1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
13 * Avi Kivity <avi@qumranet.com>
14 * Yaniv Kamay <yaniv@qumranet.com>
16 * This work is licensed under the terms of the GNU GPL, version 2. See
17 * the COPYING file in the top-level directory.
19 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
25 #include <public/xen.h>
26 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
28 #include <linux/kvm_host.h>
29 #define DPRINTF(x...) do {} while (0)
31 #include <linux/module.h>
32 #include <asm/kvm_x86_emulate.h>
35 * Opcode effective-address decode tables.
36 * Note that we only emulate instructions that have at least one memory
37 * operand (excluding implicit stack references). We assume that stack
38 * references and instruction fetches will never occur in special memory
39 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
43 /* Operand sizes: 8-bit operands or specified/overridden size. */
44 #define ByteOp (1<<0) /* 8-bit operands. */
45 /* Destination operand type. */
46 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
47 #define DstReg (2<<1) /* Register operand. */
48 #define DstMem (3<<1) /* Memory operand. */
49 #define DstMask (3<<1)
50 /* Source operand type. */
51 #define SrcNone (0<<3) /* No source operand. */
52 #define SrcImplicit (0<<3) /* Source operand is implicit in the opcode. */
53 #define SrcReg (1<<3) /* Register operand. */
54 #define SrcMem (2<<3) /* Memory operand. */
55 #define SrcMem16 (3<<3) /* Memory operand (16-bit). */
56 #define SrcMem32 (4<<3) /* Memory operand (32-bit). */
57 #define SrcImm (5<<3) /* Immediate operand. */
58 #define SrcImmByte (6<<3) /* 8-bit sign-extended immediate operand. */
59 #define SrcMask (7<<3)
60 /* Generic ModRM decode. */
62 /* Destination is only written; never read. */
65 #define MemAbs (1<<9) /* Memory operand is absolute displacement */
66 #define String (1<<10) /* String instruction (rep capable) */
67 #define Stack (1<<11) /* Stack instruction (push/pop) */
68 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
69 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
70 #define GroupMask 0xff /* Group number stored in bits 0:7 */
76 static u16 opcode_table[256] = {
78 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
79 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
82 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
83 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
86 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
87 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
90 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
91 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
94 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
95 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
96 SrcImmByte, SrcImm, 0, 0,
98 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
99 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
102 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
103 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
106 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
107 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
110 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
112 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
114 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
115 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
117 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
118 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
120 0, 0, 0, DstReg | SrcMem32 | ModRM | Mov /* movsxd (x86/64) */ ,
123 0, 0, ImplicitOps | Mov | Stack, 0,
124 SrcNone | ByteOp | ImplicitOps, SrcNone | ImplicitOps, /* insb, insw/insd */
125 SrcNone | ByteOp | ImplicitOps, SrcNone | ImplicitOps, /* outsb, outsw/outsd */
127 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
128 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
130 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
131 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
133 ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImm | ModRM,
134 ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM,
135 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
136 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
138 ByteOp | DstMem | SrcReg | ModRM | Mov, DstMem | SrcReg | ModRM | Mov,
139 ByteOp | DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
140 0, ModRM | DstReg, 0, Group | Group1A,
142 0, 0, 0, 0, 0, 0, 0, 0,
143 0, 0, 0, 0, ImplicitOps | Stack, ImplicitOps | Stack, 0, 0,
145 ByteOp | DstReg | SrcMem | Mov | MemAbs, DstReg | SrcMem | Mov | MemAbs,
146 ByteOp | DstMem | SrcReg | Mov | MemAbs, DstMem | SrcReg | Mov | MemAbs,
147 ByteOp | ImplicitOps | Mov | String, ImplicitOps | Mov | String,
148 ByteOp | ImplicitOps | String, ImplicitOps | String,
150 0, 0, ByteOp | ImplicitOps | Mov | String, ImplicitOps | Mov | String,
151 ByteOp | ImplicitOps | Mov | String, ImplicitOps | Mov | String,
152 ByteOp | ImplicitOps | String, ImplicitOps | String,
154 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
156 ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM,
157 0, ImplicitOps | Stack, 0, 0,
158 ByteOp | DstMem | SrcImm | ModRM | Mov, DstMem | SrcImm | ModRM | Mov,
160 0, 0, 0, 0, 0, 0, 0, 0,
162 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
163 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
166 0, 0, 0, 0, 0, 0, 0, 0,
168 0, 0, 0, 0, 0, 0, 0, 0,
170 ImplicitOps | Stack, SrcImm|ImplicitOps, 0, SrcImmByte|ImplicitOps,
174 ImplicitOps, ImplicitOps,
175 ByteOp | DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
177 ImplicitOps, 0, ImplicitOps, ImplicitOps,
178 0, 0, ByteOp | DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM
181 static u16 twobyte_table[256] = {
183 0, SrcMem | ModRM | DstReg, 0, 0, 0, 0, ImplicitOps, 0,
184 ImplicitOps, ImplicitOps, 0, 0, 0, ImplicitOps | ModRM, 0, 0,
186 0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0,
188 ModRM | ImplicitOps, ModRM, ModRM | ImplicitOps, ModRM, 0, 0, 0, 0,
189 0, 0, 0, 0, 0, 0, 0, 0,
191 ImplicitOps, 0, ImplicitOps, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
193 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
194 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
195 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
196 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
198 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
199 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
200 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
201 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
203 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
205 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
207 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
209 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
210 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
211 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
212 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
214 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
216 0, 0, 0, DstMem | SrcReg | ModRM | BitOp, 0, 0, 0, 0,
218 0, 0, 0, DstMem | SrcReg | ModRM | BitOp, 0, 0, 0, 0,
220 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM, 0,
221 DstMem | SrcReg | ModRM | BitOp,
222 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
223 DstReg | SrcMem16 | ModRM | Mov,
225 0, 0, DstMem | SrcImmByte | ModRM, DstMem | SrcReg | ModRM | BitOp,
226 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
227 DstReg | SrcMem16 | ModRM | Mov,
229 0, 0, 0, DstMem | SrcReg | ModRM | Mov, 0, 0, 0, ImplicitOps | ModRM,
230 0, 0, 0, 0, 0, 0, 0, 0,
232 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
234 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
236 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
239 static u16 group_table[] = {
241 DstMem | SrcNone | ModRM | Mov | Stack, 0, 0, 0, 0, 0, 0, 0,
244 static u16 group2_table[] = {
247 /* EFLAGS bit definitions. */
248 #define EFLG_OF (1<<11)
249 #define EFLG_DF (1<<10)
250 #define EFLG_SF (1<<7)
251 #define EFLG_ZF (1<<6)
252 #define EFLG_AF (1<<4)
253 #define EFLG_PF (1<<2)
254 #define EFLG_CF (1<<0)
257 * Instruction emulation:
258 * Most instructions are emulated directly via a fragment of inline assembly
259 * code. This allows us to save/restore EFLAGS and thus very easily pick up
260 * any modified flags.
