1 /* SPDX-License-Identifier: GPL-2.0 */
3 * linux/arch/x86_64/entry.S
5 * Copyright (C) 1991, 1992 Linus Torvalds
6 * Copyright (C) 2000, 2001, 2002 Andi Kleen SuSE Labs
7 * Copyright (C) 2000 Pavel Machek <pavel@suse.cz>
9 * entry.S contains the system-call and fault low-level handling routines.
11 * Some of this is documented in Documentation/arch/x86/entry_64.rst
13 * A note on terminology:
14 * - iret frame: Architecture defined interrupt frame from SS to RIP
15 * at the top of the kernel process stack.
18 * - SYM_FUNC_START/END:Define functions in the symbol table.
19 * - idtentry: Define exception entry points.
21 #include <linux/export.h>
22 #include <linux/linkage.h>
23 #include <asm/segment.h>
24 #include <asm/cache.h>
25 #include <asm/errno.h>
26 #include <asm/asm-offsets.h>
28 #include <asm/unistd.h>
29 #include <asm/thread_info.h>
30 #include <asm/hw_irq.h>
31 #include <asm/page_types.h>
32 #include <asm/irqflags.h>
33 #include <asm/paravirt.h>
34 #include <asm/percpu.h>
37 #include <asm/pgtable_types.h>
38 #include <asm/frame.h>
39 #include <asm/trapnr.h>
40 #include <asm/nospec-branch.h>
41 #include <asm/fsgsbase.h>
42 #include <linux/err.h>
47 .section .entry.text, "ax"
50 * 64-bit SYSCALL instruction entry. Up to 6 arguments in registers.
52 * This is the only entry point used for 64-bit system calls. The
53 * hardware interface is reasonably well designed and the register to
54 * argument mapping Linux uses fits well with the registers that are
55 * available when SYSCALL is used.
57 * SYSCALL instructions can be found inlined in libc implementations as
58 * well as some other programs and libraries. There are also a handful
59 * of SYSCALL instructions in the vDSO used, for example, as a
60 * clock_gettimeofday fallback.
62 * 64-bit SYSCALL saves rip to rcx, clears rflags.RF, then saves rflags to r11,
63 * then loads new ss, cs, and rip from previously programmed MSRs.
64 * rflags gets masked by a value from another MSR (so CLD and CLAC
65 * are not needed). SYSCALL does not save anything on the stack
66 * and does not change rsp.
69 * rax system call number
71 * r11 saved rflags (note: r11 is callee-clobbered register in C ABI)
75 * r10 arg3 (needs to be moved to rcx to conform to C ABI)
78 * (note: r12-r15, rbp, rbx are callee-preserved in C ABI)
80 * Only called from user space.
82 * When user can change pt_regs->foo always force IRET. That is because
83 * it deals with uncanonical addresses better. SYSRET has trouble
84 * with them due to bugs in both AMD and Intel CPUs.
87 SYM_CODE_START(entry_SYSCALL_64)
92 /* tss.sp2 is scratch space. */
93 movq %rsp, PER_CPU_VAR(cpu_tss_rw + TSS_sp2)
94 SWITCH_TO_KERNEL_CR3 scratch_reg=%rsp
95 movq PER_CPU_VAR(pcpu_hot + X86_top_of_stack), %rsp
97 SYM_INNER_LABEL(entry_SYSCALL_64_safe_stack, SYM_L_GLOBAL)
100 /* Construct struct pt_regs on stack */
101 pushq $__USER_DS /* pt_regs->ss */
102 pushq PER_CPU_VAR(cpu_tss_rw + TSS_sp2) /* pt_regs->sp */
103 pushq %r11 /* pt_regs->flags */
104 pushq $__USER_CS /* pt_regs->cs */
105 pushq %rcx /* pt_regs->ip */
106 SYM_INNER_LABEL(entry_SYSCALL_64_after_hwframe, SYM_L_GLOBAL)
107 pushq %rax /* pt_regs->orig_ax */
109 PUSH_AND_CLEAR_REGS rax=$-ENOSYS
113 /* Sign extend the lower 32bit as syscall numbers are treated as int */
116 /* clobbers %rax, make sure it is after saving the syscall nr */
120 call do_syscall_64 /* returns with IRQs disabled */
123 * Try to use SYSRET instead of IRET if we're returning to
124 * a completely clean 64-bit userspace context. If we're not,
125 * go to the slow exit path.
126 * In the Xen PV case we must use iret anyway.
129 ALTERNATIVE "testb %al, %al; jz swapgs_restore_regs_and_return_to_usermode", \
130 "jmp swapgs_restore_regs_and_return_to_usermode", X86_FEATURE_XENPV
133 * We win! This label is here just for ease of understanding
134 * perf profiles. Nothing jumps here.
136 syscall_return_via_sysret:
141 * Now all regs are restored except RSP and RDI.
142 * Save old stack pointer and switch to trampoline stack.
145 movq PER_CPU_VAR(cpu_tss_rw + TSS_sp0), %rsp
146 UNWIND_HINT_END_OF_STACK
148 pushq RSP-RDI(%rdi) /* RSP */
149 pushq (%rdi) /* RDI */
152 * We are on the trampoline stack. All regs except RDI are live.
153 * We can do future final exit work right here.
