2 * Copyright (c) 1989, 1990 William F. Jolitz.
3 * Copyright (c) 1990 The Regents of the University of California.
4 * Copyright (c) 2007-2018 The FreeBSD Foundation
7 * Portions of this software were developed by A. Joseph Koshy under
8 * sponsorship from the FreeBSD Foundation and Google, Inc.
10 * Portions of this software were developed by
11 * Konstantin Belousov <kib@FreeBSD.org> under sponsorship from
12 * the FreeBSD Foundation.
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 * 2. Redistributions in binary form must reproduce the above copyright
20 * notice, this list of conditions and the following disclaimer in the
21 * documentation and/or other materials provided with the distribution.
22 * 4. Neither the name of the University nor the names of its contributors
23 * may be used to endorse or promote products derived from this software
24 * without specific prior written permission.
26 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
41 #include "opt_atpic.h"
42 #include "opt_compat.h"
43 #include "opt_hwpmc_hooks.h"
47 #include <machine/asmacros.h>
48 #include <machine/psl.h>
49 #include <machine/trap.h>
50 #include <machine/specialreg.h>
54 .globl dtrace_invop_jump_addr
56 .type dtrace_invop_jump_addr,@object
57 .size dtrace_invop_jump_addr,8
58 dtrace_invop_jump_addr:
60 .globl dtrace_invop_calltrap_addr
62 .type dtrace_invop_calltrap_addr,@object
63 .size dtrace_invop_calltrap_addr,8
64 dtrace_invop_calltrap_addr:
69 ENTRY(start_exceptions)
72 /*****************************************************************************/
74 /*****************************************************************************/
76 * Trap and fault vector routines.
78 * All traps are 'interrupt gates', SDT_SYSIGT. An interrupt gate pushes
79 * state on the stack but also disables interrupts. This is important for
80 * us for the use of the swapgs instruction. We cannot be interrupted
81 * until the GS.base value is correct. For most traps, we automatically
82 * then enable interrupts if the interrupted context had them enabled.
83 * This is equivalent to the i386 port's use of SDT_SYS386TGT.
85 * The cpu will push a certain amount of state onto the kernel stack for
86 * the current process. See amd64/include/frame.h.
87 * This includes the current RFLAGS (status register, which includes
88 * the interrupt disable state prior to the trap), the code segment register,
89 * and the return instruction pointer are pushed by the cpu. The cpu
90 * will also push an 'error' code for certain traps. We push a dummy
91 * error code for those traps where the cpu doesn't in order to maintain
92 * a consistent frame. We also push a contrived 'trap number'.
94 * The CPU does not push the general registers, so we must do that, and we
95 * must restore them prior to calling 'iret'. The CPU adjusts %cs and %ss
96 * but does not mess with %ds, %es, %gs or %fs. We swap the %gs base for
97 * for the kernel mode operation shortly, without changes to the selector
98 * loaded. Since superuser long mode works with any selectors loaded into
99 * segment registers other then %cs, which makes them mostly unused in long
100 * mode, and kernel does not reference %fs, leave them alone. The segment
101 * registers are reloaded on return to the usermode.
107 /* Traps that we leave interrupts disabled for. */
108 .macro TRAP_NOEN l, trapno
112 X\l: subq $TF_RIP,%rsp
113 movl $\trapno,TF_TRAPNO(%rsp)
114 movq $0,TF_ADDR(%rsp)
119 TRAP_NOEN bpt, T_BPTFLT
121 TRAP_NOEN dtrace_ret, T_DTRACE_RET
124 /* Regular traps; The cpu does not supply tf_err for these. */
125 .macro TRAP l, trapno
131 movl $\trapno,TF_TRAPNO(%rsp)
132 movq $0,TF_ADDR(%rsp)
140 TRAP ill, T_PRIVINFLT
142 TRAP fpusegm, T_FPOPFLT
143 TRAP rsvd, T_RESERVED
144 TRAP fpu, T_ARITHTRAP
147 /* This group of traps have tf_err already pushed by the cpu. */
148 .macro TRAP_ERR l, trapno
149 PTI_ENTRY \l,X\l,has_err=1
154 movl $\trapno,TF_TRAPNO(%rsp)
155 movq $0,TF_ADDR(%rsp)
159 TRAP_ERR tss, T_TSSFLT
160 TRAP_ERR align, T_ALIGNFLT
163 * alltraps entry point. Use swapgs if this is the first time in the
164 * kernel from userland. Reenable interrupts if they were enabled
165 * before the trap. This approximates SDT_SYS386TGT on the i386 port.
