1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * Copyright (C) 2015-2017 Josh Poimboeuf <jpoimboe@redhat.com> 4 */ 5 6 #define _GNU_SOURCE /* memmem() */ 7 #include <fnmatch.h> 8 #include <string.h> 9 #include <stdlib.h> 10 #include <inttypes.h> 11 #include <sys/mman.h> 12 13 #include <objtool/builtin.h> 14 #include <objtool/cfi.h> 15 #include <objtool/arch.h> 16 #include <objtool/disas.h> 17 #include <objtool/check.h> 18 #include <objtool/special.h> 19 #include <objtool/trace.h> 20 #include <objtool/warn.h> 21 #include <objtool/util.h> 22 23 #include <linux/objtool_types.h> 24 #include <linux/hashtable.h> 25 #include <linux/kernel.h> 26 #include <linux/static_call_types.h> 27 #include <linux/string.h> 28 29 static unsigned long nr_cfi, nr_cfi_reused, nr_cfi_cache; 30 31 static struct cfi_init_state initial_func_cfi; 32 static struct cfi_state init_cfi; 33 static struct cfi_state func_cfi; 34 static struct cfi_state force_undefined_cfi; 35 36 struct disas_context *objtool_disas_ctx; 37 38 size_t sym_name_max_len; 39 40 struct instruction *find_insn(struct objtool_file *file, 41 struct section *sec, unsigned long offset) 42 { 43 struct instruction *insn; 44 45 hash_for_each_possible(file->insn_hash, insn, hash, sec_offset_hash(sec, offset)) { 46 if (insn->sec == sec && insn->offset == offset) 47 return insn; 48 } 49 50 return NULL; 51 } 52 53 struct instruction *next_insn_same_sec(struct objtool_file *file, 54 struct instruction *insn) 55 { 56 if (insn->idx == INSN_CHUNK_MAX) 57 return find_insn(file, insn->sec, insn->offset + insn->len); 58 59 insn++; 60 if (!insn->len) 61 return NULL; 62 63 return insn; 64 } 65 66 struct instruction *next_insn_same_func(struct objtool_file *file, 67 struct instruction *insn) 68 { 69 struct instruction *next = next_insn_same_sec(file, insn); 70 struct symbol *func = insn_func(insn); 71 72 if (!func) 73 return NULL; 74 75 if (next && insn_func(next) == func) 76 return next; 77 78 /* Check if we're already in the subfunction: */ 79 if (func == func->cfunc) 80 return NULL; 81 82 /* Move to the subfunction: */ 83 return find_insn(file, func->cfunc->sec, func->cfunc->offset); 84 } 85 86 static struct instruction *prev_insn_same_sec(struct objtool_file *file, 87 struct instruction *insn) 88 { 89 if (insn->idx == 0) { 90 if (insn->prev_len) 91 return find_insn(file, insn->sec, insn->offset - insn->prev_len); 92 return NULL; 93 } 94 95 return insn - 1; 96 } 97 98 static struct instruction *prev_insn_same_sym(struct objtool_file *file, 99 struct instruction *insn) 100 { 101 struct instruction *prev = prev_insn_same_sec(file, insn); 102 103 if (prev && insn_func(prev) == insn_func(insn)) 104 return prev; 105 106 return NULL; 107 } 108 109 #define for_each_insn(file, insn) \ 110 for (struct section *__sec, *__fake = (struct section *)1; \ 111 __fake; __fake = NULL) \ 112 for_each_sec(file->elf, __sec) \ 113 sec_for_each_insn(file, __sec, insn) 114 115 116 #define sym_for_each_insn(file, sym, insn) \ 117 for (insn = find_insn(file, sym->sec, sym->offset); \ 118 insn && insn->offset < sym->offset + sym->len; \ 119 insn = next_insn_same_sec(file, insn)) 120 121 #define sym_for_each_insn_continue_reverse(file, sym, insn) \ 122 for (insn = prev_insn_same_sec(file, insn); \ 123 insn && insn->offset >= sym->offset; \ 124 insn = prev_insn_same_sec(file, insn)) 125 126 #define sec_for_each_insn_from(file, insn) \ 127 for (; insn; insn = next_insn_same_sec(file, insn)) 128 129 #define sec_for_each_insn_continue(file, insn) \ 130 for (insn = next_insn_same_sec(file, insn); insn; \ 131 insn = next_insn_same_sec(file, insn)) 132 133 static inline struct reloc *insn_jump_table(struct instruction *insn) 134 { 135 if (insn->type == INSN_JUMP_DYNAMIC || 136 insn->type == INSN_CALL_DYNAMIC) 137 return insn->_jump_table; 138 139 return NULL; 140 } 141 142 static inline unsigned long insn_jump_table_size(struct instruction *insn) 143 { 144 if (insn->type == INSN_JUMP_DYNAMIC || 145 insn->type == INSN_CALL_DYNAMIC) 146 return insn->_jump_table_size; 147 148 return 0; 149 } 150 151 static bool is_jump_table_jump(struct instruction *insn) 152 { 153 struct alt_group *alt_group = insn->alt_group; 154 155 if (insn_jump_table(insn)) 156 return true; 157 158 /* Retpoline alternative for a jump table? */ 159 return alt_group && alt_group->orig_group && 160 insn_jump_table(alt_group->orig_group->first_insn); 161 } 162 163 static bool is_sibling_call(struct instruction *insn) 164 { 165 /* 166 * Assume only STT_FUNC calls have jump-tables. 167 */ 168 if (insn_func(insn)) { 169 /* An indirect jump is either a sibling call or a jump to a table. */ 170 if (insn->type == INSN_JUMP_DYNAMIC) 171 return !is_jump_table_jump(insn); 172 } 173 174 /* add_jump_destinations() sets insn_call_dest(insn) for sibling calls. */ 175 return (is_static_jump(insn) && insn_call_dest(insn)); 176 } 177 178 /* 179 * Checks if a function is a Rust "noreturn" one. 180 */ 181 static bool is_rust_noreturn(const struct symbol *func) 182 { 183 /* 184 * If it does not start with "_R", then it is not a Rust symbol. 185 */ 186 if (strncmp(func->name, "_R", 2)) 187 return false; 188 189 /* 190 * These are just heuristics -- we do not control the precise symbol 191 * name, due to the crate disambiguators (which depend on the compiler) 192 * as well as changes to the source code itself between versions (since 193 * these come from the Rust standard library). 194 */ 195 return str_ends_with(func->name, "_4core3num20from_str_radix_panic") || 196 str_ends_with(func->name, "_4core3num22from_ascii_radix_panic") || 197 str_ends_with(func->name, "_4core5sliceSp15copy_from_slice17len_mismatch_fail") || 198 str_ends_with(func->name, "_4core6option13expect_failed") || 199 str_ends_with(func->name, "_4core6option13unwrap_failed") || 200 str_ends_with(func->name, "_4core6result13unwrap_failed") || 201 str_ends_with(func->name, "_4core9panicking5panic") || 202 str_ends_with(func->name, "_4core9panicking9panic_fmt") || 203 str_ends_with(func->name, "_4core9panicking14panic_explicit") || 204 str_ends_with(func->name, "_4core9panicking14panic_nounwind") || 205 str_ends_with(func->name, "_4core9panicking18panic_bounds_check") || 206 str_ends_with(func->name, "_4core9panicking18panic_nounwind_fmt") || 207 str_ends_with(func->name, "_4core9panicking19assert_failed_inner") || 208 str_ends_with(func->name, "_4core9panicking30panic_null_pointer_dereference") || 209 str_ends_with(func->name, "_4core9panicking36panic_misaligned_pointer_dereference") || 210 str_ends_with(func->name, "_7___rustc17rust_begin_unwind") || 211 strstr(func->name, "_4core9panicking13assert_failed") || 212 strstr(func->name, "_4core9panicking11panic_const24panic_const_") || 213 (strstr(func->name, "_4core5slice5index") && 214 strstr(func->name, "slice_") && 215 str_ends_with(func->name, "_fail")); 216 } 217 218 /* 219 * This checks to see if the given function is a "noreturn" function. 220 * 221 * For global functions which are outside the scope of this object file, we 222 * have to keep a manual list of them. 223 * 224 * For local functions, we have to detect them manually by simply looking for 225 * the lack of a return instruction. 