2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2012 Sandvine, Inc.
5 * Copyright (c) 2012 NetApp, Inc.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 #include <sys/cdefs.h>
33 __FBSDID("$FreeBSD$");
36 #include <sys/param.h>
38 #include <sys/systm.h>
44 #include <machine/vmparam.h>
45 #include <machine/vmm.h>
47 #include <sys/types.h>
48 #include <sys/errno.h>
49 #include <sys/_iovec.h>
51 #include <machine/vmm.h>
61 #define KASSERT(exp,msg) assert((exp))
62 #define panic(...) errx(4, __VA_ARGS__)
65 #include <machine/vmm_instruction_emul.h>
67 #include <x86/specialreg.h>
69 /* struct vie_op.op_type */
86 VIE_OP_TYPE_TWOB_GRP15,
93 /* struct vie_op.op_flags */
94 #define VIE_OP_F_IMM (1 << 0) /* 16/32-bit immediate operand */
95 #define VIE_OP_F_IMM8 (1 << 1) /* 8-bit immediate operand */
96 #define VIE_OP_F_MOFFSET (1 << 2) /* 16/32/64-bit immediate moffset */
97 #define VIE_OP_F_NO_MODRM (1 << 3)
98 #define VIE_OP_F_NO_GLA_VERIFICATION (1 << 4)
100 static const struct vie_op three_byte_opcodes_0f38[256] = {
103 .op_type = VIE_OP_TYPE_BEXTR,
107 static const struct vie_op two_byte_opcodes[256] = {
110 .op_type = VIE_OP_TYPE_TWOB_GRP15,
114 .op_type = VIE_OP_TYPE_MOVZX,
118 .op_type = VIE_OP_TYPE_MOVZX,
122 .op_type = VIE_OP_TYPE_BITTEST,
123 .op_flags = VIE_OP_F_IMM8,
127 .op_type = VIE_OP_TYPE_MOVSX,
131 static const struct vie_op one_byte_opcodes[256] = {
134 .op_type = VIE_OP_TYPE_ADD,
138 .op_type = VIE_OP_TYPE_TWO_BYTE
142 .op_type = VIE_OP_TYPE_OR,
146 .op_type = VIE_OP_TYPE_SUB,
150 .op_type = VIE_OP_TYPE_CMP,
154 .op_type = VIE_OP_TYPE_CMP,
158 .op_type = VIE_OP_TYPE_MOV,
162 .op_type = VIE_OP_TYPE_MOV,
166 .op_type = VIE_OP_TYPE_MOV,
170 .op_type = VIE_OP_TYPE_MOV,
174 .op_type = VIE_OP_TYPE_MOV,
175 .op_flags = VIE_OP_F_MOFFSET | VIE_OP_F_NO_MODRM,
179 .op_type = VIE_OP_TYPE_MOV,
180 .op_flags = VIE_OP_F_MOFFSET | VIE_OP_F_NO_MODRM,
184 .op_type = VIE_OP_TYPE_MOVS,
185 .op_flags = VIE_OP_F_NO_MODRM | VIE_OP_F_NO_GLA_VERIFICATION
189 .op_type = VIE_OP_TYPE_MOVS,
190 .op_flags = VIE_OP_F_NO_MODRM | VIE_OP_F_NO_GLA_VERIFICATION
194 .op_type = VIE_OP_TYPE_STOS,
195 .op_flags = VIE_OP_F_NO_MODRM | VIE_OP_F_NO_GLA_VERIFICATION
199 .op_type = VIE_OP_TYPE_STOS,
200 .op_flags = VIE_OP_F_NO_MODRM | VIE_OP_F_NO_GLA_VERIFICATION
203 /* XXX Group 11 extended opcode - not just MOV */
205 .op_type = VIE_OP_TYPE_MOV,
206 .op_flags = VIE_OP_F_IMM8,
210 .op_type = VIE_OP_TYPE_MOV,
211 .op_flags = VIE_OP_F_IMM,
215 .op_type = VIE_OP_TYPE_AND,
218 /* Group 1 extended opcode */
220 .op_type = VIE_OP_TYPE_GROUP1,
221 .op_flags = VIE_OP_F_IMM8,
224 /* Group 1 extended opcode */
226 .op_type = VIE_OP_TYPE_GROUP1,
227 .op_flags = VIE_OP_F_IMM,
230 /* Group 1 extended opcode */
232 .op_type = VIE_OP_TYPE_GROUP1,
233 .op_flags = VIE_OP_F_IMM8,
236 /* XXX Group 1A extended opcode - not just POP */
238 .op_type = VIE_OP_TYPE_POP,
241 /* XXX Group 3 extended opcode - not just TEST */
243 .op_type = VIE_OP_TYPE_TEST,
244 .op_flags = VIE_OP_F_IMM,
247 /* XXX Group 5 extended opcode - not just PUSH */
249 .op_type = VIE_OP_TYPE_PUSH,
254 #define VIE_MOD_INDIRECT 0
255 #define VIE_MOD_INDIRECT_DISP8 1
256 #define VIE_MOD_INDIRECT_DISP32 2
257 #define VIE_MOD_DIRECT 3
261 #define VIE_RM_DISP32 5
263 #define GB (1024 * 1024 * 1024)
265 static enum vm_reg_name gpr_map[16] = {
284 static uint64_t size2mask[] = {
288 [8] = 0xffffffffffffffff,
292 vie_read_register(void *vm, int vcpuid, enum vm_reg_name reg, uint64_t *rval)
296 error = vm_get_register(vm, vcpuid, reg, rval);
302 vie_calc_bytereg(struct vie *vie, enum vm_reg_name *reg, int *lhbr)
305 *reg = gpr_map[vie->reg];
308 * 64-bit mode imposes limitations on accessing legacy high byte
311 * The legacy high-byte registers cannot be addressed if the REX
312 * prefix is present. In this case the values 4, 5, 6 and 7 of the
313 * 'ModRM:reg' field address %spl, %bpl, %sil and %dil respectively.
315 * If the REX prefix is not present then the values 4, 5, 6 and 7
316 * of the 'ModRM:reg' field address the legacy high-byte registers,
317 * %ah, %ch, %dh and %bh respectively.
319 if (!vie->rex_present) {
320 if (vie->reg & 0x4) {
322 *reg = gpr_map[vie->reg & 0x3];
328 vie_read_bytereg(void *vm, int vcpuid, struct vie *vie, uint8_t *rval)
332 enum vm_reg_name reg;
334 vie_calc_bytereg(vie, ®, &lhbr);
335 error = vm_get_register(vm, vcpuid, reg, &val);
338 * To obtain the value of a legacy high byte register shift the
339 * base register right by 8 bits (%ah = %rax >> 8).
349 vie_write_bytereg(void *vm, int vcpuid, struct vie *vie, uint8_t byte)
351 uint64_t origval, val, mask;
353 enum vm_reg_name reg;
355 vie_calc_bytereg(vie, ®, &lhbr);
356 error = vm_get_register(vm, vcpuid, reg, &origval);
362 * Shift left by 8 to store 'byte' in a legacy high
368 val |= origval & ~mask;
369 error = vm_set_register(vm, vcpuid, reg, val);
375 vie_update_register(void *vm, int vcpuid, enum vm_reg_name reg,
376 uint64_t val, int size)
384 error = vie_read_register(vm, vcpuid, reg, &origval);
387 val &= size2mask[size];
388 val |= origval & ~size2mask[size];
399 error = vm_set_register(vm, vcpuid, reg, val);
403 #define RFLAGS_STATUS_BITS (PSL_C | PSL_PF | PSL_AF | PSL_Z | PSL_N | PSL_V)
406 * Return the status flags that would result from doing (x - y).
410 getcc##sz(uint##sz##_t x, uint##sz##_t y) \
414 __asm __volatile("sub %2,%1; pushfq; popq %0" : \
415 "=r" (rflags), "+r" (x) : "m" (y)); \
425 getcc(int opsize, uint64_t x, uint64_t y)
427 KASSERT(opsize == 1 || opsize == 2 || opsize == 4 || opsize == 8,
428 ("getcc: invalid operand size %d", opsize));
431 return (getcc8(x, y));
432 else if (opsize == 2)
433 return (getcc16(x, y));
434 else if (opsize == 4)
435 return (getcc32(x, y));
437 return (getcc64(x, y));
441 * Macro creation of functions getaddflags{8,16,32,64}
443 #define GETADDFLAGS(sz) \
445 getaddflags##sz(uint##sz##_t x, uint##sz##_t y) \
449 __asm __volatile("add %2,%1; pushfq; popq %0" : \
450 "=r" (rflags), "+r" (x) : "m" (y)); \
460 getaddflags(int opsize, uint64_t x, uint64_t y)
462 KASSERT(opsize == 1 || opsize == 2 || opsize == 4 || opsize == 8,
463 ("getaddflags: invalid operand size %d", opsize));
466 return (getaddflags8(x, y));
467 else if (opsize == 2)
468 return (getaddflags16(x, y));
469 else if (opsize == 4)
470 return (getaddflags32(x, y));
472 return (getaddflags64(x, y));
476 * Return the status flags that would result from doing (x & y).