155 STACKLEAK_ERASE_NOCLOBBER
157 SWITCH_TO_USER_CR3_STACK scratch_reg=%rdi
161 SYM_INNER_LABEL(entry_SYSRETQ_unsafe_stack, SYM_L_GLOBAL)
166 SYM_INNER_LABEL(entry_SYSRETQ_end, SYM_L_GLOBAL)
169 SYM_CODE_END(entry_SYSCALL_64)
175 .pushsection .text, "ax"
176 SYM_FUNC_START(__switch_to_asm)
178 * Save callee-saved registers
179 * This must match the order in inactive_task_frame
189 movq %rsp, TASK_threadsp(%rdi)
190 movq TASK_threadsp(%rsi), %rsp
192 #ifdef CONFIG_STACKPROTECTOR
193 movq TASK_stack_canary(%rsi), %rbx
194 movq %rbx, PER_CPU_VAR(fixed_percpu_data + FIXED_stack_canary)
198 * When switching from a shallower to a deeper call stack
199 * the RSB may either underflow or use entries populated
200 * with userspace addresses. On CPUs where those concerns
201 * exist, overwrite the RSB with entries which capture
202 * speculative execution to prevent attack.
204 FILL_RETURN_BUFFER %r12, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
206 /* restore callee-saved registers */
215 SYM_FUNC_END(__switch_to_asm)
219 * A newly forked process directly context switches into this address.
221 * rax: prev task we switched from
222 * rbx: kernel thread func (NULL for user thread)
223 * r12: kernel thread arg
225 .pushsection .text, "ax"
226 SYM_CODE_START(ret_from_fork_asm)
228 * This is the start of the kernel stack; even through there's a
229 * register set at the top, the regset isn't necessarily coherent
230 * (consider kthreads) and one cannot unwind further.
232 * This ensures stack unwinds of kernel threads terminate in a known
235 UNWIND_HINT_END_OF_STACK
236 ANNOTATE_NOENDBR // copy_thread
239 movq %rax, %rdi /* prev */
240 movq %rsp, %rsi /* regs */
241 movq %rbx, %rdx /* fn */
242 movq %r12, %rcx /* fn_arg */
246 * Set the stack state to what is expected for the target function
247 * -- at this point the register set should be a valid user set
248 * and unwind should work normally.
252 #ifdef CONFIG_X86_FRED
253 ALTERNATIVE "jmp swapgs_restore_regs_and_return_to_usermode", \
254 "jmp asm_fred_exit_user", X86_FEATURE_FRED
256 jmp swapgs_restore_regs_and_return_to_usermode
258 SYM_CODE_END(ret_from_fork_asm)
261 .macro DEBUG_ENTRY_ASSERT_IRQS_OFF
262 #ifdef CONFIG_DEBUG_ENTRY
265 testl $X86_EFLAGS_IF, %eax
273 SYM_CODE_START(xen_error_entry)
276 PUSH_AND_CLEAR_REGS save_ret=1
277 ENCODE_FRAME_POINTER 8
278 UNTRAIN_RET_FROM_CALL
280 SYM_CODE_END(xen_error_entry)
283 * idtentry_body - Macro to emit code calling the C function
284 * @cfunc: C function to be called
285 * @has_error_code: Hardware pushed error code on stack
287 .macro idtentry_body cfunc has_error_code:req
290 * Call error_entry() and switch to the task stack if from userspace.
292 * When in XENPV, it is already in the task stack, and it can't fault
293 * for native_iret() nor native_load_gs_index() since XENPV uses its
294 * own pvops for IRET and load_gs_index(). And it doesn't need to
295 * switch the CR3. So it can skip invoking error_entry().
297 ALTERNATIVE "call error_entry; movq %rax, %rsp", \
298 "call xen_error_entry", X86_FEATURE_XENPV
303 movq %rsp, %rdi /* pt_regs pointer into 1st argument*/
305 .if \has_error_code == 1
306 movq ORIG_RAX(%rsp), %rsi /* get error code into 2nd argument*/
307 movq $-1, ORIG_RAX(%rsp) /* no syscall to restart */
312 /* For some configurations \cfunc ends up being a noreturn. */
319 * idtentry - Macro to generate entry stubs for simple IDT entries
320 * @vector: Vector number
321 * @asmsym: ASM symbol for the entry point
322 * @cfunc: C function to be called
323 * @has_error_code: Hardware pushed error code on stack
325 * The macro emits code to set up the kernel context for straight forward
326 * and simple IDT entries. No IST stack, no paranoid entry checks.
328 .macro idtentry vector asmsym cfunc has_error_code:req
329 SYM_CODE_START(\asmsym)
331 .if \vector == X86_TRAP_BP
332 /* #BP advances %rip to the next instruction */
333 UNWIND_HINT_IRET_ENTRY offset=\has_error_code*8 signal=0
335 UNWIND_HINT_IRET_ENTRY offset=\has_error_code*8
342 .if \has_error_code == 0
343 pushq $-1 /* ORIG_RAX: no syscall to restart */
346 .if \vector == X86_TRAP_BP
348 * If coming from kernel space, create a 6-word gap to allow the
349 * int3 handler to emulate a call instruction.
351 testb $3, CS-ORIG_RAX(%rsp)
352 jnz .Lfrom_usermode_no_gap_\@
356 UNWIND_HINT_IRET_REGS offset=8
357 .Lfrom_usermode_no_gap_\@:
360 idtentry_body \cfunc \has_error_code
362 _ASM_NOKPROBE(\asmsym)
363 SYM_CODE_END(\asmsym)
367 * Interrupt entry/exit.