169 .type alltraps,@function
171 movq %rdi,TF_RDI(%rsp)
172 testb $SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */
173 jz 1f /* already running with kernel GS.base */
175 movq PCPU(CURPCB),%rdi
176 andl $~PCB_FULL_IRET,PCB_FLAGS(%rdi)
178 movq %rdx,TF_RDX(%rsp)
179 movq %rax,TF_RAX(%rsp)
180 movq %rcx,TF_RCX(%rsp)
181 testb $SEL_RPL_MASK,TF_CS(%rsp)
183 call handle_ibrs_entry
184 2: testl $PSL_I,TF_RFLAGS(%rsp)
185 jz alltraps_pushregs_no_rax
187 alltraps_pushregs_no_rax:
188 movq %rsi,TF_RSI(%rsp)
191 movq %rbx,TF_RBX(%rsp)
192 movq %rbp,TF_RBP(%rsp)
193 movq %r10,TF_R10(%rsp)
194 movq %r11,TF_R11(%rsp)
195 movq %r12,TF_R12(%rsp)
196 movq %r13,TF_R13(%rsp)
197 movq %r14,TF_R14(%rsp)
198 movq %r15,TF_R15(%rsp)
199 movl $TF_HASSEGS,TF_FLAGS(%rsp)
201 FAKE_MCOUNT(TF_RIP(%rsp))
204 * DTrace Function Boundary Trace (fbt) probes are triggered
205 * by int3 (0xcc) which causes the #BP (T_BPTFLT) breakpoint
206 * interrupt. For all other trap types, just handle them in
209 testb $SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */
210 jnz calltrap /* ignore userland traps */
211 cmpl $T_BPTFLT,TF_TRAPNO(%rsp)
214 /* Check if there is no DTrace hook registered. */
215 cmpq $0,dtrace_invop_jump_addr
219 * Set our jump address for the jump back in the event that
220 * the breakpoint wasn't caused by DTrace at all.
222 movq $calltrap,dtrace_invop_calltrap_addr(%rip)
224 /* Jump to the code hooked in by DTrace. */
225 jmpq *dtrace_invop_jump_addr
228 .type calltrap,@function
233 jmp doreti /* Handle any pending ASTs */
236 * alltraps_noen entry point. Unlike alltraps above, we want to
237 * leave the interrupts disabled. This corresponds to
238 * SDT_SYS386IGT on the i386 port.
242 .type alltraps_noen,@function
244 movq %rdi,TF_RDI(%rsp)
245 testb $SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */
246 jz 1f /* already running with kernel GS.base */
248 movq PCPU(CURPCB),%rdi
249 andl $~PCB_FULL_IRET,PCB_FLAGS(%rdi)
251 movq %rdx,TF_RDX(%rsp)
252 movq %rax,TF_RAX(%rsp)
253 movq %rcx,TF_RCX(%rsp)
254 testb $SEL_RPL_MASK,TF_CS(%rsp)
255 jz alltraps_pushregs_no_rax
256 call handle_ibrs_entry
257 jmp alltraps_pushregs_no_rax
261 movl $T_DOUBLEFLT,TF_TRAPNO(%rsp)
262 movq $0,TF_ADDR(%rsp)
264 movq %rdi,TF_RDI(%rsp)
265 movq %rsi,TF_RSI(%rsp)
266 movq %rdx,TF_RDX(%rsp)
267 movq %rcx,TF_RCX(%rsp)
270 movq %rax,TF_RAX(%rsp)
271 movq %rbx,TF_RBX(%rsp)
272 movq %rbp,TF_RBP(%rsp)
273 movq %r10,TF_R10(%rsp)
274 movq %r11,TF_R11(%rsp)
275 movq %r12,TF_R12(%rsp)
276 movq %r13,TF_R13(%rsp)
277 movq %r14,TF_R14(%rsp)
278 movq %r15,TF_R15(%rsp)
280 movl $TF_HASSEGS,TF_FLAGS(%rsp)
282 testb $SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */
283 jz 1f /* already running with kernel GS.base */
291 call dblfault_handler
297 testb $SEL_RPL_MASK,PTI_CS-2*8(%rsp)
303 movq %rax,PCPU(SAVED_UCR3)
304 PTI_UUENTRY has_err=1
306 movq %rdi,TF_RDI(%rsp)
307 movq %rax,TF_RAX(%rsp)
308 movq %rdx,TF_RDX(%rsp)
309 movq %rcx,TF_RCX(%rsp)
313 movq %rdi,TF_RDI(%rsp) /* free up GP registers */
314 movq %rax,TF_RAX(%rsp)
315 movq %rdx,TF_RDX(%rsp)
316 movq %rcx,TF_RCX(%rsp)
317 testb $SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */
318 jz page_cr2 /* already running with kernel GS.base */
320 page_u: movq PCPU(CURPCB),%rdi
321 andl $~PCB_FULL_IRET,PCB_FLAGS(%rdi)
322 movq PCPU(SAVED_UCR3),%rax
323 movq %rax,PCB_SAVED_UCR3(%rdi)
324 call handle_ibrs_entry
326 movq %cr2,%rdi /* preserve %cr2 before .. */
327 movq %rdi,TF_ADDR(%rsp) /* enabling interrupts. */
329 movl $T_PAGEFLT,TF_TRAPNO(%rsp)
330 testl $PSL_I,TF_RFLAGS(%rsp)
331 jz alltraps_pushregs_no_rax
333 jmp alltraps_pushregs_no_rax
336 * We have to special-case this one. If we get a trap in doreti() at
337 * the iretq stage, we'll reenter with the wrong gs state. We'll have
338 * to do a special the swapgs in this case even coming from the kernel.
