1/* SPDX-License-Identifier: GPL-2.0 */
2/*
3 * linux/arch/x86_64/entry.S
4 *
5 * Copyright (C) 1991, 1992 Linus Torvalds
6 * Copyright (C) 2000, 2001, 2002 Andi Kleen SuSE Labs
7 * Copyright (C) 2000 Pavel Machek <pavel@suse.cz>
8 *
9 * entry.S contains the system-call and fault low-level handling routines.
10 *
11 * Some of this is documented in Documentation/x86/entry_64.txt
12 *
13 * A note on terminology:
14 * - iret frame: Architecture defined interrupt frame from SS to RIP
15 * at the top of the kernel process stack.
16 *
17 * Some macro usage:
18 * - ENTRY/END: Define functions in the symbol table.
19 * - TRACE_IRQ_*: Trace hardirq state for lock debugging.
20 * - idtentry: Define exception entry points.
21 */
22#include <linux/linkage.h>
23#include <asm/segment.h>
24#include <asm/cache.h>
25#include <asm/errno.h>
26#include <asm/asm-offsets.h>
27#include <asm/msr.h>
28#include <asm/unistd.h>
29#include <asm/thread_info.h>
30#include <asm/hw_irq.h>
31#include <asm/page_types.h>
32#include <asm/irqflags.h>
33#include <asm/paravirt.h>
34#include <asm/percpu.h>
35#include <asm/asm.h>
36#include <asm/smap.h>
37#include <asm/pgtable_types.h>
38#include <asm/export.h>
39#include <asm/frame.h>
40#include <asm/nospec-branch.h>
41#include <linux/err.h>
42
43#include "calling.h"
44
45.code64
46.section .entry.text, "ax"
47
48#ifdef CONFIG_PARAVIRT
49ENTRY(native_usergs_sysret64)
50 UNWIND_HINT_EMPTY
51 swapgs
52 sysretq
53END(native_usergs_sysret64)
54#endif /* CONFIG_PARAVIRT */
55
56.macro TRACE_IRQS_FLAGS flags:req
57#ifdef CONFIG_TRACE_IRQFLAGS
58 btl $9, \flags /* interrupts off? */
59 jnc 1f
60 TRACE_IRQS_ON
611:
62#endif
63.endm
64
65.macro TRACE_IRQS_IRETQ
66 TRACE_IRQS_FLAGS EFLAGS(%rsp)
67.endm
68
69/*
70 * When dynamic function tracer is enabled it will add a breakpoint
71 * to all locations that it is about to modify, sync CPUs, update
72 * all the code, sync CPUs, then remove the breakpoints. In this time
73 * if lockdep is enabled, it might jump back into the debug handler
74 * outside the updating of the IST protection. (TRACE_IRQS_ON/OFF).
75 *
76 * We need to change the IDT table before calling TRACE_IRQS_ON/OFF to
77 * make sure the stack pointer does not get reset back to the top
78 * of the debug stack, and instead just reuses the current stack.
79 */
80#if defined(CONFIG_DYNAMIC_FTRACE) && defined(CONFIG_TRACE_IRQFLAGS)
81
82.macro TRACE_IRQS_OFF_DEBUG
83 call debug_stack_set_zero
84 TRACE_IRQS_OFF
85 call debug_stack_reset
86.endm
87
88.macro TRACE_IRQS_ON_DEBUG
89 call debug_stack_set_zero
90 TRACE_IRQS_ON
91 call debug_stack_reset
92.endm
93
94.macro TRACE_IRQS_IRETQ_DEBUG
95 btl $9, EFLAGS(%rsp) /* interrupts off? */
96 jnc 1f
97 TRACE_IRQS_ON_DEBUG
981:
99.endm
100
101#else
102# define TRACE_IRQS_OFF_DEBUG TRACE_IRQS_OFF
103# define TRACE_IRQS_ON_DEBUG TRACE_IRQS_ON
104# define TRACE_IRQS_IRETQ_DEBUG TRACE_IRQS_IRETQ
105#endif
106
107/*
108 * 64-bit SYSCALL instruction entry. Up to 6 arguments in registers.
109 *
110 * This is the only entry point used for 64-bit system calls. The
111 * hardware interface is reasonably well designed and the register to
112 * argument mapping Linux uses fits well with the registers that are
113 * available when SYSCALL is used.
114 *
115 * SYSCALL instructions can be found inlined in libc implementations as
116 * well as some other programs and libraries. There are also a handful
117 * of SYSCALL instructions in the vDSO used, for example, as a
118 * clock_gettimeofday fallback.
119 *
120 * 64-bit SYSCALL saves rip to rcx, clears rflags.RF, then saves rflags to r11,
121 * then loads new ss, cs, and rip from previously programmed MSRs.
122 * rflags gets masked by a value from another MSR (so CLD and CLAC
123 * are not needed). SYSCALL does not save anything on the stack
124 * and does not change rsp.
125 *
126 * Registers on entry:
127 * rax system call number
128 * rcx return address
129 * r11 saved rflags (note: r11 is callee-clobbered register in C ABI)
130 * rdi arg0
131 * rsi arg1
132 * rdx arg2
133 * r10 arg3 (needs to be moved to rcx to conform to C ABI)
134 * r8 arg4
135 * r9 arg5
136 * (note: r12-r15, rbp, rbx are callee-preserved in C ABI)
137 *
138 * Only called from user space.
139 *
140 * When user can change pt_regs->foo always force IRET. That is because
141 * it deals with uncanonical addresses better. SYSRET has trouble
142 * with them due to bugs in both AMD and Intel CPUs.
143 */
144
145ENTRY(entry_SYSCALL_64)
146 UNWIND_HINT_EMPTY
147 /*
148 * Interrupts are off on entry.
149 * We do not frame this tiny irq-off block with TRACE_IRQS_OFF/ON,
150 * it is too small to ever cause noticeable irq latency.
151 */
152
153 swapgs
154 /* tss.sp2 is scratch space. */
155 movq %rsp, PER_CPU_VAR(cpu_tss_rw + TSS_sp2)
156 SWITCH_TO_KERNEL_CR3 scratch_reg=%rsp
157 movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
158
159 /* Construct struct pt_regs on stack */
160 pushq $__USER_DS /* pt_regs->ss */
161 pushq PER_CPU_VAR(cpu_tss_rw + TSS_sp2) /* pt_regs->sp */
162 pushq %r11 /* pt_regs->flags */
163 pushq $__USER_CS /* pt_regs->cs */
164 pushq %rcx /* pt_regs->ip */
165GLOBAL(entry_SYSCALL_64_after_hwframe)
166 pushq %rax /* pt_regs->orig_ax */
167
168 PUSH_AND_CLEAR_REGS rax=$-ENOSYS
169
170 TRACE_IRQS_OFF
171
172 /* IRQs are off. */
173 movq %rax, %rdi
174 movq %rsp, %rsi
175 call do_syscall_64 /* returns with IRQs disabled */
176
177 TRACE_IRQS_IRETQ /* we're about to change IF */
178
179 /*
180 * Try to use SYSRET instead of IRET if we're returning to
181 * a completely clean 64-bit userspace context. If we're not,
182 * go to the slow exit path.
183 */
184 movq RCX(%rsp), %rcx
185 movq RIP(%rsp), %r11
186
187 cmpq %rcx, %r11 /* SYSRET requires RCX == RIP */
188 jne swapgs_restore_regs_and_return_to_usermode
189
190 /*
191 * On Intel CPUs, SYSRET with non-canonical RCX/RIP will #GP
192 * in kernel space. This essentially lets the user take over
193 * the kernel, since userspace controls RSP.
194 *
195 * If width of "canonical tail" ever becomes variable, this will need
196 * to be updated to remain correct on both old and new CPUs.
197 *
198 * Change top bits to match most significant bit (47th or 56th bit
199 * depending on paging mode) in the address.