263 #if defined(CONFIG_X86_64)
264 #define _LO32 "k" /* force 32-bit operand */
265 #define _STK "%%rsp" /* stack pointer */
266 #elif defined(__i386__)
267 #define _LO32 "" /* force 32-bit operand */
268 #define _STK "%%esp" /* stack pointer */
272 * These EFLAGS bits are restored from saved value during emulation, and
273 * any changes are written back to the saved value after emulation.
275 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
277 /* Before executing instruction: restore necessary bits in EFLAGS. */
278 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
279 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
280 "movl %"_sav",%"_LO32 _tmp"; " \
283 "movl %"_msk",%"_LO32 _tmp"; " \
284 "andl %"_LO32 _tmp",("_STK"); " \
286 "notl %"_LO32 _tmp"; " \
287 "andl %"_LO32 _tmp",("_STK"); " \
288 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
290 "orl %"_LO32 _tmp",("_STK"); " \
294 /* After executing instruction: write-back necessary bits in EFLAGS. */
295 #define _POST_EFLAGS(_sav, _msk, _tmp) \
296 /* _sav |= EFLAGS & _msk; */ \
299 "andl %"_msk",%"_LO32 _tmp"; " \
300 "orl %"_LO32 _tmp",%"_sav"; "
302 /* Raw emulation: instruction has two explicit operands. */
303 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
305 unsigned long _tmp; \
307 switch ((_dst).bytes) { \
309 __asm__ __volatile__ ( \
310 _PRE_EFLAGS("0", "4", "2") \
311 _op"w %"_wx"3,%1; " \
312 _POST_EFLAGS("0", "4", "2") \
313 : "=m" (_eflags), "=m" ((_dst).val), \
315 : _wy ((_src).val), "i" (EFLAGS_MASK)); \
318 __asm__ __volatile__ ( \
319 _PRE_EFLAGS("0", "4", "2") \
320 _op"l %"_lx"3,%1; " \
321 _POST_EFLAGS("0", "4", "2") \
322 : "=m" (_eflags), "=m" ((_dst).val), \
324 : _ly ((_src).val), "i" (EFLAGS_MASK)); \
327 __emulate_2op_8byte(_op, _src, _dst, \
328 _eflags, _qx, _qy); \
333 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
335 unsigned long _tmp; \
336 switch ((_dst).bytes) { \
338 __asm__ __volatile__ ( \
339 _PRE_EFLAGS("0", "4", "2") \
340 _op"b %"_bx"3,%1; " \
341 _POST_EFLAGS("0", "4", "2") \
342 : "=m" (_eflags), "=m" ((_dst).val), \
344 : _by ((_src).val), "i" (EFLAGS_MASK)); \
347 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
348 _wx, _wy, _lx, _ly, _qx, _qy); \
353 /* Source operand is byte-sized and may be restricted to just %cl. */
354 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
355 __emulate_2op(_op, _src, _dst, _eflags, \
356 "b", "c", "b", "c", "b", "c", "b", "c")
358 /* Source operand is byte, word, long or quad sized. */
359 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
360 __emulate_2op(_op, _src, _dst, _eflags, \
361 "b", "q", "w", "r", _LO32, "r", "", "r")
363 /* Source operand is word, long or quad sized. */
364 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
365 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
366 "w", "r", _LO32, "r", "", "r")
368 /* Instruction has only one explicit operand (no source operand). */
369 #define emulate_1op(_op, _dst, _eflags) \
371 unsigned long _tmp; \
373 switch ((_dst).bytes) { \
375 __asm__ __volatile__ ( \
376 _PRE_EFLAGS("0", "3", "2") \
378 _POST_EFLAGS("0", "3", "2") \
379 : "=m" (_eflags), "=m" ((_dst).val), \
381 : "i" (EFLAGS_MASK)); \
384 __asm__ __volatile__ ( \
385 _PRE_EFLAGS("0", "3", "2") \
387 _POST_EFLAGS("0", "3", "2") \
388 : "=m" (_eflags), "=m" ((_dst).val), \
390 : "i" (EFLAGS_MASK)); \
393 __asm__ __volatile__ ( \
394 _PRE_EFLAGS("0", "3", "2") \
396 _POST_EFLAGS("0", "3", "2") \
397 : "=m" (_eflags), "=m" ((_dst).val), \
399 : "i" (EFLAGS_MASK)); \
402 __emulate_1op_8byte(_op, _dst, _eflags); \
407 /* Emulate an instruction with quadword operands (x86/64 only). */
408 #if defined(CONFIG_X86_64)
409 #define __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy) \
411 __asm__ __volatile__ ( \
412 _PRE_EFLAGS("0", "4", "2") \
413 _op"q %"_qx"3,%1; " \
414 _POST_EFLAGS("0", "4", "2") \
415 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
416 : _qy ((_src).val), "i" (EFLAGS_MASK)); \
419 #define __emulate_1op_8byte(_op, _dst, _eflags) \
421 __asm__ __volatile__ ( \
422 _PRE_EFLAGS("0", "3", "2") \
424 _POST_EFLAGS("0", "3", "2") \
425 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
426 : "i" (EFLAGS_MASK)); \
429 #elif defined(__i386__)
430 #define __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy)
431 #define __emulate_1op_8byte(_op, _dst, _eflags)
432 #endif /* __i386__ */
434 /* Fetch next part of the instruction being emulated. */
435 #define insn_fetch(_type, _size, _eip) \
436 ({ unsigned long _x; \
437 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
444 /* Access/update address held in a register, based on addressing mode. */
445 #define address_mask(reg) \