339 * XXX linux has a trap handler for their equivalent of load_gs().
341 * On the stack, we have the hardware interrupt frame to return
342 * to usermode (faulted) and another frame with error code, for
343 * fault. For PTI, copy both frames to the main thread stack.
345 .macro PROTF_ENTRY name,trapno
353 subq $2*PTI_SIZE-3*8,%rax /* no err, %rax, %rdx in faulted frame */
354 MOVE_STACKS (PTI_SIZE / 4 - 3)
361 cmpq $doreti_iret,PTI_RIP-2*8(%rsp)
362 je \name\()_pti_doreti
363 testb $SEL_RPL_MASK,PTI_CS-2*8(%rsp) /* %rax, %rdx not yet pushed */
369 movl $\trapno,TF_TRAPNO(%rsp)
373 PROTF_ENTRY missing, T_SEGNPFLT
374 PROTF_ENTRY stk, T_STKFLT
375 PROTF_ENTRY prot, T_PROTFLT
378 movq $0,TF_ADDR(%rsp)
379 movq %rdi,TF_RDI(%rsp) /* free up a GP register */
380 movq %rax,TF_RAX(%rsp)
381 movq %rdx,TF_RDX(%rsp)
382 movq %rcx,TF_RCX(%rsp)
385 leaq doreti_iret(%rip),%rdi
386 cmpq %rdi,TF_RIP(%rsp)
387 je 5f /* kernel but with user gsbase!! */
388 testb $SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */
389 jz 6f /* already running with kernel GS.base */
390 testb $CPUID_STDEXT_FSGSBASE,cpu_stdext_feature(%rip)
392 cmpw $KUF32SEL,TF_FS(%rsp)
395 1: cmpw $KUG32SEL,TF_GS(%rsp)
399 movq PCPU(CURPCB),%rdi
400 testb $CPUID_STDEXT_FSGSBASE,cpu_stdext_feature(%rip)
402 cmpw $KUF32SEL,TF_FS(%rsp)
404 movq %rax,PCB_FSBASE(%rdi)
405 3: cmpw $KUG32SEL,TF_GS(%rsp)
407 movq %rdx,PCB_GSBASE(%rdi)
408 4: call handle_ibrs_entry
409 orl $PCB_FULL_IRET,PCB_FLAGS(%rdi) /* always full iret from GPF */
412 testl $PSL_I,TF_RFLAGS(%rsp)
413 jz alltraps_pushregs_no_rax
415 jmp alltraps_pushregs_no_rax
418 6: movq PCPU(CURPCB),%rdi
422 * Fast syscall entry point. We enter here with just our new %cs/%ss set,
423 * and the new privilige level. We are still running on the old user stack
424 * pointer. We have to juggle a few things around to find our stack etc.
425 * swapgs gives us access to our PCPU space only.
427 * We do not support invoking this from a custom segment registers,
428 * esp. %cs, %ss, %fs, %gs, e.g. using entries from an LDT.
