1 /* SPDX-License-Identifier: GPL-2.0 */
3 * linux/arch/x86_64/entry.S
5 * Copyright (C) 1991, 1992 Linus Torvalds
6 * Copyright (C) 2000, 2001, 2002 Andi Kleen SuSE Labs
7 * Copyright (C) 2000 Pavel Machek <pavel@suse.cz>
9 * entry.S contains the system-call and fault low-level handling routines.
11 * Some of this is documented in Documentation/x86/entry_64.rst
13 * A note on terminology:
14 * - iret frame: Architecture defined interrupt frame from SS to RIP
15 * at the top of the kernel process stack.
18 * - SYM_FUNC_START/END:Define functions in the symbol table.
19 * - TRACE_IRQ_*: Trace hardirq state for lock debugging.
20 * - idtentry: Define exception entry points.
22 #include <linux/linkage.h>
23 #include <asm/segment.h>
24 #include <asm/cache.h>
25 #include <asm/errno.h>
26 #include <asm/asm-offsets.h>
28 #include <asm/unistd.h>
29 #include <asm/thread_info.h>
30 #include <asm/hw_irq.h>
31 #include <asm/page_types.h>
32 #include <asm/irqflags.h>
33 #include <asm/paravirt.h>
34 #include <asm/percpu.h>
37 #include <asm/pgtable_types.h>
38 #include <asm/export.h>
39 #include <asm/frame.h>
40 #include <asm/trapnr.h>
41 #include <asm/nospec-branch.h>
42 #include <linux/err.h>
47 .section .entry.text, "ax"
49 #ifdef CONFIG_PARAVIRT
50 SYM_CODE_START(native_usergs_sysret64)
54 SYM_CODE_END(native_usergs_sysret64)
55 #endif /* CONFIG_PARAVIRT */
57 .macro TRACE_IRQS_FLAGS flags:req
58 #ifdef CONFIG_TRACE_IRQFLAGS
59 btl $9, \flags /* interrupts off? */
66 .macro TRACE_IRQS_IRETQ
67 TRACE_IRQS_FLAGS EFLAGS(%rsp)
71 * When dynamic function tracer is enabled it will add a breakpoint
72 * to all locations that it is about to modify, sync CPUs, update
73 * all the code, sync CPUs, then remove the breakpoints. In this time
74 * if lockdep is enabled, it might jump back into the debug handler
75 * outside the updating of the IST protection. (TRACE_IRQS_ON/OFF).
77 * We need to change the IDT table before calling TRACE_IRQS_ON/OFF to
78 * make sure the stack pointer does not get reset back to the top
79 * of the debug stack, and instead just reuses the current stack.
81 #if defined(CONFIG_DYNAMIC_FTRACE) && defined(CONFIG_TRACE_IRQFLAGS)
83 .macro TRACE_IRQS_OFF_DEBUG
84 call debug_stack_set_zero
86 call debug_stack_reset
89 .macro TRACE_IRQS_ON_DEBUG
90 call debug_stack_set_zero
92 call debug_stack_reset
95 .macro TRACE_IRQS_IRETQ_DEBUG
96 btl $9, EFLAGS(%rsp) /* interrupts off? */
103 # define TRACE_IRQS_OFF_DEBUG TRACE_IRQS_OFF
104 # define TRACE_IRQS_ON_DEBUG TRACE_IRQS_ON
105 # define TRACE_IRQS_IRETQ_DEBUG TRACE_IRQS_IRETQ
109 * 64-bit SYSCALL instruction entry. Up to 6 arguments in registers.
111 * This is the only entry point used for 64-bit system calls. The
112 * hardware interface is reasonably well designed and the register to
113 * argument mapping Linux uses fits well with the registers that are
114 * available when SYSCALL is used.
116 * SYSCALL instructions can be found inlined in libc implementations as
117 * well as some other programs and libraries. There are also a handful
118 * of SYSCALL instructions in the vDSO used, for example, as a
119 * clock_gettimeofday fallback.
121 * 64-bit SYSCALL saves rip to rcx, clears rflags.RF, then saves rflags to r11,
122 * then loads new ss, cs, and rip from previously programmed MSRs.
123 * rflags gets masked by a value from another MSR (so CLD and CLAC
124 * are not needed). SYSCALL does not save anything on the stack
125 * and does not change rsp.
127 * Registers on entry:
128 * rax system call number
130 * r11 saved rflags (note: r11 is callee-clobbered register in C ABI)
134 * r10 arg3 (needs to be moved to rcx to conform to C ABI)
137 * (note: r12-r15, rbp, rbx are callee-preserved in C ABI)
139 * Only called from user space.
141 * When user can change pt_regs->foo always force IRET. That is because
142 * it deals with uncanonical addresses better. SYSRET has trouble
143 * with them due to bugs in both AMD and Intel CPUs.
146 SYM_CODE_START(entry_SYSCALL_64)
149 * Interrupts are off on entry.
150 * We do not frame this tiny irq-off block with TRACE_IRQS_OFF/ON,
151 * it is too small to ever cause noticeable irq latency.
155 /* tss.sp2 is scratch space. */
156 movq %rsp, PER_CPU_VAR(cpu_tss_rw + TSS_sp2)
157 SWITCH_TO_KERNEL_CR3 scratch_reg=%rsp
158 movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
160 /* Construct struct pt_regs on stack */
161 pushq $__USER_DS /* pt_regs->ss */
162 pushq PER_CPU_VAR(cpu_tss_rw + TSS_sp2) /* pt_regs->sp */
163 pushq %r11 /* pt_regs->flags */
164 pushq $__USER_CS /* pt_regs->cs */
165 pushq %rcx /* pt_regs->ip */
166 SYM_INNER_LABEL(entry_SYSCALL_64_after_hwframe, SYM_L_GLOBAL)
167 pushq %rax /* pt_regs->orig_ax */
169 PUSH_AND_CLEAR_REGS rax=$-ENOSYS
174 call do_syscall_64 /* returns with IRQs disabled */
177 * Try to use SYSRET instead of IRET if we're returning to
178 * a completely clean 64-bit userspace context. If we're not,
179 * go to the slow exit path.
184 cmpq %rcx, %r11 /* SYSRET requires RCX == RIP */
185 jne swapgs_restore_regs_and_return_to_usermode
188 * On Intel CPUs, SYSRET with non-canonical RCX/RIP will #GP
189 * in kernel space. This essentially lets the user take over
190 * the kernel, since userspace controls RSP.
192 * If width of "canonical tail" ever becomes variable, this will need
193 * to be updated to remain correct on both old and new CPUs.
195 * Change top bits to match most significant bit (47th or 56th bit
196 * depending on paging mode) in the address.
