LXR linux/drivers/kvm/x86

   1/******************************************************************************
   2 * x86_emulate.c
   3 *
   4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
   5 *
   6 * Copyright (c) 2005 Keir Fraser
   7 *
   8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
   9 * privileged instructions:
  10 *
  11 * Copyright (C) 2006 Qumranet
  12 *
  13 *   Avi Kivity <avi@qumranet.com>
  14 *   Yaniv Kamay <yaniv@qumranet.com>
  15 *
  16 * This work is licensed under the terms of the GNU GPL, version 2.  See
  17 * the COPYING file in the top-level directory.
  18 *
  19 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
  20 */
  21
  22#ifndef __KERNEL__
  23#include <stdio.h>
  24#include <stdint.h>
  25#include <public/xen.h>
  26#define DPRINTF(_f, _a ...) printf( _f , ## _a )
  27#else
  28#include "kvm.h"
  29#define DPRINTF(x...) do {} while (0)
  30#endif
  31#include "x86_emulate.h"
  32#include <linux/module.h>
  33
  34/*
  35 * Opcode effective-address decode tables.
  36 * Note that we only emulate instructions that have at least one memory
  37 * operand (excluding implicit stack references). We assume that stack
  38 * references and instruction fetches will never occur in special memory
  39 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
  40 * not be handled.
  41 */
  42
  43/* Operand sizes: 8-bit operands or specified/overridden size. */
  44#define ByteOp      (1<<0)      /* 8-bit operands. */
  45/* Destination operand type. */
  46#define ImplicitOps (1<<1)      /* Implicit in opcode. No generic decode. */
  47#define DstReg      (2<<1)      /* Register operand. */
  48#define DstMem      (3<<1)      /* Memory operand. */
  49#define DstMask     (3<<1)
  50/* Source operand type. */
  51#define SrcNone     (0<<3)      /* No source operand. */
  52#define SrcImplicit (0<<3)      /* Source operand is implicit in the opcode. */
  53#define SrcReg      (1<<3)      /* Register operand. */
  54#define SrcMem      (2<<3)      /* Memory operand. */
  55#define SrcMem16    (3<<3)      /* Memory operand (16-bit). */
  56#define SrcMem32    (4<<3)      /* Memory operand (32-bit). */
  57#define SrcImm      (5<<3)      /* Immediate operand. */
  58#define SrcImmByte  (6<<3)      /* 8-bit sign-extended immediate operand. */
  59#define SrcMask     (7<<3)
  60/* Generic ModRM decode. */
  61#define ModRM       (1<<6)
  62/* Destination is only written; never read. */
  63#define Mov         (1<<7)
  64#define BitOp       (1<<8)
  65
  66static u8 opcode_table[256] = {
  67        /* 0x00 - 0x07 */
  68        ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
  69        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
  70        0, 0, 0, 0,
  71        /* 0x08 - 0x0F */
  72        ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
  73        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
  74        0, 0, 0, 0,
  75        /* 0x10 - 0x17 */
  76        ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
  77        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
  78        0, 0, 0, 0,
  79        /* 0x18 - 0x1F */
  80        ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
  81        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
  82        0, 0, 0, 0,
  83        /* 0x20 - 0x27 */
  84        ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
  85        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
  86        SrcImmByte, SrcImm, 0, 0,
  87        /* 0x28 - 0x2F */
  88        ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
  89        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
  90        0, 0, 0, 0,
  91        /* 0x30 - 0x37 */
  92        ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
  93        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
  94        0, 0, 0, 0,
  95        /* 0x38 - 0x3F */
  96        ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
  97        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
  98        0, 0, 0, 0,
  99        /* 0x40 - 0x4F */
 100        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 101        /* 0x50 - 0x57 */
 102        ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
 103        ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
 104        /* 0x58 - 0x5F */
 105        ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
 106        ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
 107        /* 0x60 - 0x67 */
 108        0, 0, 0, DstReg | SrcMem32 | ModRM | Mov /* movsxd (x86/64) */ ,
 109        0, 0, 0, 0,
 110        /* 0x68 - 0x6F */
 111        0, 0, ImplicitOps|Mov, 0,
 112        SrcNone  | ByteOp  | ImplicitOps, SrcNone  | ImplicitOps, /* insb, insw/insd */
 113        SrcNone  | ByteOp  | ImplicitOps, SrcNone  | ImplicitOps, /* outsb, outsw/outsd */
 114        /* 0x70 - 0x77 */
 115        ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
 116        ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
 117        /* 0x78 - 0x7F */
 118        ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
 119        ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
 120        /* 0x80 - 0x87 */
 121        ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImm | ModRM,
 122        ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM,
 123        ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
 124        ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
 125        /* 0x88 - 0x8F */
 126        ByteOp | DstMem | SrcReg | ModRM | Mov, DstMem | SrcReg | ModRM | Mov,
 127        ByteOp | DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
 128        0, ModRM | DstReg, 0, DstMem | SrcNone | ModRM | Mov,
 129        /* 0x90 - 0x9F */
 130        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps, ImplicitOps, 0, 0,
 131        /* 0xA0 - 0xA7 */
 132        ByteOp | DstReg | SrcMem | Mov, DstReg | SrcMem | Mov,
 133        ByteOp | DstMem | SrcReg | Mov, DstMem | SrcReg | Mov,
 134        ByteOp | ImplicitOps | Mov, ImplicitOps | Mov,
 135        ByteOp | ImplicitOps, ImplicitOps,
 136        /* 0xA8 - 0xAF */
 137        0, 0, ByteOp | ImplicitOps | Mov, ImplicitOps | Mov,
 138        ByteOp | ImplicitOps | Mov, ImplicitOps | Mov,
 139        ByteOp | ImplicitOps, ImplicitOps,
 140        /* 0xB0 - 0xBF */
 141        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 142        /* 0xC0 - 0xC7 */
 143        ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM,
 144        0, ImplicitOps, 0, 0,
 145        ByteOp | DstMem | SrcImm | ModRM | Mov, DstMem | SrcImm | ModRM | Mov,
 146        /* 0xC8 - 0xCF */
 147        0, 0, 0, 0, 0, 0, 0, 0,
 148        /* 0xD0 - 0xD7 */
 149        ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
 150        ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
 151        0, 0, 0, 0,
 152        /* 0xD8 - 0xDF */
 153        0, 0, 0, 0, 0, 0, 0, 0,
 154        /* 0xE0 - 0xE7 */
 155        0, 0, 0, 0, 0, 0, 0, 0,
 156        /* 0xE8 - 0xEF */
 157        ImplicitOps, SrcImm|ImplicitOps, 0, SrcImmByte|ImplicitOps, 0, 0, 0, 0,
 158        /* 0xF0 - 0xF7 */
 159        0, 0, 0, 0,
 160        ImplicitOps, 0,
 161        ByteOp | DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
 162        /* 0xF8 - 0xFF */
 163        0, 0, 0, 0,
 164        0, 0, ByteOp | DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM
 165};
 166
 167static u16 twobyte_table[256] = {
 168        /* 0x00 - 0x0F */
 169        0, SrcMem | ModRM | DstReg, 0, 0, 0, 0, ImplicitOps, 0,
 170        ImplicitOps, ImplicitOps, 0, 0, 0, ImplicitOps | ModRM, 0, 0,
 171        /* 0x10 - 0x1F */
 172        0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0,
 173        /* 0x20 - 0x2F */
 174        ModRM | ImplicitOps, ModRM, ModRM | ImplicitOps, ModRM, 0, 0, 0, 0,
 175        0, 0, 0, 0, 0, 0, 0, 0,
 176        /* 0x30 - 0x3F */
 177        ImplicitOps, 0, ImplicitOps, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 178        /* 0x40 - 0x47 */
 179        DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
 180        DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
 181        DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
 182        DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
 183        /* 0x48 - 0x4F */
 184        DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
 185        DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
 186        DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
 187        DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
 188        /* 0x50 - 0x5F */
 189        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 190        /* 0x60 - 0x6F */
 191        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 192        /* 0x70 - 0x7F */
 193        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 194        /* 0x80 - 0x8F */
 195        ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
 196        ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
 197        ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
 198        ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
 199        /* 0x90 - 0x9F */
 200        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 201        /* 0xA0 - 0xA7 */
 202        0, 0, 0, DstMem | SrcReg | ModRM | BitOp, 0, 0, 0, 0,
 203        /* 0xA8 - 0xAF */
 204        0, 0, 0, DstMem | SrcReg | ModRM | BitOp, 0, 0, 0, 0,
 205        /* 0xB0 - 0xB7 */
 206        ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM, 0,
 207            DstMem | SrcReg | ModRM | BitOp,
 208        0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
 209            DstReg | SrcMem16 | ModRM | Mov,
 210        /* 0xB8 - 0xBF */
 211        0, 0, DstMem | SrcImmByte | ModRM, DstMem | SrcReg | ModRM | BitOp,
 212        0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
 213            DstReg | SrcMem16 | ModRM | Mov,
 214        /* 0xC0 - 0xCF */
 215        0, 0, 0, DstMem | SrcReg | ModRM | Mov, 0, 0, 0, ImplicitOps | ModRM,
 216        0, 0, 0, 0, 0, 0, 0, 0,
 217        /* 0xD0 - 0xDF */
 218        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 219        /* 0xE0 - 0xEF */
 220        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 221        /* 0xF0 - 0xFF */
 222        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
 223};
 224
 225/* Type, address-of, and value of an instruction's operand. */
 226struct operand {
 227        enum { OP_REG, OP_MEM, OP_IMM } type;
 228        unsigned int bytes;
 229        unsigned long val, orig_val, *ptr;
 230};
 231
 232/* EFLAGS bit definitions. */
 233#define EFLG_OF (1<<11)
 234#define EFLG_DF (1<<10)
 235#define EFLG_SF (1<<7)
 236#define EFLG_ZF (1<<6)
 237#define EFLG_AF (1<<4)
 238#define EFLG_PF (1<<2)
 239#define EFLG_CF (1<<0)
 240
 241/*
 242 * Instruction emulation:
 243 * Most instructions are emulated directly via a fragment of inline assembly
 244 * code. This allows us to save/restore EFLAGS and thus very easily pick up
 245 * any modified flags.