226 */ 227 static bool __dead_end_function(struct objtool_file *file, struct symbol *func, 228 int recursion) 229 { 230 int i; 231 struct instruction *insn; 232 bool empty = true; 233 234 #define NORETURN(func) __stringify(func), 235 static const char * const global_noreturns[] = { 236 #include "noreturns.h" 237 }; 238 #undef NORETURN 239 240 if (!func) 241 return false; 242 243 if (!is_local_sym(func)) { 244 if (is_rust_noreturn(func)) 245 return true; 246 247 for (i = 0; i < ARRAY_SIZE(global_noreturns); i++) 248 if (!strcmp(func->name, global_noreturns[i])) 249 return true; 250 } 251 252 if (is_weak_sym(func)) 253 return false; 254 255 if (!func->len) 256 return false; 257 258 insn = find_insn(file, func->sec, func->offset); 259 if (!insn || !insn_func(insn)) 260 return false; 261 262 func_for_each_insn(file, func, insn) { 263 empty = false; 264 265 if (insn->type == INSN_RETURN) 266 return false; 267 } 268 269 if (empty) 270 return false; 271 272 /* 273 * A function can have a sibling call instead of a return. In that 274 * case, the function's dead-end status depends on whether the target 275 * of the sibling call returns. 276 */ 277 func_for_each_insn(file, func, insn) { 278 if (is_sibling_call(insn)) { 279 struct instruction *dest = insn->jump_dest; 280 281 if (!dest) 282 /* sibling call to another file */ 283 return false; 284 285 /* local sibling call */ 286 if (recursion == 5) { 287 /* 288 * Infinite recursion: two functions have 289 * sibling calls to each other. This is a very 290 * rare case. It means they aren't dead ends. 291 */ 292 return false; 293 } 294 295 return __dead_end_function(file, insn_func(dest), recursion+1); 296 } 297 } 298 299 return true; 300 } 301 302 static bool dead_end_function(struct objtool_file *file, struct symbol *func) 303 { 304 return __dead_end_function(file, func, 0); 305 } 306 307 static void init_cfi_state(struct cfi_state *cfi) 308 { 309 int i; 310 311 for (i = 0; i < CFI_NUM_REGS; i++) { 312 cfi->regs[i].base = CFI_UNDEFINED; 313 cfi->vals[i].base = CFI_UNDEFINED; 314 } 315 cfi->cfa.base = CFI_UNDEFINED; 316 cfi->drap_reg = CFI_UNDEFINED; 317 cfi->drap_offset = -1; 318 } 319 320 static void init_insn_state(struct objtool_file *file, struct insn_state *state, 321 struct section *sec) 322 { 323 memset(state, 0, sizeof(*state)); 324 init_cfi_state(&state->cfi); 325 326 if (opts.noinstr && sec) 327 state->noinstr = sec->noinstr; 328 } 329 330 static struct cfi_state *cfi_alloc(void) 331 { 332 struct cfi_state *cfi = calloc(1, sizeof(struct cfi_state)); 333 if (!cfi) { 334 ERROR_GLIBC("calloc"); 335 exit(1); 336 } 337 nr_cfi++; 338 return cfi; 339 } 340 341 static int cfi_bits; 342 static struct hlist_head *cfi_hash; 343 344 static inline bool cficmp(struct cfi_state *cfi1, struct cfi_state *cfi2) 345 { 346 return memcmp((void *)cfi1 + sizeof(cfi1->hash), 347 (void *)cfi2 + sizeof(cfi2->hash), 348 sizeof(struct cfi_state) - sizeof(struct hlist_node)); 349 } 350 351 static inline u32 cfi_key(struct cfi_state *cfi) 352 { 353 return jhash((void *)cfi + sizeof(cfi->hash), 354 sizeof(*cfi) - sizeof(cfi->hash), 0); 355 } 356 357 static struct cfi_state *cfi_hash_find_or_add(struct cfi_state *cfi) 358 { 359 struct hlist_head *head = &cfi_hash[hash_min(cfi_key(cfi), cfi_bits)]; 360 struct cfi_state *obj; 361 362 hlist_for_each_entry(obj, head, hash) { 363 if (!cficmp(cfi, obj)) { 364 nr_cfi_cache++; 365 return obj; 366 } 367 } 368 369 obj = cfi_alloc(); 370 *obj = *cfi; 371 hlist_add_head(&obj->hash, head); 372 373 return obj; 374 } 375 376 static void cfi_hash_add(struct cfi_state *cfi) 377 { 378 struct hlist_head *head = &cfi_hash[hash_min(cfi_key(cfi), cfi_bits)]; 379 380 hlist_add_head(&cfi->hash, head); 381 } 382 383 static void *cfi_hash_alloc(unsigned long size) 384 { 385 cfi_bits = max(10, ilog2(size)); 386 cfi_hash = mmap(NULL, sizeof(struct hlist_head) << cfi_bits, 387 PROT_READ|PROT_WRITE, 388 MAP_PRIVATE|MAP_ANON, -1, 0); 389 if (cfi_hash == (void *)-1L) { 390 ERROR_GLIBC("mmap fail cfi_hash"); 391 cfi_hash = NULL; 392 } else if (opts.stats) { 393 printf("cfi_bits: %d\n", cfi_bits); 394 } 395 396 return cfi_hash; 397 } 398 399 static unsigned long nr_insns; 400 static unsigned long nr_insns_visited; 401 402 /* 403 * Call the arch-specific instruction decoder for all the instructions and add 404 * them to the global instruction list. 405 */ 406 static int decode_instructions(struct objtool_file *file) 407 { 408 struct section *sec; 409 struct symbol *func; 410 unsigned long offset; 411 struct instruction *insn; 412 413 for_each_sec(file->elf, sec) { 414 struct instruction *insns = NULL; 415 u8 prev_len = 0; 416 u8 idx = 0; 417 418 if (!is_text_sec(sec)) 419 continue; 420 421 if (strcmp(sec->name, ".altinstr_replacement") && 422 strcmp(sec->name, ".altinstr_aux") && 423 strncmp(sec->name, ".discard.", 9)) 424 sec->text = true; 425 426 if (!strcmp(sec->name, ".noinstr.text") || 427 !strcmp(sec->name, ".entry.text") || 428 !strcmp(sec->name, ".cpuidle.text") || 429 !strncmp(sec->name, ".text..__x86.", 13)) 430 sec->noinstr = true; 431 432 /* 433 * .init.text code is ran before userspace and thus doesn't 434 * strictly need retpolines, except for modules which are 435 * loaded late, they very much do need retpoline in their 436 * .init.text 437 */ 438 if (!strcmp(sec->name, ".init.text") && !opts.module) 439 sec->init = true; 440 441 for (offset = 0; offset < sec_size(sec); offset += insn->len) { 442 if (!insns || idx == INSN_CHUNK_MAX) { 443 insns = calloc(INSN_CHUNK_SIZE, sizeof(*insn)); 444 if (!insns) { 445 ERROR_GLIBC("calloc"); 446 return -1; 447 } 448 idx = 0; 449 } else { 450 idx++; 451 } 452 insn = &insns[idx]; 453 insn->idx = idx; 454 455 INIT_LIST_HEAD(&insn->call_node); 456 insn->sec = sec; 457 insn->offset = offset; 458 insn->prev_len = prev_len; 459 460 if (arch_decode_instruction(file, sec, offset, sec_size(sec) - offset, insn)) 461 return -1; 462 463 prev_len = insn->len; 464 465 /* 466 * By default, "ud2" is a dead end unless otherwise 467 * annotated, because GCC 7 inserts it for certain 468 * divide-by-zero cases. 469 */ 470 if (insn->type == INSN_BUG) 471 insn->dead_end = true; 472 473 hash_add(file->insn_hash, &insn->hash, sec_offset_hash(sec, insn->offset)); 474 nr_insns++; 475 } 476 477 sec_for_each_sym(sec, func) { 478 if (!is_notype_sym(func) && !is_func_sym(func)) 479 continue; 480 481 if (func->offset == sec_size(sec)) { 482 /* Heuristic: likely an "end" symbol */ 483 if (is_notype_sym(func)) 484 continue; 485 ERROR("%s(): STT_FUNC at end of section", func->name); 486 return -1; 487 } 488 489 if (func->embedded_insn || is_alias_sym(func)) 490 continue; 491 492 if (!find_insn(file, sec, func->offset)) { 493 ERROR("%s(): can't find starting instruction", func->name); 494 return -1; 495 } 496 497 sym_for_each_insn(file, func, insn) { 498 insn->_sym = func; 499 if (is_func_sym(func) && 500 insn->type == INSN_ENDBR && 501 list_empty(&insn->call_node)) { 502 if (insn->offset == func->offset) { 503 list_add_tail(&insn->call_node, &file->endbr_list); 504 file->nr_endbr++; 505 } else { 506 file->nr_endbr_int++; 507 } 508 } 509 } 510 } 511 } 512 513 if (opts.stats) 514 printf("nr_insns: %lu\n", nr_insns); 515 516 return 0; 517 } 518 519 /* 520 * Known pv_ops*[] arrays. 521 */ 522 static struct { 523 const char *name; 524 int idx_off; 525 } pv_ops_tables[] = { 526 { .name = "pv_ops", }, 527 { .name = "pv_ops_lock", }, 528 { .name = NULL, .idx_off = -1 } 529 }; 530 531 /* 532 * Get index offset for a pv_ops* array. 