198 #ifdef CONFIG_X86_5LEVEL
199 ALTERNATIVE "shl $(64 - 48), %rcx; sar $(64 - 48), %rcx", \
200 "shl $(64 - 57), %rcx; sar $(64 - 57), %rcx", X86_FEATURE_LA57
202 shl $(64 - (__VIRTUAL_MASK_SHIFT+1)), %rcx
203 sar $(64 - (__VIRTUAL_MASK_SHIFT+1)), %rcx
206 /* If this changed %rcx, it was not canonical */
208 jne swapgs_restore_regs_and_return_to_usermode
210 cmpq $__USER_CS, CS(%rsp) /* CS must match SYSRET */
211 jne swapgs_restore_regs_and_return_to_usermode
214 cmpq %r11, EFLAGS(%rsp) /* R11 == RFLAGS */
215 jne swapgs_restore_regs_and_return_to_usermode
218 * SYSCALL clears RF when it saves RFLAGS in R11 and SYSRET cannot
219 * restore RF properly. If the slowpath sets it for whatever reason, we
220 * need to restore it correctly.
222 * SYSRET can restore TF, but unlike IRET, restoring TF results in a
223 * trap from userspace immediately after SYSRET. This would cause an
224 * infinite loop whenever #DB happens with register state that satisfies
225 * the opportunistic SYSRET conditions. For example, single-stepping
228 * movq $stuck_here, %rcx
233 * would never get past 'stuck_here'.
235 testq $(X86_EFLAGS_RF|X86_EFLAGS_TF), %r11
236 jnz swapgs_restore_regs_and_return_to_usermode
238 /* nothing to check for RSP */
240 cmpq $__USER_DS, SS(%rsp) /* SS must match SYSRET */
241 jne swapgs_restore_regs_and_return_to_usermode
244 * We win! This label is here just for ease of understanding
245 * perf profiles. Nothing jumps here.
247 syscall_return_via_sysret:
248 /* rcx and r11 are already restored (see code above) */
249 POP_REGS pop_rdi=0 skip_r11rcx=1
252 * Now all regs are restored except RSP and RDI.
253 * Save old stack pointer and switch to trampoline stack.
256 movq PER_CPU_VAR(cpu_tss_rw + TSS_sp0), %rsp
259 pushq RSP-RDI(%rdi) /* RSP */
260 pushq (%rdi) /* RDI */
263 * We are on the trampoline stack. All regs except RDI are live.
264 * We can do future final exit work right here.
266 STACKLEAK_ERASE_NOCLOBBER
268 SWITCH_TO_USER_CR3_STACK scratch_reg=%rdi
273 SYM_CODE_END(entry_SYSCALL_64)
279 .pushsection .text, "ax"
280 SYM_FUNC_START(__switch_to_asm)
282 * Save callee-saved registers
283 * This must match the order in inactive_task_frame
293 movq %rsp, TASK_threadsp(%rdi)
294 movq TASK_threadsp(%rsi), %rsp
296 #ifdef CONFIG_STACKPROTECTOR
297 movq TASK_stack_canary(%rsi), %rbx
298 movq %rbx, PER_CPU_VAR(fixed_percpu_data) + stack_canary_offset
301 #ifdef CONFIG_RETPOLINE
303 * When switching from a shallower to a deeper call stack
304 * the RSB may either underflow or use entries populated
305 * with userspace addresses. On CPUs where those concerns
306 * exist, overwrite the RSB with entries which capture
307 * speculative execution to prevent attack.
309 FILL_RETURN_BUFFER %r12, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
312 /* restore callee-saved registers */
321 SYM_FUNC_END(__switch_to_asm)
325 * A newly forked process directly context switches into this address.
327 * rax: prev task we switched from
328 * rbx: kernel thread func (NULL for user thread)
329 * r12: kernel thread arg
331 .pushsection .text, "ax"
332 SYM_CODE_START(ret_from_fork)
335 call schedule_tail /* rdi: 'prev' task parameter */
337 testq %rbx, %rbx /* from kernel_thread? */
338 jnz 1f /* kernel threads are uncommon */
343 call syscall_return_slowpath /* returns with IRQs disabled */
344 jmp swapgs_restore_regs_and_return_to_usermode
352 * A kernel thread is allowed to return here after successfully
353 * calling do_execve(). Exit to userspace to complete the execve()
358 SYM_CODE_END(ret_from_fork)
362 * Build the entry stubs with some assembler magic.
363 * We pack 1 stub into every 8-byte block.
366 SYM_CODE_START(irq_entries_start)
367 vector=FIRST_EXTERNAL_VECTOR
368 .rept (FIRST_SYSTEM_VECTOR - FIRST_EXTERNAL_VECTOR)
369 UNWIND_HINT_IRET_REGS
370 pushq $(~vector+0x80) /* Note: always in signed byte range */
375 SYM_CODE_END(irq_entries_start)
378 SYM_CODE_START(spurious_entries_start)
379 vector=FIRST_SYSTEM_VECTOR
380 .rept (NR_VECTORS - FIRST_SYSTEM_VECTOR)
381 UNWIND_HINT_IRET_REGS
382 pushq $(~vector+0x80) /* Note: always in signed byte range */
387 SYM_CODE_END(spurious_entries_start)
389 .macro DEBUG_ENTRY_ASSERT_IRQS_OFF
390 #ifdef CONFIG_DEBUG_ENTRY
393 testl $X86_EFLAGS_IF, %eax
402 * Enters the IRQ stack if we're not already using it. NMI-safe. Clobbers
403 * flags and puts old RSP into old_rsp, and leaves all other GPRs alone.
404 * Requires kernel GSBASE.
406 * The invariant is that, if irq_count != -1, then the IRQ stack is in use.
408 .macro ENTER_IRQ_STACK regs=1 old_rsp save_ret=0
409 DEBUG_ENTRY_ASSERT_IRQS_OFF
413 * If save_ret is set, the original stack contains one additional
414 * entry -- the return address. Therefore, move the address one
415 * entry below %rsp to \old_rsp.
417 leaq 8(%rsp), \old_rsp
423 UNWIND_HINT_REGS base=\old_rsp
426 incl PER_CPU_VAR(irq_count)
427 jnz .Lirq_stack_push_old_rsp_\@
430 * Right now, if we just incremented irq_count to zero, we've
431 * claimed the IRQ stack but we haven't switched to it yet.
433 * If anything is added that can interrupt us here without using IST,
434 * it must be *extremely* careful to limit its stack usage. This
435 * could include kprobes and a hypothetical future IST-less #DB
438 * The OOPS unwinder relies on the word at the top of the IRQ
439 * stack linking back to the previous RSP for the entire time we're
440 * on the IRQ stack. For this to work reliably, we need to write
441 * it before we actually move ourselves to the IRQ stack.
444 movq \old_rsp, PER_CPU_VAR(irq_stack_backing_store + IRQ_STACK_SIZE - 8)
445 movq PER_CPU_VAR(hardirq_stack_ptr), %rsp
447 #ifdef CONFIG_DEBUG_ENTRY
449 * If the first movq above becomes wrong due to IRQ stack layout
450 * changes, the only way we'll notice is if we try to unwind right
451 * here. Assert that we set up the stack right to catch this type
454 cmpq -8(%rsp), \old_rsp
455 je .Lirq_stack_okay\@
460 .Lirq_stack_push_old_rsp_\@:
464 UNWIND_HINT_REGS indirect=1
469 * Push the return address to the stack. This return address can
470 * be found at the "real" original RSP, which was offset by 8 at
471 * the beginning of this macro.
