2 * linux/arch/x86_64/entry.S
4 * Copyright (C) 1991, 1992 Linus Torvalds
5 * Copyright (C) 2000, 2001, 2002 Andi Kleen SuSE Labs
6 * Copyright (C) 2000 Pavel Machek <pavel@suse.cz>
8 * entry.S contains the system-call and fault low-level handling routines.
10 * Some of this is documented in Documentation/x86/entry_64.txt
12 * A note on terminology:
13 * - iret frame: Architecture defined interrupt frame from SS to RIP
14 * at the top of the kernel process stack.
17 * - ENTRY/END: Define functions in the symbol table.
18 * - TRACE_IRQ_*: Trace hardirq state for lock debugging.
19 * - idtentry: Define exception entry points.
21 #include <linux/linkage.h>
22 #include <asm/segment.h>
23 #include <asm/cache.h>
24 #include <asm/errno.h>
26 #include <asm/asm-offsets.h>
28 #include <asm/unistd.h>
29 #include <asm/thread_info.h>
30 #include <asm/hw_irq.h>
31 #include <asm/page_types.h>
32 #include <asm/irqflags.h>
33 #include <asm/paravirt.h>
34 #include <asm/percpu.h>
37 #include <asm/pgtable_types.h>
38 #include <asm/kaiser.h>
39 #include <linux/err.h>
41 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
42 #include <linux/elf-em.h>
43 #define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
44 #define __AUDIT_ARCH_64BIT 0x80000000
45 #define __AUDIT_ARCH_LE 0x40000000
48 .section .entry.text, "ax"
50 #ifdef CONFIG_PARAVIRT
51 ENTRY(native_usergs_sysret64)
54 ENDPROC(native_usergs_sysret64)
55 #endif /* CONFIG_PARAVIRT */
57 .macro TRACE_IRQS_IRETQ
58 #ifdef CONFIG_TRACE_IRQFLAGS
59 bt $9, EFLAGS(%rsp) /* interrupts off? */
67 * When dynamic function tracer is enabled it will add a breakpoint
68 * to all locations that it is about to modify, sync CPUs, update
69 * all the code, sync CPUs, then remove the breakpoints. In this time
70 * if lockdep is enabled, it might jump back into the debug handler
71 * outside the updating of the IST protection. (TRACE_IRQS_ON/OFF).
73 * We need to change the IDT table before calling TRACE_IRQS_ON/OFF to
74 * make sure the stack pointer does not get reset back to the top
75 * of the debug stack, and instead just reuses the current stack.
77 #if defined(CONFIG_DYNAMIC_FTRACE) && defined(CONFIG_TRACE_IRQFLAGS)
79 .macro TRACE_IRQS_OFF_DEBUG
80 call debug_stack_set_zero
82 call debug_stack_reset
85 .macro TRACE_IRQS_ON_DEBUG
86 call debug_stack_set_zero
88 call debug_stack_reset
91 .macro TRACE_IRQS_IRETQ_DEBUG
92 bt $9, EFLAGS(%rsp) /* interrupts off? */
99 # define TRACE_IRQS_OFF_DEBUG TRACE_IRQS_OFF
100 # define TRACE_IRQS_ON_DEBUG TRACE_IRQS_ON
101 # define TRACE_IRQS_IRETQ_DEBUG TRACE_IRQS_IRETQ
105 * 64-bit SYSCALL instruction entry. Up to 6 arguments in registers.
107 * 64-bit SYSCALL saves rip to rcx, clears rflags.RF, then saves rflags to r11,
108 * then loads new ss, cs, and rip from previously programmed MSRs.
109 * rflags gets masked by a value from another MSR (so CLD and CLAC
110 * are not needed). SYSCALL does not save anything on the stack
111 * and does not change rsp.
113 * Registers on entry:
114 * rax system call number
116 * r11 saved rflags (note: r11 is callee-clobbered register in C ABI)
120 * r10 arg3 (needs to be moved to rcx to conform to C ABI)
123 * (note: r12-r15, rbp, rbx are callee-preserved in C ABI)
125 * Only called from user space.
127 * When user can change pt_regs->foo always force IRET. That is because
128 * it deals with uncanonical addresses better. SYSRET has trouble
129 * with them due to bugs in both AMD and Intel CPUs.
132 ENTRY(entry_SYSCALL_64)
134 * Interrupts are off on entry.
135 * We do not frame this tiny irq-off block with TRACE_IRQS_OFF/ON,
136 * it is too small to ever cause noticeable irq latency.
139 SWITCH_KERNEL_CR3_NO_STACK
141 * A hypervisor implementation might want to use a label
142 * after the swapgs, so that it can do the swapgs
143 * for the guest and jump here on syscall.
145 GLOBAL(entry_SYSCALL_64_after_swapgs)
147 movq %rsp, PER_CPU_VAR(rsp_scratch)
148 movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
150 /* Construct struct pt_regs on stack */
151 pushq $__USER_DS /* pt_regs->ss */
152 pushq PER_CPU_VAR(rsp_scratch) /* pt_regs->sp */
154 * Re-enable interrupts.
155 * We use 'rsp_scratch' as a scratch space, hence irq-off block above
156 * must execute atomically in the face of possible interrupt-driven
157 * task preemption. We must enable interrupts only after we're done
158 * with using rsp_scratch:
160 ENABLE_INTERRUPTS(CLBR_NONE)
161 pushq %r11 /* pt_regs->flags */
162 pushq $__USER_CS /* pt_regs->cs */
163 pushq %rcx /* pt_regs->ip */
164 pushq %rax /* pt_regs->orig_ax */
165 pushq %rdi /* pt_regs->di */
166 pushq %rsi /* pt_regs->si */
167 pushq %rdx /* pt_regs->dx */
168 pushq %rcx /* pt_regs->cx */
169 pushq $-ENOSYS /* pt_regs->ax */
170 pushq %r8 /* pt_regs->r8 */
171 pushq %r9 /* pt_regs->r9 */
172 pushq %r10 /* pt_regs->r10 */
173 pushq %r11 /* pt_regs->r11 */
174 sub $(6*8), %rsp /* pt_regs->bp, bx, r12-15 not saved */
176 testl $_TIF_WORK_SYSCALL_ENTRY, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
178 entry_SYSCALL_64_fastpath:
179 #if __SYSCALL_MASK == ~0
180 cmpq $__NR_syscall_max, %rax
182 andl $__SYSCALL_MASK, %eax
183 cmpl $__NR_syscall_max, %eax
185 ja 1f /* return -ENOSYS (already in pt_regs->ax) */
187 call *sys_call_table(, %rax, 8)
191 * Syscall return path ending with SYSRET (fast path).