478 #define GETANDFLAGS(sz) \
480 getandflags##sz(uint##sz##_t x, uint##sz##_t y) \
484 __asm __volatile("and %2,%1; pushfq; popq %0" : \
485 "=r" (rflags), "+r" (x) : "m" (y)); \
495 getandflags(int opsize, uint64_t x, uint64_t y)
497 KASSERT(opsize == 1 || opsize == 2 || opsize == 4 || opsize == 8,
498 ("getandflags: invalid operand size %d", opsize));
501 return (getandflags8(x, y));
502 else if (opsize == 2)
503 return (getandflags16(x, y));
504 else if (opsize == 4)
505 return (getandflags32(x, y));
507 return (getandflags64(x, y));
511 emulate_mov(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
512 mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
515 enum vm_reg_name reg;
522 switch (vie->op.op_byte) {
525 * MOV byte from reg (ModRM:reg) to mem (ModRM:r/m)
527 * REX + 88/r: mov r/m8, r8 (%ah, %ch, %dh, %bh not available)
529 size = 1; /* override for byte operation */
530 error = vie_read_bytereg(vm, vcpuid, vie, &byte);
532 error = memwrite(vm, vcpuid, gpa, byte, size, arg);
536 * MOV from reg (ModRM:reg) to mem (ModRM:r/m)
537 * 89/r: mov r/m16, r16
538 * 89/r: mov r/m32, r32
539 * REX.W + 89/r mov r/m64, r64
541 reg = gpr_map[vie->reg];
542 error = vie_read_register(vm, vcpuid, reg, &val);
544 val &= size2mask[size];
545 error = memwrite(vm, vcpuid, gpa, val, size, arg);
550 * MOV byte from mem (ModRM:r/m) to reg (ModRM:reg)
552 * REX + 8A/r: mov r8, r/m8
554 size = 1; /* override for byte operation */
555 error = memread(vm, vcpuid, gpa, &val, size, arg);
557 error = vie_write_bytereg(vm, vcpuid, vie, val);
561 * MOV from mem (ModRM:r/m) to reg (ModRM:reg)
562 * 8B/r: mov r16, r/m16
563 * 8B/r: mov r32, r/m32
564 * REX.W 8B/r: mov r64, r/m64
566 error = memread(vm, vcpuid, gpa, &val, size, arg);
568 reg = gpr_map[vie->reg];
569 error = vie_update_register(vm, vcpuid, reg, val, size);
574 * MOV from seg:moffset to AX/EAX/RAX
575 * A1: mov AX, moffs16
576 * A1: mov EAX, moffs32
577 * REX.W + A1: mov RAX, moffs64
579 error = memread(vm, vcpuid, gpa, &val, size, arg);
581 reg = VM_REG_GUEST_RAX;
582 error = vie_update_register(vm, vcpuid, reg, val, size);
587 * MOV from AX/EAX/RAX to seg:moffset
588 * A3: mov moffs16, AX
589 * A3: mov moffs32, EAX
590 * REX.W + A3: mov moffs64, RAX
592 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RAX, &val);
594 val &= size2mask[size];
595 error = memwrite(vm, vcpuid, gpa, val, size, arg);
600 * MOV from imm8 to mem (ModRM:r/m)
601 * C6/0 mov r/m8, imm8
602 * REX + C6/0 mov r/m8, imm8
604 size = 1; /* override for byte operation */
605 error = memwrite(vm, vcpuid, gpa, vie->immediate, size, arg);
609 * MOV from imm16/imm32 to mem (ModRM:r/m)
610 * C7/0 mov r/m16, imm16
611 * C7/0 mov r/m32, imm32
612 * REX.W + C7/0 mov r/m64, imm32 (sign-extended to 64-bits)
614 val = vie->immediate & size2mask[size];
615 error = memwrite(vm, vcpuid, gpa, val, size, arg);
625 emulate_movx(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
626 mem_region_read_t memread, mem_region_write_t memwrite,
630 enum vm_reg_name reg;
636 switch (vie->op.op_byte) {
639 * MOV and zero extend byte from mem (ModRM:r/m) to
642 * 0F B6/r movzx r16, r/m8
643 * 0F B6/r movzx r32, r/m8
644 * REX.W + 0F B6/r movzx r64, r/m8
647 /* get the first operand */
648 error = memread(vm, vcpuid, gpa, &val, 1, arg);
652 /* get the second operand */
653 reg = gpr_map[vie->reg];
655 /* zero-extend byte */
658 /* write the result */
659 error = vie_update_register(vm, vcpuid, reg, val, size);
663 * MOV and zero extend word from mem (ModRM:r/m) to
666 * 0F B7/r movzx r32, r/m16
667 * REX.W + 0F B7/r movzx r64, r/m16
669 error = memread(vm, vcpuid, gpa, &val, 2, arg);
673 reg = gpr_map[vie->reg];
675 /* zero-extend word */
678 error = vie_update_register(vm, vcpuid, reg, val, size);
682 * MOV and sign extend byte from mem (ModRM:r/m) to
685 * 0F BE/r movsx r16, r/m8
686 * 0F BE/r movsx r32, r/m8
687 * REX.W + 0F BE/r movsx r64, r/m8
690 /* get the first operand */
691 error = memread(vm, vcpuid, gpa, &val, 1, arg);
695 /* get the second operand */
696 reg = gpr_map[vie->reg];
698 /* sign extend byte */
701 /* write the result */
702 error = vie_update_register(vm, vcpuid, reg, val, size);
711 * Helper function to calculate and validate a linear address.
714 get_gla(void *vm, int vcpuid, struct vie *vie, struct vm_guest_paging *paging,
715 int opsize, int addrsize, int prot, enum vm_reg_name seg,
716 enum vm_reg_name gpr, uint64_t *gla, int *fault)
718 struct seg_desc desc;
719 uint64_t cr0, val, rflags;
722 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_CR0, &cr0);
723 KASSERT(error == 0, ("%s: error %d getting cr0", __func__, error));
725 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
726 KASSERT(error == 0, ("%s: error %d getting rflags", __func__, error));
728 error = vm_get_seg_desc(vm, vcpuid, seg, &desc);
729 KASSERT(error == 0, ("%s: error %d getting segment descriptor %d",
730 __func__, error, seg));
732 error = vie_read_register(vm, vcpuid, gpr, &val);
733 KASSERT(error == 0, ("%s: error %d getting register %d", __func__,
736 if (vie_calculate_gla(paging->cpu_mode, seg, &desc, val, opsize,
737 addrsize, prot, gla)) {
738 if (seg == VM_REG_GUEST_SS)
739 vm_inject_ss(vm, vcpuid, 0);
741 vm_inject_gp(vm, vcpuid);
745 if (vie_canonical_check(paging->cpu_mode, *gla)) {
746 if (seg == VM_REG_GUEST_SS)
747 vm_inject_ss(vm, vcpuid, 0);
749 vm_inject_gp(vm, vcpuid);
753 if (vie_alignment_check(paging->cpl, opsize, cr0, rflags, *gla)) {
754 vm_inject_ac(vm, vcpuid, 0);
767 emulate_movs(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
768 struct vm_guest_paging *paging, mem_region_read_t memread,
769 mem_region_write_t memwrite, void *arg)
772 struct vm_copyinfo copyinfo[2];
774 struct iovec copyinfo[2];
776 uint64_t dstaddr, srcaddr, dstgpa, srcgpa, val;
777 uint64_t rcx, rdi, rsi, rflags;
778 int error, fault, opsize, seg, repeat;
780 opsize = (vie->op.op_byte == 0xA4) ? 1 : vie->opsize;
785 * XXX although the MOVS instruction is only supposed to be used with
786 * the "rep" prefix some guests like FreeBSD will use "repnz" instead.
788 * Empirically the "repnz" prefix has identical behavior to "rep"
789 * and the zero flag does not make a difference.
791 repeat = vie->repz_present | vie->repnz_present;
794 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RCX, &rcx);
795 KASSERT(!error, ("%s: error %d getting rcx", __func__, error));
798 * The count register is %rcx, %ecx or %cx depending on the
799 * address size of the instruction.
801 if ((rcx & vie_size2mask(vie->addrsize)) == 0) {
808 * Source Destination Comments
809 * --------------------------------------------
810 * (1) memory memory n/a
811 * (2) memory mmio emulated
812 * (3) mmio memory emulated
813 * (4) mmio mmio emulated
815 * At this point we don't have sufficient information to distinguish
816 * between (2), (3) and (4). We use 'vm_copy_setup()' to tease this
817 * out because it will succeed only when operating on regular memory.
819 * XXX the emulation doesn't properly handle the case where 'gpa'
820 * is straddling the boundary between the normal memory and MMIO.
