/*1* Utility functions for x86 operand and address decoding2*3* Copyright (C) Intel Corporation 20174*/5#include <linux/kernel.h>6#include <linux/string.h>7#include <linux/ratelimit.h>8#include <linux/mmu_context.h>9#include <asm/desc_defs.h>10#include <asm/desc.h>11#include <asm/inat.h>12#include <asm/insn.h>13#include <asm/insn-eval.h>14#include <asm/ldt.h>15#include <asm/msr.h>16#include <asm/vm86.h>1718#undef pr_fmt19#define pr_fmt(fmt) "insn: " fmt2021enum reg_type {22REG_TYPE_RM = 0,23REG_TYPE_REG,24REG_TYPE_INDEX,25REG_TYPE_BASE,26};2728/**29* is_string_insn() - Determine if instruction is a string instruction30* @insn: Instruction containing the opcode to inspect31*32* Returns:33*34* true if the instruction, determined by the opcode, is any of the35* string instructions as defined in the Intel Software Development manual.36* False otherwise.37*/38static bool is_string_insn(struct insn *insn)39{40/* All string instructions have a 1-byte opcode. */41if (insn->opcode.nbytes != 1)42return false;4344switch (insn->opcode.bytes[0]) {45case 0x6c ... 0x6f: /* INS, OUTS */46case 0xa4 ... 0xa7: /* MOVS, CMPS */47case 0xaa ... 0xaf: /* STOS, LODS, SCAS */48return true;49default:50return false;51}52}5354/**55* insn_has_rep_prefix() - Determine if instruction has a REP prefix56* @insn: Instruction containing the prefix to inspect57*58* Returns:59*60* true if the instruction has a REP prefix, false if not.61*/62bool insn_has_rep_prefix(struct insn *insn)63{64insn_byte_t p;65int i;6667insn_get_prefixes(insn);6869for_each_insn_prefix(insn, i, p) {70if (p == 0xf2 || p == 0xf3)71return true;72}7374return false;75}7677/**78* get_seg_reg_override_idx() - obtain segment register override index79* @insn: Valid instruction with segment override prefixes80*81* Inspect the instruction prefixes in @insn and find segment overrides, if any.82*83* Returns:84*85* A constant identifying the segment register to use, among CS, SS, DS,86* ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override87* prefixes were found.88*89* -EINVAL in case of error.90*/91static int get_seg_reg_override_idx(struct insn *insn)92{93int idx = INAT_SEG_REG_DEFAULT;94int num_overrides = 0, i;95insn_byte_t p;9697insn_get_prefixes(insn);9899/* Look for any segment override prefixes. */100for_each_insn_prefix(insn, i, p) {101insn_attr_t attr;102103attr = inat_get_opcode_attribute(p);104switch (attr) {105case INAT_MAKE_PREFIX(INAT_PFX_CS):106idx = INAT_SEG_REG_CS;107num_overrides++;108break;109case INAT_MAKE_PREFIX(INAT_PFX_SS):110idx = INAT_SEG_REG_SS;111num_overrides++;112break;113case INAT_MAKE_PREFIX(INAT_PFX_DS):114idx = INAT_SEG_REG_DS;115num_overrides++;116break;117case INAT_MAKE_PREFIX(INAT_PFX_ES):118idx = INAT_SEG_REG_ES;119num_overrides++;120break;121case INAT_MAKE_PREFIX(INAT_PFX_FS):122idx = INAT_SEG_REG_FS;123num_overrides++;124break;125case INAT_MAKE_PREFIX(INAT_PFX_GS):126idx = INAT_SEG_REG_GS;127num_overrides++;128break;129/* No default action needed. */130}131}132133/* More than one segment override prefix leads to undefined behavior. */134if (num_overrides > 1)135return -EINVAL;136137return idx;138}139140/**141* check_seg_overrides() - check if segment override prefixes are allowed142* @insn: Valid instruction with segment override prefixes143* @regoff: Operand offset, in pt_regs, for which the check is performed144*145* For a particular register used in register-indirect addressing, determine if146* segment override prefixes can be used. Specifically, no overrides are allowed147* for rDI if used with a string instruction.148*149* Returns:150*151* True if segment override prefixes can be used with the register indicated152* in @regoff. False if otherwise.153*/154static bool check_seg_overrides(struct insn *insn, int regoff)155{156if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn))157return false;158159return true;160}161162/**163* resolve_default_seg() - resolve default segment register index for an operand164* @insn: Instruction with opcode and address size. Must be valid.165* @regs: Register values as seen when entering kernel mode166* @off: Operand offset, in pt_regs, for which resolution is needed167*168* Resolve the default segment register index associated with the instruction169* operand register indicated by @off. Such index is resolved based on defaults170* described in the Intel Software Development Manual.171*172* Returns:173*174* If in protected mode, a constant identifying the segment register to use,175* among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE.176*177* -EINVAL in case of error.178*/179static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off)180{181if (any_64bit_mode(regs))182return INAT_SEG_REG_IGNORE;183/*184* Resolve the default segment register as described in Section 3.7.4185* of the Intel Software Development Manual Vol. 1:186*187* + DS for all references involving r[ABCD]X, and rSI.188* + If used in a string instruction, ES for rDI. Otherwise, DS.189* + AX, CX and DX are not valid register operands in 16-bit address190* encodings but are valid for 32-bit and 64-bit encodings.191* + -EDOM is reserved to identify for cases in which no register192* is used (i.e., displacement-only addressing). Use DS.193* + SS for rSP or rBP.194* + CS for rIP.195*/196197switch (off) {198case offsetof(struct pt_regs, ax):199case offsetof(struct pt_regs, cx):200case offsetof(struct pt_regs, dx):201/* Need insn to verify address size. */202if (insn->addr_bytes == 2)203return -EINVAL;204205fallthrough;206207case -EDOM:208case offsetof(struct pt_regs, bx):209case offsetof(struct pt_regs, si):210return INAT_SEG_REG_DS;211212case offsetof(struct pt_regs, di):213if (is_string_insn(insn))214return INAT_SEG_REG_ES;215return INAT_SEG_REG_DS;216217case offsetof(struct pt_regs, bp):218case offsetof(struct pt_regs, sp):219return INAT_SEG_REG_SS;220221case offsetof(struct pt_regs, ip):222return INAT_SEG_REG_CS;223224default:225return -EINVAL;226}227}228229/**230* resolve_seg_reg() - obtain