192 * Has incompletely filled pt_regs.
196 * We do not frame this tiny irq-off block with TRACE_IRQS_OFF/ON,
197 * it is too small to ever cause noticeable irq latency.
199 DISABLE_INTERRUPTS(CLBR_NONE)
202 * We must check ti flags with interrupts (or at least preemption)
203 * off because we must *never* return to userspace without
204 * processing exit work that is enqueued if we're preempted here.
205 * In particular, returning to userspace with any of the one-shot
206 * flags (TIF_NOTIFY_RESUME, TIF_USER_RETURN_NOTIFY, etc) set is
209 testl $_TIF_ALLWORK_MASK, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
210 jnz int_ret_from_sys_call_irqs_off /* Go to the slow path */
213 movq EFLAGS(%rsp), %r11
214 RESTORE_C_REGS_EXCEPT_RCX_R11
216 * This opens a window where we have a user CR3, but are
217 * running in the kernel. This makes using the CS
218 * register useless for telling whether or not we need to
219 * switch CR3 in NMIs. Normal interrupts are OK because
225 * 64-bit SYSRET restores rip from rcx,
226 * rflags from r11 (but RF and VM bits are forced to 0),
227 * cs and ss are loaded from MSRs.
228 * Restoration of rflags re-enables interrupts.
230 * NB: On AMD CPUs with the X86_BUG_SYSRET_SS_ATTRS bug, the ss
231 * descriptor is not reinitialized. This means that we should
232 * avoid SYSRET with SS == NULL, which could happen if we schedule,
233 * exit the kernel, and re-enter using an interrupt vector. (All
234 * interrupt entries on x86_64 set SS to NULL.) We prevent that
235 * from happening by reloading SS in __switch_to. (Actually
236 * detecting the failure in 64-bit userspace is tricky but can be
241 GLOBAL(int_ret_from_sys_call_irqs_off)
243 ENABLE_INTERRUPTS(CLBR_NONE)
244 jmp int_ret_from_sys_call
246 /* Do syscall entry tracing */
249 movl $AUDIT_ARCH_X86_64, %esi
250 call syscall_trace_enter_phase1
252 jnz tracesys_phase2 /* if needed, run the slow path */
253 RESTORE_C_REGS_EXCEPT_RAX /* else restore clobbered regs */
254 movq ORIG_RAX(%rsp), %rax
255 jmp entry_SYSCALL_64_fastpath /* and return to the fast path */
260 movl $AUDIT_ARCH_X86_64, %esi
262 call syscall_trace_enter_phase2
265 * Reload registers from stack in case ptrace changed them.
266 * We don't reload %rax because syscall_trace_entry_phase2() returned
267 * the value it wants us to use in the table lookup.
269 RESTORE_C_REGS_EXCEPT_RAX
271 #if __SYSCALL_MASK == ~0
272 cmpq $__NR_syscall_max, %rax
274 andl $__SYSCALL_MASK, %eax
275 cmpl $__NR_syscall_max, %eax
277 ja 1f /* return -ENOSYS (already in pt_regs->ax) */
278 movq %r10, %rcx /* fixup for C */
279 call *sys_call_table(, %rax, 8)
282 /* Use IRET because user could have changed pt_regs->foo */
285 * Syscall return path ending with IRET.
286 * Has correct iret frame.
288 GLOBAL(int_ret_from_sys_call)
291 call syscall_return_slowpath /* returns with IRQs disabled */
293 TRACE_IRQS_IRETQ /* we're about to change IF */
296 * Try to use SYSRET instead of IRET if we're returning to
297 * a completely clean 64-bit userspace context.
301 cmpq %rcx, %r11 /* RCX == RIP */
302 jne opportunistic_sysret_failed
305 * On Intel CPUs, SYSRET with non-canonical RCX/RIP will #GP
306 * in kernel space. This essentially lets the user take over
307 * the kernel, since userspace controls RSP.
309 * If width of "canonical tail" ever becomes variable, this will need
310 * to be updated to remain correct on both old and new CPUs.
312 .ifne __VIRTUAL_MASK_SHIFT - 47
313 .error "virtual address width changed -- SYSRET checks need update"
316 /* Change top 16 bits to be the sign-extension of 47th bit */
317 shl $(64 - (__VIRTUAL_MASK_SHIFT+1)), %rcx
318 sar $(64 - (__VIRTUAL_MASK_SHIFT+1)), %rcx
320 /* If this changed %rcx, it was not canonical */
322 jne opportunistic_sysret_failed
324 cmpq $__USER_CS, CS(%rsp) /* CS must match SYSRET */
325 jne opportunistic_sysret_failed
328 cmpq %r11, EFLAGS(%rsp) /* R11 == RFLAGS */
329 jne opportunistic_sysret_failed
332 * SYSRET can't restore RF. SYSRET can restore TF, but unlike IRET,
333 * restoring TF results in a trap from userspace immediately after
334 * SYSRET. This would cause an infinite loop whenever #DB happens
335 * with register state that satisfies the opportunistic SYSRET
336 * conditions. For example, single-stepping this user code:
338 * movq $stuck_here, %rcx
343 * would never get past 'stuck_here'.
345 testq $(X86_EFLAGS_RF|X86_EFLAGS_TF), %r11
346 jnz opportunistic_sysret_failed
348 /* nothing to check for RSP */
350 cmpq $__USER_DS, SS(%rsp) /* SS must match SYSRET */
351 jne opportunistic_sysret_failed
354 * We win! This label is here just for ease of understanding
355 * perf profiles. Nothing jumps here.