 246 */
 247
 248#if defined(CONFIG_X86_64)
 249#define _LO32 "k"               /* force 32-bit operand */
 250#define _STK  "%%rsp"           /* stack pointer */
 251#elif defined(__i386__)
 252#define _LO32 ""                /* force 32-bit operand */
 253#define _STK  "%%esp"           /* stack pointer */
 254#endif
 255
 256/*
 257 * These EFLAGS bits are restored from saved value during emulation, and
 258 * any changes are written back to the saved value after emulation.
 259 */
 260#define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
 261
 262/* Before executing instruction: restore necessary bits in EFLAGS. */
 263#define _PRE_EFLAGS(_sav, _msk, _tmp) \
 264        /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); */        \
 265        "push %"_sav"; "                                        \
 266        "movl %"_msk",%"_LO32 _tmp"; "                          \
 267        "andl %"_LO32 _tmp",("_STK"); "                         \
 268        "pushf; "                                               \
 269        "notl %"_LO32 _tmp"; "                                  \
 270        "andl %"_LO32 _tmp",("_STK"); "                         \
 271        "pop  %"_tmp"; "                                        \
 272        "orl  %"_LO32 _tmp",("_STK"); "                         \
 273        "popf; "                                                \
 274        /* _sav &= ~msk; */                                     \
 275        "movl %"_msk",%"_LO32 _tmp"; "                          \
 276        "notl %"_LO32 _tmp"; "                                  \
 277        "andl %"_LO32 _tmp",%"_sav"; "
 278
 279/* After executing instruction: write-back necessary bits in EFLAGS. */
 280#define _POST_EFLAGS(_sav, _msk, _tmp) \
 281        /* _sav |= EFLAGS & _msk; */            \
 282        "pushf; "                               \
 283        "pop  %"_tmp"; "                        \
 284        "andl %"_msk",%"_LO32 _tmp"; "          \
 285        "orl  %"_LO32 _tmp",%"_sav"; "
 286
 287/* Raw emulation: instruction has two explicit operands. */
 288#define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
 289        do {                                                                \
 290                unsigned long _tmp;                                         \
 291                                                                            \
 292                switch ((_dst).bytes) {                                     \
 293                case 2:                                                     \
 294                        __asm__ __volatile__ (                              \
 295                                _PRE_EFLAGS("0","4","2")                    \
 296                                _op"w %"_wx"3,%1; "                         \
 297                                _POST_EFLAGS("0","4","2")                   \
 298                                : "=m" (_eflags), "=m" ((_dst).val),        \
 299                                  "=&r" (_tmp)                              \
 300                                : _wy ((_src).val), "i" (EFLAGS_MASK) );    \
 301                        break;                                              \
 302                case 4:                                                     \
 303                        __asm__ __volatile__ (                              \
 304                                _PRE_EFLAGS("0","4","2")                    \
 305                                _op"l %"_lx"3,%1; "                         \
 306                                _POST_EFLAGS("0","4","2")                   \
 307                                : "=m" (_eflags), "=m" ((_dst).val),        \
 308                                  "=&r" (_tmp)                              \
 309                                : _ly ((_src).val), "i" (EFLAGS_MASK) );    \
 310                        break;                                              \
 311                case 8:                                                     \
 312                        __emulate_2op_8byte(_op, _src, _dst,                \
 313                                            _eflags, _qx, _qy);             \
 314                        break;                                              \
 315                }                                                           \
 316        } while (0)
 317
 318#define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
 319        do {                                                                 \
 320                unsigned long _tmp;                                          \
 321                switch ( (_dst).bytes )                                      \
 322                {                                                            \
 323                case 1:                                                      \
 324                        __asm__ __volatile__ (                               \
 325                                _PRE_EFLAGS("0","4","2")                     \
 326                                _op"b %"_bx"3,%1; "                          \
 327                                _POST_EFLAGS("0","4","2")                    \
 328                                : "=m" (_eflags), "=m" ((_dst).val),         \
 329                                  "=&r" (_tmp)                               \
 330                                : _by ((_src).val), "i" (EFLAGS_MASK) );     \
 331                        break;                                               \
 332                default:                                                     \
 333                        __emulate_2op_nobyte(_op, _src, _dst, _eflags,       \
 334                                             _wx, _wy, _lx, _ly, _qx, _qy);  \
 335                        break;                                               \
 336                }                                                            \
 337        } while (0)
 338
 339/* Source operand is byte-sized and may be restricted to just %cl. */
 340#define emulate_2op_SrcB(_op, _src, _dst, _eflags)                      \
 341        __emulate_2op(_op, _src, _dst, _eflags,                         \
 342                      "b", "c", "b", "c", "b", "c", "b", "c")
 343
 344/* Source operand is byte, word, long or quad sized. */
 345#define emulate_2op_SrcV(_op, _src, _dst, _eflags)                      \
 346        __emulate_2op(_op, _src, _dst, _eflags,                         \
 347                      "b", "q", "w", "r", _LO32, "r", "", "r")
 348
 349/* Source operand is word, long or quad sized. */
 350#define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags)               \
 351        __emulate_2op_nobyte(_op, _src, _dst, _eflags,                  \
 352                             "w", "r", _LO32, "r", "", "r")
 353
 354/* Instruction has only one explicit operand (no source operand). */
 355#define emulate_1op(_op, _dst, _eflags)                                    \
 356        do {                                                            \
 357                unsigned long _tmp;                                     \
 358                                                                        \
 359                switch ( (_dst).bytes )                                 \
 360                {                                                       \
 361                case 1:                                                 \
 362                        __asm__ __volatile__ (                          \
 363                                _PRE_EFLAGS("0","3","2")                \
 364                                _op"b %1; "                             \
 365                                _POST_EFLAGS("0","3","2")               \
 366                                : "=m" (_eflags), "=m" ((_dst).val),    \
 367                                  "=&r" (_tmp)                          \
 368                                : "i" (EFLAGS_MASK) );                  \
 369                        break;                                          \
 370                case 2:                                                 \
 371                        __asm__ __volatile__ (                          \
 372                                _PRE_EFLAGS("0","3","2")                \
 373                                _op"w %1; "                             \
 374                                _POST_EFLAGS("0","3","2")               \
 375                                : "=m" (_eflags), "=m" ((_dst).val),    \
 376                                  "=&r" (_tmp)                          \
 377                                : "i" (EFLAGS_MASK) );                  \
 378                        break;                                          \
 379                case 4:                                                 \
 380                        __asm__ __volatile__ (                          \
 381                                _PRE_EFLAGS("0","3","2")                \
 382                                _op"l %1; "                             \
 383                                _POST_EFLAGS("0","3","2")               \
 384                                : "=m" (_eflags), "=m" ((_dst).val),    \
 385                                  "=&r" (_tmp)                          \
 386                                : "i" (EFLAGS_MASK) );                  \
 387                        break;                                          \
 388                case 8:                                                 \
 389                        __emulate_1op_8byte(_op, _dst, _eflags);        \
 390                        break;                                          \
 391                }                                                       \
 392        } while (0)
