1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (C) 2015-2017 Josh Poimboeuf <[email protected]>
4 */
5
6 #include <string.h>
7 #include <stdlib.h>
8 #include <inttypes.h>
9 #include <sys/mman.h>
10
11 #include <objtool/builtin.h>
12 #include <objtool/cfi.h>
13 #include <objtool/arch.h>
14 #include <objtool/check.h>
15 #include <objtool/special.h>
16 #include <objtool/warn.h>
17 #include <objtool/endianness.h>
18
19 #include <linux/objtool_types.h>
20 #include <linux/hashtable.h>
21 #include <linux/kernel.h>
22 #include <linux/static_call_types.h>
23 #include <linux/string.h>
24
25 struct alternative {
26 struct alternative *next;
27 struct instruction *insn;
28 bool skip_orig;
29 };
30
31 static unsigned long nr_cfi, nr_cfi_reused, nr_cfi_cache;
32
33 static struct cfi_init_state initial_func_cfi;
34 static struct cfi_state init_cfi;
35 static struct cfi_state func_cfi;
36 static struct cfi_state force_undefined_cfi;
37
find_insn(struct objtool_file * file,struct section * sec,unsigned long offset)38 struct instruction *find_insn(struct objtool_file *file,
39 struct section *sec, unsigned long offset)
40 {
41 struct instruction *insn;
42
43 hash_for_each_possible(file->insn_hash, insn, hash, sec_offset_hash(sec, offset)) {
44 if (insn->sec == sec && insn->offset == offset)
45 return insn;
46 }
47
48 return NULL;
49 }
50
next_insn_same_sec(struct objtool_file * file,struct instruction * insn)51 struct instruction *next_insn_same_sec(struct objtool_file *file,
52 struct instruction *insn)
53 {
54 if (insn->idx == INSN_CHUNK_MAX)
55 return find_insn(file, insn->sec, insn->offset + insn->len);
56
57 insn++;
58 if (!insn->len)
59 return NULL;
60
61 return insn;
62 }
63
next_insn_same_func(struct objtool_file * file,struct instruction * insn)64 static struct instruction *next_insn_same_func(struct objtool_file *file,
65 struct instruction *insn)
66 {
67 struct instruction *next = next_insn_same_sec(file, insn);
68 struct symbol *func = insn_func(insn);
69
70 if (!func)
71 return NULL;
72
73 if (next && insn_func(next) == func)
74 return next;
75
76 /* Check if we're already in the subfunction: */
77 if (func == func->cfunc)
78 return NULL;
79
80 /* Move to the subfunction: */
81 return find_insn(file, func->cfunc->sec, func->cfunc->offset);
82 }
83
prev_insn_same_sec(struct objtool_file * file,struct instruction * insn)84 static struct instruction *prev_insn_same_sec(struct objtool_file *file,
85 struct instruction *insn)
86 {
87 if (insn->idx == 0) {
88 if (insn->prev_len)
89 return find_insn(file, insn->sec, insn->offset - insn->prev_len);
90 return NULL;
91 }
92
93 return insn - 1;
94 }
95
prev_insn_same_sym(struct objtool_file * file,struct instruction * insn)96 static struct instruction *prev_insn_same_sym(struct objtool_file *file,
97 struct instruction *insn)
98 {
99 struct instruction *prev = prev_insn_same_sec(file, insn);
100
101 if (prev && insn_func(prev) == insn_func(insn))
102 return prev;
103
104 return NULL;
105 }
106
107 #define for_each_insn(file, insn) \
108 for (struct section *__sec, *__fake = (struct section *)1; \
109 __fake; __fake = NULL) \
110 for_each_sec(file, __sec) \
111 sec_for_each_insn(file, __sec, insn)
112
113 #define func_for_each_insn(file, func, insn) \
114 for (insn = find_insn(file, func->sec, func->offset); \
115 insn; \
116 insn = next_insn_same_func(file, insn))
117
118 #define sym_for_each_insn(file, sym, insn) \
119 for (insn = find_insn(file, sym->sec, sym->offset); \
120 insn && insn->offset < sym->offset + sym->len; \
121 insn = next_insn_same_sec(file, insn))
122
123 #define sym_for_each_insn_continue_reverse(file, sym, insn) \
124 for (insn = prev_insn_same_sec(file, insn); \
125 insn && insn->offset >= sym->offset; \
126 insn = prev_insn_same_sec(file, insn))
127
128 #define sec_for_each_insn_from(file, insn) \
129 for (; insn; insn = next_insn_same_sec(file, insn))
130
131 #define sec_for_each_insn_continue(file, insn) \
132 for (insn = next_insn_same_sec(file, insn); insn; \
133 insn = next_insn_same_sec(file, insn))
134
insn_call_dest(struct instruction * insn)135 static inline struct symbol *insn_call_dest(struct instruction *insn)
136 {
137 if (insn->type == INSN_JUMP_DYNAMIC ||
138 insn->type == INSN_CALL_DYNAMIC)
139 return NULL;
140
141 return insn->_call_dest;
142 }
143
insn_jump_table(struct instruction * insn)144 static inline struct reloc *insn_jump_table(struct instruction *insn)
145 {
146 if (insn->type == INSN_JUMP_DYNAMIC ||
147 insn->type == INSN_CALL_DYNAMIC)
148 return insn->_jump_table;
149
150 return NULL;
151 }
152
insn_jump_table_size(struct instruction * insn)153 static inline unsigned long insn_jump_table_size(struct instruction *insn)
154 {
155 if (insn->type == INSN_JUMP_DYNAMIC ||
156 insn->type == INSN_CALL_DYNAMIC)
157 return insn->_jump_table_size;
158
159 return 0;
160 }
161
is_jump_table_jump(struct instruction * insn)162 static bool is_jump_table_jump(struct instruction *insn)
163 {
164 struct alt_group *alt_group = insn->alt_group;
165
166 if (insn_jump_table(insn))
167 return true;
168
169 /* Retpoline alternative for a jump table? */
170 return alt_group && alt_group->orig_group &&
171 insn_jump_table(alt_group->orig_group->first_insn);
172 }
173
is_sibling_call(struct instruction * insn)174 static bool is_sibling_call(struct instruction *insn)
175 {
176 /*
177 * Assume only STT_FUNC calls have jump-tables.
178 */
179 if (insn_func(insn)) {
180 /* An indirect jump is either a sibling call or a jump to a table. */
181 if (insn->type == INSN_JUMP_DYNAMIC)
182 return !is_jump_table_jump(insn);
183 }
184
185 /* add_jump_destinations() sets insn_call_dest(insn) for sibling calls. */
186 return (is_static_jump(insn) && insn_call_dest(insn));
187 }
188
189 /*
190 * Checks if a string ends with another.
191 */
str_ends_with(const char * s,const char * sub)192 static bool str_ends_with(const char *s, const char *sub)
193 {
194 const int slen = strlen(s);
195 const int sublen = strlen(sub);
196
197 if (sublen > slen)
198 return 0;
199
200 return !memcmp(s + slen - sublen, sub, sublen);
201 }
202
203 /*
204 * Checks if a function is a Rust "noreturn" one.
205 */
is_rust_noreturn(const struct symbol * func)206 static bool is_rust_noreturn(const struct symbol *func)
207 {
208 /*
209 * If it does not start with "_R", then it is not a Rust symbol.
210 */
211 if (strncmp(func->name, "_R", 2))
212 return false;
213
214 /*
215 * These are just heuristics -- we do not control the precise symbol
216 * name, due to the crate disambiguators (which depend on the compiler)
217 * as well as changes to the source code itself between versions (since
218 * these come from the Rust standard library).
219 */
220 return str_ends_with(func->name, "_4core5sliceSp15copy_from_slice17len_mismatch_fail") ||
221 str_ends_with(func->name, "_4core6option13unwrap_failed") ||
222 str_ends_with(func->name, "_4core6result13unwrap_failed") ||
223 str_ends_with(func->name, "_4core9panicking5panic") ||
224 str_ends_with(func->name, "_4core9panicking9panic_fmt") ||
225 str_ends_with(func->name, "_4core9panicking14panic_explicit") ||
226 str_ends_with(func->name, "_4core9panicking14panic_nounwind") ||
227 str_ends_with(func->name, "_4core9panicking18panic_bounds_check") ||
228 str_ends_with(func->name, "_4core9panicking19assert_failed_inner") ||
229 str_ends_with(func->name, "_4core9panicking30panic_null_pointer_dereference") ||
230 str_ends_with(func->name, "_4core9panicking36panic_misaligned_pointer_dereference") ||
231 strstr(func->name, "_4core9panicking13assert_failed") ||
232 strstr(func->name, "_4core9panicking11panic_const24panic_const_") ||
233 (strstr(func->name, "_4core5slice5index24slice_") &&
234 str_ends_with(func->name, "_fail"));
235 }
236
237 /*
238 * This checks to see if the given function is a "noreturn" function.
239 *
240 * For global functions which are outside the scope of this object file, we
241 * have to keep a manual list of them.
242 *
243 * For local functions, we have to detect them manually by simply looking for
244 * the lack of a return instruction.
245 */
__dead_end_function(struct objtool_file * file,struct symbol * func,int recursion)246 static bool __dead_end_function(struct objtool_file *file, struct symbol *func,
247 int recursion)
248 {
249 int i;
250 struct instruction *insn;
251 bool empty = true;
252
253 #define NORETURN(func) __stringify(func),
254 static const char * const global_noreturns[] = {
255 #include "noreturns.h"
256 };
257 #undef NORETURN
258
259 if (!func)
260 return false;
261
262 if (func->bind == STB_GLOBAL || func->bind == STB_WEAK) {
263 if (is_rust_noreturn(func))
264 return true;
265
266 for (i = 0; i < ARRAY_SIZE(global_noreturns); i++)
267 if (!strcmp(func->name, global_noreturns[i]))
268 return true;
269 }
270
271 if (func->bind == STB_WEAK)
272 return false;
273
274 if (!func->len)
275 return false;
276
277 insn = find_insn(file, func->sec, func->offset);
278 if (!insn || !insn_func(insn))
279 return false;
280
281 func_for_each_insn(file, func, insn) {
282 empty = false;
283
284 if (insn->type == INSN_RETURN)
285 return false;
286 }
287
288 if (empty)
289 return false;
290
291 /*
292 * A function can have a sibling call instead of a return. In that
293 * case, the function's dead-end status depends on whether the target
294 * of the sibling call returns.
295 */
296 func_for_each_insn(file, func, insn) {
297 if (is_sibling_call(insn)) {
298 struct instruction *dest = insn->jump_dest;
299
300 if (!dest)
301 /* sibling call to another file */
302 return false;
303
304 /* local sibling call */
305 if (recursion == 5) {
306 /*
307 * Infinite recursion: two functions have
308 * sibling calls to each other. This is a very
309 * rare case. It means they aren't dead ends.
310 */
311 return false;
312 }
313
314 return __dead_end_function(file, insn_func(dest), recursion+1);
315 }
316 }
317
318 return true;
319 }
320
dead_end_function(struct objtool_file * file,struct symbol * func)321 static bool dead_end_function(struct objtool_file *file, struct symbol *func)
322 {
323 return __dead_end_function(file, func, 0);
324 }
325
init_cfi_state(struct cfi_state * cfi)326 static void init_cfi_state(struct cfi_state *cfi)
327 {
328 int i;
329
330 for (i = 0; i < CFI_NUM_REGS; i++) {
331 cfi->regs[i].base = CFI_UNDEFINED;
332 cfi->vals[i].base = CFI_UNDEFINED;
333 }
334 cfi->cfa.base = CFI_UNDEFINED;
335 cfi->drap_reg = CFI_UNDEFINED;
336 cfi->drap_offset = -1;
337 }
338
init_insn_state(struct objtool_file * file,struct insn_state * state,struct section * sec)339 static void init_insn_state(struct objtool_file *file, struct insn_state *state,
340 struct section *sec)
341 {
342 memset(state, 0, sizeof(*state));
343 init_cfi_state(&state->cfi);
344
345 /*
346 * We need the full vmlinux for noinstr validation, otherwise we can
347 * not correctly determine insn_call_dest(insn)->sec (external symbols
348 * do not have a section).
349 */
350 if (opts.link && opts.noinstr && sec)
351 state->noinstr = sec->noinstr;
352 }
353
cfi_alloc(void)354 static struct cfi_state *cfi_alloc(void)
355 {
356 struct cfi_state *cfi = calloc(1, sizeof(struct cfi_state));
357 if (!cfi) {
358 WARN("calloc failed");
359 exit(1);
360 }
361 nr_cfi++;
362 return cfi;
363 }
364
365 static int cfi_bits;
366 static struct hlist_head *cfi_hash;
367
cficmp(struct cfi_state * cfi1,struct cfi_state * cfi2)368 static inline bool cficmp(struct cfi_state *cfi1, struct cfi_state *cfi2)
369 {
370 return memcmp((void *)cfi1 + sizeof(cfi1->hash),
371 (void *)cfi2 + sizeof(cfi2->hash),
372 sizeof(struct cfi_state) - sizeof(struct hlist_node));
373 }
374
cfi_key(struct cfi_state * cfi)375 static inline u32 cfi_key(struct cfi_state *cfi)
376 {
377 return jhash((void *)cfi + sizeof(cfi->hash),
378 sizeof(*cfi) - sizeof(cfi->hash), 0);
379 }
380
cfi_hash_find_or_add(struct cfi_state * cfi)381 static struct cfi_state *cfi_hash_find_or_add(struct cfi_state *cfi)
382 {
383 struct hlist_head *head = &cfi_hash[hash_min(cfi_key(cfi), cfi_bits)];
384 struct cfi_state *obj;
385
386 hlist_for_each_entry(obj, head, hash) {
387 if (!cficmp(cfi, obj)) {
388 nr_cfi_cache++;
389 return obj;
390 }
391 }
392
393 obj = cfi_alloc();
394 *obj = *cfi;
395 hlist_add_head(&obj->hash, head);
396
397 return obj;
398 }
399
cfi_hash_add(struct cfi_state * cfi)400 static void cfi_hash_add(struct cfi_state *cfi)
401 {
402 struct hlist_head *head = &cfi_hash[hash_min(cfi_key(cfi), cfi_bits)];
403
404 hlist_add_head(&cfi->hash, head);
405 }
406
cfi_hash_alloc(unsigned long size)407 static void *cfi_hash_alloc(unsigned long size)
408 {
409 cfi_bits = max(10, ilog2(size));
410 cfi_hash = mmap(NULL, sizeof(struct hlist_head) << cfi_bits,
411 PROT_READ|PROT_WRITE,
412 MAP_PRIVATE|MAP_ANON, -1, 0);
413 if (cfi_hash == (void *)-1L) {
414 WARN("mmap fail cfi_hash");
415 cfi_hash = NULL;
416 } else if (opts.stats) {
417 printf("cfi_bits: %d\n", cfi_bits);
418 }
419
420 return cfi_hash;
421 }
422
423 static unsigned long nr_insns;
424 static unsigned long nr_insns_visited;
425
426 /*
427 * Call the arch-specific instruction decoder for all the instructions and add
428 * them to the global instruction list.
429 */
decode_instructions(struct objtool_file * file)430 static int decode_instructions(struct objtool_file *file)
431 {
432 struct section *sec;
433 struct symbol *func;
434 unsigned long offset;
435 struct instruction *insn;
436 int ret;
437
438 for_each_sec(file, sec) {
439 struct instruction *insns = NULL;
440 u8 prev_len = 0;
441 u8 idx = 0;
442
443 if (!(sec->sh.sh_flags & SHF_EXECINSTR))
444 continue;
445
446 if (strcmp(sec->name, ".altinstr_replacement") &&
447 strcmp(sec->name, ".altinstr_aux") &&
448 strncmp(sec->name, ".discard.", 9))
449 sec->text = true;
450
451 if (!strcmp(sec->name, ".noinstr.text") ||
452 !strcmp(sec->name, ".entry.text") ||
453 !strcmp(sec->name, ".cpuidle.text") ||
454 !strncmp(sec->name, ".text..__x86.", 13))
455 sec->noinstr = true;
456
457 /*
458 * .init.text code is ran before userspace and thus doesn't
459 * strictly need retpolines, except for modules which are
460 * loaded late, they very much do need retpoline in their
461 * .init.text
462 */
463 if (!strcmp(sec->name, ".init.text") && !opts.module)
464 sec->init = true;
465
466 for (offset = 0; offset < sec->sh.sh_size; offset += insn->len) {
467 if (!insns || idx == INSN_CHUNK_MAX) {
468 insns = calloc(sizeof(*insn), INSN_CHUNK_SIZE);
469 if (!insns) {
470 WARN("malloc failed");
471 return -1;
472 }
473 idx = 0;
474 } else {
475 idx++;
476 }
477 insn = &insns[idx];
478 insn->idx = idx;
479
480 INIT_LIST_HEAD(&insn->call_node);
481 insn->sec = sec;
482 insn->offset = offset;
483 insn->prev_len = prev_len;
484
485 ret = arch_decode_instruction(file, sec, offset,
486 sec->sh.sh_size - offset,
487 insn);
488 if (ret)
489 return ret;
490
491 prev_len = insn->len;
492
493 /*
494 * By default, "ud2" is a dead end unless otherwise
495 * annotated, because GCC 7 inserts it for certain
496 * divide-by-zero cases.
497 */
498 if (insn->type == INSN_BUG)
499 insn->dead_end = true;
500
501 hash_add(file->insn_hash, &insn->hash, sec_offset_hash(sec, insn->offset));
502 nr_insns++;
503 }
504
505 // printf("%s: last chunk used: %d\n", sec->name, (int)idx);
506
507 sec_for_each_sym(sec, func) {
508 if (func->type != STT_NOTYPE && func->type != STT_FUNC)
509 continue;
510
511 if (func->offset == sec->sh.sh_size) {
512 /* Heuristic: likely an "end" symbol */
513 if (func->type == STT_NOTYPE)
514 continue;
515 WARN("%s(): STT_FUNC at end of section",
516 func->name);
517 return -1;
518 }
519
520 if (func->embedded_insn || func->alias != func)
521 continue;
522
523 if (!find_insn(file, sec, func->offset)) {
524 WARN("%s(): can't find starting instruction",
525 func->name);
526 return -1;
527 }
528
529 sym_for_each_insn(file, func, insn) {
530 insn->sym = func;
531 if (func->type == STT_FUNC &&
532 insn->type == INSN_ENDBR &&
533 list_empty(&insn->call_node)) {
534 if (insn->offset == func->offset) {
535 list_add_tail(&insn->call_node, &file->endbr_list);
536 file->nr_endbr++;
537 } else {
538 file->nr_endbr_int++;
539 }
540 }
541 }
542 }
543 }
544
545 if (opts.stats)
546 printf("nr_insns: %lu\n", nr_insns);
547
548 return 0;
549 }
550
551 /*
552 * Read the pv_ops[] .data table to find the static initialized values.
553 */
add_pv_ops(struct objtool_file * file,const char * symname)554 static int add_pv_ops(struct objtool_file *file, const char *symname)
555 {
556 struct symbol *sym, *func;
557 unsigned long off, end;
558 struct reloc *reloc;
559 int idx;
560
561 sym = find_symbol_by_name(file->elf, symname);
562 if (!sym)
563 return 0;
564
565 off = sym->offset;
566 end = off + sym->len;
567 for (;;) {
568 reloc = find_reloc_by_dest_range(file->elf, sym->sec, off, end - off);
569 if (!reloc)
570 break;
571
572 func = reloc->sym;
573 if (func->type == STT_SECTION)
574 func = find_symbol_by_offset(reloc->sym->sec,
575 reloc_addend(reloc));
576
577 idx = (reloc_offset(reloc) - sym->offset) / sizeof(unsigned long);
578
579 objtool_pv_add(file, idx, func);
580
581 off = reloc_offset(reloc) + 1;
582 if (off > end)
583 break;
584 }
585
586 return 0;
587 }
588
589 /*
590 * Allocate and initialize file->pv_ops[].
