ByteOp);
		c->modrm_val = *(unsigned long *)c->modrm_ptr;
853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903
		return rc;
	}

	if (c->ad_bytes == 2) {
		unsigned bx = c->regs[VCPU_REGS_RBX];
		unsigned bp = c->regs[VCPU_REGS_RBP];
		unsigned si = c->regs[VCPU_REGS_RSI];
		unsigned di = c->regs[VCPU_REGS_RDI];

		/* 16-bit ModR/M decode. */
		switch (c->modrm_mod) {
		case 0:
			if (c->modrm_rm == 6)
				c->modrm_ea += insn_fetch(u16, 2, c->eip);
			break;
		case 1:
			c->modrm_ea += insn_fetch(s8, 1, c->eip);
			break;
		case 2:
			c->modrm_ea += insn_fetch(u16, 2, c->eip);
			break;
		}
		switch (c->modrm_rm) {
		case 0:
			c->modrm_ea += bx + si;
			break;
		case 1:
			c->modrm_ea += bx + di;
			break;
		case 2:
			c->modrm_ea += bp + si;
			break;
		case 3:
			c->modrm_ea += bp + di;
			break;
		case 4:
			c->modrm_ea += si;
			break;
		case 5:
			c->modrm_ea += di;
			break;
		case 6:
			if (c->modrm_mod != 0)
				c->modrm_ea += bp;
			break;
		case 7:
			c->modrm_ea += bx;
			break;
		}
		if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
		    (c->modrm_rm == 6 && c->modrm_mod != 0))
904 905
			if (!c->has_seg_override)
				set_seg_override(c, VCPU_SREG_SS);
906 907 908
		c->modrm_ea = (u16)c->modrm_ea;
	} else {
		/* 32/64-bit ModR/M decode. */
909
		if ((c->modrm_rm & 7) == 4) {
910 911 912 913 914
			sib = insn_fetch(u8, 1, c->eip);
			index_reg |= (sib >> 3) & 7;
			base_reg |= sib & 7;
			scale = sib >> 6;

915 916 917
			if ((base_reg & 7) == 5 && c->modrm_mod == 0)
				c->modrm_ea += insn_fetch(s32, 4, c->eip);
			else
918
				c->modrm_ea += c->regs[base_reg];
919
			if (index_reg != 4)
920
				c->modrm_ea += c->regs[index_reg] << scale;
921 922
		} else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
			if (ctxt->mode == X86EMUL_MODE_PROT64)
923
				c->rip_relative = 1;
924
		} else
925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946
			c->modrm_ea += c->regs[c->modrm_rm];
		switch (c->modrm_mod) {
		case 0:
			if (c->modrm_rm == 5)
				c->modrm_ea += insn_fetch(s32, 4, c->eip);
			break;
		case 1:
			c->modrm_ea += insn_fetch(s8, 1, c->eip);
			break;
		case 2:
			c->modrm_ea += insn_fetch(s32, 4, c->eip);
			break;
		}
	}
done:
	return rc;
}

static int decode_abs(struct x86_emulate_ctxt *ctxt,
		      struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
947
	int rc = X86EMUL_CONTINUE;
948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963

	switch (c->ad_bytes) {
	case 2:
		c->modrm_ea = insn_fetch(u16, 2, c->eip);
		break;
	case 4:
		c->modrm_ea = insn_fetch(u32, 4, c->eip);
		break;
	case 8:
		c->modrm_ea = insn_fetch(u64, 8, c->eip);
		break;
	}
done:
	return rc;
}

A
Avi Kivity 已提交
964
int
965
x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
A
Avi Kivity 已提交
966
{
967
	struct decode_cache *c = &ctxt->decode;
968
	int rc = X86EMUL_CONTINUE;
A
Avi Kivity 已提交
969
	int mode = ctxt->mode;
970
	int def_op_bytes, def_ad_bytes, group;
A
Avi Kivity 已提交
971 972


973 974 975
	/* we cannot decode insn before we complete previous rep insn */
	WARN_ON(ctxt->restart);

976
	c->eip = ctxt->eip;
977
	c->fetch.start = c->fetch.end = c->eip;
978
	ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
A
Avi Kivity 已提交
979 980 981

	switch (mode) {
	case X86EMUL_MODE_REAL:
982
	case X86EMUL_MODE_VM86:
A
Avi Kivity 已提交
983
	case X86EMUL_MODE_PROT16:
984
		def_op_bytes = def_ad_bytes = 2;
A
Avi Kivity 已提交
985 986
		break;
	case X86EMUL_MODE_PROT32:
987
		def_op_bytes = def_ad_bytes = 4;
A
Avi Kivity 已提交
988
		break;
989
#ifdef CONFIG_X86_64
A
Avi Kivity 已提交
990
	case X86EMUL_MODE_PROT64:
991 992
		def_op_bytes = 4;
		def_ad_bytes = 8;
A
Avi Kivity 已提交
993 994 995 996 997 998
		break;
#endif
	default:
		return -1;
	}

999 1000 1001
	c->op_bytes = def_op_bytes;
	c->ad_bytes = def_ad_bytes;

A
Avi Kivity 已提交
1002
	/* Legacy prefixes. */
1003
	for (;;) {
1004
		switch (c->b = insn_fetch(u8, 1, c->eip)) {
A
Avi Kivity 已提交
1005
		case 0x66:	/* operand-size override */
1006 1007
			/* switch between 2/4 bytes */
			c->op_bytes = def_op_bytes ^ 6;
A
Avi Kivity 已提交
1008 1009 1010
			break;
		case 0x67:	/* address-size override */
			if (mode == X86EMUL_MODE_PROT64)
1011
				/* switch between 4/8 bytes */
1012
				c->ad_bytes = def_ad_bytes ^ 12;
A
Avi Kivity 已提交
1013
			else
1014
				/* switch between 2/4 bytes */
1015
				c->ad_bytes = def_ad_bytes ^ 6;
A
Avi Kivity 已提交
1016
			break;
1017
		case 0x26:	/* ES override */
A
Avi Kivity 已提交
1018
		case 0x2e:	/* CS override */
1019
		case 0x36:	/* SS override */
A
Avi Kivity 已提交
1020
		case 0x3e:	/* DS override */
1021
			set_seg_override(c, (c->b >> 3) & 3);
A
Avi Kivity 已提交
1022 1023 1024
			break;
		case 0x64:	/* FS override */
		case 0x65:	/* GS override */
1025
			set_seg_override(c, c->b & 7);
A
Avi Kivity 已提交
1026
			break;
1027 1028 1029
		case 0x40 ... 0x4f: /* REX */
			if (mode != X86EMUL_MODE_PROT64)
				goto done_prefixes;
1030
			c->rex_prefix = c->b;
1031
			continue;
A
Avi Kivity 已提交
1032
		case 0xf0:	/* LOCK */
1033
			c->lock_prefix = 1;
A
Avi Kivity 已提交
1034
			break;
1035
		case 0xf2:	/* REPNE/REPNZ */
1036 1037
			c->rep_prefix = REPNE_PREFIX;
			break;
A
Avi Kivity 已提交
1038
		case 0xf3:	/* REP/REPE/REPZ */
1039
			c->rep_prefix = REPE_PREFIX;
A
Avi Kivity 已提交
1040 1041 1042 1043
			break;
		default:
			goto done_prefixes;
		}
1044 1045 1046

		/* Any legacy prefix after a REX prefix nullifies its effect. */

1047
		c->rex_prefix = 0;
A
Avi Kivity 已提交
1048 1049 1050 1051 1052
	}

done_prefixes:

	/* REX prefix. */
1053
	if (c->rex_prefix)
1054
		if (c->rex_prefix & 8)
1055
			c->op_bytes = 8;	/* REX.W */
A
Avi Kivity 已提交
1056 1057

	/* Opcode byte(s). */
1058 1059
	c->d = opcode_table[c->b];
	if (c->d == 0) {
A
Avi Kivity 已提交
1060
		/* Two-byte opcode? */
1061 1062 1063 1064
		if (c->b == 0x0f) {
			c->twobyte = 1;
			c->b = insn_fetch(u8, 1, c->eip);
			c->d = twobyte_table[c->b];
A
Avi Kivity 已提交
1065
		}
1066
	}
A
Avi Kivity 已提交
1067

1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083
	if (c->d & Group) {
		group = c->d & GroupMask;
		c->modrm = insn_fetch(u8, 1, c->eip);
		--c->eip;

		group = (group << 3) + ((c->modrm >> 3) & 7);
		if ((c->d & GroupDual) && (c->modrm >> 6) == 3)
			c->d = group2_table[group];
		else
			c->d = group_table[group];
	}

	/* Unrecognised? */
	if (c->d == 0) {
		DPRINTF("Cannot emulate %02x\n", c->b);
		return -1;
A
Avi Kivity 已提交
1084 1085
	}

1086 1087 1088
	if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
		c->op_bytes = 8;

A
Avi Kivity 已提交
1089
	/* ModRM and SIB bytes. */
1090 1091 1092 1093
	if (c->d & ModRM)
		rc = decode_modrm(ctxt, ops);
	else if (c->d & MemAbs)
		rc = decode_abs(ctxt, ops);
1094
	if (rc != X86EMUL_CONTINUE)
1095
		goto done;
A
Avi Kivity 已提交
1096

1097 1098
	if (!c->has_seg_override)
		set_seg_override(c, VCPU_SREG_DS);
1099

1100
	if (!(!c->twobyte && c->b == 0x8d))
1101
		c->modrm_ea += seg_override_base(ctxt, ops, c);
1102 1103 1104

	if (c->ad_bytes != 8)
		c->modrm_ea = (u32)c->modrm_ea;
1105 1106 1107 1108

	if (c->rip_relative)
		c->modrm_ea += c->eip;