478 * Undoes ENTER_IRQ_STACK.
480 .macro LEAVE_IRQ_STACK regs=1
481 DEBUG_ENTRY_ASSERT_IRQS_OFF
482 /* We need to be off the IRQ stack before decrementing irq_count. */
490 * As in ENTER_IRQ_STACK, irq_count == 0, we are still claiming
491 * the irq stack but we're not on it.
494 decl PER_CPU_VAR(irq_count)
498 * idtentry_body - Macro to emit code calling the C function
499 * @vector: Vector number
500 * @cfunc: C function to be called
501 * @has_error_code: Hardware pushed error code on stack
502 * @sane: Sane variant which handles irq tracing, context tracking in C
504 .macro idtentry_body vector cfunc has_error_code:req sane=0
509 .if \vector == X86_TRAP_PF
511 * Store CR2 early so subsequent faults cannot clobber it. Use R12 as
512 * intermediate storage as RDX can be clobbered in enter_from_user_mode().
513 * GET_CR2_INTO can clobber RAX.
521 #ifdef CONFIG_CONTEXT_TRACKING
523 jz .Lfrom_kernel_no_ctxt_tracking_\@
524 CALL_enter_from_user_mode
525 .Lfrom_kernel_no_ctxt_tracking_\@:
529 movq %rsp, %rdi /* pt_regs pointer into 1st argument*/
531 .if \has_error_code == 1
532 movq ORIG_RAX(%rsp), %rsi /* get error code into 2nd argument*/
533 movq $-1, ORIG_RAX(%rsp) /* no syscall to restart */
535 xorl %esi, %esi /* Clear the error code */
538 .if \vector == X86_TRAP_PF
539 movq %r12, %rdx /* Move CR2 into 3rd argument */
552 * idtentry - Macro to generate entry stubs for simple IDT entries
553 * @vector: Vector number
554 * @asmsym: ASM symbol for the entry point
555 * @cfunc: C function to be called
556 * @has_error_code: Hardware pushed error code on stack
557 * @sane: Sane variant which handles irq tracing, context tracking in C
559 * The macro emits code to set up the kernel context for straight forward
560 * and simple IDT entries. No IST stack, no paranoid entry checks.
562 .macro idtentry vector asmsym cfunc has_error_code:req sane=0
563 SYM_CODE_START(\asmsym)
564 UNWIND_HINT_IRET_REGS offset=\has_error_code*8
567 .if \has_error_code == 0
568 pushq $-1 /* ORIG_RAX: no syscall to restart */
571 .if \vector == X86_TRAP_BP
573 * If coming from kernel space, create a 6-word gap to allow the
574 * int3 handler to emulate a call instruction.
576 testb $3, CS-ORIG_RAX(%rsp)
577 jnz .Lfrom_usermode_no_gap_\@
581 UNWIND_HINT_IRET_REGS offset=8
582 .Lfrom_usermode_no_gap_\@:
585 idtentry_body \vector \cfunc \has_error_code \sane
587 _ASM_NOKPROBE(\asmsym)
588 SYM_CODE_END(\asmsym)
592 * MCE and DB exceptions
594 #define CPU_TSS_IST(x) PER_CPU_VAR(cpu_tss_rw) + (TSS_ist + (x) * 8)
597 * idtentry_mce_db - Macro to generate entry stubs for #MC and #DB
598 * @vector: Vector number
599 * @asmsym: ASM symbol for the entry point
600 * @cfunc: C function to be called
602 * The macro emits code to set up the kernel context for #MC and #DB
604 * If the entry comes from user space it uses the normal entry path
605 * including the return to user space work and preemption checks on
608 * If hits in kernel mode then it needs to go through the paranoid
609 * entry as the exception can hit any random state. No preemption
610 * check on exit to keep the paranoid path simple.
612 * If the trap is #DB then the interrupt stack entry in the IST is
613 * moved to the second stack, so a potential recursion will have a
616 .macro idtentry_mce_db vector asmsym cfunc
617 SYM_CODE_START(\asmsym)
618 UNWIND_HINT_IRET_REGS
621 pushq $-1 /* ORIG_RAX: no syscall to restart */
624 * If the entry is from userspace, switch stacks and treat it as
627 testb $3, CS-ORIG_RAX(%rsp)
628 jnz .Lfrom_usermode_switch_stack_\@
631 * paranoid_entry returns SWAPGS flag for paranoid_exit in EBX.
632 * EBX == 0 -> SWAPGS, EBX == 1 -> no SWAPGS
638 .if \vector == X86_TRAP_DB
644 movq %rsp, %rdi /* pt_regs pointer */
645 xorl %esi, %esi /* Clear the error code */
647 .if \vector == X86_TRAP_DB
648 subq $DB_STACK_OFFSET, CPU_TSS_IST(IST_INDEX_DB)
653 .if \vector == X86_TRAP_DB
654 addq $DB_STACK_OFFSET, CPU_TSS_IST(IST_INDEX_DB)
659 /* Switch to the regular task stack and use the noist entry point */
660 .Lfrom_usermode_switch_stack_\@:
661 idtentry_body vector \cfunc, has_error_code=0
663 _ASM_NOKPROBE(\asmsym)
664 SYM_CODE_END(\asmsym)
668 * Double fault entry. Straight paranoid. No checks from which context
669 * this comes because for the espfix induced #DF this would do the wrong
672 .macro idtentry_df vector asmsym cfunc
673 SYM_CODE_START(\asmsym)
674 UNWIND_HINT_IRET_REGS offset=8
678 * paranoid_entry returns SWAPGS flag for paranoid_exit in EBX.
679 * EBX == 0 -> SWAPGS, EBX == 1 -> no SWAPGS
689 movq %rsp, %rdi /* pt_regs pointer into first argument */
690 movq ORIG_RAX(%rsp), %rsi /* get error code into 2nd argument*/
691 movq $-1, ORIG_RAX(%rsp) /* no syscall to restart */
692 movq %r12, %rdx /* Move CR2 into 3rd argument */
697 _ASM_NOKPROBE(\asmsym)
698 SYM_CODE_END(\asmsym)
702 * Include the defines which emit the idt entries which are shared
703 * shared between 32 and 64 bit.
705 #include <asm/idtentry.h>
708 * Interrupt entry helper function.
710 * Entry runs with interrupts off. Stack layout at entry:
711 * +----------------------------------------------------+
717 * +----------------------------------------------------+
718 * | regs->orig_ax = ~(interrupt number) |
719 * +----------------------------------------------------+
721 * +----------------------------------------------------+
723 SYM_CODE_START(interrupt_entry)
724 UNWIND_HINT_IRET_REGS offset=16
728 testb $3, CS-ORIG_RAX+8(%rsp)
731 FENCE_SWAPGS_USER_ENTRY
733 * Switch to the thread stack. The IRET frame and orig_ax are
734 * on the stack, as well as the return address. RDI..R12 are
735 * not (yet) on the stack and space has not (yet) been
736 * allocated for them.