200 */
201#ifdef CONFIG_X86_5LEVEL
202 ALTERNATIVE "shl $(64 - 48), %rcx; sar $(64 - 48), %rcx", \
203 "shl $(64 - 57), %rcx; sar $(64 - 57), %rcx", X86_FEATURE_LA57
204#else
205 shl $(64 - (__VIRTUAL_MASK_SHIFT+1)), %rcx
206 sar $(64 - (__VIRTUAL_MASK_SHIFT+1)), %rcx
207#endif
208
209 /* If this changed %rcx, it was not canonical */
210 cmpq %rcx, %r11
211 jne swapgs_restore_regs_and_return_to_usermode
212
213 cmpq $__USER_CS, CS(%rsp) /* CS must match SYSRET */
214 jne swapgs_restore_regs_and_return_to_usermode
215
216 movq R11(%rsp), %r11
217 cmpq %r11, EFLAGS(%rsp) /* R11 == RFLAGS */
218 jne swapgs_restore_regs_and_return_to_usermode
219
220 /*
221 * SYSCALL clears RF when it saves RFLAGS in R11 and SYSRET cannot
222 * restore RF properly. If the slowpath sets it for whatever reason, we
223 * need to restore it correctly.
224 *
225 * SYSRET can restore TF, but unlike IRET, restoring TF results in a
226 * trap from userspace immediately after SYSRET. This would cause an
227 * infinite loop whenever #DB happens with register state that satisfies
228 * the opportunistic SYSRET conditions. For example, single-stepping
229 * this user code:
230 *
231 * movq $stuck_here, %rcx
232 * pushfq
233 * popq %r11
234 * stuck_here:
235 *
236 * would never get past 'stuck_here'.
237 */
238 testq $(X86_EFLAGS_RF|X86_EFLAGS_TF), %r11
239 jnz swapgs_restore_regs_and_return_to_usermode
240
241 /* nothing to check for RSP */
242
243 cmpq $__USER_DS, SS(%rsp) /* SS must match SYSRET */
244 jne swapgs_restore_regs_and_return_to_usermode
245
246 /*
247 * We win! This label is here just for ease of understanding
248 * perf profiles. Nothing jumps here.
249 */
250syscall_return_via_sysret:
251 /* rcx and r11 are already restored (see code above) */
252 UNWIND_HINT_EMPTY
253 POP_REGS pop_rdi=0 skip_r11rcx=1
254
255 /*
256 * Now all regs are restored except RSP and RDI.
257 * Save old stack pointer and switch to trampoline stack.
258 */
259 movq %rsp, %rdi
260 movq PER_CPU_VAR(cpu_tss_rw + TSS_sp0), %rsp
261
262 pushq RSP-RDI(%rdi) /* RSP */
263 pushq (%rdi) /* RDI */
264
265 /*
266 * We are on the trampoline stack. All regs except RDI are live.
267 * We can do future final exit work right here.
268 */
269 STACKLEAK_ERASE_NOCLOBBER
270
271 SWITCH_TO_USER_CR3_STACK scratch_reg=%rdi
272
273 popq %rdi
274 popq %rsp
275 USERGS_SYSRET64
276END(entry_SYSCALL_64)
277
278/*
279 * %rdi: prev task
280 * %rsi: next task
281 */
282ENTRY(__switch_to_asm)
283 UNWIND_HINT_FUNC
284 /*
285 * Save callee-saved registers
286 * This must match the order in inactive_task_frame
287 */
288 pushq %rbp
289 pushq %rbx
290 pushq %r12
291 pushq %r13
292 pushq %r14
293 pushq %r15
294
295 /* switch stack */
296 movq %rsp, TASK_threadsp(%rdi)
297 movq TASK_threadsp(%rsi), %rsp
298
299#ifdef CONFIG_STACKPROTECTOR
300 movq TASK_stack_canary(%rsi), %rbx
301 movq %rbx, PER_CPU_VAR(irq_stack_union)+stack_canary_offset
302#endif
303
304#ifdef CONFIG_RETPOLINE
305 /*
306 * When switching from a shallower to a deeper call stack
307 * the RSB may either underflow or use entries populated
308 * with userspace addresses. On CPUs where those concerns
309 * exist, overwrite the RSB with entries which capture
310 * speculative execution to prevent attack.
311 */
312 FILL_RETURN_BUFFER %r12, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
313#endif
314
315 /* restore callee-saved registers */
316 popq %r15
317 popq %r14
318 popq %r13
319 popq %r12
320 popq %rbx
321 popq %rbp
322
323 jmp __switch_to
324END(__switch_to_asm)
325
326/*
327 * A newly forked process directly context switches into this address.
328 *
329 * rax: prev task we switched from
330 * rbx: kernel thread func (NULL for user thread)
331 * r12: kernel thread arg
332 */
333ENTRY(ret_from_fork)
334 UNWIND_HINT_EMPTY
335 movq %rax, %rdi
336 call schedule_tail /* rdi: 'prev' task parameter */
337
338 testq %rbx, %rbx /* from kernel_thread? */
339 jnz 1f /* kernel threads are uncommon */
340
3412:
342 UNWIND_HINT_REGS
343 movq %rsp, %rdi
344 call syscall_return_slowpath /* returns with IRQs disabled */
345 TRACE_IRQS_ON /* user mode is traced as IRQS on */
346 jmp swapgs_restore_regs_and_return_to_usermode
347
3481:
349 /* kernel thread */
350 UNWIND_HINT_EMPTY
351 movq %r12, %rdi
352 CALL_NOSPEC %rbx
353 /*
354 * A kernel thread is allowed to return here after successfully
355 * calling do_execve(). Exit to userspace to complete the execve()
356 * syscall.
357 */
358 movq $0, RAX(%rsp)
359 jmp 2b
360END(ret_from_fork)
361
362/*
363 * Build the entry stubs with some assembler magic.
364 * We pack 1 stub into every 8-byte block.
365 */
366 .align 8
367ENTRY(irq_entries_start)
368 vector=FIRST_EXTERNAL_VECTOR
369 .rept (FIRST_SYSTEM_VECTOR - FIRST_EXTERNAL_VECTOR)
370 UNWIND_HINT_IRET_REGS
371 pushq $(~vector+0x80) /* Note: always in signed byte range */
372 jmp common_interrupt
373 .align 8
374 vector=vector+1
375 .endr
376END(irq_entries_start)
377
378.macro DEBUG_ENTRY_ASSERT_IRQS_OFF
379#ifdef CONFIG_DEBUG_ENTRY
380 pushq %rax
381 SAVE_FLAGS(CLBR_RAX)
382 testl $X86_EFLAGS_IF, %eax
383 jz .Lokay_\@
384 ud2
385.Lokay_\@:
386 popq %rax
387#endif
388.endm
389
390/*
391 * Enters the IRQ stack if we're not already using it. NMI-safe. Clobbers
392 * flags and puts old RSP into old_rsp, and leaves all other GPRs alone.
393 * Requires kernel GSBASE.
394 *
395 * The invariant is that, if irq_count != -1, then the IRQ stack is in use.
396 */
397.macro ENTER_IRQ_STACK regs=1 old_rsp save_ret=0
398 DEBUG_ENTRY_ASSERT_IRQS_OFF
399
400 .if \save_ret
401 /*
402 * If save_ret is set, the original stack contains one additional
403 * entry -- the return address. Therefore, move the address one
404 * entry below %rsp to \old_rsp.
405 */
406 leaq 8(%rsp), \old_rsp
407 .else
408 movq %rsp, \old_rsp
409 .endif
410
411 .if \regs
412 UNWIND_HINT_REGS base=\old_rsp
413 .endif
414
415 incl PER_CPU_VAR(irq_count)
416 jnz .Lirq_stack_push_old_rsp_\@
417
418 /*
419 * Right now, if we just incremented irq_count to zero, we've
420 * claimed the IRQ stack but we haven't switched to it yet.
421 *
422 * If anything is added that can interrupt us here without using IST,
423 * it must be *extremely* careful to limit its stack usage. This
424 * could include kprobes and a hypothetical future IST-less #DB
425 * handler.
426 *
427 * The OOPS unwinder relies on the word at the top of the IRQ
428 * stack linking back to the previous RSP for the entire time we're
429 * on the IRQ stack. For this to work reliably, we need to write
430 * it before we actually move ourselves to the IRQ stack.
