1
// SPDX-License-Identifier: GPL-2.0-only
2
/******************************************************************************
3
 * emulate.c
4
 *
5
 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6
 *
7
 * Copyright (c) 2005 Keir Fraser
8
 *
9
 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
10
 * privileged instructions:
11
 *
12
 * Copyright (C) 2006 Qumranet
13
 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
14
 *
15
 *   Avi Kivity <[email protected]>
16
 *   Yaniv Kamay <[email protected]>
17
 *
18
 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
19
 */
20
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
21

22
#include <linux/kvm_host.h>
23
#include "kvm_cache_regs.h"
24
#include "kvm_emulate.h"
25
#include <linux/stringify.h>
26
#include <asm/debugreg.h>
27
#include <asm/nospec-branch.h>
28
#include <asm/ibt.h>
29

30
#include "x86.h"
31
#include "tss.h"
32
#include "mmu.h"
33
#include "pmu.h"
34

35
/*
36
 * Operand types
37
 */
38
#define OpNone             0ull
39
#define OpImplicit         1ull  /* No generic decode */
40
#define OpReg              2ull  /* Register */
41
#define OpMem              3ull  /* Memory */
42
#define OpAcc              4ull  /* Accumulator: AL/AX/EAX/RAX */
43
#define OpDI               5ull  /* ES:DI/EDI/RDI */
44
#define OpMem64            6ull  /* Memory, 64-bit */
45
#define OpImmUByte         7ull  /* Zero-extended 8-bit immediate */
46
#define OpDX               8ull  /* DX register */
47
#define OpCL               9ull  /* CL register (for shifts) */
48
#define OpImmByte         10ull  /* 8-bit sign extended immediate */
49
#define OpOne             11ull  /* Implied 1 */
50
#define OpImm             12ull  /* Sign extended up to 32-bit immediate */
51
#define OpMem16           13ull  /* Memory operand (16-bit). */
52
#define OpMem32           14ull  /* Memory operand (32-bit). */
53
#define OpImmU            15ull  /* Immediate operand, zero extended */
54
#define OpSI              16ull  /* SI/ESI/RSI */
55
#define OpImmFAddr        17ull  /* Immediate far address */
56
#define OpMemFAddr        18ull  /* Far address in memory */
57
#define OpImmU16          19ull  /* Immediate operand, 16 bits, zero extended */
58
#define OpES              20ull  /* ES */
59
#define OpCS              21ull  /* CS */
60
#define OpSS              22ull  /* SS */
61
#define OpDS              23ull  /* DS */
62
#define OpFS              24ull  /* FS */
63
#define OpGS              25ull  /* GS */
64
#define OpMem8            26ull  /* 8-bit zero extended memory operand */
65
#define OpImm64           27ull  /* Sign extended 16/32/64-bit immediate */
66
#define OpXLat            28ull  /* memory at BX/EBX/RBX + zero-extended AL */
67
#define OpAccLo           29ull  /* Low part of extended acc (AX/AX/EAX/RAX) */
68
#define OpAccHi           30ull  /* High part of extended acc (-/DX/EDX/RDX) */
69

70
#define OpBits             5  /* Width of operand field */
71
#define OpMask             ((1ull << OpBits) - 1)
72

73
/*
74
 * Opcode effective-address decode tables.
75
 * Note that we only emulate instructions that have at least one memory
76
 * operand (excluding implicit stack references). We assume that stack
77
 * references and instruction fetches will never occur in special memory
78
 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
79
 * not be handled.
80
 */
81

82
/* Operand sizes: 8-bit operands or specified/overridden size. */
83
#define ByteOp      (1<<0)	/* 8-bit operands. */
84
/* Destination operand type. */
85
#define DstShift    1
86
#define ImplicitOps (OpImplicit << DstShift)
87
#define DstReg      (OpReg << DstShift)
88
#define DstMem      (OpMem << DstShift)
89
#define DstAcc      (OpAcc << DstShift)
90
#define DstDI       (OpDI << DstShift)
91
#define DstMem64    (OpMem64 << DstShift)
92
#define DstMem16    (OpMem16 << DstShift)
93
#define DstImmUByte (OpImmUByte << DstShift)
94
#define DstDX       (OpDX << DstShift)
95
#define DstAccLo    (OpAccLo << DstShift)
96
#define DstMask     (OpMask << DstShift)
97
/* Source operand type. */
98
#define SrcShift    6
99
#define SrcNone     (OpNone << SrcShift)
100
#define SrcReg      (OpReg << SrcShift)
101
#define SrcMem      (OpMem << SrcShift)
102
#define SrcMem16    (OpMem16 << SrcShift)
103
#define SrcMem32    (OpMem32 << SrcShift)
104
#define SrcImm      (OpImm << SrcShift)
105
#define SrcImmByte  (OpImmByte << SrcShift)
106
#define SrcOne      (OpOne << SrcShift)
107
#define SrcImmUByte (OpImmUByte << SrcShift)
108
#define SrcImmU     (OpImmU << SrcShift)
109
#define SrcSI       (OpSI << SrcShift)
110
#define SrcXLat     (OpXLat << SrcShift)
111
#define SrcImmFAddr (OpImmFAddr << SrcShift)
112
#define SrcMemFAddr (OpMemFAddr << SrcShift)
113
#define SrcAcc      (OpAcc << SrcShift)
114
#define SrcImmU16   (OpImmU16 << SrcShift)
115
#define SrcImm64    (OpImm64 << SrcShift)
116
#define SrcDX       (OpDX << SrcShift)
117
#define SrcMem8     (OpMem8 << SrcShift)
118
#define SrcAccHi    (OpAccHi << SrcShift)
119
#define SrcMask     (OpMask << SrcShift)
120
#define BitOp       (1<<11)
121
#define MemAbs      (1<<12)      /* Memory operand is absolute displacement */
122
#define String      (1<<13)     /* String instruction (rep capable) */
123
#define Stack       (1<<14)     /* Stack instruction (push/pop) */
124
#define GroupMask   (7<<15)     /* Opcode uses one of the group mechanisms */
125
#define Group       (1<<15)     /* Bits 3:5 of modrm byte extend opcode */
126
#define GroupDual   (2<<15)     /* Alternate decoding of mod == 3 */
127
#define Prefix      (3<<15)     /* Instruction varies with 66/f2/f3 prefix */
128
#define RMExt       (4<<15)     /* Opcode extension in ModRM r/m if mod == 3 */
129
#define Escape      (5<<15)     /* Escape to coprocessor instruction */
130
#define InstrDual   (6<<15)     /* Alternate instruction decoding of mod == 3 */
131
#define ModeDual    (7<<15)     /* Different instruction for 32/64 bit */
132
#define Sse         (1<<18)     /* SSE Vector instruction */
133
/* Generic ModRM decode. */
134
#define ModRM       (1<<19)
135
/* Destination is only written; never read. */
136
#define Mov         (1<<20)
137
/* Misc flags */
138
#define Prot        (1<<21) /* instruction generates #UD if not in prot-mode */
139
#define EmulateOnUD (1<<22) /* Emulate if unsupported by the host */
140
#define NoAccess    (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
141
#define Op3264      (1<<24) /* Operand is 64b in long mode, 32b otherwise */
142
#define Undefined   (1<<25) /* No Such Instruction */
143
#define Lock        (1<<26) /* lock prefix is allowed for the instruction */
144
#define Priv        (1<<27) /* instruction generates #GP if current CPL != 0 */
145
#define No64	    (1<<28)
146
#define PageTable   (1 << 29)   /* instruction used to write page table */
147
#define NotImpl     (1 << 30)   /* instruction is not implemented */
148
/* Source 2 operand type */
149
#define Src2Shift   (31)
150
#define Src2None    (OpNone << Src2Shift)
151
#define Src2Mem     (OpMem << Src2Shift)
152
#define Src2CL      (OpCL << Src2Shift)
153
#define Src2ImmByte (OpImmByte << Src2Shift)
154
#define Src2One     (OpOne << Src2Shift)
155
#define Src2Imm     (OpImm << Src2Shift)
156
#define Src2ES      (OpES << Src2Shift)
157
#define Src2CS      (OpCS << Src2Shift)
158
#define Src2SS      (OpSS << Src2Shift)
159
#define Src2DS      (OpDS << Src2Shift)
160
#define Src2FS      (OpFS << Src2Shift)
161
#define Src2GS      (OpGS << Src2Shift)
162
#define Src2Mask    (OpMask << Src2Shift)
163
#define Mmx         ((u64)1 << 40)  /* MMX Vector instruction */
164
#define AlignMask   ((u64)7 << 41)
165
#define Aligned     ((u64)1 << 41)  /* Explicitly aligned (e.g. MOVDQA) */
166
#define Unaligned   ((u64)2 << 41)  /* Explicitly unaligned (e.g. MOVDQU) */
167
#define Avx         ((u64)3 << 41)  /* Advanced Vector Extensions */
168
#define Aligned16   ((u64)4 << 41)  /* Aligned to 16 byte boundary (e.g. FXSAVE) */
169
#define Fastop      ((u64)1 << 44)  /* Use opcode::u.fastop */
170
#define NoWrite     ((u64)1 << 45)  /* No writeback */
171
#define SrcWrite    ((u64)1 << 46)  /* Write back src operand */
172
#define NoMod	    ((u64)1 << 47)  /* Mod field is ignored */
173
#define Intercept   ((u64)1 << 48)  /* Has valid intercept field */
174
#define CheckPerm   ((u64)1 << 49)  /* Has valid check_perm field */
175
#define PrivUD      ((u64)1 << 51)  /* #UD instead of #GP on CPL > 0 */
176
#define NearBranch  ((u64)1 << 52)  /* Near branches */
177
#define No16	    ((u64)1 << 53)  /* No 16 bit operand */
178
#define IncSP       ((u64)1 << 54)  /* SP is incremented before ModRM calc */
179
#define TwoMemOp    ((u64)1 << 55)  /* Instruction has two memory operand */
180
#define IsBranch    ((u64)1 << 56)  /* Instruction is considered a branch. */
181

182
#define DstXacc     (DstAccLo | SrcAccHi | SrcWrite)
183

184
#define X2(x...) x, x
185
#define X3(x...) X2(x), x
186
#define X4(x...) X2(x), X2(x)
187
#define X5(x...) X4(x), x
188
#define X6(x...) X4(x), X2(x)
189
#define X7(x...) X4(x), X3(x)
190
#define X8(x...) X4(x), X4(x)
191
#define X16(x...) X8(x), X8(x)
192

193
struct opcode {
194
	u64 flags;
195
	u8 intercept;
196
	u8 pad[7];
197
	union {
198
		int (*execute)(struct x86_emulate_ctxt *ctxt);
199
		const struct opcode *group;
200
		const struct group_dual *gdual;
201
		const struct gprefix *gprefix;
202
		const struct escape *esc;
203
		const struct instr_dual *idual;
204
		const struct mode_dual *mdual;
205
		void (*fastop)(struct fastop *fake);
206
	} u;
207
	int (*check_perm)(struct x86_emulate_ctxt *ctxt);
208
};
209

210
struct group_dual {
211
	struct opcode mod012[8];
212
	struct opcode mod3[8];
213
};
214

215
struct gprefix {
216
	struct opcode pfx_no;
217
	struct opcode pfx_66;
218
	struct opcode pfx_f2;
219
	struct opcode pfx_f3;
220
};
221

222
struct escape {
223
	struct opcode op[8];
224
	struct opcode high[64];
225
};
226

227
struct instr_dual {
228
	struct opcode mod012;
229
	struct opcode mod3;
230
};
231

232
struct mode_dual {
233
	struct opcode mode32;
234
	struct opcode mode64;
235
};
236

237
#define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
238

239
enum x86_transfer_type {
240
	X86_TRANSFER_NONE,
241
	X86_TRANSFER_CALL_JMP,
242
	X86_TRANSFER_RET,
243
	X86_TRANSFER_TASK_SWITCH,
244
};
245

246
static void writeback_registers(struct x86_emulate_ctxt *ctxt)
247
{
248
	unsigned long dirty = ctxt->regs_dirty;
249
	unsigned reg;
250

251
	for_each_set_bit(reg, &dirty, NR_EMULATOR_GPRS)
252
		ctxt->ops->write_gpr(ctxt, reg, ctxt->_regs[reg]);
253
}
254

255
static void invalidate_registers(struct x86_emulate_ctxt *ctxt)
256
{
257
	ctxt->regs_dirty = 0;
258
	ctxt->regs_valid = 0;
259
}
260

261
/*
262
 * These EFLAGS bits are restored from saved value during emulation, and
263
 * any changes are written back to the saved value after emulation.
264
 */
265
#define EFLAGS_MASK (X86_EFLAGS_OF|X86_EFLAGS_SF|X86_EFLAGS_ZF|X86_EFLAGS_AF|\
266
		     X86_EFLAGS_PF|X86_EFLAGS_CF)
267

268
#ifdef CONFIG_X86_64
269
#define ON64(x) x
270
#else
271
#define ON64(x)
272
#endif
273

274
/*
275
 * fastop functions have a special calling convention:
276
 *
277
 * dst:    rax        (in/out)
278
 * src:    rdx        (in/out)
279
 * src2:   rcx        (in)
280
 * flags:  rflags     (in/out)
281
 * ex:     rsi        (in:fastop pointer, out:zero if exception)
282
 *
283
 * Moreover, they are all exactly FASTOP_SIZE bytes long, so functions for
284
 * different operand sizes can be reached by calculation, rather than a jump
285
 * table (which would be bigger than the code).
286
 *
287
 * The 16 byte alignment, considering 5 bytes for the RET thunk, 3 for ENDBR
288
 * and 1 for the straight line speculation INT3, leaves 7 bytes for the
289
 * body of the function.  Currently none is larger than 4.
290
 */
291
static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop);
292

293
#define FASTOP_SIZE	16
294

295
#define __FOP_FUNC(name) \
296
	".align " __stringify(FASTOP_SIZE) " \n\t" \
297
	".type " name ", @function \n\t" \
298
	name ":\n\t" \
299
	ASM_ENDBR \
300
	IBT_NOSEAL(name)
301

302
#define FOP_FUNC(name) \
303
	__FOP_FUNC(#name)
304

305
#define __FOP_RET(name) \
306
	"11: " ASM_RET \
307
	".size " name ", .-" name "\n\t"
308

309
#define FOP_RET(name) \
310
	__FOP_RET(#name)
311

312
#define __FOP_START(op, align) \
313
	extern void em_##op(struct fastop *fake); \
314
	asm(".pushsection .text, \"ax\" \n\t" \
315
	    ".global em_" #op " \n\t" \
316
	    ".align " __stringify(align) " \n\t" \
317
	    "em_" #op ":\n\t"
318

319
#define FOP_START(op) __FOP_START(op, FASTOP_SIZE)
320

321
#define FOP_END \
322
	    ".popsection")
323

324
#define __FOPNOP(name) \
325
	__FOP_FUNC(name) \
326
	__FOP_RET(name)
327

328
#define FOPNOP() \
329
	__FOPNOP(__stringify(__UNIQUE_ID(nop)))
330

331
#define FOP1E(op,  dst) \
332
	__FOP_FUNC(#op "_" #dst) \
333
	"10: " #op " %" #dst " \n\t" \
334
	__FOP_RET(#op "_" #dst)
335

336
#define FOP1EEX(op,  dst) \
337
	FOP1E(op, dst) _ASM_EXTABLE_TYPE_REG(10b, 11b, EX_TYPE_ZERO_REG, %%esi)
338

339
#define FASTOP1(op) \
340
	FOP_START(op) \
341
	FOP1E(op##b, al) \
342
	FOP1E(op##w, ax) \
343
	FOP1E(op##l, eax) \
344
	ON64(FOP1E(op##q, rax))	\
345
	FOP_END
346

347
/* 1-operand, using src2 (for MUL/DIV r/m) */
348
#define FASTOP1SRC2(op, name) \
349
	FOP_START(name) \
350
	FOP1E(op, cl) \
351
	FOP1E(op, cx) \
352
	FOP1E(op, ecx) \
353
	ON64(FOP1E(op, rcx)) \
354
	FOP_END
355

356
/* 1-operand, using src2 (for MUL/DIV r/m), with exceptions */
357
#define FASTOP1SRC2EX(op, name) \
358
	FOP_START(name) \
359
	FOP1EEX(op, cl) \
360
	FOP1EEX(op, cx) \
361
	FOP1EEX(op, ecx) \
362
	ON64(FOP1EEX(op, rcx)) \
363
	FOP_END
364

365
#define FOP2E(op,  dst, src)	   \
366
	__FOP_FUNC(#op "_" #dst "_" #src) \
367
	#op " %" #src ", %" #dst " \n\t" \
368
	__FOP_RET(#op "_" #dst "_" #src)
369

370
#define FASTOP2(op) \
371
	FOP_START(op) \
372
	FOP2E(op##b, al, dl) \
373
	FOP2E(op##w, ax, dx) \
374
	FOP2E(op##l, eax, edx) \
375
	ON64(FOP2E(op##q, rax, rdx)) \
376
	FOP_END
377

378
/* 2 operand, word only */
379
#define FASTOP2W(op) \
380
	FOP_START(op) \
381
	FOPNOP() \
382
	FOP2E(op##w, ax, dx) \
383
	FOP2E(op##l, eax, edx) \
384
	ON64(FOP2E(op##q, rax, rdx)) \
385
	FOP_END
386

387
/* 2 operand, src is CL */
388
#define FASTOP2CL(op) \
389
	FOP_START(op) \
390
	FOP2E(op##b, al, cl) \
391
	FOP2E(op##w, ax, cl) \
392
	FOP2E(op##l, eax, cl) \
393
	ON64(FOP2E(op##q, rax, cl)) \
394
	FOP_END
395

396
/* 2 operand, src and dest are reversed */
397
#define FASTOP2R(op, name) \
398
	FOP_START(name) \
399
	FOP2E(op##b, dl, al) \
400
	FOP2E(op##w, dx, ax) \
401
	FOP2E(op##l, edx, eax) \
402
	ON64(FOP2E(op##q, rdx, rax)) \
403
	FOP_END
404

405
#define FOP3E(op,  dst, src, src2) \
406
	__FOP_FUNC(#op "_" #dst "_" #src "_" #src2) \
407
	#op " %" #src2 ", %" #src ", %" #dst " \n\t"\
408
	__FOP_RET(#op "_" #dst "_" #src "_" #src2)
409

410
/* 3-operand, word-only, src2=cl */
411
#define FASTOP3WCL(op) \
412
	FOP_START(op) \
413
	FOPNOP() \
414
	FOP3E(op##w, ax, dx, cl) \
415
	FOP3E(op##l, eax, edx, cl) \
416
	ON64(FOP3E(op##q, rax, rdx, cl)) \
417
	FOP_END
418

419
/* Special case for SETcc - 1 instruction per cc */
420
#define FOP_SETCC(op) \
421
	FOP_FUNC(op) \
422
	#op " %al \n\t" \
423
	FOP_RET(op)
424

425
FOP_START(setcc)
426
FOP_SETCC(seto)
427
FOP_SETCC(setno)
428
FOP_SETCC(setc)
429
FOP_SETCC(setnc)
430
FOP_SETCC(setz)
431
FOP_SETCC(setnz)
432
FOP_SETCC(setbe)
433
FOP_SETCC(setnbe)
434
FOP_SETCC(sets)
435
FOP_SETCC(setns)
436
FOP_SETCC(setp)
437
FOP_SETCC(setnp)
438
FOP_SETCC(setl)
439
FOP_SETCC(setnl)
440
FOP_SETCC(setle)
441
FOP_SETCC(setnle)
442
FOP_END;
443

444
FOP_START(salc)
445
FOP_FUNC(salc)
446
"pushf; sbb %al, %al; popf \n\t"
447
FOP_RET(salc)
448
FOP_END;
449

450
/*
451
 * XXX: inoutclob user must know where the argument is being expanded.
452
 *      Using asm goto would allow us to remove _fault.
453
 */
454
#define asm_safe(insn, inoutclob...) \
455
({ \
456
	int _fault = 0; \
457
 \
458
	asm volatile("1:" insn "\n" \
459
	             "2:\n" \
460
		     _ASM_EXTABLE_TYPE_REG(1b, 2b, EX_TYPE_ONE_REG, %[_fault]) \
461
	             : [_fault] "+r"(_fault) inoutclob ); \
462
 \
463
	_fault ? X86EMUL_UNHANDLEABLE : X86EMUL_CONTINUE; \
464
})
465

466
static int emulator_check_intercept(struct x86_emulate_ctxt *ctxt,
467
				    enum x86_intercept intercept,
468
				    enum x86_intercept_stage stage)
469
{
470
	struct x86_instruction_info info = {
471
		.intercept  = intercept,
472
		.rep_prefix = ctxt->rep_prefix,
473
		.modrm_mod  = ctxt->modrm_mod,
474
		.modrm_reg  = ctxt->modrm_reg,
475
		.modrm_rm   = ctxt->modrm_rm,
476
		.src_val    = ctxt->src.val64,
477
		.dst_val    = ctxt->dst.val64,
478
		.src_bytes  = ctxt->src.bytes,
479
		.dst_bytes  = ctxt->dst.bytes,
480
		.src_type   = ctxt->src.type,
481
		.dst_type   = ctxt->dst.type,
482
		.ad_bytes   = ctxt->ad_bytes,
483
		.rip	    = ctxt->eip,
484
		.next_rip   = ctxt->_eip,
485
	};
486

487
	return ctxt->ops->intercept(ctxt, &info, stage);
488
}
489

490
static void assign_masked(ulong *dest, ulong src, ulong mask)
491
{
492
	*dest = (*dest & ~mask) | (src & mask);
493
}
494

495
static void assign_register(unsigned long *reg, u64 val, int bytes)
496
{
497
	/* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
498
	switch (bytes) {
499
	case 1:
500
		*(u8 *)reg = (u8)val;
501
		break;
502
	case 2:
503
		*(u16 *)reg = (u16)val;
504
		break;
505
	case 4:
506
		*reg = (u32)val;
507
		break;	/* 64b: zero-extend */
508
	case 8:
509
		*reg = val;
510
		break;
511
	}
512
}
513

514
static inline unsigned long ad_mask(struct x86_emulate_ctxt *ctxt)
515
{
516
	return (1UL << (ctxt->ad_bytes << 3)) - 1;
517
}
518

519
static ulong stack_mask(struct x86_emulate_ctxt *ctxt)
520
{
521
	u16 sel;
522
	struct desc_struct ss;
523

524
	if (ctxt->mode == X86EMUL_MODE_PROT64)
525
		return ~0UL;
526
	ctxt->ops->get_segment(ctxt, &sel, &ss, NULL, VCPU_SREG_SS);
527
	return ~0U >> ((ss.d ^ 1) * 16);  /* d=0: 0xffff; d=1: 0xffffffff */
528
}
529

530
static int stack_size(struct x86_emulate_ctxt *ctxt)
531
{
532
	return (__fls(stack_mask(ctxt)) + 1) >> 3;
533
}
534

535
/* Access/update address held in a register, based on addressing mode. */
536
static inline unsigned long
537
address_mask(struct x86_emulate_ctxt *ctxt, unsigned long reg)
538
{
539
	if (ctxt->ad_bytes == sizeof(unsigned long))
540
		return reg;
541
	else
542
		return reg & ad_mask(ctxt);
543
}
544

545
static inline unsigned long
546
register_address(struct x86_emulate_ctxt *ctxt, int reg)
547
{
548
	return address_mask(ctxt, reg_read(ctxt, reg));
549
}
550

551
static void masked_increment(ulong *reg, ulong mask, int inc)
552
{
553
	assign_masked(reg, *reg + inc, mask);
554
}
555

556
static inline void
557
register_address_increment(struct x86_emulate_ctxt *ctxt, int reg, int inc)
558
{
559
	ulong *preg = reg_rmw(ctxt, reg);
560

561
	assign_register(preg, *preg + inc, ctxt->ad_bytes);
562
}
563

564
static void rsp_increment(struct x86_emulate_ctxt *ctxt, int inc)
565
{
566
	masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc);
567
}
568

569
static u32 desc_limit_scaled(struct desc_struct *desc)
570
{
571
	u32 limit = get_desc_limit(desc);
572

573
	return desc->g ? (limit << 12) | 0xfff : limit;
574
}
575

576
static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
577
{
578
	if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
579
		return 0;
580

581
	return ctxt->ops->get_cached_segment_base(ctxt, seg);
582
}
583

584
static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
585
			     u32 error, bool valid)
586
{
587
	if (KVM_EMULATOR_BUG_ON(vec > 0x1f, ctxt))
588
		return X86EMUL_UNHANDLEABLE;
589

590
	ctxt->exception.vector = vec;
591
	ctxt->exception.error_code = error;
592
	ctxt->exception.error_code_valid = valid;
593
	return X86EMUL_PROPAGATE_FAULT;
594
}
595

596
static int emulate_db(struct x86_emulate_ctxt *ctxt)
597
{
598
	return emulate_exception(ctxt, DB_VECTOR, 0, false);
599
}
600

601
static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
602
{
603
	return emulate_exception(ctxt, GP_VECTOR, err, true);
604
}
605

606
static int emulate_ss(struct x86_emulate_ctxt *ctxt, int err)
607
{
608
	return emulate_exception(ctxt, SS_VECTOR, err, true);
609
}
610

611
static int emulate_ud(struct x86_emulate_ctxt *ctxt)
612
{
613
	return emulate_exception(ctxt, UD_VECTOR, 0, false);
614
}
615

616
static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
617
{
618
	return emulate_exception(ctxt, TS_VECTOR, err, true);
619
}
620

621
static int emulate_de(struct x86_emulate_ctxt *ctxt)
622
{
623
	return emulate_exception(ctxt, DE_VECTOR, 0, false);
624
}
625

626
static int emulate_nm(struct x86_emulate_ctxt *ctxt)
627
{
628
	return emulate_exception(ctxt, NM_VECTOR, 0, false);
629
}
630

631
static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
632
{
633
	u16 selector;
634
	struct desc_struct desc;
635

636
	ctxt->ops->get_segment(ctxt, &selector, &desc, NULL, seg);
637
	return selector;
638
}
639

640
static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
641
				 unsigned seg)
642
{
643
	u16 dummy;
644
	u32 base3;
645
	struct desc_struct desc;
646

647
	ctxt->ops->get_segment(ctxt, &dummy, &desc, &base3, seg);
648
	ctxt->ops->set_segment(ctxt, selector, &desc, base3, seg);
649
}
650

651
static inline u8 ctxt_virt_addr_bits(struct x86_emulate_ctxt *ctxt)
652
{
653
	return (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_LA57) ? 57 : 48;
654
}
655

656
static inline bool emul_is_noncanonical_address(u64 la,
657
						struct x86_emulate_ctxt *ctxt,
658
						unsigned int flags)
659
{
660
	return !ctxt->ops->is_canonical_addr(ctxt, la, flags);
661
}
662

663
/*
664
 * x86 defines three classes of vector instructions: explicitly
665
 * aligned, explicitly unaligned, and the rest, which change behaviour
666
 * depending on whether they're AVX encoded or not.
667
 *
668
 * Also included is CMPXCHG16B which is not a vector instruction, yet it is
669
 * subject to the same check.  FXSAVE and FXRSTOR are checked here too as their
670
 * 512 bytes of data must be aligned to a 16 byte boundary.
671
 */
672
static unsigned insn_alignment(struct x86_emulate_ctxt *ctxt, unsigned size)
673
{
674
	u64 alignment = ctxt->d & AlignMask;
675

676
	if (likely(size < 16))
677
		return 1;
678

679
	switch (alignment) {
680
	case Unaligned:
681
	case Avx:
682
		return 1;
683
	case Aligned16:
684
		return 16;
685
	case Aligned:
686
	default:
687
		return size;
688
	}
689
}
690