A
Avi Kivity 已提交
1109 1110 1111 1112
	/*
	 * Decode and fetch the source operand: register, memory
	 * or immediate.
	 */
1113
	switch (c->d & SrcMask) {
A
Avi Kivity 已提交
1114 1115 1116
	case SrcNone:
		break;
	case SrcReg:
1117
		decode_register_operand(&c->src, c, 0);
A
Avi Kivity 已提交
1118 1119
		break;
	case SrcMem16:
1120
		c->src.bytes = 2;
A
Avi Kivity 已提交
1121 1122
		goto srcmem_common;
	case SrcMem32:
1123
		c->src.bytes = 4;
A
Avi Kivity 已提交
1124 1125
		goto srcmem_common;
	case SrcMem:
1126 1127
		c->src.bytes = (c->d & ByteOp) ? 1 :
							   c->op_bytes;
1128
		/* Don't fetch the address for invlpg: it could be unmapped. */
M
Mike Day 已提交
1129
		if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
1130
			break;
M
Mike Day 已提交
1131
	srcmem_common:
1132 1133 1134 1135
		/*
		 * For instructions with a ModR/M byte, switch to register
		 * access if Mod = 3.
		 */
1136 1137
		if ((c->d & ModRM) && c->modrm_mod == 3) {
			c->src.type = OP_REG;
1138
			c->src.val = c->modrm_val;
1139
			c->src.ptr = c->modrm_ptr;
1140 1141
			break;
		}
1142
		c->src.type = OP_MEM;
1143 1144
		c->src.ptr = (unsigned long *)c->modrm_ea;
		c->src.val = 0;
A
Avi Kivity 已提交
1145 1146
		break;
	case SrcImm:
1147
	case SrcImmU:
1148 1149 1150 1151 1152
		c->src.type = OP_IMM;
		c->src.ptr = (unsigned long *)c->eip;
		c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		if (c->src.bytes == 8)
			c->src.bytes = 4;
A
Avi Kivity 已提交
1153
		/* NB. Immediates are sign-extended as necessary. */
1154
		switch (c->src.bytes) {
A
Avi Kivity 已提交
1155
		case 1:
1156
			c->src.val = insn_fetch(s8, 1, c->eip);
A
Avi Kivity 已提交
1157 1158
			break;
		case 2:
1159
			c->src.val = insn_fetch(s16, 2, c->eip);
A
Avi Kivity 已提交
1160 1161
			break;
		case 4:
1162
			c->src.val = insn_fetch(s32, 4, c->eip);
A
Avi Kivity 已提交
1163 1164
			break;
		}
1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177
		if ((c->d & SrcMask) == SrcImmU) {
			switch (c->src.bytes) {
			case 1:
				c->src.val &= 0xff;
				break;
			case 2:
				c->src.val &= 0xffff;
				break;
			case 4:
				c->src.val &= 0xffffffff;
				break;
			}
		}
A
Avi Kivity 已提交
1178 1179
		break;
	case SrcImmByte:
1180
	case SrcImmUByte:
1181 1182 1183
		c->src.type = OP_IMM;
		c->src.ptr = (unsigned long *)c->eip;
		c->src.bytes = 1;
1184 1185 1186 1187
		if ((c->d & SrcMask) == SrcImmByte)
			c->src.val = insn_fetch(s8, 1, c->eip);
		else
			c->src.val = insn_fetch(u8, 1, c->eip);
A
Avi Kivity 已提交
1188
		break;
1189 1190 1191 1192
	case SrcOne:
		c->src.bytes = 1;
		c->src.val = 1;
		break;
1193 1194 1195 1196
	case SrcSI:
		c->src.type = OP_MEM;
		c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->src.ptr = (unsigned long *)
1197
			register_address(c,  seg_override_base(ctxt, ops, c),
1198 1199 1200
					 c->regs[VCPU_REGS_RSI]);
		c->src.val = 0;
		break;
1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211
	case SrcImmFAddr:
		c->src.type = OP_IMM;
		c->src.ptr = (unsigned long *)c->eip;
		c->src.bytes = c->op_bytes + 2;
		insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
		break;
	case SrcMemFAddr:
		c->src.type = OP_MEM;
		c->src.ptr = (unsigned long *)c->modrm_ea;
		c->src.bytes = c->op_bytes + 2;
		break;
A
Avi Kivity 已提交
1212 1213
	}

1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236
	/*
	 * Decode and fetch the second source operand: register, memory
	 * or immediate.
	 */
	switch (c->d & Src2Mask) {
	case Src2None:
		break;
	case Src2CL:
		c->src2.bytes = 1;
		c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
		break;
	case Src2ImmByte:
		c->src2.type = OP_IMM;
		c->src2.ptr = (unsigned long *)c->eip;
		c->src2.bytes = 1;
		c->src2.val = insn_fetch(u8, 1, c->eip);
		break;
	case Src2One:
		c->src2.bytes = 1;
		c->src2.val = 1;
		break;
	}

1237
	/* Decode and fetch the destination operand: register or memory. */
1238
	switch (c->d & DstMask) {
1239 1240
	case ImplicitOps:
		/* Special instructions do their own operand decoding. */
1241
		return 0;
1242
	case DstReg:
1243
		decode_register_operand(&c->dst, c,
1244
			 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
1245 1246
		break;
	case DstMem:
1247
	case DstMem64:
1248
		if ((c->d & ModRM) && c->modrm_mod == 3) {
1249
			c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1250
			c->dst.type = OP_REG;
1251
			c->dst.val = c->dst.orig_val = c->modrm_val;
1252
			c->dst.ptr = c->modrm_ptr;
1253 1254
			break;
		}
1255
		c->dst.type = OP_MEM;
1256
		c->dst.ptr = (unsigned long *)c->modrm_ea;
1257 1258 1259 1260
		if ((c->d & DstMask) == DstMem64)
			c->dst.bytes = 8;
		else
			c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1261 1262 1263 1264 1265 1266 1267
		c->dst.val = 0;
		if (c->d & BitOp) {
			unsigned long mask = ~(c->dst.bytes * 8 - 1);

			c->dst.ptr = (void *)c->dst.ptr +
						   (c->src.val & mask) / 8;
		}
1268
		break;
1269 1270
	case DstAcc:
		c->dst.type = OP_REG;
1271
		c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1272
		c->dst.ptr = &c->regs[VCPU_REGS_RAX];
1273
		switch (c->dst.bytes) {
1274 1275 1276 1277 1278 1279 1280 1281 1282
			case 1:
				c->dst.val = *(u8 *)c->dst.ptr;
				break;
			case 2:
				c->dst.val = *(u16 *)c->dst.ptr;
				break;
			case 4:
				c->dst.val = *(u32 *)c->dst.ptr;
				break;
1283 1284 1285
			case 8:
				c->dst.val = *(u64 *)c->dst.ptr;
				break;
1286 1287 1288
		}
		c->dst.orig_val = c->dst.val;
		break;
1289 1290 1291 1292
	case DstDI:
		c->dst.type = OP_MEM;
		c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
		c->dst.ptr = (unsigned long *)
1293
			register_address(c, es_base(ctxt, ops),
1294 1295 1296
					 c->regs[VCPU_REGS_RDI]);
		c->dst.val = 0;
		break;
1297 1298 1299 1300 1301 1302
	}

done:
	return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
}

1303 1304 1305 1306 1307 1308
static int read_emulated(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops,
			 unsigned long addr, void *dest, unsigned size)
{
	int rc;
	struct read_cache *mc = &ctxt->decode.mem_read;
1309
	u32 err;
1310 1311 1312 1313 1314 1315 1316

	while (size) {
		int n = min(size, 8u);
		size -= n;
		if (mc->pos < mc->end)
			goto read_cached;

1317 1318 1319
		rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
					ctxt->vcpu);
		if (rc == X86EMUL_PROPAGATE_FAULT)
1320
			emulate_pf(ctxt, addr, err);
1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333
		if (rc != X86EMUL_CONTINUE)
			return rc;
		mc->end += n;

	read_cached:
		memcpy(dest, mc->data + mc->pos, n);
		mc->pos += n;
		dest += n;
		addr += n;
	}
	return X86EMUL_CONTINUE;
}

1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363
static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops,
			   unsigned int size, unsigned short port,
			   void *dest)
{
	struct read_cache *rc = &ctxt->decode.io_read;

	if (rc->pos == rc->end) { /* refill pio read ahead */
		struct decode_cache *c = &ctxt->decode;
		unsigned int in_page, n;
		unsigned int count = c->rep_prefix ?
			address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
		in_page = (ctxt->eflags & EFLG_DF) ?
			offset_in_page(c->regs[VCPU_REGS_RDI]) :
			PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
		n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
			count);
		if (n == 0)
			n = 1;
		rc->pos = rc->end = 0;
		if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
			return 0;
		rc->end = n * size;
	}

	memcpy(dest, rc->data + rc->pos, size);
	rc->pos += size;
	return 1;
}

1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400
static u32 desc_limit_scaled(struct desc_struct *desc)
{
	u32 limit = get_desc_limit(desc);

	return desc->g ? (limit << 12) | 0xfff : limit;
}

static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
				     struct x86_emulate_ops *ops,
				     u16 selector, struct desc_ptr *dt)
{
	if (selector & 1 << 2) {
		struct desc_struct desc;
		memset (dt, 0, sizeof *dt);
		if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
			return;

		dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
		dt->address = get_desc_base(&desc);
	} else
		ops->get_gdt(dt, ctxt->vcpu);
}

/* allowed just for 8 bytes segments */
static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				   struct x86_emulate_ops *ops,
				   u16 selector, struct desc_struct *desc)
{
	struct desc_ptr dt;
	u16 index = selector >> 3;
	int ret;
	u32 err;
	ulong addr;

	get_descriptor_table_ptr(ctxt, ops, selector, &dt);

	if (dt.size < index * 8 + 7) {
1401
		emulate_gp(ctxt, selector & 0xfffc);
1402 1403 1404 1405 1406
		return X86EMUL_PROPAGATE_FAULT;
	}
	addr = dt.address + index * 8;
	ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu,  &err);
	if (ret == X86EMUL_PROPAGATE_FAULT)
1407
		emulate_pf(ctxt, addr, err);
1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425

       return ret;
}

/* allowed just for 8 bytes segments */
static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				    struct x86_emulate_ops *ops,
				    u16 selector, struct desc_struct *desc)
{
	struct desc_ptr dt;
	u16 index = selector >> 3;
	u32 err;
	ulong addr;
	int ret;

	get_descriptor_table_ptr(ctxt, ops, selector, &dt);

	if (dt.size < index * 8 + 7) {
1426
		emulate_gp(ctxt, selector & 0xfffc);
1427 1428 1429 1430 1431 1432
		return X86EMUL_PROPAGATE_FAULT;
	}

	addr = dt.address + index * 8;
	ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
	if (ret == X86EMUL_PROPAGATE_FAULT)
1433
		emulate_pf(ctxt, addr, err);
1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551

	return ret;
}

static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
				   struct x86_emulate_ops *ops,
				   u16 selector, int seg)
{
	struct desc_struct seg_desc;
	u8 dpl, rpl, cpl;
	unsigned err_vec = GP_VECTOR;
	u32 err_code = 0;
	bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
	int ret;

	memset(&seg_desc, 0, sizeof seg_desc);

	if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
	    || ctxt->mode == X86EMUL_MODE_REAL) {
		/* set real mode segment descriptor */
		set_desc_base(&seg_desc, selector << 4);
		set_desc_limit(&seg_desc, 0xffff);
		seg_desc.type = 3;
		seg_desc.p = 1;
		seg_desc.s = 1;
		goto load;
	}

	/* NULL selector is not valid for TR, CS and SS */
	if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
	    && null_selector)
		goto exception;

	/* TR should be in GDT only */
	if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
		goto exception;

	if (null_selector) /* for NULL selector skip all following checks */
		goto load;

	ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	err_code = selector & 0xfffc;
	err_vec = GP_VECTOR;

