/* SPDX-License-Identifier: GPL-2.0 */1#include <linux/linkage.h>2#include <asm/asm.h>3#include <asm/bitsperlong.h>4#include <asm/kvm_vcpu_regs.h>5#include <asm/nospec-branch.h>6#include <asm/percpu.h>7#include <asm/segment.h>8#include "kvm-asm-offsets.h"9#include "run_flags.h"1011#define WORD_SIZE (BITS_PER_LONG / 8)1213#define VCPU_RAX __VCPU_REGS_RAX * WORD_SIZE14#define VCPU_RCX __VCPU_REGS_RCX * WORD_SIZE15#define VCPU_RDX __VCPU_REGS_RDX * WORD_SIZE16#define VCPU_RBX __VCPU_REGS_RBX * WORD_SIZE17/* Intentionally omit RSP as it's context switched by hardware */18#define VCPU_RBP __VCPU_REGS_RBP * WORD_SIZE19#define VCPU_RSI __VCPU_REGS_RSI * WORD_SIZE20#define VCPU_RDI __VCPU_REGS_RDI * WORD_SIZE2122#ifdef CONFIG_X86_6423#define VCPU_R8 __VCPU_REGS_R8 * WORD_SIZE24#define VCPU_R9 __VCPU_REGS_R9 * WORD_SIZE25#define VCPU_R10 __VCPU_REGS_R10 * WORD_SIZE26#define VCPU_R11 __VCPU_REGS_R11 * WORD_SIZE27#define VCPU_R12 __VCPU_REGS_R12 * WORD_SIZE28#define VCPU_R13 __VCPU_REGS_R13 * WORD_SIZE29#define VCPU_R14 __VCPU_REGS_R14 * WORD_SIZE30#define VCPU_R15 __VCPU_REGS_R15 * WORD_SIZE31#endif3233.macro VMX_DO_EVENT_IRQOFF call_insn call_target34/*35* Unconditionally create a stack frame, getting the correct RSP on the36* stack (for x86-64) would take two instructions anyways, and RBP can37* be used to restore RSP to make objtool happy (see below).38*/39push %_ASM_BP40mov %_ASM_SP, %_ASM_BP4142#ifdef CONFIG_X86_6443/*44* Align RSP to a 16-byte boundary (to emulate CPU behavior) before45* creating the synthetic interrupt stack frame for the IRQ/NMI.46*/47and $-16, %rsp48push $__KERNEL_DS49push %rbp50#endif51pushf52push $__KERNEL_CS53\call_insn \call_target5455/*56* "Restore" RSP from RBP, even though IRET has already unwound RSP to57* the correct value. objtool doesn't know the callee will IRET and,58* without the explicit restore, thinks the stack is getting walloped.59* Using an unwind hint is problematic due to x86-64's dynamic alignment.60*/61leave62RET63.endm6465.section .noinstr.text, "ax"6667/**68* __vmx_vcpu_run - Run a vCPU via a transition to VMX guest mode69* @vmx: struct vcpu_vmx *70* @regs: unsigned long * (to guest registers)71* @flags: VMX_RUN_VMRESUME: use VMRESUME instead of VMLAUNCH72* VMX_RUN_SAVE_SPEC_CTRL: save guest SPEC_CTRL into vmx->spec_ctrl73*74* Returns:75* 0 on VM-Exit, 1 on VM-Fail76*/77SYM_FUNC_START(__vmx_vcpu_run)78push %_ASM_BP79mov %_ASM_SP, %_ASM_BP80#ifdef CONFIG_X86_6481push %r1582push %r1483push %r1384push %r1285#else86push %edi87push %esi88#endif89push %_ASM_BX9091/* Save @vmx for SPEC_CTRL handling */92push %_ASM_ARG19394/* Save @flags for SPEC_CTRL handling */95push %_ASM_ARG39697/*98* Save @regs, _ASM_ARG2 may be modified by vmx_update_host_rsp() and99* @regs is needed after VM-Exit to save the guest's register values.100*/101push %_ASM_ARG2102103/* Copy @flags to EBX, _ASM_ARG3 is volatile. */104mov %_ASM_ARG3L, %ebx105106lea (%_ASM_SP), %_ASM_ARG2107call vmx_update_host_rsp108109ALTERNATIVE "jmp .Lspec_ctrl_done", "", X86_FEATURE_MSR_SPEC_CTRL110111/*112* SPEC_CTRL handling: if the guest's SPEC_CTRL value differs from the113* host's, write the MSR.114*115* IMPORTANT: To avoid RSB underflow