1	/*
2	* Utility functions for x86 operand and address decoding
3	*
4	* Copyright (C) Intel Corporation 2017
5	*/
6	#include <linux/kernel.h>
7	#include <linux/string.h>
8	#include <linux/ratelimit.h>
9	#include <linux/mmu_context.h>
10	#include <asm/desc_defs.h>
11	#include <asm/desc.h>
12	#include <asm/inat.h>
13	#include <asm/insn.h>
14	#include <asm/insn-eval.h>
15	#include <asm/ldt.h>
16	#include <asm/vm86.h>
17
18	#undef pr_fmt
19	#define pr_fmt(fmt) "insn: " fmt
20
21	enum reg_type {
22	REG_TYPE_RM = 0,
23	REG_TYPE_REG,
24	REG_TYPE_INDEX,
25	REG_TYPE_BASE,
26	};
27
28	/**
29	* is_string_insn() - Determine if instruction is a string instruction
30	* @insn: Instruction containing the opcode to inspect
31	*
32	* Returns:
33	*
34	* true if the instruction, determined by the opcode, is any of the
35	* string instructions as defined in the Intel Software Development manual.
36	* False otherwise.
37	*/
38	static bool is_string_insn(struct insn *insn)
39	{
40	/* All string instructions have a 1-byte opcode. */
41	if (insn->opcode.nbytes != 1)
42	return false;
43
44	switch (insn->opcode.bytes[0]) {
45	case 0x6c ... 0x6f: /* INS, OUTS */
46	case 0xa4 ... 0xa7: /* MOVS, CMPS */
47	case 0xaa ... 0xaf: /* STOS, LODS, SCAS */
48	return true;
49	default:
50	return false;
51	}
52	}
53
54	/**
55	* insn_has_rep_prefix() - Determine if instruction has a REP prefix
56	* @insn: Instruction containing the prefix to inspect
57	*
58	* Returns:
59	*
60	* true if the instruction has a REP prefix, false if not.
61	*/
62	bool insn_has_rep_prefix(struct insn *insn)
63	{
64	insn_byte_t p;
65	int i;
66
67	insn_get_prefixes(insn);
68
69	for_each_insn_prefix(insn, i, p) {
70	if (p == 0xf2 || p == 0xf3)
71	return true;
72	}
73
74	return false;
75	}
76
77	/**
78	* get_seg_reg_override_idx() - obtain segment register override index
79	* @insn: Valid instruction with segment override prefixes
80	*
81	* Inspect the instruction prefixes in @insn and find segment overrides, if any.
82	*
83	* Returns:
84	*
85	* A constant identifying the segment register to use, among CS, SS, DS,
86	* ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override
87	* prefixes were found.
88	*
89	* -EINVAL in case of error.
90	*/
91	static int get_seg_reg_override_idx(struct insn *insn)
92	{
93	int idx = INAT_SEG_REG_DEFAULT;
94	int num_overrides = 0, i;
95	insn_byte_t p;
96
97	insn_get_prefixes(insn);
98
99	/* Look for any segment override prefixes. */
100	for_each_insn_prefix(insn, i, p) {
101	insn_attr_t attr;
102
103	attr = inat_get_opcode_attribute(opcode: p);
104	switch (attr) {
105	case INAT_MAKE_PREFIX(INAT_PFX_CS):
106	idx = INAT_SEG_REG_CS;
107	num_overrides++;
108	break;
109	case INAT_MAKE_PREFIX(INAT_PFX_SS):
110	idx = INAT_SEG_REG_SS;
111	num_overrides++;
112	break;
113	case INAT_MAKE_PREFIX(INAT_PFX_DS):
114	idx = INAT_SEG_REG_DS;
115	num_overrides++;
116	break;
117	case INAT_MAKE_PREFIX(INAT_PFX_ES):
118	idx = INAT_SEG_REG_ES;
119	num_overrides++;
120	break;
121	case INAT_MAKE_PREFIX(INAT_PFX_FS):
122	idx = INAT_SEG_REG_FS;
123	num_overrides++;
124	break;
125	case INAT_MAKE_PREFIX(INAT_PFX_GS):
126	idx = INAT_SEG_REG_GS;
127	num_overrides++;
128	break;
129	/* No default action needed. */
130	}
131	}
132
133	/* More than one segment override prefix leads to undefined behavior. */
134	if (num_overrides > 1)
135	return -EINVAL;
136
137	return idx;
138	}
139
140	/**
141	* check_seg_overrides() - check if segment override prefixes are allowed
142	* @insn: Valid instruction with segment override prefixes
143	* @regoff: Operand offset, in pt_regs, for which the check is performed
144	*
145	* For a particular register used in register-indirect addressing, determine if
146	* segment override prefixes can be used. Specifically, no overrides are allowed
147	* for rDI if used with a string instruction.
148	*
149	* Returns:
150	*
151	* True if segment override prefixes can be used with the register indicated
152	* in @regoff. False if otherwise.
153	*/
154	static bool check_seg_overrides(struct insn *insn, int regoff)
155	{
156	if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn))
157	return false;
158
159	return true;
160	}
161
162	/**
163	* resolve_default_seg() - resolve default segment register index for an operand
164	* @insn: Instruction with opcode and address size. Must be valid.
165	* @regs: Register values as seen when entering kernel mode
166	* @off: Operand offset, in pt_regs, for which resolution is needed
167	*
168	* Resolve the default segment register index associated with the instruction
169	* operand register indicated by @off. Such index is resolved based on defaults
170	* described in the Intel Software Development Manual.
171	*
172	* Returns:
173	*
174	* If in protected mode, a constant identifying the segment register to use,
175	* among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE.
176	*
177	* -EINVAL in case of error.
178	*/
179	static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off)
180	{
181	if (any_64bit_mode(regs))
182	return INAT_SEG_REG_IGNORE;
183	/*
184	* Resolve the default segment register as described in Section 3.7.4
185	* of the Intel Software Development Manual Vol. 1:
186	*
187	* + DS for all references involving r[ABCD]X, and rSI.
188	* + If used in a string instruction, ES for rDI. Otherwise, DS.
189	* + AX, CX and DX are not valid register operands in 16-bit address
190	* encodings but are valid for 32-bit and 64-bit encodings.
191	* + -EDOM is reserved to identify for cases in which no register
192	* is used (i.e., displacement-only addressing). Use DS.
193	* + SS for rSP or rBP.
194	* + CS for rIP.
195	*/
196
197	switch (off) {
198	case offsetof(struct pt_regs, ax):
199	case offsetof(struct pt_regs, cx):
200	case offsetof(struct pt_regs, dx):
201	/* Need insn to verify address size. */
202	if (insn->addr_bytes == 2)
203	return -EINVAL;
204
205	fallthrough;
206
207	case -EDOM:
208	case offsetof(struct pt_regs, bx):
209	case offsetof(struct pt_regs, si):
210	return INAT_SEG_REG_DS;
211
212	case offsetof(struct pt_regs, di):
213	if (is_string_insn(insn))
214	return INAT_SEG_REG_ES;
215	return INAT_SEG_REG_DS;
216
217	case offsetof(struct pt_regs, bp):
218	case offsetof(struct pt_regs, sp):
219	return INAT_SEG_REG_SS;
220
221	case offsetof(struct pt_regs, ip):
222	return INAT_SEG_REG_CS;
223
224	default:
225	return -EINVAL;
226	}
227	}
228
229	/**
230	* resolve_seg_reg() - obtain segment register index
231	* @insn: Instruction with operands
232	* @regs: Register values as seen when entering kernel mode
233	* @regoff: Operand offset, in pt_regs, used to determine segment register
234	*
235	* Determine the segment register associated with the operands and, if
236	* applicable, prefixes and the instruction pointed by @insn.
