cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux
Log | Files | Refs | README | LICENSE | sfeed.txt

insn-eval.c (46208B)


      1/*
      2 * Utility functions for x86 operand and address decoding
      3 *
      4 * Copyright (C) Intel Corporation 2017
      5 */
      6#include <linux/kernel.h>
      7#include <linux/string.h>
      8#include <linux/ratelimit.h>
      9#include <linux/mmu_context.h>
     10#include <asm/desc_defs.h>
     11#include <asm/desc.h>
     12#include <asm/inat.h>
     13#include <asm/insn.h>
     14#include <asm/insn-eval.h>
     15#include <asm/ldt.h>
     16#include <asm/vm86.h>
     17
     18#undef pr_fmt
     19#define pr_fmt(fmt) "insn: " fmt
     20
     21enum reg_type {
     22	REG_TYPE_RM = 0,
     23	REG_TYPE_REG,
     24	REG_TYPE_INDEX,
     25	REG_TYPE_BASE,
     26};
     27
     28/**
     29 * is_string_insn() - Determine if instruction is a string instruction
     30 * @insn:	Instruction containing the opcode to inspect
     31 *
     32 * Returns:
     33 *
     34 * true if the instruction, determined by the opcode, is any of the
     35 * string instructions as defined in the Intel Software Development manual.
     36 * False otherwise.
     37 */
     38static bool is_string_insn(struct insn *insn)
     39{
     40	/* All string instructions have a 1-byte opcode. */
     41	if (insn->opcode.nbytes != 1)
     42		return false;
     43
     44	switch (insn->opcode.bytes[0]) {
     45	case 0x6c ... 0x6f:	/* INS, OUTS */
     46	case 0xa4 ... 0xa7:	/* MOVS, CMPS */
     47	case 0xaa ... 0xaf:	/* STOS, LODS, SCAS */
     48		return true;
     49	default:
     50		return false;
     51	}
     52}
     53
     54/**
     55 * insn_has_rep_prefix() - Determine if instruction has a REP prefix
     56 * @insn:	Instruction containing the prefix to inspect
     57 *
     58 * Returns:
     59 *
     60 * true if the instruction has a REP prefix, false if not.
     61 */
     62bool insn_has_rep_prefix(struct insn *insn)
     63{
     64	insn_byte_t p;
     65	int i;
     66
     67	insn_get_prefixes(insn);
     68
     69	for_each_insn_prefix(insn, i, p) {
     70		if (p == 0xf2 || p == 0xf3)
     71			return true;
     72	}
     73
     74	return false;
     75}
     76
     77/**
     78 * get_seg_reg_override_idx() - obtain segment register override index
     79 * @insn:	Valid instruction with segment override prefixes
     80 *
     81 * Inspect the instruction prefixes in @insn and find segment overrides, if any.
     82 *
     83 * Returns:
     84 *
     85 * A constant identifying the segment register to use, among CS, SS, DS,
     86 * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override
     87 * prefixes were found.
     88 *
     89 * -EINVAL in case of error.
     90 */
     91static int get_seg_reg_override_idx(struct insn *insn)
     92{
     93	int idx = INAT_SEG_REG_DEFAULT;
     94	int num_overrides = 0, i;
     95	insn_byte_t p;
     96
     97	insn_get_prefixes(insn);
     98
     99	/* Look for any segment override prefixes. */
    100	for_each_insn_prefix(insn, i, p) {
    101		insn_attr_t attr;
    102
    103		attr = inat_get_opcode_attribute(p);
    104		switch (attr) {
    105		case INAT_MAKE_PREFIX(INAT_PFX_CS):
    106			idx = INAT_SEG_REG_CS;
    107			num_overrides++;
    108			break;
    109		case INAT_MAKE_PREFIX(INAT_PFX_SS):
    110			idx = INAT_SEG_REG_SS;
    111			num_overrides++;
    112			break;
    113		case INAT_MAKE_PREFIX(INAT_PFX_DS):
    114			idx = INAT_SEG_REG_DS;
    115			num_overrides++;
    116			break;
    117		case INAT_MAKE_PREFIX(INAT_PFX_ES):
    118			idx = INAT_SEG_REG_ES;
    119			num_overrides++;
    120			break;
    121		case INAT_MAKE_PREFIX(INAT_PFX_FS):
    122			idx = INAT_SEG_REG_FS;
    123			num_overrides++;
    124			break;
    125		case INAT_MAKE_PREFIX(INAT_PFX_GS):
    126			idx = INAT_SEG_REG_GS;
    127			num_overrides++;
    128			break;
    129		/* No default action needed. */
    130		}
    131	}
    132
    133	/* More than one segment override prefix leads to undefined behavior. */
    134	if (num_overrides > 1)
    135		return -EINVAL;
    136
    137	return idx;
    138}
    139
    140/**
    141 * check_seg_overrides() - check if segment override prefixes are allowed
    142 * @insn:	Valid instruction with segment override prefixes
    143 * @regoff:	Operand offset, in pt_regs, for which the check is performed
    144 *
    145 * For a particular register used in register-indirect addressing, determine if
    146 * segment override prefixes can be used. Specifically, no overrides are allowed
    147 * for rDI if used with a string instruction.
    148 *
    149 * Returns:
    150 *
    151 * True if segment override prefixes can be used with the register indicated
    152 * in @regoff. False if otherwise.
    153 */
    154static bool check_seg_overrides(struct insn *insn, int regoff)
    155{
    156	if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn))
    157		return false;
    158
    159	return true;
    160}
    161
    162/**
    163 * resolve_default_seg() - resolve default segment register index for an operand
    164 * @insn:	Instruction with opcode and address size. Must be valid.
    165 * @regs:	Register values as seen when entering kernel mode
    166 * @off:	Operand offset, in pt_regs, for which resolution is needed
    167 *
    168 * Resolve the default segment register index associated with the instruction
    169 * operand register indicated by @off. Such index is resolved based on defaults
    170 * described in the Intel Software Development Manual.
    171 *
    172 * Returns:
    173 *
    174 * If in protected mode, a constant identifying the segment register to use,
    175 * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE.
    176 *
    177 * -EINVAL in case of error.
    178 */
    179static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off)
    180{
    181	if (any_64bit_mode(regs))
    182		return INAT_SEG_REG_IGNORE;
    183	/*
    184	 * Resolve the default segment register as described in Section 3.7.4
    185	 * of the Intel Software Development Manual Vol. 1:
    186	 *
    187	 *  + DS for all references involving r[ABCD]X, and rSI.
    188	 *  + If used in a string instruction, ES for rDI. Otherwise, DS.
    189	 *  + AX, CX and DX are not valid register operands in 16-bit address
    190	 *    encodings but are valid for 32-bit and 64-bit encodings.
    191	 *  + -EDOM is reserved to identify for cases in which no register
    192	 *    is used (i.e., displacement-only addressing). Use DS.
    193	 *  + SS for rSP or rBP.
    194	 *  + CS for rIP.
