blob: 6123c0292b22f286dcc3e671862084cbc916b574 [file] [log] [blame]
Avi Kivity6aa8b732006-12-10 02:21:36 -08001/******************************************************************************
2 * x86_emulate.c
3 *
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5 *
6 * Copyright (c) 2005 Keir Fraser
7 *
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privieged instructions:
10 *
11 * Copyright (C) 2006 Qumranet
12 *
13 * Avi Kivity <avi@qumranet.com>
14 * Yaniv Kamay <yaniv@qumranet.com>
15 *
16 * This work is licensed under the terms of the GNU GPL, version 2. See
17 * the COPYING file in the top-level directory.
18 *
19 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
20 */
21
22#ifndef __KERNEL__
23#include <stdio.h>
24#include <stdint.h>
25#include <public/xen.h>
26#define DPRINTF(_f, _a ...) printf( _f , ## _a )
27#else
28#include "kvm.h"
29#define DPRINTF(x...) do {} while (0)
30#endif
31#include "x86_emulate.h"
32#include <linux/module.h>
33
34/*
35 * Opcode effective-address decode tables.
36 * Note that we only emulate instructions that have at least one memory
37 * operand (excluding implicit stack references). We assume that stack
38 * references and instruction fetches will never occur in special memory
39 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
40 * not be handled.
41 */
42
43/* Operand sizes: 8-bit operands or specified/overridden size. */
44#define ByteOp (1<<0) /* 8-bit operands. */
45/* Destination operand type. */
46#define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
47#define DstReg (2<<1) /* Register operand. */
48#define DstMem (3<<1) /* Memory operand. */
49#define DstMask (3<<1)
50/* Source operand type. */
51#define SrcNone (0<<3) /* No source operand. */
52#define SrcImplicit (0<<3) /* Source operand is implicit in the opcode. */
53#define SrcReg (1<<3) /* Register operand. */
54#define SrcMem (2<<3) /* Memory operand. */
55#define SrcMem16 (3<<3) /* Memory operand (16-bit). */
56#define SrcMem32 (4<<3) /* Memory operand (32-bit). */
57#define SrcImm (5<<3) /* Immediate operand. */
58#define SrcImmByte (6<<3) /* 8-bit sign-extended immediate operand. */
59#define SrcMask (7<<3)
60/* Generic ModRM decode. */
61#define ModRM (1<<6)
62/* Destination is only written; never read. */
63#define Mov (1<<7)
Avi Kivity038e51d2007-01-22 20:40:40 -080064#define BitOp (1<<8)
Avi Kivity6aa8b732006-12-10 02:21:36 -080065
66static u8 opcode_table[256] = {
67 /* 0x00 - 0x07 */
68 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
69 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
70 0, 0, 0, 0,
71 /* 0x08 - 0x0F */
72 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
73 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
74 0, 0, 0, 0,
75 /* 0x10 - 0x17 */
76 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
77 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
78 0, 0, 0, 0,
79 /* 0x18 - 0x1F */
80 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
81 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
82 0, 0, 0, 0,
83 /* 0x20 - 0x27 */
84 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
85 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
86 0, 0, 0, 0,
87 /* 0x28 - 0x2F */
88 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
89 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
90 0, 0, 0, 0,
91 /* 0x30 - 0x37 */
92 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
93 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
94 0, 0, 0, 0,
95 /* 0x38 - 0x3F */
96 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
97 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
98 0, 0, 0, 0,
99 /* 0x40 - 0x4F */
100 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
101 /* 0x50 - 0x5F */
102 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
103 /* 0x60 - 0x6F */
104 0, 0, 0, DstReg | SrcMem32 | ModRM | Mov /* movsxd (x86/64) */ ,
105 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
106 /* 0x70 - 0x7F */
107 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
108 /* 0x80 - 0x87 */
109 ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImm | ModRM,
110 ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM,
111 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
112 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
113 /* 0x88 - 0x8F */
114 ByteOp | DstMem | SrcReg | ModRM | Mov, DstMem | SrcReg | ModRM | Mov,
115 ByteOp | DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
116 0, 0, 0, DstMem | SrcNone | ModRM | Mov,
117 /* 0x90 - 0x9F */
118 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
119 /* 0xA0 - 0xA7 */
120 ByteOp | DstReg | SrcMem | Mov, DstReg | SrcMem | Mov,
121 ByteOp | DstMem | SrcReg | Mov, DstMem | SrcReg | Mov,
122 ByteOp | ImplicitOps | Mov, ImplicitOps | Mov,
123 ByteOp | ImplicitOps, ImplicitOps,
124 /* 0xA8 - 0xAF */
125 0, 0, ByteOp | ImplicitOps | Mov, ImplicitOps | Mov,
126 ByteOp | ImplicitOps | Mov, ImplicitOps | Mov,
127 ByteOp | ImplicitOps, ImplicitOps,
128 /* 0xB0 - 0xBF */
129 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
130 /* 0xC0 - 0xC7 */
131 ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM, 0, 0,
132 0, 0, ByteOp | DstMem | SrcImm | ModRM | Mov,
133 DstMem | SrcImm | ModRM | Mov,
134 /* 0xC8 - 0xCF */
135 0, 0, 0, 0, 0, 0, 0, 0,
136 /* 0xD0 - 0xD7 */
137 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
138 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
139 0, 0, 0, 0,
140 /* 0xD8 - 0xDF */
141 0, 0, 0, 0, 0, 0, 0, 0,
142 /* 0xE0 - 0xEF */
143 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
144 /* 0xF0 - 0xF7 */
145 0, 0, 0, 0,
146 0, 0, ByteOp | DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
147 /* 0xF8 - 0xFF */
148 0, 0, 0, 0,