 393
 394/* Emulate an instruction with quadword operands (x86/64 only). */
 395#if defined(CONFIG_X86_64)
 396#define __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy)           \
 397        do {                                                              \
 398                __asm__ __volatile__ (                                    \
 399                        _PRE_EFLAGS("0","4","2")                          \
 400                        _op"q %"_qx"3,%1; "                               \
 401                        _POST_EFLAGS("0","4","2")                         \
 402                        : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
 403                        : _qy ((_src).val), "i" (EFLAGS_MASK) );          \
 404        } while (0)
 405
 406#define __emulate_1op_8byte(_op, _dst, _eflags)                           \
 407        do {                                                              \
 408                __asm__ __volatile__ (                                    \
 409                        _PRE_EFLAGS("0","3","2")                          \
 410                        _op"q %1; "                                       \
 411                        _POST_EFLAGS("0","3","2")                         \
 412                        : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
 413                        : "i" (EFLAGS_MASK) );                            \
 414        } while (0)
 415
 416#elif defined(__i386__)
 417#define __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy)
 418#define __emulate_1op_8byte(_op, _dst, _eflags)
 419#endif                          /* __i386__ */
 420
 421/* Fetch next part of the instruction being emulated. */
 422#define insn_fetch(_type, _size, _eip)                                  \
 423({      unsigned long _x;                                               \
 424        rc = ops->read_std((unsigned long)(_eip) + ctxt->cs_base, &_x,  \
 425                                                  (_size), ctxt->vcpu); \
 426        if ( rc != 0 )                                                  \
 427                goto done;                                              \
 428        (_eip) += (_size);                                              \
 429        (_type)_x;                                                      \
 430})
 431
 432/* Access/update address held in a register, based on addressing mode. */
 433#define address_mask(reg)                                               \
 434        ((ad_bytes == sizeof(unsigned long)) ?                          \
 435                (reg) : ((reg) & ((1UL << (ad_bytes << 3)) - 1)))
 436#define register_address(base, reg)                                     \
 437        ((base) + address_mask(reg))
 438#define register_address_increment(reg, inc)                            \
 439        do {                                                            \
 440                /* signed type ensures sign extension to long */        \
 441                int _inc = (inc);                                       \
 442                if ( ad_bytes == sizeof(unsigned long) )                \
 443                        (reg) += _inc;                                  \
 444                else                                                    \
 445                        (reg) = ((reg) & ~((1UL << (ad_bytes << 3)) - 1)) | \
 446                           (((reg) + _inc) & ((1UL << (ad_bytes << 3)) - 1)); \
 447        } while (0)
 448
 449#define JMP_REL(rel)                                                    \
 450        do {                                                            \
 451                register_address_increment(_eip, rel);                  \
 452        } while (0)
 453
 454/*
 455 * Given the 'reg' portion of a ModRM byte, and a register block, return a
 456 * pointer into the block that addresses the relevant register.
 457 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
 458 */
 459static void *decode_register(u8 modrm_reg, unsigned long *regs,
 460                             int highbyte_regs)
 461{
 462        void *p;
 463
 464        p = &regs[modrm_reg];
 465        if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
 466                p = (unsigned char *)&regs[modrm_reg & 3] + 1;
 467        return p;
 468}
 469
 470static int read_descriptor(struct x86_emulate_ctxt *ctxt,
 471                           struct x86_emulate_ops *ops,
 472                           void *ptr,
 473                           u16 *size, unsigned long *address, int op_bytes)
 474{
 475        int rc;
 476
 477        if (op_bytes == 2)
 478                op_bytes = 3;
 479        *address = 0;
 480        rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
 481                           ctxt->vcpu);
 482        if (rc)
 483                return rc;
 484        rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
 485                           ctxt->vcpu);
 486        return rc;
 487}
 488
 489static int test_cc(unsigned int condition, unsigned int flags)
 490{
 491        int rc = 0;
 492
 493        switch ((condition & 15) >> 1) {
 494        case 0: /* o */
 495                rc |= (flags & EFLG_OF);
 496                break;
 497        case 1: /* b/c/nae */
 498                rc |= (flags & EFLG_CF);
 499                break;
 500        case 2: /* z/e */
 501                rc |= (flags & EFLG_ZF);
 502                break;
 503        case 3: /* be/na */
 504                rc |= (flags & (EFLG_CF|EFLG_ZF));
 505                break;
 506        case 4: /* s */
 507                rc |= (flags & EFLG_SF);
 508                break;
 509        case 5: /* p/pe */
 510                rc |= (flags & EFLG_PF);
 511                break;
 512        case 7: /* le/ng */
 513                rc |= (flags & EFLG_ZF);
 514                /* fall through */
 515        case 6: /* l/nge */
 516                rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
 517                break;
 518        }
 519
 520        /* Odd condition identifiers (lsb == 1) have inverted sense. */
 521        return (!!rc ^ (condition & 1));
 522}
 523
 524int
 525x86_emulate_memop(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
 526{
 527        unsigned d;
 528        u8 b, sib, twobyte = 0, rex_prefix = 0;
 529        u8 modrm, modrm_mod = 0, modrm_reg = 0, modrm_rm = 0;
 530        unsigned long *override_base = NULL;
 531        unsigned int op_bytes, ad_bytes, lock_prefix = 0, rep_prefix = 0, i;
 532        int rc = 0;
 533        struct operand src, dst;
 534        unsigned long cr2 = ctxt->cr2;
 535        int mode = ctxt->mode;
 536        unsigned long modrm_ea;
 537        int use_modrm_ea, index_reg = 0, base_reg = 0, scale, rip_relative = 0;
 538        int no_wb = 0;
 539        u64 msr_data;
 540
 541        /* Shadow copy of register state. Committed on successful emulation. */
 542        unsigned long _regs[NR_VCPU_REGS];
 543        unsigned long _eip = ctxt->vcpu->rip, _eflags = ctxt->eflags;
 544        unsigned long modrm_val = 0;
 545
 546        memcpy(_regs, ctxt->vcpu->regs, sizeof _regs);
 547
 548        switch (mode) {
 549        case X86EMUL_MODE_REAL:
 550        case X86EMUL_MODE_PROT16:
 551                op_bytes = ad_bytes = 2;
 552                break;
 553        case X86EMUL_MODE_PROT32:
 554                op_bytes = ad_bytes = 4;
 555                break;
 556#ifdef CONFIG_X86_64
 557        case X86EMUL_MODE_PROT64:
 558                op_bytes = 4;
 559                ad_bytes = 8;
 560                break;
 561#endif
 562        default:
 563                return -1;
 564        }
 565
 566        /* Legacy prefixes. */
 567        for (i = 0; i < 8; i++) {
 568                switch (b = insn_fetch(u8, 1, _eip)) {
 569                case 0x66:      /* operand-size override */
 570                        op_bytes ^= 6;  /* switch between 2/4 bytes */
 571                        break;
 572                case 0x67:      /* address-size override */
 573                        if (mode == X86EMUL_MODE_PROT64)
 574                                ad_bytes ^= 12; /* switch between 4/8 bytes */
 575                        else
 576                                ad_bytes ^= 6;  /* switch between 2/4 bytes */
 577                        break;
 578                case 0x2e:      /* CS override */
 579                        override_base = &ctxt->cs_base;
 580                        break;
 581                case 0x3e:      /* DS override */
 582                        override_base = &ctxt->ds_base;
 583                        break;
 584                case 0x26:      /* ES override */
 585                        override_base = &ctxt->es_base;
 586                        break;
 587                case 0x64:      /* FS override */
 588                        override_base = &ctxt->fs_base;
 589                        break;
 590                case 0x65:      /* GS override */
 591                        override_base = &ctxt->gs_base;
 592                        break;
 593                case 0x36:      /* SS override */
 594                        override_base = &ctxt->ss_base;
 595                        break;
 596                case 0xf0:      /* LOCK */
 597                        lock_prefix = 1;
 598                        break;
 599                case 0xf2:      /* REPNE/REPNZ */
 600                case 0xf3:      /* REP/REPE/REPZ */
 601                        rep_prefix = 1;
 602                        break;
 603                default:
 604                        goto done_prefixes;
 605                }
 606        }
 607
 608done_prefixes:
 609
 610        /* REX prefix. */
 611        if ((mode == X86EMUL_MODE_PROT64) && ((b & 0xf0) == 0x40)) {