369 + The interrupt stubs push (vector) onto the stack, which is the error_code
370 * position of idtentry exceptions, and jump to one of the two idtentry points
373 * common_interrupt is a hotpath, align it to a cache line
375 .macro idtentry_irq vector cfunc
376 .p2align CONFIG_X86_L1_CACHE_SHIFT
377 idtentry \vector asm_\cfunc \cfunc has_error_code=1
381 * idtentry_mce_db - Macro to generate entry stubs for #MC and #DB
382 * @vector: Vector number
383 * @asmsym: ASM symbol for the entry point
384 * @cfunc: C function to be called
386 * The macro emits code to set up the kernel context for #MC and #DB
388 * If the entry comes from user space it uses the normal entry path
389 * including the return to user space work and preemption checks on
392 * If hits in kernel mode then it needs to go through the paranoid
393 * entry as the exception can hit any random state. No preemption
394 * check on exit to keep the paranoid path simple.
396 .macro idtentry_mce_db vector asmsym cfunc
397 SYM_CODE_START(\asmsym)
398 UNWIND_HINT_IRET_ENTRY
403 pushq $-1 /* ORIG_RAX: no syscall to restart */
406 * If the entry is from userspace, switch stacks and treat it as
409 testb $3, CS-ORIG_RAX(%rsp)
410 jnz .Lfrom_usermode_switch_stack_\@
412 /* paranoid_entry returns GS information for paranoid_exit in EBX. */
417 movq %rsp, %rdi /* pt_regs pointer */
423 /* Switch to the regular task stack and use the noist entry point */
424 .Lfrom_usermode_switch_stack_\@:
425 idtentry_body noist_\cfunc, has_error_code=0
427 _ASM_NOKPROBE(\asmsym)
428 SYM_CODE_END(\asmsym)
431 #ifdef CONFIG_AMD_MEM_ENCRYPT
433 * idtentry_vc - Macro to generate entry stub for #VC
434 * @vector: Vector number
435 * @asmsym: ASM symbol for the entry point
436 * @cfunc: C function to be called
438 * The macro emits code to set up the kernel context for #VC. The #VC handler
439 * runs on an IST stack and needs to be able to cause nested #VC exceptions.
441 * To make this work the #VC entry code tries its best to pretend it doesn't use
442 * an IST stack by switching to the task stack if coming from user-space (which
443 * includes early SYSCALL entry path) or back to the stack in the IRET frame if
444 * entered from kernel-mode.
446 * If entered from kernel-mode the return stack is validated first, and if it is
447 * not safe to use (e.g. because it points to the entry stack) the #VC handler
448 * will switch to a fall-back stack (VC2) and call a special handler function.
450 * The macro is only used for one vector, but it is planned to be extended in
451 * the future for the #HV exception.
453 .macro idtentry_vc vector asmsym cfunc
454 SYM_CODE_START(\asmsym)
455 UNWIND_HINT_IRET_ENTRY
461 * If the entry is from userspace, switch stacks and treat it as
464 testb $3, CS-ORIG_RAX(%rsp)
465 jnz .Lfrom_usermode_switch_stack_\@
468 * paranoid_entry returns SWAPGS flag for paranoid_exit in EBX.
469 * EBX == 0 -> SWAPGS, EBX == 1 -> no SWAPGS
476 * Switch off the IST stack to make it free for nested exceptions. The
477 * vc_switch_off_ist() function will switch back to the interrupted
478 * stack if it is safe to do so. If not it switches to the VC fall-back
481 movq %rsp, %rdi /* pt_regs pointer */
482 call vc_switch_off_ist
483 movq %rax, %rsp /* Switch to new stack */
489 movq ORIG_RAX(%rsp), %rsi /* get error code into 2nd argument*/
490 movq $-1, ORIG_RAX(%rsp) /* no syscall to restart */
492 movq %rsp, %rdi /* pt_regs pointer */
497 * No need to switch back to the IST stack. The current stack is either
498 * identical to the stack in the IRET frame or the VC fall-back stack,
499 * so it is definitely mapped even with PTI enabled.
503 /* Switch to the regular task stack */
504 .Lfrom_usermode_switch_stack_\@:
505 idtentry_body user_\cfunc, has_error_code=1
507 _ASM_NOKPROBE(\asmsym)
508 SYM_CODE_END(\asmsym)
513 * Double fault entry. Straight paranoid. No checks from which context
514 * this comes because for the espfix induced #DF this would do the wrong
517 .macro idtentry_df vector asmsym cfunc
518 SYM_CODE_START(\asmsym)
519 UNWIND_HINT_IRET_ENTRY offset=8
524 /* paranoid_entry returns GS information for paranoid_exit in EBX. */
528 movq %rsp, %rdi /* pt_regs pointer into first argument */
529 movq ORIG_RAX(%rsp), %rsi /* get error code into 2nd argument*/
530 movq $-1, ORIG_RAX(%rsp) /* no syscall to restart */
533 /* For some configurations \cfunc ends up being a noreturn. */
538 _ASM_NOKPROBE(\asmsym)
539 SYM_CODE_END(\asmsym)
543 * Include the defines which emit the idt entries which are shared
544 * shared between 32 and 64 bit and emit the __irqentry_text_* markers
545 * so the stacktrace boundary checks work.
548 .globl __irqentry_text_start
549 __irqentry_text_start:
551 #include <asm/idtentry.h>
554 .globl __irqentry_text_end
558 SYM_CODE_START_LOCAL(common_interrupt_return)
559 SYM_INNER_LABEL(swapgs_restore_regs_and_return_to_usermode, SYM_L_GLOBAL)
562 ALTERNATIVE "", "jmp xenpv_restore_regs_and_return_to_usermode", X86_FEATURE_XENPV
564 #ifdef CONFIG_MITIGATION_PAGE_TABLE_ISOLATION
565 ALTERNATIVE "", "jmp .Lpti_restore_regs_and_return_to_usermode", X86_FEATURE_PTI
570 add $8, %rsp /* orig_ax */
571 UNWIND_HINT_IRET_REGS
576 /* Assert that the IRET frame indicates user mode. */
581 #ifdef CONFIG_MITIGATION_PAGE_TABLE_ISOLATION
582 .Lpti_restore_regs_and_return_to_usermode:
586 * The stack is now user RDI, orig_ax, RIP, CS, EFLAGS, RSP, SS.