    195	 */
    196
    197	switch (off) {
    198	case offsetof(struct pt_regs, ax):
    199	case offsetof(struct pt_regs, cx):
    200	case offsetof(struct pt_regs, dx):
    201		/* Need insn to verify address size. */
    202		if (insn->addr_bytes == 2)
    203			return -EINVAL;
    204
    205		fallthrough;
    206
    207	case -EDOM:
    208	case offsetof(struct pt_regs, bx):
    209	case offsetof(struct pt_regs, si):
    210		return INAT_SEG_REG_DS;
    211
    212	case offsetof(struct pt_regs, di):
    213		if (is_string_insn(insn))
    214			return INAT_SEG_REG_ES;
    215		return INAT_SEG_REG_DS;
    216
    217	case offsetof(struct pt_regs, bp):
    218	case offsetof(struct pt_regs, sp):
    219		return INAT_SEG_REG_SS;
    220
    221	case offsetof(struct pt_regs, ip):
    222		return INAT_SEG_REG_CS;
    223
    224	default:
    225		return -EINVAL;
    226	}
    227}
    228
    229/**
    230 * resolve_seg_reg() - obtain segment register index
    231 * @insn:	Instruction with operands
    232 * @regs:	Register values as seen when entering kernel mode
    233 * @regoff:	Operand offset, in pt_regs, used to determine segment register
    234 *
    235 * Determine the segment register associated with the operands and, if
    236 * applicable, prefixes and the instruction pointed by @insn.
    237 *
    238 * The segment register associated to an operand used in register-indirect
    239 * addressing depends on:
    240 *
    241 * a) Whether running in long mode (in such a case segments are ignored, except
    242 * if FS or GS are used).
    243 *
    244 * b) Whether segment override prefixes can be used. Certain instructions and
    245 *    registers do not allow override prefixes.
    246 *
    247 * c) Whether segment overrides prefixes are found in the instruction prefixes.
    248 *
    249 * d) If there are not segment override prefixes or they cannot be used, the
    250 *    default segment register associated with the operand register is used.
    251 *
    252 * The function checks first if segment override prefixes can be used with the
    253 * operand indicated by @regoff. If allowed, obtain such overridden segment
    254 * register index. Lastly, if not prefixes were found or cannot be used, resolve
    255 * the segment register index to use based on the defaults described in the
    256 * Intel documentation. In long mode, all segment register indexes will be
    257 * ignored, except if overrides were found for FS or GS. All these operations
    258 * are done using helper functions.
    259 *
    260 * The operand register, @regoff, is represented as the offset from the base of
    261 * pt_regs.
    262 *
    263 * As stated, the main use of this function is to determine the segment register
    264 * index based on the instruction, its operands and prefixes. Hence, @insn
    265 * must be valid. However, if @regoff indicates rIP, we don't need to inspect
    266 * @insn at all as in this case CS is used in all cases. This case is checked
    267 * before proceeding further.
    268 *
    269 * Please note that this function does not return the value in the segment
    270 * register (i.e., the segment selector) but our defined index. The segment
    271 * selector needs to be obtained using get_segment_selector() and passing the
    272 * segment register index resolved by this function.
    273 *
    274 * Returns:
    275 *
    276 * An index identifying the segment register to use, among CS, SS, DS,
    277 * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode.
    278 *
    279 * -EINVAL in case of error.
    280 */
    281static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff)
    282{
    283	int idx;
    284
    285	/*
    286	 * In the unlikely event of having to resolve the segment register
    287	 * index for rIP, do it first. Segment override prefixes should not
    288	 * be used. Hence, it is not necessary to inspect the instruction,
    289	 * which may be invalid at this point.
    290	 */
    291	if (regoff == offsetof(struct pt_regs, ip)) {
    292		if (any_64bit_mode(regs))
    293			return INAT_SEG_REG_IGNORE;
    294		else
    295			return INAT_SEG_REG_CS;
    296	}
    297
    298	if (!insn)
    299		return -EINVAL;
    300
    301	if (!check_seg_overrides(insn, regoff))
    302		return resolve_default_seg(insn, regs, regoff);
    303
    304	idx = get_seg_reg_override_idx(insn);
    305	if (idx < 0)
    306		return idx;
    307
    308	if (idx == INAT_SEG_REG_DEFAULT)
    309		return resolve_default_seg(insn, regs, regoff);
    310
    311	/*
    312	 * In long mode, segment override prefixes are ignored, except for
    313	 * overrides for FS and GS.
    314	 */
    315	if (any_64bit_mode(regs)) {
    316		if (idx != INAT_SEG_REG_FS &&
    317		    idx != INAT_SEG_REG_GS)
    318			idx = INAT_SEG_REG_IGNORE;
    319	}
    320
    321	return idx;
    322}
    323
    324/**
    325 * get_segment_selector() - obtain segment selector
    326 * @regs:		Register values as seen when entering kernel mode
    327 * @seg_reg_idx:	Segment register index to use
    328 *
    329 * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment
    330 * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or
    331 * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained
    332 * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU
    333 * registers. This done for only for completeness as in CONFIG_X86_64 segment
    334 * registers are ignored.
    335 *
    336 * Returns:
    337 *
    338 * Value of the segment selector, including null when running in
    339 * long mode.
    340 *
    341 * -EINVAL on error.
    342 */
    343static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx)
    344{
    345	unsigned short sel;
    346
    347#ifdef CONFIG_X86_64
    348	switch (seg_reg_idx) {
    349	case INAT_SEG_REG_IGNORE:
    350		return 0;
    351	case INAT_SEG_REG_CS:
    352		return (unsigned short)(regs->cs & 0xffff);
    353	case INAT_SEG_REG_SS:
    354		return (unsigned short)(regs->ss & 0xffff);
    355	case INAT_SEG_REG_DS:
    356		savesegment(ds, sel);
    357		return sel;
    358	case INAT_SEG_REG_ES:
    359		savesegment(es, sel);
    360		return sel;
    361	case INAT_SEG_REG_FS:
    362		savesegment(fs, sel);
    363		return sel;
    364	case INAT_SEG_REG_GS:
    365		savesegment(gs, sel);
    366		return sel;
    367	default:
    368		return -EINVAL;
    369	}
    370#else /* CONFIG_X86_32 */
    371	struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs;
    372
    373	if (v8086_mode(regs)) {
    374		switch (seg_reg_idx) {
    375		case INAT_SEG_REG_CS:
    376			return (unsigned short)(regs->cs & 0xffff);
    377		case INAT_SEG_REG_SS:
    378			return (unsigned short)(regs->ss & 0xffff);
    379		case INAT_SEG_REG_DS:
    380			return vm86regs->ds;
    381		case INAT_SEG_REG_ES:
    382			return vm86regs->es;
    383		case INAT_SEG_REG_FS:
    384			return vm86regs->fs;
    385		case INAT_SEG_REG_GS:
    386			return vm86regs->gs;
    387		case INAT_SEG_REG_IGNORE:
    388		default:
    389			return -EINVAL;
    390		}
    391	}
    392
    393	switch (seg_reg_idx) {
    394	case INAT_SEG_REG_CS:
    395		return (unsigned short)(regs->cs & 0xffff);
    396	case INAT_SEG_REG_SS:
    397		return (unsigned short)(regs->ss & 0xffff);
    398	case INAT_SEG_REG_DS:
    399		return (unsigned short)(regs->ds & 0xffff);
    400	case INAT_SEG_REG_ES:
    401		return (unsigned short)(regs->es & 0xffff);
    402	case INAT_SEG_REG_FS:
    403		return (unsigned short)(regs->fs & 0xffff);
    404	case INAT_SEG_REG_GS:
    405		savesegment(gs, sel);
    406		return sel;
    407	case INAT_SEG_REG_IGNORE:
    408	default:
    409		return -EINVAL;
    410	}
    411#endif /* CONFIG_X86_64 */
    412}
    413
    414static const int pt_regoff[] = {
    415	offsetof(struct pt_regs, ax),
    416	offsetof(struct pt_regs, cx),
    417	offsetof(struct pt_regs, dx),
    418	offsetof(struct pt_regs, bx),
    419	offsetof(struct pt_regs, sp),
    420	offsetof(struct pt_regs, bp),
    421	offsetof(struct pt_regs, si),
    422	offsetof(struct pt_regs, di),
    423#ifdef CONFIG_X86_64
    424	offsetof(struct pt_regs, r8),
    425	offsetof(struct pt_regs, r9),
    426	offsetof(struct pt_regs, r10),
    427	offsetof(struct pt_regs, r11),
    428	offsetof(struct pt_regs, r12),
    429	offsetof(struct pt_regs, r13),
    430	offsetof(struct pt_regs, r14),
    431	offsetof(struct pt_regs, r15),
    432#else
    433	offsetof(struct pt_regs, ds),
    434	offsetof(struct pt_regs, es),
    435	offsetof(struct pt_regs, fs),
    436	offsetof(struct pt_regs, gs),
    437#endif
    438};
    439
    440int pt_regs_offset(struct pt_regs *regs, int regno)
    441{
    442	if ((unsigned)regno < ARRAY_SIZE(pt_regoff))
    443		return pt_regoff[regno];
    444	return -EDOM;
    445}
    446
    447static int get_regno(struct insn *insn, enum reg_type type)
    448{
    449	int nr_registers = ARRAY_SIZE(pt_regoff);
    450	int regno = 0;
    451
    452	/*
    453	 * Don't possibly decode a 32-bit instructions as
    454	 * reading a 64-bit-only register.