431 IDTVEC(fast_syscall_pti)
433 movq %rax,PCPU(SCRATCH_RAX)
436 jmp fast_syscall_common
440 movq %rax,PCPU(SCRATCH_RAX)
442 movq %rsp,PCPU(SCRATCH_RSP)
444 /* Now emulate a trapframe. Make the 8 byte alignment odd for call. */
446 /* defer TF_RSP till we have a spare register */
447 movq %r11,TF_RFLAGS(%rsp)
448 movq %rcx,TF_RIP(%rsp) /* %rcx original value is in %r10 */
449 movq PCPU(SCRATCH_RSP),%r11 /* %r11 already saved */
450 movq %r11,TF_RSP(%rsp) /* user stack pointer */
451 movq PCPU(SCRATCH_RAX),%rax
452 movq %rax,TF_RAX(%rsp) /* syscall number */
453 movq %rdx,TF_RDX(%rsp) /* arg 3 */
455 call handle_ibrs_entry
456 movq PCPU(CURPCB),%r11
457 andl $~PCB_FULL_IRET,PCB_FLAGS(%r11)
459 movq $KUDSEL,TF_SS(%rsp)
460 movq $KUCSEL,TF_CS(%rsp)
462 movq %rdi,TF_RDI(%rsp) /* arg 1 */
463 movq %rsi,TF_RSI(%rsp) /* arg 2 */
464 movq %r10,TF_RCX(%rsp) /* arg 4 */
465 movq %r8,TF_R8(%rsp) /* arg 5 */
466 movq %r9,TF_R9(%rsp) /* arg 6 */
467 movq %rbx,TF_RBX(%rsp) /* C preserved */
468 movq %rbp,TF_RBP(%rsp) /* C preserved */
469 movq %r12,TF_R12(%rsp) /* C preserved */
470 movq %r13,TF_R13(%rsp) /* C preserved */
471 movq %r14,TF_R14(%rsp) /* C preserved */
472 movq %r15,TF_R15(%rsp) /* C preserved */
473 movl $TF_HASSEGS,TF_FLAGS(%rsp)
474 FAKE_MCOUNT(TF_RIP(%rsp))
475 movq PCPU(CURTHREAD),%rdi
476 movq %rsp,TD_FRAME(%rdi)
477 movl TF_RFLAGS(%rsp),%esi
480 1: movq PCPU(CURPCB),%rax
481 /* Disable interrupts before testing PCB_FULL_IRET. */
483 testl $PCB_FULL_IRET,PCB_FLAGS(%rax)
485 /* Check for and handle AST's on return to userland. */
486 movq PCPU(CURTHREAD),%rax
487 testl $TDF_ASTPENDING | TDF_NEEDRESCHED,TD_FLAGS(%rax)
489 call handle_ibrs_exit
491 /* Restore preserved registers. */
493 movq TF_RDI(%rsp),%rdi /* bonus; preserve arg 1 */
494 movq TF_RSI(%rsp),%rsi /* bonus: preserve arg 2 */
495 movq TF_RDX(%rsp),%rdx /* return value 2 */
496 movq TF_RAX(%rsp),%rax /* return value 1 */
497 movq TF_RFLAGS(%rsp),%r11 /* original %rflags */
498 movq TF_RIP(%rsp),%rcx /* original %rip */
499 movq TF_RSP(%rsp),%rsp /* user stack pointer */
500 xorl %r8d,%r8d /* zero the rest of GPRs */
510 3: /* AST scheduled. */
516 4: /* Requested full context restore, use doreti for that. */
521 * Here for CYA insurance, in case a "syscall" instruction gets
522 * issued from 32 bit compatibility mode. MSR_CSTAR has to point
523 * to *something* if EFER_SCE is enabled.
525 IDTVEC(fast_syscall32)
529 * DB# handler is very similar to NM#, because 'mov/pop %ss' delay
530 * generation of exception until the next instruction is executed,
531 * which might be a kernel entry. So we must execute the handler
532 * on IST stack and be ready for non-kernel GSBASE.
536 movl $(T_TRCTRAP),TF_TRAPNO(%rsp)
537 movq $0,TF_ADDR(%rsp)
539 movq %rdi,TF_RDI(%rsp)
540 movq %rsi,TF_RSI(%rsp)
541 movq %rdx,TF_RDX(%rsp)
542 movq %rcx,TF_RCX(%rsp)
545 movq %rax,TF_RAX(%rsp)
546 movq %rbx,TF_RBX(%rsp)
547 movq %rbp,TF_RBP(%rsp)
548 movq %r10,TF_R10(%rsp)
549 movq %r11,TF_R11(%rsp)
550 movq %r12,TF_R12(%rsp)
551 movq %r13,TF_R13(%rsp)
552 movq %r14,TF_R14(%rsp)
553 movq %r15,TF_R15(%rsp)
555 movl $TF_HASSEGS,TF_FLAGS(%rsp)
557 testb $SEL_RPL_MASK,TF_CS(%rsp)
558 jnz dbg_fromuserspace
560 * We've interrupted the kernel. Preserve GS.base in %r12,
561 * %cr3 in %r13, and possibly lower half of MSR_IA32_SPEC_CTL in %r14d.
