1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (C) 2015-2017 Josh Poimboeuf <jpoimboe@redhat.com>
4 */
5
6 #include <string.h>
7 #include <stdlib.h>
8 #include <inttypes.h>
9 #include <sys/mman.h>
10
11 #include <objtool/builtin.h>
12 #include <objtool/cfi.h>
13 #include <objtool/arch.h>
14 #include <objtool/check.h>
15 #include <objtool/special.h>
16 #include <objtool/warn.h>
17 #include <objtool/endianness.h>
18
19 #include <linux/objtool_types.h>
20 #include <linux/hashtable.h>
21 #include <linux/kernel.h>
22 #include <linux/static_call_types.h>
23 #include <linux/string.h>
24
25 struct alternative {
26 struct alternative *next;
27 struct instruction *insn;
28 };
29
30 static unsigned long nr_cfi, nr_cfi_reused, nr_cfi_cache;
31
32 static struct cfi_init_state initial_func_cfi;
33 static struct cfi_state init_cfi;
34 static struct cfi_state func_cfi;
35 static struct cfi_state force_undefined_cfi;
36
find_insn(struct objtool_file * file,struct section * sec,unsigned long offset)37 struct instruction *find_insn(struct objtool_file *file,
38 struct section *sec, unsigned long offset)
39 {
40 struct instruction *insn;
41
42 hash_for_each_possible(file->insn_hash, insn, hash, sec_offset_hash(sec, offset)) {
43 if (insn->sec == sec && insn->offset == offset)
44 return insn;
45 }
46
47 return NULL;
48 }
49
next_insn_same_sec(struct objtool_file * file,struct instruction * insn)50 struct instruction *next_insn_same_sec(struct objtool_file *file,
51 struct instruction *insn)
52 {
53 if (insn->idx == INSN_CHUNK_MAX)
54 return find_insn(file, insn->sec, insn->offset + insn->len);
55
56 insn++;
57 if (!insn->len)
58 return NULL;
59
60 return insn;
61 }
62
next_insn_same_func(struct objtool_file * file,struct instruction * insn)63 static struct instruction *next_insn_same_func(struct objtool_file *file,
64 struct instruction *insn)
65 {
66 struct instruction *next = next_insn_same_sec(file, insn);
67 struct symbol *func = insn_func(insn);
68
69 if (!func)
70 return NULL;
71
72 if (next && insn_func(next) == func)
73 return next;
74
75 /* Check if we're already in the subfunction: */
76 if (func == func->cfunc)
77 return NULL;
78
79 /* Move to the subfunction: */
80 return find_insn(file, func->cfunc->sec, func->cfunc->offset);
81 }
82
prev_insn_same_sec(struct objtool_file * file,struct instruction * insn)83 static struct instruction *prev_insn_same_sec(struct objtool_file *file,
84 struct instruction *insn)
85 {
86 if (insn->idx == 0) {
87 if (insn->prev_len)
88 return find_insn(file, insn->sec, insn->offset - insn->prev_len);
89 return NULL;
90 }
91
92 return insn - 1;
93 }
94
prev_insn_same_sym(struct objtool_file * file,struct instruction * insn)95 static struct instruction *prev_insn_same_sym(struct objtool_file *file,
96 struct instruction *insn)
97 {
98 struct instruction *prev = prev_insn_same_sec(file, insn);
99
100 if (prev && insn_func(prev) == insn_func(insn))
101 return prev;
102
103 return NULL;
104 }
105
106 #define for_each_insn(file, insn) \
107 for (struct section *__sec, *__fake = (struct section *)1; \
108 __fake; __fake = NULL) \
109 for_each_sec(file, __sec) \
110 sec_for_each_insn(file, __sec, insn)
111
112 #define func_for_each_insn(file, func, insn) \
113 for (insn = find_insn(file, func->sec, func->offset); \
114 insn; \
115 insn = next_insn_same_func(file, insn))
116
117 #define sym_for_each_insn(file, sym, insn) \
118 for (insn = find_insn(file, sym->sec, sym->offset); \
119 insn && insn->offset < sym->offset + sym->len; \
120 insn = next_insn_same_sec(file, insn))
121
122 #define sym_for_each_insn_continue_reverse(file, sym, insn) \
123 for (insn = prev_insn_same_sec(file, insn); \
124 insn && insn->offset >= sym->offset; \
125 insn = prev_insn_same_sec(file, insn))
126
127 #define sec_for_each_insn_from(file, insn) \
128 for (; insn; insn = next_insn_same_sec(file, insn))
129
130 #define sec_for_each_insn_continue(file, insn) \
131 for (insn = next_insn_same_sec(file, insn); insn; \
132 insn = next_insn_same_sec(file, insn))
133
insn_call_dest(struct instruction * insn)134 static inline struct symbol *insn_call_dest(struct instruction *insn)
135 {
136 if (insn->type == INSN_JUMP_DYNAMIC ||
137 insn->type == INSN_CALL_DYNAMIC)
138 return NULL;
139
140 return insn->_call_dest;
141 }
142
insn_jump_table(struct instruction * insn)143 static inline struct reloc *insn_jump_table(struct instruction *insn)
144 {
145 if (insn->type == INSN_JUMP_DYNAMIC ||
146 insn->type == INSN_CALL_DYNAMIC)
147 return insn->_jump_table;
148
149 return NULL;
150 }
151
insn_jump_table_size(struct instruction * insn)152 static inline unsigned long insn_jump_table_size(struct instruction *insn)
153 {
154 if (insn->type == INSN_JUMP_DYNAMIC ||
155 insn->type == INSN_CALL_DYNAMIC)
156 return insn->_jump_table_size;
157
158 return 0;
159 }
160
is_jump_table_jump(struct instruction * insn)161 static bool is_jump_table_jump(struct instruction *insn)
162 {
163 struct alt_group *alt_group = insn->alt_group;
164
165 if (insn_jump_table(insn))
166 return true;
167
168 /* Retpoline alternative for a jump table? */
169 return alt_group && alt_group->orig_group &&
170 insn_jump_table(alt_group->orig_group->first_insn);
171 }
172
is_sibling_call(struct instruction * insn)173 static bool is_sibling_call(struct instruction *insn)
174 {
175 /*
176 * Assume only STT_FUNC calls have jump-tables.
177 */
178 if (insn_func(insn)) {
179 /* An indirect jump is either a sibling call or a jump to a table. */
180 if (insn->type == INSN_JUMP_DYNAMIC)
181 return !is_jump_table_jump(insn);
182 }
183
184 /* add_jump_destinations() sets insn_call_dest(insn) for sibling calls. */
185 return (is_static_jump(insn) && insn_call_dest(insn));
186 }
187
188 /*
189 * Checks if a string ends with another.
190 */
str_ends_with(const char * s,const char * sub)191 static bool str_ends_with(const char *s, const char *sub)
192 {
193 const int slen = strlen(s);
194 const int sublen = strlen(sub);
195
196 if (sublen > slen)
197 return 0;
198
199 return !memcmp(s + slen - sublen, sub, sublen);
200 }
201
202 /*
203 * Checks if a function is a Rust "noreturn" one.
204 */
is_rust_noreturn(const struct symbol * func)205 static bool is_rust_noreturn(const struct symbol *func)
206 {
207 /*
208 * If it does not start with "_R", then it is not a Rust symbol.
209 */
210 if (strncmp(func->name, "_R", 2))
211 return false;
212
213 /*
214 * These are just heuristics -- we do not control the precise symbol
215 * name, due to the crate disambiguators (which depend on the compiler)
216 * as well as changes to the source code itself between versions (since
217 * these come from the Rust standard library).
218 */
219 return str_ends_with(func->name, "_4core5sliceSp15copy_from_slice17len_mismatch_fail") ||
220 str_ends_with(func->name, "_4core6option13unwrap_failed") ||
221 str_ends_with(func->name, "_4core6result13unwrap_failed") ||
222 str_ends_with(func->name, "_4core9panicking5panic") ||
223 str_ends_with(func->name, "_4core9panicking9panic_fmt") ||
224 str_ends_with(func->name, "_4core9panicking14panic_explicit") ||
225 str_ends_with(func->name, "_4core9panicking14panic_nounwind") ||
226 str_ends_with(func->name, "_4core9panicking18panic_bounds_check") ||
227 str_ends_with(func->name, "_4core9panicking19assert_failed_inner") ||
228 str_ends_with(func->name, "_4core9panicking30panic_null_pointer_dereference") ||
229 str_ends_with(func->name, "_4core9panicking36panic_misaligned_pointer_dereference") ||
230 strstr(func->name, "_4core9panicking13assert_failed") ||
231 strstr(func->name, "_4core9panicking11panic_const24panic_const_") ||
232 (strstr(func->name, "_4core5slice5index24slice_") &&
233 str_ends_with(func->name, "_fail"));
234 }
235
236 /*
237 * This checks to see if the given function is a "noreturn" function.
238 *
239 * For global functions which are outside the scope of this object file, we
240 * have to keep a manual list of them.
241 *
242 * For local functions, we have to detect them manually by simply looking for
243 * the lack of a return instruction.
244 */
__dead_end_function(struct objtool_file * file,struct symbol * func,int recursion)245 static bool __dead_end_function(struct objtool_file *file, struct symbol *func,
246 int recursion)
247 {
248 int i;
249 struct instruction *insn;
250 bool empty = true;
251
252 #define NORETURN(func) __stringify(func),
253 static const char * const global_noreturns[] = {
254 #include "noreturns.h"
255 };
256 #undef NORETURN
257
258 if (!func)
259 return false;
260
261 if (func->bind == STB_GLOBAL || func->bind == STB_WEAK) {
262 if (is_rust_noreturn(func))
263 return true;
264
265 for (i = 0; i < ARRAY_SIZE(global_noreturns); i++)
266 if (!strcmp(func->name, global_noreturns[i]))
267 return true;
268 }
269
270 if (func->bind == STB_WEAK)
271 return false;
272
273 if (!func->len)
274 return false;
275
276 insn = find_insn(file, func->sec, func->offset);
277 if (!insn || !insn_func(insn))
278 return false;
279
280 func_for_each_insn(file, func, insn) {
281 empty = false;
282
283 if (insn->type == INSN_RETURN)
284 return false;
285 }
286
287 if (empty)
288 return false;
289
290 /*
291 * A function can have a sibling call instead of a return. In that
292 * case, the function's dead-end status depends on whether the target
293 * of the sibling call returns.
294 */
295 func_for_each_insn(file, func, insn) {
296 if (is_sibling_call(insn)) {
297 struct instruction *dest = insn->jump_dest;
298
299 if (!dest)
300 /* sibling call to another file */
301 return false;
302
303 /* local sibling call */
304 if (recursion == 5) {
305 /*
306 * Infinite recursion: two functions have
307 * sibling calls to each other. This is a very
308 * rare case. It means they aren't dead ends.
309 */
310 return false;
311 }
312
313 return __dead_end_function(file, insn_func(dest), recursion+1);
314 }
315 }
316
317 return true;
318 }
319
dead_end_function(struct objtool_file * file,struct symbol * func)320 static bool dead_end_function(struct objtool_file *file, struct symbol *func)
321 {
322 return __dead_end_function(file, func, 0);
323 }
324
init_cfi_state(struct cfi_state * cfi)325 static void init_cfi_state(struct cfi_state *cfi)
326 {
327 int i;
328
329 for (i = 0; i < CFI_NUM_REGS; i++) {
330 cfi->regs[i].base = CFI_UNDEFINED;
331 cfi->vals[i].base = CFI_UNDEFINED;
332 }
333 cfi->cfa.base = CFI_UNDEFINED;
334 cfi->drap_reg = CFI_UNDEFINED;
335 cfi->drap_offset = -1;
336 }
337
init_insn_state(struct objtool_file * file,struct insn_state * state,struct section * sec)338 static void init_insn_state(struct objtool_file *file, struct insn_state *state,
339 struct section *sec)
340 {
341 memset(state, 0, sizeof(*state));
342 init_cfi_state(&state->cfi);
343
344 if (opts.noinstr && sec)
345 state->noinstr = sec->noinstr;
346 }
347
cfi_alloc(void)348 static struct cfi_state *cfi_alloc(void)
349 {
350 struct cfi_state *cfi = calloc(1, sizeof(struct cfi_state));
351 if (!cfi) {
352 ERROR_GLIBC("calloc");
353 exit(1);
354 }
355 nr_cfi++;
356 return cfi;
357 }
358
359 static int cfi_bits;
360 static struct hlist_head *cfi_hash;
361
cficmp(struct cfi_state * cfi1,struct cfi_state * cfi2)362 static inline bool cficmp(struct cfi_state *cfi1, struct cfi_state *cfi2)
363 {
364 return memcmp((void *)cfi1 + sizeof(cfi1->hash),
365 (void *)cfi2 + sizeof(cfi2->hash),
366 sizeof(struct cfi_state) - sizeof(struct hlist_node));
367 }
368
cfi_key(struct cfi_state * cfi)369 static inline u32 cfi_key(struct cfi_state *cfi)
370 {
371 return jhash((void *)cfi + sizeof(cfi->hash),
372 sizeof(*cfi) - sizeof(cfi->hash), 0);
373 }
374
cfi_hash_find_or_add(struct cfi_state * cfi)375 static struct cfi_state *cfi_hash_find_or_add(struct cfi_state *cfi)
376 {
377 struct hlist_head *head = &cfi_hash[hash_min(cfi_key(cfi), cfi_bits)];
378 struct cfi_state *obj;
379
380 hlist_for_each_entry(obj, head, hash) {
381 if (!cficmp(cfi, obj)) {
382 nr_cfi_cache++;
383 return obj;
384 }
385 }
386
387 obj = cfi_alloc();
388 *obj = *cfi;
389 hlist_add_head(&obj->hash, head);
390
391 return obj;
392 }
393
cfi_hash_add(struct cfi_state * cfi)394 static void cfi_hash_add(struct cfi_state *cfi)
395 {
396 struct hlist_head *head = &cfi_hash[hash_min(cfi_key(cfi), cfi_bits)];
397
398 hlist_add_head(&cfi->hash, head);
399 }
400
cfi_hash_alloc(unsigned long size)401 static void *cfi_hash_alloc(unsigned long size)
402 {
403 cfi_bits = max(10, ilog2(size));
404 cfi_hash = mmap(NULL, sizeof(struct hlist_head) << cfi_bits,
405 PROT_READ|PROT_WRITE,
406 MAP_PRIVATE|MAP_ANON, -1, 0);
407 if (cfi_hash == (void *)-1L) {
408 ERROR_GLIBC("mmap fail cfi_hash");
409 cfi_hash = NULL;
410 } else if (opts.stats) {
411 printf("cfi_bits: %d\n", cfi_bits);
412 }
413
414 return cfi_hash;
415 }
416
417 static unsigned long nr_insns;
418 static unsigned long nr_insns_visited;
419
420 /*
421 * Call the arch-specific instruction decoder for all the instructions and add
422 * them to the global instruction list.
423 */
decode_instructions(struct objtool_file * file)424 static int decode_instructions(struct objtool_file *file)
425 {
426 struct section *sec;
427 struct symbol *func;
428 unsigned long offset;
429 struct instruction *insn;
430 int ret;
431
432 for_each_sec(file, sec) {
433 struct instruction *insns = NULL;
434 u8 prev_len = 0;
435 u8 idx = 0;
436
437 if (!(sec->sh.sh_flags & SHF_EXECINSTR))
438 continue;
439
440 if (strcmp(sec->name, ".altinstr_replacement") &&
441 strcmp(sec->name, ".altinstr_aux") &&
442 strncmp(sec->name, ".discard.", 9))
443 sec->text = true;
444
445 if (!strcmp(sec->name, ".noinstr.text") ||
446 !strcmp(sec->name, ".entry.text") ||
447 !strcmp(sec->name, ".cpuidle.text") ||
448 !strncmp(sec->name, ".text..__x86.", 13))
449 sec->noinstr = true;
450
451 /*
452 * .init.text code is ran before userspace and thus doesn't
453 * strictly need retpolines, except for modules which are
454 * loaded late, they very much do need retpoline in their
455 * .init.text
456 */
457 if (!strcmp(sec->name, ".init.text") && !opts.module)
458 sec->init = true;
459
460 for (offset = 0; offset < sec->sh.sh_size; offset += insn->len) {
461 if (!insns || idx == INSN_CHUNK_MAX) {
462 insns = calloc(sizeof(*insn), INSN_CHUNK_SIZE);
463 if (!insns) {
464 ERROR_GLIBC("calloc");
465 return -1;
466 }
467 idx = 0;
468 } else {
469 idx++;
470 }
471 insn = &insns[idx];
472 insn->idx = idx;
473
474 INIT_LIST_HEAD(&insn->call_node);
475 insn->sec = sec;
476 insn->offset = offset;
477 insn->prev_len = prev_len;
478
479 ret = arch_decode_instruction(file, sec, offset,
480 sec->sh.sh_size - offset,
481 insn);
482 if (ret)
483 return ret;
484
485 prev_len = insn->len;
486
487 /*
488 * By default, "ud2" is a dead end unless otherwise
489 * annotated, because GCC 7 inserts it for certain
490 * divide-by-zero cases.
491 */
492 if (insn->type == INSN_BUG)
493 insn->dead_end = true;
494
495 hash_add(file->insn_hash, &insn->hash, sec_offset_hash(sec, insn->offset));
496 nr_insns++;
497 }
498
499 sec_for_each_sym(sec, func) {
500 if (func->type != STT_NOTYPE && func->type != STT_FUNC)
501 continue;
502
503 if (func->offset == sec->sh.sh_size) {
504 /* Heuristic: likely an "end" symbol */
505 if (func->type == STT_NOTYPE)
506 continue;
507 ERROR("%s(): STT_FUNC at end of section", func->name);
508 return -1;
509 }
510
511 if (func->embedded_insn || func->alias != func)
512 continue;
513
514 if (!find_insn(file, sec, func->offset)) {
515 ERROR("%s(): can't find starting instruction", func->name);
516 return -1;
517 }
518
519 sym_for_each_insn(file, func, insn) {
520 insn->sym = func;
521 if (func->type == STT_FUNC &&
522 insn->type == INSN_ENDBR &&
523 list_empty(&insn->call_node)) {
524 if (insn->offset == func->offset) {
525 list_add_tail(&insn->call_node, &file->endbr_list);
526 file->nr_endbr++;
527 } else {
528 file->nr_endbr_int++;
529 }
530 }
531 }
532 }
533 }
534
535 if (opts.stats)
536 printf("nr_insns: %lu\n", nr_insns);
537
538 return 0;
539 }
540
541 /*
542 * Read the pv_ops[] .data table to find the static initialized values.
543 */
add_pv_ops(struct objtool_file * file,const char * symname)544 static int add_pv_ops(struct objtool_file *file, const char *symname)
545 {
546 struct symbol *sym, *func;
547 unsigned long off, end;
548 struct reloc *reloc;
549 int idx;
550
551 sym = find_symbol_by_name(file->elf, symname);
552 if (!sym)
553 return 0;
554
555 off = sym->offset;
556 end = off + sym->len;
557 for (;;) {
558 reloc = find_reloc_by_dest_range(file->elf, sym->sec, off, end - off);
559 if (!reloc)
560 break;
561
562 idx = (reloc_offset(reloc) - sym->offset) / sizeof(unsigned long);
563
564 func = reloc->sym;
565 if (func->type == STT_SECTION)
566 func = find_symbol_by_offset(reloc->sym->sec,
567 reloc_addend(reloc));
568 if (!func) {
569 ERROR_FUNC(reloc->sym->sec, reloc_addend(reloc),
570 "can't find func at %s[%d]", symname, idx);
571 return -1;
572 }
573
574 if (objtool_pv_add(file, idx, func))
575 return -1;
576
577 off = reloc_offset(reloc) + 1;
578 if (off > end)
579 break;
580 }
581
582 return 0;
583 }
584
585 /*
586 * Allocate and initialize file->pv_ops[].