149 0, 0, ByteOp | DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM
150};
151
Avi Kivity038e51d2007-01-22 20:40:40 -0800152static u16 twobyte_table[256] = {
Avi Kivity6aa8b732006-12-10 02:21:36 -0800153 /* 0x00 - 0x0F */
154 0, SrcMem | ModRM | DstReg, 0, 0, 0, 0, ImplicitOps, 0,
Avi Kivity687fdbf2007-05-24 11:17:33 +0300155 0, ImplicitOps, 0, 0, 0, ImplicitOps | ModRM, 0, 0,
Avi Kivity6aa8b732006-12-10 02:21:36 -0800156 /* 0x10 - 0x1F */
157 0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0,
158 /* 0x20 - 0x2F */
159 ModRM | ImplicitOps, ModRM, ModRM | ImplicitOps, ModRM, 0, 0, 0, 0,
160 0, 0, 0, 0, 0, 0, 0, 0,
161 /* 0x30 - 0x3F */
162 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
163 /* 0x40 - 0x47 */
164 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
165 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
166 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
167 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
168 /* 0x48 - 0x4F */
169 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
170 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
171 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
172 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
173 /* 0x50 - 0x5F */
174 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
175 /* 0x60 - 0x6F */
176 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
177 /* 0x70 - 0x7F */
178 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
179 /* 0x80 - 0x8F */
180 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
181 /* 0x90 - 0x9F */
182 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
183 /* 0xA0 - 0xA7 */
Avi Kivity038e51d2007-01-22 20:40:40 -0800184 0, 0, 0, DstMem | SrcReg | ModRM | BitOp, 0, 0, 0, 0,
Avi Kivity6aa8b732006-12-10 02:21:36 -0800185 /* 0xA8 - 0xAF */
Avi Kivity038e51d2007-01-22 20:40:40 -0800186 0, 0, 0, DstMem | SrcReg | ModRM | BitOp, 0, 0, 0, 0,
Avi Kivity6aa8b732006-12-10 02:21:36 -0800187 /* 0xB0 - 0xB7 */
188 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM, 0,
Avi Kivity038e51d2007-01-22 20:40:40 -0800189 DstMem | SrcReg | ModRM | BitOp,
Avi Kivity6aa8b732006-12-10 02:21:36 -0800190 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
191 DstReg | SrcMem16 | ModRM | Mov,
192 /* 0xB8 - 0xBF */
Avi Kivity038e51d2007-01-22 20:40:40 -0800193 0, 0, DstMem | SrcImmByte | ModRM, DstMem | SrcReg | ModRM | BitOp,
Avi Kivity6aa8b732006-12-10 02:21:36 -0800194 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
195 DstReg | SrcMem16 | ModRM | Mov,
196 /* 0xC0 - 0xCF */
197 0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0, 0,
198 /* 0xD0 - 0xDF */
199 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
200 /* 0xE0 - 0xEF */
201 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
202 /* 0xF0 - 0xFF */
203 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
204};
205
206/*
207 * Tell the emulator that of the Group 7 instructions (sgdt, lidt, etc.) we
208 * are interested only in invlpg and not in any of the rest.
209 *
210 * invlpg is a special instruction in that the data it references may not
211 * be mapped.
212 */
213void kvm_emulator_want_group7_invlpg(void)
214{
215 twobyte_table[1] &= ~SrcMem;
216}
217EXPORT_SYMBOL_GPL(kvm_emulator_want_group7_invlpg);
218
219/* Type, address-of, and value of an instruction's operand. */
220struct operand {
221 enum { OP_REG, OP_MEM, OP_IMM } type;
222 unsigned int bytes;
223 unsigned long val, orig_val, *ptr;
224};
225
226/* EFLAGS bit definitions. */
227#define EFLG_OF (1<<11)
228#define EFLG_DF (1<<10)
229#define EFLG_SF (1<<7)
230#define EFLG_ZF (1<<6)
231#define EFLG_AF (1<<4)
232#define EFLG_PF (1<<2)
233#define EFLG_CF (1<<0)
234
235/*
236 * Instruction emulation:
237 * Most instructions are emulated directly via a fragment of inline assembly
238 * code. This allows us to save/restore EFLAGS and thus very easily pick up
239 * any modified flags.
240 */
241
Avi Kivity05b3e0c2006-12-13 00:33:45 -0800242#if defined(CONFIG_X86_64)
Avi Kivity6aa8b732006-12-10 02:21:36 -0800243#define _LO32 "k" /* force 32-bit operand */
244#define _STK "%%rsp" /* stack pointer */
245#elif defined(__i386__)
246#define _LO32 "" /* force 32-bit operand */
247#define _STK "%%esp" /* stack pointer */
248#endif
249
250/*
251 * These EFLAGS bits are restored from saved value during emulation, and
252 * any changes are written back to the saved value after emulation.
253 */
254#define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
255
256/* Before executing instruction: restore necessary bits in EFLAGS. */
257#define _PRE_EFLAGS(_sav, _msk, _tmp) \
258 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); */ \
259 "push %"_sav"; " \
260 "movl %"_msk",%"_LO32 _tmp"; " \
261 "andl %"_LO32 _tmp",("_STK"); " \
262 "pushf; " \
263 "notl %"_LO32 _tmp"; " \
264 "andl %"_LO32 _tmp",("_STK"); " \
265 "pop %"_tmp"; " \
266 "orl %"_LO32 _tmp",("_STK"); " \
267 "popf; " \
268 /* _sav &= ~msk; */ \
269 "movl %"_msk",%"_LO32 _tmp"; " \
270 "notl %"_LO32 _tmp"; " \
271 "andl %"_LO32 _tmp",%"_sav"; "
272
273/* After executing instruction: write-back necessary bits in EFLAGS. */
274#define _POST_EFLAGS(_sav, _msk, _tmp) \
275 /* _sav |= EFLAGS & _msk; */ \
276 "pushf; " \
277 "pop %"_tmp"; " \
278 "andl %"_msk",%"_LO32 _tmp"; " \
279 "orl %"_LO32 _tmp",%"_sav"; "
280
281/* Raw emulation: instruction has two explicit operands. */
282#define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
283 do { \
284 unsigned long _tmp; \
285 \
286 switch ((_dst).bytes) { \
287 case 2: \
288 __asm__ __volatile__ ( \
289 _PRE_EFLAGS("0","4","2") \
290 _op"w %"_wx"3,%1; " \
291 _POST_EFLAGS("0","4","2") \
292 : "=m" (_eflags), "=m" ((_dst).val), \
293 "=&r" (_tmp) \