691
static __always_inline int __linearize(struct x86_emulate_ctxt *ctxt,
692
				       struct segmented_address addr,
693
				       unsigned *max_size, unsigned size,
694
				       enum x86emul_mode mode, ulong *linear,
695
				       unsigned int flags)
696
{
697
	struct desc_struct desc;
698
	bool usable;
699
	ulong la;
700
	u32 lim;
701
	u16 sel;
702
	u8  va_bits;
703

704
	la = seg_base(ctxt, addr.seg) + addr.ea;
705
	*max_size = 0;
706
	switch (mode) {
707
	case X86EMUL_MODE_PROT64:
708
		*linear = la = ctxt->ops->get_untagged_addr(ctxt, la, flags);
709
		va_bits = ctxt_virt_addr_bits(ctxt);
710
		if (!__is_canonical_address(la, va_bits))
711
			goto bad;
712

713
		*max_size = min_t(u64, ~0u, (1ull << va_bits) - la);
714
		if (size > *max_size)
715
			goto bad;
716
		break;
717
	default:
718
		*linear = la = (u32)la;
719
		usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
720
						addr.seg);
721
		if (!usable)
722
			goto bad;
723
		/* code segment in protected mode or read-only data segment */
724
		if ((((ctxt->mode != X86EMUL_MODE_REAL) && (desc.type & 8)) || !(desc.type & 2)) &&
725
		    (flags & X86EMUL_F_WRITE))
726
			goto bad;
727
		/* unreadable code segment */
728
		if (!(flags & X86EMUL_F_FETCH) && (desc.type & 8) && !(desc.type & 2))
729
			goto bad;
730
		lim = desc_limit_scaled(&desc);
731
		if (!(desc.type & 8) && (desc.type & 4)) {
732
			/* expand-down segment */
733
			if (addr.ea <= lim)
734
				goto bad;
735
			lim = desc.d ? 0xffffffff : 0xffff;
736
		}
737
		if (addr.ea > lim)
738
			goto bad;
739
		if (lim == 0xffffffff)
740
			*max_size = ~0u;
741
		else {
742
			*max_size = (u64)lim + 1 - addr.ea;
743
			if (size > *max_size)
744
				goto bad;
745
		}
746
		break;
747
	}
748
	if (la & (insn_alignment(ctxt, size) - 1))
749
		return emulate_gp(ctxt, 0);
750
	return X86EMUL_CONTINUE;
751
bad:
752
	if (addr.seg == VCPU_SREG_SS)
753
		return emulate_ss(ctxt, 0);
754
	else
755
		return emulate_gp(ctxt, 0);
756
}
757

758
static int linearize(struct x86_emulate_ctxt *ctxt,
759
		     struct segmented_address addr,
760
		     unsigned size, bool write,
761
		     ulong *linear)
762
{
763
	unsigned max_size;
764
	return __linearize(ctxt, addr, &max_size, size, ctxt->mode, linear,
765
			   write ? X86EMUL_F_WRITE : 0);
766
}
767

768
static inline int assign_eip(struct x86_emulate_ctxt *ctxt, ulong dst)
769
{
770
	ulong linear;
771
	int rc;
772
	unsigned max_size;
773
	struct segmented_address addr = { .seg = VCPU_SREG_CS,
774
					   .ea = dst };
775

776
	if (ctxt->op_bytes != sizeof(unsigned long))
777
		addr.ea = dst & ((1UL << (ctxt->op_bytes << 3)) - 1);
778
	rc = __linearize(ctxt, addr, &max_size, 1, ctxt->mode, &linear,
779
			 X86EMUL_F_FETCH);
780
	if (rc == X86EMUL_CONTINUE)
781
		ctxt->_eip = addr.ea;
782
	return rc;
783
}
784

785
static inline int emulator_recalc_and_set_mode(struct x86_emulate_ctxt *ctxt)
786
{
787
	u64 efer;
788
	struct desc_struct cs;
789
	u16 selector;
790
	u32 base3;
791

792
	ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
793

794
	if (!(ctxt->ops->get_cr(ctxt, 0) & X86_CR0_PE)) {
795
		/* Real mode. cpu must not have long mode active */
796
		if (efer & EFER_LMA)
797
			return X86EMUL_UNHANDLEABLE;
798
		ctxt->mode = X86EMUL_MODE_REAL;
799
		return X86EMUL_CONTINUE;
800
	}
801

802
	if (ctxt->eflags & X86_EFLAGS_VM) {
803
		/* Protected/VM86 mode. cpu must not have long mode active */
804
		if (efer & EFER_LMA)
805
			return X86EMUL_UNHANDLEABLE;
806
		ctxt->mode = X86EMUL_MODE_VM86;
807
		return X86EMUL_CONTINUE;
808
	}
809

810
	if (!ctxt->ops->get_segment(ctxt, &selector, &cs, &base3, VCPU_SREG_CS))
811
		return X86EMUL_UNHANDLEABLE;
812

813
	if (efer & EFER_LMA) {
814
		if (cs.l) {
815
			/* Proper long mode */
816
			ctxt->mode = X86EMUL_MODE_PROT64;
817
		} else if (cs.d) {
818
			/* 32 bit compatibility mode*/
819
			ctxt->mode = X86EMUL_MODE_PROT32;
820
		} else {
821
			ctxt->mode = X86EMUL_MODE_PROT16;
822
		}
823
	} else {
824
		/* Legacy 32 bit / 16 bit mode */
825
		ctxt->mode = cs.d ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16;
826
	}
827

828
	return X86EMUL_CONTINUE;
829
}
830

831
static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
832
{
833
	return assign_eip(ctxt, dst);
834
}
835

836
static int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst)
837
{
838
	int rc = emulator_recalc_and_set_mode(ctxt);
839

840
	if (rc != X86EMUL_CONTINUE)
841
		return rc;
842

843
	return assign_eip(ctxt, dst);
844
}
845

846
static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
847
{
848
	return assign_eip_near(ctxt, ctxt->_eip + rel);
849
}
850

851
static int linear_read_system(struct x86_emulate_ctxt *ctxt, ulong linear,
852
			      void *data, unsigned size)
853
{
854
	return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception, true);
855
}
856

857
static int linear_write_system(struct x86_emulate_ctxt *ctxt,
858
			       ulong linear, void *data,
859
			       unsigned int size)
860
{
861
	return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception, true);
862
}
863

864
static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
865
			      struct segmented_address addr,
866
			      void *data,
867
			      unsigned size)
868
{
869
	int rc;
870
	ulong linear;
871

872
	rc = linearize(ctxt, addr, size, false, &linear);
873
	if (rc != X86EMUL_CONTINUE)
874
		return rc;
875
	return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception, false);
876
}
877

878
static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
879
			       struct segmented_address addr,
880
			       void *data,
881
			       unsigned int size)
882
{
883
	int rc;
884
	ulong linear;
885

886
	rc = linearize(ctxt, addr, size, true, &linear);
887
	if (rc != X86EMUL_CONTINUE)
888
		return rc;
889
	return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception, false);
890
}
891

892
/*
893
 * Prefetch the remaining bytes of the instruction without crossing page
894
 * boundary if they are not in fetch_cache yet.
895
 */
896
static int __do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt, int op_size)
897
{
898
	int rc;
899
	unsigned size, max_size;
900
	unsigned long linear;
901
	int cur_size = ctxt->fetch.end - ctxt->fetch.data;
902
	struct segmented_address addr = { .seg = VCPU_SREG_CS,
903
					   .ea = ctxt->eip + cur_size };
904

905
	/*
906
	 * We do not know exactly how many bytes will be needed, and
907
	 * __linearize is expensive, so fetch as much as possible.  We
908
	 * just have to avoid going beyond the 15 byte limit, the end
909
	 * of the segment, or the end of the page.
910
	 *
911
	 * __linearize is called with size 0 so that it does not do any
912
	 * boundary check itself.  Instead, we use max_size to check
913
	 * against op_size.
914
	 */
915
	rc = __linearize(ctxt, addr, &max_size, 0, ctxt->mode, &linear,
916
			 X86EMUL_F_FETCH);
917
	if (unlikely(rc != X86EMUL_CONTINUE))
918
		return rc;
919

920
	size = min_t(unsigned, 15UL ^ cur_size, max_size);
921
	size = min_t(unsigned, size, PAGE_SIZE - offset_in_page(linear));
922

923
	/*
924
	 * One instruction can only straddle two pages,
925
	 * and one has been loaded at the beginning of
926
	 * x86_decode_insn.  So, if not enough bytes
927
	 * still, we must have hit the 15-byte boundary.
928
	 */
929
	if (unlikely(size < op_size))
930
		return emulate_gp(ctxt, 0);
931

932
	rc = ctxt->ops->fetch(ctxt, linear, ctxt->fetch.end,
933
			      size, &ctxt->exception);
934
	if (unlikely(rc != X86EMUL_CONTINUE))
935
		return rc;
936
	ctxt->fetch.end += size;
937
	return X86EMUL_CONTINUE;
938
}
939

940
static __always_inline int do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt,
941
					       unsigned size)
942
{
943
	unsigned done_size = ctxt->fetch.end - ctxt->fetch.ptr;
944

945
	if (unlikely(done_size < size))
946
		return __do_insn_fetch_bytes(ctxt, size - done_size);
947
	else
948
		return X86EMUL_CONTINUE;
949
}
950

951
/* Fetch next part of the instruction being emulated. */
952
#define insn_fetch(_type, _ctxt)					\
953
({	_type _x;							\
954
									\
955
	rc = do_insn_fetch_bytes(_ctxt, sizeof(_type));			\
956
	if (rc != X86EMUL_CONTINUE)					\
957
		goto done;						\
958
	ctxt->_eip += sizeof(_type);					\
959
	memcpy(&_x, ctxt->fetch.ptr, sizeof(_type));			\
960
	ctxt->fetch.ptr += sizeof(_type);				\
961
	_x;								\
962
})
963

964
#define insn_fetch_arr(_arr, _size, _ctxt)				\
965
({									\
966
	rc = do_insn_fetch_bytes(_ctxt, _size);				\
967
	if (rc != X86EMUL_CONTINUE)					\
968
		goto done;						\
969
	ctxt->_eip += (_size);						\
970
	memcpy(_arr, ctxt->fetch.ptr, _size);				\
971
	ctxt->fetch.ptr += (_size);					\
972
})
973

974
/*
975
 * Given the 'reg' portion of a ModRM byte, and a register block, return a
976
 * pointer into the block that addresses the relevant register.
977
 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
978
 */
979
static void *decode_register(struct x86_emulate_ctxt *ctxt, u8 modrm_reg,
980
			     int byteop)
981
{
982
	void *p;
983
	int highbyte_regs = (ctxt->rex_prefix == 0) && byteop;
984

985
	if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
986
		p = (unsigned char *)reg_rmw(ctxt, modrm_reg & 3) + 1;
987
	else
988
		p = reg_rmw(ctxt, modrm_reg);
989
	return p;
990
}
991

992
static int read_descriptor(struct x86_emulate_ctxt *ctxt,
993
			   struct segmented_address addr,
994
			   u16 *size, unsigned long *address, int op_bytes)
995
{
996
	int rc;
997

998
	if (op_bytes == 2)
999
		op_bytes = 3;
1000
	*address = 0;
1001
	rc = segmented_read_std(ctxt, addr, size, 2);
1002
	if (rc != X86EMUL_CONTINUE)
1003
		return rc;
1004
	addr.ea += 2;
1005
	rc = segmented_read_std(ctxt, addr, address, op_bytes);
1006
	return rc;
1007
}
1008

1009
FASTOP2(add);
1010
FASTOP2(or);
1011
FASTOP2(adc);
1012
FASTOP2(sbb);
1013
FASTOP2(and);
1014
FASTOP2(sub);
1015
FASTOP2(xor);
1016
FASTOP2(cmp);
1017
FASTOP2(test);
1018

1019
FASTOP1SRC2(mul, mul_ex);
1020
FASTOP1SRC2(imul, imul_ex);
1021
FASTOP1SRC2EX(div, div_ex);
1022
FASTOP1SRC2EX(idiv, idiv_ex);
1023

1024
FASTOP3WCL(shld);
1025
FASTOP3WCL(shrd);
1026

1027
FASTOP2W(imul);
1028

1029
FASTOP1(not);
1030
FASTOP1(neg);
1031
FASTOP1(inc);
1032
FASTOP1(dec);
1033

1034
FASTOP2CL(rol);
1035
FASTOP2CL(ror);
1036
FASTOP2CL(rcl);
1037
FASTOP2CL(rcr);
1038
FASTOP2CL(shl);
1039
FASTOP2CL(shr);
1040
FASTOP2CL(sar);
1041

1042
FASTOP2W(bsf);
1043
FASTOP2W(bsr);
1044
FASTOP2W(bt);
1045
FASTOP2W(bts);
1046
FASTOP2W(btr);
1047
FASTOP2W(btc);
1048

1049
FASTOP2(xadd);
1050

1051
FASTOP2R(cmp, cmp_r);
1052

1053
static int em_bsf_c(struct x86_emulate_ctxt *ctxt)
1054
{
1055
	/* If src is zero, do not writeback, but update flags */
1056
	if (ctxt->src.val == 0)
1057
		ctxt->dst.type = OP_NONE;
1058
	return fastop(ctxt, em_bsf);
1059
}
1060

1061
static int em_bsr_c(struct x86_emulate_ctxt *ctxt)
1062
{
1063
	/* If src is zero, do not writeback, but update flags */
1064
	if (ctxt->src.val == 0)
1065
		ctxt->dst.type = OP_NONE;
1066
	return fastop(ctxt, em_bsr);
1067
}
1068

1069
static __always_inline u8 test_cc(unsigned int condition, unsigned long flags)
1070
{
1071
	u8 rc;
1072
	void (*fop)(void) = (void *)em_setcc + FASTOP_SIZE * (condition & 0xf);
1073

1074
	flags = (flags & EFLAGS_MASK) | X86_EFLAGS_IF;
1075
	asm("push %[flags]; popf; " CALL_NOSPEC
1076
	    : "=a"(rc), ASM_CALL_CONSTRAINT : [thunk_target]"r"(fop), [flags]"r"(flags));
1077
	return rc;
1078
}
1079

1080
static void fetch_register_operand(struct operand *op)
1081
{
1082
	switch (op->bytes) {
1083
	case 1:
1084
		op->val = *(u8 *)op->addr.reg;
1085
		break;
1086
	case 2:
1087
		op->val = *(u16 *)op->addr.reg;
1088
		break;
1089
	case 4:
1090
		op->val = *(u32 *)op->addr.reg;
1091
		break;
1092
	case 8:
1093
		op->val = *(u64 *)op->addr.reg;
1094
		break;
1095
	}
1096
}
1097

1098
static int em_fninit(struct x86_emulate_ctxt *ctxt)
1099
{
1100
	if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1101
		return emulate_nm(ctxt);
1102

1103
	kvm_fpu_get();
1104
	asm volatile("fninit");
1105
	kvm_fpu_put();
1106
	return X86EMUL_CONTINUE;
1107
}
1108

1109
static int em_fnstcw(struct x86_emulate_ctxt *ctxt)
1110
{
1111
	u16 fcw;
1112

1113
	if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1114
		return emulate_nm(ctxt);
1115

1116
	kvm_fpu_get();
1117
	asm volatile("fnstcw %0": "+m"(fcw));
1118
	kvm_fpu_put();
1119

1120
	ctxt->dst.val = fcw;
1121

1122
	return X86EMUL_CONTINUE;
1123
}
1124

1125
static int em_fnstsw(struct x86_emulate_ctxt *ctxt)
1126
{
1127
	u16 fsw;
1128

1129
	if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
1130
		return emulate_nm(ctxt);
1131

1132
	kvm_fpu_get();
1133
	asm volatile("fnstsw %0": "+m"(fsw));
1134
	kvm_fpu_put();
1135

1136
	ctxt->dst.val = fsw;
1137

1138
	return X86EMUL_CONTINUE;
1139
}
1140

1141
static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
1142
				    struct operand *op)
1143
{
1144
	unsigned int reg;
1145

1146
	if (ctxt->d & ModRM)
1147
		reg = ctxt->modrm_reg;
1148
	else
1149
		reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3);
1150

1151
	if (ctxt->d & Sse) {
1152
		op->type = OP_XMM;
1153
		op->bytes = 16;
1154
		op->addr.xmm = reg;
1155
		kvm_read_sse_reg(reg, &op->vec_val);
1156
		return;
1157
	}
1158
	if (ctxt->d & Mmx) {
1159
		reg &= 7;
1160
		op->type = OP_MM;
1161
		op->bytes = 8;
1162
		op->addr.mm = reg;
1163
		return;
1164
	}
1165

1166
	op->type = OP_REG;
1167
	op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1168
	op->addr.reg = decode_register(ctxt, reg, ctxt->d & ByteOp);
1169

1170
	fetch_register_operand(op);
1171
	op->orig_val = op->val;
1172
}
1173

1174
static void adjust_modrm_seg(struct x86_emulate_ctxt *ctxt, int base_reg)
1175
{
1176
	if (base_reg == VCPU_REGS_RSP || base_reg == VCPU_REGS_RBP)
1177
		ctxt->modrm_seg = VCPU_SREG_SS;
1178
}
1179

1180
static int decode_modrm(struct x86_emulate_ctxt *ctxt,
1181
			struct operand *op)
1182
{
1183
	u8 sib;
1184
	int index_reg, base_reg, scale;
1185
	int rc = X86EMUL_CONTINUE;
1186
	ulong modrm_ea = 0;
1187

1188
	ctxt->modrm_reg = ((ctxt->rex_prefix << 1) & 8); /* REX.R */
1189
	index_reg = (ctxt->rex_prefix << 2) & 8; /* REX.X */
1190
	base_reg = (ctxt->rex_prefix << 3) & 8; /* REX.B */
1191

1192
	ctxt->modrm_mod = (ctxt->modrm & 0xc0) >> 6;
1193
	ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
1194
	ctxt->modrm_rm = base_reg | (ctxt->modrm & 0x07);
1195
	ctxt->modrm_seg = VCPU_SREG_DS;
1196

1197
	if (ctxt->modrm_mod == 3 || (ctxt->d & NoMod)) {
1198
		op->type = OP_REG;
1199
		op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
1200
		op->addr.reg = decode_register(ctxt, ctxt->modrm_rm,
1201
				ctxt->d & ByteOp);
1202
		if (ctxt->d & Sse) {
1203
			op->type = OP_XMM;
1204
			op->bytes = 16;
1205
			op->addr.xmm = ctxt->modrm_rm;
1206
			kvm_read_sse_reg(ctxt->modrm_rm, &op->vec_val);
1207
			return rc;
1208
		}
1209
		if (ctxt->d & Mmx) {
1210
			op->type = OP_MM;
1211
			op->bytes = 8;
1212
			op->addr.mm = ctxt->modrm_rm & 7;
1213
			return rc;
1214
		}
1215
		fetch_register_operand(op);
1216
		return rc;
1217
	}
1218

1219
	op->type = OP_MEM;
1220

1221
	if (ctxt->ad_bytes == 2) {
1222
		unsigned bx = reg_read(ctxt, VCPU_REGS_RBX);
1223
		unsigned bp = reg_read(ctxt, VCPU_REGS_RBP);
1224
		unsigned si = reg_read(ctxt, VCPU_REGS_RSI);
1225
		unsigned di = reg_read(ctxt, VCPU_REGS_RDI);
1226

1227
		/* 16-bit ModR/M decode. */
1228
		switch (ctxt->modrm_mod) {
1229
		case 0:
1230
			if (ctxt->modrm_rm == 6)
1231
				modrm_ea += insn_fetch(u16, ctxt);
1232
			break;
1233
		case 1:
1234
			modrm_ea += insn_fetch(s8, ctxt);
1235
			break;
1236
		case 2:
1237
			modrm_ea += insn_fetch(u16, ctxt);
1238
			break;
1239
		}
1240
		switch (ctxt->modrm_rm) {
1241
		case 0:
1242
			modrm_ea += bx + si;
1243
			break;
1244
		case 1:
1245
			modrm_ea += bx + di;
1246
			break;
1247
		case 2:
1248
			modrm_ea += bp + si;
1249
			break;
1250
		case 3:
1251
			modrm_ea += bp + di;
1252
			break;
1253
		case 4:
1254
			modrm_ea += si;
1255
			break;
1256
		case 5:
1257
			modrm_ea += di;
1258
			break;
1259
		case 6:
1260
			if (ctxt->modrm_mod != 0)
1261
				modrm_ea += bp;
1262
			break;
1263
		case 7:
1264
			modrm_ea += bx;
1265
			break;
1266
		}
1267
		if (ctxt->modrm_rm == 2 || ctxt->modrm_rm == 3 ||
1268
		    (ctxt->modrm_rm == 6 && ctxt->modrm_mod != 0))
1269
			ctxt->modrm_seg = VCPU_SREG_SS;
1270
		modrm_ea = (u16)modrm_ea;
1271
	} else {
1272
		/* 32/64-bit ModR/M decode. */
1273
		if ((ctxt->modrm_rm & 7) == 4) {
1274
			sib = insn_fetch(u8, ctxt);
1275
			index_reg |= (sib >> 3) & 7;
1276
			base_reg |= sib & 7;
1277
			scale = sib >> 6;
1278

1279
			if ((base_reg & 7) == 5 && ctxt->modrm_mod == 0)
1280
				modrm_ea += insn_fetch(s32, ctxt);
1281
			else {
1282
				modrm_ea += reg_read(ctxt, base_reg);
1283
				adjust_modrm_seg(ctxt, base_reg);
1284
				/* Increment ESP on POP [ESP] */
1285
				if ((ctxt->d & IncSP) &&
1286
				    base_reg == VCPU_REGS_RSP)
1287
					modrm_ea += ctxt->op_bytes;
1288
			}
1289
			if (index_reg != 4)
1290
				modrm_ea += reg_read(ctxt, index_reg) << scale;
1291
		} else if ((ctxt->modrm_rm & 7) == 5 && ctxt->modrm_mod == 0) {
1292
			modrm_ea += insn_fetch(s32, ctxt);
1293
			if (ctxt->mode == X86EMUL_MODE_PROT64)
1294
				ctxt->rip_relative = 1;
1295
		} else {
1296
			base_reg = ctxt->modrm_rm;
1297
			modrm_ea += reg_read(ctxt, base_reg);
1298
			adjust_modrm_seg(ctxt, base_reg);
1299
		}
1300
		switch (ctxt->modrm_mod) {
1301
		case 1:
1302
			modrm_ea += insn_fetch(s8, ctxt);
1303
			break;
1304
		case 2:
1305
			modrm_ea += insn_fetch(s32, ctxt);
1306
			break;
1307
		}
1308
	}
1309
	op->addr.mem.ea = modrm_ea;
1310
	if (ctxt->ad_bytes != 8)
1311
		ctxt->memop.addr.mem.ea = (u32)ctxt->memop.addr.mem.ea;
1312

1313
done:
1314
	return rc;
1315
}
1316

1317
static int decode_abs(struct x86_emulate_ctxt *ctxt,
1318
		      struct operand *op)
1319
{
1320
	int rc = X86EMUL_CONTINUE;
1321

1322
	op->type = OP_MEM;
1323
	switch (ctxt->ad_bytes) {
1324
	case 2:
1325
		op->addr.mem.ea = insn_fetch(u16, ctxt);
1326
		break;
1327
	case 4:
1328
		op->addr.mem.ea = insn_fetch(u32, ctxt);
1329
		break;
1330
	case 8:
1331
		op->addr.mem.ea = insn_fetch(u64, ctxt);
1332
		break;
1333
	}
1334
done:
1335
	return rc;
1336
}
1337

1338
static void fetch_bit_operand(struct x86_emulate_ctxt *ctxt)
1339
{
1340
	long sv = 0, mask;
1341

1342
	if (ctxt->dst.type == OP_MEM && ctxt->src.type == OP_REG) {
1343
		mask = ~((long)ctxt->dst.bytes * 8 - 1);
1344

1345
		if (ctxt->src.bytes == 2)
1346
			sv = (s16)ctxt->src.val & (s16)mask;
1347
		else if (ctxt->src.bytes == 4)
1348
			sv = (s32)ctxt->src.val & (s32)mask;
1349
		else
1350
			sv = (s64)ctxt->src.val & (s64)mask;
1351

1352
		ctxt->dst.addr.mem.ea = address_mask(ctxt,
1353
					   ctxt->dst.addr.mem.ea + (sv >> 3));
1354
	}
1355

1356
	/* only subword offset */
1357
	ctxt->src.val &= (ctxt->dst.bytes << 3) - 1;
1358
}
1359

1360
static int read_emulated(struct x86_emulate_ctxt *ctxt,
1361
			 unsigned long addr, void *dest, unsigned size)
1362
{
1363
	int rc;
1364
	struct read_cache *mc = &ctxt->mem_read;
1365

1366
	if (mc->pos < mc->end)
1367
		goto read_cached;
1368

1369
	if (KVM_EMULATOR_BUG_ON((mc->end + size) >= sizeof(mc->data), ctxt))
1370
		return X86EMUL_UNHANDLEABLE;
1371

1372
	rc = ctxt->ops->read_emulated(ctxt, addr, mc->data + mc->end, size,
1373
				      &ctxt->exception);
1374
	if (rc != X86EMUL_CONTINUE)
1375
		return rc;
1376

1377
	mc->end += size;
1378

1379
read_cached:
1380
	memcpy(dest, mc->data + mc->pos, size);
1381
	mc->pos += size;
1382
	return X86EMUL_CONTINUE;
1383
}
1384

1385
static int segmented_read(struct x86_emulate_ctxt *ctxt,
1386
			  struct segmented_address addr,
1387
			  void *data,
1388
			  unsigned size)
1389
{
1390
	int rc;
1391
	ulong linear;
1392

1393
	rc = linearize(ctxt, addr, size, false, &linear);
1394
	if (rc != X86EMUL_CONTINUE)
1395
		return rc;
1396
	return read_emulated(ctxt, linear, data, size);
1397
}
1398

1399
static int segmented_write(struct x86_emulate_ctxt *ctxt,
1400
			   struct segmented_address addr,
1401
			   const void *data,
1402
			   unsigned size)
1403
{
1404
	int rc;
1405
	ulong linear;
1406

1407
	rc = linearize(ctxt, addr, size, true, &linear);
1408
	if (rc != X86EMUL_CONTINUE)
1409
		return rc;
1410
	return ctxt->ops->write_emulated(ctxt, linear, data, size,
1411
					 &ctxt->exception);
1412
}
1413

1414
static int segmented_cmpxchg(struct x86_emulate_ctxt *ctxt,
1415
			     struct segmented_address addr,
1416
			     const void *orig_data, const void *data,
1417
			     unsigned size)
1418
{
1419
	int rc;
1420
	ulong linear;
1421

1422
	rc = linearize(ctxt, addr, size, true, &linear);
1423
	if (rc != X86EMUL_CONTINUE)
1424
		return rc;
1425
	return ctxt->ops->cmpxchg_emulated(ctxt, linear, orig_data, data,
1426
					   size, &ctxt->exception);
1427
}
1428

1429
static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1430
			   unsigned int size, unsigned short port,
1431
			   void *dest)
1432
{
1433
	struct read_cache *rc = &ctxt->io_read;
1434

1435
	if (rc->pos == rc->end) { /* refill pio read ahead */
1436
		unsigned int in_page, n;
1437
		unsigned int count = ctxt->rep_prefix ?
1438
			address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) : 1;
1439
		in_page = (ctxt->eflags & X86_EFLAGS_DF) ?
1440
			offset_in_page(reg_read(ctxt, VCPU_REGS_RDI)) :
1441
			PAGE_SIZE - offset_in_page(reg_read(ctxt, VCPU_REGS_RDI));
1442
		n = min3(in_page, (unsigned int)sizeof(rc->data) / size, count);
1443
		if (n == 0)
1444
			n = 1;
1445
		rc->pos = rc->end = 0;
1446
		if (!ctxt->ops->pio_in_emulated(ctxt, size, port, rc->data, n))
1447
			return 0;
1448
		rc->end = n * size;
1449
	}
1450