563 movl $MSR_GSBASE,%ecx
568 /* Retrieve and load the canonical value for GS.base. */
569 movq TF_SIZE(%rsp),%rdx
578 1: testl $CPUID_STDEXT3_IBPB,cpu_stdext_feature3(%rip)
580 movl $MSR_IA32_SPEC_CTRL,%ecx
583 call handle_ibrs_entry
584 2: FAKE_MCOUNT(TF_RIP(%rsp))
588 testl $CPUID_STDEXT3_IBPB,cpu_stdext_feature3(%rip)
592 movl $MSR_IA32_SPEC_CTRL,%ecx
595 * Put back the preserved MSR_GSBASE value.
597 3: movl $MSR_GSBASE,%ecx
608 * Switch to kernel GSBASE and kernel page table, and copy frame
609 * from the IST stack to the normal kernel stack, since trap()
610 * re-enables interrupts, and since we might trap on DB# while
618 1: movq PCPU(RSP0),%rax
625 call handle_ibrs_entry
626 movq PCPU(CURPCB),%rdi
627 orl $PCB_FULL_IRET,PCB_FLAGS(%rdi)
628 testb $CPUID_STDEXT_FSGSBASE,cpu_stdext_feature(%rip)
630 cmpw $KUF32SEL,TF_FS(%rsp)
633 movq %rax,PCB_FSBASE(%rdi)
634 2: cmpw $KUG32SEL,TF_GS(%rsp)
636 movl $MSR_KGSBASE,%ecx
640 movq %rax,PCB_GSBASE(%rdi)
644 * NMI handling is special.
646 * First, NMIs do not respect the state of the processor's RFLAGS.IF
647 * bit. The NMI handler may be entered at any time, including when
648 * the processor is in a critical section with RFLAGS.IF == 0.
649 * The processor's GS.base value could be invalid on entry to the
652 * Second, the processor treats NMIs specially, blocking further NMIs
653 * until an 'iretq' instruction is executed. We thus need to execute
654 * the NMI handler with interrupts disabled, to prevent a nested interrupt
655 * from executing an 'iretq' instruction and inadvertently taking the
656 * processor out of NMI mode.
658 * Third, the NMI handler runs on its own stack (tss_ist2). The canonical
659 * GS.base value for the processor is stored just above the bottom of its
660 * NMI stack. For NMIs taken from kernel mode, the current value in
661 * the processor's GS.base is saved at entry to C-preserved register %r12,
662 * the canonical value for GS.base is then loaded into the processor, and
663 * the saved value is restored at exit time. For NMIs taken from user mode,
664 * the cheaper 'SWAPGS' instructions are used for swapping GS.base.
669 movl $(T_NMI),TF_TRAPNO(%rsp)
670 movq $0,TF_ADDR(%rsp)
672 movq %rdi,TF_RDI(%rsp)
673 movq %rsi,TF_RSI(%rsp)
674 movq %rdx,TF_RDX(%rsp)
675 movq %rcx,TF_RCX(%rsp)
678 movq %rax,TF_RAX(%rsp)
679 movq %rbx,TF_RBX(%rsp)
680 movq %rbp,TF_RBP(%rsp)
681 movq %r10,TF_R10(%rsp)
682 movq %r11,TF_R11(%rsp)
683 movq %r12,TF_R12(%rsp)
684 movq %r13,TF_R13(%rsp)
685 movq %r14,TF_R14(%rsp)
686 movq %r15,TF_R15(%rsp)
688 movl $TF_HASSEGS,TF_FLAGS(%rsp)
691 testb $SEL_RPL_MASK,TF_CS(%rsp)
692 jnz nmi_fromuserspace
694 * We've interrupted the kernel. Preserve GS.base in %r12,
695 * %cr3 in %r13, and possibly lower half of MSR_IA32_SPEC_CTL in %r14d.
697 movl $MSR_GSBASE,%ecx
702 /* Retrieve and load the canonical value for GS.base. */
703 movq TF_SIZE(%rsp),%rdx
712 1: testl $CPUID_STDEXT3_IBPB,cpu_stdext_feature3(%rip)
714 movl $MSR_IA32_SPEC_CTRL,%ecx
717 call handle_ibrs_entry
727 1: call handle_ibrs_entry
728 movq PCPU(CURPCB),%rdi
731 orl $PCB_FULL_IRET,PCB_FLAGS(%rdi)
732 testb $CPUID_STDEXT_FSGSBASE,cpu_stdext_feature(%rip)
734 cmpw $KUF32SEL,TF_FS(%rsp)
737 movq %rax,PCB_FSBASE(%rdi)
738 2: cmpw $KUG32SEL,TF_GS(%rsp)
740 movl $MSR_KGSBASE,%ecx
744 movq %rax,PCB_GSBASE(%rdi)
746 /* Note: this label is also used by ddb and gdb: */
748 FAKE_MCOUNT(TF_RIP(%rsp))
754 * Capture a userspace callchain if needed.