 612                rex_prefix = b;
 613                if (b & 8)
 614                        op_bytes = 8;   /* REX.W */
 615                modrm_reg = (b & 4) << 1;       /* REX.R */
 616                index_reg = (b & 2) << 2; /* REX.X */
 617                modrm_rm = base_reg = (b & 1) << 3; /* REG.B */
 618                b = insn_fetch(u8, 1, _eip);
 619        }
 620
 621        /* Opcode byte(s). */
 622        d = opcode_table[b];
 623        if (d == 0) {
 624                /* Two-byte opcode? */
 625                if (b == 0x0f) {
 626                        twobyte = 1;
 627                        b = insn_fetch(u8, 1, _eip);
 628                        d = twobyte_table[b];
 629                }
 630
 631                /* Unrecognised? */
 632                if (d == 0)
 633                        goto cannot_emulate;
 634        }
 635
 636        /* ModRM and SIB bytes. */
 637        if (d & ModRM) {
 638                modrm = insn_fetch(u8, 1, _eip);
 639                modrm_mod |= (modrm & 0xc0) >> 6;
 640                modrm_reg |= (modrm & 0x38) >> 3;
 641                modrm_rm |= (modrm & 0x07);
 642                modrm_ea = 0;
 643                use_modrm_ea = 1;
 644
 645                if (modrm_mod == 3) {
 646                        modrm_val = *(unsigned long *)
 647                                decode_register(modrm_rm, _regs, d & ByteOp);
 648                        goto modrm_done;
 649                }
 650
 651                if (ad_bytes == 2) {
 652                        unsigned bx = _regs[VCPU_REGS_RBX];
 653                        unsigned bp = _regs[VCPU_REGS_RBP];
 654                        unsigned si = _regs[VCPU_REGS_RSI];
 655                        unsigned di = _regs[VCPU_REGS_RDI];
 656
 657                        /* 16-bit ModR/M decode. */
 658                        switch (modrm_mod) {
 659                        case 0:
 660                                if (modrm_rm == 6)
 661                                        modrm_ea += insn_fetch(u16, 2, _eip);
 662                                break;
 663                        case 1:
 664                                modrm_ea += insn_fetch(s8, 1, _eip);
 665                                break;
 666                        case 2:
 667                                modrm_ea += insn_fetch(u16, 2, _eip);
 668                                break;
 669                        }
 670                        switch (modrm_rm) {
 671                        case 0:
 672                                modrm_ea += bx + si;
 673                                break;
 674                        case 1:
 675                                modrm_ea += bx + di;
 676                                break;
 677                        case 2:
 678                                modrm_ea += bp + si;
 679                                break;
 680                        case 3:
 681                                modrm_ea += bp + di;
 682                                break;
 683                        case 4:
 684                                modrm_ea += si;
 685                                break;
 686                        case 5:
 687                                modrm_ea += di;
 688                                break;
 689                        case 6:
 690                                if (modrm_mod != 0)
 691                                        modrm_ea += bp;
 692                                break;
 693                        case 7:
 694                                modrm_ea += bx;
 695                                break;
 696                        }
 697                        if (modrm_rm == 2 || modrm_rm == 3 ||
 698                            (modrm_rm == 6 && modrm_mod != 0))
 699                                if (!override_base)
 700                                        override_base = &ctxt->ss_base;
 701                        modrm_ea = (u16)modrm_ea;
 702                } else {
 703                        /* 32/64-bit ModR/M decode. */
 704                        switch (modrm_rm) {
 705                        case 4:
 706                        case 12:
 707                                sib = insn_fetch(u8, 1, _eip);
 708                                index_reg |= (sib >> 3) & 7;
 709                                base_reg |= sib & 7;
 710                                scale = sib >> 6;
 711
 712                                switch (base_reg) {
 713                                case 5:
 714                                        if (modrm_mod != 0)
 715                                                modrm_ea += _regs[base_reg];
 716                                        else
 717                                                modrm_ea += insn_fetch(s32, 4, _eip);
 718                                        break;
 719                                default:
 720                                        modrm_ea += _regs[base_reg];
 721                                }
 722                                switch (index_reg) {
 723                                case 4:
 724                                        break;
 725                                default:
 726                                        modrm_ea += _regs[index_reg] << scale;
 727
 728                                }
 729                                break;
 730                        case 5:
 731                                if (modrm_mod != 0)
 732                                        modrm_ea += _regs[modrm_rm];
 733                                else if (mode == X86EMUL_MODE_PROT64)
 734                                        rip_relative = 1;
 735                                break;
 736                        default:
 737                                modrm_ea += _regs[modrm_rm];
 738                                break;
 739                        }
 740                        switch (modrm_mod) {
 741                        case 0:
 742                                if (modrm_rm == 5)
 743                                        modrm_ea += insn_fetch(s32, 4, _eip);
 744                                break;
 745                        case 1:
 746                                modrm_ea += insn_fetch(s8, 1, _eip);
 747                                break;
 748                        case 2:
 749                                modrm_ea += insn_fetch(s32, 4, _eip);
 750                                break;
 751                        }
 752                }
 753                if (!override_base)
 754                        override_base = &ctxt->ds_base;
 755                if (mode == X86EMUL_MODE_PROT64 &&
 756                    override_base != &ctxt->fs_base &&
 757                    override_base != &ctxt->gs_base)
 758                        override_base = NULL;
 759
 760                if (override_base)
 761                        modrm_ea += *override_base;
 762
 763                if (rip_relative) {
 764                        modrm_ea += _eip;
 765                        switch (d & SrcMask) {
 766                        case SrcImmByte:
 767                                modrm_ea += 1;
 768                                break;
 769                        case SrcImm:
 770                                if (d & ByteOp)
 771                                        modrm_ea += 1;
 772                                else
 773                                        if (op_bytes == 8)
 774                                                modrm_ea += 4;
 775                                        else
 776                                                modrm_ea += op_bytes;
 777                        }
 778                }
 779                if (ad_bytes != 8)
 780                        modrm_ea = (u32)modrm_ea;
 781                cr2 = modrm_ea;
 782        modrm_done:
 783                ;
 784        }
 785
 786        /*
 787         * Decode and fetch the source operand: register, memory
 788         * or immediate.
 789         */
 790        switch (d & SrcMask) {
 791        case SrcNone:
 792                break;
 793        case SrcReg:
 794                src.type = OP_REG;
 795                if (d & ByteOp) {
 796                        src.ptr = decode_register(modrm_reg, _regs,
 797                                                  (rex_prefix == 0));
 798                        src.val = src.orig_val = *(u8 *) src.ptr;
 799                        src.bytes = 1;
 800                } else {
 801                        src.ptr = decode_register(modrm_reg, _regs, 0);
 802                        switch ((src.bytes = op_bytes)) {
 803                        case 2:
 804                                src.val = src.orig_val = *(u16 *) src.ptr;
 805                                break;
 806                        case 4:
 807                                src.val = src.orig_val = *(u32 *) src.ptr;
 808                                break;
 809                        case 8:
 810                                src.val = src.orig_val = *(u64 *) src.ptr;
 811                                break;
 812                        }
 813                }
 814                break;
 815        case SrcMem16:
 816                src.bytes = 2;
 817                goto srcmem_common;
 818        case SrcMem32:
 819                src.bytes = 4;
 820                goto srcmem_common;
 821        case SrcMem:
 822                src.bytes = (d & ByteOp) ? 1 : op_bytes;
 823                /* Don't fetch the address for invlpg: it could be unmapped. */
 824                if (twobyte && b == 0x01 && modrm_reg == 7)
 825                        break;
 826              srcmem_common:
 827                /*
 828                 * For instructions with a ModR/M byte, switch to register
 829                 * access if Mod = 3.