533 */ 534 int pv_ops_idx_off(const char *symname) 535 { 536 int idx; 537 538 for (idx = 0; pv_ops_tables[idx].name; idx++) { 539 if (!strcmp(symname, pv_ops_tables[idx].name)) 540 break; 541 } 542 543 return pv_ops_tables[idx].idx_off; 544 } 545 546 /* 547 * Read a pv_ops*[] .data table to find the static initialized values. 548 */ 549 static int add_pv_ops(struct objtool_file *file, int pv_ops_idx) 550 { 551 struct symbol *sym, *func; 552 unsigned long off, end; 553 struct reloc *reloc; 554 int idx, idx_off; 555 const char *symname; 556 557 symname = pv_ops_tables[pv_ops_idx].name; 558 sym = find_symbol_by_name(file->elf, symname); 559 if (!sym) { 560 ERROR("Unknown pv_ops array %s", symname); 561 return -1; 562 } 563 564 off = sym->offset; 565 end = off + sym->len; 566 idx_off = pv_ops_tables[pv_ops_idx].idx_off; 567 if (idx_off < 0) { 568 ERROR("pv_ops array %s has unknown index offset", symname); 569 return -1; 570 } 571 572 for (;;) { 573 reloc = find_reloc_by_dest_range(file->elf, sym->sec, off, end - off); 574 if (!reloc) 575 break; 576 577 idx = (reloc_offset(reloc) - sym->offset) / sizeof(unsigned long); 578 579 func = reloc->sym; 580 if (is_sec_sym(func)) 581 func = find_symbol_by_offset(reloc->sym->sec, 582 reloc_addend(reloc)); 583 if (!func) { 584 ERROR_FUNC(reloc->sym->sec, reloc_addend(reloc), 585 "can't find func at %s[%d]", symname, idx); 586 return -1; 587 } 588 589 if (objtool_pv_add(file, idx + idx_off, func)) 590 return -1; 591 592 off = reloc_offset(reloc) + 1; 593 if (off > end) 594 break; 595 } 596 597 return 0; 598 } 599 600 /* 601 * Allocate and initialize file->pv_ops[]. 602 */ 603 static int init_pv_ops(struct objtool_file *file) 604 { 605 struct symbol *sym; 606 int idx, nr; 607 608 if (!opts.noinstr) 609 return 0; 610 611 file->pv_ops = NULL; 612 613 nr = 0; 614 for (idx = 0; pv_ops_tables[idx].name; idx++) { 615 sym = find_symbol_by_name(file->elf, pv_ops_tables[idx].name); 616 if (!sym) { 617 pv_ops_tables[idx].idx_off = -1; 618 continue; 619 } 620 pv_ops_tables[idx].idx_off = nr; 621 nr += sym->len / sizeof(unsigned long); 622 } 623 624 if (nr == 0) 625 return 0; 626 627 file->pv_ops = calloc(nr, sizeof(struct pv_state)); 628 if (!file->pv_ops) { 629 ERROR_GLIBC("calloc"); 630 return -1; 631 } 632 633 for (idx = 0; idx < nr; idx++) 634 INIT_LIST_HEAD(&file->pv_ops[idx].targets); 635 636 for (idx = 0; pv_ops_tables[idx].name; idx++) { 637 if (pv_ops_tables[idx].idx_off < 0) 638 continue; 639 if (add_pv_ops(file, idx)) 640 return -1; 641 } 642 643 return 0; 644 } 645 646 static bool is_livepatch_module(struct objtool_file *file) 647 { 648 struct section *sec; 649 650 if (!opts.module) 651 return false; 652 653 sec = find_section_by_name(file->elf, ".modinfo"); 654 if (!sec) 655 return false; 656 657 return memmem(sec->data->d_buf, sec_size(sec), "\0livepatch=Y", 12); 658 } 659 660 static int create_static_call_sections(struct objtool_file *file) 661 { 662 struct static_call_site *site; 663 struct section *sec; 664 struct instruction *insn; 665 struct symbol *key_sym; 666 char *key_name, *tmp; 667 int idx; 668 669 sec = find_section_by_name(file->elf, ".static_call_sites"); 670 if (sec) { 671 /* 672 * Livepatch modules may have already extracted the static call 673 * site entries to take advantage of vmlinux static call 674 * privileges. 675 */ 676 if (!file->klp) 677 WARN("file already has .static_call_sites section, skipping"); 678 679 return 0; 680 } 681 682 if (list_empty(&file->static_call_list)) 683 return 0; 684 685 idx = 0; 686 list_for_each_entry(insn, &file->static_call_list, call_node) 687 idx++; 688 689 sec = elf_create_section_pair(file->elf, ".static_call_sites", 690 sizeof(*site), idx, idx * 2); 691 if (!sec) 692 return -1; 693 694 /* Allow modules to modify the low bits of static_call_site::key */ 695 sec->sh.sh_flags |= SHF_WRITE; 696 697 idx = 0; 698 list_for_each_entry(insn, &file->static_call_list, call_node) { 699 700 /* populate reloc for 'addr' */ 701 if (!elf_init_reloc_text_sym(file->elf, sec, 702 idx * sizeof(*site), idx * 2, 703 insn->sec, insn->offset)) 704 return -1; 705 706 /* find key symbol */ 707 key_name = strdup(insn_call_dest(insn)->name); 708 if (!key_name) { 709 ERROR_GLIBC("strdup"); 710 return -1; 711 } 712 if (strncmp(key_name, STATIC_CALL_TRAMP_PREFIX_STR, 713 STATIC_CALL_TRAMP_PREFIX_LEN)) { 714 ERROR("static_call: trampoline name malformed: %s", key_name); 715 return -1; 716 } 717 tmp = key_name + STATIC_CALL_TRAMP_PREFIX_LEN - STATIC_CALL_KEY_PREFIX_LEN; 718 memcpy(tmp, STATIC_CALL_KEY_PREFIX_STR, STATIC_CALL_KEY_PREFIX_LEN); 719 720 key_sym = find_symbol_by_name(file->elf, tmp); 721 if (!key_sym) { 722 if (!opts.module) { 723 ERROR("static_call: can't find static_call_key symbol: %s", tmp); 724 return -1; 725 } 726 727 /* 728 * For modules(), the key might not be exported, which 729 * means the module can make static calls but isn't 730 * allowed to change them. 731 * 732 * In that case we temporarily set the key to be the 733 * trampoline address. This is fixed up in 734 * static_call_add_module(). 735 */ 736 key_sym = insn_call_dest(insn); 737 } 738 739 /* populate reloc for 'key' */ 740 if (!elf_init_reloc_data_sym(file->elf, sec, 741 idx * sizeof(*site) + 4, 742 (idx * 2) + 1, key_sym, 743 is_sibling_call(insn) * STATIC_CALL_SITE_TAIL)) 744 return -1; 745 746 idx++; 747 } 748 749 return 0; 750 } 751 752 static int create_retpoline_sites_sections(struct objtool_file *file) 753 { 754 struct instruction *insn; 755 struct section *sec; 756 int idx; 757 758 sec = find_section_by_name(file->elf, ".retpoline_sites"); 759 if (sec) { 760 WARN("file already has .retpoline_sites, skipping"); 761 return 0; 762 } 763 764 idx = 0; 765 list_for_each_entry(insn, &file->retpoline_call_list, call_node) 766 idx++; 767 768 if (!idx) 769 return 0; 770 771 sec = elf_create_section_pair(file->elf, ".retpoline_sites", 772 sizeof(int), idx, idx); 773 if (!sec) 774 return -1; 775 776 idx = 0; 777 list_for_each_entry(insn, &file->retpoline_call_list, call_node) { 778 779 if (!elf_init_reloc_text_sym(file->elf, sec, 780 idx * sizeof(int), idx, 781 insn->sec, insn->offset)) 782 return -1; 783 784 idx++; 785 } 786 787 return 0; 788 } 789 790 static int create_return_sites_sections(struct objtool_file *file) 791 { 792 struct instruction *insn; 793 struct section *sec; 794 int idx; 795 796 sec = find_section_by_name(file->elf, ".return_sites"); 797 if (sec) { 798 WARN("file already has .return_sites, skipping"); 799 return 0; 800 } 801 802 idx = 0; 803 list_for_each_entry(insn, &file->return_thunk_list, call_node) 804 idx++; 805 806 if (!idx) 807 return 0; 808 809 sec = elf_create_section_pair(file->elf, ".return_sites", 810 sizeof(int), idx, idx); 811 if (!sec) 812 return -1; 813 814 idx = 0; 815 list_for_each_entry(insn, &file->return_thunk_list, call_node) { 816 817 if (!elf_init_reloc_text_sym(file->elf, sec, 818 idx * sizeof(int), idx, 819 insn->sec, insn->offset)) 820 return -1; 821 822 idx++; 823 } 824 825 return 0; 826 } 827 828 static int create_ibt_endbr_seal_sections(struct objtool_file *file) 829 { 830 struct instruction *insn; 831 struct section *sec; 832 int idx; 833 834 sec = find_section_by_name(file->elf, ".ibt_endbr_seal"); 835 if (sec) { 836 WARN("file already has .ibt_endbr_seal, skipping"); 837 return 0; 838 } 839 840 idx = 0; 841 list_for_each_entry(insn, &file->endbr_list, call_node) 842 idx++; 843 844 if (opts.stats) { 845 printf("ibt: ENDBR at function start: %d\n", file->nr_endbr); 846 printf("ibt: ENDBR inside functions: %d\n", file->nr_endbr_int); 847 printf("ibt: superfluous ENDBR: %d\n", idx); 848 } 849 850 if (!idx) 851 return 0; 852 853 sec = elf_create_section_pair(file->elf, ".ibt_endbr_seal", 854 sizeof(int), idx, idx); 855 if (!sec) 856 return -1; 857 858 idx = 0; 859 list_for_each_entry(insn, &file->endbr_list, call_node) { 860 861 int *site = (int *)sec->data->d_buf + idx; 862 struct symbol *func = insn_func(insn); 863 *site = 0; 864 865 if (opts.module && func && insn->offset == func->offset && 866 (!strcmp(func->name, "init_module") || 867 !strcmp(func->name, "cleanup_module"))) { 868 ERROR("%s(): Magic init_module() function name is deprecated, use module_init(fn) instead", 869 func->name); 870 return -1; 871 } 872 873 if (!elf_init_reloc_text_sym(file->elf, sec, 874 idx * sizeof(int), idx, 875 insn->sec, insn->offset)) 876 return -1; 877 878 idx++; 879 } 880 881 return 0; 882 } 883 884 /* 885 * Grow __cfi_ symbols to fill the NOP gap between the 'mov <hash>, %rax' and 886 * the start of the function. 