    455	 */
    456	if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64)
    457		nr_registers -= 8;
    458
    459	switch (type) {
    460	case REG_TYPE_RM:
    461		regno = X86_MODRM_RM(insn->modrm.value);
    462
    463		/*
    464		 * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement
    465		 * follows the ModRM byte.
    466		 */
    467		if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
    468			return -EDOM;
    469
    470		if (X86_REX_B(insn->rex_prefix.value))
    471			regno += 8;
    472		break;
    473
    474	case REG_TYPE_REG:
    475		regno = X86_MODRM_REG(insn->modrm.value);
    476
    477		if (X86_REX_R(insn->rex_prefix.value))
    478			regno += 8;
    479		break;
    480
    481	case REG_TYPE_INDEX:
    482		regno = X86_SIB_INDEX(insn->sib.value);
    483		if (X86_REX_X(insn->rex_prefix.value))
    484			regno += 8;
    485
    486		/*
    487		 * If ModRM.mod != 3 and SIB.index = 4 the scale*index
    488		 * portion of the address computation is null. This is
    489		 * true only if REX.X is 0. In such a case, the SIB index
    490		 * is used in the address computation.
    491		 */
    492		if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4)
    493			return -EDOM;
    494		break;
    495
    496	case REG_TYPE_BASE:
    497		regno = X86_SIB_BASE(insn->sib.value);
    498		/*
    499		 * If ModRM.mod is 0 and SIB.base == 5, the base of the
    500		 * register-indirect addressing is 0. In this case, a
    501		 * 32-bit displacement follows the SIB byte.
    502		 */
    503		if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
    504			return -EDOM;
    505
    506		if (X86_REX_B(insn->rex_prefix.value))
    507			regno += 8;
    508		break;
    509
    510	default:
    511		pr_err_ratelimited("invalid register type: %d\n", type);
    512		return -EINVAL;
    513	}
    514
    515	if (regno >= nr_registers) {
    516		WARN_ONCE(1, "decoded an instruction with an invalid register");
    517		return -EINVAL;
    518	}
    519	return regno;
    520}
    521
    522static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
    523			  enum reg_type type)
    524{
    525	int regno = get_regno(insn, type);
    526
    527	if (regno < 0)
    528		return regno;
    529
    530	return pt_regs_offset(regs, regno);
    531}
    532
    533/**
    534 * get_reg_offset_16() - Obtain offset of register indicated by instruction
    535 * @insn:	Instruction containing ModRM byte
    536 * @regs:	Register values as seen when entering kernel mode
    537 * @offs1:	Offset of the first operand register
    538 * @offs2:	Offset of the second operand register, if applicable
    539 *
    540 * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte
    541 * in @insn. This function is to be used with 16-bit address encodings. The
    542 * @offs1 and @offs2 will be written with the offset of the two registers
    543 * indicated by the instruction. In cases where any of the registers is not
    544 * referenced by the instruction, the value will be set to -EDOM.
    545 *
    546 * Returns:
    547 *
    548 * 0 on success, -EINVAL on error.
    549 */
    550static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs,
    551			     int *offs1, int *offs2)
    552{
    553	/*
    554	 * 16-bit addressing can use one or two registers. Specifics of
    555	 * encodings are given in Table 2-1. "16-Bit Addressing Forms with the
    556	 * ModR/M Byte" of the Intel Software Development Manual.
    557	 */
    558	static const int regoff1[] = {
    559		offsetof(struct pt_regs, bx),
    560		offsetof(struct pt_regs, bx),
    561		offsetof(struct pt_regs, bp),
    562		offsetof(struct pt_regs, bp),
    563		offsetof(struct pt_regs, si),
    564		offsetof(struct pt_regs, di),
    565		offsetof(struct pt_regs, bp),
    566		offsetof(struct pt_regs, bx),
    567	};
    568
    569	static const int regoff2[] = {
    570		offsetof(struct pt_regs, si),
    571		offsetof(struct pt_regs, di),
    572		offsetof(struct pt_regs, si),
    573		offsetof(struct pt_regs, di),
    574		-EDOM,
    575		-EDOM,
    576		-EDOM,
    577		-EDOM,
    578	};
    579
    580	if (!offs1 || !offs2)
    581		return -EINVAL;
    582
    583	/* Operand is a register, use the generic function. */
    584	if (X86_MODRM_MOD(insn->modrm.value) == 3) {
    585		*offs1 = insn_get_modrm_rm_off(insn, regs);
    586		*offs2 = -EDOM;
    587		return 0;
    588	}
    589
    590	*offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)];
    591	*offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)];
    592
    593	/*
    594	 * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement-
    595	 * only addressing. This means that no registers are involved in
    596	 * computing the effective address. Thus, ensure that the first
    597	 * register offset is invalid. The second register offset is already
    598	 * invalid under the aforementioned conditions.
    599	 */
    600	if ((X86_MODRM_MOD(insn->modrm.value) == 0) &&
    601	    (X86_MODRM_RM(insn->modrm.value) == 6))
    602		*offs1 = -EDOM;
    603
    604	return 0;
    605}
    606
    607/**
    608 * get_desc() - Obtain contents of a segment descriptor
    609 * @out:	Segment descriptor contents on success
    610 * @sel:	Segment selector
    611 *
    612 * Given a segment selector, obtain a pointer to the segment descriptor.
    613 * Both global and local descriptor tables are supported.
    614 *
    615 * Returns:
    616 *
    617 * True on success, false on failure.
    618 *
    619 * NULL on error.