294 : _wy ((_src).val), "i" (EFLAGS_MASK) ); \
295 break; \
296 case 4: \
297 __asm__ __volatile__ ( \
298 _PRE_EFLAGS("0","4","2") \
299 _op"l %"_lx"3,%1; " \
300 _POST_EFLAGS("0","4","2") \
301 : "=m" (_eflags), "=m" ((_dst).val), \
302 "=&r" (_tmp) \
303 : _ly ((_src).val), "i" (EFLAGS_MASK) ); \
304 break; \
305 case 8: \
306 __emulate_2op_8byte(_op, _src, _dst, \
307 _eflags, _qx, _qy); \
308 break; \
309 } \
310 } while (0)
311
312#define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
313 do { \
314 unsigned long _tmp; \
315 switch ( (_dst).bytes ) \
316 { \
317 case 1: \
318 __asm__ __volatile__ ( \
319 _PRE_EFLAGS("0","4","2") \
320 _op"b %"_bx"3,%1; " \
321 _POST_EFLAGS("0","4","2") \
322 : "=m" (_eflags), "=m" ((_dst).val), \
323 "=&r" (_tmp) \
324 : _by ((_src).val), "i" (EFLAGS_MASK) ); \
325 break; \
326 default: \
327 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
328 _wx, _wy, _lx, _ly, _qx, _qy); \
329 break; \
330 } \
331 } while (0)
332
333/* Source operand is byte-sized and may be restricted to just %cl. */
334#define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
335 __emulate_2op(_op, _src, _dst, _eflags, \
336 "b", "c", "b", "c", "b", "c", "b", "c")
337
338/* Source operand is byte, word, long or quad sized. */
339#define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
340 __emulate_2op(_op, _src, _dst, _eflags, \
341 "b", "q", "w", "r", _LO32, "r", "", "r")
342
343/* Source operand is word, long or quad sized. */
344#define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
345 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
346 "w", "r", _LO32, "r", "", "r")
347
348/* Instruction has only one explicit operand (no source operand). */
349#define emulate_1op(_op, _dst, _eflags) \
350 do { \
351 unsigned long _tmp; \
352 \
353 switch ( (_dst).bytes ) \
354 { \
355 case 1: \
356 __asm__ __volatile__ ( \
357 _PRE_EFLAGS("0","3","2") \
358 _op"b %1; " \
359 _POST_EFLAGS("0","3","2") \
360 : "=m" (_eflags), "=m" ((_dst).val), \
361 "=&r" (_tmp) \
362 : "i" (EFLAGS_MASK) ); \
363 break; \
364 case 2: \
365 __asm__ __volatile__ ( \
366 _PRE_EFLAGS("0","3","2") \
367 _op"w %1; " \
368 _POST_EFLAGS("0","3","2") \
369 : "=m" (_eflags), "=m" ((_dst).val), \
370 "=&r" (_tmp) \
371 : "i" (EFLAGS_MASK) ); \
372 break; \
373 case 4: \
374 __asm__ __volatile__ ( \
375 _PRE_EFLAGS("0","3","2") \
376 _op"l %1; " \
377 _POST_EFLAGS("0","3","2") \
378 : "=m" (_eflags), "=m" ((_dst).val), \
379 "=&r" (_tmp) \
380 : "i" (EFLAGS_MASK) ); \
381 break; \
382 case 8: \
383 __emulate_1op_8byte(_op, _dst, _eflags); \
384 break; \
385 } \
386 } while (0)
387
388/* Emulate an instruction with quadword operands (x86/64 only). */
Avi Kivity05b3e0c2006-12-13 00:33:45 -0800389#if defined(CONFIG_X86_64)
Avi Kivity6aa8b732006-12-10 02:21:36 -0800390#define __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy) \
391 do { \
392 __asm__ __volatile__ ( \
393 _PRE_EFLAGS("0","4","2") \
394 _op"q %"_qx"3,%1; " \
395 _POST_EFLAGS("0","4","2") \
396 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
397 : _qy ((_src).val), "i" (EFLAGS_MASK) ); \
398 } while (0)
399
400#define __emulate_1op_8byte(_op, _dst, _eflags) \
401 do { \
402 __asm__ __volatile__ ( \
403 _PRE_EFLAGS("0","3","2") \
404 _op"q %1; " \
405 _POST_EFLAGS("0","3","2") \
406 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
407 : "i" (EFLAGS_MASK) ); \
408 } while (0)
409
410#elif defined(__i386__)
411#define __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy)
412#define __emulate_1op_8byte(_op, _dst, _eflags)
413#endif /* __i386__ */
414
415/* Fetch next part of the instruction being emulated. */
416#define insn_fetch(_type, _size, _eip) \
417({ unsigned long _x; \
418 rc = ops->read_std((unsigned long)(_eip) + ctxt->cs_base, &_x, \
419 (_size), ctxt); \
420 if ( rc != 0 ) \
421 goto done; \
422 (_eip) += (_size); \
423 (_type)_x; \
424})
425
426/* Access/update address held in a register, based on addressing mode. */
427#define register_address(base, reg) \
428 ((base) + ((ad_bytes == sizeof(unsigned long)) ? (reg) : \
429 ((reg) & ((1UL << (ad_bytes << 3)) - 1))))
430
431#define register_address_increment(reg, inc) \
432 do { \
433 /* signed type ensures sign extension to long */ \
434 int _inc = (inc); \
435 if ( ad_bytes == sizeof(unsigned long) ) \
436 (reg) += _inc; \
437 else \
438 (reg) = ((reg) & ~((1UL << (ad_bytes << 3)) - 1)) | \
439 (((reg) + _inc) & ((1UL << (ad_bytes << 3)) - 1)); \
440 } while (0)
441
442void *decode_register(u8 modrm_reg, unsigned long *regs,
443 int highbyte_regs)
444{
445 void *p;
446
447 p = &regs[modrm_reg];
448 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
449 p = (unsigned char *)&regs[modrm_reg & 3] + 1;
450 return p;
451}
452
453static int read_descriptor(struct x86_emulate_ctxt *ctxt,
454 struct x86_emulate_ops *ops,
455 void *ptr,
456 u16 *size, unsigned long *address, int op_bytes)
457{
458 int rc;
459
460 if (op_bytes == 2)
461 op_bytes = 3;
462 *address = 0;
463 rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2, ctxt);
464 if (rc)
465 return rc;
466 rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes, ctxt);
467 return rc;
468}
469
470int
471x86_emulate_memop(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
472{
Avi Kivity038e51d2007-01-22 20:40:40 -0800473 unsigned d;
474 u8 b, sib, twobyte = 0, rex_prefix = 0;
Avi Kivity6aa8b732006-12-10 02:21:36 -0800475 u8 modrm, modrm_mod = 0, modrm_reg = 0, modrm_rm = 0;
476 unsigned long *override_base = NULL;
477 unsigned int op_bytes, ad_bytes, lock_prefix = 0, rep_prefix = 0, i;
478 int rc = 0;
479 struct operand src, dst;
480 unsigned long cr2 = ctxt->cr2;
481 int mode = ctxt->mode;
482 unsigned long modrm_ea;