segment register index231* @insn: Instruction with operands232* @regs: Register values as seen when entering kernel mode233* @regoff: Operand offset, in pt_regs, used to determine segment register234*235* Determine the segment register associated with the operands and, if236* applicable, prefixes and the instruction pointed by @insn.237*238* The segment register associated to an operand used in register-indirect239* addressing depends on:240*241* a) Whether running in long mode (in such a case segments are ignored, except242* if FS or GS are used).243*244* b) Whether segment override prefixes can be used. Certain instructions and245* registers do not allow override prefixes.246*247* c) Whether segment overrides prefixes are found in the instruction prefixes.248*249* d) If there are not segment override prefixes or they cannot be used, the250* default segment register associated with the operand register is used.251*252* The function checks first if segment override prefixes can be used with the253* operand indicated by @regoff. If allowed, obtain such overridden segment254* register index. Lastly, if not prefixes were found or cannot be used, resolve255* the segment register index to use based on the defaults described in the256* Intel documentation. In long mode, all segment register indexes will be257* ignored, except if overrides were found for FS or GS. All these operations258* are done using helper functions.259*260* The operand register, @regoff, is represented as the offset from the base of261* pt_regs.262*263* As stated, the main use of this function is to determine the segment register264* index based on the instruction, its operands and prefixes. Hence, @insn265* must be valid. However, if @regoff indicates rIP, we don't need to inspect266* @insn at all as in this case CS is used in all cases. This case is checked267* before proceeding further.268*269* Please note that this function does not return the value in the segment270* register (i.e., the segment selector) but our defined index. The segment271* selector needs to be obtained using get_segment_selector() and passing the272* segment register index resolved by this function.273*274* Returns:275*276* An index identifying the segment register to use, among CS, SS, DS,277* ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode.278*279* -EINVAL in case of error.280*/281static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff)282{283int idx;284285/*286* In the unlikely event of having to resolve the segment register287* index for rIP, do it first. Segment override prefixes should not288* be used. Hence, it is not necessary to inspect the instruction,289* which may be invalid at this point.290*/291if (regoff == offsetof(struct pt_regs, ip)) {292if (any_64bit_mode(regs))293return INAT_SEG_REG_IGNORE;294else295return INAT_SEG_REG_CS;296}297298if (!insn)299return -EINVAL;300301if (!check_seg_overrides(insn, regoff))302return resolve_default_seg(insn, regs, regoff);303304idx = get_seg_reg_override_idx(insn);305if (idx < 0)306return idx;307308if (idx == INAT_SEG_REG_DEFAULT)309return resolve_default_seg(insn, regs, regoff);310311/*312* In long mode, segment override prefixes are ignored, except for313* overrides for FS and GS.314*/315if (any_64bit_mode(regs)) {316if (idx != INAT_SEG_REG_FS &&317idx != INAT_SEG_REG_GS)318idx = INAT_SEG_REG_IGNORE;319}320321return idx;322}323324/**325* get_segment_selector() - obtain segment selector326* @regs: Register values as seen when entering kernel mode327* @seg_reg_idx: Segment register index to use328*329* Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment330* registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or331* kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained332* from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU333* registers. This done for only for completeness as in CONFIG_X86_64 segment334* registers are ignored.335*336* Returns:337*338* Value of the segment selector, including null when running in339* long mode.340*341* -EINVAL on error.342*/343static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx)344{345unsigned short sel;346347#ifdef CONFIG_X86_64348switch (seg_reg_idx) {349case INAT_SEG_REG_IGNORE:350return 0;351case INAT_SEG_REG_CS:352return (unsigned short)(regs->cs & 0xffff);353case INAT_SEG_REG_SS:354return (unsigned short)(regs->ss & 0xffff);355case INAT_SEG_REG_DS:356savesegment(ds, sel);357return sel;358case INAT_SEG_REG_ES:359savesegment(es, sel);360return sel;361case INAT_SEG_REG_FS:362savesegment(fs, sel);363return sel;364case INAT_SEG_REG_GS:365savesegment(gs, sel);366return sel;367default:368return -EINVAL;369}370#else /* CONFIG_X86_32 */371struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs;372373if (v8086_mode(regs)) {374switch (seg_reg_idx) {375case INAT_SEG_REG_CS:376return (unsigned short)(regs->cs & 0xffff);377case INAT_SEG_REG_SS:378return (unsigned short)(regs->ss & 0xffff);379case INAT_SEG_REG_DS:380return vm86regs->ds;381case INAT_SEG_REG_ES:382return vm86regs->es;383case INAT_SEG_REG_FS:384return vm86regs->fs;385case INAT_SEG_REG_GS:386return vm86regs->gs;387case INAT_SEG_REG_IGNORE:388default:389return -EINVAL;390}391}392393switch (seg_reg_idx) {394case INAT_SEG_REG_CS:395return (unsigned short)(regs->cs & 0xffff);396case INAT_SEG_REG_SS:397return (unsigned short)(regs->ss & 0xffff);398case INAT_SEG_REG_DS:399return (unsigned short)(regs->ds & 0xffff);400case INAT_SEG_REG_ES:401return (unsigned short)(regs->es & 0xffff);402case INAT_SEG_REG_FS:403return (unsigned short)(regs->fs & 0xffff);404case INAT_SEG_REG_GS:405savesegment(gs, sel);406return sel;407case INAT_SEG_REG_IGNORE:408default:409return -EINVAL;410}411#endif /* CONFIG_X86_64 */412}413414static const int pt_regoff[] = {415offsetof(struct pt_regs, ax),416offsetof(struct pt_regs, cx),417offsetof(struct pt_regs, dx),418offsetof(struct pt_regs, bx),419offsetof(struct pt_regs, sp),420offsetof(struct pt_regs, bp),421offsetof(struct