431 */
432
433 movq \old_rsp, PER_CPU_VAR(irq_stack_union + IRQ_STACK_SIZE - 8)
434 movq PER_CPU_VAR(irq_stack_ptr), %rsp
435
436#ifdef CONFIG_DEBUG_ENTRY
437 /*
438 * If the first movq above becomes wrong due to IRQ stack layout
439 * changes, the only way we'll notice is if we try to unwind right
440 * here. Assert that we set up the stack right to catch this type
441 * of bug quickly.
442 */
443 cmpq -8(%rsp), \old_rsp
444 je .Lirq_stack_okay\@
445 ud2
446 .Lirq_stack_okay\@:
447#endif
448
449.Lirq_stack_push_old_rsp_\@:
450 pushq \old_rsp
451
452 .if \regs
453 UNWIND_HINT_REGS indirect=1
454 .endif
455
456 .if \save_ret
457 /*
458 * Push the return address to the stack. This return address can
459 * be found at the "real" original RSP, which was offset by 8 at
460 * the beginning of this macro.
461 */
462 pushq -8(\old_rsp)
463 .endif
464.endm
465
466/*
467 * Undoes ENTER_IRQ_STACK.
468 */
469.macro LEAVE_IRQ_STACK regs=1
470 DEBUG_ENTRY_ASSERT_IRQS_OFF
471 /* We need to be off the IRQ stack before decrementing irq_count. */
472 popq %rsp
473
474 .if \regs
475 UNWIND_HINT_REGS
476 .endif
477
478 /*
479 * As in ENTER_IRQ_STACK, irq_count == 0, we are still claiming
480 * the irq stack but we're not on it.
481 */
482
483 decl PER_CPU_VAR(irq_count)
484.endm
485
486/*
487 * Interrupt entry helper function.
488 *
489 * Entry runs with interrupts off. Stack layout at entry:
490 * +----------------------------------------------------+
491 * | regs->ss |
492 * | regs->rsp |
493 * | regs->eflags |
494 * | regs->cs |
495 * | regs->ip |
496 * +----------------------------------------------------+
497 * | regs->orig_ax = ~(interrupt number) |
498 * +----------------------------------------------------+
499 * | return address |
500 * +----------------------------------------------------+
501 */
502ENTRY(interrupt_entry)
503 UNWIND_HINT_FUNC
504 ASM_CLAC
505 cld
506
507 testb $3, CS-ORIG_RAX+8(%rsp)
508 jz 1f
509 SWAPGS
510
511 /*
512 * Switch to the thread stack. The IRET frame and orig_ax are
513 * on the stack, as well as the return address. RDI..R12 are
514 * not (yet) on the stack and space has not (yet) been
515 * allocated for them.
516 */
517 pushq %rdi
518
519 /* Need to switch before accessing the thread stack. */
520 SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi
521 movq %rsp, %rdi
522 movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
523
524 /*
525 * We have RDI, return address, and orig_ax on the stack on
526 * top of the IRET frame. That means offset=24
527 */
528 UNWIND_HINT_IRET_REGS base=%rdi offset=24
529
530 pushq 7*8(%rdi) /* regs->ss */
531 pushq 6*8(%rdi) /* regs->rsp */
532 pushq 5*8(%rdi) /* regs->eflags */
533 pushq 4*8(%rdi) /* regs->cs */
534 pushq 3*8(%rdi) /* regs->ip */
535 pushq 2*8(%rdi) /* regs->orig_ax */
536 pushq 8(%rdi) /* return address */
537 UNWIND_HINT_FUNC
538
539 movq (%rdi), %rdi
5401:
541
542 PUSH_AND_CLEAR_REGS save_ret=1
543 ENCODE_FRAME_POINTER 8
544
545 testb $3, CS+8(%rsp)
546 jz 1f
547
548 /*
549 * IRQ from user mode.
550 *
551 * We need to tell lockdep that IRQs are off. We can't do this until
552 * we fix gsbase, and we should do it before enter_from_user_mode
553 * (which can take locks). Since TRACE_IRQS_OFF is idempotent,
554 * the simplest way to handle it is to just call it twice if
555 * we enter from user mode. There's no reason to optimize this since
556 * TRACE_IRQS_OFF is a no-op if lockdep is off.
557 */
558 TRACE_IRQS_OFF
559
560 CALL_enter_from_user_mode
561
5621:
563 ENTER_IRQ_STACK old_rsp=%rdi save_ret=1
564 /* We entered an interrupt context - irqs are off: */
565 TRACE_IRQS_OFF
566
567 ret
568END(interrupt_entry)
569_ASM_NOKPROBE(interrupt_entry)
570
571
572/* Interrupt entry/exit. */
573
574 /*
575 * The interrupt stubs push (~vector+0x80) onto the stack and
576 * then jump to common_interrupt.
577 */
578 .p2align CONFIG_X86_L1_CACHE_SHIFT
579common_interrupt:
580 addq $-0x80, (%rsp) /* Adjust vector to [-256, -1] range */
581 call interrupt_entry
582 UNWIND_HINT_REGS indirect=1
583 call do_IRQ /* rdi points to pt_regs */
584 /* 0(%rsp): old RSP */
585ret_from_intr:
586 DISABLE_INTERRUPTS(CLBR_ANY)
587 TRACE_IRQS_OFF
588
589 LEAVE_IRQ_STACK
590
591 testb $3, CS(%rsp)
592 jz retint_kernel
593
594 /* Interrupt came from user space */
595GLOBAL(retint_user)
596 mov %rsp,%rdi
597 call prepare_exit_to_usermode
598 TRACE_IRQS_IRETQ
599
600GLOBAL(swapgs_restore_regs_and_return_to_usermode)
601#ifdef CONFIG_DEBUG_ENTRY
602 /* Assert that pt_regs indicates user mode. */
603 testb $3, CS(%rsp)
604 jnz 1f
605 ud2
6061:
607#endif
608 POP_REGS pop_rdi=0
609
610 /*
611 * The stack is now user RDI, orig_ax, RIP, CS, EFLAGS, RSP, SS.
612 * Save old stack pointer and switch to trampoline stack.
613 */
614 movq %rsp, %rdi
615 movq PER_CPU_VAR(cpu_tss_rw + TSS_sp0), %rsp
616
617 /* Copy the IRET frame to the trampoline stack. */
618 pushq 6*8(%rdi) /* SS */
619 pushq 5*8(%rdi) /* RSP */
620 pushq 4*8(%rdi) /* EFLAGS */
621 pushq 3*8(%rdi) /* CS */
622 pushq 2*8(%rdi) /* RIP */
623
624 /* Push user RDI on the trampoline stack. */
625 pushq (%rdi)
626
627 /*
628 * We are on the trampoline stack. All regs except RDI are live.
629 * We can do future final exit work right here.
630 */
631 STACKLEAK_ERASE_NOCLOBBER
632
633 SWITCH_TO_USER_CR3_STACK scratch_reg=%rdi
634
635 /* Restore RDI. */
636 popq %rdi
637 SWAPGS
638 INTERRUPT_RETURN
639
640
641/* Returning to kernel space */
642retint_kernel:
643#ifdef CONFIG_PREEMPT
644 /* Interrupts are off */
645 /* Check if we need preemption */
646 btl $9, EFLAGS(%rsp) /* were interrupts off? */
647 jnc 1f
6480: cmpl $0, PER_CPU_VAR(__preempt_count)
649 jnz 1f
650 call preempt_schedule_irq
651 jmp 0b
6521:
653#endif
654 /*
655 * The iretq could re-enable interrupts:
656 */
657 TRACE_IRQS_IRETQ
658
659GLOBAL(restore_regs_and_return_to_kernel)
660#ifdef CONFIG_DEBUG_ENTRY
661 /* Assert that pt_regs indicates kernel mode. */
662 testb $3, CS(%rsp)
663 jz 1f
664 ud2
6651:
666#endif
667 POP_REGS
668 addq $8, %rsp /* skip regs->orig_ax */
669 /*
670 * ARCH_HAS_MEMBARRIER_SYNC_CORE rely on IRET core serialization
671 * when returning from IPI handler.
672 */
673 INTERRUPT_RETURN
674
675ENTRY(native_iret)
676 UNWIND_HINT_IRET_REGS
677 /*
678 * Are we returning to a stack segment from the LDT? Note: in
679 * 64-bit mode SS:RSP on the exception stack is always valid.