483 int use_modrm_ea, index_reg = 0, base_reg = 0, scale, rip_relative = 0;
484
485 /* Shadow copy of register state. Committed on successful emulation. */
486 unsigned long _regs[NR_VCPU_REGS];
487 unsigned long _eip = ctxt->vcpu->rip, _eflags = ctxt->eflags;
488 unsigned long modrm_val = 0;
489
490 memcpy(_regs, ctxt->vcpu->regs, sizeof _regs);
491
492 switch (mode) {
493 case X86EMUL_MODE_REAL:
494 case X86EMUL_MODE_PROT16:
495 op_bytes = ad_bytes = 2;
496 break;
497 case X86EMUL_MODE_PROT32:
498 op_bytes = ad_bytes = 4;
499 break;
Avi Kivity05b3e0c2006-12-13 00:33:45 -0800500#ifdef CONFIG_X86_64
Avi Kivity6aa8b732006-12-10 02:21:36 -0800501 case X86EMUL_MODE_PROT64:
502 op_bytes = 4;
503 ad_bytes = 8;
504 break;
505#endif
506 default:
507 return -1;
508 }
509
510 /* Legacy prefixes. */
511 for (i = 0; i < 8; i++) {
512 switch (b = insn_fetch(u8, 1, _eip)) {
513 case 0x66: /* operand-size override */
514 op_bytes ^= 6; /* switch between 2/4 bytes */
515 break;
516 case 0x67: /* address-size override */
517 if (mode == X86EMUL_MODE_PROT64)
518 ad_bytes ^= 12; /* switch between 4/8 bytes */
519 else
520 ad_bytes ^= 6; /* switch between 2/4 bytes */
521 break;
522 case 0x2e: /* CS override */
523 override_base = &ctxt->cs_base;
524 break;
525 case 0x3e: /* DS override */
526 override_base = &ctxt->ds_base;
527 break;
528 case 0x26: /* ES override */
529 override_base = &ctxt->es_base;
530 break;
531 case 0x64: /* FS override */
532 override_base = &ctxt->fs_base;
533 break;
534 case 0x65: /* GS override */
535 override_base = &ctxt->gs_base;
536 break;
537 case 0x36: /* SS override */
538 override_base = &ctxt->ss_base;
539 break;
540 case 0xf0: /* LOCK */
541 lock_prefix = 1;
542 break;
543 case 0xf3: /* REP/REPE/REPZ */
544 rep_prefix = 1;
545 break;
546 case 0xf2: /* REPNE/REPNZ */
547 break;
548 default:
549 goto done_prefixes;
550 }
551 }
552
553done_prefixes:
554
555 /* REX prefix. */
556 if ((mode == X86EMUL_MODE_PROT64) && ((b & 0xf0) == 0x40)) {
557 rex_prefix = b;
558 if (b & 8)
559 op_bytes = 8; /* REX.W */
560 modrm_reg = (b & 4) << 1; /* REX.R */
561 index_reg = (b & 2) << 2; /* REX.X */
562 modrm_rm = base_reg = (b & 1) << 3; /* REG.B */
563 b = insn_fetch(u8, 1, _eip);
564 }
565
566 /* Opcode byte(s). */
567 d = opcode_table[b];
568 if (d == 0) {
569 /* Two-byte opcode? */
570 if (b == 0x0f) {
571 twobyte = 1;
572 b = insn_fetch(u8, 1, _eip);
573 d = twobyte_table[b];
574 }
575
576 /* Unrecognised? */
577 if (d == 0)
578 goto cannot_emulate;
579 }
580
581 /* ModRM and SIB bytes. */
582 if (d & ModRM) {
583 modrm = insn_fetch(u8, 1, _eip);
584 modrm_mod |= (modrm & 0xc0) >> 6;
585 modrm_reg |= (modrm & 0x38) >> 3;
586 modrm_rm |= (modrm & 0x07);
587 modrm_ea = 0;
588 use_modrm_ea = 1;
589
590 if (modrm_mod == 3) {
591 modrm_val = *(unsigned long *)
592 decode_register(modrm_rm, _regs, d & ByteOp);
593 goto modrm_done;
594 }
595
596 if (ad_bytes == 2) {
597 unsigned bx = _regs[VCPU_REGS_RBX];
598 unsigned bp = _regs[VCPU_REGS_RBP];
599 unsigned si = _regs[VCPU_REGS_RSI];
600 unsigned di = _regs[VCPU_REGS_RDI];
601
602 /* 16-bit ModR/M decode. */
603 switch (modrm_mod) {
604 case 0:
605 if (modrm_rm == 6)
606 modrm_ea += insn_fetch(u16, 2, _eip);
607 break;
608 case 1:
609 modrm_ea += insn_fetch(s8, 1, _eip);
610 break;
611 case 2:
612 modrm_ea += insn_fetch(u16, 2, _eip);
613 break;
614 }
615 switch (modrm_rm) {
616 case 0:
617 modrm_ea += bx + si;
618 break;
619 case 1:
620 modrm_ea += bx + di;
621 break;
622 case 2:
623 modrm_ea += bp + si;
624 break;
625 case 3:
626 modrm_ea += bp + di;
627 break;
628 case 4:
629 modrm_ea += si;
630 break;
631 case 5:
632 modrm_ea += di;
633 break;
634 case 6:
635 if (modrm_mod != 0)
636 modrm_ea += bp;
637 break;
638 case 7:
639 modrm_ea += bx;
640 break;
641 }
642 if (modrm_rm == 2 || modrm_rm == 3 ||
643 (modrm_rm == 6 && modrm_mod != 0))
644 if (!override_base)
645 override_base = &ctxt->ss_base;
646 modrm_ea = (u16)modrm_ea;
647 } else {
648 /* 32/64-bit ModR/M decode. */
649 switch (modrm_rm) {
650 case 4:
651 case 12:
652 sib = insn_fetch(u8, 1, _eip);
653 index_reg |= (sib >> 3) & 7;
654 base_reg |= sib & 7;
655 scale = sib >> 6;
656
657 switch (base_reg) {
658 case 5:
659 if (modrm_mod != 0)
660 modrm_ea += _regs[base_reg];
661 else
662 modrm_ea += insn_fetch(s32, 4, _eip);
663 break;
664 default:
665 modrm_ea += _regs[base_reg];
666 }
667 switch (index_reg) {
668 case 4:
669 break;
670 default:
671 modrm_ea += _regs[index_reg] << scale;
672
673 }
674 break;
675 case 5:
676 if (modrm_mod != 0)
677 modrm_ea += _regs[modrm_rm];
678 else if (mode == X86EMUL_MODE_PROT64)
679 rip_relative = 1;
680 break;
681 default:
682 modrm_ea += _regs[modrm_rm];
683 break;
684 }
685 switch (modrm_mod) {
686 case 0:
687 if (modrm_rm == 5)
688 modrm_ea += insn_fetch(s32, 4, _eip);
689 break;
690 case 1:
691 modrm_ea += insn_fetch(s8, 1, _eip);
692 break;
693 case 2:
694 modrm_ea += insn_fetch(s32, 4, _eip);
695 break;
696 }
697 }
698 if (!override_base)
699 override_base = &ctxt->ds_base;
700 if (mode == X86EMUL_MODE_PROT64 &&
701 override_base != &ctxt->fs_base &&
702 override_base != &ctxt->gs_base)
703 override_base = NULL;
704
705 if (override_base)
706 modrm_ea += *override_base;
707
708 if (rip_relative) {
709 modrm_ea += _eip;
710 switch (d & SrcMask) {
711 case SrcImmByte:
712 modrm_ea += 1;
713 break;
714 case SrcImm:
715 if (d & ByteOp)
716 modrm_ea += 1;
717 else
718 if (op_bytes == 8)
719 modrm_ea += 4;
720 else
721 modrm_ea += op_bytes;
722 }
723 }
724 if (ad_bytes != 8)
725 modrm_ea = (u32)modrm_ea;
726 cr2 = modrm_ea;
727 modrm_done:
728 ;
729 }
730
Avi Kivity6aa8b732006-12-10 02:21:36 -0800731 /*
732 * Decode and fetch the source operand: register, memory
733 * or immediate.