1451
	if (ctxt->rep_prefix && (ctxt->d & String) &&
1452
	    !(ctxt->eflags & X86_EFLAGS_DF)) {
1453
		ctxt->dst.data = rc->data + rc->pos;
1454
		ctxt->dst.type = OP_MEM_STR;
1455
		ctxt->dst.count = (rc->end - rc->pos) / size;
1456
		rc->pos = rc->end;
1457
	} else {
1458
		memcpy(dest, rc->data + rc->pos, size);
1459
		rc->pos += size;
1460
	}
1461
	return 1;
1462
}
1463

1464
static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt,
1465
				     u16 index, struct desc_struct *desc)
1466
{
1467
	struct desc_ptr dt;
1468
	ulong addr;
1469

1470
	ctxt->ops->get_idt(ctxt, &dt);
1471

1472
	if (dt.size < index * 8 + 7)
1473
		return emulate_gp(ctxt, index << 3 | 0x2);
1474

1475
	addr = dt.address + index * 8;
1476
	return linear_read_system(ctxt, addr, desc, sizeof(*desc));
1477
}
1478

1479
static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1480
				     u16 selector, struct desc_ptr *dt)
1481
{
1482
	const struct x86_emulate_ops *ops = ctxt->ops;
1483
	u32 base3 = 0;
1484

1485
	if (selector & 1 << 2) {
1486
		struct desc_struct desc;
1487
		u16 sel;
1488

1489
		memset(dt, 0, sizeof(*dt));
1490
		if (!ops->get_segment(ctxt, &sel, &desc, &base3,
1491
				      VCPU_SREG_LDTR))
1492
			return;
1493

1494
		dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1495
		dt->address = get_desc_base(&desc) | ((u64)base3 << 32);
1496
	} else
1497
		ops->get_gdt(ctxt, dt);
1498
}
1499

1500
static int get_descriptor_ptr(struct x86_emulate_ctxt *ctxt,
1501
			      u16 selector, ulong *desc_addr_p)
1502
{
1503
	struct desc_ptr dt;
1504
	u16 index = selector >> 3;
1505
	ulong addr;
1506

1507
	get_descriptor_table_ptr(ctxt, selector, &dt);
1508

1509
	if (dt.size < index * 8 + 7)
1510
		return emulate_gp(ctxt, selector & 0xfffc);
1511

1512
	addr = dt.address + index * 8;
1513

1514
#ifdef CONFIG_X86_64
1515
	if (addr >> 32 != 0) {
1516
		u64 efer = 0;
1517

1518
		ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1519
		if (!(efer & EFER_LMA))
1520
			addr &= (u32)-1;
1521
	}
1522
#endif
1523

1524
	*desc_addr_p = addr;
1525
	return X86EMUL_CONTINUE;
1526
}
1527

1528
/* allowed just for 8 bytes segments */
1529
static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1530
				   u16 selector, struct desc_struct *desc,
1531
				   ulong *desc_addr_p)
1532
{
1533
	int rc;
1534

1535
	rc = get_descriptor_ptr(ctxt, selector, desc_addr_p);
1536
	if (rc != X86EMUL_CONTINUE)
1537
		return rc;
1538

1539
	return linear_read_system(ctxt, *desc_addr_p, desc, sizeof(*desc));
1540
}
1541

1542
/* allowed just for 8 bytes segments */
1543
static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1544
				    u16 selector, struct desc_struct *desc)
1545
{
1546
	int rc;
1547
	ulong addr;
1548

1549
	rc = get_descriptor_ptr(ctxt, selector, &addr);
1550
	if (rc != X86EMUL_CONTINUE)
1551
		return rc;
1552

1553
	return linear_write_system(ctxt, addr, desc, sizeof(*desc));
1554
}
1555

1556
static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1557
				     u16 selector, int seg, u8 cpl,
1558
				     enum x86_transfer_type transfer,
1559
				     struct desc_struct *desc)
1560
{
1561
	struct desc_struct seg_desc, old_desc;
1562
	u8 dpl, rpl;
1563
	unsigned err_vec = GP_VECTOR;
1564
	u32 err_code = 0;
1565
	bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1566
	ulong desc_addr;
1567
	int ret;
1568
	u16 dummy;
1569
	u32 base3 = 0;
1570

1571
	memset(&seg_desc, 0, sizeof(seg_desc));
1572

1573
	if (ctxt->mode == X86EMUL_MODE_REAL) {
1574
		/* set real mode segment descriptor (keep limit etc. for
1575
		 * unreal mode) */
1576
		ctxt->ops->get_segment(ctxt, &dummy, &seg_desc, NULL, seg);
1577
		set_desc_base(&seg_desc, selector << 4);
1578
		goto load;
1579
	} else if (seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86) {
1580
		/* VM86 needs a clean new segment descriptor */
1581
		set_desc_base(&seg_desc, selector << 4);
1582
		set_desc_limit(&seg_desc, 0xffff);
1583
		seg_desc.type = 3;
1584
		seg_desc.p = 1;
1585
		seg_desc.s = 1;
1586
		seg_desc.dpl = 3;
1587
		goto load;
1588
	}
1589

1590
	rpl = selector & 3;
1591

1592
	/* TR should be in GDT only */
1593
	if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1594
		goto exception;
1595

1596
	/* NULL selector is not valid for TR, CS and (except for long mode) SS */
1597
	if (null_selector) {
1598
		if (seg == VCPU_SREG_CS || seg == VCPU_SREG_TR)
1599
			goto exception;
1600

1601
		if (seg == VCPU_SREG_SS) {
1602
			if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)
1603
				goto exception;
1604

1605
			/*
1606
			 * ctxt->ops->set_segment expects the CPL to be in
1607
			 * SS.DPL, so fake an expand-up 32-bit data segment.
1608
			 */
1609
			seg_desc.type = 3;
1610
			seg_desc.p = 1;
1611
			seg_desc.s = 1;
1612
			seg_desc.dpl = cpl;
1613
			seg_desc.d = 1;
1614
			seg_desc.g = 1;
1615
		}
1616

1617
		/* Skip all following checks */
1618
		goto load;
1619
	}
1620

1621
	ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr);
1622
	if (ret != X86EMUL_CONTINUE)
1623
		return ret;
1624

1625
	err_code = selector & 0xfffc;
1626
	err_vec = (transfer == X86_TRANSFER_TASK_SWITCH) ? TS_VECTOR :
1627
							   GP_VECTOR;
1628

1629
	/* can't load system descriptor into segment selector */
1630
	if (seg <= VCPU_SREG_GS && !seg_desc.s) {
1631
		if (transfer == X86_TRANSFER_CALL_JMP)
1632
			return X86EMUL_UNHANDLEABLE;
1633
		goto exception;
1634
	}
1635

1636
	dpl = seg_desc.dpl;
1637

1638
	switch (seg) {
1639
	case VCPU_SREG_SS:
1640
		/*
1641
		 * segment is not a writable data segment or segment
1642
		 * selector's RPL != CPL or DPL != CPL
1643
		 */
1644
		if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1645
			goto exception;
1646
		break;
1647
	case VCPU_SREG_CS:
1648
		/*
1649
		 * KVM uses "none" when loading CS as part of emulating Real
1650
		 * Mode exceptions and IRET (handled above).  In all other
1651
		 * cases, loading CS without a control transfer is a KVM bug.
1652
		 */
1653
		if (WARN_ON_ONCE(transfer == X86_TRANSFER_NONE))
1654
			goto exception;
1655

1656
		if (!(seg_desc.type & 8))
1657
			goto exception;
1658

1659
		if (transfer == X86_TRANSFER_RET) {
1660
			/* RET can never return to an inner privilege level. */
1661
			if (rpl < cpl)
1662
				goto exception;
1663
			/* Outer-privilege level return is not implemented */
1664
			if (rpl > cpl)
1665
				return X86EMUL_UNHANDLEABLE;
1666
		}
1667
		if (transfer == X86_TRANSFER_RET || transfer == X86_TRANSFER_TASK_SWITCH) {
1668
			if (seg_desc.type & 4) {
1669
				/* conforming */
1670
				if (dpl > rpl)
1671
					goto exception;
1672
			} else {
1673
				/* nonconforming */
1674
				if (dpl != rpl)
1675
					goto exception;
1676
			}
1677
		} else { /* X86_TRANSFER_CALL_JMP */
1678
			if (seg_desc.type & 4) {
1679
				/* conforming */
1680
				if (dpl > cpl)
1681
					goto exception;
1682
			} else {
1683
				/* nonconforming */
1684
				if (rpl > cpl || dpl != cpl)
1685
					goto exception;
1686
			}
1687
		}
1688
		/* in long-mode d/b must be clear if l is set */
1689
		if (seg_desc.d && seg_desc.l) {
1690
			u64 efer = 0;
1691

1692
			ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1693
			if (efer & EFER_LMA)
1694
				goto exception;
1695
		}
1696

1697
		/* CS(RPL) <- CPL */
1698
		selector = (selector & 0xfffc) | cpl;
1699
		break;
1700
	case VCPU_SREG_TR:
1701
		if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1702
			goto exception;
1703
		break;
1704
	case VCPU_SREG_LDTR:
1705
		if (seg_desc.s || seg_desc.type != 2)
1706
			goto exception;
1707
		break;
1708
	default: /*  DS, ES, FS, or GS */
1709
		/*
1710
		 * segment is not a data or readable code segment or
1711
		 * ((segment is a data or nonconforming code segment)
1712
		 * and ((RPL > DPL) or (CPL > DPL)))
1713
		 */
1714
		if ((seg_desc.type & 0xa) == 0x8 ||
1715
		    (((seg_desc.type & 0xc) != 0xc) &&
1716
		     (rpl > dpl || cpl > dpl)))
1717
			goto exception;
1718
		break;
1719
	}
1720

1721
	if (!seg_desc.p) {
1722
		err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1723
		goto exception;
1724
	}
1725

1726
	if (seg_desc.s) {
1727
		/* mark segment as accessed */
1728
		if (!(seg_desc.type & 1)) {
1729
			seg_desc.type |= 1;
1730
			ret = write_segment_descriptor(ctxt, selector,
1731
						       &seg_desc);
1732
			if (ret != X86EMUL_CONTINUE)
1733
				return ret;
1734
		}
1735
	} else if (ctxt->mode == X86EMUL_MODE_PROT64) {
1736
		ret = linear_read_system(ctxt, desc_addr+8, &base3, sizeof(base3));
1737
		if (ret != X86EMUL_CONTINUE)
1738
			return ret;
1739
		if (emul_is_noncanonical_address(get_desc_base(&seg_desc) |
1740
						 ((u64)base3 << 32), ctxt,
1741
						 X86EMUL_F_DT_LOAD))
1742
			return emulate_gp(ctxt, err_code);
1743
	}
1744

1745
	if (seg == VCPU_SREG_TR) {
1746
		old_desc = seg_desc;
1747
		seg_desc.type |= 2; /* busy */
1748
		ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
1749
						  sizeof(seg_desc), &ctxt->exception);
1750
		if (ret != X86EMUL_CONTINUE)
1751
			return ret;
1752
	}
1753
load:
1754
	ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg);
1755
	if (desc)
1756
		*desc = seg_desc;
1757
	return X86EMUL_CONTINUE;
1758
exception:
1759
	return emulate_exception(ctxt, err_vec, err_code, true);
1760
}
1761

1762
static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1763
				   u16 selector, int seg)
1764
{
1765
	u8 cpl = ctxt->ops->cpl(ctxt);
1766

1767
	/*
1768
	 * None of MOV, POP and LSS can load a NULL selector in CPL=3, but
1769
	 * they can load it at CPL<3 (Intel's manual says only LSS can,
1770
	 * but it's wrong).
1771
	 *
1772
	 * However, the Intel manual says that putting IST=1/DPL=3 in
1773
	 * an interrupt gate will result in SS=3 (the AMD manual instead
1774
	 * says it doesn't), so allow SS=3 in __load_segment_descriptor
1775
	 * and only forbid it here.
1776
	 */
1777
	if (seg == VCPU_SREG_SS && selector == 3 &&
1778
	    ctxt->mode == X86EMUL_MODE_PROT64)
1779
		return emulate_exception(ctxt, GP_VECTOR, 0, true);
1780

1781
	return __load_segment_descriptor(ctxt, selector, seg, cpl,
1782
					 X86_TRANSFER_NONE, NULL);
1783
}
1784

1785
static void write_register_operand(struct operand *op)
1786
{
1787
	return assign_register(op->addr.reg, op->val, op->bytes);
1788
}
1789

1790
static int writeback(struct x86_emulate_ctxt *ctxt, struct operand *op)
1791
{
1792
	switch (op->type) {
1793
	case OP_REG:
1794
		write_register_operand(op);
1795
		break;
1796
	case OP_MEM:
1797
		if (ctxt->lock_prefix)
1798
			return segmented_cmpxchg(ctxt,
1799
						 op->addr.mem,
1800
						 &op->orig_val,
1801
						 &op->val,
1802
						 op->bytes);
1803
		else
1804
			return segmented_write(ctxt,
1805
					       op->addr.mem,
1806
					       &op->val,
1807
					       op->bytes);
1808
	case OP_MEM_STR:
1809
		return segmented_write(ctxt,
1810
				       op->addr.mem,
1811
				       op->data,
1812
				       op->bytes * op->count);
1813
	case OP_XMM:
1814
		kvm_write_sse_reg(op->addr.xmm, &op->vec_val);
1815
		break;
1816
	case OP_MM:
1817
		kvm_write_mmx_reg(op->addr.mm, &op->mm_val);
1818
		break;
1819
	case OP_NONE:
1820
		/* no writeback */
1821
		break;
1822
	default:
1823
		break;
1824
	}
1825
	return X86EMUL_CONTINUE;
1826
}
1827

1828
static int emulate_push(struct x86_emulate_ctxt *ctxt, const void *data, int len)
1829
{
1830
	struct segmented_address addr;
1831

1832
	rsp_increment(ctxt, -len);
1833
	addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1834
	addr.seg = VCPU_SREG_SS;
1835

1836
	return segmented_write(ctxt, addr, data, len);
1837
}
1838

1839
static int em_push(struct x86_emulate_ctxt *ctxt)
1840
{
1841
	/* Disable writeback. */
1842
	ctxt->dst.type = OP_NONE;
1843
	return emulate_push(ctxt, &ctxt->src.val, ctxt->op_bytes);
1844
}
1845

1846
static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1847
		       void *dest, int len)
1848
{
1849
	int rc;
1850
	struct segmented_address addr;
1851

1852
	addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
1853
	addr.seg = VCPU_SREG_SS;
1854
	rc = segmented_read(ctxt, addr, dest, len);
1855
	if (rc != X86EMUL_CONTINUE)
1856
		return rc;
1857

1858
	rsp_increment(ctxt, len);
1859
	return rc;
1860
}
1861

1862
static int em_pop(struct x86_emulate_ctxt *ctxt)
1863
{
1864
	return emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1865
}
1866

1867
static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1868
			void *dest, int len)
1869
{
1870
	int rc;
1871
	unsigned long val = 0;
1872
	unsigned long change_mask;
1873
	int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> X86_EFLAGS_IOPL_BIT;
1874
	int cpl = ctxt->ops->cpl(ctxt);
1875

1876
	rc = emulate_pop(ctxt, &val, len);
1877
	if (rc != X86EMUL_CONTINUE)
1878
		return rc;
1879

1880
	change_mask = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
1881
		      X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_OF |
1882
		      X86_EFLAGS_TF | X86_EFLAGS_DF | X86_EFLAGS_NT |
1883
		      X86_EFLAGS_AC | X86_EFLAGS_ID;
1884

1885
	switch(ctxt->mode) {
1886
	case X86EMUL_MODE_PROT64:
1887
	case X86EMUL_MODE_PROT32:
1888
	case X86EMUL_MODE_PROT16:
1889
		if (cpl == 0)
1890
			change_mask |= X86_EFLAGS_IOPL;
1891
		if (cpl <= iopl)
1892
			change_mask |= X86_EFLAGS_IF;
1893
		break;
1894
	case X86EMUL_MODE_VM86:
1895
		if (iopl < 3)
1896
			return emulate_gp(ctxt, 0);
1897
		change_mask |= X86_EFLAGS_IF;
1898
		break;
1899
	default: /* real mode */
1900
		change_mask |= (X86_EFLAGS_IOPL | X86_EFLAGS_IF);
1901
		break;
1902
	}
1903

1904
	*(unsigned long *)dest =
1905
		(ctxt->eflags & ~change_mask) | (val & change_mask);
1906

1907
	return rc;
1908
}
1909

1910
static int em_popf(struct x86_emulate_ctxt *ctxt)
1911
{
1912
	ctxt->dst.type = OP_REG;
1913
	ctxt->dst.addr.reg = &ctxt->eflags;
1914
	ctxt->dst.bytes = ctxt->op_bytes;
1915
	return emulate_popf(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1916
}
1917

1918
static int em_enter(struct x86_emulate_ctxt *ctxt)
1919
{
1920
	int rc;
1921
	unsigned frame_size = ctxt->src.val;
1922
	unsigned nesting_level = ctxt->src2.val & 31;
1923
	ulong rbp;
1924

1925
	if (nesting_level)
1926
		return X86EMUL_UNHANDLEABLE;
1927

1928
	rbp = reg_read(ctxt, VCPU_REGS_RBP);
1929
	rc = emulate_push(ctxt, &rbp, stack_size(ctxt));
1930
	if (rc != X86EMUL_CONTINUE)
1931
		return rc;
1932
	assign_masked(reg_rmw(ctxt, VCPU_REGS_RBP), reg_read(ctxt, VCPU_REGS_RSP),
1933
		      stack_mask(ctxt));
1934
	assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP),
1935
		      reg_read(ctxt, VCPU_REGS_RSP) - frame_size,
1936
		      stack_mask(ctxt));
1937
	return X86EMUL_CONTINUE;
1938
}
1939

1940
static int em_leave(struct x86_emulate_ctxt *ctxt)
1941
{
1942
	assign_masked(reg_rmw(ctxt, VCPU_REGS_RSP), reg_read(ctxt, VCPU_REGS_RBP),
1943
		      stack_mask(ctxt));
1944
	return emulate_pop(ctxt, reg_rmw(ctxt, VCPU_REGS_RBP), ctxt->op_bytes);
1945
}
1946

1947
static int em_push_sreg(struct x86_emulate_ctxt *ctxt)
1948
{
1949
	int seg = ctxt->src2.val;
1950

1951
	ctxt->src.val = get_segment_selector(ctxt, seg);
1952
	if (ctxt->op_bytes == 4) {
1953
		rsp_increment(ctxt, -2);
1954
		ctxt->op_bytes = 2;
1955
	}
1956

1957
	return em_push(ctxt);
1958
}
1959

1960
static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
1961
{
1962
	int seg = ctxt->src2.val;
1963
	unsigned long selector = 0;
1964
	int rc;
1965

1966
	rc = emulate_pop(ctxt, &selector, 2);
1967
	if (rc != X86EMUL_CONTINUE)
1968
		return rc;
1969

1970
	if (seg == VCPU_SREG_SS)
1971
		ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
1972
	if (ctxt->op_bytes > 2)
1973
		rsp_increment(ctxt, ctxt->op_bytes - 2);
1974

1975
	rc = load_segment_descriptor(ctxt, (u16)selector, seg);
1976
	return rc;
1977
}
1978

1979
static int em_pusha(struct x86_emulate_ctxt *ctxt)
1980
{
1981
	unsigned long old_esp = reg_read(ctxt, VCPU_REGS_RSP);
1982
	int rc = X86EMUL_CONTINUE;
1983
	int reg = VCPU_REGS_RAX;
1984

1985
	while (reg <= VCPU_REGS_RDI) {
1986
		(reg == VCPU_REGS_RSP) ?
1987
		(ctxt->src.val = old_esp) : (ctxt->src.val = reg_read(ctxt, reg));
1988

1989
		rc = em_push(ctxt);
1990
		if (rc != X86EMUL_CONTINUE)
1991
			return rc;
1992

1993
		++reg;
1994
	}
1995

1996
	return rc;
1997
}
1998

1999
static int em_pushf(struct x86_emulate_ctxt *ctxt)
2000
{
2001
	ctxt->src.val = (unsigned long)ctxt->eflags & ~X86_EFLAGS_VM;
2002
	return em_push(ctxt);
2003
}
2004

2005
static int em_popa(struct x86_emulate_ctxt *ctxt)
2006
{
2007
	int rc = X86EMUL_CONTINUE;
2008
	int reg = VCPU_REGS_RDI;
2009
	u32 val = 0;
2010

2011
	while (reg >= VCPU_REGS_RAX) {
2012
		if (reg == VCPU_REGS_RSP) {
2013
			rsp_increment(ctxt, ctxt->op_bytes);
2014
			--reg;
2015
		}
2016

2017
		rc = emulate_pop(ctxt, &val, ctxt->op_bytes);
2018
		if (rc != X86EMUL_CONTINUE)
2019
			break;
2020
		assign_register(reg_rmw(ctxt, reg), val, ctxt->op_bytes);
2021
		--reg;
2022
	}
2023
	return rc;
2024
}
2025

2026
static int __emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
2027
{
2028
	const struct x86_emulate_ops *ops = ctxt->ops;
2029
	int rc;
2030
	struct desc_ptr dt;
2031
	gva_t cs_addr;
2032
	gva_t eip_addr;
2033
	u16 cs, eip;
2034

2035
	/* TODO: Add limit checks */
2036
	ctxt->src.val = ctxt->eflags;
2037
	rc = em_push(ctxt);
2038
	if (rc != X86EMUL_CONTINUE)
2039
		return rc;
2040

2041
	ctxt->eflags &= ~(X86_EFLAGS_IF | X86_EFLAGS_TF | X86_EFLAGS_AC);
2042

2043
	ctxt->src.val = get_segment_selector(ctxt, VCPU_SREG_CS);
2044
	rc = em_push(ctxt);
2045
	if (rc != X86EMUL_CONTINUE)
2046
		return rc;
2047

2048
	ctxt->src.val = ctxt->_eip;
2049
	rc = em_push(ctxt);
2050
	if (rc != X86EMUL_CONTINUE)
2051
		return rc;
2052

2053
	ops->get_idt(ctxt, &dt);
2054

2055
	eip_addr = dt.address + (irq << 2);
2056
	cs_addr = dt.address + (irq << 2) + 2;
2057

2058
	rc = linear_read_system(ctxt, cs_addr, &cs, 2);
2059
	if (rc != X86EMUL_CONTINUE)
2060
		return rc;
2061

2062
	rc = linear_read_system(ctxt, eip_addr, &eip, 2);
2063
	if (rc != X86EMUL_CONTINUE)
2064
		return rc;
2065

2066
	rc = load_segment_descriptor(ctxt, cs, VCPU_SREG_CS);
2067
	if (rc != X86EMUL_CONTINUE)
2068
		return rc;
2069

2070
	ctxt->_eip = eip;
2071

2072
	return rc;
2073
}
2074

2075
int emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
2076
{
2077
	int rc;
2078

2079
	invalidate_registers(ctxt);
2080
	rc = __emulate_int_real(ctxt, irq);
2081
	if (rc == X86EMUL_CONTINUE)
2082
		writeback_registers(ctxt);
2083
	return rc;
2084
}
2085

2086
static int emulate_int(struct x86_emulate_ctxt *ctxt, int irq)
2087
{
2088
	switch(ctxt->mode) {
2089
	case X86EMUL_MODE_REAL:
2090
		return __emulate_int_real(ctxt, irq);
2091
	case X86EMUL_MODE_VM86:
2092
	case X86EMUL_MODE_PROT16:
2093
	case X86EMUL_MODE_PROT32:
2094
	case X86EMUL_MODE_PROT64:
2095
	default:
2096
		/* Protected mode interrupts unimplemented yet */
2097
		return X86EMUL_UNHANDLEABLE;
2098
	}
2099
}
2100

2101
static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
2102
{
2103
	int rc = X86EMUL_CONTINUE;
2104
	unsigned long temp_eip = 0;
2105
	unsigned long temp_eflags = 0;
2106
	unsigned long cs = 0;
2107
	unsigned long mask = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
2108
			     X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_TF |
2109
			     X86_EFLAGS_IF | X86_EFLAGS_DF | X86_EFLAGS_OF |
2110
			     X86_EFLAGS_IOPL | X86_EFLAGS_NT | X86_EFLAGS_RF |
2111
			     X86_EFLAGS_AC | X86_EFLAGS_ID |
2112
			     X86_EFLAGS_FIXED;
2113
	unsigned long vm86_mask = X86_EFLAGS_VM | X86_EFLAGS_VIF |
2114
				  X86_EFLAGS_VIP;
2115

2116
	/* TODO: Add stack limit check */
2117

2118
	rc = emulate_pop(ctxt, &temp_eip, ctxt->op_bytes);
2119

2120
	if (rc != X86EMUL_CONTINUE)
2121
		return rc;
2122

2123
	if (temp_eip & ~0xffff)
2124
		return emulate_gp(ctxt, 0);
2125

2126
	rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2127

2128
	if (rc != X86EMUL_CONTINUE)
2129
		return rc;
2130

2131
	rc = emulate_pop(ctxt, &temp_eflags, ctxt->op_bytes);
2132

2133
	if (rc != X86EMUL_CONTINUE)
2134
		return rc;
2135

2136
	rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
2137

2138
	if (rc != X86EMUL_CONTINUE)
2139
		return rc;
2140

2141
	ctxt->_eip = temp_eip;
2142

2143
	if (ctxt->op_bytes == 4)
2144
		ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
2145
	else if (ctxt->op_bytes == 2) {
2146
		ctxt->eflags &= ~0xffff;
2147
		ctxt->eflags |= temp_eflags;
2148
	}
2149

2150
	ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
2151
	ctxt->eflags |= X86_EFLAGS_FIXED;
2152
	ctxt->ops->set_nmi_mask(ctxt, false);
2153

2154
	return rc;
2155
}
2156

2157
static int em_iret(struct x86_emulate_ctxt *ctxt)
2158
{
2159
	switch(ctxt->mode) {
2160
	case X86EMUL_MODE_REAL:
2161
		return emulate_iret_real(ctxt);
2162
	case X86EMUL_MODE_VM86:
2163
	case X86EMUL_MODE_PROT16:
2164
	case X86EMUL_MODE_PROT32:
2165
	case X86EMUL_MODE_PROT64:
2166
	default:
2167
		/* iret from protected mode unimplemented yet */
2168
		return X86EMUL_UNHANDLEABLE;
2169
	}
2170
}
2171

2172
static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
2173
{
2174
	int rc;
2175
	unsigned short sel;
2176
	struct desc_struct new_desc;
2177
	u8 cpl = ctxt->ops->cpl(ctxt);
2178

2179
	memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2180

2181
	rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
2182
				       X86_TRANSFER_CALL_JMP,
2183
				       &new_desc);
2184
	if (rc != X86EMUL_CONTINUE)
2185
		return rc;
2186

2187
	rc = assign_eip_far(ctxt, ctxt->src.val);
2188
	/* Error handling is not implemented. */
2189
	if (rc != X86EMUL_CONTINUE)
2190
		return X86EMUL_UNHANDLEABLE;
2191

2192
	return rc;
2193
}
2194

2195
static int em_jmp_abs(struct x86_emulate_ctxt *ctxt)
2196
{
2197
	return assign_eip_near(ctxt, ctxt->src.val);
2198
}
2199