591 */
init_pv_ops(struct objtool_file * file)592 static int init_pv_ops(struct objtool_file *file)
593 {
594 static const char *pv_ops_tables[] = {
595 "pv_ops",
596 "xen_cpu_ops",
597 "xen_irq_ops",
598 "xen_mmu_ops",
599 NULL,
600 };
601 const char *pv_ops;
602 struct symbol *sym;
603 int idx, nr;
604
605 if (!opts.noinstr)
606 return 0;
607
608 file->pv_ops = NULL;
609
610 sym = find_symbol_by_name(file->elf, "pv_ops");
611 if (!sym)
612 return 0;
613
614 nr = sym->len / sizeof(unsigned long);
615 file->pv_ops = calloc(sizeof(struct pv_state), nr);
616 if (!file->pv_ops)
617 return -1;
618
619 for (idx = 0; idx < nr; idx++)
620 INIT_LIST_HEAD(&file->pv_ops[idx].targets);
621
622 for (idx = 0; (pv_ops = pv_ops_tables[idx]); idx++)
623 add_pv_ops(file, pv_ops);
624
625 return 0;
626 }
627
create_static_call_sections(struct objtool_file * file)628 static int create_static_call_sections(struct objtool_file *file)
629 {
630 struct static_call_site *site;
631 struct section *sec;
632 struct instruction *insn;
633 struct symbol *key_sym;
634 char *key_name, *tmp;
635 int idx;
636
637 sec = find_section_by_name(file->elf, ".static_call_sites");
638 if (sec) {
639 INIT_LIST_HEAD(&file->static_call_list);
640 WARN("file already has .static_call_sites section, skipping");
641 return 0;
642 }
643
644 if (list_empty(&file->static_call_list))
645 return 0;
646
647 idx = 0;
648 list_for_each_entry(insn, &file->static_call_list, call_node)
649 idx++;
650
651 sec = elf_create_section_pair(file->elf, ".static_call_sites",
652 sizeof(*site), idx, idx * 2);
653 if (!sec)
654 return -1;
655
656 /* Allow modules to modify the low bits of static_call_site::key */
657 sec->sh.sh_flags |= SHF_WRITE;
658
659 idx = 0;
660 list_for_each_entry(insn, &file->static_call_list, call_node) {
661
662 /* populate reloc for 'addr' */
663 if (!elf_init_reloc_text_sym(file->elf, sec,
664 idx * sizeof(*site), idx * 2,
665 insn->sec, insn->offset))
666 return -1;
667
668 /* find key symbol */
669 key_name = strdup(insn_call_dest(insn)->name);
670 if (!key_name) {
671 perror("strdup");
672 return -1;
673 }
674 if (strncmp(key_name, STATIC_CALL_TRAMP_PREFIX_STR,
675 STATIC_CALL_TRAMP_PREFIX_LEN)) {
676 WARN("static_call: trampoline name malformed: %s", key_name);
677 free(key_name);
678 return -1;
679 }
680 tmp = key_name + STATIC_CALL_TRAMP_PREFIX_LEN - STATIC_CALL_KEY_PREFIX_LEN;
681 memcpy(tmp, STATIC_CALL_KEY_PREFIX_STR, STATIC_CALL_KEY_PREFIX_LEN);
682
683 key_sym = find_symbol_by_name(file->elf, tmp);
684 if (!key_sym) {
685 if (!opts.module) {
686 WARN("static_call: can't find static_call_key symbol: %s", tmp);
687 free(key_name);
688 return -1;
689 }
690
691 /*
692 * For modules(), the key might not be exported, which
693 * means the module can make static calls but isn't
694 * allowed to change them.
695 *
696 * In that case we temporarily set the key to be the
697 * trampoline address. This is fixed up in
698 * static_call_add_module().
699 */
700 key_sym = insn_call_dest(insn);
701 }
702 free(key_name);
703
704 /* populate reloc for 'key' */
705 if (!elf_init_reloc_data_sym(file->elf, sec,
706 idx * sizeof(*site) + 4,
707 (idx * 2) + 1, key_sym,
708 is_sibling_call(insn) * STATIC_CALL_SITE_TAIL))
709 return -1;
710
711 idx++;
712 }
713
714 return 0;
715 }
716
create_retpoline_sites_sections(struct objtool_file * file)717 static int create_retpoline_sites_sections(struct objtool_file *file)
718 {
719 struct instruction *insn;
720 struct section *sec;
721 int idx;
722
723 sec = find_section_by_name(file->elf, ".retpoline_sites");
724 if (sec) {
725 WARN("file already has .retpoline_sites, skipping");
726 return 0;
727 }
728
729 idx = 0;
730 list_for_each_entry(insn, &file->retpoline_call_list, call_node)
731 idx++;
732
733 if (!idx)
734 return 0;
735
736 sec = elf_create_section_pair(file->elf, ".retpoline_sites",
737 sizeof(int), idx, idx);
738 if (!sec)
739 return -1;
740
741 idx = 0;
742 list_for_each_entry(insn, &file->retpoline_call_list, call_node) {
743
744 if (!elf_init_reloc_text_sym(file->elf, sec,
745 idx * sizeof(int), idx,
746 insn->sec, insn->offset))
747 return -1;
748
749 idx++;
750 }
751
752 return 0;
753 }
754
create_return_sites_sections(struct objtool_file * file)755 static int create_return_sites_sections(struct objtool_file *file)
756 {
757 struct instruction *insn;
758 struct section *sec;
759 int idx;
760
761 sec = find_section_by_name(file->elf, ".return_sites");
762 if (sec) {
763 WARN("file already has .return_sites, skipping");
764 return 0;
765 }
766
767 idx = 0;
768 list_for_each_entry(insn, &file->return_thunk_list, call_node)
769 idx++;
770
771 if (!idx)
772 return 0;
773
774 sec = elf_create_section_pair(file->elf, ".return_sites",
775 sizeof(int), idx, idx);
776 if (!sec)
777 return -1;
778
779 idx = 0;
780 list_for_each_entry(insn, &file->return_thunk_list, call_node) {
781
782 if (!elf_init_reloc_text_sym(file->elf, sec,
783 idx * sizeof(int), idx,
784 insn->sec, insn->offset))
785 return -1;
786
787 idx++;
788 }
789
790 return 0;
791 }
792
create_ibt_endbr_seal_sections(struct objtool_file * file)793 static int create_ibt_endbr_seal_sections(struct objtool_file *file)
794 {
795 struct instruction *insn;
796 struct section *sec;
797 int idx;
798
799 sec = find_section_by_name(file->elf, ".ibt_endbr_seal");
800 if (sec) {
801 WARN("file already has .ibt_endbr_seal, skipping");
802 return 0;
803 }
804
805 idx = 0;
806 list_for_each_entry(insn, &file->endbr_list, call_node)
807 idx++;
808
809 if (opts.stats) {
810 printf("ibt: ENDBR at function start: %d\n", file->nr_endbr);
811 printf("ibt: ENDBR inside functions: %d\n", file->nr_endbr_int);
812 printf("ibt: superfluous ENDBR: %d\n", idx);
813 }
814
815 if (!idx)
816 return 0;
817
818 sec = elf_create_section_pair(file->elf, ".ibt_endbr_seal",
819 sizeof(int), idx, idx);
820 if (!sec)
821 return -1;
822
823 idx = 0;
824 list_for_each_entry(insn, &file->endbr_list, call_node) {
825
826 int *site = (int *)sec->data->d_buf + idx;
827 struct symbol *sym = insn->sym;
828 *site = 0;
829
830 if (opts.module && sym && sym->type == STT_FUNC &&
831 insn->offset == sym->offset &&
832 (!strcmp(sym->name, "init_module") ||
833 !strcmp(sym->name, "cleanup_module")))
834 WARN("%s(): not an indirect call target", sym->name);
835
836 if (!elf_init_reloc_text_sym(file->elf, sec,
837 idx * sizeof(int), idx,
838 insn->sec, insn->offset))
839 return -1;
840
841 idx++;
842 }
843
844 return 0;
845 }
846
create_cfi_sections(struct objtool_file * file)847 static int create_cfi_sections(struct objtool_file *file)
848 {
849 struct section *sec;
850 struct symbol *sym;
851 int idx;
852
853 sec = find_section_by_name(file->elf, ".cfi_sites");
854 if (sec) {
855 INIT_LIST_HEAD(&file->call_list);
856 WARN("file already has .cfi_sites section, skipping");
857 return 0;
858 }
859
860 idx = 0;
861 for_each_sym(file, sym) {
862 if (sym->type != STT_FUNC)
863 continue;
864
865 if (strncmp(sym->name, "__cfi_", 6))
866 continue;
867
868 idx++;
869 }
870
871 sec = elf_create_section_pair(file->elf, ".cfi_sites",
872 sizeof(unsigned int), idx, idx);
873 if (!sec)
874 return -1;
875
876 idx = 0;
877 for_each_sym(file, sym) {
878 if (sym->type != STT_FUNC)
879 continue;
880
881 if (strncmp(sym->name, "__cfi_", 6))
882 continue;
883
884 if (!elf_init_reloc_text_sym(file->elf, sec,
885 idx * sizeof(unsigned int), idx,
886 sym->sec, sym->offset))
887 return -1;
888
889 idx++;
890 }
891
892 return 0;
893 }
894
create_mcount_loc_sections(struct objtool_file * file)895 static int create_mcount_loc_sections(struct objtool_file *file)
896 {
897 size_t addr_size = elf_addr_size(file->elf);
898 struct instruction *insn;
899 struct section *sec;
900 int idx;
901
902 sec = find_section_by_name(file->elf, "__mcount_loc");
903 if (sec) {
904 INIT_LIST_HEAD(&file->mcount_loc_list);
905 WARN("file already has __mcount_loc section, skipping");
906 return 0;
907 }
908
909 if (list_empty(&file->mcount_loc_list))
910 return 0;
911
912 idx = 0;
913 list_for_each_entry(insn, &file->mcount_loc_list, call_node)
914 idx++;
915
916 sec = elf_create_section_pair(file->elf, "__mcount_loc", addr_size,
917 idx, idx);
918 if (!sec)
919 return -1;
920
921 sec->sh.sh_addralign = addr_size;
922
923 idx = 0;
924 list_for_each_entry(insn, &file->mcount_loc_list, call_node) {
925
926 struct reloc *reloc;
927
928 reloc = elf_init_reloc_text_sym(file->elf, sec, idx * addr_size, idx,
929 insn->sec, insn->offset);
930 if (!reloc)
931 return -1;
932
933 set_reloc_type(file->elf, reloc, addr_size == 8 ? R_ABS64 : R_ABS32);
934
935 idx++;
936 }
937
938 return 0;
939 }
940
create_direct_call_sections(struct objtool_file * file)941 static int create_direct_call_sections(struct objtool_file *file)
942 {
943 struct instruction *insn;
944 struct section *sec;
945 int idx;
946
947 sec = find_section_by_name(file->elf, ".call_sites");
948 if (sec) {
949 INIT_LIST_HEAD(&file->call_list);
950 WARN("file already has .call_sites section, skipping");
951 return 0;
952 }
953
954 if (list_empty(&file->call_list))
955 return 0;
956
957 idx = 0;
958 list_for_each_entry(insn, &file->call_list, call_node)
959 idx++;
960
961 sec = elf_create_section_pair(file->elf, ".call_sites",
962 sizeof(unsigned int), idx, idx);
963 if (!sec)
964 return -1;
965
966 idx = 0;
967 list_for_each_entry(insn, &file->call_list, call_node) {
968
969 if (!elf_init_reloc_text_sym(file->elf, sec,
970 idx * sizeof(unsigned int), idx,
971 insn->sec, insn->offset))
972 return -1;
973
974 idx++;
975 }
976
977 return 0;
978 }
979
980 /*
981 * Warnings shouldn't be reported for ignored functions.
982 */
add_ignores(struct objtool_file * file)983 static void add_ignores(struct objtool_file *file)
984 {
985 struct instruction *insn;
986 struct section *rsec;
987 struct symbol *func;
988 struct reloc *reloc;
989
990 rsec = find_section_by_name(file->elf, ".rela.discard.func_stack_frame_non_standard");
991 if (!rsec)
992 return;
993
994 for_each_reloc(rsec, reloc) {
995 switch (reloc->sym->type) {
996 case STT_FUNC:
997 func = reloc->sym;
998 break;
999
1000 case STT_SECTION:
1001 func = find_func_by_offset(reloc->sym->sec, reloc_addend(reloc));
1002 if (!func)
1003 continue;
1004 break;
1005
1006 default:
1007 WARN("unexpected relocation symbol type in %s: %d",
1008 rsec->name, reloc->sym->type);
1009 continue;
1010 }
1011
1012 func_for_each_insn(file, func, insn)
1013 insn->ignore = true;
1014 }
1015 }
1016
1017 /*
1018 * This is a whitelist of functions that is allowed to be called with AC set.
1019 * The list is meant to be minimal and only contains compiler instrumentation
1020 * ABI and a few functions used to implement *_{to,from}_user() functions.
1021 *
1022 * These functions must not directly change AC, but may PUSHF/POPF.
1023 */
1024 static const char *uaccess_safe_builtin[] = {
1025 /* KASAN */
1026 "kasan_report",
1027 "kasan_check_range",
1028 /* KASAN out-of-line */
1029 "__asan_loadN_noabort",
1030 "__asan_load1_noabort",
1031 "__asan_load2_noabort",
1032 "__asan_load4_noabort",
1033 "__asan_load8_noabort",
1034 "__asan_load16_noabort",
1035 "__asan_storeN_noabort",
1036 "__asan_store1_noabort",
1037 "__asan_store2_noabort",
1038 "__asan_store4_noabort",
1039 "__asan_store8_noabort",
1040 "__asan_store16_noabort",
1041 "__kasan_check_read",
1042 "__kasan_check_write",
1043 /* KASAN in-line */
1044 "__asan_report_load_n_noabort",
1045 "__asan_report_load1_noabort",
1046 "__asan_report_load2_noabort",
1047 "__asan_report_load4_noabort",
1048 "__asan_report_load8_noabort",
1049 "__asan_report_load16_noabort",
1050 "__asan_report_store_n_noabort",
1051 "__asan_report_store1_noabort",
1052 "__asan_report_store2_noabort",
1053 "__asan_report_store4_noabort",
1054 "__asan_report_store8_noabort",
1055 "__asan_report_store16_noabort",
1056 /* KCSAN */
1057 "__kcsan_check_access",
1058 "__kcsan_mb",
1059 "__kcsan_wmb",
1060 "__kcsan_rmb",
1061 "__kcsan_release",
1062 "kcsan_found_watchpoint",
1063 "kcsan_setup_watchpoint",
1064 "kcsan_check_scoped_accesses",
1065 "kcsan_disable_current",
1066 "kcsan_enable_current_nowarn",
1067 /* KCSAN/TSAN */
1068 "__tsan_func_entry",
1069 "__tsan_func_exit",
1070 "__tsan_read_range",
1071 "__tsan_write_range",
1072 "__tsan_read1",
1073 "__tsan_read2",
1074 "__tsan_read4",
1075 "__tsan_read8",
1076 "__tsan_read16",
1077 "__tsan_write1",
1078 "__tsan_write2",
1079 "__tsan_write4",
1080 "__tsan_write8",
1081 "__tsan_write16",
1082 "__tsan_read_write1",
1083 "__tsan_read_write2",
1084 "__tsan_read_write4",
1085 "__tsan_read_write8",
1086 "__tsan_read_write16",
1087 "__tsan_volatile_read1",
1088 "__tsan_volatile_read2",
1089 "__tsan_volatile_read4",
1090 "__tsan_volatile_read8",
1091 "__tsan_volatile_read16",
1092 "__tsan_volatile_write1",
1093 "__tsan_volatile_write2",
1094 "__tsan_volatile_write4",
1095 "__tsan_volatile_write8",
1096 "__tsan_volatile_write16",
1097 "__tsan_atomic8_load",
1098 "__tsan_atomic16_load",
1099 "__tsan_atomic32_load",
1100 "__tsan_atomic64_load",
1101 "__tsan_atomic8_store",
1102 "__tsan_atomic16_store",
1103 "__tsan_atomic32_store",
1104 "__tsan_atomic64_store",
1105 "__tsan_atomic8_exchange",
1106 "__tsan_atomic16_exchange",
1107 "__tsan_atomic32_exchange",
1108 "__tsan_atomic64_exchange",
1109 "__tsan_atomic8_fetch_add",
1110 "__tsan_atomic16_fetch_add",
1111 "__tsan_atomic32_fetch_add",
1112 "__tsan_atomic64_fetch_add",
1113 "__tsan_atomic8_fetch_sub",
1114 "__tsan_atomic16_fetch_sub",
1115 "__tsan_atomic32_fetch_sub",
1116 "__tsan_atomic64_fetch_sub",
1117 "__tsan_atomic8_fetch_and",
1118 "__tsan_atomic16_fetch_and",
1119 "__tsan_atomic32_fetch_and",
1120 "__tsan_atomic64_fetch_and",
1121 "__tsan_atomic8_fetch_or",
1122 "__tsan_atomic16_fetch_or",
1123 "__tsan_atomic32_fetch_or",
1124 "__tsan_atomic64_fetch_or",
1125 "__tsan_atomic8_fetch_xor",
1126 "__tsan_atomic16_fetch_xor",
1127 "__tsan_atomic32_fetch_xor",
1128 "__tsan_atomic64_fetch_xor",
1129 "__tsan_atomic8_fetch_nand",
1130 "__tsan_atomic16_fetch_nand",
1131 "__tsan_atomic32_fetch_nand",
1132 "__tsan_atomic64_fetch_nand",
1133 "__tsan_atomic8_compare_exchange_strong",
1134 "__tsan_atomic16_compare_exchange_strong",
1135 "__tsan_atomic32_compare_exchange_strong",
1136 "__tsan_atomic64_compare_exchange_strong",
1137 "__tsan_atomic8_compare_exchange_weak",
1138 "__tsan_atomic16_compare_exchange_weak",
1139 "__tsan_atomic32_compare_exchange_weak",
1140 "__tsan_atomic64_compare_exchange_weak",
1141 "__tsan_atomic8_compare_exchange_val",
1142 "__tsan_atomic16_compare_exchange_val",
1143 "__tsan_atomic32_compare_exchange_val",
1144 "__tsan_atomic64_compare_exchange_val",
1145 "__tsan_atomic_thread_fence",
1146 "__tsan_atomic_signal_fence",
1147 "__tsan_unaligned_read16",
1148 "__tsan_unaligned_write16",
1149 /* KCOV */
1150 "write_comp_data",
1151 "check_kcov_mode",
1152 "__sanitizer_cov_trace_pc",
1153 "__sanitizer_cov_trace_const_cmp1",
1154 "__sanitizer_cov_trace_const_cmp2",
1155 "__sanitizer_cov_trace_const_cmp4",
1156 "__sanitizer_cov_trace_const_cmp8",
1157 "__sanitizer_cov_trace_cmp1",
1158 "__sanitizer_cov_trace_cmp2",
1159 "__sanitizer_cov_trace_cmp4",
1160 "__sanitizer_cov_trace_cmp8",
1161 "__sanitizer_cov_trace_switch",
1162 /* KMSAN */
1163 "kmsan_copy_to_user",
1164 "kmsan_disable_current",
1165 "kmsan_enable_current",
1166 "kmsan_report",
1167 "kmsan_unpoison_entry_regs",
1168 "kmsan_unpoison_memory",
1169 "__msan_chain_origin",
1170 "__msan_get_context_state",
1171 "__msan_instrument_asm_store",
1172 "__msan_metadata_ptr_for_load_1",
1173 "__msan_metadata_ptr_for_load_2",
1174 "__msan_metadata_ptr_for_load_4",
1175 "__msan_metadata_ptr_for_load_8",
1176 "__msan_metadata_ptr_for_load_n",
1177 "__msan_metadata_ptr_for_store_1",
1178 "__msan_metadata_ptr_for_store_2",
1179 "__msan_metadata_ptr_for_store_4",
1180 "__msan_metadata_ptr_for_store_8",
1181 "__msan_metadata_ptr_for_store_n",
1182 "__msan_poison_alloca",
1183 "__msan_warning",
1184 /* UBSAN */
1185 "ubsan_type_mismatch_common",
1186 "__ubsan_handle_type_mismatch",
1187 "__ubsan_handle_type_mismatch_v1",
1188 "__ubsan_handle_shift_out_of_bounds",
1189 "__ubsan_handle_load_invalid_value",
1190 /* STACKLEAK */
1191 "stackleak_track_stack",
1192 /* misc */
1193 "csum_partial_copy_generic",
1194 "copy_mc_fragile",
1195 "copy_mc_fragile_handle_tail",
1196 "copy_mc_enhanced_fast_string",
1197 "ftrace_likely_update", /* CONFIG_TRACE_BRANCH_PROFILING */
1198 "rep_stos_alternative",
1199 "rep_movs_alternative",
1200 "__copy_user_nocache",
1201 NULL
1202 };
1203
add_uaccess_safe(struct objtool_file * file)1204 static void add_uaccess_safe(struct objtool_file *file)
1205 {
1206 struct symbol *func;
1207 const char **name;
1208
1209 if (!opts.uaccess)
1210 return;
1211
1212 for (name = uaccess_safe_builtin; *name; name++) {
1213 func = find_symbol_by_name(file->elf, *name);
1214 if (!func)
1215 continue;
1216
1217 func->uaccess_safe = true;
1218 }
1219 }
1220
1221 /*
1222 * Symbols that replace INSN_CALL_DYNAMIC, every (tail) call to such a symbol
1223 * will be added to the .retpoline_sites section.