734 */
735 switch (d & SrcMask) {
736 case SrcNone:
737 break;
738 case SrcReg:
739 src.type = OP_REG;
740 if (d & ByteOp) {
741 src.ptr = decode_register(modrm_reg, _regs,
742 (rex_prefix == 0));
743 src.val = src.orig_val = *(u8 *) src.ptr;
744 src.bytes = 1;
745 } else {
746 src.ptr = decode_register(modrm_reg, _regs, 0);
747 switch ((src.bytes = op_bytes)) {
748 case 2:
749 src.val = src.orig_val = *(u16 *) src.ptr;
750 break;
751 case 4:
752 src.val = src.orig_val = *(u32 *) src.ptr;
753 break;
754 case 8:
755 src.val = src.orig_val = *(u64 *) src.ptr;
756 break;
757 }
758 }
759 break;
760 case SrcMem16:
761 src.bytes = 2;
762 goto srcmem_common;
763 case SrcMem32:
764 src.bytes = 4;
765 goto srcmem_common;
766 case SrcMem:
767 src.bytes = (d & ByteOp) ? 1 : op_bytes;
768 srcmem_common:
769 src.type = OP_MEM;
770 src.ptr = (unsigned long *)cr2;
771 if ((rc = ops->read_emulated((unsigned long)src.ptr,
772 &src.val, src.bytes, ctxt)) != 0)
773 goto done;
774 src.orig_val = src.val;
775 break;
776 case SrcImm:
777 src.type = OP_IMM;
778 src.ptr = (unsigned long *)_eip;
779 src.bytes = (d & ByteOp) ? 1 : op_bytes;
780 if (src.bytes == 8)
781 src.bytes = 4;
782 /* NB. Immediates are sign-extended as necessary. */
783 switch (src.bytes) {
784 case 1:
785 src.val = insn_fetch(s8, 1, _eip);
786 break;
787 case 2:
788 src.val = insn_fetch(s16, 2, _eip);
789 break;
790 case 4:
791 src.val = insn_fetch(s32, 4, _eip);
792 break;
793 }
794 break;
795 case SrcImmByte:
796 src.type = OP_IMM;
797 src.ptr = (unsigned long *)_eip;
798 src.bytes = 1;
799 src.val = insn_fetch(s8, 1, _eip);
800 break;
801 }
802
Avi Kivity038e51d2007-01-22 20:40:40 -0800803 /* Decode and fetch the destination operand: register or memory. */
804 switch (d & DstMask) {
805 case ImplicitOps:
806 /* Special instructions do their own operand decoding. */
807 goto special_insn;
808 case DstReg:
809 dst.type = OP_REG;
810 if ((d & ByteOp)
811 && !(twobyte_table && (b == 0xb6 || b == 0xb7))) {
812 dst.ptr = decode_register(modrm_reg, _regs,
813 (rex_prefix == 0));
814 dst.val = *(u8 *) dst.ptr;
815 dst.bytes = 1;
816 } else {
817 dst.ptr = decode_register(modrm_reg, _regs, 0);
818 switch ((dst.bytes = op_bytes)) {
819 case 2:
820 dst.val = *(u16 *)dst.ptr;
821 break;
822 case 4:
823 dst.val = *(u32 *)dst.ptr;
824 break;
825 case 8:
826 dst.val = *(u64 *)dst.ptr;
827 break;
828 }
829 }
830 break;
831 case DstMem:
832 dst.type = OP_MEM;
833 dst.ptr = (unsigned long *)cr2;
834 dst.bytes = (d & ByteOp) ? 1 : op_bytes;
835 if (d & BitOp) {
Avi Kivitydf513e22007-03-28 20:04:16 +0200836 unsigned long mask = ~(dst.bytes * 8 - 1);
837
838 dst.ptr = (void *)dst.ptr + (src.val & mask) / 8;
Avi Kivity038e51d2007-01-22 20:40:40 -0800839 }
840 if (!(d & Mov) && /* optimisation - avoid slow emulated read */
841 ((rc = ops->read_emulated((unsigned long)dst.ptr,
842 &dst.val, dst.bytes, ctxt)) != 0))
843 goto done;
844 break;
845 }
846 dst.orig_val = dst.val;
847
Avi Kivity6aa8b732006-12-10 02:21:36 -0800848 if (twobyte)
849 goto twobyte_insn;
850
851 switch (b) {
852 case 0x00 ... 0x05:
853 add: /* add */
854 emulate_2op_SrcV("add", src, dst, _eflags);
855 break;
856 case 0x08 ... 0x0d:
857 or: /* or */
858 emulate_2op_SrcV("or", src, dst, _eflags);
859 break;
860 case 0x10 ... 0x15:
861 adc: /* adc */
862 emulate_2op_SrcV("adc", src, dst, _eflags);
863 break;
864 case 0x18 ... 0x1d:
865 sbb: /* sbb */
866 emulate_2op_SrcV("sbb", src, dst, _eflags);
867 break;
868 case 0x20 ... 0x25:
869 and: /* and */
870 emulate_2op_SrcV("and", src, dst, _eflags);
871 break;
872 case 0x28 ... 0x2d:
873 sub: /* sub */
874 emulate_2op_SrcV("sub", src, dst, _eflags);
875 break;
876 case 0x30 ... 0x35:
877 xor: /* xor */
878 emulate_2op_SrcV("xor", src, dst, _eflags);
879 break;
880 case 0x38 ... 0x3d:
881 cmp: /* cmp */
882 emulate_2op_SrcV("cmp", src, dst, _eflags);
883 break;
884 case 0x63: /* movsxd */
885 if (mode != X86EMUL_MODE_PROT64)
886 goto cannot_emulate;
887 dst.val = (s32) src.val;
888 break;
889 case 0x80 ... 0x83: /* Grp1 */
890 switch (modrm_reg) {
891 case 0:
892 goto add;
893 case 1:
894 goto or;
895 case 2:
896 goto adc;
897 case 3:
898 goto sbb;
899 case 4:
900 goto and;
901 case 5:
902 goto sub;
903 case 6:
904 goto xor;
905 case 7:
906 goto cmp;
907 }
908 break;
909 case 0x84 ... 0x85:
910 test: /* test */
911 emulate_2op_SrcV("test", src, dst, _eflags);
912 break;
913 case 0x86 ... 0x87: /* xchg */
914 /* Write back the register source. */
915 switch (dst.bytes) {
916 case 1:
917 *(u8 *) src.ptr = (u8) dst.val;
918 break;
919 case 2:
920 *(u16 *) src.ptr = (u16) dst.val;
921 break;
922 case 4:
923 *src.ptr = (u32) dst.val;
924 break; /* 64b reg: zero-extend */
925 case 8:
926 *src.ptr = dst.val;
927 break;
928 }
929 /*
930 * Write back the memory destination with implicit LOCK
931 * prefix.