pt_regs, si),422offsetof(struct pt_regs, di),423#ifdef CONFIG_X86_64424offsetof(struct pt_regs, r8),425offsetof(struct pt_regs, r9),426offsetof(struct pt_regs, r10),427offsetof(struct pt_regs, r11),428offsetof(struct pt_regs, r12),429offsetof(struct pt_regs, r13),430offsetof(struct pt_regs, r14),431offsetof(struct pt_regs, r15),432#else433offsetof(struct pt_regs, ds),434offsetof(struct pt_regs, es),435offsetof(struct pt_regs, fs),436offsetof(struct pt_regs, gs),437#endif438};439440int pt_regs_offset(struct pt_regs *regs, int regno)441{442if ((unsigned)regno < ARRAY_SIZE(pt_regoff))443return pt_regoff[regno];444return -EDOM;445}446447static int get_regno(struct insn *insn, enum reg_type type)448{449int nr_registers = ARRAY_SIZE(pt_regoff);450int regno = 0;451452/*453* Don't possibly decode a 32-bit instructions as454* reading a 64-bit-only register.455*/456if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64)457nr_registers -= 8;458459switch (type) {460case REG_TYPE_RM:461regno = X86_MODRM_RM(insn->modrm.value);462463/*464* ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement465* follows the ModRM byte.466*/467if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)468return -EDOM;469470if (X86_REX_B(insn->rex_prefix.value))471regno += 8;472break;473474case REG_TYPE_REG:475regno = X86_MODRM_REG(insn->modrm.value);476477if (X86_REX_R(insn->rex_prefix.value))478regno += 8;479break;480481case REG_TYPE_INDEX:482regno = X86_SIB_INDEX(insn->sib.value);483if (X86_REX_X(insn->rex_prefix.value))484regno += 8;485486/*487* If ModRM.mod != 3 and SIB.index = 4 the scale*index488* portion of the address computation is null. This is489* true only if REX.X is 0. In such a case, the SIB index490* is used in the address computation.491*/492if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4)493return -EDOM;494break;495496case REG_TYPE_BASE:497regno = X86_SIB_BASE(insn->sib.value);498/*499* If ModRM.mod is 0 and SIB.base == 5, the base of the500* register-indirect addressing is 0. In this case, a501* 32-bit displacement follows the SIB byte.502*/503if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)504return -EDOM;505506if (X86_REX_B(insn->rex_prefix.value))507regno += 8;508break;509510default:511pr_err_ratelimited("invalid register type: %d\n", type);512return -EINVAL;513}514515if (regno >= nr_registers) {516WARN_ONCE(1, "decoded an instruction with an invalid register");517return -EINVAL;518}519return regno;520}521522static int get_reg_offset(struct insn *insn, struct pt_regs *regs,523enum reg_type type)524{525int regno = get_regno(insn, type);526527if (regno < 0)528return regno;529530return pt_regs_offset(regs, regno);531}532533/**534* get_reg_offset_16() - Obtain offset of register indicated by instruction535* @insn: Instruction containing ModRM byte536* @regs: Register values as seen when entering kernel mode537* @offs1: Offset of the first operand register538* @offs2: Offset of the second operand register, if applicable539*540* Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte541* in @insn. This function is to be used with 16-bit address encodings. The542* @offs1 and @offs2 will be written with the offset of the two registers543* indicated by the instruction. In cases where any of the registers is not544* referenced by the instruction, the value will be set to -EDOM.545*546* Returns:547*548* 0 on success, -EINVAL on error.549*/550static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs,551int *offs1, int *offs2)552{553/*554* 16-bit addressing can use one or two registers. Specifics of555* encodings are given in Table 2-1. "16-Bit Addressing Forms with the556* ModR/M Byte" of the Intel Software Development Manual.557*/558static const int regoff1[] = {559offsetof(struct pt_regs, bx),560offsetof(struct pt_regs, bx),561offsetof(struct pt_regs, bp),562offsetof(struct pt_regs, bp),563offsetof(struct pt_regs, si),564offsetof(struct pt_regs, di),565offsetof(struct pt_regs, bp),566offsetof(struct pt_regs, bx),567};568569static const int regoff2[] = {570offsetof(struct pt_regs, si),571offsetof(struct pt_regs, di),572offsetof(struct pt_regs, si),573offsetof(struct pt_regs, di),574-EDOM,575-EDOM,576-EDOM,577-EDOM,578};579580if (!offs1 || !offs2)581return -EINVAL;582583/* Operand is a register, use the generic function. */584if (X86_MODRM_MOD(insn->modrm.value) == 3) {585*offs1 = insn_get_modrm_rm_off(insn, regs);586*offs2 = -EDOM;587return 0;588}589590*offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)];591*offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)];592593/*594* If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement-595* only addressing. This means that no registers are involved in596* computing the effective address. Thus, ensure that the first597* register offset is invalid. The second register offset is already598* invalid under the aforementioned conditions.599*/600if ((X86_MODRM_MOD(insn->modrm.value) == 0) &&601(X86_MODRM_RM(insn->modrm.value) == 6))602*offs1 = -EDOM;603604return 0;605}606607/**608* get_desc() - Obtain contents of a segment descriptor609* @out: Segment descriptor contents on success610* @sel: Segment selector611*612* Given a segment selector, obtain a pointer to the segment descriptor.613* Both global and local descriptor tables are supported.614*615* Returns:616*617* True on success, false on failure.618*619* NULL on error.620*/621static bool get_desc(struct desc_struct *out, unsigned short sel)622{623struct desc_ptr gdt_desc = {0, 0};624unsigned long desc_base;625626#ifdef CONFIG_MODIFY_LDT_SYSCALL627if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) {628bool success = false;629struct ldt_struct *ldt;630631/* Bits [15:3] contain the index of the desired entry. */632sel >>= 3;633634/*635* If we're not in a valid context with a real (not just lazy)636* user mm, then don't even try.637*/638if (!nmi_uaccess_okay())639return false;640641mutex_lock(¤t->mm->context.lock);642ldt = current->mm->context.ldt;643if (ldt && sel < ldt->nr_entries) {644*out = ldt->entries[sel];645success = true;646}647648mutex_unlock(¤t->mm->context.lock);649650return success;651}652#endif653native_store_gdt(&gdt_desc);654655/*656* Segment descriptors have a size of 8 bytes. Thus, the index is657* multiplied by 8 to obtain the memory offset of the desired descriptor658* from the base of the GDT. As bits [15:3] of the segment selector659* contain the index, it can be regarded as multiplied by 8 already.660* All that remains is to clear bits [2:0].661*/662desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK);663664if (desc_base > gdt_desc.size)665return false;666667*out = *(struct desc_struct *)(gdt_desc.address + desc_base);668return true;669}670671/**672* insn_get_seg_base() - Obtain base address of segment descriptor.673* @regs: Register values as seen when entering kernel mode674* @seg_reg_idx: Index of the segment register pointing to seg descriptor675*676* Obtain the base address of the segment as indicated by the segment descriptor677* pointed by the segment selector. The segment selector is obtained from the678* input segment register index @seg_reg_idx.679*680* Returns:681*682* In protected mode, base address of the segment. Zero in long mode,683* except when FS or GS are used. In virtual-8086 mode, the segment684* selector shifted 4 bits to the right.685*686* -1L in case of error.687*/688unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx)689{690struct desc_struct desc;691short sel;692693sel = get_segment_selector(regs, seg_reg_idx);694if (sel < 0)695return -1L;696697if (v8086_mode(regs))698/*699* Base is simply the segment selector shifted 4700* bits to the right.701*/702return (unsigned long)(sel << 4);703704if (any_64bit_mode(regs)) {705/*706* Only FS or GS will have a base address, the rest of707* the segments' bases are forced to 0.708*/709unsigned long base;710711if (seg_reg_idx == INAT_SEG_REG_FS) {712rdmsrq(MSR_FS_BASE, base);713} else if (seg_reg_idx == INAT_SEG_REG_GS) {714/*715* swapgs was called at the kernel entry point. Thus,716* MSR_KERNEL_GS_BASE will have the user-space GS base.717*/718if (user_mode(regs))719rdmsrq(MSR_KERNEL_GS_BASE, base);720else721rdmsrq(MSR_GS_BASE, base);722} else {723base = 0;724}725return base;726}727728/* In protected mode the segment selector cannot be null. */729if (!sel)730return -1L;731732if (!get_desc(&desc, sel))733return -1L;734735return get_desc_base(&desc);736}737738/**739* get_seg_limit() - Obtain the limit of a segment descriptor740* @regs: Register values as seen when entering kernel mode741* @seg_reg_idx: Index of the segment register pointing to seg descriptor742*743* Obtain the limit of the segment as indicated by the segment descriptor744* pointed by the segment selector. The segment selector is obtained from the745* input segment register index @seg_reg_idx.746*747* Returns:748*749* In protected mode, the limit of the segment descriptor in bytes.750* In long mode and virtual-8086 mode, segment limits are not enforced. Thus,751* limit is returned as -1L to imply a limit-less segment.752*753* Zero is returned on error.754*/755static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx)756{757struct desc_struct desc;758unsigned long limit;759short sel;760761sel = get_segment_selector(regs, seg_reg_idx);762if (sel < 0)763return 0;764765if (any_64bit_mode(regs) || v8086_mode(regs))766return -1L;767768if (!sel)769return 0;770771if (!get_desc(&desc, sel))772return 0;773774/*775* If the granularity bit is set, the limit is given in multiples776* of 4096. This also means that the 12 least significant bits are777* not tested when checking the segment limits. In practice,778* this means that the segment ends in (limit << 12) + 0xfff.779*/780limit = get_desc_limit(&desc);781if (desc.g)782limit = (limit << 12) + 0xfff;783784return limit;785}786787/**788* insn_get_code_seg_params() - Obtain code segment parameters789* @regs: Structure with register values as seen when entering kernel mode790*791* Obtain address and operand sizes of the code segment. It is obtained from the792* selector contained in the CS register in regs. In protected mode, the default793* address is determined by inspecting the L and D bits of the segment794* descriptor. In virtual-8086 mode, the default is always two bytes for both795* address and operand sizes.796*797* Returns:798*799* An int containing ORed-in default parameters on success.800*801* -EINVAL on error.802*/803int insn_get_code_seg_params(struct pt_regs *regs)804{805struct desc_struct desc;806short sel;807808if (v8086_mode(regs))809/* Address and operand size are both 16-bit. */810return INSN_CODE_SEG_PARAMS(2, 2);811812sel = get_segment_selector(regs, INAT_SEG_REG_CS);813if (sel < 0)814return sel;815816if (!get_desc(&desc, sel))817return -EINVAL;818819/*820* The most significant byte of the Type field of the segment descriptor821* determines whether a segment contains data or code. If this is a data822* segment, return error.823*/824if (!(desc.type & BIT(3)))825return -EINVAL;826827switch ((desc.l << 1) | desc.d) {828case 0: /*829* Legacy mode. CS.L=0, CS.D=0. Address and operand size are830* both 16-bit.831*/832return INSN_CODE_SEG_PARAMS(2, 2);833case 1: /*834* Legacy mode. CS.L=0, CS.D=1. Address and operand size are835* both 32-bit.836*/837return INSN_CODE_SEG_PARAMS(4, 4);838case 2: /*839* IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit;840* operand size is 32-bit.841*/842return INSN_CODE_SEG_PARAMS(4, 8);843case 3: /* Invalid setting. CS.L=1, CS.D=1 */844fallthrough;845default:846return -EINVAL;847}848}849850/**851* insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte852* @insn: Instruction containing the ModRM byte853* @regs: Register values as seen when entering kernel mode854*855* Returns:856*857* The register indicated by the r/m part of the ModRM byte. The858* register is obtained as an offset from the base of pt_regs. In specific859* cases, the returned value can be -EDOM to indicate that the particular