1224 */
arch_is_retpoline(struct symbol * sym)1225 __weak bool arch_is_retpoline(struct symbol *sym)
1226 {
1227 return false;
1228 }
1229
1230 /*
1231 * Symbols that replace INSN_RETURN, every (tail) call to such a symbol
1232 * will be added to the .return_sites section.
1233 */
arch_is_rethunk(struct symbol * sym)1234 __weak bool arch_is_rethunk(struct symbol *sym)
1235 {
1236 return false;
1237 }
1238
1239 /*
1240 * Symbols that are embedded inside other instructions, because sometimes crazy
1241 * code exists. These are mostly ignored for validation purposes.
1242 */
arch_is_embedded_insn(struct symbol * sym)1243 __weak bool arch_is_embedded_insn(struct symbol *sym)
1244 {
1245 return false;
1246 }
1247
insn_reloc(struct objtool_file * file,struct instruction * insn)1248 static struct reloc *insn_reloc(struct objtool_file *file, struct instruction *insn)
1249 {
1250 struct reloc *reloc;
1251
1252 if (insn->no_reloc)
1253 return NULL;
1254
1255 if (!file)
1256 return NULL;
1257
1258 reloc = find_reloc_by_dest_range(file->elf, insn->sec,
1259 insn->offset, insn->len);
1260 if (!reloc) {
1261 insn->no_reloc = 1;
1262 return NULL;
1263 }
1264
1265 return reloc;
1266 }
1267
remove_insn_ops(struct instruction * insn)1268 static void remove_insn_ops(struct instruction *insn)
1269 {
1270 struct stack_op *op, *next;
1271
1272 for (op = insn->stack_ops; op; op = next) {
1273 next = op->next;
1274 free(op);
1275 }
1276 insn->stack_ops = NULL;
1277 }
1278
annotate_call_site(struct objtool_file * file,struct instruction * insn,bool sibling)1279 static void annotate_call_site(struct objtool_file *file,
1280 struct instruction *insn, bool sibling)
1281 {
1282 struct reloc *reloc = insn_reloc(file, insn);
1283 struct symbol *sym = insn_call_dest(insn);
1284
1285 if (!sym)
1286 sym = reloc->sym;
1287
1288 /*
1289 * Alternative replacement code is just template code which is
1290 * sometimes copied to the original instruction. For now, don't
1291 * annotate it. (In the future we might consider annotating the
1292 * original instruction if/when it ever makes sense to do so.)
1293 */
1294 if (!strcmp(insn->sec->name, ".altinstr_replacement"))
1295 return;
1296
1297 if (sym->static_call_tramp) {
1298 list_add_tail(&insn->call_node, &file->static_call_list);
1299 return;
1300 }
1301
1302 if (sym->retpoline_thunk) {
1303 list_add_tail(&insn->call_node, &file->retpoline_call_list);
1304 return;
1305 }
1306
1307 /*
1308 * Many compilers cannot disable KCOV or sanitizer calls with a function
1309 * attribute so they need a little help, NOP out any such calls from
1310 * noinstr text.
1311 */
1312 if (opts.hack_noinstr && insn->sec->noinstr && sym->profiling_func) {
1313 if (reloc)
1314 set_reloc_type(file->elf, reloc, R_NONE);
1315
1316 elf_write_insn(file->elf, insn->sec,
1317 insn->offset, insn->len,
1318 sibling ? arch_ret_insn(insn->len)
1319 : arch_nop_insn(insn->len));
1320
1321 insn->type = sibling ? INSN_RETURN : INSN_NOP;
1322
1323 if (sibling) {
1324 /*
1325 * We've replaced the tail-call JMP insn by two new
1326 * insn: RET; INT3, except we only have a single struct
1327 * insn here. Mark it retpoline_safe to avoid the SLS
1328 * warning, instead of adding another insn.
1329 */
1330 insn->retpoline_safe = true;
1331 }
1332
1333 return;
1334 }
1335
1336 if (opts.mcount && sym->fentry) {
1337 if (sibling)
1338 WARN_INSN(insn, "tail call to __fentry__ !?!?");
1339 if (opts.mnop) {
1340 if (reloc)
1341 set_reloc_type(file->elf, reloc, R_NONE);
1342
1343 elf_write_insn(file->elf, insn->sec,
1344 insn->offset, insn->len,
1345 arch_nop_insn(insn->len));
1346
1347 insn->type = INSN_NOP;
1348 }
1349
1350 list_add_tail(&insn->call_node, &file->mcount_loc_list);
1351 return;
1352 }
1353
1354 if (insn->type == INSN_CALL && !insn->sec->init)
1355 list_add_tail(&insn->call_node, &file->call_list);
1356
1357 if (!sibling && dead_end_function(file, sym))
1358 insn->dead_end = true;
1359 }
1360
add_call_dest(struct objtool_file * file,struct instruction * insn,struct symbol * dest,bool sibling)1361 static void add_call_dest(struct objtool_file *file, struct instruction *insn,
1362 struct symbol *dest, bool sibling)
1363 {
1364 insn->_call_dest = dest;
1365 if (!dest)
1366 return;
1367
1368 /*
1369 * Whatever stack impact regular CALLs have, should be undone
1370 * by the RETURN of the called function.
1371 *
1372 * Annotated intra-function calls retain the stack_ops but
1373 * are converted to JUMP, see read_intra_function_calls().
1374 */
1375 remove_insn_ops(insn);
1376
1377 annotate_call_site(file, insn, sibling);
1378 }
1379
add_retpoline_call(struct objtool_file * file,struct instruction * insn)1380 static void add_retpoline_call(struct objtool_file *file, struct instruction *insn)
1381 {
1382 /*
1383 * Retpoline calls/jumps are really dynamic calls/jumps in disguise,
1384 * so convert them accordingly.
1385 */
1386 switch (insn->type) {
1387 case INSN_CALL:
1388 insn->type = INSN_CALL_DYNAMIC;
1389 break;
1390 case INSN_JUMP_UNCONDITIONAL:
1391 insn->type = INSN_JUMP_DYNAMIC;
1392 break;
1393 case INSN_JUMP_CONDITIONAL:
1394 insn->type = INSN_JUMP_DYNAMIC_CONDITIONAL;
1395 break;
1396 default:
1397 return;
1398 }
1399
1400 insn->retpoline_safe = true;
1401
1402 /*
1403 * Whatever stack impact regular CALLs have, should be undone
1404 * by the RETURN of the called function.
1405 *
1406 * Annotated intra-function calls retain the stack_ops but
1407 * are converted to JUMP, see read_intra_function_calls().
1408 */
1409 remove_insn_ops(insn);
1410
1411 annotate_call_site(file, insn, false);
1412 }
1413
add_return_call(struct objtool_file * file,struct instruction * insn,bool add)1414 static void add_return_call(struct objtool_file *file, struct instruction *insn, bool add)
1415 {
1416 /*
1417 * Return thunk tail calls are really just returns in disguise,
1418 * so convert them accordingly.
1419 */
1420 insn->type = INSN_RETURN;
1421 insn->retpoline_safe = true;
1422
1423 if (add)
1424 list_add_tail(&insn->call_node, &file->return_thunk_list);
1425 }
1426
is_first_func_insn(struct objtool_file * file,struct instruction * insn,struct symbol * sym)1427 static bool is_first_func_insn(struct objtool_file *file,
1428 struct instruction *insn, struct symbol *sym)
1429 {
1430 if (insn->offset == sym->offset)
1431 return true;
1432
1433 /* Allow direct CALL/JMP past ENDBR */
1434 if (opts.ibt) {
1435 struct instruction *prev = prev_insn_same_sym(file, insn);
1436
1437 if (prev && prev->type == INSN_ENDBR &&
1438 insn->offset == sym->offset + prev->len)
1439 return true;
1440 }
1441
1442 return false;
1443 }
1444
1445 /*
1446 * A sibling call is a tail-call to another symbol -- to differentiate from a
1447 * recursive tail-call which is to the same symbol.
1448 */
jump_is_sibling_call(struct objtool_file * file,struct instruction * from,struct instruction * to)1449 static bool jump_is_sibling_call(struct objtool_file *file,
1450 struct instruction *from, struct instruction *to)
1451 {
1452 struct symbol *fs = from->sym;
1453 struct symbol *ts = to->sym;
1454
1455 /* Not a sibling call if from/to a symbol hole */
1456 if (!fs || !ts)
1457 return false;
1458
1459 /* Not a sibling call if not targeting the start of a symbol. */
1460 if (!is_first_func_insn(file, to, ts))
1461 return false;
1462
1463 /* Disallow sibling calls into STT_NOTYPE */
1464 if (ts->type == STT_NOTYPE)
1465 return false;
1466
1467 /* Must not be self to be a sibling */
1468 return fs->pfunc != ts->pfunc;
1469 }
1470
1471 /*
1472 * Find the destination instructions for all jumps.
1473 */
add_jump_destinations(struct objtool_file * file)1474 static int add_jump_destinations(struct objtool_file *file)
1475 {
1476 struct instruction *insn, *jump_dest;
1477 struct reloc *reloc;
1478 struct section *dest_sec;
1479 unsigned long dest_off;
1480
1481 for_each_insn(file, insn) {
1482 if (insn->jump_dest) {
1483 /*
1484 * handle_group_alt() may have previously set
1485 * 'jump_dest' for some alternatives.
1486 */
1487 continue;
1488 }
1489 if (!is_static_jump(insn))
1490 continue;
1491
1492 reloc = insn_reloc(file, insn);
1493 if (!reloc) {
1494 dest_sec = insn->sec;
1495 dest_off = arch_jump_destination(insn);
1496 } else if (reloc->sym->type == STT_SECTION) {
1497 dest_sec = reloc->sym->sec;
1498 dest_off = arch_dest_reloc_offset(reloc_addend(reloc));
1499 } else if (reloc->sym->retpoline_thunk) {
1500 add_retpoline_call(file, insn);
1501 continue;
1502 } else if (reloc->sym->return_thunk) {
1503 add_return_call(file, insn, true);
1504 continue;
1505 } else if (insn_func(insn)) {
1506 /*
1507 * External sibling call or internal sibling call with
1508 * STT_FUNC reloc.
1509 */
1510 add_call_dest(file, insn, reloc->sym, true);
1511 continue;
1512 } else if (reloc->sym->sec->idx) {
1513 dest_sec = reloc->sym->sec;
1514 dest_off = reloc->sym->sym.st_value +
1515 arch_dest_reloc_offset(reloc_addend(reloc));
1516 } else {
1517 /* non-func asm code jumping to another file */
1518 continue;
1519 }
1520
1521 jump_dest = find_insn(file, dest_sec, dest_off);
1522 if (!jump_dest) {
1523 struct symbol *sym = find_symbol_by_offset(dest_sec, dest_off);
1524
1525 /*
1526 * This is a special case for retbleed_untrain_ret().
1527 * It jumps to __x86_return_thunk(), but objtool
1528 * can't find the thunk's starting RET
1529 * instruction, because the RET is also in the
1530 * middle of another instruction. Objtool only
1531 * knows about the outer instruction.
1532 */
1533 if (sym && sym->embedded_insn) {
1534 add_return_call(file, insn, false);
1535 continue;
1536 }
1537
1538 WARN_INSN(insn, "can't find jump dest instruction at %s+0x%lx",
1539 dest_sec->name, dest_off);
1540 return -1;
1541 }
1542
1543 /*
1544 * An intra-TU jump in retpoline.o might not have a relocation
1545 * for its jump dest, in which case the above
1546 * add_{retpoline,return}_call() didn't happen.
1547 */
1548 if (jump_dest->sym && jump_dest->offset == jump_dest->sym->offset) {
1549 if (jump_dest->sym->retpoline_thunk) {
1550 add_retpoline_call(file, insn);
1551 continue;
1552 }
1553 if (jump_dest->sym->return_thunk) {
1554 add_return_call(file, insn, true);
1555 continue;
1556 }
1557 }
1558
1559 /*
1560 * Cross-function jump.
1561 */
1562 if (insn_func(insn) && insn_func(jump_dest) &&
1563 insn_func(insn) != insn_func(jump_dest)) {
1564
1565 /*
1566 * For GCC 8+, create parent/child links for any cold
1567 * subfunctions. This is _mostly_ redundant with a
1568 * similar initialization in read_symbols().
1569 *
1570 * If a function has aliases, we want the *first* such
1571 * function in the symbol table to be the subfunction's
1572 * parent. In that case we overwrite the
1573 * initialization done in read_symbols().
1574 *
1575 * However this code can't completely replace the
1576 * read_symbols() code because this doesn't detect the
1577 * case where the parent function's only reference to a
1578 * subfunction is through a jump table.
1579 */
1580 if (!strstr(insn_func(insn)->name, ".cold") &&
1581 strstr(insn_func(jump_dest)->name, ".cold")) {
1582 insn_func(insn)->cfunc = insn_func(jump_dest);
1583 insn_func(jump_dest)->pfunc = insn_func(insn);
1584 }
1585 }
1586
1587 if (jump_is_sibling_call(file, insn, jump_dest)) {
1588 /*
1589 * Internal sibling call without reloc or with
1590 * STT_SECTION reloc.
1591 */
1592 add_call_dest(file, insn, insn_func(jump_dest), true);
1593 continue;
1594 }
1595
1596 insn->jump_dest = jump_dest;
1597 }
1598
1599 return 0;
1600 }
1601
find_call_destination(struct section * sec,unsigned long offset)1602 static struct symbol *find_call_destination(struct section *sec, unsigned long offset)
1603 {
1604 struct symbol *call_dest;
1605
1606 call_dest = find_func_by_offset(sec, offset);
1607 if (!call_dest)
1608 call_dest = find_symbol_by_offset(sec, offset);
1609
1610 return call_dest;
1611 }
1612
1613 /*
1614 * Find the destination instructions for all calls.
1615 */
add_call_destinations(struct objtool_file * file)1616 static int add_call_destinations(struct objtool_file *file)
1617 {
1618 struct instruction *insn;
1619 unsigned long dest_off;
1620 struct symbol *dest;
1621 struct reloc *reloc;
1622
1623 for_each_insn(file, insn) {
1624 if (insn->type != INSN_CALL)
1625 continue;
1626
1627 reloc = insn_reloc(file, insn);
1628 if (!reloc) {
1629 dest_off = arch_jump_destination(insn);
1630 dest = find_call_destination(insn->sec, dest_off);
1631
1632 add_call_dest(file, insn, dest, false);
1633
1634 if (insn->ignore)
1635 continue;
1636
1637 if (!insn_call_dest(insn)) {
1638 WARN_INSN(insn, "unannotated intra-function call");
1639 return -1;
1640 }
1641
1642 if (insn_func(insn) && insn_call_dest(insn)->type != STT_FUNC) {
1643 WARN_INSN(insn, "unsupported call to non-function");
1644 return -1;
1645 }
1646
1647 } else if (reloc->sym->type == STT_SECTION) {
1648 dest_off = arch_dest_reloc_offset(reloc_addend(reloc));
1649 dest = find_call_destination(reloc->sym->sec, dest_off);
1650 if (!dest) {
1651 WARN_INSN(insn, "can't find call dest symbol at %s+0x%lx",
1652 reloc->sym->sec->name, dest_off);
1653 return -1;
1654 }
1655
1656 add_call_dest(file, insn, dest, false);
1657
1658 } else if (reloc->sym->retpoline_thunk) {
1659 add_retpoline_call(file, insn);
1660
1661 } else
1662 add_call_dest(file, insn, reloc->sym, false);
1663 }
1664
1665 return 0;
1666 }
1667
1668 /*
1669 * The .alternatives section requires some extra special care over and above
1670 * other special sections because alternatives are patched in place.
1671 */
handle_group_alt(struct objtool_file * file,struct special_alt * special_alt,struct instruction * orig_insn,struct instruction ** new_insn)1672 static int handle_group_alt(struct objtool_file *file,
1673 struct special_alt *special_alt,
1674 struct instruction *orig_insn,
1675 struct instruction **new_insn)
1676 {
1677 struct instruction *last_new_insn = NULL, *insn, *nop = NULL;
1678 struct alt_group *orig_alt_group, *new_alt_group;
1679 unsigned long dest_off;
1680
1681 orig_alt_group = orig_insn->alt_group;
1682 if (!orig_alt_group) {
1683 struct instruction *last_orig_insn = NULL;
1684
1685 orig_alt_group = malloc(sizeof(*orig_alt_group));
1686 if (!orig_alt_group) {
1687 WARN("malloc failed");
1688 return -1;
1689 }
1690 orig_alt_group->cfi = calloc(special_alt->orig_len,
1691 sizeof(struct cfi_state *));
1692 if (!orig_alt_group->cfi) {
1693 WARN("calloc failed");
1694 return -1;
1695 }
1696
1697 insn = orig_insn;
1698 sec_for_each_insn_from(file, insn) {
1699 if (insn->offset >= special_alt->orig_off + special_alt->orig_len)
1700 break;
1701
1702 insn->alt_group = orig_alt_group;
1703 last_orig_insn = insn;
1704 }
1705 orig_alt_group->orig_group = NULL;
1706 orig_alt_group->first_insn = orig_insn;
1707 orig_alt_group->last_insn = last_orig_insn;
1708 orig_alt_group->nop = NULL;
1709 } else {
1710 if (orig_alt_group->last_insn->offset + orig_alt_group->last_insn->len -
1711 orig_alt_group->first_insn->offset != special_alt->orig_len) {
1712 WARN_INSN(orig_insn, "weirdly overlapping alternative! %ld != %d",
1713 orig_alt_group->last_insn->offset +
1714 orig_alt_group->last_insn->len -
1715 orig_alt_group->first_insn->offset,
1716 special_alt->orig_len);
1717 return -1;
1718 }
1719 }
1720
1721 new_alt_group = malloc(sizeof(*new_alt_group));
1722 if (!new_alt_group) {
1723 WARN("malloc failed");
1724 return -1;
1725 }
1726
1727 if (special_alt->new_len < special_alt->orig_len) {
1728 /*
1729 * Insert a fake nop at the end to make the replacement
1730 * alt_group the same size as the original. This is needed to
1731 * allow propagate_alt_cfi() to do its magic. When the last
1732 * instruction affects the stack, the instruction after it (the
1733 * nop) will propagate the new state to the shared CFI array.
1734 */
1735 nop = malloc(sizeof(*nop));
1736 if (!nop) {
1737 WARN("malloc failed");
1738 return -1;
1739 }
1740 memset(nop, 0, sizeof(*nop));
1741
1742 nop->sec = special_alt->new_sec;
1743 nop->offset = special_alt->new_off + special_alt->new_len;
1744 nop->len = special_alt->orig_len - special_alt->new_len;
1745 nop->type = INSN_NOP;
1746 nop->sym = orig_insn->sym;
1747 nop->alt_group = new_alt_group;
1748 nop->ignore = orig_insn->ignore_alts;
1749 }
1750
1751 if (!special_alt->new_len) {
1752 *new_insn = nop;
1753 goto end;
1754 }
1755
1756 insn = *new_insn;
1757 sec_for_each_insn_from(file, insn) {
1758 struct reloc *alt_reloc;
1759
1760 if (insn->offset >= special_alt->new_off + special_alt->new_len)
1761 break;
1762
1763 last_new_insn = insn;
1764
1765 insn->ignore = orig_insn->ignore_alts;
1766 insn->sym = orig_insn->sym;
1767 insn->alt_group = new_alt_group;
1768
1769 /*
1770 * Since alternative replacement code is copy/pasted by the
1771 * kernel after applying relocations, generally such code can't
1772 * have relative-address relocation references to outside the
1773 * .altinstr_replacement section, unless the arch's
1774 * alternatives code can adjust the relative offsets
1775 * accordingly.