932 */
933 dst.val = src.val;
934 lock_prefix = 1;
935 break;
936 case 0xa0 ... 0xa1: /* mov */
937 dst.ptr = (unsigned long *)&_regs[VCPU_REGS_RAX];
938 dst.val = src.val;
939 _eip += ad_bytes; /* skip src displacement */
940 break;
941 case 0xa2 ... 0xa3: /* mov */
942 dst.val = (unsigned long)_regs[VCPU_REGS_RAX];
943 _eip += ad_bytes; /* skip dst displacement */
944 break;
945 case 0x88 ... 0x8b: /* mov */
946 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
947 dst.val = src.val;
948 break;
949 case 0x8f: /* pop (sole member of Grp1a) */
950 /* 64-bit mode: POP always pops a 64-bit operand. */
951 if (mode == X86EMUL_MODE_PROT64)
952 dst.bytes = 8;
953 if ((rc = ops->read_std(register_address(ctxt->ss_base,
954 _regs[VCPU_REGS_RSP]),
955 &dst.val, dst.bytes, ctxt)) != 0)
956 goto done;
957 register_address_increment(_regs[VCPU_REGS_RSP], dst.bytes);
958 break;
959 case 0xc0 ... 0xc1:
960 grp2: /* Grp2 */
961 switch (modrm_reg) {
962 case 0: /* rol */
963 emulate_2op_SrcB("rol", src, dst, _eflags);
964 break;
965 case 1: /* ror */
966 emulate_2op_SrcB("ror", src, dst, _eflags);
967 break;
968 case 2: /* rcl */
969 emulate_2op_SrcB("rcl", src, dst, _eflags);
970 break;
971 case 3: /* rcr */
972 emulate_2op_SrcB("rcr", src, dst, _eflags);
973 break;
974 case 4: /* sal/shl */
975 case 6: /* sal/shl */
976 emulate_2op_SrcB("sal", src, dst, _eflags);
977 break;
978 case 5: /* shr */
979 emulate_2op_SrcB("shr", src, dst, _eflags);
980 break;
981 case 7: /* sar */
982 emulate_2op_SrcB("sar", src, dst, _eflags);
983 break;
984 }
985 break;
986 case 0xd0 ... 0xd1: /* Grp2 */
987 src.val = 1;
988 goto grp2;
989 case 0xd2 ... 0xd3: /* Grp2 */
990 src.val = _regs[VCPU_REGS_RCX];
991 goto grp2;
992 case 0xf6 ... 0xf7: /* Grp3 */
993 switch (modrm_reg) {
994 case 0 ... 1: /* test */
995 /*
996 * Special case in Grp3: test has an immediate
997 * source operand.
998 */
999 src.type = OP_IMM;
1000 src.ptr = (unsigned long *)_eip;
1001 src.bytes = (d & ByteOp) ? 1 : op_bytes;
1002 if (src.bytes == 8)
1003 src.bytes = 4;
1004 switch (src.bytes) {
1005 case 1:
1006 src.val = insn_fetch(s8, 1, _eip);
1007 break;
1008 case 2:
1009 src.val = insn_fetch(s16, 2, _eip);
1010 break;
1011 case 4:
1012 src.val = insn_fetch(s32, 4, _eip);
1013 break;
1014 }
1015 goto test;
1016 case 2: /* not */
1017 dst.val = ~dst.val;
1018 break;
1019 case 3: /* neg */
1020 emulate_1op("neg", dst, _eflags);
1021 break;
1022 default:
1023 goto cannot_emulate;
1024 }
1025 break;
1026 case 0xfe ... 0xff: /* Grp4/Grp5 */
1027 switch (modrm_reg) {
1028 case 0: /* inc */
1029 emulate_1op("inc", dst, _eflags);
1030 break;
1031 case 1: /* dec */
1032 emulate_1op("dec", dst, _eflags);
1033 break;
1034 case 6: /* push */
1035 /* 64-bit mode: PUSH always pushes a 64-bit operand. */
1036 if (mode == X86EMUL_MODE_PROT64) {
1037 dst.bytes = 8;
1038 if ((rc = ops->read_std((unsigned long)dst.ptr,
1039 &dst.val, 8,
1040 ctxt)) != 0)
1041 goto done;
1042 }
1043 register_address_increment(_regs[VCPU_REGS_RSP],
1044 -dst.bytes);
1045 if ((rc = ops->write_std(
1046 register_address(ctxt->ss_base,
1047 _regs[VCPU_REGS_RSP]),
Avi Kivity4c690a12007-04-22 15:28:19 +03001048 &dst.val, dst.bytes, ctxt)) != 0)
Avi Kivity6aa8b732006-12-10 02:21:36 -08001049 goto done;
1050 dst.val = dst.orig_val; /* skanky: disable writeback */
1051 break;
1052 default:
1053 goto cannot_emulate;
1054 }
1055 break;
1056 }
1057
1058writeback:
1059 if ((d & Mov) || (dst.orig_val != dst.val)) {
1060 switch (dst.type) {
1061 case OP_REG:
1062 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1063 switch (dst.bytes) {
1064 case 1:
1065 *(u8 *)dst.ptr = (u8)dst.val;
1066 break;
1067 case 2:
1068 *(u16 *)dst.ptr = (u16)dst.val;
1069 break;
1070 case 4:
1071 *dst.ptr = (u32)dst.val;
1072 break; /* 64b: zero-ext */
1073 case 8:
1074 *dst.ptr = dst.val;
1075 break;
1076 }
1077 break;
1078 case OP_MEM:
1079 if (lock_prefix)
1080 rc = ops->cmpxchg_emulated((unsigned long)dst.
