xref: /openbmc/linux/arch/x86/lib/insn-eval.c (revision 8ffdff6a)
1 /*
2  * Utility functions for x86 operand and address decoding
3  *
4  * Copyright (C) Intel Corporation 2017
5  */
6 #include <linux/kernel.h>
7 #include <linux/string.h>
8 #include <linux/ratelimit.h>
9 #include <linux/mmu_context.h>
10 #include <asm/desc_defs.h>
11 #include <asm/desc.h>
12 #include <asm/inat.h>
13 #include <asm/insn.h>
14 #include <asm/insn-eval.h>
15 #include <asm/ldt.h>
16 #include <asm/vm86.h>
17 
18 #undef pr_fmt
19 #define pr_fmt(fmt) "insn: " fmt
20 
21 enum reg_type {
22 	REG_TYPE_RM = 0,
23 	REG_TYPE_REG,
24 	REG_TYPE_INDEX,
25 	REG_TYPE_BASE,
26 };
27 
28 /**
29  * is_string_insn() - Determine if instruction is a string instruction
30  * @insn:	Instruction containing the opcode to inspect
31  *
32  * Returns:
33  *
34  * true if the instruction, determined by the opcode, is any of the
35  * string instructions as defined in the Intel Software Development manual.
36  * False otherwise.
37  */
38 static bool is_string_insn(struct insn *insn)
39 {
40 	insn_get_opcode(insn);
41 
42 	/* All string instructions have a 1-byte opcode. */
43 	if (insn->opcode.nbytes != 1)
44 		return false;
45 
46 	switch (insn->opcode.bytes[0]) {
47 	case 0x6c ... 0x6f:	/* INS, OUTS */
48 	case 0xa4 ... 0xa7:	/* MOVS, CMPS */
49 	case 0xaa ... 0xaf:	/* STOS, LODS, SCAS */
50 		return true;
51 	default:
52 		return false;
53 	}
54 }
55 
56 /**
57  * insn_has_rep_prefix() - Determine if instruction has a REP prefix
58  * @insn:	Instruction containing the prefix to inspect
59  *
60  * Returns:
61  *
62  * true if the instruction has a REP prefix, false if not.
63  */
64 bool insn_has_rep_prefix(struct insn *insn)
65 {
66 	insn_byte_t p;
67 	int i;
68 
69 	insn_get_prefixes(insn);
70 
71 	for_each_insn_prefix(insn, i, p) {
72 		if (p == 0xf2 || p == 0xf3)
73 			return true;
74 	}
75 
76 	return false;
77 }
78 
79 /**
80  * get_seg_reg_override_idx() - obtain segment register override index
81  * @insn:	Valid instruction with segment override prefixes
82  *
83  * Inspect the instruction prefixes in @insn and find segment overrides, if any.
84  *
85  * Returns:
86  *
87  * A constant identifying the segment register to use, among CS, SS, DS,
88  * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override
89  * prefixes were found.
90  *
91  * -EINVAL in case of error.
92  */
93 static int get_seg_reg_override_idx(struct insn *insn)
94 {
95 	int idx = INAT_SEG_REG_DEFAULT;
96 	int num_overrides = 0, i;
97 	insn_byte_t p;
98 
99 	insn_get_prefixes(insn);
100 
101 	/* Look for any segment override prefixes. */
102 	for_each_insn_prefix(insn, i, p) {
103 		insn_attr_t attr;
104 
105 		attr = inat_get_opcode_attribute(p);
106 		switch (attr) {
107 		case INAT_MAKE_PREFIX(INAT_PFX_CS):
108 			idx = INAT_SEG_REG_CS;
109 			num_overrides++;
110 			break;
111 		case INAT_MAKE_PREFIX(INAT_PFX_SS):
112 			idx = INAT_SEG_REG_SS;
113 			num_overrides++;
114 			break;
115 		case INAT_MAKE_PREFIX(INAT_PFX_DS):
116 			idx = INAT_SEG_REG_DS;
117 			num_overrides++;
118 			break;
119 		case INAT_MAKE_PREFIX(INAT_PFX_ES):
120 			idx = INAT_SEG_REG_ES;
121 			num_overrides++;
122 			break;
123 		case INAT_MAKE_PREFIX(INAT_PFX_FS):
124 			idx = INAT_SEG_REG_FS;
125 			num_overrides++;
126 			break;
127 		case INAT_MAKE_PREFIX(INAT_PFX_GS):
128 			idx = INAT_SEG_REG_GS;
129 			num_overrides++;
130 			break;
131 		/* No default action needed. */
132 		}
133 	}
134 
135 	/* More than one segment override prefix leads to undefined behavior. */
136 	if (num_overrides > 1)
137 		return -EINVAL;
138 
139 	return idx;
140 }
141 
142 /**
143  * check_seg_overrides() - check if segment override prefixes are allowed
144  * @insn:	Valid instruction with segment override prefixes
145  * @regoff:	Operand offset, in pt_regs, for which the check is performed
146  *
147  * For a particular register used in register-indirect addressing, determine if
148  * segment override prefixes can be used. Specifically, no overrides are allowed
149  * for rDI if used with a string instruction.
150  *
151  * Returns:
152  *
153  * True if segment override prefixes can be used with the register indicated
154  * in @regoff. False if otherwise.
155  */
156 static bool check_seg_overrides(struct insn *insn, int regoff)
157 {
158 	if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn))
159 		return false;
160 
161 	return true;
162 }
163 
164 /**
165  * resolve_default_seg() - resolve default segment register index for an operand
166  * @insn:	Instruction with opcode and address size. Must be valid.
167  * @regs:	Register values as seen when entering kernel mode
168  * @off:	Operand offset, in pt_regs, for which resolution is needed
169  *
170  * Resolve the default segment register index associated with the instruction
171  * operand register indicated by @off. Such index is resolved based on defaults
172  * described in the Intel Software Development Manual.
173  *
174  * Returns:
175  *
176  * If in protected mode, a constant identifying the segment register to use,
177  * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE.
178  *
179  * -EINVAL in case of error.
180  */
181 static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off)
182 {
183 	if (any_64bit_mode(regs))
184 		return INAT_SEG_REG_IGNORE;
185 	/*
186 	 * Resolve the default segment register as described in Section 3.7.4
187 	 * of the Intel Software Development Manual Vol. 1:
188 	 *
189 	 *  + DS for all references involving r[ABCD]X, and rSI.
190 	 *  + If used in a string instruction, ES for rDI. Otherwise, DS.
191 	 *  + AX, CX and DX are not valid register operands in 16-bit address
192 	 *    encodings but are valid for 32-bit and 64-bit encodings.
193 	 *  + -EDOM is reserved to identify for cases in which no register
194 	 *    is used (i.e., displacement-only addressing). Use DS.