    620 */
    621static bool get_desc(struct desc_struct *out, unsigned short sel)
    622{
    623	struct desc_ptr gdt_desc = {0, 0};
    624	unsigned long desc_base;
    625
    626#ifdef CONFIG_MODIFY_LDT_SYSCALL
    627	if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) {
    628		bool success = false;
    629		struct ldt_struct *ldt;
    630
    631		/* Bits [15:3] contain the index of the desired entry. */
    632		sel >>= 3;
    633
    634		mutex_lock(&current->active_mm->context.lock);
    635		ldt = current->active_mm->context.ldt;
    636		if (ldt && sel < ldt->nr_entries) {
    637			*out = ldt->entries[sel];
    638			success = true;
    639		}
    640
    641		mutex_unlock(&current->active_mm->context.lock);
    642
    643		return success;
    644	}
    645#endif
    646	native_store_gdt(&gdt_desc);
    647
    648	/*
    649	 * Segment descriptors have a size of 8 bytes. Thus, the index is
    650	 * multiplied by 8 to obtain the memory offset of the desired descriptor
    651	 * from the base of the GDT. As bits [15:3] of the segment selector
    652	 * contain the index, it can be regarded as multiplied by 8 already.
    653	 * All that remains is to clear bits [2:0].
    654	 */
    655	desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK);
    656
    657	if (desc_base > gdt_desc.size)
    658		return false;
    659
    660	*out = *(struct desc_struct *)(gdt_desc.address + desc_base);
    661	return true;
    662}
    663
    664/**
    665 * insn_get_seg_base() - Obtain base address of segment descriptor.
    666 * @regs:		Register values as seen when entering kernel mode
    667 * @seg_reg_idx:	Index of the segment register pointing to seg descriptor
    668 *
    669 * Obtain the base address of the segment as indicated by the segment descriptor
    670 * pointed by the segment selector. The segment selector is obtained from the
    671 * input segment register index @seg_reg_idx.
    672 *
    673 * Returns:
    674 *
    675 * In protected mode, base address of the segment. Zero in long mode,
    676 * except when FS or GS are used. In virtual-8086 mode, the segment
    677 * selector shifted 4 bits to the right.
    678 *
    679 * -1L in case of error.
    680 */
    681unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx)
    682{
    683	struct desc_struct desc;
    684	short sel;
    685
    686	sel = get_segment_selector(regs, seg_reg_idx);
    687	if (sel < 0)
    688		return -1L;
    689
    690	if (v8086_mode(regs))
    691		/*
    692		 * Base is simply the segment selector shifted 4
    693		 * bits to the right.
    694		 */
    695		return (unsigned long)(sel << 4);
    696
    697	if (any_64bit_mode(regs)) {
    698		/*
    699		 * Only FS or GS will have a base address, the rest of
    700		 * the segments' bases are forced to 0.
    701		 */
    702		unsigned long base;
    703
    704		if (seg_reg_idx == INAT_SEG_REG_FS) {
    705			rdmsrl(MSR_FS_BASE, base);
    706		} else if (seg_reg_idx == INAT_SEG_REG_GS) {
    707			/*
    708			 * swapgs was called at the kernel entry point. Thus,
    709			 * MSR_KERNEL_GS_BASE will have the user-space GS base.
    710			 */
    711			if (user_mode(regs))
    712				rdmsrl(MSR_KERNEL_GS_BASE, base);
    713			else
    714				rdmsrl(MSR_GS_BASE, base);
    715		} else {
    716			base = 0;
    717		}
    718		return base;
    719	}
    720
    721	/* In protected mode the segment selector cannot be null. */
    722	if (!sel)
    723		return -1L;
    724
    725	if (!get_desc(&desc, sel))
    726		return -1L;
    727
    728	return get_desc_base(&desc);
    729}
    730
    731/**
    732 * get_seg_limit() - Obtain the limit of a segment descriptor
    733 * @regs:		Register values as seen when entering kernel mode
    734 * @seg_reg_idx:	Index of the segment register pointing to seg descriptor
    735 *
    736 * Obtain the limit of the segment as indicated by the segment descriptor
    737 * pointed by the segment selector. The segment selector is obtained from the
    738 * input segment register index @seg_reg_idx.
    739 *
    740 * Returns:
    741 *
    742 * In protected mode, the limit of the segment descriptor in bytes.
    743 * In long mode and virtual-8086 mode, segment limits are not enforced. Thus,
    744 * limit is returned as -1L to imply a limit-less segment.
    745 *
    746 * Zero is returned on error.
    747 */
    748static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx)
    749{
    750	struct desc_struct desc;
    751	unsigned long limit;
    752	short sel;
    753
    754	sel = get_segment_selector(regs, seg_reg_idx);
    755	if (sel < 0)
    756		return 0;
    757
    758	if (any_64bit_mode(regs) || v8086_mode(regs))
    759		return -1L;
    760
    761	if (!sel)
    762		return 0;
    763
    764	if (!get_desc(&desc, sel))
    765		return 0;
    766
    767	/*
    768	 * If the granularity bit is set, the limit is given in multiples
    769	 * of 4096. This also means that the 12 least significant bits are
    770	 * not tested when checking the segment limits. In practice,
    771	 * this means that the segment ends in (limit << 12) + 0xfff.
    772	 */
    773	limit = get_desc_limit(&desc);
    774	if (desc.g)
    775		limit = (limit << 12) + 0xfff;
    776
    777	return limit;
    778}
    779
    780/**
    781 * insn_get_code_seg_params() - Obtain code segment parameters
    782 * @regs:	Structure with register values as seen when entering kernel mode
    783 *
    784 * Obtain address and operand sizes of the code segment. It is obtained from the
    785 * selector contained in the CS register in regs. In protected mode, the default
    786 * address is determined by inspecting the L and D bits of the segment
    787 * descriptor. In virtual-8086 mode, the default is always two bytes for both
    788 * address and operand sizes.
    789 *
    790 * Returns:
    791 *
    792 * An int containing ORed-in default parameters on success.
    793 *
    794 * -EINVAL on error.
    795 */
    796int insn_get_code_seg_params(struct pt_regs *regs)
    797{
    798	struct desc_struct desc;
    799	short sel;
    800
    801	if (v8086_mode(regs))
    802		/* Address and operand size are both 16-bit. */
    803		return INSN_CODE_SEG_PARAMS(2, 2);
    804
    805	sel = get_segment_selector(regs, INAT_SEG_REG_CS);
    806	if (sel < 0)
    807		return sel;
    808
    809	if (!get_desc(&desc, sel))
    810		return -EINVAL;
    811
    812	/*
    813	 * The most significant byte of the Type field of the segment descriptor
    814	 * determines whether a segment contains data or code. If this is a data
    815	 * segment, return error.
    816	 */
    817	if (!(desc.type & BIT(3)))
    818		return -EINVAL;
    819
    820	switch ((desc.l << 1) | desc.d) {
    821	case 0: /*
    822		 * Legacy mode. CS.L=0, CS.D=0. Address and operand size are
    823		 * both 16-bit.
    824		 */
    825		return INSN_CODE_SEG_PARAMS(2, 2);
    826	case 1: /*
    827		 * Legacy mode. CS.L=0, CS.D=1. Address and operand size are
    828		 * both 32-bit.
    829		 */
    830		return INSN_CODE_SEG_PARAMS(4, 4);
    831	case 2: /*
    832		 * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit;
    833		 * operand size is 32-bit.
    834		 */
    835		return INSN_CODE_SEG_PARAMS(4, 8);
    836	case 3: /* Invalid setting. CS.L=1, CS.D=1 */
    837		fallthrough;
    838	default:
    839		return -EINVAL;
    840	}
    841}
    842
    843/**
    844 * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte
    845 * @insn:	Instruction containing the ModRM byte
    846 * @regs:	Register values as seen when entering kernel mode
    847 *
    848 * Returns:
    849 *
    850 * The register indicated by the r/m part of the ModRM byte. The
    851 * register is obtained as an offset from the base of pt_regs. In specific
    852 * cases, the returned value can be -EDOM to indicate that the particular value
    853 * of ModRM does not refer to a register and shall be ignored.