756 * - Check if the current trap was from user mode.
757 * - Check if the current thread is valid.
758 * - Check if the thread requires a user call chain to be
761 * We are still in NMI mode at this point.
764 jz nocallchain /* not from userspace */
765 movq PCPU(CURTHREAD),%rax
766 orq %rax,%rax /* curthread present? */
769 * Move execution to the regular kernel stack, because we
770 * committed to return through doreti.
772 movq %rsp,%rsi /* source stack pointer */
776 movq %rdx,%rdi /* destination stack pointer */
777 shrq $3,%rcx /* trap frame size in long words */
780 movsq /* copy trapframe */
781 movq %rdx,%rsp /* we are on the regular kstack */
783 testl $TDP_CALLCHAIN,TD_PFLAGS(%rax) /* flagged for capture? */
786 * A user callchain is to be captured, so:
787 * - Take the processor out of "NMI" mode by faking an "iret",
788 * to allow for nested NMI interrupts.
789 * - Enable interrupts, so that copyin() can work.
792 pushq %rax /* tf_ss */
793 pushq %rdx /* tf_rsp (on kernel stack) */
794 pushfq /* tf_rflags */
796 pushq %rax /* tf_cs */
797 pushq $outofnmi /* tf_rip */
801 * At this point the processor has exited NMI mode and is running
802 * with interrupts turned off on the normal kernel stack.
804 * If a pending NMI gets recognized at or after this point, it
805 * will cause a kernel callchain to be traced.
807 * We turn interrupts back on, and call the user callchain capture hook.
812 movq PCPU(CURTHREAD),%rdi /* thread */
813 movq $PMC_FN_USER_CALLCHAIN,%rsi /* command */
814 movq %rsp,%rdx /* frame */
820 testl %ebx,%ebx /* %ebx == 0 => return to userland */
823 * Restore speculation control MSR, if preserved.
825 testl $CPUID_STDEXT3_IBPB,cpu_stdext_feature3(%rip)
829 movl $MSR_IA32_SPEC_CTRL,%ecx
832 * Put back the preserved MSR_GSBASE value.
834 1: movl $MSR_GSBASE,%ecx
845 * MC# handling is similar to NMI.
847 * As with NMIs, machine check exceptions do not respect RFLAGS.IF and
848 * can occur at any time with a GS.base value that does not correspond
849 * to the privilege level in CS.
851 * Machine checks are not unblocked by iretq, but it is best to run
852 * the handler with interrupts disabled since the exception may have
853 * interrupted a critical section.
855 * The MC# handler runs on its own stack (tss_ist3). The canonical
856 * GS.base value for the processor is stored just above the bottom of
857 * its MC# stack. For exceptions taken from kernel mode, the current
858 * value in the processor's GS.base is saved at entry to C-preserved
859 * register %r12, the canonical value for GS.base is then loaded into
860 * the processor, and the saved value is restored at exit time. For
861 * exceptions taken from user mode, the cheaper 'SWAPGS' instructions
862 * are used for swapping GS.base.
867 movl $(T_MCHK),TF_TRAPNO(%rsp)
868 movq $0,TF_ADDR(%rsp)
870 movq %rdi,TF_RDI(%rsp)
871 movq %rsi,TF_RSI(%rsp)
872 movq %rdx,TF_RDX(%rsp)
873 movq %rcx,TF_RCX(%rsp)
876 movq %rax,TF_RAX(%rsp)
877 movq %rbx,TF_RBX(%rsp)
878 movq %rbp,TF_RBP(%rsp)
879 movq %r10,TF_R10(%rsp)
880 movq %r11,TF_R11(%rsp)
881 movq %r12,TF_R12(%rsp)
882 movq %r13,TF_R13(%rsp)
883 movq %r14,TF_R14(%rsp)
884 movq %r15,TF_R15(%rsp)
886 movl $TF_HASSEGS,TF_FLAGS(%rsp)
889 testb $SEL_RPL_MASK,TF_CS(%rsp)
890 jnz mchk_fromuserspace
892 * We've interrupted the kernel. Preserve GS.base in %r12,
893 * %cr3 in %r13, and possibly lower half of MSR_IA32_SPEC_CTL in %r14d.