740 /* Need to switch before accessing the thread stack. */
741 SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi
743 movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
746 * We have RDI, return address, and orig_ax on the stack on
747 * top of the IRET frame. That means offset=24
749 UNWIND_HINT_IRET_REGS base=%rdi offset=24
751 pushq 7*8(%rdi) /* regs->ss */
752 pushq 6*8(%rdi) /* regs->rsp */
753 pushq 5*8(%rdi) /* regs->eflags */
754 pushq 4*8(%rdi) /* regs->cs */
755 pushq 3*8(%rdi) /* regs->ip */
756 UNWIND_HINT_IRET_REGS
757 pushq 2*8(%rdi) /* regs->orig_ax */
758 pushq 8(%rdi) /* return address */
763 FENCE_SWAPGS_KERNEL_ENTRY
765 PUSH_AND_CLEAR_REGS save_ret=1
766 ENCODE_FRAME_POINTER 8
772 * IRQ from user mode.
774 * We need to tell lockdep that IRQs are off. We can't do this until
775 * we fix gsbase, and we should do it before enter_from_user_mode
776 * (which can take locks). Since TRACE_IRQS_OFF is idempotent,
777 * the simplest way to handle it is to just call it twice if
778 * we enter from user mode. There's no reason to optimize this since
779 * TRACE_IRQS_OFF is a no-op if lockdep is off.
783 CALL_enter_from_user_mode
786 ENTER_IRQ_STACK old_rsp=%rdi save_ret=1
787 /* We entered an interrupt context - irqs are off: */
791 SYM_CODE_END(interrupt_entry)
792 _ASM_NOKPROBE(interrupt_entry)
795 /* Interrupt entry/exit. */
798 * The interrupt stubs push (~vector+0x80) onto the stack and
799 * then jump to common_spurious/interrupt.
801 SYM_CODE_START_LOCAL(common_spurious)
802 addq $-0x80, (%rsp) /* Adjust vector to [-256, -1] range */
804 UNWIND_HINT_REGS indirect=1
805 call smp_spurious_interrupt /* rdi points to pt_regs */
807 SYM_CODE_END(common_spurious)
808 _ASM_NOKPROBE(common_spurious)
810 /* common_interrupt is a hotpath. Align it */
811 .p2align CONFIG_X86_L1_CACHE_SHIFT
812 SYM_CODE_START_LOCAL(common_interrupt)
813 addq $-0x80, (%rsp) /* Adjust vector to [-256, -1] range */
815 UNWIND_HINT_REGS indirect=1
816 call do_IRQ /* rdi points to pt_regs */
817 /* 0(%rsp): old RSP */
819 DISABLE_INTERRUPTS(CLBR_ANY)
827 /* Interrupt came from user space */
830 call prepare_exit_to_usermode
832 SYM_INNER_LABEL(swapgs_restore_regs_and_return_to_usermode, SYM_L_GLOBAL)
833 #ifdef CONFIG_DEBUG_ENTRY
834 /* Assert that pt_regs indicates user mode. */
843 * The stack is now user RDI, orig_ax, RIP, CS, EFLAGS, RSP, SS.
844 * Save old stack pointer and switch to trampoline stack.
847 movq PER_CPU_VAR(cpu_tss_rw + TSS_sp0), %rsp
850 /* Copy the IRET frame to the trampoline stack. */
851 pushq 6*8(%rdi) /* SS */
852 pushq 5*8(%rdi) /* RSP */
853 pushq 4*8(%rdi) /* EFLAGS */
854 pushq 3*8(%rdi) /* CS */
855 pushq 2*8(%rdi) /* RIP */
857 /* Push user RDI on the trampoline stack. */
861 * We are on the trampoline stack. All regs except RDI are live.
862 * We can do future final exit work right here.
864 STACKLEAK_ERASE_NOCLOBBER
866 SWITCH_TO_USER_CR3_STACK scratch_reg=%rdi
874 /* Returning to kernel space */
876 #ifdef CONFIG_PREEMPTION
877 /* Interrupts are off */
878 /* Check if we need preemption */
879 btl $9, EFLAGS(%rsp) /* were interrupts off? */
881 cmpl $0, PER_CPU_VAR(__preempt_count)
883 call preempt_schedule_irq
887 * The iretq could re-enable interrupts:
891 SYM_INNER_LABEL(restore_regs_and_return_to_kernel, SYM_L_GLOBAL)
892 #ifdef CONFIG_DEBUG_ENTRY
893 /* Assert that pt_regs indicates kernel mode. */
900 addq $8, %rsp /* skip regs->orig_ax */
902 * ARCH_HAS_MEMBARRIER_SYNC_CORE rely on IRET core serialization
903 * when returning from IPI handler.
907 SYM_INNER_LABEL_ALIGN(native_iret, SYM_L_GLOBAL)
908 UNWIND_HINT_IRET_REGS
910 * Are we returning to a stack segment from the LDT? Note: in
911 * 64-bit mode SS:RSP on the exception stack is always valid.
913 #ifdef CONFIG_X86_ESPFIX64
914 testb $4, (SS-RIP)(%rsp)
915 jnz native_irq_return_ldt
918 SYM_INNER_LABEL(native_irq_return_iret, SYM_L_GLOBAL)
920 * This may fault. Non-paranoid faults on return to userspace are
921 * handled by fixup_bad_iret. These include #SS, #GP, and #NP.
922 * Double-faults due to espfix64 are handled in do_double_fault.
923 * Other faults here are fatal.
927 #ifdef CONFIG_X86_ESPFIX64
928 native_irq_return_ldt:
930 * We are running with user GSBASE. All GPRs contain their user
931 * values. We have a percpu ESPFIX stack that is eight slots
932 * long (see ESPFIX_STACK_SIZE). espfix_waddr points to the bottom
933 * of the ESPFIX stack.
935 * We clobber RAX and RDI in this code. We stash RDI on the
936 * normal stack and RAX on the ESPFIX stack.
938 * The ESPFIX stack layout we set up looks like this:
940 * --- top of ESPFIX stack ---
945 * RIP <-- RSP points here when we're done
946 * RAX <-- espfix_waddr points here
947 * --- bottom of ESPFIX stack ---
950 pushq %rdi /* Stash user RDI */
951 SWAPGS /* to kernel GS */
952 SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi /* to kernel CR3 */
954 movq PER_CPU_VAR(espfix_waddr), %rdi
955 movq %rax, (0*8)(%rdi) /* user RAX */
956 movq (1*8)(%rsp), %rax /* user RIP */
957 movq %rax, (1*8)(%rdi)
958 movq (2*8)(%rsp), %rax /* user CS */
959 movq %rax, (2*8)(%rdi)
960 movq (3*8)(%rsp), %rax /* user RFLAGS */
961 movq %rax, (3*8)(%rdi)
962 movq (5*8)(%rsp), %rax /* user SS */
963 movq %rax, (5*8)(%rdi)
964 movq (4*8)(%rsp), %rax /* user RSP */
965 movq %rax, (4*8)(%rdi)
966 /* Now RAX == RSP. */
968 andl $0xffff0000, %eax /* RAX = (RSP & 0xffff0000) */
971 * espfix_stack[31:16] == 0. The page tables are set up such that
972 * (espfix_stack | (X & 0xffff0000)) points to a read-only alias of
973 * espfix_waddr for any X. That is, there are 65536 RO aliases of
974 * the same page. Set up RSP so that RSP[31:16] contains the
975 * respective 16 bits of the /userspace/ RSP and RSP nonetheless
976 * still points to an RO alias of the ESPFIX stack.