195 	 *  + SS for rSP or rBP.
196 	 *  + CS for rIP.
197 	 */
198 
199 	switch (off) {
200 	case offsetof(struct pt_regs, ax):
201 	case offsetof(struct pt_regs, cx):
202 	case offsetof(struct pt_regs, dx):
203 		/* Need insn to verify address size. */
204 		if (insn->addr_bytes == 2)
205 			return -EINVAL;
206 
207 		fallthrough;
208 
209 	case -EDOM:
210 	case offsetof(struct pt_regs, bx):
211 	case offsetof(struct pt_regs, si):
212 		return INAT_SEG_REG_DS;
213 
214 	case offsetof(struct pt_regs, di):
215 		if (is_string_insn(insn))
216 			return INAT_SEG_REG_ES;
217 		return INAT_SEG_REG_DS;
218 
219 	case offsetof(struct pt_regs, bp):
220 	case offsetof(struct pt_regs, sp):
221 		return INAT_SEG_REG_SS;
222 
223 	case offsetof(struct pt_regs, ip):
224 		return INAT_SEG_REG_CS;
225 
226 	default:
227 		return -EINVAL;
228 	}
229 }
230 
231 /**
232  * resolve_seg_reg() - obtain segment register index
233  * @insn:	Instruction with operands
234  * @regs:	Register values as seen when entering kernel mode
235  * @regoff:	Operand offset, in pt_regs, used to deterimine segment register
236  *
237  * Determine the segment register associated with the operands and, if
238  * applicable, prefixes and the instruction pointed by @insn.
239  *
240  * The segment register associated to an operand used in register-indirect
241  * addressing depends on:
242  *
243  * a) Whether running in long mode (in such a case segments are ignored, except
244  * if FS or GS are used).
245  *
246  * b) Whether segment override prefixes can be used. Certain instructions and
247  *    registers do not allow override prefixes.
248  *
249  * c) Whether segment overrides prefixes are found in the instruction prefixes.
250  *
251  * d) If there are not segment override prefixes or they cannot be used, the
252  *    default segment register associated with the operand register is used.
253  *
254  * The function checks first if segment override prefixes can be used with the
255  * operand indicated by @regoff. If allowed, obtain such overridden segment
256  * register index. Lastly, if not prefixes were found or cannot be used, resolve
257  * the segment register index to use based on the defaults described in the
258  * Intel documentation. In long mode, all segment register indexes will be
259  * ignored, except if overrides were found for FS or GS. All these operations
260  * are done using helper functions.
261  *
262  * The operand register, @regoff, is represented as the offset from the base of
263  * pt_regs.
264  *
265  * As stated, the main use of this function is to determine the segment register
266  * index based on the instruction, its operands and prefixes. Hence, @insn
267  * must be valid. However, if @regoff indicates rIP, we don't need to inspect
268  * @insn at all as in this case CS is used in all cases. This case is checked
269  * before proceeding further.
270  *
271  * Please note that this function does not return the value in the segment
272  * register (i.e., the segment selector) but our defined index. The segment
273  * selector needs to be obtained using get_segment_selector() and passing the
274  * segment register index resolved by this function.
275  *
276  * Returns:
277  *
278  * An index identifying the segment register to use, among CS, SS, DS,
279  * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode.
280  *
281  * -EINVAL in case of error.
282  */
283 static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff)
284 {
285 	int idx;
286 
287 	/*
288 	 * In the unlikely event of having to resolve the segment register
289 	 * index for rIP, do it first. Segment override prefixes should not
290 	 * be used. Hence, it is not necessary to inspect the instruction,
291 	 * which may be invalid at this point.
292 	 */
293 	if (regoff == offsetof(struct pt_regs, ip)) {
294 		if (any_64bit_mode(regs))
295 			return INAT_SEG_REG_IGNORE;
296 		else
297 			return INAT_SEG_REG_CS;
298 	}
299 
300 	if (!insn)
301 		return -EINVAL;
302 
303 	if (!check_seg_overrides(insn, regoff))
304 		return resolve_default_seg(insn, regs, regoff);
305 
306 	idx = get_seg_reg_override_idx(insn);
307 	if (idx < 0)
308 		return idx;
309 
310 	if (idx == INAT_SEG_REG_DEFAULT)
311 		return resolve_default_seg(insn, regs, regoff);
312 
313 	/*
314 	 * In long mode, segment override prefixes are ignored, except for
315 	 * overrides for FS and GS.
316 	 */
317 	if (any_64bit_mode(regs)) {
318 		if (idx != INAT_SEG_REG_FS &&
319 		    idx != INAT_SEG_REG_GS)
320 			idx = INAT_SEG_REG_IGNORE;
321 	}
322 
323 	return idx;
324 }
325 
326 /**
327  * get_segment_selector() - obtain segment selector
328  * @regs:		Register values as seen when entering kernel mode
329  * @seg_reg_idx:	Segment register index to use
330  *
331  * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment
332  * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or
333  * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained
334  * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU
335  * registers. This done for only for completeness as in CONFIG_X86_64 segment
336  * registers are ignored.
337  *
338  * Returns:
339  *
340  * Value of the segment selector, including null when running in
341  * long mode.
342  *
343  * -EINVAL on error.
344  */
345 static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx)
346 {
347 #ifdef CONFIG_X86_64
348 	unsigned short sel;
349 
350 	switch (seg_reg_idx) {
351 	case INAT_SEG_REG_IGNORE:
352 		return 0;
353 	case INAT_SEG_REG_CS:
354 		return (unsigned short)(regs->cs & 0xffff);
355 	case INAT_SEG_REG_SS:
356 		return (unsigned short)(regs->ss & 0xffff);
357 	case INAT_SEG_REG_DS:
358 		savesegment(ds, sel);
359 		return sel;
360 	case INAT_SEG_REG_ES:
361 		savesegment(es, sel);
362 		return sel;
363 	case INAT_SEG_REG_FS:
364 		savesegment(fs, sel);
365 		return sel;
366 	case INAT_SEG_REG_GS:
367 		savesegment(gs, sel);
368 		return sel;
369 	default:
370 		return -EINVAL;
371 	}
372 #else /* CONFIG_X86_32 */
373 	struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs;
374 
375 	if (v8086_mode(regs)) {
376 		switch (seg_reg_idx) {
377 		case INAT_SEG_REG_CS:
378 			return (unsigned short)(regs->cs & 0xffff);
379 		case INAT_SEG_REG_SS:
380 			return (unsigned short)(regs->ss & 0xffff);
381 		case INAT_SEG_REG_DS:
382 			return vm86regs->ds;
383 		case INAT_SEG_REG_ES:
384 			return vm86regs->es;
385 		case INAT_SEG_REG_FS:
386 			return vm86regs->fs;
387 		case INAT_SEG_REG_GS:
388 			return vm86regs->gs;
389 		case INAT_SEG_REG_IGNORE:
390 		default:
391 			return -EINVAL;
392 		}
393 	}
394 
395 	switch (seg_reg_idx) {
396 	case INAT_SEG_REG_CS:
397 		return (unsigned short)(regs->cs & 0xffff);
398 	case INAT_SEG_REG_SS:
399 		return (unsigned short)(regs->ss & 0xffff);
400 	case INAT_SEG_REG_DS:
401 		return (unsigned short)(regs->ds & 0xffff);
402 	case INAT_SEG_REG_ES:
403 		return (unsigned short)(regs->es & 0xffff);
404 	case INAT_SEG_REG_FS:
405 		return (unsigned short)(regs->fs & 0xffff);
406 	case INAT_SEG_REG_GS:
407 		/*
408 		 * GS may or may not be in regs as per CONFIG_X86_32_LAZY_GS.