446 ((c->ad_bytes == sizeof(unsigned long)) ? \
447 (reg) : ((reg) & ((1UL << (c->ad_bytes << 3)) - 1)))
448 #define register_address(base, reg) \
449 ((base) + address_mask(reg))
450 #define register_address_increment(reg, inc) \
452 /* signed type ensures sign extension to long */ \
454 if (c->ad_bytes == sizeof(unsigned long)) \
458 ~((1UL << (c->ad_bytes << 3)) - 1)) | \
460 ((1UL << (c->ad_bytes << 3)) - 1)); \
463 #define JMP_REL(rel) \
465 register_address_increment(c->eip, rel); \
468 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
469 struct x86_emulate_ops *ops,
470 unsigned long linear, u8 *dest)
472 struct fetch_cache *fc = &ctxt->decode.fetch;
476 if (linear < fc->start || linear >= fc->end) {
477 size = min(15UL, PAGE_SIZE - offset_in_page(linear));
478 rc = ops->read_std(linear, fc->data, size, ctxt->vcpu);
482 fc->end = linear + size;
484 *dest = fc->data[linear - fc->start];
488 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
489 struct x86_emulate_ops *ops,
490 unsigned long eip, void *dest, unsigned size)
494 eip += ctxt->cs_base;
496 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
504 * Given the 'reg' portion of a ModRM byte, and a register block, return a
505 * pointer into the block that addresses the relevant register.
506 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
508 static void *decode_register(u8 modrm_reg, unsigned long *regs,
513 p = ®s[modrm_reg];
514 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
515 p = (unsigned char *)®s[modrm_reg & 3] + 1;
519 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
520 struct x86_emulate_ops *ops,
522 u16 *size, unsigned long *address, int op_bytes)
529 rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
533 rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
538 static int test_cc(unsigned int condition, unsigned int flags)
542 switch ((condition & 15) >> 1) {
544 rc |= (flags & EFLG_OF);
546 case 1: /* b/c/nae */
547 rc |= (flags & EFLG_CF);
550 rc |= (flags & EFLG_ZF);
553 rc |= (flags & (EFLG_CF|EFLG_ZF));
556 rc |= (flags & EFLG_SF);
559 rc |= (flags & EFLG_PF);
562 rc |= (flags & EFLG_ZF);
565 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
569 /* Odd condition identifiers (lsb == 1) have inverted sense. */
570 return (!!rc ^ (condition & 1));
573 static void decode_register_operand(struct operand *op,
574 struct decode_cache *c,
577 unsigned reg = c->modrm_reg;
578 int highbyte_regs = c->rex_prefix == 0;
581 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
583 if ((c->d & ByteOp) && !inhibit_bytereg) {
584 op->ptr = decode_register(reg, c->regs, highbyte_regs);
585 op->val = *(u8 *)op->ptr;
588 op->ptr = decode_register(reg, c->regs, 0);
589 op->bytes = c->op_bytes;
592 op->val = *(u16 *)op->ptr;
595 op->val = *(u32 *)op->ptr;
598 op->val = *(u64 *) op->ptr;
602 op->orig_val = op->val;
605 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
606 struct x86_emulate_ops *ops)
608 struct decode_cache *c = &ctxt->decode;
610 int index_reg = 0, base_reg = 0, scale, rip_relative = 0;
614 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
615 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
616 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
619 c->modrm = insn_fetch(u8, 1, c->eip);
620 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
621 c->modrm_reg |= (c->modrm & 0x38) >> 3;
622 c->modrm_rm |= (c->modrm & 0x07);
626 if (c->modrm_mod == 3) {
627 c->modrm_val = *(unsigned long *)
628 decode_register(c->modrm_rm, c->regs, c->d & ByteOp);
632 if (c->ad_bytes == 2) {
633 unsigned bx = c->regs[VCPU_REGS_RBX];
634 unsigned bp = c->regs[VCPU_REGS_RBP];
635 unsigned si = c->regs[VCPU_REGS_RSI];
636 unsigned di = c->regs[VCPU_REGS_RDI];
638 /* 16-bit ModR/M decode. */
639 switch (c->modrm_mod) {
641 if (c->modrm_rm == 6)
642 c->modrm_ea += insn_fetch(u16, 2, c->eip);
645 c->modrm_ea += insn_fetch(s8, 1, c->eip);
648 c->modrm_ea += insn_fetch(u16, 2, c->eip);
651 switch (c->modrm_rm) {
653 c->modrm_ea += bx + si;
656 c->modrm_ea += bx + di;
659 c->modrm_ea += bp + si;
662 c->modrm_ea += bp + di;
671 if (c->modrm_mod != 0)
678 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
679 (c->modrm_rm == 6 && c->modrm_mod != 0))
680 if (!c->override_base)
681 c->override_base = &ctxt->ss_base;
682 c->modrm_ea = (u16)c->modrm_ea;
684 /* 32/64-bit ModR/M decode. */
685 switch (c->modrm_rm) {
688 sib = insn_fetch(u8, 1, c->eip);
689 index_reg |= (sib >> 3) & 7;
695 if (c->modrm_mod != 0)
696 c->modrm_ea += c->regs[base_reg];
699 insn_fetch(s32, 4, c->eip);
702 c->modrm_ea += c->regs[base_reg];
708 c->modrm_ea += c->regs[index_reg] << scale;
712 if (c->modrm_mod != 0)