587 */
init_pv_ops(struct objtool_file * file)588 static int init_pv_ops(struct objtool_file *file)
589 {
590 static const char *pv_ops_tables[] = {
591 "pv_ops",
592 "xen_cpu_ops",
593 "xen_irq_ops",
594 "xen_mmu_ops",
595 NULL,
596 };
597 const char *pv_ops;
598 struct symbol *sym;
599 int idx, nr, ret;
600
601 if (!opts.noinstr)
602 return 0;
603
604 file->pv_ops = NULL;
605
606 sym = find_symbol_by_name(file->elf, "pv_ops");
607 if (!sym)
608 return 0;
609
610 nr = sym->len / sizeof(unsigned long);
611 file->pv_ops = calloc(sizeof(struct pv_state), nr);
612 if (!file->pv_ops) {
613 ERROR_GLIBC("calloc");
614 return -1;
615 }
616
617 for (idx = 0; idx < nr; idx++)
618 INIT_LIST_HEAD(&file->pv_ops[idx].targets);
619
620 for (idx = 0; (pv_ops = pv_ops_tables[idx]); idx++) {
621 ret = add_pv_ops(file, pv_ops);
622 if (ret)
623 return ret;
624 }
625
626 return 0;
627 }
628
create_static_call_sections(struct objtool_file * file)629 static int create_static_call_sections(struct objtool_file *file)
630 {
631 struct static_call_site *site;
632 struct section *sec;
633 struct instruction *insn;
634 struct symbol *key_sym;
635 char *key_name, *tmp;
636 int idx;
637
638 sec = find_section_by_name(file->elf, ".static_call_sites");
639 if (sec) {
640 INIT_LIST_HEAD(&file->static_call_list);
641 WARN("file already has .static_call_sites section, skipping");
642 return 0;
643 }
644
645 if (list_empty(&file->static_call_list))
646 return 0;
647
648 idx = 0;
649 list_for_each_entry(insn, &file->static_call_list, call_node)
650 idx++;
651
652 sec = elf_create_section_pair(file->elf, ".static_call_sites",
653 sizeof(*site), idx, idx * 2);
654 if (!sec)
655 return -1;
656
657 /* Allow modules to modify the low bits of static_call_site::key */
658 sec->sh.sh_flags |= SHF_WRITE;
659
660 idx = 0;
661 list_for_each_entry(insn, &file->static_call_list, call_node) {
662
663 /* populate reloc for 'addr' */
664 if (!elf_init_reloc_text_sym(file->elf, sec,
665 idx * sizeof(*site), idx * 2,
666 insn->sec, insn->offset))
667 return -1;
668
669 /* find key symbol */
670 key_name = strdup(insn_call_dest(insn)->name);
671 if (!key_name) {
672 ERROR_GLIBC("strdup");
673 return -1;
674 }
675 if (strncmp(key_name, STATIC_CALL_TRAMP_PREFIX_STR,
676 STATIC_CALL_TRAMP_PREFIX_LEN)) {
677 ERROR("static_call: trampoline name malformed: %s", key_name);
678 return -1;
679 }
680 tmp = key_name + STATIC_CALL_TRAMP_PREFIX_LEN - STATIC_CALL_KEY_PREFIX_LEN;
681 memcpy(tmp, STATIC_CALL_KEY_PREFIX_STR, STATIC_CALL_KEY_PREFIX_LEN);
682
683 key_sym = find_symbol_by_name(file->elf, tmp);
684 if (!key_sym) {
685 if (!opts.module) {
686 ERROR("static_call: can't find static_call_key symbol: %s", tmp);
687 return -1;
688 }
689
690 /*
691 * For modules(), the key might not be exported, which
692 * means the module can make static calls but isn't
693 * allowed to change them.
694 *
695 * In that case we temporarily set the key to be the
696 * trampoline address. This is fixed up in
697 * static_call_add_module().
698 */
699 key_sym = insn_call_dest(insn);
700 }
701
702 /* populate reloc for 'key' */
703 if (!elf_init_reloc_data_sym(file->elf, sec,
704 idx * sizeof(*site) + 4,
705 (idx * 2) + 1, key_sym,
706 is_sibling_call(insn) * STATIC_CALL_SITE_TAIL))
707 return -1;
708
709 idx++;
710 }
711
712 return 0;
713 }
714
create_retpoline_sites_sections(struct objtool_file * file)715 static int create_retpoline_sites_sections(struct objtool_file *file)
716 {
717 struct instruction *insn;
718 struct section *sec;
719 int idx;
720
721 sec = find_section_by_name(file->elf, ".retpoline_sites");
722 if (sec) {
723 WARN("file already has .retpoline_sites, skipping");
724 return 0;
725 }
726
727 idx = 0;
728 list_for_each_entry(insn, &file->retpoline_call_list, call_node)
729 idx++;
730
731 if (!idx)
732 return 0;
733
734 sec = elf_create_section_pair(file->elf, ".retpoline_sites",
735 sizeof(int), idx, idx);
736 if (!sec)
737 return -1;
738
739 idx = 0;
740 list_for_each_entry(insn, &file->retpoline_call_list, call_node) {
741
742 if (!elf_init_reloc_text_sym(file->elf, sec,
743 idx * sizeof(int), idx,
744 insn->sec, insn->offset))
745 return -1;
746
747 idx++;
748 }
749
750 return 0;
751 }
752
create_return_sites_sections(struct objtool_file * file)753 static int create_return_sites_sections(struct objtool_file *file)
754 {
755 struct instruction *insn;
756 struct section *sec;
757 int idx;
758
759 sec = find_section_by_name(file->elf, ".return_sites");
760 if (sec) {
761 WARN("file already has .return_sites, skipping");
762 return 0;
763 }
764
765 idx = 0;
766 list_for_each_entry(insn, &file->return_thunk_list, call_node)
767 idx++;
768
769 if (!idx)
770 return 0;
771
772 sec = elf_create_section_pair(file->elf, ".return_sites",
773 sizeof(int), idx, idx);
774 if (!sec)
775 return -1;
776
777 idx = 0;
778 list_for_each_entry(insn, &file->return_thunk_list, call_node) {
779
780 if (!elf_init_reloc_text_sym(file->elf, sec,
781 idx * sizeof(int), idx,
782 insn->sec, insn->offset))
783 return -1;
784
785 idx++;
786 }
787
788 return 0;
789 }
790
create_ibt_endbr_seal_sections(struct objtool_file * file)791 static int create_ibt_endbr_seal_sections(struct objtool_file *file)
792 {
793 struct instruction *insn;
794 struct section *sec;
795 int idx;
796
797 sec = find_section_by_name(file->elf, ".ibt_endbr_seal");
798 if (sec) {
799 WARN("file already has .ibt_endbr_seal, skipping");
800 return 0;
801 }
802
803 idx = 0;
804 list_for_each_entry(insn, &file->endbr_list, call_node)
805 idx++;
806
807 if (opts.stats) {
808 printf("ibt: ENDBR at function start: %d\n", file->nr_endbr);
809 printf("ibt: ENDBR inside functions: %d\n", file->nr_endbr_int);
810 printf("ibt: superfluous ENDBR: %d\n", idx);
811 }
812
813 if (!idx)
814 return 0;
815
816 sec = elf_create_section_pair(file->elf, ".ibt_endbr_seal",
817 sizeof(int), idx, idx);
818 if (!sec)
819 return -1;
820
821 idx = 0;
822 list_for_each_entry(insn, &file->endbr_list, call_node) {
823
824 int *site = (int *)sec->data->d_buf + idx;
825 struct symbol *sym = insn->sym;
826 *site = 0;
827
828 if (opts.module && sym && sym->type == STT_FUNC &&
829 insn->offset == sym->offset &&
830 (!strcmp(sym->name, "init_module") ||
831 !strcmp(sym->name, "cleanup_module"))) {
832 ERROR("%s(): Magic init_module() function name is deprecated, use module_init(fn) instead",
833 sym->name);
834 return -1;
835 }
836
837 if (!elf_init_reloc_text_sym(file->elf, sec,
838 idx * sizeof(int), idx,
839 insn->sec, insn->offset))
840 return -1;
841
842 idx++;
843 }
844
845 return 0;
846 }
847
create_cfi_sections(struct objtool_file * file)848 static int create_cfi_sections(struct objtool_file *file)
849 {
850 struct section *sec;
851 struct symbol *sym;
852 int idx;
853
854 sec = find_section_by_name(file->elf, ".cfi_sites");
855 if (sec) {
856 INIT_LIST_HEAD(&file->call_list);
857 WARN("file already has .cfi_sites section, skipping");
858 return 0;
859 }
860
861 idx = 0;
862 for_each_sym(file, sym) {
863 if (sym->type != STT_FUNC)
864 continue;
865
866 if (strncmp(sym->name, "__cfi_", 6))
867 continue;
868
869 idx++;
870 }
871
872 sec = elf_create_section_pair(file->elf, ".cfi_sites",
873 sizeof(unsigned int), idx, idx);
874 if (!sec)
875 return -1;
876
877 idx = 0;
878 for_each_sym(file, sym) {
879 if (sym->type != STT_FUNC)
880 continue;
881
882 if (strncmp(sym->name, "__cfi_", 6))
883 continue;
884
885 if (!elf_init_reloc_text_sym(file->elf, sec,
886 idx * sizeof(unsigned int), idx,
887 sym->sec, sym->offset))
888 return -1;
889
890 idx++;
891 }
892
893 return 0;
894 }
895
create_mcount_loc_sections(struct objtool_file * file)896 static int create_mcount_loc_sections(struct objtool_file *file)
897 {
898 size_t addr_size = elf_addr_size(file->elf);
899 struct instruction *insn;
900 struct section *sec;
901 int idx;
902
903 sec = find_section_by_name(file->elf, "__mcount_loc");
904 if (sec) {
905 INIT_LIST_HEAD(&file->mcount_loc_list);
906 WARN("file already has __mcount_loc section, skipping");
907 return 0;
908 }
909
910 if (list_empty(&file->mcount_loc_list))
911 return 0;
912
913 idx = 0;
914 list_for_each_entry(insn, &file->mcount_loc_list, call_node)
915 idx++;
916
917 sec = elf_create_section_pair(file->elf, "__mcount_loc", addr_size,
918 idx, idx);
919 if (!sec)
920 return -1;
921
922 sec->sh.sh_addralign = addr_size;
923
924 idx = 0;
925 list_for_each_entry(insn, &file->mcount_loc_list, call_node) {
926
927 struct reloc *reloc;
928
929 reloc = elf_init_reloc_text_sym(file->elf, sec, idx * addr_size, idx,
930 insn->sec, insn->offset);
931 if (!reloc)
932 return -1;
933
934 set_reloc_type(file->elf, reloc, addr_size == 8 ? R_ABS64 : R_ABS32);
935
936 idx++;
937 }
938
939 return 0;
940 }
941
create_direct_call_sections(struct objtool_file * file)942 static int create_direct_call_sections(struct objtool_file *file)
943 {
944 struct instruction *insn;
945 struct section *sec;
946 int idx;
947
948 sec = find_section_by_name(file->elf, ".call_sites");
949 if (sec) {
950 INIT_LIST_HEAD(&file->call_list);
951 WARN("file already has .call_sites section, skipping");
952 return 0;
953 }
954
955 if (list_empty(&file->call_list))
956 return 0;
957
958 idx = 0;
959 list_for_each_entry(insn, &file->call_list, call_node)
960 idx++;
961
962 sec = elf_create_section_pair(file->elf, ".call_sites",
963 sizeof(unsigned int), idx, idx);
964 if (!sec)
965 return -1;
966
967 idx = 0;
968 list_for_each_entry(insn, &file->call_list, call_node) {
969
970 if (!elf_init_reloc_text_sym(file->elf, sec,
971 idx * sizeof(unsigned int), idx,
972 insn->sec, insn->offset))
973 return -1;
974
975 idx++;
976 }
977
978 return 0;
979 }
980
981 /*
982 * Warnings shouldn't be reported for ignored functions.
983 */
add_ignores(struct objtool_file * file)984 static int add_ignores(struct objtool_file *file)
985 {
986 struct section *rsec;
987 struct symbol *func;
988 struct reloc *reloc;
989
990 rsec = find_section_by_name(file->elf, ".rela.discard.func_stack_frame_non_standard");
991 if (!rsec)
992 return 0;
993
994 for_each_reloc(rsec, reloc) {
995 switch (reloc->sym->type) {
996 case STT_FUNC:
997 func = reloc->sym;
998 break;
999
1000 case STT_SECTION:
1001 func = find_func_by_offset(reloc->sym->sec, reloc_addend(reloc));
1002 if (!func)
1003 continue;
1004 break;
1005
1006 default:
1007 ERROR("unexpected relocation symbol type in %s: %d",
1008 rsec->name, reloc->sym->type);
1009 return -1;
1010 }
1011
1012 func->ignore = true;
1013 if (func->cfunc)
1014 func->cfunc->ignore = true;
1015 }
1016
1017 return 0;
1018 }
1019
1020 /*
1021 * This is a whitelist of functions that is allowed to be called with AC set.
1022 * The list is meant to be minimal and only contains compiler instrumentation
1023 * ABI and a few functions used to implement *_{to,from}_user() functions.
1024 *
1025 * These functions must not directly change AC, but may PUSHF/POPF.
1026 */
1027 static const char *uaccess_safe_builtin[] = {
1028 /* KASAN */
1029 "kasan_report",
1030 "kasan_check_range",
1031 /* KASAN out-of-line */
1032 "__asan_loadN_noabort",
1033 "__asan_load1_noabort",
1034 "__asan_load2_noabort",
1035 "__asan_load4_noabort",
1036 "__asan_load8_noabort",
1037 "__asan_load16_noabort",
1038 "__asan_storeN_noabort",
1039 "__asan_store1_noabort",
1040 "__asan_store2_noabort",
1041 "__asan_store4_noabort",
1042 "__asan_store8_noabort",
1043 "__asan_store16_noabort",
1044 "__kasan_check_read",
1045 "__kasan_check_write",
1046 /* KASAN in-line */
1047 "__asan_report_load_n_noabort",
1048 "__asan_report_load1_noabort",
1049 "__asan_report_load2_noabort",
1050 "__asan_report_load4_noabort",
1051 "__asan_report_load8_noabort",
1052 "__asan_report_load16_noabort",
1053 "__asan_report_store_n_noabort",
1054 "__asan_report_store1_noabort",
1055 "__asan_report_store2_noabort",
1056 "__asan_report_store4_noabort",
1057 "__asan_report_store8_noabort",
1058 "__asan_report_store16_noabort",
1059 /* KCSAN */
1060 "__kcsan_check_access",
1061 "__kcsan_mb",
1062 "__kcsan_wmb",
1063 "__kcsan_rmb",
1064 "__kcsan_release",
1065 "kcsan_found_watchpoint",
1066 "kcsan_setup_watchpoint",
1067 "kcsan_check_scoped_accesses",
1068 "kcsan_disable_current",
1069 "kcsan_enable_current_nowarn",
1070 /* KCSAN/TSAN */
1071 "__tsan_func_entry",
1072 "__tsan_func_exit",
1073 "__tsan_read_range",
1074 "__tsan_write_range",
1075 "__tsan_read1",
1076 "__tsan_read2",
1077 "__tsan_read4",
1078 "__tsan_read8",
1079 "__tsan_read16",
1080 "__tsan_write1",
1081 "__tsan_write2",
1082 "__tsan_write4",
1083 "__tsan_write8",
1084 "__tsan_write16",
1085 "__tsan_read_write1",
1086 "__tsan_read_write2",
1087 "__tsan_read_write4",
1088 "__tsan_read_write8",
1089 "__tsan_read_write16",
1090 "__tsan_volatile_read1",
1091 "__tsan_volatile_read2",
1092 "__tsan_volatile_read4",
1093 "__tsan_volatile_read8",
1094 "__tsan_volatile_read16",
1095 "__tsan_volatile_write1",
1096 "__tsan_volatile_write2",
1097 "__tsan_volatile_write4",
1098 "__tsan_volatile_write8",
1099 "__tsan_volatile_write16",
1100 "__tsan_atomic8_load",
1101 "__tsan_atomic16_load",
1102 "__tsan_atomic32_load",
1103 "__tsan_atomic64_load",
1104 "__tsan_atomic8_store",
1105 "__tsan_atomic16_store",
1106 "__tsan_atomic32_store",
1107 "__tsan_atomic64_store",
1108 "__tsan_atomic8_exchange",
1109 "__tsan_atomic16_exchange",
1110 "__tsan_atomic32_exchange",
1111 "__tsan_atomic64_exchange",
1112 "__tsan_atomic8_fetch_add",
1113 "__tsan_atomic16_fetch_add",
1114 "__tsan_atomic32_fetch_add",
1115 "__tsan_atomic64_fetch_add",
1116 "__tsan_atomic8_fetch_sub",
1117 "__tsan_atomic16_fetch_sub",
1118 "__tsan_atomic32_fetch_sub",
1119 "__tsan_atomic64_fetch_sub",
1120 "__tsan_atomic8_fetch_and",
1121 "__tsan_atomic16_fetch_and",
1122 "__tsan_atomic32_fetch_and",
1123 "__tsan_atomic64_fetch_and",
1124 "__tsan_atomic8_fetch_or",
1125 "__tsan_atomic16_fetch_or",
1126 "__tsan_atomic32_fetch_or",
1127 "__tsan_atomic64_fetch_or",
1128 "__tsan_atomic8_fetch_xor",
1129 "__tsan_atomic16_fetch_xor",
1130 "__tsan_atomic32_fetch_xor",
1131 "__tsan_atomic64_fetch_xor",
1132 "__tsan_atomic8_fetch_nand",
1133 "__tsan_atomic16_fetch_nand",
1134 "__tsan_atomic32_fetch_nand",
1135 "__tsan_atomic64_fetch_nand",
1136 "__tsan_atomic8_compare_exchange_strong",
1137 "__tsan_atomic16_compare_exchange_strong",
1138 "__tsan_atomic32_compare_exchange_strong",
1139 "__tsan_atomic64_compare_exchange_strong",
1140 "__tsan_atomic8_compare_exchange_weak",
1141 "__tsan_atomic16_compare_exchange_weak",
1142 "__tsan_atomic32_compare_exchange_weak",
1143 "__tsan_atomic64_compare_exchange_weak",
1144 "__tsan_atomic8_compare_exchange_val",
1145 "__tsan_atomic16_compare_exchange_val",
1146 "__tsan_atomic32_compare_exchange_val",
1147 "__tsan_atomic64_compare_exchange_val",
1148 "__tsan_atomic_thread_fence",
1149 "__tsan_atomic_signal_fence",
1150 "__tsan_unaligned_read16",
1151 "__tsan_unaligned_write16",
1152 /* KCOV */
1153 "write_comp_data",
1154 "check_kcov_mode",
1155 "__sanitizer_cov_trace_pc",
1156 "__sanitizer_cov_trace_const_cmp1",
1157 "__sanitizer_cov_trace_const_cmp2",
1158 "__sanitizer_cov_trace_const_cmp4",
1159 "__sanitizer_cov_trace_const_cmp8",
1160 "__sanitizer_cov_trace_cmp1",
1161 "__sanitizer_cov_trace_cmp2",
1162 "__sanitizer_cov_trace_cmp4",
1163 "__sanitizer_cov_trace_cmp8",
1164 "__sanitizer_cov_trace_switch",
1165 /* KMSAN */
1166 "kmsan_copy_to_user",
1167 "kmsan_disable_current",
1168 "kmsan_enable_current",
1169 "kmsan_report",
1170 "kmsan_unpoison_entry_regs",
1171 "kmsan_unpoison_memory",
1172 "__msan_chain_origin",
1173 "__msan_get_context_state",
1174 "__msan_instrument_asm_store",
1175 "__msan_metadata_ptr_for_load_1",
1176 "__msan_metadata_ptr_for_load_2",
1177 "__msan_metadata_ptr_for_load_4",
1178 "__msan_metadata_ptr_for_load_8",
1179 "__msan_metadata_ptr_for_load_n",
1180 "__msan_metadata_ptr_for_store_1",
1181 "__msan_metadata_ptr_for_store_2",
1182 "__msan_metadata_ptr_for_store_4",
1183 "__msan_metadata_ptr_for_store_8",
1184 "__msan_metadata_ptr_for_store_n",
1185 "__msan_poison_alloca",
1186 "__msan_warning",
1187 /* UBSAN */
1188 "ubsan_type_mismatch_common",
1189 "__ubsan_handle_type_mismatch",
1190 "__ubsan_handle_type_mismatch_v1",
1191 "__ubsan_handle_shift_out_of_bounds",
1192 "__ubsan_handle_load_invalid_value",
1193 /* STACKLEAK */
1194 "stackleak_track_stack",
1195 /* TRACE_BRANCH_PROFILING */
1196 "ftrace_likely_update",
1197 /* STACKPROTECTOR */
1198 "__stack_chk_fail",
1199 /* misc */
1200 "csum_partial_copy_generic",
1201 "copy_mc_fragile",
1202 "copy_mc_fragile_handle_tail",
1203 "copy_mc_enhanced_fast_string",
1204 "rep_stos_alternative",
1205 "rep_movs_alternative",
1206 "__copy_user_nocache",
1207 NULL
1208 };
1209
add_uaccess_safe(struct objtool_file * file)1210 static void add_uaccess_safe(struct objtool_file *file)
1211 {
1212 struct symbol *func;
1213 const char **name;
1214
1215 if (!opts.uaccess)
1216 return;
1217
1218 for (name = uaccess_safe_builtin; *name; name++) {
1219 func = find_symbol_by_name(file->elf, *name);
1220 if (!func)
1221 continue;
1222
1223 func->uaccess_safe = true;
1224 }
1225 }
1226
1227 /*
1228 * Symbols that replace INSN_CALL_DYNAMIC, every (tail) call to such a symbol
1229 * will be added to the .retpoline_sites section.