823 seg = vie->segment_override ? vie->segment_register : VM_REG_GUEST_DS;
824 error = get_gla(vm, vcpuid, vie, paging, opsize, vie->addrsize,
825 PROT_READ, seg, VM_REG_GUEST_RSI, &srcaddr, &fault);
829 error = vm_copy_setup(vm, vcpuid, paging, srcaddr, opsize, PROT_READ,
830 copyinfo, nitems(copyinfo), &fault);
833 goto done; /* Resume guest to handle fault */
836 * case (2): read from system memory and write to mmio.
838 vm_copyin(vm, vcpuid, copyinfo, &val, opsize);
839 vm_copy_teardown(vm, vcpuid, copyinfo, nitems(copyinfo));
840 error = memwrite(vm, vcpuid, gpa, val, opsize, arg);
845 * 'vm_copy_setup()' is expected to fail for cases (3) and (4)
846 * if 'srcaddr' is in the mmio space.
849 error = get_gla(vm, vcpuid, vie, paging, opsize, vie->addrsize,
850 PROT_WRITE, VM_REG_GUEST_ES, VM_REG_GUEST_RDI, &dstaddr,
855 error = vm_copy_setup(vm, vcpuid, paging, dstaddr, opsize,
856 PROT_WRITE, copyinfo, nitems(copyinfo), &fault);
859 goto done; /* Resume guest to handle fault */
862 * case (3): read from MMIO and write to system memory.
864 * A MMIO read can have side-effects so we
865 * commit to it only after vm_copy_setup() is
866 * successful. If a page-fault needs to be
867 * injected into the guest then it will happen
868 * before the MMIO read is attempted.
870 error = memread(vm, vcpuid, gpa, &val, opsize, arg);
874 vm_copyout(vm, vcpuid, &val, copyinfo, opsize);
875 vm_copy_teardown(vm, vcpuid, copyinfo, nitems(copyinfo));
878 * Case (4): read from and write to mmio.
880 * Commit to the MMIO read/write (with potential
881 * side-effects) only after we are sure that the
882 * instruction is not going to be restarted due
883 * to address translation faults.
885 error = vm_gla2gpa(vm, vcpuid, paging, srcaddr,
886 PROT_READ, &srcgpa, &fault);
890 error = vm_gla2gpa(vm, vcpuid, paging, dstaddr,
891 PROT_WRITE, &dstgpa, &fault);
895 error = memread(vm, vcpuid, srcgpa, &val, opsize, arg);
899 error = memwrite(vm, vcpuid, dstgpa, val, opsize, arg);
905 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RSI, &rsi);
906 KASSERT(error == 0, ("%s: error %d getting rsi", __func__, error));
908 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RDI, &rdi);
909 KASSERT(error == 0, ("%s: error %d getting rdi", __func__, error));
911 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
912 KASSERT(error == 0, ("%s: error %d getting rflags", __func__, error));
914 if (rflags & PSL_D) {
922 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RSI, rsi,
924 KASSERT(error == 0, ("%s: error %d updating rsi", __func__, error));
926 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RDI, rdi,
928 KASSERT(error == 0, ("%s: error %d updating rdi", __func__, error));
932 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RCX,
934 KASSERT(!error, ("%s: error %d updating rcx", __func__, error));
937 * Repeat the instruction if the count register is not zero.
939 if ((rcx & vie_size2mask(vie->addrsize)) != 0)
940 vm_restart_instruction(vm, vcpuid);
943 KASSERT(error == 0 || error == EFAULT, ("%s: unexpected error %d",
949 emulate_stos(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
950 struct vm_guest_paging *paging, mem_region_read_t memread,
951 mem_region_write_t memwrite, void *arg)
953 int error, opsize, repeat;
955 uint64_t rcx, rdi, rflags;
957 opsize = (vie->op.op_byte == 0xAA) ? 1 : vie->opsize;
958 repeat = vie->repz_present | vie->repnz_present;
961 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RCX, &rcx);
962 KASSERT(!error, ("%s: error %d getting rcx", __func__, error));
965 * The count register is %rcx, %ecx or %cx depending on the
966 * address size of the instruction.
968 if ((rcx & vie_size2mask(vie->addrsize)) == 0)
972 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RAX, &val);
973 KASSERT(!error, ("%s: error %d getting rax", __func__, error));
975 error = memwrite(vm, vcpuid, gpa, val, opsize, arg);
979 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RDI, &rdi);
980 KASSERT(error == 0, ("%s: error %d getting rdi", __func__, error));
982 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
983 KASSERT(error == 0, ("%s: error %d getting rflags", __func__, error));
990 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RDI, rdi,
992 KASSERT(error == 0, ("%s: error %d updating rdi", __func__, error));
996 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RCX,
998 KASSERT(!error, ("%s: error %d updating rcx", __func__, error));
1001 * Repeat the instruction if the count register is not zero.
1003 if ((rcx & vie_size2mask(vie->addrsize)) != 0)
1004 vm_restart_instruction(vm, vcpuid);
1011 emulate_and(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
1012 mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
1015 enum vm_reg_name reg;
1016 uint64_t result, rflags, rflags2, val1, val2;
1021 switch (vie->op.op_byte) {
1024 * AND reg (ModRM:reg) and mem (ModRM:r/m) and store the
1027 * 23/r and r16, r/m16
1028 * 23/r and r32, r/m32
1029 * REX.W + 23/r and r64, r/m64
1032 /* get the first operand */
1033 reg = gpr_map[vie->reg];
1034 error = vie_read_register(vm, vcpuid, reg, &val1);
1038 /* get the second operand */
1039 error = memread(vm, vcpuid, gpa, &val2, size, arg);
1043 /* perform the operation and write the result */
1044 result = val1 & val2;
1045 error = vie_update_register(vm, vcpuid, reg, result, size);
1050 * AND mem (ModRM:r/m) with immediate and store the
1053 * 81 /4 and r/m16, imm16
1054 * 81 /4 and r/m32, imm32
1055 * REX.W + 81 /4 and r/m64, imm32 sign-extended to 64
1057 * 83 /4 and r/m16, imm8 sign-extended to 16
1058 * 83 /4 and r/m32, imm8 sign-extended to 32
1059 * REX.W + 83/4 and r/m64, imm8 sign-extended to 64
1062 /* get the first operand */
1063 error = memread(vm, vcpuid, gpa, &val1, size, arg);
1068 * perform the operation with the pre-fetched immediate
1069 * operand and write the result
1071 result = val1 & vie->immediate;
1072 error = memwrite(vm, vcpuid, gpa, result, size, arg);
1080 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
1085 * OF and CF are cleared; the SF, ZF and PF flags are set according
1086 * to the result; AF is undefined.
1088 * The updated status flags are obtained by subtracting 0 from 'result'.
1090 rflags2 = getcc(size, result, 0);
1091 rflags &= ~RFLAGS_STATUS_BITS;
1092 rflags |= rflags2 & (PSL_PF | PSL_Z | PSL_N);
1094 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, rflags, 8);
1099 emulate_or(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
1100 mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
1103 enum vm_reg_name reg;
1104 uint64_t result, rflags, rflags2, val1, val2;
1109 switch (vie->op.op_byte) {
1112 * OR reg (ModRM:reg) and mem (ModRM:r/m) and store the
1115 * 0b/r or r16, r/m16
1116 * 0b/r or r32, r/m32
1117 * REX.W + 0b/r or r64, r/m64
1120 /* get the first operand */
1121 reg = gpr_map[vie->reg];
1122 error = vie_read_register(vm, vcpuid, reg, &val1);
1126 /* get the second operand */
1127 error = memread(vm, vcpuid, gpa, &val2, size, arg);
1131 /* perform the operation and write the result */
1132 result = val1 | val2;
1133 error = vie_update_register(vm, vcpuid, reg, result, size);
1138 * OR mem (ModRM:r/m) with immediate and store the
1141 * 81 /1 or r/m16, imm16
1142 * 81 /1 or r/m32, imm32
1143 * REX.W + 81 /1 or r/m64, imm32 sign-extended to 64
1145 * 83 /1 or r/m16, imm8 sign-extended to 16
1146 * 83 /1 or r/m32, imm8 sign-extended to 32
1147 * REX.W + 83/1 or r/m64, imm8 sign-extended to 64
1150 /* get the first operand */
1151 error = memread(vm, vcpuid, gpa, &val1, size, arg);
1156 * perform the operation with the pre-fetched immediate
1157 * operand and write the result
1159 result = val1 | vie->immediate;
1160 error = memwrite(vm, vcpuid, gpa, result, size, arg);
1168 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
1173 * OF and CF are cleared; the SF, ZF and PF flags are set according
1174 * to the result; AF is undefined.
1176 * The updated status flags are obtained by subtracting 0 from 'result'.