    854 */
    855int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs)
    856{
    857	return get_reg_offset(insn, regs, REG_TYPE_RM);
    858}
    859
    860/**
    861 * insn_get_modrm_reg_off() - Obtain register in reg part of the ModRM byte
    862 * @insn:	Instruction containing the ModRM byte
    863 * @regs:	Register values as seen when entering kernel mode
    864 *
    865 * Returns:
    866 *
    867 * The register indicated by the reg part of the ModRM byte. The
    868 * register is obtained as an offset from the base of pt_regs.
    869 */
    870int insn_get_modrm_reg_off(struct insn *insn, struct pt_regs *regs)
    871{
    872	return get_reg_offset(insn, regs, REG_TYPE_REG);
    873}
    874
    875/**
    876 * insn_get_modrm_reg_ptr() - Obtain register pointer based on ModRM byte
    877 * @insn:	Instruction containing the ModRM byte
    878 * @regs:	Register values as seen when entering kernel mode
    879 *
    880 * Returns:
    881 *
    882 * The register indicated by the reg part of the ModRM byte.
    883 * The register is obtained as a pointer within pt_regs.
    884 */
    885unsigned long *insn_get_modrm_reg_ptr(struct insn *insn, struct pt_regs *regs)
    886{
    887	int offset;
    888
    889	offset = insn_get_modrm_reg_off(insn, regs);
    890	if (offset < 0)
    891		return NULL;
    892	return (void *)regs + offset;
    893}
    894
    895/**
    896 * get_seg_base_limit() - obtain base address and limit of a segment
    897 * @insn:	Instruction. Must be valid.
    898 * @regs:	Register values as seen when entering kernel mode
    899 * @regoff:	Operand offset, in pt_regs, used to resolve segment descriptor
    900 * @base:	Obtained segment base
    901 * @limit:	Obtained segment limit
    902 *
    903 * Obtain the base address and limit of the segment associated with the operand
    904 * @regoff and, if any or allowed, override prefixes in @insn. This function is
    905 * different from insn_get_seg_base() as the latter does not resolve the segment
    906 * associated with the instruction operand. If a limit is not needed (e.g.,
    907 * when running in long mode), @limit can be NULL.
    908 *
    909 * Returns:
    910 *
    911 * 0 on success. @base and @limit will contain the base address and of the
    912 * resolved segment, respectively.
    913 *
    914 * -EINVAL on error.
    915 */
    916static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs,
    917			      int regoff, unsigned long *base,
    918			      unsigned long *limit)
    919{
    920	int seg_reg_idx;
    921
    922	if (!base)
    923		return -EINVAL;
    924
    925	seg_reg_idx = resolve_seg_reg(insn, regs, regoff);
    926	if (seg_reg_idx < 0)
    927		return seg_reg_idx;
    928
    929	*base = insn_get_seg_base(regs, seg_reg_idx);
    930	if (*base == -1L)
    931		return -EINVAL;
    932
    933	if (!limit)
    934		return 0;
    935
    936	*limit = get_seg_limit(regs, seg_reg_idx);
    937	if (!(*limit))
    938		return -EINVAL;
    939
    940	return 0;
    941}
    942
    943/**
    944 * get_eff_addr_reg() - Obtain effective address from register operand
    945 * @insn:	Instruction. Must be valid.
    946 * @regs:	Register values as seen when entering kernel mode
    947 * @regoff:	Obtained operand offset, in pt_regs, with the effective address
    948 * @eff_addr:	Obtained effective address
    949 *
    950 * Obtain the effective address stored in the register operand as indicated by
    951 * the ModRM byte. This function is to be used only with register addressing
    952 * (i.e.,  ModRM.mod is 3). The effective address is saved in @eff_addr. The
    953 * register operand, as an offset from the base of pt_regs, is saved in @regoff;
    954 * such offset can then be used to resolve the segment associated with the
    955 * operand. This function can be used with any of the supported address sizes
    956 * in x86.
    957 *
    958 * Returns:
    959 *
    960 * 0 on success. @eff_addr will have the effective address stored in the
    961 * operand indicated by ModRM. @regoff will have such operand as an offset from
    962 * the base of pt_regs.
    963 *
    964 * -EINVAL on error.
    965 */
    966static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs,
    967			    int *regoff, long *eff_addr)
    968{
    969	int ret;
    970
    971	ret = insn_get_modrm(insn);
    972	if (ret)
    973		return ret;
    974
    975	if (X86_MODRM_MOD(insn->modrm.value) != 3)
    976		return -EINVAL;
    977
    978	*regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
    979	if (*regoff < 0)
    980		return -EINVAL;
    981
    982	/* Ignore bytes that are outside the address size. */
    983	if (insn->addr_bytes == 2)
    984		*eff_addr = regs_get_register(regs, *regoff) & 0xffff;
    985	else if (insn->addr_bytes == 4)
    986		*eff_addr = regs_get_register(regs, *regoff) & 0xffffffff;
    987	else /* 64-bit address */
    988		*eff_addr = regs_get_register(regs, *regoff);
    989
    990	return 0;
    991}
    992
    993/**
    994 * get_eff_addr_modrm() - Obtain referenced effective address via ModRM
    995 * @insn:	Instruction. Must be valid.
    996 * @regs:	Register values as seen when entering kernel mode
    997 * @regoff:	Obtained operand offset, in pt_regs, associated with segment
    998 * @eff_addr:	Obtained effective address
    999 *
   1000 * Obtain the effective address referenced by the ModRM byte of @insn. After
   1001 * identifying the registers involved in the register-indirect memory reference,
   1002 * its value is obtained from the operands in @regs. The computed address is
   1003 * stored @eff_addr. Also, the register operand that indicates the associated
   1004 * segment is stored in @regoff, this parameter can later be used to determine
   1005 * such segment.
   1006 *
   1007 * Returns:
   1008 *
   1009 * 0 on success. @eff_addr will have the referenced effective address. @regoff
   1010 * will have a register, as an offset from the base of pt_regs, that can be used
   1011 * to resolve the associated segment.
   1012 *
   1013 * -EINVAL on error.
   1014 */
   1015static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs,
   1016			      int *regoff, long *eff_addr)
   1017{
   1018	long tmp;
   1019	int ret;
   1020
   1021	if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
   1022		return -EINVAL;
   1023
   1024	ret = insn_get_modrm(insn);
   1025	if (ret)
   1026		return ret;
   1027
   1028	if (X86_MODRM_MOD(insn->modrm.value) > 2)
   1029		return -EINVAL;
   1030
   1031	*regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
   1032
   1033	/*
   1034	 * -EDOM means that we must ignore the address_offset. In such a case,
   1035	 * in 64-bit mode the effective address relative to the rIP of the
   1036	 * following instruction.
   1037	 */
   1038	if (*regoff == -EDOM) {
   1039		if (any_64bit_mode(regs))
   1040			tmp = regs->ip + insn->length;
   1041		else
   1042			tmp = 0;
   1043	} else if (*regoff < 0) {
   1044		return -EINVAL;
   1045	} else {
   1046		tmp = regs_get_register(regs, *regoff);
   1047	}
   1048
   1049	if (insn->addr_bytes == 4) {
   1050		int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value;
   1051
   1052		*eff_addr = addr32 & 0xffffffff;
   1053	} else {
   1054		*eff_addr = tmp + insn->displacement.value;
   1055	}
   1056
   1057	return 0;
   1058}
   1059
   1060/**
   1061 * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM
   1062 * @insn:	Instruction. Must be valid.