	/* can't load system descriptor into segment selecor */
	if (seg <= VCPU_SREG_GS && !seg_desc.s)
		goto exception;

	if (!seg_desc.p) {
		err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
		goto exception;
	}

	rpl = selector & 3;
	dpl = seg_desc.dpl;
	cpl = ops->cpl(ctxt->vcpu);

	switch (seg) {
	case VCPU_SREG_SS:
		/*
		 * segment is not a writable data segment or segment
		 * selector's RPL != CPL or segment selector's RPL != CPL
		 */
		if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
			goto exception;
		break;
	case VCPU_SREG_CS:
		if (!(seg_desc.type & 8))
			goto exception;

		if (seg_desc.type & 4) {
			/* conforming */
			if (dpl > cpl)
				goto exception;
		} else {
			/* nonconforming */
			if (rpl > cpl || dpl != cpl)
				goto exception;
		}
		/* CS(RPL) <- CPL */
		selector = (selector & 0xfffc) | cpl;
		break;
	case VCPU_SREG_TR:
		if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
			goto exception;
		break;
	case VCPU_SREG_LDTR:
		if (seg_desc.s || seg_desc.type != 2)
			goto exception;
		break;
	default: /*  DS, ES, FS, or GS */
		/*
		 * segment is not a data or readable code segment or
		 * ((segment is a data or nonconforming code segment)
		 * and (both RPL and CPL > DPL))
		 */
		if ((seg_desc.type & 0xa) == 0x8 ||
		    (((seg_desc.type & 0xc) != 0xc) &&
		     (rpl > dpl && cpl > dpl)))
			goto exception;
		break;
	}

	if (seg_desc.s) {
		/* mark segment as accessed */
		seg_desc.type |= 1;
		ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
		if (ret != X86EMUL_CONTINUE)
			return ret;
	}
load:
	ops->set_segment_selector(selector, seg, ctxt->vcpu);
	ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
	return X86EMUL_CONTINUE;
exception:
1552
	emulate_exception(ctxt, err_vec, err_code, true);
1553 1554 1555
	return X86EMUL_PROPAGATE_FAULT;
}

1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613
static inline int writeback(struct x86_emulate_ctxt *ctxt,
			    struct x86_emulate_ops *ops)
{
	int rc;
	struct decode_cache *c = &ctxt->decode;
	u32 err;

	switch (c->dst.type) {
	case OP_REG:
		/* The 4-byte case *is* correct:
		 * in 64-bit mode we zero-extend.
		 */
		switch (c->dst.bytes) {
		case 1:
			*(u8 *)c->dst.ptr = (u8)c->dst.val;
			break;
		case 2:
			*(u16 *)c->dst.ptr = (u16)c->dst.val;
			break;
		case 4:
			*c->dst.ptr = (u32)c->dst.val;
			break;	/* 64b: zero-ext */
		case 8:
			*c->dst.ptr = c->dst.val;
			break;
		}
		break;
	case OP_MEM:
		if (c->lock_prefix)
			rc = ops->cmpxchg_emulated(
					(unsigned long)c->dst.ptr,
					&c->dst.orig_val,
					&c->dst.val,
					c->dst.bytes,
					&err,
					ctxt->vcpu);
		else
			rc = ops->write_emulated(
					(unsigned long)c->dst.ptr,
					&c->dst.val,
					c->dst.bytes,
					&err,
					ctxt->vcpu);
		if (rc == X86EMUL_PROPAGATE_FAULT)
			emulate_pf(ctxt,
					      (unsigned long)c->dst.ptr, err);
		if (rc != X86EMUL_CONTINUE)
			return rc;
		break;
	case OP_NONE:
		/* no writeback */
		break;
	default:
		break;
	}
	return X86EMUL_CONTINUE;
}

1614 1615
static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops)
1616 1617 1618 1619 1620 1621
{
	struct decode_cache *c = &ctxt->decode;

	c->dst.type  = OP_MEM;
	c->dst.bytes = c->op_bytes;
	c->dst.val = c->src.val;
1622
	register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1623
	c->dst.ptr = (void *) register_address(c, ss_base(ctxt, ops),
1624 1625 1626
					       c->regs[VCPU_REGS_RSP]);
}

1627
static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1628 1629
		       struct x86_emulate_ops *ops,
		       void *dest, int len)
1630 1631 1632 1633
{
	struct decode_cache *c = &ctxt->decode;
	int rc;

1634
	rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
1635 1636
						       c->regs[VCPU_REGS_RSP]),
			   dest, len);
1637
	if (rc != X86EMUL_CONTINUE)
1638 1639
		return rc;

1640
	register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1641 1642
	return rc;
}
1643

1644 1645 1646 1647 1648 1649 1650
static int emulate_popf(struct x86_emulate_ctxt *ctxt,
		       struct x86_emulate_ops *ops,
		       void *dest, int len)
{
	int rc;
	unsigned long val, change_mask;
	int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1651
	int cpl = ops->cpl(ctxt->vcpu);
1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666 1667 1668 1669 1670

	rc = emulate_pop(ctxt, ops, &val, len);
	if (rc != X86EMUL_CONTINUE)
		return rc;

	change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
		| EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;

	switch(ctxt->mode) {
	case X86EMUL_MODE_PROT64:
	case X86EMUL_MODE_PROT32:
	case X86EMUL_MODE_PROT16:
		if (cpl == 0)
			change_mask |= EFLG_IOPL;
		if (cpl <= iopl)
			change_mask |= EFLG_IF;
		break;
	case X86EMUL_MODE_VM86:
		if (iopl < 3) {
1671
			emulate_gp(ctxt, 0);
1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686
			return X86EMUL_PROPAGATE_FAULT;
		}
		change_mask |= EFLG_IF;
		break;
	default: /* real mode */
		change_mask |= (EFLG_IOPL | EFLG_IF);
		break;
	}

	*(unsigned long *)dest =
		(ctxt->eflags & ~change_mask) | (val & change_mask);

	return rc;
}

1687 1688
static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops, int seg)
1689 1690 1691
{
	struct decode_cache *c = &ctxt->decode;

1692
	c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1693

1694
	emulate_push(ctxt, ops);
1695 1696 1697 1698 1699 1700 1701 1702 1703 1704
}

static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
			     struct x86_emulate_ops *ops, int seg)
{
	struct decode_cache *c = &ctxt->decode;
	unsigned long selector;
	int rc;

	rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1705
	if (rc != X86EMUL_CONTINUE)
1706 1707
		return rc;

1708
	rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1709 1710 1711
	return rc;
}

1712
static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1713
			  struct x86_emulate_ops *ops)
1714 1715 1716
{
	struct decode_cache *c = &ctxt->decode;
	unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1717
	int rc = X86EMUL_CONTINUE;
1718 1719 1720 1721 1722 1723
	int reg = VCPU_REGS_RAX;

	while (reg <= VCPU_REGS_RDI) {
		(reg == VCPU_REGS_RSP) ?
		(c->src.val = old_esp) : (c->src.val = c->regs[reg]);

1724
		emulate_push(ctxt, ops);
1725 1726 1727 1728 1729

		rc = writeback(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			return rc;

1730 1731
		++reg;
	}
1732 1733 1734 1735 1736

	/* Disable writeback. */
	c->dst.type = OP_NONE;

	return rc;
1737 1738 1739 1740 1741 1742
}

static int emulate_popa(struct x86_emulate_ctxt *ctxt,
			struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
1743
	int rc = X86EMUL_CONTINUE;
1744 1745 1746 1747 1748 1749 1750 1751 1752 1753
	int reg = VCPU_REGS_RDI;

	while (reg >= VCPU_REGS_RAX) {
		if (reg == VCPU_REGS_RSP) {
			register_address_increment(c, &c->regs[VCPU_REGS_RSP],
							c->op_bytes);
			--reg;
		}

		rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1754
		if (rc != X86EMUL_CONTINUE)
1755 1756 1757 1758 1759 1760
			break;
		--reg;
	}
	return rc;
}

1761 1762 1763 1764 1765
static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;

1766
	return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1767 1768
}

1769
static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1770
{
1771
	struct decode_cache *c = &ctxt->decode;
1772 1773
	switch (c->modrm_reg) {
	case 0:	/* rol */
1774
		emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1775 1776
		break;
	case 1:	/* ror */
1777
		emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1778 1779
		break;
	case 2:	/* rcl */
1780
		emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1781 1782
		break;
	case 3:	/* rcr */
1783
		emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1784 1785 1786
		break;
	case 4:	/* sal/shl */
	case 6:	/* sal/shl */
1787
		emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1788 1789
		break;
	case 5:	/* shr */
1790
		emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1791 1792
		break;
	case 7:	/* sar */
1793
		emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1794 1795 1796 1797 1798
		break;
	}
}

static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1799
			       struct x86_emulate_ops *ops)
1800 1801 1802 1803 1804
{
	struct decode_cache *c = &ctxt->decode;

	switch (c->modrm_reg) {
	case 0 ... 1:	/* test */
1805
		emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1806 1807 1808 1809 1810
		break;
	case 2:	/* not */
		c->dst.val = ~c->dst.val;
		break;
	case 3:	/* neg */
1811
		emulate_1op("neg", c->dst, ctxt->eflags);
1812 1813
		break;
	default:
1814
		return 0;
1815
	}
1816
	return 1;
1817 1818 1819
}

static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1820
			       struct x86_emulate_ops *ops)
1821 1822 1823 1824 1825
{
	struct decode_cache *c = &ctxt->decode;

	switch (c->modrm_reg) {
	case 0:	/* inc */
1826
		emulate_1op("inc", c->dst, ctxt->eflags);
1827 1828
		break;
	case 1:	/* dec */
1829
		emulate_1op("dec", c->dst, ctxt->eflags);
1830
		break;
1831 1832 1833 1834 1835
	case 2: /* call near abs */ {
		long int old_eip;
		old_eip = c->eip;
		c->eip = c->src.val;
		c->src.val = old_eip;
1836
		emulate_push(ctxt, ops);
1837 1838
		break;
	}
1839
	case 4: /* jmp abs */
1840
		c->eip = c->src.val;
1841 1842
		break;
	case 6:	/* push */
1843
		emulate_push(ctxt, ops);
1844 1845
		break;
	}
1846
	return X86EMUL_CONTINUE;
1847 1848 1849
}

static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1850
			       struct x86_emulate_ops *ops)
1851 1852
{
	struct decode_cache *c = &ctxt->decode;
1853
	u64 old = c->dst.orig_val;
1854 1855 1856 1857 1858 1859

	if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
	    ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {

		c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
		c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1860
		ctxt->eflags &= ~EFLG_ZF;
1861
	} else {
1862
		c->dst.val = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1863 1864
		       (u32) c->regs[VCPU_REGS_RBX];

1865
		ctxt->eflags |= EFLG_ZF;
1866
	}
1867
	return X86EMUL_CONTINUE;
1868 1869
}