409 		 * The macro below takes care of both cases.
410 		 */
411 		return get_user_gs(regs);
412 	case INAT_SEG_REG_IGNORE:
413 	default:
414 		return -EINVAL;
415 	}
416 #endif /* CONFIG_X86_64 */
417 }
418 
419 static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
420 			  enum reg_type type)
421 {
422 	int regno = 0;
423 
424 	static const int regoff[] = {
425 		offsetof(struct pt_regs, ax),
426 		offsetof(struct pt_regs, cx),
427 		offsetof(struct pt_regs, dx),
428 		offsetof(struct pt_regs, bx),
429 		offsetof(struct pt_regs, sp),
430 		offsetof(struct pt_regs, bp),
431 		offsetof(struct pt_regs, si),
432 		offsetof(struct pt_regs, di),
433 #ifdef CONFIG_X86_64
434 		offsetof(struct pt_regs, r8),
435 		offsetof(struct pt_regs, r9),
436 		offsetof(struct pt_regs, r10),
437 		offsetof(struct pt_regs, r11),
438 		offsetof(struct pt_regs, r12),
439 		offsetof(struct pt_regs, r13),
440 		offsetof(struct pt_regs, r14),
441 		offsetof(struct pt_regs, r15),
442 #endif
443 	};
444 	int nr_registers = ARRAY_SIZE(regoff);
445 	/*
446 	 * Don't possibly decode a 32-bit instructions as
447 	 * reading a 64-bit-only register.
448 	 */
449 	if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64)
450 		nr_registers -= 8;
451 
452 	switch (type) {
453 	case REG_TYPE_RM:
454 		regno = X86_MODRM_RM(insn->modrm.value);
455 
456 		/*
457 		 * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement
458 		 * follows the ModRM byte.
459 		 */
460 		if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
461 			return -EDOM;
462 
463 		if (X86_REX_B(insn->rex_prefix.value))
464 			regno += 8;
465 		break;
466 
467 	case REG_TYPE_REG:
468 		regno = X86_MODRM_REG(insn->modrm.value);
469 
470 		if (X86_REX_R(insn->rex_prefix.value))
471 			regno += 8;
472 		break;
473 
474 	case REG_TYPE_INDEX:
475 		regno = X86_SIB_INDEX(insn->sib.value);
476 		if (X86_REX_X(insn->rex_prefix.value))
477 			regno += 8;
478 
479 		/*
480 		 * If ModRM.mod != 3 and SIB.index = 4 the scale*index
481 		 * portion of the address computation is null. This is
482 		 * true only if REX.X is 0. In such a case, the SIB index
483 		 * is used in the address computation.
484 		 */
485 		if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4)
486 			return -EDOM;
487 		break;
488 
489 	case REG_TYPE_BASE:
490 		regno = X86_SIB_BASE(insn->sib.value);
491 		/*
492 		 * If ModRM.mod is 0 and SIB.base == 5, the base of the
493 		 * register-indirect addressing is 0. In this case, a
494 		 * 32-bit displacement follows the SIB byte.
495 		 */
496 		if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
497 			return -EDOM;
498 
499 		if (X86_REX_B(insn->rex_prefix.value))
500 			regno += 8;
501 		break;
502 
503 	default:
504 		pr_err_ratelimited("invalid register type: %d\n", type);
505 		return -EINVAL;
506 	}
507 
508 	if (regno >= nr_registers) {
509 		WARN_ONCE(1, "decoded an instruction with an invalid register");
510 		return -EINVAL;
511 	}
512 	return regoff[regno];
513 }
514 
515 /**
516  * get_reg_offset_16() - Obtain offset of register indicated by instruction
517  * @insn:	Instruction containing ModRM byte
518  * @regs:	Register values as seen when entering kernel mode
519  * @offs1:	Offset of the first operand register
520  * @offs2:	Offset of the second opeand register, if applicable
521  *
522  * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte
523  * in @insn. This function is to be used with 16-bit address encodings. The
524  * @offs1 and @offs2 will be written with the offset of the two registers
525  * indicated by the instruction. In cases where any of the registers is not
526  * referenced by the instruction, the value will be set to -EDOM.
527  *
528  * Returns:
529  *
530  * 0 on success, -EINVAL on error.
531  */
532 static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs,
533 			     int *offs1, int *offs2)
534 {
535 	/*
536 	 * 16-bit addressing can use one or two registers. Specifics of
537 	 * encodings are given in Table 2-1. "16-Bit Addressing Forms with the
538 	 * ModR/M Byte" of the Intel Software Development Manual.
539 	 */
540 	static const int regoff1[] = {
541 		offsetof(struct pt_regs, bx),
542 		offsetof(struct pt_regs, bx),
543 		offsetof(struct pt_regs, bp),
544 		offsetof(struct pt_regs, bp),
545 		offsetof(struct pt_regs, si),
546 		offsetof(struct pt_regs, di),
547 		offsetof(struct pt_regs, bp),
548 		offsetof(struct pt_regs, bx),
549 	};
550 
551 	static const int regoff2[] = {
552 		offsetof(struct pt_regs, si),
553 		offsetof(struct pt_regs, di),
554 		offsetof(struct pt_regs, si),
555 		offsetof(struct pt_regs, di),
556 		-EDOM,
557 		-EDOM,
558 		-EDOM,
559 		-EDOM,
560 	};
561 
562 	if (!offs1 || !offs2)
563 		return -EINVAL;
564 
565 	/* Operand is a register, use the generic function. */
566 	if (X86_MODRM_MOD(insn->modrm.value) == 3) {
567 		*offs1 = insn_get_modrm_rm_off(insn, regs);
568 		*offs2 = -EDOM;
569 		return 0;
570 	}
571 
572 	*offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)];
573 	*offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)];
574 
575 	/*
576 	 * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement-
577 	 * only addressing. This means that no registers are involved in
578 	 * computing the effective address. Thus, ensure that the first
579 	 * register offset is invalild. The second register offset is already
580 	 * invalid under the aforementioned conditions.