357 syscall_return_via_sysret:
358 /* rcx and r11 are already restored (see code above) */
359 RESTORE_C_REGS_EXCEPT_RCX_R11
361 * This opens a window where we have a user CR3, but are
362 * running in the kernel. This makes using the CS
363 * register useless for telling whether or not we need to
364 * switch CR3 in NMIs. Normal interrupts are OK because
371 opportunistic_sysret_failed:
373 * This opens a window where we have a user CR3, but are
374 * running in the kernel. This makes using the CS
375 * register useless for telling whether or not we need to
376 * switch CR3 in NMIs. Normal interrupts are OK because
381 jmp restore_c_regs_and_iret
382 END(entry_SYSCALL_64)
385 .macro FORK_LIKE func
401 /* exec failed, can use fast SYSRET code path in this case */
404 /* must use IRET code path (pt_regs->cs may have changed) */
408 jmp int_ret_from_sys_call
411 * Remaining execve stubs are only 7 bytes long.
412 * ENTRY() often aligns to 16 bytes, which in this case has no benefits.
415 GLOBAL(stub_execveat)
417 jmp return_from_execve
420 #if defined(CONFIG_X86_X32_ABI)
422 GLOBAL(stub_x32_execve)
423 call compat_sys_execve
424 jmp return_from_execve
427 GLOBAL(stub_x32_execveat)
428 call compat_sys_execveat
429 jmp return_from_execve
430 END(stub_x32_execveat)
434 * sigreturn is special because it needs to restore all registers on return.
435 * This cannot be done with SYSRET, so use the IRET return path instead.
437 ENTRY(stub_rt_sigreturn)
439 * SAVE_EXTRA_REGS result is not normally needed:
440 * sigreturn overwrites all pt_regs->GPREGS.
441 * But sigreturn can fail (!), and there is no easy way to detect that.
442 * To make sure RESTORE_EXTRA_REGS doesn't restore garbage on error,
443 * we SAVE_EXTRA_REGS here.
446 call sys_rt_sigreturn
451 jmp int_ret_from_sys_call
452 END(stub_rt_sigreturn)
454 #ifdef CONFIG_X86_X32_ABI
455 ENTRY(stub_x32_rt_sigreturn)
457 call sys32_x32_rt_sigreturn
459 END(stub_x32_rt_sigreturn)
463 * A newly forked process directly context switches into this address.
465 * rdi: prev task we switched from
469 LOCK ; btr $TIF_FORK, TI_flags(%r8)
472 popfq /* reset kernel eflags */
474 call schedule_tail /* rdi: 'prev' task parameter */
478 testb $3, CS(%rsp) /* from kernel_thread? */
481 * By the time we get here, we have no idea whether our pt_regs,
482 * ti flags, and ti status came from the 64-bit SYSCALL fast path,
483 * the slow path, or one of the 32-bit compat paths.
484 * Use IRET code path to return, since it can safely handle
487 jnz int_ret_from_sys_call
490 * We came from kernel_thread
491 * nb: we depend on RESTORE_EXTRA_REGS above
497 jmp int_ret_from_sys_call
501 * Build the entry stubs with some assembler magic.
502 * We pack 1 stub into every 8-byte block.
505 ENTRY(irq_entries_start)
506 vector=FIRST_EXTERNAL_VECTOR
507 .rept (FIRST_SYSTEM_VECTOR - FIRST_EXTERNAL_VECTOR)
508 pushq $(~vector+0x80) /* Note: always in signed byte range */
513 END(irq_entries_start)
516 * Interrupt entry/exit.
518 * Interrupt entry points save only callee clobbered registers in fast path.
520 * Entry runs with interrupts off.
523 /* 0(%rsp): ~(interrupt number) */
524 .macro interrupt func
526 ALLOC_PT_GPREGS_ON_STACK
534 * IRQ from user mode. Switch to kernel gsbase and inform context
535 * tracking that we're in kernel mode.
541 * We need to tell lockdep that IRQs are off. We can't do this until
542 * we fix gsbase, and we should do it before enter_from_user_mode
543 * (which can take locks). Since TRACE_IRQS_OFF idempotent,
544 * the simplest way to handle it is to just call it twice if
545 * we enter from user mode. There's no reason to optimize this since
546 * TRACE_IRQS_OFF is a no-op if lockdep is off.
550 #ifdef CONFIG_CONTEXT_TRACKING
551 call enter_from_user_mode
556 * Save previous stack pointer, optionally switch to interrupt stack.
557 * irq_count is used to check if a CPU is already on an interrupt stack
558 * or not. While this is essentially redundant with preempt_count it is
559 * a little cheaper to use a separate counter in the PDA (short of
560 * moving irq_enter into assembly, which would be too much work)
563 incl PER_CPU_VAR(irq_count)
564 cmovzq PER_CPU_VAR(irq_stack_ptr), %rsp
566 /* We entered an interrupt context - irqs are off: */
569 call \func /* rdi points to pt_regs */
573 * The interrupt stubs push (~vector+0x80) onto the stack and
574 * then jump to common_interrupt.
576 .p2align CONFIG_X86_L1_CACHE_SHIFT
579 addq $-0x80, (%rsp) /* Adjust vector to [-256, -1] range */
581 /* 0(%rsp): old RSP */
583 DISABLE_INTERRUPTS(CLBR_NONE)
585 decl PER_CPU_VAR(irq_count)
587 /* Restore saved previous stack */
593 /* Interrupt came from user space */
596 call prepare_exit_to_usermode
600 jmp restore_regs_and_iret
602 /* Returning to kernel space */
604 #ifdef CONFIG_PREEMPT
605 /* Interrupts are off */
606 /* Check if we need preemption */
607 bt $9, EFLAGS(%rsp) /* were interrupts off? */
609 0: cmpl $0, PER_CPU_VAR(__preempt_count)
611 call preempt_schedule_irq
616 * The iretq could re-enable interrupts:
621 * At this label, code paths which return to kernel and to user,
622 * which come from interrupts/exception and from syscalls, merge.
624 GLOBAL(restore_regs_and_iret)
626 restore_c_regs_and_iret:
628 REMOVE_PT_GPREGS_FROM_STACK 8
633 * Are we returning to a stack segment from the LDT? Note: in
634 * 64-bit mode SS:RSP on the exception stack is always valid.