 830                 */
 831                if ((d & ModRM) && modrm_mod == 3) {
 832                        src.type = OP_REG;
 833                        break;
 834                }
 835                src.type = OP_MEM;
 836                src.ptr = (unsigned long *)cr2;
 837                src.val = 0;
 838                if ((rc = ops->read_emulated((unsigned long)src.ptr,
 839                                             &src.val, src.bytes, ctxt->vcpu)) != 0)
 840                        goto done;
 841                src.orig_val = src.val;
 842                break;
 843        case SrcImm:
 844                src.type = OP_IMM;
 845                src.ptr = (unsigned long *)_eip;
 846                src.bytes = (d & ByteOp) ? 1 : op_bytes;
 847                if (src.bytes == 8)
 848                        src.bytes = 4;
 849                /* NB. Immediates are sign-extended as necessary. */
 850                switch (src.bytes) {
 851                case 1:
 852                        src.val = insn_fetch(s8, 1, _eip);
 853                        break;
 854                case 2:
 855                        src.val = insn_fetch(s16, 2, _eip);
 856                        break;
 857                case 4:
 858                        src.val = insn_fetch(s32, 4, _eip);
 859                        break;
 860                }
 861                break;
 862        case SrcImmByte:
 863                src.type = OP_IMM;
 864                src.ptr = (unsigned long *)_eip;
 865                src.bytes = 1;
 866                src.val = insn_fetch(s8, 1, _eip);
 867                break;
 868        }
 869
 870        /* Decode and fetch the destination operand: register or memory. */
 871        switch (d & DstMask) {
 872        case ImplicitOps:
 873                /* Special instructions do their own operand decoding. */
 874                goto special_insn;
 875        case DstReg:
 876                dst.type = OP_REG;
 877                if ((d & ByteOp)
 878                    && !(twobyte && (b == 0xb6 || b == 0xb7))) {
 879                        dst.ptr = decode_register(modrm_reg, _regs,
 880                                                  (rex_prefix == 0));
 881                        dst.val = *(u8 *) dst.ptr;
 882                        dst.bytes = 1;
 883                } else {
 884                        dst.ptr = decode_register(modrm_reg, _regs, 0);
 885                        switch ((dst.bytes = op_bytes)) {
 886                        case 2:
 887                                dst.val = *(u16 *)dst.ptr;
 888                                break;
 889                        case 4:
 890                                dst.val = *(u32 *)dst.ptr;
 891                                break;
 892                        case 8:
 893                                dst.val = *(u64 *)dst.ptr;
 894                                break;
 895                        }
 896                }
 897                break;
 898        case DstMem:
 899                dst.type = OP_MEM;
 900                dst.ptr = (unsigned long *)cr2;
 901                dst.bytes = (d & ByteOp) ? 1 : op_bytes;
 902                dst.val = 0;
 903                /*
 904                 * For instructions with a ModR/M byte, switch to register
 905                 * access if Mod = 3.
 906                 */
 907                if ((d & ModRM) && modrm_mod == 3) {
 908                        dst.type = OP_REG;
 909                        break;
 910                }
 911                if (d & BitOp) {
 912                        unsigned long mask = ~(dst.bytes * 8 - 1);
 913
 914                        dst.ptr = (void *)dst.ptr + (src.val & mask) / 8;
 915                }
 916                if (!(d & Mov) && /* optimisation - avoid slow emulated read */
 917                    ((rc = ops->read_emulated((unsigned long)dst.ptr,
 918                                              &dst.val, dst.bytes, ctxt->vcpu)) != 0))
 919                        goto done;
 920                break;
 921        }
 922        dst.orig_val = dst.val;
 923
 924        if (twobyte)
 925                goto twobyte_insn;
 926
 927        switch (b) {
 928        case 0x00 ... 0x05:
 929              add:              /* add */
 930                emulate_2op_SrcV("add", src, dst, _eflags);
 931                break;
 932        case 0x08 ... 0x0d:
 933              or:               /* or */
 934                emulate_2op_SrcV("or", src, dst, _eflags);
 935                break;
 936        case 0x10 ... 0x15:
 937              adc:              /* adc */
 938                emulate_2op_SrcV("adc", src, dst, _eflags);
 939                break;
 940        case 0x18 ... 0x1d:
 941              sbb:              /* sbb */
 942                emulate_2op_SrcV("sbb", src, dst, _eflags);
 943                break;
 944        case 0x20 ... 0x23:
 945              and:              /* and */
 946                emulate_2op_SrcV("and", src, dst, _eflags);
 947                break;
 948        case 0x24:              /* and al imm8 */
 949                dst.type = OP_REG;
 950                dst.ptr = &_regs[VCPU_REGS_RAX];
 951                dst.val = *(u8 *)dst.ptr;
 952                dst.bytes = 1;
 953                dst.orig_val = dst.val;
 954                goto and;
 955        case 0x25:              /* and ax imm16, or eax imm32 */
 956                dst.type = OP_REG;
 957                dst.bytes = op_bytes;
 958                dst.ptr = &_regs[VCPU_REGS_RAX];
 959                if (op_bytes == 2)
 960                        dst.val = *(u16 *)dst.ptr;
 961                else
 962                        dst.val = *(u32 *)dst.ptr;
 963                dst.orig_val = dst.val;
 964                goto and;
 965        case 0x28 ... 0x2d:
 966              sub:              /* sub */
 967                emulate_2op_SrcV("sub", src, dst, _eflags);
 968                break;
 969        case 0x30 ... 0x35:
 970              xor:              /* xor */
 971                emulate_2op_SrcV("xor", src, dst, _eflags);
 972                break;
 973        case 0x38 ... 0x3d:
 974              cmp:              /* cmp */
 975                emulate_2op_SrcV("cmp", src, dst, _eflags);
 976                break;
 977        case 0x63:              /* movsxd */
 978                if (mode != X86EMUL_MODE_PROT64)
 979                        goto cannot_emulate;
 980                dst.val = (s32) src.val;
 981                break;
 982        case 0x80 ... 0x83:     /* Grp1 */
 983                switch (modrm_reg) {
 984                case 0:
 985                        goto add;
 986                case 1:
 987                        goto or;
 988                case 2:
 989                        goto adc;
 990                case 3:
 991                        goto sbb;
 992                case 4:
 993                        goto and;
 994                case 5:
 995                        goto sub;
 996                case 6:
 997                        goto xor;
 998                case 7:
 999                        goto cmp;
1000                }

1001                break;
1002        case 0x84 ... 0x85:
1003              test:             /* test */
1004                emulate_2op_SrcV("test", src, dst, _eflags);
1005                break;
1006        case 0x86 ... 0x87:     /* xchg */
1007                /* Write back the register source. */
1008                switch (dst.bytes) {
1009                case 1:
1010                        *(u8 *) src.ptr = (u8) dst.val;
1011                        break;
1012                case 2:
1013                        *(u16 *) src.ptr = (u16) dst.val;
1014                        break;
1015                case 4:
1016                        *src.ptr = (u32) dst.val;
1017                        break;  /* 64b reg: zero-extend */
1018                case 8:
1019                        *src.ptr = dst.val;
1020                        break;
1021                }
1022                /*
1023                 * Write back the memory destination with implicit LOCK
1024                 * prefix.