1230 */
arch_is_retpoline(struct symbol * sym)1231 __weak bool arch_is_retpoline(struct symbol *sym)
1232 {
1233 return false;
1234 }
1235
1236 /*
1237 * Symbols that replace INSN_RETURN, every (tail) call to such a symbol
1238 * will be added to the .return_sites section.
1239 */
arch_is_rethunk(struct symbol * sym)1240 __weak bool arch_is_rethunk(struct symbol *sym)
1241 {
1242 return false;
1243 }
1244
1245 /*
1246 * Symbols that are embedded inside other instructions, because sometimes crazy
1247 * code exists. These are mostly ignored for validation purposes.
1248 */
arch_is_embedded_insn(struct symbol * sym)1249 __weak bool arch_is_embedded_insn(struct symbol *sym)
1250 {
1251 return false;
1252 }
1253
insn_reloc(struct objtool_file * file,struct instruction * insn)1254 static struct reloc *insn_reloc(struct objtool_file *file, struct instruction *insn)
1255 {
1256 struct reloc *reloc;
1257
1258 if (insn->no_reloc)
1259 return NULL;
1260
1261 if (!file)
1262 return NULL;
1263
1264 reloc = find_reloc_by_dest_range(file->elf, insn->sec,
1265 insn->offset, insn->len);
1266 if (!reloc) {
1267 insn->no_reloc = 1;
1268 return NULL;
1269 }
1270
1271 return reloc;
1272 }
1273
remove_insn_ops(struct instruction * insn)1274 static void remove_insn_ops(struct instruction *insn)
1275 {
1276 struct stack_op *op, *next;
1277
1278 for (op = insn->stack_ops; op; op = next) {
1279 next = op->next;
1280 free(op);
1281 }
1282 insn->stack_ops = NULL;
1283 }
1284
annotate_call_site(struct objtool_file * file,struct instruction * insn,bool sibling)1285 static int annotate_call_site(struct objtool_file *file,
1286 struct instruction *insn, bool sibling)
1287 {
1288 struct reloc *reloc = insn_reloc(file, insn);
1289 struct symbol *sym = insn_call_dest(insn);
1290
1291 if (!sym)
1292 sym = reloc->sym;
1293
1294 if (sym->static_call_tramp) {
1295 list_add_tail(&insn->call_node, &file->static_call_list);
1296 return 0;
1297 }
1298
1299 if (sym->retpoline_thunk) {
1300 list_add_tail(&insn->call_node, &file->retpoline_call_list);
1301 return 0;
1302 }
1303
1304 /*
1305 * Many compilers cannot disable KCOV or sanitizer calls with a function
1306 * attribute so they need a little help, NOP out any such calls from
1307 * noinstr text.
1308 */
1309 if (opts.hack_noinstr && insn->sec->noinstr && sym->profiling_func) {
1310 if (reloc)
1311 set_reloc_type(file->elf, reloc, R_NONE);
1312
1313 if (elf_write_insn(file->elf, insn->sec,
1314 insn->offset, insn->len,
1315 sibling ? arch_ret_insn(insn->len)
1316 : arch_nop_insn(insn->len))) {
1317 return -1;
1318 }
1319
1320 insn->type = sibling ? INSN_RETURN : INSN_NOP;
1321
1322 if (sibling) {
1323 /*
1324 * We've replaced the tail-call JMP insn by two new
1325 * insn: RET; INT3, except we only have a single struct
1326 * insn here. Mark it retpoline_safe to avoid the SLS
1327 * warning, instead of adding another insn.
1328 */
1329 insn->retpoline_safe = true;
1330 }
1331
1332 return 0;
1333 }
1334
1335 if (opts.mcount && sym->fentry) {
1336 if (sibling)
1337 WARN_INSN(insn, "tail call to __fentry__ !?!?");
1338 if (opts.mnop) {
1339 if (reloc)
1340 set_reloc_type(file->elf, reloc, R_NONE);
1341
1342 if (elf_write_insn(file->elf, insn->sec,
1343 insn->offset, insn->len,
1344 arch_nop_insn(insn->len))) {
1345 return -1;
1346 }
1347
1348 insn->type = INSN_NOP;
1349 }
1350
1351 list_add_tail(&insn->call_node, &file->mcount_loc_list);
1352 return 0;
1353 }
1354
1355 if (insn->type == INSN_CALL && !insn->sec->init &&
1356 !insn->_call_dest->embedded_insn)
1357 list_add_tail(&insn->call_node, &file->call_list);
1358
1359 if (!sibling && dead_end_function(file, sym))
1360 insn->dead_end = true;
1361
1362 return 0;
1363 }
1364
add_call_dest(struct objtool_file * file,struct instruction * insn,struct symbol * dest,bool sibling)1365 static int add_call_dest(struct objtool_file *file, struct instruction *insn,
1366 struct symbol *dest, bool sibling)
1367 {
1368 insn->_call_dest = dest;
1369 if (!dest)
1370 return 0;
1371
1372 /*
1373 * Whatever stack impact regular CALLs have, should be undone
1374 * by the RETURN of the called function.
1375 *
1376 * Annotated intra-function calls retain the stack_ops but
1377 * are converted to JUMP, see read_intra_function_calls().
1378 */
1379 remove_insn_ops(insn);
1380
1381 return annotate_call_site(file, insn, sibling);
1382 }
1383
add_retpoline_call(struct objtool_file * file,struct instruction * insn)1384 static int add_retpoline_call(struct objtool_file *file, struct instruction *insn)
1385 {
1386 /*
1387 * Retpoline calls/jumps are really dynamic calls/jumps in disguise,
1388 * so convert them accordingly.
1389 */
1390 switch (insn->type) {
1391 case INSN_CALL:
1392 insn->type = INSN_CALL_DYNAMIC;
1393 break;
1394 case INSN_JUMP_UNCONDITIONAL:
1395 insn->type = INSN_JUMP_DYNAMIC;
1396 break;
1397 case INSN_JUMP_CONDITIONAL:
1398 insn->type = INSN_JUMP_DYNAMIC_CONDITIONAL;
1399 break;
1400 default:
1401 return 0;
1402 }
1403
1404 insn->retpoline_safe = true;
1405
1406 /*
1407 * Whatever stack impact regular CALLs have, should be undone
1408 * by the RETURN of the called function.
1409 *
1410 * Annotated intra-function calls retain the stack_ops but
1411 * are converted to JUMP, see read_intra_function_calls().
1412 */
1413 remove_insn_ops(insn);
1414
1415 return annotate_call_site(file, insn, false);
1416 }
1417
add_return_call(struct objtool_file * file,struct instruction * insn,bool add)1418 static void add_return_call(struct objtool_file *file, struct instruction *insn, bool add)
1419 {
1420 /*
1421 * Return thunk tail calls are really just returns in disguise,
1422 * so convert them accordingly.
1423 */
1424 insn->type = INSN_RETURN;
1425 insn->retpoline_safe = true;
1426
1427 if (add)
1428 list_add_tail(&insn->call_node, &file->return_thunk_list);
1429 }
1430
is_first_func_insn(struct objtool_file * file,struct instruction * insn,struct symbol * sym)1431 static bool is_first_func_insn(struct objtool_file *file,
1432 struct instruction *insn, struct symbol *sym)
1433 {
1434 if (insn->offset == sym->offset)
1435 return true;
1436
1437 /* Allow direct CALL/JMP past ENDBR */
1438 if (opts.ibt) {
1439 struct instruction *prev = prev_insn_same_sym(file, insn);
1440
1441 if (prev && prev->type == INSN_ENDBR &&
1442 insn->offset == sym->offset + prev->len)
1443 return true;
1444 }
1445
1446 return false;
1447 }
1448
1449 /*
1450 * A sibling call is a tail-call to another symbol -- to differentiate from a
1451 * recursive tail-call which is to the same symbol.
1452 */
jump_is_sibling_call(struct objtool_file * file,struct instruction * from,struct instruction * to)1453 static bool jump_is_sibling_call(struct objtool_file *file,
1454 struct instruction *from, struct instruction *to)
1455 {
1456 struct symbol *fs = from->sym;
1457 struct symbol *ts = to->sym;
1458
1459 /* Not a sibling call if from/to a symbol hole */
1460 if (!fs || !ts)
1461 return false;
1462
1463 /* Not a sibling call if not targeting the start of a symbol. */
1464 if (!is_first_func_insn(file, to, ts))
1465 return false;
1466
1467 /* Disallow sibling calls into STT_NOTYPE */
1468 if (ts->type == STT_NOTYPE)
1469 return false;
1470
1471 /* Must not be self to be a sibling */
1472 return fs->pfunc != ts->pfunc;
1473 }
1474
1475 /*
1476 * Find the destination instructions for all jumps.
1477 */
add_jump_destinations(struct objtool_file * file)1478 static int add_jump_destinations(struct objtool_file *file)
1479 {
1480 struct instruction *insn, *jump_dest;
1481 struct reloc *reloc;
1482 struct section *dest_sec;
1483 unsigned long dest_off;
1484 int ret;
1485
1486 for_each_insn(file, insn) {
1487 struct symbol *func = insn_func(insn);
1488
1489 if (insn->jump_dest) {
1490 /*
1491 * handle_group_alt() may have previously set
1492 * 'jump_dest' for some alternatives.
1493 */
1494 continue;
1495 }
1496 if (!is_static_jump(insn))
1497 continue;
1498
1499 reloc = insn_reloc(file, insn);
1500 if (!reloc) {
1501 dest_sec = insn->sec;
1502 dest_off = arch_jump_destination(insn);
1503 } else if (reloc->sym->type == STT_SECTION) {
1504 dest_sec = reloc->sym->sec;
1505 dest_off = arch_dest_reloc_offset(reloc_addend(reloc));
1506 } else if (reloc->sym->retpoline_thunk) {
1507 ret = add_retpoline_call(file, insn);
1508 if (ret)
1509 return ret;
1510 continue;
1511 } else if (reloc->sym->return_thunk) {
1512 add_return_call(file, insn, true);
1513 continue;
1514 } else if (func) {
1515 /*
1516 * External sibling call or internal sibling call with
1517 * STT_FUNC reloc.
1518 */
1519 ret = add_call_dest(file, insn, reloc->sym, true);
1520 if (ret)
1521 return ret;
1522 continue;
1523 } else if (reloc->sym->sec->idx) {
1524 dest_sec = reloc->sym->sec;
1525 dest_off = reloc->sym->sym.st_value +
1526 arch_dest_reloc_offset(reloc_addend(reloc));
1527 } else {
1528 /* non-func asm code jumping to another file */
1529 continue;
1530 }
1531
1532 jump_dest = find_insn(file, dest_sec, dest_off);
1533 if (!jump_dest) {
1534 struct symbol *sym = find_symbol_by_offset(dest_sec, dest_off);
1535
1536 /*
1537 * This is a special case for retbleed_untrain_ret().
1538 * It jumps to __x86_return_thunk(), but objtool
1539 * can't find the thunk's starting RET
1540 * instruction, because the RET is also in the
1541 * middle of another instruction. Objtool only
1542 * knows about the outer instruction.
1543 */
1544 if (sym && sym->embedded_insn) {
1545 add_return_call(file, insn, false);
1546 continue;
1547 }
1548
1549 /*
1550 * GCOV/KCOV dead code can jump to the end of the
1551 * function/section.
1552 */
1553 if (file->ignore_unreachables && func &&
1554 dest_sec == insn->sec &&
1555 dest_off == func->offset + func->len)
1556 continue;
1557
1558 ERROR_INSN(insn, "can't find jump dest instruction at %s+0x%lx",
1559 dest_sec->name, dest_off);
1560 return -1;
1561 }
1562
1563 /*
1564 * An intra-TU jump in retpoline.o might not have a relocation
1565 * for its jump dest, in which case the above
1566 * add_{retpoline,return}_call() didn't happen.
1567 */
1568 if (jump_dest->sym && jump_dest->offset == jump_dest->sym->offset) {
1569 if (jump_dest->sym->retpoline_thunk) {
1570 ret = add_retpoline_call(file, insn);
1571 if (ret)
1572 return ret;
1573 continue;
1574 }
1575 if (jump_dest->sym->return_thunk) {
1576 add_return_call(file, insn, true);
1577 continue;
1578 }
1579 }
1580
1581 /*
1582 * Cross-function jump.
1583 */
1584 if (func && insn_func(jump_dest) && func != insn_func(jump_dest)) {
1585
1586 /*
1587 * For GCC 8+, create parent/child links for any cold
1588 * subfunctions. This is _mostly_ redundant with a
1589 * similar initialization in read_symbols().
1590 *
1591 * If a function has aliases, we want the *first* such
1592 * function in the symbol table to be the subfunction's
1593 * parent. In that case we overwrite the
1594 * initialization done in read_symbols().
1595 *
1596 * However this code can't completely replace the
1597 * read_symbols() code because this doesn't detect the
1598 * case where the parent function's only reference to a
1599 * subfunction is through a jump table.
1600 */
1601 if (!strstr(func->name, ".cold") &&
1602 strstr(insn_func(jump_dest)->name, ".cold")) {
1603 func->cfunc = insn_func(jump_dest);
1604 insn_func(jump_dest)->pfunc = func;
1605 }
1606 }
1607
1608 if (jump_is_sibling_call(file, insn, jump_dest)) {
1609 /*
1610 * Internal sibling call without reloc or with
1611 * STT_SECTION reloc.
1612 */
1613 ret = add_call_dest(file, insn, insn_func(jump_dest), true);
1614 if (ret)
1615 return ret;
1616 continue;
1617 }
1618
1619 insn->jump_dest = jump_dest;
1620 }
1621
1622 return 0;
1623 }
1624
find_call_destination(struct section * sec,unsigned long offset)1625 static struct symbol *find_call_destination(struct section *sec, unsigned long offset)
1626 {
1627 struct symbol *call_dest;
1628
1629 call_dest = find_func_by_offset(sec, offset);
1630 if (!call_dest)
1631 call_dest = find_symbol_by_offset(sec, offset);
1632
1633 return call_dest;
1634 }
1635
1636 /*
1637 * Find the destination instructions for all calls.
1638 */
add_call_destinations(struct objtool_file * file)1639 static int add_call_destinations(struct objtool_file *file)
1640 {
1641 struct instruction *insn;
1642 unsigned long dest_off;
1643 struct symbol *dest;
1644 struct reloc *reloc;
1645 int ret;
1646
1647 for_each_insn(file, insn) {
1648 struct symbol *func = insn_func(insn);
1649 if (insn->type != INSN_CALL)
1650 continue;
1651
1652 reloc = insn_reloc(file, insn);
1653 if (!reloc) {
1654 dest_off = arch_jump_destination(insn);
1655 dest = find_call_destination(insn->sec, dest_off);
1656
1657 ret = add_call_dest(file, insn, dest, false);
1658 if (ret)
1659 return ret;
1660
1661 if (func && func->ignore)
1662 continue;
1663
1664 if (!insn_call_dest(insn)) {
1665 ERROR_INSN(insn, "unannotated intra-function call");
1666 return -1;
1667 }
1668
1669 if (func && insn_call_dest(insn)->type != STT_FUNC) {
1670 ERROR_INSN(insn, "unsupported call to non-function");
1671 return -1;
1672 }
1673
1674 } else if (reloc->sym->type == STT_SECTION) {
1675 dest_off = arch_dest_reloc_offset(reloc_addend(reloc));
1676 dest = find_call_destination(reloc->sym->sec, dest_off);
1677 if (!dest) {
1678 ERROR_INSN(insn, "can't find call dest symbol at %s+0x%lx",
1679 reloc->sym->sec->name, dest_off);
1680 return -1;
1681 }
1682
1683 ret = add_call_dest(file, insn, dest, false);
1684 if (ret)
1685 return ret;
1686
1687 } else if (reloc->sym->retpoline_thunk) {
1688 ret = add_retpoline_call(file, insn);
1689 if (ret)
1690 return ret;
1691
1692 } else {
1693 ret = add_call_dest(file, insn, reloc->sym, false);
1694 if (ret)
1695 return ret;
1696 }
1697 }
1698
1699 return 0;
1700 }
1701
1702 /*
1703 * The .alternatives section requires some extra special care over and above
1704 * other special sections because alternatives are patched in place.
1705 */
handle_group_alt(struct objtool_file * file,struct special_alt * special_alt,struct instruction * orig_insn,struct instruction ** new_insn)1706 static int handle_group_alt(struct objtool_file *file,
1707 struct special_alt *special_alt,
1708 struct instruction *orig_insn,
1709 struct instruction **new_insn)
1710 {
1711 struct instruction *last_new_insn = NULL, *insn, *nop = NULL;
1712 struct alt_group *orig_alt_group, *new_alt_group;
1713 unsigned long dest_off;
1714
1715 orig_alt_group = orig_insn->alt_group;
1716 if (!orig_alt_group) {
1717 struct instruction *last_orig_insn = NULL;
1718
1719 orig_alt_group = calloc(1, sizeof(*orig_alt_group));
1720 if (!orig_alt_group) {
1721 ERROR_GLIBC("calloc");
1722 return -1;
1723 }
1724 orig_alt_group->cfi = calloc(special_alt->orig_len,
1725 sizeof(struct cfi_state *));
1726 if (!orig_alt_group->cfi) {
1727 ERROR_GLIBC("calloc");
1728 return -1;
1729 }
1730
1731 insn = orig_insn;
1732 sec_for_each_insn_from(file, insn) {
1733 if (insn->offset >= special_alt->orig_off + special_alt->orig_len)
1734 break;
1735
1736 insn->alt_group = orig_alt_group;
1737 last_orig_insn = insn;
1738 }
1739 orig_alt_group->orig_group = NULL;
1740 orig_alt_group->first_insn = orig_insn;
1741 orig_alt_group->last_insn = last_orig_insn;
1742 orig_alt_group->nop = NULL;
1743 orig_alt_group->ignore = orig_insn->ignore_alts;
1744 } else {
1745 if (orig_alt_group->last_insn->offset + orig_alt_group->last_insn->len -
1746 orig_alt_group->first_insn->offset != special_alt->orig_len) {
1747 ERROR_INSN(orig_insn, "weirdly overlapping alternative! %ld != %d",
1748 orig_alt_group->last_insn->offset +
1749 orig_alt_group->last_insn->len -
1750 orig_alt_group->first_insn->offset,
1751 special_alt->orig_len);
1752 return -1;
1753 }
1754 }
1755
1756 new_alt_group = calloc(1, sizeof(*new_alt_group));
1757 if (!new_alt_group) {
1758 ERROR_GLIBC("calloc");
1759 return -1;
1760 }
1761
1762 if (special_alt->new_len < special_alt->orig_len) {
1763 /*
1764 * Insert a fake nop at the end to make the replacement
1765 * alt_group the same size as the original. This is needed to
1766 * allow propagate_alt_cfi() to do its magic. When the last
1767 * instruction affects the stack, the instruction after it (the
1768 * nop) will propagate the new state to the shared CFI array.
1769 */
1770 nop = calloc(1, sizeof(*nop));
1771 if (!nop) {
1772 ERROR_GLIBC("calloc");
1773 return -1;
1774 }
1775 memset(nop, 0, sizeof(*nop));
1776
1777 nop->sec = special_alt->new_sec;
1778 nop->offset = special_alt->new_off + special_alt->new_len;
1779 nop->len = special_alt->orig_len - special_alt->new_len;
1780 nop->type = INSN_NOP;
1781 nop->sym = orig_insn->sym;
1782 nop->alt_group = new_alt_group;
1783 }
1784
1785 if (!special_alt->new_len) {
1786 *new_insn = nop;
1787 goto end;
1788 }
1789
1790 insn = *new_insn;
1791 sec_for_each_insn_from(file, insn) {
1792 struct reloc *alt_reloc;
1793
1794 if (insn->offset >= special_alt->new_off + special_alt->new_len)
1795 break;
1796
1797 last_new_insn = insn;
1798
1799 insn->sym = orig_insn->sym;
1800 insn->alt_group = new_alt_group;
1801
1802 /*
1803 * Since alternative replacement code is copy/pasted by the
1804 * kernel after applying relocations, generally such code can't
1805 * have relative-address relocation references to outside the
1806 * .altinstr_replacement section, unless the arch's
1807 * alternatives code can adjust the relative offsets
1808 * accordingly.