713 c->modrm_ea += c->regs[c->modrm_rm];
714 else if (ctxt->mode == X86EMUL_MODE_PROT64)
718 c->modrm_ea += c->regs[c->modrm_rm];
721 switch (c->modrm_mod) {
723 if (c->modrm_rm == 5)
724 c->modrm_ea += insn_fetch(s32, 4, c->eip);
727 c->modrm_ea += insn_fetch(s8, 1, c->eip);
730 c->modrm_ea += insn_fetch(s32, 4, c->eip);
735 c->modrm_ea += c->eip;
736 switch (c->d & SrcMask) {
744 if (c->op_bytes == 8)
747 c->modrm_ea += c->op_bytes;
754 static int decode_abs(struct x86_emulate_ctxt *ctxt,
755 struct x86_emulate_ops *ops)
757 struct decode_cache *c = &ctxt->decode;
760 switch (c->ad_bytes) {
762 c->modrm_ea = insn_fetch(u16, 2, c->eip);
765 c->modrm_ea = insn_fetch(u32, 4, c->eip);
768 c->modrm_ea = insn_fetch(u64, 8, c->eip);
776 x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
778 struct decode_cache *c = &ctxt->decode;
780 int mode = ctxt->mode;
781 int def_op_bytes, def_ad_bytes, group;
783 /* Shadow copy of register state. Committed on successful emulation. */
785 memset(c, 0, sizeof(struct decode_cache));
786 c->eip = ctxt->vcpu->arch.rip;
787 memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
790 case X86EMUL_MODE_REAL:
791 case X86EMUL_MODE_PROT16:
792 def_op_bytes = def_ad_bytes = 2;
794 case X86EMUL_MODE_PROT32:
795 def_op_bytes = def_ad_bytes = 4;
798 case X86EMUL_MODE_PROT64:
807 c->op_bytes = def_op_bytes;
808 c->ad_bytes = def_ad_bytes;
810 /* Legacy prefixes. */
812 switch (c->b = insn_fetch(u8, 1, c->eip)) {
813 case 0x66: /* operand-size override */
814 /* switch between 2/4 bytes */
815 c->op_bytes = def_op_bytes ^ 6;
817 case 0x67: /* address-size override */
818 if (mode == X86EMUL_MODE_PROT64)
819 /* switch between 4/8 bytes */
820 c->ad_bytes = def_ad_bytes ^ 12;
822 /* switch between 2/4 bytes */
823 c->ad_bytes = def_ad_bytes ^ 6;
825 case 0x2e: /* CS override */
826 c->override_base = &ctxt->cs_base;
828 case 0x3e: /* DS override */
829 c->override_base = &ctxt->ds_base;
831 case 0x26: /* ES override */
832 c->override_base = &ctxt->es_base;
834 case 0x64: /* FS override */
835 c->override_base = &ctxt->fs_base;
837 case 0x65: /* GS override */
838 c->override_base = &ctxt->gs_base;
840 case 0x36: /* SS override */
841 c->override_base = &ctxt->ss_base;
843 case 0x40 ... 0x4f: /* REX */
844 if (mode != X86EMUL_MODE_PROT64)
846 c->rex_prefix = c->b;
848 case 0xf0: /* LOCK */
851 case 0xf2: /* REPNE/REPNZ */
852 c->rep_prefix = REPNE_PREFIX;
854 case 0xf3: /* REP/REPE/REPZ */
855 c->rep_prefix = REPE_PREFIX;
861 /* Any legacy prefix after a REX prefix nullifies its effect. */
870 if (c->rex_prefix & 8)
871 c->op_bytes = 8; /* REX.W */
873 /* Opcode byte(s). */
874 c->d = opcode_table[c->b];
876 /* Two-byte opcode? */
879 c->b = insn_fetch(u8, 1, c->eip);
880 c->d = twobyte_table[c->b];
885 group = c->d & GroupMask;
886 c->modrm = insn_fetch(u8, 1, c->eip);
889 group = (group << 3) + ((c->modrm >> 3) & 7);
890 if ((c->d & GroupDual) && (c->modrm >> 6) == 3)
891 c->d = group2_table[group];
893 c->d = group_table[group];
898 DPRINTF("Cannot emulate %02x\n", c->b);
902 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
905 /* ModRM and SIB bytes. */
907 rc = decode_modrm(ctxt, ops);
908 else if (c->d & MemAbs)
909 rc = decode_abs(ctxt, ops);
913 if (!c->override_base)
914 c->override_base = &ctxt->ds_base;
915 if (mode == X86EMUL_MODE_PROT64 &&
916 c->override_base != &ctxt->fs_base &&
917 c->override_base != &ctxt->gs_base)
918 c->override_base = NULL;
920 if (c->override_base)
921 c->modrm_ea += *c->override_base;
923 if (c->ad_bytes != 8)
924 c->modrm_ea = (u32)c->modrm_ea;
926 * Decode and fetch the source operand: register, memory
929 switch (c->d & SrcMask) {
933 decode_register_operand(&c->src, c, 0);
942 c->src.bytes = (c->d & ByteOp) ? 1 :
944 /* Don't fetch the address for invlpg: it could be unmapped. */
945 if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
949 * For instructions with a ModR/M byte, switch to register
952 if ((c->d & ModRM) && c->modrm_mod == 3) {
953 c->src.type = OP_REG;
956 c->src.type = OP_MEM;
959 c->src.type = OP_IMM;
960 c->src.ptr = (unsigned long *)c->eip;
961 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
962 if (c->src.bytes == 8)
964 /* NB. Immediates are sign-extended as necessary. */
965 switch (c->src.bytes) {
967 c->src.val = insn_fetch(s8, 1, c->eip);
970 c->src.val = insn_fetch(s16, 2, c->eip);
973 c->src.val = insn_fetch(s32, 4, c->eip);
978 c->src.type = OP_IMM;
979 c->src.ptr = (unsigned long *)c->eip;
981 c->src.val = insn_fetch(s8, 1, c->eip);
985 /* Decode and fetch the destination operand: register or memory. */
986 switch (c->d & DstMask) {
988 /* Special instructions do their own operand decoding. */
991 decode_register_operand(&c->dst, c,