636 #ifdef CONFIG_X86_ESPFIX64
637 testb $4, (SS-RIP)(%rsp)
638 jnz native_irq_return_ldt
641 .global native_irq_return_iret
642 native_irq_return_iret:
644 * This may fault. Non-paranoid faults on return to userspace are
645 * handled by fixup_bad_iret. These include #SS, #GP, and #NP.
646 * Double-faults due to espfix64 are handled in do_double_fault.
647 * Other faults here are fatal.
651 #ifdef CONFIG_X86_ESPFIX64
652 native_irq_return_ldt:
657 movq PER_CPU_VAR(espfix_waddr), %rdi
658 movq %rax, (0*8)(%rdi) /* RAX */
659 movq (2*8)(%rsp), %rax /* RIP */
660 movq %rax, (1*8)(%rdi)
661 movq (3*8)(%rsp), %rax /* CS */
662 movq %rax, (2*8)(%rdi)
663 movq (4*8)(%rsp), %rax /* RFLAGS */
664 movq %rax, (3*8)(%rdi)
665 movq (6*8)(%rsp), %rax /* SS */
666 movq %rax, (5*8)(%rdi)
667 movq (5*8)(%rsp), %rax /* RSP */
668 movq %rax, (4*8)(%rdi)
669 andl $0xffff0000, %eax
671 orq PER_CPU_VAR(espfix_stack), %rax
676 jmp native_irq_return_iret
678 END(common_interrupt)
683 .macro apicinterrupt3 num sym do_sym
693 #ifdef CONFIG_TRACING
694 #define trace(sym) trace_##sym
695 #define smp_trace(sym) smp_trace_##sym
697 .macro trace_apicinterrupt num sym
698 apicinterrupt3 \num trace(\sym) smp_trace(\sym)
701 .macro trace_apicinterrupt num sym do_sym
705 /* Make sure APIC interrupt handlers end up in the irqentry section: */
706 #define PUSH_SECTION_IRQENTRY .pushsection .irqentry.text, "ax"
707 #define POP_SECTION_IRQENTRY .popsection
709 .macro apicinterrupt num sym do_sym
710 PUSH_SECTION_IRQENTRY
711 apicinterrupt3 \num \sym \do_sym
712 trace_apicinterrupt \num \sym
717 apicinterrupt3 IRQ_MOVE_CLEANUP_VECTOR irq_move_cleanup_interrupt smp_irq_move_cleanup_interrupt
718 apicinterrupt3 REBOOT_VECTOR reboot_interrupt smp_reboot_interrupt
722 apicinterrupt3 UV_BAU_MESSAGE uv_bau_message_intr1 uv_bau_message_interrupt
725 apicinterrupt LOCAL_TIMER_VECTOR apic_timer_interrupt smp_apic_timer_interrupt
726 apicinterrupt X86_PLATFORM_IPI_VECTOR x86_platform_ipi smp_x86_platform_ipi
728 #ifdef CONFIG_HAVE_KVM
729 apicinterrupt3 POSTED_INTR_VECTOR kvm_posted_intr_ipi smp_kvm_posted_intr_ipi
730 apicinterrupt3 POSTED_INTR_WAKEUP_VECTOR kvm_posted_intr_wakeup_ipi smp_kvm_posted_intr_wakeup_ipi
733 #ifdef CONFIG_X86_MCE_THRESHOLD
734 apicinterrupt THRESHOLD_APIC_VECTOR threshold_interrupt smp_threshold_interrupt
737 #ifdef CONFIG_X86_MCE_AMD
738 apicinterrupt DEFERRED_ERROR_VECTOR deferred_error_interrupt smp_deferred_error_interrupt
741 #ifdef CONFIG_X86_THERMAL_VECTOR
742 apicinterrupt THERMAL_APIC_VECTOR thermal_interrupt smp_thermal_interrupt
746 apicinterrupt CALL_FUNCTION_SINGLE_VECTOR call_function_single_interrupt smp_call_function_single_interrupt
747 apicinterrupt CALL_FUNCTION_VECTOR call_function_interrupt smp_call_function_interrupt
748 apicinterrupt RESCHEDULE_VECTOR reschedule_interrupt smp_reschedule_interrupt
751 apicinterrupt ERROR_APIC_VECTOR error_interrupt smp_error_interrupt
752 apicinterrupt SPURIOUS_APIC_VECTOR spurious_interrupt smp_spurious_interrupt
754 #ifdef CONFIG_IRQ_WORK
755 apicinterrupt IRQ_WORK_VECTOR irq_work_interrupt smp_irq_work_interrupt
759 * Exception entry points.
761 #define CPU_TSS_IST(x) PER_CPU_VAR(cpu_tss) + (TSS_ist + ((x) - 1) * 8)
763 .macro idtentry sym do_sym has_error_code:req paranoid=0 shift_ist=-1
766 .if \shift_ist != -1 && \paranoid == 0
767 .error "using shift_ist requires paranoid=1"
771 PARAVIRT_ADJUST_EXCEPTION_FRAME
773 .ifeq \has_error_code
774 pushq $-1 /* ORIG_RAX: no syscall to restart */
777 ALLOC_PT_GPREGS_ON_STACK
781 testb $3, CS(%rsp) /* If coming from userspace, switch stacks */
788 /* returned flag: ebx=0: need swapgs on exit, ebx=1: don't need it */
792 TRACE_IRQS_OFF_DEBUG /* reload IDT in case of recursion */
798 movq %rsp, %rdi /* pt_regs pointer */
801 movq ORIG_RAX(%rsp), %rsi /* get error code */
802 movq $-1, ORIG_RAX(%rsp) /* no syscall to restart */
804 xorl %esi, %esi /* no error code */
808 subq $EXCEPTION_STKSZ, CPU_TSS_IST(\shift_ist)
814 addq $EXCEPTION_STKSZ, CPU_TSS_IST(\shift_ist)
817 /* these procedures expect "no swapgs" flag in ebx */
826 * Paranoid entry from userspace. Switch stacks and treat it
827 * as a normal entry. This means that paranoid handlers
828 * run in real process context if user_mode(regs).