1809 */
1810 alt_reloc = insn_reloc(file, insn);
1811 if (alt_reloc && arch_pc_relative_reloc(alt_reloc) &&
1812 !arch_support_alt_relocation(special_alt, insn, alt_reloc)) {
1813
1814 ERROR_INSN(insn, "unsupported relocation in alternatives section");
1815 return -1;
1816 }
1817
1818 if (!is_static_jump(insn))
1819 continue;
1820
1821 if (!insn->immediate)
1822 continue;
1823
1824 dest_off = arch_jump_destination(insn);
1825 if (dest_off == special_alt->new_off + special_alt->new_len) {
1826 insn->jump_dest = next_insn_same_sec(file, orig_alt_group->last_insn);
1827 if (!insn->jump_dest) {
1828 ERROR_INSN(insn, "can't find alternative jump destination");
1829 return -1;
1830 }
1831 }
1832 }
1833
1834 if (!last_new_insn) {
1835 ERROR_FUNC(special_alt->new_sec, special_alt->new_off,
1836 "can't find last new alternative instruction");
1837 return -1;
1838 }
1839
1840 end:
1841 new_alt_group->orig_group = orig_alt_group;
1842 new_alt_group->first_insn = *new_insn;
1843 new_alt_group->last_insn = last_new_insn;
1844 new_alt_group->nop = nop;
1845 new_alt_group->ignore = (*new_insn)->ignore_alts;
1846 new_alt_group->cfi = orig_alt_group->cfi;
1847 return 0;
1848 }
1849
1850 /*
1851 * A jump table entry can either convert a nop to a jump or a jump to a nop.
1852 * If the original instruction is a jump, make the alt entry an effective nop
1853 * by just skipping the original instruction.
1854 */
handle_jump_alt(struct objtool_file * file,struct special_alt * special_alt,struct instruction * orig_insn,struct instruction ** new_insn)1855 static int handle_jump_alt(struct objtool_file *file,
1856 struct special_alt *special_alt,
1857 struct instruction *orig_insn,
1858 struct instruction **new_insn)
1859 {
1860 if (orig_insn->type != INSN_JUMP_UNCONDITIONAL &&
1861 orig_insn->type != INSN_NOP) {
1862
1863 ERROR_INSN(orig_insn, "unsupported instruction at jump label");
1864 return -1;
1865 }
1866
1867 if (opts.hack_jump_label && special_alt->key_addend & 2) {
1868 struct reloc *reloc = insn_reloc(file, orig_insn);
1869
1870 if (reloc)
1871 set_reloc_type(file->elf, reloc, R_NONE);
1872
1873 if (elf_write_insn(file->elf, orig_insn->sec,
1874 orig_insn->offset, orig_insn->len,
1875 arch_nop_insn(orig_insn->len))) {
1876 return -1;
1877 }
1878
1879 orig_insn->type = INSN_NOP;
1880 }
1881
1882 if (orig_insn->type == INSN_NOP) {
1883 if (orig_insn->len == 2)
1884 file->jl_nop_short++;
1885 else
1886 file->jl_nop_long++;
1887
1888 return 0;
1889 }
1890
1891 if (orig_insn->len == 2)
1892 file->jl_short++;
1893 else
1894 file->jl_long++;
1895
1896 *new_insn = next_insn_same_sec(file, orig_insn);
1897 return 0;
1898 }
1899
1900 /*
1901 * Read all the special sections which have alternate instructions which can be
1902 * patched in or redirected to at runtime. Each instruction having alternate
1903 * instruction(s) has them added to its insn->alts list, which will be
1904 * traversed in validate_branch().
1905 */
add_special_section_alts(struct objtool_file * file)1906 static int add_special_section_alts(struct objtool_file *file)
1907 {
1908 struct list_head special_alts;
1909 struct instruction *orig_insn, *new_insn;
1910 struct special_alt *special_alt, *tmp;
1911 struct alternative *alt;
1912 int ret;
1913
1914 if (special_get_alts(file->elf, &special_alts))
1915 return -1;
1916
1917 list_for_each_entry_safe(special_alt, tmp, &special_alts, list) {
1918
1919 orig_insn = find_insn(file, special_alt->orig_sec,
1920 special_alt->orig_off);
1921 if (!orig_insn) {
1922 ERROR_FUNC(special_alt->orig_sec, special_alt->orig_off,
1923 "special: can't find orig instruction");
1924 return -1;
1925 }
1926
1927 new_insn = NULL;
1928 if (!special_alt->group || special_alt->new_len) {
1929 new_insn = find_insn(file, special_alt->new_sec,
1930 special_alt->new_off);
1931 if (!new_insn) {
1932 ERROR_FUNC(special_alt->new_sec, special_alt->new_off,
1933 "special: can't find new instruction");
1934 return -1;
1935 }
1936 }
1937
1938 if (special_alt->group) {
1939 if (!special_alt->orig_len) {
1940 ERROR_INSN(orig_insn, "empty alternative entry");
1941 continue;
1942 }
1943
1944 ret = handle_group_alt(file, special_alt, orig_insn,
1945 &new_insn);
1946 if (ret)
1947 return ret;
1948
1949 } else if (special_alt->jump_or_nop) {
1950 ret = handle_jump_alt(file, special_alt, orig_insn,
1951 &new_insn);
1952 if (ret)
1953 return ret;
1954 }
1955
1956 alt = calloc(1, sizeof(*alt));
1957 if (!alt) {
1958 ERROR_GLIBC("calloc");
1959 return -1;
1960 }
1961
1962 alt->insn = new_insn;
1963 alt->next = orig_insn->alts;
1964 orig_insn->alts = alt;
1965
1966 list_del(&special_alt->list);
1967 free(special_alt);
1968 }
1969
1970 if (opts.stats) {
1971 printf("jl\\\tNOP\tJMP\n");
1972 printf("short:\t%ld\t%ld\n", file->jl_nop_short, file->jl_short);
1973 printf("long:\t%ld\t%ld\n", file->jl_nop_long, file->jl_long);
1974 }
1975
1976 return 0;
1977 }
1978
arch_jump_table_sym_offset(struct reloc * reloc,struct reloc * table)1979 __weak unsigned long arch_jump_table_sym_offset(struct reloc *reloc, struct reloc *table)
1980 {
1981 return reloc->sym->offset + reloc_addend(reloc);
1982 }
1983
add_jump_table(struct objtool_file * file,struct instruction * insn)1984 static int add_jump_table(struct objtool_file *file, struct instruction *insn)
1985 {
1986 unsigned long table_size = insn_jump_table_size(insn);
1987 struct symbol *pfunc = insn_func(insn)->pfunc;
1988 struct reloc *table = insn_jump_table(insn);
1989 struct instruction *dest_insn;
1990 unsigned int prev_offset = 0;
1991 struct reloc *reloc = table;
1992 struct alternative *alt;
1993 unsigned long sym_offset;
1994
1995 /*
1996 * Each @reloc is a switch table relocation which points to the target
1997 * instruction.
1998 */
1999 for_each_reloc_from(table->sec, reloc) {
2000
2001 /* Check for the end of the table: */
2002 if (table_size && reloc_offset(reloc) - reloc_offset(table) >= table_size)
2003 break;
2004 if (reloc != table && is_jump_table(reloc))
2005 break;
2006
2007 /* Make sure the table entries are consecutive: */
2008 if (prev_offset && reloc_offset(reloc) != prev_offset + arch_reloc_size(reloc))
2009 break;
2010
2011 sym_offset = arch_jump_table_sym_offset(reloc, table);
2012
2013 /* Detect function pointers from contiguous objects: */
2014 if (reloc->sym->sec == pfunc->sec && sym_offset == pfunc->offset)
2015 break;
2016
2017 /*
2018 * Clang sometimes leaves dangling unused jump table entries
2019 * which point to the end of the function. Ignore them.
2020 */
2021 if (reloc->sym->sec == pfunc->sec &&
2022 sym_offset == pfunc->offset + pfunc->len)
2023 goto next;
2024
2025 dest_insn = find_insn(file, reloc->sym->sec, sym_offset);
2026 if (!dest_insn)
2027 break;
2028
2029 /* Make sure the destination is in the same function: */
2030 if (!insn_func(dest_insn) || insn_func(dest_insn)->pfunc != pfunc)
2031 break;
2032
2033 alt = calloc(1, sizeof(*alt));
2034 if (!alt) {
2035 ERROR_GLIBC("calloc");
2036 return -1;
2037 }
2038
2039 alt->insn = dest_insn;
2040 alt->next = insn->alts;
2041 insn->alts = alt;
2042 next:
2043 prev_offset = reloc_offset(reloc);
2044 }
2045
2046 if (!prev_offset) {
2047 ERROR_INSN(insn, "can't find switch jump table");
2048 return -1;
2049 }
2050
2051 return 0;
2052 }
2053
2054 /*
2055 * find_jump_table() - Given a dynamic jump, find the switch jump table
2056 * associated with it.
2057 */
find_jump_table(struct objtool_file * file,struct symbol * func,struct instruction * insn)2058 static void find_jump_table(struct objtool_file *file, struct symbol *func,
2059 struct instruction *insn)
2060 {
2061 struct reloc *table_reloc;
2062 struct instruction *dest_insn, *orig_insn = insn;
2063 unsigned long table_size;
2064 unsigned long sym_offset;
2065
2066 /*
2067 * Backward search using the @first_jump_src links, these help avoid
2068 * much of the 'in between' code. Which avoids us getting confused by
2069 * it.
2070 */
2071 for (;
2072 insn && insn_func(insn) && insn_func(insn)->pfunc == func;
2073 insn = insn->first_jump_src ?: prev_insn_same_sym(file, insn)) {
2074
2075 if (insn != orig_insn && insn->type == INSN_JUMP_DYNAMIC)
2076 break;
2077
2078 /* allow small jumps within the range */
2079 if (insn->type == INSN_JUMP_UNCONDITIONAL &&
2080 insn->jump_dest &&
2081 (insn->jump_dest->offset <= insn->offset ||
2082 insn->jump_dest->offset > orig_insn->offset))
2083 break;
2084
2085 table_reloc = arch_find_switch_table(file, insn, &table_size);
2086 if (!table_reloc)
2087 continue;
2088
2089 sym_offset = table_reloc->sym->offset + reloc_addend(table_reloc);
2090
2091 dest_insn = find_insn(file, table_reloc->sym->sec, sym_offset);
2092 if (!dest_insn || !insn_func(dest_insn) || insn_func(dest_insn)->pfunc != func)
2093 continue;
2094
2095 set_jump_table(table_reloc);
2096 orig_insn->_jump_table = table_reloc;
2097 orig_insn->_jump_table_size = table_size;
2098
2099 break;
2100 }
2101 }
2102
2103 /*
2104 * First pass: Mark the head of each jump table so that in the next pass,
2105 * we know when a given jump table ends and the next one starts.
2106 */
mark_func_jump_tables(struct objtool_file * file,struct symbol * func)2107 static void mark_func_jump_tables(struct objtool_file *file,
2108 struct symbol *func)
2109 {
2110 struct instruction *insn, *last = NULL;
2111
2112 func_for_each_insn(file, func, insn) {
2113 if (!last)
2114 last = insn;
2115
2116 /*
2117 * Store back-pointers for unconditional forward jumps such
2118 * that find_jump_table() can back-track using those and
2119 * avoid some potentially confusing code.
2120 */
2121 if (insn->type == INSN_JUMP_UNCONDITIONAL && insn->jump_dest &&
2122 insn->offset > last->offset &&
2123 insn->jump_dest->offset > insn->offset &&
2124 !insn->jump_dest->first_jump_src) {
2125
2126 insn->jump_dest->first_jump_src = insn;
2127 last = insn->jump_dest;
2128 }
2129
2130 if (insn->type != INSN_JUMP_DYNAMIC)
2131 continue;
2132
2133 find_jump_table(file, func, insn);
2134 }
2135 }
2136
add_func_jump_tables(struct objtool_file * file,struct symbol * func)2137 static int add_func_jump_tables(struct objtool_file *file,
2138 struct symbol *func)
2139 {
2140 struct instruction *insn;
2141 int ret;
2142
2143 func_for_each_insn(file, func, insn) {
2144 if (!insn_jump_table(insn))
2145 continue;
2146
2147 ret = add_jump_table(file, insn);
2148 if (ret)
2149 return ret;
2150 }
2151
2152 return 0;
2153 }
2154
2155 /*
2156 * For some switch statements, gcc generates a jump table in the .rodata
2157 * section which contains a list of addresses within the function to jump to.
2158 * This finds these jump tables and adds them to the insn->alts lists.
2159 */
add_jump_table_alts(struct objtool_file * file)2160 static int add_jump_table_alts(struct objtool_file *file)
2161 {
2162 struct symbol *func;
2163 int ret;
2164
2165 if (!file->rodata)
2166 return 0;
2167
2168 for_each_sym(file, func) {
2169 if (func->type != STT_FUNC)
2170 continue;
2171
2172 mark_func_jump_tables(file, func);
2173 ret = add_func_jump_tables(file, func);
2174 if (ret)
2175 return ret;
2176 }
2177
2178 return 0;
2179 }
2180
set_func_state(struct cfi_state * state)2181 static void set_func_state(struct cfi_state *state)
2182 {
2183 state->cfa = initial_func_cfi.cfa;
2184 memcpy(&state->regs, &initial_func_cfi.regs,
2185 CFI_NUM_REGS * sizeof(struct cfi_reg));
2186 state->stack_size = initial_func_cfi.cfa.offset;
2187 state->type = UNWIND_HINT_TYPE_CALL;
2188 }
2189
read_unwind_hints(struct objtool_file * file)2190 static int read_unwind_hints(struct objtool_file *file)
2191 {
2192 struct cfi_state cfi = init_cfi;
2193 struct section *sec;
2194 struct unwind_hint *hint;
2195 struct instruction *insn;
2196 struct reloc *reloc;
2197 unsigned long offset;
2198 int i;
2199
2200 sec = find_section_by_name(file->elf, ".discard.unwind_hints");
2201 if (!sec)
2202 return 0;
2203
2204 if (!sec->rsec) {
2205 ERROR("missing .rela.discard.unwind_hints section");
2206 return -1;
2207 }
2208
2209 if (sec->sh.sh_size % sizeof(struct unwind_hint)) {
2210 ERROR("struct unwind_hint size mismatch");
2211 return -1;
2212 }
2213
2214 file->hints = true;
2215
2216 for (i = 0; i < sec->sh.sh_size / sizeof(struct unwind_hint); i++) {
2217 hint = (struct unwind_hint *)sec->data->d_buf + i;
2218
2219 reloc = find_reloc_by_dest(file->elf, sec, i * sizeof(*hint));
2220 if (!reloc) {
2221 ERROR("can't find reloc for unwind_hints[%d]", i);
2222 return -1;
2223 }
2224
2225 if (reloc->sym->type == STT_SECTION) {
2226 offset = reloc_addend(reloc);
2227 } else if (reloc->sym->local_label) {
2228 offset = reloc->sym->offset;
2229 } else {
2230 ERROR("unexpected relocation symbol type in %s", sec->rsec->name);
2231 return -1;
2232 }
2233
2234 insn = find_insn(file, reloc->sym->sec, offset);
2235 if (!insn) {
2236 ERROR("can't find insn for unwind_hints[%d]", i);
2237 return -1;
2238 }
2239
2240 insn->hint = true;
2241
2242 if (hint->type == UNWIND_HINT_TYPE_UNDEFINED) {
2243 insn->cfi = &force_undefined_cfi;
2244 continue;
2245 }
2246
2247 if (hint->type == UNWIND_HINT_TYPE_SAVE) {
2248 insn->hint = false;
2249 insn->save = true;
2250 continue;
2251 }
2252
2253 if (hint->type == UNWIND_HINT_TYPE_RESTORE) {
2254 insn->restore = true;
2255 continue;
2256 }
2257
2258 if (hint->type == UNWIND_HINT_TYPE_REGS_PARTIAL) {
2259 struct symbol *sym = find_symbol_by_offset(insn->sec, insn->offset);
2260
2261 if (sym && sym->bind == STB_GLOBAL) {
2262 if (opts.ibt && insn->type != INSN_ENDBR && !insn->noendbr) {
2263 ERROR_INSN(insn, "UNWIND_HINT_IRET_REGS without ENDBR");
2264 return -1;
2265 }
2266 }
2267 }
2268
2269 if (hint->type == UNWIND_HINT_TYPE_FUNC) {
2270 insn->cfi = &func_cfi;
2271 continue;
2272 }
2273
2274 if (insn->cfi)
2275 cfi = *(insn->cfi);
2276
2277 if (arch_decode_hint_reg(hint->sp_reg, &cfi.cfa.base)) {
2278 ERROR_INSN(insn, "unsupported unwind_hint sp base reg %d", hint->sp_reg);
2279 return -1;
2280 }
2281
2282 cfi.cfa.offset = bswap_if_needed(file->elf, hint->sp_offset);
2283 cfi.type = hint->type;
2284 cfi.signal = hint->signal;
2285
2286 insn->cfi = cfi_hash_find_or_add(&cfi);
2287 }
2288
2289 return 0;
2290 }
2291
read_annotate(struct objtool_file * file,int (* func)(struct objtool_file * file,int type,struct instruction * insn))2292 static int read_annotate(struct objtool_file *file,
2293 int (*func)(struct objtool_file *file, int type, struct instruction *insn))
2294 {
2295 struct section *sec;
2296 struct instruction *insn;
2297 struct reloc *reloc;
2298 uint64_t offset;
2299 int type, ret;
2300
2301 sec = find_section_by_name(file->elf, ".discard.annotate_insn");
2302 if (!sec)
2303 return 0;
2304
2305 if (!sec->rsec)
2306 return 0;
2307
2308 if (sec->sh.sh_entsize != 8) {
2309 static bool warned = false;
2310 if (!warned && opts.verbose) {
2311 WARN("%s: dodgy linker, sh_entsize != 8", sec->name);
2312 warned = true;
2313 }
2314 sec->sh.sh_entsize = 8;
2315 }
2316
2317 for_each_reloc(sec->rsec, reloc) {
2318 type = *(u32 *)(sec->data->d_buf + (reloc_idx(reloc) * sec->sh.sh_entsize) + 4);
2319
2320 offset = reloc->sym->offset + reloc_addend(reloc);
2321 insn = find_insn(file, reloc->sym->sec, offset);
2322
2323 if (!insn) {
2324 ERROR("bad .discard.annotate_insn entry: %d of type %d", reloc_idx(reloc), type);
2325 return -1;
2326 }
2327
2328 ret = func(file, type, insn);
2329 if (ret < 0)
2330 return ret;
2331 }
2332
2333 return 0;
2334 }
2335
__annotate_early(struct objtool_file * file,int type,struct instruction * insn)2336 static int __annotate_early(struct objtool_file *file, int type, struct instruction *insn)
2337 {
2338 switch (type) {
2339
2340 /* Must be before add_special_section_alts() */
2341 case ANNOTYPE_IGNORE_ALTS:
2342 insn->ignore_alts = true;
2343 break;
2344
2345 /*
2346 * Must be before read_unwind_hints() since that needs insn->noendbr.
2347 */
2348 case ANNOTYPE_NOENDBR:
2349 insn->noendbr = 1;
2350 break;
2351
2352 default:
2353 break;
2354 }
2355
2356 return 0;
2357 }
2358
__annotate_ifc(struct objtool_file * file,int type,struct instruction * insn)2359 static int __annotate_ifc(struct objtool_file *file, int type, struct instruction *insn)
2360 {
2361 unsigned long dest_off;
2362
2363 if (type != ANNOTYPE_INTRA_FUNCTION_CALL)
2364 return 0;
2365
2366 if (insn->type != INSN_CALL) {
2367 ERROR_INSN(insn, "intra_function_call not a direct call");
2368 return -1;
2369 }
2370
2371 /*
2372 * Treat intra-function CALLs as JMPs, but with a stack_op.
