From: "Chang S. Bae" <chang.seok.bae@intel.com>
To: pbonzini@redhat.com, seanjc@google.com
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
chao.gao@intel.com, chang.seok.bae@intel.com
Subject: [PATCH v2 11/16] KVM: emulate: Support REX2-prefixed opcode decode
Date: Mon, 12 Jan 2026 23:54:03 +0000 [thread overview]
Message-ID: <20260112235408.168200-12-chang.seok.bae@intel.com> (raw)
In-Reply-To: <20260112235408.168200-1-chang.seok.bae@intel.com>
Extend the instruction decoder to recognize and handle the REX2 prefix,
including validation of prefix sequences and correct opcode table
selection.
REX2 is a terminal prefix: once 0xD5 is encountered, the following byte
is the opcode. When REX.M=0, most prefix bytes are invalid after REX2,
including REX, VEX, EVEX, and another REX2. Also, REX2-prefixed
instructions are only valid in 64-bit mode.
All of the invalid prefix combinations after REX2 coincide with opcodes
that are architecturally invalid in 64-bit mode. Thus, marking such
opcodes with No64 in opcode_table[] naturally disallows those illegal
prefix sequences.
The 0x40–0x4F opcode row was missing the No64 flag. While NoRex2 already
invalidates REX2 for these opcodes, adding No64 makes opcode attributes
explicit and complete.
Link: https://lore.kernel.org/CABgObfYYGTvkYpeyqLSr9JgKMDA_STSff2hXBNchLZuKFU+MMA@mail.gmail.com
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Chang S. Bae <chang.seok.bae@intel.com>
---
arch/x86/kvm/emulate.c | 38 ++++++++++++++++++++++++++++++++++----
1 file changed, 34 insertions(+), 4 deletions(-)
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index ef0da1acab5a..1a565a4e3ff7 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -4256,7 +4256,7 @@ static const struct opcode opcode_table[256] = {
/* 0x38 - 0x3F */
I6ALU(NoWrite, em_cmp), N, N,
/* 0x40 - 0x4F */
- X8(I(DstReg | NoRex2, em_inc)), X8(I(DstReg | NoRex2, em_dec)),
+ X8(I(DstReg | NoRex2 | No64, em_inc)), X8(I(DstReg | NoRex2 | No64, em_dec)),
/* 0x50 - 0x57 */
X8(I(SrcReg | Stack, em_push)),
/* 0x58 - 0x5F */
@@ -4850,6 +4850,17 @@ static int x86_decode_avx(struct x86_emulate_ctxt *ctxt,
return rc;
}
+static inline bool rex2_invalid(struct x86_emulate_ctxt *ctxt)
+{
+ const struct x86_emulate_ops *ops = ctxt->ops;
+ u64 xcr = 0;
+
+ return ctxt->rex_prefix == REX_PREFIX ||
+ !(ops->get_cr(ctxt, 4) & X86_CR4_OSXSAVE) ||
+ ops->get_xcr(ctxt, 0, &xcr) ||
+ !(xcr & XFEATURE_MASK_APX);
+}
+
int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len, int emulation_type)
{
int rc = X86EMUL_CONTINUE;
@@ -4903,7 +4914,7 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len, int
ctxt->op_bytes = def_op_bytes;
ctxt->ad_bytes = def_ad_bytes;
- /* Legacy prefixes. */
+ /* Legacy and REX/REX2 prefixes. */
for (;;) {
switch (ctxt->b = insn_fetch(u8, ctxt)) {
case 0x66: /* operand-size override */
@@ -4949,6 +4960,17 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len, int
ctxt->rex_prefix = REX_PREFIX;
ctxt->rex_bits = ctxt->b & 0xf;
continue;
+ case 0xd5: /* REX2 */
+ if (mode != X86EMUL_MODE_PROT64)
+ goto done_prefixes;
+ if (rex2_invalid(ctxt)) {
+ opcode = ud;
+ goto done_modrm;
+ }
+ ctxt->rex_prefix = REX2_PREFIX;
+ ctxt->rex_bits = insn_fetch(u8, ctxt);
+ ctxt->b = insn_fetch(u8, ctxt);
+ goto done_prefixes;
case 0xf0: /* LOCK */
ctxt->lock_prefix = 1;
break;
@@ -4971,6 +4993,12 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len, int
if (ctxt->rex_bits & REX_W)
ctxt->op_bytes = 8;
+ /* REX2 opcode is one byte unless M-bit selects the two-byte map */
+ if (ctxt->rex_bits & REX_M)
+ goto decode_twobytes;
+ else if (ctxt->rex_prefix == REX2_PREFIX)