1870 1871 1872 1873 1874 1875 1876 1877
static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
			   struct x86_emulate_ops *ops)
{
	struct decode_cache *c = &ctxt->decode;
	int rc;
	unsigned long cs;

	rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1878
	if (rc != X86EMUL_CONTINUE)
1879 1880 1881 1882
		return rc;
	if (c->op_bytes == 4)
		c->eip = (u32)c->eip;
	rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1883
	if (rc != X86EMUL_CONTINUE)
1884
		return rc;
1885
	rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1886 1887 1888
	return rc;
}

1889 1890
static inline void
setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1891 1892
			struct x86_emulate_ops *ops, struct desc_struct *cs,
			struct desc_struct *ss)
1893
{
1894 1895 1896
	memset(cs, 0, sizeof(struct desc_struct));
	ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
	memset(ss, 0, sizeof(struct desc_struct));
1897 1898

	cs->l = 0;		/* will be adjusted later */
1899
	set_desc_base(cs, 0);	/* flat segment */
1900
	cs->g = 1;		/* 4kb granularity */
1901
	set_desc_limit(cs, 0xfffff);	/* 4GB limit */
1902 1903 1904
	cs->type = 0x0b;	/* Read, Execute, Accessed */
	cs->s = 1;
	cs->dpl = 0;		/* will be adjusted later */
1905 1906
	cs->p = 1;
	cs->d = 1;
1907

1908 1909
	set_desc_base(ss, 0);	/* flat segment */
	set_desc_limit(ss, 0xfffff);	/* 4GB limit */
1910 1911 1912
	ss->g = 1;		/* 4kb granularity */
	ss->s = 1;
	ss->type = 0x03;	/* Read/Write, Accessed */
1913
	ss->d = 1;		/* 32bit stack segment */
1914
	ss->dpl = 0;
1915
	ss->p = 1;
1916 1917 1918
}

static int
1919
emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1920 1921
{
	struct decode_cache *c = &ctxt->decode;
1922
	struct desc_struct cs, ss;
1923
	u64 msr_data;
1924
	u16 cs_sel, ss_sel;
1925 1926

	/* syscall is not available in real mode */
1927 1928
	if (ctxt->mode == X86EMUL_MODE_REAL ||
	    ctxt->mode == X86EMUL_MODE_VM86) {
1929
		emulate_ud(ctxt);
1930 1931
		return X86EMUL_PROPAGATE_FAULT;
	}
1932

1933
	setup_syscalls_segments(ctxt, ops, &cs, &ss);
1934

1935
	ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1936
	msr_data >>= 32;
1937 1938
	cs_sel = (u16)(msr_data & 0xfffc);
	ss_sel = (u16)(msr_data + 8);
1939 1940

	if (is_long_mode(ctxt->vcpu)) {
1941
		cs.d = 0;
1942 1943
		cs.l = 1;
	}
1944 1945 1946 1947
	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1948 1949 1950 1951 1952 1953

	c->regs[VCPU_REGS_RCX] = c->eip;
	if (is_long_mode(ctxt->vcpu)) {
#ifdef CONFIG_X86_64
		c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;

1954 1955 1956
		ops->get_msr(ctxt->vcpu,
			     ctxt->mode == X86EMUL_MODE_PROT64 ?
			     MSR_LSTAR : MSR_CSTAR, &msr_data);
1957 1958
		c->eip = msr_data;

1959
		ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1960 1961 1962 1963
		ctxt->eflags &= ~(msr_data | EFLG_RF);
#endif
	} else {
		/* legacy mode */
1964
		ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1965 1966 1967 1968 1969
		c->eip = (u32)msr_data;

		ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
	}

1970
	return X86EMUL_CONTINUE;
1971 1972
}

1973
static int
1974
emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1975 1976
{
	struct decode_cache *c = &ctxt->decode;
1977
	struct desc_struct cs, ss;
1978
	u64 msr_data;
1979
	u16 cs_sel, ss_sel;
1980

1981 1982
	/* inject #GP if in real mode */
	if (ctxt->mode == X86EMUL_MODE_REAL) {
1983
		emulate_gp(ctxt, 0);
1984
		return X86EMUL_PROPAGATE_FAULT;
1985 1986 1987 1988 1989
	}

	/* XXX sysenter/sysexit have not been tested in 64bit mode.
	* Therefore, we inject an #UD.
	*/
1990
	if (ctxt->mode == X86EMUL_MODE_PROT64) {
1991
		emulate_ud(ctxt);
1992 1993
		return X86EMUL_PROPAGATE_FAULT;
	}
1994

1995
	setup_syscalls_segments(ctxt, ops, &cs, &ss);
1996

1997
	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
1998 1999 2000
	switch (ctxt->mode) {
	case X86EMUL_MODE_PROT32:
		if ((msr_data & 0xfffc) == 0x0) {
2001
			emulate_gp(ctxt, 0);
2002
			return X86EMUL_PROPAGATE_FAULT;
2003 2004 2005 2006
		}
		break;
	case X86EMUL_MODE_PROT64:
		if (msr_data == 0x0) {
2007
			emulate_gp(ctxt, 0);
2008
			return X86EMUL_PROPAGATE_FAULT;
2009 2010 2011 2012 2013
		}
		break;
	}

	ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2014 2015 2016 2017
	cs_sel = (u16)msr_data;
	cs_sel &= ~SELECTOR_RPL_MASK;
	ss_sel = cs_sel + 8;
	ss_sel &= ~SELECTOR_RPL_MASK;
2018 2019
	if (ctxt->mode == X86EMUL_MODE_PROT64
		|| is_long_mode(ctxt->vcpu)) {
2020
		cs.d = 0;
2021 2022 2023
		cs.l = 1;
	}

2024 2025 2026 2027
	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2028

2029
	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
2030 2031
	c->eip = msr_data;

2032
	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
2033 2034
	c->regs[VCPU_REGS_RSP] = msr_data;

2035
	return X86EMUL_CONTINUE;
2036 2037
}

2038
static int
2039
emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2040 2041
{
	struct decode_cache *c = &ctxt->decode;
2042
	struct desc_struct cs, ss;
2043 2044
	u64 msr_data;
	int usermode;
2045
	u16 cs_sel, ss_sel;
2046

2047 2048 2049
	/* inject #GP if in real mode or Virtual 8086 mode */
	if (ctxt->mode == X86EMUL_MODE_REAL ||
	    ctxt->mode == X86EMUL_MODE_VM86) {
2050
		emulate_gp(ctxt, 0);
2051
		return X86EMUL_PROPAGATE_FAULT;
2052 2053
	}

2054
	setup_syscalls_segments(ctxt, ops, &cs, &ss);
2055 2056 2057 2058 2059 2060 2061 2062

	if ((c->rex_prefix & 0x8) != 0x0)
		usermode = X86EMUL_MODE_PROT64;
	else
		usermode = X86EMUL_MODE_PROT32;

	cs.dpl = 3;
	ss.dpl = 3;
2063
	ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
2064 2065
	switch (usermode) {
	case X86EMUL_MODE_PROT32:
2066
		cs_sel = (u16)(msr_data + 16);
2067
		if ((msr_data & 0xfffc) == 0x0) {
2068
			emulate_gp(ctxt, 0);
2069
			return X86EMUL_PROPAGATE_FAULT;
2070
		}
2071
		ss_sel = (u16)(msr_data + 24);
2072 2073
		break;
	case X86EMUL_MODE_PROT64:
2074
		cs_sel = (u16)(msr_data + 32);
2075
		if (msr_data == 0x0) {
2076
			emulate_gp(ctxt, 0);
2077
			return X86EMUL_PROPAGATE_FAULT;
2078
		}
2079 2080
		ss_sel = cs_sel + 8;
		cs.d = 0;
2081 2082 2083
		cs.l = 1;
		break;
	}
2084 2085
	cs_sel |= SELECTOR_RPL_MASK;
	ss_sel |= SELECTOR_RPL_MASK;
2086

2087 2088 2089 2090
	ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2091

2092 2093
	c->eip = c->regs[VCPU_REGS_RDX];
	c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
2094

2095
	return X86EMUL_CONTINUE;
2096 2097
}

2098 2099
static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
			      struct x86_emulate_ops *ops)
2100 2101 2102 2103 2104 2105 2106
{
	int iopl;
	if (ctxt->mode == X86EMUL_MODE_REAL)
		return false;
	if (ctxt->mode == X86EMUL_MODE_VM86)
		return true;
	iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
2107
	return ops->cpl(ctxt->vcpu) > iopl;
2108 2109 2110 2111 2112 2113
}

static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
					    struct x86_emulate_ops *ops,
					    u16 port, u16 len)
{
2114
	struct desc_struct tr_seg;
2115 2116 2117 2118 2119
	int r;
	u16 io_bitmap_ptr;
	u8 perm, bit_idx = port & 0x7;
	unsigned mask = (1 << len) - 1;

2120 2121
	ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
	if (!tr_seg.p)
2122
		return false;
2123
	if (desc_limit_scaled(&tr_seg) < 103)
2124
		return false;
2125 2126
	r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
			  ctxt->vcpu, NULL);
2127 2128
	if (r != X86EMUL_CONTINUE)
		return false;
2129
	if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2130
		return false;
2131 2132
	r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
			  &perm, 1, ctxt->vcpu, NULL);
2133 2134 2135 2136 2137 2138 2139 2140 2141 2142 2143
	if (r != X86EMUL_CONTINUE)
		return false;
	if ((perm >> bit_idx) & mask)
		return false;
	return true;
}

static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 u16 port, u16 len)
{
2144
	if (emulator_bad_iopl(ctxt, ops))
2145 2146 2147 2148 2149
		if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
			return false;
	return true;
}

2150 2151 2152 2153 2154 2155 2156 2157 2158 2159 2160 2161 2162 2163 2164 2165 2166 2167 2168 2169 2170 2171 2172 2173 2174 2175 2176 2177 2178 2179 2180 2181 2182 2183 2184 2185 2186 2187 2188 2189 2190 2191 2192 2193 2194 2195 2196 2197 2198 2199 2200 2201 2202 2203 2204 2205 2206 2207 2208 2209 2210 2211 2212 2213 2214 2215 2216 2217 2218 2219 2220 2221 2222 2223 2224 2225 2226 2227 2228 2229 2230 2231 2232 2233 2234 2235 2236 2237
static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops,
				struct tss_segment_16 *tss)
{
	struct decode_cache *c = &ctxt->decode;

	tss->ip = c->eip;
	tss->flag = ctxt->eflags;
	tss->ax = c->regs[VCPU_REGS_RAX];
	tss->cx = c->regs[VCPU_REGS_RCX];
	tss->dx = c->regs[VCPU_REGS_RDX];
	tss->bx = c->regs[VCPU_REGS_RBX];
	tss->sp = c->regs[VCPU_REGS_RSP];
	tss->bp = c->regs[VCPU_REGS_RBP];
	tss->si = c->regs[VCPU_REGS_RSI];
	tss->di = c->regs[VCPU_REGS_RDI];

	tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
	tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
	tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
	tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
	tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
}

static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 struct tss_segment_16 *tss)
{
	struct decode_cache *c = &ctxt->decode;
	int ret;

	c->eip = tss->ip;
	ctxt->eflags = tss->flag | 2;
	c->regs[VCPU_REGS_RAX] = tss->ax;
	c->regs[VCPU_REGS_RCX] = tss->cx;
	c->regs[VCPU_REGS_RDX] = tss->dx;
	c->regs[VCPU_REGS_RBX] = tss->bx;
	c->regs[VCPU_REGS_RSP] = tss->sp;
	c->regs[VCPU_REGS_RBP] = tss->bp;
	c->regs[VCPU_REGS_RSI] = tss->si;
	c->regs[VCPU_REGS_RDI] = tss->di;