2373 * See add_call_destinations(), which strips stack_ops from
2374 * normal CALLs.
2375 */
2376 insn->type = INSN_JUMP_UNCONDITIONAL;
2377
2378 dest_off = arch_jump_destination(insn);
2379 insn->jump_dest = find_insn(file, insn->sec, dest_off);
2380 if (!insn->jump_dest) {
2381 ERROR_INSN(insn, "can't find call dest at %s+0x%lx",
2382 insn->sec->name, dest_off);
2383 return -1;
2384 }
2385
2386 return 0;
2387 }
2388
__annotate_late(struct objtool_file * file,int type,struct instruction * insn)2389 static int __annotate_late(struct objtool_file *file, int type, struct instruction *insn)
2390 {
2391 switch (type) {
2392 case ANNOTYPE_NOENDBR:
2393 /* early */
2394 break;
2395
2396 case ANNOTYPE_RETPOLINE_SAFE:
2397 if (insn->type != INSN_JUMP_DYNAMIC &&
2398 insn->type != INSN_CALL_DYNAMIC &&
2399 insn->type != INSN_RETURN &&
2400 insn->type != INSN_NOP) {
2401 ERROR_INSN(insn, "retpoline_safe hint not an indirect jump/call/ret/nop");
2402 return -1;
2403 }
2404
2405 insn->retpoline_safe = true;
2406 break;
2407
2408 case ANNOTYPE_INSTR_BEGIN:
2409 insn->instr++;
2410 break;
2411
2412 case ANNOTYPE_INSTR_END:
2413 insn->instr--;
2414 break;
2415
2416 case ANNOTYPE_UNRET_BEGIN:
2417 insn->unret = 1;
2418 break;
2419
2420 case ANNOTYPE_IGNORE_ALTS:
2421 /* early */
2422 break;
2423
2424 case ANNOTYPE_INTRA_FUNCTION_CALL:
2425 /* ifc */
2426 break;
2427
2428 case ANNOTYPE_REACHABLE:
2429 insn->dead_end = false;
2430 break;
2431
2432 default:
2433 ERROR_INSN(insn, "Unknown annotation type: %d", type);
2434 return -1;
2435 }
2436
2437 return 0;
2438 }
2439
2440 /*
2441 * Return true if name matches an instrumentation function, where calls to that
2442 * function from noinstr code can safely be removed, but compilers won't do so.
2443 */
is_profiling_func(const char * name)2444 static bool is_profiling_func(const char *name)
2445 {
2446 /*
2447 * Many compilers cannot disable KCOV with a function attribute.
2448 */
2449 if (!strncmp(name, "__sanitizer_cov_", 16))
2450 return true;
2451
2452 /*
2453 * Some compilers currently do not remove __tsan_func_entry/exit nor
2454 * __tsan_atomic_signal_fence (used for barrier instrumentation) with
2455 * the __no_sanitize_thread attribute, remove them. Once the kernel's
2456 * minimum Clang version is 14.0, this can be removed.
2457 */
2458 if (!strncmp(name, "__tsan_func_", 12) ||
2459 !strcmp(name, "__tsan_atomic_signal_fence"))
2460 return true;
2461
2462 return false;
2463 }
2464
classify_symbols(struct objtool_file * file)2465 static int classify_symbols(struct objtool_file *file)
2466 {
2467 struct symbol *func;
2468
2469 for_each_sym(file, func) {
2470 if (func->type == STT_NOTYPE && strstarts(func->name, ".L"))
2471 func->local_label = true;
2472
2473 if (func->bind != STB_GLOBAL)
2474 continue;
2475
2476 if (!strncmp(func->name, STATIC_CALL_TRAMP_PREFIX_STR,
2477 strlen(STATIC_CALL_TRAMP_PREFIX_STR)))
2478 func->static_call_tramp = true;
2479
2480 if (arch_is_retpoline(func))
2481 func->retpoline_thunk = true;
2482
2483 if (arch_is_rethunk(func))
2484 func->return_thunk = true;
2485
2486 if (arch_is_embedded_insn(func))
2487 func->embedded_insn = true;
2488
2489 if (arch_ftrace_match(func->name))
2490 func->fentry = true;
2491
2492 if (is_profiling_func(func->name))
2493 func->profiling_func = true;
2494 }
2495
2496 return 0;
2497 }
2498
mark_rodata(struct objtool_file * file)2499 static void mark_rodata(struct objtool_file *file)
2500 {
2501 struct section *sec;
2502 bool found = false;
2503
2504 /*
2505 * Search for the following rodata sections, each of which can
2506 * potentially contain jump tables:
2507 *
2508 * - .rodata: can contain GCC switch tables
2509 * - .rodata.<func>: same, if -fdata-sections is being used
2510 * - .data.rel.ro.c_jump_table: contains C annotated jump tables
2511 *
2512 * .rodata.str1.* sections are ignored; they don't contain jump tables.
2513 */
2514 for_each_sec(file, sec) {
2515 if ((!strncmp(sec->name, ".rodata", 7) &&
2516 !strstr(sec->name, ".str1.")) ||
2517 !strncmp(sec->name, ".data.rel.ro", 12)) {
2518 sec->rodata = true;
2519 found = true;
2520 }
2521 }
2522
2523 file->rodata = found;
2524 }
2525
decode_sections(struct objtool_file * file)2526 static int decode_sections(struct objtool_file *file)
2527 {
2528 int ret;
2529
2530 mark_rodata(file);
2531
2532 ret = init_pv_ops(file);
2533 if (ret)
2534 return ret;
2535
2536 /*
2537 * Must be before add_{jump_call}_destination.
2538 */
2539 ret = classify_symbols(file);
2540 if (ret)
2541 return ret;
2542
2543 ret = decode_instructions(file);
2544 if (ret)
2545 return ret;
2546
2547 ret = add_ignores(file);
2548 if (ret)
2549 return ret;
2550
2551 add_uaccess_safe(file);
2552
2553 ret = read_annotate(file, __annotate_early);
2554 if (ret)
2555 return ret;
2556
2557 /*
2558 * Must be before add_jump_destinations(), which depends on 'func'
2559 * being set for alternatives, to enable proper sibling call detection.
2560 */
2561 if (opts.stackval || opts.orc || opts.uaccess || opts.noinstr) {
2562 ret = add_special_section_alts(file);
2563 if (ret)
2564 return ret;
2565 }
2566
2567 ret = add_jump_destinations(file);
2568 if (ret)
2569 return ret;
2570
2571 /*
2572 * Must be before add_call_destination(); it changes INSN_CALL to
2573 * INSN_JUMP.
2574 */
2575 ret = read_annotate(file, __annotate_ifc);
2576 if (ret)
2577 return ret;
2578
2579 ret = add_call_destinations(file);
2580 if (ret)
2581 return ret;
2582
2583 ret = add_jump_table_alts(file);
2584 if (ret)
2585 return ret;
2586
2587 ret = read_unwind_hints(file);
2588 if (ret)
2589 return ret;
2590
2591 /*
2592 * Must be after add_call_destinations() such that it can override
2593 * dead_end_function() marks.
2594 */
2595 ret = read_annotate(file, __annotate_late);
2596 if (ret)
2597 return ret;
2598
2599 return 0;
2600 }
2601
is_special_call(struct instruction * insn)2602 static bool is_special_call(struct instruction *insn)
2603 {
2604 if (insn->type == INSN_CALL) {
2605 struct symbol *dest = insn_call_dest(insn);
2606
2607 if (!dest)
2608 return false;
2609
2610 if (dest->fentry || dest->embedded_insn)
2611 return true;
2612 }
2613
2614 return false;
2615 }
2616
has_modified_stack_frame(struct instruction * insn,struct insn_state * state)2617 static bool has_modified_stack_frame(struct instruction *insn, struct insn_state *state)
2618 {
2619 struct cfi_state *cfi = &state->cfi;
2620 int i;
2621
2622 if (cfi->cfa.base != initial_func_cfi.cfa.base || cfi->drap)
2623 return true;
2624
2625 if (cfi->cfa.offset != initial_func_cfi.cfa.offset)
2626 return true;
2627
2628 if (cfi->stack_size != initial_func_cfi.cfa.offset)
2629 return true;
2630
2631 for (i = 0; i < CFI_NUM_REGS; i++) {
2632 if (cfi->regs[i].base != initial_func_cfi.regs[i].base ||
2633 cfi->regs[i].offset != initial_func_cfi.regs[i].offset)
2634 return true;
2635 }
2636
2637 return false;
2638 }
2639
check_reg_frame_pos(const struct cfi_reg * reg,int expected_offset)2640 static bool check_reg_frame_pos(const struct cfi_reg *reg,
2641 int expected_offset)
2642 {
2643 return reg->base == CFI_CFA &&
2644 reg->offset == expected_offset;
2645 }
2646
has_valid_stack_frame(struct insn_state * state)2647 static bool has_valid_stack_frame(struct insn_state *state)
2648 {
2649 struct cfi_state *cfi = &state->cfi;
2650
2651 if (cfi->cfa.base == CFI_BP &&
2652 check_reg_frame_pos(&cfi->regs[CFI_BP], -cfi->cfa.offset) &&
2653 check_reg_frame_pos(&cfi->regs[CFI_RA], -cfi->cfa.offset + 8))
2654 return true;
2655
2656 if (cfi->drap && cfi->regs[CFI_BP].base == CFI_BP)
2657 return true;
2658
2659 return false;
2660 }
2661
update_cfi_state_regs(struct instruction * insn,struct cfi_state * cfi,struct stack_op * op)2662 static int update_cfi_state_regs(struct instruction *insn,
2663 struct cfi_state *cfi,
2664 struct stack_op *op)
2665 {
2666 struct cfi_reg *cfa = &cfi->cfa;
2667
2668 if (cfa->base != CFI_SP && cfa->base != CFI_SP_INDIRECT)
2669 return 0;
2670
2671 /* push */
2672 if (op->dest.type == OP_DEST_PUSH || op->dest.type == OP_DEST_PUSHF)
2673 cfa->offset += 8;
2674
2675 /* pop */
2676 if (op->src.type == OP_SRC_POP || op->src.type == OP_SRC_POPF)
2677 cfa->offset -= 8;
2678
2679 /* add immediate to sp */
2680 if (op->dest.type == OP_DEST_REG && op->src.type == OP_SRC_ADD &&
2681 op->dest.reg == CFI_SP && op->src.reg == CFI_SP)
2682 cfa->offset -= op->src.offset;
2683
2684 return 0;
2685 }
2686
save_reg(struct cfi_state * cfi,unsigned char reg,int base,int offset)2687 static void save_reg(struct cfi_state *cfi, unsigned char reg, int base, int offset)
2688 {
2689 if (arch_callee_saved_reg(reg) &&
2690 cfi->regs[reg].base == CFI_UNDEFINED) {
2691 cfi->regs[reg].base = base;
2692 cfi->regs[reg].offset = offset;
2693 }
2694 }
2695
restore_reg(struct cfi_state * cfi,unsigned char reg)2696 static void restore_reg(struct cfi_state *cfi, unsigned char reg)
2697 {
2698 cfi->regs[reg].base = initial_func_cfi.regs[reg].base;
2699 cfi->regs[reg].offset = initial_func_cfi.regs[reg].offset;
2700 }
2701
2702 /*
2703 * A note about DRAP stack alignment:
2704 *
2705 * GCC has the concept of a DRAP register, which is used to help keep track of
2706 * the stack pointer when aligning the stack. r10 or r13 is used as the DRAP
2707 * register. The typical DRAP pattern is:
2708 *
2709 * 4c 8d 54 24 08 lea 0x8(%rsp),%r10
2710 * 48 83 e4 c0 and $0xffffffffffffffc0,%rsp
2711 * 41 ff 72 f8 pushq -0x8(%r10)
2712 * 55 push %rbp
2713 * 48 89 e5 mov %rsp,%rbp
2714 * (more pushes)
2715 * 41 52 push %r10
2716 * ...
2717 * 41 5a pop %r10
2718 * (more pops)
2719 * 5d pop %rbp
2720 * 49 8d 62 f8 lea -0x8(%r10),%rsp
2721 * c3 retq
2722 *
2723 * There are some variations in the epilogues, like:
2724 *
2725 * 5b pop %rbx
2726 * 41 5a pop %r10
2727 * 41 5c pop %r12
2728 * 41 5d pop %r13
2729 * 41 5e pop %r14
2730 * c9 leaveq
2731 * 49 8d 62 f8 lea -0x8(%r10),%rsp
2732 * c3 retq
2733 *
2734 * and:
2735 *
2736 * 4c 8b 55 e8 mov -0x18(%rbp),%r10
2737 * 48 8b 5d e0 mov -0x20(%rbp),%rbx
2738 * 4c 8b 65 f0 mov -0x10(%rbp),%r12
2739 * 4c 8b 6d f8 mov -0x8(%rbp),%r13
2740 * c9 leaveq
2741 * 49 8d 62 f8 lea -0x8(%r10),%rsp
2742 * c3 retq
2743 *
2744 * Sometimes r13 is used as the DRAP register, in which case it's saved and
2745 * restored beforehand:
2746 *
2747 * 41 55 push %r13
2748 * 4c 8d 6c 24 10 lea 0x10(%rsp),%r13
2749 * 48 83 e4 f0 and $0xfffffffffffffff0,%rsp
2750 * ...
2751 * 49 8d 65 f0 lea -0x10(%r13),%rsp
2752 * 41 5d pop %r13
2753 * c3 retq
2754 */
update_cfi_state(struct instruction * insn,struct instruction * next_insn,struct cfi_state * cfi,struct stack_op * op)2755 static int update_cfi_state(struct instruction *insn,
2756 struct instruction *next_insn,
2757 struct cfi_state *cfi, struct stack_op *op)
2758 {
2759 struct cfi_reg *cfa = &cfi->cfa;
2760 struct cfi_reg *regs = cfi->regs;
2761
2762 /* ignore UNWIND_HINT_UNDEFINED regions */
2763 if (cfi->force_undefined)
2764 return 0;
2765
2766 /* stack operations don't make sense with an undefined CFA */
2767 if (cfa->base == CFI_UNDEFINED) {
2768 if (insn_func(insn)) {
2769 WARN_INSN(insn, "undefined stack state");
2770 return 1;
2771 }
2772 return 0;
2773 }
2774
2775 if (cfi->type == UNWIND_HINT_TYPE_REGS ||
2776 cfi->type == UNWIND_HINT_TYPE_REGS_PARTIAL)
2777 return update_cfi_state_regs(insn, cfi, op);
2778
2779 switch (op->dest.type) {
2780
2781 case OP_DEST_REG:
2782 switch (op->src.type) {
2783
2784 case OP_SRC_REG:
2785 if (op->src.reg == CFI_SP && op->dest.reg == CFI_BP &&
2786 cfa->base == CFI_SP &&
2787 check_reg_frame_pos(®s[CFI_BP], -cfa->offset)) {
2788
2789 /* mov %rsp, %rbp */
2790 cfa->base = op->dest.reg;
2791 cfi->bp_scratch = false;
2792 }
2793
2794 else if (op->src.reg == CFI_SP &&
2795 op->dest.reg == CFI_BP && cfi->drap) {
2796
2797 /* drap: mov %rsp, %rbp */
2798 regs[CFI_BP].base = CFI_BP;
2799 regs[CFI_BP].offset = -cfi->stack_size;
2800 cfi->bp_scratch = false;
2801 }
2802
2803 else if (op->src.reg == CFI_SP && cfa->base == CFI_SP) {
2804
2805 /*
2806 * mov %rsp, %reg
2807 *
2808 * This is needed for the rare case where GCC
2809 * does:
2810 *
2811 * mov %rsp, %rax
2812 * ...
2813 * mov %rax, %rsp
2814 */
2815 cfi->vals[op->dest.reg].base = CFI_CFA;
2816 cfi->vals[op->dest.reg].offset = -cfi->stack_size;
2817 }
2818
2819 else if (op->src.reg == CFI_BP && op->dest.reg == CFI_SP &&
2820 (cfa->base == CFI_BP || cfa->base == cfi->drap_reg)) {
2821
2822 /*
2823 * mov %rbp, %rsp
2824 *
2825 * Restore the original stack pointer (Clang).
2826 */
2827 cfi->stack_size = -cfi->regs[CFI_BP].offset;
2828 }
2829
2830 else if (op->dest.reg == cfa->base) {
2831
2832 /* mov %reg, %rsp */
2833 if (cfa->base == CFI_SP &&
2834 cfi->vals[op->src.reg].base == CFI_CFA) {
2835
2836 /*
2837 * This is needed for the rare case
2838 * where GCC does something dumb like:
2839 *
2840 * lea 0x8(%rsp), %rcx
2841 * ...
2842 * mov %rcx, %rsp
2843 */
2844 cfa->offset = -cfi->vals[op->src.reg].offset;
2845 cfi->stack_size = cfa->offset;
2846
2847 } else if (cfa->base == CFI_SP &&
2848 cfi->vals[op->src.reg].base == CFI_SP_INDIRECT &&
2849 cfi->vals[op->src.reg].offset == cfa->offset) {
2850
2851 /*
2852 * Stack swizzle:
2853 *
2854 * 1: mov %rsp, (%[tos])
2855 * 2: mov %[tos], %rsp
2856 * ...
2857 * 3: pop %rsp
2858 *
2859 * Where:
2860 *
2861 * 1 - places a pointer to the previous
2862 * stack at the Top-of-Stack of the
2863 * new stack.
2864 *
2865 * 2 - switches to the new stack.
2866 *
2867 * 3 - pops the Top-of-Stack to restore
2868 * the original stack.
2869 *
2870 * Note: we set base to SP_INDIRECT
2871 * here and preserve offset. Therefore
2872 * when the unwinder reaches ToS it
2873 * will dereference SP and then add the
2874 * offset to find the next frame, IOW:
2875 * (%rsp) + offset.
2876 */
2877 cfa->base = CFI_SP_INDIRECT;
2878
2879 } else {
2880 cfa->base = CFI_UNDEFINED;
2881 cfa->offset = 0;
2882 }
2883 }
2884
2885 else if (op->dest.reg == CFI_SP &&
2886 cfi->vals[op->src.reg].base == CFI_SP_INDIRECT &&
2887 cfi->vals[op->src.reg].offset == cfa->offset) {
2888
2889 /*
2890 * The same stack swizzle case 2) as above. But
2891 * because we can't change cfa->base, case 3)
2892 * will become a regular POP. Pretend we're a
2893 * PUSH so things don't go unbalanced.
2894 */
2895 cfi->stack_size += 8;
2896 }
2897
2898
2899 break;
2900
2901 case OP_SRC_ADD:
2902 if (op->dest.reg == CFI_SP && op->src.reg == CFI_SP) {
2903
2904 /* add imm, %rsp */
2905 cfi->stack_size -= op->src.offset;
2906 if (cfa->base == CFI_SP)
2907 cfa->offset -= op->src.offset;
2908 break;
2909 }
2910
2911 if (op->dest.reg == CFI_BP && op->src.reg == CFI_SP &&
2912 insn->sym->frame_pointer) {
2913 /* addi.d fp,sp,imm on LoongArch */
2914 if (cfa->base == CFI_SP && cfa->offset == op->src.offset) {
2915 cfa->base = CFI_BP;
2916 cfa->offset = 0;
2917 }
2918 break;
2919 }
2920
2921 if (op->dest.reg == CFI_SP && op->src.reg == CFI_BP) {
2922 /* addi.d sp,fp,imm on LoongArch */
2923 if (cfa->base == CFI_BP && cfa->offset == 0) {
2924 if (insn->sym->frame_pointer) {
2925 cfa->base = CFI_SP;
2926 cfa->offset = -op->src.offset;
2927 }
2928 } else {
2929 /* lea disp(%rbp), %rsp */
2930 cfi->stack_size = -(op->src.offset + regs[CFI_BP].offset);
2931 }
2932 break;
2933 }
2934
2935 if (op->src.reg == CFI_SP && cfa->base == CFI_SP) {
2936
2937 /* drap: lea disp(%rsp), %drap */
2938 cfi->drap_reg = op->dest.reg;
2939
2940 /*
2941 * lea disp(%rsp), %reg
2942 *
2943 * This is needed for the rare case where GCC
2944 * does something dumb like:
2945 *
2946 * lea 0x8(%rsp), %rcx
2947 * ...