680 */
681#ifdef CONFIG_X86_ESPFIX64
682 testb $4, (SS-RIP)(%rsp)
683 jnz native_irq_return_ldt
684#endif
685
686.global native_irq_return_iret
687native_irq_return_iret:
688 /*
689 * This may fault. Non-paranoid faults on return to userspace are
690 * handled by fixup_bad_iret. These include #SS, #GP, and #NP.
691 * Double-faults due to espfix64 are handled in do_double_fault.
692 * Other faults here are fatal.
693 */
694 iretq
695
696#ifdef CONFIG_X86_ESPFIX64
697native_irq_return_ldt:
698 /*
699 * We are running with user GSBASE. All GPRs contain their user
700 * values. We have a percpu ESPFIX stack that is eight slots
701 * long (see ESPFIX_STACK_SIZE). espfix_waddr points to the bottom
702 * of the ESPFIX stack.
703 *
704 * We clobber RAX and RDI in this code. We stash RDI on the
705 * normal stack and RAX on the ESPFIX stack.
706 *
707 * The ESPFIX stack layout we set up looks like this:
708 *
709 * --- top of ESPFIX stack ---
710 * SS
711 * RSP
712 * RFLAGS
713 * CS
714 * RIP <-- RSP points here when we're done
715 * RAX <-- espfix_waddr points here
716 * --- bottom of ESPFIX stack ---
717 */
718
719 pushq %rdi /* Stash user RDI */
720 SWAPGS /* to kernel GS */
721 SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi /* to kernel CR3 */
722
723 movq PER_CPU_VAR(espfix_waddr), %rdi
724 movq %rax, (0*8)(%rdi) /* user RAX */
725 movq (1*8)(%rsp), %rax /* user RIP */
726 movq %rax, (1*8)(%rdi)
727 movq (2*8)(%rsp), %rax /* user CS */
728 movq %rax, (2*8)(%rdi)
729 movq (3*8)(%rsp), %rax /* user RFLAGS */
730 movq %rax, (3*8)(%rdi)
731 movq (5*8)(%rsp), %rax /* user SS */
732 movq %rax, (5*8)(%rdi)
733 movq (4*8)(%rsp), %rax /* user RSP */
734 movq %rax, (4*8)(%rdi)
735 /* Now RAX == RSP. */
736
737 andl $0xffff0000, %eax /* RAX = (RSP & 0xffff0000) */
738
739 /*
740 * espfix_stack[31:16] == 0. The page tables are set up such that
741 * (espfix_stack | (X & 0xffff0000)) points to a read-only alias of
742 * espfix_waddr for any X. That is, there are 65536 RO aliases of
743 * the same page. Set up RSP so that RSP[31:16] contains the
744 * respective 16 bits of the /userspace/ RSP and RSP nonetheless
745 * still points to an RO alias of the ESPFIX stack.
746 */
747 orq PER_CPU_VAR(espfix_stack), %rax
748
749 SWITCH_TO_USER_CR3_STACK scratch_reg=%rdi
750 SWAPGS /* to user GS */
751 popq %rdi /* Restore user RDI */
752
753 movq %rax, %rsp
754 UNWIND_HINT_IRET_REGS offset=8
755
756 /*
757 * At this point, we cannot write to the stack any more, but we can
758 * still read.
759 */
760 popq %rax /* Restore user RAX */
761
762 /*
763 * RSP now points to an ordinary IRET frame, except that the page
764 * is read-only and RSP[31:16] are preloaded with the userspace
765 * values. We can now IRET back to userspace.
766 */
767 jmp native_irq_return_iret
768#endif
769END(common_interrupt)
770_ASM_NOKPROBE(common_interrupt)
771
772/*
773 * APIC interrupts.
774 */
775.macro apicinterrupt3 num sym do_sym
776ENTRY(\sym)
777 UNWIND_HINT_IRET_REGS
778 pushq $~(\num)
779.Lcommon_\sym:
780 call interrupt_entry
781 UNWIND_HINT_REGS indirect=1
782 call \do_sym /* rdi points to pt_regs */
783 jmp ret_from_intr
784END(\sym)
785_ASM_NOKPROBE(\sym)
786.endm
787
788/* Make sure APIC interrupt handlers end up in the irqentry section: */
789#define PUSH_SECTION_IRQENTRY .pushsection .irqentry.text, "ax"
790#define POP_SECTION_IRQENTRY .popsection
791
792.macro apicinterrupt num sym do_sym
793PUSH_SECTION_IRQENTRY
794apicinterrupt3 \num \sym \do_sym
795POP_SECTION_IRQENTRY
796.endm
797
798#ifdef CONFIG_SMP
799apicinterrupt3 IRQ_MOVE_CLEANUP_VECTOR irq_move_cleanup_interrupt smp_irq_move_cleanup_interrupt
800apicinterrupt3 REBOOT_VECTOR reboot_interrupt smp_reboot_interrupt
801#endif
802
803#ifdef CONFIG_X86_UV
804apicinterrupt3 UV_BAU_MESSAGE uv_bau_message_intr1 uv_bau_message_interrupt
805#endif
806
807apicinterrupt LOCAL_TIMER_VECTOR apic_timer_interrupt smp_apic_timer_interrupt
808apicinterrupt X86_PLATFORM_IPI_VECTOR x86_platform_ipi smp_x86_platform_ipi
809
810#ifdef CONFIG_HAVE_KVM
811apicinterrupt3 POSTED_INTR_VECTOR kvm_posted_intr_ipi smp_kvm_posted_intr_ipi
812apicinterrupt3 POSTED_INTR_WAKEUP_VECTOR kvm_posted_intr_wakeup_ipi smp_kvm_posted_intr_wakeup_ipi
813apicinterrupt3 POSTED_INTR_NESTED_VECTOR kvm_posted_intr_nested_ipi smp_kvm_posted_intr_nested_ipi
814#endif
815
816#ifdef CONFIG_X86_MCE_THRESHOLD
817apicinterrupt THRESHOLD_APIC_VECTOR threshold_interrupt smp_threshold_interrupt
818#endif
819
820#ifdef CONFIG_X86_MCE_AMD
821apicinterrupt DEFERRED_ERROR_VECTOR deferred_error_interrupt smp_deferred_error_interrupt
822#endif
823
824#ifdef CONFIG_X86_THERMAL_VECTOR
825apicinterrupt THERMAL_APIC_VECTOR thermal_interrupt smp_thermal_interrupt
826#endif
827
828#ifdef CONFIG_SMP
829apicinterrupt CALL_FUNCTION_SINGLE_VECTOR call_function_single_interrupt smp_call_function_single_interrupt
830apicinterrupt CALL_FUNCTION_VECTOR call_function_interrupt smp_call_function_interrupt
831apicinterrupt RESCHEDULE_VECTOR reschedule_interrupt smp_reschedule_interrupt
832#endif
833
834apicinterrupt ERROR_APIC_VECTOR error_interrupt smp_error_interrupt
835apicinterrupt SPURIOUS_APIC_VECTOR spurious_interrupt smp_spurious_interrupt
836
837#ifdef CONFIG_IRQ_WORK
838apicinterrupt IRQ_WORK_VECTOR irq_work_interrupt smp_irq_work_interrupt
839#endif
840
841/*
842 * Exception entry points.
843 */
844#define CPU_TSS_IST(x) PER_CPU_VAR(cpu_tss_rw) + (TSS_ist + ((x) - 1) * 8)
845
846/**
847 * idtentry - Generate an IDT entry stub
848 * @sym: Name of the generated entry point
849 * @do_sym: C function to be called
850 * @has_error_code: True if this IDT vector has an error code on the stack
851 * @paranoid: non-zero means that this vector may be invoked from
852 * kernel mode with user GSBASE and/or user CR3.
853 * 2 is special -- see below.
854 * @shift_ist: Set to an IST index if entries from kernel mode should
855 * decrement the IST stack so that nested entries get a
856 * fresh stack. (This is for #DB, which has a nasty habit
857 * of recursing.)