887 */ 888 static int grow_cfi_symbols(struct objtool_file *file) 889 { 890 struct symbol *sym; 891 892 for_each_sym(file->elf, sym) { 893 if (!is_func_sym(sym) || !strstarts(sym->name, "__cfi_") || 894 sym->len != 5) 895 continue; 896 897 if (!find_func_by_offset(sym->sec, sym->offset + sym->len + opts.prefix)) 898 continue; 899 900 sym->len += opts.prefix; 901 sym->sym.st_size = sym->len; 902 if (elf_write_symbol(file->elf, sym)) 903 return -1; 904 } 905 906 return 0; 907 } 908 909 static int create_cfi_sections(struct objtool_file *file) 910 { 911 struct section *sec; 912 struct symbol *sym; 913 int idx; 914 915 sec = find_section_by_name(file->elf, ".cfi_sites"); 916 if (sec) { 917 WARN("file already has .cfi_sites section, skipping"); 918 return 0; 919 } 920 921 idx = 0; 922 for_each_sym(file->elf, sym) { 923 if (!is_func_sym(sym)) 924 continue; 925 926 if (strncmp(sym->name, "__cfi_", 6)) 927 continue; 928 929 idx++; 930 } 931 932 sec = elf_create_section_pair(file->elf, ".cfi_sites", 933 sizeof(unsigned int), idx, idx); 934 if (!sec) 935 return -1; 936 937 idx = 0; 938 for_each_sym(file->elf, sym) { 939 if (!is_func_sym(sym)) 940 continue; 941 942 if (strncmp(sym->name, "__cfi_", 6)) 943 continue; 944 945 if (!elf_init_reloc_text_sym(file->elf, sec, 946 idx * sizeof(unsigned int), idx, 947 sym->sec, sym->offset)) 948 return -1; 949 950 idx++; 951 } 952 953 return 0; 954 } 955 956 static int create_mcount_loc_sections(struct objtool_file *file) 957 { 958 size_t addr_size = elf_addr_size(file->elf); 959 struct instruction *insn; 960 struct section *sec; 961 int idx; 962 963 sec = find_section_by_name(file->elf, "__mcount_loc"); 964 if (sec) { 965 /* 966 * Livepatch modules have already extracted their __mcount_loc 967 * entries to cover the !CONFIG_FTRACE_MCOUNT_USE_OBJTOOL case. 968 */ 969 if (!file->klp) 970 WARN("file already has __mcount_loc section, skipping"); 971 972 return 0; 973 } 974 975 if (list_empty(&file->mcount_loc_list)) 976 return 0; 977 978 idx = 0; 979 list_for_each_entry(insn, &file->mcount_loc_list, call_node) 980 idx++; 981 982 sec = elf_create_section_pair(file->elf, "__mcount_loc", addr_size, 983 idx, idx); 984 if (!sec) 985 return -1; 986 987 sec->sh.sh_addralign = addr_size; 988 989 idx = 0; 990 list_for_each_entry(insn, &file->mcount_loc_list, call_node) { 991 992 struct reloc *reloc; 993 994 reloc = elf_init_reloc_text_sym(file->elf, sec, idx * addr_size, idx, 995 insn->sec, insn->offset); 996 if (!reloc) 997 return -1; 998 999 set_reloc_type(file->elf, reloc, addr_size == 8 ? R_ABS64 : R_ABS32); 1000 1001 idx++; 1002 } 1003 1004 return 0; 1005 } 1006 1007 static int create_direct_call_sections(struct objtool_file *file) 1008 { 1009 struct instruction *insn; 1010 struct section *sec; 1011 int idx; 1012 1013 sec = find_section_by_name(file->elf, ".call_sites"); 1014 if (sec) { 1015 WARN("file already has .call_sites section, skipping"); 1016 return 0; 1017 } 1018 1019 if (list_empty(&file->call_list)) 1020 return 0; 1021 1022 idx = 0; 1023 list_for_each_entry(insn, &file->call_list, call_node) 1024 idx++; 1025 1026 sec = elf_create_section_pair(file->elf, ".call_sites", 1027 sizeof(unsigned int), idx, idx); 1028 if (!sec) 1029 return -1; 1030 1031 idx = 0; 1032 list_for_each_entry(insn, &file->call_list, call_node) { 1033 1034 if (!elf_init_reloc_text_sym(file->elf, sec, 1035 idx * sizeof(unsigned int), idx, 1036 insn->sec, insn->offset)) 1037 return -1; 1038 1039 idx++; 1040 } 1041 1042 return 0; 1043 } 1044 1045 /* 1046 * Warnings shouldn't be reported for ignored functions. 1047 */ 1048 static int add_ignores(struct objtool_file *file) 1049 { 1050 struct section *rsec; 1051 struct symbol *func; 1052 struct reloc *reloc; 1053 1054 rsec = find_section_by_name(file->elf, ".rela.discard.func_stack_frame_non_standard"); 1055 if (!rsec) 1056 return 0; 1057 1058 for_each_reloc(rsec, reloc) { 1059 switch (reloc->sym->type) { 1060 case STT_FUNC: 1061 func = reloc->sym; 1062 break; 1063 1064 case STT_SECTION: 1065 func = find_func_by_offset(reloc->sym->sec, reloc_addend(reloc)); 1066 if (!func) 1067 continue; 1068 break; 1069 1070 default: 1071 ERROR("unexpected relocation symbol type in %s: %d", 1072 rsec->name, reloc->sym->type); 1073 return -1; 1074 } 1075 1076 func->ignore = true; 1077 if (func->cfunc) 1078 func->cfunc->ignore = true; 1079 } 1080 1081 return 0; 1082 } 1083 1084 /* 1085 * This is a whitelist of functions that is allowed to be called with AC set. 1086 * The list is meant to be minimal and only contains compiler instrumentation 1087 * ABI and a few functions used to implement *_{to,from}_user() functions. 1088 * 1089 * These functions must not directly change AC, but may PUSHF/POPF. 1090 */ 1091 static const char *uaccess_safe_builtin[] = { 1092 /* KASAN */ 1093 "kasan_report", 1094 "kasan_check_range", 1095 /* KASAN out-of-line */ 1096 "__asan_loadN_noabort", 1097 "__asan_load1_noabort", 1098 "__asan_load2_noabort", 1099 "__asan_load4_noabort", 1100 "__asan_load8_noabort", 1101 "__asan_load16_noabort", 1102 "__asan_storeN_noabort", 1103 "__asan_store1_noabort", 1104 "__asan_store2_noabort", 1105 "__asan_store4_noabort", 1106 "__asan_store8_noabort", 1107 "__asan_store16_noabort", 1108 "__kasan_check_read", 1109 "__kasan_check_write", 1110 /* KASAN in-line */ 1111 "__asan_report_load_n_noabort", 1112 "__asan_report_load1_noabort", 1113 "__asan_report_load2_noabort", 1114 "__asan_report_load4_noabort", 1115 "__asan_report_load8_noabort", 1116 "__asan_report_load16_noabort", 1117 "__asan_report_store_n_noabort", 1118 "__asan_report_store1_noabort", 1119 "__asan_report_store2_noabort", 1120 "__asan_report_store4_noabort", 1121 "__asan_report_store8_noabort", 1122 "__asan_report_store16_noabort", 1123 /* KCSAN */ 1124 "__kcsan_check_access", 1125 "__kcsan_mb", 1126 "__kcsan_wmb", 1127 "__kcsan_rmb", 1128 "__kcsan_release", 1129 "kcsan_found_watchpoint", 1130 "kcsan_setup_watchpoint", 1131 "kcsan_check_scoped_accesses", 1132 "kcsan_disable_current", 1133 "kcsan_enable_current_nowarn", 1134 /* KCSAN/TSAN */ 1135 "__tsan_func_entry", 1136 "__tsan_func_exit", 1137 "__tsan_read_range", 1138 "__tsan_write_range", 1139 "__tsan_read1", 1140 "__tsan_read2", 1141 "__tsan_read4", 1142 "__tsan_read8", 1143 "__tsan_read16", 1144 "__tsan_write1", 1145 "__tsan_write2", 1146 "__tsan_write4", 1147 "__tsan_write8", 1148 "__tsan_write16", 