2948 * mov %rcx, %rsp
2949 */
2950 cfi->vals[op->dest.reg].base = CFI_CFA;
2951 cfi->vals[op->dest.reg].offset = \
2952 -cfi->stack_size + op->src.offset;
2953
2954 break;
2955 }
2956
2957 if (cfi->drap && op->dest.reg == CFI_SP &&
2958 op->src.reg == cfi->drap_reg) {
2959
2960 /* drap: lea disp(%drap), %rsp */
2961 cfa->base = CFI_SP;
2962 cfa->offset = cfi->stack_size = -op->src.offset;
2963 cfi->drap_reg = CFI_UNDEFINED;
2964 cfi->drap = false;
2965 break;
2966 }
2967
2968 if (op->dest.reg == cfi->cfa.base && !(next_insn && next_insn->hint)) {
2969 WARN_INSN(insn, "unsupported stack register modification");
2970 return -1;
2971 }
2972
2973 break;
2974
2975 case OP_SRC_AND:
2976 if (op->dest.reg != CFI_SP ||
2977 (cfi->drap_reg != CFI_UNDEFINED && cfa->base != CFI_SP) ||
2978 (cfi->drap_reg == CFI_UNDEFINED && cfa->base != CFI_BP)) {
2979 WARN_INSN(insn, "unsupported stack pointer realignment");
2980 return -1;
2981 }
2982
2983 if (cfi->drap_reg != CFI_UNDEFINED) {
2984 /* drap: and imm, %rsp */
2985 cfa->base = cfi->drap_reg;
2986 cfa->offset = cfi->stack_size = 0;
2987 cfi->drap = true;
2988 }
2989
2990 /*
2991 * Older versions of GCC (4.8ish) realign the stack
2992 * without DRAP, with a frame pointer.
2993 */
2994
2995 break;
2996
2997 case OP_SRC_POP:
2998 case OP_SRC_POPF:
2999 if (op->dest.reg == CFI_SP && cfa->base == CFI_SP_INDIRECT) {
3000
3001 /* pop %rsp; # restore from a stack swizzle */
3002 cfa->base = CFI_SP;
3003 break;
3004 }
3005
3006 if (!cfi->drap && op->dest.reg == cfa->base) {
3007
3008 /* pop %rbp */
3009 cfa->base = CFI_SP;
3010 }
3011
3012 if (cfi->drap && cfa->base == CFI_BP_INDIRECT &&
3013 op->dest.reg == cfi->drap_reg &&
3014 cfi->drap_offset == -cfi->stack_size) {
3015
3016 /* drap: pop %drap */
3017 cfa->base = cfi->drap_reg;
3018 cfa->offset = 0;
3019 cfi->drap_offset = -1;
3020
3021 } else if (cfi->stack_size == -regs[op->dest.reg].offset) {
3022
3023 /* pop %reg */
3024 restore_reg(cfi, op->dest.reg);
3025 }
3026
3027 cfi->stack_size -= 8;
3028 if (cfa->base == CFI_SP)
3029 cfa->offset -= 8;
3030
3031 break;
3032
3033 case OP_SRC_REG_INDIRECT:
3034 if (!cfi->drap && op->dest.reg == cfa->base &&
3035 op->dest.reg == CFI_BP) {
3036
3037 /* mov disp(%rsp), %rbp */
3038 cfa->base = CFI_SP;
3039 cfa->offset = cfi->stack_size;
3040 }
3041
3042 if (cfi->drap && op->src.reg == CFI_BP &&
3043 op->src.offset == cfi->drap_offset) {
3044
3045 /* drap: mov disp(%rbp), %drap */
3046 cfa->base = cfi->drap_reg;
3047 cfa->offset = 0;
3048 cfi->drap_offset = -1;
3049 }
3050
3051 if (cfi->drap && op->src.reg == CFI_BP &&
3052 op->src.offset == regs[op->dest.reg].offset) {
3053
3054 /* drap: mov disp(%rbp), %reg */
3055 restore_reg(cfi, op->dest.reg);
3056
3057 } else if (op->src.reg == cfa->base &&
3058 op->src.offset == regs[op->dest.reg].offset + cfa->offset) {
3059
3060 /* mov disp(%rbp), %reg */
3061 /* mov disp(%rsp), %reg */
3062 restore_reg(cfi, op->dest.reg);
3063
3064 } else if (op->src.reg == CFI_SP &&
3065 op->src.offset == regs[op->dest.reg].offset + cfi->stack_size) {
3066
3067 /* mov disp(%rsp), %reg */
3068 restore_reg(cfi, op->dest.reg);
3069 }
3070
3071 break;
3072
3073 default:
3074 WARN_INSN(insn, "unknown stack-related instruction");
3075 return -1;
3076 }
3077
3078 break;
3079
3080 case OP_DEST_PUSH:
3081 case OP_DEST_PUSHF:
3082 cfi->stack_size += 8;
3083 if (cfa->base == CFI_SP)
3084 cfa->offset += 8;
3085
3086 if (op->src.type != OP_SRC_REG)
3087 break;
3088
3089 if (cfi->drap) {
3090 if (op->src.reg == cfa->base && op->src.reg == cfi->drap_reg) {
3091
3092 /* drap: push %drap */
3093 cfa->base = CFI_BP_INDIRECT;
3094 cfa->offset = -cfi->stack_size;
3095
3096 /* save drap so we know when to restore it */
3097 cfi->drap_offset = -cfi->stack_size;
3098
3099 } else if (op->src.reg == CFI_BP && cfa->base == cfi->drap_reg) {
3100
3101 /* drap: push %rbp */
3102 cfi->stack_size = 0;
3103
3104 } else {
3105
3106 /* drap: push %reg */
3107 save_reg(cfi, op->src.reg, CFI_BP, -cfi->stack_size);
3108 }
3109
3110 } else {
3111
3112 /* push %reg */
3113 save_reg(cfi, op->src.reg, CFI_CFA, -cfi->stack_size);
3114 }
3115
3116 /* detect when asm code uses rbp as a scratch register */
3117 if (opts.stackval && insn_func(insn) && op->src.reg == CFI_BP &&
3118 cfa->base != CFI_BP)
3119 cfi->bp_scratch = true;
3120 break;
3121
3122 case OP_DEST_REG_INDIRECT:
3123
3124 if (cfi->drap) {
3125 if (op->src.reg == cfa->base && op->src.reg == cfi->drap_reg) {
3126
3127 /* drap: mov %drap, disp(%rbp) */
3128 cfa->base = CFI_BP_INDIRECT;
3129 cfa->offset = op->dest.offset;
3130
3131 /* save drap offset so we know when to restore it */
3132 cfi->drap_offset = op->dest.offset;
3133 } else {
3134
3135 /* drap: mov reg, disp(%rbp) */
3136 save_reg(cfi, op->src.reg, CFI_BP, op->dest.offset);
3137 }
3138
3139 } else if (op->dest.reg == cfa->base) {
3140
3141 /* mov reg, disp(%rbp) */
3142 /* mov reg, disp(%rsp) */
3143 save_reg(cfi, op->src.reg, CFI_CFA,
3144 op->dest.offset - cfi->cfa.offset);
3145
3146 } else if (op->dest.reg == CFI_SP) {
3147
3148 /* mov reg, disp(%rsp) */
3149 save_reg(cfi, op->src.reg, CFI_CFA,
3150 op->dest.offset - cfi->stack_size);
3151
3152 } else if (op->src.reg == CFI_SP && op->dest.offset == 0) {
3153
3154 /* mov %rsp, (%reg); # setup a stack swizzle. */
3155 cfi->vals[op->dest.reg].base = CFI_SP_INDIRECT;
3156 cfi->vals[op->dest.reg].offset = cfa->offset;
3157 }
3158
3159 break;
3160
3161 case OP_DEST_MEM:
3162 if (op->src.type != OP_SRC_POP && op->src.type != OP_SRC_POPF) {
3163 WARN_INSN(insn, "unknown stack-related memory operation");
3164 return -1;
3165 }
3166
3167 /* pop mem */
3168 cfi->stack_size -= 8;
3169 if (cfa->base == CFI_SP)
3170 cfa->offset -= 8;
3171
3172 break;
3173
3174 default:
3175 WARN_INSN(insn, "unknown stack-related instruction");
3176 return -1;
3177 }
3178
3179 return 0;
3180 }
3181
3182 /*
3183 * The stack layouts of alternatives instructions can sometimes diverge when
3184 * they have stack modifications. That's fine as long as the potential stack
3185 * layouts don't conflict at any given potential instruction boundary.
3186 *
3187 * Flatten the CFIs of the different alternative code streams (both original
3188 * and replacement) into a single shared CFI array which can be used to detect
3189 * conflicts and nicely feed a linear array of ORC entries to the unwinder.
3190 */
propagate_alt_cfi(struct objtool_file * file,struct instruction * insn)3191 static int propagate_alt_cfi(struct objtool_file *file, struct instruction *insn)
3192 {
3193 struct cfi_state **alt_cfi;
3194 int group_off;
3195
3196 if (!insn->alt_group)
3197 return 0;
3198
3199 if (!insn->cfi) {
3200 WARN("CFI missing");
3201 return -1;
3202 }
3203
3204 alt_cfi = insn->alt_group->cfi;
3205 group_off = insn->offset - insn->alt_group->first_insn->offset;
3206
3207 if (!alt_cfi[group_off]) {
3208 alt_cfi[group_off] = insn->cfi;
3209 } else {
3210 if (cficmp(alt_cfi[group_off], insn->cfi)) {
3211 struct alt_group *orig_group = insn->alt_group->orig_group ?: insn->alt_group;
3212 struct instruction *orig = orig_group->first_insn;
3213 WARN_INSN(orig, "stack layout conflict in alternatives: %s",
3214 offstr(insn->sec, insn->offset));
3215 return -1;
3216 }
3217 }
3218
3219 return 0;
3220 }
3221
handle_insn_ops(struct instruction * insn,struct instruction * next_insn,struct insn_state * state)3222 static int handle_insn_ops(struct instruction *insn,
3223 struct instruction *next_insn,
3224 struct insn_state *state)
3225 {
3226 struct stack_op *op;
3227 int ret;
3228
3229 for (op = insn->stack_ops; op; op = op->next) {
3230
3231 ret = update_cfi_state(insn, next_insn, &state->cfi, op);
3232 if (ret)
3233 return ret;
3234
3235 if (!opts.uaccess || !insn->alt_group)
3236 continue;
3237
3238 if (op->dest.type == OP_DEST_PUSHF) {
3239 if (!state->uaccess_stack) {
3240 state->uaccess_stack = 1;
3241 } else if (state->uaccess_stack >> 31) {
3242 WARN_INSN(insn, "PUSHF stack exhausted");
3243 return 1;
3244 }
3245 state->uaccess_stack <<= 1;
3246 state->uaccess_stack |= state->uaccess;
3247 }
3248
3249 if (op->src.type == OP_SRC_POPF) {
3250 if (state->uaccess_stack) {
3251 state->uaccess = state->uaccess_stack & 1;
3252 state->uaccess_stack >>= 1;
3253 if (state->uaccess_stack == 1)
3254 state->uaccess_stack = 0;
3255 }
3256 }
3257 }
3258
3259 return 0;
3260 }
3261
insn_cfi_match(struct instruction * insn,struct cfi_state * cfi2)3262 static bool insn_cfi_match(struct instruction *insn, struct cfi_state *cfi2)
3263 {
3264 struct cfi_state *cfi1 = insn->cfi;
3265 int i;
3266
3267 if (!cfi1) {
3268 WARN("CFI missing");
3269 return false;
3270 }
3271
3272 if (memcmp(&cfi1->cfa, &cfi2->cfa, sizeof(cfi1->cfa))) {
3273
3274 WARN_INSN(insn, "stack state mismatch: cfa1=%d%+d cfa2=%d%+d",
3275 cfi1->cfa.base, cfi1->cfa.offset,
3276 cfi2->cfa.base, cfi2->cfa.offset);
3277 return false;
3278
3279 }
3280
3281 if (memcmp(&cfi1->regs, &cfi2->regs, sizeof(cfi1->regs))) {
3282 for (i = 0; i < CFI_NUM_REGS; i++) {
3283
3284 if (!memcmp(&cfi1->regs[i], &cfi2->regs[i], sizeof(struct cfi_reg)))
3285 continue;
3286
3287 WARN_INSN(insn, "stack state mismatch: reg1[%d]=%d%+d reg2[%d]=%d%+d",
3288 i, cfi1->regs[i].base, cfi1->regs[i].offset,
3289 i, cfi2->regs[i].base, cfi2->regs[i].offset);
3290 }
3291 return false;
3292 }
3293
3294 if (cfi1->type != cfi2->type) {
3295
3296 WARN_INSN(insn, "stack state mismatch: type1=%d type2=%d",
3297 cfi1->type, cfi2->type);
3298 return false;
3299 }
3300
3301 if (cfi1->drap != cfi2->drap ||
3302 (cfi1->drap && cfi1->drap_reg != cfi2->drap_reg) ||
3303 (cfi1->drap && cfi1->drap_offset != cfi2->drap_offset)) {
3304
3305 WARN_INSN(insn, "stack state mismatch: drap1=%d(%d,%d) drap2=%d(%d,%d)",
3306 cfi1->drap, cfi1->drap_reg, cfi1->drap_offset,
3307 cfi2->drap, cfi2->drap_reg, cfi2->drap_offset);
3308 return false;
3309 }
3310
3311 return true;
3312 }
3313
func_uaccess_safe(struct symbol * func)3314 static inline bool func_uaccess_safe(struct symbol *func)
3315 {
3316 if (func)
3317 return func->uaccess_safe;
3318
3319 return false;
3320 }
3321
call_dest_name(struct instruction * insn)3322 static inline const char *call_dest_name(struct instruction *insn)
3323 {
3324 static char pvname[19];
3325 struct reloc *reloc;
3326 int idx;
3327
3328 if (insn_call_dest(insn))
3329 return insn_call_dest(insn)->name;
3330
3331 reloc = insn_reloc(NULL, insn);
3332 if (reloc && !strcmp(reloc->sym->name, "pv_ops")) {
3333 idx = (reloc_addend(reloc) / sizeof(void *));
3334 snprintf(pvname, sizeof(pvname), "pv_ops[%d]", idx);
3335 return pvname;
3336 }
3337
3338 return "{dynamic}";
3339 }
3340
pv_call_dest(struct objtool_file * file,struct instruction * insn)3341 static bool pv_call_dest(struct objtool_file *file, struct instruction *insn)
3342 {
3343 struct symbol *target;
3344 struct reloc *reloc;
3345 int idx;
3346
3347 reloc = insn_reloc(file, insn);
3348 if (!reloc || strcmp(reloc->sym->name, "pv_ops"))
3349 return false;
3350
3351 idx = (arch_dest_reloc_offset(reloc_addend(reloc)) / sizeof(void *));
3352
3353 if (file->pv_ops[idx].clean)
3354 return true;
3355
3356 file->pv_ops[idx].clean = true;
3357
3358 list_for_each_entry(target, &file->pv_ops[idx].targets, pv_target) {
3359 if (!target->sec->noinstr) {
3360 WARN("pv_ops[%d]: %s", idx, target->name);
3361 file->pv_ops[idx].clean = false;
3362 }
3363 }
3364
3365 return file->pv_ops[idx].clean;
3366 }
3367
noinstr_call_dest(struct objtool_file * file,struct instruction * insn,struct symbol * func)3368 static inline bool noinstr_call_dest(struct objtool_file *file,
3369 struct instruction *insn,
3370 struct symbol *func)
3371 {
3372 /*
3373 * We can't deal with indirect function calls at present;
3374 * assume they're instrumented.
3375 */
3376 if (!func) {
3377 if (file->pv_ops)
3378 return pv_call_dest(file, insn);
3379
3380 return false;
3381 }
3382
3383 /*
3384 * If the symbol is from a noinstr section; we good.
3385 */
3386 if (func->sec->noinstr)
3387 return true;
3388
3389 /*
3390 * If the symbol is a static_call trampoline, we can't tell.
3391 */
3392 if (func->static_call_tramp)
3393 return true;
3394
3395 /*
3396 * The __ubsan_handle_*() calls are like WARN(), they only happen when
3397 * something 'BAD' happened. At the risk of taking the machine down,
3398 * let them proceed to get the message out.
3399 */
3400 if (!strncmp(func->name, "__ubsan_handle_", 15))
3401 return true;
3402
3403 return false;
3404 }
3405
validate_call(struct objtool_file * file,struct instruction * insn,struct insn_state * state)3406 static int validate_call(struct objtool_file *file,
3407 struct instruction *insn,
3408 struct insn_state *state)
3409 {
3410 if (state->noinstr && state->instr <= 0 &&
3411 !noinstr_call_dest(file, insn, insn_call_dest(insn))) {
3412 WARN_INSN(insn, "call to %s() leaves .noinstr.text section", call_dest_name(insn));
3413 return 1;
3414 }
3415
3416 if (state->uaccess && !func_uaccess_safe(insn_call_dest(insn))) {
3417 WARN_INSN(insn, "call to %s() with UACCESS enabled", call_dest_name(insn));
3418 return 1;
3419 }
3420
3421 if (state->df) {
3422 WARN_INSN(insn, "call to %s() with DF set", call_dest_name(insn));
3423 return 1;
3424 }
3425
3426 return 0;
3427 }
3428
validate_sibling_call(struct objtool_file * file,struct instruction * insn,struct insn_state * state)3429 static int validate_sibling_call(struct objtool_file *file,
3430 struct instruction *insn,
3431 struct insn_state *state)
3432 {
3433 if (insn_func(insn) && has_modified_stack_frame(insn, state)) {
3434 WARN_INSN(insn, "sibling call from callable instruction with modified stack frame");
3435 return 1;
3436 }
3437
3438 return validate_call(file, insn, state);
3439 }
3440
validate_return(struct symbol * func,struct instruction * insn,struct insn_state * state)3441 static int validate_return(struct symbol *func, struct instruction *insn, struct insn_state *state)
3442 {
3443 if (state->noinstr && state->instr > 0) {
3444 WARN_INSN(insn, "return with instrumentation enabled");
3445 return 1;
3446 }
3447
3448 if (state->uaccess && !func_uaccess_safe(func)) {
3449 WARN_INSN(insn, "return with UACCESS enabled");
3450 return 1;
3451 }
3452
3453 if (!state->uaccess && func_uaccess_safe(func)) {
3454 WARN_INSN(insn, "return with UACCESS disabled from a UACCESS-safe function");
3455 return 1;
3456 }
3457
3458 if (state->df) {
3459 WARN_INSN(insn, "return with DF set");
3460 return 1;
3461 }
3462
3463 if (func && has_modified_stack_frame(insn, state)) {
3464 WARN_INSN(insn, "return with modified stack frame");
3465 return 1;
3466 }
3467
3468 if (state->cfi.bp_scratch) {
3469 WARN_INSN(insn, "BP used as a scratch register");
3470 return 1;
3471 }
3472
3473 return 0;
3474 }
3475
next_insn_to_validate(struct objtool_file * file,struct instruction * insn)3476 static struct instruction *next_insn_to_validate(struct objtool_file *file,
3477 struct instruction *insn)
3478 {
3479 struct alt_group *alt_group = insn->alt_group;
3480
3481 /*
3482 * Simulate the fact that alternatives are patched in-place. When the
3483 * end of a replacement alt_group is reached, redirect objtool flow to
3484 * the end of the original alt_group.
3485 *
3486 * insn->alts->insn -> alt_group->first_insn
3487 * ...
3488 * alt_group->last_insn
3489 * [alt_group->nop] -> next(orig_group->last_insn)
3490 */
3491 if (alt_group) {
3492 if (alt_group->nop) {
3493 /* ->nop implies ->orig_group */
3494 if (insn == alt_group->last_insn)
3495 return alt_group->nop;
3496 if (insn == alt_group->nop)
3497 goto next_orig;
3498 }
3499 if (insn == alt_group->last_insn && alt_group->orig_group)
3500 goto next_orig;
3501 }
3502
3503 return next_insn_same_sec(file, insn);
3504
3505 next_orig:
3506 return next_insn_same_sec(file, alt_group->orig_group->last_insn);
3507 }
3508
skip_alt_group(struct instruction * insn)3509 static bool skip_alt_group(struct instruction *insn)
3510 {
3511 struct instruction *alt_insn = insn->alts ? insn->alts->insn : NULL;
3512
3513 /* ANNOTATE_IGNORE_ALTERNATIVE */
3514 if (insn->alt_group && insn->alt_group->ignore)
3515 return true;
3516
3517 /*
3518 * For NOP patched with CLAC/STAC, only follow the latter to avoid
3519 * impossible code paths combining patched CLAC with unpatched STAC
3520 * or vice versa.