978 orq PER_CPU_VAR(espfix_stack), %rax
980 SWITCH_TO_USER_CR3_STACK scratch_reg=%rdi
981 SWAPGS /* to user GS */
982 popq %rdi /* Restore user RDI */
985 UNWIND_HINT_IRET_REGS offset=8
988 * At this point, we cannot write to the stack any more, but we can
991 popq %rax /* Restore user RAX */
994 * RSP now points to an ordinary IRET frame, except that the page
995 * is read-only and RSP[31:16] are preloaded with the userspace
996 * values. We can now IRET back to userspace.
998 jmp native_irq_return_iret
1000 SYM_CODE_END(common_interrupt)
1001 _ASM_NOKPROBE(common_interrupt)
1006 .macro apicinterrupt3 num sym do_sym
1007 SYM_CODE_START(\sym)
1008 UNWIND_HINT_IRET_REGS
1010 call interrupt_entry
1011 UNWIND_HINT_REGS indirect=1
1012 call \do_sym /* rdi points to pt_regs */
1018 /* Make sure APIC interrupt handlers end up in the irqentry section: */
1019 #define PUSH_SECTION_IRQENTRY .pushsection .irqentry.text, "ax"
1020 #define POP_SECTION_IRQENTRY .popsection
1022 .macro apicinterrupt num sym do_sym
1023 PUSH_SECTION_IRQENTRY
1024 apicinterrupt3 \num \sym \do_sym
1025 POP_SECTION_IRQENTRY
1029 apicinterrupt3 IRQ_MOVE_CLEANUP_VECTOR irq_move_cleanup_interrupt smp_irq_move_cleanup_interrupt
1030 apicinterrupt3 REBOOT_VECTOR reboot_interrupt smp_reboot_interrupt
1033 #ifdef CONFIG_X86_UV
1034 apicinterrupt3 UV_BAU_MESSAGE uv_bau_message_intr1 uv_bau_message_interrupt
1037 apicinterrupt LOCAL_TIMER_VECTOR apic_timer_interrupt smp_apic_timer_interrupt
1038 apicinterrupt X86_PLATFORM_IPI_VECTOR x86_platform_ipi smp_x86_platform_ipi
1040 #ifdef CONFIG_HAVE_KVM
1041 apicinterrupt3 POSTED_INTR_VECTOR kvm_posted_intr_ipi smp_kvm_posted_intr_ipi
1042 apicinterrupt3 POSTED_INTR_WAKEUP_VECTOR kvm_posted_intr_wakeup_ipi smp_kvm_posted_intr_wakeup_ipi
1043 apicinterrupt3 POSTED_INTR_NESTED_VECTOR kvm_posted_intr_nested_ipi smp_kvm_posted_intr_nested_ipi
1046 #ifdef CONFIG_X86_MCE_THRESHOLD
1047 apicinterrupt THRESHOLD_APIC_VECTOR threshold_interrupt smp_threshold_interrupt
1050 #ifdef CONFIG_X86_MCE_AMD
1051 apicinterrupt DEFERRED_ERROR_VECTOR deferred_error_interrupt smp_deferred_error_interrupt
1054 #ifdef CONFIG_X86_THERMAL_VECTOR
1055 apicinterrupt THERMAL_APIC_VECTOR thermal_interrupt smp_thermal_interrupt
1059 apicinterrupt CALL_FUNCTION_SINGLE_VECTOR call_function_single_interrupt smp_call_function_single_interrupt
1060 apicinterrupt CALL_FUNCTION_VECTOR call_function_interrupt smp_call_function_interrupt
1061 apicinterrupt RESCHEDULE_VECTOR reschedule_interrupt smp_reschedule_interrupt
1064 apicinterrupt ERROR_APIC_VECTOR error_interrupt smp_error_interrupt
1065 apicinterrupt SPURIOUS_APIC_VECTOR spurious_interrupt smp_spurious_interrupt
1067 #ifdef CONFIG_IRQ_WORK
1068 apicinterrupt IRQ_WORK_VECTOR irq_work_interrupt smp_irq_work_interrupt
1072 * Exception entry points.
1075 idtentry X86_TRAP_BP int3 do_int3 has_error_code=0
1076 idtentry X86_TRAP_NP segment_not_present do_segment_not_present has_error_code=1
1077 idtentry X86_TRAP_SS stack_segment do_stack_segment has_error_code=1
1078 idtentry X86_TRAP_GP general_protection do_general_protection has_error_code=1
1079 idtentry X86_TRAP_SPURIOUS spurious_interrupt_bug do_spurious_interrupt_bug has_error_code=0
1080 idtentry X86_TRAP_MF coprocessor_error do_coprocessor_error has_error_code=0
1081 idtentry X86_TRAP_AC alignment_check do_alignment_check has_error_code=1
1082 idtentry X86_TRAP_XF simd_coprocessor_error do_simd_coprocessor_error has_error_code=0
1084 idtentry X86_TRAP_PF page_fault do_page_fault has_error_code=1
1086 #ifdef CONFIG_X86_MCE
1087 idtentry_mce_db X86_TRAP_MCE machine_check do_mce
1089 idtentry_mce_db X86_TRAP_DB debug do_debug
1090 idtentry_df X86_TRAP_DF double_fault do_double_fault
1092 #ifdef CONFIG_XEN_PV
1093 idtentry 512 /* dummy */ hypervisor_callback xen_do_hypervisor_callback has_error_code=0
1094 idtentry X86_TRAP_NMI xennmi do_nmi has_error_code=0
1095 idtentry X86_TRAP_DB xendebug do_debug has_error_code=0
1099 * Reload gs selector with exception handling
1102 * Is in entry.text as it shouldn't be instrumented.