1149 "__tsan_read_write1", 1150 "__tsan_read_write2", 1151 "__tsan_read_write4", 1152 "__tsan_read_write8", 1153 "__tsan_read_write16", 1154 "__tsan_volatile_read1", 1155 "__tsan_volatile_read2", 1156 "__tsan_volatile_read4", 1157 "__tsan_volatile_read8", 1158 "__tsan_volatile_read16", 1159 "__tsan_volatile_write1", 1160 "__tsan_volatile_write2", 1161 "__tsan_volatile_write4", 1162 "__tsan_volatile_write8", 1163 "__tsan_volatile_write16", 1164 "__tsan_atomic8_load", 1165 "__tsan_atomic16_load", 1166 "__tsan_atomic32_load", 1167 "__tsan_atomic64_load", 1168 "__tsan_atomic8_store", 1169 "__tsan_atomic16_store", 1170 "__tsan_atomic32_store", 1171 "__tsan_atomic64_store", 1172 "__tsan_atomic8_exchange", 1173 "__tsan_atomic16_exchange", 1174 "__tsan_atomic32_exchange", 1175 "__tsan_atomic64_exchange", 1176 "__tsan_atomic8_fetch_add", 1177 "__tsan_atomic16_fetch_add", 1178 "__tsan_atomic32_fetch_add", 1179 "__tsan_atomic64_fetch_add", 1180 "__tsan_atomic8_fetch_sub", 1181 "__tsan_atomic16_fetch_sub", 1182 "__tsan_atomic32_fetch_sub", 1183 "__tsan_atomic64_fetch_sub", 1184 "__tsan_atomic8_fetch_and", 1185 "__tsan_atomic16_fetch_and", 1186 "__tsan_atomic32_fetch_and", 1187 "__tsan_atomic64_fetch_and", 1188 "__tsan_atomic8_fetch_or", 1189 "__tsan_atomic16_fetch_or", 1190 "__tsan_atomic32_fetch_or", 1191 "__tsan_atomic64_fetch_or", 1192 "__tsan_atomic8_fetch_xor", 1193 "__tsan_atomic16_fetch_xor", 1194 "__tsan_atomic32_fetch_xor", 1195 "__tsan_atomic64_fetch_xor", 1196 "__tsan_atomic8_fetch_nand", 1197 "__tsan_atomic16_fetch_nand", 1198 "__tsan_atomic32_fetch_nand", 1199 "__tsan_atomic64_fetch_nand", 1200 "__tsan_atomic8_compare_exchange_strong", 1201 "__tsan_atomic16_compare_exchange_strong", 1202 "__tsan_atomic32_compare_exchange_strong", 1203 "__tsan_atomic64_compare_exchange_strong", 1204 "__tsan_atomic8_compare_exchange_weak", 1205 "__tsan_atomic16_compare_exchange_weak", 1206 "__tsan_atomic32_compare_exchange_weak", 1207 "__tsan_atomic64_compare_exchange_weak", 1208 "__tsan_atomic8_compare_exchange_val", 1209 "__tsan_atomic16_compare_exchange_val", 1210 "__tsan_atomic32_compare_exchange_val", 1211 "__tsan_atomic64_compare_exchange_val", 1212 "__tsan_atomic_thread_fence", 1213 "__tsan_atomic_signal_fence", 1214 "__tsan_unaligned_read16", 1215 "__tsan_unaligned_write16", 1216 /* KCOV */ 1217 "write_comp_data", 1218 "check_kcov_mode", 1219 "__sanitizer_cov_trace_pc", 1220 "__sanitizer_cov_trace_const_cmp1", 1221 "__sanitizer_cov_trace_const_cmp2", 1222 "__sanitizer_cov_trace_const_cmp4", 1223 "__sanitizer_cov_trace_const_cmp8", 1224 "__sanitizer_cov_trace_cmp1", 1225 "__sanitizer_cov_trace_cmp2", 1226 "__sanitizer_cov_trace_cmp4", 1227 "__sanitizer_cov_trace_cmp8", 1228 "__sanitizer_cov_trace_switch", 1229 /* KMSAN */ 1230 "kmsan_copy_to_user", 1231 "kmsan_disable_current", 1232 "kmsan_enable_current", 1233 "kmsan_report", 1234 "kmsan_unpoison_entry_regs", 1235 "kmsan_unpoison_memory", 1236 "__msan_chain_origin", 1237 "__msan_get_context_state", 1238 "__msan_instrument_asm_store", 1239 "__msan_metadata_ptr_for_load_1", 1240 "__msan_metadata_ptr_for_load_2", 1241 "__msan_metadata_ptr_for_load_4", 1242 "__msan_metadata_ptr_for_load_8", 1243 "__msan_metadata_ptr_for_load_n", 1244 "__msan_metadata_ptr_for_store_1", 1245 "__msan_metadata_ptr_for_store_2", 1246 "__msan_metadata_ptr_for_store_4", 1247 "__msan_metadata_ptr_for_store_8", 1248 "__msan_metadata_ptr_for_store_n", 1249 "__msan_poison_alloca", 1250 "__msan_warning", 1251 /* UBSAN */ 1252 "ubsan_type_mismatch_common", 1253 "__ubsan_handle_type_mismatch", 1254 "__ubsan_handle_type_mismatch_v1", 1255 "__ubsan_handle_shift_out_of_bounds", 1256 "__ubsan_handle_load_invalid_value", 1257 /* KSTACK_ERASE */ 1258 "__sanitizer_cov_stack_depth", 1259 /* TRACE_BRANCH_PROFILING */ 1260 "ftrace_likely_update", 1261 /* STACKPROTECTOR */ 1262 "__stack_chk_fail", 1263 /* misc */ 1264 "csum_partial_copy_generic", 1265 "copy_mc_fragile", 1266 "copy_mc_fragile_handle_tail", 1267 "copy_mc_enhanced_fast_string", 1268 "rep_stos_alternative", 1269 "rep_movs_alternative", 1270 "copy_to_nontemporal", 1271 NULL 1272 }; 1273 1274 static void add_uaccess_safe(struct objtool_file *file) 1275 { 1276 struct symbol *func; 1277 const char **name; 1278 1279 if (!opts.uaccess) 1280 return; 1281 1282 for (name = uaccess_safe_builtin; *name; name++) { 1283 func = find_symbol_by_name(file->elf, *name); 1284 if (!func) 1285 continue; 1286 1287 func->uaccess_safe = true; 1288 } 1289 } 1290 1291 /* 1292 * Symbols that replace INSN_CALL_DYNAMIC, every (tail) call to such a symbol 1293 * will be added to the .retpoline_sites section. 1294 */ 1295 __weak bool arch_is_retpoline(struct symbol *sym) 1296 { 1297 return false; 1298 } 1299 1300 /* 1301 * Symbols that replace INSN_RETURN, every (tail) call to such a symbol 1302 * will be added to the .return_sites section. 1303 */ 1304 __weak bool arch_is_rethunk(struct symbol *sym) 1305 { 1306 return false; 1307 } 1308 1309 /* 1310 * Symbols that are embedded inside other instructions, because sometimes crazy 1311 * code exists. These are mostly ignored for validation purposes. 1312 */ 1313 __weak bool arch_is_embedded_insn(struct symbol *sym) 1314 { 1315 return false; 1316 } 1317 1318 struct reloc *insn_reloc(struct objtool_file *file, struct instruction *insn) 1319 { 1320 struct reloc *reloc; 1321 1322 if (!file || insn->no_reloc || insn->fake) 1323 return NULL; 1324 1325 reloc = find_reloc_by_dest_range(file->elf, insn->sec, 1326 insn->offset, insn->len); 1327 if (!reloc) { 1328 insn->no_reloc = 1; 1329 return NULL; 1330 } 1331 1332 return reloc; 1333 } 1334 1335 static void remove_insn_ops(struct instruction *insn) 1336 { 1337 struct stack_op *op, *next; 1338 1339 for (op = insn->stack_ops; op; op = next) { 1340 next = op->next; 1341 free(op); 1342 } 1343 insn->stack_ops = NULL; 1344 } 1345 1346 static int annotate_call_site(struct objtool_file *file, 1347 struct instruction *insn, bool sibling) 1348 { 1349 struct reloc *reloc = insn_reloc(file, insn); 1350 struct symbol *sym = insn_call_dest(insn); 1351 1352 if (!sym) 1353 sym = reloc->sym; 1354 1355 if (sym->static_call_tramp) { 1356 list_add_tail(&insn->call_node, &file->static_call_list); 1357 return 0; 1358 } 1359 1360 if (sym->retpoline_thunk) { 1361 list_add_tail(&insn->call_node, &file->retpoline_call_list); 1362 return 0; 1363 } 1364 1365 /* 1366 * Many compilers cannot disable KCOV or sanitizer calls with a function 1367 * attribute so they need a little help, NOP out any such calls from 1368 * noinstr text. 1369 */ 1370 if (opts.hack_noinstr && insn->sec->noinstr && sym->profiling_func) { 1371 if (reloc) 1372 set_reloc_type(file->elf, reloc, R_NONE); 1373 1374 if (elf_write_insn(file->elf, insn->sec, 1375 insn->offset, insn->len, 1376 sibling ? arch_ret_insn(insn->len) 1377 : arch_nop_insn(insn->len))) { 1378 return -1; 1379 } 1380 1381 insn->type = sibling ? INSN_RETURN : INSN_NOP; 1382 1383 if (sibling) { 1384 /* 1385 * We've replaced the tail-call JMP insn by two new 1386 * insn: RET; INT3, except we only have a single struct 1387 * insn here. Mark it retpoline_safe to avoid the SLS 1388 * warning, instead of adding another insn. 1389 */ 1390 insn->retpoline_safe = true; 1391 } 1392 1393 return 0; 1394 } 1395 1396 if (opts.mcount && sym->fentry) { 1397 if (sibling) 1398 WARN_INSN(insn, "tail call to __fentry__ !?!?"); 1399 if (opts.mnop) { 1400 if (reloc) 1401 set_reloc_type(file->elf, reloc, R_NONE); 1402 1403 if (elf_write_insn(file->elf, insn->sec, 1404 insn->offset, insn->len, 1405 arch_nop_insn(insn->len))) { 1406 return -1; 1407 } 1408 1409 insn->type = INSN_NOP; 1410 } 1411 1412 list_add_tail(&insn->call_node, &file->mcount_loc_list); 1413 return 0; 1414 } 1415 1416 if (insn->type == INSN_CALL && !insn->sec->init && 1417 !insn->_call_dest->embedded_insn) 1418 list_add_tail(&insn->call_node, &file->call_list); 1419 1420 if (!sibling && dead_end_function(file, sym)) 1421 insn->dead_end = true; 1422 1423 return 0; 1424 } 1425 1426 static int add_call_dest(struct objtool_file *file, struct instruction *insn, 1427 struct symbol *dest, bool sibling) 1428 { 1429 insn->_call_dest = dest; 1430 if (!dest) 1431 return 0; 1432 1433 /* 1434 * Whatever stack impact regular CALLs have, should be undone 1435 * by the RETURN of the called function. 