1025                 */
1026                dst.val = src.val;
1027                lock_prefix = 1;
1028                break;
1029        case 0x88 ... 0x8b:     /* mov */
1030                goto mov;
1031        case 0x8d: /* lea r16/r32, m */
1032                dst.val = modrm_val;
1033                break;
1034        case 0x8f:              /* pop (sole member of Grp1a) */
1035                /* 64-bit mode: POP always pops a 64-bit operand. */
1036                if (mode == X86EMUL_MODE_PROT64)
1037                        dst.bytes = 8;
1038                if ((rc = ops->read_std(register_address(ctxt->ss_base,
1039                                                         _regs[VCPU_REGS_RSP]),
1040                                        &dst.val, dst.bytes, ctxt->vcpu)) != 0)
1041                        goto done;
1042                register_address_increment(_regs[VCPU_REGS_RSP], dst.bytes);
1043                break;
1044        case 0xa0 ... 0xa1:     /* mov */
1045                dst.ptr = (unsigned long *)&_regs[VCPU_REGS_RAX];
1046                dst.val = src.val;
1047                _eip += ad_bytes;       /* skip src displacement */
1048                break;
1049        case 0xa2 ... 0xa3:     /* mov */
1050                dst.val = (unsigned long)_regs[VCPU_REGS_RAX];
1051                _eip += ad_bytes;       /* skip dst displacement */
1052                break;
1053        case 0xc0 ... 0xc1:
1054              grp2:             /* Grp2 */
1055                switch (modrm_reg) {
1056                case 0: /* rol */
1057                        emulate_2op_SrcB("rol", src, dst, _eflags);
1058                        break;
1059                case 1: /* ror */
1060                        emulate_2op_SrcB("ror", src, dst, _eflags);
1061                        break;
1062                case 2: /* rcl */
1063                        emulate_2op_SrcB("rcl", src, dst, _eflags);
1064                        break;
1065                case 3: /* rcr */
1066                        emulate_2op_SrcB("rcr", src, dst, _eflags);
1067                        break;
1068                case 4: /* sal/shl */
1069                case 6: /* sal/shl */
1070                        emulate_2op_SrcB("sal", src, dst, _eflags);
1071                        break;
1072                case 5: /* shr */
1073                        emulate_2op_SrcB("shr", src, dst, _eflags);
1074                        break;
1075                case 7: /* sar */
1076                        emulate_2op_SrcB("sar", src, dst, _eflags);
1077                        break;
1078                }
1079                break;
1080        case 0xc6 ... 0xc7:     /* mov (sole member of Grp11) */
1081        mov:
1082                dst.val = src.val;
1083                break;
1084        case 0xd0 ... 0xd1:     /* Grp2 */
1085                src.val = 1;
1086                goto grp2;
1087        case 0xd2 ... 0xd3:     /* Grp2 */
1088                src.val = _regs[VCPU_REGS_RCX];
1089                goto grp2;
1090        case 0xf6 ... 0xf7:     /* Grp3 */
1091                switch (modrm_reg) {
1092                case 0 ... 1:   /* test */
1093                        /*
1094                         * Special case in Grp3: test has an immediate
1095                         * source operand.
1096                         */
1097                        src.type = OP_IMM;
1098                        src.ptr = (unsigned long *)_eip;
1099                        src.bytes = (d & ByteOp) ? 1 : op_bytes;
1100                        if (src.bytes == 8)
1101                                src.bytes = 4;
1102                        switch (src.bytes) {
1103                        case 1:
1104                                src.val = insn_fetch(s8, 1, _eip);
1105                                break;
1106                        case 2:
1107                                src.val = insn_fetch(s16, 2, _eip);
1108                                break;
1109                        case 4:
1110                                src.val = insn_fetch(s32, 4, _eip);
1111                                break;
1112                        }
1113                        goto test;
1114                case 2: /* not */
1115                        dst.val = ~dst.val;
1116                        break;
1117                case 3: /* neg */
1118                        emulate_1op("neg", dst, _eflags);
1119                        break;
1120                default:
1121                        goto cannot_emulate;
1122                }
1123                break;
1124        case 0xfe ... 0xff:     /* Grp4/Grp5 */
1125                switch (modrm_reg) {
1126                case 0: /* inc */
1127                        emulate_1op("inc", dst, _eflags);
1128                        break;
1129                case 1: /* dec */
1130                        emulate_1op("dec", dst, _eflags);
1131                        break;
1132                case 4: /* jmp abs */
1133                        if (b == 0xff)
1134                                _eip = dst.val;
1135                        else
1136                                goto cannot_emulate;
1137                        break;
1138                case 6: /* push */
1139                        /* 64-bit mode: PUSH always pushes a 64-bit operand. */
1140                        if (mode == X86EMUL_MODE_PROT64) {
1141                                dst.bytes = 8;
1142                                if ((rc = ops->read_std((unsigned long)dst.ptr,
1143                                                        &dst.val, 8,
1144                                                        ctxt->vcpu)) != 0)
1145                                        goto done;
1146                        }
1147                        register_address_increment(_regs[VCPU_REGS_RSP],
1148                                                   -dst.bytes);
1149                        if ((rc = ops->write_emulated(
1150                                     register_address(ctxt->ss_base,
1151                                                      _regs[VCPU_REGS_RSP]),
1152                                     &dst.val, dst.bytes, ctxt->vcpu)) != 0)
1153                                goto done;
1154                        no_wb = 1;
1155                        break;
1156                default:
1157                        goto cannot_emulate;
1158                }
1159                break;
1160        }
1161
1162writeback:
1163        if (!no_wb) {
1164                switch (dst.type) {
1165                case OP_REG:
1166                        /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1167                        switch (dst.bytes) {
1168                        case 1:
1169                                *(u8 *)dst.ptr = (u8)dst.val;
1170                                break;
1171                        case 2:
1172                                *(u16 *)dst.ptr = (u16)dst.val;
1173                                break;
1174                        case 4:
1175                                *dst.ptr = (u32)dst.val;
1176                                break;  /* 64b: zero-ext */
1177                        case 8:
1178                                *dst.ptr = dst.val;
1179                                break;
1180                        }
1181                        break;
1182                case OP_MEM:
1183                        if (lock_prefix)
1184                                rc = ops->cmpxchg_emulated((unsigned long)dst.
1185                                                           ptr, &dst.orig_val,
1186                                                           &dst.val, dst.bytes,
1187                                                           ctxt->vcpu);
1188                        else
1189                                rc = ops->write_emulated((unsigned long)dst.ptr,
1190                                                         &dst.val, dst.bytes,
1191                                                         ctxt->vcpu);
1192                        if (rc != 0)
1193                                goto done;
1194                default:
1195                        break;
1196                }
1197        }
1198
1199        /* Commit shadow register state. */
1200        memcpy(ctxt->vcpu->regs, _regs, sizeof _regs);
1201        ctxt->eflags = _eflags;
1202        ctxt->vcpu->rip = _eip;
1203
1204done:
1205        return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
1206
1207special_insn:
1208        if (twobyte)
1209                goto twobyte_special_insn;
1210        switch(b) {
1211        case 0x50 ... 0x57:  /* push reg */
1212                if (op_bytes == 2)
1213                        src.val = (u16) _regs[b & 0x7];
1214                else
1215                        src.val = (u32) _regs[b & 0x7];
1216                dst.type  = OP_MEM;
1217                dst.bytes = op_bytes;
1218                dst.val = src.val;
1219                register_address_increment(_regs[VCPU_REGS_RSP], -op_bytes);
1220                dst.ptr = (void *) register_address(
1221                        ctxt->ss_base, _regs[VCPU_REGS_RSP]);
1222                break;
1223        case 0x58 ... 0x5f: /* pop reg */
1224                dst.ptr = (unsigned long *)&_regs[b & 0x7];
1225        pop_instruction:
1226                if ((rc = ops->read_std(register_address(ctxt->ss_base,
1227                        _regs[VCPU_REGS_RSP]), dst.ptr, op_bytes, ctxt->vcpu))
1228                        != 0)
1229                        goto done;
1230
1231                register_address_increment(_regs[VCPU_REGS_RSP], op_bytes);
1232                no_wb = 1; /* Disable writeback. */
1233                break;
1234        case 0x6a: /* push imm8 */
1235                src.val = 0L;
1236                src.val = insn_fetch(s8, 1, _eip);
1237        push:
1238                dst.type  = OP_MEM;
1239                dst.bytes = op_bytes;
1240                dst.val = src.val;
1241                register_address_increment(_regs[VCPU_REGS_RSP], -op_bytes);
1242                dst.ptr = (void *) register_address(ctxt->ss_base,
1243                                                        _regs[VCPU_REGS_RSP]);
1244                break;
1245        case 0x6c:              /* insb */
1246        case 0x6d:              /* insw/insd */
1247                 if (kvm_emulate_pio_string(ctxt->vcpu, NULL,
1248                                1,                                      /* in */
1249                                (d & ByteOp) ? 1 : op_bytes,            /* size */
1250                                rep_prefix ?
1251                                address_mask(_regs[VCPU_REGS_RCX]) : 1, /* count */
1252                                (_eflags & EFLG_DF),                    /* down */
1253                                register_address(ctxt->es_base,
1254                                                 _regs[VCPU_REGS_RDI]), /* address */
1255                                rep_prefix,
1256                                _regs[VCPU_REGS_RDX]                    /* port */
1257                                ) == 0)
1258                        return -1;
1259                return 0;
1260        case 0x6e:              /* outsb */
1261        case 0x6f:              /* outsw/outsd */
1262                if (kvm_emulate_pio_string(ctxt->vcpu, NULL,
1263                                0,                                      /* in */
1264                                (d & ByteOp) ? 1 : op_bytes,            /* size */
1265                                rep_prefix ?