237	*
238	* The segment register associated to an operand used in register-indirect
239	* addressing depends on:
240	*
241	* a) Whether running in long mode (in such a case segments are ignored, except
242	* if FS or GS are used).
243	*
244	* b) Whether segment override prefixes can be used. Certain instructions and
245	* registers do not allow override prefixes.
246	*
247	* c) Whether segment overrides prefixes are found in the instruction prefixes.
248	*
249	* d) If there are not segment override prefixes or they cannot be used, the
250	* default segment register associated with the operand register is used.
251	*
252	* The function checks first if segment override prefixes can be used with the
253	* operand indicated by @regoff. If allowed, obtain such overridden segment
254	* register index. Lastly, if not prefixes were found or cannot be used, resolve
255	* the segment register index to use based on the defaults described in the
256	* Intel documentation. In long mode, all segment register indexes will be
257	* ignored, except if overrides were found for FS or GS. All these operations
258	* are done using helper functions.
259	*
260	* The operand register, @regoff, is represented as the offset from the base of
261	* pt_regs.
262	*
263	* As stated, the main use of this function is to determine the segment register
264	* index based on the instruction, its operands and prefixes. Hence, @insn
265	* must be valid. However, if @regoff indicates rIP, we don't need to inspect
266	* @insn at all as in this case CS is used in all cases. This case is checked
267	* before proceeding further.
268	*
269	* Please note that this function does not return the value in the segment
270	* register (i.e., the segment selector) but our defined index. The segment
271	* selector needs to be obtained using get_segment_selector() and passing the
272	* segment register index resolved by this function.
273	*
274	* Returns:
275	*
276	* An index identifying the segment register to use, among CS, SS, DS,
277	* ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode.
278	*
279	* -EINVAL in case of error.
280	*/
281	static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff)
282	{
283	int idx;
284
285	/*
286	* In the unlikely event of having to resolve the segment register
287	* index for rIP, do it first. Segment override prefixes should not
288	* be used. Hence, it is not necessary to inspect the instruction,
289	* which may be invalid at this point.
290	*/
291	if (regoff == offsetof(struct pt_regs, ip)) {
292	if (any_64bit_mode(regs))
293	return INAT_SEG_REG_IGNORE;
294	else
295	return INAT_SEG_REG_CS;
296	}
297
298	if (!insn)
299	return -EINVAL;
300
301	if (!check_seg_overrides(insn, regoff))
302	return resolve_default_seg(insn, regs, off: regoff);
303
304	idx = get_seg_reg_override_idx(insn);
305	if (idx < 0)
306	return idx;
307
308	if (idx == INAT_SEG_REG_DEFAULT)
309	return resolve_default_seg(insn, regs, off: regoff);
310
311	/*
312	* In long mode, segment override prefixes are ignored, except for
313	* overrides for FS and GS.
314	*/
315	if (any_64bit_mode(regs)) {
316	if (idx != INAT_SEG_REG_FS &&
317	idx != INAT_SEG_REG_GS)
318	idx = INAT_SEG_REG_IGNORE;
319	}
320
321	return idx;
322	}
323
324	/**
325	* get_segment_selector() - obtain segment selector
326	* @regs: Register values as seen when entering kernel mode
327	* @seg_reg_idx: Segment register index to use
328	*
329	* Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment
330	* registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or
331	* kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained
332	* from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU
333	* registers. This done for only for completeness as in CONFIG_X86_64 segment
334	* registers are ignored.
335	*
336	* Returns:
337	*
338	* Value of the segment selector, including null when running in
339	* long mode.
340	*
341	* -EINVAL on error.
342	*/
343	static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx)
344	{
345	unsigned short sel;
346
347	#ifdef CONFIG_X86_64
348	switch (seg_reg_idx) {
349	case INAT_SEG_REG_IGNORE:
350	return 0;
351	case INAT_SEG_REG_CS:
352	return (unsigned short)(regs->cs & 0xffff);
353	case INAT_SEG_REG_SS:
354	return (unsigned short)(regs->ss & 0xffff);
355	case INAT_SEG_REG_DS:
356	savesegment(ds, sel);
357	return sel;
358	case INAT_SEG_REG_ES:
359	savesegment(es, sel);
360	return sel;
361	case INAT_SEG_REG_FS:
362	savesegment(fs, sel);
363	return sel;
364	case INAT_SEG_REG_GS:
365	savesegment(gs, sel);
366	return sel;
367	default:
368	return -EINVAL;
369	}
370	#else /* CONFIG_X86_32 */
371	struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs;
372
373	if (v8086_mode(regs)) {
374	switch (seg_reg_idx) {
375	case INAT_SEG_REG_CS:
376	return (unsigned short)(regs->cs & 0xffff);
377	case INAT_SEG_REG_SS:
378	return (unsigned short)(regs->ss & 0xffff);
379	case INAT_SEG_REG_DS:
380	return vm86regs->ds;
381	case INAT_SEG_REG_ES:
382	return vm86regs->es;
383	case INAT_SEG_REG_FS:
384	return vm86regs->fs;
385	case INAT_SEG_REG_GS:
386	return vm86regs->gs;
387	case INAT_SEG_REG_IGNORE:
388	default:
389	return -EINVAL;
390	}
391	}
392
393	switch (seg_reg_idx) {
394	case INAT_SEG_REG_CS:
395	return (unsigned short)(regs->cs & 0xffff);
396	case INAT_SEG_REG_SS:
397	return (unsigned short)(regs->ss & 0xffff);
398	case INAT_SEG_REG_DS:
399	return (unsigned short)(regs->ds & 0xffff);
400	case INAT_SEG_REG_ES:
401	return (unsigned short)(regs->es & 0xffff);
402	case INAT_SEG_REG_FS:
403	return (unsigned short)(regs->fs & 0xffff);
404	case INAT_SEG_REG_GS:
405	savesegment(gs, sel);
406	return sel;
407	case INAT_SEG_REG_IGNORE:
408	default:
409	return -EINVAL;
410	}
411	#endif /* CONFIG_X86_64 */
412	}
413
414	static const int pt_regoff[] = {
415	offsetof(struct pt_regs, ax),
416	offsetof(struct pt_regs, cx),
417	offsetof(struct pt_regs, dx),
418	offsetof(struct pt_regs, bx),
419	offsetof(struct pt_regs, sp),
420	offsetof(struct pt_regs, bp),
421	offsetof(struct pt_regs, si),
422	offsetof(struct pt_regs, di),
423	#ifdef CONFIG_X86_64
424	offsetof(struct pt_regs, r8),
425	offsetof(struct pt_regs, r9),
426	offsetof(struct pt_regs, r10),
427	offsetof(struct pt_regs, r11),
428	offsetof(struct pt_regs, r12),
429	offsetof(struct pt_regs, r13),
430	offsetof(struct pt_regs, r14),
431	offsetof(struct pt_regs, r15),
432	#else
433	offsetof(struct pt_regs, ds),
434	offsetof(struct pt_regs, es),
435	offsetof(struct pt_regs, fs),
436	offsetof(struct pt_regs, gs),
437	#endif
438	};
439
440	int pt_regs_offset(struct pt_regs *regs, int regno)
441	{
442	if ((unsigned)regno < ARRAY_SIZE(pt_regoff))
443	return pt_regoff[regno];
444	return -EDOM;
445	}
446
447	static int get_regno(struct insn *insn, enum reg_type type)
448	{
449	int nr_registers = ARRAY_SIZE(pt_regoff);
450	int regno = 0;
451
452	/*
453	* Don't possibly decode a 32-bit instructions as
454	* reading a 64-bit-only register.