1436 * 1437 * Annotated intra-function calls retain the stack_ops but 1438 * are converted to JUMP, see read_intra_function_calls(). 1439 */ 1440 remove_insn_ops(insn); 1441 1442 return annotate_call_site(file, insn, sibling); 1443 } 1444 1445 static int add_retpoline_call(struct objtool_file *file, struct instruction *insn) 1446 { 1447 /* 1448 * Retpoline calls/jumps are really dynamic calls/jumps in disguise, 1449 * so convert them accordingly. 1450 */ 1451 switch (insn->type) { 1452 case INSN_CALL: 1453 insn->type = INSN_CALL_DYNAMIC; 1454 break; 1455 case INSN_JUMP_UNCONDITIONAL: 1456 insn->type = INSN_JUMP_DYNAMIC; 1457 break; 1458 case INSN_JUMP_CONDITIONAL: 1459 insn->type = INSN_JUMP_DYNAMIC_CONDITIONAL; 1460 break; 1461 default: 1462 return 0; 1463 } 1464 1465 insn->retpoline_safe = true; 1466 1467 /* 1468 * Whatever stack impact regular CALLs have, should be undone 1469 * by the RETURN of the called function. 1470 * 1471 * Annotated intra-function calls retain the stack_ops but 1472 * are converted to JUMP, see read_intra_function_calls(). 1473 */ 1474 remove_insn_ops(insn); 1475 1476 return annotate_call_site(file, insn, false); 1477 } 1478 1479 static void add_return_call(struct objtool_file *file, struct instruction *insn, bool add) 1480 { 1481 /* 1482 * Return thunk tail calls are really just returns in disguise, 1483 * so convert them accordingly. 1484 */ 1485 insn->type = INSN_RETURN; 1486 insn->retpoline_safe = true; 1487 1488 if (add) 1489 list_add_tail(&insn->call_node, &file->return_thunk_list); 1490 } 1491 1492 static bool is_first_func_insn(struct objtool_file *file, 1493 struct instruction *insn) 1494 { 1495 struct symbol *func = insn_func(insn); 1496 1497 if (!func) 1498 return false; 1499 1500 if (insn->offset == func->offset) 1501 return true; 1502 1503 /* Allow direct CALL/JMP past ENDBR */ 1504 if (opts.ibt) { 1505 struct instruction *prev = prev_insn_same_sym(file, insn); 1506 1507 if (prev && prev->type == INSN_ENDBR && 1508 insn->offset == func->offset + prev->len) 1509 return true; 1510 } 1511 1512 return false; 1513 } 1514 1515 /* 1516 * Find the destination instructions for all jumps. 1517 */ 1518 static int add_jump_destinations(struct objtool_file *file) 1519 { 1520 struct instruction *insn; 1521 struct reloc *reloc; 1522 1523 for_each_insn(file, insn) { 1524 struct symbol *func = insn_func(insn); 1525 struct instruction *dest_insn; 1526 struct section *dest_sec; 1527 struct symbol *dest_sym; 1528 unsigned long dest_off; 1529 1530 if (!is_static_jump(insn)) 1531 continue; 1532 1533 if (insn->jump_dest) { 1534 /* 1535 * handle_group_alt() may have previously set 1536 * 'jump_dest' for some alternatives. 1537 */ 1538 continue; 1539 } 1540 1541 reloc = insn_reloc(file, insn); 1542 if (!reloc) { 1543 dest_sec = insn->sec; 1544 dest_off = arch_jump_destination(insn); 1545 dest_sym = dest_sec->sym; 1546 } else { 1547 dest_sym = reloc->sym; 1548 if (is_undef_sym(dest_sym)) { 1549 if (dest_sym->retpoline_thunk) { 1550 if (add_retpoline_call(file, insn)) 1551 return -1; 1552 continue; 1553 } 1554 1555 if (dest_sym->return_thunk) { 1556 add_return_call(file, insn, true); 1557 continue; 1558 } 1559 1560 /* External symbol */ 1561 if (func) { 1562 /* External sibling call */ 1563 if (add_call_dest(file, insn, dest_sym, true)) 1564 return -1; 1565 continue; 1566 } 1567 1568 /* Non-func asm code jumping to external symbol */ 1569 continue; 1570 } 1571 1572 dest_sec = dest_sym->sec; 1573 dest_off = dest_sym->offset + arch_insn_adjusted_addend(insn, reloc); 1574 } 1575 1576 dest_insn = find_insn(file, dest_sec, dest_off); 1577 if (!dest_insn) { 1578 struct symbol *sym = find_symbol_by_offset(dest_sec, dest_off); 1579 1580 /* 1581 * retbleed_untrain_ret() jumps to 1582 * __x86_return_thunk(), but objtool can't find 1583 * the thunk's starting RET instruction, 1584 * because the RET is also in the middle of 1585 * another instruction. Objtool only knows 1586 * about the outer instruction. 1587 */ 1588 if (sym && sym->embedded_insn) { 1589 add_return_call(file, insn, false); 1590 continue; 1591 } 1592 1593 /* 1594 * GCOV/KCOV dead code can jump to the end of 1595 * the function/section. 1596 */ 1597 if (file->ignore_unreachables && func && 1598 dest_sec == insn->sec && 1599 dest_off == func->offset + func->len) 1600 continue; 1601 1602 ERROR_INSN(insn, "can't find jump dest instruction at %s", 1603 offstr(dest_sec, dest_off)); 1604 return -1; 1605 } 1606 1607 if (!dest_sym || is_sec_sym(dest_sym)) { 1608 dest_sym = insn_sym(dest_insn); 1609 if (!dest_sym) 1610 goto set_jump_dest; 1611 } 1612 1613 if (dest_sym->retpoline_thunk && dest_insn->offset == dest_sym->offset) { 1614 if (add_retpoline_call(file, insn)) 1615 return -1; 1616 continue; 1617 } 1618 1619 if (dest_sym->return_thunk && dest_insn->offset == dest_sym->offset) { 1620 add_return_call(file, insn, true); 1621 continue; 1622 } 1623 1624 if (!insn_sym(insn) || insn_sym(insn)->pfunc == dest_sym->pfunc) 1625 goto set_jump_dest; 1626 1627 /* 1628 * Internal cross-function jump. 1629 */ 1630 1631 if (is_first_func_insn(file, dest_insn)) { 1632 /* Internal sibling call */ 1633 if (add_call_dest(file, insn, dest_sym, true)) 1634 return -1; 1635 continue; 1636 } 1637 1638 set_jump_dest: 1639 insn->jump_dest = dest_insn; 1640 } 1641 1642 return 0; 1643 } 1644 1645 static struct symbol *find_call_destination(struct section *sec, unsigned long offset) 1646 { 1647 struct symbol *call_dest; 1648 1649 call_dest = find_func_by_offset(sec, offset); 1650 if (!call_dest) 1651 call_dest = find_symbol_by_offset(sec, offset); 1652 1653 return call_dest; 1654 } 1655 1656 /* 1657 * Find the destination instructions for all calls. 