1266                                address_mask(_regs[VCPU_REGS_RCX]) : 1, /* count */
1267                                (_eflags & EFLG_DF),                    /* down */
1268                                register_address(override_base ?
1269                                                 *override_base : ctxt->ds_base,
1270                                                 _regs[VCPU_REGS_RSI]), /* address */
1271                                rep_prefix,
1272                                _regs[VCPU_REGS_RDX]                    /* port */
1273                                ) == 0)
1274                        return -1;
1275                return 0;
1276        case 0x70 ... 0x7f: /* jcc (short) */ {
1277                int rel = insn_fetch(s8, 1, _eip);
1278
1279                if (test_cc(b, _eflags))
1280                JMP_REL(rel);
1281                break;
1282        }
1283        case 0x9c: /* pushf */
1284                src.val =  (unsigned long) _eflags;
1285                goto push;
1286        case 0x9d: /* popf */
1287                dst.ptr = (unsigned long *) &_eflags;
1288                goto pop_instruction;
1289        case 0xc3: /* ret */
1290                dst.ptr = &_eip;
1291                goto pop_instruction;
1292        case 0xf4:              /* hlt */
1293                ctxt->vcpu->halt_request = 1;
1294                goto done;
1295        }
1296        if (rep_prefix) {
1297                if (_regs[VCPU_REGS_RCX] == 0) {
1298                        ctxt->vcpu->rip = _eip;
1299                        goto done;
1300                }
1301                _regs[VCPU_REGS_RCX]--;
1302                _eip = ctxt->vcpu->rip;
1303        }
1304        switch (b) {
1305        case 0xa4 ... 0xa5:     /* movs */
1306                dst.type = OP_MEM;
1307                dst.bytes = (d & ByteOp) ? 1 : op_bytes;
1308                dst.ptr = (unsigned long *)register_address(ctxt->es_base,
1309                                                        _regs[VCPU_REGS_RDI]);
1310                if ((rc = ops->read_emulated(register_address(
1311                      override_base ? *override_base : ctxt->ds_base,
1312                      _regs[VCPU_REGS_RSI]), &dst.val, dst.bytes, ctxt->vcpu)) != 0)
1313                        goto done;
1314                register_address_increment(_regs[VCPU_REGS_RSI],
1315                             (_eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
1316                register_address_increment(_regs[VCPU_REGS_RDI],
1317                             (_eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
1318                break;
1319        case 0xa6 ... 0xa7:     /* cmps */
1320                DPRINTF("Urk! I don't handle CMPS.\n");
1321                goto cannot_emulate;
1322        case 0xaa ... 0xab:     /* stos */
1323                dst.type = OP_MEM;
1324                dst.bytes = (d & ByteOp) ? 1 : op_bytes;
1325                dst.ptr = (unsigned long *)cr2;
1326                dst.val = _regs[VCPU_REGS_RAX];
1327                register_address_increment(_regs[VCPU_REGS_RDI],
1328                             (_eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
1329                break;
1330        case 0xac ... 0xad:     /* lods */
1331                dst.type = OP_REG;
1332                dst.bytes = (d & ByteOp) ? 1 : op_bytes;
1333                dst.ptr = (unsigned long *)&_regs[VCPU_REGS_RAX];
1334                if ((rc = ops->read_emulated(cr2, &dst.val, dst.bytes,
1335                                             ctxt->vcpu)) != 0)
1336                        goto done;
1337                register_address_increment(_regs[VCPU_REGS_RSI],
1338                           (_eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
1339                break;
1340        case 0xae ... 0xaf:     /* scas */
1341                DPRINTF("Urk! I don't handle SCAS.\n");
1342                goto cannot_emulate;
1343        case 0xe8: /* call (near) */ {
1344                long int rel;
1345                switch (op_bytes) {
1346                case 2:
1347                        rel = insn_fetch(s16, 2, _eip);
1348                        break;
1349                case 4:
1350                        rel = insn_fetch(s32, 4, _eip);
1351                        break;
1352                case 8:
1353                        rel = insn_fetch(s64, 8, _eip);
1354                        break;
1355                default:
1356                        DPRINTF("Call: Invalid op_bytes\n");
1357                        goto cannot_emulate;
1358                }
1359                src.val = (unsigned long) _eip;
1360                JMP_REL(rel);
1361                op_bytes = ad_bytes;
1362                goto push;
1363        }
1364        case 0xe9: /* jmp rel */
1365        case 0xeb: /* jmp rel short */
1366                JMP_REL(src.val);
1367                no_wb = 1; /* Disable writeback. */
1368                break;
1369
1370
1371        }
1372        goto writeback;
1373
1374twobyte_insn:
1375        switch (b) {
1376        case 0x01: /* lgdt, lidt, lmsw */
1377                /* Disable writeback. */
1378                no_wb = 1;
1379                switch (modrm_reg) {
1380                        u16 size;
1381                        unsigned long address;
1382
1383                case 2: /* lgdt */
1384                        rc = read_descriptor(ctxt, ops, src.ptr,
1385                                             &size, &address, op_bytes);
1386                        if (rc)
1387                                goto done;
1388                        realmode_lgdt(ctxt->vcpu, size, address);
1389                        break;
1390                case 3: /* lidt */
1391                        rc = read_descriptor(ctxt, ops, src.ptr,
1392                                             &size, &address, op_bytes);
1393                        if (rc)
1394                                goto done;
1395                        realmode_lidt(ctxt->vcpu, size, address);
1396                        break;
1397                case 4: /* smsw */
1398                        if (modrm_mod != 3)
1399                                goto cannot_emulate;
1400                        *(u16 *)&_regs[modrm_rm]
1401                                = realmode_get_cr(ctxt->vcpu, 0);
1402                        break;
1403                case 6: /* lmsw */
1404                        if (modrm_mod != 3)
1405                                goto cannot_emulate;
1406                        realmode_lmsw(ctxt->vcpu, (u16)modrm_val, &_eflags);
1407                        break;
1408                case 7: /* invlpg*/
1409                        emulate_invlpg(ctxt->vcpu, cr2);
1410                        break;
1411                default:
1412                        goto cannot_emulate;
1413                }
1414                break;
1415        case 0x21: /* mov from dr to reg */
1416                no_wb = 1;
1417                if (modrm_mod != 3)
1418                        goto cannot_emulate;
1419                rc = emulator_get_dr(ctxt, modrm_reg, &_regs[modrm_rm]);
1420                break;
1421        case 0x23: /* mov from reg to dr */
1422                no_wb = 1;
1423                if (modrm_mod != 3)
1424                        goto cannot_emulate;
1425                rc = emulator_set_dr(ctxt, modrm_reg, _regs[modrm_rm]);
1426                break;
1427        case 0x40 ... 0x4f:     /* cmov */
1428                dst.val = dst.orig_val = src.val;
1429                no_wb = 1;
1430                /*
1431                 * First, assume we're decoding an even cmov opcode
1432                 * (lsb == 0).