858 *
859 * idtentry generates an IDT stub that sets up a usable kernel context,
860 * creates struct pt_regs, and calls @do_sym. The stub has the following
861 * special behaviors:
862 *
863 * On an entry from user mode, the stub switches from the trampoline or
864 * IST stack to the normal thread stack. On an exit to user mode, the
865 * normal exit-to-usermode path is invoked.
866 *
867 * On an exit to kernel mode, if @paranoid == 0, we check for preemption,
868 * whereas we omit the preemption check if @paranoid != 0. This is purely
869 * because the implementation is simpler this way. The kernel only needs
870 * to check for asynchronous kernel preemption when IRQ handlers return.
871 *
872 * If @paranoid == 0, then the stub will handle IRET faults by pretending
873 * that the fault came from user mode. It will handle gs_change faults by
874 * pretending that the fault happened with kernel GSBASE. Since this handling
875 * is omitted for @paranoid != 0, the #GP, #SS, and #NP stubs must have
876 * @paranoid == 0. This special handling will do the wrong thing for
877 * espfix-induced #DF on IRET, so #DF must not use @paranoid == 0.
878 *
879 * @paranoid == 2 is special: the stub will never switch stacks. This is for
880 * #DF: if the thread stack is somehow unusable, we'll still get a useful OOPS.
881 */
882.macro idtentry sym do_sym has_error_code:req paranoid=0 shift_ist=-1
883ENTRY(\sym)
884 UNWIND_HINT_IRET_REGS offset=\has_error_code*8
885
886 /* Sanity check */
887 .if \shift_ist != -1 && \paranoid == 0
888 .error "using shift_ist requires paranoid=1"
889 .endif
890
891 ASM_CLAC
892
893 .if \has_error_code == 0
894 pushq $-1 /* ORIG_RAX: no syscall to restart */
895 .endif
896
897 .if \paranoid == 1
898 testb $3, CS-ORIG_RAX(%rsp) /* If coming from userspace, switch stacks */
899 jnz .Lfrom_usermode_switch_stack_\@
900 .endif
901
902 .if \paranoid
903 call paranoid_entry
904 .else
905 call error_entry
906 .endif
907 UNWIND_HINT_REGS
908 /* returned flag: ebx=0: need swapgs on exit, ebx=1: don't need it */
909
910 .if \paranoid
911 .if \shift_ist != -1
912 TRACE_IRQS_OFF_DEBUG /* reload IDT in case of recursion */
913 .else
914 TRACE_IRQS_OFF
915 .endif
916 .endif
917
918 movq %rsp, %rdi /* pt_regs pointer */
919
920 .if \has_error_code
921 movq ORIG_RAX(%rsp), %rsi /* get error code */
922 movq $-1, ORIG_RAX(%rsp) /* no syscall to restart */
923 .else
924 xorl %esi, %esi /* no error code */
925 .endif
926
927 .if \shift_ist != -1
928 subq $EXCEPTION_STKSZ, CPU_TSS_IST(\shift_ist)
929 .endif
930
931 call \do_sym
932
933 .if \shift_ist != -1
934 addq $EXCEPTION_STKSZ, CPU_TSS_IST(\shift_ist)
935 .endif
936
937 /* these procedures expect "no swapgs" flag in ebx */
938 .if \paranoid
939 jmp paranoid_exit
940 .else
941 jmp error_exit
942 .endif
943
944 .if \paranoid == 1
945 /*
946 * Entry from userspace. Switch stacks and treat it
947 * as a normal entry. This means that paranoid handlers
948 * run in real process context if user_mode(regs).
949 */
950.Lfrom_usermode_switch_stack_\@:
951 call error_entry
952
953 movq %rsp, %rdi /* pt_regs pointer */
954
955 .if \has_error_code
956 movq ORIG_RAX(%rsp), %rsi /* get error code */
957 movq $-1, ORIG_RAX(%rsp) /* no syscall to restart */
958 .else
959 xorl %esi, %esi /* no error code */
960 .endif
961
962 call \do_sym
963
964 jmp error_exit
965 .endif
966_ASM_NOKPROBE(\sym)
967END(\sym)
968.endm
969
970idtentry divide_error do_divide_error has_error_code=0
971idtentry overflow do_overflow has_error_code=0
972idtentry bounds do_bounds has_error_code=0
973idtentry invalid_op do_invalid_op has_error_code=0
974idtentry device_not_available do_device_not_available has_error_code=0
975idtentry double_fault do_double_fault has_error_code=1 paranoid=2
976idtentry coprocessor_segment_overrun do_coprocessor_segment_overrun has_error_code=0
977idtentry invalid_TSS do_invalid_TSS has_error_code=1
978idtentry segment_not_present do_segment_not_present has_error_code=1
979idtentry spurious_interrupt_bug do_spurious_interrupt_bug has_error_code=0
980idtentry coprocessor_error do_coprocessor_error has_error_code=0
981idtentry alignment_check do_alignment_check has_error_code=1
982idtentry simd_coprocessor_error do_simd_coprocessor_error has_error_code=0
983
984
985 /*
986 * Reload gs selector with exception handling
987 * edi: new selector
988 */
989ENTRY(native_load_gs_index)
990 FRAME_BEGIN
991 pushfq
992 DISABLE_INTERRUPTS(CLBR_ANY & ~CLBR_RDI)
993 TRACE_IRQS_OFF
994 SWAPGS
995.Lgs_change:
996 movl %edi, %gs
9972: ALTERNATIVE "", "mfence", X86_BUG_SWAPGS_FENCE
998 SWAPGS
999 TRACE_IRQS_FLAGS (%rsp)
1000 popfq
1001 FRAME_END
1002 ret
1003ENDPROC(native_load_gs_index)
1004EXPORT_SYMBOL(native_load_gs_index)
1005
1006 _ASM_EXTABLE(.Lgs_change, bad_gs)
1007 .section .fixup, "ax"
1008 /* running with kernelgs */
1009bad_gs:
1010 SWAPGS /* switch back to user gs */
1011.macro ZAP_GS
1012 /* This can't be a string because the preprocessor needs to see it. */
1013 movl $__USER_DS, %eax
1014 movl %eax, %gs
1015.endm
1016 ALTERNATIVE "", "ZAP_GS", X86_BUG_NULL_SEG
1017 xorl %eax, %eax
1018 movl %eax, %gs
1019 jmp 2b
1020 .previous
1021
1022/* Call softirq on interrupt stack. Interrupts are off. */
1023ENTRY(do_softirq_own_stack)
1024 pushq %rbp
1025 mov %rsp, %rbp
1026 ENTER_IRQ_STACK regs=0 old_rsp=%r11
1027 call __do_softirq
1028 LEAVE_IRQ_STACK regs=0
1029 leaveq
1030 ret
1031ENDPROC(do_softirq_own_stack)
1032
1033#ifdef CONFIG_XEN_PV
1034idtentry hypervisor_callback xen_do_hypervisor_callback has_error_code=0
1035
1036/*
1037 * A note on the "critical region" in our callback handler.
1038 * We want to avoid stacking callback handlers due to events occurring
1039 * during handling of the last event. To do this, we keep events disabled
1040 * until we've done all processing. HOWEVER, we must enable events before
1041 * popping the stack frame (can't be done atomically) and so it would still
1042 * be possible to get enough handler activations to overflow the stack.
1043 * Although unlikely, bugs of that kind are hard to track down, so we'd
1044 * like to avoid the possibility.
1045 * So, on entry to the handler we detect whether we interrupted an
1046 * existing activation in its critical region -- if so, we pop the current
1047 * activation and restart the handler using the previous one.
1048 */
1049ENTRY(xen_do_hypervisor_callback) /* do_hypervisor_callback(struct *pt_regs) */
1050
1051/*
1052 * Since we don't modify %rdi, evtchn_do_upall(struct *pt_regs) will
1053 * see the correct pointer to the pt_regs
1054 */
1055 UNWIND_HINT_FUNC
1056 movq %rdi, %rsp /* we don't return, adjust the stack frame */
1057 UNWIND_HINT_REGS
1058
1059 ENTER_IRQ_STACK old_rsp=%r10
1060 call xen_evtchn_do_upcall
1061 LEAVE_IRQ_STACK
1062
1063#ifndef CONFIG_PREEMPT
1064 call xen_maybe_preempt_hcall
1065#endif
1066 jmp error_exit
1067END(xen_do_hypervisor_callback)
1068
1069/*
1070 * Hypervisor uses this for application faults while it executes.