1658 */ 1659 static int add_call_destinations(struct objtool_file *file) 1660 { 1661 struct instruction *insn; 1662 unsigned long dest_off; 1663 struct symbol *dest; 1664 struct reloc *reloc; 1665 1666 for_each_insn(file, insn) { 1667 struct symbol *func = insn_func(insn); 1668 if (insn->type != INSN_CALL) 1669 continue; 1670 1671 reloc = insn_reloc(file, insn); 1672 if (!reloc) { 1673 dest_off = arch_jump_destination(insn); 1674 dest = find_call_destination(insn->sec, dest_off); 1675 1676 if (add_call_dest(file, insn, dest, false)) 1677 return -1; 1678 1679 if (func && func->ignore) 1680 continue; 1681 1682 if (!insn_call_dest(insn)) { 1683 ERROR_INSN(insn, "unannotated intra-function call"); 1684 return -1; 1685 } 1686 1687 if (func && !is_func_sym(insn_call_dest(insn))) { 1688 ERROR_INSN(insn, "unsupported call to non-function"); 1689 return -1; 1690 } 1691 1692 } else if (is_sec_sym(reloc->sym)) { 1693 dest_off = arch_insn_adjusted_addend(insn, reloc); 1694 dest = find_call_destination(reloc->sym->sec, dest_off); 1695 if (!dest) { 1696 ERROR_INSN(insn, "can't find call dest symbol at %s+0x%lx", 1697 reloc->sym->sec->name, dest_off); 1698 return -1; 1699 } 1700 1701 if (add_call_dest(file, insn, dest, false)) 1702 return -1; 1703 1704 } else if (reloc->sym->retpoline_thunk) { 1705 if (add_retpoline_call(file, insn)) 1706 return -1; 1707 1708 } else { 1709 if (add_call_dest(file, insn, reloc->sym, false)) 1710 return -1; 1711 } 1712 } 1713 1714 return 0; 1715 } 1716 1717 /* 1718 * The .alternatives section requires some extra special care over and above 1719 * other special sections because alternatives are patched in place. 1720 */ 1721 static int handle_group_alt(struct objtool_file *file, 1722 struct special_alt *special_alt, 1723 struct instruction *orig_insn, 1724 struct instruction **new_insn) 1725 { 1726 struct instruction *last_new_insn = NULL, *insn, *nop = NULL; 1727 struct alt_group *orig_alt_group, *new_alt_group; 1728 unsigned long dest_off; 1729 1730 orig_alt_group = orig_insn->alt_group; 1731 if (!orig_alt_group) { 1732 struct instruction *last_orig_insn = NULL; 1733 1734 orig_alt_group = calloc(1, sizeof(*orig_alt_group)); 1735 if (!orig_alt_group) { 1736 ERROR_GLIBC("calloc"); 1737 return -1; 1738 } 1739 orig_alt_group->cfi = calloc(special_alt->orig_len, 1740 sizeof(struct cfi_state *)); 1741 if (!orig_alt_group->cfi) { 1742 ERROR_GLIBC("calloc"); 1743 return -1; 1744 } 1745 1746 insn = orig_insn; 1747 sec_for_each_insn_from(file, insn) { 1748 if (insn->offset >= special_alt->orig_off + special_alt->orig_len) 1749 break; 1750 1751 insn->alt_group = orig_alt_group; 1752 last_orig_insn = insn; 1753 } 1754 orig_alt_group->orig_group = NULL; 1755 orig_alt_group->first_insn = orig_insn; 1756 orig_alt_group->last_insn = last_orig_insn; 1757 orig_alt_group->nop = NULL; 1758 orig_alt_group->ignore = orig_insn->ignore_alts; 1759 orig_alt_group->feature = 0; 1760 } else { 1761 if (orig_alt_group->last_insn->offset + orig_alt_group->last_insn->len - 1762 orig_alt_group->first_insn->offset != special_alt->orig_len) { 1763 ERROR_INSN(orig_insn, "weirdly overlapping alternative! %ld != %d", 1764 orig_alt_group->last_insn->offset + 1765 orig_alt_group->last_insn->len - 1766 orig_alt_group->first_insn->offset, 1767 special_alt->orig_len); 1768 return -1; 1769 } 1770 } 1771 1772 new_alt_group = calloc(1, sizeof(*new_alt_group)); 1773 if (!new_alt_group) { 1774 ERROR_GLIBC("calloc"); 1775 return -1; 1776 } 1777 1778 if (special_alt->new_len < special_alt->orig_len) { 1779 /* 1780 * Insert a fake nop at the end to make the replacement 1781 * alt_group the same size as the original. This is needed to 1782 * allow propagate_alt_cfi() to do its magic. When the last 1783 * instruction affects the stack, the instruction after it (the 1784 * nop) will propagate the new state to the shared CFI array. 1785 */ 1786 nop = calloc(1, sizeof(*nop)); 1787 if (!nop) { 1788 ERROR_GLIBC("calloc"); 1789 return -1; 1790 } 1791 memset(nop, 0, sizeof(*nop)); 1792 1793 nop->sec = special_alt->new_sec; 1794 nop->offset = special_alt->new_off + special_alt->new_len; 1795 nop->len = special_alt->orig_len - special_alt->new_len; 1796 nop->type = INSN_NOP; 1797 nop->alt_group = new_alt_group; 1798 nop->fake = 1; 1799 } 1800 1801 if (!special_alt->new_len) { 1802 *new_insn = nop; 1803 goto end; 1804 } 1805 1806 insn = *new_insn; 1807 sec_for_each_insn_from(file, insn) { 1808 struct reloc *alt_reloc; 1809 1810 if (insn->offset >= special_alt->new_off + special_alt->new_len) 1811 break; 1812 1813 last_new_insn = insn; 1814 1815 insn->alt_group = new_alt_group; 1816 1817 /* 1818 * Since alternative replacement code is copy/pasted by the 1819 * kernel after applying relocations, generally such code can't 1820 * have relative-address relocation references to outside the 1821 * .altinstr_replacement section, unless the arch's 1822 * alternatives code can adjust the relative offsets 1823 * accordingly. 1824 */ 1825 alt_reloc = insn_reloc(file, insn); 1826 if (alt_reloc && arch_pc_relative_reloc(alt_reloc) && 1827 !arch_support_alt_relocation(special_alt, insn, alt_reloc)) { 1828 1829 ERROR_INSN(insn, "unsupported relocation in alternatives section"); 1830 return -1; 1831 } 1832 1833 if (!is_static_jump(insn)) 1834 continue; 1835 1836 if (!insn->immediate) 1837 continue; 1838 1839 dest_off = arch_jump_destination(insn); 1840 if (dest_off == special_alt->new_off + special_alt->new_len) { 1841 insn->jump_dest = next_insn_same_sec(file, orig_alt_group->last_insn); 1842 if (!insn->jump_dest) { 1843 ERROR_INSN(insn, "can't find alternative jump destination"); 1844 return -1; 1845 } 1846 } 1847 } 1848 1849 if (!last_new_insn) { 1850 ERROR_FUNC(special_alt->new_sec, special_alt->new_off, 1851 "can't find last new alternative instruction"); 1852 return -1; 1853 } 1854 1855 end: 1856 new_alt_group->orig_group = orig_alt_group; 1857 new_alt_group->first_insn = *new_insn; 1858 new_alt_group->last_insn = last_new_insn; 1859 new_alt_group->nop = nop; 1860 new_alt_group->ignore = (*new_insn)->ignore_alts; 1861 new_alt_group->cfi = orig_alt_group->cfi; 1862 new_alt_group->feature = special_alt->feature; 1863 return 0; 1864 } 1865 1866 /* 1867 * A jump table entry can either convert a nop to a jump or a jump to a nop. 1868 * If the original instruction is a jump, make the alt entry an effective nop 1869 * by just skipping the original instruction. 1870 */ 1871 static int handle_jump_alt(struct objtool_file *file, 1872 struct special_alt *special_alt, 1873 struct instruction *orig_insn, 1874 struct instruction **new_insn) 1875 { 1876 if (orig_insn->type != INSN_JUMP_UNCONDITIONAL && 1877 orig_insn->type != INSN_NOP) { 1878 1879 ERROR_INSN(orig_insn, "unsupported instruction at jump label"); 1880 return -1; 1881 } 1882 1883 if (opts.hack_jump_label && special_alt->key_addend & 2) { 1884 struct reloc *reloc = insn_reloc(file, orig_insn); 1885 1886 if (reloc) 1887 set_reloc_type(file->elf, reloc, R_NONE); 1888 1889 if (elf_write_insn(file->elf, orig_insn->sec, 1890 orig_insn->offset, orig_insn->len, 1891 arch_nop_insn(orig_insn->len))) { 1892 return -1; 1893 } 1894 1895 orig_insn->type = INSN_NOP; 1896 } 1897 1898 if (orig_insn->type == INSN_NOP) { 1899 if (orig_insn->len == 2) 1900 file->jl_nop_short++; 1901 else 1902 file->jl_nop_long++; 1903 1904 return 0; 1905 } 1906 1907 if (orig_insn->len == 2) 1908 file->jl_short++; 1909 else 1910 file->jl_long++; 1911 1912 *new_insn = next_insn_same_sec(file, orig_insn); 1913 return 0; 1914 } 1915 1916 /* 1917 * Read all the special sections which have alternate instructions which can be 1918 * patched in or redirected to at runtime. Each instruction having alternate 1919 * instruction(s) has them added to its insn->alts list, which will be 1920 * traversed in validate_branch(). 