Avi Kivity4c690a12007-04-22 15:28:19 +03001081 ptr, &dst.orig_val,
1082 &dst.val, dst.bytes,
Avi Kivity6aa8b732006-12-10 02:21:36 -08001083 ctxt);
1084 else
1085 rc = ops->write_emulated((unsigned long)dst.ptr,
Avi Kivity4c690a12007-04-22 15:28:19 +03001086 &dst.val, dst.bytes,
Avi Kivity6aa8b732006-12-10 02:21:36 -08001087 ctxt);
1088 if (rc != 0)
1089 goto done;
1090 default:
1091 break;
1092 }
1093 }
1094
1095 /* Commit shadow register state. */
1096 memcpy(ctxt->vcpu->regs, _regs, sizeof _regs);
1097 ctxt->eflags = _eflags;
1098 ctxt->vcpu->rip = _eip;
1099
1100done:
1101 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
1102
1103special_insn:
1104 if (twobyte)
1105 goto twobyte_special_insn;
1106 if (rep_prefix) {
1107 if (_regs[VCPU_REGS_RCX] == 0) {
1108 ctxt->vcpu->rip = _eip;
1109 goto done;
1110 }
1111 _regs[VCPU_REGS_RCX]--;
1112 _eip = ctxt->vcpu->rip;
1113 }
1114 switch (b) {
1115 case 0xa4 ... 0xa5: /* movs */
1116 dst.type = OP_MEM;
1117 dst.bytes = (d & ByteOp) ? 1 : op_bytes;
1118 dst.ptr = (unsigned long *)register_address(ctxt->es_base,
1119 _regs[VCPU_REGS_RDI]);
1120 if ((rc = ops->read_emulated(register_address(
1121 override_base ? *override_base : ctxt->ds_base,
1122 _regs[VCPU_REGS_RSI]), &dst.val, dst.bytes, ctxt)) != 0)
1123 goto done;
1124 register_address_increment(_regs[VCPU_REGS_RSI],
1125 (_eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
1126 register_address_increment(_regs[VCPU_REGS_RDI],
1127 (_eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
1128 break;
1129 case 0xa6 ... 0xa7: /* cmps */
1130 DPRINTF("Urk! I don't handle CMPS.\n");
1131 goto cannot_emulate;
1132 case 0xaa ... 0xab: /* stos */
1133 dst.type = OP_MEM;
1134 dst.bytes = (d & ByteOp) ? 1 : op_bytes;
1135 dst.ptr = (unsigned long *)cr2;
1136 dst.val = _regs[VCPU_REGS_RAX];
1137 register_address_increment(_regs[VCPU_REGS_RDI],
1138 (_eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
1139 break;
1140 case 0xac ... 0xad: /* lods */
1141 dst.type = OP_REG;
1142 dst.bytes = (d & ByteOp) ? 1 : op_bytes;
1143 dst.ptr = (unsigned long *)&_regs[VCPU_REGS_RAX];
1144 if ((rc = ops->read_emulated(cr2, &dst.val, dst.bytes, ctxt)) != 0)
1145 goto done;
1146 register_address_increment(_regs[VCPU_REGS_RSI],
1147 (_eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
1148 break;
1149 case 0xae ... 0xaf: /* scas */
1150 DPRINTF("Urk! I don't handle SCAS.\n");
1151 goto cannot_emulate;
1152 }
1153 goto writeback;
1154
1155twobyte_insn:
1156 switch (b) {
1157 case 0x01: /* lgdt, lidt, lmsw */
1158 switch (modrm_reg) {
1159 u16 size;
1160 unsigned long address;
1161
1162 case 2: /* lgdt */
1163 rc = read_descriptor(ctxt, ops, src.ptr,
1164 &size, &address, op_bytes);
1165 if (rc)
1166 goto done;
1167 realmode_lgdt(ctxt->vcpu, size, address);
1168 break;
1169 case 3: /* lidt */
1170 rc = read_descriptor(ctxt, ops, src.ptr,
1171 &size, &address, op_bytes);
1172 if (rc)
1173 goto done;
1174 realmode_lidt(ctxt->vcpu, size, address);
1175 break;
1176 case 4: /* smsw */
1177 if (modrm_mod != 3)
1178 goto cannot_emulate;
1179 *(u16 *)&_regs[modrm_rm]
1180 = realmode_get_cr(ctxt->vcpu, 0);
1181 break;
1182 case 6: /* lmsw */
1183 if (modrm_mod != 3)
1184 goto cannot_emulate;
1185 realmode_lmsw(ctxt->vcpu, (u16)modrm_val, &_eflags);
1186 break;
1187 case 7: /* invlpg*/
1188 emulate_invlpg(ctxt->vcpu, cr2);
1189 break;
1190 default:
1191 goto cannot_emulate;
1192 }
1193 break;
1194 case 0x21: /* mov from dr to reg */
1195 if (modrm_mod != 3)
1196 goto cannot_emulate;
1197 rc = emulator_get_dr(ctxt, modrm_reg, &_regs[modrm_rm]);
1198 break;
1199 case 0x23: /* mov from reg to dr */
1200 if (modrm_mod != 3)
1201 goto cannot_emulate;
1202 rc = emulator_set_dr(ctxt, modrm_reg, _regs[modrm_rm]);
1203 break;
1204 case 0x40 ... 0x4f: /* cmov */
1205 dst.val = dst.orig_val = src.val;
1206 d &= ~Mov; /* default to no move */
1207 /*
1208 * First, assume we're decoding an even cmov opcode
1209 * (lsb == 0).
1210 */
1211 switch ((b & 15) >> 1) {
1212 case 0: /* cmovo */
1213 d |= (_eflags & EFLG_OF) ? Mov : 0;
1214 break;
1215 case 1: /* cmovb/cmovc/cmovnae */
1216 d |= (_eflags & EFLG_CF) ? Mov : 0;
1217 break;
1218 case 2: /* cmovz/cmove */
1219 d |= (_eflags & EFLG_ZF) ? Mov : 0;
1220 break;
1221 case 3: /* cmovbe/cmovna */
1222 d |= (_eflags & (EFLG_CF | EFLG_ZF)) ? Mov : 0;
1223 break;
1224 case 4: /* cmovs */
1225 d |= (_eflags & EFLG_SF) ? Mov : 0;
1226 break;
1227 case 5: /* cmovp/cmovpe */
1228 d |= (_eflags & EFLG_PF) ? Mov : 0;
1229 break;
1230 case 7: /* cmovle/cmovng */
1231 d |= (_eflags & EFLG_ZF) ? Mov : 0;
1232 /* fall through */
1233 case 6: /* cmovl/cmovnge */
1234 d |= (!(_eflags & EFLG_SF) !=
1235 !(_eflags & EFLG_OF)) ? Mov : 0;
1236 break;
1237 }
1238 /* Odd cmov opcodes (lsb == 1) have inverted sense. */
1239 d ^= (b & 1) ? Mov : 0;
1240 break;
1241 case 0xb0 ... 0xb1: /* cmpxchg */
1242 /*
1243 * Save real source value, then compare EAX against
1244 * destination.