1104 SYM_FUNC_START(asm_load_gs_index)
1109 2: ALTERNATIVE "", "mfence", X86_BUG_SWAPGS_FENCE
1113 SYM_FUNC_END(asm_load_gs_index)
1114 EXPORT_SYMBOL(asm_load_gs_index)
1116 _ASM_EXTABLE(.Lgs_change, .Lbad_gs)
1117 .section .fixup, "ax"
1118 /* running with kernelgs */
1119 SYM_CODE_START_LOCAL_NOALIGN(.Lbad_gs)
1120 swapgs /* switch back to user gs */
1122 /* This can't be a string because the preprocessor needs to see it. */
1123 movl $__USER_DS, %eax
1126 ALTERNATIVE "", "ZAP_GS", X86_BUG_NULL_SEG
1130 SYM_CODE_END(.Lbad_gs)
1133 /* Call softirq on interrupt stack. Interrupts are off. */
1134 .pushsection .text, "ax"
1135 SYM_FUNC_START(do_softirq_own_stack)
1138 ENTER_IRQ_STACK regs=0 old_rsp=%r11
1140 LEAVE_IRQ_STACK regs=0
1143 SYM_FUNC_END(do_softirq_own_stack)
1146 #ifdef CONFIG_XEN_PV
1148 * A note on the "critical region" in our callback handler.
1149 * We want to avoid stacking callback handlers due to events occurring
1150 * during handling of the last event. To do this, we keep events disabled
1151 * until we've done all processing. HOWEVER, we must enable events before
1152 * popping the stack frame (can't be done atomically) and so it would still
1153 * be possible to get enough handler activations to overflow the stack.
1154 * Although unlikely, bugs of that kind are hard to track down, so we'd
1155 * like to avoid the possibility.
1156 * So, on entry to the handler we detect whether we interrupted an
1157 * existing activation in its critical region -- if so, we pop the current
1158 * activation and restart the handler using the previous one.
1160 /* do_hypervisor_callback(struct *pt_regs) */
1161 SYM_CODE_START_LOCAL(xen_do_hypervisor_callback)
1164 * Since we don't modify %rdi, evtchn_do_upall(struct *pt_regs) will
1165 * see the correct pointer to the pt_regs
1168 movq %rdi, %rsp /* we don't return, adjust the stack frame */
1171 ENTER_IRQ_STACK old_rsp=%r10
1172 call xen_evtchn_do_upcall
1175 #ifndef CONFIG_PREEMPTION
1176 call xen_maybe_preempt_hcall
1179 SYM_CODE_END(xen_do_hypervisor_callback)
1182 * Hypervisor uses this for application faults while it executes.
1183 * We get here for two reasons:
1184 * 1. Fault while reloading DS, ES, FS or GS
1185 * 2. Fault while executing IRET
1186 * Category 1 we do not need to fix up as Xen has already reloaded all segment
1187 * registers that could be reloaded and zeroed the others.
1188 * Category 2 we fix up by killing the current process. We cannot use the
1189 * normal Linux return path in this case because if we use the IRET hypercall
1190 * to pop the stack frame we end up in an infinite loop of failsafe callbacks.
1191 * We distinguish between categories by comparing each saved segment register
1192 * with its current contents: any discrepancy means we in category 1.
1194 SYM_CODE_START(xen_failsafe_callback)
1197 cmpw %cx, 0x10(%rsp)
1200 cmpw %cx, 0x18(%rsp)
1203 cmpw %cx, 0x20(%rsp)
1206 cmpw %cx, 0x28(%rsp)
1208 /* All segments match their saved values => Category 2 (Bad IRET). */
1213 UNWIND_HINT_IRET_REGS offset=8
1214 jmp general_protection
1215 1: /* Segment mismatch => Category 1 (Bad segment). Retry the IRET. */
1219 UNWIND_HINT_IRET_REGS
1220 pushq $-1 /* orig_ax = -1 => not a system call */
1222 ENCODE_FRAME_POINTER
1224 SYM_CODE_END(xen_failsafe_callback)
1225 #endif /* CONFIG_XEN_PV */
1227 #ifdef CONFIG_XEN_PVHVM
1228 apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \
1229 xen_hvm_callback_vector xen_evtchn_do_upcall
1233 #if IS_ENABLED(CONFIG_HYPERV)
1234 apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \
1235 hyperv_callback_vector hyperv_vector_handler
1237 apicinterrupt3 HYPERV_REENLIGHTENMENT_VECTOR \
1238 hyperv_reenlightenment_vector hyperv_reenlightenment_intr
1240 apicinterrupt3 HYPERV_STIMER0_VECTOR \
1241 hv_stimer0_callback_vector hv_stimer0_vector_handler
1242 #endif /* CONFIG_HYPERV */
1244 #if IS_ENABLED(CONFIG_ACRN_GUEST)
1245 apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \
1246 acrn_hv_callback_vector acrn_hv_vector_handler
1250 * Save all registers in pt_regs, and switch gs if needed.
1251 * Use slow, but surefire "are we in kernel?" check.
1252 * Return: ebx=0: need swapgs on exit, ebx=1: otherwise
1254 SYM_CODE_START_LOCAL(paranoid_entry)
1257 PUSH_AND_CLEAR_REGS save_ret=1
1258 ENCODE_FRAME_POINTER 8
1260 movl $MSR_GS_BASE, %ecx
1263 js 1f /* negative -> in kernel */
1269 * Always stash CR3 in %r14. This value will be restored,
1270 * verbatim, at exit. Needed if paranoid_entry interrupted
1271 * another entry that already switched to the user CR3 value
1272 * but has not yet returned to userspace.
1274 * This is also why CS (stashed in the "iret frame" by the
1275 * hardware at entry) can not be used: this may be a return
1276 * to kernel code, but with a user CR3 value.
1278 SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg=%rax save_reg=%r14
1281 * The above SAVE_AND_SWITCH_TO_KERNEL_CR3 macro doesn't do an
1282 * unconditional CR3 write, even in the PTI case. So do an lfence
1283 * to prevent GS speculation, regardless of whether PTI is enabled.
1285 FENCE_SWAPGS_KERNEL_ENTRY
1288 SYM_CODE_END(paranoid_entry)
1291 * "Paranoid" exit path from exception stack. This is invoked
1292 * only on return from non-NMI IST interrupts that came
1293 * from kernel space.
1295 * We may be returning to very strange contexts (e.g. very early
1296 * in syscall entry), so checking for preemption here would
1297 * be complicated. Fortunately, we there's no good reason
1298 * to try to handle preemption here.
1300 * On entry, ebx is "no swapgs" flag (1: don't need swapgs, 0: need it)
1302 SYM_CODE_START_LOCAL(paranoid_exit)
1304 DISABLE_INTERRUPTS(CLBR_ANY)
1305 TRACE_IRQS_OFF_DEBUG
1306 testl %ebx, %ebx /* swapgs needed? */
1307 jnz .Lparanoid_exit_no_swapgs
1309 /* Always restore stashed CR3 value (see paranoid_entry) */
1310 RESTORE_CR3 scratch_reg=%rbx save_reg=%r14
1312 jmp restore_regs_and_return_to_kernel
1313 .Lparanoid_exit_no_swapgs:
1314 TRACE_IRQS_IRETQ_DEBUG
1315 /* Always restore stashed CR3 value (see paranoid_entry) */
1316 RESTORE_CR3 scratch_reg=%rbx save_reg=%r14
1317 jmp restore_regs_and_return_to_kernel
1318 SYM_CODE_END(paranoid_exit)
1321 * Save all registers in pt_regs, and switch GS if needed.