+ goto decode_onebyte;
+
/* Opcode byte(s). */
if (ctxt->b == 0xc4 || ctxt->b == 0xc5) {
/* VEX or LDS/LES */
@@ -4988,17 +5016,19 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len, int
goto done;
} else if (ctxt->b == 0x0f) {
/* Two- or three-byte opcode */
- ctxt->opcode_len = 2;
ctxt->b = insn_fetch(u8, ctxt);
+decode_twobytes:
+ ctxt->opcode_len = 2;
opcode = twobyte_table[ctxt->b];
/* 0F_38 opcode map */
- if (ctxt->b == 0x38) {
+ if (ctxt->b == 0x38 && ctxt->rex_prefix != REX2_PREFIX) {
ctxt->opcode_len = 3;
ctxt->b = insn_fetch(u8, ctxt);
opcode = opcode_map_0f_38[ctxt->b];
}
} else {
+decode_onebyte:
/* Opcode byte(s). */
opcode = opcode_table[ctxt->b];
}
--
2.51.0
next prev parent reply other threads:[~2026-01-13 0:18 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-12 23:53 [PATCH v2 00/16] KVM: x86: Enable APX for guests Chang S. Bae
2026-01-12 23:53 ` [PATCH v2 01/16] KVM: x86: Rename register accessors to be GPR-specific Chang S. Bae
2026-03-05 1:35 ` Sean Christopherson
2026-03-07 1:32 ` Chang S. Bae
2026-03-09 23:28 ` Chang S. Bae
2026-03-10 1:23 ` Sean Christopherson
2026-03-10 22:05 ` Chang S. Bae
2026-03-10 23:12 ` Sean Christopherson
2026-01-12 23:53 ` [PATCH v2 02/16] KVM: x86: Refactor GPR accessors to differentiate register access types Chang S. Bae
2026-03-05 1:49 ` Sean Christopherson
2026-03-07 1:32 ` Chang S. Bae
2026-01-12 23:53 ` [PATCH v2 03/16] KVM: x86: Implement accessors for extended GPRs Chang S. Bae
2026-03-05 1:41 ` Sean Christopherson
2026-03-07 1:32 ` Chang S. Bae
2026-01-12 23:53 ` [PATCH v2 04/16] KVM: VMX: Introduce unified instruction info structure Chang S. Bae
2026-03-05 4:21 ` Sean Christopherson
2026-03-07 1:33 ` Chang S. Bae
2026-03-13 1:05 ` Sean Christopherson
2026-01-12 23:53 ` [PATCH v2 05/16] KVM: VMX: Refactor instruction information retrieval Chang S. Bae
2026-01-12 23:53 ` [PATCH v2 06/16] KVM: VMX: Refactor GPR index retrieval from exit qualification Chang S. Bae
2026-03-05 4:13 ` Sean Christopherson
2026-01-12 23:53 ` [PATCH v2 07/16] KVM: VMX: Support extended register index in exit handling Chang S. Bae
2026-01-12 23:54 ` [PATCH v2 08/16] KVM: nVMX: Propagate the extended instruction info field Chang S. Bae
2026-01-12 23:54 ` [PATCH v2 09/16] KVM: emulate: Support EGPR accessing and tracking Chang S. Bae
2026-03-05 4:22 ` Sean Christopherson
2026-01-12 23:54 ` [PATCH v2 10/16] KVM: emulate: Handle EGPR index and REX2-incompatible opcodes Chang S. Bae
2026-01-12 23:54 ` Chang S. Bae [this message]
2026-01-12 23:54 ` [PATCH v2 12/16] KVM: emulate: Reject EVEX-prefixed instructions Chang S. Bae
2026-01-12 23:54 ` [PATCH v2 13/16] KVM: x86: Guard valid XCR0.APX settings Chang S. Bae
2026-01-12 23:54 ` [PATCH v2 14/16] KVM: x86: Expose APX foundational feature bit to guests Chang S. Bae
2026-01-19 5:55 ` Xiaoyao Li
2026-01-20 18:07 ` Edgecombe, Rick P
2026-01-20 20:50 ` Chang S. Bae
2026-01-21 19:59 ` Edgecombe, Rick P
2026-01-12 23:54 ` [PATCH v2 15/16] KVM: x86: Expose APX sub-features " Chang S. Bae
2026-01-12 23:54 ` [PATCH v2 16/16] KVM: x86: selftests: Add APX state handling and XCR0 sanity checks Chang S. Bae
2026-03-05 4:28 ` Sean Christopherson
2026-03-07 1:33 ` Chang S. Bae
2026-03-11 18:42 ` Paolo Bonzini
2026-04-20 21:23 ` [PATCH kvm-unit-tests] x86: xsave: Add test case for emulation of APX instructions Chang S. Bae
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260112235408.168200-12-chang.seok.bae@intel.com \
--to=chang.seok.bae@intel.com \
--cc=chao.gao@intel.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=seanjc@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.