1776 */
1777 alt_reloc = insn_reloc(file, insn);
1778 if (alt_reloc && arch_pc_relative_reloc(alt_reloc) &&
1779 !arch_support_alt_relocation(special_alt, insn, alt_reloc)) {
1780
1781 WARN_INSN(insn, "unsupported relocation in alternatives section");
1782 return -1;
1783 }
1784
1785 if (!is_static_jump(insn))
1786 continue;
1787
1788 if (!insn->immediate)
1789 continue;
1790
1791 dest_off = arch_jump_destination(insn);
1792 if (dest_off == special_alt->new_off + special_alt->new_len) {
1793 insn->jump_dest = next_insn_same_sec(file, orig_alt_group->last_insn);
1794 if (!insn->jump_dest) {
1795 WARN_INSN(insn, "can't find alternative jump destination");
1796 return -1;
1797 }
1798 }
1799 }
1800
1801 if (!last_new_insn) {
1802 WARN_FUNC("can't find last new alternative instruction",
1803 special_alt->new_sec, special_alt->new_off);
1804 return -1;
1805 }
1806
1807 end:
1808 new_alt_group->orig_group = orig_alt_group;
1809 new_alt_group->first_insn = *new_insn;
1810 new_alt_group->last_insn = last_new_insn;
1811 new_alt_group->nop = nop;
1812 new_alt_group->cfi = orig_alt_group->cfi;
1813 return 0;
1814 }
1815
1816 /*
1817 * A jump table entry can either convert a nop to a jump or a jump to a nop.
1818 * If the original instruction is a jump, make the alt entry an effective nop
1819 * by just skipping the original instruction.
1820 */
handle_jump_alt(struct objtool_file * file,struct special_alt * special_alt,struct instruction * orig_insn,struct instruction ** new_insn)1821 static int handle_jump_alt(struct objtool_file *file,
1822 struct special_alt *special_alt,
1823 struct instruction *orig_insn,
1824 struct instruction **new_insn)
1825 {
1826 if (orig_insn->type != INSN_JUMP_UNCONDITIONAL &&
1827 orig_insn->type != INSN_NOP) {
1828
1829 WARN_INSN(orig_insn, "unsupported instruction at jump label");
1830 return -1;
1831 }
1832
1833 if (opts.hack_jump_label && special_alt->key_addend & 2) {
1834 struct reloc *reloc = insn_reloc(file, orig_insn);
1835
1836 if (reloc)
1837 set_reloc_type(file->elf, reloc, R_NONE);
1838 elf_write_insn(file->elf, orig_insn->sec,
1839 orig_insn->offset, orig_insn->len,
1840 arch_nop_insn(orig_insn->len));
1841 orig_insn->type = INSN_NOP;
1842 }
1843
1844 if (orig_insn->type == INSN_NOP) {
1845 if (orig_insn->len == 2)
1846 file->jl_nop_short++;
1847 else
1848 file->jl_nop_long++;
1849
1850 return 0;
1851 }
1852
1853 if (orig_insn->len == 2)
1854 file->jl_short++;
1855 else
1856 file->jl_long++;
1857
1858 *new_insn = next_insn_same_sec(file, orig_insn);
1859 return 0;
1860 }
1861
1862 /*
1863 * Read all the special sections which have alternate instructions which can be
1864 * patched in or redirected to at runtime. Each instruction having alternate
1865 * instruction(s) has them added to its insn->alts list, which will be
1866 * traversed in validate_branch().
1867 */
add_special_section_alts(struct objtool_file * file)1868 static int add_special_section_alts(struct objtool_file *file)
1869 {
1870 struct list_head special_alts;
1871 struct instruction *orig_insn, *new_insn;
1872 struct special_alt *special_alt, *tmp;
1873 struct alternative *alt;
1874 int ret;
1875
1876 ret = special_get_alts(file->elf, &special_alts);
1877 if (ret)
1878 return ret;
1879
1880 list_for_each_entry_safe(special_alt, tmp, &special_alts, list) {
1881
1882 orig_insn = find_insn(file, special_alt->orig_sec,
1883 special_alt->orig_off);
1884 if (!orig_insn) {
1885 WARN_FUNC("special: can't find orig instruction",
1886 special_alt->orig_sec, special_alt->orig_off);
1887 ret = -1;
1888 goto out;
1889 }
1890
1891 new_insn = NULL;
1892 if (!special_alt->group || special_alt->new_len) {
1893 new_insn = find_insn(file, special_alt->new_sec,
1894 special_alt->new_off);
1895 if (!new_insn) {
1896 WARN_FUNC("special: can't find new instruction",
1897 special_alt->new_sec,
1898 special_alt->new_off);
1899 ret = -1;
1900 goto out;
1901 }
1902 }
1903
1904 if (special_alt->group) {
1905 if (!special_alt->orig_len) {
1906 WARN_INSN(orig_insn, "empty alternative entry");
1907 continue;
1908 }
1909
1910 ret = handle_group_alt(file, special_alt, orig_insn,
1911 &new_insn);
1912 if (ret)
1913 goto out;
1914 } else if (special_alt->jump_or_nop) {
1915 ret = handle_jump_alt(file, special_alt, orig_insn,
1916 &new_insn);
1917 if (ret)
1918 goto out;
1919 }
1920
1921 alt = malloc(sizeof(*alt));
1922 if (!alt) {
1923 WARN("malloc failed");
1924 ret = -1;
1925 goto out;
1926 }
1927
1928 alt->insn = new_insn;
1929 alt->skip_orig = special_alt->skip_orig;
1930 orig_insn->ignore_alts |= special_alt->skip_alt;
1931 alt->next = orig_insn->alts;
1932 orig_insn->alts = alt;
1933
1934 list_del(&special_alt->list);
1935 free(special_alt);
1936 }
1937
1938 if (opts.stats) {
1939 printf("jl\\\tNOP\tJMP\n");
1940 printf("short:\t%ld\t%ld\n", file->jl_nop_short, file->jl_short);
1941 printf("long:\t%ld\t%ld\n", file->jl_nop_long, file->jl_long);
1942 }
1943
1944 out:
1945 return ret;
1946 }
1947
arch_jump_table_sym_offset(struct reloc * reloc,struct reloc * table)1948 __weak unsigned long arch_jump_table_sym_offset(struct reloc *reloc, struct reloc *table)
1949 {
1950 return reloc->sym->offset + reloc_addend(reloc);
1951 }
1952
add_jump_table(struct objtool_file * file,struct instruction * insn)1953 static int add_jump_table(struct objtool_file *file, struct instruction *insn)
1954 {
1955 unsigned long table_size = insn_jump_table_size(insn);
1956 struct symbol *pfunc = insn_func(insn)->pfunc;
1957 struct reloc *table = insn_jump_table(insn);
1958 struct instruction *dest_insn;
1959 unsigned int prev_offset = 0;
1960 struct reloc *reloc = table;
1961 struct alternative *alt;
1962 unsigned long sym_offset;
1963
1964 /*
1965 * Each @reloc is a switch table relocation which points to the target
1966 * instruction.
1967 */
1968 for_each_reloc_from(table->sec, reloc) {
1969
1970 /* Check for the end of the table: */
1971 if (table_size && reloc_offset(reloc) - reloc_offset(table) >= table_size)
1972 break;
1973 if (reloc != table && is_jump_table(reloc))
1974 break;
1975
1976 /* Make sure the table entries are consecutive: */
1977 if (prev_offset && reloc_offset(reloc) != prev_offset + arch_reloc_size(reloc))
1978 break;
1979
1980 sym_offset = arch_jump_table_sym_offset(reloc, table);
1981
1982 /* Detect function pointers from contiguous objects: */
1983 if (reloc->sym->sec == pfunc->sec && sym_offset == pfunc->offset)
1984 break;
1985
1986 /*
1987 * Clang sometimes leaves dangling unused jump table entries
1988 * which point to the end of the function. Ignore them.
1989 */
1990 if (reloc->sym->sec == pfunc->sec &&
1991 sym_offset == pfunc->offset + pfunc->len)
1992 goto next;
1993
1994 dest_insn = find_insn(file, reloc->sym->sec, sym_offset);
1995 if (!dest_insn)
1996 break;
1997
1998 /* Make sure the destination is in the same function: */
1999 if (!insn_func(dest_insn) || insn_func(dest_insn)->pfunc != pfunc)
2000 break;
2001
2002 alt = malloc(sizeof(*alt));
2003 if (!alt) {
2004 WARN("malloc failed");
2005 return -1;
2006 }
2007
2008 alt->insn = dest_insn;
2009 alt->next = insn->alts;
2010 insn->alts = alt;
2011 next:
2012 prev_offset = reloc_offset(reloc);
2013 }
2014
2015 if (!prev_offset) {
2016 WARN_INSN(insn, "can't find switch jump table");
2017 return -1;
2018 }
2019
2020 return 0;
2021 }
2022
2023 /*
2024 * find_jump_table() - Given a dynamic jump, find the switch jump table
2025 * associated with it.
2026 */
find_jump_table(struct objtool_file * file,struct symbol * func,struct instruction * insn)2027 static void find_jump_table(struct objtool_file *file, struct symbol *func,
2028 struct instruction *insn)
2029 {
2030 struct reloc *table_reloc;
2031 struct instruction *dest_insn, *orig_insn = insn;
2032 unsigned long table_size;
2033 unsigned long sym_offset;
2034
2035 /*
2036 * Backward search using the @first_jump_src links, these help avoid
2037 * much of the 'in between' code. Which avoids us getting confused by
2038 * it.
2039 */
2040 for (;
2041 insn && insn_func(insn) && insn_func(insn)->pfunc == func;
2042 insn = insn->first_jump_src ?: prev_insn_same_sym(file, insn)) {
2043
2044 if (insn != orig_insn && insn->type == INSN_JUMP_DYNAMIC)
2045 break;
2046
2047 /* allow small jumps within the range */
2048 if (insn->type == INSN_JUMP_UNCONDITIONAL &&
2049 insn->jump_dest &&
2050 (insn->jump_dest->offset <= insn->offset ||
2051 insn->jump_dest->offset > orig_insn->offset))
2052 break;
2053
2054 table_reloc = arch_find_switch_table(file, insn, &table_size);
2055 if (!table_reloc)
2056 continue;
2057
2058 sym_offset = table_reloc->sym->offset + reloc_addend(table_reloc);
2059
2060 dest_insn = find_insn(file, table_reloc->sym->sec, sym_offset);
2061 if (!dest_insn || !insn_func(dest_insn) || insn_func(dest_insn)->pfunc != func)
2062 continue;
2063
2064 set_jump_table(table_reloc);
2065 orig_insn->_jump_table = table_reloc;
2066 orig_insn->_jump_table_size = table_size;
2067
2068 break;
2069 }
2070 }
2071
2072 /*
2073 * First pass: Mark the head of each jump table so that in the next pass,
2074 * we know when a given jump table ends and the next one starts.
2075 */
mark_func_jump_tables(struct objtool_file * file,struct symbol * func)2076 static void mark_func_jump_tables(struct objtool_file *file,
2077 struct symbol *func)
2078 {
2079 struct instruction *insn, *last = NULL;
2080
2081 func_for_each_insn(file, func, insn) {
2082 if (!last)
2083 last = insn;
2084
2085 /*
2086 * Store back-pointers for unconditional forward jumps such
2087 * that find_jump_table() can back-track using those and
2088 * avoid some potentially confusing code.
2089 */
2090 if (insn->type == INSN_JUMP_UNCONDITIONAL && insn->jump_dest &&
2091 insn->offset > last->offset &&
2092 insn->jump_dest->offset > insn->offset &&
2093 !insn->jump_dest->first_jump_src) {
2094
2095 insn->jump_dest->first_jump_src = insn;
2096 last = insn->jump_dest;
2097 }
2098
2099 if (insn->type != INSN_JUMP_DYNAMIC)
2100 continue;
2101
2102 find_jump_table(file, func, insn);
2103 }
2104 }
2105
add_func_jump_tables(struct objtool_file * file,struct symbol * func)2106 static int add_func_jump_tables(struct objtool_file *file,
2107 struct symbol *func)
2108 {
2109 struct instruction *insn;
2110 int ret;
2111
2112 func_for_each_insn(file, func, insn) {
2113 if (!insn_jump_table(insn))
2114 continue;
2115
2116
2117 ret = add_jump_table(file, insn);
2118 if (ret)
2119 return ret;
2120 }
2121
2122 return 0;
2123 }
2124
2125 /*
2126 * For some switch statements, gcc generates a jump table in the .rodata
2127 * section which contains a list of addresses within the function to jump to.
2128 * This finds these jump tables and adds them to the insn->alts lists.
2129 */
add_jump_table_alts(struct objtool_file * file)2130 static int add_jump_table_alts(struct objtool_file *file)
2131 {
2132 struct symbol *func;
2133 int ret;
2134
2135 if (!file->rodata)
2136 return 0;
2137
2138 for_each_sym(file, func) {
2139 if (func->type != STT_FUNC)
2140 continue;
2141
2142 mark_func_jump_tables(file, func);
2143 ret = add_func_jump_tables(file, func);
2144 if (ret)
2145 return ret;
2146 }
2147
2148 return 0;
2149 }
2150
set_func_state(struct cfi_state * state)2151 static void set_func_state(struct cfi_state *state)
2152 {
2153 state->cfa = initial_func_cfi.cfa;
2154 memcpy(&state->regs, &initial_func_cfi.regs,
2155 CFI_NUM_REGS * sizeof(struct cfi_reg));
2156 state->stack_size = initial_func_cfi.cfa.offset;
2157 state->type = UNWIND_HINT_TYPE_CALL;
2158 }
2159
read_unwind_hints(struct objtool_file * file)2160 static int read_unwind_hints(struct objtool_file *file)
2161 {
2162 struct cfi_state cfi = init_cfi;
2163 struct section *sec;
2164 struct unwind_hint *hint;
2165 struct instruction *insn;
2166 struct reloc *reloc;
2167 unsigned long offset;
2168 int i;
2169
2170 sec = find_section_by_name(file->elf, ".discard.unwind_hints");
2171 if (!sec)
2172 return 0;
2173
2174 if (!sec->rsec) {
2175 WARN("missing .rela.discard.unwind_hints section");
2176 return -1;
2177 }
2178
2179 if (sec->sh.sh_size % sizeof(struct unwind_hint)) {
2180 WARN("struct unwind_hint size mismatch");
2181 return -1;
2182 }
2183
2184 file->hints = true;
2185
2186 for (i = 0; i < sec->sh.sh_size / sizeof(struct unwind_hint); i++) {
2187 hint = (struct unwind_hint *)sec->data->d_buf + i;
2188
2189 reloc = find_reloc_by_dest(file->elf, sec, i * sizeof(*hint));
2190 if (!reloc) {
2191 WARN("can't find reloc for unwind_hints[%d]", i);
2192 return -1;
2193 }
2194
2195 if (reloc->sym->type == STT_SECTION) {
2196 offset = reloc_addend(reloc);
2197 } else if (reloc->sym->local_label) {
2198 offset = reloc->sym->offset;
2199 } else {
2200 WARN("unexpected relocation symbol type in %s", sec->rsec->name);
2201 return -1;
2202 }
2203
2204 insn = find_insn(file, reloc->sym->sec, offset);
2205 if (!insn) {
2206 WARN("can't find insn for unwind_hints[%d]", i);
2207 return -1;
2208 }
2209
2210 insn->hint = true;
2211
2212 if (hint->type == UNWIND_HINT_TYPE_UNDEFINED) {
2213 insn->cfi = &force_undefined_cfi;
2214 continue;
2215 }
2216
2217 if (hint->type == UNWIND_HINT_TYPE_SAVE) {
2218 insn->hint = false;
2219 insn->save = true;
2220 continue;
2221 }
2222
2223 if (hint->type == UNWIND_HINT_TYPE_RESTORE) {
2224 insn->restore = true;
2225 continue;
2226 }
2227
2228 if (hint->type == UNWIND_HINT_TYPE_REGS_PARTIAL) {
2229 struct symbol *sym = find_symbol_by_offset(insn->sec, insn->offset);
2230
2231 if (sym && sym->bind == STB_GLOBAL) {
2232 if (opts.ibt && insn->type != INSN_ENDBR && !insn->noendbr) {
2233 WARN_INSN(insn, "UNWIND_HINT_IRET_REGS without ENDBR");
2234 }
2235 }
2236 }
2237
2238 if (hint->type == UNWIND_HINT_TYPE_FUNC) {
2239 insn->cfi = &func_cfi;
2240 continue;
2241 }
2242
2243 if (insn->cfi)
2244 cfi = *(insn->cfi);
2245
2246 if (arch_decode_hint_reg(hint->sp_reg, &cfi.cfa.base)) {
2247 WARN_INSN(insn, "unsupported unwind_hint sp base reg %d", hint->sp_reg);
2248 return -1;
2249 }
2250
2251 cfi.cfa.offset = bswap_if_needed(file->elf, hint->sp_offset);
2252 cfi.type = hint->type;
2253 cfi.signal = hint->signal;
2254
2255 insn->cfi = cfi_hash_find_or_add(&cfi);
2256 }
2257
2258 return 0;
2259 }
2260
read_annotate(struct objtool_file * file,int (* func)(struct objtool_file * file,int type,struct instruction * insn))2261 static int read_annotate(struct objtool_file *file,
2262 int (*func)(struct objtool_file *file, int type, struct instruction *insn))
2263 {
2264 struct section *sec;
2265 struct instruction *insn;
2266 struct reloc *reloc;
2267 uint64_t offset;
2268 int type, ret;
2269
2270 sec = find_section_by_name(file->elf, ".discard.annotate_insn");
2271 if (!sec)
2272 return 0;
2273
2274 if (!sec->rsec)
2275 return 0;
2276
2277 if (sec->sh.sh_entsize != 8) {
2278 static bool warned = false;
2279 if (!warned && opts.verbose) {
2280 WARN("%s: dodgy linker, sh_entsize != 8", sec->name);
2281 warned = true;
2282 }
2283 sec->sh.sh_entsize = 8;
2284 }
2285
2286 for_each_reloc(sec->rsec, reloc) {
2287 type = *(u32 *)(sec->data->d_buf + (reloc_idx(reloc) * sec->sh.sh_entsize) + 4);
2288
2289 offset = reloc->sym->offset + reloc_addend(reloc);
2290 insn = find_insn(file, reloc->sym->sec, offset);
2291
2292 if (!insn) {
2293 WARN("bad .discard.annotate_insn entry: %d of type %d", reloc_idx(reloc), type);
2294 return -1;
2295 }
2296
2297 ret = func(file, type, insn);
2298 if (ret < 0)
2299 return ret;
2300 }
2301
2302 return 0;
2303 }
2304
__annotate_early(struct objtool_file * file,int type,struct instruction * insn)2305 static int __annotate_early(struct objtool_file *file, int type, struct instruction *insn)
2306 {
2307 switch (type) {
2308 case ANNOTYPE_IGNORE_ALTS:
2309 insn->ignore_alts = true;
2310 break;
2311
2312 /*
2313 * Must be before read_unwind_hints() since that needs insn->noendbr.
2314 */
2315 case ANNOTYPE_NOENDBR:
2316 insn->noendbr = 1;
2317 break;
2318
2319 default:
2320 break;
2321 }
2322
2323 return 0;
2324 }
2325
__annotate_ifc(struct objtool_file * file,int type,struct instruction * insn)2326 static int __annotate_ifc(struct objtool_file *file, int type, struct instruction *insn)
2327 {
2328 unsigned long dest_off;
2329
2330 if (type != ANNOTYPE_INTRA_FUNCTION_CALL)
2331 return 0;
2332
2333 if (insn->type != INSN_CALL) {
2334 WARN_INSN(insn, "intra_function_call not a direct call");
2335 return -1;
2336 }
2337
2338 /*
2339 * Treat intra-function CALLs as JMPs, but with a stack_op.
2340 * See add_call_destinations(), which strips stack_ops from
2341 * normal CALLs.