1245 */
1246 src.orig_val = src.val;
1247 src.val = _regs[VCPU_REGS_RAX];
1248 emulate_2op_SrcV("cmp", src, dst, _eflags);
1249 /* Always write back. The question is: where to? */
1250 d |= Mov;
1251 if (_eflags & EFLG_ZF) {
1252 /* Success: write back to memory. */
1253 dst.val = src.orig_val;
1254 } else {
1255 /* Failure: write the value we saw to EAX. */
1256 dst.type = OP_REG;
1257 dst.ptr = (unsigned long *)&_regs[VCPU_REGS_RAX];
1258 }
1259 break;
1260 case 0xa3:
1261 bt: /* bt */
1262 src.val &= (dst.bytes << 3) - 1; /* only subword offset */
1263 emulate_2op_SrcV_nobyte("bt", src, dst, _eflags);
1264 break;
1265 case 0xb3:
1266 btr: /* btr */
1267 src.val &= (dst.bytes << 3) - 1; /* only subword offset */
1268 emulate_2op_SrcV_nobyte("btr", src, dst, _eflags);
1269 break;
1270 case 0xab:
1271 bts: /* bts */
1272 src.val &= (dst.bytes << 3) - 1; /* only subword offset */
1273 emulate_2op_SrcV_nobyte("bts", src, dst, _eflags);
1274 break;
1275 case 0xb6 ... 0xb7: /* movzx */
1276 dst.bytes = op_bytes;
1277 dst.val = (d & ByteOp) ? (u8) src.val : (u16) src.val;
1278 break;
1279 case 0xbb:
1280 btc: /* btc */
1281 src.val &= (dst.bytes << 3) - 1; /* only subword offset */
1282 emulate_2op_SrcV_nobyte("btc", src, dst, _eflags);
1283 break;
1284 case 0xba: /* Grp8 */
1285 switch (modrm_reg & 3) {
1286 case 0:
1287 goto bt;
1288 case 1:
1289 goto bts;
1290 case 2:
1291 goto btr;
1292 case 3:
1293 goto btc;
1294 }
1295 break;
1296 case 0xbe ... 0xbf: /* movsx */
1297 dst.bytes = op_bytes;
1298 dst.val = (d & ByteOp) ? (s8) src.val : (s16) src.val;
1299 break;
1300 }
1301 goto writeback;
1302
1303twobyte_special_insn:
1304 /* Disable writeback. */
1305 dst.orig_val = dst.val;
1306 switch (b) {
Avi Kivity687fdbf2007-05-24 11:17:33 +03001307 case 0x09: /* wbinvd */
1308 break;
Avi Kivity6aa8b732006-12-10 02:21:36 -08001309 case 0x0d: /* GrpP (prefetch) */
1310 case 0x18: /* Grp16 (prefetch/nop) */
1311 break;
1312 case 0x06:
1313 emulate_clts(ctxt->vcpu);
1314 break;
1315 case 0x20: /* mov cr, reg */
1316 if (modrm_mod != 3)
1317 goto cannot_emulate;
1318 _regs[modrm_rm] = realmode_get_cr(ctxt->vcpu, modrm_reg);
1319 break;
1320 case 0x22: /* mov reg, cr */
1321 if (modrm_mod != 3)
1322 goto cannot_emulate;
1323 realmode_set_cr(ctxt->vcpu, modrm_reg, modrm_val, &_eflags);
1324 break;
1325 case 0xc7: /* Grp9 (cmpxchg8b) */
Avi Kivity6aa8b732006-12-10 02:21:36 -08001326 {
Avi Kivity4c690a12007-04-22 15:28:19 +03001327 u64 old, new;
Avi Kivity6aa8b732006-12-10 02:21:36 -08001328 if ((rc = ops->read_emulated(cr2, &old, 8, ctxt)) != 0)
1329 goto done;
1330 if (((u32) (old >> 0) != (u32) _regs[VCPU_REGS_RAX]) ||
1331 ((u32) (old >> 32) != (u32) _regs[VCPU_REGS_RDX])) {
1332 _regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1333 _regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1334 _eflags &= ~EFLG_ZF;
1335 } else {
Avi Kivity4c690a12007-04-22 15:28:19 +03001336 new = ((u64)_regs[VCPU_REGS_RCX] << 32)
1337 | (u32) _regs[VCPU_REGS_RBX];
1338 if ((rc = ops->cmpxchg_emulated(cr2, &old,
1339 &new, 8, ctxt)) != 0)
Avi Kivity6aa8b732006-12-10 02:21:36 -08001340 goto done;
1341 _eflags |= EFLG_ZF;
1342 }
1343 break;
1344 }
Avi Kivity6aa8b732006-12-10 02:21:36 -08001345 }
1346 goto writeback;
1347
1348cannot_emulate:
1349 DPRINTF("Cannot emulate %02x\n", b);
1350 return -1;
1351}
1352
1353#ifdef __XEN__
1354
1355#include <asm/mm.h>
1356#include <asm/uaccess.h>
1357
1358int
1359x86_emulate_read_std(unsigned long addr,
1360 unsigned long *val,
1361 unsigned int bytes, struct x86_emulate_ctxt *ctxt)
1362{
1363 unsigned int rc;
1364
1365 *val = 0;
1366
1367 if ((rc = copy_from_user((void *)val, (void *)addr, bytes)) != 0) {
1368 propagate_page_fault(addr + bytes - rc, 0); /* read fault */
1369 return X86EMUL_PROPAGATE_FAULT;
1370 }
1371
1372 return X86EMUL_CONTINUE;
1373}
1374
1375int
1376x86_emulate_write_std(unsigned long addr,
1377 unsigned long val,
1378 unsigned int bytes, struct x86_emulate_ctxt *ctxt)
1379{
1380 unsigned int rc;
1381
1382 if ((rc = copy_to_user((void *)addr, (void *)&val, bytes)) != 0) {
1383 propagate_page_fault(addr + bytes - rc, PGERR_write_access);
1384 return X86EMUL_PROPAGATE_FAULT;
1385 }
1386
1387 return X86EMUL_CONTINUE;
1388}
1389
1390#endif