	/*
	 * SDM says that segment selectors are loaded before segment
	 * descriptors
	 */
	ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
	ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
	ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);

	/*
	 * Now load segment descriptors. If fault happenes at this stage
	 * it is handled in a context of new task
	 */
	ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	return X86EMUL_CONTINUE;
}

static int task_switch_16(struct x86_emulate_ctxt *ctxt,
			  struct x86_emulate_ops *ops,
			  u16 tss_selector, u16 old_tss_sel,
			  ulong old_tss_base, struct desc_struct *new_desc)
{
	struct tss_segment_16 tss_seg;
	int ret;
	u32 err, new_tss_base = get_desc_base(new_desc);

	ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
2238
		emulate_pf(ctxt, old_tss_base, err);
2239 2240 2241 2242 2243 2244 2245 2246 2247
		return ret;
	}

	save_state_to_tss16(ctxt, ops, &tss_seg);

	ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			     &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
2248
		emulate_pf(ctxt, old_tss_base, err);
2249 2250 2251 2252 2253 2254 2255
		return ret;
	}

	ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
2256
		emulate_pf(ctxt, new_tss_base, err);
2257 2258 2259 2260 2261 2262 2263 2264 2265 2266 2267 2268
		return ret;
	}

	if (old_tss_sel != 0xffff) {
		tss_seg.prev_task_link = old_tss_sel;

		ret = ops->write_std(new_tss_base,
				     &tss_seg.prev_task_link,
				     sizeof tss_seg.prev_task_link,
				     ctxt->vcpu, &err);
		if (ret == X86EMUL_PROPAGATE_FAULT) {
			/* FIXME: need to provide precise fault address */
2269
			emulate_pf(ctxt, new_tss_base, err);
2270 2271 2272 2273 2274 2275 2276 2277 2278 2279 2280 2281 2282 2283 2284 2285 2286 2287 2288 2289 2290 2291 2292 2293 2294 2295 2296 2297 2298 2299 2300 2301 2302 2303 2304 2305 2306 2307 2308 2309 2310
			return ret;
		}
	}

	return load_state_from_tss16(ctxt, ops, &tss_seg);
}

static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
				struct x86_emulate_ops *ops,
				struct tss_segment_32 *tss)
{
	struct decode_cache *c = &ctxt->decode;

	tss->cr3 = ops->get_cr(3, ctxt->vcpu);
	tss->eip = c->eip;
	tss->eflags = ctxt->eflags;
	tss->eax = c->regs[VCPU_REGS_RAX];
	tss->ecx = c->regs[VCPU_REGS_RCX];
	tss->edx = c->regs[VCPU_REGS_RDX];
	tss->ebx = c->regs[VCPU_REGS_RBX];
	tss->esp = c->regs[VCPU_REGS_RSP];
	tss->ebp = c->regs[VCPU_REGS_RBP];
	tss->esi = c->regs[VCPU_REGS_RSI];
	tss->edi = c->regs[VCPU_REGS_RDI];

	tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
	tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
	tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
	tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
	tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
	tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
	tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
}

static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
				 struct x86_emulate_ops *ops,
				 struct tss_segment_32 *tss)
{
	struct decode_cache *c = &ctxt->decode;
	int ret;

2311
	if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
2312
		emulate_gp(ctxt, 0);
2313 2314
		return X86EMUL_PROPAGATE_FAULT;
	}
2315 2316 2317 2318 2319 2320 2321 2322 2323 2324 2325 2326 2327 2328 2329 2330 2331 2332 2333 2334 2335 2336 2337 2338 2339 2340 2341 2342 2343 2344 2345 2346 2347 2348 2349 2350 2351 2352 2353 2354 2355 2356 2357 2358 2359 2360 2361 2362 2363 2364 2365 2366 2367 2368 2369 2370 2371 2372 2373 2374 2375 2376 2377 2378 2379
	c->eip = tss->eip;
	ctxt->eflags = tss->eflags | 2;
	c->regs[VCPU_REGS_RAX] = tss->eax;
	c->regs[VCPU_REGS_RCX] = tss->ecx;
	c->regs[VCPU_REGS_RDX] = tss->edx;
	c->regs[VCPU_REGS_RBX] = tss->ebx;
	c->regs[VCPU_REGS_RSP] = tss->esp;
	c->regs[VCPU_REGS_RBP] = tss->ebp;
	c->regs[VCPU_REGS_RSI] = tss->esi;
	c->regs[VCPU_REGS_RDI] = tss->edi;

	/*
	 * SDM says that segment selectors are loaded before segment
	 * descriptors
	 */
	ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
	ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
	ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
	ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
	ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
	ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
	ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);

	/*
	 * Now load segment descriptors. If fault happenes at this stage
	 * it is handled in a context of new task
	 */
	ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	return X86EMUL_CONTINUE;
}

static int task_switch_32(struct x86_emulate_ctxt *ctxt,
			  struct x86_emulate_ops *ops,
			  u16 tss_selector, u16 old_tss_sel,
			  ulong old_tss_base, struct desc_struct *new_desc)
{
	struct tss_segment_32 tss_seg;
	int ret;
	u32 err, new_tss_base = get_desc_base(new_desc);

	ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
2380
		emulate_pf(ctxt, old_tss_base, err);
2381 2382 2383 2384 2385 2386 2387 2388 2389
		return ret;
	}

	save_state_to_tss32(ctxt, ops, &tss_seg);

	ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			     &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
2390
		emulate_pf(ctxt, old_tss_base, err);
2391 2392 2393 2394 2395 2396 2397
		return ret;
	}

	ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
			    &err);
	if (ret == X86EMUL_PROPAGATE_FAULT) {
		/* FIXME: need to provide precise fault address */
2398
		emulate_pf(ctxt, new_tss_base, err);
2399 2400 2401 2402 2403 2404 2405 2406 2407 2408 2409 2410
		return ret;
	}

	if (old_tss_sel != 0xffff) {
		tss_seg.prev_task_link = old_tss_sel;

		ret = ops->write_std(new_tss_base,
				     &tss_seg.prev_task_link,
				     sizeof tss_seg.prev_task_link,
				     ctxt->vcpu, &err);
		if (ret == X86EMUL_PROPAGATE_FAULT) {
			/* FIXME: need to provide precise fault address */
2411
			emulate_pf(ctxt, new_tss_base, err);
2412 2413 2414 2415 2416 2417 2418 2419
			return ret;
		}
	}

	return load_state_from_tss32(ctxt, ops, &tss_seg);
}

static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2420 2421 2422
				   struct x86_emulate_ops *ops,
				   u16 tss_selector, int reason,
				   bool has_error_code, u32 error_code)
2423 2424 2425 2426 2427
{
	struct desc_struct curr_tss_desc, next_tss_desc;
	int ret;
	u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
	ulong old_tss_base =
2428
		ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
2429
	u32 desc_limit;
2430 2431 2432 2433 2434 2435 2436 2437 2438 2439 2440 2441 2442 2443 2444

	/* FIXME: old_tss_base == ~0 ? */

	ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;
	ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
	if (ret != X86EMUL_CONTINUE)
		return ret;

	/* FIXME: check that next_tss_desc is tss */

	if (reason != TASK_SWITCH_IRET) {
		if ((tss_selector & 3) > next_tss_desc.dpl ||
		    ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
2445
			emulate_gp(ctxt, 0);
2446 2447 2448 2449
			return X86EMUL_PROPAGATE_FAULT;
		}
	}

2450 2451 2452 2453
	desc_limit = desc_limit_scaled(&next_tss_desc);
	if (!next_tss_desc.p ||
	    ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
	     desc_limit < 0x2b)) {
2454
		emulate_ts(ctxt, tss_selector & 0xfffc);
2455 2456 2457 2458 2459 2460 2461 2462 2463 2464 2465 2466 2467 2468 2469 2470 2471 2472 2473 2474 2475 2476 2477
		return X86EMUL_PROPAGATE_FAULT;
	}

	if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
		curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
		write_segment_descriptor(ctxt, ops, old_tss_sel,
					 &curr_tss_desc);
	}

	if (reason == TASK_SWITCH_IRET)
		ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;

	/* set back link to prev task only if NT bit is set in eflags
	   note that old_tss_sel is not used afetr this point */
	if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
		old_tss_sel = 0xffff;

	if (next_tss_desc.type & 8)
		ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
				     old_tss_base, &next_tss_desc);
	else
		ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
				     old_tss_base, &next_tss_desc);
2478 2479
	if (ret != X86EMUL_CONTINUE)
		return ret;
2480 2481 2482 2483 2484 2485 2486 2487 2488 2489 2490 2491 2492 2493

	if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
		ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;

	if (reason != TASK_SWITCH_IRET) {
		next_tss_desc.type |= (1 << 1); /* set busy flag */
		write_segment_descriptor(ctxt, ops, tss_selector,
					 &next_tss_desc);
	}

	ops->set_cr(0,  ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
	ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
	ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);

2494 2495 2496 2497 2498 2499
	if (has_error_code) {
		struct decode_cache *c = &ctxt->decode;

		c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
		c->lock_prefix = 0;
		c->src.val = (unsigned long) error_code;
2500
		emulate_push(ctxt, ops);
2501 2502
	}

2503 2504 2505 2506 2507
	return ret;
}

int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
			 struct x86_emulate_ops *ops,
2508 2509
			 u16 tss_selector, int reason,
			 bool has_error_code, u32 error_code)
2510 2511 2512 2513 2514
{
	struct decode_cache *c = &ctxt->decode;
	int rc;

	c->eip = ctxt->eip;
2515
	c->dst.type = OP_NONE;
2516

2517 2518
	rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
				     has_error_code, error_code);
2519 2520

	if (rc == X86EMUL_CONTINUE) {
2521
		rc = writeback(ctxt, ops);
2522 2523
		if (rc == X86EMUL_CONTINUE)
			ctxt->eip = c->eip;
2524 2525
	}

2526
	return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2527 2528
}

2529
static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2530
			    int reg, struct operand *op)
2531 2532 2533 2534
{
	struct decode_cache *c = &ctxt->decode;
	int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;