2342 */
2343 insn->type = INSN_JUMP_UNCONDITIONAL;
2344
2345 dest_off = arch_jump_destination(insn);
2346 insn->jump_dest = find_insn(file, insn->sec, dest_off);
2347 if (!insn->jump_dest) {
2348 WARN_INSN(insn, "can't find call dest at %s+0x%lx",
2349 insn->sec->name, dest_off);
2350 return -1;
2351 }
2352
2353 return 0;
2354 }
2355
__annotate_late(struct objtool_file * file,int type,struct instruction * insn)2356 static int __annotate_late(struct objtool_file *file, int type, struct instruction *insn)
2357 {
2358 switch (type) {
2359 case ANNOTYPE_NOENDBR:
2360 /* early */
2361 break;
2362
2363 case ANNOTYPE_RETPOLINE_SAFE:
2364 if (insn->type != INSN_JUMP_DYNAMIC &&
2365 insn->type != INSN_CALL_DYNAMIC &&
2366 insn->type != INSN_RETURN &&
2367 insn->type != INSN_NOP) {
2368 WARN_INSN(insn, "retpoline_safe hint not an indirect jump/call/ret/nop");
2369 return -1;
2370 }
2371
2372 insn->retpoline_safe = true;
2373 break;
2374
2375 case ANNOTYPE_INSTR_BEGIN:
2376 insn->instr++;
2377 break;
2378
2379 case ANNOTYPE_INSTR_END:
2380 insn->instr--;
2381 break;
2382
2383 case ANNOTYPE_UNRET_BEGIN:
2384 insn->unret = 1;
2385 break;
2386
2387 case ANNOTYPE_IGNORE_ALTS:
2388 /* early */
2389 break;
2390
2391 case ANNOTYPE_INTRA_FUNCTION_CALL:
2392 /* ifc */
2393 break;
2394
2395 case ANNOTYPE_REACHABLE:
2396 insn->dead_end = false;
2397 break;
2398
2399 default:
2400 WARN_INSN(insn, "Unknown annotation type: %d", type);
2401 break;
2402 }
2403
2404 return 0;
2405 }
2406
2407 /*
2408 * Return true if name matches an instrumentation function, where calls to that
2409 * function from noinstr code can safely be removed, but compilers won't do so.
2410 */
is_profiling_func(const char * name)2411 static bool is_profiling_func(const char *name)
2412 {
2413 /*
2414 * Many compilers cannot disable KCOV with a function attribute.
2415 */
2416 if (!strncmp(name, "__sanitizer_cov_", 16))
2417 return true;
2418
2419 /*
2420 * Some compilers currently do not remove __tsan_func_entry/exit nor
2421 * __tsan_atomic_signal_fence (used for barrier instrumentation) with
2422 * the __no_sanitize_thread attribute, remove them. Once the kernel's
2423 * minimum Clang version is 14.0, this can be removed.
2424 */
2425 if (!strncmp(name, "__tsan_func_", 12) ||
2426 !strcmp(name, "__tsan_atomic_signal_fence"))
2427 return true;
2428
2429 return false;
2430 }
2431
classify_symbols(struct objtool_file * file)2432 static int classify_symbols(struct objtool_file *file)
2433 {
2434 struct symbol *func;
2435
2436 for_each_sym(file, func) {
2437 if (func->type == STT_NOTYPE && strstarts(func->name, ".L"))
2438 func->local_label = true;
2439
2440 if (func->bind != STB_GLOBAL)
2441 continue;
2442
2443 if (!strncmp(func->name, STATIC_CALL_TRAMP_PREFIX_STR,
2444 strlen(STATIC_CALL_TRAMP_PREFIX_STR)))
2445 func->static_call_tramp = true;
2446
2447 if (arch_is_retpoline(func))
2448 func->retpoline_thunk = true;
2449
2450 if (arch_is_rethunk(func))
2451 func->return_thunk = true;
2452
2453 if (arch_is_embedded_insn(func))
2454 func->embedded_insn = true;
2455
2456 if (arch_ftrace_match(func->name))
2457 func->fentry = true;
2458
2459 if (is_profiling_func(func->name))
2460 func->profiling_func = true;
2461 }
2462
2463 return 0;
2464 }
2465
mark_rodata(struct objtool_file * file)2466 static void mark_rodata(struct objtool_file *file)
2467 {
2468 struct section *sec;
2469 bool found = false;
2470
2471 /*
2472 * Search for the following rodata sections, each of which can
2473 * potentially contain jump tables:
2474 *
2475 * - .rodata: can contain GCC switch tables
2476 * - .rodata.<func>: same, if -fdata-sections is being used
2477 * - .data.rel.ro.c_jump_table: contains C annotated jump tables
2478 *
2479 * .rodata.str1.* sections are ignored; they don't contain jump tables.
2480 */
2481 for_each_sec(file, sec) {
2482 if ((!strncmp(sec->name, ".rodata", 7) &&
2483 !strstr(sec->name, ".str1.")) ||
2484 !strncmp(sec->name, ".data.rel.ro", 12)) {
2485 sec->rodata = true;
2486 found = true;
2487 }
2488 }
2489
2490 file->rodata = found;
2491 }
2492
decode_sections(struct objtool_file * file)2493 static int decode_sections(struct objtool_file *file)
2494 {
2495 int ret;
2496
2497 mark_rodata(file);
2498
2499 ret = init_pv_ops(file);
2500 if (ret)
2501 return ret;
2502
2503 /*
2504 * Must be before add_{jump_call}_destination.
2505 */
2506 ret = classify_symbols(file);
2507 if (ret)
2508 return ret;
2509
2510 ret = decode_instructions(file);
2511 if (ret)
2512 return ret;
2513
2514 add_ignores(file);
2515 add_uaccess_safe(file);
2516
2517 ret = read_annotate(file, __annotate_early);
2518 if (ret)
2519 return ret;
2520
2521 /*
2522 * Must be before add_jump_destinations(), which depends on 'func'
2523 * being set for alternatives, to enable proper sibling call detection.
2524 */
2525 if (opts.stackval || opts.orc || opts.uaccess || opts.noinstr) {
2526 ret = add_special_section_alts(file);
2527 if (ret)
2528 return ret;
2529 }
2530
2531 ret = add_jump_destinations(file);
2532 if (ret)
2533 return ret;
2534
2535 /*
2536 * Must be before add_call_destination(); it changes INSN_CALL to
2537 * INSN_JUMP.
2538 */
2539 ret = read_annotate(file, __annotate_ifc);
2540 if (ret)
2541 return ret;
2542
2543 ret = add_call_destinations(file);
2544 if (ret)
2545 return ret;
2546
2547 ret = add_jump_table_alts(file);
2548 if (ret)
2549 return ret;
2550
2551 ret = read_unwind_hints(file);
2552 if (ret)
2553 return ret;
2554
2555 /*
2556 * Must be after add_call_destinations() such that it can override
2557 * dead_end_function() marks.
2558 */
2559 ret = read_annotate(file, __annotate_late);
2560 if (ret)
2561 return ret;
2562
2563 return 0;
2564 }
2565
is_special_call(struct instruction * insn)2566 static bool is_special_call(struct instruction *insn)
2567 {
2568 if (insn->type == INSN_CALL) {
2569 struct symbol *dest = insn_call_dest(insn);
2570
2571 if (!dest)
2572 return false;
2573
2574 if (dest->fentry || dest->embedded_insn)
2575 return true;
2576 }
2577
2578 return false;
2579 }
2580
has_modified_stack_frame(struct instruction * insn,struct insn_state * state)2581 static bool has_modified_stack_frame(struct instruction *insn, struct insn_state *state)
2582 {
2583 struct cfi_state *cfi = &state->cfi;
2584 int i;
2585
2586 if (cfi->cfa.base != initial_func_cfi.cfa.base || cfi->drap)
2587 return true;
2588
2589 if (cfi->cfa.offset != initial_func_cfi.cfa.offset)
2590 return true;
2591
2592 if (cfi->stack_size != initial_func_cfi.cfa.offset)
2593 return true;
2594
2595 for (i = 0; i < CFI_NUM_REGS; i++) {
2596 if (cfi->regs[i].base != initial_func_cfi.regs[i].base ||
2597 cfi->regs[i].offset != initial_func_cfi.regs[i].offset)
2598 return true;
2599 }
2600
2601 return false;
2602 }
2603
check_reg_frame_pos(const struct cfi_reg * reg,int expected_offset)2604 static bool check_reg_frame_pos(const struct cfi_reg *reg,
2605 int expected_offset)
2606 {
2607 return reg->base == CFI_CFA &&
2608 reg->offset == expected_offset;
2609 }
2610
has_valid_stack_frame(struct insn_state * state)2611 static bool has_valid_stack_frame(struct insn_state *state)
2612 {
2613 struct cfi_state *cfi = &state->cfi;
2614
2615 if (cfi->cfa.base == CFI_BP &&
2616 check_reg_frame_pos(&cfi->regs[CFI_BP], -cfi->cfa.offset) &&
2617 check_reg_frame_pos(&cfi->regs[CFI_RA], -cfi->cfa.offset + 8))
2618 return true;
2619
2620 if (cfi->drap && cfi->regs[CFI_BP].base == CFI_BP)
2621 return true;
2622
2623 return false;
2624 }
2625
update_cfi_state_regs(struct instruction * insn,struct cfi_state * cfi,struct stack_op * op)2626 static int update_cfi_state_regs(struct instruction *insn,
2627 struct cfi_state *cfi,
2628 struct stack_op *op)
2629 {
2630 struct cfi_reg *cfa = &cfi->cfa;
2631
2632 if (cfa->base != CFI_SP && cfa->base != CFI_SP_INDIRECT)
2633 return 0;
2634
2635 /* push */
2636 if (op->dest.type == OP_DEST_PUSH || op->dest.type == OP_DEST_PUSHF)
2637 cfa->offset += 8;
2638
2639 /* pop */
2640 if (op->src.type == OP_SRC_POP || op->src.type == OP_SRC_POPF)
2641 cfa->offset -= 8;
2642
2643 /* add immediate to sp */
2644 if (op->dest.type == OP_DEST_REG && op->src.type == OP_SRC_ADD &&
2645 op->dest.reg == CFI_SP && op->src.reg == CFI_SP)
2646 cfa->offset -= op->src.offset;
2647
2648 return 0;
2649 }
2650
save_reg(struct cfi_state * cfi,unsigned char reg,int base,int offset)2651 static void save_reg(struct cfi_state *cfi, unsigned char reg, int base, int offset)
2652 {
2653 if (arch_callee_saved_reg(reg) &&
2654 cfi->regs[reg].base == CFI_UNDEFINED) {
2655 cfi->regs[reg].base = base;
2656 cfi->regs[reg].offset = offset;
2657 }
2658 }
2659
restore_reg(struct cfi_state * cfi,unsigned char reg)2660 static void restore_reg(struct cfi_state *cfi, unsigned char reg)
2661 {
2662 cfi->regs[reg].base = initial_func_cfi.regs[reg].base;
2663 cfi->regs[reg].offset = initial_func_cfi.regs[reg].offset;
2664 }
2665
2666 /*
2667 * A note about DRAP stack alignment:
2668 *
2669 * GCC has the concept of a DRAP register, which is used to help keep track of
2670 * the stack pointer when aligning the stack. r10 or r13 is used as the DRAP
2671 * register. The typical DRAP pattern is:
2672 *
2673 * 4c 8d 54 24 08 lea 0x8(%rsp),%r10
2674 * 48 83 e4 c0 and $0xffffffffffffffc0,%rsp
2675 * 41 ff 72 f8 pushq -0x8(%r10)
2676 * 55 push %rbp
2677 * 48 89 e5 mov %rsp,%rbp
2678 * (more pushes)
2679 * 41 52 push %r10
2680 * ...
2681 * 41 5a pop %r10
2682 * (more pops)
2683 * 5d pop %rbp
2684 * 49 8d 62 f8 lea -0x8(%r10),%rsp
2685 * c3 retq
2686 *
2687 * There are some variations in the epilogues, like:
2688 *
2689 * 5b pop %rbx
2690 * 41 5a pop %r10
2691 * 41 5c pop %r12
2692 * 41 5d pop %r13
2693 * 41 5e pop %r14
2694 * c9 leaveq
2695 * 49 8d 62 f8 lea -0x8(%r10),%rsp
2696 * c3 retq
2697 *
2698 * and:
2699 *
2700 * 4c 8b 55 e8 mov -0x18(%rbp),%r10
2701 * 48 8b 5d e0 mov -0x20(%rbp),%rbx
2702 * 4c 8b 65 f0 mov -0x10(%rbp),%r12
2703 * 4c 8b 6d f8 mov -0x8(%rbp),%r13
2704 * c9 leaveq
2705 * 49 8d 62 f8 lea -0x8(%r10),%rsp
2706 * c3 retq
2707 *
2708 * Sometimes r13 is used as the DRAP register, in which case it's saved and
2709 * restored beforehand:
2710 *
2711 * 41 55 push %r13
2712 * 4c 8d 6c 24 10 lea 0x10(%rsp),%r13
2713 * 48 83 e4 f0 and $0xfffffffffffffff0,%rsp
2714 * ...
2715 * 49 8d 65 f0 lea -0x10(%r13),%rsp
2716 * 41 5d pop %r13
2717 * c3 retq
2718 */
update_cfi_state(struct instruction * insn,struct instruction * next_insn,struct cfi_state * cfi,struct stack_op * op)2719 static int update_cfi_state(struct instruction *insn,
2720 struct instruction *next_insn,
2721 struct cfi_state *cfi, struct stack_op *op)
2722 {
2723 struct cfi_reg *cfa = &cfi->cfa;
2724 struct cfi_reg *regs = cfi->regs;
2725
2726 /* ignore UNWIND_HINT_UNDEFINED regions */
2727 if (cfi->force_undefined)
2728 return 0;
2729
2730 /* stack operations don't make sense with an undefined CFA */
2731 if (cfa->base == CFI_UNDEFINED) {
2732 if (insn_func(insn)) {
2733 WARN_INSN(insn, "undefined stack state");
2734 return -1;
2735 }
2736 return 0;
2737 }
2738
2739 if (cfi->type == UNWIND_HINT_TYPE_REGS ||
2740 cfi->type == UNWIND_HINT_TYPE_REGS_PARTIAL)
2741 return update_cfi_state_regs(insn, cfi, op);
2742
2743 switch (op->dest.type) {
2744
2745 case OP_DEST_REG:
2746 switch (op->src.type) {
2747
2748 case OP_SRC_REG:
2749 if (op->src.reg == CFI_SP && op->dest.reg == CFI_BP &&
2750 cfa->base == CFI_SP &&
2751 check_reg_frame_pos(®s[CFI_BP], -cfa->offset)) {
2752
2753 /* mov %rsp, %rbp */
2754 cfa->base = op->dest.reg;
2755 cfi->bp_scratch = false;
2756 }
2757
2758 else if (op->src.reg == CFI_SP &&
2759 op->dest.reg == CFI_BP && cfi->drap) {
2760
2761 /* drap: mov %rsp, %rbp */
2762 regs[CFI_BP].base = CFI_BP;
2763 regs[CFI_BP].offset = -cfi->stack_size;
2764 cfi->bp_scratch = false;
2765 }
2766
2767 else if (op->src.reg == CFI_SP && cfa->base == CFI_SP) {
2768
2769 /*
2770 * mov %rsp, %reg
2771 *
2772 * This is needed for the rare case where GCC
2773 * does:
2774 *
2775 * mov %rsp, %rax
2776 * ...
2777 * mov %rax, %rsp
2778 */
2779 cfi->vals[op->dest.reg].base = CFI_CFA;
2780 cfi->vals[op->dest.reg].offset = -cfi->stack_size;
2781 }
2782
2783 else if (op->src.reg == CFI_BP && op->dest.reg == CFI_SP &&
2784 (cfa->base == CFI_BP || cfa->base == cfi->drap_reg)) {
2785
2786 /*
2787 * mov %rbp, %rsp
2788 *
2789 * Restore the original stack pointer (Clang).
2790 */
2791 cfi->stack_size = -cfi->regs[CFI_BP].offset;
2792 }
2793
2794 else if (op->dest.reg == cfa->base) {
2795
2796 /* mov %reg, %rsp */
2797 if (cfa->base == CFI_SP &&
2798 cfi->vals[op->src.reg].base == CFI_CFA) {
2799
2800 /*
2801 * This is needed for the rare case
2802 * where GCC does something dumb like:
2803 *
2804 * lea 0x8(%rsp), %rcx
2805 * ...
2806 * mov %rcx, %rsp
2807 */
2808 cfa->offset = -cfi->vals[op->src.reg].offset;
2809 cfi->stack_size = cfa->offset;
2810
2811 } else if (cfa->base == CFI_SP &&
2812 cfi->vals[op->src.reg].base == CFI_SP_INDIRECT &&
2813 cfi->vals[op->src.reg].offset == cfa->offset) {
2814
2815 /*
2816 * Stack swizzle:
2817 *
2818 * 1: mov %rsp, (%[tos])
2819 * 2: mov %[tos], %rsp
2820 * ...
2821 * 3: pop %rsp
2822 *
2823 * Where:
2824 *
2825 * 1 - places a pointer to the previous
2826 * stack at the Top-of-Stack of the
2827 * new stack.
2828 *
2829 * 2 - switches to the new stack.
2830 *
2831 * 3 - pops the Top-of-Stack to restore
2832 * the original stack.
2833 *
2834 * Note: we set base to SP_INDIRECT
2835 * here and preserve offset. Therefore
2836 * when the unwinder reaches ToS it
2837 * will dereference SP and then add the
2838 * offset to find the next frame, IOW:
2839 * (%rsp) + offset.
2840 */
2841 cfa->base = CFI_SP_INDIRECT;
2842
2843 } else {
2844 cfa->base = CFI_UNDEFINED;
2845 cfa->offset = 0;
2846 }
2847 }
2848
2849 else if (op->dest.reg == CFI_SP &&
2850 cfi->vals[op->src.reg].base == CFI_SP_INDIRECT &&
2851 cfi->vals[op->src.reg].offset == cfa->offset) {
2852
2853 /*
2854 * The same stack swizzle case 2) as above. But
2855 * because we can't change cfa->base, case 3)
2856 * will become a regular POP. Pretend we're a
2857 * PUSH so things don't go unbalanced.
2858 */
2859 cfi->stack_size += 8;
2860 }
2861
2862
2863 break;
2864
2865 case OP_SRC_ADD:
2866 if (op->dest.reg == CFI_SP && op->src.reg == CFI_SP) {
2867
2868 /* add imm, %rsp */
2869 cfi->stack_size -= op->src.offset;
2870 if (cfa->base == CFI_SP)
2871 cfa->offset -= op->src.offset;
2872 break;
2873 }
2874
2875 if (op->dest.reg == CFI_BP && op->src.reg == CFI_SP &&
2876 insn->sym->frame_pointer) {
2877 /* addi.d fp,sp,imm on LoongArch */
2878 if (cfa->base == CFI_SP && cfa->offset == op->src.offset) {
2879 cfa->base = CFI_BP;
2880 cfa->offset = 0;
2881 }
2882 break;
2883 }
2884
2885 if (op->dest.reg == CFI_SP && op->src.reg == CFI_BP) {
2886 /* addi.d sp,fp,imm on LoongArch */
2887 if (cfa->base == CFI_BP && cfa->offset == 0) {
2888 if (insn->sym->frame_pointer) {
2889 cfa->base = CFI_SP;
2890 cfa->offset = -op->src.offset;
2891 }
2892 } else {
2893 /* lea disp(%rbp), %rsp */
2894 cfi->stack_size = -(op->src.offset + regs[CFI_BP].offset);
2895 }
2896 break;
2897 }
2898
2899 if (op->src.reg == CFI_SP && cfa->base == CFI_SP) {
2900
2901 /* drap: lea disp(%rsp), %drap */
2902 cfi->drap_reg = op->dest.reg;
2903
2904 /*
2905 * lea disp(%rsp), %reg
2906 *
2907 * This is needed for the rare case where GCC
2908 * does something dumb like:
2909 *
2910 * lea 0x8(%rsp), %rcx
2911 * ...