1178 rflags2 = getcc(size, result, 0);
1179 rflags &= ~RFLAGS_STATUS_BITS;
1180 rflags |= rflags2 & (PSL_PF | PSL_Z | PSL_N);
1182 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, rflags, 8);
1187 emulate_cmp(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
1188 mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
1191 uint64_t regop, memop, op1, op2, rflags, rflags2;
1192 enum vm_reg_name reg;
1195 switch (vie->op.op_byte) {
1199 * 39/r CMP r/m16, r16
1200 * 39/r CMP r/m32, r32
1201 * REX.W 39/r CMP r/m64, r64
1203 * 3B/r CMP r16, r/m16
1204 * 3B/r CMP r32, r/m32
1205 * REX.W + 3B/r CMP r64, r/m64
1207 * Compare the first operand with the second operand and
1208 * set status flags in EFLAGS register. The comparison is
1209 * performed by subtracting the second operand from the first
1210 * operand and then setting the status flags.
1213 /* Get the register operand */
1214 reg = gpr_map[vie->reg];
1215 error = vie_read_register(vm, vcpuid, reg, ®op);
1219 /* Get the memory operand */
1220 error = memread(vm, vcpuid, gpa, &memop, size, arg);
1224 if (vie->op.op_byte == 0x3B) {
1231 rflags2 = getcc(size, op1, op2);
1237 * 80 /7 cmp r/m8, imm8
1238 * REX + 80 /7 cmp r/m8, imm8
1240 * 81 /7 cmp r/m16, imm16
1241 * 81 /7 cmp r/m32, imm32
1242 * REX.W + 81 /7 cmp r/m64, imm32 sign-extended to 64
1244 * 83 /7 cmp r/m16, imm8 sign-extended to 16
1245 * 83 /7 cmp r/m32, imm8 sign-extended to 32
1246 * REX.W + 83 /7 cmp r/m64, imm8 sign-extended to 64
1248 * Compare mem (ModRM:r/m) with immediate and set
1249 * status flags according to the results. The
1250 * comparison is performed by subtracting the
1251 * immediate from the first operand and then setting
1255 if (vie->op.op_byte == 0x80)
1258 /* get the first operand */
1259 error = memread(vm, vcpuid, gpa, &op1, size, arg);
1263 rflags2 = getcc(size, op1, vie->immediate);
1268 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
1271 rflags &= ~RFLAGS_STATUS_BITS;
1272 rflags |= rflags2 & RFLAGS_STATUS_BITS;
1274 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, rflags, 8);
1279 emulate_test(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
1280 mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
1283 uint64_t op1, rflags, rflags2;
1288 switch (vie->op.op_byte) {
1291 * F7 /0 test r/m16, imm16
1292 * F7 /0 test r/m32, imm32
1293 * REX.W + F7 /0 test r/m64, imm32 sign-extended to 64
1295 * Test mem (ModRM:r/m) with immediate and set status
1296 * flags according to the results. The comparison is
1297 * performed by anding the immediate from the first
1298 * operand and then setting the status flags.
1300 if ((vie->reg & 7) != 0)
1303 error = memread(vm, vcpuid, gpa, &op1, size, arg);
1307 rflags2 = getandflags(size, op1, vie->immediate);
1312 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
1317 * OF and CF are cleared; the SF, ZF and PF flags are set according
1318 * to the result; AF is undefined.
1320 rflags &= ~RFLAGS_STATUS_BITS;
1321 rflags |= rflags2 & (PSL_PF | PSL_Z | PSL_N);
1323 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, rflags, 8);
1328 emulate_bextr(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
1329 struct vm_guest_paging *paging, mem_region_read_t memread,
1330 mem_region_write_t memwrite, void *arg)
1332 uint64_t src1, src2, dst, rflags;
1333 unsigned start, len;
1340 * VEX.LZ.0F38.W0 F7 /r BEXTR r32a, r/m32, r32b
1341 * VEX.LZ.0F38.W1 F7 /r BEXTR r64a, r/m64, r64b
1343 * Destination operand is ModRM:reg. Source operands are ModRM:r/m and
1346 * Operand size is always 32-bit if not in 64-bit mode (W1 is ignored).
1348 if (size != 4 && paging->cpu_mode != CPU_MODE_64BIT)
1352 * Extracts contiguous bits from the first /source/ operand (second
1353 * operand) using an index and length specified in the second /source/
1354 * operand (third operand).
1356 error = memread(vm, vcpuid, gpa, &src1, size, arg);
1359 error = vie_read_register(vm, vcpuid, gpr_map[vie->vex_reg], &src2);
1362 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
1366 start = (src2 & 0xff);
1367 len = (src2 & 0xff00) >> 8;
1369 /* If no bits are extracted, the destination register is cleared. */
1372 /* If START exceeds the operand size, no bits are extracted. */
1373 if (start > size * 8)
1375 /* Length is bounded by both the destination size and start offset. */
1376 if (start + len > size * 8)
1377 len = (size * 8) - start;
1382 src1 = (src1 >> start);
1384 src1 = src1 & ((1ull << len) - 1);
1388 error = vie_update_register(vm, vcpuid, gpr_map[vie->reg], dst, size);
1393 * AMD: OF, CF cleared; SF/AF/PF undefined; ZF set by result.
1394 * Intel: ZF is set by result; AF/SF/PF undefined; all others cleared.
1396 rflags &= ~RFLAGS_STATUS_BITS;
1399 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, rflags,
1405 emulate_add(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
1406 mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
1409 uint64_t nval, rflags, rflags2, val1, val2;
1410 enum vm_reg_name reg;
1415 switch (vie->op.op_byte) {
1418 * ADD r/m to r and store the result in r
1420 * 03/r ADD r16, r/m16
1421 * 03/r ADD r32, r/m32
1422 * REX.W + 03/r ADD r64, r/m64
1425 /* get the first operand */
1426 reg = gpr_map[vie->reg];
1427 error = vie_read_register(vm, vcpuid, reg, &val1);
1431 /* get the second operand */
1432 error = memread(vm, vcpuid, gpa, &val2, size, arg);
1436 /* perform the operation and write the result */
1438 error = vie_update_register(vm, vcpuid, reg, nval, size);
1445 rflags2 = getaddflags(size, val1, val2);
1446 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS,
1451 rflags &= ~RFLAGS_STATUS_BITS;
1452 rflags |= rflags2 & RFLAGS_STATUS_BITS;
1453 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS,
1461 emulate_sub(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
1462 mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
1465 uint64_t nval, rflags, rflags2, val1, val2;
1466 enum vm_reg_name reg;
1471 switch (vie->op.op_byte) {
1474 * SUB r/m from r and store the result in r
1476 * 2B/r SUB r16, r/m16
1477 * 2B/r SUB r32, r/m32
1478 * REX.W + 2B/r SUB r64, r/m64
1481 /* get the first operand */
1482 reg = gpr_map[vie->reg];
1483 error = vie_read_register(vm, vcpuid, reg, &val1);
1487 /* get the second operand */
1488 error = memread(vm, vcpuid, gpa, &val2, size, arg);
1492 /* perform the operation and write the result */
1494 error = vie_update_register(vm, vcpuid, reg, nval, size);
1501 rflags2 = getcc(size, val1, val2);
1502 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS,
1507 rflags &= ~RFLAGS_STATUS_BITS;
1508 rflags |= rflags2 & RFLAGS_STATUS_BITS;
1509 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS,
1517 emulate_stack_op(void *vm, int vcpuid, uint64_t mmio_gpa, struct vie *vie,
1518 struct vm_guest_paging *paging, mem_region_read_t memread,
1519 mem_region_write_t memwrite, void *arg)
1522 struct vm_copyinfo copyinfo[2];
1524 struct iovec copyinfo[2];
1526 struct seg_desc ss_desc;
1527 uint64_t cr0, rflags, rsp, stack_gla, val;
1528 int error, fault, size, stackaddrsize, pushop;
1532 pushop = (vie->op.op_type == VIE_OP_TYPE_PUSH) ? 1 : 0;
1535 * From "Address-Size Attributes for Stack Accesses", Intel SDL, Vol 1
1537 if (paging->cpu_mode == CPU_MODE_REAL) {
1539 } else if (paging->cpu_mode == CPU_MODE_64BIT) {
1541 * "Stack Manipulation Instructions in 64-bit Mode", SDM, Vol 3
1542 * - Stack pointer size is always 64-bits.
1543 * - PUSH/POP of 32-bit values is not possible in 64-bit mode.
1544 * - 16-bit PUSH/POP is supported by using the operand size
1545 * override prefix (66H).