   1063 * @regs:	Register values as seen when entering kernel mode
   1064 * @regoff:	Obtained operand offset, in pt_regs, associated with segment
   1065 * @eff_addr:	Obtained effective address
   1066 *
   1067 * Obtain the 16-bit effective address referenced by the ModRM byte of @insn.
   1068 * After identifying the registers involved in the register-indirect memory
   1069 * reference, its value is obtained from the operands in @regs. The computed
   1070 * address is stored @eff_addr. Also, the register operand that indicates
   1071 * the associated segment is stored in @regoff, this parameter can later be used
   1072 * to determine such segment.
   1073 *
   1074 * Returns:
   1075 *
   1076 * 0 on success. @eff_addr will have the referenced effective address. @regoff
   1077 * will have a register, as an offset from the base of pt_regs, that can be used
   1078 * to resolve the associated segment.
   1079 *
   1080 * -EINVAL on error.
   1081 */
   1082static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs,
   1083				 int *regoff, short *eff_addr)
   1084{
   1085	int addr_offset1, addr_offset2, ret;
   1086	short addr1 = 0, addr2 = 0, displacement;
   1087
   1088	if (insn->addr_bytes != 2)
   1089		return -EINVAL;
   1090
   1091	insn_get_modrm(insn);
   1092
   1093	if (!insn->modrm.nbytes)
   1094		return -EINVAL;
   1095
   1096	if (X86_MODRM_MOD(insn->modrm.value) > 2)
   1097		return -EINVAL;
   1098
   1099	ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2);
   1100	if (ret < 0)
   1101		return -EINVAL;
   1102
   1103	/*
   1104	 * Don't fail on invalid offset values. They might be invalid because
   1105	 * they cannot be used for this particular value of ModRM. Instead, use
   1106	 * them in the computation only if they contain a valid value.
   1107	 */
   1108	if (addr_offset1 != -EDOM)
   1109		addr1 = regs_get_register(regs, addr_offset1) & 0xffff;
   1110
   1111	if (addr_offset2 != -EDOM)
   1112		addr2 = regs_get_register(regs, addr_offset2) & 0xffff;
   1113
   1114	displacement = insn->displacement.value & 0xffff;
   1115	*eff_addr = addr1 + addr2 + displacement;
   1116
   1117	/*
   1118	 * The first operand register could indicate to use of either SS or DS
   1119	 * registers to obtain the segment selector.  The second operand
   1120	 * register can only indicate the use of DS. Thus, the first operand
   1121	 * will be used to obtain the segment selector.
   1122	 */
   1123	*regoff = addr_offset1;
   1124
   1125	return 0;
   1126}
   1127
   1128/**
   1129 * get_eff_addr_sib() - Obtain referenced effective address via SIB
   1130 * @insn:	Instruction. Must be valid.
   1131 * @regs:	Register values as seen when entering kernel mode
   1132 * @regoff:	Obtained operand offset, in pt_regs, associated with segment
   1133 * @eff_addr:	Obtained effective address
   1134 *
   1135 * Obtain the effective address referenced by the SIB byte of @insn. After
   1136 * identifying the registers involved in the indexed, register-indirect memory
   1137 * reference, its value is obtained from the operands in @regs. The computed
   1138 * address is stored @eff_addr. Also, the register operand that indicates the
   1139 * associated segment is stored in @regoff, this parameter can later be used to
   1140 * determine such segment.
   1141 *
   1142 * Returns:
   1143 *
   1144 * 0 on success. @eff_addr will have the referenced effective address.
   1145 * @base_offset will have a register, as an offset from the base of pt_regs,
   1146 * that can be used to resolve the associated segment.
   1147 *
   1148 * Negative value on error.
   1149 */
   1150static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs,
   1151			    int *base_offset, long *eff_addr)
   1152{
   1153	long base, indx;
   1154	int indx_offset;
   1155	int ret;
   1156
   1157	if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
   1158		return -EINVAL;
   1159
   1160	ret = insn_get_modrm(insn);
   1161	if (ret)
   1162		return ret;
   1163
   1164	if (!insn->modrm.nbytes)
   1165		return -EINVAL;
   1166
   1167	if (X86_MODRM_MOD(insn->modrm.value) > 2)
   1168		return -EINVAL;
   1169
   1170	ret = insn_get_sib(insn);
   1171	if (ret)
   1172		return ret;
   1173
   1174	if (!insn->sib.nbytes)
   1175		return -EINVAL;
   1176
   1177	*base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE);
   1178	indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX);
   1179
   1180	/*
   1181	 * Negative values in the base and index offset means an error when
   1182	 * decoding the SIB byte. Except -EDOM, which means that the registers
   1183	 * should not be used in the address computation.
   1184	 */
   1185	if (*base_offset == -EDOM)
   1186		base = 0;
   1187	else if (*base_offset < 0)
   1188		return -EINVAL;
   1189	else
   1190		base = regs_get_register(regs, *base_offset);
   1191
   1192	if (indx_offset == -EDOM)
   1193		indx = 0;
   1194	else if (indx_offset < 0)
   1195		return -EINVAL;
   1196	else
   1197		indx = regs_get_register(regs, indx_offset);
   1198
   1199	if (insn->addr_bytes == 4) {
   1200		int addr32, base32, idx32;
   1201
   1202		base32 = base & 0xffffffff;
   1203		idx32 = indx & 0xffffffff;
   1204
   1205		addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value));
   1206		addr32 += insn->displacement.value;
   1207
   1208		*eff_addr = addr32 & 0xffffffff;
   1209	} else {
   1210		*eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value));
   1211		*eff_addr += insn->displacement.value;
   1212	}
   1213
   1214	return 0;
   1215}
   1216
   1217/**
   1218 * get_addr_ref_16() - Obtain the 16-bit address referred by instruction
   1219 * @insn:	Instruction containing ModRM byte and displacement
   1220 * @regs:	Register values as seen when entering kernel mode
   1221 *
   1222 * This function is to be used with 16-bit address encodings. Obtain the memory
   1223 * address referred by the instruction's ModRM and displacement bytes. Also, the
   1224 * segment used as base is determined by either any segment override prefixes in
   1225 * @insn or the default segment of the registers involved in the address
   1226 * computation. In protected mode, segment limits are enforced.
   1227 *
   1228 * Returns:
   1229 *
   1230 * Linear address referenced by the instruction operands on success.
   1231 *
   1232 * -1L on error.
   1233 */
   1234static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs)
   1235{
   1236	unsigned long linear_addr = -1L, seg_base, seg_limit;
   1237	int ret, regoff;
   1238	short eff_addr;
   1239	long tmp;
   1240
   1241	if (insn_get_displacement(insn))
   1242		goto out;
   1243
   1244	if (insn->addr_bytes != 2)
   1245		goto out;
   1246
   1247	if (X86_MODRM_MOD(insn->modrm.value) == 3) {
   1248		ret = get_eff_addr_reg(insn, regs, &regoff, &tmp);
   1249		if (ret)
   1250			goto out;
   1251
   1252		eff_addr = tmp;
   1253	} else {
   1254		ret = get_eff_addr_modrm_16(insn, regs, &regoff, &eff_addr);
   1255		if (ret)
   1256			goto out;
   1257	}
   1258
   1259	ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
   1260	if (ret)
   1261		goto out;
   1262
   1263	/*
   1264	 * Before computing the linear address, make sure the effective address
   1265	 * is within the limits of the segment. In virtual-8086 mode, segment
   1266	 * limits are not enforced. In such a case, the segment limit is -1L to
   1267	 * reflect this fact.