455	*/
456	if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64)
457	nr_registers -= 8;
458
459	switch (type) {
460	case REG_TYPE_RM:
461	regno = X86_MODRM_RM(insn->modrm.value);
462
463	/*
464	* ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement
465	* follows the ModRM byte.
466	*/
467	if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
468	return -EDOM;
469
470	if (X86_REX_B(insn->rex_prefix.value))
471	regno += 8;
472	break;
473
474	case REG_TYPE_REG:
475	regno = X86_MODRM_REG(insn->modrm.value);
476
477	if (X86_REX_R(insn->rex_prefix.value))
478	regno += 8;
479	break;
480
481	case REG_TYPE_INDEX:
482	regno = X86_SIB_INDEX(insn->sib.value);
483	if (X86_REX_X(insn->rex_prefix.value))
484	regno += 8;
485
486	/*
487	* If ModRM.mod != 3 and SIB.index = 4 the scale*index
488	* portion of the address computation is null. This is
489	* true only if REX.X is 0. In such a case, the SIB index
490	* is used in the address computation.
491	*/
492	if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4)
493	return -EDOM;
494	break;
495
496	case REG_TYPE_BASE:
497	regno = X86_SIB_BASE(insn->sib.value);
498	/*
499	* If ModRM.mod is 0 and SIB.base == 5, the base of the
500	* register-indirect addressing is 0. In this case, a
501	* 32-bit displacement follows the SIB byte.
502	*/
503	if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
504	return -EDOM;
505
506	if (X86_REX_B(insn->rex_prefix.value))
507	regno += 8;
508	break;
509
510	default:
511	pr_err_ratelimited("invalid register type: %d\n", type);
512	return -EINVAL;
513	}
514
515	if (regno >= nr_registers) {
516	WARN_ONCE(1, "decoded an instruction with an invalid register");
517	return -EINVAL;
518	}
519	return regno;
520	}
521
522	static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
523	enum reg_type type)
524	{
525	int regno = get_regno(insn, type);
526
527	if (regno < 0)
528	return regno;
529
530	return pt_regs_offset(regs, regno);
531	}
532
533	/**
534	* get_reg_offset_16() - Obtain offset of register indicated by instruction
535	* @insn: Instruction containing ModRM byte
536	* @regs: Register values as seen when entering kernel mode
537	* @offs1: Offset of the first operand register
538	* @offs2: Offset of the second operand register, if applicable
539	*
540	* Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte
541	* in @insn. This function is to be used with 16-bit address encodings. The
542	* @offs1 and @offs2 will be written with the offset of the two registers
543	* indicated by the instruction. In cases where any of the registers is not
544	* referenced by the instruction, the value will be set to -EDOM.
545	*
546	* Returns:
547	*
548	* 0 on success, -EINVAL on error.
549	*/
550	static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs,
551	int *offs1, int *offs2)
552	{
553	/*
554	* 16-bit addressing can use one or two registers. Specifics of
555	* encodings are given in Table 2-1. "16-Bit Addressing Forms with the
556	* ModR/M Byte" of the Intel Software Development Manual.
557	*/
558	static const int regoff1[] = {
559	offsetof(struct pt_regs, bx),
560	offsetof(struct pt_regs, bx),
561	offsetof(struct pt_regs, bp),
562	offsetof(struct pt_regs, bp),
563	offsetof(struct pt_regs, si),
564	offsetof(struct pt_regs, di),
565	offsetof(struct pt_regs, bp),
566	offsetof(struct pt_regs, bx),
567	};
568
569	static const int regoff2[] = {
570	offsetof(struct pt_regs, si),
571	offsetof(struct pt_regs, di),
572	offsetof(struct pt_regs, si),
573	offsetof(struct pt_regs, di),
574	-EDOM,
575	-EDOM,
576	-EDOM,
577	-EDOM,
578	};
579
580	if (!offs1 || !offs2)
581	return -EINVAL;
582
583	/* Operand is a register, use the generic function. */
584	if (X86_MODRM_MOD(insn->modrm.value) == 3) {
585	*offs1 = insn_get_modrm_rm_off(insn, regs);
586	*offs2 = -EDOM;
587	return 0;
588	}
589
590	*offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)];
591	*offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)];
592
593	/*
594	* If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement-
595	* only addressing. This means that no registers are involved in
596	* computing the effective address. Thus, ensure that the first
597	* register offset is invalid. The second register offset is already
598	* invalid under the aforementioned conditions.
599	*/
600	if ((X86_MODRM_MOD(insn->modrm.value) == 0) &&
601	(X86_MODRM_RM(insn->modrm.value) == 6))
602	*offs1 = -EDOM;
603
604	return 0;
605	}
606
607	/**
608	* get_desc() - Obtain contents of a segment descriptor
609	* @out: Segment descriptor contents on success
610	* @sel: Segment selector
611	*
612	* Given a segment selector, obtain a pointer to the segment descriptor.
613	* Both global and local descriptor tables are supported.
614	*
615	* Returns:
616	*
617	* True on success, false on failure.
618	*
619	* NULL on error.
620	*/
621	static bool get_desc(struct desc_struct *out, unsigned short sel)
622	{
623	struct desc_ptr gdt_desc = {0, 0};
624	unsigned long desc_base;
625
626	#ifdef CONFIG_MODIFY_LDT_SYSCALL
627	if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) {
628	bool success = false;
629	struct ldt_struct *ldt;
630
631	/* Bits [15:3] contain the index of the desired entry. */
632	sel >>= 3;
633
634	mutex_lock(&current->active_mm->context.lock);
635	ldt = current->active_mm->context.ldt;
636	if (ldt && sel < ldt->nr_entries) {
637	*out = ldt->entries[sel];
638	success = true;
639	}
640
641	mutex_unlock(lock: &current->active_mm->context.lock);
642
643	return success;
644	}
645	#endif
646	native_store_gdt(dtr: &gdt_desc);
647
648	/*
649	* Segment descriptors have a size of 8 bytes. Thus, the index is
650	* multiplied by 8 to obtain the memory offset of the desired descriptor
651	* from the base of the GDT. As bits [15:3] of the segment selector
652	* contain the index, it can be regarded as multiplied by 8 already.