value860* of ModRM does not refer to a register and shall be ignored.861*/862int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs)863{864return get_reg_offset(insn, regs, REG_TYPE_RM);865}866867/**868* insn_get_modrm_reg_off() - Obtain register in reg part of the ModRM byte869* @insn: Instruction containing the ModRM byte870* @regs: Register values as seen when entering kernel mode871*872* Returns:873*874* The register indicated by the reg part of the ModRM byte. The875* register is obtained as an offset from the base of pt_regs.876*/877int insn_get_modrm_reg_off(struct insn *insn, struct pt_regs *regs)878{879return get_reg_offset(insn, regs, REG_TYPE_REG);880}881882/**883* insn_get_modrm_reg_ptr() - Obtain register pointer based on ModRM byte884* @insn: Instruction containing the ModRM byte885* @regs: Register values as seen when entering kernel mode886*887* Returns:888*889* The register indicated by the reg part of the ModRM byte.890* The register is obtained as a pointer within pt_regs.891*/892unsigned long *insn_get_modrm_reg_ptr(struct insn *insn, struct pt_regs *regs)893{894int offset;895896offset = insn_get_modrm_reg_off(insn, regs);897if (offset < 0)898return NULL;899return (void *)regs + offset;900}901902/**903* get_seg_base_limit() - obtain base address and limit of a segment904* @insn: Instruction. Must be valid.905* @regs: Register values as seen when entering kernel mode906* @regoff: Operand offset, in pt_regs, used to resolve segment descriptor907* @base: Obtained segment base908* @limit: Obtained segment limit909*910* Obtain the base address and limit of the segment associated with the operand911* @regoff and, if any or allowed, override prefixes in @insn. This function is912* different from insn_get_seg_base() as the latter does not resolve the segment913* associated with the instruction operand. If a limit is not needed (e.g.,914* when running in long mode), @limit can be NULL.915*916* Returns:917*918* 0 on success. @base and @limit will contain the base address and of the919* resolved segment, respectively.920*921* -EINVAL on error.922*/923static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs,924int regoff, unsigned long *base,925unsigned long *limit)926{927int seg_reg_idx;928929if (!base)930return -EINVAL;931932seg_reg_idx = resolve_seg_reg(insn, regs, regoff);933if (seg_reg_idx < 0)934return seg_reg_idx;935936*base = insn_get_seg_base(regs, seg_reg_idx);937if (*base == -1L)938return -EINVAL;939940if (!limit)941return 0;942943*limit = get_seg_limit(regs, seg_reg_idx);944if (!(*limit))945return -EINVAL;946947return 0;948}949950/**951* get_eff_addr_reg() - Obtain effective address from register operand952* @insn: Instruction. Must be valid.953* @regs: Register values as seen when entering kernel mode954* @regoff: Obtained operand offset, in pt_regs, with the effective address955* @eff_addr: Obtained effective address956*957* Obtain the effective address stored in the register operand as indicated by958* the ModRM byte. This function is to be used only with register addressing959* (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The960* register operand, as an offset from the base of pt_regs, is saved in @regoff;961* such offset can then be used to resolve the segment associated with the962* operand. This function can be used with any of the supported address sizes963* in x86.964*965* Returns:966*967* 0 on success. @eff_addr will have the effective address stored in the968* operand indicated by ModRM. @regoff will have such operand as an offset from969* the base of pt_regs.970*971* -EINVAL on error.972*/973static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs,974int *regoff, long *eff_addr)975{976int ret;977978ret = insn_get_modrm(insn);979if (ret)980return ret;981982if (X86_MODRM_MOD(insn->modrm.value) != 3)983return -EINVAL;984985*regoff = get_reg_offset(insn, regs, REG_TYPE_RM);986if (*regoff < 0)987return -EINVAL;988989/* Ignore bytes that are outside the address size. */990if (insn->addr_bytes == 2)991*eff_addr = regs_get_register(regs, *regoff) & 0xffff;992else if (insn->addr_bytes == 4)993*eff_addr = regs_get_register(regs, *regoff) & 0xffffffff;994else /* 64-bit address */995*eff_addr = regs_get_register(regs, *regoff);996997return 0;998}9991000/**1001* get_eff_addr_modrm() - Obtain referenced effective address via ModRM1002* @insn: Instruction. Must be valid.1003* @regs: Register values as seen when entering kernel mode1004* @regoff: Obtained operand offset, in pt_regs, associated with segment1005* @eff_addr: Obtained effective address1006*1007* Obtain the effective address referenced by the ModRM byte of @insn. After1008* identifying the registers involved in the register-indirect memory reference,1009* its value is obtained from the operands in @regs. The computed address is1010* stored @eff_addr. Also, the register operand that indicates the associated1011* segment is stored in @regoff, this parameter can later be used to determine1012* such segment.1013*1014* Returns:1015*1016* 0 on success. @eff_addr will have the referenced effective address. @regoff1017* will have a register, as an offset from the base of pt_regs, that can be used1018* to resolve the associated segment.1019*1020* -EINVAL on error.1021*/1022static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs,1023int *regoff, long *eff_addr)1024{1025long tmp;1026int ret;10271028if (insn->addr_bytes != 8 && insn->addr_bytes != 4)1029return -EINVAL;10301031ret = insn_get_modrm(insn);1032if (ret)1033return ret;10341035if (X86_MODRM_MOD(insn->modrm.value) > 2)1036return -EINVAL;10371038*regoff = get_reg_offset(insn, regs, REG_TYPE_RM);10391040/*1041* -EDOM means that we must ignore the address_offset. In such a case,1042* in 64-bit mode the effective address relative to the rIP of the1043* following instruction.1044*/1045if (*regoff == -EDOM) {1046if (any_64bit_mode(regs))1047tmp = regs->ip + insn->length;1048else1049tmp = 0;1050} else if (*regoff < 0) {1051return -EINVAL;1052} else {1053tmp = regs_get_register(regs, *regoff);1054}10551056if (insn->addr_bytes == 4) {1057int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value;10581059*eff_addr = addr32 & 0xffffffff;1060} else {1061*eff_addr = tmp + insn->displacement.value;1062}10631064return 0;1065}10661067/**1068* get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM1069* @insn: Instruction. Must be valid.1070* @regs: Register values as seen when entering kernel mode1071* @regoff: Obtained operand offset, in pt_regs, associated with segment1072* @eff_addr: Obtained effective address1073*1074* Obtain the 16-bit effective address referenced by the ModRM byte of @insn.1075* After identifying the registers involved in the register-indirect memory1076* reference, its value is obtained from the operands in @regs. The computed1077* address is stored @eff_addr. Also, the register operand that indicates1078* the associated segment is stored in @regoff, this parameter can later be used1079* to determine such segment.1080*1081* Returns:1082*1083* 0 on success. @eff_addr will have the referenced effective address. @regoff1084* will have a register, as an offset from the base of pt_regs, that can be used1085* to resolve the associated segment.1086*1087* -EINVAL on error.1088*/1089static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs,1090int *regoff, short *eff_addr)1091{1092int addr_offset1, addr_offset2, ret;1093short addr1 = 0, addr2 = 0, displacement;10941095if (insn->addr_bytes != 2)1096return -EINVAL;10971098insn_get_modrm(insn);10991100if (!insn->modrm.nbytes)1101return -EINVAL;11021103if (X86_MODRM_MOD(insn->modrm.value) > 2)1104return -EINVAL;11051106ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2);1107if (ret < 0)1108return -EINVAL;11091110/*1111* Don't fail on invalid offset values. They might be invalid because1112* they cannot be used for this particular value of ModRM. Instead, use1113* them in the computation only if they contain a valid value.1114*/1115if (addr_offset1 != -EDOM)1116addr1 = regs_get_register(regs, addr_offset1) & 0xffff;11171118if (addr_offset2 != -EDOM)1119addr2 = regs_get_register(regs, addr_offset2) & 0xffff;11201121displacement = insn->displacement.value & 0xffff;1122*eff_addr = addr1 + addr2 + displacement;11231124/*1125* The first operand register could indicate to use of either SS or DS1126* registers to obtain the segment selector. The second operand1127* register can only indicate the use of DS. Thus, the first operand1128* will be used to obtain the segment selector.1129*/1130*regoff = addr_offset1;11311132return 0;1133}11341135/**1136* get_eff_addr_sib() - Obtain referenced effective address via SIB1137* @insn: Instruction. Must be valid.1138* @regs: Register values as seen when entering kernel mode1139* @base_offset: Obtained operand offset, in pt_regs, associated with segment1140* @eff_addr: Obtained effective address1141*1142* Obtain the effective address referenced by the SIB byte of @insn. After1143* identifying the registers involved in the indexed, register-indirect memory1144* reference, its value is obtained from the operands in @regs. The computed1145* address is stored @eff_addr. Also, the register operand that indicates the1146* associated segment is stored in @base_offset; this parameter can later be1147* used to determine such segment.1148*1149* Returns:1150*1151* 0 on success. @eff_addr will have the referenced effective address.1152* @base_offset will have a register, as an offset from the base of pt_regs,1153* that can be used to resolve the associated segment.1154*1155* Negative value on error.1156*/1157static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs,1158int *base_offset, long *eff_addr)1159{1160long base, indx;1161int indx_offset;1162int ret;11631164if (insn->addr_bytes != 8 && insn->addr_bytes != 4)1165return -EINVAL;11661167ret = insn_get_modrm(insn);1168if (ret)1169return ret;11701171if (!insn->modrm.nbytes)1172return -EINVAL;11731174if (X86_MODRM_MOD(insn->modrm.value) > 2)1175return -EINVAL;11761177ret = insn_get_sib(insn);1178if (ret)1179return ret;11801181if (!insn->sib.nbytes)1182return -EINVAL;11831184*base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE);1185indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX);11861187/*1188* Negative values in the base and index offset means an error when1189* decoding the SIB byte. Except -EDOM, which means that the registers1190* should not be used in the address computation.1191*/1192if (*base_offset == -EDOM)1193base = 0;1194else if (*base_offset < 0)1195return -EINVAL;1196else1197base = regs_get_register(regs, *base_offset);11981199if (indx_offset == -EDOM)1200indx = 0;1201else if (indx_offset < 0)1202return -EINVAL;1203else1204indx = regs_get_register(regs, indx_offset);12051206if (insn->addr_bytes == 4) {1207int addr32, base32, idx32;12081209base32 = base & 0xffffffff;1210idx32 = indx & 0xffffffff;12111212addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value));1213addr32 += insn->displacement.value;12141215*eff_addr = addr32 & 0xffffffff;1216} else {1217*eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value));1218*eff_addr += insn->displacement.value;1219}12201221return 0;1222}12231224/**1225* get_addr_ref_16() - Obtain the 16-bit address referred by instruction1226* @insn: Instruction containing ModRM byte and displacement1227* @regs: Register values as seen when entering kernel mode1228*1229* This function is to be used with 16-bit address encodings. Obtain the memory1230* address referred by the instruction's ModRM and displacement bytes. Also, the1231* segment used as base is determined by either any segment override prefixes in1232* @insn or the default segment of the registers involved in the address1233* computation. In protected mode, segment limits are enforced.1234*1235* Returns:1236*1237* Linear address referenced by the instruction operands on success.1238*1239* -1L on error.1240*/1241static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs)1242{1243unsigned