2912 * mov %rcx, %rsp
2913 */
2914 cfi->vals[op->dest.reg].base = CFI_CFA;
2915 cfi->vals[op->dest.reg].offset = \
2916 -cfi->stack_size + op->src.offset;
2917
2918 break;
2919 }
2920
2921 if (cfi->drap && op->dest.reg == CFI_SP &&
2922 op->src.reg == cfi->drap_reg) {
2923
2924 /* drap: lea disp(%drap), %rsp */
2925 cfa->base = CFI_SP;
2926 cfa->offset = cfi->stack_size = -op->src.offset;
2927 cfi->drap_reg = CFI_UNDEFINED;
2928 cfi->drap = false;
2929 break;
2930 }
2931
2932 if (op->dest.reg == cfi->cfa.base && !(next_insn && next_insn->hint)) {
2933 WARN_INSN(insn, "unsupported stack register modification");
2934 return -1;
2935 }
2936
2937 break;
2938
2939 case OP_SRC_AND:
2940 if (op->dest.reg != CFI_SP ||
2941 (cfi->drap_reg != CFI_UNDEFINED && cfa->base != CFI_SP) ||
2942 (cfi->drap_reg == CFI_UNDEFINED && cfa->base != CFI_BP)) {
2943 WARN_INSN(insn, "unsupported stack pointer realignment");
2944 return -1;
2945 }
2946
2947 if (cfi->drap_reg != CFI_UNDEFINED) {
2948 /* drap: and imm, %rsp */
2949 cfa->base = cfi->drap_reg;
2950 cfa->offset = cfi->stack_size = 0;
2951 cfi->drap = true;
2952 }
2953
2954 /*
2955 * Older versions of GCC (4.8ish) realign the stack
2956 * without DRAP, with a frame pointer.
2957 */
2958
2959 break;
2960
2961 case OP_SRC_POP:
2962 case OP_SRC_POPF:
2963 if (op->dest.reg == CFI_SP && cfa->base == CFI_SP_INDIRECT) {
2964
2965 /* pop %rsp; # restore from a stack swizzle */
2966 cfa->base = CFI_SP;
2967 break;
2968 }
2969
2970 if (!cfi->drap && op->dest.reg == cfa->base) {
2971
2972 /* pop %rbp */
2973 cfa->base = CFI_SP;
2974 }
2975
2976 if (cfi->drap && cfa->base == CFI_BP_INDIRECT &&
2977 op->dest.reg == cfi->drap_reg &&
2978 cfi->drap_offset == -cfi->stack_size) {
2979
2980 /* drap: pop %drap */
2981 cfa->base = cfi->drap_reg;
2982 cfa->offset = 0;
2983 cfi->drap_offset = -1;
2984
2985 } else if (cfi->stack_size == -regs[op->dest.reg].offset) {
2986
2987 /* pop %reg */
2988 restore_reg(cfi, op->dest.reg);
2989 }
2990
2991 cfi->stack_size -= 8;
2992 if (cfa->base == CFI_SP)
2993 cfa->offset -= 8;
2994
2995 break;
2996
2997 case OP_SRC_REG_INDIRECT:
2998 if (!cfi->drap && op->dest.reg == cfa->base &&
2999 op->dest.reg == CFI_BP) {
3000
3001 /* mov disp(%rsp), %rbp */
3002 cfa->base = CFI_SP;
3003 cfa->offset = cfi->stack_size;
3004 }
3005
3006 if (cfi->drap && op->src.reg == CFI_BP &&
3007 op->src.offset == cfi->drap_offset) {
3008
3009 /* drap: mov disp(%rbp), %drap */
3010 cfa->base = cfi->drap_reg;
3011 cfa->offset = 0;
3012 cfi->drap_offset = -1;
3013 }
3014
3015 if (cfi->drap && op->src.reg == CFI_BP &&
3016 op->src.offset == regs[op->dest.reg].offset) {
3017
3018 /* drap: mov disp(%rbp), %reg */
3019 restore_reg(cfi, op->dest.reg);
3020
3021 } else if (op->src.reg == cfa->base &&
3022 op->src.offset == regs[op->dest.reg].offset + cfa->offset) {
3023
3024 /* mov disp(%rbp), %reg */
3025 /* mov disp(%rsp), %reg */
3026 restore_reg(cfi, op->dest.reg);
3027
3028 } else if (op->src.reg == CFI_SP &&
3029 op->src.offset == regs[op->dest.reg].offset + cfi->stack_size) {
3030
3031 /* mov disp(%rsp), %reg */
3032 restore_reg(cfi, op->dest.reg);
3033 }
3034
3035 break;
3036
3037 default:
3038 WARN_INSN(insn, "unknown stack-related instruction");
3039 return -1;
3040 }
3041
3042 break;
3043
3044 case OP_DEST_PUSH:
3045 case OP_DEST_PUSHF:
3046 cfi->stack_size += 8;
3047 if (cfa->base == CFI_SP)
3048 cfa->offset += 8;
3049
3050 if (op->src.type != OP_SRC_REG)
3051 break;
3052
3053 if (cfi->drap) {
3054 if (op->src.reg == cfa->base && op->src.reg == cfi->drap_reg) {
3055
3056 /* drap: push %drap */
3057 cfa->base = CFI_BP_INDIRECT;
3058 cfa->offset = -cfi->stack_size;
3059
3060 /* save drap so we know when to restore it */
3061 cfi->drap_offset = -cfi->stack_size;
3062
3063 } else if (op->src.reg == CFI_BP && cfa->base == cfi->drap_reg) {
3064
3065 /* drap: push %rbp */
3066 cfi->stack_size = 0;
3067
3068 } else {
3069
3070 /* drap: push %reg */
3071 save_reg(cfi, op->src.reg, CFI_BP, -cfi->stack_size);
3072 }
3073
3074 } else {
3075
3076 /* push %reg */
3077 save_reg(cfi, op->src.reg, CFI_CFA, -cfi->stack_size);
3078 }
3079
3080 /* detect when asm code uses rbp as a scratch register */
3081 if (opts.stackval && insn_func(insn) && op->src.reg == CFI_BP &&
3082 cfa->base != CFI_BP)
3083 cfi->bp_scratch = true;
3084 break;
3085
3086 case OP_DEST_REG_INDIRECT:
3087
3088 if (cfi->drap) {
3089 if (op->src.reg == cfa->base && op->src.reg == cfi->drap_reg) {
3090
3091 /* drap: mov %drap, disp(%rbp) */
3092 cfa->base = CFI_BP_INDIRECT;
3093 cfa->offset = op->dest.offset;
3094
3095 /* save drap offset so we know when to restore it */
3096 cfi->drap_offset = op->dest.offset;
3097 } else {
3098
3099 /* drap: mov reg, disp(%rbp) */
3100 save_reg(cfi, op->src.reg, CFI_BP, op->dest.offset);
3101 }
3102
3103 } else if (op->dest.reg == cfa->base) {
3104
3105 /* mov reg, disp(%rbp) */
3106 /* mov reg, disp(%rsp) */
3107 save_reg(cfi, op->src.reg, CFI_CFA,
3108 op->dest.offset - cfi->cfa.offset);
3109
3110 } else if (op->dest.reg == CFI_SP) {
3111
3112 /* mov reg, disp(%rsp) */
3113 save_reg(cfi, op->src.reg, CFI_CFA,
3114 op->dest.offset - cfi->stack_size);
3115
3116 } else if (op->src.reg == CFI_SP && op->dest.offset == 0) {
3117
3118 /* mov %rsp, (%reg); # setup a stack swizzle. */
3119 cfi->vals[op->dest.reg].base = CFI_SP_INDIRECT;
3120 cfi->vals[op->dest.reg].offset = cfa->offset;
3121 }
3122
3123 break;
3124
3125 case OP_DEST_MEM:
3126 if (op->src.type != OP_SRC_POP && op->src.type != OP_SRC_POPF) {
3127 WARN_INSN(insn, "unknown stack-related memory operation");
3128 return -1;
3129 }
3130
3131 /* pop mem */
3132 cfi->stack_size -= 8;
3133 if (cfa->base == CFI_SP)
3134 cfa->offset -= 8;
3135
3136 break;
3137
3138 default:
3139 WARN_INSN(insn, "unknown stack-related instruction");
3140 return -1;
3141 }
3142
3143 return 0;
3144 }
3145
3146 /*
3147 * The stack layouts of alternatives instructions can sometimes diverge when
3148 * they have stack modifications. That's fine as long as the potential stack
3149 * layouts don't conflict at any given potential instruction boundary.
3150 *
3151 * Flatten the CFIs of the different alternative code streams (both original
3152 * and replacement) into a single shared CFI array which can be used to detect
3153 * conflicts and nicely feed a linear array of ORC entries to the unwinder.
3154 */
propagate_alt_cfi(struct objtool_file * file,struct instruction * insn)3155 static int propagate_alt_cfi(struct objtool_file *file, struct instruction *insn)
3156 {
3157 struct cfi_state **alt_cfi;
3158 int group_off;
3159
3160 if (!insn->alt_group)
3161 return 0;
3162
3163 if (!insn->cfi) {
3164 WARN("CFI missing");
3165 return -1;
3166 }
3167
3168 alt_cfi = insn->alt_group->cfi;
3169 group_off = insn->offset - insn->alt_group->first_insn->offset;
3170
3171 if (!alt_cfi[group_off]) {
3172 alt_cfi[group_off] = insn->cfi;
3173 } else {
3174 if (cficmp(alt_cfi[group_off], insn->cfi)) {
3175 struct alt_group *orig_group = insn->alt_group->orig_group ?: insn->alt_group;
3176 struct instruction *orig = orig_group->first_insn;
3177 char *where = offstr(insn->sec, insn->offset);
3178 WARN_INSN(orig, "stack layout conflict in alternatives: %s", where);
3179 free(where);
3180 return -1;
3181 }
3182 }
3183
3184 return 0;
3185 }
3186
handle_insn_ops(struct instruction * insn,struct instruction * next_insn,struct insn_state * state)3187 static int handle_insn_ops(struct instruction *insn,
3188 struct instruction *next_insn,
3189 struct insn_state *state)
3190 {
3191 struct stack_op *op;
3192
3193 for (op = insn->stack_ops; op; op = op->next) {
3194
3195 if (update_cfi_state(insn, next_insn, &state->cfi, op))
3196 return 1;
3197
3198 if (!insn->alt_group)
3199 continue;
3200
3201 if (op->dest.type == OP_DEST_PUSHF) {
3202 if (!state->uaccess_stack) {
3203 state->uaccess_stack = 1;
3204 } else if (state->uaccess_stack >> 31) {
3205 WARN_INSN(insn, "PUSHF stack exhausted");
3206 return 1;
3207 }
3208 state->uaccess_stack <<= 1;
3209 state->uaccess_stack |= state->uaccess;
3210 }
3211
3212 if (op->src.type == OP_SRC_POPF) {
3213 if (state->uaccess_stack) {
3214 state->uaccess = state->uaccess_stack & 1;
3215 state->uaccess_stack >>= 1;
3216 if (state->uaccess_stack == 1)
3217 state->uaccess_stack = 0;
3218 }
3219 }
3220 }
3221
3222 return 0;
3223 }
3224
insn_cfi_match(struct instruction * insn,struct cfi_state * cfi2)3225 static bool insn_cfi_match(struct instruction *insn, struct cfi_state *cfi2)
3226 {
3227 struct cfi_state *cfi1 = insn->cfi;
3228 int i;
3229
3230 if (!cfi1) {
3231 WARN("CFI missing");
3232 return false;
3233 }
3234
3235 if (memcmp(&cfi1->cfa, &cfi2->cfa, sizeof(cfi1->cfa))) {
3236
3237 WARN_INSN(insn, "stack state mismatch: cfa1=%d%+d cfa2=%d%+d",
3238 cfi1->cfa.base, cfi1->cfa.offset,
3239 cfi2->cfa.base, cfi2->cfa.offset);
3240
3241 } else if (memcmp(&cfi1->regs, &cfi2->regs, sizeof(cfi1->regs))) {
3242 for (i = 0; i < CFI_NUM_REGS; i++) {
3243 if (!memcmp(&cfi1->regs[i], &cfi2->regs[i],
3244 sizeof(struct cfi_reg)))
3245 continue;
3246
3247 WARN_INSN(insn, "stack state mismatch: reg1[%d]=%d%+d reg2[%d]=%d%+d",
3248 i, cfi1->regs[i].base, cfi1->regs[i].offset,
3249 i, cfi2->regs[i].base, cfi2->regs[i].offset);
3250 break;
3251 }
3252
3253 } else if (cfi1->type != cfi2->type) {
3254
3255 WARN_INSN(insn, "stack state mismatch: type1=%d type2=%d",
3256 cfi1->type, cfi2->type);
3257
3258 } else if (cfi1->drap != cfi2->drap ||
3259 (cfi1->drap && cfi1->drap_reg != cfi2->drap_reg) ||
3260 (cfi1->drap && cfi1->drap_offset != cfi2->drap_offset)) {
3261
3262 WARN_INSN(insn, "stack state mismatch: drap1=%d(%d,%d) drap2=%d(%d,%d)",
3263 cfi1->drap, cfi1->drap_reg, cfi1->drap_offset,
3264 cfi2->drap, cfi2->drap_reg, cfi2->drap_offset);
3265
3266 } else
3267 return true;
3268
3269 return false;
3270 }
3271
func_uaccess_safe(struct symbol * func)3272 static inline bool func_uaccess_safe(struct symbol *func)
3273 {
3274 if (func)
3275 return func->uaccess_safe;
3276
3277 return false;
3278 }
3279
call_dest_name(struct instruction * insn)3280 static inline const char *call_dest_name(struct instruction *insn)
3281 {
3282 static char pvname[19];
3283 struct reloc *reloc;
3284 int idx;
3285
3286 if (insn_call_dest(insn))
3287 return insn_call_dest(insn)->name;
3288
3289 reloc = insn_reloc(NULL, insn);
3290 if (reloc && !strcmp(reloc->sym->name, "pv_ops")) {
3291 idx = (reloc_addend(reloc) / sizeof(void *));
3292 snprintf(pvname, sizeof(pvname), "pv_ops[%d]", idx);
3293 return pvname;
3294 }
3295
3296 return "{dynamic}";
3297 }
3298
pv_call_dest(struct objtool_file * file,struct instruction * insn)3299 static bool pv_call_dest(struct objtool_file *file, struct instruction *insn)
3300 {
3301 struct symbol *target;
3302 struct reloc *reloc;
3303 int idx;
3304
3305 reloc = insn_reloc(file, insn);
3306 if (!reloc || strcmp(reloc->sym->name, "pv_ops"))
3307 return false;
3308
3309 idx = (arch_dest_reloc_offset(reloc_addend(reloc)) / sizeof(void *));
3310
3311 if (file->pv_ops[idx].clean)
3312 return true;
3313
3314 file->pv_ops[idx].clean = true;
3315
3316 list_for_each_entry(target, &file->pv_ops[idx].targets, pv_target) {
3317 if (!target->sec->noinstr) {
3318 WARN("pv_ops[%d]: %s", idx, target->name);
3319 file->pv_ops[idx].clean = false;
3320 }
3321 }
3322
3323 return file->pv_ops[idx].clean;
3324 }
3325
noinstr_call_dest(struct objtool_file * file,struct instruction * insn,struct symbol * func)3326 static inline bool noinstr_call_dest(struct objtool_file *file,
3327 struct instruction *insn,
3328 struct symbol *func)
3329 {
3330 /*
3331 * We can't deal with indirect function calls at present;
3332 * assume they're instrumented.
3333 */
3334 if (!func) {
3335 if (file->pv_ops)
3336 return pv_call_dest(file, insn);
3337
3338 return false;
3339 }
3340
3341 /*
3342 * If the symbol is from a noinstr section; we good.
3343 */
3344 if (func->sec->noinstr)
3345 return true;
3346
3347 /*
3348 * If the symbol is a static_call trampoline, we can't tell.
3349 */
3350 if (func->static_call_tramp)
3351 return true;
3352
3353 /*
3354 * The __ubsan_handle_*() calls are like WARN(), they only happen when
3355 * something 'BAD' happened. At the risk of taking the machine down,
3356 * let them proceed to get the message out.
3357 */
3358 if (!strncmp(func->name, "__ubsan_handle_", 15))
3359 return true;
3360
3361 return false;
3362 }
3363
validate_call(struct objtool_file * file,struct instruction * insn,struct insn_state * state)3364 static int validate_call(struct objtool_file *file,
3365 struct instruction *insn,
3366 struct insn_state *state)
3367 {
3368 if (state->noinstr && state->instr <= 0 &&
3369 !noinstr_call_dest(file, insn, insn_call_dest(insn))) {
3370 WARN_INSN(insn, "call to %s() leaves .noinstr.text section", call_dest_name(insn));
3371 return 1;
3372 }
3373
3374 if (state->uaccess && !func_uaccess_safe(insn_call_dest(insn))) {
3375 WARN_INSN(insn, "call to %s() with UACCESS enabled", call_dest_name(insn));
3376 return 1;
3377 }
3378
3379 if (state->df) {
3380 WARN_INSN(insn, "call to %s() with DF set", call_dest_name(insn));
3381 return 1;
3382 }
3383
3384 return 0;
3385 }
3386
validate_sibling_call(struct objtool_file * file,struct instruction * insn,struct insn_state * state)3387 static int validate_sibling_call(struct objtool_file *file,
3388 struct instruction *insn,
3389 struct insn_state *state)
3390 {
3391 if (insn_func(insn) && has_modified_stack_frame(insn, state)) {
3392 WARN_INSN(insn, "sibling call from callable instruction with modified stack frame");
3393 return 1;
3394 }
3395
3396 return validate_call(file, insn, state);
3397 }
3398
validate_return(struct symbol * func,struct instruction * insn,struct insn_state * state)3399 static int validate_return(struct symbol *func, struct instruction *insn, struct insn_state *state)
3400 {
3401 if (state->noinstr && state->instr > 0) {
3402 WARN_INSN(insn, "return with instrumentation enabled");
3403 return 1;
3404 }
3405
3406 if (state->uaccess && !func_uaccess_safe(func)) {
3407 WARN_INSN(insn, "return with UACCESS enabled");
3408 return 1;
3409 }
3410
3411 if (!state->uaccess && func_uaccess_safe(func)) {
3412 WARN_INSN(insn, "return with UACCESS disabled from a UACCESS-safe function");
3413 return 1;
3414 }
3415
3416 if (state->df) {
3417 WARN_INSN(insn, "return with DF set");
3418 return 1;
3419 }
3420
3421 if (func && has_modified_stack_frame(insn, state)) {
3422 WARN_INSN(insn, "return with modified stack frame");
3423 return 1;
3424 }
3425
3426 if (state->cfi.bp_scratch) {
3427 WARN_INSN(insn, "BP used as a scratch register");
3428 return 1;
3429 }
3430
3431 return 0;
3432 }
3433
next_insn_to_validate(struct objtool_file * file,struct instruction * insn)3434 static struct instruction *next_insn_to_validate(struct objtool_file *file,
3435 struct instruction *insn)
3436 {
3437 struct alt_group *alt_group = insn->alt_group;
3438
3439 /*
3440 * Simulate the fact that alternatives are patched in-place. When the
3441 * end of a replacement alt_group is reached, redirect objtool flow to
3442 * the end of the original alt_group.
3443 *
3444 * insn->alts->insn -> alt_group->first_insn
3445 * ...
3446 * alt_group->last_insn
3447 * [alt_group->nop] -> next(orig_group->last_insn)
3448 */
3449 if (alt_group) {
3450 if (alt_group->nop) {
3451 /* ->nop implies ->orig_group */
3452 if (insn == alt_group->last_insn)
3453 return alt_group->nop;
3454 if (insn == alt_group->nop)
3455 goto next_orig;
3456 }
3457 if (insn == alt_group->last_insn && alt_group->orig_group)
3458 goto next_orig;
3459 }
3460
3461 return next_insn_same_sec(file, insn);
3462
3463 next_orig:
3464 return next_insn_same_sec(file, alt_group->orig_group->last_insn);
3465 }
3466
3467 /*
3468 * Follow the branch starting at the given instruction, and recursively follow
3469 * any other branches (jumps). Meanwhile, track the frame pointer state at
3470 * each instruction and validate all the rules described in
3471 * tools/objtool/Documentation/objtool.txt.