581 	 */
582 	if ((X86_MODRM_MOD(insn->modrm.value) == 0) &&
583 	    (X86_MODRM_RM(insn->modrm.value) == 6))
584 		*offs1 = -EDOM;
585 
586 	return 0;
587 }
588 
589 /**
590  * get_desc() - Obtain contents of a segment descriptor
591  * @out:	Segment descriptor contents on success
592  * @sel:	Segment selector
593  *
594  * Given a segment selector, obtain a pointer to the segment descriptor.
595  * Both global and local descriptor tables are supported.
596  *
597  * Returns:
598  *
599  * True on success, false on failure.
600  *
601  * NULL on error.
602  */
603 static bool get_desc(struct desc_struct *out, unsigned short sel)
604 {
605 	struct desc_ptr gdt_desc = {0, 0};
606 	unsigned long desc_base;
607 
608 #ifdef CONFIG_MODIFY_LDT_SYSCALL
609 	if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) {
610 		bool success = false;
611 		struct ldt_struct *ldt;
612 
613 		/* Bits [15:3] contain the index of the desired entry. */
614 		sel >>= 3;
615 
616 		mutex_lock(&current->active_mm->context.lock);
617 		ldt = current->active_mm->context.ldt;
618 		if (ldt && sel < ldt->nr_entries) {
619 			*out = ldt->entries[sel];
620 			success = true;
621 		}
622 
623 		mutex_unlock(&current->active_mm->context.lock);
624 
625 		return success;
626 	}
627 #endif
628 	native_store_gdt(&gdt_desc);
629 
630 	/*
631 	 * Segment descriptors have a size of 8 bytes. Thus, the index is
632 	 * multiplied by 8 to obtain the memory offset of the desired descriptor
633 	 * from the base of the GDT. As bits [15:3] of the segment selector
634 	 * contain the index, it can be regarded as multiplied by 8 already.
635 	 * All that remains is to clear bits [2:0].
636 	 */
637 	desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK);
638 
639 	if (desc_base > gdt_desc.size)
640 		return false;
641 
642 	*out = *(struct desc_struct *)(gdt_desc.address + desc_base);
643 	return true;
644 }
645 
646 /**
647  * insn_get_seg_base() - Obtain base address of segment descriptor.
648  * @regs:		Register values as seen when entering kernel mode
649  * @seg_reg_idx:	Index of the segment register pointing to seg descriptor
650  *
651  * Obtain the base address of the segment as indicated by the segment descriptor
652  * pointed by the segment selector. The segment selector is obtained from the
653  * input segment register index @seg_reg_idx.
654  *
655  * Returns:
656  *
657  * In protected mode, base address of the segment. Zero in long mode,
658  * except when FS or GS are used. In virtual-8086 mode, the segment
659  * selector shifted 4 bits to the right.
660  *
661  * -1L in case of error.
662  */
663 unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx)
664 {
665 	struct desc_struct desc;
666 	short sel;
667 
668 	sel = get_segment_selector(regs, seg_reg_idx);
669 	if (sel < 0)
670 		return -1L;
671 
672 	if (v8086_mode(regs))
673 		/*
674 		 * Base is simply the segment selector shifted 4
675 		 * bits to the right.
676 		 */
677 		return (unsigned long)(sel << 4);
678 
679 	if (any_64bit_mode(regs)) {
680 		/*
681 		 * Only FS or GS will have a base address, the rest of
682 		 * the segments' bases are forced to 0.
683 		 */
684 		unsigned long base;
685 
686 		if (seg_reg_idx == INAT_SEG_REG_FS) {
687 			rdmsrl(MSR_FS_BASE, base);
688 		} else if (seg_reg_idx == INAT_SEG_REG_GS) {
689 			/*
690 			 * swapgs was called at the kernel entry point. Thus,
691 			 * MSR_KERNEL_GS_BASE will have the user-space GS base.
692 			 */
693 			if (user_mode(regs))
694 				rdmsrl(MSR_KERNEL_GS_BASE, base);
695 			else
696 				rdmsrl(MSR_GS_BASE, base);
697 		} else {
698 			base = 0;
699 		}
700 		return base;
701 	}
702 
703 	/* In protected mode the segment selector cannot be null. */
704 	if (!sel)
705 		return -1L;
706 
707 	if (!get_desc(&desc, sel))
708 		return -1L;
709 
710 	return get_desc_base(&desc);
711 }
712 
713 /**
714  * get_seg_limit() - Obtain the limit of a segment descriptor
715  * @regs:		Register values as seen when entering kernel mode
716  * @seg_reg_idx:	Index of the segment register pointing to seg descriptor
717  *
718  * Obtain the limit of the segment as indicated by the segment descriptor
719  * pointed by the segment selector. The segment selector is obtained from the
720  * input segment register index @seg_reg_idx.
721  *
722  * Returns:
723  *
724  * In protected mode, the limit of the segment descriptor in bytes.
725  * In long mode and virtual-8086 mode, segment limits are not enforced. Thus,
726  * limit is returned as -1L to imply a limit-less segment.
727  *
728  * Zero is returned on error.
729  */
730 static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx)
731 {
732 	struct desc_struct desc;
733 	unsigned long limit;
734 	short sel;
735 
736 	sel = get_segment_selector(regs, seg_reg_idx);
737 	if (sel < 0)
738 		return 0;
739 
740 	if (any_64bit_mode(regs) || v8086_mode(regs))
741 		return -1L;
742 
743 	if (!sel)
744 		return 0;
745 
746 	if (!get_desc(&desc, sel))
747 		return 0;
748 
749 	/*
750 	 * If the granularity bit is set, the limit is given in multiples
751 	 * of 4096. This also means that the 12 least significant bits are
752 	 * not tested when checking the segment limits. In practice,
753 	 * this means that the segment ends in (limit << 12) + 0xfff.
754 	 */
755 	limit = get_desc_limit(&desc);
756 	if (desc.g)
757 		limit = (limit << 12) + 0xfff;
758 
759 	return limit;
760 }
761 
762 /**
763  * insn_get_code_seg_params() - Obtain code segment parameters
764  * @regs:	Structure with register values as seen when entering kernel mode
765  *
766  * Obtain address and operand sizes of the code segment. It is obtained from the
767  * selector contained in the CS register in regs. In protected mode, the default
768  * address is determined by inspecting the L and D bits of the segment
769  * descriptor. In virtual-8086 mode, the default is always two bytes for both
770  * address and operand sizes.