834 movq %rsp, %rdi /* pt_regs pointer */
836 movq %rax, %rsp /* switch stack */
838 movq %rsp, %rdi /* pt_regs pointer */
841 movq ORIG_RAX(%rsp), %rsi /* get error code */
842 movq $-1, ORIG_RAX(%rsp) /* no syscall to restart */
844 xorl %esi, %esi /* no error code */
849 jmp error_exit /* %ebx: no swapgs flag */
854 #ifdef CONFIG_TRACING
855 .macro trace_idtentry sym do_sym has_error_code:req
856 idtentry trace(\sym) trace(\do_sym) has_error_code=\has_error_code
857 idtentry \sym \do_sym has_error_code=\has_error_code
860 .macro trace_idtentry sym do_sym has_error_code:req
861 idtentry \sym \do_sym has_error_code=\has_error_code
865 idtentry divide_error do_divide_error has_error_code=0
866 idtentry overflow do_overflow has_error_code=0
867 idtentry bounds do_bounds has_error_code=0
868 idtentry invalid_op do_invalid_op has_error_code=0
869 idtentry device_not_available do_device_not_available has_error_code=0
870 idtentry double_fault do_double_fault has_error_code=1 paranoid=2
871 idtentry coprocessor_segment_overrun do_coprocessor_segment_overrun has_error_code=0
872 idtentry invalid_TSS do_invalid_TSS has_error_code=1
873 idtentry segment_not_present do_segment_not_present has_error_code=1
874 idtentry spurious_interrupt_bug do_spurious_interrupt_bug has_error_code=0
875 idtentry coprocessor_error do_coprocessor_error has_error_code=0
876 idtentry alignment_check do_alignment_check has_error_code=1
877 idtentry simd_coprocessor_error do_simd_coprocessor_error has_error_code=0
881 * Reload gs selector with exception handling
884 ENTRY(native_load_gs_index)
886 DISABLE_INTERRUPTS(CLBR_ANY & ~CLBR_RDI)
890 2: mfence /* workaround */
894 END(native_load_gs_index)
896 _ASM_EXTABLE(gs_change, bad_gs)
897 .section .fixup, "ax"
898 /* running with kernelgs */
900 SWAPGS /* switch back to user gs */
906 /* Call softirq on interrupt stack. Interrupts are off. */
907 ENTRY(do_softirq_own_stack)
910 incl PER_CPU_VAR(irq_count)
911 cmove PER_CPU_VAR(irq_stack_ptr), %rsp
912 push %rbp /* frame pointer backlink */
915 decl PER_CPU_VAR(irq_count)
917 END(do_softirq_own_stack)
920 idtentry xen_hypervisor_callback xen_do_hypervisor_callback has_error_code=0
923 * A note on the "critical region" in our callback handler.
924 * We want to avoid stacking callback handlers due to events occurring
925 * during handling of the last event. To do this, we keep events disabled
926 * until we've done all processing. HOWEVER, we must enable events before
927 * popping the stack frame (can't be done atomically) and so it would still
928 * be possible to get enough handler activations to overflow the stack.
929 * Although unlikely, bugs of that kind are hard to track down, so we'd
930 * like to avoid the possibility.
931 * So, on entry to the handler we detect whether we interrupted an
932 * existing activation in its critical region -- if so, we pop the current
933 * activation and restart the handler using the previous one.
935 ENTRY(xen_do_hypervisor_callback) /* do_hypervisor_callback(struct *pt_regs) */
938 * Since we don't modify %rdi, evtchn_do_upall(struct *pt_regs) will
939 * see the correct pointer to the pt_regs
941 movq %rdi, %rsp /* we don't return, adjust the stack frame */
942 11: incl PER_CPU_VAR(irq_count)
944 cmovzq PER_CPU_VAR(irq_stack_ptr), %rsp
945 pushq %rbp /* frame pointer backlink */
946 call xen_evtchn_do_upcall
948 decl PER_CPU_VAR(irq_count)
949 #ifndef CONFIG_PREEMPT
950 call xen_maybe_preempt_hcall
953 END(xen_do_hypervisor_callback)
956 * Hypervisor uses this for application faults while it executes.
957 * We get here for two reasons:
958 * 1. Fault while reloading DS, ES, FS or GS
959 * 2. Fault while executing IRET
960 * Category 1 we do not need to fix up as Xen has already reloaded all segment
961 * registers that could be reloaded and zeroed the others.
962 * Category 2 we fix up by killing the current process. We cannot use the
963 * normal Linux return path in this case because if we use the IRET hypercall
964 * to pop the stack frame we end up in an infinite loop of failsafe callbacks.
965 * We distinguish between categories by comparing each saved segment register
966 * with its current contents: any discrepancy means we in category 1.
968 ENTRY(xen_failsafe_callback)
981 /* All segments match their saved values => Category 2 (Bad IRET). */
988 jmp general_protection
989 1: /* Segment mismatch => Category 1 (Bad segment). Retry the IRET. */
993 pushq $-1 /* orig_ax = -1 => not a system call */
994 ALLOC_PT_GPREGS_ON_STACK
998 END(xen_failsafe_callback)
1000 apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \
1001 xen_hvm_callback_vector xen_evtchn_do_upcall
1003 #endif /* CONFIG_XEN */
1005 #if IS_ENABLED(CONFIG_HYPERV)
1006 apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \
1007 hyperv_callback_vector hyperv_vector_handler
1008 #endif /* CONFIG_HYPERV */
1010 idtentry debug do_debug has_error_code=0 paranoid=1 shift_ist=DEBUG_STACK
1011 idtentry int3 do_int3 has_error_code=0 paranoid=1 shift_ist=DEBUG_STACK
1012 idtentry stack_segment do_stack_segment has_error_code=1
1015 idtentry xen_debug do_debug has_error_code=0
1016 idtentry xen_int3 do_int3 has_error_code=0
1017 idtentry xen_stack_segment do_stack_segment has_error_code=1
1020 idtentry general_protection do_general_protection has_error_code=1
1021 trace_idtentry page_fault do_page_fault has_error_code=1
1023 #ifdef CONFIG_KVM_GUEST
1024 idtentry async_page_fault do_async_page_fault has_error_code=1
1027 #ifdef CONFIG_X86_MCE
1028 idtentry machine_check has_error_code=0 paranoid=1 do_sym=*machine_check_vector(%rip)
1032 * Save all registers in pt_regs, and switch gs if needed.
1033 * Use slow, but surefire "are we in kernel?" check.