3472 */
validate_branch(struct objtool_file * file,struct symbol * func,struct instruction * insn,struct insn_state state)3473 static int validate_branch(struct objtool_file *file, struct symbol *func,
3474 struct instruction *insn, struct insn_state state)
3475 {
3476 struct alternative *alt;
3477 struct instruction *next_insn, *prev_insn = NULL;
3478 struct section *sec;
3479 u8 visited;
3480 int ret;
3481
3482 sec = insn->sec;
3483
3484 while (1) {
3485 next_insn = next_insn_to_validate(file, insn);
3486
3487 if (func && insn_func(insn) && func != insn_func(insn)->pfunc) {
3488 /* Ignore KCFI type preambles, which always fall through */
3489 if (!strncmp(func->name, "__cfi_", 6) ||
3490 !strncmp(func->name, "__pfx_", 6))
3491 return 0;
3492
3493 WARN("%s() falls through to next function %s()",
3494 func->name, insn_func(insn)->name);
3495 return 1;
3496 }
3497
3498 if (func && insn->ignore) {
3499 WARN_INSN(insn, "BUG: why am I validating an ignored function?");
3500 return 1;
3501 }
3502
3503 visited = VISITED_BRANCH << state.uaccess;
3504 if (insn->visited & VISITED_BRANCH_MASK) {
3505 if (!insn->hint && !insn_cfi_match(insn, &state.cfi))
3506 return 1;
3507
3508 if (insn->visited & visited)
3509 return 0;
3510 } else {
3511 nr_insns_visited++;
3512 }
3513
3514 if (state.noinstr)
3515 state.instr += insn->instr;
3516
3517 if (insn->hint) {
3518 if (insn->restore) {
3519 struct instruction *save_insn, *i;
3520
3521 i = insn;
3522 save_insn = NULL;
3523
3524 sym_for_each_insn_continue_reverse(file, func, i) {
3525 if (i->save) {
3526 save_insn = i;
3527 break;
3528 }
3529 }
3530
3531 if (!save_insn) {
3532 WARN_INSN(insn, "no corresponding CFI save for CFI restore");
3533 return 1;
3534 }
3535
3536 if (!save_insn->visited) {
3537 /*
3538 * If the restore hint insn is at the
3539 * beginning of a basic block and was
3540 * branched to from elsewhere, and the
3541 * save insn hasn't been visited yet,
3542 * defer following this branch for now.
3543 * It will be seen later via the
3544 * straight-line path.
3545 */
3546 if (!prev_insn)
3547 return 0;
3548
3549 WARN_INSN(insn, "objtool isn't smart enough to handle this CFI save/restore combo");
3550 return 1;
3551 }
3552
3553 insn->cfi = save_insn->cfi;
3554 nr_cfi_reused++;
3555 }
3556
3557 state.cfi = *insn->cfi;
3558 } else {
3559 /* XXX track if we actually changed state.cfi */
3560
3561 if (prev_insn && !cficmp(prev_insn->cfi, &state.cfi)) {
3562 insn->cfi = prev_insn->cfi;
3563 nr_cfi_reused++;
3564 } else {
3565 insn->cfi = cfi_hash_find_or_add(&state.cfi);
3566 }
3567 }
3568
3569 insn->visited |= visited;
3570
3571 if (propagate_alt_cfi(file, insn))
3572 return 1;
3573
3574 if (!insn->ignore_alts && insn->alts) {
3575 bool skip_orig = false;
3576
3577 for (alt = insn->alts; alt; alt = alt->next) {
3578 if (alt->skip_orig)
3579 skip_orig = true;
3580
3581 ret = validate_branch(file, func, alt->insn, state);
3582 if (ret) {
3583 BT_INSN(insn, "(alt)");
3584 return ret;
3585 }
3586 }
3587
3588 if (skip_orig)
3589 return 0;
3590 }
3591
3592 if (handle_insn_ops(insn, next_insn, &state))
3593 return 1;
3594
3595 switch (insn->type) {
3596
3597 case INSN_RETURN:
3598 return validate_return(func, insn, &state);
3599
3600 case INSN_CALL:
3601 case INSN_CALL_DYNAMIC:
3602 ret = validate_call(file, insn, &state);
3603 if (ret)
3604 return ret;
3605
3606 if (opts.stackval && func && !is_special_call(insn) &&
3607 !has_valid_stack_frame(&state)) {
3608 WARN_INSN(insn, "call without frame pointer save/setup");
3609 return 1;
3610 }
3611
3612 if (insn->dead_end)
3613 return 0;
3614
3615 break;
3616
3617 case INSN_JUMP_CONDITIONAL:
3618 case INSN_JUMP_UNCONDITIONAL:
3619 if (is_sibling_call(insn)) {
3620 ret = validate_sibling_call(file, insn, &state);
3621 if (ret)
3622 return ret;
3623
3624 } else if (insn->jump_dest) {
3625 ret = validate_branch(file, func,
3626 insn->jump_dest, state);
3627 if (ret) {
3628 BT_INSN(insn, "(branch)");
3629 return ret;
3630 }
3631 }
3632
3633 if (insn->type == INSN_JUMP_UNCONDITIONAL)
3634 return 0;
3635
3636 break;
3637
3638 case INSN_JUMP_DYNAMIC:
3639 case INSN_JUMP_DYNAMIC_CONDITIONAL:
3640 if (is_sibling_call(insn)) {
3641 ret = validate_sibling_call(file, insn, &state);
3642 if (ret)
3643 return ret;
3644 }
3645
3646 if (insn->type == INSN_JUMP_DYNAMIC)
3647 return 0;
3648
3649 break;
3650
3651 case INSN_CONTEXT_SWITCH:
3652 if (func) {
3653 if (!next_insn || !next_insn->hint) {
3654 WARN_INSN(insn, "unsupported instruction in callable function");
3655 return 1;
3656 }
3657 break;
3658 }
3659 return 0;
3660
3661 case INSN_STAC:
3662 if (state.uaccess) {
3663 WARN_INSN(insn, "recursive UACCESS enable");
3664 return 1;
3665 }
3666
3667 state.uaccess = true;
3668 break;
3669
3670 case INSN_CLAC:
3671 if (!state.uaccess && func) {
3672 WARN_INSN(insn, "redundant UACCESS disable");
3673 return 1;
3674 }
3675
3676 if (func_uaccess_safe(func) && !state.uaccess_stack) {
3677 WARN_INSN(insn, "UACCESS-safe disables UACCESS");
3678 return 1;
3679 }
3680
3681 state.uaccess = false;
3682 break;
3683
3684 case INSN_STD:
3685 if (state.df) {
3686 WARN_INSN(insn, "recursive STD");
3687 return 1;
3688 }
3689
3690 state.df = true;
3691 break;
3692
3693 case INSN_CLD:
3694 if (!state.df && func) {
3695 WARN_INSN(insn, "redundant CLD");
3696 return 1;
3697 }
3698
3699 state.df = false;
3700 break;
3701
3702 default:
3703 break;
3704 }
3705
3706 if (insn->dead_end)
3707 return 0;
3708
3709 if (!next_insn) {
3710 if (state.cfi.cfa.base == CFI_UNDEFINED)
3711 return 0;
3712 WARN("%s: unexpected end of section", sec->name);
3713 return 1;
3714 }
3715
3716 prev_insn = insn;
3717 insn = next_insn;
3718 }
3719
3720 return 0;
3721 }
3722
validate_unwind_hint(struct objtool_file * file,struct instruction * insn,struct insn_state * state)3723 static int validate_unwind_hint(struct objtool_file *file,
3724 struct instruction *insn,
3725 struct insn_state *state)
3726 {
3727 if (insn->hint && !insn->visited && !insn->ignore) {
3728 int ret = validate_branch(file, insn_func(insn), insn, *state);
3729 if (ret)
3730 BT_INSN(insn, "<=== (hint)");
3731 return ret;
3732 }
3733
3734 return 0;
3735 }
3736
validate_unwind_hints(struct objtool_file * file,struct section * sec)3737 static int validate_unwind_hints(struct objtool_file *file, struct section *sec)
3738 {
3739 struct instruction *insn;
3740 struct insn_state state;
3741 int warnings = 0;
3742
3743 if (!file->hints)
3744 return 0;
3745
3746 init_insn_state(file, &state, sec);
3747
3748 if (sec) {
3749 sec_for_each_insn(file, sec, insn)
3750 warnings += validate_unwind_hint(file, insn, &state);
3751 } else {
3752 for_each_insn(file, insn)
3753 warnings += validate_unwind_hint(file, insn, &state);
3754 }
3755
3756 return warnings;
3757 }
3758
3759 /*
3760 * Validate rethunk entry constraint: must untrain RET before the first RET.
3761 *
3762 * Follow every branch (intra-function) and ensure VALIDATE_UNRET_END comes
3763 * before an actual RET instruction.
3764 */
validate_unret(struct objtool_file * file,struct instruction * insn)3765 static int validate_unret(struct objtool_file *file, struct instruction *insn)
3766 {
3767 struct instruction *next, *dest;
3768 int ret;
3769
3770 for (;;) {
3771 next = next_insn_to_validate(file, insn);
3772
3773 if (insn->visited & VISITED_UNRET)
3774 return 0;
3775
3776 insn->visited |= VISITED_UNRET;
3777
3778 if (!insn->ignore_alts && insn->alts) {
3779 struct alternative *alt;
3780 bool skip_orig = false;
3781
3782 for (alt = insn->alts; alt; alt = alt->next) {
3783 if (alt->skip_orig)
3784 skip_orig = true;
3785
3786 ret = validate_unret(file, alt->insn);
3787 if (ret) {
3788 BT_INSN(insn, "(alt)");
3789 return ret;
3790 }
3791 }
3792
3793 if (skip_orig)
3794 return 0;
3795 }
3796
3797 switch (insn->type) {
3798
3799 case INSN_CALL_DYNAMIC:
3800 case INSN_JUMP_DYNAMIC:
3801 case INSN_JUMP_DYNAMIC_CONDITIONAL:
3802 WARN_INSN(insn, "early indirect call");
3803 return 1;
3804
3805 case INSN_JUMP_UNCONDITIONAL:
3806 case INSN_JUMP_CONDITIONAL:
3807 if (!is_sibling_call(insn)) {
3808 if (!insn->jump_dest) {
3809 WARN_INSN(insn, "unresolved jump target after linking?!?");
3810 return -1;
3811 }
3812 ret = validate_unret(file, insn->jump_dest);
3813 if (ret) {
3814 BT_INSN(insn, "(branch%s)",
3815 insn->type == INSN_JUMP_CONDITIONAL ? "-cond" : "");
3816 return ret;
3817 }
3818
3819 if (insn->type == INSN_JUMP_UNCONDITIONAL)
3820 return 0;
3821
3822 break;
3823 }
3824
3825 /* fallthrough */
3826 case INSN_CALL:
3827 dest = find_insn(file, insn_call_dest(insn)->sec,
3828 insn_call_dest(insn)->offset);
3829 if (!dest) {
3830 WARN("Unresolved function after linking!?: %s",
3831 insn_call_dest(insn)->name);
3832 return -1;
3833 }
3834
3835 ret = validate_unret(file, dest);
3836 if (ret) {
3837 BT_INSN(insn, "(call)");
3838 return ret;
3839 }
3840 /*
3841 * If a call returns without error, it must have seen UNTRAIN_RET.
3842 * Therefore any non-error return is a success.
3843 */
3844 return 0;
3845
3846 case INSN_RETURN:
3847 WARN_INSN(insn, "RET before UNTRAIN");
3848 return 1;
3849
3850 case INSN_CONTEXT_SWITCH:
3851 if (insn_func(insn))
3852 break;
3853 return 0;
3854
3855 case INSN_NOP:
3856 if (insn->retpoline_safe)
3857 return 0;
3858 break;
3859
3860 default:
3861 break;
3862 }
3863
3864 if (!next) {
3865 WARN_INSN(insn, "teh end!");
3866 return -1;
3867 }
3868 insn = next;
3869 }
3870
3871 return 0;
3872 }
3873
3874 /*
3875 * Validate that all branches starting at VALIDATE_UNRET_BEGIN encounter
3876 * VALIDATE_UNRET_END before RET.
3877 */
validate_unrets(struct objtool_file * file)3878 static int validate_unrets(struct objtool_file *file)
3879 {
3880 struct instruction *insn;
3881 int ret, warnings = 0;
3882
3883 for_each_insn(file, insn) {
3884 if (!insn->unret)
3885 continue;
3886
3887 ret = validate_unret(file, insn);
3888 if (ret < 0) {
3889 WARN_INSN(insn, "Failed UNRET validation");
3890 return ret;
3891 }
3892 warnings += ret;
3893 }
3894
3895 return warnings;
3896 }
3897
validate_retpoline(struct objtool_file * file)3898 static int validate_retpoline(struct objtool_file *file)
3899 {
3900 struct instruction *insn;
3901 int warnings = 0;
3902
3903 for_each_insn(file, insn) {
3904 if (insn->type != INSN_JUMP_DYNAMIC &&
3905 insn->type != INSN_CALL_DYNAMIC &&
3906 insn->type != INSN_RETURN)
3907 continue;
3908
3909 if (insn->retpoline_safe)
3910 continue;
3911
3912 if (insn->sec->init)
3913 continue;
3914
3915 if (insn->type == INSN_RETURN) {
3916 if (opts.rethunk) {
3917 WARN_INSN(insn, "'naked' return found in MITIGATION_RETHUNK build");
3918 } else
3919 continue;
3920 } else {
3921 WARN_INSN(insn, "indirect %s found in MITIGATION_RETPOLINE build",
3922 insn->type == INSN_JUMP_DYNAMIC ? "jump" : "call");
3923 }
3924
3925 warnings++;
3926 }
3927
3928 return warnings;
3929 }
3930
is_kasan_insn(struct instruction * insn)3931 static bool is_kasan_insn(struct instruction *insn)
3932 {
3933 return (insn->type == INSN_CALL &&
3934 !strcmp(insn_call_dest(insn)->name, "__asan_handle_no_return"));
3935 }
3936
is_ubsan_insn(struct instruction * insn)3937 static bool is_ubsan_insn(struct instruction *insn)
3938 {
3939 return (insn->type == INSN_CALL &&
3940 !strcmp(insn_call_dest(insn)->name,
3941 "__ubsan_handle_builtin_unreachable"));
3942 }
3943
ignore_unreachable_insn(struct objtool_file * file,struct instruction * insn)3944 static bool ignore_unreachable_insn(struct objtool_file *file, struct instruction *insn)
3945 {
3946 int i;
3947 struct instruction *prev_insn;
3948
3949 if (insn->ignore || insn->type == INSN_NOP || insn->type == INSN_TRAP)
3950 return true;
3951
3952 /*
3953 * Ignore alternative replacement instructions. This can happen
3954 * when a whitelisted function uses one of the ALTERNATIVE macros.
3955 */
3956 if (!strcmp(insn->sec->name, ".altinstr_replacement") ||
3957 !strcmp(insn->sec->name, ".altinstr_aux"))
3958 return true;
3959
3960 /*
3961 * Whole archive runs might encounter dead code from weak symbols.
3962 * This is where the linker will have dropped the weak symbol in
3963 * favour of a regular symbol, but leaves the code in place.
3964 *
3965 * In this case we'll find a piece of code (whole function) that is not
3966 * covered by a !section symbol. Ignore them.
3967 */
3968 if (opts.link && !insn_func(insn)) {
3969 int size = find_symbol_hole_containing(insn->sec, insn->offset);
3970 unsigned long end = insn->offset + size;
3971
3972 if (!size) /* not a hole */
3973 return false;
3974
3975 if (size < 0) /* hole until the end */
3976 return true;
3977
3978 sec_for_each_insn_continue(file, insn) {
3979 /*
3980 * If we reach a visited instruction at or before the
3981 * end of the hole, ignore the unreachable.
3982 */
3983 if (insn->visited)
3984 return true;
3985
3986 if (insn->offset >= end)
3987 break;
3988
3989 /*
3990 * If this hole jumps to a .cold function, mark it ignore too.
3991 */
3992 if (insn->jump_dest && insn_func(insn->jump_dest) &&
3993 strstr(insn_func(insn->jump_dest)->name, ".cold")) {
3994 struct instruction *dest = insn->jump_dest;
3995 func_for_each_insn(file, insn_func(dest), dest)
3996 dest->ignore = true;
3997 }
3998 }
3999
4000 return false;
4001 }
4002
4003 if (!insn_func(insn))
4004 return false;
4005
4006 if (insn_func(insn)->static_call_tramp)
4007 return true;
4008
4009 /*
4010 * CONFIG_UBSAN_TRAP inserts a UD2 when it sees
4011 * __builtin_unreachable(). The BUG() macro has an unreachable() after
4012 * the UD2, which causes GCC's undefined trap logic to emit another UD2
4013 * (or occasionally a JMP to UD2).
4014 *
4015 * It may also insert a UD2 after calling a __noreturn function.
4016 */
4017 prev_insn = prev_insn_same_sec(file, insn);
4018 if (prev_insn && prev_insn->dead_end &&
4019 (insn->type == INSN_BUG ||
4020 (insn->type == INSN_JUMP_UNCONDITIONAL &&
4021 insn->jump_dest && insn->jump_dest->type == INSN_BUG)))
4022 return true;
4023
4024 /*
4025 * Check if this (or a subsequent) instruction is related to
4026 * CONFIG_UBSAN or CONFIG_KASAN.
4027 *
4028 * End the search at 5 instructions to avoid going into the weeds.
4029 */
4030 for (i = 0; i < 5; i++) {
4031
4032 if (is_kasan_insn(insn) || is_ubsan_insn(insn))
4033 return true;
4034
4035 if (insn->type == INSN_JUMP_UNCONDITIONAL) {
4036 if (insn->jump_dest &&
4037 insn_func(insn->jump_dest) == insn_func(insn)) {
4038 insn = insn->jump_dest;
4039 continue;
4040 }
4041
4042 break;
4043 }
4044
4045 if (insn->offset + insn->len >= insn_func(insn)->offset + insn_func(insn)->len)
4046 break;
4047
4048 insn = next_insn_same_sec(file, insn);
4049 }
4050
4051 return false;
4052 }
4053
add_prefix_symbol(struct objtool_file * file,struct symbol * func)4054 static int add_prefix_symbol(struct objtool_file *file, struct symbol *func)
4055 {
4056 struct instruction *insn, *prev;
4057 struct cfi_state *cfi;
4058
4059 insn = find_insn(file, func->sec, func->offset);
4060 if (!insn)
4061 return -1;
4062
4063 for (prev = prev_insn_same_sec(file, insn);
4064 prev;
4065 prev = prev_insn_same_sec(file, prev)) {
4066 u64 offset;
4067
4068 if (prev->type != INSN_NOP)
4069 return -1;
4070
4071 offset = func->offset - prev->offset;
4072
4073 if (offset > opts.prefix)
4074 return -1;
4075
4076 if (offset < opts.prefix)
4077 continue;
4078
4079 elf_create_prefix_symbol(file->elf, func, opts.prefix);
4080 break;
4081 }
4082
4083 if (!prev)
4084 return -1;
4085
4086 if (!insn->cfi) {
4087 /*
4088 * This can happen if stack validation isn't enabled or the
4089 * function is annotated with STACK_FRAME_NON_STANDARD.