3521 *
3522 * ANNOTATE_IGNORE_ALTERNATIVE could have been used here, but Linus
3523 * requested not to do that to avoid hurting .s file readability
3524 * around CLAC/STAC alternative sites.
3525 */
3526
3527 if (!alt_insn)
3528 return false;
3529
3530 /* Don't override ASM_{CLAC,STAC}_UNSAFE */
3531 if (alt_insn->alt_group && alt_insn->alt_group->ignore)
3532 return false;
3533
3534 return alt_insn->type == INSN_CLAC || alt_insn->type == INSN_STAC;
3535 }
3536
3537 /*
3538 * Follow the branch starting at the given instruction, and recursively follow
3539 * any other branches (jumps). Meanwhile, track the frame pointer state at
3540 * each instruction and validate all the rules described in
3541 * tools/objtool/Documentation/objtool.txt.
3542 */
validate_branch(struct objtool_file * file,struct symbol * func,struct instruction * insn,struct insn_state state)3543 static int validate_branch(struct objtool_file *file, struct symbol *func,
3544 struct instruction *insn, struct insn_state state)
3545 {
3546 struct alternative *alt;
3547 struct instruction *next_insn, *prev_insn = NULL;
3548 struct section *sec;
3549 u8 visited;
3550 int ret;
3551
3552 if (func && func->ignore)
3553 return 0;
3554
3555 sec = insn->sec;
3556
3557 while (1) {
3558 next_insn = next_insn_to_validate(file, insn);
3559
3560 if (func && insn_func(insn) && func != insn_func(insn)->pfunc) {
3561 /* Ignore KCFI type preambles, which always fall through */
3562 if (!strncmp(func->name, "__cfi_", 6) ||
3563 !strncmp(func->name, "__pfx_", 6))
3564 return 0;
3565
3566 if (file->ignore_unreachables)
3567 return 0;
3568
3569 WARN("%s() falls through to next function %s()",
3570 func->name, insn_func(insn)->name);
3571 func->warned = 1;
3572
3573 return 1;
3574 }
3575
3576 visited = VISITED_BRANCH << state.uaccess;
3577 if (insn->visited & VISITED_BRANCH_MASK) {
3578 if (!insn->hint && !insn_cfi_match(insn, &state.cfi))
3579 return 1;
3580
3581 if (insn->visited & visited)
3582 return 0;
3583 } else {
3584 nr_insns_visited++;
3585 }
3586
3587 if (state.noinstr)
3588 state.instr += insn->instr;
3589
3590 if (insn->hint) {
3591 if (insn->restore) {
3592 struct instruction *save_insn, *i;
3593
3594 i = insn;
3595 save_insn = NULL;
3596
3597 sym_for_each_insn_continue_reverse(file, func, i) {
3598 if (i->save) {
3599 save_insn = i;
3600 break;
3601 }
3602 }
3603
3604 if (!save_insn) {
3605 WARN_INSN(insn, "no corresponding CFI save for CFI restore");
3606 return 1;
3607 }
3608
3609 if (!save_insn->visited) {
3610 /*
3611 * If the restore hint insn is at the
3612 * beginning of a basic block and was
3613 * branched to from elsewhere, and the
3614 * save insn hasn't been visited yet,
3615 * defer following this branch for now.
3616 * It will be seen later via the
3617 * straight-line path.
3618 */
3619 if (!prev_insn)
3620 return 0;
3621
3622 WARN_INSN(insn, "objtool isn't smart enough to handle this CFI save/restore combo");
3623 return 1;
3624 }
3625
3626 insn->cfi = save_insn->cfi;
3627 nr_cfi_reused++;
3628 }
3629
3630 state.cfi = *insn->cfi;
3631 } else {
3632 /* XXX track if we actually changed state.cfi */
3633
3634 if (prev_insn && !cficmp(prev_insn->cfi, &state.cfi)) {
3635 insn->cfi = prev_insn->cfi;
3636 nr_cfi_reused++;
3637 } else {
3638 insn->cfi = cfi_hash_find_or_add(&state.cfi);
3639 }
3640 }
3641
3642 insn->visited |= visited;
3643
3644 if (propagate_alt_cfi(file, insn))
3645 return 1;
3646
3647 if (insn->alts) {
3648 for (alt = insn->alts; alt; alt = alt->next) {
3649 ret = validate_branch(file, func, alt->insn, state);
3650 if (ret) {
3651 BT_INSN(insn, "(alt)");
3652 return ret;
3653 }
3654 }
3655 }
3656
3657 if (skip_alt_group(insn))
3658 return 0;
3659
3660 if (handle_insn_ops(insn, next_insn, &state))
3661 return 1;
3662
3663 switch (insn->type) {
3664
3665 case INSN_RETURN:
3666 return validate_return(func, insn, &state);
3667
3668 case INSN_CALL:
3669 case INSN_CALL_DYNAMIC:
3670 ret = validate_call(file, insn, &state);
3671 if (ret)
3672 return ret;
3673
3674 if (opts.stackval && func && !is_special_call(insn) &&
3675 !has_valid_stack_frame(&state)) {
3676 WARN_INSN(insn, "call without frame pointer save/setup");
3677 return 1;
3678 }
3679
3680 break;
3681
3682 case INSN_JUMP_CONDITIONAL:
3683 case INSN_JUMP_UNCONDITIONAL:
3684 if (is_sibling_call(insn)) {
3685 ret = validate_sibling_call(file, insn, &state);
3686 if (ret)
3687 return ret;
3688
3689 } else if (insn->jump_dest) {
3690 ret = validate_branch(file, func,
3691 insn->jump_dest, state);
3692 if (ret) {
3693 BT_INSN(insn, "(branch)");
3694 return ret;
3695 }
3696 }
3697
3698 if (insn->type == INSN_JUMP_UNCONDITIONAL)
3699 return 0;
3700
3701 break;
3702
3703 case INSN_JUMP_DYNAMIC:
3704 case INSN_JUMP_DYNAMIC_CONDITIONAL:
3705 if (is_sibling_call(insn)) {
3706 ret = validate_sibling_call(file, insn, &state);
3707 if (ret)
3708 return ret;
3709 }
3710
3711 if (insn->type == INSN_JUMP_DYNAMIC)
3712 return 0;
3713
3714 break;
3715
3716 case INSN_SYSCALL:
3717 if (func && (!next_insn || !next_insn->hint)) {
3718 WARN_INSN(insn, "unsupported instruction in callable function");
3719 return 1;
3720 }
3721
3722 break;
3723
3724 case INSN_SYSRET:
3725 if (func && (!next_insn || !next_insn->hint)) {
3726 WARN_INSN(insn, "unsupported instruction in callable function");
3727 return 1;
3728 }
3729
3730 return 0;
3731
3732 case INSN_STAC:
3733 if (!opts.uaccess)
3734 break;
3735
3736 if (state.uaccess) {
3737 WARN_INSN(insn, "recursive UACCESS enable");
3738 return 1;
3739 }
3740
3741 state.uaccess = true;
3742 break;
3743
3744 case INSN_CLAC:
3745 if (!opts.uaccess)
3746 break;
3747
3748 if (!state.uaccess && func) {
3749 WARN_INSN(insn, "redundant UACCESS disable");
3750 return 1;
3751 }
3752
3753 if (func_uaccess_safe(func) && !state.uaccess_stack) {
3754 WARN_INSN(insn, "UACCESS-safe disables UACCESS");
3755 return 1;
3756 }
3757
3758 state.uaccess = false;
3759 break;
3760
3761 case INSN_STD:
3762 if (state.df) {
3763 WARN_INSN(insn, "recursive STD");
3764 return 1;
3765 }
3766
3767 state.df = true;
3768 break;
3769
3770 case INSN_CLD:
3771 if (!state.df && func) {
3772 WARN_INSN(insn, "redundant CLD");
3773 return 1;
3774 }
3775
3776 state.df = false;
3777 break;
3778
3779 default:
3780 break;
3781 }
3782
3783 if (insn->dead_end)
3784 return 0;
3785
3786 if (!next_insn) {
3787 if (state.cfi.cfa.base == CFI_UNDEFINED)
3788 return 0;
3789 if (file->ignore_unreachables)
3790 return 0;
3791
3792 WARN("%s%sunexpected end of section %s",
3793 func ? func->name : "", func ? "(): " : "",
3794 sec->name);
3795 return 1;
3796 }
3797
3798 prev_insn = insn;
3799 insn = next_insn;
3800 }
3801
3802 return 0;
3803 }
3804
validate_unwind_hint(struct objtool_file * file,struct instruction * insn,struct insn_state * state)3805 static int validate_unwind_hint(struct objtool_file *file,
3806 struct instruction *insn,
3807 struct insn_state *state)
3808 {
3809 if (insn->hint && !insn->visited) {
3810 int ret = validate_branch(file, insn_func(insn), insn, *state);
3811 if (ret)
3812 BT_INSN(insn, "<=== (hint)");
3813 return ret;
3814 }
3815
3816 return 0;
3817 }
3818
validate_unwind_hints(struct objtool_file * file,struct section * sec)3819 static int validate_unwind_hints(struct objtool_file *file, struct section *sec)
3820 {
3821 struct instruction *insn;
3822 struct insn_state state;
3823 int warnings = 0;
3824
3825 if (!file->hints)
3826 return 0;
3827
3828 init_insn_state(file, &state, sec);
3829
3830 if (sec) {
3831 sec_for_each_insn(file, sec, insn)
3832 warnings += validate_unwind_hint(file, insn, &state);
3833 } else {
3834 for_each_insn(file, insn)
3835 warnings += validate_unwind_hint(file, insn, &state);
3836 }
3837
3838 return warnings;
3839 }
3840
3841 /*
3842 * Validate rethunk entry constraint: must untrain RET before the first RET.
3843 *
3844 * Follow every branch (intra-function) and ensure VALIDATE_UNRET_END comes
3845 * before an actual RET instruction.
3846 */
validate_unret(struct objtool_file * file,struct instruction * insn)3847 static int validate_unret(struct objtool_file *file, struct instruction *insn)
3848 {
3849 struct instruction *next, *dest;
3850 int ret;
3851
3852 for (;;) {
3853 next = next_insn_to_validate(file, insn);
3854
3855 if (insn->visited & VISITED_UNRET)
3856 return 0;
3857
3858 insn->visited |= VISITED_UNRET;
3859
3860 if (insn->alts) {
3861 struct alternative *alt;
3862 for (alt = insn->alts; alt; alt = alt->next) {
3863 ret = validate_unret(file, alt->insn);
3864 if (ret) {
3865 BT_INSN(insn, "(alt)");
3866 return ret;
3867 }
3868 }
3869 }
3870
3871 switch (insn->type) {
3872
3873 case INSN_CALL_DYNAMIC:
3874 case INSN_JUMP_DYNAMIC:
3875 case INSN_JUMP_DYNAMIC_CONDITIONAL:
3876 WARN_INSN(insn, "early indirect call");
3877 return 1;
3878
3879 case INSN_JUMP_UNCONDITIONAL:
3880 case INSN_JUMP_CONDITIONAL:
3881 if (!is_sibling_call(insn)) {
3882 if (!insn->jump_dest) {
3883 WARN_INSN(insn, "unresolved jump target after linking?!?");
3884 return 1;
3885 }
3886 ret = validate_unret(file, insn->jump_dest);
3887 if (ret) {
3888 BT_INSN(insn, "(branch%s)",
3889 insn->type == INSN_JUMP_CONDITIONAL ? "-cond" : "");
3890 return ret;
3891 }
3892
3893 if (insn->type == INSN_JUMP_UNCONDITIONAL)
3894 return 0;
3895
3896 break;
3897 }
3898
3899 /* fallthrough */
3900 case INSN_CALL:
3901 dest = find_insn(file, insn_call_dest(insn)->sec,
3902 insn_call_dest(insn)->offset);
3903 if (!dest) {
3904 WARN("Unresolved function after linking!?: %s",
3905 insn_call_dest(insn)->name);
3906 return 1;
3907 }
3908
3909 ret = validate_unret(file, dest);
3910 if (ret) {
3911 BT_INSN(insn, "(call)");
3912 return ret;
3913 }
3914 /*
3915 * If a call returns without error, it must have seen UNTRAIN_RET.
3916 * Therefore any non-error return is a success.
3917 */
3918 return 0;
3919
3920 case INSN_RETURN:
3921 WARN_INSN(insn, "RET before UNTRAIN");
3922 return 1;
3923
3924 case INSN_SYSCALL:
3925 break;
3926
3927 case INSN_SYSRET:
3928 return 0;
3929
3930 case INSN_NOP:
3931 if (insn->retpoline_safe)
3932 return 0;
3933 break;
3934
3935 default:
3936 break;
3937 }
3938
3939 if (insn->dead_end)
3940 return 0;
3941
3942 if (!next) {
3943 WARN_INSN(insn, "teh end!");
3944 return 1;
3945 }
3946 insn = next;
3947 }
3948
3949 return 0;
3950 }
3951
3952 /*
3953 * Validate that all branches starting at VALIDATE_UNRET_BEGIN encounter
3954 * VALIDATE_UNRET_END before RET.
3955 */
validate_unrets(struct objtool_file * file)3956 static int validate_unrets(struct objtool_file *file)
3957 {
3958 struct instruction *insn;
3959 int warnings = 0;
3960
3961 for_each_insn(file, insn) {
3962 if (!insn->unret)
3963 continue;
3964
3965 warnings += validate_unret(file, insn);
3966 }
3967
3968 return warnings;
3969 }
3970
validate_retpoline(struct objtool_file * file)3971 static int validate_retpoline(struct objtool_file *file)
3972 {
3973 struct instruction *insn;
3974 int warnings = 0;
3975
3976 for_each_insn(file, insn) {
3977 if (insn->type != INSN_JUMP_DYNAMIC &&
3978 insn->type != INSN_CALL_DYNAMIC &&
3979 insn->type != INSN_RETURN)
3980 continue;
3981
3982 if (insn->retpoline_safe)
3983 continue;
3984
3985 if (insn->sec->init)
3986 continue;
3987
3988 if (insn->type == INSN_RETURN) {
3989 if (opts.rethunk) {
3990 WARN_INSN(insn, "'naked' return found in MITIGATION_RETHUNK build");
3991 warnings++;
3992 }
3993 continue;
3994 }
3995
3996 WARN_INSN(insn, "indirect %s found in MITIGATION_RETPOLINE build",
3997 insn->type == INSN_JUMP_DYNAMIC ? "jump" : "call");
3998 warnings++;
3999 }
4000
4001 return warnings;
4002 }
4003
is_kasan_insn(struct instruction * insn)4004 static bool is_kasan_insn(struct instruction *insn)
4005 {
4006 return (insn->type == INSN_CALL &&
4007 !strcmp(insn_call_dest(insn)->name, "__asan_handle_no_return"));
4008 }
4009
is_ubsan_insn(struct instruction * insn)4010 static bool is_ubsan_insn(struct instruction *insn)
4011 {
4012 return (insn->type == INSN_CALL &&
4013 !strcmp(insn_call_dest(insn)->name,
4014 "__ubsan_handle_builtin_unreachable"));
4015 }
4016
ignore_unreachable_insn(struct objtool_file * file,struct instruction * insn)4017 static bool ignore_unreachable_insn(struct objtool_file *file, struct instruction *insn)
4018 {
4019 struct symbol *func = insn_func(insn);
4020 struct instruction *prev_insn;
4021 int i;
4022
4023 if (insn->type == INSN_NOP || insn->type == INSN_TRAP || (func && func->ignore))
4024 return true;
4025
4026 /*
4027 * Ignore alternative replacement instructions. This can happen
4028 * when a whitelisted function uses one of the ALTERNATIVE macros.
4029 */
4030 if (!strcmp(insn->sec->name, ".altinstr_replacement") ||
4031 !strcmp(insn->sec->name, ".altinstr_aux"))
4032 return true;
4033
4034 /*
4035 * Whole archive runs might encounter dead code from weak symbols.
4036 * This is where the linker will have dropped the weak symbol in
4037 * favour of a regular symbol, but leaves the code in place.
4038 *
4039 * In this case we'll find a piece of code (whole function) that is not
4040 * covered by a !section symbol. Ignore them.
4041 */
4042 if (opts.link && !func) {
4043 int size = find_symbol_hole_containing(insn->sec, insn->offset);
4044 unsigned long end = insn->offset + size;
4045
4046 if (!size) /* not a hole */
4047 return false;
4048
4049 if (size < 0) /* hole until the end */
4050 return true;
4051
4052 sec_for_each_insn_continue(file, insn) {
4053 /*
4054 * If we reach a visited instruction at or before the
4055 * end of the hole, ignore the unreachable.
4056 */
4057 if (insn->visited)
4058 return true;
4059
4060 if (insn->offset >= end)
4061 break;
4062
4063 /*
4064 * If this hole jumps to a .cold function, mark it ignore too.
4065 */
4066 if (insn->jump_dest && insn_func(insn->jump_dest) &&
4067 strstr(insn_func(insn->jump_dest)->name, ".cold")) {
4068 insn_func(insn->jump_dest)->ignore = true;
4069 }
4070 }
4071
4072 return false;
4073 }
4074
4075 if (!func)
4076 return false;
4077
4078 if (func->static_call_tramp)
4079 return true;
4080
4081 /*
4082 * CONFIG_UBSAN_TRAP inserts a UD2 when it sees
4083 * __builtin_unreachable(). The BUG() macro has an unreachable() after
4084 * the UD2, which causes GCC's undefined trap logic to emit another UD2
4085 * (or occasionally a JMP to UD2).
4086 *
4087 * It may also insert a UD2 after calling a __noreturn function.
4088 */
4089 prev_insn = prev_insn_same_sec(file, insn);
4090 if (prev_insn && prev_insn->dead_end &&
4091 (insn->type == INSN_BUG ||
4092 (insn->type == INSN_JUMP_UNCONDITIONAL &&
4093 insn->jump_dest && insn->jump_dest->type == INSN_BUG)))
4094 return true;
4095
4096 /*
4097 * Check if this (or a subsequent) instruction is related to
4098 * CONFIG_UBSAN or CONFIG_KASAN.
4099 *
4100 * End the search at 5 instructions to avoid going into the weeds.
4101 */
4102 for (i = 0; i < 5; i++) {
4103
4104 if (is_kasan_insn(insn) || is_ubsan_insn(insn))
4105 return true;
4106
4107 if (insn->type == INSN_JUMP_UNCONDITIONAL) {
4108 if (insn->jump_dest &&
4109 insn_func(insn->jump_dest) == func) {
4110 insn = insn->jump_dest;
4111 continue;
4112 }
4113
4114 break;
4115 }
4116
4117 if (insn->offset + insn->len >= func->offset + func->len)
4118 break;
4119
4120 insn = next_insn_same_sec(file, insn);
4121 }
4122
4123 return false;
4124 }
4125
add_prefix_symbol(struct objtool_file * file,struct symbol * func)4126 static int add_prefix_symbol(struct objtool_file *file, struct symbol *func)
4127 {
4128 struct instruction *insn, *prev;
4129 struct cfi_state *cfi;
4130
4131 insn = find_insn(file, func->sec, func->offset);
4132 if (!insn)
4133 return -1;
4134
4135 for (prev = prev_insn_same_sec(file, insn);
4136 prev;
4137 prev = prev_insn_same_sec(file, prev)) {
4138 u64 offset;
4139
4140 if (prev->type != INSN_NOP)
4141 return -1;
4142
4143 offset = func->offset - prev->offset;
4144
4145 if (offset > opts.prefix)
4146 return -1;
4147
4148 if (offset < opts.prefix)
4149 continue;
4150
4151 elf_create_prefix_symbol(file->elf, func, opts.prefix);
4152 break;
4153 }
4154
4155 if (!prev)
4156 return -1;
4157
4158 if (!insn->cfi) {
4159 /*
4160 * This can happen if stack validation isn't enabled or the
4161 * function is annotated with STACK_FRAME_NON_STANDARD.