587 * Save old stack pointer and switch to trampoline stack.
590 movq PER_CPU_VAR(cpu_tss_rw + TSS_sp0), %rsp
591 UNWIND_HINT_END_OF_STACK
593 /* Copy the IRET frame to the trampoline stack. */
594 pushq 6*8(%rdi) /* SS */
595 pushq 5*8(%rdi) /* RSP */
596 pushq 4*8(%rdi) /* EFLAGS */
597 pushq 3*8(%rdi) /* CS */
598 pushq 2*8(%rdi) /* RIP */
600 /* Push user RDI on the trampoline stack. */
604 * We are on the trampoline stack. All regs except RDI are live.
605 * We can do future final exit work right here.
607 STACKLEAK_ERASE_NOCLOBBER
610 SWITCH_TO_USER_CR3 scratch_reg=%rdi scratch_reg2=%rax
615 jmp .Lswapgs_and_iret
618 SYM_INNER_LABEL(restore_regs_and_return_to_kernel, SYM_L_GLOBAL)
619 #ifdef CONFIG_DEBUG_ENTRY
620 /* Assert that pt_regs indicates kernel mode. */
627 addq $8, %rsp /* skip regs->orig_ax */
629 * ARCH_HAS_MEMBARRIER_SYNC_CORE rely on IRET core serialization
630 * when returning from IPI handler.
633 SYM_INNER_LABEL(early_xen_iret_patch, SYM_L_GLOBAL)
636 .long .Lnative_iret - (. + 4)
640 UNWIND_HINT_IRET_REGS
642 * Are we returning to a stack segment from the LDT? Note: in
643 * 64-bit mode SS:RSP on the exception stack is always valid.
645 #ifdef CONFIG_X86_ESPFIX64
646 testb $4, (SS-RIP)(%rsp)
647 jnz native_irq_return_ldt
650 SYM_INNER_LABEL(native_irq_return_iret, SYM_L_GLOBAL)
651 ANNOTATE_NOENDBR // exc_double_fault
653 * This may fault. Non-paranoid faults on return to userspace are
654 * handled by fixup_bad_iret. These include #SS, #GP, and #NP.
655 * Double-faults due to espfix64 are handled in exc_double_fault.
656 * Other faults here are fatal.
660 #ifdef CONFIG_X86_ESPFIX64
661 native_irq_return_ldt:
663 * We are running with user GSBASE. All GPRs contain their user
664 * values. We have a percpu ESPFIX stack that is eight slots
665 * long (see ESPFIX_STACK_SIZE). espfix_waddr points to the bottom
666 * of the ESPFIX stack.
668 * We clobber RAX and RDI in this code. We stash RDI on the
669 * normal stack and RAX on the ESPFIX stack.
671 * The ESPFIX stack layout we set up looks like this:
673 * --- top of ESPFIX stack ---
678 * RIP <-- RSP points here when we're done
679 * RAX <-- espfix_waddr points here
680 * --- bottom of ESPFIX stack ---
683 pushq %rdi /* Stash user RDI */
684 swapgs /* to kernel GS */
685 SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi /* to kernel CR3 */
687 movq PER_CPU_VAR(espfix_waddr), %rdi
688 movq %rax, (0*8)(%rdi) /* user RAX */
689 movq (1*8)(%rsp), %rax /* user RIP */
690 movq %rax, (1*8)(%rdi)
691 movq (2*8)(%rsp), %rax /* user CS */
692 movq %rax, (2*8)(%rdi)
693 movq (3*8)(%rsp), %rax /* user RFLAGS */
694 movq %rax, (3*8)(%rdi)
695 movq (5*8)(%rsp), %rax /* user SS */
696 movq %rax, (5*8)(%rdi)
697 movq (4*8)(%rsp), %rax /* user RSP */
698 movq %rax, (4*8)(%rdi)
699 /* Now RAX == RSP. */
701 andl $0xffff0000, %eax /* RAX = (RSP & 0xffff0000) */
704 * espfix_stack[31:16] == 0. The page tables are set up such that
705 * (espfix_stack | (X & 0xffff0000)) points to a read-only alias of
706 * espfix_waddr for any X. That is, there are 65536 RO aliases of
707 * the same page. Set up RSP so that RSP[31:16] contains the
708 * respective 16 bits of the /userspace/ RSP and RSP nonetheless
709 * still points to an RO alias of the ESPFIX stack.
711 orq PER_CPU_VAR(espfix_stack), %rax
713 SWITCH_TO_USER_CR3_STACK scratch_reg=%rdi
714 swapgs /* to user GS */
715 popq %rdi /* Restore user RDI */
718 UNWIND_HINT_IRET_REGS offset=8
721 * At this point, we cannot write to the stack any more, but we can
724 popq %rax /* Restore user RAX */
729 * RSP now points to an ordinary IRET frame, except that the page
730 * is read-only and RSP[31:16] are preloaded with the userspace
731 * values. We can now IRET back to userspace.
733 jmp native_irq_return_iret
735 SYM_CODE_END(common_interrupt_return)
736 _ASM_NOKPROBE(common_interrupt_return)
739 * Reload gs selector with exception handling
742 * Is in entry.text as it shouldn't be instrumented.