attacks and any other nastiness,116* there must not be any returns or indirect branches between this code117* and vmentry.118*/119mov 2*WORD_SIZE(%_ASM_SP), %_ASM_DI120movl VMX_spec_ctrl(%_ASM_DI), %edi121movl PER_CPU_VAR(x86_spec_ctrl_current), %esi122cmp %edi, %esi123je .Lspec_ctrl_done124mov $MSR_IA32_SPEC_CTRL, %ecx125xor %edx, %edx126mov %edi, %eax127wrmsr128129.Lspec_ctrl_done:130131/*132* Since vmentry is serializing on affected CPUs, there's no need for133* an LFENCE to stop speculation from skipping the wrmsr.134*/135136/* Load @regs to RAX. */137mov (%_ASM_SP), %_ASM_AX138139/* Check if vmlaunch or vmresume is needed */140bt $VMX_RUN_VMRESUME_SHIFT, %ebx141142/* Load guest registers. Don't clobber flags. */143mov VCPU_RCX(%_ASM_AX), %_ASM_CX144mov VCPU_RDX(%_ASM_AX), %_ASM_DX145mov VCPU_RBX(%_ASM_AX), %_ASM_BX146mov VCPU_RBP(%_ASM_AX), %_ASM_BP147mov VCPU_RSI(%_ASM_AX), %_ASM_SI148mov VCPU_RDI(%_ASM_AX), %_ASM_DI149#ifdef CONFIG_X86_64150mov VCPU_R8 (%_ASM_AX), %r8151mov VCPU_R9 (%_ASM_AX), %r9152mov VCPU_R10(%_ASM_AX), %r10153mov VCPU_R11(%_ASM_AX), %r11154mov VCPU_R12(%_ASM_AX), %r12155mov VCPU_R13(%_ASM_AX), %r13156mov VCPU_R14(%_ASM_AX), %r14157mov VCPU_R15(%_ASM_AX), %r15158#endif159/* Load guest RAX. This kills the @regs pointer! */160mov VCPU_RAX(%_ASM_AX), %_ASM_AX161162/* Clobbers EFLAGS.ZF */163CLEAR_CPU_BUFFERS164165/* Check EFLAGS.CF from the VMX_RUN_VMRESUME bit test above. */166jnc .Lvmlaunch167168/*169* After a successful VMRESUME/VMLAUNCH, control flow "magically"170* resumes below at 'vmx_vmexit' due to the VMCS HOST_RIP setting.171* So this isn't a typical function and objtool needs to be told to172* save the unwind state here and restore it below.173*/174UNWIND_HINT_SAVE175176/*177* If VMRESUME/VMLAUNCH and corresponding vmexit succeed, execution resumes at178* the 'vmx_vmexit' label below.179*/180.Lvmresume:181vmresume182jmp .Lvmfail183184.Lvmlaunch:185vmlaunch186jmp .Lvmfail187188_ASM_EXTABLE(.Lvmresume, .Lfixup)189_ASM_EXTABLE(.Lvmlaunch, .Lfixup)190191SYM_INNER_LABEL_ALIGN(vmx_vmexit, SYM_L_GLOBAL)192193/* Restore unwind state from before the VMRESUME/VMLAUNCH. */194UNWIND_HINT_RESTORE195ENDBR196197/* Temporarily save guest's RAX. */198push %_ASM_AX199200/* Reload @regs to RAX. */201mov WORD_SIZE(%_ASM_SP), %_ASM_AX202203/* Save all guest registers, including RAX from the stack */204pop VCPU_RAX(%_ASM_AX)205mov %_ASM_CX, VCPU_RCX(%_ASM_AX)206mov %_ASM_DX, VCPU_RDX(%_ASM_AX)207mov %_ASM_BX, VCPU_RBX(%_ASM_AX)208mov %_ASM_BP, VCPU_RBP(%_ASM_AX)209mov %_ASM_SI, VCPU_RSI(%_ASM_AX)210mov %_ASM_DI, VCPU_RDI(%_ASM_AX)211#ifdef CONFIG_X86_64212mov %r8, VCPU_R8 (%_ASM_AX)213mov %r9, VCPU_R9 (%_ASM_AX)214mov %r10, VCPU_R10(%_ASM_AX)215mov %r11, VCPU_R11(%_ASM_AX)216mov %r12, VCPU_R12(%_ASM_AX)217mov %r13, VCPU_R13(%_ASM_AX)218mov %r14, VCPU_R14(%_ASM_AX)219mov %r15, VCPU_R15(%_ASM_AX)220#endif221222/* Clear return value to indicate VM-Exit (as opposed to VM-Fail). */223xor %ebx, %ebx224225.Lclear_regs:226/* Discard @regs. The register is irrelevant, it just can't be RBX. */227pop %_ASM_AX228229/*230* Clear all general purpose registers except RSP and RBX to prevent231* speculative use of the guest's