1548 size = vie->opsize_override ? 2 : 8;
1551 * In protected or compatibility mode the 'B' flag in the
1552 * stack-segment descriptor determines the size of the
1555 error = vm_get_seg_desc(vm, vcpuid, VM_REG_GUEST_SS, &ss_desc);
1556 KASSERT(error == 0, ("%s: error %d getting SS descriptor",
1558 if (SEG_DESC_DEF32(ss_desc.access))
1564 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_CR0, &cr0);
1565 KASSERT(error == 0, ("%s: error %d getting cr0", __func__, error));
1567 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
1568 KASSERT(error == 0, ("%s: error %d getting rflags", __func__, error));
1570 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RSP, &rsp);
1571 KASSERT(error == 0, ("%s: error %d getting rsp", __func__, error));
1576 if (vie_calculate_gla(paging->cpu_mode, VM_REG_GUEST_SS, &ss_desc,
1577 rsp, size, stackaddrsize, pushop ? PROT_WRITE : PROT_READ,
1579 vm_inject_ss(vm, vcpuid, 0);
1583 if (vie_canonical_check(paging->cpu_mode, stack_gla)) {
1584 vm_inject_ss(vm, vcpuid, 0);
1588 if (vie_alignment_check(paging->cpl, size, cr0, rflags, stack_gla)) {
1589 vm_inject_ac(vm, vcpuid, 0);
1593 error = vm_copy_setup(vm, vcpuid, paging, stack_gla, size,
1594 pushop ? PROT_WRITE : PROT_READ, copyinfo, nitems(copyinfo),
1600 error = memread(vm, vcpuid, mmio_gpa, &val, size, arg);
1602 vm_copyout(vm, vcpuid, &val, copyinfo, size);
1604 vm_copyin(vm, vcpuid, copyinfo, &val, size);
1605 error = memwrite(vm, vcpuid, mmio_gpa, val, size, arg);
1608 vm_copy_teardown(vm, vcpuid, copyinfo, nitems(copyinfo));
1611 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RSP, rsp,
1613 KASSERT(error == 0, ("error %d updating rsp", error));
1619 emulate_push(void *vm, int vcpuid, uint64_t mmio_gpa, struct vie *vie,
1620 struct vm_guest_paging *paging, mem_region_read_t memread,
1621 mem_region_write_t memwrite, void *arg)
1626 * Table A-6, "Opcode Extensions", Intel SDM, Vol 2.
1628 * PUSH is part of the group 5 extended opcodes and is identified
1629 * by ModRM:reg = b110.
1631 if ((vie->reg & 7) != 6)
1634 error = emulate_stack_op(vm, vcpuid, mmio_gpa, vie, paging, memread,
1640 emulate_pop(void *vm, int vcpuid, uint64_t mmio_gpa, struct vie *vie,
1641 struct vm_guest_paging *paging, mem_region_read_t memread,
1642 mem_region_write_t memwrite, void *arg)
1647 * Table A-6, "Opcode Extensions", Intel SDM, Vol 2.
1649 * POP is part of the group 1A extended opcodes and is identified
1650 * by ModRM:reg = b000.
1652 if ((vie->reg & 7) != 0)
1655 error = emulate_stack_op(vm, vcpuid, mmio_gpa, vie, paging, memread,
1661 emulate_group1(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
1662 struct vm_guest_paging *paging, mem_region_read_t memread,
1663 mem_region_write_t memwrite, void *memarg)
1667 switch (vie->reg & 7) {
1669 error = emulate_or(vm, vcpuid, gpa, vie,
1670 memread, memwrite, memarg);
1673 error = emulate_and(vm, vcpuid, gpa, vie,
1674 memread, memwrite, memarg);
1677 error = emulate_cmp(vm, vcpuid, gpa, vie,
1678 memread, memwrite, memarg);
1689 emulate_bittest(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
1690 mem_region_read_t memread, mem_region_write_t memwrite, void *memarg)
1692 uint64_t val, rflags;
1693 int error, bitmask, bitoff;
1696 * 0F BA is a Group 8 extended opcode.
1698 * Currently we only emulate the 'Bit Test' instruction which is
1699 * identified by a ModR/M:reg encoding of 100b.
1701 if ((vie->reg & 7) != 4)
1704 error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
1705 KASSERT(error == 0, ("%s: error %d getting rflags", __func__, error));
1707 error = memread(vm, vcpuid, gpa, &val, vie->opsize, memarg);
1712 * Intel SDM, Vol 2, Table 3-2:
1713 * "Range of Bit Positions Specified by Bit Offset Operands"
1715 bitmask = vie->opsize * 8 - 1;
1716 bitoff = vie->immediate & bitmask;
1718 /* Copy the bit into the Carry flag in %rflags */
1719 if (val & (1UL << bitoff))
1724 error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, rflags, 8);
1725 KASSERT(error == 0, ("%s: error %d updating rflags", __func__, error));
1731 emulate_twob_group15(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
1732 mem_region_read_t memread, mem_region_write_t memwrite, void *memarg)
1737 switch (vie->reg & 7) {
1738 case 0x7: /* CLFLUSH, CLFLUSHOPT, and SFENCE */
1739 if (vie->mod == 0x3) {
1741 * SFENCE. Ignore it, VM exit provides enough
1742 * barriers on its own.
1747 * CLFLUSH, CLFLUSHOPT. Only check for access
1750 error = memread(vm, vcpuid, gpa, &buf, 1, memarg);
1762 vmm_emulate_instruction(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
1763 struct vm_guest_paging *paging, mem_region_read_t memread,
1764 mem_region_write_t memwrite, void *memarg)
1771 switch (vie->op.op_type) {
1772 case VIE_OP_TYPE_GROUP1:
1773 error = emulate_group1(vm, vcpuid, gpa, vie, paging, memread,
1776 case VIE_OP_TYPE_POP:
1777 error = emulate_pop(vm, vcpuid, gpa, vie, paging, memread,
1780 case VIE_OP_TYPE_PUSH:
1781 error = emulate_push(vm, vcpuid, gpa, vie, paging, memread,
1784 case VIE_OP_TYPE_CMP:
1785 error = emulate_cmp(vm, vcpuid, gpa, vie,
1786 memread, memwrite, memarg);
1788 case VIE_OP_TYPE_MOV:
1789 error = emulate_mov(vm, vcpuid, gpa, vie,
1790 memread, memwrite, memarg);
1792 case VIE_OP_TYPE_MOVSX:
1793 case VIE_OP_TYPE_MOVZX:
1794 error = emulate_movx(vm, vcpuid, gpa, vie,
1795 memread, memwrite, memarg);
1797 case VIE_OP_TYPE_MOVS:
1798 error = emulate_movs(vm, vcpuid, gpa, vie, paging, memread,
1801 case VIE_OP_TYPE_STOS:
1802 error = emulate_stos(vm, vcpuid, gpa, vie, paging, memread,
1805 case VIE_OP_TYPE_AND:
1806 error = emulate_and(vm, vcpuid, gpa, vie,
1807 memread, memwrite, memarg);
1809 case VIE_OP_TYPE_OR:
1810 error = emulate_or(vm, vcpuid, gpa, vie,
1811 memread, memwrite, memarg);
1813 case VIE_OP_TYPE_SUB:
1814 error = emulate_sub(vm, vcpuid, gpa, vie,
1815 memread, memwrite, memarg);
1817 case VIE_OP_TYPE_BITTEST:
1818 error = emulate_bittest(vm, vcpuid, gpa, vie,
1819 memread, memwrite, memarg);
1821 case VIE_OP_TYPE_TWOB_GRP15:
1822 error = emulate_twob_group15(vm, vcpuid, gpa, vie,
1823 memread, memwrite, memarg);
1825 case VIE_OP_TYPE_ADD:
1826 error = emulate_add(vm, vcpuid, gpa, vie, memread,
1829 case VIE_OP_TYPE_TEST:
1830 error = emulate_test(vm, vcpuid, gpa, vie,
1831 memread, memwrite, memarg);
1833 case VIE_OP_TYPE_BEXTR:
1834 error = emulate_bextr(vm, vcpuid, gpa, vie, paging,
1835 memread, memwrite, memarg);
1846 vie_alignment_check(int cpl, int size, uint64_t cr0, uint64_t rf, uint64_t gla)
1848 KASSERT(size == 1 || size == 2 || size == 4 || size == 8,
1849 ("%s: invalid size %d", __func__, size));
1850 KASSERT(cpl >= 0 && cpl <= 3, ("%s: invalid cpl %d", __func__, cpl));
1852 if (cpl != 3 || (cr0 & CR0_AM) == 0 || (rf & PSL_AC) == 0)
1855 return ((gla & (size - 1)) ? 1 : 0);
1859 vie_canonical_check(enum vm_cpu_mode cpu_mode, uint64_t gla)
1863 if (cpu_mode != CPU_MODE_64BIT)
1867 * The value of the bit 47 in the 'gla' should be replicated in the
1868 * most significant 16 bits.