2535 2536
	register_address_increment(c, &c->regs[reg], df * op->bytes);
	op->ptr = (unsigned long *)register_address(c,  base, c->regs[reg]);
2537 2538
}

2539
int
2540
x86_emulate_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2541 2542 2543
{
	u64 msr_data;
	struct decode_cache *c = &ctxt->decode;
2544
	int rc = X86EMUL_CONTINUE;
2545
	int saved_dst_type = c->dst.type;
2546

2547
	ctxt->decode.mem_read.pos = 0;
2548

2549
	if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2550
		emulate_ud(ctxt);
2551 2552 2553
		goto done;
	}

2554
	/* LOCK prefix is allowed only with some instructions */
2555
	if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2556
		emulate_ud(ctxt);
2557 2558 2559
		goto done;
	}

2560
	/* Privileged instruction can be executed only in CPL=0 */
2561
	if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2562
		emulate_gp(ctxt, 0);
2563 2564 2565
		goto done;
	}

2566
	if (c->rep_prefix && (c->d & String)) {
2567
		ctxt->restart = true;
2568
		/* All REP prefixes have the same first termination condition */
2569
		if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2570 2571
		string_done:
			ctxt->restart = false;
2572
			ctxt->eip = c->eip;
2573 2574 2575 2576 2577 2578 2579 2580 2581 2582
			goto done;
		}
		/* The second termination condition only applies for REPE
		 * and REPNE. Test if the repeat string operation prefix is
		 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
		 * corresponding termination condition according to:
		 * 	- if REPE/REPZ and ZF = 0 then done
		 * 	- if REPNE/REPNZ and ZF = 1 then done
		 */
		if ((c->b == 0xa6) || (c->b == 0xa7) ||
2583
		    (c->b == 0xae) || (c->b == 0xaf)) {
2584
			if ((c->rep_prefix == REPE_PREFIX) &&
2585 2586
			    ((ctxt->eflags & EFLG_ZF) == 0))
				goto string_done;
2587
			if ((c->rep_prefix == REPNE_PREFIX) &&
2588 2589
			    ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
				goto string_done;
2590
		}
2591
		c->eip = ctxt->eip;
2592 2593
	}

2594
	if (c->src.type == OP_MEM) {
2595
		rc = read_emulated(ctxt, ops, (unsigned long)c->src.ptr,
2596
					c->src.valptr, c->src.bytes);
2597
		if (rc != X86EMUL_CONTINUE)
2598 2599 2600 2601
			goto done;
		c->src.orig_val = c->src.val;
	}

2602
	if (c->src2.type == OP_MEM) {
2603 2604
		rc = read_emulated(ctxt, ops, (unsigned long)c->src2.ptr,
					&c->src2.val, c->src2.bytes);
2605 2606 2607 2608
		if (rc != X86EMUL_CONTINUE)
			goto done;
	}

2609 2610 2611 2612
	if ((c->d & DstMask) == ImplicitOps)
		goto special_insn;


2613 2614
	if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
		/* optimisation - avoid slow emulated read if Mov */
2615 2616
		rc = read_emulated(ctxt, ops, (unsigned long)c->dst.ptr,
				   &c->dst.val, c->dst.bytes);
2617 2618
		if (rc != X86EMUL_CONTINUE)
			goto done;
2619
	}
2620
	c->dst.orig_val = c->dst.val;
2621

2622 2623
special_insn:

2624
	if (c->twobyte)
A
Avi Kivity 已提交
2625 2626
		goto twobyte_insn;

2627
	switch (c->b) {
A
Avi Kivity 已提交
2628 2629
	case 0x00 ... 0x05:
	      add:		/* add */
2630
		emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
A
Avi Kivity 已提交
2631
		break;
2632
	case 0x06:		/* push es */
2633
		emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
2634 2635 2636
		break;
	case 0x07:		/* pop es */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2637
		if (rc != X86EMUL_CONTINUE)
2638 2639
			goto done;
		break;
A
Avi Kivity 已提交
2640 2641
	case 0x08 ... 0x0d:
	      or:		/* or */
2642
		emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
A
Avi Kivity 已提交
2643
		break;
2644
	case 0x0e:		/* push cs */
2645
		emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
2646
		break;
A
Avi Kivity 已提交
2647 2648
	case 0x10 ... 0x15:
	      adc:		/* adc */
2649
		emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
A
Avi Kivity 已提交
2650
		break;
2651
	case 0x16:		/* push ss */
2652
		emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
2653 2654 2655
		break;
	case 0x17:		/* pop ss */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2656
		if (rc != X86EMUL_CONTINUE)
2657 2658
			goto done;
		break;
A
Avi Kivity 已提交
2659 2660
	case 0x18 ... 0x1d:
	      sbb:		/* sbb */
2661
		emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
A
Avi Kivity 已提交
2662
		break;
2663
	case 0x1e:		/* push ds */
2664
		emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
2665 2666 2667
		break;
	case 0x1f:		/* pop ds */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2668
		if (rc != X86EMUL_CONTINUE)
2669 2670
			goto done;
		break;
2671
	case 0x20 ... 0x25:
A
Avi Kivity 已提交
2672
	      and:		/* and */
2673
		emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
A
Avi Kivity 已提交
2674 2675 2676
		break;
	case 0x28 ... 0x2d:
	      sub:		/* sub */
2677
		emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
A
Avi Kivity 已提交
2678 2679 2680
		break;
	case 0x30 ... 0x35:
	      xor:		/* xor */
2681
		emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
A
Avi Kivity 已提交
2682 2683 2684
		break;
	case 0x38 ... 0x3d:
	      cmp:		/* cmp */
2685
		emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
A
Avi Kivity 已提交
2686
		break;
2687 2688 2689 2690 2691 2692 2693
	case 0x40 ... 0x47: /* inc r16/r32 */
		emulate_1op("inc", c->dst, ctxt->eflags);
		break;
	case 0x48 ... 0x4f: /* dec r16/r32 */
		emulate_1op("dec", c->dst, ctxt->eflags);
		break;
	case 0x50 ... 0x57:  /* push reg */
2694
		emulate_push(ctxt, ops);
2695 2696 2697
		break;
	case 0x58 ... 0x5f: /* pop reg */
	pop_instruction:
2698
		rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2699
		if (rc != X86EMUL_CONTINUE)
2700 2701
			goto done;
		break;
2702
	case 0x60:	/* pusha */
2703 2704 2705
		rc = emulate_pusha(ctxt, ops);
		if (rc != X86EMUL_CONTINUE)
			goto done;
2706 2707 2708
		break;
	case 0x61:	/* popa */
		rc = emulate_popa(ctxt, ops);
2709
		if (rc != X86EMUL_CONTINUE)
2710 2711
			goto done;
		break;
A
Avi Kivity 已提交
2712
	case 0x63:		/* movsxd */
2713
		if (ctxt->mode != X86EMUL_MODE_PROT64)
A
Avi Kivity 已提交
2714
			goto cannot_emulate;
2715
		c->dst.val = (s32) c->src.val;
A
Avi Kivity 已提交
2716
		break;
2717
	case 0x68: /* push imm */
2718
	case 0x6a: /* push imm8 */
2719
		emulate_push(ctxt, ops);
2720 2721 2722
		break;
	case 0x6c:		/* insb */
	case 0x6d:		/* insw/insd */
2723
		c->dst.bytes = min(c->dst.bytes, 4u);
2724
		if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2725
					  c->dst.bytes)) {
2726
			emulate_gp(ctxt, 0);
2727 2728
			goto done;
		}
2729 2730
		if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
				     c->regs[VCPU_REGS_RDX], &c->dst.val))
2731 2732
			goto done; /* IO is needed, skip writeback */
		break;
2733 2734
	case 0x6e:		/* outsb */
	case 0x6f:		/* outsw/outsd */
2735
		c->src.bytes = min(c->src.bytes, 4u);
2736
		if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2737
					  c->src.bytes)) {
2738
			emulate_gp(ctxt, 0);
2739 2740
			goto done;
		}
2741 2742 2743 2744 2745
		ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
				      &c->src.val, 1, ctxt->vcpu);

		c->dst.type = OP_NONE; /* nothing to writeback */
		break;
2746
	case 0x70 ... 0x7f: /* jcc (short) */
2747
		if (test_cc(c->b, ctxt->eflags))
2748
			jmp_rel(c, c->src.val);
2749
		break;
A
Avi Kivity 已提交
2750
	case 0x80 ... 0x83:	/* Grp1 */
2751
		switch (c->modrm_reg) {
A
Avi Kivity 已提交
2752 2753 2754 2755 2756 2757 2758 2759 2760 2761 2762 2763 2764 2765 2766 2767 2768 2769 2770
		case 0:
			goto add;
		case 1:
			goto or;
		case 2:
			goto adc;
		case 3:
			goto sbb;
		case 4:
			goto and;
		case 5:
			goto sub;
		case 6:
			goto xor;
		case 7:
			goto cmp;
		}
		break;
	case 0x84 ... 0x85:
2771
	test:
2772
		emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
A
Avi Kivity 已提交
2773 2774
		break;
	case 0x86 ... 0x87:	/* xchg */
2775
	xchg:
A
Avi Kivity 已提交
2776
		/* Write back the register source. */
2777
		switch (c->dst.bytes) {
A
Avi Kivity 已提交
2778
		case 1:
2779
			*(u8 *) c->src.ptr = (u8) c->dst.val;
A
Avi Kivity 已提交
2780 2781
			break;
		case 2:
2782
			*(u16 *) c->src.ptr = (u16) c->dst.val;
A
Avi Kivity 已提交
2783 2784
			break;
		case 4:
2785
			*c->src.ptr = (u32) c->dst.val;
A
Avi Kivity 已提交
2786 2787
			break;	/* 64b reg: zero-extend */
		case 8:
2788
			*c->src.ptr = c->dst.val;
A
Avi Kivity 已提交
2789 2790 2791 2792 2793 2794
			break;
		}
		/*
		 * Write back the memory destination with implicit LOCK
		 * prefix.
		 */
2795 2796
		c->dst.val = c->src.val;
		c->lock_prefix = 1;
A
Avi Kivity 已提交
2797 2798
		break;
	case 0x88 ... 0x8b:	/* mov */
2799
		goto mov;
2800 2801
	case 0x8c:  /* mov r/m, sreg */
		if (c->modrm_reg > VCPU_SREG_GS) {
2802
			emulate_ud(ctxt);
2803
			goto done;
2804
		}
2805
		c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
2806
		break;
N
Nitin A Kamble 已提交
2807
	case 0x8d: /* lea r16/r32, m */
2808
		c->dst.val = c->modrm_ea;
N
Nitin A Kamble 已提交
2809
		break;
2810 2811 2812 2813
	case 0x8e: { /* mov seg, r/m16 */
		uint16_t sel;

		sel = c->src.val;
2814

2815 2816
		if (c->modrm_reg == VCPU_SREG_CS ||
		    c->modrm_reg > VCPU_SREG_GS) {
2817
			emulate_ud(ctxt);
2818 2819 2820
			goto done;
		}