1323 SYM_CODE_START_LOCAL(error_entry)
1326 PUSH_AND_CLEAR_REGS save_ret=1
1327 ENCODE_FRAME_POINTER 8
1328 testb $3, CS+8(%rsp)
1329 jz .Lerror_kernelspace
1332 * We entered from user mode or we're pretending to have entered
1333 * from user mode due to an IRET fault.
1336 FENCE_SWAPGS_USER_ENTRY
1337 /* We have user CR3. Change to kernel CR3. */
1338 SWITCH_TO_KERNEL_CR3 scratch_reg=%rax
1340 .Lerror_entry_from_usermode_after_swapgs:
1341 /* Put us onto the real thread stack. */
1342 popq %r12 /* save return addr in %12 */
1343 movq %rsp, %rdi /* arg0 = pt_regs pointer */
1345 movq %rax, %rsp /* switch stack */
1346 ENCODE_FRAME_POINTER
1350 .Lerror_entry_done_lfence:
1351 FENCE_SWAPGS_KERNEL_ENTRY
1356 * There are two places in the kernel that can potentially fault with
1357 * usergs. Handle them here. B stepping K8s sometimes report a
1358 * truncated RIP for IRET exceptions returning to compat mode. Check
1359 * for these here too.
1361 .Lerror_kernelspace:
1362 leaq native_irq_return_iret(%rip), %rcx
1363 cmpq %rcx, RIP+8(%rsp)
1365 movl %ecx, %eax /* zero extend */
1366 cmpq %rax, RIP+8(%rsp)
1368 cmpq $.Lgs_change, RIP+8(%rsp)
1369 jne .Lerror_entry_done_lfence
1372 * hack: .Lgs_change can fail with user gsbase. If this happens, fix up
1373 * gsbase and proceed. We'll fix up the exception and land in
1374 * .Lgs_change's error handler with kernel gsbase.
1377 FENCE_SWAPGS_USER_ENTRY
1378 jmp .Lerror_entry_done
1381 /* Fix truncated RIP */
1382 movq %rcx, RIP+8(%rsp)
1387 * We came from an IRET to user mode, so we have user
1388 * gsbase and CR3. Switch to kernel gsbase and CR3:
1391 FENCE_SWAPGS_USER_ENTRY
1392 SWITCH_TO_KERNEL_CR3 scratch_reg=%rax
1395 * Pretend that the exception came from user mode: set up pt_regs
1396 * as if we faulted immediately after IRET.
1401 jmp .Lerror_entry_from_usermode_after_swapgs
1402 SYM_CODE_END(error_entry)
1404 SYM_CODE_START_LOCAL(error_exit)
1406 DISABLE_INTERRUPTS(CLBR_ANY)
1411 SYM_CODE_END(error_exit)
1413 SYM_CODE_START_LOCAL(error_return)
1415 DEBUG_ENTRY_ASSERT_IRQS_OFF
1417 jz restore_regs_and_return_to_kernel
1418 jmp swapgs_restore_regs_and_return_to_usermode
1419 SYM_CODE_END(error_return)
1422 * Runs on exception stack. Xen PV does not go through this path at all,
1423 * so we can use real assembly here.
1426 * %r14: Used to save/restore the CR3 of the interrupted context
1427 * when PAGE_TABLE_ISOLATION is in use. Do not clobber.
1430 UNWIND_HINT_IRET_REGS
1433 * We allow breakpoints in NMIs. If a breakpoint occurs, then
1434 * the iretq it performs will take us out of NMI context.
1435 * This means that we can have nested NMIs where the next
1436 * NMI is using the top of the stack of the previous NMI. We
1437 * can't let it execute because the nested NMI will corrupt the
1438 * stack of the previous NMI. NMI handlers are not re-entrant
1441 * To handle this case we do the following:
1442 * Check the a special location on the stack that contains
1443 * a variable that is set when NMIs are executing.
1444 * The interrupted task's stack is also checked to see if it
1446 * If the variable is not set and the stack is not the NMI
1448 * o Set the special variable on the stack
1449 * o Copy the interrupt frame into an "outermost" location on the
1451 * o Copy the interrupt frame into an "iret" location on the stack
1452 * o Continue processing the NMI
1453 * If the variable is set or the previous stack is the NMI stack:
1454 * o Modify the "iret" location to jump to the repeat_nmi
1455 * o return back to the first NMI
1457 * Now on exit of the first NMI, we first clear the stack variable
1458 * The NMI stack will tell any nested NMIs at that point that it is
1459 * nested. Then we pop the stack normally with iret, and if there was
1460 * a nested NMI that updated the copy interrupt stack frame, a
1461 * jump will be made to the repeat_nmi code that will handle the second
1464 * However, espfix prevents us from directly returning to userspace
1465 * with a single IRET instruction. Similarly, IRET to user mode
1466 * can fault. We therefore handle NMIs from user space like
1467 * other IST entries.
1472 /* Use %rdx as our temp variable throughout */
1475 testb $3, CS-RIP+8(%rsp)
1476 jz .Lnmi_from_kernel
1479 * NMI from user mode. We need to run on the thread stack, but we
1480 * can't go through the normal entry paths: NMIs are masked, and
1481 * we don't want to enable interrupts, because then we'll end
1482 * up in an awkward situation in which IRQs are on but NMIs
1485 * We also must not push anything to the stack before switching
1486 * stacks lest we corrupt the "NMI executing" variable.
1491 FENCE_SWAPGS_USER_ENTRY
1492 SWITCH_TO_KERNEL_CR3 scratch_reg=%rdx
1494 movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
1495 UNWIND_HINT_IRET_REGS base=%rdx offset=8
1496 pushq 5*8(%rdx) /* pt_regs->ss */
1497 pushq 4*8(%rdx) /* pt_regs->rsp */
1498 pushq 3*8(%rdx) /* pt_regs->flags */
1499 pushq 2*8(%rdx) /* pt_regs->cs */
1500 pushq 1*8(%rdx) /* pt_regs->rip */
1501 UNWIND_HINT_IRET_REGS
1502 pushq $-1 /* pt_regs->orig_ax */
1503 PUSH_AND_CLEAR_REGS rdx=(%rdx)
1504 ENCODE_FRAME_POINTER
1507 * At this point we no longer need to worry about stack damage
1508 * due to nesting -- we're on the normal thread stack and we're
1509 * done with the NMI stack.
1517 * Return back to user mode. We must *not* do the normal exit
1518 * work, because we don't want to enable interrupts.