1035 * Return: ebx=0: needs swapgs but not SWITCH_USER_CR3 in paranoid_exit
1036 * ebx=1: needs neither swapgs nor SWITCH_USER_CR3 in paranoid_exit
1037 * ebx=2: needs both swapgs and SWITCH_USER_CR3 in paranoid_exit
1038 * ebx=3: needs SWITCH_USER_CR3 but not swapgs in paranoid_exit
1040 ENTRY(paranoid_entry)
1045 movl $MSR_GS_BASE, %ecx
1048 js 1f /* negative -> in kernel */
1052 #ifdef CONFIG_PAGE_TABLE_ISOLATION
1054 * We might have come in between a swapgs and a SWITCH_KERNEL_CR3
1055 * on entry, or between a SWITCH_USER_CR3 and a swapgs on exit.
1056 * Do a conditional SWITCH_KERNEL_CR3: this could safely be done
1057 * unconditionally, but we need to find out whether the reverse
1058 * should be done on return (conveyed to paranoid_exit in %ebx).
1060 ALTERNATIVE "jmp 2f", "movq %cr3, %rax", X86_FEATURE_KAISER
1061 testl $KAISER_SHADOW_PGD_OFFSET, %eax
1064 andq $(~(X86_CR3_PCID_ASID_MASK | KAISER_SHADOW_PGD_OFFSET)), %rax
1065 /* If PCID enabled, set X86_CR3_PCID_NOFLUSH_BIT */
1066 ALTERNATIVE "", "bts $63, %rax", X86_FEATURE_PCID
1074 * "Paranoid" exit path from exception stack. This is invoked
1075 * only on return from non-NMI IST interrupts that came
1076 * from kernel space.
1078 * We may be returning to very strange contexts (e.g. very early
1079 * in syscall entry), so checking for preemption here would
1080 * be complicated. Fortunately, we there's no good reason
1081 * to try to handle preemption here.
1083 * On entry: ebx=0: needs swapgs but not SWITCH_USER_CR3
1084 * ebx=1: needs neither swapgs nor SWITCH_USER_CR3
1085 * ebx=2: needs both swapgs and SWITCH_USER_CR3
1086 * ebx=3: needs SWITCH_USER_CR3 but not swapgs
1088 ENTRY(paranoid_exit)
1089 DISABLE_INTERRUPTS(CLBR_NONE)
1090 TRACE_IRQS_OFF_DEBUG
1091 TRACE_IRQS_IRETQ_DEBUG
1092 #ifdef CONFIG_PAGE_TABLE_ISOLATION
1093 /* No ALTERNATIVE for X86_FEATURE_KAISER: paranoid_entry sets %ebx */
1094 testl $2, %ebx /* SWITCH_USER_CR3 needed? */
1095 jz paranoid_exit_no_switch
1097 paranoid_exit_no_switch:
1099 testl $1, %ebx /* swapgs needed? */
1100 jnz paranoid_exit_no_swapgs
1102 paranoid_exit_no_swapgs:
1105 REMOVE_PT_GPREGS_FROM_STACK 8
1110 * Save all registers in pt_regs, and switch gs if needed.
1111 * Return: EBX=0: came from user mode; EBX=1: otherwise
1118 * error_entry() always returns with a kernel gsbase and
1119 * CR3. We must also have a kernel CR3/gsbase before
1120 * calling TRACE_IRQS_*. Just unconditionally switch to
1121 * the kernel CR3 here.
1125 testb $3, CS+8(%rsp)
1126 jz .Lerror_kernelspace
1128 .Lerror_entry_from_usermode_swapgs:
1130 * We entered from user mode or we're pretending to have entered
1131 * from user mode due to an IRET fault.
1135 .Lerror_entry_from_usermode_after_swapgs:
1137 * We need to tell lockdep that IRQs are off. We can't do this until
1138 * we fix gsbase, and we should do it before enter_from_user_mode
1139 * (which can take locks).
1142 #ifdef CONFIG_CONTEXT_TRACKING
1143 call enter_from_user_mode
1152 * There are two places in the kernel that can potentially fault with
1153 * usergs. Handle them here. B stepping K8s sometimes report a
1154 * truncated RIP for IRET exceptions returning to compat mode. Check
1155 * for these here too.
1157 .Lerror_kernelspace:
1159 leaq native_irq_return_iret(%rip), %rcx
1160 cmpq %rcx, RIP+8(%rsp)
1162 movl %ecx, %eax /* zero extend */
1163 cmpq %rax, RIP+8(%rsp)
1165 cmpq $gs_change, RIP+8(%rsp)
1166 jne .Lerror_entry_done
1169 * hack: gs_change can fail with user gsbase. If this happens, fix up
1170 * gsbase and proceed. We'll fix up the exception and land in
1171 * gs_change's error handler with kernel gsbase.
1173 jmp .Lerror_entry_from_usermode_swapgs
1176 /* Fix truncated RIP */
1177 movq %rcx, RIP+8(%rsp)
1182 * We came from an IRET to user mode, so we have user gsbase.
1183 * Switch to kernel gsbase:
1188 * Pretend that the exception came from user mode: set up pt_regs
1189 * as if we faulted immediately after IRET and clear EBX so that
1190 * error_exit knows that we will be returning to user mode.
1196 jmp .Lerror_entry_from_usermode_after_swapgs
1201 * On entry, EBS is a "return to kernel mode" flag:
1202 * 1: already in kernel mode, don't need SWAPGS
1203 * 0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode
1207 DISABLE_INTERRUPTS(CLBR_NONE)
1214 /* Runs on exception stack */
1217 * Fix up the exception frame if we're on Xen.
1218 * PARAVIRT_ADJUST_EXCEPTION_FRAME is guaranteed to push at most
1219 * one value to the stack on native, so it may clobber the rdx
1220 * scratch slot, but it won't clobber any of the important
1223 * Xen is a different story, because the Xen frame itself overlaps
1224 * the "NMI executing" variable.
1226 PARAVIRT_ADJUST_EXCEPTION_FRAME
1229 * We allow breakpoints in NMIs. If a breakpoint occurs, then
1230 * the iretq it performs will take us out of NMI context.