744 SYM_FUNC_START(asm_load_gs_index)
748 ANNOTATE_NOENDBR // error_entry
750 2: ALTERNATIVE "", "mfence", X86_BUG_SWAPGS_FENCE
755 /* running with kernelgs */
757 swapgs /* switch back to user gs */
759 /* This can't be a string because the preprocessor needs to see it. */
760 movl $__USER_DS, %eax
763 ALTERNATIVE "", "ZAP_GS", X86_BUG_NULL_SEG
768 _ASM_EXTABLE(.Lgs_change, .Lbad_gs)
770 SYM_FUNC_END(asm_load_gs_index)
771 EXPORT_SYMBOL(asm_load_gs_index)
775 * A note on the "critical region" in our callback handler.
776 * We want to avoid stacking callback handlers due to events occurring
777 * during handling of the last event. To do this, we keep events disabled
778 * until we've done all processing. HOWEVER, we must enable events before
779 * popping the stack frame (can't be done atomically) and so it would still
780 * be possible to get enough handler activations to overflow the stack.
781 * Although unlikely, bugs of that kind are hard to track down, so we'd
782 * like to avoid the possibility.
783 * So, on entry to the handler we detect whether we interrupted an
784 * existing activation in its critical region -- if so, we pop the current
785 * activation and restart the handler using the previous one.
787 * C calling convention: exc_xen_hypervisor_callback(struct *pt_regs)
790 SYM_CODE_START_LOCAL_NOALIGN(exc_xen_hypervisor_callback)
793 * Since we don't modify %rdi, evtchn_do_upall(struct *pt_regs) will
794 * see the correct pointer to the pt_regs
797 movq %rdi, %rsp /* we don't return, adjust the stack frame */
800 call xen_pv_evtchn_do_upcall
803 SYM_CODE_END(exc_xen_hypervisor_callback)
806 * Hypervisor uses this for application faults while it executes.
807 * We get here for two reasons:
808 * 1. Fault while reloading DS, ES, FS or GS
809 * 2. Fault while executing IRET
810 * Category 1 we do not need to fix up as Xen has already reloaded all segment
811 * registers that could be reloaded and zeroed the others.
812 * Category 2 we fix up by killing the current process. We cannot use the
813 * normal Linux return path in this case because if we use the IRET hypercall
814 * to pop the stack frame we end up in an infinite loop of failsafe callbacks.
815 * We distinguish between categories by comparing each saved segment register
816 * with its current contents: any discrepancy means we in category 1.
819 SYM_CODE_START_NOALIGN(xen_failsafe_callback)
820 UNWIND_HINT_UNDEFINED
834 /* All segments match their saved values => Category 2 (Bad IRET). */
839 UNWIND_HINT_IRET_REGS offset=8
840 jmp asm_exc_general_protection
841 1: /* Segment mismatch => Category 1 (Bad segment). Retry the IRET. */
845 UNWIND_HINT_IRET_REGS
846 pushq $-1 /* orig_ax = -1 => not a system call */
850 SYM_CODE_END(xen_failsafe_callback)
851 #endif /* CONFIG_XEN_PV */
854 * Save all registers in pt_regs. Return GSBASE related information
855 * in EBX depending on the availability of the FSGSBASE instructions:
858 * N 0 -> SWAPGS on exit
859 * 1 -> no SWAPGS on exit
861 * Y GSBASE value at entry, must be restored in paranoid_exit
864 * R15 - old SPEC_CTRL
866 SYM_CODE_START(paranoid_entry)
869 PUSH_AND_CLEAR_REGS save_ret=1
870 ENCODE_FRAME_POINTER 8
873 * Always stash CR3 in %r14. This value will be restored,
874 * verbatim, at exit. Needed if paranoid_entry interrupted
875 * another entry that already switched to the user CR3 value
876 * but has not yet returned to userspace.
878 * This is also why CS (stashed in the "iret frame" by the
879 * hardware at entry) can not be used: this may be a return
880 * to kernel code, but with a user CR3 value.
882 * Switching CR3 does not depend on kernel GSBASE so it can
883 * be done before switching to the kernel GSBASE. This is
884 * required for FSGSBASE because the kernel GSBASE has to
885 * be retrieved from a kernel internal table.
887 SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg=%rax save_reg=%r14
890 * Handling GSBASE depends on the availability of FSGSBASE.
892 * Without FSGSBASE the kernel enforces that negative GSBASE
893 * values indicate kernel GSBASE. With FSGSBASE no assumptions
894 * can be made about the GSBASE value when entering from user
897 ALTERNATIVE "jmp .Lparanoid_entry_checkgs", "", X86_FEATURE_FSGSBASE
900 * Read the current GSBASE and store it in %rbx unconditionally,
901 * retrieve and set the current CPUs kernel GSBASE. The stored value
902 * has to be restored in paranoid_exit unconditionally.
904 * The unconditional write to GS base below ensures that no subsequent
905 * loads based on a mispredicted GS base can happen, therefore no LFENCE
908 SAVE_AND_SET_GSBASE scratch_reg=%rax save_reg=%rbx
909 jmp .Lparanoid_gsbase_done
911 .Lparanoid_entry_checkgs:
912 /* EBX = 1 -> kernel GSBASE active, no restore required */
916 * The kernel-enforced convention is a negative GSBASE indicates
917 * a kernel value. No SWAPGS needed on entry and exit.
919 movl $MSR_GS_BASE, %ecx
922 js .Lparanoid_kernel_gsbase
924 /* EBX = 0 -> SWAPGS required on exit */
927 .Lparanoid_kernel_gsbase:
928 FENCE_SWAPGS_KERNEL_ENTRY
929 .Lparanoid_gsbase_done:
932 * Once we have CR3 and %GS setup save and set SPEC_CTRL. Just like
933 * CR3 above, keep the old value in a callee saved register.