4162 */
4163 return 0;
4164 }
4165
4166 /* Propagate insn->cfi to the prefix code */
4167 cfi = cfi_hash_find_or_add(insn->cfi);
4168 for (; prev != insn; prev = next_insn_same_sec(file, prev))
4169 prev->cfi = cfi;
4170
4171 return 0;
4172 }
4173
add_prefix_symbols(struct objtool_file * file)4174 static int add_prefix_symbols(struct objtool_file *file)
4175 {
4176 struct section *sec;
4177 struct symbol *func;
4178
4179 for_each_sec(file, sec) {
4180 if (!(sec->sh.sh_flags & SHF_EXECINSTR))
4181 continue;
4182
4183 sec_for_each_sym(sec, func) {
4184 if (func->type != STT_FUNC)
4185 continue;
4186
4187 add_prefix_symbol(file, func);
4188 }
4189 }
4190
4191 return 0;
4192 }
4193
validate_symbol(struct objtool_file * file,struct section * sec,struct symbol * sym,struct insn_state * state)4194 static int validate_symbol(struct objtool_file *file, struct section *sec,
4195 struct symbol *sym, struct insn_state *state)
4196 {
4197 struct instruction *insn;
4198 int ret;
4199
4200 if (!sym->len) {
4201 WARN("%s() is missing an ELF size annotation", sym->name);
4202 return 1;
4203 }
4204
4205 if (sym->pfunc != sym || sym->alias != sym)
4206 return 0;
4207
4208 insn = find_insn(file, sec, sym->offset);
4209 if (!insn || insn->visited)
4210 return 0;
4211
4212 if (opts.uaccess)
4213 state->uaccess = sym->uaccess_safe;
4214
4215 ret = validate_branch(file, insn_func(insn), insn, *state);
4216 if (ret)
4217 BT_INSN(insn, "<=== (sym)");
4218 return ret;
4219 }
4220
validate_section(struct objtool_file * file,struct section * sec)4221 static int validate_section(struct objtool_file *file, struct section *sec)
4222 {
4223 struct insn_state state;
4224 struct symbol *func;
4225 int warnings = 0;
4226
4227 sec_for_each_sym(sec, func) {
4228 if (func->type != STT_FUNC)
4229 continue;
4230
4231 init_insn_state(file, &state, sec);
4232 set_func_state(&state.cfi);
4233
4234 warnings += validate_symbol(file, sec, func, &state);
4235 }
4236
4237 return warnings;
4238 }
4239
validate_noinstr_sections(struct objtool_file * file)4240 static int validate_noinstr_sections(struct objtool_file *file)
4241 {
4242 struct section *sec;
4243 int warnings = 0;
4244
4245 sec = find_section_by_name(file->elf, ".noinstr.text");
4246 if (sec) {
4247 warnings += validate_section(file, sec);
4248 warnings += validate_unwind_hints(file, sec);
4249 }
4250
4251 sec = find_section_by_name(file->elf, ".entry.text");
4252 if (sec) {
4253 warnings += validate_section(file, sec);
4254 warnings += validate_unwind_hints(file, sec);
4255 }
4256
4257 sec = find_section_by_name(file->elf, ".cpuidle.text");
4258 if (sec) {
4259 warnings += validate_section(file, sec);
4260 warnings += validate_unwind_hints(file, sec);
4261 }
4262
4263 return warnings;
4264 }
4265
validate_functions(struct objtool_file * file)4266 static int validate_functions(struct objtool_file *file)
4267 {
4268 struct section *sec;
4269 int warnings = 0;
4270
4271 for_each_sec(file, sec) {
4272 if (!(sec->sh.sh_flags & SHF_EXECINSTR))
4273 continue;
4274
4275 warnings += validate_section(file, sec);
4276 }
4277
4278 return warnings;
4279 }
4280
mark_endbr_used(struct instruction * insn)4281 static void mark_endbr_used(struct instruction *insn)
4282 {
4283 if (!list_empty(&insn->call_node))
4284 list_del_init(&insn->call_node);
4285 }
4286
noendbr_range(struct objtool_file * file,struct instruction * insn)4287 static bool noendbr_range(struct objtool_file *file, struct instruction *insn)
4288 {
4289 struct symbol *sym = find_symbol_containing(insn->sec, insn->offset-1);
4290 struct instruction *first;
4291
4292 if (!sym)
4293 return false;
4294
4295 first = find_insn(file, sym->sec, sym->offset);
4296 if (!first)
4297 return false;
4298
4299 if (first->type != INSN_ENDBR && !first->noendbr)
4300 return false;
4301
4302 return insn->offset == sym->offset + sym->len;
4303 }
4304
__validate_ibt_insn(struct objtool_file * file,struct instruction * insn,struct instruction * dest)4305 static int __validate_ibt_insn(struct objtool_file *file, struct instruction *insn,
4306 struct instruction *dest)
4307 {
4308 if (dest->type == INSN_ENDBR) {
4309 mark_endbr_used(dest);
4310 return 0;
4311 }
4312
4313 if (insn_func(dest) && insn_func(insn) &&
4314 insn_func(dest)->pfunc == insn_func(insn)->pfunc) {
4315 /*
4316 * Anything from->to self is either _THIS_IP_ or
4317 * IRET-to-self.
4318 *
4319 * There is no sane way to annotate _THIS_IP_ since the
4320 * compiler treats the relocation as a constant and is
4321 * happy to fold in offsets, skewing any annotation we
4322 * do, leading to vast amounts of false-positives.
4323 *
4324 * There's also compiler generated _THIS_IP_ through
4325 * KCOV and such which we have no hope of annotating.
4326 *
4327 * As such, blanket accept self-references without
4328 * issue.
4329 */
4330 return 0;
4331 }
4332
4333 /*
4334 * Accept anything ANNOTATE_NOENDBR.
4335 */
4336 if (dest->noendbr)
4337 return 0;
4338
4339 /*
4340 * Accept if this is the instruction after a symbol
4341 * that is (no)endbr -- typical code-range usage.
4342 */
4343 if (noendbr_range(file, dest))
4344 return 0;
4345
4346 WARN_INSN(insn, "relocation to !ENDBR: %s", offstr(dest->sec, dest->offset));
4347 return 1;
4348 }
4349
validate_ibt_insn(struct objtool_file * file,struct instruction * insn)4350 static int validate_ibt_insn(struct objtool_file *file, struct instruction *insn)
4351 {
4352 struct instruction *dest;
4353 struct reloc *reloc;
4354 unsigned long off;
4355 int warnings = 0;
4356
4357 /*
4358 * Looking for function pointer load relocations. Ignore
4359 * direct/indirect branches:
4360 */
4361 switch (insn->type) {
4362
4363 case INSN_CALL:
4364 case INSN_CALL_DYNAMIC:
4365 case INSN_JUMP_CONDITIONAL:
4366 case INSN_JUMP_UNCONDITIONAL:
4367 case INSN_JUMP_DYNAMIC:
4368 case INSN_JUMP_DYNAMIC_CONDITIONAL:
4369 case INSN_RETURN:
4370 case INSN_NOP:
4371 return 0;
4372
4373 case INSN_LEA_RIP:
4374 if (!insn_reloc(file, insn)) {
4375 /* local function pointer reference without reloc */
4376
4377 off = arch_jump_destination(insn);
4378
4379 dest = find_insn(file, insn->sec, off);
4380 if (!dest) {
4381 WARN_INSN(insn, "corrupt function pointer reference");
4382 return 1;
4383 }
4384
4385 return __validate_ibt_insn(file, insn, dest);
4386 }
4387 break;
4388
4389 default:
4390 break;
4391 }
4392
4393 for (reloc = insn_reloc(file, insn);
4394 reloc;
4395 reloc = find_reloc_by_dest_range(file->elf, insn->sec,
4396 reloc_offset(reloc) + 1,
4397 (insn->offset + insn->len) - (reloc_offset(reloc) + 1))) {
4398
4399 off = reloc->sym->offset;
4400 if (reloc_type(reloc) == R_X86_64_PC32 ||
4401 reloc_type(reloc) == R_X86_64_PLT32)
4402 off += arch_dest_reloc_offset(reloc_addend(reloc));
4403 else
4404 off += reloc_addend(reloc);
4405
4406 dest = find_insn(file, reloc->sym->sec, off);
4407 if (!dest)
4408 continue;
4409
4410 warnings += __validate_ibt_insn(file, insn, dest);
4411 }
4412
4413 return warnings;
4414 }
4415
validate_ibt_data_reloc(struct objtool_file * file,struct reloc * reloc)4416 static int validate_ibt_data_reloc(struct objtool_file *file,
4417 struct reloc *reloc)
4418 {
4419 struct instruction *dest;
4420
4421 dest = find_insn(file, reloc->sym->sec,
4422 reloc->sym->offset + reloc_addend(reloc));
4423 if (!dest)
4424 return 0;
4425
4426 if (dest->type == INSN_ENDBR) {
4427 mark_endbr_used(dest);
4428 return 0;
4429 }
4430
4431 if (dest->noendbr)
4432 return 0;
4433
4434 WARN_FUNC(reloc->sec->base, reloc_offset(reloc),
4435 "data relocation to !ENDBR: %s", offstr(dest->sec, dest->offset));
4436
4437 return 1;
4438 }
4439
4440 /*
4441 * Validate IBT rules and remove used ENDBR instructions from the seal list.
4442 * Unused ENDBR instructions will be annotated for sealing (i.e., replaced with
4443 * NOPs) later, in create_ibt_endbr_seal_sections().
4444 */
validate_ibt(struct objtool_file * file)4445 static int validate_ibt(struct objtool_file *file)
4446 {
4447 struct section *sec;
4448 struct reloc *reloc;
4449 struct instruction *insn;
4450 int warnings = 0;
4451
4452 for_each_insn(file, insn)
4453 warnings += validate_ibt_insn(file, insn);
4454
4455 for_each_sec(file, sec) {
4456
4457 /* Already done by validate_ibt_insn() */
4458 if (sec->sh.sh_flags & SHF_EXECINSTR)
4459 continue;
4460
4461 if (!sec->rsec)
4462 continue;
4463
4464 /*
4465 * These sections can reference text addresses, but not with
4466 * the intent to indirect branch to them.
4467 */
4468 if ((!strncmp(sec->name, ".discard", 8) &&
4469 strcmp(sec->name, ".discard.ibt_endbr_noseal")) ||
4470 !strncmp(sec->name, ".debug", 6) ||
4471 !strcmp(sec->name, ".altinstructions") ||
4472 !strcmp(sec->name, ".ibt_endbr_seal") ||
4473 !strcmp(sec->name, ".orc_unwind_ip") ||
4474 !strcmp(sec->name, ".parainstructions") ||
4475 !strcmp(sec->name, ".retpoline_sites") ||
4476 !strcmp(sec->name, ".smp_locks") ||
4477 !strcmp(sec->name, ".static_call_sites") ||
4478 !strcmp(sec->name, "_error_injection_whitelist") ||
4479 !strcmp(sec->name, "_kprobe_blacklist") ||
4480 !strcmp(sec->name, "__bug_table") ||
4481 !strcmp(sec->name, "__ex_table") ||
4482 !strcmp(sec->name, "__jump_table") ||
4483 !strcmp(sec->name, "__mcount_loc") ||
4484 !strcmp(sec->name, ".kcfi_traps") ||
4485 !strcmp(sec->name, ".llvm.call-graph-profile") ||
4486 !strcmp(sec->name, ".llvm_bb_addr_map") ||
4487 !strcmp(sec->name, "__tracepoints") ||
4488 strstr(sec->name, "__patchable_function_entries"))
4489 continue;
4490
4491 for_each_reloc(sec->rsec, reloc)
4492 warnings += validate_ibt_data_reloc(file, reloc);
4493 }
4494
4495 return warnings;
4496 }
4497
validate_sls(struct objtool_file * file)4498 static int validate_sls(struct objtool_file *file)
4499 {
4500 struct instruction *insn, *next_insn;
4501 int warnings = 0;
4502
4503 for_each_insn(file, insn) {
4504 next_insn = next_insn_same_sec(file, insn);
4505
4506 if (insn->retpoline_safe)
4507 continue;
4508
4509 switch (insn->type) {
4510 case INSN_RETURN:
4511 if (!next_insn || next_insn->type != INSN_TRAP) {
4512 WARN_INSN(insn, "missing int3 after ret");
4513 warnings++;
4514 }
4515
4516 break;
4517 case INSN_JUMP_DYNAMIC:
4518 if (!next_insn || next_insn->type != INSN_TRAP) {
4519 WARN_INSN(insn, "missing int3 after indirect jump");
4520 warnings++;
4521 }
4522 break;
4523 default:
4524 break;
4525 }
4526 }
4527
4528 return warnings;
4529 }
4530
validate_reachable_instructions(struct objtool_file * file)4531 static int validate_reachable_instructions(struct objtool_file *file)
4532 {
4533 struct instruction *insn, *prev_insn;
4534 struct symbol *call_dest;
4535 int warnings = 0;
4536
4537 if (file->ignore_unreachables)
4538 return 0;
4539
4540 for_each_insn(file, insn) {
4541 if (insn->visited || ignore_unreachable_insn(file, insn))
4542 continue;
4543
4544 prev_insn = prev_insn_same_sec(file, insn);
4545 if (prev_insn && prev_insn->dead_end) {
4546 call_dest = insn_call_dest(prev_insn);
4547 if (call_dest) {
4548 WARN_INSN(insn, "%s() missing __noreturn in .c/.h or NORETURN() in noreturns.h",
4549 call_dest->name);
4550 warnings++;
4551 continue;
4552 }
4553 }
4554
4555 WARN_INSN(insn, "unreachable instruction");
4556 warnings++;
4557 }
4558
4559 return warnings;
4560 }
4561
4562 /* 'funcs' is a space-separated list of function names */
disas_funcs(const char * funcs)4563 static void disas_funcs(const char *funcs)
4564 {
4565 const char *objdump_str, *cross_compile;
4566 int size, ret;
4567 char *cmd;
4568
4569 cross_compile = getenv("CROSS_COMPILE");
4570 if (!cross_compile)
4571 cross_compile = "";
4572
4573 objdump_str = "%sobjdump -wdr %s | gawk -M -v _funcs='%s' '"
4574 "BEGIN { split(_funcs, funcs); }"
4575 "/^$/ { func_match = 0; }"
4576 "/<.*>:/ { "
4577 "f = gensub(/.*<(.*)>:/, \"\\\\1\", 1);"
4578 "for (i in funcs) {"
4579 "if (funcs[i] == f) {"
4580 "func_match = 1;"
4581 "base = strtonum(\"0x\" $1);"
4582 "break;"
4583 "}"
4584 "}"
4585 "}"
4586 "{"
4587 "if (func_match) {"
4588 "addr = strtonum(\"0x\" $1);"
4589 "printf(\"%%04x \", addr - base);"
4590 "print;"
4591 "}"
4592 "}' 1>&2";
4593
4594 /* fake snprintf() to calculate the size */
4595 size = snprintf(NULL, 0, objdump_str, cross_compile, objname, funcs) + 1;
4596 if (size <= 0) {
4597 WARN("objdump string size calculation failed");
4598 return;
4599 }
4600
4601 cmd = malloc(size);
4602
4603 /* real snprintf() */
4604 snprintf(cmd, size, objdump_str, cross_compile, objname, funcs);
4605 ret = system(cmd);
4606 if (ret) {
4607 WARN("disassembly failed: %d", ret);
4608 return;
4609 }
4610 }
4611
disas_warned_funcs(struct objtool_file * file)4612 static void disas_warned_funcs(struct objtool_file *file)
4613 {
4614 struct symbol *sym;
4615 char *funcs = NULL, *tmp;
4616
4617 for_each_sym(file, sym) {
4618 if (sym->warned) {
4619 if (!funcs) {
4620 funcs = malloc(strlen(sym->name) + 1);
4621 if (!funcs) {
4622 ERROR_GLIBC("malloc");
4623 return;
4624 }
4625 strcpy(funcs, sym->name);
4626 } else {
4627 tmp = malloc(strlen(funcs) + strlen(sym->name) + 2);
4628 if (!tmp) {
4629 ERROR_GLIBC("malloc");
4630 return;
4631 }
4632 sprintf(tmp, "%s %s", funcs, sym->name);
4633 free(funcs);
4634 funcs = tmp;
4635 }
4636 }
4637 }
4638
4639 if (funcs)
4640 disas_funcs(funcs);
4641 }
4642
4643 struct insn_chunk {
4644 void *addr;
4645 struct insn_chunk *next;
4646 };
4647
4648 /*
4649 * Reduce peak RSS usage by freeing insns memory before writing the ELF file,
4650 * which can trigger more allocations for .debug_* sections whose data hasn't
4651 * been read yet.
4652 */
free_insns(struct objtool_file * file)4653 static void free_insns(struct objtool_file *file)
4654 {
4655 struct instruction *insn;
4656 struct insn_chunk *chunks = NULL, *chunk;
4657
4658 for_each_insn(file, insn) {
4659 if (!insn->idx) {
4660 chunk = malloc(sizeof(*chunk));
4661 chunk->addr = insn;
4662 chunk->next = chunks;
4663 chunks = chunk;
4664 }
4665 }
4666
4667 for (chunk = chunks; chunk; chunk = chunk->next)
4668 free(chunk->addr);
4669 }
4670
check(struct objtool_file * file)4671 int check(struct objtool_file *file)
4672 {
4673 int ret = 0, warnings = 0;
4674
4675 arch_initial_func_cfi_state(&initial_func_cfi);
4676 init_cfi_state(&init_cfi);
4677 init_cfi_state(&func_cfi);
4678 set_func_state(&func_cfi);
4679 init_cfi_state(&force_undefined_cfi);
4680 force_undefined_cfi.force_undefined = true;
4681
4682 if (!cfi_hash_alloc(1UL << (file->elf->symbol_bits - 3))) {
4683 ret = -1;
4684 goto out;
4685 }
4686
4687 cfi_hash_add(&init_cfi);
4688 cfi_hash_add(&func_cfi);
4689
4690 ret = decode_sections(file);
4691 if (ret)
4692 goto out;
4693
4694 if (!nr_insns)
4695 goto out;
4696
4697 if (opts.retpoline)
4698 warnings += validate_retpoline(file);
4699
4700 if (opts.stackval || opts.orc || opts.uaccess) {
4701 int w = 0;
4702
4703 w += validate_functions(file);
4704 w += validate_unwind_hints(file, NULL);
4705 if (!w)
4706 w += validate_reachable_instructions(file);
4707
4708 warnings += w;
4709
4710 } else if (opts.noinstr) {
4711 warnings += validate_noinstr_sections(file);
4712 }
4713
4714 if (opts.unret) {
4715 /*
4716 * Must be after validate_branch() and friends, it plays
4717 * further games with insn->visited.
4718 */
4719 warnings += validate_unrets(file);
4720 }
4721
4722 if (opts.ibt)
4723 warnings += validate_ibt(file);
4724
4725 if (opts.sls)
4726 warnings += validate_sls(file);
4727
4728 if (opts.static_call) {
4729 ret = create_static_call_sections(file);
4730 if (ret)
4731 goto out;
4732 }
4733
4734 if (opts.retpoline) {
4735 ret = create_retpoline_sites_sections(file);
4736 if (ret)
4737 goto out;
4738 }
4739
4740 if (opts.cfi) {
4741 ret = create_cfi_sections(file);
4742 if (ret)
4743 goto out;
4744 }
4745
4746 if (opts.rethunk) {
4747 ret = create_return_sites_sections(file);
4748 if (ret)
4749 goto out;
4750
4751 if (opts.hack_skylake) {
4752 ret = create_direct_call_sections(file);
4753 if (ret)
4754 goto out;
4755 }
4756 }
4757
4758 if (opts.mcount) {
4759 ret = create_mcount_loc_sections(file);
4760 if (ret)
4761 goto out;
4762 }
4763
4764 if (opts.prefix) {
4765 ret = add_prefix_symbols(file);
4766 if (ret)
4767 goto out;
4768 }
4769
4770 if (opts.ibt) {
4771 ret = create_ibt_endbr_seal_sections(file);
4772 if (ret)
4773 goto out;
4774 }
4775
4776 if (opts.orc && nr_insns) {
4777 ret = orc_create(file);
4778 if (ret)
4779 goto out;
4780 }
4781
4782 free_insns(file);
4783
4784 if (opts.stats) {
4785 printf("nr_insns_visited: %ld\n", nr_insns_visited);
4786 printf("nr_cfi: %ld\n", nr_cfi);
4787 printf("nr_cfi_reused: %ld\n", nr_cfi_reused);
4788 printf("nr_cfi_cache: %ld\n", nr_cfi_cache);
4789 }
4790
4791 out:
4792 if (!ret && !warnings)
4793 return 0;
4794
4795 if (opts.werror && warnings)
4796 ret = 1;
4797
4798 if (opts.verbose) {
4799 if (opts.werror && warnings)
4800 WARN("%d warning(s) upgraded to errors", warnings);
4801 print_args();
4802 disas_warned_funcs(file);
4803 }
4804
4805 return ret;
4806 }
4807