1231 * This means that we can have nested NMIs where the next
1232 * NMI is using the top of the stack of the previous NMI. We
1233 * can't let it execute because the nested NMI will corrupt the
1234 * stack of the previous NMI. NMI handlers are not re-entrant
1237 * To handle this case we do the following:
1238 * Check the a special location on the stack that contains
1239 * a variable that is set when NMIs are executing.
1240 * The interrupted task's stack is also checked to see if it
1242 * If the variable is not set and the stack is not the NMI
1244 * o Set the special variable on the stack
1245 * o Copy the interrupt frame into an "outermost" location on the
1247 * o Copy the interrupt frame into an "iret" location on the stack
1248 * o Continue processing the NMI
1249 * If the variable is set or the previous stack is the NMI stack:
1250 * o Modify the "iret" location to jump to the repeat_nmi
1251 * o return back to the first NMI
1253 * Now on exit of the first NMI, we first clear the stack variable
1254 * The NMI stack will tell any nested NMIs at that point that it is
1255 * nested. Then we pop the stack normally with iret, and if there was
1256 * a nested NMI that updated the copy interrupt stack frame, a
1257 * jump will be made to the repeat_nmi code that will handle the second
1260 * However, espfix prevents us from directly returning to userspace
1261 * with a single IRET instruction. Similarly, IRET to user mode
1262 * can fault. We therefore handle NMIs from user space like
1263 * other IST entries.
1268 /* Use %rdx as our temp variable throughout */
1271 testb $3, CS-RIP+8(%rsp)
1272 jz .Lnmi_from_kernel
1275 * NMI from user mode. We need to run on the thread stack, but we
1276 * can't go through the normal entry paths: NMIs are masked, and
1277 * we don't want to enable interrupts, because then we'll end
1278 * up in an awkward situation in which IRQs are on but NMIs
1281 * We also must not push anything to the stack before switching
1282 * stacks lest we corrupt the "NMI executing" variable.
1287 * percpu variables are mapped with user CR3, so no need
1288 * to switch CR3 here.
1292 movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
1293 pushq 5*8(%rdx) /* pt_regs->ss */
1294 pushq 4*8(%rdx) /* pt_regs->rsp */
1295 pushq 3*8(%rdx) /* pt_regs->flags */
1296 pushq 2*8(%rdx) /* pt_regs->cs */
1297 pushq 1*8(%rdx) /* pt_regs->rip */
1298 pushq $-1 /* pt_regs->orig_ax */
1299 pushq %rdi /* pt_regs->di */
1300 pushq %rsi /* pt_regs->si */
1301 pushq (%rdx) /* pt_regs->dx */
1302 pushq %rcx /* pt_regs->cx */
1303 pushq %rax /* pt_regs->ax */
1304 pushq %r8 /* pt_regs->r8 */
1305 pushq %r9 /* pt_regs->r9 */
1306 pushq %r10 /* pt_regs->r10 */
1307 pushq %r11 /* pt_regs->r11 */
1308 pushq %rbx /* pt_regs->rbx */
1309 pushq %rbp /* pt_regs->rbp */
1310 pushq %r12 /* pt_regs->r12 */
1311 pushq %r13 /* pt_regs->r13 */
1312 pushq %r14 /* pt_regs->r14 */
1313 pushq %r15 /* pt_regs->r15 */
1316 * At this point we no longer need to worry about stack damage
1317 * due to nesting -- we're on the normal thread stack and we're
1318 * done with the NMI stack.
1323 #ifdef CONFIG_PAGE_TABLE_ISOLATION
1324 /* Unconditionally use kernel CR3 for do_nmi() */
1325 /* %rax is saved above, so OK to clobber here */
1326 ALTERNATIVE "jmp 2f", "movq %cr3, %rax", X86_FEATURE_KAISER
1327 /* If PCID enabled, NOFLUSH now and NOFLUSH on return */
1328 ALTERNATIVE "", "bts $63, %rax", X86_FEATURE_PCID
1330 /* mask off "user" bit of pgd address and 12 PCID bits: */
1331 andq $(~(X86_CR3_PCID_ASID_MASK | KAISER_SHADOW_PGD_OFFSET)), %rax
1337 #ifdef CONFIG_PAGE_TABLE_ISOLATION
1339 * Unconditionally restore CR3. I know we return to
1340 * kernel code that needs user CR3, but do we ever return
1341 * to "user mode" where we need the kernel CR3?
1343 ALTERNATIVE "", "popq %rax; movq %rax, %cr3", X86_FEATURE_KAISER
1347 * Return back to user mode. We must *not* do the normal exit
1348 * work, because we don't want to enable interrupts. Do not
1349 * switch to user CR3: we might be going back to kernel code
1350 * that had a user CR3 set.
1353 jmp restore_c_regs_and_iret
1357 * Here's what our stack frame will look like:
1358 * +---------------------------------------------------------+
1360 * | original Return RSP |
1361 * | original RFLAGS |
1364 * +---------------------------------------------------------+
1365 * | temp storage for rdx |
1366 * +---------------------------------------------------------+
1367 * | "NMI executing" variable |
1368 * +---------------------------------------------------------+
1369 * | iret SS } Copied from "outermost" frame |
1370 * | iret Return RSP } on each loop iteration; overwritten |
1371 * | iret RFLAGS } by a nested NMI to force another |
1372 * | iret CS } iteration if needed. |
1374 * +---------------------------------------------------------+
1375 * | outermost SS } initialized in first_nmi; |
1376 * | outermost Return RSP } will not be changed before |
1377 * | outermost RFLAGS } NMI processing is done. |
1378 * | outermost CS } Copied to "iret" frame on each |
1379 * | outermost RIP } iteration. |
1380 * +---------------------------------------------------------+
1382 * +---------------------------------------------------------+
1384 * The "original" frame is used by hardware. Before re-enabling
1385 * NMIs, we need to be done with it, and we need to leave enough
1386 * space for the asm code here.
1388 * We return by executing IRET while RSP points to the "iret" frame.
1389 * That will either return for real or it will loop back into NMI
1392 * The "outermost" frame is copied to the "iret" frame on each
1393 * iteration of the loop, so each iteration starts with the "iret"
1394 * frame pointing to the final return target.
1398 * Determine whether we're a nested NMI.