771  *
772  * Returns:
773  *
774  * An int containing ORed-in default parameters on success.
775  *
776  * -EINVAL on error.
777  */
778 int insn_get_code_seg_params(struct pt_regs *regs)
779 {
780 	struct desc_struct desc;
781 	short sel;
782 
783 	if (v8086_mode(regs))
784 		/* Address and operand size are both 16-bit. */
785 		return INSN_CODE_SEG_PARAMS(2, 2);
786 
787 	sel = get_segment_selector(regs, INAT_SEG_REG_CS);
788 	if (sel < 0)
789 		return sel;
790 
791 	if (!get_desc(&desc, sel))
792 		return -EINVAL;
793 
794 	/*
795 	 * The most significant byte of the Type field of the segment descriptor
796 	 * determines whether a segment contains data or code. If this is a data
797 	 * segment, return error.
798 	 */
799 	if (!(desc.type & BIT(3)))
800 		return -EINVAL;
801 
802 	switch ((desc.l << 1) | desc.d) {
803 	case 0: /*
804 		 * Legacy mode. CS.L=0, CS.D=0. Address and operand size are
805 		 * both 16-bit.
806 		 */
807 		return INSN_CODE_SEG_PARAMS(2, 2);
808 	case 1: /*
809 		 * Legacy mode. CS.L=0, CS.D=1. Address and operand size are
810 		 * both 32-bit.
811 		 */
812 		return INSN_CODE_SEG_PARAMS(4, 4);
813 	case 2: /*
814 		 * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit;
815 		 * operand size is 32-bit.
816 		 */
817 		return INSN_CODE_SEG_PARAMS(4, 8);
818 	case 3: /* Invalid setting. CS.L=1, CS.D=1 */
819 		fallthrough;
820 	default:
821 		return -EINVAL;
822 	}
823 }
824 
825 /**
826  * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte
827  * @insn:	Instruction containing the ModRM byte
828  * @regs:	Register values as seen when entering kernel mode
829  *
830  * Returns:
831  *
832  * The register indicated by the r/m part of the ModRM byte. The
833  * register is obtained as an offset from the base of pt_regs. In specific
834  * cases, the returned value can be -EDOM to indicate that the particular value
835  * of ModRM does not refer to a register and shall be ignored.
836  */
837 int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs)
838 {
839 	return get_reg_offset(insn, regs, REG_TYPE_RM);
840 }
841 
842 /**
843  * insn_get_modrm_reg_off() - Obtain register in reg part of the ModRM byte
844  * @insn:	Instruction containing the ModRM byte
845  * @regs:	Register values as seen when entering kernel mode
846  *
847  * Returns:
848  *
849  * The register indicated by the reg part of the ModRM byte. The
850  * register is obtained as an offset from the base of pt_regs.
851  */
852 int insn_get_modrm_reg_off(struct insn *insn, struct pt_regs *regs)
853 {
854 	return get_reg_offset(insn, regs, REG_TYPE_REG);
855 }
856 
857 /**
858  * get_seg_base_limit() - obtain base address and limit of a segment
859  * @insn:	Instruction. Must be valid.
860  * @regs:	Register values as seen when entering kernel mode
861  * @regoff:	Operand offset, in pt_regs, used to resolve segment descriptor
862  * @base:	Obtained segment base
863  * @limit:	Obtained segment limit
864  *
865  * Obtain the base address and limit of the segment associated with the operand
866  * @regoff and, if any or allowed, override prefixes in @insn. This function is
867  * different from insn_get_seg_base() as the latter does not resolve the segment
868  * associated with the instruction operand. If a limit is not needed (e.g.,
869  * when running in long mode), @limit can be NULL.
870  *
871  * Returns:
872  *
873  * 0 on success. @base and @limit will contain the base address and of the
874  * resolved segment, respectively.
875  *
876  * -EINVAL on error.
877  */
878 static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs,
879 			      int regoff, unsigned long *base,
880 			      unsigned long *limit)
881 {
882 	int seg_reg_idx;
883 
884 	if (!base)
885 		return -EINVAL;
886 
887 	seg_reg_idx = resolve_seg_reg(insn, regs, regoff);
888 	if (seg_reg_idx < 0)
889 		return seg_reg_idx;
890 
891 	*base = insn_get_seg_base(regs, seg_reg_idx);
892 	if (*base == -1L)
893 		return -EINVAL;
894 
895 	if (!limit)
896 		return 0;
897 
898 	*limit = get_seg_limit(regs, seg_reg_idx);
899 	if (!(*limit))
900 		return -EINVAL;
901 
902 	return 0;
903 }
904 
905 /**
906  * get_eff_addr_reg() - Obtain effective address from register operand
907  * @insn:	Instruction. Must be valid.
908  * @regs:	Register values as seen when entering kernel mode
909  * @regoff:	Obtained operand offset, in pt_regs, with the effective address
910  * @eff_addr:	Obtained effective address
911  *
912  * Obtain the effective address stored in the register operand as indicated by
913  * the ModRM byte. This function is to be used only with register addressing
914  * (i.e.,  ModRM.mod is 3). The effective address is saved in @eff_addr. The
915  * register operand, as an offset from the base of pt_regs, is saved in @regoff;
916  * such offset can then be used to resolve the segment associated with the
917  * operand. This function can be used with any of the supported address sizes
918  * in x86.
919  *
920  * Returns:
921  *
922  * 0 on success. @eff_addr will have the effective address stored in the
923  * operand indicated by ModRM. @regoff will have such operand as an offset from
924  * the base of pt_regs.
925  *
926  * -EINVAL on error.
927  */
928 static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs,
929 			    int *regoff, long *eff_addr)
930 {
931 	insn_get_modrm(insn);
932 
933 	if (!insn->modrm.nbytes)
934 		return -EINVAL;
935 
936 	if (X86_MODRM_MOD(insn->modrm.value) != 3)
937 		return -EINVAL;
938 
939 	*regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
940 	if (*regoff < 0)
941 		return -EINVAL;
942 
943 	/* Ignore bytes that are outside the address size. */
944 	if (insn->addr_bytes == 2)
945 		*eff_addr = regs_get_register(regs, *regoff) & 0xffff;
946 	else if (insn->addr_bytes == 4)
947 		*eff_addr = regs_get_register(regs, *regoff) & 0xffffffff;
948 	else /* 64-bit address */
949 		*eff_addr = regs_get_register(regs, *regoff);
950 
951 	return 0;
952 }
953 
954 /**
955  * get_eff_addr_modrm() - Obtain referenced effective address via ModRM
956  * @insn:	Instruction. Must be valid.