1520 jmp swapgs_restore_regs_and_return_to_usermode
1524 * Here's what our stack frame will look like:
1525 * +---------------------------------------------------------+
1527 * | original Return RSP |
1528 * | original RFLAGS |
1531 * +---------------------------------------------------------+
1532 * | temp storage for rdx |
1533 * +---------------------------------------------------------+
1534 * | "NMI executing" variable |
1535 * +---------------------------------------------------------+
1536 * | iret SS } Copied from "outermost" frame |
1537 * | iret Return RSP } on each loop iteration; overwritten |
1538 * | iret RFLAGS } by a nested NMI to force another |
1539 * | iret CS } iteration if needed. |
1541 * +---------------------------------------------------------+
1542 * | outermost SS } initialized in first_nmi; |
1543 * | outermost Return RSP } will not be changed before |
1544 * | outermost RFLAGS } NMI processing is done. |
1545 * | outermost CS } Copied to "iret" frame on each |
1546 * | outermost RIP } iteration. |
1547 * +---------------------------------------------------------+
1549 * +---------------------------------------------------------+
1551 * The "original" frame is used by hardware. Before re-enabling
1552 * NMIs, we need to be done with it, and we need to leave enough
1553 * space for the asm code here.
1555 * We return by executing IRET while RSP points to the "iret" frame.
1556 * That will either return for real or it will loop back into NMI
1559 * The "outermost" frame is copied to the "iret" frame on each
1560 * iteration of the loop, so each iteration starts with the "iret"
1561 * frame pointing to the final return target.
1565 * Determine whether we're a nested NMI.
1567 * If we interrupted kernel code between repeat_nmi and
1568 * end_repeat_nmi, then we are a nested NMI. We must not
1569 * modify the "iret" frame because it's being written by
1570 * the outer NMI. That's okay; the outer NMI handler is
1571 * about to about to call do_nmi anyway, so we can just
1572 * resume the outer NMI.
1575 movq $repeat_nmi, %rdx
1578 movq $end_repeat_nmi, %rdx
1584 * Now check "NMI executing". If it's set, then we're nested.
1585 * This will not detect if we interrupted an outer NMI just
1592 * Now test if the previous stack was an NMI stack. This covers
1593 * the case where we interrupt an outer NMI after it clears
1594 * "NMI executing" but before IRET. We need to be careful, though:
1595 * there is one case in which RSP could point to the NMI stack
1596 * despite there being no NMI active: naughty userspace controls
1597 * RSP at the very beginning of the SYSCALL targets. We can
1598 * pull a fast one on naughty userspace, though: we program
1599 * SYSCALL to mask DF, so userspace cannot cause DF to be set
1600 * if it controls the kernel's RSP. We set DF before we clear
1604 /* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */
1605 cmpq %rdx, 4*8(%rsp)
1606 /* If the stack pointer is above the NMI stack, this is a normal NMI */
1609 subq $EXCEPTION_STKSZ, %rdx
1610 cmpq %rdx, 4*8(%rsp)
1611 /* If it is below the NMI stack, it is a normal NMI */
1614 /* Ah, it is within the NMI stack. */
1616 testb $(X86_EFLAGS_DF >> 8), (3*8 + 1)(%rsp)
1617 jz first_nmi /* RSP was user controlled. */
1619 /* This is a nested NMI. */
1623 * Modify the "iret" frame to point to repeat_nmi, forcing another
1624 * iteration of NMI handling.
1627 leaq -10*8(%rsp), %rdx
1634 /* Put stack back */
1640 /* We are returning to kernel mode, so this cannot result in a fault. */
1647 /* Make room for "NMI executing". */
1650 /* Leave room for the "iret" frame */
1653 /* Copy the "original" frame to the "outermost" frame */
1657 UNWIND_HINT_IRET_REGS
1659 /* Everything up to here is safe from nested NMIs */
1661 #ifdef CONFIG_DEBUG_ENTRY
1663 * For ease of testing, unmask NMIs right away. Disabled by
1664 * default because IRET is very expensive.
1667 pushq %rsp /* RSP (minus 8 because of the previous push) */
1668 addq $8, (%rsp) /* Fix up RSP */
1670 pushq $__KERNEL_CS /* CS */
1672 iretq /* continues at repeat_nmi below */
1673 UNWIND_HINT_IRET_REGS
1679 * If there was a nested NMI, the first NMI's iret will return
1680 * here. But NMIs are still enabled and we can take another
1681 * nested NMI. The nested NMI checks the interrupted RIP to see
1682 * if it is between repeat_nmi and end_repeat_nmi, and if so
1683 * it will just return, as we are about to repeat an NMI anyway.
1684 * This makes it safe to copy to the stack frame that a nested
1687 * RSP is pointing to "outermost RIP". gsbase is unknown, but, if
1688 * we're repeating an NMI, gsbase has the same value that it had on
1689 * the first iteration. paranoid_entry will load the kernel
1690 * gsbase if needed before we call do_nmi. "NMI executing"
1693 movq $1, 10*8(%rsp) /* Set "NMI executing". */
1696 * Copy the "outermost" frame to the "iret" frame. NMIs that nest
1697 * here must not modify the "iret" frame while we're writing to
1698 * it or it will end up containing garbage.
1708 * Everything below this point can be preempted by a nested NMI.
1709 * If this happens, then the inner NMI will change the "iret"
1710 * frame to point back to repeat_nmi.
1712 pushq $-1 /* ORIG_RAX: no syscall to restart */
1715 * Use paranoid_entry to handle SWAPGS, but no need to use paranoid_exit
1716 * as we should not be calling schedule in NMI context.
1717 * Even with normal interrupts enabled. An NMI should not be
1718 * setting NEED_RESCHED or anything that normal interrupts and
1719 * exceptions might do.
1724 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
1729 /* Always restore stashed CR3 value (see paranoid_entry) */
1730 RESTORE_CR3 scratch_reg=%r15 save_reg=%r14
1732 testl %ebx, %ebx /* swapgs needed? */
1740 * Skip orig_ax and the "outermost" frame to point RSP at the "iret"
1741 * at the "iret" frame.
1746 * Clear "NMI executing". Set DF first so that we can easily
1747 * distinguish the remaining code between here and IRET from
1748 * the SYSCALL entry and exit paths.
1750 * We arguably should just inspect RIP instead, but I (Andy) wrote
1751 * this code when I had the misapprehension that Xen PV supported
1752 * NMIs, and Xen PV would break that approach.
1755 movq $0, 5*8(%rsp) /* clear "NMI executing" */
1758 * iretq reads the "iret" frame and exits the NMI stack in a
1759 * single instruction. We are returning to kernel mode, so this
1760 * cannot result in a fault. Similarly, we don't need to worry
1761 * about espfix64 on the way back to kernel mode.
1766 #ifndef CONFIG_IA32_EMULATION
1768 * This handles SYSCALL from 32-bit code. There is no way to program
1769 * MSRs to fully disable 32-bit SYSCALL.
1771 SYM_CODE_START(ignore_sysret)
1775 SYM_CODE_END(ignore_sysret)
1778 .pushsection .text, "ax"
1779 SYM_CODE_START(rewind_stack_do_exit)
1781 /* Prevent any naive code from trying to unwind to our caller. */
1784 movq PER_CPU_VAR(cpu_current_top_of_stack), %rax
1785 leaq -PTREGS_SIZE(%rax), %rsp
1789 SYM_CODE_END(rewind_stack_do_exit)