1870 mask = ~((1UL << 48) - 1);
1871 if (gla & (1UL << 47))
1872 return ((gla & mask) != mask);
1874 return ((gla & mask) != 0);
1878 vie_size2mask(int size)
1880 KASSERT(size == 1 || size == 2 || size == 4 || size == 8,
1881 ("vie_size2mask: invalid size %d", size));
1882 return (size2mask[size]);
1886 vie_calculate_gla(enum vm_cpu_mode cpu_mode, enum vm_reg_name seg,
1887 struct seg_desc *desc, uint64_t offset, int length, int addrsize,
1888 int prot, uint64_t *gla)
1890 uint64_t firstoff, low_limit, high_limit, segbase;
1893 KASSERT(seg >= VM_REG_GUEST_ES && seg <= VM_REG_GUEST_GS,
1894 ("%s: invalid segment %d", __func__, seg));
1895 KASSERT(length == 1 || length == 2 || length == 4 || length == 8,
1896 ("%s: invalid operand size %d", __func__, length));
1897 KASSERT((prot & ~(PROT_READ | PROT_WRITE)) == 0,
1898 ("%s: invalid prot %#x", __func__, prot));
1901 if (cpu_mode == CPU_MODE_64BIT) {
1902 KASSERT(addrsize == 4 || addrsize == 8, ("%s: invalid address "
1903 "size %d for cpu_mode %d", __func__, addrsize, cpu_mode));
1906 KASSERT(addrsize == 2 || addrsize == 4, ("%s: invalid address "
1907 "size %d for cpu mode %d", __func__, addrsize, cpu_mode));
1910 * If the segment selector is loaded with a NULL selector
1911 * then the descriptor is unusable and attempting to use
1912 * it results in a #GP(0).
1914 if (SEG_DESC_UNUSABLE(desc->access))
1918 * The processor generates a #NP exception when a segment
1919 * register is loaded with a selector that points to a
1920 * descriptor that is not present. If this was the case then
1921 * it would have been checked before the VM-exit.
1923 KASSERT(SEG_DESC_PRESENT(desc->access),
1924 ("segment %d not present: %#x", seg, desc->access));
1927 * The descriptor type must indicate a code/data segment.
1929 type = SEG_DESC_TYPE(desc->access);
1930 KASSERT(type >= 16 && type <= 31, ("segment %d has invalid "
1931 "descriptor type %#x", seg, type));
1933 if (prot & PROT_READ) {
1934 /* #GP on a read access to a exec-only code segment */
1935 if ((type & 0xA) == 0x8)
1939 if (prot & PROT_WRITE) {
1941 * #GP on a write access to a code segment or a
1942 * read-only data segment.
1944 if (type & 0x8) /* code segment */
1947 if ((type & 0xA) == 0) /* read-only data seg */
1952 * 'desc->limit' is fully expanded taking granularity into
1955 if ((type & 0xC) == 0x4) {
1956 /* expand-down data segment */
1957 low_limit = desc->limit + 1;
1958 high_limit = SEG_DESC_DEF32(desc->access) ?
1959 0xffffffff : 0xffff;
1961 /* code segment or expand-up data segment */
1963 high_limit = desc->limit;
1966 while (length > 0) {
1967 offset &= vie_size2mask(addrsize);
1968 if (offset < low_limit || offset > high_limit)
1976 * In 64-bit mode all segments except %fs and %gs have a segment
1977 * base address of 0.
1979 if (cpu_mode == CPU_MODE_64BIT && seg != VM_REG_GUEST_FS &&
1980 seg != VM_REG_GUEST_GS) {
1983 segbase = desc->base;
1987 * Truncate 'firstoff' to the effective address size before adding
1988 * it to the segment base.
1990 firstoff &= vie_size2mask(addrsize);
1991 *gla = (segbase + firstoff) & vie_size2mask(glasize);
1996 * Prepare a partially decoded vie for a 2nd attempt.
1999 vie_restart(struct vie *vie)
2002 offsetof(struct vie, inst) < offsetof(struct vie, vie_startzero) &&
2003 offsetof(struct vie, num_valid) < offsetof(struct vie, vie_startzero),
2004 "restart should not erase instruction length or contents");
2006 memset((char *)vie + offsetof(struct vie, vie_startzero), 0,
2007 sizeof(*vie) - offsetof(struct vie, vie_startzero));
2009 vie->base_register = VM_REG_LAST;
2010 vie->index_register = VM_REG_LAST;
2011 vie->segment_register = VM_REG_LAST;
2015 vie_init(struct vie *vie, const char *inst_bytes, int inst_length)
2017 KASSERT(inst_length >= 0 && inst_length <= VIE_INST_SIZE,
2018 ("%s: invalid instruction length (%d)", __func__, inst_length));
2021 memset(vie->inst, 0, sizeof(vie->inst));
2022 if (inst_length != 0)
2023 memcpy(vie->inst, inst_bytes, inst_length);
2024 vie->num_valid = inst_length;
2029 pf_error_code(int usermode, int prot, int rsvd, uint64_t pte)
2034 error_code |= PGEX_P;
2035 if (prot & VM_PROT_WRITE)
2036 error_code |= PGEX_W;
2038 error_code |= PGEX_U;
2040 error_code |= PGEX_RSV;
2041 if (prot & VM_PROT_EXECUTE)
2042 error_code |= PGEX_I;
2044 return (error_code);
2048 ptp_release(void **cookie)
2050 if (*cookie != NULL) {
2051 vm_gpa_release(*cookie);
2057 ptp_hold(struct vm *vm, int vcpu, vm_paddr_t ptpphys, size_t len, void **cookie)
2061 ptp_release(cookie);
2062 ptr = vm_gpa_hold(vm, vcpu, ptpphys, len, VM_PROT_RW, cookie);
2067 _vm_gla2gpa(struct vm *vm, int vcpuid, struct vm_guest_paging *paging,
2068 uint64_t gla, int prot, uint64_t *gpa, int *guest_fault, bool check_only)
2070 int nlevels, pfcode, ptpshift, ptpindex, retval, usermode, writable;
2072 uint64_t *ptpbase, ptpphys, pte, pgsize;
2073 uint32_t *ptpbase32, pte32;
2078 usermode = (paging->cpl == 3 ? 1 : 0);
2079 writable = prot & VM_PROT_WRITE;
2084 ptpphys = paging->cr3; /* root of the page tables */
2085 ptp_release(&cookie);
2089 if (vie_canonical_check(paging->cpu_mode, gla)) {
2091 * XXX assuming a non-stack reference otherwise a stack fault
2092 * should be generated.
2095 vm_inject_gp(vm, vcpuid);
2099 if (paging->paging_mode == PAGING_MODE_FLAT) {
2104 if (paging->paging_mode == PAGING_MODE_32) {
2106 while (--nlevels >= 0) {
2107 /* Zero out the lower 12 bits. */
2110 ptpbase32 = ptp_hold(vm, vcpuid, ptpphys, PAGE_SIZE,
2113 if (ptpbase32 == NULL)
2116 ptpshift = PAGE_SHIFT + nlevels * 10;
2117 ptpindex = (gla >> ptpshift) & 0x3FF;
2118 pgsize = 1UL << ptpshift;
2120 pte32 = ptpbase32[ptpindex];
2122 if ((pte32 & PG_V) == 0 ||
2123 (usermode && (pte32 & PG_U) == 0) ||
2124 (writable && (pte32 & PG_RW) == 0)) {
2126 pfcode = pf_error_code(usermode, prot, 0,
2128 vm_inject_pf(vm, vcpuid, pfcode, gla);
2134 * Emulate the x86 MMU's management of the accessed
2135 * and dirty flags. While the accessed flag is set
2136 * at every level of the page table, the dirty flag
2137 * is only set at the last level providing the guest
2140 if (!check_only && (pte32 & PG_A) == 0) {
2141 if (atomic_cmpset_32(&ptpbase32[ptpindex],
2142 pte32, pte32 | PG_A) == 0) {
2147 /* XXX must be ignored if CR4.PSE=0 */
2148 if (nlevels > 0 && (pte32 & PG_PS) != 0)
2154 /* Set the dirty bit in the page table entry if necessary */
2155 if (!check_only && writable && (pte32 & PG_M) == 0) {
2156 if (atomic_cmpset_32(&ptpbase32[ptpindex],
2157 pte32, pte32 | PG_M) == 0) {
2162 /* Zero out the lower 'ptpshift' bits */
2163 pte32 >>= ptpshift; pte32 <<= ptpshift;
2164 *gpa = pte32 | (gla & (pgsize - 1));
2168 if (paging->paging_mode == PAGING_MODE_PAE) {
2169 /* Zero out the lower 5 bits and the upper 32 bits */
2170 ptpphys &= 0xffffffe0UL;
2172 ptpbase = ptp_hold(vm, vcpuid, ptpphys, sizeof(*ptpbase) * 4,
2174 if (ptpbase == NULL)