2200
static int em_call_near_abs(struct x86_emulate_ctxt *ctxt)
2201
{
2202
	int rc;
2203
	long int old_eip;
2204

2205
	old_eip = ctxt->_eip;
2206
	rc = assign_eip_near(ctxt, ctxt->src.val);
2207
	if (rc != X86EMUL_CONTINUE)
2208
		return rc;
2209
	ctxt->src.val = old_eip;
2210
	rc = em_push(ctxt);
2211
	return rc;
2212
}
2213

2214
static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
2215
{
2216
	u64 old = ctxt->dst.orig_val64;
2217

2218
	if (ctxt->dst.bytes == 16)
2219
		return X86EMUL_UNHANDLEABLE;
2220

2221
	if (((u32) (old >> 0) != (u32) reg_read(ctxt, VCPU_REGS_RAX)) ||
2222
	    ((u32) (old >> 32) != (u32) reg_read(ctxt, VCPU_REGS_RDX))) {
2223
		*reg_write(ctxt, VCPU_REGS_RAX) = (u32) (old >> 0);
2224
		*reg_write(ctxt, VCPU_REGS_RDX) = (u32) (old >> 32);
2225
		ctxt->eflags &= ~X86_EFLAGS_ZF;
2226
	} else {
2227
		ctxt->dst.val64 = ((u64)reg_read(ctxt, VCPU_REGS_RCX) << 32) |
2228
			(u32) reg_read(ctxt, VCPU_REGS_RBX);
2229

2230
		ctxt->eflags |= X86_EFLAGS_ZF;
2231
	}
2232
	return X86EMUL_CONTINUE;
2233
}
2234

2235
static int em_ret(struct x86_emulate_ctxt *ctxt)
2236
{
2237
	int rc;
2238
	unsigned long eip = 0;
2239

2240
	rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
2241
	if (rc != X86EMUL_CONTINUE)
2242
		return rc;
2243

2244
	return assign_eip_near(ctxt, eip);
2245
}
2246

2247
static int em_ret_far(struct x86_emulate_ctxt *ctxt)
2248
{
2249
	int rc;
2250
	unsigned long eip = 0;
2251
	unsigned long cs = 0;
2252
	int cpl = ctxt->ops->cpl(ctxt);
2253
	struct desc_struct new_desc;
2254

2255
	rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
2256
	if (rc != X86EMUL_CONTINUE)
2257
		return rc;
2258
	rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
2259
	if (rc != X86EMUL_CONTINUE)
2260
		return rc;
2261
	rc = __load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, cpl,
2262
				       X86_TRANSFER_RET,
2263
				       &new_desc);
2264
	if (rc != X86EMUL_CONTINUE)
2265
		return rc;
2266
	rc = assign_eip_far(ctxt, eip);
2267
	/* Error handling is not implemented. */
2268
	if (rc != X86EMUL_CONTINUE)
2269
		return X86EMUL_UNHANDLEABLE;
2270

2271
	return rc;
2272
}
2273

2274
static int em_ret_far_imm(struct x86_emulate_ctxt *ctxt)
2275
{
2276
        int rc;
2277

2278
        rc = em_ret_far(ctxt);
2279
        if (rc != X86EMUL_CONTINUE)
2280
                return rc;
2281
        rsp_increment(ctxt, ctxt->src.val);
2282
        return X86EMUL_CONTINUE;
2283
}
2284

2285
static int em_cmpxchg(struct x86_emulate_ctxt *ctxt)
2286
{
2287
	/* Save real source value, then compare EAX against destination. */
2288
	ctxt->dst.orig_val = ctxt->dst.val;
2289
	ctxt->dst.val = reg_read(ctxt, VCPU_REGS_RAX);
2290
	ctxt->src.orig_val = ctxt->src.val;
2291
	ctxt->src.val = ctxt->dst.orig_val;
2292
	fastop(ctxt, em_cmp);
2293

2294
	if (ctxt->eflags & X86_EFLAGS_ZF) {
2295
		/* Success: write back to memory; no update of EAX */
2296
		ctxt->src.type = OP_NONE;
2297
		ctxt->dst.val = ctxt->src.orig_val;
2298
	} else {
2299
		/* Failure: write the value we saw to EAX. */
2300
		ctxt->src.type = OP_REG;
2301
		ctxt->src.addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
2302
		ctxt->src.val = ctxt->dst.orig_val;
2303
		/* Create write-cycle to dest by writing the same value */
2304
		ctxt->dst.val = ctxt->dst.orig_val;
2305
	}
2306
	return X86EMUL_CONTINUE;
2307
}
2308

2309
static int em_lseg(struct x86_emulate_ctxt *ctxt)
2310
{
2311
	int seg = ctxt->src2.val;
2312
	unsigned short sel;
2313
	int rc;
2314

2315
	memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
2316

2317
	rc = load_segment_descriptor(ctxt, sel, seg);
2318
	if (rc != X86EMUL_CONTINUE)
2319
		return rc;
2320

2321
	ctxt->dst.val = ctxt->src.val;
2322
	return rc;
2323
}
2324

2325
static int em_rsm(struct x86_emulate_ctxt *ctxt)
2326
{
2327
	if (!ctxt->ops->is_smm(ctxt))
2328
		return emulate_ud(ctxt);
2329

2330
	if (ctxt->ops->leave_smm(ctxt))
2331
		ctxt->ops->triple_fault(ctxt);
2332

2333
	return emulator_recalc_and_set_mode(ctxt);
2334
}
2335

2336
static void
2337
setup_syscalls_segments(struct desc_struct *cs, struct desc_struct *ss)
2338
{
2339
	cs->l = 0;		/* will be adjusted later */
2340
	set_desc_base(cs, 0);	/* flat segment */
2341
	cs->g = 1;		/* 4kb granularity */
2342
	set_desc_limit(cs, 0xfffff);	/* 4GB limit */
2343
	cs->type = 0x0b;	/* Read, Execute, Accessed */
2344
	cs->s = 1;
2345
	cs->dpl = 0;		/* will be adjusted later */
2346
	cs->p = 1;
2347
	cs->d = 1;
2348
	cs->avl = 0;
2349

2350
	set_desc_base(ss, 0);	/* flat segment */
2351
	set_desc_limit(ss, 0xfffff);	/* 4GB limit */
2352
	ss->g = 1;		/* 4kb granularity */
2353
	ss->s = 1;
2354
	ss->type = 0x03;	/* Read/Write, Accessed */
2355
	ss->d = 1;		/* 32bit stack segment */
2356
	ss->dpl = 0;
2357
	ss->p = 1;
2358
	ss->l = 0;
2359
	ss->avl = 0;
2360
}
2361

2362
static int em_syscall(struct x86_emulate_ctxt *ctxt)
2363
{
2364
	const struct x86_emulate_ops *ops = ctxt->ops;
2365
	struct desc_struct cs, ss;
2366
	u64 msr_data;
2367
	u16 cs_sel, ss_sel;
2368
	u64 efer = 0;
2369

2370
	/* syscall is not available in real mode */
2371
	if (ctxt->mode == X86EMUL_MODE_REAL ||
2372
	    ctxt->mode == X86EMUL_MODE_VM86)
2373
		return emulate_ud(ctxt);
2374

2375
	/*
2376
	 * Intel compatible CPUs only support SYSCALL in 64-bit mode, whereas
2377
	 * AMD allows SYSCALL in any flavor of protected mode.  Note, it's
2378
	 * infeasible to emulate Intel behavior when running on AMD hardware,
2379
	 * as SYSCALL won't fault in the "wrong" mode, i.e. there is no #UD
2380
	 * for KVM to trap-and-emulate, unlike emulating AMD on Intel.
2381
	 */
2382
	if (ctxt->mode != X86EMUL_MODE_PROT64 &&
2383
	    ctxt->ops->guest_cpuid_is_intel_compatible(ctxt))
2384
		return emulate_ud(ctxt);
2385

2386
	ops->get_msr(ctxt, MSR_EFER, &efer);
2387
	if (!(efer & EFER_SCE))
2388
		return emulate_ud(ctxt);
2389

2390
	setup_syscalls_segments(&cs, &ss);
2391
	ops->get_msr(ctxt, MSR_STAR, &msr_data);
2392
	msr_data >>= 32;
2393
	cs_sel = (u16)(msr_data & 0xfffc);
2394
	ss_sel = (u16)(msr_data + 8);
2395

2396
	if (efer & EFER_LMA) {
2397
		cs.d = 0;
2398
		cs.l = 1;
2399
	}
2400
	ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2401
	ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2402

2403
	*reg_write(ctxt, VCPU_REGS_RCX) = ctxt->_eip;
2404
	if (efer & EFER_LMA) {
2405
#ifdef CONFIG_X86_64
2406
		*reg_write(ctxt, VCPU_REGS_R11) = ctxt->eflags;
2407

2408
		ops->get_msr(ctxt,
2409
			     ctxt->mode == X86EMUL_MODE_PROT64 ?
2410
			     MSR_LSTAR : MSR_CSTAR, &msr_data);
2411
		ctxt->_eip = msr_data;
2412

2413
		ops->get_msr(ctxt, MSR_SYSCALL_MASK, &msr_data);
2414
		ctxt->eflags &= ~msr_data;
2415
		ctxt->eflags |= X86_EFLAGS_FIXED;
2416
#endif
2417
	} else {
2418
		/* legacy mode */
2419
		ops->get_msr(ctxt, MSR_STAR, &msr_data);
2420
		ctxt->_eip = (u32)msr_data;
2421

2422
		ctxt->eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
2423
	}
2424

2425
	ctxt->tf = (ctxt->eflags & X86_EFLAGS_TF) != 0;
2426
	return X86EMUL_CONTINUE;
2427
}
2428

2429
static int em_sysenter(struct x86_emulate_ctxt *ctxt)
2430
{
2431
	const struct x86_emulate_ops *ops = ctxt->ops;
2432
	struct desc_struct cs, ss;
2433
	u64 msr_data;
2434
	u16 cs_sel, ss_sel;
2435
	u64 efer = 0;
2436

2437
	ops->get_msr(ctxt, MSR_EFER, &efer);
2438
	/* inject #GP if in real mode */
2439
	if (ctxt->mode == X86EMUL_MODE_REAL)
2440
		return emulate_gp(ctxt, 0);
2441

2442
	/*
2443
	 * Intel's architecture allows SYSENTER in compatibility mode, but AMD
2444
	 * does not.  Note, AMD does allow SYSENTER in legacy protected mode.
2445
	 */
2446
	if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA) &&
2447
	    !ctxt->ops->guest_cpuid_is_intel_compatible(ctxt))
2448
		return emulate_ud(ctxt);
2449

2450
	/* sysenter/sysexit have not been tested in 64bit mode. */
2451
	if (ctxt->mode == X86EMUL_MODE_PROT64)
2452
		return X86EMUL_UNHANDLEABLE;
2453

2454
	ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2455
	if ((msr_data & 0xfffc) == 0x0)
2456
		return emulate_gp(ctxt, 0);
2457

2458
	setup_syscalls_segments(&cs, &ss);
2459
	ctxt->eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
2460
	cs_sel = (u16)msr_data & ~SEGMENT_RPL_MASK;
2461
	ss_sel = cs_sel + 8;
2462
	if (efer & EFER_LMA) {
2463
		cs.d = 0;
2464
		cs.l = 1;
2465
	}
2466

2467
	ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2468
	ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2469

2470
	ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
2471
	ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
2472

2473
	ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
2474
	*reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
2475
							      (u32)msr_data;
2476
	if (efer & EFER_LMA)
2477
		ctxt->mode = X86EMUL_MODE_PROT64;
2478

2479
	return X86EMUL_CONTINUE;
2480
}
2481

2482
static int em_sysexit(struct x86_emulate_ctxt *ctxt)
2483
{
2484
	const struct x86_emulate_ops *ops = ctxt->ops;
2485
	struct desc_struct cs, ss;
2486
	u64 msr_data, rcx, rdx;
2487
	int usermode;
2488
	u16 cs_sel = 0, ss_sel = 0;
2489

2490
	/* inject #GP if in real mode or Virtual 8086 mode */
2491
	if (ctxt->mode == X86EMUL_MODE_REAL ||
2492
	    ctxt->mode == X86EMUL_MODE_VM86)
2493
		return emulate_gp(ctxt, 0);
2494

2495
	setup_syscalls_segments(&cs, &ss);
2496

2497
	if ((ctxt->rex_prefix & 0x8) != 0x0)
2498
		usermode = X86EMUL_MODE_PROT64;
2499
	else
2500
		usermode = X86EMUL_MODE_PROT32;
2501

2502
	rcx = reg_read(ctxt, VCPU_REGS_RCX);
2503
	rdx = reg_read(ctxt, VCPU_REGS_RDX);
2504

2505
	cs.dpl = 3;
2506
	ss.dpl = 3;
2507
	ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2508
	switch (usermode) {
2509
	case X86EMUL_MODE_PROT32:
2510
		cs_sel = (u16)(msr_data + 16);
2511
		if ((msr_data & 0xfffc) == 0x0)
2512
			return emulate_gp(ctxt, 0);
2513
		ss_sel = (u16)(msr_data + 24);
2514
		rcx = (u32)rcx;
2515
		rdx = (u32)rdx;
2516
		break;
2517
	case X86EMUL_MODE_PROT64:
2518
		cs_sel = (u16)(msr_data + 32);
2519
		if (msr_data == 0x0)
2520
			return emulate_gp(ctxt, 0);
2521
		ss_sel = cs_sel + 8;
2522
		cs.d = 0;
2523
		cs.l = 1;
2524
		if (emul_is_noncanonical_address(rcx, ctxt, 0) ||
2525
		    emul_is_noncanonical_address(rdx, ctxt, 0))
2526
			return emulate_gp(ctxt, 0);
2527
		break;
2528
	}
2529
	cs_sel |= SEGMENT_RPL_MASK;
2530
	ss_sel |= SEGMENT_RPL_MASK;
2531

2532
	ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
2533
	ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2534

2535
	ctxt->_eip = rdx;
2536
	ctxt->mode = usermode;
2537
	*reg_write(ctxt, VCPU_REGS_RSP) = rcx;
2538

2539
	return X86EMUL_CONTINUE;
2540
}
2541

2542
static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt)
2543
{
2544
	int iopl;
2545
	if (ctxt->mode == X86EMUL_MODE_REAL)
2546
		return false;
2547
	if (ctxt->mode == X86EMUL_MODE_VM86)
2548
		return true;
2549
	iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> X86_EFLAGS_IOPL_BIT;
2550
	return ctxt->ops->cpl(ctxt) > iopl;
2551
}
2552

2553
#define VMWARE_PORT_VMPORT	(0x5658)
2554
#define VMWARE_PORT_VMRPC	(0x5659)
2555

2556
static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2557
					    u16 port, u16 len)
2558
{
2559
	const struct x86_emulate_ops *ops = ctxt->ops;
2560
	struct desc_struct tr_seg;
2561
	u32 base3;
2562
	int r;
2563
	u16 tr, io_bitmap_ptr, perm, bit_idx = port & 0x7;
2564
	unsigned mask = (1 << len) - 1;
2565
	unsigned long base;
2566

2567
	/*
2568
	 * VMware allows access to these ports even if denied
2569
	 * by TSS I/O permission bitmap. Mimic behavior.
2570
	 */
2571
	if (enable_vmware_backdoor &&
2572
	    ((port == VMWARE_PORT_VMPORT) || (port == VMWARE_PORT_VMRPC)))
2573
		return true;
2574

2575
	ops->get_segment(ctxt, &tr, &tr_seg, &base3, VCPU_SREG_TR);
2576
	if (!tr_seg.p)
2577
		return false;
2578
	if (desc_limit_scaled(&tr_seg) < 103)
2579
		return false;
2580
	base = get_desc_base(&tr_seg);
2581
#ifdef CONFIG_X86_64
2582
	base |= ((u64)base3) << 32;
2583
#endif
2584
	r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL, true);
2585
	if (r != X86EMUL_CONTINUE)
2586
		return false;
2587
	if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2588
		return false;
2589
	r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL, true);
2590
	if (r != X86EMUL_CONTINUE)
2591
		return false;
2592
	if ((perm >> bit_idx) & mask)
2593
		return false;
2594
	return true;
2595
}
2596

2597
static bool emulator_io_permitted(struct x86_emulate_ctxt *ctxt,
2598
				  u16 port, u16 len)
2599
{
2600
	if (ctxt->perm_ok)
2601
		return true;
2602

2603
	if (emulator_bad_iopl(ctxt))
2604
		if (!emulator_io_port_access_allowed(ctxt, port, len))
2605
			return false;
2606

2607
	ctxt->perm_ok = true;
2608

2609
	return true;
2610
}
2611

2612
static void string_registers_quirk(struct x86_emulate_ctxt *ctxt)
2613
{
2614
	/*
2615
	 * Intel CPUs mask the counter and pointers in quite strange
2616
	 * manner when ECX is zero due to REP-string optimizations.
2617
	 */
2618
#ifdef CONFIG_X86_64
2619
	u32 eax, ebx, ecx, edx;
2620

2621
	if (ctxt->ad_bytes != 4)
2622
		return;
2623

2624
	eax = ecx = 0;
2625
	ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, true);
2626
	if (!is_guest_vendor_intel(ebx, ecx, edx))
2627
		return;
2628

2629
	*reg_write(ctxt, VCPU_REGS_RCX) = 0;
2630

2631
	switch (ctxt->b) {
2632
	case 0xa4:	/* movsb */
2633
	case 0xa5:	/* movsd/w */
2634
		*reg_rmw(ctxt, VCPU_REGS_RSI) &= (u32)-1;
2635
		fallthrough;
2636
	case 0xaa:	/* stosb */
2637
	case 0xab:	/* stosd/w */
2638
		*reg_rmw(ctxt, VCPU_REGS_RDI) &= (u32)-1;
2639
	}
2640
#endif
2641
}
2642

2643
static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2644
				struct tss_segment_16 *tss)
2645
{
2646
	tss->ip = ctxt->_eip;
2647
	tss->flag = ctxt->eflags;
2648
	tss->ax = reg_read(ctxt, VCPU_REGS_RAX);
2649
	tss->cx = reg_read(ctxt, VCPU_REGS_RCX);
2650
	tss->dx = reg_read(ctxt, VCPU_REGS_RDX);
2651
	tss->bx = reg_read(ctxt, VCPU_REGS_RBX);
2652
	tss->sp = reg_read(ctxt, VCPU_REGS_RSP);
2653
	tss->bp = reg_read(ctxt, VCPU_REGS_RBP);
2654
	tss->si = reg_read(ctxt, VCPU_REGS_RSI);
2655
	tss->di = reg_read(ctxt, VCPU_REGS_RDI);
2656

2657
	tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2658
	tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2659
	tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2660
	tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2661
	tss->ldt = get_segment_selector(ctxt, VCPU_SREG_LDTR);
2662
}
2663

2664
static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2665
				 struct tss_segment_16 *tss)
2666
{
2667
	int ret;
2668
	u8 cpl;
2669

2670
	ctxt->_eip = tss->ip;
2671
	ctxt->eflags = tss->flag | 2;
2672
	*reg_write(ctxt, VCPU_REGS_RAX) = tss->ax;
2673
	*reg_write(ctxt, VCPU_REGS_RCX) = tss->cx;
2674
	*reg_write(ctxt, VCPU_REGS_RDX) = tss->dx;
2675
	*reg_write(ctxt, VCPU_REGS_RBX) = tss->bx;
2676
	*reg_write(ctxt, VCPU_REGS_RSP) = tss->sp;
2677
	*reg_write(ctxt, VCPU_REGS_RBP) = tss->bp;
2678
	*reg_write(ctxt, VCPU_REGS_RSI) = tss->si;
2679
	*reg_write(ctxt, VCPU_REGS_RDI) = tss->di;
2680

2681
	/*
2682
	 * SDM says that segment selectors are loaded before segment
2683
	 * descriptors
2684
	 */
2685
	set_segment_selector(ctxt, tss->ldt, VCPU_SREG_LDTR);
2686
	set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2687
	set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2688
	set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2689
	set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2690

2691
	cpl = tss->cs & 3;
2692

2693
	/*
2694
	 * Now load segment descriptors. If fault happens at this stage
2695
	 * it is handled in a context of new task
2696
	 */
2697
	ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl,
2698
					X86_TRANSFER_TASK_SWITCH, NULL);
2699
	if (ret != X86EMUL_CONTINUE)
2700
		return ret;
2701
	ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
2702
					X86_TRANSFER_TASK_SWITCH, NULL);
2703
	if (ret != X86EMUL_CONTINUE)
2704
		return ret;
2705
	ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
2706
					X86_TRANSFER_TASK_SWITCH, NULL);
2707
	if (ret != X86EMUL_CONTINUE)
2708
		return ret;
2709
	ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
2710
					X86_TRANSFER_TASK_SWITCH, NULL);
2711
	if (ret != X86EMUL_CONTINUE)
2712
		return ret;
2713
	ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
2714
					X86_TRANSFER_TASK_SWITCH, NULL);
2715
	if (ret != X86EMUL_CONTINUE)
2716
		return ret;
2717

2718
	return X86EMUL_CONTINUE;
2719
}
2720

2721
static int task_switch_16(struct x86_emulate_ctxt *ctxt, u16 old_tss_sel,
2722
			  ulong old_tss_base, struct desc_struct *new_desc)
2723
{
2724
	struct tss_segment_16 tss_seg;
2725
	int ret;
2726
	u32 new_tss_base = get_desc_base(new_desc);
2727

2728
	ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof(tss_seg));
2729
	if (ret != X86EMUL_CONTINUE)
2730
		return ret;
2731

2732
	save_state_to_tss16(ctxt, &tss_seg);
2733

2734
	ret = linear_write_system(ctxt, old_tss_base, &tss_seg, sizeof(tss_seg));
2735
	if (ret != X86EMUL_CONTINUE)
2736
		return ret;
2737

2738
	ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof(tss_seg));
2739
	if (ret != X86EMUL_CONTINUE)
2740
		return ret;
2741

2742
	if (old_tss_sel != 0xffff) {
2743
		tss_seg.prev_task_link = old_tss_sel;
2744

2745
		ret = linear_write_system(ctxt, new_tss_base,
2746
					  &tss_seg.prev_task_link,
2747
					  sizeof(tss_seg.prev_task_link));
2748
		if (ret != X86EMUL_CONTINUE)
2749
			return ret;
2750
	}
2751

2752
	return load_state_from_tss16(ctxt, &tss_seg);
2753
}
2754

2755
static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2756
				struct tss_segment_32 *tss)
2757
{
2758
	/* CR3 and ldt selector are not saved intentionally */
2759
	tss->eip = ctxt->_eip;
2760
	tss->eflags = ctxt->eflags;
2761
	tss->eax = reg_read(ctxt, VCPU_REGS_RAX);
2762
	tss->ecx = reg_read(ctxt, VCPU_REGS_RCX);
2763
	tss->edx = reg_read(ctxt, VCPU_REGS_RDX);
2764
	tss->ebx = reg_read(ctxt, VCPU_REGS_RBX);
2765
	tss->esp = reg_read(ctxt, VCPU_REGS_RSP);
2766
	tss->ebp = reg_read(ctxt, VCPU_REGS_RBP);
2767
	tss->esi = reg_read(ctxt, VCPU_REGS_RSI);
2768
	tss->edi = reg_read(ctxt, VCPU_REGS_RDI);
2769

2770
	tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
2771
	tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
2772
	tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
2773
	tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
2774
	tss->fs = get_segment_selector(ctxt, VCPU_SREG_FS);
2775
	tss->gs = get_segment_selector(ctxt, VCPU_SREG_GS);
2776
}
2777

2778
static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2779
				 struct tss_segment_32 *tss)
2780
{
2781
	int ret;
2782
	u8 cpl;
2783

2784
	if (ctxt->ops->set_cr(ctxt, 3, tss->cr3))
2785
		return emulate_gp(ctxt, 0);
2786
	ctxt->_eip = tss->eip;
2787
	ctxt->eflags = tss->eflags | 2;
2788

2789
	/* General purpose registers */
2790
	*reg_write(ctxt, VCPU_REGS_RAX) = tss->eax;
2791
	*reg_write(ctxt, VCPU_REGS_RCX) = tss->ecx;
2792
	*reg_write(ctxt, VCPU_REGS_RDX) = tss->edx;
2793
	*reg_write(ctxt, VCPU_REGS_RBX) = tss->ebx;
2794
	*reg_write(ctxt, VCPU_REGS_RSP) = tss->esp;
2795
	*reg_write(ctxt, VCPU_REGS_RBP) = tss->ebp;
2796
	*reg_write(ctxt, VCPU_REGS_RSI) = tss->esi;
2797
	*reg_write(ctxt, VCPU_REGS_RDI) = tss->edi;
2798

2799
	/*
2800
	 * SDM says that segment selectors are loaded before segment
2801
	 * descriptors.  This is important because CPL checks will
2802
	 * use CS.RPL.
2803
	 */
2804
	set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
2805
	set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
2806
	set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
2807
	set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
2808
	set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
2809
	set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS);
2810
	set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS);
2811

2812
	/*
2813
	 * If we're switching between Protected Mode and VM86, we need to make
2814
	 * sure to update the mode before loading the segment descriptors so
2815
	 * that the selectors are interpreted correctly.
2816
	 */
2817
	if (ctxt->eflags & X86_EFLAGS_VM) {
2818
		ctxt->mode = X86EMUL_MODE_VM86;
2819
		cpl = 3;
2820
	} else {
2821
		ctxt->mode = X86EMUL_MODE_PROT32;
2822
		cpl = tss->cs & 3;
2823
	}
2824

2825
	/*
2826
	 * Now load segment descriptors. If fault happens at this stage
2827
	 * it is handled in a context of new task
2828
	 */
2829
	ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR,
2830
					cpl, X86_TRANSFER_TASK_SWITCH, NULL);
2831
	if (ret != X86EMUL_CONTINUE)
2832
		return ret;
2833
	ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
2834
					X86_TRANSFER_TASK_SWITCH, NULL);
2835
	if (ret != X86EMUL_CONTINUE)
2836
		return ret;
2837
	ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
2838
					X86_TRANSFER_TASK_SWITCH, NULL);
2839
	if (ret != X86EMUL_CONTINUE)
2840
		return ret;
2841
	ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
2842
					X86_TRANSFER_TASK_SWITCH, NULL);
2843
	if (ret != X86EMUL_CONTINUE)
2844
		return ret;
2845
	ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
2846
					X86_TRANSFER_TASK_SWITCH, NULL);
2847
	if (ret != X86EMUL_CONTINUE)
2848
		return ret;
2849
	ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl,
2850
					X86_TRANSFER_TASK_SWITCH, NULL);
2851
	if (ret != X86EMUL_CONTINUE)
2852
		return ret;
2853
	ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl,
2854
					X86_TRANSFER_TASK_SWITCH, NULL);
2855

2856
	return ret;
2857
}
2858

2859
static int task_switch_32(struct x86_emulate_ctxt *ctxt, u16 old_tss_sel,
2860
			  ulong old_tss_base, struct desc_struct *new_desc)
2861
{
2862
	struct tss_segment_32 tss_seg;
2863
	int ret;
2864
	u32 new_tss_base = get_desc_base(new_desc);
2865
	u32 eip_offset = offsetof(struct tss_segment_32, eip);
2866
	u32 ldt_sel_offset = offsetof(struct tss_segment_32, ldt_selector);
2867

2868
	ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof(tss_seg));
2869
	if (ret != X86EMUL_CONTINUE)
2870
		return ret;
2871

2872
	save_state_to_tss32(ctxt, &tss_seg);
2873

2874
	/* Only GP registers and segment selectors are saved */
2875
	ret = linear_write_system(ctxt, old_tss_base + eip_offset, &tss_seg.eip,
2876
				  ldt_sel_offset - eip_offset);
2877
	if (ret != X86EMUL_CONTINUE)
2878
		return ret;
2879