935 IBRS_ENTER save_reg=%r15
936 UNTRAIN_RET_FROM_CALL
939 SYM_CODE_END(paranoid_entry)
942 * "Paranoid" exit path from exception stack. This is invoked
943 * only on return from non-NMI IST interrupts that came
946 * We may be returning to very strange contexts (e.g. very early
947 * in syscall entry), so checking for preemption here would
948 * be complicated. Fortunately, there's no good reason to try
949 * to handle preemption here.
951 * R/EBX contains the GSBASE related information depending on the
952 * availability of the FSGSBASE instructions:
955 * N 0 -> SWAPGS on exit
956 * 1 -> no SWAPGS on exit
958 * Y User space GSBASE, must be restored unconditionally
961 * R15 - old SPEC_CTRL
963 SYM_CODE_START_LOCAL(paranoid_exit)
967 * Must restore IBRS state before both CR3 and %GS since we need access
968 * to the per-CPU x86_spec_ctrl_shadow variable.
970 IBRS_EXIT save_reg=%r15
973 * The order of operations is important. PARANOID_RESTORE_CR3 requires
976 * NB to anyone to try to optimize this code: this code does
977 * not execute at all for exceptions from user mode. Those
978 * exceptions go through error_return instead.
980 PARANOID_RESTORE_CR3 scratch_reg=%rax save_reg=%r14
982 /* Handle the three GSBASE cases */
983 ALTERNATIVE "jmp .Lparanoid_exit_checkgs", "", X86_FEATURE_FSGSBASE
985 /* With FSGSBASE enabled, unconditionally restore GSBASE */
987 jmp restore_regs_and_return_to_kernel
989 .Lparanoid_exit_checkgs:
990 /* On non-FSGSBASE systems, conditionally do SWAPGS */
992 jnz restore_regs_and_return_to_kernel
994 /* We are returning to a context with user GSBASE */
996 jmp restore_regs_and_return_to_kernel
997 SYM_CODE_END(paranoid_exit)
1000 * Switch GS and CR3 if needed.
1002 SYM_CODE_START(error_entry)
1006 PUSH_AND_CLEAR_REGS save_ret=1
1007 ENCODE_FRAME_POINTER 8
1009 testb $3, CS+8(%rsp)
1010 jz .Lerror_kernelspace
1013 * We entered from user mode or we're pretending to have entered
1014 * from user mode due to an IRET fault.
1017 FENCE_SWAPGS_USER_ENTRY
1018 /* We have user CR3. Change to kernel CR3. */
1019 SWITCH_TO_KERNEL_CR3 scratch_reg=%rax
1021 UNTRAIN_RET_FROM_CALL
1023 leaq 8(%rsp), %rdi /* arg0 = pt_regs pointer */
1024 /* Put us onto the real thread stack. */
1028 * There are two places in the kernel that can potentially fault with
1029 * usergs. Handle them here. B stepping K8s sometimes report a
1030 * truncated RIP for IRET exceptions returning to compat mode. Check
1031 * for these here too.
1033 .Lerror_kernelspace:
1034 leaq native_irq_return_iret(%rip), %rcx
1035 cmpq %rcx, RIP+8(%rsp)
1037 movl %ecx, %eax /* zero extend */
1038 cmpq %rax, RIP+8(%rsp)
1040 cmpq $.Lgs_change, RIP+8(%rsp)
1041 jne .Lerror_entry_done_lfence
1044 * hack: .Lgs_change can fail with user gsbase. If this happens, fix up
1045 * gsbase and proceed. We'll fix up the exception and land in
1046 * .Lgs_change's error handler with kernel gsbase.
1051 * Issue an LFENCE to prevent GS speculation, regardless of whether it is a
1052 * kernel or user gsbase.
1054 .Lerror_entry_done_lfence:
1055 FENCE_SWAPGS_KERNEL_ENTRY
1057 leaq 8(%rsp), %rax /* return pt_regs pointer */
1062 /* Fix truncated RIP */
1063 movq %rcx, RIP+8(%rsp)
1068 * We came from an IRET to user mode, so we have user
1069 * gsbase and CR3. Switch to kernel gsbase and CR3:
1072 FENCE_SWAPGS_USER_ENTRY
1073 SWITCH_TO_KERNEL_CR3 scratch_reg=%rax
1075 UNTRAIN_RET_FROM_CALL
1078 * Pretend that the exception came from user mode: set up pt_regs
1079 * as if we faulted immediately after IRET.
1081 leaq 8(%rsp), %rdi /* arg0 = pt_regs pointer */
1085 SYM_CODE_END(error_entry)
1087 SYM_CODE_START_LOCAL(error_return)
1089 DEBUG_ENTRY_ASSERT_IRQS_OFF
1091 jz restore_regs_and_return_to_kernel
1092 jmp swapgs_restore_regs_and_return_to_usermode
1093 SYM_CODE_END(error_return)
1096 * Runs on exception stack. Xen PV does not go through this path at all,
1097 * so we can use real assembly here.
1100 * %r14: Used to save/restore the CR3 of the interrupted context
1101 * when MITIGATION_PAGE_TABLE_ISOLATION is in use. Do not clobber.
1103 SYM_CODE_START(asm_exc_nmi)
1104 UNWIND_HINT_IRET_ENTRY
1108 * We allow breakpoints in NMIs. If a breakpoint occurs, then
1109 * the iretq it performs will take us out of NMI context.