1400 * If we interrupted kernel code between repeat_nmi and
1401 * end_repeat_nmi, then we are a nested NMI. We must not
1402 * modify the "iret" frame because it's being written by
1403 * the outer NMI. That's okay; the outer NMI handler is
1404 * about to about to call do_nmi anyway, so we can just
1405 * resume the outer NMI.
1408 movq $repeat_nmi, %rdx
1411 movq $end_repeat_nmi, %rdx
1417 * Now check "NMI executing". If it's set, then we're nested.
1418 * This will not detect if we interrupted an outer NMI just
1425 * Now test if the previous stack was an NMI stack. This covers
1426 * the case where we interrupt an outer NMI after it clears
1427 * "NMI executing" but before IRET. We need to be careful, though:
1428 * there is one case in which RSP could point to the NMI stack
1429 * despite there being no NMI active: naughty userspace controls
1430 * RSP at the very beginning of the SYSCALL targets. We can
1431 * pull a fast one on naughty userspace, though: we program
1432 * SYSCALL to mask DF, so userspace cannot cause DF to be set
1433 * if it controls the kernel's RSP. We set DF before we clear
1437 /* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */
1438 cmpq %rdx, 4*8(%rsp)
1439 /* If the stack pointer is above the NMI stack, this is a normal NMI */
1442 subq $EXCEPTION_STKSZ, %rdx
1443 cmpq %rdx, 4*8(%rsp)
1444 /* If it is below the NMI stack, it is a normal NMI */
1447 /* Ah, it is within the NMI stack. */
1449 testb $(X86_EFLAGS_DF >> 8), (3*8 + 1)(%rsp)
1450 jz first_nmi /* RSP was user controlled. */
1452 /* This is a nested NMI. */
1456 * Modify the "iret" frame to point to repeat_nmi, forcing another
1457 * iteration of NMI handling.
1460 leaq -10*8(%rsp), %rdx
1467 /* Put stack back */
1473 /* We are returning to kernel mode, so this cannot result in a fault. */
1480 /* Make room for "NMI executing". */
1483 /* Leave room for the "iret" frame */
1486 /* Copy the "original" frame to the "outermost" frame */
1491 /* Everything up to here is safe from nested NMIs */
1493 #ifdef CONFIG_DEBUG_ENTRY
1495 * For ease of testing, unmask NMIs right away. Disabled by
1496 * default because IRET is very expensive.
1499 pushq %rsp /* RSP (minus 8 because of the previous push) */
1500 addq $8, (%rsp) /* Fix up RSP */
1502 pushq $__KERNEL_CS /* CS */
1504 INTERRUPT_RETURN /* continues at repeat_nmi below */
1510 * If there was a nested NMI, the first NMI's iret will return
1511 * here. But NMIs are still enabled and we can take another
1512 * nested NMI. The nested NMI checks the interrupted RIP to see
1513 * if it is between repeat_nmi and end_repeat_nmi, and if so
1514 * it will just return, as we are about to repeat an NMI anyway.
1515 * This makes it safe to copy to the stack frame that a nested
1518 * RSP is pointing to "outermost RIP". gsbase is unknown, but, if
1519 * we're repeating an NMI, gsbase has the same value that it had on
1520 * the first iteration. paranoid_entry will load the kernel
1521 * gsbase if needed before we call do_nmi. "NMI executing"
1524 movq $1, 10*8(%rsp) /* Set "NMI executing". */
1527 * Copy the "outermost" frame to the "iret" frame. NMIs that nest
1528 * here must not modify the "iret" frame while we're writing to
1529 * it or it will end up containing garbage.
1539 * Everything below this point can be preempted by a nested NMI.
1540 * If this happens, then the inner NMI will change the "iret"
1541 * frame to point back to repeat_nmi.
1543 pushq $-1 /* ORIG_RAX: no syscall to restart */
1544 ALLOC_PT_GPREGS_ON_STACK
1547 * Use the same approach as paranoid_entry to handle SWAPGS, but
1548 * without CR3 handling since we do that differently in NMIs. No
1549 * need to use paranoid_exit as we should not be calling schedule
1550 * in NMI context. Even with normal interrupts enabled. An NMI
1551 * should not be setting NEED_RESCHED or anything that normal
1552 * interrupts and exceptions might do.
1558 movl $MSR_GS_BASE, %ecx
1561 js 1f /* negative -> in kernel */
1567 #ifdef CONFIG_PAGE_TABLE_ISOLATION
1568 /* Unconditionally use kernel CR3 for do_nmi() */
1569 /* %rax is saved above, so OK to clobber here */
1570 ALTERNATIVE "jmp 2f", "movq %cr3, %rax", X86_FEATURE_KAISER
1571 /* If PCID enabled, NOFLUSH now and NOFLUSH on return */
1572 ALTERNATIVE "", "bts $63, %rax", X86_FEATURE_PCID
1574 /* mask off "user" bit of pgd address and 12 PCID bits: */
1575 andq $(~(X86_CR3_PCID_ASID_MASK | KAISER_SHADOW_PGD_OFFSET)), %rax
1580 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
1583 #ifdef CONFIG_PAGE_TABLE_ISOLATION
1585 * Unconditionally restore CR3. We might be returning to
1586 * kernel code that needs user CR3, like just just before
1589 ALTERNATIVE "", "popq %rax; movq %rax, %cr3", X86_FEATURE_KAISER
1592 testl %ebx, %ebx /* swapgs needed? */
1595 /* We fixed up CR3 above, so no need to switch it here */
1601 /* Point RSP at the "iret" frame. */
1602 REMOVE_PT_GPREGS_FROM_STACK 6*8
1605 * Clear "NMI executing". Set DF first so that we can easily
1606 * distinguish the remaining code between here and IRET from
1607 * the SYSCALL entry and exit paths. On a native kernel, we
1608 * could just inspect RIP, but, on paravirt kernels,
1609 * INTERRUPT_RETURN can translate into a jump into a
1613 movq $0, 5*8(%rsp) /* clear "NMI executing" */
1616 * INTERRUPT_RETURN reads the "iret" frame and exits the NMI
1617 * stack in a single instruction. We are returning to kernel
1618 * mode, so this cannot result in a fault.
1623 ENTRY(ignore_sysret)