653	* All that remains is to clear bits [2:0].
654	*/
655	desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK);
656
657	if (desc_base > gdt_desc.size)
658	return false;
659
660	*out = *(struct desc_struct *)(gdt_desc.address + desc_base);
661	return true;
662	}
663
664	/**
665	* insn_get_seg_base() - Obtain base address of segment descriptor.
666	* @regs: Register values as seen when entering kernel mode
667	* @seg_reg_idx: Index of the segment register pointing to seg descriptor
668	*
669	* Obtain the base address of the segment as indicated by the segment descriptor
670	* pointed by the segment selector. The segment selector is obtained from the
671	* input segment register index @seg_reg_idx.
672	*
673	* Returns:
674	*
675	* In protected mode, base address of the segment. Zero in long mode,
676	* except when FS or GS are used. In virtual-8086 mode, the segment
677	* selector shifted 4 bits to the right.
678	*
679	* -1L in case of error.
680	*/
681	unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx)
682	{
683	struct desc_struct desc;
684	short sel;
685
686	sel = get_segment_selector(regs, seg_reg_idx);
687	if (sel < 0)
688	return -1L;
689
690	if (v8086_mode(regs))
691	/*
692	* Base is simply the segment selector shifted 4
693	* bits to the right.
694	*/
695	return (unsigned long)(sel << 4);
696
697	if (any_64bit_mode(regs)) {
698	/*
699	* Only FS or GS will have a base address, the rest of
700	* the segments' bases are forced to 0.
701	*/
702	unsigned long base;
703
704	if (seg_reg_idx == INAT_SEG_REG_FS) {
705	rdmsrl(MSR_FS_BASE, base);
706	} else if (seg_reg_idx == INAT_SEG_REG_GS) {
707	/*
708	* swapgs was called at the kernel entry point. Thus,
709	* MSR_KERNEL_GS_BASE will have the user-space GS base.
710	*/
711	if (user_mode(regs))
712	rdmsrl(MSR_KERNEL_GS_BASE, base);
713	else
714	rdmsrl(MSR_GS_BASE, base);
715	} else {
716	base = 0;
717	}
718	return base;
719	}
720
721	/* In protected mode the segment selector cannot be null. */
722	if (!sel)
723	return -1L;
724
725	if (!get_desc(out: &desc, sel))
726	return -1L;
727
728	return get_desc_base(desc: &desc);
729	}
730
731	/**
732	* get_seg_limit() - Obtain the limit of a segment descriptor
733	* @regs: Register values as seen when entering kernel mode
734	* @seg_reg_idx: Index of the segment register pointing to seg descriptor
735	*
736	* Obtain the limit of the segment as indicated by the segment descriptor
737	* pointed by the segment selector. The segment selector is obtained from the
738	* input segment register index @seg_reg_idx.
739	*
740	* Returns:
741	*
742	* In protected mode, the limit of the segment descriptor in bytes.
743	* In long mode and virtual-8086 mode, segment limits are not enforced. Thus,
744	* limit is returned as -1L to imply a limit-less segment.
745	*
746	* Zero is returned on error.
747	*/
748	static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx)
749	{
750	struct desc_struct desc;
751	unsigned long limit;
752	short sel;
753
754	sel = get_segment_selector(regs, seg_reg_idx);
755	if (sel < 0)
756	return 0;
757
758	if (any_64bit_mode(regs) || v8086_mode(regs))
759	return -1L;
760
761	if (!sel)
762	return 0;
763
764	if (!get_desc(out: &desc, sel))
765	return 0;
766
767	/*
768	* If the granularity bit is set, the limit is given in multiples
769	* of 4096. This also means that the 12 least significant bits are
770	* not tested when checking the segment limits. In practice,
771	* this means that the segment ends in (limit << 12) + 0xfff.
772	*/
773	limit = get_desc_limit(desc: &desc);
774	if (desc.g)
775	limit = (limit << 12) + 0xfff;
776
777	return limit;
778	}
779
780	/**
781	* insn_get_code_seg_params() - Obtain code segment parameters
782	* @regs: Structure with register values as seen when entering kernel mode
783	*
784	* Obtain address and operand sizes of the code segment. It is obtained from the
785	* selector contained in the CS register in regs. In protected mode, the default
786	* address is determined by inspecting the L and D bits of the segment
787	* descriptor. In virtual-8086 mode, the default is always two bytes for both
788	* address and operand sizes.
789	*
790	* Returns:
791	*
792	* An int containing ORed-in default parameters on success.
793	*
794	* -EINVAL on error.
795	*/
796	int insn_get_code_seg_params(struct pt_regs *regs)
797	{
798	struct desc_struct desc;
799	short sel;
800
801	if (v8086_mode(regs))
802	/* Address and operand size are both 16-bit. */
803	return INSN_CODE_SEG_PARAMS(2, 2);
804
805	sel = get_segment_selector(regs, INAT_SEG_REG_CS);
806	if (sel < 0)
807	return sel;
808
809	if (!get_desc(out: &desc, sel))
810	return -EINVAL;
811
812	/*
813	* The most significant byte of the Type field of the segment descriptor
814	* determines whether a segment contains data or code. If this is a data
815	* segment, return error.
816	*/
817	if (!(desc.type & BIT(3)))
818	return -EINVAL;
819
820	switch ((desc.l << 1) | desc.d) {
821	case 0: /*
822	* Legacy mode. CS.L=0, CS.D=0. Address and operand size are
823	* both 16-bit.
824	*/
825	return INSN_CODE_SEG_PARAMS(2, 2);
826	case 1: /*
827	* Legacy mode. CS.L=0, CS.D=1. Address and operand size are
828	* both 32-bit.
829	*/
830	return INSN_CODE_SEG_PARAMS(4, 4);
831	case 2: /*
832	* IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit;
833	* operand size is 32-bit.
834	*/
835	return INSN_CODE_SEG_PARAMS(4, 8);
836	case 3: /* Invalid setting. CS.L=1, CS.D=1 */
837	fallthrough;
838	default:
839	return -EINVAL;
840	}
841	}
842
843	/**
844	* insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte
845	* @insn: Instruction containing the ModRM byte
846	* @regs: Register values as seen when entering kernel mode
847	*
848	* Returns:
849	*
850	* The register indicated by the r/m part of the ModRM byte. The
851	* register is obtained as an offset from the base of pt_regs. In specific
852	* cases, the returned value can be -EDOM to indicate that the particular value
853	* of ModRM does not refer to a register and shall be ignored.
854	*/
855	int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs)
856	{
857	return get_reg_offset(insn, regs, type: REG_TYPE_RM);
858	}
859
860	/**
861	* insn_get_modrm_reg_off() - Obtain register in reg part of the ModRM byte
862	* @insn: Instruction containing the ModRM byte
863	* @regs: Register values as seen when entering kernel mode
864	*
865	* Returns:
866	*
867	* The register indicated by the reg part of the ModRM byte. The
868	* register is obtained as an offset from the base of pt_regs.