1110 * This means that we can have nested NMIs where the next
1111 * NMI is using the top of the stack of the previous NMI. We
1112 * can't let it execute because the nested NMI will corrupt the
1113 * stack of the previous NMI. NMI handlers are not re-entrant
1116 * To handle this case we do the following:
1117 * Check a special location on the stack that contains a
1118 * variable that is set when NMIs are executing.
1119 * The interrupted task's stack is also checked to see if it
1121 * If the variable is not set and the stack is not the NMI
1123 * o Set the special variable on the stack
1124 * o Copy the interrupt frame into an "outermost" location on the
1126 * o Copy the interrupt frame into an "iret" location on the stack
1127 * o Continue processing the NMI
1128 * If the variable is set or the previous stack is the NMI stack:
1129 * o Modify the "iret" location to jump to the repeat_nmi
1130 * o return back to the first NMI
1132 * Now on exit of the first NMI, we first clear the stack variable
1133 * The NMI stack will tell any nested NMIs at that point that it is
1134 * nested. Then we pop the stack normally with iret, and if there was
1135 * a nested NMI that updated the copy interrupt stack frame, a
1136 * jump will be made to the repeat_nmi code that will handle the second
1139 * However, espfix prevents us from directly returning to userspace
1140 * with a single IRET instruction. Similarly, IRET to user mode
1141 * can fault. We therefore handle NMIs from user space like
1142 * other IST entries.
1148 /* Use %rdx as our temp variable throughout */
1151 testb $3, CS-RIP+8(%rsp)
1152 jz .Lnmi_from_kernel
1155 * NMI from user mode. We need to run on the thread stack, but we
1156 * can't go through the normal entry paths: NMIs are masked, and
1157 * we don't want to enable interrupts, because then we'll end
1158 * up in an awkward situation in which IRQs are on but NMIs
1161 * We also must not push anything to the stack before switching
1162 * stacks lest we corrupt the "NMI executing" variable.
1166 FENCE_SWAPGS_USER_ENTRY
1167 SWITCH_TO_KERNEL_CR3 scratch_reg=%rdx
1169 movq PER_CPU_VAR(pcpu_hot + X86_top_of_stack), %rsp
1170 UNWIND_HINT_IRET_REGS base=%rdx offset=8
1171 pushq 5*8(%rdx) /* pt_regs->ss */
1172 pushq 4*8(%rdx) /* pt_regs->rsp */
1173 pushq 3*8(%rdx) /* pt_regs->flags */
1174 pushq 2*8(%rdx) /* pt_regs->cs */
1175 pushq 1*8(%rdx) /* pt_regs->rip */
1176 UNWIND_HINT_IRET_REGS
1177 pushq $-1 /* pt_regs->orig_ax */
1178 PUSH_AND_CLEAR_REGS rdx=(%rdx)
1179 ENCODE_FRAME_POINTER
1185 * At this point we no longer need to worry about stack damage
1186 * due to nesting -- we're on the normal thread stack and we're
1187 * done with the NMI stack.
1194 * Return back to user mode. We must *not* do the normal exit
1195 * work, because we don't want to enable interrupts.
1197 jmp swapgs_restore_regs_and_return_to_usermode
1201 * Here's what our stack frame will look like:
1202 * +---------------------------------------------------------+
1204 * | original Return RSP |
1205 * | original RFLAGS |
1208 * +---------------------------------------------------------+
1209 * | temp storage for rdx |
1210 * +---------------------------------------------------------+
1211 * | "NMI executing" variable |
1212 * +---------------------------------------------------------+
1213 * | iret SS } Copied from "outermost" frame |
1214 * | iret Return RSP } on each loop iteration; overwritten |
1215 * | iret RFLAGS } by a nested NMI to force another |
1216 * | iret CS } iteration if needed. |
1218 * +---------------------------------------------------------+
1219 * | outermost SS } initialized in first_nmi; |
1220 * | outermost Return RSP } will not be changed before |
1221 * | outermost RFLAGS } NMI processing is done. |
1222 * | outermost CS } Copied to "iret" frame on each |
1223 * | outermost RIP } iteration. |
1224 * +---------------------------------------------------------+
1226 * +---------------------------------------------------------+
1228 * The "original" frame is used by hardware. Before re-enabling
1229 * NMIs, we need to be done with it, and we need to leave enough
1230 * space for the asm code here.
1232 * We return by executing IRET while RSP points to the "iret" frame.
1233 * That will either return for real or it will loop back into NMI
1236 * The "outermost" frame is copied to the "iret" frame on each
1237 * iteration of the loop, so each iteration starts with the "iret"
1238 * frame pointing to the final return target.
1242 * Determine whether we're a nested NMI.
1244 * If we interrupted kernel code between repeat_nmi and
1245 * end_repeat_nmi, then we are a nested NMI. We must not
1246 * modify the "iret" frame because it's being written by
1247 * the outer NMI. That's okay; the outer NMI handler is
1248 * about to call exc_nmi() anyway, so we can just resume
1252 movq $repeat_nmi, %rdx
1255 movq $end_repeat_nmi, %rdx
1261 * Now check "NMI executing". If it's set, then we're nested.
1262 * This will not detect if we interrupted an outer NMI just
1269 * Now test if the previous stack was an NMI stack. This covers
1270 * the case where we interrupt an outer NMI after it clears
1271 * "NMI executing" but before IRET. We need to be careful, though:
1272 * there is one case in which RSP could point to the NMI stack
1273 * despite there being no NMI active: naughty userspace controls
1274 * RSP at the very beginning of the SYSCALL targets. We can
1275 * pull a fast one on naughty userspace, though: we program
1276 * SYSCALL to mask DF, so userspace cannot cause DF to be set
1277 * if it controls the kernel's RSP. We set DF before we clear
1281 /* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */
1282 cmpq %rdx, 4*8(%rsp)
1283 /* If the stack pointer is above the NMI stack, this is a normal NMI */
1286 subq $EXCEPTION_STKSZ, %rdx
1287 cmpq %rdx, 4*8(%rsp)
1288 /* If it is below the NMI stack, it is a normal NMI */
1291 /* Ah, it is within the NMI stack. */
1293 testb $(X86_EFLAGS_DF >> 8), (3*8 + 1)(%rsp)
1294 jz first_nmi /* RSP was user controlled. */
1296 /* This is a nested NMI. */
1300 * Modify the "iret" frame to point to repeat_nmi, forcing another
1301 * iteration of NMI handling.