957  * @regs:	Register values as seen when entering kernel mode
958  * @regoff:	Obtained operand offset, in pt_regs, associated with segment
959  * @eff_addr:	Obtained effective address
960  *
961  * Obtain the effective address referenced by the ModRM byte of @insn. After
962  * identifying the registers involved in the register-indirect memory reference,
963  * its value is obtained from the operands in @regs. The computed address is
964  * stored @eff_addr. Also, the register operand that indicates the associated
965  * segment is stored in @regoff, this parameter can later be used to determine
966  * such segment.
967  *
968  * Returns:
969  *
970  * 0 on success. @eff_addr will have the referenced effective address. @regoff
971  * will have a register, as an offset from the base of pt_regs, that can be used
972  * to resolve the associated segment.
973  *
974  * -EINVAL on error.
975  */
976 static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs,
977 			      int *regoff, long *eff_addr)
978 {
979 	long tmp;
980 
981 	if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
982 		return -EINVAL;
983 
984 	insn_get_modrm(insn);
985 
986 	if (!insn->modrm.nbytes)
987 		return -EINVAL;
988 
989 	if (X86_MODRM_MOD(insn->modrm.value) > 2)
990 		return -EINVAL;
991 
992 	*regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
993 
994 	/*
995 	 * -EDOM means that we must ignore the address_offset. In such a case,
996 	 * in 64-bit mode the effective address relative to the rIP of the
997 	 * following instruction.
998 	 */
999 	if (*regoff == -EDOM) {
1000 		if (any_64bit_mode(regs))
1001 			tmp = regs->ip + insn->length;
1002 		else
1003 			tmp = 0;
1004 	} else if (*regoff < 0) {
1005 		return -EINVAL;
1006 	} else {
1007 		tmp = regs_get_register(regs, *regoff);
1008 	}
1009 
1010 	if (insn->addr_bytes == 4) {
1011 		int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value;
1012 
1013 		*eff_addr = addr32 & 0xffffffff;
1014 	} else {
1015 		*eff_addr = tmp + insn->displacement.value;
1016 	}
1017 
1018 	return 0;
1019 }
1020 
1021 /**
1022  * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM
1023  * @insn:	Instruction. Must be valid.
1024  * @regs:	Register values as seen when entering kernel mode
1025  * @regoff:	Obtained operand offset, in pt_regs, associated with segment
1026  * @eff_addr:	Obtained effective address
1027  *
1028  * Obtain the 16-bit effective address referenced by the ModRM byte of @insn.
1029  * After identifying the registers involved in the register-indirect memory
1030  * reference, its value is obtained from the operands in @regs. The computed
1031  * address is stored @eff_addr. Also, the register operand that indicates
1032  * the associated segment is stored in @regoff, this parameter can later be used
1033  * to determine such segment.
1034  *
1035  * Returns:
1036  *
1037  * 0 on success. @eff_addr will have the referenced effective address. @regoff
1038  * will have a register, as an offset from the base of pt_regs, that can be used
1039  * to resolve the associated segment.
1040  *
1041  * -EINVAL on error.
1042  */
1043 static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs,
1044 				 int *regoff, short *eff_addr)
1045 {
1046 	int addr_offset1, addr_offset2, ret;
1047 	short addr1 = 0, addr2 = 0, displacement;
1048 
1049 	if (insn->addr_bytes != 2)
1050 		return -EINVAL;
1051 
1052 	insn_get_modrm(insn);
1053 
1054 	if (!insn->modrm.nbytes)
1055 		return -EINVAL;
1056 
1057 	if (X86_MODRM_MOD(insn->modrm.value) > 2)
1058 		return -EINVAL;
1059 
1060 	ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2);
1061 	if (ret < 0)
1062 		return -EINVAL;
1063 
1064 	/*
1065 	 * Don't fail on invalid offset values. They might be invalid because
1066 	 * they cannot be used for this particular value of ModRM. Instead, use
1067 	 * them in the computation only if they contain a valid value.
1068 	 */
1069 	if (addr_offset1 != -EDOM)
1070 		addr1 = regs_get_register(regs, addr_offset1) & 0xffff;
1071 
1072 	if (addr_offset2 != -EDOM)
1073 		addr2 = regs_get_register(regs, addr_offset2) & 0xffff;
1074 
1075 	displacement = insn->displacement.value & 0xffff;
1076 	*eff_addr = addr1 + addr2 + displacement;
1077 
1078 	/*
1079 	 * The first operand register could indicate to use of either SS or DS
1080 	 * registers to obtain the segment selector.  The second operand
1081 	 * register can only indicate the use of DS. Thus, the first operand
1082 	 * will be used to obtain the segment selector.
1083 	 */
1084 	*regoff = addr_offset1;
1085 
1086 	return 0;
1087 }
1088 
1089 /**
1090  * get_eff_addr_sib() - Obtain referenced effective address via SIB
1091  * @insn:	Instruction. Must be valid.
1092  * @regs:	Register values as seen when entering kernel mode
1093  * @regoff:	Obtained operand offset, in pt_regs, associated with segment
1094  * @eff_addr:	Obtained effective address
1095  *
1096  * Obtain the effective address referenced by the SIB byte of @insn. After
1097  * identifying the registers involved in the indexed, register-indirect memory
1098  * reference, its value is obtained from the operands in @regs. The computed
1099  * address is stored @eff_addr. Also, the register operand that indicates the
1100  * associated segment is stored in @regoff, this parameter can later be used to
1101  * determine such segment.
1102  *
1103  * Returns:
1104  *
1105  * 0 on success. @eff_addr will have the referenced effective address.
1106  * @base_offset will have a register, as an offset from the base of pt_regs,
1107  * that can be used to resolve the associated segment.
1108  *
1109  * -EINVAL on error.
1110  */
1111 static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs,
1112 			    int *base_offset, long *eff_addr)
1113 {
1114 	long base, indx;
1115 	int indx_offset;
1116 
1117 	if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
1118 		return -EINVAL;
1119 
1120 	insn_get_modrm(insn);
1121 
1122 	if (!insn->modrm.nbytes)
1123 		return -EINVAL;
1124 
1125 	if (X86_MODRM_MOD(insn->modrm.value) > 2)
1126 		return -EINVAL;
1127 
1128 	insn_get_sib(insn);
1129 
1130 	if (!insn->sib.nbytes)
1131 		return -EINVAL;
1132 
1133 	*base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE);
1134 	indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX);
1135 
1136 	/*
1137 	 * Negative values in the base and index offset means an error when
1138 	 * decoding the SIB byte. Except -EDOM, which means that the registers
1139 	 * should not be used in the address computation.