   1268	 */
   1269	if ((unsigned long)(eff_addr & 0xffff) > seg_limit)
   1270		goto out;
   1271
   1272	linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base;
   1273
   1274	/* Limit linear address to 20 bits */
   1275	if (v8086_mode(regs))
   1276		linear_addr &= 0xfffff;
   1277
   1278out:
   1279	return (void __user *)linear_addr;
   1280}
   1281
   1282/**
   1283 * get_addr_ref_32() - Obtain a 32-bit linear address
   1284 * @insn:	Instruction with ModRM, SIB bytes and displacement
   1285 * @regs:	Register values as seen when entering kernel mode
   1286 *
   1287 * This function is to be used with 32-bit address encodings to obtain the
   1288 * linear memory address referred by the instruction's ModRM, SIB,
   1289 * displacement bytes and segment base address, as applicable. If in protected
   1290 * mode, segment limits are enforced.
   1291 *
   1292 * Returns:
   1293 *
   1294 * Linear address referenced by instruction and registers on success.
   1295 *
   1296 * -1L on error.
   1297 */
   1298static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs)
   1299{
   1300	unsigned long linear_addr = -1L, seg_base, seg_limit;
   1301	int eff_addr, regoff;
   1302	long tmp;
   1303	int ret;
   1304
   1305	if (insn->addr_bytes != 4)
   1306		goto out;
   1307
   1308	if (X86_MODRM_MOD(insn->modrm.value) == 3) {
   1309		ret = get_eff_addr_reg(insn, regs, &regoff, &tmp);
   1310		if (ret)
   1311			goto out;
   1312
   1313		eff_addr = tmp;
   1314
   1315	} else {
   1316		if (insn->sib.nbytes) {
   1317			ret = get_eff_addr_sib(insn, regs, &regoff, &tmp);
   1318			if (ret)
   1319				goto out;
   1320
   1321			eff_addr = tmp;
   1322		} else {
   1323			ret = get_eff_addr_modrm(insn, regs, &regoff, &tmp);
   1324			if (ret)
   1325				goto out;
   1326
   1327			eff_addr = tmp;
   1328		}
   1329	}
   1330
   1331	ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
   1332	if (ret)
   1333		goto out;
   1334
   1335	/*
   1336	 * In protected mode, before computing the linear address, make sure
   1337	 * the effective address is within the limits of the segment.
   1338	 * 32-bit addresses can be used in long and virtual-8086 modes if an
   1339	 * address override prefix is used. In such cases, segment limits are
   1340	 * not enforced. When in virtual-8086 mode, the segment limit is -1L
   1341	 * to reflect this situation.
   1342	 *
   1343	 * After computed, the effective address is treated as an unsigned
   1344	 * quantity.
   1345	 */
   1346	if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit))
   1347		goto out;
   1348
   1349	/*
   1350	 * Even though 32-bit address encodings are allowed in virtual-8086
   1351	 * mode, the address range is still limited to [0x-0xffff].
   1352	 */
   1353	if (v8086_mode(regs) && (eff_addr & ~0xffff))
   1354		goto out;
   1355
   1356	/*
   1357	 * Data type long could be 64 bits in size. Ensure that our 32-bit
   1358	 * effective address is not sign-extended when computing the linear
   1359	 * address.
   1360	 */
   1361	linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base;
   1362
   1363	/* Limit linear address to 20 bits */
   1364	if (v8086_mode(regs))
   1365		linear_addr &= 0xfffff;
   1366
   1367out:
   1368	return (void __user *)linear_addr;
   1369}
   1370
   1371/**
   1372 * get_addr_ref_64() - Obtain a 64-bit linear address
   1373 * @insn:	Instruction struct with ModRM and SIB bytes and displacement
   1374 * @regs:	Structure with register values as seen when entering kernel mode
   1375 *
   1376 * This function is to be used with 64-bit address encodings to obtain the
   1377 * linear memory address referred by the instruction's ModRM, SIB,
   1378 * displacement bytes and segment base address, as applicable.
   1379 *
   1380 * Returns:
   1381 *
   1382 * Linear address referenced by instruction and registers on success.
   1383 *
   1384 * -1L on error.
   1385 */
   1386#ifndef CONFIG_X86_64
   1387static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
   1388{
   1389	return (void __user *)-1L;
   1390}
   1391#else
   1392static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
   1393{
   1394	unsigned long linear_addr = -1L, seg_base;
   1395	int regoff, ret;
   1396	long eff_addr;
   1397
   1398	if (insn->addr_bytes != 8)
   1399		goto out;
   1400
   1401	if (X86_MODRM_MOD(insn->modrm.value) == 3) {
   1402		ret = get_eff_addr_reg(insn, regs, &regoff, &eff_addr);
   1403		if (ret)
   1404			goto out;
   1405
   1406	} else {
   1407		if (insn->sib.nbytes) {
   1408			ret = get_eff_addr_sib(insn, regs, &regoff, &eff_addr);
   1409			if (ret)
   1410				goto out;
   1411		} else {
   1412			ret = get_eff_addr_modrm(insn, regs, &regoff, &eff_addr);
   1413			if (ret)
   1414				goto out;
   1415		}
   1416
   1417	}
   1418
   1419	ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL);
   1420	if (ret)
   1421		goto out;
   1422
   1423	linear_addr = (unsigned long)eff_addr + seg_base;
   1424
   1425out:
   1426	return (void __user *)linear_addr;
   1427}
   1428#endif /* CONFIG_X86_64 */
   1429
   1430/**
   1431 * insn_get_addr_ref() - Obtain the linear address referred by instruction
   1432 * @insn:	Instruction structure containing ModRM byte and displacement
   1433 * @regs:	Structure with register values as seen when entering kernel mode
   1434 *
   1435 * Obtain the linear address referred by the instruction's ModRM, SIB and
   1436 * displacement bytes, and segment base, as applicable. In protected mode,
   1437 * segment limits are enforced.
   1438 *
   1439 * Returns:
   1440 *
   1441 * Linear address referenced by instruction and registers on success.
   1442 *
   1443 * -1L on error.
   1444 */
   1445void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs)
   1446{
   1447	if (!insn || !regs)
   1448		return (void __user *)-1L;
   1449
   1450	if (insn_get_opcode(insn))
   1451		return (void __user *)-1L;
   1452
   1453	switch (insn->addr_bytes) {
   1454	case 2:
   1455		return get_addr_ref_16(insn, regs);
   1456	case 4:
   1457		return get_addr_ref_32(insn, regs);
   1458	case 8:
   1459		return get_addr_ref_64(insn, regs);
   1460	default:
   1461		return (void __user *)-1L;
   1462	}
   1463}
   1464
   1465int insn_get_effective_ip(struct pt_regs *regs, unsigned long *ip)
   1466{
   1467	unsigned long seg_base = 0;
   1468
   1469	/*
   1470	 * If not in user-space long mode, a custom code segment could be in
   1471	 * use. This is true in protected mode (if the process defined a local
   1472	 * descriptor table), or virtual-8086 mode. In most of the cases
   1473	 * seg_base will be zero as in USER_CS.