1071 * We get here for two reasons:
1072 * 1. Fault while reloading DS, ES, FS or GS
1073 * 2. Fault while executing IRET
1074 * Category 1 we do not need to fix up as Xen has already reloaded all segment
1075 * registers that could be reloaded and zeroed the others.
1076 * Category 2 we fix up by killing the current process. We cannot use the
1077 * normal Linux return path in this case because if we use the IRET hypercall
1078 * to pop the stack frame we end up in an infinite loop of failsafe callbacks.
1079 * We distinguish between categories by comparing each saved segment register
1080 * with its current contents: any discrepancy means we in category 1.
1081 */
1082ENTRY(xen_failsafe_callback)
1083 UNWIND_HINT_EMPTY
1084 movl %ds, %ecx
1085 cmpw %cx, 0x10(%rsp)
1086 jne 1f
1087 movl %es, %ecx
1088 cmpw %cx, 0x18(%rsp)
1089 jne 1f
1090 movl %fs, %ecx
1091 cmpw %cx, 0x20(%rsp)
1092 jne 1f
1093 movl %gs, %ecx
1094 cmpw %cx, 0x28(%rsp)
1095 jne 1f
1096 /* All segments match their saved values => Category 2 (Bad IRET). */
1097 movq (%rsp), %rcx
1098 movq 8(%rsp), %r11
1099 addq $0x30, %rsp
1100 pushq $0 /* RIP */
1101 UNWIND_HINT_IRET_REGS offset=8
1102 jmp general_protection
11031: /* Segment mismatch => Category 1 (Bad segment). Retry the IRET. */
1104 movq (%rsp), %rcx
1105 movq 8(%rsp), %r11
1106 addq $0x30, %rsp
1107 UNWIND_HINT_IRET_REGS
1108 pushq $-1 /* orig_ax = -1 => not a system call */
1109 PUSH_AND_CLEAR_REGS
1110 ENCODE_FRAME_POINTER
1111 jmp error_exit
1112END(xen_failsafe_callback)
1113#endif /* CONFIG_XEN_PV */
1114
1115#ifdef CONFIG_XEN_PVHVM
1116apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \
1117 xen_hvm_callback_vector xen_evtchn_do_upcall
1118#endif
1119
1120
1121#if IS_ENABLED(CONFIG_HYPERV)
1122apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \
1123 hyperv_callback_vector hyperv_vector_handler
1124
1125apicinterrupt3 HYPERV_REENLIGHTENMENT_VECTOR \
1126 hyperv_reenlightenment_vector hyperv_reenlightenment_intr
1127
1128apicinterrupt3 HYPERV_STIMER0_VECTOR \
1129 hv_stimer0_callback_vector hv_stimer0_vector_handler
1130#endif /* CONFIG_HYPERV */
1131
1132idtentry debug do_debug has_error_code=0 paranoid=1 shift_ist=DEBUG_STACK
1133idtentry int3 do_int3 has_error_code=0
1134idtentry stack_segment do_stack_segment has_error_code=1
1135
1136#ifdef CONFIG_XEN_PV
1137idtentry xennmi do_nmi has_error_code=0
1138idtentry xendebug do_debug has_error_code=0
1139idtentry xenint3 do_int3 has_error_code=0
1140#endif
1141
1142idtentry general_protection do_general_protection has_error_code=1
1143idtentry page_fault do_page_fault has_error_code=1
1144
1145#ifdef CONFIG_KVM_GUEST
1146idtentry async_page_fault do_async_page_fault has_error_code=1
1147#endif
1148
1149#ifdef CONFIG_X86_MCE
1150idtentry machine_check do_mce has_error_code=0 paranoid=1
1151#endif
1152
1153/*
1154 * Save all registers in pt_regs, and switch gs if needed.
1155 * Use slow, but surefire "are we in kernel?" check.
1156 * Return: ebx=0: need swapgs on exit, ebx=1: otherwise
1157 */
1158ENTRY(paranoid_entry)
1159 UNWIND_HINT_FUNC
1160 cld
1161 PUSH_AND_CLEAR_REGS save_ret=1
1162 ENCODE_FRAME_POINTER 8
1163 movl $1, %ebx
1164 movl $MSR_GS_BASE, %ecx
1165 rdmsr
1166 testl %edx, %edx
1167 js 1f /* negative -> in kernel */
1168 SWAPGS
1169 xorl %ebx, %ebx
1170
11711:
1172 /*
1173 * Always stash CR3 in %r14. This value will be restored,
1174 * verbatim, at exit. Needed if paranoid_entry interrupted
1175 * another entry that already switched to the user CR3 value
1176 * but has not yet returned to userspace.
1177 *
1178 * This is also why CS (stashed in the "iret frame" by the
1179 * hardware at entry) can not be used: this may be a return
1180 * to kernel code, but with a user CR3 value.
1181 */
1182 SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg=%rax save_reg=%r14
1183
1184 ret
1185END(paranoid_entry)
1186
1187/*
1188 * "Paranoid" exit path from exception stack. This is invoked
1189 * only on return from non-NMI IST interrupts that came
1190 * from kernel space.
1191 *
1192 * We may be returning to very strange contexts (e.g. very early
1193 * in syscall entry), so checking for preemption here would
1194 * be complicated. Fortunately, we there's no good reason
1195 * to try to handle preemption here.
1196 *
1197 * On entry, ebx is "no swapgs" flag (1: don't need swapgs, 0: need it)
1198 */
1199ENTRY(paranoid_exit)
1200 UNWIND_HINT_REGS
1201 DISABLE_INTERRUPTS(CLBR_ANY)
1202 TRACE_IRQS_OFF_DEBUG
1203 testl %ebx, %ebx /* swapgs needed? */
1204 jnz .Lparanoid_exit_no_swapgs
1205 TRACE_IRQS_IRETQ
1206 /* Always restore stashed CR3 value (see paranoid_entry) */
1207 RESTORE_CR3 scratch_reg=%rbx save_reg=%r14
1208 SWAPGS_UNSAFE_STACK
1209 jmp .Lparanoid_exit_restore
1210.Lparanoid_exit_no_swapgs:
1211 TRACE_IRQS_IRETQ_DEBUG
1212 /* Always restore stashed CR3 value (see paranoid_entry) */
1213 RESTORE_CR3 scratch_reg=%rbx save_reg=%r14
1214.Lparanoid_exit_restore:
1215 jmp restore_regs_and_return_to_kernel
1216END(paranoid_exit)
1217
1218/*
1219 * Save all registers in pt_regs, and switch GS if needed.
1220 */
1221ENTRY(error_entry)
1222 UNWIND_HINT_FUNC
1223 cld
1224 PUSH_AND_CLEAR_REGS save_ret=1
1225 ENCODE_FRAME_POINTER 8
1226 testb $3, CS+8(%rsp)
1227 jz .Lerror_kernelspace
1228
1229 /*
1230 * We entered from user mode or we're pretending to have entered
1231 * from user mode due to an IRET fault.
1232 */
1233 SWAPGS
1234 /* We have user CR3. Change to kernel CR3. */
1235 SWITCH_TO_KERNEL_CR3 scratch_reg=%rax
1236
1237.Lerror_entry_from_usermode_after_swapgs:
1238 /* Put us onto the real thread stack. */
1239 popq %r12 /* save return addr in %12 */
1240 movq %rsp, %rdi /* arg0 = pt_regs pointer */
1241 call sync_regs
1242 movq %rax, %rsp /* switch stack */
1243 ENCODE_FRAME_POINTER
1244 pushq %r12
1245
1246 /*
1247 * We need to tell lockdep that IRQs are off. We can't do this until
1248 * we fix gsbase, and we should do it before enter_from_user_mode
1249 * (which can take locks).
1250 */
1251 TRACE_IRQS_OFF
1252 CALL_enter_from_user_mode
1253 ret
1254
1255.Lerror_entry_done:
1256 TRACE_IRQS_OFF
1257 ret
1258
1259 /*
1260 * There are two places in the kernel that can potentially fault with
1261 * usergs. Handle them here. B stepping K8s sometimes report a
1262 * truncated RIP for IRET exceptions returning to compat mode. Check
1263 * for these here too.
