SYSEXIT

Fast Return from Fast System Call

Opcodes

Hex            Mnemonic  Encoding  Long Mode  Legacy Mode  Description
REX.W + 0F 35  SYSEXIT   A         Valid      Valid        Fast return to 64-bit mode privilege level 3 user code.
0F 35          SYSEXIT   A         Valid      Valid        Fast return to privilege level 3 user code.

Instruction Operand Encoding

Op/En  Operand 0  Operand 1  Operand 2  Operand 3
A      NA         NA         NA         NA

Description

Executes a fast return to privilege level 3 user code. SYSEXIT is a companion instruction to the SYSENTER instruction. The instruction is optimized to provide the maximum performance for returns from system procedures executing at protection level 0 to user procedures executing at protection level 3. It must be executed from code executing at privilege level 0.

Prior to executing SYSEXIT, software must specify the privilege level 3 code segment and code entry point, and the privilege level 3 stack segment and stack pointer by writing values into the following MSR and general-purpose registers:

The IA32_SYSENTER_CS MSR can be read from and written to using RDMSR/WRMSR. The register address is listed in Table 4-17. This address is defined to remain fixed for future Intel 64 and IA-32 processors.

When SYSEXIT is executed, the processor:

See "SWAPGS—Swap GS Base Register" in this chapter for information about using the SYSENTER and SYSEXIT instructions as companion call and return instructions.

The SYSEXIT instruction always transfers program control to a protected-mode code segment with a DPL of 3. The instruction requires that the following conditions are met by the operating system:

The SYSEXIT instruction can be invoked from all operating modes except real-address mode and virtual 8086 mode.

The SYSENTER and SYSEXIT instructions were introduced into the IA-32 architecture in the Pentium II processor. The availability of these instructions on a processor is indicated with the SYSENTER/SYSEXIT present (SEP) feature flag returned to the EDX register by the CPUID instruction. An operating system that qualifies the SEP flag must also qualify the processor family and model to ensure that the SYSENTER/SYSEXIT instructions are actually present. For example:

IF CPUID SEP bit is set THEN
	IF (Family = 6) and (Model < 3) and (Stepping < 3)
		THEN
			SYSENTER/SYSEXIT_Not_Supported;
		ELSE
			SYSENTER/SYSEXIT_Supported;
	FI;
FI;

When the CPUID instruction is executed on the Pentium Pro processor (model 1), the processor returns the SEP flag as set, but does not support the SYSENTER/SYSEXIT instructions.
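
The qualification check above, written out in C as an added example (not code from the original page or from Intel). It goes one step beyond the pseudocode by decoding the CPUID.01H:EAX signature with its extended model field, so that a later family 6 part whose low model nibble is below 3 is not rejected by mistake. The function names and the sample register values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define CPUID_EDX_SEP (1u << 11)   /* CPUID.01H:EDX bit 11 = SEP flag */

struct cpu_sig { unsigned family, model, stepping; };

/* Decode CPUID.01H:EAX into display family, display model and stepping. */
static struct cpu_sig decode_signature(uint32_t eax)
{
    struct cpu_sig s;
    unsigned base_family = (eax >> 8) & 0xF;

    s.stepping = eax & 0xF;
    s.family = base_family;
    if (base_family == 0xF)                 /* extended family only counts here */
        s.family += (eax >> 20) & 0xFF;
    s.model = (eax >> 4) & 0xF;
    if (base_family == 0x6 || base_family == 0xF)
        s.model |= ((eax >> 16) & 0xF) << 4;  /* extended model, bits 19:16 */
    return s;
}

/* Returns 1 if SYSENTER/SYSEXIT may be used, 0 otherwise. */
int sysexit_supported(uint32_t eax, uint32_t edx)
{
    struct cpu_sig s = decode_signature(eax);

    if (!(edx & CPUID_EDX_SEP))
        return 0;                           /* SEP flag clear */
    if (s.family == 6 && s.model < 3 && s.stepping < 3)
        return 0;                           /* SEP set, instructions absent */
    return 1;
}

int main(void)
{
    /* Constructed register values, not captured from hardware. */
    static const struct { uint32_t eax, edx; } samples[] = {
        { 0x00000611, CPUID_EDX_SEP },      /* family 6, model 1, stepping 1 */
        { 0x00000633, CPUID_EDX_SEP },      /* family 6, model 3, stepping 3 */
        { 0x00020612, CPUID_EDX_SEP },      /* family 6, display model 0x21 */
        { 0x00000633, 0 },                  /* SEP flag clear */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("EAX=%08x EDX=%08x -> %s\n", (unsigned)samples[i].eax,
               (unsigned)samples[i].edx,
               sysexit_supported(samples[i].eax, samples[i].edx)
                   ? "supported" : "not supported");
    return 0;
}
```
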

Pseudo Code

IF SYSENTER_CS_MSR[15:2] = 0
	#GP(0);
FI;
IF CR0.PE = 0
	#GP(0);
FI;
IF CPL != 0
	#GP(0);
FI;
CS.SEL = (SYSENTER_CS_MSR + 16); (* Segment selector for return CS *)
(* Set rest of CS to a fixed value *)
CS.SEL.RPL = 3;
CS.BASE = 0; (* Flat segment *)
CS.ARbyte.G = 1; (* 4-KByte granularity *)
CS.ARbyte.S = 1;
CS.ARbyte.TYPE = 1011B; (* Execute, Read, Non-Conforming Code *)
CS.ARbyte.D = 1; (* 32-bit code segment *)
CS.ARbyte.DPL = 3;
CS.ARbyte.P = 1;
CS.LIMIT = FFFFFH; (* with 4-KByte granularity, implies a 4-GByte limit *)
CPL = 3;
SS.SEL = (SYSENTER_CS_MSR + 24); (* Segment selector for return SS *)
(* Set rest of SS to a fixed value *)
SS.SEL.RPL = 3;
SS.BASE = 0; (* Flat segment *)
SS.ARbyte.G = 1; (* 4-KByte granularity *)
SS.ARbyte.S = 1;
SS.ARbyte.TYPE = 0011B; (* Expand Up, Read/Write, Data *)
SS.ARbyte.D = 1; (* 32-bit stack segment *)
SS.ARbyte.DPL = 3;
SS.ARbyte.P = 1;
SS.LIMIT = FFFFFH; (* with 4-KByte granularity, implies a 4-GByte limit *)
ESP = ECX;
EIP = EDX;

Flags Affected

None.

Exceptions

64-Bit Mode Exceptions

Exception Description
#UD If the LOCK prefix is used.
#GP(0) If IA32_SYSENTER_CS = 0. If CPL != 0. If ECX or EDX contains a non-canonical address.

Compatibility Mode Exceptions

Same exceptions as in protected mode.

Virtual-8086 Mode Exceptions

Exception Description
#GP(0) Always.

Real-Address Mode Exceptions

Exception Description
#UD If the LOCK prefix is used.
#GP If protected mode is not enabled.

Protected Mode Exceptions

Exception Description
#UD If the LOCK prefix is used.
#GP(0) If IA32_SYSENTER_CS[15:2] = 0. If CPL != 0.