2880
	ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof(tss_seg));
2881
	if (ret != X86EMUL_CONTINUE)
2882
		return ret;
2883

2884
	if (old_tss_sel != 0xffff) {
2885
		tss_seg.prev_task_link = old_tss_sel;
2886

2887
		ret = linear_write_system(ctxt, new_tss_base,
2888
					  &tss_seg.prev_task_link,
2889
					  sizeof(tss_seg.prev_task_link));
2890
		if (ret != X86EMUL_CONTINUE)
2891
			return ret;
2892
	}
2893

2894
	return load_state_from_tss32(ctxt, &tss_seg);
2895
}
2896

2897
static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2898
				   u16 tss_selector, int idt_index, int reason,
2899
				   bool has_error_code, u32 error_code)
2900
{
2901
	const struct x86_emulate_ops *ops = ctxt->ops;
2902
	struct desc_struct curr_tss_desc, next_tss_desc;
2903
	int ret;
2904
	u16 old_tss_sel = get_segment_selector(ctxt, VCPU_SREG_TR);
2905
	ulong old_tss_base =
2906
		ops->get_cached_segment_base(ctxt, VCPU_SREG_TR);
2907
	u32 desc_limit;
2908
	ulong desc_addr, dr7;
2909

2910
	/* FIXME: old_tss_base == ~0 ? */
2911

2912
	ret = read_segment_descriptor(ctxt, tss_selector, &next_tss_desc, &desc_addr);
2913
	if (ret != X86EMUL_CONTINUE)
2914
		return ret;
2915
	ret = read_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc, &desc_addr);
2916
	if (ret != X86EMUL_CONTINUE)
2917
		return ret;
2918

2919
	/* FIXME: check that next_tss_desc is tss */
2920

2921
	/*
2922
	 * Check privileges. The three cases are task switch caused by...
2923
	 *
2924
	 * 1. jmp/call/int to task gate: Check against DPL of the task gate
2925
	 * 2. Exception/IRQ/iret: No check is performed
2926
	 * 3. jmp/call to TSS/task-gate: No check is performed since the
2927
	 *    hardware checks it before exiting.
2928
	 */
2929
	if (reason == TASK_SWITCH_GATE) {
2930
		if (idt_index != -1) {
2931
			/* Software interrupts */
2932
			struct desc_struct task_gate_desc;
2933
			int dpl;
2934

2935
			ret = read_interrupt_descriptor(ctxt, idt_index,
2936
							&task_gate_desc);
2937
			if (ret != X86EMUL_CONTINUE)
2938
				return ret;
2939

2940
			dpl = task_gate_desc.dpl;
2941
			if ((tss_selector & 3) > dpl || ops->cpl(ctxt) > dpl)
2942
				return emulate_gp(ctxt, (idt_index << 3) | 0x2);
2943
		}
2944
	}
2945

2946
	desc_limit = desc_limit_scaled(&next_tss_desc);
2947
	if (!next_tss_desc.p ||
2948
	    ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2949
	     desc_limit < 0x2b)) {
2950
		return emulate_ts(ctxt, tss_selector & 0xfffc);
2951
	}
2952

2953
	if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2954
		curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2955
		write_segment_descriptor(ctxt, old_tss_sel, &curr_tss_desc);
2956
	}
2957

2958
	if (reason == TASK_SWITCH_IRET)
2959
		ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2960

2961
	/* set back link to prev task only if NT bit is set in eflags
2962
	   note that old_tss_sel is not used after this point */
2963
	if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2964
		old_tss_sel = 0xffff;
2965

2966
	if (next_tss_desc.type & 8)
2967
		ret = task_switch_32(ctxt, old_tss_sel, old_tss_base, &next_tss_desc);
2968
	else
2969
		ret = task_switch_16(ctxt, old_tss_sel,
2970
				     old_tss_base, &next_tss_desc);
2971
	if (ret != X86EMUL_CONTINUE)
2972
		return ret;
2973

2974
	if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2975
		ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2976

2977
	if (reason != TASK_SWITCH_IRET) {
2978
		next_tss_desc.type |= (1 << 1); /* set busy flag */
2979
		write_segment_descriptor(ctxt, tss_selector, &next_tss_desc);
2980
	}
2981

2982
	ops->set_cr(ctxt, 0,  ops->get_cr(ctxt, 0) | X86_CR0_TS);
2983
	ops->set_segment(ctxt, tss_selector, &next_tss_desc, 0, VCPU_SREG_TR);
2984

2985
	if (has_error_code) {
2986
		ctxt->op_bytes = ctxt->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2987
		ctxt->lock_prefix = 0;
2988
		ctxt->src.val = (unsigned long) error_code;
2989
		ret = em_push(ctxt);
2990
	}
2991

2992
	dr7 = ops->get_dr(ctxt, 7);
2993
	ops->set_dr(ctxt, 7, dr7 & ~(DR_LOCAL_ENABLE_MASK | DR_LOCAL_SLOWDOWN));
2994

2995
	return ret;
2996
}
2997

2998
int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2999
			 u16 tss_selector, int idt_index, int reason,
3000
			 bool has_error_code, u32 error_code)
3001
{
3002
	int rc;
3003

3004
	invalidate_registers(ctxt);
3005
	ctxt->_eip = ctxt->eip;
3006
	ctxt->dst.type = OP_NONE;
3007

3008
	rc = emulator_do_task_switch(ctxt, tss_selector, idt_index, reason,
3009
				     has_error_code, error_code);
3010

3011
	if (rc == X86EMUL_CONTINUE) {
3012
		ctxt->eip = ctxt->_eip;
3013
		writeback_registers(ctxt);
3014
	}
3015

3016
	return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
3017
}
3018

3019
static void string_addr_inc(struct x86_emulate_ctxt *ctxt, int reg,
3020
		struct operand *op)
3021
{
3022
	int df = (ctxt->eflags & X86_EFLAGS_DF) ? -op->count : op->count;
3023

3024
	register_address_increment(ctxt, reg, df * op->bytes);
3025
	op->addr.mem.ea = register_address(ctxt, reg);
3026
}
3027

3028
static int em_das(struct x86_emulate_ctxt *ctxt)
3029
{
3030
	u8 al, old_al;
3031
	bool af, cf, old_cf;
3032

3033
	cf = ctxt->eflags & X86_EFLAGS_CF;
3034
	al = ctxt->dst.val;
3035

3036
	old_al = al;
3037
	old_cf = cf;
3038
	cf = false;
3039
	af = ctxt->eflags & X86_EFLAGS_AF;
3040
	if ((al & 0x0f) > 9 || af) {
3041
		al -= 6;
3042
		cf = old_cf | (al >= 250);
3043
		af = true;
3044
	} else {
3045
		af = false;
3046
	}
3047
	if (old_al > 0x99 || old_cf) {
3048
		al -= 0x60;
3049
		cf = true;
3050
	}
3051

3052
	ctxt->dst.val = al;
3053
	/* Set PF, ZF, SF */
3054
	ctxt->src.type = OP_IMM;
3055
	ctxt->src.val = 0;
3056
	ctxt->src.bytes = 1;
3057
	fastop(ctxt, em_or);
3058
	ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
3059
	if (cf)
3060
		ctxt->eflags |= X86_EFLAGS_CF;
3061
	if (af)
3062
		ctxt->eflags |= X86_EFLAGS_AF;
3063
	return X86EMUL_CONTINUE;
3064
}
3065

3066
static int em_aam(struct x86_emulate_ctxt *ctxt)
3067
{
3068
	u8 al, ah;
3069

3070
	if (ctxt->src.val == 0)
3071
		return emulate_de(ctxt);
3072

3073
	al = ctxt->dst.val & 0xff;
3074
	ah = al / ctxt->src.val;
3075
	al %= ctxt->src.val;
3076

3077
	ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al | (ah << 8);
3078

3079
	/* Set PF, ZF, SF */
3080
	ctxt->src.type = OP_IMM;
3081
	ctxt->src.val = 0;
3082
	ctxt->src.bytes = 1;
3083
	fastop(ctxt, em_or);
3084

3085
	return X86EMUL_CONTINUE;
3086
}
3087

3088
static int em_aad(struct x86_emulate_ctxt *ctxt)
3089
{
3090
	u8 al = ctxt->dst.val & 0xff;
3091
	u8 ah = (ctxt->dst.val >> 8) & 0xff;
3092

3093
	al = (al + (ah * ctxt->src.val)) & 0xff;
3094

3095
	ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al;
3096

3097
	/* Set PF, ZF, SF */
3098
	ctxt->src.type = OP_IMM;
3099
	ctxt->src.val = 0;
3100
	ctxt->src.bytes = 1;
3101
	fastop(ctxt, em_or);
3102

3103
	return X86EMUL_CONTINUE;
3104
}
3105

3106
static int em_call(struct x86_emulate_ctxt *ctxt)
3107
{
3108
	int rc;
3109
	long rel = ctxt->src.val;
3110

3111
	ctxt->src.val = (unsigned long)ctxt->_eip;
3112
	rc = jmp_rel(ctxt, rel);
3113
	if (rc != X86EMUL_CONTINUE)
3114
		return rc;
3115
	return em_push(ctxt);
3116
}
3117

3118
static int em_call_far(struct x86_emulate_ctxt *ctxt)
3119
{
3120
	u16 sel, old_cs;
3121
	ulong old_eip;
3122
	int rc;
3123
	struct desc_struct old_desc, new_desc;
3124
	const struct x86_emulate_ops *ops = ctxt->ops;
3125
	int cpl = ctxt->ops->cpl(ctxt);
3126
	enum x86emul_mode prev_mode = ctxt->mode;
3127

3128
	old_eip = ctxt->_eip;
3129
	ops->get_segment(ctxt, &old_cs, &old_desc, NULL, VCPU_SREG_CS);
3130

3131
	memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
3132
	rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
3133
				       X86_TRANSFER_CALL_JMP, &new_desc);
3134
	if (rc != X86EMUL_CONTINUE)
3135
		return rc;
3136

3137
	rc = assign_eip_far(ctxt, ctxt->src.val);
3138
	if (rc != X86EMUL_CONTINUE)
3139
		goto fail;
3140

3141
	ctxt->src.val = old_cs;
3142
	rc = em_push(ctxt);
3143
	if (rc != X86EMUL_CONTINUE)
3144
		goto fail;
3145

3146
	ctxt->src.val = old_eip;
3147
	rc = em_push(ctxt);
3148
	/* If we failed, we tainted the memory, but the very least we should
3149
	   restore cs */
3150
	if (rc != X86EMUL_CONTINUE) {
3151
		pr_warn_once("faulting far call emulation tainted memory\n");
3152
		goto fail;
3153
	}
3154
	return rc;
3155
fail:
3156
	ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
3157
	ctxt->mode = prev_mode;
3158
	return rc;
3159

3160
}
3161

3162
static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
3163
{
3164
	int rc;
3165
	unsigned long eip = 0;
3166

3167
	rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
3168
	if (rc != X86EMUL_CONTINUE)
3169
		return rc;
3170
	rc = assign_eip_near(ctxt, eip);
3171
	if (rc != X86EMUL_CONTINUE)
3172
		return rc;
3173
	rsp_increment(ctxt, ctxt->src.val);
3174
	return X86EMUL_CONTINUE;
3175
}
3176

3177
static int em_xchg(struct x86_emulate_ctxt *ctxt)
3178
{
3179
	/* Write back the register source. */
3180
	ctxt->src.val = ctxt->dst.val;
3181
	write_register_operand(&ctxt->src);
3182

3183
	/* Write back the memory destination with implicit LOCK prefix. */
3184
	ctxt->dst.val = ctxt->src.orig_val;
3185
	ctxt->lock_prefix = 1;
3186
	return X86EMUL_CONTINUE;
3187
}
3188

3189
static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
3190
{
3191
	ctxt->dst.val = ctxt->src2.val;
3192
	return fastop(ctxt, em_imul);
3193
}
3194

3195
static int em_cwd(struct x86_emulate_ctxt *ctxt)
3196
{
3197
	ctxt->dst.type = OP_REG;
3198
	ctxt->dst.bytes = ctxt->src.bytes;
3199
	ctxt->dst.addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
3200
	ctxt->dst.val = ~((ctxt->src.val >> (ctxt->src.bytes * 8 - 1)) - 1);
3201

3202
	return X86EMUL_CONTINUE;
3203
}
3204

3205
static int em_rdpid(struct x86_emulate_ctxt *ctxt)
3206
{
3207
	u64 tsc_aux = 0;
3208

3209
	if (!ctxt->ops->guest_has_rdpid(ctxt))
3210
		return emulate_ud(ctxt);
3211

3212
	ctxt->ops->get_msr(ctxt, MSR_TSC_AUX, &tsc_aux);
3213
	ctxt->dst.val = tsc_aux;
3214
	return X86EMUL_CONTINUE;
3215
}
3216

3217
static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
3218
{
3219
	u64 tsc = 0;
3220

3221
	ctxt->ops->get_msr(ctxt, MSR_IA32_TSC, &tsc);
3222
	*reg_write(ctxt, VCPU_REGS_RAX) = (u32)tsc;
3223
	*reg_write(ctxt, VCPU_REGS_RDX) = tsc >> 32;
3224
	return X86EMUL_CONTINUE;
3225
}
3226

3227
static int em_rdpmc(struct x86_emulate_ctxt *ctxt)
3228
{
3229
	u64 pmc;
3230

3231
	if (ctxt->ops->read_pmc(ctxt, reg_read(ctxt, VCPU_REGS_RCX), &pmc))
3232
		return emulate_gp(ctxt, 0);
3233
	*reg_write(ctxt, VCPU_REGS_RAX) = (u32)pmc;
3234
	*reg_write(ctxt, VCPU_REGS_RDX) = pmc >> 32;
3235
	return X86EMUL_CONTINUE;
3236
}
3237

3238
static int em_mov(struct x86_emulate_ctxt *ctxt)
3239
{
3240
	memcpy(ctxt->dst.valptr, ctxt->src.valptr, sizeof(ctxt->src.valptr));
3241
	return X86EMUL_CONTINUE;
3242
}
3243

3244
static int em_movbe(struct x86_emulate_ctxt *ctxt)
3245
{
3246
	u16 tmp;
3247

3248
	if (!ctxt->ops->guest_has_movbe(ctxt))
3249
		return emulate_ud(ctxt);
3250

3251
	switch (ctxt->op_bytes) {
3252
	case 2:
3253
		/*
3254
		 * From MOVBE definition: "...When the operand size is 16 bits,
3255
		 * the upper word of the destination register remains unchanged
3256
		 * ..."
3257
		 *
3258
		 * Both casting ->valptr and ->val to u16 breaks strict aliasing
3259
		 * rules so we have to do the operation almost per hand.
3260
		 */
3261
		tmp = (u16)ctxt->src.val;
3262
		ctxt->dst.val &= ~0xffffUL;
3263
		ctxt->dst.val |= (unsigned long)swab16(tmp);
3264
		break;
3265
	case 4:
3266
		ctxt->dst.val = swab32((u32)ctxt->src.val);
3267
		break;
3268
	case 8:
3269
		ctxt->dst.val = swab64(ctxt->src.val);
3270
		break;
3271
	default:
3272
		BUG();
3273
	}
3274
	return X86EMUL_CONTINUE;
3275
}
3276

3277
static int em_cr_write(struct x86_emulate_ctxt *ctxt)
3278
{
3279
	int cr_num = ctxt->modrm_reg;
3280
	int r;
3281

3282
	if (ctxt->ops->set_cr(ctxt, cr_num, ctxt->src.val))
3283
		return emulate_gp(ctxt, 0);
3284

3285
	/* Disable writeback. */
3286
	ctxt->dst.type = OP_NONE;
3287

3288
	if (cr_num == 0) {
3289
		/*
3290
		 * CR0 write might have updated CR0.PE and/or CR0.PG
3291
		 * which can affect the cpu's execution mode.
3292
		 */
3293
		r = emulator_recalc_and_set_mode(ctxt);
3294
		if (r != X86EMUL_CONTINUE)
3295
			return r;
3296
	}
3297

3298
	return X86EMUL_CONTINUE;
3299
}
3300

3301
static int em_dr_write(struct x86_emulate_ctxt *ctxt)
3302
{
3303
	unsigned long val;
3304

3305
	if (ctxt->mode == X86EMUL_MODE_PROT64)
3306
		val = ctxt->src.val & ~0ULL;
3307
	else
3308
		val = ctxt->src.val & ~0U;
3309

3310
	/* #UD condition is already handled. */
3311
	if (ctxt->ops->set_dr(ctxt, ctxt->modrm_reg, val) < 0)
3312
		return emulate_gp(ctxt, 0);
3313

3314
	/* Disable writeback. */
3315
	ctxt->dst.type = OP_NONE;
3316
	return X86EMUL_CONTINUE;
3317
}
3318

3319
static int em_wrmsr(struct x86_emulate_ctxt *ctxt)
3320
{
3321
	u64 msr_index = reg_read(ctxt, VCPU_REGS_RCX);
3322
	u64 msr_data;
3323
	int r;
3324

3325
	msr_data = (u32)reg_read(ctxt, VCPU_REGS_RAX)
3326
		| ((u64)reg_read(ctxt, VCPU_REGS_RDX) << 32);
3327
	r = ctxt->ops->set_msr_with_filter(ctxt, msr_index, msr_data);
3328

3329
	if (r == X86EMUL_PROPAGATE_FAULT)
3330
		return emulate_gp(ctxt, 0);
3331

3332
	return r;
3333
}
3334

3335
static int em_rdmsr(struct x86_emulate_ctxt *ctxt)
3336
{
3337
	u64 msr_index = reg_read(ctxt, VCPU_REGS_RCX);
3338
	u64 msr_data;
3339
	int r;
3340

3341
	r = ctxt->ops->get_msr_with_filter(ctxt, msr_index, &msr_data);
3342

3343
	if (r == X86EMUL_PROPAGATE_FAULT)
3344
		return emulate_gp(ctxt, 0);
3345

3346
	if (r == X86EMUL_CONTINUE) {
3347
		*reg_write(ctxt, VCPU_REGS_RAX) = (u32)msr_data;
3348
		*reg_write(ctxt, VCPU_REGS_RDX) = msr_data >> 32;
3349
	}
3350
	return r;
3351
}
3352

3353
static int em_store_sreg(struct x86_emulate_ctxt *ctxt, int segment)
3354
{
3355
	if (segment > VCPU_SREG_GS &&
3356
	    (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_UMIP) &&
3357
	    ctxt->ops->cpl(ctxt) > 0)
3358
		return emulate_gp(ctxt, 0);
3359

3360
	ctxt->dst.val = get_segment_selector(ctxt, segment);
3361
	if (ctxt->dst.bytes == 4 && ctxt->dst.type == OP_MEM)
3362
		ctxt->dst.bytes = 2;
3363
	return X86EMUL_CONTINUE;
3364
}
3365

3366
static int em_mov_rm_sreg(struct x86_emulate_ctxt *ctxt)
3367
{
3368
	if (ctxt->modrm_reg > VCPU_SREG_GS)
3369
		return emulate_ud(ctxt);
3370

3371
	return em_store_sreg(ctxt, ctxt->modrm_reg);
3372
}
3373

3374
static int em_mov_sreg_rm(struct x86_emulate_ctxt *ctxt)
3375
{
3376
	u16 sel = ctxt->src.val;
3377

3378
	if (ctxt->modrm_reg == VCPU_SREG_CS || ctxt->modrm_reg > VCPU_SREG_GS)
3379
		return emulate_ud(ctxt);
3380

3381
	if (ctxt->modrm_reg == VCPU_SREG_SS)
3382
		ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
3383

3384
	/* Disable writeback. */
3385
	ctxt->dst.type = OP_NONE;
3386
	return load_segment_descriptor(ctxt, sel, ctxt->modrm_reg);
3387
}
3388

3389
static int em_sldt(struct x86_emulate_ctxt *ctxt)
3390
{
3391
	return em_store_sreg(ctxt, VCPU_SREG_LDTR);
3392
}
3393

3394
static int em_lldt(struct x86_emulate_ctxt *ctxt)
3395
{
3396
	u16 sel = ctxt->src.val;
3397

3398
	/* Disable writeback. */
3399
	ctxt->dst.type = OP_NONE;
3400
	return load_segment_descriptor(ctxt, sel, VCPU_SREG_LDTR);
3401
}
3402

3403
static int em_str(struct x86_emulate_ctxt *ctxt)
3404
{
3405
	return em_store_sreg(ctxt, VCPU_SREG_TR);
3406
}
3407

3408
static int em_ltr(struct x86_emulate_ctxt *ctxt)
3409
{
3410
	u16 sel = ctxt->src.val;
3411

3412
	/* Disable writeback. */
3413
	ctxt->dst.type = OP_NONE;
3414
	return load_segment_descriptor(ctxt, sel, VCPU_SREG_TR);
3415
}
3416

3417
static int em_invlpg(struct x86_emulate_ctxt *ctxt)
3418
{
3419
	int rc;
3420
	ulong linear;
3421
	unsigned int max_size;
3422

3423
	rc = __linearize(ctxt, ctxt->src.addr.mem, &max_size, 1, ctxt->mode,
3424
			 &linear, X86EMUL_F_INVLPG);
3425
	if (rc == X86EMUL_CONTINUE)
3426
		ctxt->ops->invlpg(ctxt, linear);
3427
	/* Disable writeback. */
3428
	ctxt->dst.type = OP_NONE;
3429
	return X86EMUL_CONTINUE;
3430
}
3431

3432
static int em_clts(struct x86_emulate_ctxt *ctxt)
3433
{
3434
	ulong cr0;
3435

3436
	cr0 = ctxt->ops->get_cr(ctxt, 0);
3437
	cr0 &= ~X86_CR0_TS;
3438
	ctxt->ops->set_cr(ctxt, 0, cr0);
3439
	return X86EMUL_CONTINUE;
3440
}
3441

3442
static int em_hypercall(struct x86_emulate_ctxt *ctxt)
3443
{
3444
	int rc = ctxt->ops->fix_hypercall(ctxt);
3445

3446
	if (rc != X86EMUL_CONTINUE)
3447
		return rc;
3448

3449
	/* Let the processor re-execute the fixed hypercall */
3450
	ctxt->_eip = ctxt->eip;
3451
	/* Disable writeback. */
3452
	ctxt->dst.type = OP_NONE;
3453
	return X86EMUL_CONTINUE;
3454
}
3455

3456
static int emulate_store_desc_ptr(struct x86_emulate_ctxt *ctxt,
3457
				  void (*get)(struct x86_emulate_ctxt *ctxt,
3458
					      struct desc_ptr *ptr))
3459
{
3460
	struct desc_ptr desc_ptr;
3461

3462
	if ((ctxt->ops->get_cr(ctxt, 4) & X86_CR4_UMIP) &&
3463
	    ctxt->ops->cpl(ctxt) > 0)
3464
		return emulate_gp(ctxt, 0);
3465

3466
	if (ctxt->mode == X86EMUL_MODE_PROT64)
3467
		ctxt->op_bytes = 8;
3468
	get(ctxt, &desc_ptr);
3469
	if (ctxt->op_bytes == 2) {
3470
		ctxt->op_bytes = 4;
3471
		desc_ptr.address &= 0x00ffffff;
3472
	}
3473
	/* Disable writeback. */
3474
	ctxt->dst.type = OP_NONE;
3475
	return segmented_write_std(ctxt, ctxt->dst.addr.mem,
3476
				   &desc_ptr, 2 + ctxt->op_bytes);
3477
}
3478

3479
static int em_sgdt(struct x86_emulate_ctxt *ctxt)
3480
{
3481
	return emulate_store_desc_ptr(ctxt, ctxt->ops->get_gdt);
3482
}
3483

3484
static int em_sidt(struct x86_emulate_ctxt *ctxt)
3485
{
3486
	return emulate_store_desc_ptr(ctxt, ctxt->ops->get_idt);
3487
}
3488

3489
static int em_lgdt_lidt(struct x86_emulate_ctxt *ctxt, bool lgdt)
3490
{
3491
	struct desc_ptr desc_ptr;
3492
	int rc;
3493

3494
	if (ctxt->mode == X86EMUL_MODE_PROT64)
3495
		ctxt->op_bytes = 8;
3496
	rc = read_descriptor(ctxt, ctxt->src.addr.mem,
3497
			     &desc_ptr.size, &desc_ptr.address,
3498
			     ctxt->op_bytes);
3499
	if (rc != X86EMUL_CONTINUE)
3500
		return rc;
3501
	if (ctxt->mode == X86EMUL_MODE_PROT64 &&
3502
	    emul_is_noncanonical_address(desc_ptr.address, ctxt,
3503
					 X86EMUL_F_DT_LOAD))
3504
		return emulate_gp(ctxt, 0);
3505
	if (lgdt)
3506
		ctxt->ops->set_gdt(ctxt, &desc_ptr);
3507
	else
3508
		ctxt->ops->set_idt(ctxt, &desc_ptr);
3509
	/* Disable writeback. */
3510
	ctxt->dst.type = OP_NONE;
3511
	return X86EMUL_CONTINUE;
3512
}
3513

3514
static int em_lgdt(struct x86_emulate_ctxt *ctxt)
3515
{
3516
	return em_lgdt_lidt(ctxt, true);
3517
}
3518

3519
static int em_lidt(struct x86_emulate_ctxt *ctxt)
3520
{
3521
	return em_lgdt_lidt(ctxt, false);
3522
}
3523

3524
static int em_smsw(struct x86_emulate_ctxt *ctxt)
3525
{
3526
	if ((ctxt->ops->get_cr(ctxt, 4) & X86_CR4_UMIP) &&
3527
	    ctxt->ops->cpl(ctxt) > 0)
3528
		return emulate_gp(ctxt, 0);
3529

3530
	if (ctxt->dst.type == OP_MEM)
3531
		ctxt->dst.bytes = 2;
3532
	ctxt->dst.val = ctxt->ops->get_cr(ctxt, 0);
3533
	return X86EMUL_CONTINUE;
3534
}
3535

3536
static int em_lmsw(struct x86_emulate_ctxt *ctxt)
3537
{
3538
	ctxt->ops->set_cr(ctxt, 0, (ctxt->ops->get_cr(ctxt, 0) & ~0x0eul)
3539
			  | (ctxt->src.val & 0x0f));
3540
	ctxt->dst.type = OP_NONE;
3541
	return X86EMUL_CONTINUE;
3542
}
3543

3544
static int em_loop(struct x86_emulate_ctxt *ctxt)
3545
{
3546
	int rc = X86EMUL_CONTINUE;
3547

3548
	register_address_increment(ctxt, VCPU_REGS_RCX, -1);
3549
	if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) &&
3550
	    (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
3551
		rc = jmp_rel(ctxt, ctxt->src.val);
3552

3553
	return rc;
3554
}
3555

3556
static int em_jcxz(struct x86_emulate_ctxt *ctxt)
3557
{
3558
	int rc = X86EMUL_CONTINUE;
3559

3560
	if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0)
3561
		rc = jmp_rel(ctxt, ctxt->src.val);
3562

3563
	return rc;
3564
}
3565

3566
static int em_in(struct x86_emulate_ctxt *ctxt)
3567
{
3568
	if (!pio_in_emulated(ctxt, ctxt->dst.bytes, ctxt->src.val,
3569
			     &ctxt->dst.val))
3570
		return X86EMUL_IO_NEEDED;
3571

3572
	return X86EMUL_CONTINUE;
3573
}
3574

3575
static int em_out(struct x86_emulate_ctxt *ctxt)
3576
{
3577
	ctxt->ops->pio_out_emulated(ctxt, ctxt->src.bytes, ctxt->dst.val,
3578
				    &ctxt->src.val, 1);
3579
	/* Disable writeback. */
3580
	ctxt->dst.type = OP_NONE;
3581
	return X86EMUL_CONTINUE;
3582
}
3583