2177 ptpindex = (gla >> 30) & 0x3;
2179 pte = ptpbase[ptpindex];
2181 if ((pte & PG_V) == 0) {
2183 pfcode = pf_error_code(usermode, prot, 0, pte);
2184 vm_inject_pf(vm, vcpuid, pfcode, gla);
2194 while (--nlevels >= 0) {
2195 /* Zero out the lower 12 bits and the upper 12 bits */
2196 ptpphys >>= 12; ptpphys <<= 24; ptpphys >>= 12;
2198 ptpbase = ptp_hold(vm, vcpuid, ptpphys, PAGE_SIZE, &cookie);
2199 if (ptpbase == NULL)
2202 ptpshift = PAGE_SHIFT + nlevels * 9;
2203 ptpindex = (gla >> ptpshift) & 0x1FF;
2204 pgsize = 1UL << ptpshift;
2206 pte = ptpbase[ptpindex];
2208 if ((pte & PG_V) == 0 ||
2209 (usermode && (pte & PG_U) == 0) ||
2210 (writable && (pte & PG_RW) == 0)) {
2212 pfcode = pf_error_code(usermode, prot, 0, pte);
2213 vm_inject_pf(vm, vcpuid, pfcode, gla);
2218 /* Set the accessed bit in the page table entry */
2219 if (!check_only && (pte & PG_A) == 0) {
2220 if (atomic_cmpset_64(&ptpbase[ptpindex],
2221 pte, pte | PG_A) == 0) {
2226 if (nlevels > 0 && (pte & PG_PS) != 0) {
2227 if (pgsize > 1 * GB) {
2229 pfcode = pf_error_code(usermode, prot, 1,
2231 vm_inject_pf(vm, vcpuid, pfcode, gla);
2241 /* Set the dirty bit in the page table entry if necessary */
2242 if (!check_only && writable && (pte & PG_M) == 0) {
2243 if (atomic_cmpset_64(&ptpbase[ptpindex], pte, pte | PG_M) == 0)
2247 /* Zero out the lower 'ptpshift' bits and the upper 12 bits */
2248 pte >>= ptpshift; pte <<= (ptpshift + 12); pte >>= 12;
2249 *gpa = pte | (gla & (pgsize - 1));
2251 ptp_release(&cookie);
2252 KASSERT(retval == 0 || retval == EFAULT, ("%s: unexpected retval %d",
2264 vm_gla2gpa(struct vm *vm, int vcpuid, struct vm_guest_paging *paging,
2265 uint64_t gla, int prot, uint64_t *gpa, int *guest_fault)
2268 return (_vm_gla2gpa(vm, vcpuid, paging, gla, prot, gpa, guest_fault,
2273 vm_gla2gpa_nofault(struct vm *vm, int vcpuid, struct vm_guest_paging *paging,
2274 uint64_t gla, int prot, uint64_t *gpa, int *guest_fault)
2277 return (_vm_gla2gpa(vm, vcpuid, paging, gla, prot, gpa, guest_fault,
2282 vmm_fetch_instruction(struct vm *vm, int vcpuid, struct vm_guest_paging *paging,
2283 uint64_t rip, int inst_length, struct vie *vie, int *faultptr)
2285 struct vm_copyinfo copyinfo[2];
2288 if (inst_length > VIE_INST_SIZE)
2289 panic("vmm_fetch_instruction: invalid length %d", inst_length);
2291 prot = PROT_READ | PROT_EXEC;
2292 error = vm_copy_setup(vm, vcpuid, paging, rip, inst_length, prot,
2293 copyinfo, nitems(copyinfo), faultptr);
2294 if (error || *faultptr)
2297 vm_copyin(vm, vcpuid, copyinfo, vie->inst, inst_length);
2298 vm_copy_teardown(vm, vcpuid, copyinfo, nitems(copyinfo));
2299 vie->num_valid = inst_length;
2302 #endif /* _KERNEL */
2305 vie_peek(struct vie *vie, uint8_t *x)
2308 if (vie->num_processed < vie->num_valid) {
2309 *x = vie->inst[vie->num_processed];
2316 vie_advance(struct vie *vie)
2319 vie->num_processed++;
2323 segment_override(uint8_t x, int *seg)
2328 *seg = VM_REG_GUEST_CS;
2331 *seg = VM_REG_GUEST_SS;
2334 *seg = VM_REG_GUEST_DS;
2337 *seg = VM_REG_GUEST_ES;
2340 *seg = VM_REG_GUEST_FS;
2343 *seg = VM_REG_GUEST_GS;
2352 decode_prefixes(struct vie *vie, enum vm_cpu_mode cpu_mode, int cs_d)
2357 if (vie_peek(vie, &x))
2361 vie->opsize_override = 1;
2363 vie->addrsize_override = 1;
2365 vie->repz_present = 1;
2367 vie->repnz_present = 1;
2368 else if (segment_override(x, &vie->segment_register))
2369 vie->segment_override = 1;
2377 * From section 2.2.1, "REX Prefixes", Intel SDM Vol 2:
2378 * - Only one REX prefix is allowed per instruction.
2379 * - The REX prefix must immediately precede the opcode byte or the
2380 * escape opcode byte.
2381 * - If an instruction has a mandatory prefix (0x66, 0xF2 or 0xF3)
2382 * the mandatory prefix must come before the REX prefix.
2384 if (cpu_mode == CPU_MODE_64BIT && x >= 0x40 && x <= 0x4F) {
2385 vie->rex_present = 1;
2386 vie->rex_w = x & 0x8 ? 1 : 0;
2387 vie->rex_r = x & 0x4 ? 1 : 0;
2388 vie->rex_x = x & 0x2 ? 1 : 0;
2389 vie->rex_b = x & 0x1 ? 1 : 0;
2394 * § 2.3.5, "The VEX Prefix", SDM Vol 2.
2396 if ((cpu_mode == CPU_MODE_64BIT || cpu_mode == CPU_MODE_COMPATIBILITY)
2398 const struct vie_op *optab;
2400 /* 3-byte VEX prefix. */
2401 vie->vex_present = 1;
2404 if (vie_peek(vie, &x))
2408 * 2nd byte: [R', X', B', mmmmm[4:0]]. Bits are inverted
2409 * relative to REX encoding.
2411 vie->rex_r = x & 0x80 ? 0 : 1;
2412 vie->rex_x = x & 0x40 ? 0 : 1;
2413 vie->rex_b = x & 0x20 ? 0 : 1;
2418 optab = three_byte_opcodes_0f38;
2421 /* 0F class - nothing handled here yet. */
2424 /* 0F 3A class - nothing handled here yet. */
2427 /* Reserved (#UD). */
2432 if (vie_peek(vie, &x))
2435 /* 3rd byte: [W, vvvv[6:3], L, pp[1:0]]. */
2436 vie->rex_w = x & 0x80 ? 1 : 0;
2438 vie->vex_reg = ((~(unsigned)x & 0x78u) >> 3);
2439 vie->vex_l = !!(x & 0x4);
2440 vie->vex_pp = (x & 0x3);
2442 /* PP: 1=66 2=F3 3=F2 prefixes. */
2443 switch (vie->vex_pp) {
2445 vie->opsize_override = 1;
2448 vie->repz_present = 1;
2451 vie->repnz_present = 1;
2457 /* Opcode, sans literal prefix prefix. */
2458 if (vie_peek(vie, &x))
2462 if (vie->op.op_type == VIE_OP_TYPE_NONE)
2469 * Section "Operand-Size And Address-Size Attributes", Intel SDM, Vol 1
2471 if (cpu_mode == CPU_MODE_64BIT) {
2473 * Default address size is 64-bits and default operand size
2476 vie->addrsize = vie->addrsize_override ? 4 : 8;
2479 else if (vie->opsize_override)
2484 /* Default address and operand sizes are 32-bits */
2485 vie->addrsize = vie->addrsize_override ? 2 : 4;
2486 vie->opsize = vie->opsize_override ? 2 : 4;
2488 /* Default address and operand sizes are 16-bits */
2489 vie->addrsize = vie->addrsize_override ? 4 : 2;
2490 vie->opsize = vie->opsize_override ? 4 : 2;
2496 decode_two_byte_opcode(struct vie *vie)
2500 if (vie_peek(vie, &x))
2503 vie->op = two_byte_opcodes[x];
2505 if (vie->op.op_type == VIE_OP_TYPE_NONE)
2513 decode_opcode(struct vie *vie)
2517 if (vie_peek(vie, &x))
2520 /* Already did this via VEX prefix. */
2521 if (vie->op.op_type != VIE_OP_TYPE_NONE)
2524 vie->op = one_byte_opcodes[x];
2526 if (vie->op.op_type == VIE_OP_TYPE_NONE)
2531 if (vie->op.op_type == VIE_OP_TYPE_TWO_BYTE)
2532 return (decode_two_byte_opcode(vie));
2538 decode_modrm(struct vie *vie, enum vm_cpu_mode cpu_mode)
2542 if (vie->op.op_flags & VIE_OP_F_NO_MODRM)
2545 if (cpu_mode == CPU_MODE_REAL)
2548 if (vie_peek(vie, &x))
2551 vie->mod = (x >> 6) & 0x3;
2552 vie->rm = (x >> 0) & 0x7;
2553 vie->reg = (x >> 3) & 0x7;
2556 * A direct addressing mode makes no sense in the context of an EPT
2557 * fault. There has to be a memory access involved to cause the
2560 if (vie->mod == VIE_MOD_DIRECT)
2563 if ((vie->mod == VIE_MOD_INDIRECT && vie->rm == VIE_RM_DISP32) ||
2564 (vie->mod != VIE_MOD_DIRECT && vie->rm == VIE_RM_SIB)) {
2566 * Table 2-5: Special Cases of REX Encodings
2568 * mod=0, r/m=5 is used in the compatibility mode to
2569 * indicate a disp32 without a base register.