992 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
995 if ((c->d & ModRM) && c->modrm_mod == 3) {
996 c->dst.type = OP_REG;
999 c->dst.type = OP_MEM;
1004 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
1007 static inline void emulate_push(struct x86_emulate_ctxt *ctxt)
1009 struct decode_cache *c = &ctxt->decode;
1011 c->dst.type = OP_MEM;
1012 c->dst.bytes = c->op_bytes;
1013 c->dst.val = c->src.val;
1014 register_address_increment(c->regs[VCPU_REGS_RSP], -c->op_bytes);
1015 c->dst.ptr = (void *) register_address(ctxt->ss_base,
1016 c->regs[VCPU_REGS_RSP]);
1019 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1020 struct x86_emulate_ops *ops)
1022 struct decode_cache *c = &ctxt->decode;
1025 rc = ops->read_std(register_address(ctxt->ss_base,
1026 c->regs[VCPU_REGS_RSP]),
1027 &c->dst.val, c->dst.bytes, ctxt->vcpu);
1031 register_address_increment(c->regs[VCPU_REGS_RSP], c->dst.bytes);
1036 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1038 struct decode_cache *c = &ctxt->decode;
1039 switch (c->modrm_reg) {
1041 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1044 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1047 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1050 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1052 case 4: /* sal/shl */
1053 case 6: /* sal/shl */
1054 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1057 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1060 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1065 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1066 struct x86_emulate_ops *ops)
1068 struct decode_cache *c = &ctxt->decode;
1071 switch (c->modrm_reg) {
1072 case 0 ... 1: /* test */
1074 * Special case in Grp3: test has an immediate
1077 c->src.type = OP_IMM;
1078 c->src.ptr = (unsigned long *)c->eip;
1079 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1080 if (c->src.bytes == 8)
1082 switch (c->src.bytes) {
1084 c->src.val = insn_fetch(s8, 1, c->eip);
1087 c->src.val = insn_fetch(s16, 2, c->eip);
1090 c->src.val = insn_fetch(s32, 4, c->eip);
1093 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1096 c->dst.val = ~c->dst.val;
1099 emulate_1op("neg", c->dst, ctxt->eflags);
1102 DPRINTF("Cannot emulate %02x\n", c->b);
1103 rc = X86EMUL_UNHANDLEABLE;
1110 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1111 struct x86_emulate_ops *ops)
1113 struct decode_cache *c = &ctxt->decode;
1116 switch (c->modrm_reg) {
1118 emulate_1op("inc", c->dst, ctxt->eflags);
1121 emulate_1op("dec", c->dst, ctxt->eflags);
1123 case 4: /* jmp abs */
1125 c->eip = c->dst.val;
1127 DPRINTF("Cannot emulate %02x\n", c->b);
1128 return X86EMUL_UNHANDLEABLE;
1133 /* 64-bit mode: PUSH always pushes a 64-bit operand. */
1135 if (ctxt->mode == X86EMUL_MODE_PROT64) {
1137 rc = ops->read_std((unsigned long)c->dst.ptr,
1138 &c->dst.val, 8, ctxt->vcpu);
1142 register_address_increment(c->regs[VCPU_REGS_RSP],
1144 rc = ops->write_emulated(register_address(ctxt->ss_base,
1145 c->regs[VCPU_REGS_RSP]), &c->dst.val,
1146 c->dst.bytes, ctxt->vcpu);
1149 c->dst.type = OP_NONE;
1152 DPRINTF("Cannot emulate %02x\n", c->b);
1153 return X86EMUL_UNHANDLEABLE;
1158 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1159 struct x86_emulate_ops *ops,
1160 unsigned long memop)
1162 struct decode_cache *c = &ctxt->decode;
1166 rc = ops->read_emulated(memop, &old, 8, ctxt->vcpu);
1170 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1171 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1173 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1174 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1175 ctxt->eflags &= ~EFLG_ZF;
1178 new = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1179 (u32) c->regs[VCPU_REGS_RBX];
1181 rc = ops->cmpxchg_emulated(memop, &old, &new, 8, ctxt->vcpu);
1184 ctxt->eflags |= EFLG_ZF;
1189 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1190 struct x86_emulate_ops *ops)
1193 struct decode_cache *c = &ctxt->decode;
1195 switch (c->dst.type) {
1197 /* The 4-byte case *is* correct:
1198 * in 64-bit mode we zero-extend.
1200 switch (c->dst.bytes) {
1202 *(u8 *)c->dst.ptr = (u8)c->dst.val;
1205 *(u16 *)c->dst.ptr = (u16)c->dst.val;
1208 *c->dst.ptr = (u32)c->dst.val;
1209 break; /* 64b: zero-ext */
1211 *c->dst.ptr = c->dst.val;
1217 rc = ops->cmpxchg_emulated(
1218 (unsigned long)c->dst.ptr,
1224 rc = ops->write_emulated(
1225 (unsigned long)c->dst.ptr,
1242 x86_emulate_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1244 unsigned long memop = 0;
1246 unsigned long saved_eip = 0;
1247 struct decode_cache *c = &ctxt->decode;
1250 /* Shadow copy of register state. Committed on successful emulation.