values, even those that are reloaded232* via the stack. In theory, an L1 cache miss when restoring registers233* could lead to speculative execution with the guest's values.234* Zeroing XORs are dirt cheap, i.e. the extra paranoia is essentially235* free. RSP and RBX are exempt as RSP is restored by hardware during236* VM-Exit and RBX is explicitly loaded with 0 or 1 to hold the return237* value.238*/239xor %eax, %eax240xor %ecx, %ecx241xor %edx, %edx242xor %ebp, %ebp243xor %esi, %esi244xor %edi, %edi245#ifdef CONFIG_X86_64246xor %r8d, %r8d247xor %r9d, %r9d248xor %r10d, %r10d249xor %r11d, %r11d250xor %r12d, %r12d251xor %r13d, %r13d252xor %r14d, %r14d253xor %r15d, %r15d254#endif255256/*257* IMPORTANT: RSB filling and SPEC_CTRL handling must be done before258* the first unbalanced RET after vmexit!259*260* For retpoline or IBRS, RSB filling is needed to prevent poisoned RSB261* entries and (in some cases) RSB underflow.262*263* eIBRS has its own protection against poisoned RSB, so it doesn't264* need the RSB filling sequence. But it does need to be enabled, and a265* single call to retire, before the first unbalanced RET.266*/267268FILL_RETURN_BUFFER %_ASM_CX, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_VMEXIT,\269X86_FEATURE_RSB_VMEXIT_LITE270271pop %_ASM_ARG2 /* @flags */272pop %_ASM_ARG1 /* @vmx */273274call vmx_spec_ctrl_restore_host275276CLEAR_BRANCH_HISTORY_VMEXIT277278/* Put return value in AX */279mov %_ASM_BX, %_ASM_AX280281pop %_ASM_BX282#ifdef CONFIG_X86_64283pop %r12284pop %r13285pop %r14286pop %r15287#else288pop %esi289pop %edi290#endif291pop %_ASM_BP292RET293294.Lfixup:295cmpb $0, _ASM_RIP(kvm_rebooting)296jne .Lvmfail297ud2298.Lvmfail:299/* VM-Fail: set return value to 1 */300mov $1, %_ASM_BX301jmp .Lclear_regs302303SYM_FUNC_END(__vmx_vcpu_run)304305SYM_FUNC_START(vmx_do_nmi_irqoff)306VMX_DO_EVENT_IRQOFF call asm_exc_nmi_kvm_vmx307SYM_FUNC_END(vmx_do_nmi_irqoff)308309#ifndef CONFIG_CC_HAS_ASM_GOTO_OUTPUT310311/**312* vmread_error_trampoline - Trampoline from inline asm to vmread_error()313* @field: VMCS field encoding that failed314* @fault: %true if the VMREAD faulted, %false if it failed315*316* Save and restore volatile registers across a call to vmread_error(). Note,317* all parameters are passed on the stack.318*/319SYM_FUNC_START(vmread_error_trampoline)320push %_ASM_BP321mov %_ASM_SP, %_ASM_BP322323push %_ASM_AX324push %_ASM_CX325push %_ASM_DX326#ifdef CONFIG_X86_64327push %rdi328push %rsi329push %r8330push %r9331push %r10332push %r11333#endif334335/* Load @field and @fault to arg1 and arg2 respectively. */336mov 3*WORD_SIZE(%_ASM_BP), %_ASM_ARG2337mov 2*WORD_SIZE(%_ASM_BP), %_ASM_ARG1338339call vmread_error_trampoline2340341/* Zero out @fault, which will be popped into the result register. */342_ASM_MOV $0, 3*WORD_SIZE(%_ASM_BP)343344#ifdef CONFIG_X86_64345pop %r11346pop %r10347pop %r9348pop %r8349pop %rsi350pop %rdi351#endif352pop %_ASM_DX353pop %_ASM_CX354pop %_ASM_AX355pop %_ASM_BP356357RET358SYM_FUNC_END(vmread_error_trampoline)359#endif360361.section .text, "ax"362363SYM_FUNC_START(vmx_do_interrupt_irqoff)364VMX_DO_EVENT_IRQOFF CALL_NOSPEC _ASM_ARG1365SYM_FUNC_END(vmx_do_interrupt_irqoff)366367368