869	*/
870	int insn_get_modrm_reg_off(struct insn *insn, struct pt_regs *regs)
871	{
872	return get_reg_offset(insn, regs, type: REG_TYPE_REG);
873	}
874
875	/**
876	* insn_get_modrm_reg_ptr() - Obtain register pointer based on ModRM byte
877	* @insn: Instruction containing the ModRM byte
878	* @regs: Register values as seen when entering kernel mode
879	*
880	* Returns:
881	*
882	* The register indicated by the reg part of the ModRM byte.
883	* The register is obtained as a pointer within pt_regs.
884	*/
885	unsigned long *insn_get_modrm_reg_ptr(struct insn *insn, struct pt_regs *regs)
886	{
887	int offset;
888
889	offset = insn_get_modrm_reg_off(insn, regs);
890	if (offset < 0)
891	return NULL;
892	return (void *)regs + offset;
893	}
894
895	/**
896	* get_seg_base_limit() - obtain base address and limit of a segment
897	* @insn: Instruction. Must be valid.
898	* @regs: Register values as seen when entering kernel mode
899	* @regoff: Operand offset, in pt_regs, used to resolve segment descriptor
900	* @base: Obtained segment base
901	* @limit: Obtained segment limit
902	*
903	* Obtain the base address and limit of the segment associated with the operand
904	* @regoff and, if any or allowed, override prefixes in @insn. This function is
905	* different from insn_get_seg_base() as the latter does not resolve the segment
906	* associated with the instruction operand. If a limit is not needed (e.g.,
907	* when running in long mode), @limit can be NULL.
908	*
909	* Returns:
910	*
911	* 0 on success. @base and @limit will contain the base address and of the
912	* resolved segment, respectively.
913	*
914	* -EINVAL on error.
915	*/
916	static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs,
917	int regoff, unsigned long *base,
918	unsigned long *limit)
919	{
920	int seg_reg_idx;
921
922	if (!base)
923	return -EINVAL;
924
925	seg_reg_idx = resolve_seg_reg(insn, regs, regoff);
926	if (seg_reg_idx < 0)
927	return seg_reg_idx;
928
929	*base = insn_get_seg_base(regs, seg_reg_idx);
930	if (*base == -1L)
931	return -EINVAL;
932
933	if (!limit)
934	return 0;
935
936	*limit = get_seg_limit(regs, seg_reg_idx);
937	if (!(*limit))
938	return -EINVAL;
939
940	return 0;
941	}
942
943	/**
944	* get_eff_addr_reg() - Obtain effective address from register operand
945	* @insn: Instruction. Must be valid.
946	* @regs: Register values as seen when entering kernel mode
947	* @regoff: Obtained operand offset, in pt_regs, with the effective address
948	* @eff_addr: Obtained effective address
949	*
950	* Obtain the effective address stored in the register operand as indicated by
951	* the ModRM byte. This function is to be used only with register addressing
952	* (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The
953	* register operand, as an offset from the base of pt_regs, is saved in @regoff;
954	* such offset can then be used to resolve the segment associated with the
955	* operand. This function can be used with any of the supported address sizes
956	* in x86.
957	*
958	* Returns:
959	*
960	* 0 on success. @eff_addr will have the effective address stored in the
961	* operand indicated by ModRM. @regoff will have such operand as an offset from
962	* the base of pt_regs.
963	*
964	* -EINVAL on error.
965	*/
966	static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs,
967	int *regoff, long *eff_addr)
968	{
969	int ret;
970
971	ret = insn_get_modrm(insn);
972	if (ret)
973	return ret;
974
975	if (X86_MODRM_MOD(insn->modrm.value) != 3)
976	return -EINVAL;
977
978	*regoff = get_reg_offset(insn, regs, type: REG_TYPE_RM);
979	if (*regoff < 0)
980	return -EINVAL;
981
982	/* Ignore bytes that are outside the address size. */
983	if (insn->addr_bytes == 2)
984	*eff_addr = regs_get_register(regs, offset: *regoff) & 0xffff;
985	else if (insn->addr_bytes == 4)
986	*eff_addr = regs_get_register(regs, offset: *regoff) & 0xffffffff;
987	else /* 64-bit address */
988	*eff_addr = regs_get_register(regs, offset: *regoff);
989
990	return 0;
991	}
992
993	/**
994	* get_eff_addr_modrm() - Obtain referenced effective address via ModRM
995	* @insn: Instruction. Must be valid.
996	* @regs: Register values as seen when entering kernel mode
997	* @regoff: Obtained operand offset, in pt_regs, associated with segment
998	* @eff_addr: Obtained effective address
999	*
1000	* Obtain the effective address referenced by the ModRM byte of @insn. After
1001	* identifying the registers involved in the register-indirect memory reference,
1002	* its value is obtained from the operands in @regs. The computed address is
1003	* stored @eff_addr. Also, the register operand that indicates the associated
1004	* segment is stored in @regoff, this parameter can later be used to determine
1005	* such segment.
1006	*
1007	* Returns:
1008	*
1009	* 0 on success. @eff_addr will have the referenced effective address. @regoff
1010	* will have a register, as an offset from the base of pt_regs, that can be used
1011	* to resolve the associated segment.
1012	*
1013	* -EINVAL on error.
1014	*/
1015	static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs,
1016	int *regoff, long *eff_addr)
1017	{
1018	long tmp;
1019	int ret;
1020
1021	if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
1022	return -EINVAL;
1023
1024	ret = insn_get_modrm(insn);
1025	if (ret)
1026	return ret;
1027
1028	if (X86_MODRM_MOD(insn->modrm.value) > 2)
1029	return -EINVAL;
1030
1031	*regoff = get_reg_offset(insn, regs, type: REG_TYPE_RM);
1032
1033	/*
1034	* -EDOM means that we must ignore the address_offset. In such a case,
1035	* in 64-bit mode the effective address relative to the rIP of the
1036	* following instruction.
1037	*/
1038	if (*regoff == -EDOM) {
1039	if (any_64bit_mode(regs))
1040	tmp = regs->ip + insn->length;
1041	else
1042	tmp = 0;
1043	} else if (*regoff < 0) {
1044	return -EINVAL;
1045	} else {
1046	tmp = regs_get_register(regs, offset: *regoff);
1047	}
1048
1049	if (insn->addr_bytes == 4) {
1050	int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value;
1051
1052	*eff_addr = addr32 & 0xffffffff;
1053	} else {
1054	*eff_addr = tmp + insn->displacement.value;
1055	}
1056
1057	return 0;
1058	}
1059
1060	/**
1061	* get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM
1062	* @insn: Instruction. Must be valid.
1063	* @regs: Register values as seen when entering kernel mode
1064	* @regoff: Obtained operand offset, in pt_regs, associated with segment
1065	* @eff_addr: Obtained effective address
1066	*
1067	* Obtain the 16-bit effective address referenced by the ModRM byte of @insn.