1304 leaq -10*8(%rsp), %rdx
1311 /* Put stack back */
1317 /* We are returning to kernel mode, so this cannot result in a fault. */
1324 /* Make room for "NMI executing". */
1327 /* Leave room for the "iret" frame */
1330 /* Copy the "original" frame to the "outermost" frame */
1334 UNWIND_HINT_IRET_REGS
1336 /* Everything up to here is safe from nested NMIs */
1338 #ifdef CONFIG_DEBUG_ENTRY
1340 * For ease of testing, unmask NMIs right away. Disabled by
1341 * default because IRET is very expensive.
1344 pushq %rsp /* RSP (minus 8 because of the previous push) */
1345 addq $8, (%rsp) /* Fix up RSP */
1347 pushq $__KERNEL_CS /* CS */
1349 iretq /* continues at repeat_nmi below */
1350 UNWIND_HINT_IRET_REGS
1355 ANNOTATE_NOENDBR // this code
1357 * If there was a nested NMI, the first NMI's iret will return
1358 * here. But NMIs are still enabled and we can take another
1359 * nested NMI. The nested NMI checks the interrupted RIP to see
1360 * if it is between repeat_nmi and end_repeat_nmi, and if so
1361 * it will just return, as we are about to repeat an NMI anyway.
1362 * This makes it safe to copy to the stack frame that a nested
1365 * RSP is pointing to "outermost RIP". gsbase is unknown, but, if
1366 * we're repeating an NMI, gsbase has the same value that it had on
1367 * the first iteration. paranoid_entry will load the kernel
1368 * gsbase if needed before we call exc_nmi(). "NMI executing"
1371 movq $1, 10*8(%rsp) /* Set "NMI executing". */
1374 * Copy the "outermost" frame to the "iret" frame. NMIs that nest
1375 * here must not modify the "iret" frame while we're writing to
1376 * it or it will end up containing garbage.
1384 ANNOTATE_NOENDBR // this code
1387 * Everything below this point can be preempted by a nested NMI.
1388 * If this happens, then the inner NMI will change the "iret"
1389 * frame to point back to repeat_nmi.
1391 pushq $-1 /* ORIG_RAX: no syscall to restart */
1394 * Use paranoid_entry to handle SWAPGS, but no need to use paranoid_exit
1395 * as we should not be calling schedule in NMI context.
1396 * Even with normal interrupts enabled. An NMI should not be
1397 * setting NEED_RESCHED or anything that normal interrupts and
1398 * exceptions might do.
1406 /* Always restore stashed SPEC_CTRL value (see paranoid_entry) */
1407 IBRS_EXIT save_reg=%r15
1409 PARANOID_RESTORE_CR3 scratch_reg=%r15 save_reg=%r14
1412 * The above invocation of paranoid_entry stored the GSBASE
1413 * related information in R/EBX depending on the availability
1416 * If FSGSBASE is enabled, restore the saved GSBASE value
1417 * unconditionally, otherwise take the conditional SWAPGS path.
1419 ALTERNATIVE "jmp nmi_no_fsgsbase", "", X86_FEATURE_FSGSBASE
1425 /* EBX == 0 -> invoke SWAPGS */
1436 * Skip orig_ax and the "outermost" frame to point RSP at the "iret"
1437 * at the "iret" frame.
1442 * Clear "NMI executing". Set DF first so that we can easily
1443 * distinguish the remaining code between here and IRET from
1444 * the SYSCALL entry and exit paths.
1446 * We arguably should just inspect RIP instead, but I (Andy) wrote
1447 * this code when I had the misapprehension that Xen PV supported
1448 * NMIs, and Xen PV would break that approach.
1451 movq $0, 5*8(%rsp) /* clear "NMI executing" */
1454 * Skip CLEAR_CPU_BUFFERS here, since it only helps in rare cases like
1455 * NMI in kernel after user state is restored. For an unprivileged user
1456 * these conditions are hard to meet.
1460 * iretq reads the "iret" frame and exits the NMI stack in a
1461 * single instruction. We are returning to kernel mode, so this
1462 * cannot result in a fault. Similarly, we don't need to worry
1463 * about espfix64 on the way back to kernel mode.
1466 SYM_CODE_END(asm_exc_nmi)
1469 * This handles SYSCALL from 32-bit code. There is no way to program
1470 * MSRs to fully disable 32-bit SYSCALL.
1472 SYM_CODE_START(entry_SYSCALL32_ignore)
1473 UNWIND_HINT_END_OF_STACK
1478 SYM_CODE_END(entry_SYSCALL32_ignore)
1480 .pushsection .text, "ax"
1482 SYM_CODE_START_NOALIGN(rewind_stack_and_make_dead)
1484 /* Prevent any naive code from trying to unwind to our caller. */
1487 movq PER_CPU_VAR(pcpu_hot + X86_top_of_stack), %rax
1488 leaq -PTREGS_SIZE(%rax), %rsp
1492 SYM_CODE_END(rewind_stack_and_make_dead)