1264 */
1265.Lerror_kernelspace:
1266 leaq native_irq_return_iret(%rip), %rcx
1267 cmpq %rcx, RIP+8(%rsp)
1268 je .Lerror_bad_iret
1269 movl %ecx, %eax /* zero extend */
1270 cmpq %rax, RIP+8(%rsp)
1271 je .Lbstep_iret
1272 cmpq $.Lgs_change, RIP+8(%rsp)
1273 jne .Lerror_entry_done
1274
1275 /*
1276 * hack: .Lgs_change can fail with user gsbase. If this happens, fix up
1277 * gsbase and proceed. We'll fix up the exception and land in
1278 * .Lgs_change's error handler with kernel gsbase.
1279 */
1280 SWAPGS
1281 SWITCH_TO_KERNEL_CR3 scratch_reg=%rax
1282 jmp .Lerror_entry_done
1283
1284.Lbstep_iret:
1285 /* Fix truncated RIP */
1286 movq %rcx, RIP+8(%rsp)
1287 /* fall through */
1288
1289.Lerror_bad_iret:
1290 /*
1291 * We came from an IRET to user mode, so we have user
1292 * gsbase and CR3. Switch to kernel gsbase and CR3:
1293 */
1294 SWAPGS
1295 SWITCH_TO_KERNEL_CR3 scratch_reg=%rax
1296
1297 /*
1298 * Pretend that the exception came from user mode: set up pt_regs
1299 * as if we faulted immediately after IRET.
1300 */
1301 mov %rsp, %rdi
1302 call fixup_bad_iret
1303 mov %rax, %rsp
1304 jmp .Lerror_entry_from_usermode_after_swapgs
1305END(error_entry)
1306
1307ENTRY(error_exit)
1308 UNWIND_HINT_REGS
1309 DISABLE_INTERRUPTS(CLBR_ANY)
1310 TRACE_IRQS_OFF
1311 testb $3, CS(%rsp)
1312 jz retint_kernel
1313 jmp retint_user
1314END(error_exit)
1315
1316/*
1317 * Runs on exception stack. Xen PV does not go through this path at all,
1318 * so we can use real assembly here.
1319 *
1320 * Registers:
1321 * %r14: Used to save/restore the CR3 of the interrupted context
1322 * when PAGE_TABLE_ISOLATION is in use. Do not clobber.
1323 */
1324ENTRY(nmi)
1325 UNWIND_HINT_IRET_REGS
1326
1327 /*
1328 * We allow breakpoints in NMIs. If a breakpoint occurs, then
1329 * the iretq it performs will take us out of NMI context.
1330 * This means that we can have nested NMIs where the next
1331 * NMI is using the top of the stack of the previous NMI. We
1332 * can't let it execute because the nested NMI will corrupt the
1333 * stack of the previous NMI. NMI handlers are not re-entrant
1334 * anyway.
1335 *
1336 * To handle this case we do the following:
1337 * Check the a special location on the stack that contains
1338 * a variable that is set when NMIs are executing.
1339 * The interrupted task's stack is also checked to see if it
1340 * is an NMI stack.
1341 * If the variable is not set and the stack is not the NMI
1342 * stack then:
1343 * o Set the special variable on the stack
1344 * o Copy the interrupt frame into an "outermost" location on the
1345 * stack
1346 * o Copy the interrupt frame into an "iret" location on the stack
1347 * o Continue processing the NMI
1348 * If the variable is set or the previous stack is the NMI stack:
1349 * o Modify the "iret" location to jump to the repeat_nmi
1350 * o return back to the first NMI
1351 *
1352 * Now on exit of the first NMI, we first clear the stack variable
1353 * The NMI stack will tell any nested NMIs at that point that it is
1354 * nested. Then we pop the stack normally with iret, and if there was
1355 * a nested NMI that updated the copy interrupt stack frame, a
1356 * jump will be made to the repeat_nmi code that will handle the second
1357 * NMI.
1358 *
1359 * However, espfix prevents us from directly returning to userspace
1360 * with a single IRET instruction. Similarly, IRET to user mode
1361 * can fault. We therefore handle NMIs from user space like
1362 * other IST entries.
1363 */
1364
1365 ASM_CLAC
1366
1367 /* Use %rdx as our temp variable throughout */
1368 pushq %rdx
1369
1370 testb $3, CS-RIP+8(%rsp)
1371 jz .Lnmi_from_kernel
1372
1373 /*
1374 * NMI from user mode. We need to run on the thread stack, but we
1375 * can't go through the normal entry paths: NMIs are masked, and
1376 * we don't want to enable interrupts, because then we'll end
1377 * up in an awkward situation in which IRQs are on but NMIs
1378 * are off.
1379 *
1380 * We also must not push anything to the stack before switching
1381 * stacks lest we corrupt the "NMI executing" variable.
1382 */
1383
1384 swapgs
1385 cld
1386 SWITCH_TO_KERNEL_CR3 scratch_reg=%rdx
1387 movq %rsp, %rdx
1388 movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
1389 UNWIND_HINT_IRET_REGS base=%rdx offset=8
1390 pushq 5*8(%rdx) /* pt_regs->ss */
1391 pushq 4*8(%rdx) /* pt_regs->rsp */
1392 pushq 3*8(%rdx) /* pt_regs->flags */
1393 pushq 2*8(%rdx) /* pt_regs->cs */
1394 pushq 1*8(%rdx) /* pt_regs->rip */
1395 UNWIND_HINT_IRET_REGS
1396 pushq $-1 /* pt_regs->orig_ax */
1397 PUSH_AND_CLEAR_REGS rdx=(%rdx)
1398 ENCODE_FRAME_POINTER
1399
1400 /*
1401 * At this point we no longer need to worry about stack damage
1402 * due to nesting -- we're on the normal thread stack and we're
1403 * done with the NMI stack.
1404 */
1405
1406 movq %rsp, %rdi
1407 movq $-1, %rsi
1408 call do_nmi
1409
1410 /*
1411 * Return back to user mode. We must *not* do the normal exit
1412 * work, because we don't want to enable interrupts.
1413 */
1414 jmp swapgs_restore_regs_and_return_to_usermode
1415
1416.Lnmi_from_kernel:
1417 /*
1418 * Here's what our stack frame will look like:
1419 * +---------------------------------------------------------+
1420 * | original SS |
1421 * | original Return RSP |
1422 * | original RFLAGS |
1423 * | original CS |
1424 * | original RIP |
1425 * +---------------------------------------------------------+
1426 * | temp storage for rdx |
1427 * +---------------------------------------------------------+
1428 * | "NMI executing" variable |
1429 * +---------------------------------------------------------+
1430 * | iret SS } Copied from "outermost" frame |
1431 * | iret Return RSP } on each loop iteration; overwritten |
1432 * | iret RFLAGS } by a nested NMI to force another |
1433 * | iret CS } iteration if needed. |
1434 * | iret RIP } |
1435 * +---------------------------------------------------------+
1436 * | outermost SS } initialized in first_nmi; |
1437 * | outermost Return RSP } will not be changed before |
1438 * | outermost RFLAGS } NMI processing is done. |
1439 * | outermost CS } Copied to "iret" frame on each |
1440 * | outermost RIP } iteration. |
1441 * +---------------------------------------------------------+
1442 * | pt_regs |
1443 * +---------------------------------------------------------+
1444 *
1445 * The "original" frame is used by hardware. Before re-enabling
1446 * NMIs, we need to be done with it, and we need to leave enough
1447 * space for the asm code here.
1448 *
1449 * We return by executing IRET while RSP points to the "iret" frame.
1450 * That will either return for real or it will loop back into NMI
1451 * processing.
1452 *
1453 * The "outermost" frame is copied to the "iret" frame on each
1454 * iteration of the loop, so each iteration starts with the "iret"
1455 * frame pointing to the final return target.
1456 */
1457
1458 /*
1459 * Determine whether we're a nested NMI.