2821
		if (c->modrm_reg == VCPU_SREG_SS)
2822
			ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
2823

2824
		rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
2825 2826 2827 2828

		c->dst.type = OP_NONE;  /* Disable writeback. */
		break;
	}
A
Avi Kivity 已提交
2829
	case 0x8f:		/* pop (sole member of Grp1a) */
2830
		rc = emulate_grp1a(ctxt, ops);
2831
		if (rc != X86EMUL_CONTINUE)
A
Avi Kivity 已提交
2832 2833
			goto done;
		break;
2834
	case 0x90: /* nop / xchg r8,rax */
2835 2836
		if (c->dst.ptr == (unsigned long *)&c->regs[VCPU_REGS_RAX]) {
			c->dst.type = OP_NONE;  /* nop */
2837 2838 2839
			break;
		}
	case 0x91 ... 0x97: /* xchg reg,rax */
2840 2841
		c->src.type = OP_REG;
		c->src.bytes = c->op_bytes;
2842 2843 2844
		c->src.ptr = (unsigned long *) &c->regs[VCPU_REGS_RAX];
		c->src.val = *(c->src.ptr);
		goto xchg;
N
Nitin A Kamble 已提交
2845
	case 0x9c: /* pushf */
2846
		c->src.val =  (unsigned long) ctxt->eflags;
2847
		emulate_push(ctxt, ops);
2848
		break;
N
Nitin A Kamble 已提交
2849
	case 0x9d: /* popf */
A
Avi Kivity 已提交
2850
		c->dst.type = OP_REG;
2851
		c->dst.ptr = (unsigned long *) &ctxt->eflags;
A
Avi Kivity 已提交
2852
		c->dst.bytes = c->op_bytes;
2853 2854 2855 2856
		rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
		if (rc != X86EMUL_CONTINUE)
			goto done;
		break;
2857 2858 2859 2860 2861 2862 2863
	case 0xa0 ... 0xa1:	/* mov */
		c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
		c->dst.val = c->src.val;
		break;
	case 0xa2 ... 0xa3:	/* mov */
		c->dst.val = (unsigned long)c->regs[VCPU_REGS_RAX];
		break;
A
Avi Kivity 已提交
2864
	case 0xa4 ... 0xa5:	/* movs */
2865
		goto mov;
A
Avi Kivity 已提交
2866
	case 0xa6 ... 0xa7:	/* cmps */
2867 2868
		c->dst.type = OP_NONE; /* Disable writeback. */
		DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.ptr, c->dst.ptr);
2869
		goto cmp;
2870 2871
	case 0xa8 ... 0xa9:	/* test ax, imm */
		goto test;
A
Avi Kivity 已提交
2872
	case 0xaa ... 0xab:	/* stos */
2873
		c->dst.val = c->regs[VCPU_REGS_RAX];
A
Avi Kivity 已提交
2874 2875
		break;
	case 0xac ... 0xad:	/* lods */
2876
		goto mov;
A
Avi Kivity 已提交
2877 2878 2879
	case 0xae ... 0xaf:	/* scas */
		DPRINTF("Urk! I don't handle SCAS.\n");
		goto cannot_emulate;
2880
	case 0xb0 ... 0xbf: /* mov r, imm */
2881
		goto mov;
2882 2883 2884
	case 0xc0 ... 0xc1:
		emulate_grp2(ctxt);
		break;
2885
	case 0xc3: /* ret */
A
Avi Kivity 已提交
2886
		c->dst.type = OP_REG;
2887
		c->dst.ptr = &c->eip;
A
Avi Kivity 已提交
2888
		c->dst.bytes = c->op_bytes;
2889
		goto pop_instruction;
2890 2891 2892 2893
	case 0xc6 ... 0xc7:	/* mov (sole member of Grp11) */
	mov:
		c->dst.val = c->src.val;
		break;
2894 2895
	case 0xcb:		/* ret far */
		rc = emulate_ret_far(ctxt, ops);
2896
		if (rc != X86EMUL_CONTINUE)
2897 2898
			goto done;
		break;
2899 2900 2901 2902 2903 2904 2905 2906
	case 0xd0 ... 0xd1:	/* Grp2 */
		c->src.val = 1;
		emulate_grp2(ctxt);
		break;
	case 0xd2 ... 0xd3:	/* Grp2 */
		c->src.val = c->regs[VCPU_REGS_RCX];
		emulate_grp2(ctxt);
		break;
2907 2908
	case 0xe4: 	/* inb */
	case 0xe5: 	/* in */
2909
		goto do_io_in;
2910 2911
	case 0xe6: /* outb */
	case 0xe7: /* out */
2912
		goto do_io_out;
2913
	case 0xe8: /* call (near) */ {
2914
		long int rel = c->src.val;
2915
		c->src.val = (unsigned long) c->eip;
2916
		jmp_rel(c, rel);
2917
		emulate_push(ctxt, ops);
2918
		break;
2919 2920
	}
	case 0xe9: /* jmp rel */
2921
		goto jmp;
2922 2923
	case 0xea: { /* jmp far */
		unsigned short sel;
2924
	jump_far:
2925 2926 2927
		memcpy(&sel, c->src.valptr + c->op_bytes, 2);

		if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
2928
			goto done;
2929

2930 2931
		c->eip = 0;
		memcpy(&c->eip, c->src.valptr, c->op_bytes);
2932
		break;
2933
	}
2934 2935
	case 0xeb:
	      jmp:		/* jmp rel short */
2936
		jmp_rel(c, c->src.val);
2937
		c->dst.type = OP_NONE; /* Disable writeback. */
2938
		break;
2939 2940
	case 0xec: /* in al,dx */
	case 0xed: /* in (e/r)ax,dx */
2941 2942 2943 2944
		c->src.val = c->regs[VCPU_REGS_RDX];
	do_io_in:
		c->dst.bytes = min(c->dst.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
2945
			emulate_gp(ctxt, 0);
2946 2947
			goto done;
		}
2948 2949
		if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
				     &c->dst.val))
2950 2951
			goto done; /* IO is needed */
		break;
2952 2953
	case 0xee: /* out al,dx */
	case 0xef: /* out (e/r)ax,dx */
2954 2955 2956 2957
		c->src.val = c->regs[VCPU_REGS_RDX];
	do_io_out:
		c->dst.bytes = min(c->dst.bytes, 4u);
		if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
2958
			emulate_gp(ctxt, 0);
2959 2960
			goto done;
		}
2961 2962 2963
		ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
				      ctxt->vcpu);
		c->dst.type = OP_NONE;	/* Disable writeback. */
2964
		break;
2965
	case 0xf4:              /* hlt */
2966
		ctxt->vcpu->arch.halt_request = 1;
2967
		break;
2968 2969 2970 2971 2972
	case 0xf5:	/* cmc */
		/* complement carry flag from eflags reg */
		ctxt->eflags ^= EFLG_CF;
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
2973
	case 0xf6 ... 0xf7:	/* Grp3 */
2974 2975
		if (!emulate_grp3(ctxt, ops))
			goto cannot_emulate;
2976
		break;
2977 2978 2979 2980 2981
	case 0xf8: /* clc */
		ctxt->eflags &= ~EFLG_CF;
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xfa: /* cli */
2982
		if (emulator_bad_iopl(ctxt, ops))
2983
			emulate_gp(ctxt, 0);
2984 2985 2986 2987
		else {
			ctxt->eflags &= ~X86_EFLAGS_IF;
			c->dst.type = OP_NONE;	/* Disable writeback. */
		}
2988 2989
		break;
	case 0xfb: /* sti */
2990
		if (emulator_bad_iopl(ctxt, ops))
2991
			emulate_gp(ctxt, 0);
2992
		else {
2993
			ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
2994 2995 2996
			ctxt->eflags |= X86_EFLAGS_IF;
			c->dst.type = OP_NONE;	/* Disable writeback. */
		}
2997
		break;
2998 2999 3000 3001 3002 3003 3004 3005
	case 0xfc: /* cld */
		ctxt->eflags &= ~EFLG_DF;
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
	case 0xfd: /* std */
		ctxt->eflags |= EFLG_DF;
		c->dst.type = OP_NONE;	/* Disable writeback. */
		break;
3006 3007
	case 0xfe: /* Grp4 */
	grp45:
3008
		rc = emulate_grp45(ctxt, ops);
3009
		if (rc != X86EMUL_CONTINUE)
3010 3011
			goto done;
		break;
3012 3013 3014 3015
	case 0xff: /* Grp5 */
		if (c->modrm_reg == 5)
			goto jump_far;
		goto grp45;
A
Avi Kivity 已提交
3016
	}
3017 3018 3019

writeback:
	rc = writeback(ctxt, ops);
3020
	if (rc != X86EMUL_CONTINUE)
3021 3022
		goto done;

3023 3024 3025 3026 3027 3028
	/*
	 * restore dst type in case the decoding will be reused
	 * (happens for string instruction )
	 */
	c->dst.type = saved_dst_type;

3029
	if ((c->d & SrcMask) == SrcSI)
3030 3031
		string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
				VCPU_REGS_RSI, &c->src);
3032 3033

	if ((c->d & DstMask) == DstDI)
3034 3035
		string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
				&c->dst);
3036

3037
	if (c->rep_prefix && (c->d & String)) {
3038
		struct read_cache *rc = &ctxt->decode.io_read;
3039
		register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3040 3041 3042 3043 3044 3045
		/*
		 * Re-enter guest when pio read ahead buffer is empty or,
		 * if it is not used, after each 1024 iteration.
		 */
		if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
		    (rc->end != 0 && rc->end == rc->pos))
3046 3047
			ctxt->restart = false;
	}
3048 3049 3050 3051 3052
	/*
	 * reset read cache here in case string instruction is restared
	 * without decoding
	 */
	ctxt->decode.mem_read.end = 0;
3053
	ctxt->eip = c->eip;
3054 3055

done:
3056
	return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
A
Avi Kivity 已提交
3057 3058

twobyte_insn:
3059
	switch (c->b) {
A
Avi Kivity 已提交
3060
	case 0x01: /* lgdt, lidt, lmsw */
3061
		switch (c->modrm_reg) {
A
Avi Kivity 已提交
3062 3063 3064
			u16 size;
			unsigned long address;

3065
		case 0: /* vmcall */
3066
			if (c->modrm_mod != 3 || c->modrm_rm != 1)
3067 3068
				goto cannot_emulate;

3069
			rc = kvm_fix_hypercall(ctxt->vcpu);
3070
			if (rc != X86EMUL_CONTINUE)
3071 3072
				goto done;