   1474	 */
   1475	if (!user_64bit_mode(regs)) {
   1476		seg_base = insn_get_seg_base(regs, INAT_SEG_REG_CS);
   1477		if (seg_base == -1L)
   1478			return -EINVAL;
   1479	}
   1480
   1481	*ip = seg_base + regs->ip;
   1482
   1483	return 0;
   1484}
   1485
   1486/**
   1487 * insn_fetch_from_user() - Copy instruction bytes from user-space memory
   1488 * @regs:	Structure with register values as seen when entering kernel mode
   1489 * @buf:	Array to store the fetched instruction
   1490 *
   1491 * Gets the linear address of the instruction and copies the instruction bytes
   1492 * to the buf.
   1493 *
   1494 * Returns:
   1495 *
   1496 * - number of instruction bytes copied.
   1497 * - 0 if nothing was copied.
   1498 * - -EINVAL if the linear address of the instruction could not be calculated
   1499 */
   1500int insn_fetch_from_user(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE])
   1501{
   1502	unsigned long ip;
   1503	int not_copied;
   1504
   1505	if (insn_get_effective_ip(regs, &ip))
   1506		return -EINVAL;
   1507
   1508	not_copied = copy_from_user(buf, (void __user *)ip, MAX_INSN_SIZE);
   1509
   1510	return MAX_INSN_SIZE - not_copied;
   1511}
   1512
   1513/**
   1514 * insn_fetch_from_user_inatomic() - Copy instruction bytes from user-space memory
   1515 *                                   while in atomic code
   1516 * @regs:	Structure with register values as seen when entering kernel mode
   1517 * @buf:	Array to store the fetched instruction
   1518 *
   1519 * Gets the linear address of the instruction and copies the instruction bytes
   1520 * to the buf. This function must be used in atomic context.
   1521 *
   1522 * Returns:
   1523 *
   1524 *  - number of instruction bytes copied.
   1525 *  - 0 if nothing was copied.
   1526 *  - -EINVAL if the linear address of the instruction could not be calculated.
   1527 */
   1528int insn_fetch_from_user_inatomic(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE])
   1529{
   1530	unsigned long ip;
   1531	int not_copied;
   1532
   1533	if (insn_get_effective_ip(regs, &ip))
   1534		return -EINVAL;
   1535
   1536	not_copied = __copy_from_user_inatomic(buf, (void __user *)ip, MAX_INSN_SIZE);
   1537
   1538	return MAX_INSN_SIZE - not_copied;
   1539}
   1540
   1541/**
   1542 * insn_decode_from_regs() - Decode an instruction
   1543 * @insn:	Structure to store decoded instruction
   1544 * @regs:	Structure with register values as seen when entering kernel mode
   1545 * @buf:	Buffer containing the instruction bytes
   1546 * @buf_size:   Number of instruction bytes available in buf
   1547 *
   1548 * Decodes the instruction provided in buf and stores the decoding results in
   1549 * insn. Also determines the correct address and operand sizes.
   1550 *
   1551 * Returns:
   1552 *
   1553 * True if instruction was decoded, False otherwise.
   1554 */
   1555bool insn_decode_from_regs(struct insn *insn, struct pt_regs *regs,
   1556			   unsigned char buf[MAX_INSN_SIZE], int buf_size)
   1557{
   1558	int seg_defs;
   1559
   1560	insn_init(insn, buf, buf_size, user_64bit_mode(regs));
   1561
   1562	/*
   1563	 * Override the default operand and address sizes with what is specified
   1564	 * in the code segment descriptor. The instruction decoder only sets
   1565	 * the address size it to either 4 or 8 address bytes and does nothing
   1566	 * for the operand bytes. This OK for most of the cases, but we could
   1567	 * have special cases where, for instance, a 16-bit code segment
   1568	 * descriptor is used.
   1569	 * If there is an address override prefix, the instruction decoder
   1570	 * correctly updates these values, even for 16-bit defaults.
   1571	 */
   1572	seg_defs = insn_get_code_seg_params(regs);
   1573	if (seg_defs == -EINVAL)
   1574		return false;
   1575
   1576	insn->addr_bytes = INSN_CODE_SEG_ADDR_SZ(seg_defs);
   1577	insn->opnd_bytes = INSN_CODE_SEG_OPND_SZ(seg_defs);
   1578
   1579	if (insn_get_length(insn))
   1580		return false;
   1581
   1582	if (buf_size < insn->length)
   1583		return false;
   1584
   1585	return true;
   1586}
   1587
   1588/**
   1589 * insn_decode_mmio() - Decode a MMIO instruction
   1590 * @insn:	Structure to store decoded instruction
   1591 * @bytes:	Returns size of memory operand
   1592 *
   1593 * Decodes instruction that used for Memory-mapped I/O.
   1594 *
   1595 * Returns:
   1596 *
   1597 * Type of the instruction. Size of the memory operand is stored in
   1598 * @bytes. If decode failed, MMIO_DECODE_FAILED returned.
   1599 */
   1600enum mmio_type insn_decode_mmio(struct insn *insn, int *bytes)
   1601{
   1602	enum mmio_type type = MMIO_DECODE_FAILED;
   1603
   1604	*bytes = 0;
   1605
   1606	if (insn_get_opcode(insn))
   1607		return MMIO_DECODE_FAILED;
   1608
   1609	switch (insn->opcode.bytes[0]) {
   1610	case 0x88: /* MOV m8,r8 */
   1611		*bytes = 1;
   1612		fallthrough;
   1613	case 0x89: /* MOV m16/m32/m64, r16/m32/m64 */
   1614		if (!*bytes)
   1615			*bytes = insn->opnd_bytes;
   1616		type = MMIO_WRITE;
   1617		break;
   1618
   1619	case 0xc6: /* MOV m8, imm8 */
   1620		*bytes = 1;
   1621		fallthrough;
   1622	case 0xc7: /* MOV m16/m32/m64, imm16/imm32/imm64 */
   1623		if (!*bytes)
   1624			*bytes = insn->opnd_bytes;
   1625		type = MMIO_WRITE_IMM;
   1626		break;
   1627
   1628	case 0x8a: /* MOV r8, m8 */
   1629		*bytes = 1;
   1630		fallthrough;
   1631	case 0x8b: /* MOV r16/r32/r64, m16/m32/m64 */
   1632		if (!*bytes)
   1633			*bytes = insn->opnd_bytes;
   1634		type = MMIO_READ;
   1635		break;
   1636
   1637	case 0xa4: /* MOVS m8, m8 */
   1638		*bytes = 1;
   1639		fallthrough;
   1640	case 0xa5: /* MOVS m16/m32/m64, m16/m32/m64 */
   1641		if (!*bytes)
   1642			*bytes = insn->opnd_bytes;
   1643		type = MMIO_MOVS;
   1644		break;
   1645
   1646	case 0x0f: /* Two-byte instruction */
   1647		switch (insn->opcode.bytes[1]) {
   1648		case 0xb6: /* MOVZX r16/r32/r64, m8 */
   1649			*bytes = 1;
   1650			fallthrough;
   1651		case 0xb7: /* MOVZX r32/r64, m16 */
   1652			if (!*bytes)
   1653				*bytes = 2;
   1654			type = MMIO_READ_ZERO_EXTEND;
   1655			break;
   1656
   1657		case 0xbe: /* MOVSX r16/r32/r64, m8 */
   1658			*bytes = 1;
   1659			fallthrough;
   1660		case 0xbf: /* MOVSX r32/r64, m16 */
   1661			if (!*bytes)
   1662				*bytes = 2;
   1663			type = MMIO_READ_SIGN_EXTEND;
   1664			break;
   1665		}
   1666		break;
   1667	}
   1668
   1669	return type;
   1670}