long linear_addr = -1L, seg_base, seg_limit;1244int ret, regoff;1245short eff_addr;1246long tmp;12471248if (insn_get_displacement(insn))1249goto out;12501251if (insn->addr_bytes != 2)1252goto out;12531254if (X86_MODRM_MOD(insn->modrm.value) == 3) {1255ret = get_eff_addr_reg(insn, regs, ®off, &tmp);1256if (ret)1257goto out;12581259eff_addr = tmp;1260} else {1261ret = get_eff_addr_modrm_16(insn, regs, ®off, &eff_addr);1262if (ret)1263goto out;1264}12651266ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);1267if (ret)1268goto out;12691270/*1271* Before computing the linear address, make sure the effective address1272* is within the limits of the segment. In virtual-8086 mode, segment1273* limits are not enforced. In such a case, the segment limit is -1L to1274* reflect this fact.1275*/1276if ((unsigned long)(eff_addr & 0xffff) > seg_limit)1277goto out;12781279linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base;12801281/* Limit linear address to 20 bits */1282if (v8086_mode(regs))1283linear_addr &= 0xfffff;12841285out:1286return (void __user *)linear_addr;1287}12881289/**1290* get_addr_ref_32() - Obtain a 32-bit linear address1291* @insn: Instruction with ModRM, SIB bytes and displacement1292* @regs: Register values as seen when entering kernel mode1293*1294* This function is to be used with 32-bit address encodings to obtain the1295* linear memory address referred by the instruction's ModRM, SIB,1296* displacement bytes and segment base address, as applicable. If in protected1297* mode, segment limits are enforced.1298*1299* Returns:1300*1301* Linear address referenced by instruction and registers on success.1302*1303* -1L on error.1304*/1305static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs)1306{1307unsigned long linear_addr = -1L, seg_base, seg_limit;1308int eff_addr, regoff;1309long tmp;1310int ret;13111312if (insn->addr_bytes != 4)1313goto out;13141315if (X86_MODRM_MOD(insn->modrm.value) == 3) {1316ret = get_eff_addr_reg(insn, regs, ®off, &tmp);1317if (ret)1318goto out;13191320eff_addr = tmp;13211322} else {1323if (insn->sib.nbytes) {1324ret = get_eff_addr_sib(insn, regs, ®off, &tmp);1325if (ret)1326goto out;13271328eff_addr = tmp;1329} else {1330ret = get_eff_addr_modrm(insn, regs, ®off, &tmp);1331if (ret)1332goto out;13331334eff_addr = tmp;1335}1336}13371338ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);1339if (ret)1340goto out;13411342/*1343* In protected mode, before computing the linear address, make sure1344* the effective address is within the limits of the segment.1345* 32-bit addresses can be used in long and virtual-8086 modes if an1346* address override prefix is used. In such cases, segment limits are1347* not enforced. When in virtual-8086 mode, the segment limit is -1L1348* to reflect this situation.1349*1350* After computed, the effective address is treated as an unsigned1351* quantity.1352*/1353if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit))1354goto out;13551356/*1357* Even though 32-bit address encodings are allowed in virtual-80861358* mode, the address range is still limited to [0x-0xffff].1359*/1360if (v8086_mode(regs) && (eff_addr & ~0xffff))1361goto out;13621363/*1364* Data type long could be 64 bits in size. Ensure that our 32-bit1365* effective address is not sign-extended when computing the linear1366* address.1367*/1368linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base;13691370/* Limit linear address to 20 bits */1371if (v8086_mode(regs))1372linear_addr &= 0xfffff;13731374out:1375return (void __user *)linear_addr;1376}13771378/**1379* get_addr_ref_64() - Obtain a 64-bit linear address1380* @insn: Instruction struct with ModRM and SIB bytes and displacement1381* @regs: Structure with register values as seen when entering kernel mode1382*1383* This function is to be used with 64-bit address encodings to obtain the1384* linear memory address referred by the instruction's ModRM, SIB,1385* displacement bytes and segment base address, as applicable.1386*1387* Returns:1388*1389* Linear address referenced by instruction and registers on success.1390*1391* -1L on error.1392*/1393#ifndef CONFIG_X86_641394static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)1395{1396return (void __user *)-1L;1397}1398#else1399static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)1400{1401unsigned long linear_addr = -1L, seg_base;1402int regoff, ret;1403long eff_addr;14041405if (insn->addr_bytes != 8)1406goto out;14071408if (X86_MODRM_MOD(insn->modrm.value) == 3) {1409ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr);1410if (ret)1411goto out;14121413} else {1414if (insn->sib.nbytes) {1415ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr);1416if (ret)1417goto out;1418} else {1419ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr);1420if (ret)1421goto out;1422}14231424}14251426ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL);1427if (ret)1428goto out;14291430linear_addr = (unsigned long)eff_addr + seg_base;14311432out:1433return (void __user *)linear_addr;1434}1435#endif /* CONFIG_X86_64 */14361437/**1438* insn_get_addr_ref() - Obtain the linear address referred by instruction1439* @insn: Instruction structure containing ModRM byte and displacement1440* @regs: Structure with register values as seen when entering kernel mode1441*1442* Obtain the linear address referred by the instruction's ModRM, SIB and1443* displacement bytes, and segment base, as applicable. In protected mode,1444* segment limits are enforced.1445*1446* Returns:1447*1448* Linear address referenced by instruction and registers on success.1449*1450* -1L on error.1451*/1452void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs)1453{1454if (!insn || !regs)1455return (void __user *)-1L;14561457if (insn_get_opcode(insn))1458return (void __user *)-1L;14591460switch (insn->addr_bytes) {1461case 2:1462return get_addr_ref_16(insn, regs);1463case 4:1464return get_addr_ref_32(insn, regs);1465case 