1251 * NOTE: we can copy them from vcpu as x86_decode_insn() doesn't
1255 memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
1258 if (((c->d & ModRM) && (c->modrm_mod != 3)) || (c->d & MemAbs))
1259 memop = c->modrm_ea;
1261 if (c->rep_prefix && (c->d & String)) {
1262 /* All REP prefixes have the same first termination condition */
1263 if (c->regs[VCPU_REGS_RCX] == 0) {
1264 ctxt->vcpu->arch.rip = c->eip;
1267 /* The second termination condition only applies for REPE
1268 * and REPNE. Test if the repeat string operation prefix is
1269 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
1270 * corresponding termination condition according to:
1271 * - if REPE/REPZ and ZF = 0 then done
1272 * - if REPNE/REPNZ and ZF = 1 then done
1274 if ((c->b == 0xa6) || (c->b == 0xa7) ||
1275 (c->b == 0xae) || (c->b == 0xaf)) {
1276 if ((c->rep_prefix == REPE_PREFIX) &&
1277 ((ctxt->eflags & EFLG_ZF) == 0)) {
1278 ctxt->vcpu->arch.rip = c->eip;
1281 if ((c->rep_prefix == REPNE_PREFIX) &&
1282 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF)) {
1283 ctxt->vcpu->arch.rip = c->eip;
1287 c->regs[VCPU_REGS_RCX]--;
1288 c->eip = ctxt->vcpu->arch.rip;
1291 if (c->src.type == OP_MEM) {
1292 c->src.ptr = (unsigned long *)memop;
1294 rc = ops->read_emulated((unsigned long)c->src.ptr,
1300 c->src.orig_val = c->src.val;
1303 if ((c->d & DstMask) == ImplicitOps)
1307 if (c->dst.type == OP_MEM) {
1308 c->dst.ptr = (unsigned long *)memop;
1309 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1312 unsigned long mask = ~(c->dst.bytes * 8 - 1);
1314 c->dst.ptr = (void *)c->dst.ptr +
1315 (c->src.val & mask) / 8;
1317 if (!(c->d & Mov) &&
1318 /* optimisation - avoid slow emulated read */
1319 ((rc = ops->read_emulated((unsigned long)c->dst.ptr,
1321 c->dst.bytes, ctxt->vcpu)) != 0))
1324 c->dst.orig_val = c->dst.val;
1334 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
1338 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
1342 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
1346 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
1350 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
1352 case 0x24: /* and al imm8 */
1353 c->dst.type = OP_REG;
1354 c->dst.ptr = &c->regs[VCPU_REGS_RAX];
1355 c->dst.val = *(u8 *)c->dst.ptr;
1357 c->dst.orig_val = c->dst.val;
1359 case 0x25: /* and ax imm16, or eax imm32 */
1360 c->dst.type = OP_REG;
1361 c->dst.bytes = c->op_bytes;
1362 c->dst.ptr = &c->regs[VCPU_REGS_RAX];
1363 if (c->op_bytes == 2)
1364 c->dst.val = *(u16 *)c->dst.ptr;
1366 c->dst.val = *(u32 *)c->dst.ptr;
1367 c->dst.orig_val = c->dst.val;
1371 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
1375 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
1379 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
1381 case 0x40 ... 0x47: /* inc r16/r32 */
1382 emulate_1op("inc", c->dst, ctxt->eflags);
1384 case 0x48 ... 0x4f: /* dec r16/r32 */
1385 emulate_1op("dec", c->dst, ctxt->eflags);
1387 case 0x50 ... 0x57: /* push reg */
1388 c->dst.type = OP_MEM;
1389 c->dst.bytes = c->op_bytes;
1390 c->dst.val = c->src.val;
1391 register_address_increment(c->regs[VCPU_REGS_RSP],
1393 c->dst.ptr = (void *) register_address(
1394 ctxt->ss_base, c->regs[VCPU_REGS_RSP]);
1396 case 0x58 ... 0x5f: /* pop reg */
1398 if ((rc = ops->read_std(register_address(ctxt->ss_base,
1399 c->regs[VCPU_REGS_RSP]), c->dst.ptr,
1400 c->op_bytes, ctxt->vcpu)) != 0)
1403 register_address_increment(c->regs[VCPU_REGS_RSP],
1405 c->dst.type = OP_NONE; /* Disable writeback. */
1407 case 0x63: /* movsxd */
1408 if (ctxt->mode != X86EMUL_MODE_PROT64)
1409 goto cannot_emulate;
1410 c->dst.val = (s32) c->src.val;
1412 case 0x6a: /* push imm8 */
1414 c->src.val = insn_fetch(s8, 1, c->eip);
1417 case 0x6c: /* insb */
1418 case 0x6d: /* insw/insd */
1419 if (kvm_emulate_pio_string(ctxt->vcpu, NULL,
1421 (c->d & ByteOp) ? 1 : c->op_bytes,
1423 address_mask(c->regs[VCPU_REGS_RCX]) : 1,
1424 (ctxt->eflags & EFLG_DF),
1425 register_address(ctxt->es_base,
1426 c->regs[VCPU_REGS_RDI]),
1428 c->regs[VCPU_REGS_RDX]) == 0) {
1433 case 0x6e: /* outsb */
1434 case 0x6f: /* outsw/outsd */
1435 if (kvm_emulate_pio_string(ctxt->vcpu, NULL,
1437 (c->d & ByteOp) ? 1 : c->op_bytes,
1439 address_mask(c->regs[VCPU_REGS_RCX]) : 1,
1440 (ctxt->eflags & EFLG_DF),
1441 register_address(c->override_base ?