895 movl $MSR_GSBASE,%ecx
900 /* Retrieve and load the canonical value for GS.base. */
901 movq TF_SIZE(%rsp),%rdx
910 1: testl $CPUID_STDEXT3_IBPB,cpu_stdext_feature3(%rip)
912 movl $MSR_IA32_SPEC_CTRL,%ecx
915 call handle_ibrs_entry
925 1: call handle_ibrs_entry
926 /* Note: this label is also used by ddb and gdb: */
928 FAKE_MCOUNT(TF_RIP(%rsp))
932 testl %ebx,%ebx /* %ebx == 0 => return to userland */
935 * Restore speculation control MSR, if preserved.
937 testl $CPUID_STDEXT3_IBPB,cpu_stdext_feature3(%rip)
941 movl $MSR_IA32_SPEC_CTRL,%ecx
944 * Put back the preserved MSR_GSBASE value.
946 1: movl $MSR_GSBASE,%ecx
956 ENTRY(fork_trampoline)
957 movq %r12,%rdi /* function */
958 movq %rbx,%rsi /* arg1 */
959 movq %rsp,%rdx /* trapframe pointer */
962 jmp doreti /* Handle any ASTs */
965 * To efficiently implement classification of trap and interrupt handlers
966 * for profiling, there must be only trap handlers between the labels btrap
967 * and bintr, and only interrupt handlers between the labels bintr and
968 * eintr. This is implemented (partly) by including files that contain
969 * some of the handlers. Before including the files, set up a normal asm
970 * environment so that the included files doen't need to know that they are
974 #ifdef COMPAT_FREEBSD32
980 #include <amd64/ia32/ia32_exception.S>
989 #include <amd64/amd64/apic_vector.S>
997 #include <amd64/amd64/atpic_vector.S>
1004 * void doreti(struct trapframe)
1006 * Handle return from interrupts, traps and syscalls.
1010 .type doreti,@function
1013 FAKE_MCOUNT($bintr) /* init "from" bintr -> doreti */
1015 * Check if ASTs can be handled now.
1017 testb $SEL_RPL_MASK,TF_CS(%rsp) /* are we returning to user mode? */
1018 jz doreti_exit /* can't handle ASTs now if not */
1022 * Check for ASTs atomically with returning. Disabling CPU
1023 * interrupts provides sufficient locking even in the SMP case,
1024 * since we will be informed of any new ASTs by an IPI.
1027 movq PCPU(CURTHREAD),%rax
1028 testl $TDF_ASTPENDING | TDF_NEEDRESCHED,TD_FLAGS(%rax)
1031 movq %rsp,%rdi /* pass a pointer to the trapframe */
1036 * doreti_exit: pop registers, iret.
1038 * The segment register pop is a special case, since it may
1039 * fault if (for example) a sigreturn specifies bad segment
1040 * registers. The fault is handled in trap.c.
1044 movq PCPU(CURPCB),%r8
1047 * Do not reload segment registers for kernel.
1048 * Since we do not reload segments registers with sane
1049 * values on kernel entry, descriptors referenced by
1050 * segments registers might be not valid. This is fatal
1051 * for user mode, but is not a problem for the kernel.
1053 testb $SEL_RPL_MASK,TF_CS(%rsp)
1055 testl $PCB_FULL_IRET,PCB_FLAGS(%r8)
1057 andl $~PCB_FULL_IRET,PCB_FLAGS(%r8)
1058 testl $TF_HASSEGS,TF_FLAGS(%rsp)
1062 /* Restore %fs and fsbase */
1063 movw TF_FS(%rsp),%ax
1069 movl $MSR_FSBASE,%ecx
1070 movl PCB_FSBASE(%r8),%eax
1071 movl PCB_FSBASE+4(%r8),%edx
1076 /* Restore %gs and gsbase */
1077 movw TF_GS(%rsp),%si
1080 movl $MSR_GSBASE,%ecx
1081 /* Save current kernel %gs base into %r12d:%r13d */
1088 /* Save user %gs base into %r14d:%r15d */
1092 /* Restore kernel %gs base */
1098 * Restore user %gs base, either from PCB if used for TLS, or
1099 * from the previously saved msr read.