8:1466return get_addr_ref_64(insn, regs);1467default:1468return (void __user *)-1L;1469}1470}14711472int insn_get_effective_ip(struct pt_regs *regs, unsigned long *ip)1473{1474unsigned long seg_base = 0;14751476/*1477* If not in user-space long mode, a custom code segment could be in1478* use. This is true in protected mode (if the process defined a local1479* descriptor table), or virtual-8086 mode. In most of the cases1480* seg_base will be zero as in USER_CS.1481*/1482if (!user_64bit_mode(regs)) {1483seg_base = insn_get_seg_base(regs, INAT_SEG_REG_CS);1484if (seg_base == -1L)1485return -EINVAL;1486}14871488*ip = seg_base + regs->ip;14891490return 0;1491}14921493/**1494* insn_fetch_from_user() - Copy instruction bytes from user-space memory1495* @regs: Structure with register values as seen when entering kernel mode1496* @buf: Array to store the fetched instruction1497*1498* Gets the linear address of the instruction and copies the instruction bytes1499* to the buf.1500*1501* Returns:1502*1503* - number of instruction bytes copied.1504* - 0 if nothing was copied.1505* - -EINVAL if the linear address of the instruction could not be calculated1506*/1507int insn_fetch_from_user(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE])1508{1509unsigned long ip;1510int not_copied;15111512if (insn_get_effective_ip(regs, &ip))1513return -EINVAL;15141515not_copied = copy_from_user(buf, (void __user *)ip, MAX_INSN_SIZE);15161517return MAX_INSN_SIZE - not_copied;1518}15191520/**1521* insn_fetch_from_user_inatomic() - Copy instruction bytes from user-space memory1522* while in atomic code1523* @regs: Structure with register values as seen when entering kernel mode1524* @buf: Array to store the fetched instruction1525*1526* Gets the linear address of the instruction and copies the instruction bytes1527* to the buf. This function must be used in atomic context.1528*1529* Returns:1530*1531* - number of instruction bytes copied.1532* - 0 if nothing was copied.1533* - -EINVAL if the linear address of the instruction could not be calculated.1534*/1535int insn_fetch_from_user_inatomic(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE])1536{1537unsigned long ip;1538int not_copied;15391540if (insn_get_effective_ip(regs, &ip))1541return -EINVAL;15421543not_copied = __copy_from_user_inatomic(buf, (void __user *)ip, MAX_INSN_SIZE);15441545return MAX_INSN_SIZE - not_copied;1546}15471548/**1549* insn_decode_from_regs() - Decode an instruction1550* @insn: Structure to store decoded instruction1551* @regs: Structure with register values as seen when entering kernel mode1552* @buf: Buffer containing the instruction bytes1553* @buf_size: Number of instruction bytes available in buf1554*1555* Decodes the instruction provided in buf and stores the decoding results in1556* insn. Also determines the correct address and operand sizes.1557*1558* Returns:1559*1560* True if instruction was decoded, False otherwise.1561*/1562bool insn_decode_from_regs(struct insn *insn, struct pt_regs *regs,1563unsigned char buf[MAX_INSN_SIZE], int buf_size)1564{1565int seg_defs;15661567insn_init(insn, buf, buf_size, user_64bit_mode(regs));15681569/*1570* Override the default operand and address sizes with what is specified1571* in the code segment descriptor. The instruction decoder only sets1572* the address size it to either 4 or 8 address bytes and does nothing1573* for the operand bytes. This OK for most of the cases, but we could1574* have special cases where, for instance, a 16-bit code segment1575* descriptor is used.1576* If there is an address override prefix, the instruction decoder1577* correctly updates these values, even for 16-bit defaults.1578*/1579seg_defs = insn_get_code_seg_params(regs);1580if (seg_defs == -EINVAL)1581return false;15821583insn->addr_bytes = INSN_CODE_SEG_ADDR_SZ(seg_defs);1584insn->opnd_bytes = INSN_CODE_SEG_OPND_SZ(seg_defs);15851586if (insn_get_length(insn))1587return false;15881589if (buf_size < insn->length)1590return false;15911592return true;1593}15941595/**1596* insn_decode_mmio() - Decode a MMIO instruction1597* @insn: Structure to store decoded instruction1598* @bytes: Returns size of memory operand1599*1600* Decodes instruction that used for Memory-mapped I/O.1601*1602* Returns:1603*1604* Type of the instruction. Size of the memory operand is stored in1605* @bytes. If decode failed, INSN_MMIO_DECODE_FAILED returned.1606*/1607enum insn_mmio_type insn_decode_mmio(struct insn *insn, int *bytes)1608{1609enum insn_mmio_type type = INSN_MMIO_DECODE_FAILED;16101611*bytes = 0;16121613if (insn_get_opcode(insn))1614return INSN_MMIO_DECODE_FAILED;16151616switch (insn->opcode.bytes[0]) {1617case 0x88: /* MOV m8,r8 */1618*bytes = 1;1619fallthrough;1620case 0x89: /* MOV m16/m32/m64, r16/m32/m64 */1621if (!*bytes)1622*bytes = insn->opnd_bytes;1623type = INSN_MMIO_WRITE;1624break;16251626case 0xc6: /* MOV m8, imm8 */1627*bytes = 1;1628fallthrough;1629case 0xc7: /* MOV m16/m32/m64, imm16/imm32/imm64 */1630if (!*bytes)1631*bytes = insn->opnd_bytes;1632type = INSN_MMIO_WRITE_IMM;1633break;16341635case 0x8a: /* MOV r8, m8 */1636*bytes = 1;1637fallthrough;1638case 0x8b: /* MOV r16/r32/r64, m16/m32/m64 */1639if (!*bytes)1640*bytes = insn->opnd_bytes;1641type = INSN_MMIO_READ;1642break;16431644case 0xa4: /* MOVS m8, m8 */1645*bytes = 1;1646fallthrough;1647case 0xa5: /* MOVS m16/m32/m64, m16/m32/m64 */1648if (!*bytes)1649*bytes = insn->opnd_bytes;1650type = INSN_MMIO_MOVS;1651break;16521653case 0x0f: /* Two-byte instruction */1654switch (insn->opcode.bytes[1]) {1655case 0xb6: /* MOVZX r16/r32/r64, m8 */1656*bytes = 1;1657fallthrough;1658case 0xb7: /* MOVZX r32/r64, m16 */1659if (!*bytes)1660*bytes = 2;1661type = INSN_MMIO_READ_ZERO_EXTEND;1662break;16631664case 0xbe: /* MOVSX r16/r32/r64, m8 */1665*bytes = 1;1666fallthrough;1667case 0xbf: /* MOVSX r32/r64, m16 */1668if (!*bytes)1669*bytes = 2;1670type = INSN_MMIO_READ_SIGN_EXTEND;1671break;1672}1673break;1674}16751676return type;1677}167816791680