3584
static int em_cli(struct x86_emulate_ctxt *ctxt)
3585
{
3586
	if (emulator_bad_iopl(ctxt))
3587
		return emulate_gp(ctxt, 0);
3588

3589
	ctxt->eflags &= ~X86_EFLAGS_IF;
3590
	return X86EMUL_CONTINUE;
3591
}
3592

3593
static int em_sti(struct x86_emulate_ctxt *ctxt)
3594
{
3595
	if (emulator_bad_iopl(ctxt))
3596
		return emulate_gp(ctxt, 0);
3597

3598
	ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3599
	ctxt->eflags |= X86_EFLAGS_IF;
3600
	return X86EMUL_CONTINUE;
3601
}
3602

3603
static int em_cpuid(struct x86_emulate_ctxt *ctxt)
3604
{
3605
	u32 eax, ebx, ecx, edx;
3606
	u64 msr = 0;
3607

3608
	ctxt->ops->get_msr(ctxt, MSR_MISC_FEATURES_ENABLES, &msr);
3609
	if (msr & MSR_MISC_FEATURES_ENABLES_CPUID_FAULT &&
3610
	    ctxt->ops->cpl(ctxt)) {
3611
		return emulate_gp(ctxt, 0);
3612
	}
3613

3614
	eax = reg_read(ctxt, VCPU_REGS_RAX);
3615
	ecx = reg_read(ctxt, VCPU_REGS_RCX);
3616
	ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx, false);
3617
	*reg_write(ctxt, VCPU_REGS_RAX) = eax;
3618
	*reg_write(ctxt, VCPU_REGS_RBX) = ebx;
3619
	*reg_write(ctxt, VCPU_REGS_RCX) = ecx;
3620
	*reg_write(ctxt, VCPU_REGS_RDX) = edx;
3621
	return X86EMUL_CONTINUE;
3622
}
3623

3624
static int em_sahf(struct x86_emulate_ctxt *ctxt)
3625
{
3626
	u32 flags;
3627

3628
	flags = X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF | X86_EFLAGS_ZF |
3629
		X86_EFLAGS_SF;
3630
	flags &= *reg_rmw(ctxt, VCPU_REGS_RAX) >> 8;
3631

3632
	ctxt->eflags &= ~0xffUL;
3633
	ctxt->eflags |= flags | X86_EFLAGS_FIXED;
3634
	return X86EMUL_CONTINUE;
3635
}
3636

3637
static int em_lahf(struct x86_emulate_ctxt *ctxt)
3638
{
3639
	*reg_rmw(ctxt, VCPU_REGS_RAX) &= ~0xff00UL;
3640
	*reg_rmw(ctxt, VCPU_REGS_RAX) |= (ctxt->eflags & 0xff) << 8;
3641
	return X86EMUL_CONTINUE;
3642
}
3643

3644
static int em_bswap(struct x86_emulate_ctxt *ctxt)
3645
{
3646
	switch (ctxt->op_bytes) {
3647
#ifdef CONFIG_X86_64
3648
	case 8:
3649
		asm("bswap %0" : "+r"(ctxt->dst.val));
3650
		break;
3651
#endif
3652
	default:
3653
		asm("bswap %0" : "+r"(*(u32 *)&ctxt->dst.val));
3654
		break;
3655
	}
3656
	return X86EMUL_CONTINUE;
3657
}
3658

3659
static int em_clflush(struct x86_emulate_ctxt *ctxt)
3660
{
3661
	/* emulating clflush regardless of cpuid */
3662
	return X86EMUL_CONTINUE;
3663
}
3664

3665
static int em_clflushopt(struct x86_emulate_ctxt *ctxt)
3666
{
3667
	/* emulating clflushopt regardless of cpuid */
3668
	return X86EMUL_CONTINUE;
3669
}
3670

3671
static int em_movsxd(struct x86_emulate_ctxt *ctxt)
3672
{
3673
	ctxt->dst.val = (s32) ctxt->src.val;
3674
	return X86EMUL_CONTINUE;
3675
}
3676

3677
static int check_fxsr(struct x86_emulate_ctxt *ctxt)
3678
{
3679
	if (!ctxt->ops->guest_has_fxsr(ctxt))
3680
		return emulate_ud(ctxt);
3681

3682
	if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
3683
		return emulate_nm(ctxt);
3684

3685
	/*
3686
	 * Don't emulate a case that should never be hit, instead of working
3687
	 * around a lack of fxsave64/fxrstor64 on old compilers.
3688
	 */
3689
	if (ctxt->mode >= X86EMUL_MODE_PROT64)
3690
		return X86EMUL_UNHANDLEABLE;
3691

3692
	return X86EMUL_CONTINUE;
3693
}
3694

3695
/*
3696
 * Hardware doesn't save and restore XMM 0-7 without CR4.OSFXSR, but does save
3697
 * and restore MXCSR.
3698
 */
3699
static size_t __fxstate_size(int nregs)
3700
{
3701
	return offsetof(struct fxregs_state, xmm_space[0]) + nregs * 16;
3702
}
3703

3704
static inline size_t fxstate_size(struct x86_emulate_ctxt *ctxt)
3705
{
3706
	bool cr4_osfxsr;
3707
	if (ctxt->mode == X86EMUL_MODE_PROT64)
3708
		return __fxstate_size(16);
3709

3710
	cr4_osfxsr = ctxt->ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR;
3711
	return __fxstate_size(cr4_osfxsr ? 8 : 0);
3712
}
3713

3714
/*
3715
 * FXSAVE and FXRSTOR have 4 different formats depending on execution mode,
3716
 *  1) 16 bit mode
3717
 *  2) 32 bit mode
3718
 *     - like (1), but FIP and FDP (foo) are only 16 bit.  At least Intel CPUs
3719
 *       preserve whole 32 bit values, though, so (1) and (2) are the same wrt.
3720
 *       save and restore
3721
 *  3) 64-bit mode with REX.W prefix
3722
 *     - like (2), but XMM 8-15 are being saved and restored
3723
 *  4) 64-bit mode without REX.W prefix
3724
 *     - like (3), but FIP and FDP are 64 bit
3725
 *
3726
 * Emulation uses (3) for (1) and (2) and preserves XMM 8-15 to reach the
3727
 * desired result.  (4) is not emulated.
3728
 *
3729
 * Note: Guest and host CPUID.(EAX=07H,ECX=0H):EBX[bit 13] (deprecate FPU CS
3730
 * and FPU DS) should match.
3731
 */
3732
static int em_fxsave(struct x86_emulate_ctxt *ctxt)
3733
{
3734
	struct fxregs_state fx_state;
3735
	int rc;
3736

3737
	rc = check_fxsr(ctxt);
3738
	if (rc != X86EMUL_CONTINUE)
3739
		return rc;
3740

3741
	kvm_fpu_get();
3742

3743
	rc = asm_safe("fxsave %[fx]", , [fx] "+m"(fx_state));
3744

3745
	kvm_fpu_put();
3746

3747
	if (rc != X86EMUL_CONTINUE)
3748
		return rc;
3749

3750
	return segmented_write_std(ctxt, ctxt->memop.addr.mem, &fx_state,
3751
		                   fxstate_size(ctxt));
3752
}
3753

3754
/*
3755
 * FXRSTOR might restore XMM registers not provided by the guest. Fill
3756
 * in the host registers (via FXSAVE) instead, so they won't be modified.
3757
 * (preemption has to stay disabled until FXRSTOR).
3758
 *
3759
 * Use noinline to keep the stack for other functions called by callers small.
3760
 */
3761
static noinline int fxregs_fixup(struct fxregs_state *fx_state,
3762
				 const size_t used_size)
3763
{
3764
	struct fxregs_state fx_tmp;
3765
	int rc;
3766

3767
	rc = asm_safe("fxsave %[fx]", , [fx] "+m"(fx_tmp));
3768
	memcpy((void *)fx_state + used_size, (void *)&fx_tmp + used_size,
3769
	       __fxstate_size(16) - used_size);
3770

3771
	return rc;
3772
}
3773

3774
static int em_fxrstor(struct x86_emulate_ctxt *ctxt)
3775
{
3776
	struct fxregs_state fx_state;
3777
	int rc;
3778
	size_t size;
3779

3780
	rc = check_fxsr(ctxt);
3781
	if (rc != X86EMUL_CONTINUE)
3782
		return rc;
3783

3784
	size = fxstate_size(ctxt);
3785
	rc = segmented_read_std(ctxt, ctxt->memop.addr.mem, &fx_state, size);
3786
	if (rc != X86EMUL_CONTINUE)
3787
		return rc;
3788

3789
	kvm_fpu_get();
3790

3791
	if (size < __fxstate_size(16)) {
3792
		rc = fxregs_fixup(&fx_state, size);
3793
		if (rc != X86EMUL_CONTINUE)
3794
			goto out;
3795
	}
3796

3797
	if (fx_state.mxcsr >> 16) {
3798
		rc = emulate_gp(ctxt, 0);
3799
		goto out;
3800
	}
3801

3802
	if (rc == X86EMUL_CONTINUE)
3803
		rc = asm_safe("fxrstor %[fx]", : [fx] "m"(fx_state));
3804

3805
out:
3806
	kvm_fpu_put();
3807

3808
	return rc;
3809
}
3810

3811
static int em_xsetbv(struct x86_emulate_ctxt *ctxt)
3812
{
3813
	u32 eax, ecx, edx;
3814

3815
	if (!(ctxt->ops->get_cr(ctxt, 4) & X86_CR4_OSXSAVE))
3816
		return emulate_ud(ctxt);
3817

3818
	eax = reg_read(ctxt, VCPU_REGS_RAX);
3819
	edx = reg_read(ctxt, VCPU_REGS_RDX);
3820
	ecx = reg_read(ctxt, VCPU_REGS_RCX);
3821

3822
	if (ctxt->ops->set_xcr(ctxt, ecx, ((u64)edx << 32) | eax))
3823
		return emulate_gp(ctxt, 0);
3824

3825
	return X86EMUL_CONTINUE;
3826
}
3827

3828
static bool valid_cr(int nr)
3829
{
3830
	switch (nr) {
3831
	case 0:
3832
	case 2 ... 4:
3833
	case 8:
3834
		return true;
3835
	default:
3836
		return false;
3837
	}
3838
}
3839

3840
static int check_cr_access(struct x86_emulate_ctxt *ctxt)
3841
{
3842
	if (!valid_cr(ctxt->modrm_reg))
3843
		return emulate_ud(ctxt);
3844

3845
	return X86EMUL_CONTINUE;
3846
}
3847

3848
static int check_dr_read(struct x86_emulate_ctxt *ctxt)
3849
{
3850
	int dr = ctxt->modrm_reg;
3851
	u64 cr4;
3852

3853
	if (dr > 7)
3854
		return emulate_ud(ctxt);
3855

3856
	cr4 = ctxt->ops->get_cr(ctxt, 4);
3857
	if ((cr4 & X86_CR4_DE) && (dr == 4 || dr == 5))
3858
		return emulate_ud(ctxt);
3859

3860
	if (ctxt->ops->get_dr(ctxt, 7) & DR7_GD) {
3861
		ulong dr6;
3862

3863
		dr6 = ctxt->ops->get_dr(ctxt, 6);
3864
		dr6 &= ~DR_TRAP_BITS;
3865
		dr6 |= DR6_BD | DR6_ACTIVE_LOW;
3866
		ctxt->ops->set_dr(ctxt, 6, dr6);
3867
		return emulate_db(ctxt);
3868
	}
3869

3870
	return X86EMUL_CONTINUE;
3871
}
3872

3873
static int check_dr_write(struct x86_emulate_ctxt *ctxt)
3874
{
3875
	u64 new_val = ctxt->src.val64;
3876
	int dr = ctxt->modrm_reg;
3877

3878
	if ((dr == 6 || dr == 7) && (new_val & 0xffffffff00000000ULL))
3879
		return emulate_gp(ctxt, 0);
3880

3881
	return check_dr_read(ctxt);
3882
}
3883

3884
static int check_svme(struct x86_emulate_ctxt *ctxt)
3885
{
3886
	u64 efer = 0;
3887

3888
	ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
3889

3890
	if (!(efer & EFER_SVME))
3891
		return emulate_ud(ctxt);
3892

3893
	return X86EMUL_CONTINUE;
3894
}
3895

3896
static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
3897
{
3898
	u64 rax = reg_read(ctxt, VCPU_REGS_RAX);
3899

3900
	/* Valid physical address? */
3901
	if (rax & 0xffff000000000000ULL)
3902
		return emulate_gp(ctxt, 0);
3903

3904
	return check_svme(ctxt);
3905
}
3906

3907
static int check_rdtsc(struct x86_emulate_ctxt *ctxt)
3908
{
3909
	u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
3910

3911
	if (cr4 & X86_CR4_TSD && ctxt->ops->cpl(ctxt))
3912
		return emulate_gp(ctxt, 0);
3913

3914
	return X86EMUL_CONTINUE;
3915
}
3916

3917
static int check_rdpmc(struct x86_emulate_ctxt *ctxt)
3918
{
3919
	u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
3920
	u64 rcx = reg_read(ctxt, VCPU_REGS_RCX);
3921

3922
	/*
3923
	 * VMware allows access to these Pseduo-PMCs even when read via RDPMC
3924
	 * in Ring3 when CR4.PCE=0.
3925
	 */
3926
	if (enable_vmware_backdoor && is_vmware_backdoor_pmc(rcx))
3927
		return X86EMUL_CONTINUE;
3928

3929
	/*
3930
	 * If CR4.PCE is set, the SDM requires CPL=0 or CR0.PE=0.  The CR0.PE
3931
	 * check however is unnecessary because CPL is always 0 outside
3932
	 * protected mode.
3933
	 */
3934
	if ((!(cr4 & X86_CR4_PCE) && ctxt->ops->cpl(ctxt)) ||
3935
	    ctxt->ops->check_rdpmc_early(ctxt, rcx))
3936
		return emulate_gp(ctxt, 0);
3937

3938
	return X86EMUL_CONTINUE;
3939
}
3940

3941
static int check_perm_in(struct x86_emulate_ctxt *ctxt)
3942
{
3943
	ctxt->dst.bytes = min(ctxt->dst.bytes, 4u);
3944
	if (!emulator_io_permitted(ctxt, ctxt->src.val, ctxt->dst.bytes))
3945
		return emulate_gp(ctxt, 0);
3946

3947
	return X86EMUL_CONTINUE;
3948
}
3949

3950
static int check_perm_out(struct x86_emulate_ctxt *ctxt)
3951
{
3952
	ctxt->src.bytes = min(ctxt->src.bytes, 4u);
3953
	if (!emulator_io_permitted(ctxt, ctxt->dst.val, ctxt->src.bytes))
3954
		return emulate_gp(ctxt, 0);
3955

3956
	return X86EMUL_CONTINUE;
3957
}
3958

3959
#define D(_y) { .flags = (_y) }
3960
#define DI(_y, _i) { .flags = (_y)|Intercept, .intercept = x86_intercept_##_i }
3961
#define DIP(_y, _i, _p) { .flags = (_y)|Intercept|CheckPerm, \
3962
		      .intercept = x86_intercept_##_i, .check_perm = (_p) }
3963
#define N    D(NotImpl)
3964
#define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
3965
#define G(_f, _g) { .flags = ((_f) | Group | ModRM), .u.group = (_g) }
3966
#define GD(_f, _g) { .flags = ((_f) | GroupDual | ModRM), .u.gdual = (_g) }
3967
#define ID(_f, _i) { .flags = ((_f) | InstrDual | ModRM), .u.idual = (_i) }
3968
#define MD(_f, _m) { .flags = ((_f) | ModeDual), .u.mdual = (_m) }
3969
#define E(_f, _e) { .flags = ((_f) | Escape | ModRM), .u.esc = (_e) }
3970
#define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
3971
#define F(_f, _e) { .flags = (_f) | Fastop, .u.fastop = (_e) }
3972
#define II(_f, _e, _i) \
3973
	{ .flags = (_f)|Intercept, .u.execute = (_e), .intercept = x86_intercept_##_i }
3974
#define IIP(_f, _e, _i, _p) \
3975
	{ .flags = (_f)|Intercept|CheckPerm, .u.execute = (_e), \
3976
	  .intercept = x86_intercept_##_i, .check_perm = (_p) }
3977
#define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
3978

3979
#define D2bv(_f)      D((_f) | ByteOp), D(_f)
3980
#define D2bvIP(_f, _i, _p) DIP((_f) | ByteOp, _i, _p), DIP(_f, _i, _p)
3981
#define I2bv(_f, _e)  I((_f) | ByteOp, _e), I(_f, _e)
3982
#define F2bv(_f, _e)  F((_f) | ByteOp, _e), F(_f, _e)
3983
#define I2bvIP(_f, _e, _i, _p) \
3984
	IIP((_f) | ByteOp, _e, _i, _p), IIP(_f, _e, _i, _p)
3985

3986
#define F6ALU(_f, _e) F2bv((_f) | DstMem | SrcReg | ModRM, _e),		\
3987
		F2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock, _e),	\
3988
		F2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)
3989

3990
static const struct opcode group7_rm0[] = {
3991
	N,
3992
	I(SrcNone | Priv | EmulateOnUD,	em_hypercall),
3993
	N, N, N, N, N, N,
3994
};
3995

3996
static const struct opcode group7_rm1[] = {
3997
	DI(SrcNone | Priv, monitor),
3998
	DI(SrcNone | Priv, mwait),
3999
	N, N, N, N, N, N,
4000
};
4001

4002
static const struct opcode group7_rm2[] = {
4003
	N,
4004
	II(ImplicitOps | Priv,			em_xsetbv,	xsetbv),
4005
	N, N, N, N, N, N,
4006
};
4007

4008
static const struct opcode group7_rm3[] = {
4009
	DIP(SrcNone | Prot | Priv,		vmrun,		check_svme_pa),
4010
	II(SrcNone  | Prot | EmulateOnUD,	em_hypercall,	vmmcall),
4011
	DIP(SrcNone | Prot | Priv,		vmload,		check_svme_pa),
4012
	DIP(SrcNone | Prot | Priv,		vmsave,		check_svme_pa),
4013
	DIP(SrcNone | Prot | Priv,		stgi,		check_svme),
4014
	DIP(SrcNone | Prot | Priv,		clgi,		check_svme),
4015
	DIP(SrcNone | Prot | Priv,		skinit,		check_svme),
4016
	DIP(SrcNone | Prot | Priv,		invlpga,	check_svme),
4017
};
4018

4019
static const struct opcode group7_rm7[] = {
4020
	N,
4021
	DIP(SrcNone, rdtscp, check_rdtsc),
4022
	N, N, N, N, N, N,
4023
};
4024

4025
static const struct opcode group1[] = {
4026
	F(Lock, em_add),
4027
	F(Lock | PageTable, em_or),
4028
	F(Lock, em_adc),
4029
	F(Lock, em_sbb),
4030
	F(Lock | PageTable, em_and),
4031
	F(Lock, em_sub),
4032
	F(Lock, em_xor),
4033
	F(NoWrite, em_cmp),
4034
};
4035

4036
static const struct opcode group1A[] = {
4037
	I(DstMem | SrcNone | Mov | Stack | IncSP | TwoMemOp, em_pop), N, N, N, N, N, N, N,
4038
};
4039

4040
static const struct opcode group2[] = {
4041
	F(DstMem | ModRM, em_rol),
4042
	F(DstMem | ModRM, em_ror),
4043
	F(DstMem | ModRM, em_rcl),
4044
	F(DstMem | ModRM, em_rcr),
4045
	F(DstMem | ModRM, em_shl),
4046
	F(DstMem | ModRM, em_shr),
4047
	F(DstMem | ModRM, em_shl),
4048
	F(DstMem | ModRM, em_sar),
4049
};
4050

4051
static const struct opcode group3[] = {
4052
	F(DstMem | SrcImm | NoWrite, em_test),
4053
	F(DstMem | SrcImm | NoWrite, em_test),
4054
	F(DstMem | SrcNone | Lock, em_not),
4055
	F(DstMem | SrcNone | Lock, em_neg),
4056
	F(DstXacc | Src2Mem, em_mul_ex),
4057
	F(DstXacc | Src2Mem, em_imul_ex),
4058
	F(DstXacc | Src2Mem, em_div_ex),
4059
	F(DstXacc | Src2Mem, em_idiv_ex),
4060
};
4061

4062
static const struct opcode group4[] = {
4063
	F(ByteOp | DstMem | SrcNone | Lock, em_inc),
4064
	F(ByteOp | DstMem | SrcNone | Lock, em_dec),
4065
	N, N, N, N, N, N,
4066
};
4067

4068
static const struct opcode group5[] = {
4069
	F(DstMem | SrcNone | Lock,		em_inc),
4070
	F(DstMem | SrcNone | Lock,		em_dec),
4071
	I(SrcMem | NearBranch | IsBranch,       em_call_near_abs),
4072
	I(SrcMemFAddr | ImplicitOps | IsBranch, em_call_far),
4073
	I(SrcMem | NearBranch | IsBranch,       em_jmp_abs),
4074
	I(SrcMemFAddr | ImplicitOps | IsBranch, em_jmp_far),
4075
	I(SrcMem | Stack | TwoMemOp,		em_push), D(Undefined),
4076
};
4077

4078
static const struct opcode group6[] = {
4079
	II(Prot | DstMem,	   em_sldt, sldt),
4080
	II(Prot | DstMem,	   em_str, str),
4081
	II(Prot | Priv | SrcMem16, em_lldt, lldt),
4082
	II(Prot | Priv | SrcMem16, em_ltr, ltr),
4083
	N, N, N, N,
4084
};
4085

4086
static const struct group_dual group7 = { {
4087
	II(Mov | DstMem,			em_sgdt, sgdt),
4088
	II(Mov | DstMem,			em_sidt, sidt),
4089
	II(SrcMem | Priv,			em_lgdt, lgdt),
4090
	II(SrcMem | Priv,			em_lidt, lidt),
4091
	II(SrcNone | DstMem | Mov,		em_smsw, smsw), N,
4092
	II(SrcMem16 | Mov | Priv,		em_lmsw, lmsw),
4093
	II(SrcMem | ByteOp | Priv | NoAccess,	em_invlpg, invlpg),
4094
}, {
4095
	EXT(0, group7_rm0),
4096
	EXT(0, group7_rm1),
4097
	EXT(0, group7_rm2),
4098
	EXT(0, group7_rm3),
4099
	II(SrcNone | DstMem | Mov,		em_smsw, smsw), N,
4100
	II(SrcMem16 | Mov | Priv,		em_lmsw, lmsw),
4101
	EXT(0, group7_rm7),
4102
} };
4103

4104
static const struct opcode group8[] = {
4105
	N, N, N, N,
4106
	F(DstMem | SrcImmByte | NoWrite,		em_bt),
4107
	F(DstMem | SrcImmByte | Lock | PageTable,	em_bts),
4108
	F(DstMem | SrcImmByte | Lock,			em_btr),
4109
	F(DstMem | SrcImmByte | Lock | PageTable,	em_btc),
4110
};
4111

4112
/*
4113
 * The "memory" destination is actually always a register, since we come
4114
 * from the register case of group9.
4115
 */
4116
static const struct gprefix pfx_0f_c7_7 = {
4117
	N, N, N, II(DstMem | ModRM | Op3264 | EmulateOnUD, em_rdpid, rdpid),
4118
};
4119

4120

4121
static const struct group_dual group9 = { {
4122
	N, I(DstMem64 | Lock | PageTable, em_cmpxchg8b), N, N, N, N, N, N,
4123
}, {
4124
	N, N, N, N, N, N, N,
4125
	GP(0, &pfx_0f_c7_7),
4126
} };
4127

4128
static const struct opcode group11[] = {
4129
	I(DstMem | SrcImm | Mov | PageTable, em_mov),
4130
	X7(D(Undefined)),
4131
};
4132

4133
static const struct gprefix pfx_0f_ae_7 = {
4134
	I(SrcMem | ByteOp, em_clflush), I(SrcMem | ByteOp, em_clflushopt), N, N,
4135
};
4136

4137
static const struct group_dual group15 = { {
4138
	I(ModRM | Aligned16, em_fxsave),
4139
	I(ModRM | Aligned16, em_fxrstor),
4140
	N, N, N, N, N, GP(0, &pfx_0f_ae_7),
4141
}, {
4142
	N, N, N, N, N, N, N, N,
4143
} };
4144

4145
static const struct gprefix pfx_0f_6f_0f_7f = {
4146
	I(Mmx, em_mov), I(Sse | Aligned, em_mov), N, I(Sse | Unaligned, em_mov),
4147
};
4148

4149
static const struct instr_dual instr_dual_0f_2b = {
4150
	I(0, em_mov), N
4151
};
4152

4153
static const struct gprefix pfx_0f_2b = {
4154
	ID(0, &instr_dual_0f_2b), ID(0, &instr_dual_0f_2b), N, N,
4155
};
4156

4157
static const struct gprefix pfx_0f_10_0f_11 = {
4158
	I(Unaligned, em_mov), I(Unaligned, em_mov), N, N,
4159
};
4160

4161
static const struct gprefix pfx_0f_28_0f_29 = {
4162
	I(Aligned, em_mov), I(Aligned, em_mov), N, N,
4163
};
4164

4165
static const struct gprefix pfx_0f_e7 = {
4166
	N, I(Sse, em_mov), N, N,
4167
};
4168

4169
static const struct escape escape_d9 = { {
4170
	N, N, N, N, N, N, N, I(DstMem16 | Mov, em_fnstcw),
4171
}, {
4172
	/* 0xC0 - 0xC7 */
4173
	N, N, N, N, N, N, N, N,
4174
	/* 0xC8 - 0xCF */
4175
	N, N, N, N, N, N, N, N,
4176
	/* 0xD0 - 0xC7 */
4177
	N, N, N, N, N, N, N, N,
4178
	/* 0xD8 - 0xDF */
4179
	N, N, N, N, N, N, N, N,
4180
	/* 0xE0 - 0xE7 */
4181
	N, N, N, N, N, N, N, N,
4182
	/* 0xE8 - 0xEF */
4183
	N, N, N, N, N, N, N, N,
4184
	/* 0xF0 - 0xF7 */
4185
	N, N, N, N, N, N, N, N,
4186
	/* 0xF8 - 0xFF */
4187
	N, N, N, N, N, N, N, N,
4188
} };
4189

4190
static const struct escape escape_db = { {
4191
	N, N, N, N, N, N, N, N,
4192
}, {
4193
	/* 0xC0 - 0xC7 */
4194
	N, N, N, N, N, N, N, N,
4195
	/* 0xC8 - 0xCF */
4196
	N, N, N, N, N, N, N, N,
4197
	/* 0xD0 - 0xC7 */
4198
	N, N, N, N, N, N, N, N,
4199
	/* 0xD8 - 0xDF */
4200
	N, N, N, N, N, N, N, N,
4201
	/* 0xE0 - 0xE7 */
4202
	N, N, N, I(ImplicitOps, em_fninit), N, N, N, N,
4203
	/* 0xE8 - 0xEF */
4204
	N, N, N, N, N, N, N, N,
4205
	/* 0xF0 - 0xF7 */
4206
	N, N, N, N, N, N, N, N,
4207
	/* 0xF8 - 0xFF */
4208
	N, N, N, N, N, N, N, N,
4209
} };
4210