2571 * mod!=3, r/m=4 is used in the compatibility mode to
2572 * indicate that the SIB byte is present.
2574 * The 'b' bit in the REX prefix is don't care in
2578 vie->rm |= (vie->rex_b << 3);
2581 vie->reg |= (vie->rex_r << 3);
2584 if (vie->mod != VIE_MOD_DIRECT && vie->rm == VIE_RM_SIB)
2587 vie->base_register = gpr_map[vie->rm];
2590 case VIE_MOD_INDIRECT_DISP8:
2591 vie->disp_bytes = 1;
2593 case VIE_MOD_INDIRECT_DISP32:
2594 vie->disp_bytes = 4;
2596 case VIE_MOD_INDIRECT:
2597 if (vie->rm == VIE_RM_DISP32) {
2598 vie->disp_bytes = 4;
2600 * Table 2-7. RIP-Relative Addressing
2602 * In 64-bit mode mod=00 r/m=101 implies [rip] + disp32
2603 * whereas in compatibility mode it just implies disp32.
2606 if (cpu_mode == CPU_MODE_64BIT)
2607 vie->base_register = VM_REG_GUEST_RIP;
2609 vie->base_register = VM_REG_LAST;
2621 decode_sib(struct vie *vie)
2625 /* Proceed only if SIB byte is present */
2626 if (vie->mod == VIE_MOD_DIRECT || vie->rm != VIE_RM_SIB)
2629 if (vie_peek(vie, &x))
2632 /* De-construct the SIB byte */
2633 vie->ss = (x >> 6) & 0x3;
2634 vie->index = (x >> 3) & 0x7;
2635 vie->base = (x >> 0) & 0x7;
2637 /* Apply the REX prefix modifiers */
2638 vie->index |= vie->rex_x << 3;
2639 vie->base |= vie->rex_b << 3;
2642 case VIE_MOD_INDIRECT_DISP8:
2643 vie->disp_bytes = 1;
2645 case VIE_MOD_INDIRECT_DISP32:
2646 vie->disp_bytes = 4;
2650 if (vie->mod == VIE_MOD_INDIRECT &&
2651 (vie->base == 5 || vie->base == 13)) {
2653 * Special case when base register is unused if mod = 0
2654 * and base = %rbp or %r13.
2657 * Table 2-3: 32-bit Addressing Forms with the SIB Byte
2658 * Table 2-5: Special Cases of REX Encodings
2660 vie->disp_bytes = 4;
2662 vie->base_register = gpr_map[vie->base];
2666 * All encodings of 'index' are valid except for %rsp (4).
2669 * Table 2-3: 32-bit Addressing Forms with the SIB Byte
2670 * Table 2-5: Special Cases of REX Encodings
2672 if (vie->index != 4)
2673 vie->index_register = gpr_map[vie->index];
2675 /* 'scale' makes sense only in the context of an index register */
2676 if (vie->index_register < VM_REG_LAST)
2677 vie->scale = 1 << vie->ss;
2685 decode_displacement(struct vie *vie)
2696 if ((n = vie->disp_bytes) == 0)
2699 if (n != 1 && n != 4)
2700 panic("decode_displacement: invalid disp_bytes %d", n);
2702 for (i = 0; i < n; i++) {
2703 if (vie_peek(vie, &x))
2711 vie->displacement = u.signed8; /* sign-extended */
2713 vie->displacement = u.signed32; /* sign-extended */
2719 decode_immediate(struct vie *vie)
2730 /* Figure out immediate operand size (if any) */
2731 if (vie->op.op_flags & VIE_OP_F_IMM) {
2733 * Section 2.2.1.5 "Immediates", Intel SDM:
2734 * In 64-bit mode the typical size of immediate operands
2735 * remains 32-bits. When the operand size if 64-bits, the
2736 * processor sign-extends all immediates to 64-bits prior
2739 if (vie->opsize == 4 || vie->opsize == 8)
2743 } else if (vie->op.op_flags & VIE_OP_F_IMM8) {
2747 if ((n = vie->imm_bytes) == 0)
2750 KASSERT(n == 1 || n == 2 || n == 4,
2751 ("%s: invalid number of immediate bytes: %d", __func__, n));
2753 for (i = 0; i < n; i++) {
2754 if (vie_peek(vie, &x))
2761 /* sign-extend the immediate value before use */
2763 vie->immediate = u.signed8;
2765 vie->immediate = u.signed16;
2767 vie->immediate = u.signed32;
2773 decode_moffset(struct vie *vie)
2782 if ((vie->op.op_flags & VIE_OP_F_MOFFSET) == 0)
2786 * Section 2.2.1.4, "Direct Memory-Offset MOVs", Intel SDM:
2787 * The memory offset size follows the address-size of the instruction.
2790 KASSERT(n == 2 || n == 4 || n == 8, ("invalid moffset bytes: %d", n));
2793 for (i = 0; i < n; i++) {
2794 if (vie_peek(vie, &x))
2800 vie->displacement = u.u64;
2806 * Verify that the 'guest linear address' provided as collateral of the nested
2807 * page table fault matches with our instruction decoding.
2810 verify_gla(struct vm *vm, int cpuid, uint64_t gla, struct vie *vie,
2811 enum vm_cpu_mode cpu_mode)
2814 uint64_t base, segbase, idx, gla2;
2815 enum vm_reg_name seg;
2816 struct seg_desc desc;
2818 /* Skip 'gla' verification */
2819 if (gla == VIE_INVALID_GLA)
2823 if (vie->base_register != VM_REG_LAST) {
2824 error = vm_get_register(vm, cpuid, vie->base_register, &base);
2826 printf("verify_gla: error %d getting base reg %d\n",
2827 error, vie->base_register);
2832 * RIP-relative addressing starts from the following
2835 if (vie->base_register == VM_REG_GUEST_RIP)
2836 base += vie->num_processed;
2840 if (vie->index_register != VM_REG_LAST) {
2841 error = vm_get_register(vm, cpuid, vie->index_register, &idx);
2843 printf("verify_gla: error %d getting index reg %d\n",
2844 error, vie->index_register);
2850 * From "Specifying a Segment Selector", Intel SDM, Vol 1
2852 * In 64-bit mode, segmentation is generally (but not
2853 * completely) disabled. The exceptions are the FS and GS
2856 * In legacy IA-32 mode, when the ESP or EBP register is used
2857 * as the base, the SS segment is the default segment. For
2858 * other data references, except when relative to stack or
2859 * string destination the DS segment is the default. These
2860 * can be overridden to allow other segments to be accessed.
2862 if (vie->segment_override)
2863 seg = vie->segment_register;
2864 else if (vie->base_register == VM_REG_GUEST_RSP ||
2865 vie->base_register == VM_REG_GUEST_RBP)
2866 seg = VM_REG_GUEST_SS;
2868 seg = VM_REG_GUEST_DS;
2869 if (cpu_mode == CPU_MODE_64BIT && seg != VM_REG_GUEST_FS &&
2870 seg != VM_REG_GUEST_GS) {
2873 error = vm_get_seg_desc(vm, cpuid, seg, &desc);
2875 printf("verify_gla: error %d getting segment"
2876 " descriptor %d", error,
2877 vie->segment_register);
2880 segbase = desc.base;
2883 gla2 = segbase + base + vie->scale * idx + vie->displacement;
2884 gla2 &= size2mask[vie->addrsize];
2886 printf("verify_gla mismatch: segbase(0x%0lx)"
2887 "base(0x%0lx), scale(%d), index(0x%0lx), "
2888 "disp(0x%0lx), gla(0x%0lx), gla2(0x%0lx)\n",
2889 segbase, base, vie->scale, idx, vie->displacement,
2896 #endif /* _KERNEL */
2900 vmm_decode_instruction(struct vm *vm, int cpuid, uint64_t gla,
2901 enum vm_cpu_mode cpu_mode, int cs_d, struct vie *vie)
2903 vmm_decode_instruction(enum vm_cpu_mode cpu_mode, int cs_d, struct vie *vie)
2907 if (decode_prefixes(vie, cpu_mode, cs_d))
2910 if (decode_opcode(vie))
2913 if (decode_modrm(vie, cpu_mode))
2916 if (decode_sib(vie))
2919 if (decode_displacement(vie))
2922 if (decode_immediate(vie))
2925 if (decode_moffset(vie))
2929 if ((vie->op.op_flags & VIE_OP_F_NO_GLA_VERIFICATION) == 0) {
2930 if (verify_gla(vm, cpuid, gla, vie, cpu_mode))
2935 vie->decoded = 1; /* success */
projects / FreeBSD / FreeBSD.git / blob