4090 */
4091 return 0;
4092 }
4093
4094 /* Propagate insn->cfi to the prefix code */
4095 cfi = cfi_hash_find_or_add(insn->cfi);
4096 for (; prev != insn; prev = next_insn_same_sec(file, prev))
4097 prev->cfi = cfi;
4098
4099 return 0;
4100 }
4101
add_prefix_symbols(struct objtool_file * file)4102 static int add_prefix_symbols(struct objtool_file *file)
4103 {
4104 struct section *sec;
4105 struct symbol *func;
4106
4107 for_each_sec(file, sec) {
4108 if (!(sec->sh.sh_flags & SHF_EXECINSTR))
4109 continue;
4110
4111 sec_for_each_sym(sec, func) {
4112 if (func->type != STT_FUNC)
4113 continue;
4114
4115 add_prefix_symbol(file, func);
4116 }
4117 }
4118
4119 return 0;
4120 }
4121
validate_symbol(struct objtool_file * file,struct section * sec,struct symbol * sym,struct insn_state * state)4122 static int validate_symbol(struct objtool_file *file, struct section *sec,
4123 struct symbol *sym, struct insn_state *state)
4124 {
4125 struct instruction *insn;
4126 int ret;
4127
4128 if (!sym->len) {
4129 WARN("%s() is missing an ELF size annotation", sym->name);
4130 return 1;
4131 }
4132
4133 if (sym->pfunc != sym || sym->alias != sym)
4134 return 0;
4135
4136 insn = find_insn(file, sec, sym->offset);
4137 if (!insn || insn->ignore || insn->visited)
4138 return 0;
4139
4140 state->uaccess = sym->uaccess_safe;
4141
4142 ret = validate_branch(file, insn_func(insn), insn, *state);
4143 if (ret)
4144 BT_INSN(insn, "<=== (sym)");
4145 return ret;
4146 }
4147
validate_section(struct objtool_file * file,struct section * sec)4148 static int validate_section(struct objtool_file *file, struct section *sec)
4149 {
4150 struct insn_state state;
4151 struct symbol *func;
4152 int warnings = 0;
4153
4154 sec_for_each_sym(sec, func) {
4155 if (func->type != STT_FUNC)
4156 continue;
4157
4158 init_insn_state(file, &state, sec);
4159 set_func_state(&state.cfi);
4160
4161 warnings += validate_symbol(file, sec, func, &state);
4162 }
4163
4164 return warnings;
4165 }
4166
validate_noinstr_sections(struct objtool_file * file)4167 static int validate_noinstr_sections(struct objtool_file *file)
4168 {
4169 struct section *sec;
4170 int warnings = 0;
4171
4172 sec = find_section_by_name(file->elf, ".noinstr.text");
4173 if (sec) {
4174 warnings += validate_section(file, sec);
4175 warnings += validate_unwind_hints(file, sec);
4176 }
4177
4178 sec = find_section_by_name(file->elf, ".entry.text");
4179 if (sec) {
4180 warnings += validate_section(file, sec);
4181 warnings += validate_unwind_hints(file, sec);
4182 }
4183
4184 sec = find_section_by_name(file->elf, ".cpuidle.text");
4185 if (sec) {
4186 warnings += validate_section(file, sec);
4187 warnings += validate_unwind_hints(file, sec);
4188 }
4189
4190 return warnings;
4191 }
4192
validate_functions(struct objtool_file * file)4193 static int validate_functions(struct objtool_file *file)
4194 {
4195 struct section *sec;
4196 int warnings = 0;
4197
4198 for_each_sec(file, sec) {
4199 if (!(sec->sh.sh_flags & SHF_EXECINSTR))
4200 continue;
4201
4202 warnings += validate_section(file, sec);
4203 }
4204
4205 return warnings;
4206 }
4207
mark_endbr_used(struct instruction * insn)4208 static void mark_endbr_used(struct instruction *insn)
4209 {
4210 if (!list_empty(&insn->call_node))
4211 list_del_init(&insn->call_node);
4212 }
4213
noendbr_range(struct objtool_file * file,struct instruction * insn)4214 static bool noendbr_range(struct objtool_file *file, struct instruction *insn)
4215 {
4216 struct symbol *sym = find_symbol_containing(insn->sec, insn->offset-1);
4217 struct instruction *first;
4218
4219 if (!sym)
4220 return false;
4221
4222 first = find_insn(file, sym->sec, sym->offset);
4223 if (!first)
4224 return false;
4225
4226 if (first->type != INSN_ENDBR && !first->noendbr)
4227 return false;
4228
4229 return insn->offset == sym->offset + sym->len;
4230 }
4231
__validate_ibt_insn(struct objtool_file * file,struct instruction * insn,struct instruction * dest)4232 static int __validate_ibt_insn(struct objtool_file *file, struct instruction *insn,
4233 struct instruction *dest)
4234 {
4235 if (dest->type == INSN_ENDBR) {
4236 mark_endbr_used(dest);
4237 return 0;
4238 }
4239
4240 if (insn_func(dest) && insn_func(insn) &&
4241 insn_func(dest)->pfunc == insn_func(insn)->pfunc) {
4242 /*
4243 * Anything from->to self is either _THIS_IP_ or
4244 * IRET-to-self.
4245 *
4246 * There is no sane way to annotate _THIS_IP_ since the
4247 * compiler treats the relocation as a constant and is
4248 * happy to fold in offsets, skewing any annotation we
4249 * do, leading to vast amounts of false-positives.
4250 *
4251 * There's also compiler generated _THIS_IP_ through
4252 * KCOV and such which we have no hope of annotating.
4253 *
4254 * As such, blanket accept self-references without
4255 * issue.
4256 */
4257 return 0;
4258 }
4259
4260 /*
4261 * Accept anything ANNOTATE_NOENDBR.
4262 */
4263 if (dest->noendbr)
4264 return 0;
4265
4266 /*
4267 * Accept if this is the instruction after a symbol
4268 * that is (no)endbr -- typical code-range usage.
4269 */
4270 if (noendbr_range(file, dest))
4271 return 0;
4272
4273 WARN_INSN(insn, "relocation to !ENDBR: %s", offstr(dest->sec, dest->offset));
4274 return 1;
4275 }
4276
validate_ibt_insn(struct objtool_file * file,struct instruction * insn)4277 static int validate_ibt_insn(struct objtool_file *file, struct instruction *insn)
4278 {
4279 struct instruction *dest;
4280 struct reloc *reloc;
4281 unsigned long off;
4282 int warnings = 0;
4283
4284 /*
4285 * Looking for function pointer load relocations. Ignore
4286 * direct/indirect branches:
4287 */
4288 switch (insn->type) {
4289
4290 case INSN_CALL:
4291 case INSN_CALL_DYNAMIC:
4292 case INSN_JUMP_CONDITIONAL:
4293 case INSN_JUMP_UNCONDITIONAL:
4294 case INSN_JUMP_DYNAMIC:
4295 case INSN_JUMP_DYNAMIC_CONDITIONAL:
4296 case INSN_RETURN:
4297 case INSN_NOP:
4298 return 0;
4299
4300 case INSN_LEA_RIP:
4301 if (!insn_reloc(file, insn)) {
4302 /* local function pointer reference without reloc */
4303
4304 off = arch_jump_destination(insn);
4305
4306 dest = find_insn(file, insn->sec, off);
4307 if (!dest) {
4308 WARN_INSN(insn, "corrupt function pointer reference");
4309 return 1;
4310 }
4311
4312 return __validate_ibt_insn(file, insn, dest);
4313 }
4314 break;
4315
4316 default:
4317 break;
4318 }
4319
4320 for (reloc = insn_reloc(file, insn);
4321 reloc;
4322 reloc = find_reloc_by_dest_range(file->elf, insn->sec,
4323 reloc_offset(reloc) + 1,
4324 (insn->offset + insn->len) - (reloc_offset(reloc) + 1))) {
4325
4326 off = reloc->sym->offset;
4327 if (reloc_type(reloc) == R_X86_64_PC32 ||
4328 reloc_type(reloc) == R_X86_64_PLT32)
4329 off += arch_dest_reloc_offset(reloc_addend(reloc));
4330 else
4331 off += reloc_addend(reloc);
4332
4333 dest = find_insn(file, reloc->sym->sec, off);
4334 if (!dest)
4335 continue;
4336
4337 warnings += __validate_ibt_insn(file, insn, dest);
4338 }
4339
4340 return warnings;
4341 }
4342
validate_ibt_data_reloc(struct objtool_file * file,struct reloc * reloc)4343 static int validate_ibt_data_reloc(struct objtool_file *file,
4344 struct reloc *reloc)
4345 {
4346 struct instruction *dest;
4347
4348 dest = find_insn(file, reloc->sym->sec,
4349 reloc->sym->offset + reloc_addend(reloc));
4350 if (!dest)
4351 return 0;
4352
4353 if (dest->type == INSN_ENDBR) {
4354 mark_endbr_used(dest);
4355 return 0;
4356 }
4357
4358 if (dest->noendbr)
4359 return 0;
4360
4361 WARN_FUNC("data relocation to !ENDBR: %s",
4362 reloc->sec->base, reloc_offset(reloc),
4363 offstr(dest->sec, dest->offset));
4364
4365 return 1;
4366 }
4367
4368 /*
4369 * Validate IBT rules and remove used ENDBR instructions from the seal list.
4370 * Unused ENDBR instructions will be annotated for sealing (i.e., replaced with
4371 * NOPs) later, in create_ibt_endbr_seal_sections().
4372 */
validate_ibt(struct objtool_file * file)4373 static int validate_ibt(struct objtool_file *file)
4374 {
4375 struct section *sec;
4376 struct reloc *reloc;
4377 struct instruction *insn;
4378 int warnings = 0;
4379
4380 for_each_insn(file, insn)
4381 warnings += validate_ibt_insn(file, insn);
4382
4383 for_each_sec(file, sec) {
4384
4385 /* Already done by validate_ibt_insn() */
4386 if (sec->sh.sh_flags & SHF_EXECINSTR)
4387 continue;
4388
4389 if (!sec->rsec)
4390 continue;
4391
4392 /*
4393 * These sections can reference text addresses, but not with
4394 * the intent to indirect branch to them.
4395 */
4396 if ((!strncmp(sec->name, ".discard", 8) &&
4397 strcmp(sec->name, ".discard.ibt_endbr_noseal")) ||
4398 !strncmp(sec->name, ".debug", 6) ||
4399 !strcmp(sec->name, ".altinstructions") ||
4400 !strcmp(sec->name, ".ibt_endbr_seal") ||
4401 !strcmp(sec->name, ".orc_unwind_ip") ||
4402 !strcmp(sec->name, ".parainstructions") ||
4403 !strcmp(sec->name, ".retpoline_sites") ||
4404 !strcmp(sec->name, ".smp_locks") ||
4405 !strcmp(sec->name, ".static_call_sites") ||
4406 !strcmp(sec->name, "_error_injection_whitelist") ||
4407 !strcmp(sec->name, "_kprobe_blacklist") ||
4408 !strcmp(sec->name, "__bug_table") ||
4409 !strcmp(sec->name, "__ex_table") ||
4410 !strcmp(sec->name, "__jump_table") ||
4411 !strcmp(sec->name, "__mcount_loc") ||
4412 !strcmp(sec->name, ".kcfi_traps") ||
4413 !strcmp(sec->name, ".llvm.call-graph-profile") ||
4414 !strcmp(sec->name, ".llvm_bb_addr_map") ||
4415 !strcmp(sec->name, "__tracepoints") ||
4416 strstr(sec->name, "__patchable_function_entries"))
4417 continue;
4418
4419 for_each_reloc(sec->rsec, reloc)
4420 warnings += validate_ibt_data_reloc(file, reloc);
4421 }
4422
4423 return warnings;
4424 }
4425
validate_sls(struct objtool_file * file)4426 static int validate_sls(struct objtool_file *file)
4427 {
4428 struct instruction *insn, *next_insn;
4429 int warnings = 0;
4430
4431 for_each_insn(file, insn) {
4432 next_insn = next_insn_same_sec(file, insn);
4433
4434 if (insn->retpoline_safe)
4435 continue;
4436
4437 switch (insn->type) {
4438 case INSN_RETURN:
4439 if (!next_insn || next_insn->type != INSN_TRAP) {
4440 WARN_INSN(insn, "missing int3 after ret");
4441 warnings++;
4442 }
4443
4444 break;
4445 case INSN_JUMP_DYNAMIC:
4446 if (!next_insn || next_insn->type != INSN_TRAP) {
4447 WARN_INSN(insn, "missing int3 after indirect jump");
4448 warnings++;
4449 }
4450 break;
4451 default:
4452 break;
4453 }
4454 }
4455
4456 return warnings;
4457 }
4458
validate_reachable_instructions(struct objtool_file * file)4459 static int validate_reachable_instructions(struct objtool_file *file)
4460 {
4461 struct instruction *insn, *prev_insn;
4462 struct symbol *call_dest;
4463 int warnings = 0;
4464
4465 if (file->ignore_unreachables)
4466 return 0;
4467
4468 for_each_insn(file, insn) {
4469 if (insn->visited || ignore_unreachable_insn(file, insn))
4470 continue;
4471
4472 prev_insn = prev_insn_same_sec(file, insn);
4473 if (prev_insn && prev_insn->dead_end) {
4474 call_dest = insn_call_dest(prev_insn);
4475 if (call_dest) {
4476 WARN_INSN(insn, "%s() is missing a __noreturn annotation",
4477 call_dest->name);
4478 warnings++;
4479 continue;
4480 }
4481 }
4482
4483 WARN_INSN(insn, "unreachable instruction");
4484 warnings++;
4485 }
4486
4487 return warnings;
4488 }
4489
4490 /* 'funcs' is a space-separated list of function names */
disas_funcs(const char * funcs)4491 static int disas_funcs(const char *funcs)
4492 {
4493 const char *objdump_str, *cross_compile;
4494 int size, ret;
4495 char *cmd;
4496
4497 cross_compile = getenv("CROSS_COMPILE");
4498 if (!cross_compile)
4499 cross_compile = "";
4500
4501 objdump_str = "%sobjdump -wdr %s | gawk -M -v _funcs='%s' '"
4502 "BEGIN { split(_funcs, funcs); }"
4503 "/^$/ { func_match = 0; }"
4504 "/<.*>:/ { "
4505 "f = gensub(/.*<(.*)>:/, \"\\\\1\", 1);"
4506 "for (i in funcs) {"
4507 "if (funcs[i] == f) {"
4508 "func_match = 1;"
4509 "base = strtonum(\"0x\" $1);"
4510 "break;"
4511 "}"
4512 "}"
4513 "}"
4514 "{"
4515 "if (func_match) {"
4516 "addr = strtonum(\"0x\" $1);"
4517 "printf(\"%%04x \", addr - base);"
4518 "print;"
4519 "}"
4520 "}' 1>&2";
4521
4522 /* fake snprintf() to calculate the size */
4523 size = snprintf(NULL, 0, objdump_str, cross_compile, objname, funcs) + 1;
4524 if (size <= 0) {
4525 WARN("objdump string size calculation failed");
4526 return -1;
4527 }
4528
4529 cmd = malloc(size);
4530
4531 /* real snprintf() */
4532 snprintf(cmd, size, objdump_str, cross_compile, objname, funcs);
4533 ret = system(cmd);
4534 if (ret) {
4535 WARN("disassembly failed: %d", ret);
4536 return -1;
4537 }
4538
4539 return 0;
4540 }
4541
disas_warned_funcs(struct objtool_file * file)4542 static int disas_warned_funcs(struct objtool_file *file)
4543 {
4544 struct symbol *sym;
4545 char *funcs = NULL, *tmp;
4546
4547 for_each_sym(file, sym) {
4548 if (sym->warned) {
4549 if (!funcs) {
4550 funcs = malloc(strlen(sym->name) + 1);
4551 strcpy(funcs, sym->name);
4552 } else {
4553 tmp = malloc(strlen(funcs) + strlen(sym->name) + 2);
4554 sprintf(tmp, "%s %s", funcs, sym->name);
4555 free(funcs);
4556 funcs = tmp;
4557 }
4558 }
4559 }
4560
4561 if (funcs)
4562 disas_funcs(funcs);
4563
4564 return 0;
4565 }
4566
4567 struct insn_chunk {
4568 void *addr;
4569 struct insn_chunk *next;
4570 };
4571
4572 /*
4573 * Reduce peak RSS usage by freeing insns memory before writing the ELF file,
4574 * which can trigger more allocations for .debug_* sections whose data hasn't
4575 * been read yet.
4576 */
free_insns(struct objtool_file * file)4577 static void free_insns(struct objtool_file *file)
4578 {
4579 struct instruction *insn;
4580 struct insn_chunk *chunks = NULL, *chunk;
4581
4582 for_each_insn(file, insn) {
4583 if (!insn->idx) {
4584 chunk = malloc(sizeof(*chunk));
4585 chunk->addr = insn;
4586 chunk->next = chunks;
4587 chunks = chunk;
4588 }
4589 }
4590
4591 for (chunk = chunks; chunk; chunk = chunk->next)
4592 free(chunk->addr);
4593 }
4594
check(struct objtool_file * file)4595 int check(struct objtool_file *file)
4596 {
4597 int ret, warnings = 0;
4598
4599 arch_initial_func_cfi_state(&initial_func_cfi);
4600 init_cfi_state(&init_cfi);
4601 init_cfi_state(&func_cfi);
4602 set_func_state(&func_cfi);
4603 init_cfi_state(&force_undefined_cfi);
4604 force_undefined_cfi.force_undefined = true;
4605
4606 if (!cfi_hash_alloc(1UL << (file->elf->symbol_bits - 3)))
4607 goto out;
4608
4609 cfi_hash_add(&init_cfi);
4610 cfi_hash_add(&func_cfi);
4611
4612 ret = decode_sections(file);
4613 if (ret < 0)
4614 goto out;
4615
4616 warnings += ret;
4617
4618 if (!nr_insns)
4619 goto out;
4620
4621 if (opts.retpoline) {
4622 ret = validate_retpoline(file);
4623 if (ret < 0)
4624 return ret;
4625 warnings += ret;
4626 }
4627
4628 if (opts.stackval || opts.orc || opts.uaccess) {
4629 ret = validate_functions(file);
4630 if (ret < 0)
4631 goto out;
4632 warnings += ret;
4633
4634 ret = validate_unwind_hints(file, NULL);
4635 if (ret < 0)
4636 goto out;
4637 warnings += ret;
4638
4639 if (!warnings) {
4640 ret = validate_reachable_instructions(file);
4641 if (ret < 0)
4642 goto out;
4643 warnings += ret;
4644 }
4645
4646 } else if (opts.noinstr) {
4647 ret = validate_noinstr_sections(file);
4648 if (ret < 0)
4649 goto out;
4650 warnings += ret;
4651 }
4652
4653 if (opts.unret) {
4654 /*
4655 * Must be after validate_branch() and friends, it plays
4656 * further games with insn->visited.
4657 */
4658 ret = validate_unrets(file);
4659 if (ret < 0)
4660 return ret;
4661 warnings += ret;
4662 }
4663
4664 if (opts.ibt) {
4665 ret = validate_ibt(file);
4666 if (ret < 0)
4667 goto out;
4668 warnings += ret;
4669 }
4670
4671 if (opts.sls) {
4672 ret = validate_sls(file);
4673 if (ret < 0)
4674 goto out;
4675 warnings += ret;
4676 }
4677
4678 if (opts.static_call) {
4679 ret = create_static_call_sections(file);
4680 if (ret < 0)
4681 goto out;
4682 warnings += ret;
4683 }
4684
4685 if (opts.retpoline) {
4686 ret = create_retpoline_sites_sections(file);
4687 if (ret < 0)
4688 goto out;
4689 warnings += ret;
4690 }
4691
4692 if (opts.cfi) {
4693 ret = create_cfi_sections(file);
4694 if (ret < 0)
4695 goto out;
4696 warnings += ret;
4697 }
4698
4699 if (opts.rethunk) {
4700 ret = create_return_sites_sections(file);
4701 if (ret < 0)
4702 goto out;
4703 warnings += ret;
4704
4705 if (opts.hack_skylake) {
4706 ret = create_direct_call_sections(file);
4707 if (ret < 0)
4708 goto out;
4709 warnings += ret;
4710 }
4711 }
4712
4713 if (opts.mcount) {
4714 ret = create_mcount_loc_sections(file);
4715 if (ret < 0)
4716 goto out;
4717 warnings += ret;
4718 }
4719
4720 if (opts.prefix) {
4721 ret = add_prefix_symbols(file);
4722 if (ret < 0)
4723 return ret;
4724 warnings += ret;
4725 }
4726
4727 if (opts.ibt) {
4728 ret = create_ibt_endbr_seal_sections(file);
4729 if (ret < 0)
4730 goto out;
4731 warnings += ret;
4732 }
4733
4734 if (opts.orc && nr_insns) {
4735 ret = orc_create(file);
4736 if (ret < 0)
4737 goto out;
4738 warnings += ret;
4739 }
4740
4741 free_insns(file);
4742
4743 if (opts.verbose)
4744 disas_warned_funcs(file);
4745
4746 if (opts.stats) {
4747 printf("nr_insns_visited: %ld\n", nr_insns_visited);
4748 printf("nr_cfi: %ld\n", nr_cfi);
4749 printf("nr_cfi_reused: %ld\n", nr_cfi_reused);
4750 printf("nr_cfi_cache: %ld\n", nr_cfi_cache);
4751 }
4752
4753 out:
4754 /*
4755 * For now, don't fail the kernel build on fatal warnings. These
4756 * errors are still fairly common due to the growing matrix of
4757 * supported toolchains and their recent pace of change.
4758 */
4759 return 0;
4760 }
4761