4211
static const struct escape escape_dd = { {
4212
	N, N, N, N, N, N, N, I(DstMem16 | Mov, em_fnstsw),
4213
}, {
4214
	/* 0xC0 - 0xC7 */
4215
	N, N, N, N, N, N, N, N,
4216
	/* 0xC8 - 0xCF */
4217
	N, N, N, N, N, N, N, N,
4218
	/* 0xD0 - 0xC7 */
4219
	N, N, N, N, N, N, N, N,
4220
	/* 0xD8 - 0xDF */
4221
	N, N, N, N, N, N, N, N,
4222
	/* 0xE0 - 0xE7 */
4223
	N, N, N, N, N, N, N, N,
4224
	/* 0xE8 - 0xEF */
4225
	N, N, N, N, N, N, N, N,
4226
	/* 0xF0 - 0xF7 */
4227
	N, N, N, N, N, N, N, N,
4228
	/* 0xF8 - 0xFF */
4229
	N, N, N, N, N, N, N, N,
4230
} };
4231

4232
static const struct instr_dual instr_dual_0f_c3 = {
4233
	I(DstMem | SrcReg | ModRM | No16 | Mov, em_mov), N
4234
};
4235

4236
static const struct mode_dual mode_dual_63 = {
4237
	N, I(DstReg | SrcMem32 | ModRM | Mov, em_movsxd)
4238
};
4239

4240
static const struct instr_dual instr_dual_8d = {
4241
	D(DstReg | SrcMem | ModRM | NoAccess), N
4242
};
4243

4244
static const struct opcode opcode_table[256] = {
4245
	/* 0x00 - 0x07 */
4246
	F6ALU(Lock, em_add),
4247
	I(ImplicitOps | Stack | No64 | Src2ES, em_push_sreg),
4248
	I(ImplicitOps | Stack | No64 | Src2ES, em_pop_sreg),
4249
	/* 0x08 - 0x0F */
4250
	F6ALU(Lock | PageTable, em_or),
4251
	I(ImplicitOps | Stack | No64 | Src2CS, em_push_sreg),
4252
	N,
4253
	/* 0x10 - 0x17 */
4254
	F6ALU(Lock, em_adc),
4255
	I(ImplicitOps | Stack | No64 | Src2SS, em_push_sreg),
4256
	I(ImplicitOps | Stack | No64 | Src2SS, em_pop_sreg),
4257
	/* 0x18 - 0x1F */
4258
	F6ALU(Lock, em_sbb),
4259
	I(ImplicitOps | Stack | No64 | Src2DS, em_push_sreg),
4260
	I(ImplicitOps | Stack | No64 | Src2DS, em_pop_sreg),
4261
	/* 0x20 - 0x27 */
4262
	F6ALU(Lock | PageTable, em_and), N, N,
4263
	/* 0x28 - 0x2F */
4264
	F6ALU(Lock, em_sub), N, I(ByteOp | DstAcc | No64, em_das),
4265
	/* 0x30 - 0x37 */
4266
	F6ALU(Lock, em_xor), N, N,
4267
	/* 0x38 - 0x3F */
4268
	F6ALU(NoWrite, em_cmp), N, N,
4269
	/* 0x40 - 0x4F */
4270
	X8(F(DstReg, em_inc)), X8(F(DstReg, em_dec)),
4271
	/* 0x50 - 0x57 */
4272
	X8(I(SrcReg | Stack, em_push)),
4273
	/* 0x58 - 0x5F */
4274
	X8(I(DstReg | Stack, em_pop)),
4275
	/* 0x60 - 0x67 */
4276
	I(ImplicitOps | Stack | No64, em_pusha),
4277
	I(ImplicitOps | Stack | No64, em_popa),
4278
	N, MD(ModRM, &mode_dual_63),
4279
	N, N, N, N,
4280
	/* 0x68 - 0x6F */
4281
	I(SrcImm | Mov | Stack, em_push),
4282
	I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
4283
	I(SrcImmByte | Mov | Stack, em_push),
4284
	I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
4285
	I2bvIP(DstDI | SrcDX | Mov | String | Unaligned, em_in, ins, check_perm_in), /* insb, insw/insd */
4286
	I2bvIP(SrcSI | DstDX | String, em_out, outs, check_perm_out), /* outsb, outsw/outsd */
4287
	/* 0x70 - 0x7F */
4288
	X16(D(SrcImmByte | NearBranch | IsBranch)),
4289
	/* 0x80 - 0x87 */
4290
	G(ByteOp | DstMem | SrcImm, group1),
4291
	G(DstMem | SrcImm, group1),
4292
	G(ByteOp | DstMem | SrcImm | No64, group1),
4293
	G(DstMem | SrcImmByte, group1),
4294
	F2bv(DstMem | SrcReg | ModRM | NoWrite, em_test),
4295
	I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_xchg),
4296
	/* 0x88 - 0x8F */
4297
	I2bv(DstMem | SrcReg | ModRM | Mov | PageTable, em_mov),
4298
	I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
4299
	I(DstMem | SrcNone | ModRM | Mov | PageTable, em_mov_rm_sreg),
4300
	ID(0, &instr_dual_8d),
4301
	I(ImplicitOps | SrcMem16 | ModRM, em_mov_sreg_rm),
4302
	G(0, group1A),
4303
	/* 0x90 - 0x97 */
4304
	DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)),
4305
	/* 0x98 - 0x9F */
4306
	D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
4307
	I(SrcImmFAddr | No64 | IsBranch, em_call_far), N,
4308
	II(ImplicitOps | Stack, em_pushf, pushf),
4309
	II(ImplicitOps | Stack, em_popf, popf),
4310
	I(ImplicitOps, em_sahf), I(ImplicitOps, em_lahf),
4311
	/* 0xA0 - 0xA7 */
4312
	I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
4313
	I2bv(DstMem | SrcAcc | Mov | MemAbs | PageTable, em_mov),
4314
	I2bv(SrcSI | DstDI | Mov | String | TwoMemOp, em_mov),
4315
	F2bv(SrcSI | DstDI | String | NoWrite | TwoMemOp, em_cmp_r),
4316
	/* 0xA8 - 0xAF */
4317
	F2bv(DstAcc | SrcImm | NoWrite, em_test),
4318
	I2bv(SrcAcc | DstDI | Mov | String, em_mov),
4319
	I2bv(SrcSI | DstAcc | Mov | String, em_mov),
4320
	F2bv(SrcAcc | DstDI | String | NoWrite, em_cmp_r),
4321
	/* 0xB0 - 0xB7 */
4322
	X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
4323
	/* 0xB8 - 0xBF */
4324
	X8(I(DstReg | SrcImm64 | Mov, em_mov)),
4325
	/* 0xC0 - 0xC7 */
4326
	G(ByteOp | Src2ImmByte, group2), G(Src2ImmByte, group2),
4327
	I(ImplicitOps | NearBranch | SrcImmU16 | IsBranch, em_ret_near_imm),
4328
	I(ImplicitOps | NearBranch | IsBranch, em_ret),
4329
	I(DstReg | SrcMemFAddr | ModRM | No64 | Src2ES, em_lseg),
4330
	I(DstReg | SrcMemFAddr | ModRM | No64 | Src2DS, em_lseg),
4331
	G(ByteOp, group11), G(0, group11),
4332
	/* 0xC8 - 0xCF */
4333
	I(Stack | SrcImmU16 | Src2ImmByte | IsBranch, em_enter),
4334
	I(Stack | IsBranch, em_leave),
4335
	I(ImplicitOps | SrcImmU16 | IsBranch, em_ret_far_imm),
4336
	I(ImplicitOps | IsBranch, em_ret_far),
4337
	D(ImplicitOps | IsBranch), DI(SrcImmByte | IsBranch, intn),
4338
	D(ImplicitOps | No64 | IsBranch),
4339
	II(ImplicitOps | IsBranch, em_iret, iret),
4340
	/* 0xD0 - 0xD7 */
4341
	G(Src2One | ByteOp, group2), G(Src2One, group2),
4342
	G(Src2CL | ByteOp, group2), G(Src2CL, group2),
4343
	I(DstAcc | SrcImmUByte | No64, em_aam),
4344
	I(DstAcc | SrcImmUByte | No64, em_aad),
4345
	F(DstAcc | ByteOp | No64, em_salc),
4346
	I(DstAcc | SrcXLat | ByteOp, em_mov),
4347
	/* 0xD8 - 0xDF */
4348
	N, E(0, &escape_d9), N, E(0, &escape_db), N, E(0, &escape_dd), N, N,
4349
	/* 0xE0 - 0xE7 */
4350
	X3(I(SrcImmByte | NearBranch | IsBranch, em_loop)),
4351
	I(SrcImmByte | NearBranch | IsBranch, em_jcxz),
4352
	I2bvIP(SrcImmUByte | DstAcc, em_in,  in,  check_perm_in),
4353
	I2bvIP(SrcAcc | DstImmUByte, em_out, out, check_perm_out),
4354
	/* 0xE8 - 0xEF */
4355
	I(SrcImm | NearBranch | IsBranch, em_call),
4356
	D(SrcImm | ImplicitOps | NearBranch | IsBranch),
4357
	I(SrcImmFAddr | No64 | IsBranch, em_jmp_far),
4358
	D(SrcImmByte | ImplicitOps | NearBranch | IsBranch),
4359
	I2bvIP(SrcDX | DstAcc, em_in,  in,  check_perm_in),
4360
	I2bvIP(SrcAcc | DstDX, em_out, out, check_perm_out),
4361
	/* 0xF0 - 0xF7 */
4362
	N, DI(ImplicitOps, icebp), N, N,
4363
	DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
4364
	G(ByteOp, group3), G(0, group3),
4365
	/* 0xF8 - 0xFF */
4366
	D(ImplicitOps), D(ImplicitOps),
4367
	I(ImplicitOps, em_cli), I(ImplicitOps, em_sti),
4368
	D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
4369
};
4370

4371
static const struct opcode twobyte_table[256] = {
4372
	/* 0x00 - 0x0F */
4373
	G(0, group6), GD(0, &group7), N, N,
4374
	N, I(ImplicitOps | EmulateOnUD | IsBranch, em_syscall),
4375
	II(ImplicitOps | Priv, em_clts, clts), N,
4376
	DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
4377
	N, D(ImplicitOps | ModRM | SrcMem | NoAccess), N, N,
4378
	/* 0x10 - 0x1F */
4379
	GP(ModRM | DstReg | SrcMem | Mov | Sse, &pfx_0f_10_0f_11),
4380
	GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_10_0f_11),
4381
	N, N, N, N, N, N,
4382
	D(ImplicitOps | ModRM | SrcMem | NoAccess), /* 4 * prefetch + 4 * reserved NOP */
4383
	D(ImplicitOps | ModRM | SrcMem | NoAccess), N, N,
4384
	D(ImplicitOps | ModRM | SrcMem | NoAccess), /* 8 * reserved NOP */
4385
	D(ImplicitOps | ModRM | SrcMem | NoAccess), /* 8 * reserved NOP */
4386
	D(ImplicitOps | ModRM | SrcMem | NoAccess), /* 8 * reserved NOP */
4387
	D(ImplicitOps | ModRM | SrcMem | NoAccess), /* NOP + 7 * reserved NOP */
4388
	/* 0x20 - 0x2F */
4389
	DIP(ModRM | DstMem | Priv | Op3264 | NoMod, cr_read, check_cr_access),
4390
	DIP(ModRM | DstMem | Priv | Op3264 | NoMod, dr_read, check_dr_read),
4391
	IIP(ModRM | SrcMem | Priv | Op3264 | NoMod, em_cr_write, cr_write,
4392
						check_cr_access),
4393
	IIP(ModRM | SrcMem | Priv | Op3264 | NoMod, em_dr_write, dr_write,
4394
						check_dr_write),
4395
	N, N, N, N,
4396
	GP(ModRM | DstReg | SrcMem | Mov | Sse, &pfx_0f_28_0f_29),
4397
	GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_28_0f_29),
4398
	N, GP(ModRM | DstMem | SrcReg | Mov | Sse, &pfx_0f_2b),
4399
	N, N, N, N,
4400
	/* 0x30 - 0x3F */
4401
	II(ImplicitOps | Priv, em_wrmsr, wrmsr),
4402
	IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
4403
	II(ImplicitOps | Priv, em_rdmsr, rdmsr),
4404
	IIP(ImplicitOps, em_rdpmc, rdpmc, check_rdpmc),
4405
	I(ImplicitOps | EmulateOnUD | IsBranch, em_sysenter),
4406
	I(ImplicitOps | Priv | EmulateOnUD | IsBranch, em_sysexit),
4407
	N, N,
4408
	N, N, N, N, N, N, N, N,
4409
	/* 0x40 - 0x4F */
4410
	X16(D(DstReg | SrcMem | ModRM)),
4411
	/* 0x50 - 0x5F */
4412
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4413
	/* 0x60 - 0x6F */
4414
	N, N, N, N,
4415
	N, N, N, N,
4416
	N, N, N, N,
4417
	N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
4418
	/* 0x70 - 0x7F */
4419
	N, N, N, N,
4420
	N, N, N, N,
4421
	N, N, N, N,
4422
	N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
4423
	/* 0x80 - 0x8F */
4424
	X16(D(SrcImm | NearBranch | IsBranch)),
4425
	/* 0x90 - 0x9F */
4426
	X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
4427
	/* 0xA0 - 0xA7 */
4428
	I(Stack | Src2FS, em_push_sreg), I(Stack | Src2FS, em_pop_sreg),
4429
	II(ImplicitOps, em_cpuid, cpuid),
4430
	F(DstMem | SrcReg | ModRM | BitOp | NoWrite, em_bt),
4431
	F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shld),
4432
	F(DstMem | SrcReg | Src2CL | ModRM, em_shld), N, N,
4433
	/* 0xA8 - 0xAF */
4434
	I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg),
4435
	II(EmulateOnUD | ImplicitOps, em_rsm, rsm),
4436
	F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
4437
	F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd),
4438
	F(DstMem | SrcReg | Src2CL | ModRM, em_shrd),
4439
	GD(0, &group15), F(DstReg | SrcMem | ModRM, em_imul),
4440
	/* 0xB0 - 0xB7 */
4441
	I2bv(DstMem | SrcReg | ModRM | Lock | PageTable | SrcWrite, em_cmpxchg),
4442
	I(DstReg | SrcMemFAddr | ModRM | Src2SS, em_lseg),
4443
	F(DstMem | SrcReg | ModRM | BitOp | Lock, em_btr),
4444
	I(DstReg | SrcMemFAddr | ModRM | Src2FS, em_lseg),
4445
	I(DstReg | SrcMemFAddr | ModRM | Src2GS, em_lseg),
4446
	D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4447
	/* 0xB8 - 0xBF */
4448
	N, N,
4449
	G(BitOp, group8),
4450
	F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_btc),
4451
	I(DstReg | SrcMem | ModRM, em_bsf_c),
4452
	I(DstReg | SrcMem | ModRM, em_bsr_c),
4453
	D(DstReg | SrcMem8 | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
4454
	/* 0xC0 - 0xC7 */
4455
	F2bv(DstMem | SrcReg | ModRM | SrcWrite | Lock, em_xadd),
4456
	N, ID(0, &instr_dual_0f_c3),
4457
	N, N, N, GD(0, &group9),
4458
	/* 0xC8 - 0xCF */
4459
	X8(I(DstReg, em_bswap)),
4460
	/* 0xD0 - 0xDF */
4461
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
4462
	/* 0xE0 - 0xEF */
4463
	N, N, N, N, N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_e7),
4464
	N, N, N, N, N, N, N, N,
4465
	/* 0xF0 - 0xFF */
4466
	N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
4467
};
4468

4469
static const struct instr_dual instr_dual_0f_38_f0 = {
4470
	I(DstReg | SrcMem | Mov, em_movbe), N
4471
};
4472

4473
static const struct instr_dual instr_dual_0f_38_f1 = {
4474
	I(DstMem | SrcReg | Mov, em_movbe), N
4475
};
4476

4477
static const struct gprefix three_byte_0f_38_f0 = {
4478
	ID(0, &instr_dual_0f_38_f0), ID(0, &instr_dual_0f_38_f0), N, N
4479
};
4480

4481
static const struct gprefix three_byte_0f_38_f1 = {
4482
	ID(0, &instr_dual_0f_38_f1), ID(0, &instr_dual_0f_38_f1), N, N
4483
};
4484

4485
/*
4486
 * Insns below are selected by the prefix which indexed by the third opcode
4487
 * byte.
4488
 */
4489
static const struct opcode opcode_map_0f_38[256] = {
4490
	/* 0x00 - 0x7f */
4491
	X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
4492
	/* 0x80 - 0xef */
4493
	X16(N), X16(N), X16(N), X16(N), X16(N), X16(N), X16(N),
4494
	/* 0xf0 - 0xf1 */
4495
	GP(EmulateOnUD | ModRM, &three_byte_0f_38_f0),
4496
	GP(EmulateOnUD | ModRM, &three_byte_0f_38_f1),
4497
	/* 0xf2 - 0xff */
4498
	N, N, X4(N), X8(N)
4499
};
4500

4501
#undef D
4502
#undef N
4503
#undef G
4504
#undef GD
4505
#undef I
4506
#undef GP
4507
#undef EXT
4508
#undef MD
4509
#undef ID
4510

4511
#undef D2bv
4512
#undef D2bvIP
4513
#undef I2bv
4514
#undef I2bvIP
4515
#undef I6ALU
4516

4517
static unsigned imm_size(struct x86_emulate_ctxt *ctxt)
4518
{
4519
	unsigned size;
4520

4521
	size = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4522
	if (size == 8)
4523
		size = 4;
4524
	return size;
4525
}
4526

4527
static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
4528
		      unsigned size, bool sign_extension)
4529
{
4530
	int rc = X86EMUL_CONTINUE;
4531

4532
	op->type = OP_IMM;
4533
	op->bytes = size;
4534
	op->addr.mem.ea = ctxt->_eip;
4535
	/* NB. Immediates are sign-extended as necessary. */
4536
	switch (op->bytes) {
4537
	case 1:
4538
		op->val = insn_fetch(s8, ctxt);
4539
		break;
4540
	case 2:
4541
		op->val = insn_fetch(s16, ctxt);
4542
		break;
4543
	case 4:
4544
		op->val = insn_fetch(s32, ctxt);
4545
		break;
4546
	case 8:
4547
		op->val = insn_fetch(s64, ctxt);
4548
		break;
4549
	}
4550
	if (!sign_extension) {
4551
		switch (op->bytes) {
4552
		case 1:
4553
			op->val &= 0xff;
4554
			break;
4555
		case 2:
4556
			op->val &= 0xffff;
4557
			break;
4558
		case 4:
4559
			op->val &= 0xffffffff;
4560
			break;
4561
		}
4562
	}
4563
done:
4564
	return rc;
4565
}
4566

4567
static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
4568
			  unsigned d)
4569
{
4570
	int rc = X86EMUL_CONTINUE;
4571

4572
	switch (d) {
4573
	case OpReg:
4574
		decode_register_operand(ctxt, op);
4575
		break;
4576
	case OpImmUByte:
4577
		rc = decode_imm(ctxt, op, 1, false);
4578
		break;
4579
	case OpMem:
4580
		ctxt->memop.bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4581
	mem_common:
4582
		*op = ctxt->memop;
4583
		ctxt->memopp = op;
4584
		if (ctxt->d & BitOp)
4585
			fetch_bit_operand(ctxt);
4586
		op->orig_val = op->val;
4587
		break;
4588
	case OpMem64:
4589
		ctxt->memop.bytes = (ctxt->op_bytes == 8) ? 16 : 8;
4590
		goto mem_common;
4591
	case OpAcc:
4592
		op->type = OP_REG;
4593
		op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4594
		op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4595
		fetch_register_operand(op);
4596
		op->orig_val = op->val;
4597
		break;
4598
	case OpAccLo:
4599
		op->type = OP_REG;
4600
		op->bytes = (ctxt->d & ByteOp) ? 2 : ctxt->op_bytes;
4601
		op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RAX);
4602
		fetch_register_operand(op);
4603
		op->orig_val = op->val;
4604
		break;
4605
	case OpAccHi:
4606
		if (ctxt->d & ByteOp) {
4607
			op->type = OP_NONE;
4608
			break;
4609
		}
4610
		op->type = OP_REG;
4611
		op->bytes = ctxt->op_bytes;
4612
		op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4613
		fetch_register_operand(op);
4614
		op->orig_val = op->val;
4615
		break;
4616
	case OpDI:
4617
		op->type = OP_MEM;
4618
		op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4619
		op->addr.mem.ea =
4620
			register_address(ctxt, VCPU_REGS_RDI);
4621
		op->addr.mem.seg = VCPU_SREG_ES;
4622
		op->val = 0;
4623
		op->count = 1;
4624
		break;
4625
	case OpDX:
4626
		op->type = OP_REG;
4627
		op->bytes = 2;
4628
		op->addr.reg = reg_rmw(ctxt, VCPU_REGS_RDX);
4629
		fetch_register_operand(op);
4630
		break;
4631
	case OpCL:
4632
		op->type = OP_IMM;
4633
		op->bytes = 1;
4634
		op->val = reg_read(ctxt, VCPU_REGS_RCX) & 0xff;
4635
		break;
4636
	case OpImmByte:
4637
		rc = decode_imm(ctxt, op, 1, true);
4638
		break;
4639
	case OpOne:
4640
		op->type = OP_IMM;
4641
		op->bytes = 1;
4642
		op->val = 1;
4643
		break;
4644
	case OpImm:
4645
		rc = decode_imm(ctxt, op, imm_size(ctxt), true);
4646
		break;
4647
	case OpImm64:
4648
		rc = decode_imm(ctxt, op, ctxt->op_bytes, true);
4649
		break;
4650
	case OpMem8:
4651
		ctxt->memop.bytes = 1;
4652
		if (ctxt->memop.type == OP_REG) {
4653
			ctxt->memop.addr.reg = decode_register(ctxt,
4654
					ctxt->modrm_rm, true);
4655
			fetch_register_operand(&ctxt->memop);
4656
		}
4657
		goto mem_common;
4658
	case OpMem16:
4659
		ctxt->memop.bytes = 2;
4660
		goto mem_common;
4661
	case OpMem32:
4662
		ctxt->memop.bytes = 4;
4663
		goto mem_common;
4664
	case OpImmU16:
4665
		rc = decode_imm(ctxt, op, 2, false);
4666
		break;
4667
	case OpImmU:
4668
		rc = decode_imm(ctxt, op, imm_size(ctxt), false);
4669
		break;
4670
	case OpSI:
4671
		op->type = OP_MEM;
4672
		op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4673
		op->addr.mem.ea =
4674
			register_address(ctxt, VCPU_REGS_RSI);
4675
		op->addr.mem.seg = ctxt->seg_override;
4676
		op->val = 0;
4677
		op->count = 1;
4678
		break;
4679
	case OpXLat:
4680
		op->type = OP_MEM;
4681
		op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
4682
		op->addr.mem.ea =
4683
			address_mask(ctxt,
4684
				reg_read(ctxt, VCPU_REGS_RBX) +
4685
				(reg_read(ctxt, VCPU_REGS_RAX) & 0xff));
4686
		op->addr.mem.seg = ctxt->seg_override;
4687
		op->val = 0;
4688
		break;
4689
	case OpImmFAddr:
4690
		op->type = OP_IMM;
4691
		op->addr.mem.ea = ctxt->_eip;
4692
		op->bytes = ctxt->op_bytes + 2;
4693
		insn_fetch_arr(op->valptr, op->bytes, ctxt);
4694
		break;
4695
	case OpMemFAddr:
4696
		ctxt->memop.bytes = ctxt->op_bytes + 2;
4697
		goto mem_common;
4698
	case OpES:
4699
		op->type = OP_IMM;
4700
		op->val = VCPU_SREG_ES;
4701
		break;
4702
	case OpCS:
4703
		op->type = OP_IMM;
4704
		op->val = VCPU_SREG_CS;
4705
		break;
4706
	case OpSS:
4707
		op->type = OP_IMM;
4708
		op->val = VCPU_SREG_SS;
4709
		break;
4710
	case OpDS:
4711
		op->type = OP_IMM;
4712
		op->val = VCPU_SREG_DS;
4713
		break;
4714
	case OpFS:
4715
		op->type = OP_IMM;
4716
		op->val = VCPU_SREG_FS;
4717
		break;
4718
	case OpGS:
4719
		op->type = OP_IMM;
4720
		op->val = VCPU_SREG_GS;
4721
		break;
4722
	case OpImplicit:
4723
		/* Special instructions do their own operand decoding. */
4724
	default:
4725
		op->type = OP_NONE; /* Disable writeback. */
4726
		break;
4727
	}
4728

4729
done:
4730
	return rc;
4731
}
4732

4733
int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len, int emulation_type)
4734
{
4735
	int rc = X86EMUL_CONTINUE;
4736
	int mode = ctxt->mode;
4737
	int def_op_bytes, def_ad_bytes, goffset, simd_prefix;
4738
	bool op_prefix = false;
4739
	bool has_seg_override = false;
4740
	struct opcode opcode;
4741
	u16 dummy;
4742
	struct desc_struct desc;
4743

4744
	ctxt->memop.type = OP_NONE;
4745
	ctxt->memopp = NULL;
4746
	ctxt->_eip = ctxt->eip;
4747
	ctxt->fetch.ptr = ctxt->fetch.data;
4748
	ctxt->fetch.end = ctxt->fetch.data + insn_len;
4749
	ctxt->opcode_len = 1;
4750
	ctxt->intercept = x86_intercept_none;
4751
	if (insn_len > 0)
4752
		memcpy(ctxt->fetch.data, insn, insn_len);
4753
	else {
4754
		rc = __do_insn_fetch_bytes(ctxt, 1);
4755
		if (rc != X86EMUL_CONTINUE)
4756
			goto done;
4757
	}
4758

4759
	switch (mode) {
4760
	case X86EMUL_MODE_REAL:
4761
	case X86EMUL_MODE_VM86:
4762
		def_op_bytes = def_ad_bytes = 2;
4763
		ctxt->ops->get_segment(ctxt, &dummy, &desc, NULL, VCPU_SREG_CS);
4764
		if (desc.d)
4765
			def_op_bytes = def_ad_bytes = 4;
4766
		break;
4767
	case X86EMUL_MODE_PROT16:
4768
		def_op_bytes = def_ad_bytes = 2;
4769
		break;
4770
	case X86EMUL_MODE_PROT32:
4771
		def_op_bytes = def_ad_bytes = 4;
4772
		break;
4773
#ifdef CONFIG_X86_64
4774
	case X86EMUL_MODE_PROT64:
4775
		def_op_bytes = 4;
4776
		def_ad_bytes = 8;
4777
		break;
4778
#endif
4779
	default:
4780
		return EMULATION_FAILED;
4781
	}
4782

4783
	ctxt->op_bytes = def_op_bytes;
4784
	ctxt->ad_bytes = def_ad_bytes;
4785

4786
	/* Legacy prefixes. */
4787
	for (;;) {
4788
		switch (ctxt->b = insn_fetch(u8, ctxt)) {
4789
		case 0x66:	/* operand-size override */
4790
			op_prefix = true;
4791
			/* switch between 2/4 bytes */
4792
			ctxt->op_bytes = def_op_bytes ^ 6;
4793
			break;
4794
		case 0x67:	/* address-size override */
4795
			if (mode == X86EMUL_MODE_PROT64)
4796
				/* switch between 4/8 bytes */
4797
				ctxt->ad_bytes = def_ad_bytes ^ 12;
4798
			else
4799
				/* switch between 2/4 bytes */
4800
				ctxt->ad_bytes = def_ad_bytes ^ 6;
4801
			break;
4802
		case 0x26:	/* ES override */
4803
			has_seg_override = true;
4804
			ctxt->seg_override = VCPU_SREG_ES;
4805
			break;
4806
		case 0x2e:	/* CS override */
4807
			has_seg_override = true;
4808
			ctxt->seg_override = VCPU_SREG_CS;
4809
			break;
4810
		case 0x36:	/* SS override */
4811
			has_seg_override = true;
4812
			ctxt->seg_override = VCPU_SREG_SS;
4813
			break;
4814
		case 0x3e:	/* DS override */
4815
			has_seg_override = true;
4816
			ctxt->seg_override = VCPU_SREG_DS;
4817
			break;
4818
		case 0x64:	/* FS override */
4819
			has_seg_override = true;
4820
			ctxt->seg_override = VCPU_SREG_FS;
4821
			break;
4822
		case 0x65:	/* GS override */
4823
			has_seg_override = true;
4824
			ctxt->seg_override = VCPU_SREG_GS;
4825
			break;
4826
		case 0x40 ... 0x4f: /* REX */
4827
			if (mode != X86EMUL_MODE_PROT64)
4828
				goto done_prefixes;
4829
			ctxt->rex_prefix = ctxt->b;
4830
			continue;
4831
		case 0xf0:	/* LOCK */
4832
			ctxt->lock_prefix = 1;
4833
			break;
4834
		case 0xf2:	/* REPNE/REPNZ */
4835
		case 0xf3:	/* REP/REPE/REPZ */
4836
			ctxt->rep_prefix = ctxt->b;
4837
			break;
4838
		default:
4839
			goto done_prefixes;
4840
		}
4841