1140 	 */
1141 	if (*base_offset == -EDOM)
1142 		base = 0;
1143 	else if (*base_offset < 0)
1144 		return -EINVAL;
1145 	else
1146 		base = regs_get_register(regs, *base_offset);
1147 
1148 	if (indx_offset == -EDOM)
1149 		indx = 0;
1150 	else if (indx_offset < 0)
1151 		return -EINVAL;
1152 	else
1153 		indx = regs_get_register(regs, indx_offset);
1154 
1155 	if (insn->addr_bytes == 4) {
1156 		int addr32, base32, idx32;
1157 
1158 		base32 = base & 0xffffffff;
1159 		idx32 = indx & 0xffffffff;
1160 
1161 		addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value));
1162 		addr32 += insn->displacement.value;
1163 
1164 		*eff_addr = addr32 & 0xffffffff;
1165 	} else {
1166 		*eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value));
1167 		*eff_addr += insn->displacement.value;
1168 	}
1169 
1170 	return 0;
1171 }
1172 
1173 /**
1174  * get_addr_ref_16() - Obtain the 16-bit address referred by instruction
1175  * @insn:	Instruction containing ModRM byte and displacement
1176  * @regs:	Register values as seen when entering kernel mode
1177  *
1178  * This function is to be used with 16-bit address encodings. Obtain the memory
1179  * address referred by the instruction's ModRM and displacement bytes. Also, the
1180  * segment used as base is determined by either any segment override prefixes in
1181  * @insn or the default segment of the registers involved in the address
1182  * computation. In protected mode, segment limits are enforced.
1183  *
1184  * Returns:
1185  *
1186  * Linear address referenced by the instruction operands on success.
1187  *
1188  * -1L on error.
1189  */
1190 static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs)
1191 {
1192 	unsigned long linear_addr = -1L, seg_base, seg_limit;
1193 	int ret, regoff;
1194 	short eff_addr;
1195 	long tmp;
1196 
1197 	insn_get_modrm(insn);
1198 	insn_get_displacement(insn);
1199 
1200 	if (insn->addr_bytes != 2)
1201 		goto out;
1202 
1203 	if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1204 		ret = get_eff_addr_reg(insn, regs, &regoff, &tmp);
1205 		if (ret)
1206 			goto out;
1207 
1208 		eff_addr = tmp;
1209 	} else {
1210 		ret = get_eff_addr_modrm_16(insn, regs, &regoff, &eff_addr);
1211 		if (ret)
1212 			goto out;
1213 	}
1214 
1215 	ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
1216 	if (ret)
1217 		goto out;
1218 
1219 	/*
1220 	 * Before computing the linear address, make sure the effective address
1221 	 * is within the limits of the segment. In virtual-8086 mode, segment
1222 	 * limits are not enforced. In such a case, the segment limit is -1L to
1223 	 * reflect this fact.
1224 	 */
1225 	if ((unsigned long)(eff_addr & 0xffff) > seg_limit)
1226 		goto out;
1227 
1228 	linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base;
1229 
1230 	/* Limit linear address to 20 bits */
1231 	if (v8086_mode(regs))
1232 		linear_addr &= 0xfffff;
1233 
1234 out:
1235 	return (void __user *)linear_addr;
1236 }
1237 
1238 /**
1239  * get_addr_ref_32() - Obtain a 32-bit linear address
1240  * @insn:	Instruction with ModRM, SIB bytes and displacement
1241  * @regs:	Register values as seen when entering kernel mode
1242  *
1243  * This function is to be used with 32-bit address encodings to obtain the
1244  * linear memory address referred by the instruction's ModRM, SIB,
1245  * displacement bytes and segment base address, as applicable. If in protected
1246  * mode, segment limits are enforced.
1247  *
1248  * Returns:
1249  *
1250  * Linear address referenced by instruction and registers on success.
1251  *
1252  * -1L on error.
1253  */
1254 static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs)
1255 {
1256 	unsigned long linear_addr = -1L, seg_base, seg_limit;
1257 	int eff_addr, regoff;
1258 	long tmp;
1259 	int ret;
1260 
1261 	if (insn->addr_bytes != 4)
1262 		goto out;
1263 
1264 	if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1265 		ret = get_eff_addr_reg(insn, regs, &regoff, &tmp);
1266 		if (ret)
1267 			goto out;
1268 
1269 		eff_addr = tmp;
1270 
1271 	} else {
1272 		if (insn->sib.nbytes) {
1273 			ret = get_eff_addr_sib(insn, regs, &regoff, &tmp);
1274 			if (ret)
1275 				goto out;
1276 
1277 			eff_addr = tmp;
1278 		} else {
1279 			ret = get_eff_addr_modrm(insn, regs, &regoff, &tmp);
1280 			if (ret)
1281 				goto out;
1282 
1283 			eff_addr = tmp;
1284 		}
1285 	}
1286 
1287 	ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
1288 	if (ret)
1289 		goto out;
1290 
1291 	/*
1292 	 * In protected mode, before computing the linear address, make sure
1293 	 * the effective address is within the limits of the segment.
1294 	 * 32-bit addresses can be used in long and virtual-8086 modes if an
1295 	 * address override prefix is used. In such cases, segment limits are
1296 	 * not enforced. When in virtual-8086 mode, the segment limit is -1L
1297 	 * to reflect this situation.
1298 	 *
1299 	 * After computed, the effective address is treated as an unsigned
1300 	 * quantity.
1301 	 */
1302 	if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit))
1303 		goto out;
1304 
1305 	/*
1306 	 * Even though 32-bit address encodings are allowed in virtual-8086
1307 	 * mode, the address range is still limited to [0x-0xffff].
1308 	 */
1309 	if (v8086_mode(regs) && (eff_addr & ~0xffff))
1310 		goto out;
1311 
1312 	/*
1313 	 * Data type long could be 64 bits in size. Ensure that our 32-bit
1314 	 * effective address is not sign-extended when computing the linear
1315 	 * address.
1316 	 */
1317 	linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base;
1318 
1319 	/* Limit linear address to 20 bits */
1320 	if (v8086_mode(regs))
1321 		linear_addr &= 0xfffff;
1322 
1323 out:
1324 	return (void __user *)linear_addr;
1325 }
1326 
1327 /**
1328  * get_addr_ref_64() - Obtain a 64-bit linear address
1329  * @insn:	Instruction struct with ModRM and SIB bytes and displacement
1330  * @regs:	Structure with register values as seen when entering kernel mode
1331  *
1332  * This function is to be used with 64-bit address encodings to obtain the
1333  * linear memory address referred by the instruction's ModRM, SIB,
1334  * displacement bytes and segment base address, as applicable.
1335  *
1336  * Returns:
1337  *
1338  * Linear address referenced by instruction and registers on success.
1339  *
1340  * -1L on error.