1068	* After identifying the registers involved in the register-indirect memory
1069	* reference, its value is obtained from the operands in @regs. The computed
1070	* address is stored @eff_addr. Also, the register operand that indicates
1071	* the associated segment is stored in @regoff, this parameter can later be used
1072	* to determine such segment.
1073	*
1074	* Returns:
1075	*
1076	* 0 on success. @eff_addr will have the referenced effective address. @regoff
1077	* will have a register, as an offset from the base of pt_regs, that can be used
1078	* to resolve the associated segment.
1079	*
1080	* -EINVAL on error.
1081	*/
1082	static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs,
1083	int *regoff, short *eff_addr)
1084	{
1085	int addr_offset1, addr_offset2, ret;
1086	short addr1 = 0, addr2 = 0, displacement;
1087
1088	if (insn->addr_bytes != 2)
1089	return -EINVAL;
1090
1091	insn_get_modrm(insn);
1092
1093	if (!insn->modrm.nbytes)
1094	return -EINVAL;
1095
1096	if (X86_MODRM_MOD(insn->modrm.value) > 2)
1097	return -EINVAL;
1098
1099	ret = get_reg_offset_16(insn, regs, offs1: &addr_offset1, offs2: &addr_offset2);
1100	if (ret < 0)
1101	return -EINVAL;
1102
1103	/*
1104	* Don't fail on invalid offset values. They might be invalid because
1105	* they cannot be used for this particular value of ModRM. Instead, use
1106	* them in the computation only if they contain a valid value.
1107	*/
1108	if (addr_offset1 != -EDOM)
1109	addr1 = regs_get_register(regs, offset: addr_offset1) & 0xffff;
1110
1111	if (addr_offset2 != -EDOM)
1112	addr2 = regs_get_register(regs, offset: addr_offset2) & 0xffff;
1113
1114	displacement = insn->displacement.value & 0xffff;
1115	*eff_addr = addr1 + addr2 + displacement;
1116
1117	/*
1118	* The first operand register could indicate to use of either SS or DS
1119	* registers to obtain the segment selector. The second operand
1120	* register can only indicate the use of DS. Thus, the first operand
1121	* will be used to obtain the segment selector.
1122	*/
1123	*regoff = addr_offset1;
1124
1125	return 0;
1126	}
1127
1128	/**
1129	* get_eff_addr_sib() - Obtain referenced effective address via SIB
1130	* @insn: Instruction. Must be valid.
1131	* @regs: Register values as seen when entering kernel mode
1132	* @regoff: Obtained operand offset, in pt_regs, associated with segment
1133	* @eff_addr: Obtained effective address
1134	*
1135	* Obtain the effective address referenced by the SIB byte of @insn. After
1136	* identifying the registers involved in the indexed, register-indirect memory
1137	* reference, its value is obtained from the operands in @regs. The computed
1138	* address is stored @eff_addr. Also, the register operand that indicates the
1139	* associated segment is stored in @regoff, this parameter can later be used to
1140	* determine such segment.
1141	*
1142	* Returns:
1143	*
1144	* 0 on success. @eff_addr will have the referenced effective address.
1145	* @base_offset will have a register, as an offset from the base of pt_regs,
1146	* that can be used to resolve the associated segment.
1147	*
1148	* Negative value on error.
1149	*/
1150	static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs,
1151	int *base_offset, long *eff_addr)
1152	{
1153	long base, indx;
1154	int indx_offset;
1155	int ret;
1156
1157	if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
1158	return -EINVAL;
1159
1160	ret = insn_get_modrm(insn);
1161	if (ret)
1162	return ret;
1163
1164	if (!insn->modrm.nbytes)
1165	return -EINVAL;
1166
1167	if (X86_MODRM_MOD(insn->modrm.value) > 2)
1168	return -EINVAL;
1169
1170	ret = insn_get_sib(insn);
1171	if (ret)
1172	return ret;
1173
1174	if (!insn->sib.nbytes)
1175	return -EINVAL;
1176
1177	*base_offset = get_reg_offset(insn, regs, type: REG_TYPE_BASE);
1178	indx_offset = get_reg_offset(insn, regs, type: REG_TYPE_INDEX);
1179
1180	/*
1181	* Negative values in the base and index offset means an error when
1182	* decoding the SIB byte. Except -EDOM, which means that the registers
1183	* should not be used in the address computation.
1184	*/
1185	if (*base_offset == -EDOM)
1186	base = 0;
1187	else if (*base_offset < 0)
1188	return -EINVAL;
1189	else
1190	base = regs_get_register(regs, offset: *base_offset);
1191
1192	if (indx_offset == -EDOM)
1193	indx = 0;
1194	else if (indx_offset < 0)
1195	return -EINVAL;
1196	else
1197	indx = regs_get_register(regs, offset: indx_offset);
1198
1199	if (insn->addr_bytes == 4) {
1200	int addr32, base32, idx32;
1201
1202	base32 = base & 0xffffffff;
1203	idx32 = indx & 0xffffffff;
1204
1205	addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value));
1206	addr32 += insn->displacement.value;
1207
1208	*eff_addr = addr32 & 0xffffffff;
1209	} else {
1210	*eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value));
1211	*eff_addr += insn->displacement.value;
1212	}
1213
1214	return 0;
1215	}
1216
1217	/**
1218	* get_addr_ref_16() - Obtain the 16-bit address referred by instruction
1219	* @insn: Instruction containing ModRM byte and displacement
1220	* @regs: Register values as seen when entering kernel mode
1221	*
1222	* This function is to be used with 16-bit address encodings. Obtain the memory
1223	* address referred by the instruction's ModRM and displacement bytes. Also, the
1224	* segment used as base is determined by either any segment override prefixes in
1225	* @insn or the default segment of the registers involved in the address
1226	* computation. In protected mode, segment limits are enforced.
1227	*
1228	* Returns:
1229	*
1230	* Linear address referenced by the instruction operands on success.
1231	*
1232	* -1L on error.
1233	*/
1234	static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs)
1235	{
1236	unsigned long linear_addr = -1L, seg_base, seg_limit;
1237	int ret, regoff;
1238	short eff_addr;
1239	long tmp;
1240
1241	if (insn_get_displacement(insn))
1242	goto out;
1243
1244	if (insn->addr_bytes != 2)
1245	goto out;
1246
1247	if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1248	ret = get_eff_addr_reg(insn, regs, regoff: &regoff, eff_addr: &tmp);
1249	if (ret)
1250	goto out;
1251
1252	eff_addr = tmp;
1253	} else {
1254	ret = get_eff_addr_modrm_16(insn, regs, regoff: &regoff, eff_addr: &eff_addr);
1255	if (ret)
1256	goto out;
1257	}
1258
1259	ret = get_seg_base_limit(insn, regs, regoff, base: &seg_base, limit: &seg_limit);
1260	if (ret)
1261	goto out;
1262
1263	/*
1264	* Before computing the linear address, make sure the effective address
1265	* is within the limits of the segment. In virtual-8086 mode, segment
1266	* limits are not enforced. In such a case, the segment limit is -1L to
1267	* reflect this fact.