1444 c->regs[VCPU_REGS_RSI]),
1446 c->regs[VCPU_REGS_RDX]) == 0) {
1451 case 0x70 ... 0x7f: /* jcc (short) */ {
1452 int rel = insn_fetch(s8, 1, c->eip);
1454 if (test_cc(c->b, ctxt->eflags))
1458 case 0x80 ... 0x83: /* Grp1 */
1459 switch (c->modrm_reg) {
1479 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1481 case 0x86 ... 0x87: /* xchg */
1482 /* Write back the register source. */
1483 switch (c->dst.bytes) {
1485 *(u8 *) c->src.ptr = (u8) c->dst.val;
1488 *(u16 *) c->src.ptr = (u16) c->dst.val;
1491 *c->src.ptr = (u32) c->dst.val;
1492 break; /* 64b reg: zero-extend */
1494 *c->src.ptr = c->dst.val;
1498 * Write back the memory destination with implicit LOCK
1501 c->dst.val = c->src.val;
1504 case 0x88 ... 0x8b: /* mov */
1506 case 0x8d: /* lea r16/r32, m */
1507 c->dst.val = c->modrm_val;
1509 case 0x8f: /* pop (sole member of Grp1a) */
1510 rc = emulate_grp1a(ctxt, ops);
1514 case 0x9c: /* pushf */
1515 c->src.val = (unsigned long) ctxt->eflags;
1518 case 0x9d: /* popf */
1519 c->dst.ptr = (unsigned long *) &ctxt->eflags;
1520 goto pop_instruction;
1521 case 0xa0 ... 0xa1: /* mov */
1522 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
1523 c->dst.val = c->src.val;
1525 case 0xa2 ... 0xa3: /* mov */
1526 c->dst.val = (unsigned long)c->regs[VCPU_REGS_RAX];
1528 case 0xa4 ... 0xa5: /* movs */
1529 c->dst.type = OP_MEM;
1530 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1531 c->dst.ptr = (unsigned long *)register_address(
1533 c->regs[VCPU_REGS_RDI]);
1534 if ((rc = ops->read_emulated(register_address(
1535 c->override_base ? *c->override_base :
1537 c->regs[VCPU_REGS_RSI]),
1539 c->dst.bytes, ctxt->vcpu)) != 0)
1541 register_address_increment(c->regs[VCPU_REGS_RSI],
1542 (ctxt->eflags & EFLG_DF) ? -c->dst.bytes
1544 register_address_increment(c->regs[VCPU_REGS_RDI],
1545 (ctxt->eflags & EFLG_DF) ? -c->dst.bytes
1548 case 0xa6 ... 0xa7: /* cmps */
1549 c->src.type = OP_NONE; /* Disable writeback. */
1550 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1551 c->src.ptr = (unsigned long *)register_address(
1552 c->override_base ? *c->override_base :
1554 c->regs[VCPU_REGS_RSI]);
1555 if ((rc = ops->read_emulated((unsigned long)c->src.ptr,
1561 c->dst.type = OP_NONE; /* Disable writeback. */
1562 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1563 c->dst.ptr = (unsigned long *)register_address(
1565 c->regs[VCPU_REGS_RDI]);
1566 if ((rc = ops->read_emulated((unsigned long)c->dst.ptr,
1572 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.ptr, c->dst.ptr);
1574 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
1576 register_address_increment(c->regs[VCPU_REGS_RSI],
1577 (ctxt->eflags & EFLG_DF) ? -c->src.bytes
1579 register_address_increment(c->regs[VCPU_REGS_RDI],
1580 (ctxt->eflags & EFLG_DF) ? -c->dst.bytes
1584 case 0xaa ... 0xab: /* stos */
1585 c->dst.type = OP_MEM;
1586 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1587 c->dst.ptr = (unsigned long *)register_address(
1589 c->regs[VCPU_REGS_RDI]);
1590 c->dst.val = c->regs[VCPU_REGS_RAX];
1591 register_address_increment(c->regs[VCPU_REGS_RDI],
1592 (ctxt->eflags & EFLG_DF) ? -c->dst.bytes
1595 case 0xac ... 0xad: /* lods */
1596 c->dst.type = OP_REG;
1597 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1598 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
1599 if ((rc = ops->read_emulated(register_address(
1600 c->override_base ? *c->override_base :
1602 c->regs[VCPU_REGS_RSI]),
1607 register_address_increment(c->regs[VCPU_REGS_RSI],
1608 (ctxt->eflags & EFLG_DF) ? -c->dst.bytes
1611 case 0xae ... 0xaf: /* scas */
1612 DPRINTF("Urk! I don't handle SCAS.\n");
1613 goto cannot_emulate;
1617 case 0xc3: /* ret */
1618 c->dst.ptr = &c->eip;
1619 goto pop_instruction;
1620 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
1622 c->dst.val = c->src.val;
1624 case 0xd0 ... 0xd1: /* Grp2 */
1628 case 0xd2 ... 0xd3: /* Grp2 */
1629 c->src.val = c->regs[VCPU_REGS_RCX];
1632 case 0xe8: /* call (near) */ {
1634 switch (c->op_bytes) {
1636 rel = insn_fetch(s16, 2, c->eip);
1639 rel = insn_fetch(s32, 4, c->eip);
1642 DPRINTF("Call: Invalid op_bytes\n");
1643 goto cannot_emulate;
1645 c->src.val = (unsigned long) c->eip;
1647 c->op_bytes = c->ad_bytes;
1651 case 0xe9: /* jmp rel */
1652 case 0xeb: /* jmp rel short */
1653 JMP_REL(c->src.val);
1654 c->dst.type = OP_NONE; /* Disable writeback. */
1656 case 0xf4: /* hlt */
1657 ctxt->vcpu->arch.halt_request = 1;
1659 case 0xf5: /* cmc */
1660 /* complement carry flag from eflags reg */
1661 ctxt->eflags ^= EFLG_CF;
1662 c->dst.type = OP_NONE; /* Disable writeback. */
1664 case 0xf6 ... 0xf7: /* Grp3 */
1665 rc = emulate_grp3(ctxt, ops);
1669 case 0xf8: /* clc */
1670 ctxt->eflags &= ~EFLG_CF;
1671 c->dst.type = OP_NONE; /* Disable writeback. */
1673 case 0xfa: /* cli */
1674 ctxt->eflags &= ~X86_EFLAGS_IF;
1675 c->dst.type = OP_NONE; /* Disable writeback. */
1677 case 0xfb: /* sti */
1678 ctxt->eflags |= X86_EFLAGS_IF;
1679 c->dst.type = OP_NONE; /* Disable writeback. */
1681 case 0xfe ... 0xff: /* Grp4/Grp5 */
1682 rc = emulate_grp45(ctxt, ops);
1689 rc = writeback(ctxt, ops);