3073
			/* Let the processor re-execute the fixed hypercall */
3074
			c->eip = ctxt->eip;
3075 3076
			/* Disable writeback. */
			c->dst.type = OP_NONE;
3077
			break;
A
Avi Kivity 已提交
3078
		case 2: /* lgdt */
3079 3080
			rc = read_descriptor(ctxt, ops, c->src.ptr,
					     &size, &address, c->op_bytes);
3081
			if (rc != X86EMUL_CONTINUE)
A
Avi Kivity 已提交
3082 3083
				goto done;
			realmode_lgdt(ctxt->vcpu, size, address);
3084 3085
			/* Disable writeback. */
			c->dst.type = OP_NONE;
A
Avi Kivity 已提交
3086
			break;
3087
		case 3: /* lidt/vmmcall */
3088 3089 3090 3091
			if (c->modrm_mod == 3) {
				switch (c->modrm_rm) {
				case 1:
					rc = kvm_fix_hypercall(ctxt->vcpu);
3092
					if (rc != X86EMUL_CONTINUE)
3093 3094 3095 3096 3097
						goto done;
					break;
				default:
					goto cannot_emulate;
				}
3098
			} else {
3099
				rc = read_descriptor(ctxt, ops, c->src.ptr,
3100
						     &size, &address,
3101
						     c->op_bytes);
3102
				if (rc != X86EMUL_CONTINUE)
3103 3104 3105
					goto done;
				realmode_lidt(ctxt->vcpu, size, address);
			}
3106 3107
			/* Disable writeback. */
			c->dst.type = OP_NONE;
A
Avi Kivity 已提交
3108 3109
			break;
		case 4: /* smsw */
3110
			c->dst.bytes = 2;
3111
			c->dst.val = ops->get_cr(0, ctxt->vcpu);
A
Avi Kivity 已提交
3112 3113
			break;
		case 6: /* lmsw */
3114 3115
			ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0ful) |
				    (c->src.val & 0x0f), ctxt->vcpu);
3116
			c->dst.type = OP_NONE;
A
Avi Kivity 已提交
3117
			break;
3118
		case 5: /* not defined */
3119
			emulate_ud(ctxt);
3120
			goto done;
A
Avi Kivity 已提交
3121
		case 7: /* invlpg*/
3122
			emulate_invlpg(ctxt->vcpu, c->modrm_ea);
3123 3124
			/* Disable writeback. */
			c->dst.type = OP_NONE;
A
Avi Kivity 已提交
3125 3126 3127 3128 3129
			break;
		default:
			goto cannot_emulate;
		}
		break;
3130
	case 0x05: 		/* syscall */
3131
		rc = emulate_syscall(ctxt, ops);
3132 3133
		if (rc != X86EMUL_CONTINUE)
			goto done;
3134 3135
		else
			goto writeback;
3136
		break;
3137 3138 3139 3140 3141
	case 0x06:
		emulate_clts(ctxt->vcpu);
		c->dst.type = OP_NONE;
		break;
	case 0x09:		/* wbinvd */
3142 3143 3144 3145
		kvm_emulate_wbinvd(ctxt->vcpu);
		c->dst.type = OP_NONE;
		break;
	case 0x08:		/* invd */
3146 3147 3148 3149 3150
	case 0x0d:		/* GrpP (prefetch) */
	case 0x18:		/* Grp16 (prefetch/nop) */
		c->dst.type = OP_NONE;
		break;
	case 0x20: /* mov cr, reg */
3151 3152 3153 3154
		switch (c->modrm_reg) {
		case 1:
		case 5 ... 7:
		case 9 ... 15:
3155
			emulate_ud(ctxt);
3156 3157
			goto done;
		}
3158
		c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3159 3160
		c->dst.type = OP_NONE;	/* no writeback */
		break;
A
Avi Kivity 已提交
3161
	case 0x21: /* mov from dr to reg */
3162 3163
		if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
		    (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3164
			emulate_ud(ctxt);
3165 3166
			goto done;
		}
3167
		ops->get_dr(c->modrm_reg, &c->regs[c->modrm_rm], ctxt->vcpu);
3168
		c->dst.type = OP_NONE;	/* no writeback */
A
Avi Kivity 已提交
3169
		break;
3170
	case 0x22: /* mov reg, cr */
3171
		if (ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu)) {
3172
			emulate_gp(ctxt, 0);
3173 3174
			goto done;
		}
3175 3176
		c->dst.type = OP_NONE;
		break;
A
Avi Kivity 已提交
3177
	case 0x23: /* mov from reg to dr */
3178 3179
		if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
		    (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3180
			emulate_ud(ctxt);
3181 3182
			goto done;
		}
3183

3184 3185 3186 3187
		if (ops->set_dr(c->modrm_reg, c->regs[c->modrm_rm] &
				((ctxt->mode == X86EMUL_MODE_PROT64) ?
				 ~0ULL : ~0U), ctxt->vcpu) < 0) {
			/* #UD condition is already handled by the code above */
3188
			emulate_gp(ctxt, 0);
3189 3190 3191
			goto done;
		}

3192
		c->dst.type = OP_NONE;	/* no writeback */
A
Avi Kivity 已提交
3193
		break;
3194 3195 3196 3197
	case 0x30:
		/* wrmsr */
		msr_data = (u32)c->regs[VCPU_REGS_RAX]
			| ((u64)c->regs[VCPU_REGS_RDX] << 32);
3198
		if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3199
			emulate_gp(ctxt, 0);
3200
			goto done;
3201 3202 3203 3204 3205 3206
		}
		rc = X86EMUL_CONTINUE;
		c->dst.type = OP_NONE;
		break;
	case 0x32:
		/* rdmsr */
3207
		if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3208
			emulate_gp(ctxt, 0);
3209
			goto done;
3210 3211 3212 3213 3214 3215 3216
		} else {
			c->regs[VCPU_REGS_RAX] = (u32)msr_data;
			c->regs[VCPU_REGS_RDX] = msr_data >> 32;
		}
		rc = X86EMUL_CONTINUE;
		c->dst.type = OP_NONE;
		break;
3217
	case 0x34:		/* sysenter */
3218
		rc = emulate_sysenter(ctxt, ops);
3219 3220
		if (rc != X86EMUL_CONTINUE)
			goto done;
3221 3222
		else
			goto writeback;
3223 3224
		break;
	case 0x35:		/* sysexit */
3225
		rc = emulate_sysexit(ctxt, ops);
3226 3227
		if (rc != X86EMUL_CONTINUE)
			goto done;
3228 3229
		else
			goto writeback;
3230
		break;
A
Avi Kivity 已提交
3231
	case 0x40 ... 0x4f:	/* cmov */
3232
		c->dst.val = c->dst.orig_val = c->src.val;
3233 3234
		if (!test_cc(c->b, ctxt->eflags))
			c->dst.type = OP_NONE; /* no writeback */
A
Avi Kivity 已提交
3235
		break;
3236
	case 0x80 ... 0x8f: /* jnz rel, etc*/
3237
		if (test_cc(c->b, ctxt->eflags))
3238
			jmp_rel(c, c->src.val);
3239 3240
		c->dst.type = OP_NONE;
		break;
3241
	case 0xa0:	  /* push fs */
3242
		emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3243 3244 3245
		break;
	case 0xa1:	 /* pop fs */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3246
		if (rc != X86EMUL_CONTINUE)
3247 3248
			goto done;
		break;
3249 3250
	case 0xa3:
	      bt:		/* bt */
Q
Qing He 已提交
3251
		c->dst.type = OP_NONE;
3252 3253
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
3254
		emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3255
		break;
3256 3257 3258 3259
	case 0xa4: /* shld imm8, r, r/m */
	case 0xa5: /* shld cl, r, r/m */
		emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
		break;
3260
	case 0xa8:	/* push gs */
3261
		emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3262 3263 3264
		break;
	case 0xa9:	/* pop gs */
		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3265
		if (rc != X86EMUL_CONTINUE)
3266 3267
			goto done;
		break;
3268 3269
	case 0xab:
	      bts:		/* bts */
3270 3271
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
3272
		emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3273
		break;
3274 3275 3276 3277
	case 0xac: /* shrd imm8, r, r/m */
	case 0xad: /* shrd cl, r, r/m */
		emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
		break;
3278 3279
	case 0xae:              /* clflush */
		break;
A
Avi Kivity 已提交
3280 3281 3282 3283 3284
	case 0xb0 ... 0xb1:	/* cmpxchg */
		/*
		 * Save real source value, then compare EAX against
		 * destination.
		 */
3285 3286
		c->src.orig_val = c->src.val;
		c->src.val = c->regs[VCPU_REGS_RAX];
3287 3288
		emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
		if (ctxt->eflags & EFLG_ZF) {
A
Avi Kivity 已提交
3289
			/* Success: write back to memory. */
3290
			c->dst.val = c->src.orig_val;
A
Avi Kivity 已提交
3291 3292
		} else {
			/* Failure: write the value we saw to EAX. */
3293 3294
			c->dst.type = OP_REG;
			c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
A
Avi Kivity 已提交
3295 3296 3297 3298
		}
		break;
	case 0xb3:
	      btr:		/* btr */
3299 3300
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
3301
		emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
A
Avi Kivity 已提交
3302 3303
		break;
	case 0xb6 ... 0xb7:	/* movzx */
3304 3305 3306
		c->dst.bytes = c->op_bytes;
		c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
						       : (u16) c->src.val;
A
Avi Kivity 已提交
3307 3308
		break;
	case 0xba:		/* Grp8 */
3309
		switch (c->modrm_reg & 3) {
A
Avi Kivity 已提交
3310 3311 3312 3313 3314 3315 3316 3317 3318 3319
		case 0:
			goto bt;
		case 1:
			goto bts;
		case 2:
			goto btr;
		case 3:
			goto btc;
		}
		break;
3320 3321
	case 0xbb:
	      btc:		/* btc */
3322 3323
		/* only subword offset */
		c->src.val &= (c->dst.bytes << 3) - 1;
3324
		emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3325
		break;
A
Avi Kivity 已提交
3326
	case 0xbe ... 0xbf:	/* movsx */
3327 3328 3329
		c->dst.bytes = c->op_bytes;
		c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
							(s16) c->src.val;
A
Avi Kivity 已提交
3330
		break;
3331
	case 0xc3:		/* movnti */
3332 3333 3334
		c->dst.bytes = c->op_bytes;
		c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
							(u64) c->src.val;
3335
		break;
A
Avi Kivity 已提交
3336
	case 0xc7:		/* Grp9 (cmpxchg8b) */
3337
		rc = emulate_grp9(ctxt, ops);
3338
		if (rc != X86EMUL_CONTINUE)
3339 3340
			goto done;
		break;
A
Avi Kivity 已提交
3341 3342 3343 3344
	}
	goto writeback;

cannot_emulate:
3345
	DPRINTF("Cannot emulate %02x\n", c->b);
A
Avi Kivity 已提交
3346 3347
	return -1;
}