1268	*/
1269	if ((unsigned long)(eff_addr & 0xffff) > seg_limit)
1270	goto out;
1271
1272	linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base;
1273
1274	/* Limit linear address to 20 bits */
1275	if (v8086_mode(regs))
1276	linear_addr &= 0xfffff;
1277
1278	out:
1279	return (void __user *)linear_addr;
1280	}
1281
1282	/**
1283	* get_addr_ref_32() - Obtain a 32-bit linear address
1284	* @insn: Instruction with ModRM, SIB bytes and displacement
1285	* @regs: Register values as seen when entering kernel mode
1286	*
1287	* This function is to be used with 32-bit address encodings to obtain the
1288	* linear memory address referred by the instruction's ModRM, SIB,
1289	* displacement bytes and segment base address, as applicable. If in protected
1290	* mode, segment limits are enforced.
1291	*
1292	* Returns:
1293	*
1294	* Linear address referenced by instruction and registers on success.
1295	*
1296	* -1L on error.
1297	*/
1298	static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs)
1299	{
1300	unsigned long linear_addr = -1L, seg_base, seg_limit;
1301	int eff_addr, regoff;
1302	long tmp;
1303	int ret;
1304
1305	if (insn->addr_bytes != 4)
1306	goto out;
1307
1308	if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1309	ret = get_eff_addr_reg(insn, regs, regoff: &regoff, eff_addr: &tmp);
1310	if (ret)
1311	goto out;
1312
1313	eff_addr = tmp;
1314
1315	} else {
1316	if (insn->sib.nbytes) {
1317	ret = get_eff_addr_sib(insn, regs, base_offset: &regoff, eff_addr: &tmp);
1318	if (ret)
1319	goto out;
1320
1321	eff_addr = tmp;
1322	} else {
1323	ret = get_eff_addr_modrm(insn, regs, regoff: &regoff, eff_addr: &tmp);
1324	if (ret)
1325	goto out;
1326
1327	eff_addr = tmp;
1328	}
1329	}
1330
1331	ret = get_seg_base_limit(insn, regs, regoff, base: &seg_base, limit: &seg_limit);
1332	if (ret)
1333	goto out;
1334
1335	/*
1336	* In protected mode, before computing the linear address, make sure
1337	* the effective address is within the limits of the segment.
1338	* 32-bit addresses can be used in long and virtual-8086 modes if an
1339	* address override prefix is used. In such cases, segment limits are
1340	* not enforced. When in virtual-8086 mode, the segment limit is -1L
1341	* to reflect this situation.
1342	*
1343	* After computed, the effective address is treated as an unsigned
1344	* quantity.
1345	*/
1346	if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit))
1347	goto out;
1348
1349	/*
1350	* Even though 32-bit address encodings are allowed in virtual-8086
1351	* mode, the address range is still limited to [0x-0xffff].
1352	*/
1353	if (v8086_mode(regs) && (eff_addr & ~0xffff))
1354	goto out;
1355
1356	/*
1357	* Data type long could be 64 bits in size. Ensure that our 32-bit
1358	* effective address is not sign-extended when computing the linear
1359	* address.
1360	*/
1361	linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base;
1362
1363	/* Limit linear address to 20 bits */
1364	if (v8086_mode(regs))
1365	linear_addr &= 0xfffff;
1366
1367	out:
1368	return (void __user *)linear_addr;
1369	}
1370
1371	/**
1372	* get_addr_ref_64() - Obtain a 64-bit linear address
1373	* @insn: Instruction struct with ModRM and SIB bytes and displacement
1374	* @regs: Structure with register values as seen when entering kernel mode
1375	*
1376	* This function is to be used with 64-bit address encodings to obtain the
1377	* linear memory address referred by the instruction's ModRM, SIB,
1378	* displacement bytes and segment base address, as applicable.
1379	*
1380	* Returns:
1381	*
1382	* Linear address referenced by instruction and registers on success.
1383	*
1384	* -1L on error.
1385	*/
1386	#ifndef CONFIG_X86_64
1387	static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
1388	{
1389	return (void __user *)-1L;
1390	}
1391	#else
1392	static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
1393	{
1394	unsigned long linear_addr = -1L, seg_base;
1395	int regoff, ret;
1396	long eff_addr;
1397
1398	if (insn->addr_bytes != 8)
1399	goto out;
1400
1401	if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1402	ret = get_eff_addr_reg(insn, regs, regoff: &regoff, eff_addr: &eff_addr);
1403	if (ret)
1404	goto out;
1405
1406	} else {
1407	if (insn->sib.nbytes) {
1408	ret = get_eff_addr_sib(insn, regs, base_offset: &regoff, eff_addr: &eff_addr);
1409	if (ret)
1410	goto out;
1411	} else {
1412	ret = get_eff_addr_modrm(insn, regs, regoff: &regoff, eff_addr: &eff_addr);
1413	if (ret)
1414	goto out;
1415	}
1416
1417	}
1418
1419	ret = get_seg_base_limit(insn, regs, regoff, base: &seg_base, NULL);
1420	if (ret)
1421	goto out;
1422
1423	linear_addr = (unsigned long)eff_addr + seg_base;
1424
1425	out:
1426	return (void __user *)linear_addr;
1427	}
1428	#endif /* CONFIG_X86_64 */
1429
1430	/**
1431	* insn_get_addr_ref() - Obtain the linear address referred by instruction
1432	* @insn: Instruction structure containing ModRM byte and displacement
1433	* @regs: Structure with register values as seen when entering kernel mode
1434	*
1435	* Obtain the linear address referred by the instruction's ModRM, SIB and
1436	* displacement bytes, and segment base, as applicable. In protected mode,
1437	* segment limits are enforced.
1438	*
1439	* Returns:
1440	*
1441	* Linear address referenced by instruction and registers on success.
1442	*
1443	* -1L on error.
1444	*/
1445	void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs)
1446	{
1447	if (!insn || !regs)
1448	return (void __user *)-1L;
1449
1450	if (insn_get_opcode(insn))
1451	return (void __user *)-1L;
1452
1453	switch (insn->addr_bytes) {
1454	case 2:
1455	return get_addr_ref_16(insn, regs);
1456	case 4:
1457	return get_addr_ref_32(insn, regs);
1458	case 8:
1459	return get_addr_ref_64(insn, regs);
1460	default:
1461	return (void __user *)-1L;
1462	}
1463	}
1464
1465	int insn_get_effective_ip(struct pt_regs *regs, unsigned long *ip)
1466	{
1467	unsigned long seg_base = 0;
1468
1469	/*
1470	* If not in user-space long mode, a custom code segment could be in
1471	* use. This is true in protected mode (if the process defined a local
1472	* descriptor table), or virtual-8086 mode. In most of the cases
1473	* seg_base will be zero as in USER_CS.
1474	*/
1475	if (!user_64bit_mode(regs)) {
1476	seg_base = insn_get_seg_base(regs, INAT_SEG_REG_CS);
1477	if (seg_base == -1L)
1478	return -EINVAL;
1479	}
1480
1481	*ip = seg_base + regs->ip;
1482
1483	return 0;
1484	}
1485
1486	/**
1487	* insn_fetch_from_user() - Copy instruction bytes from user-space memory
1488	* @regs: Structure with register values as seen when entering kernel mode
1489	* @buf: Array to store the fetched instruction
1490	*
1491	* Gets the linear address of the instruction and copies the instruction bytes
1492	* to the buf.