1341  */
1342 #ifndef CONFIG_X86_64
1343 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
1344 {
1345 	return (void __user *)-1L;
1346 }
1347 #else
1348 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
1349 {
1350 	unsigned long linear_addr = -1L, seg_base;
1351 	int regoff, ret;
1352 	long eff_addr;
1353 
1354 	if (insn->addr_bytes != 8)
1355 		goto out;
1356 
1357 	if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1358 		ret = get_eff_addr_reg(insn, regs, &regoff, &eff_addr);
1359 		if (ret)
1360 			goto out;
1361 
1362 	} else {
1363 		if (insn->sib.nbytes) {
1364 			ret = get_eff_addr_sib(insn, regs, &regoff, &eff_addr);
1365 			if (ret)
1366 				goto out;
1367 		} else {
1368 			ret = get_eff_addr_modrm(insn, regs, &regoff, &eff_addr);
1369 			if (ret)
1370 				goto out;
1371 		}
1372 
1373 	}
1374 
1375 	ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL);
1376 	if (ret)
1377 		goto out;
1378 
1379 	linear_addr = (unsigned long)eff_addr + seg_base;
1380 
1381 out:
1382 	return (void __user *)linear_addr;
1383 }
1384 #endif /* CONFIG_X86_64 */
1385 
1386 /**
1387  * insn_get_addr_ref() - Obtain the linear address referred by instruction
1388  * @insn:	Instruction structure containing ModRM byte and displacement
1389  * @regs:	Structure with register values as seen when entering kernel mode
1390  *
1391  * Obtain the linear address referred by the instruction's ModRM, SIB and
1392  * displacement bytes, and segment base, as applicable. In protected mode,
1393  * segment limits are enforced.
1394  *
1395  * Returns:
1396  *
1397  * Linear address referenced by instruction and registers on success.
1398  *
1399  * -1L on error.
1400  */
1401 void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs)
1402 {
1403 	if (!insn || !regs)
1404 		return (void __user *)-1L;
1405 
1406 	switch (insn->addr_bytes) {
1407 	case 2:
1408 		return get_addr_ref_16(insn, regs);
1409 	case 4:
1410 		return get_addr_ref_32(insn, regs);
1411 	case 8:
1412 		return get_addr_ref_64(insn, regs);
1413 	default:
1414 		return (void __user *)-1L;
1415 	}
1416 }
1417 
1418 static unsigned long insn_get_effective_ip(struct pt_regs *regs)
1419 {
1420 	unsigned long seg_base = 0;
1421 
1422 	/*
1423 	 * If not in user-space long mode, a custom code segment could be in
1424 	 * use. This is true in protected mode (if the process defined a local
1425 	 * descriptor table), or virtual-8086 mode. In most of the cases
1426 	 * seg_base will be zero as in USER_CS.
1427 	 */
1428 	if (!user_64bit_mode(regs)) {
1429 		seg_base = insn_get_seg_base(regs, INAT_SEG_REG_CS);
1430 		if (seg_base == -1L)
1431 			return 0;
1432 	}
1433 
1434 	return seg_base + regs->ip;
1435 }
1436 
1437 /**
1438  * insn_fetch_from_user() - Copy instruction bytes from user-space memory
1439  * @regs:	Structure with register values as seen when entering kernel mode
1440  * @buf:	Array to store the fetched instruction
1441  *
1442  * Gets the linear address of the instruction and copies the instruction bytes
1443  * to the buf.
1444  *
1445  * Returns:
1446  *
1447  * Number of instruction bytes copied.
1448  *
1449  * 0 if nothing was copied.
1450  */
1451 int insn_fetch_from_user(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE])
1452 {
1453 	unsigned long ip;
1454 	int not_copied;
1455 
1456 	ip = insn_get_effective_ip(regs);
1457 	if (!ip)
1458 		return 0;
1459 
1460 	not_copied = copy_from_user(buf, (void __user *)ip, MAX_INSN_SIZE);
1461 
1462 	return MAX_INSN_SIZE - not_copied;
1463 }
1464 
1465 /**
1466  * insn_fetch_from_user_inatomic() - Copy instruction bytes from user-space memory
1467  *                                   while in atomic code
1468  * @regs:	Structure with register values as seen when entering kernel mode
1469  * @buf:	Array to store the fetched instruction
1470  *
1471  * Gets the linear address of the instruction and copies the instruction bytes
1472  * to the buf. This function must be used in atomic context.
1473  *
1474  * Returns:
1475  *
1476  * Number of instruction bytes copied.
1477  *
1478  * 0 if nothing was copied.
1479  */
1480 int insn_fetch_from_user_inatomic(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE])
1481 {
1482 	unsigned long ip;
1483 	int not_copied;
1484 
1485 	ip = insn_get_effective_ip(regs);
1486 	if (!ip)
1487 		return 0;
1488 
1489 	not_copied = __copy_from_user_inatomic(buf, (void __user *)ip, MAX_INSN_SIZE);
1490 
1491 	return MAX_INSN_SIZE - not_copied;
1492 }
1493 
1494 /**
1495  * insn_decode() - Decode an instruction
1496  * @insn:	Structure to store decoded instruction
1497  * @regs:	Structure with register values as seen when entering kernel mode
1498  * @buf:	Buffer containing the instruction bytes
1499  * @buf_size:   Number of instruction bytes available in buf
1500  *
1501  * Decodes the instruction provided in buf and stores the decoding results in
1502  * insn. Also determines the correct address and operand sizes.
1503  *
1504  * Returns:
1505  *
1506  * True if instruction was decoded, False otherwise.
1507  */
1508 bool insn_decode(struct insn *insn, struct pt_regs *regs,
1509 		 unsigned char buf[MAX_INSN_SIZE], int buf_size)
1510 {
1511 	int seg_defs;
1512 
1513 	insn_init(insn, buf, buf_size, user_64bit_mode(regs));
1514 
1515 	/*
1516 	 * Override the default operand and address sizes with what is specified
1517 	 * in the code segment descriptor. The instruction decoder only sets
1518 	 * the address size it to either 4 or 8 address bytes and does nothing
1519 	 * for the operand bytes. This OK for most of the cases, but we could
1520 	 * have special cases where, for instance, a 16-bit code segment
1521 	 * descriptor is used.
1522 	 * If there is an address override prefix, the instruction decoder
1523 	 * correctly updates these values, even for 16-bit defaults.
1524 	 */
1525 	seg_defs = insn_get_code_seg_params(regs);
1526 	if (seg_defs == -EINVAL)
1527 		return false;
1528 
1529 	insn->addr_bytes = INSN_CODE_SEG_ADDR_SZ(seg_defs);
1530 	insn->opnd_bytes = INSN_CODE_SEG_OPND_SZ(seg_defs);
1531 
1532 	insn_get_length(insn);
1533 	if (buf_size < insn->length)
1534 		return false;
1535 
1536 	return true;
1537 }
1538