1101 movl $MSR_KGSBASE,%ecx
1104 movl PCB_GSBASE(%r8),%eax
1105 movl PCB_GSBASE+4(%r8),%edx
1112 wrmsr /* May trap if non-canonical, but only for TLS. */
1115 movw TF_ES(%rsp),%es
1118 movw TF_DS(%rsp),%ds
1121 testb $SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */
1122 jz 2f /* keep running with kernel GS.base */
1124 call handle_ibrs_exit_rs
1129 movq PCPU(PRVSPACE),%rdx
1130 addq $PC_PTI_STACK+PC_PTI_STACK_SZ*8-PTI_SIZE,%rdx
1131 movq %rax,PTI_RAX(%rdx)
1133 movq %rax,PTI_RDX(%rdx)
1134 movq TF_RIP(%rsp),%rax
1135 movq %rax,PTI_RIP(%rdx)
1136 movq TF_CS(%rsp),%rax
1137 movq %rax,PTI_CS(%rdx)
1138 movq TF_RFLAGS(%rsp),%rax
1139 movq %rax,PTI_RFLAGS(%rdx)
1140 movq TF_RSP(%rsp),%rax
1141 movq %rax,PTI_RSP(%rdx)
1142 movq TF_SS(%rsp),%rax
1143 movq %rax,PTI_SS(%rdx)
1144 movq PCPU(UCR3),%rax
1153 2: addq $TF_RIP,%rsp
1160 movw %ax,TF_DS(%rsp)
1161 movw %ax,TF_ES(%rsp)
1162 movw $KUF32SEL,TF_FS(%rsp)
1163 movw $KUG32SEL,TF_GS(%rsp)
1167 * doreti_iret_fault. Alternative return code for
1168 * the case where we get a fault in the doreti_exit code
1169 * above. trap() (amd64/amd64/trap.c) catches this specific
1170 * case, sends the process a signal and continues in the
1171 * corresponding place in the code below.
1174 .globl doreti_iret_fault
1176 subq $TF_RIP,%rsp /* space including tf_err, tf_trapno */
1177 movq %rax,TF_RAX(%rsp)
1178 movq %rdx,TF_RDX(%rsp)
1179 movq %rcx,TF_RCX(%rsp)
1180 call handle_ibrs_entry
1181 testb $SEL_RPL_MASK,TF_CS(%rsp)
1186 movl $TF_HASSEGS,TF_FLAGS(%rsp)
1187 movq %rdi,TF_RDI(%rsp)
1188 movq %rsi,TF_RSI(%rsp)
1189 movq %r8,TF_R8(%rsp)
1190 movq %r9,TF_R9(%rsp)
1191 movq %rbx,TF_RBX(%rsp)
1192 movq %rbp,TF_RBP(%rsp)
1193 movq %r10,TF_R10(%rsp)
1194 movq %r11,TF_R11(%rsp)
1195 movq %r12,TF_R12(%rsp)
1196 movq %r13,TF_R13(%rsp)
1197 movq %r14,TF_R14(%rsp)
1198 movq %r15,TF_R15(%rsp)
1199 movl $T_PROTFLT,TF_TRAPNO(%rsp)
1200 movq $0,TF_ERR(%rsp) /* XXX should be the error code */
1201 movq $0,TF_ADDR(%rsp)
1202 FAKE_MCOUNT(TF_RIP(%rsp))
1206 .globl ds_load_fault
1208 movl $T_PROTFLT,TF_TRAPNO(%rsp)
1209 testb $SEL_RPL_MASK,TF_CS(%rsp)
1215 movw $KUDSEL,TF_DS(%rsp)
1219 .globl es_load_fault
1221 movl $T_PROTFLT,TF_TRAPNO(%rsp)
1222 testl $PSL_I,TF_RFLAGS(%rsp)
1228 movw $KUDSEL,TF_ES(%rsp)
1232 .globl fs_load_fault
1234 testl $PSL_I,TF_RFLAGS(%rsp)
1238 movl $T_PROTFLT,TF_TRAPNO(%rsp)
1241 movw $KUF32SEL,TF_FS(%rsp)
1245 .globl gs_load_fault
1248 movl $T_PROTFLT,TF_TRAPNO(%rsp)
1249 testl $PSL_I,TF_RFLAGS(%rsp)
1255 movw $KUG32SEL,TF_GS(%rsp)
1259 .globl fsbase_load_fault
1261 movl $T_PROTFLT,TF_TRAPNO(%rsp)
1262 testl $PSL_I,TF_RFLAGS(%rsp)
1268 movq PCPU(CURTHREAD),%r8
1269 movq TD_PCB(%r8),%r8
1270 movq $0,PCB_FSBASE(%r8)
1274 .globl gsbase_load_fault
1276 movl $T_PROTFLT,TF_TRAPNO(%rsp)
1277 testl $PSL_I,TF_RFLAGS(%rsp)
1283 movq PCPU(CURTHREAD),%r8
1284 movq TD_PCB(%r8),%r8
1285 movq $0,PCB_GSBASE(%r8)
1289 ENTRY(end_exceptions)
projects / FreeBSD / FreeBSD.git / blob