1693 /* Commit shadow register state. */
1694 memcpy(ctxt->vcpu->arch.regs, c->regs, sizeof c->regs);
1695 ctxt->vcpu->arch.rip = c->eip;
1698 if (rc == X86EMUL_UNHANDLEABLE) {
1706 case 0x01: /* lgdt, lidt, lmsw */
1707 switch (c->modrm_reg) {
1709 unsigned long address;
1711 case 0: /* vmcall */
1712 if (c->modrm_mod != 3 || c->modrm_rm != 1)
1713 goto cannot_emulate;
1715 rc = kvm_fix_hypercall(ctxt->vcpu);
1719 kvm_emulate_hypercall(ctxt->vcpu);
1722 rc = read_descriptor(ctxt, ops, c->src.ptr,
1723 &size, &address, c->op_bytes);
1726 realmode_lgdt(ctxt->vcpu, size, address);
1728 case 3: /* lidt/vmmcall */
1729 if (c->modrm_mod == 3 && c->modrm_rm == 1) {
1730 rc = kvm_fix_hypercall(ctxt->vcpu);
1733 kvm_emulate_hypercall(ctxt->vcpu);
1735 rc = read_descriptor(ctxt, ops, c->src.ptr,
1740 realmode_lidt(ctxt->vcpu, size, address);
1744 if (c->modrm_mod != 3)
1745 goto cannot_emulate;
1746 *(u16 *)&c->regs[c->modrm_rm]
1747 = realmode_get_cr(ctxt->vcpu, 0);
1750 if (c->modrm_mod != 3)
1751 goto cannot_emulate;
1752 realmode_lmsw(ctxt->vcpu, (u16)c->modrm_val,
1756 emulate_invlpg(ctxt->vcpu, memop);
1759 goto cannot_emulate;
1761 /* Disable writeback. */
1762 c->dst.type = OP_NONE;
1765 emulate_clts(ctxt->vcpu);
1766 c->dst.type = OP_NONE;
1768 case 0x08: /* invd */
1769 case 0x09: /* wbinvd */
1770 case 0x0d: /* GrpP (prefetch) */
1771 case 0x18: /* Grp16 (prefetch/nop) */
1772 c->dst.type = OP_NONE;
1774 case 0x20: /* mov cr, reg */
1775 if (c->modrm_mod != 3)
1776 goto cannot_emulate;
1777 c->regs[c->modrm_rm] =
1778 realmode_get_cr(ctxt->vcpu, c->modrm_reg);
1779 c->dst.type = OP_NONE; /* no writeback */
1781 case 0x21: /* mov from dr to reg */
1782 if (c->modrm_mod != 3)
1783 goto cannot_emulate;
1784 rc = emulator_get_dr(ctxt, c->modrm_reg, &c->regs[c->modrm_rm]);
1786 goto cannot_emulate;
1787 c->dst.type = OP_NONE; /* no writeback */
1789 case 0x22: /* mov reg, cr */
1790 if (c->modrm_mod != 3)
1791 goto cannot_emulate;
1792 realmode_set_cr(ctxt->vcpu,
1793 c->modrm_reg, c->modrm_val, &ctxt->eflags);
1794 c->dst.type = OP_NONE;
1796 case 0x23: /* mov from reg to dr */
1797 if (c->modrm_mod != 3)
1798 goto cannot_emulate;
1799 rc = emulator_set_dr(ctxt, c->modrm_reg,
1800 c->regs[c->modrm_rm]);
1802 goto cannot_emulate;
1803 c->dst.type = OP_NONE; /* no writeback */
1807 msr_data = (u32)c->regs[VCPU_REGS_RAX]
1808 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
1809 rc = kvm_set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data);
1811 kvm_inject_gp(ctxt->vcpu, 0);
1812 c->eip = ctxt->vcpu->arch.rip;
1814 rc = X86EMUL_CONTINUE;
1815 c->dst.type = OP_NONE;
1819 rc = kvm_get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data);
1821 kvm_inject_gp(ctxt->vcpu, 0);
1822 c->eip = ctxt->vcpu->arch.rip;
1824 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
1825 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
1827 rc = X86EMUL_CONTINUE;
1828 c->dst.type = OP_NONE;
1830 case 0x40 ... 0x4f: /* cmov */
1831 c->dst.val = c->dst.orig_val = c->src.val;
1832 if (!test_cc(c->b, ctxt->eflags))
1833 c->dst.type = OP_NONE; /* no writeback */
1835 case 0x80 ... 0x8f: /* jnz rel, etc*/ {
1838 switch (c->op_bytes) {
1840 rel = insn_fetch(s16, 2, c->eip);
1843 rel = insn_fetch(s32, 4, c->eip);
1846 rel = insn_fetch(s64, 8, c->eip);
1849 DPRINTF("jnz: Invalid op_bytes\n");
1850 goto cannot_emulate;
1852 if (test_cc(c->b, ctxt->eflags))
1854 c->dst.type = OP_NONE;
1859 c->dst.type = OP_NONE;
1860 /* only subword offset */
1861 c->src.val &= (c->dst.bytes << 3) - 1;
1862 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
1866 /* only subword offset */
1867 c->src.val &= (c->dst.bytes << 3) - 1;
1868 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
1870 case 0xb0 ... 0xb1: /* cmpxchg */
1872 * Save real source value, then compare EAX against
1875 c->src.orig_val = c->src.val;
1876 c->src.val = c->regs[VCPU_REGS_RAX];
1877 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
1878 if (ctxt->eflags & EFLG_ZF) {
1879 /* Success: write back to memory. */
1880 c->dst.val = c->src.orig_val;
1882 /* Failure: write the value we saw to EAX. */
1883 c->dst.type = OP_REG;
1884 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
1889 /* only subword offset */
1890 c->src.val &= (c->dst.bytes << 3) - 1;
1891 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
1893 case 0xb6 ... 0xb7: /* movzx */
1894 c->dst.bytes = c->op_bytes;
1895 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
1898 case 0xba: /* Grp8 */
1899 switch (c->modrm_reg & 3) {
1912 /* only subword offset */
1913 c->src.val &= (c->dst.bytes << 3) - 1;
1914 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
1916 case 0xbe ... 0xbf: /* movsx */
1917 c->dst.bytes = c->op_bytes;
1918 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
1921 case 0xc3: /* movnti */
1922 c->dst.bytes = c->op_bytes;
1923 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
1926 case 0xc7: /* Grp9 (cmpxchg8b) */
1927 rc = emulate_grp9(ctxt, ops, memop);
1930 c->dst.type = OP_NONE;
1936 DPRINTF("Cannot emulate %02x\n", c->b);
projects / linux-2.6 / blob