1433                 */
1434                switch ((b & 15) >> 1) {
1435                case 0: /* cmovo */
1436                        no_wb = (_eflags & EFLG_OF) ? 0 : 1;
1437                        break;
1438                case 1: /* cmovb/cmovc/cmovnae */
1439                        no_wb = (_eflags & EFLG_CF) ? 0 : 1;
1440                        break;
1441                case 2: /* cmovz/cmove */
1442                        no_wb = (_eflags & EFLG_ZF) ? 0 : 1;
1443                        break;
1444                case 3: /* cmovbe/cmovna */
1445                        no_wb = (_eflags & (EFLG_CF | EFLG_ZF)) ? 0 : 1;
1446                        break;
1447                case 4: /* cmovs */
1448                        no_wb = (_eflags & EFLG_SF) ? 0 : 1;
1449                        break;
1450                case 5: /* cmovp/cmovpe */
1451                        no_wb = (_eflags & EFLG_PF) ? 0 : 1;
1452                        break;
1453                case 7: /* cmovle/cmovng */
1454                        no_wb = (_eflags & EFLG_ZF) ? 0 : 1;
1455                        /* fall through */
1456                case 6: /* cmovl/cmovnge */
1457                        no_wb &= (!(_eflags & EFLG_SF) !=
1458                              !(_eflags & EFLG_OF)) ? 0 : 1;
1459                        break;
1460                }
1461                /* Odd cmov opcodes (lsb == 1) have inverted sense. */
1462                no_wb ^= b & 1;
1463                break;
1464        case 0xa3:
1465              bt:               /* bt */
1466                src.val &= (dst.bytes << 3) - 1; /* only subword offset */
1467                emulate_2op_SrcV_nobyte("bt", src, dst, _eflags);
1468                break;
1469        case 0xab:
1470              bts:              /* bts */
1471                src.val &= (dst.bytes << 3) - 1; /* only subword offset */
1472                emulate_2op_SrcV_nobyte("bts", src, dst, _eflags);
1473                break;
1474        case 0xb0 ... 0xb1:     /* cmpxchg */
1475                /*
1476                 * Save real source value, then compare EAX against
1477                 * destination.
1478                 */
1479                src.orig_val = src.val;
1480                src.val = _regs[VCPU_REGS_RAX];
1481                emulate_2op_SrcV("cmp", src, dst, _eflags);
1482                if (_eflags & EFLG_ZF) {
1483                        /* Success: write back to memory. */
1484                        dst.val = src.orig_val;
1485                } else {
1486                        /* Failure: write the value we saw to EAX. */
1487                        dst.type = OP_REG;
1488                        dst.ptr = (unsigned long *)&_regs[VCPU_REGS_RAX];
1489                }
1490                break;
1491        case 0xb3:
1492              btr:              /* btr */
1493                src.val &= (dst.bytes << 3) - 1; /* only subword offset */
1494                emulate_2op_SrcV_nobyte("btr", src, dst, _eflags);
1495                break;
1496        case 0xb6 ... 0xb7:     /* movzx */
1497                dst.bytes = op_bytes;
1498                dst.val = (d & ByteOp) ? (u8) src.val : (u16) src.val;
1499                break;
1500        case 0xba:              /* Grp8 */
1501                switch (modrm_reg & 3) {
1502                case 0:
1503                        goto bt;
1504                case 1:
1505                        goto bts;
1506                case 2:
1507                        goto btr;
1508                case 3:
1509                        goto btc;
1510                }
1511                break;
1512        case 0xbb:
1513              btc:              /* btc */
1514                src.val &= (dst.bytes << 3) - 1; /* only subword offset */
1515                emulate_2op_SrcV_nobyte("btc", src, dst, _eflags);
1516                break;
1517        case 0xbe ... 0xbf:     /* movsx */
1518                dst.bytes = op_bytes;
1519                dst.val = (d & ByteOp) ? (s8) src.val : (s16) src.val;
1520                break;
1521        case 0xc3:              /* movnti */
1522                dst.bytes = op_bytes;
1523                dst.val = (op_bytes == 4) ? (u32) src.val : (u64) src.val;
1524                break;
1525        }
1526        goto writeback;
1527
1528twobyte_special_insn:
1529        /* Disable writeback. */
1530        no_wb = 1;
1531        switch (b) {
1532        case 0x06:
1533                emulate_clts(ctxt->vcpu);
1534                break;
1535        case 0x08:              /* invd */
1536                break;
1537        case 0x09:              /* wbinvd */
1538                break;
1539        case 0x0d:              /* GrpP (prefetch) */
1540        case 0x18:              /* Grp16 (prefetch/nop) */
1541                break;
1542        case 0x20: /* mov cr, reg */
1543                if (modrm_mod != 3)
1544                        goto cannot_emulate;
1545                _regs[modrm_rm] = realmode_get_cr(ctxt->vcpu, modrm_reg);
1546                break;
1547        case 0x22: /* mov reg, cr */
1548                if (modrm_mod != 3)
1549                        goto cannot_emulate;
1550                realmode_set_cr(ctxt->vcpu, modrm_reg, modrm_val, &_eflags);
1551                break;
1552        case 0x30:
1553                /* wrmsr */
1554                msr_data = (u32)_regs[VCPU_REGS_RAX]
1555                        | ((u64)_regs[VCPU_REGS_RDX] << 32);
1556                rc = kvm_set_msr(ctxt->vcpu, _regs[VCPU_REGS_RCX], msr_data);
1557                if (rc) {
1558                        kvm_x86_ops->inject_gp(ctxt->vcpu, 0);
1559                        _eip = ctxt->vcpu->rip;
1560                }
1561                rc = X86EMUL_CONTINUE;
1562                break;
1563        case 0x32:
1564                /* rdmsr */
1565                rc = kvm_get_msr(ctxt->vcpu, _regs[VCPU_REGS_RCX], &msr_data);
1566                if (rc) {
1567                        kvm_x86_ops->inject_gp(ctxt->vcpu, 0);
1568                        _eip = ctxt->vcpu->rip;
1569                } else {
1570                        _regs[VCPU_REGS_RAX] = (u32)msr_data;
1571                        _regs[VCPU_REGS_RDX] = msr_data >> 32;
1572                }
1573                rc = X86EMUL_CONTINUE;
1574                break;
1575        case 0x80 ... 0x8f: /* jnz rel, etc*/ {
1576                long int rel;
1577
1578                switch (op_bytes) {
1579                case 2:
1580                        rel = insn_fetch(s16, 2, _eip);
1581                        break;
1582                case 4:
1583                        rel = insn_fetch(s32, 4, _eip);
1584                        break;
1585                case 8:
1586                        rel = insn_fetch(s64, 8, _eip);
1587                        break;
1588                default:
1589                        DPRINTF("jnz: Invalid op_bytes\n");
1590                        goto cannot_emulate;
1591                }
1592                if (test_cc(b, _eflags))
1593                        JMP_REL(rel);
1594                break;
1595        }
1596        case 0xc7:              /* Grp9 (cmpxchg8b) */
1597                {
1598                        u64 old, new;
1599                        if ((rc = ops->read_emulated(cr2, &old, 8, ctxt->vcpu))
1600                                                                        != 0)
1601                                goto done;
1602                        if (((u32) (old >> 0) != (u32) _regs[VCPU_REGS_RAX]) ||
1603                            ((u32) (old >> 32) != (u32) _regs[VCPU_REGS_RDX])) {
1604                                _regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1605                                _regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1606                                _eflags &= ~EFLG_ZF;
1607                        } else {
1608                                new = ((u64)_regs[VCPU_REGS_RCX] << 32)
1609                                        | (u32) _regs[VCPU_REGS_RBX];
1610                                if ((rc = ops->cmpxchg_emulated(cr2, &old,
1611                                                          &new, 8, ctxt->vcpu)) != 0)
1612                                        goto done;
1613                                _eflags |= EFLG_ZF;
1614                        }
1615                        break;
1616                }
1617        }
1618        goto writeback;
1619
1620cannot_emulate:
1621        DPRINTF("Cannot emulate %02x\n", b);
1622        return -1;
1623}
1624
1625#ifdef __XEN__
1626
1627#include <asm/mm.h>
1628#include <asm/uaccess.h>
1629
1630int
1631x86_emulate_read_std(unsigned long addr,
1632                     unsigned long *val,
1633                     unsigned int bytes, struct x86_emulate_ctxt *ctxt)
1634{
1635        unsigned int rc;
1636
1637        *val = 0;
1638
1639        if ((rc = copy_from_user((void *)val, (void *)addr, bytes)) != 0) {
1640                propagate_page_fault(addr + bytes - rc, 0);     /* read fault */
1641                return X86EMUL_PROPAGATE_FAULT;
1642        }
1643
1644        return X86EMUL_CONTINUE;
1645}
1646
1647int
1648x86_emulate_write_std(unsigned long addr,
1649                      unsigned long val,
1650                      unsigned int bytes, struct x86_emulate_ctxt *ctxt)
1651{
1652        unsigned int rc;
1653
1654        if ((rc = copy_to_user((void *)addr, (void *)&val, bytes)) != 0) {
1655                propagate_page_fault(addr + bytes - rc, PGERR_write_access);
1656                return X86EMUL_PROPAGATE_FAULT;
1657        }
1658
1659        return X86EMUL_CONTINUE;
1660}
1661
1662#endif
1663