4842
		/* Any legacy prefix after a REX prefix nullifies its effect. */
4843

4844
		ctxt->rex_prefix = 0;
4845
	}
4846

4847
done_prefixes:
4848

4849
	/* REX prefix. */
4850
	if (ctxt->rex_prefix & 8)
4851
		ctxt->op_bytes = 8;	/* REX.W */
4852

4853
	/* Opcode byte(s). */
4854
	opcode = opcode_table[ctxt->b];
4855
	/* Two-byte opcode? */
4856
	if (ctxt->b == 0x0f) {
4857
		ctxt->opcode_len = 2;
4858
		ctxt->b = insn_fetch(u8, ctxt);
4859
		opcode = twobyte_table[ctxt->b];
4860

4861
		/* 0F_38 opcode map */
4862
		if (ctxt->b == 0x38) {
4863
			ctxt->opcode_len = 3;
4864
			ctxt->b = insn_fetch(u8, ctxt);
4865
			opcode = opcode_map_0f_38[ctxt->b];
4866
		}
4867
	}
4868
	ctxt->d = opcode.flags;
4869

4870
	if (ctxt->d & ModRM)
4871
		ctxt->modrm = insn_fetch(u8, ctxt);
4872

4873
	/* vex-prefix instructions are not implemented */
4874
	if (ctxt->opcode_len == 1 && (ctxt->b == 0xc5 || ctxt->b == 0xc4) &&
4875
	    (mode == X86EMUL_MODE_PROT64 || (ctxt->modrm & 0xc0) == 0xc0)) {
4876
		ctxt->d = NotImpl;
4877
	}
4878

4879
	while (ctxt->d & GroupMask) {
4880
		switch (ctxt->d & GroupMask) {
4881
		case Group:
4882
			goffset = (ctxt->modrm >> 3) & 7;
4883
			opcode = opcode.u.group[goffset];
4884
			break;
4885
		case GroupDual:
4886
			goffset = (ctxt->modrm >> 3) & 7;
4887
			if ((ctxt->modrm >> 6) == 3)
4888
				opcode = opcode.u.gdual->mod3[goffset];
4889
			else
4890
				opcode = opcode.u.gdual->mod012[goffset];
4891
			break;
4892
		case RMExt:
4893
			goffset = ctxt->modrm & 7;
4894
			opcode = opcode.u.group[goffset];
4895
			break;
4896
		case Prefix:
4897
			if (ctxt->rep_prefix && op_prefix)
4898
				return EMULATION_FAILED;
4899
			simd_prefix = op_prefix ? 0x66 : ctxt->rep_prefix;
4900
			switch (simd_prefix) {
4901
			case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
4902
			case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
4903
			case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
4904
			case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
4905
			}
4906
			break;
4907
		case Escape:
4908
			if (ctxt->modrm > 0xbf) {
4909
				size_t size = ARRAY_SIZE(opcode.u.esc->high);
4910
				u32 index = array_index_nospec(
4911
					ctxt->modrm - 0xc0, size);
4912

4913
				opcode = opcode.u.esc->high[index];
4914
			} else {
4915
				opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7];
4916
			}
4917
			break;
4918
		case InstrDual:
4919
			if ((ctxt->modrm >> 6) == 3)
4920
				opcode = opcode.u.idual->mod3;
4921
			else
4922
				opcode = opcode.u.idual->mod012;
4923
			break;
4924
		case ModeDual:
4925
			if (ctxt->mode == X86EMUL_MODE_PROT64)
4926
				opcode = opcode.u.mdual->mode64;
4927
			else
4928
				opcode = opcode.u.mdual->mode32;
4929
			break;
4930
		default:
4931
			return EMULATION_FAILED;
4932
		}
4933

4934
		ctxt->d &= ~(u64)GroupMask;
4935
		ctxt->d |= opcode.flags;
4936
	}
4937

4938
	ctxt->is_branch = opcode.flags & IsBranch;
4939

4940
	/* Unrecognised? */
4941
	if (ctxt->d == 0)
4942
		return EMULATION_FAILED;
4943

4944
	ctxt->execute = opcode.u.execute;
4945

4946
	if (unlikely(emulation_type & EMULTYPE_TRAP_UD) &&
4947
	    likely(!(ctxt->d & EmulateOnUD)))
4948
		return EMULATION_FAILED;
4949

4950
	if (unlikely(ctxt->d &
4951
	    (NotImpl|Stack|Op3264|Sse|Mmx|Intercept|CheckPerm|NearBranch|
4952
	     No16))) {
4953
		/*
4954
		 * These are copied unconditionally here, and checked unconditionally
4955
		 * in x86_emulate_insn.
4956
		 */
4957
		ctxt->check_perm = opcode.check_perm;
4958
		ctxt->intercept = opcode.intercept;
4959

4960
		if (ctxt->d & NotImpl)
4961
			return EMULATION_FAILED;
4962

4963
		if (mode == X86EMUL_MODE_PROT64) {
4964
			if (ctxt->op_bytes == 4 && (ctxt->d & Stack))
4965
				ctxt->op_bytes = 8;
4966
			else if (ctxt->d & NearBranch)
4967
				ctxt->op_bytes = 8;
4968
		}
4969

4970
		if (ctxt->d & Op3264) {
4971
			if (mode == X86EMUL_MODE_PROT64)
4972
				ctxt->op_bytes = 8;
4973
			else
4974
				ctxt->op_bytes = 4;
4975
		}
4976

4977
		if ((ctxt->d & No16) && ctxt->op_bytes == 2)
4978
			ctxt->op_bytes = 4;
4979

4980
		if (ctxt->d & Sse)
4981
			ctxt->op_bytes = 16;
4982
		else if (ctxt->d & Mmx)
4983
			ctxt->op_bytes = 8;
4984
	}
4985

4986
	/* ModRM and SIB bytes. */
4987
	if (ctxt->d & ModRM) {
4988
		rc = decode_modrm(ctxt, &ctxt->memop);
4989
		if (!has_seg_override) {
4990
			has_seg_override = true;
4991
			ctxt->seg_override = ctxt->modrm_seg;
4992
		}
4993
	} else if (ctxt->d & MemAbs)
4994
		rc = decode_abs(ctxt, &ctxt->memop);
4995
	if (rc != X86EMUL_CONTINUE)
4996
		goto done;
4997

4998
	if (!has_seg_override)
4999
		ctxt->seg_override = VCPU_SREG_DS;
5000

5001
	ctxt->memop.addr.mem.seg = ctxt->seg_override;
5002

5003
	/*
5004
	 * Decode and fetch the source operand: register, memory
5005
	 * or immediate.
5006
	 */
5007
	rc = decode_operand(ctxt, &ctxt->src, (ctxt->d >> SrcShift) & OpMask);
5008
	if (rc != X86EMUL_CONTINUE)
5009
		goto done;
5010

5011
	/*
5012
	 * Decode and fetch the second source operand: register, memory
5013
	 * or immediate.
5014
	 */
5015
	rc = decode_operand(ctxt, &ctxt->src2, (ctxt->d >> Src2Shift) & OpMask);
5016
	if (rc != X86EMUL_CONTINUE)
5017
		goto done;
5018

5019
	/* Decode and fetch the destination operand: register or memory. */
5020
	rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
5021

5022
	if (ctxt->rip_relative && likely(ctxt->memopp))
5023
		ctxt->memopp->addr.mem.ea = address_mask(ctxt,
5024
					ctxt->memopp->addr.mem.ea + ctxt->_eip);
5025

5026
done:
5027
	if (rc == X86EMUL_PROPAGATE_FAULT)
5028
		ctxt->have_exception = true;
5029
	return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
5030
}
5031

5032
bool x86_page_table_writing_insn(struct x86_emulate_ctxt *ctxt)
5033
{
5034
	return ctxt->d & PageTable;
5035
}
5036

5037
static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
5038
{
5039
	/* The second termination condition only applies for REPE
5040
	 * and REPNE. Test if the repeat string operation prefix is
5041
	 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
5042
	 * corresponding termination condition according to:
5043
	 * 	- if REPE/REPZ and ZF = 0 then done
5044
	 * 	- if REPNE/REPNZ and ZF = 1 then done
5045
	 */
5046
	if (((ctxt->b == 0xa6) || (ctxt->b == 0xa7) ||
5047
	     (ctxt->b == 0xae) || (ctxt->b == 0xaf))
5048
	    && (((ctxt->rep_prefix == REPE_PREFIX) &&
5049
		 ((ctxt->eflags & X86_EFLAGS_ZF) == 0))
5050
		|| ((ctxt->rep_prefix == REPNE_PREFIX) &&
5051
		    ((ctxt->eflags & X86_EFLAGS_ZF) == X86_EFLAGS_ZF))))
5052
		return true;
5053

5054
	return false;
5055
}
5056

5057
static int flush_pending_x87_faults(struct x86_emulate_ctxt *ctxt)
5058
{
5059
	int rc;
5060

5061
	kvm_fpu_get();
5062
	rc = asm_safe("fwait");
5063
	kvm_fpu_put();
5064

5065
	if (unlikely(rc != X86EMUL_CONTINUE))
5066
		return emulate_exception(ctxt, MF_VECTOR, 0, false);
5067

5068
	return X86EMUL_CONTINUE;
5069
}
5070

5071
static void fetch_possible_mmx_operand(struct operand *op)
5072
{
5073
	if (op->type == OP_MM)
5074
		kvm_read_mmx_reg(op->addr.mm, &op->mm_val);
5075
}
5076

5077
static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop)
5078
{
5079
	ulong flags = (ctxt->eflags & EFLAGS_MASK) | X86_EFLAGS_IF;
5080

5081
	if (!(ctxt->d & ByteOp))
5082
		fop += __ffs(ctxt->dst.bytes) * FASTOP_SIZE;
5083

5084
	asm("push %[flags]; popf; " CALL_NOSPEC " ; pushf; pop %[flags]\n"
5085
	    : "+a"(ctxt->dst.val), "+d"(ctxt->src.val), [flags]"+D"(flags),
5086
	      [thunk_target]"+S"(fop), ASM_CALL_CONSTRAINT
5087
	    : "c"(ctxt->src2.val));
5088

5089
	ctxt->eflags = (ctxt->eflags & ~EFLAGS_MASK) | (flags & EFLAGS_MASK);
5090
	if (!fop) /* exception is returned in fop variable */
5091
		return emulate_de(ctxt);
5092
	return X86EMUL_CONTINUE;
5093
}
5094

5095
void init_decode_cache(struct x86_emulate_ctxt *ctxt)
5096
{
5097
	/* Clear fields that are set conditionally but read without a guard. */
5098
	ctxt->rip_relative = false;
5099
	ctxt->rex_prefix = 0;
5100
	ctxt->lock_prefix = 0;
5101
	ctxt->rep_prefix = 0;
5102
	ctxt->regs_valid = 0;
5103
	ctxt->regs_dirty = 0;
5104

5105
	ctxt->io_read.pos = 0;
5106
	ctxt->io_read.end = 0;
5107
	ctxt->mem_read.end = 0;
5108
}
5109

5110
int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
5111
{
5112
	const struct x86_emulate_ops *ops = ctxt->ops;
5113
	int rc = X86EMUL_CONTINUE;
5114
	int saved_dst_type = ctxt->dst.type;
5115
	bool is_guest_mode = ctxt->ops->is_guest_mode(ctxt);
5116

5117
	ctxt->mem_read.pos = 0;
5118

5119
	/* LOCK prefix is allowed only with some instructions */
5120
	if (ctxt->lock_prefix && (!(ctxt->d & Lock) || ctxt->dst.type != OP_MEM)) {
5121
		rc = emulate_ud(ctxt);
5122
		goto done;
5123
	}
5124

5125
	if ((ctxt->d & SrcMask) == SrcMemFAddr && ctxt->src.type != OP_MEM) {
5126
		rc = emulate_ud(ctxt);
5127
		goto done;
5128
	}
5129

5130
	if (unlikely(ctxt->d &
5131
		     (No64|Undefined|Sse|Mmx|Intercept|CheckPerm|Priv|Prot|String))) {
5132
		if ((ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) ||
5133
				(ctxt->d & Undefined)) {
5134
			rc = emulate_ud(ctxt);
5135
			goto done;
5136
		}
5137

5138
		if (((ctxt->d & (Sse|Mmx)) && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)))
5139
		    || ((ctxt->d & Sse) && !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
5140
			rc = emulate_ud(ctxt);
5141
			goto done;
5142
		}
5143

5144
		if ((ctxt->d & (Sse|Mmx)) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
5145
			rc = emulate_nm(ctxt);
5146
			goto done;
5147
		}
5148

5149
		if (ctxt->d & Mmx) {
5150
			rc = flush_pending_x87_faults(ctxt);
5151
			if (rc != X86EMUL_CONTINUE)
5152
				goto done;
5153
			/*
5154
			 * Now that we know the fpu is exception safe, we can fetch
5155
			 * operands from it.
5156
			 */
5157
			fetch_possible_mmx_operand(&ctxt->src);
5158
			fetch_possible_mmx_operand(&ctxt->src2);
5159
			if (!(ctxt->d & Mov))
5160
				fetch_possible_mmx_operand(&ctxt->dst);
5161
		}
5162

5163
		if (unlikely(is_guest_mode) && ctxt->intercept) {
5164
			rc = emulator_check_intercept(ctxt, ctxt->intercept,
5165
						      X86_ICPT_PRE_EXCEPT);
5166
			if (rc != X86EMUL_CONTINUE)
5167
				goto done;
5168
		}
5169

5170
		/* Instruction can only be executed in protected mode */
5171
		if ((ctxt->d & Prot) && ctxt->mode < X86EMUL_MODE_PROT16) {
5172
			rc = emulate_ud(ctxt);
5173
			goto done;
5174
		}
5175

5176
		/* Privileged instruction can be executed only in CPL=0 */
5177
		if ((ctxt->d & Priv) && ops->cpl(ctxt)) {
5178
			if (ctxt->d & PrivUD)
5179
				rc = emulate_ud(ctxt);
5180
			else
5181
				rc = emulate_gp(ctxt, 0);
5182
			goto done;
5183
		}
5184

5185
		/* Do instruction specific permission checks */
5186
		if (ctxt->d & CheckPerm) {
5187
			rc = ctxt->check_perm(ctxt);
5188
			if (rc != X86EMUL_CONTINUE)
5189
				goto done;
5190
		}
5191

5192
		if (unlikely(is_guest_mode) && (ctxt->d & Intercept)) {
5193
			rc = emulator_check_intercept(ctxt, ctxt->intercept,
5194
						      X86_ICPT_POST_EXCEPT);
5195
			if (rc != X86EMUL_CONTINUE)
5196
				goto done;
5197
		}
5198

5199
		if (ctxt->rep_prefix && (ctxt->d & String)) {
5200
			/* All REP prefixes have the same first termination condition */
5201
			if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0) {
5202
				string_registers_quirk(ctxt);
5203
				ctxt->eip = ctxt->_eip;
5204
				ctxt->eflags &= ~X86_EFLAGS_RF;
5205
				goto done;
5206
			}
5207
		}
5208
	}
5209

5210
	if ((ctxt->src.type == OP_MEM) && !(ctxt->d & NoAccess)) {
5211
		rc = segmented_read(ctxt, ctxt->src.addr.mem,
5212
				    ctxt->src.valptr, ctxt->src.bytes);
5213
		if (rc != X86EMUL_CONTINUE)
5214
			goto done;
5215
		ctxt->src.orig_val64 = ctxt->src.val64;
5216
	}
5217

5218
	if (ctxt->src2.type == OP_MEM) {
5219
		rc = segmented_read(ctxt, ctxt->src2.addr.mem,
5220
				    &ctxt->src2.val, ctxt->src2.bytes);
5221
		if (rc != X86EMUL_CONTINUE)
5222
			goto done;
5223
	}
5224

5225
	if ((ctxt->d & DstMask) == ImplicitOps)
5226
		goto special_insn;
5227

5228

5229
	if ((ctxt->dst.type == OP_MEM) && !(ctxt->d & Mov)) {
5230
		/* optimisation - avoid slow emulated read if Mov */
5231
		rc = segmented_read(ctxt, ctxt->dst.addr.mem,
5232
				   &ctxt->dst.val, ctxt->dst.bytes);
5233
		if (rc != X86EMUL_CONTINUE) {
5234
			if (!(ctxt->d & NoWrite) &&
5235
			    rc == X86EMUL_PROPAGATE_FAULT &&
5236
			    ctxt->exception.vector == PF_VECTOR)
5237
				ctxt->exception.error_code |= PFERR_WRITE_MASK;
5238
			goto done;
5239
		}
5240
	}
5241
	/* Copy full 64-bit value for CMPXCHG8B.  */
5242
	ctxt->dst.orig_val64 = ctxt->dst.val64;
5243

5244
special_insn:
5245

5246
	if (unlikely(is_guest_mode) && (ctxt->d & Intercept)) {
5247
		rc = emulator_check_intercept(ctxt, ctxt->intercept,
5248
					      X86_ICPT_POST_MEMACCESS);
5249
		if (rc != X86EMUL_CONTINUE)
5250
			goto done;
5251
	}
5252

5253
	if (ctxt->rep_prefix && (ctxt->d & String))
5254
		ctxt->eflags |= X86_EFLAGS_RF;
5255
	else
5256
		ctxt->eflags &= ~X86_EFLAGS_RF;
5257

5258
	if (ctxt->execute) {
5259
		if (ctxt->d & Fastop)
5260
			rc = fastop(ctxt, ctxt->fop);
5261
		else
5262
			rc = ctxt->execute(ctxt);
5263
		if (rc != X86EMUL_CONTINUE)
5264
			goto done;
5265
		goto writeback;
5266
	}
5267

5268
	if (ctxt->opcode_len == 2)
5269
		goto twobyte_insn;
5270
	else if (ctxt->opcode_len == 3)
5271
		goto threebyte_insn;
5272

5273
	switch (ctxt->b) {
5274
	case 0x70 ... 0x7f: /* jcc (short) */
5275
		if (test_cc(ctxt->b, ctxt->eflags))
5276
			rc = jmp_rel(ctxt, ctxt->src.val);
5277
		break;
5278
	case 0x8d: /* lea r16/r32, m */
5279
		ctxt->dst.val = ctxt->src.addr.mem.ea;
5280
		break;
5281
	case 0x90 ... 0x97: /* nop / xchg reg, rax */
5282
		if (ctxt->dst.addr.reg == reg_rmw(ctxt, VCPU_REGS_RAX))
5283
			ctxt->dst.type = OP_NONE;
5284
		else
5285
			rc = em_xchg(ctxt);
5286
		break;
5287
	case 0x98: /* cbw/cwde/cdqe */
5288
		switch (ctxt->op_bytes) {
5289
		case 2: ctxt->dst.val = (s8)ctxt->dst.val; break;
5290
		case 4: ctxt->dst.val = (s16)ctxt->dst.val; break;
5291
		case 8: ctxt->dst.val = (s32)ctxt->dst.val; break;
5292
		}
5293
		break;
5294
	case 0xcc:		/* int3 */
5295
		rc = emulate_int(ctxt, 3);
5296
		break;
5297
	case 0xcd:		/* int n */
5298
		rc = emulate_int(ctxt, ctxt->src.val);
5299
		break;
5300
	case 0xce:		/* into */
5301
		if (ctxt->eflags & X86_EFLAGS_OF)
5302
			rc = emulate_int(ctxt, 4);
5303
		break;
5304
	case 0xe9: /* jmp rel */
5305
	case 0xeb: /* jmp rel short */
5306
		rc = jmp_rel(ctxt, ctxt->src.val);
5307
		ctxt->dst.type = OP_NONE; /* Disable writeback. */
5308
		break;
5309
	case 0xf4:              /* hlt */
5310
		ctxt->ops->halt(ctxt);
5311
		break;
5312
	case 0xf5:	/* cmc */
5313
		/* complement carry flag from eflags reg */
5314
		ctxt->eflags ^= X86_EFLAGS_CF;
5315
		break;
5316
	case 0xf8: /* clc */
5317
		ctxt->eflags &= ~X86_EFLAGS_CF;
5318
		break;
5319
	case 0xf9: /* stc */
5320
		ctxt->eflags |= X86_EFLAGS_CF;
5321
		break;
5322
	case 0xfc: /* cld */
5323
		ctxt->eflags &= ~X86_EFLAGS_DF;
5324
		break;
5325
	case 0xfd: /* std */
5326
		ctxt->eflags |= X86_EFLAGS_DF;
5327
		break;
5328
	default:
5329
		goto cannot_emulate;
5330
	}
5331

5332
	if (rc != X86EMUL_CONTINUE)
5333
		goto done;
5334

5335
writeback:
5336
	if (ctxt->d & SrcWrite) {
5337
		BUG_ON(ctxt->src.type == OP_MEM || ctxt->src.type == OP_MEM_STR);
5338
		rc = writeback(ctxt, &ctxt->src);
5339
		if (rc != X86EMUL_CONTINUE)
5340
			goto done;
5341
	}
5342
	if (!(ctxt->d & NoWrite)) {
5343
		rc = writeback(ctxt, &ctxt->dst);
5344
		if (rc != X86EMUL_CONTINUE)
5345
			goto done;
5346
	}
5347

5348
	/*
5349
	 * restore dst type in case the decoding will be reused
5350
	 * (happens for string instruction )
5351
	 */
5352
	ctxt->dst.type = saved_dst_type;
5353

5354
	if ((ctxt->d & SrcMask) == SrcSI)
5355
		string_addr_inc(ctxt, VCPU_REGS_RSI, &ctxt->src);
5356

5357
	if ((ctxt->d & DstMask) == DstDI)
5358
		string_addr_inc(ctxt, VCPU_REGS_RDI, &ctxt->dst);
5359

5360
	if (ctxt->rep_prefix && (ctxt->d & String)) {
5361
		unsigned int count;
5362
		struct read_cache *r = &ctxt->io_read;
5363
		if ((ctxt->d & SrcMask) == SrcSI)
5364
			count = ctxt->src.count;
5365
		else
5366
			count = ctxt->dst.count;
5367
		register_address_increment(ctxt, VCPU_REGS_RCX, -count);
5368

5369
		if (!string_insn_completed(ctxt)) {
5370
			/*
5371
			 * Re-enter guest when pio read ahead buffer is empty
5372
			 * or, if it is not used, after each 1024 iteration.
5373
			 */
5374
			if ((r->end != 0 || reg_read(ctxt, VCPU_REGS_RCX) & 0x3ff) &&
5375
			    (r->end == 0 || r->end != r->pos)) {
5376
				/*
5377
				 * Reset read cache. Usually happens before
5378
				 * decode, but since instruction is restarted
5379
				 * we have to do it here.
5380
				 */
5381
				ctxt->mem_read.end = 0;
5382
				writeback_registers(ctxt);
5383
				return EMULATION_RESTART;
5384
			}
5385
			goto done; /* skip rip writeback */
5386
		}
5387
		ctxt->eflags &= ~X86_EFLAGS_RF;
5388
	}
5389

5390
	ctxt->eip = ctxt->_eip;
5391
	if (ctxt->mode != X86EMUL_MODE_PROT64)
5392
		ctxt->eip = (u32)ctxt->_eip;
5393

5394
done:
5395
	if (rc == X86EMUL_PROPAGATE_FAULT) {
5396
		if (KVM_EMULATOR_BUG_ON(ctxt->exception.vector > 0x1f, ctxt))
5397
			return EMULATION_FAILED;
5398
		ctxt->have_exception = true;
5399
	}
5400
	if (rc == X86EMUL_INTERCEPTED)
5401
		return EMULATION_INTERCEPTED;
5402

5403
	if (rc == X86EMUL_CONTINUE)
5404
		writeback_registers(ctxt);
5405

5406
	return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
5407

5408
twobyte_insn:
5409
	switch (ctxt->b) {
5410
	case 0x09:		/* wbinvd */
5411
		(ctxt->ops->wbinvd)(ctxt);
5412
		break;
5413
	case 0x08:		/* invd */
5414
	case 0x0d:		/* GrpP (prefetch) */
5415
	case 0x18:		/* Grp16 (prefetch/nop) */
5416
	case 0x1f:		/* nop */
5417
		break;
5418
	case 0x20: /* mov cr, reg */
5419
		ctxt->dst.val = ops->get_cr(ctxt, ctxt->modrm_reg);
5420
		break;
5421
	case 0x21: /* mov from dr to reg */
5422
		ctxt->dst.val = ops->get_dr(ctxt, ctxt->modrm_reg);
5423
		break;
5424
	case 0x40 ... 0x4f:	/* cmov */
5425
		if (test_cc(ctxt->b, ctxt->eflags))
5426
			ctxt->dst.val = ctxt->src.val;
5427
		else if (ctxt->op_bytes != 4)
5428
			ctxt->dst.type = OP_NONE; /* no writeback */
5429
		break;
5430
	case 0x80 ... 0x8f: /* jnz rel, etc*/
5431
		if (test_cc(ctxt->b, ctxt->eflags))
5432
			rc = jmp_rel(ctxt, ctxt->src.val);
5433
		break;
5434
	case 0x90 ... 0x9f:     /* setcc r/m8 */
5435
		ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
5436
		break;
5437
	case 0xb6 ... 0xb7:	/* movzx */
5438
		ctxt->dst.bytes = ctxt->op_bytes;
5439
		ctxt->dst.val = (ctxt->src.bytes == 1) ? (u8) ctxt->src.val
5440
						       : (u16) ctxt->src.val;
5441
		break;
5442
	case 0xbe ... 0xbf:	/* movsx */
5443
		ctxt->dst.bytes = ctxt->op_bytes;
5444
		ctxt->dst.val = (ctxt->src.bytes == 1) ? (s8) ctxt->src.val :
5445
							(s16) ctxt->src.val;
5446
		break;
5447
	default:
5448
		goto cannot_emulate;
5449
	}
5450

5451
threebyte_insn:
5452

5453
	if (rc != X86EMUL_CONTINUE)
5454
		goto done;
5455

5456
	goto writeback;
5457

5458
cannot_emulate:
5459
	return EMULATION_FAILED;
5460
}
5461

5462
void emulator_invalidate_register_cache(struct x86_emulate_ctxt *ctxt)
5463
{
5464
	invalidate_registers(ctxt);
5465
}
5466

5467
void emulator_writeback_register_cache(struct x86_emulate_ctxt *ctxt)
5468
{
5469
	writeback_registers(ctxt);
5470
}
5471

5472
bool emulator_can_use_gpa(struct x86_emulate_ctxt *ctxt)
5473
{
5474
	if (ctxt->rep_prefix && (ctxt->d & String))
5475
		return false;
5476

5477
	if (ctxt->d & TwoMemOp)
5478
		return false;
5479

5480
	return true;
5481
}
5482

5483