1460 *
1461 * If we interrupted kernel code between repeat_nmi and
1462 * end_repeat_nmi, then we are a nested NMI. We must not
1463 * modify the "iret" frame because it's being written by
1464 * the outer NMI. That's okay; the outer NMI handler is
1465 * about to about to call do_nmi anyway, so we can just
1466 * resume the outer NMI.
1467 */
1468
1469 movq $repeat_nmi, %rdx
1470 cmpq 8(%rsp), %rdx
1471 ja 1f
1472 movq $end_repeat_nmi, %rdx
1473 cmpq 8(%rsp), %rdx
1474 ja nested_nmi_out
14751:
1476
1477 /*
1478 * Now check "NMI executing". If it's set, then we're nested.
1479 * This will not detect if we interrupted an outer NMI just
1480 * before IRET.
1481 */
1482 cmpl $1, -8(%rsp)
1483 je nested_nmi
1484
1485 /*
1486 * Now test if the previous stack was an NMI stack. This covers
1487 * the case where we interrupt an outer NMI after it clears
1488 * "NMI executing" but before IRET. We need to be careful, though:
1489 * there is one case in which RSP could point to the NMI stack
1490 * despite there being no NMI active: naughty userspace controls
1491 * RSP at the very beginning of the SYSCALL targets. We can
1492 * pull a fast one on naughty userspace, though: we program
1493 * SYSCALL to mask DF, so userspace cannot cause DF to be set
1494 * if it controls the kernel's RSP. We set DF before we clear
1495 * "NMI executing".
1496 */
1497 lea 6*8(%rsp), %rdx
1498 /* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */
1499 cmpq %rdx, 4*8(%rsp)
1500 /* If the stack pointer is above the NMI stack, this is a normal NMI */
1501 ja first_nmi
1502
1503 subq $EXCEPTION_STKSZ, %rdx
1504 cmpq %rdx, 4*8(%rsp)
1505 /* If it is below the NMI stack, it is a normal NMI */
1506 jb first_nmi
1507
1508 /* Ah, it is within the NMI stack. */
1509
1510 testb $(X86_EFLAGS_DF >> 8), (3*8 + 1)(%rsp)
1511 jz first_nmi /* RSP was user controlled. */
1512
1513 /* This is a nested NMI. */
1514
1515nested_nmi:
1516 /*
1517 * Modify the "iret" frame to point to repeat_nmi, forcing another
1518 * iteration of NMI handling.
1519 */
1520 subq $8, %rsp
1521 leaq -10*8(%rsp), %rdx
1522 pushq $__KERNEL_DS
1523 pushq %rdx
1524 pushfq
1525 pushq $__KERNEL_CS
1526 pushq $repeat_nmi
1527
1528 /* Put stack back */
1529 addq $(6*8), %rsp
1530
1531nested_nmi_out:
1532 popq %rdx
1533
1534 /* We are returning to kernel mode, so this cannot result in a fault. */
1535 iretq
1536
1537first_nmi:
1538 /* Restore rdx. */
1539 movq (%rsp), %rdx
1540
1541 /* Make room for "NMI executing". */
1542 pushq $0
1543
1544 /* Leave room for the "iret" frame */
1545 subq $(5*8), %rsp
1546
1547 /* Copy the "original" frame to the "outermost" frame */
1548 .rept 5
1549 pushq 11*8(%rsp)
1550 .endr
1551 UNWIND_HINT_IRET_REGS
1552
1553 /* Everything up to here is safe from nested NMIs */
1554
1555#ifdef CONFIG_DEBUG_ENTRY
1556 /*
1557 * For ease of testing, unmask NMIs right away. Disabled by
1558 * default because IRET is very expensive.
1559 */
1560 pushq $0 /* SS */
1561 pushq %rsp /* RSP (minus 8 because of the previous push) */
1562 addq $8, (%rsp) /* Fix up RSP */
1563 pushfq /* RFLAGS */
1564 pushq $__KERNEL_CS /* CS */
1565 pushq $1f /* RIP */
1566 iretq /* continues at repeat_nmi below */
1567 UNWIND_HINT_IRET_REGS
15681:
1569#endif
1570
1571repeat_nmi:
1572 /*
1573 * If there was a nested NMI, the first NMI's iret will return
1574 * here. But NMIs are still enabled and we can take another
1575 * nested NMI. The nested NMI checks the interrupted RIP to see
1576 * if it is between repeat_nmi and end_repeat_nmi, and if so
1577 * it will just return, as we are about to repeat an NMI anyway.
1578 * This makes it safe to copy to the stack frame that a nested
1579 * NMI will update.
1580 *
1581 * RSP is pointing to "outermost RIP". gsbase is unknown, but, if
1582 * we're repeating an NMI, gsbase has the same value that it had on
1583 * the first iteration. paranoid_entry will load the kernel
1584 * gsbase if needed before we call do_nmi. "NMI executing"
1585 * is zero.
1586 */
1587 movq $1, 10*8(%rsp) /* Set "NMI executing". */
1588
1589 /*
1590 * Copy the "outermost" frame to the "iret" frame. NMIs that nest
1591 * here must not modify the "iret" frame while we're writing to
1592 * it or it will end up containing garbage.
1593 */
1594 addq $(10*8), %rsp
1595 .rept 5
1596 pushq -6*8(%rsp)
1597 .endr
1598 subq $(5*8), %rsp
1599end_repeat_nmi:
1600
1601 /*
1602 * Everything below this point can be preempted by a nested NMI.
1603 * If this happens, then the inner NMI will change the "iret"
1604 * frame to point back to repeat_nmi.
1605 */
1606 pushq $-1 /* ORIG_RAX: no syscall to restart */
1607
1608 /*
1609 * Use paranoid_entry to handle SWAPGS, but no need to use paranoid_exit
1610 * as we should not be calling schedule in NMI context.
1611 * Even with normal interrupts enabled. An NMI should not be
1612 * setting NEED_RESCHED or anything that normal interrupts and
1613 * exceptions might do.
1614 */
1615 call paranoid_entry
1616 UNWIND_HINT_REGS
1617
1618 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
1619 movq %rsp, %rdi
1620 movq $-1, %rsi
1621 call do_nmi
1622
1623 /* Always restore stashed CR3 value (see paranoid_entry) */
1624 RESTORE_CR3 scratch_reg=%r15 save_reg=%r14
1625
1626 testl %ebx, %ebx /* swapgs needed? */
1627 jnz nmi_restore
1628nmi_swapgs:
1629 SWAPGS_UNSAFE_STACK
1630nmi_restore:
1631 POP_REGS
1632
1633 /*
1634 * Skip orig_ax and the "outermost" frame to point RSP at the "iret"
1635 * at the "iret" frame.
1636 */
1637 addq $6*8, %rsp
1638
1639 /*
1640 * Clear "NMI executing". Set DF first so that we can easily
1641 * distinguish the remaining code between here and IRET from
1642 * the SYSCALL entry and exit paths.
1643 *
1644 * We arguably should just inspect RIP instead, but I (Andy) wrote
1645 * this code when I had the misapprehension that Xen PV supported
1646 * NMIs, and Xen PV would break that approach.
1647 */
1648 std
1649 movq $0, 5*8(%rsp) /* clear "NMI executing" */
1650
1651 /*
1652 * iretq reads the "iret" frame and exits the NMI stack in a
1653 * single instruction. We are returning to kernel mode, so this
1654 * cannot result in a fault. Similarly, we don't need to worry
1655 * about espfix64 on the way back to kernel mode.
1656 */
1657 iretq
1658END(nmi)
1659
1660ENTRY(ignore_sysret)
1661 UNWIND_HINT_EMPTY
1662 mov $-ENOSYS, %eax
1663 sysret
1664END(ignore_sysret)
1665
1666ENTRY(rewind_stack_do_exit)
1667 UNWIND_HINT_FUNC
1668 /* Prevent any naive code from trying to unwind to our caller. */
1669 xorl %ebp, %ebp
1670
1671 movq PER_CPU_VAR(cpu_current_top_of_stack), %rax
1672 leaq -PTREGS_SIZE(%rax), %rsp
1673 UNWIND_HINT_FUNC sp_offset=PTREGS_SIZE
1674
1675 call do_exit
1676END(rewind_stack_do_exit)
1677