1493	*
1494	* Returns:
1495	*
1496	* - number of instruction bytes copied.
1497	* - 0 if nothing was copied.
1498	* - -EINVAL if the linear address of the instruction could not be calculated
1499	*/
1500	int insn_fetch_from_user(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE])
1501	{
1502	unsigned long ip;
1503	int not_copied;
1504
1505	if (insn_get_effective_ip(regs, ip: &ip))
1506	return -EINVAL;
1507
1508	not_copied = copy_from_user(to: buf, from: (void __user *)ip, MAX_INSN_SIZE);
1509
1510	return MAX_INSN_SIZE - not_copied;
1511	}
1512
1513	/**
1514	* insn_fetch_from_user_inatomic() - Copy instruction bytes from user-space memory
1515	* while in atomic code
1516	* @regs: Structure with register values as seen when entering kernel mode
1517	* @buf: Array to store the fetched instruction
1518	*
1519	* Gets the linear address of the instruction and copies the instruction bytes
1520	* to the buf. This function must be used in atomic context.
1521	*
1522	* Returns:
1523	*
1524	* - number of instruction bytes copied.
1525	* - 0 if nothing was copied.
1526	* - -EINVAL if the linear address of the instruction could not be calculated.
1527	*/
1528	int insn_fetch_from_user_inatomic(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE])
1529	{
1530	unsigned long ip;
1531	int not_copied;
1532
1533	if (insn_get_effective_ip(regs, ip: &ip))
1534	return -EINVAL;
1535
1536	not_copied = __copy_from_user_inatomic(to: buf, from: (void __user *)ip, MAX_INSN_SIZE);
1537
1538	return MAX_INSN_SIZE - not_copied;
1539	}
1540
1541	/**
1542	* insn_decode_from_regs() - Decode an instruction
1543	* @insn: Structure to store decoded instruction
1544	* @regs: Structure with register values as seen when entering kernel mode
1545	* @buf: Buffer containing the instruction bytes
1546	* @buf_size: Number of instruction bytes available in buf
1547	*
1548	* Decodes the instruction provided in buf and stores the decoding results in
1549	* insn. Also determines the correct address and operand sizes.
1550	*
1551	* Returns:
1552	*
1553	* True if instruction was decoded, False otherwise.
1554	*/
1555	bool insn_decode_from_regs(struct insn *insn, struct pt_regs *regs,
1556	unsigned char buf[MAX_INSN_SIZE], int buf_size)
1557	{
1558	int seg_defs;
1559
1560	insn_init(insn, kaddr: buf, buf_len: buf_size, x86_64: user_64bit_mode(regs));
1561
1562	/*
1563	* Override the default operand and address sizes with what is specified
1564	* in the code segment descriptor. The instruction decoder only sets
1565	* the address size it to either 4 or 8 address bytes and does nothing
1566	* for the operand bytes. This OK for most of the cases, but we could
1567	* have special cases where, for instance, a 16-bit code segment
1568	* descriptor is used.
1569	* If there is an address override prefix, the instruction decoder
1570	* correctly updates these values, even for 16-bit defaults.
1571	*/
1572	seg_defs = insn_get_code_seg_params(regs);
1573	if (seg_defs == -EINVAL)
1574	return false;
1575
1576	insn->addr_bytes = INSN_CODE_SEG_ADDR_SZ(seg_defs);
1577	insn->opnd_bytes = INSN_CODE_SEG_OPND_SZ(seg_defs);
1578
1579	if (insn_get_length(insn))
1580	return false;
1581
1582	if (buf_size < insn->length)
1583	return false;
1584
1585	return true;
1586	}
1587
1588	/**
1589	* insn_decode_mmio() - Decode a MMIO instruction
1590	* @insn: Structure to store decoded instruction
1591	* @bytes: Returns size of memory operand
1592	*
1593	* Decodes instruction that used for Memory-mapped I/O.
1594	*
1595	* Returns:
1596	*
1597	* Type of the instruction. Size of the memory operand is stored in
1598	* @bytes. If decode failed, INSN_MMIO_DECODE_FAILED returned.
1599	*/
1600	enum insn_mmio_type insn_decode_mmio(struct insn *insn, int *bytes)
1601	{
1602	enum insn_mmio_type type = INSN_MMIO_DECODE_FAILED;
1603
1604	*bytes = 0;
1605
1606	if (insn_get_opcode(insn))
1607	return INSN_MMIO_DECODE_FAILED;
1608
1609	switch (insn->opcode.bytes[0]) {
1610	case 0x88: /* MOV m8,r8 */
1611	*bytes = 1;
1612	fallthrough;
1613	case 0x89: /* MOV m16/m32/m64, r16/m32/m64 */
1614	if (!*bytes)
1615	*bytes = insn->opnd_bytes;
1616	type = INSN_MMIO_WRITE;
1617	break;
1618
1619	case 0xc6: /* MOV m8, imm8 */
1620	*bytes = 1;
1621	fallthrough;
1622	case 0xc7: /* MOV m16/m32/m64, imm16/imm32/imm64 */
1623	if (!*bytes)
1624	*bytes = insn->opnd_bytes;
1625	type = INSN_MMIO_WRITE_IMM;
1626	break;
1627
1628	case 0x8a: /* MOV r8, m8 */
1629	*bytes = 1;
1630	fallthrough;
1631	case 0x8b: /* MOV r16/r32/r64, m16/m32/m64 */
1632	if (!*bytes)
1633	*bytes = insn->opnd_bytes;
1634	type = INSN_MMIO_READ;
1635	break;
1636
1637	case 0xa4: /* MOVS m8, m8 */
1638	*bytes = 1;
1639	fallthrough;
1640	case 0xa5: /* MOVS m16/m32/m64, m16/m32/m64 */
1641	if (!*bytes)
1642	*bytes = insn->opnd_bytes;
1643	type = INSN_MMIO_MOVS;
1644	break;
1645
1646	case 0x0f: /* Two-byte instruction */
1647	switch (insn->opcode.bytes[1]) {
1648	case 0xb6: /* MOVZX r16/r32/r64, m8 */
1649	*bytes = 1;
1650	fallthrough;
1651	case 0xb7: /* MOVZX r32/r64, m16 */
1652	if (!*bytes)
1653	*bytes = 2;
1654	type = INSN_MMIO_READ_ZERO_EXTEND;
1655	break;
1656
1657	case 0xbe: /* MOVSX r16/r32/r64, m8 */
1658	*bytes = 1;
1659	fallthrough;
1660	case 0xbf: /* MOVSX r32/r64, m16 */
1661	if (!*bytes)
1662	*bytes = 2;
1663	type = INSN_MMIO_READ_SIGN_EXTEND;
1664	break;
1665	}
1666	break;
1667	}
1668
1669	return type;
1670	}
1671