1921 */ 1922 static int add_special_section_alts(struct objtool_file *file) 1923 { 1924 struct list_head special_alts; 1925 struct instruction *orig_insn, *new_insn; 1926 struct special_alt *special_alt, *tmp; 1927 enum alternative_type alt_type; 1928 struct alternative *alt; 1929 struct alternative *a; 1930 1931 if (special_get_alts(file->elf, &special_alts)) 1932 return -1; 1933 1934 list_for_each_entry_safe(special_alt, tmp, &special_alts, list) { 1935 1936 orig_insn = find_insn(file, special_alt->orig_sec, 1937 special_alt->orig_off); 1938 if (!orig_insn) { 1939 ERROR_FUNC(special_alt->orig_sec, special_alt->orig_off, 1940 "special: can't find orig instruction"); 1941 return -1; 1942 } 1943 1944 new_insn = NULL; 1945 if (!special_alt->group || special_alt->new_len) { 1946 new_insn = find_insn(file, special_alt->new_sec, 1947 special_alt->new_off); 1948 if (!new_insn) { 1949 ERROR_FUNC(special_alt->new_sec, special_alt->new_off, 1950 "special: can't find new instruction"); 1951 return -1; 1952 } 1953 } 1954 1955 if (special_alt->group) { 1956 if (!special_alt->orig_len) { 1957 ERROR_INSN(orig_insn, "empty alternative entry"); 1958 continue; 1959 } 1960 1961 if (handle_group_alt(file, special_alt, orig_insn, &new_insn)) 1962 return -1; 1963 1964 alt_type = ALT_TYPE_INSTRUCTIONS; 1965 1966 } else if (special_alt->jump_or_nop) { 1967 if (handle_jump_alt(file, special_alt, orig_insn, &new_insn)) 1968 return -1; 1969 1970 alt_type = ALT_TYPE_JUMP_TABLE; 1971 } else { 1972 alt_type = ALT_TYPE_EX_TABLE; 1973 } 1974 1975 alt = calloc(1, sizeof(*alt)); 1976 if (!alt) { 1977 ERROR_GLIBC("calloc"); 1978 return -1; 1979 } 1980 1981 alt->insn = new_insn; 1982 alt->type = alt_type; 1983 alt->next = NULL; 1984 1985 /* 1986 * Store alternatives in the same order they have been 1987 * defined. 1988 */ 1989 if (!orig_insn->alts) { 1990 orig_insn->alts = alt; 1991 } else { 1992 for (a = orig_insn->alts; a->next; a = a->next) 1993 ; 1994 a->next = alt; 1995 } 1996 1997 list_del(&special_alt->list); 1998 free(special_alt); 1999 } 2000 2001 if (opts.stats) { 2002 printf("jl\\\tNOP\tJMP\n"); 2003 printf("short:\t%ld\t%ld\n", file->jl_nop_short, file->jl_short); 2004 printf("long:\t%ld\t%ld\n", file->jl_nop_long, file->jl_long); 2005 } 2006 2007 return 0; 2008 } 2009 2010 __weak unsigned long arch_jump_table_sym_offset(struct reloc *reloc, struct reloc *table) 2011 { 2012 return reloc->sym->offset + reloc_addend(reloc); 2013 } 2014 2015 static int add_jump_table(struct objtool_file *file, struct instruction *insn) 2016 { 2017 unsigned long table_size = insn_jump_table_size(insn); 2018 struct symbol *pfunc = insn_func(insn)->pfunc; 2019 struct reloc *table = insn_jump_table(insn); 2020 struct instruction *dest_insn; 2021 unsigned int prev_offset = 0; 2022 struct reloc *reloc = table; 2023 struct alternative *alt; 2024 unsigned long sym_offset; 2025 2026 /* 2027 * Each @reloc is a switch table relocation which points to the target 2028 * instruction. 2029 */ 2030 for_each_reloc_from(table->sec, reloc) { 2031 2032 /* Check for the end of the table: */ 2033 if (table_size && reloc_offset(reloc) - reloc_offset(table) >= table_size) 2034 break; 2035 if (reloc != table && is_jump_table(reloc)) 2036 break; 2037 2038 /* Make sure the table entries are consecutive: */ 2039 if (prev_offset && reloc_offset(reloc) != prev_offset + arch_reloc_size(reloc)) 2040 break; 2041 2042 sym_offset = arch_jump_table_sym_offset(reloc, table); 2043 2044 /* Detect function pointers from contiguous objects: */ 2045 if (reloc->sym->sec == pfunc->sec && sym_offset == pfunc->offset) 2046 break; 2047 2048 /* 2049 * Clang sometimes leaves dangling unused jump table entries 2050 * which point to the end of the function. Ignore them. 2051 */ 2052 if (reloc->sym->sec == pfunc->sec && 2053 sym_offset == pfunc->offset + pfunc->len) 2054 goto next; 2055 2056 dest_insn = find_insn(file, reloc->sym->sec, sym_offset); 2057 if (!dest_insn) 2058 break; 2059 2060 /* Make sure the destination is in the same function: */ 2061 if (!insn_func(dest_insn) || insn_func(dest_insn)->pfunc != pfunc) 2062 break; 2063 2064 alt = calloc(1, sizeof(*alt)); 2065 if (!alt) { 2066 ERROR_GLIBC("calloc"); 2067 return -1; 2068 } 2069 2070 alt->insn = dest_insn; 2071 alt->next = insn->alts; 2072 insn->alts = alt; 2073 next: 2074 prev_offset = reloc_offset(reloc); 2075 } 2076 2077 if (!prev_offset) { 2078 ERROR_INSN(insn, "can't find switch jump table"); 2079 return -1; 2080 } 2081 2082 return 0; 2083 } 2084 2085 /* 2086 * find_jump_table() - Given a dynamic jump, find the switch jump table 2087 * associated with it. 2088 */ 2089 static void find_jump_table(struct objtool_file *file, struct symbol *func, 2090 struct instruction *insn) 2091 { 2092 struct reloc *table_reloc; 2093 struct instruction *dest_insn, *orig_insn = insn; 2094 unsigned long table_size; 2095 unsigned long sym_offset; 2096 2097 /* 2098 * Backward search using the @first_jump_src links, these help avoid 2099 * much of the 'in between' code. Which avoids us getting confused by 2100 * it. 2101 */ 2102 for (; 2103 insn && insn_func(insn) && insn_func(insn)->pfunc == func; 2104 insn = insn->first_jump_src ?: prev_insn_same_sym(file, insn)) { 2105 2106 if (insn != orig_insn && insn->type == INSN_JUMP_DYNAMIC) 2107 break; 2108 2109 /* allow small jumps within the range */ 2110 if (insn->type == INSN_JUMP_UNCONDITIONAL && 2111 insn->jump_dest && 2112 (insn->jump_dest->offset <= insn->offset || 2113 insn->jump_dest->offset > orig_insn->offset)) 2114 break; 2115 2116 table_reloc = arch_find_switch_table(file, insn, &table_size); 2117 if (!table_reloc) 2118 continue; 2119 2120 sym_offset = table_reloc->sym->offset + reloc_addend(table_reloc); 2121 2122 dest_insn = find_insn(file, table_reloc->sym->sec, sym_offset); 2123 if (!dest_insn || !insn_func(dest_insn) || insn_func(dest_insn)->pfunc != func) 2124 continue; 2125 2126 set_jump_table(table_reloc); 2127 orig_insn->_jump_table = table_reloc; 2128 orig_insn->_jump_table_size = table_size; 2129 2130 break; 2131 } 2132 } 2133 2134 /* 2135 * First pass: Mark the head of each jump table so that in the next pass, 2136 * we know when a given jump table ends and the next one starts. 2137 */ 2138 static void mark_func_jump_tables(struct objtool_file *file, 2139 struct symbol *func) 2140 { 2141 struct instruction *insn, *last = NULL; 2142 2143 func_for_each_insn(file, func, insn) { 2144 if (!last) 2145 last = insn; 2146 2147 /* 2148 * Store back-pointers for forward jumps such 2149 * that find_jump_table() can back-track using those and 2150 * avoid some potentially confusing code. 2151 */ 2152 if (insn->jump_dest && 2153 insn->jump_dest->offset > insn->offset && 2154 !insn->jump_dest->first_jump_src) { 2155 2156 insn->jump_dest->first_jump_src = insn; 2157 last = insn->jump_dest; 2158 } 2159 2160 if (insn->type != INSN_JUMP_DYNAMIC) 2161 continue; 2162 2163 find_jump_table(file, func, insn); 2164 } 2165 } 2166 2167 static int add_func_jump_tables(struct objtool_file *file, 2168 struct symbol *func) 2169 { 2170 struct instruction *insn; 2171 2172 func_for_each_insn(file, func, insn) { 2173 if (!insn_jump_table(insn)) 2174 continue; 2175 2176 if (add_jump_table(file, insn)) 2177 return -1; 2178 } 2179 2180 return 0; 2181 } 2182 2183 /* 2184 * For some switch statements, gcc generates a jump table in the .rodata 2185 * section which contains a list of addresses within the function to jump to. 2186 * This finds these jump tables and adds them to the insn->alts lists. 2187 */ 2188 static int add_jump_table_alts(struct objtool_file *file) 2189 { 2190 struct symbol *func; 2191 2192 if (!file->rodata) 2193 return 0; 2194 2195 for_each_sym(file->elf, func) { 2196 if (!is_func_sym(func) || is_alias_sym(func)) 2197 continue; 2198 2199 mark_func_jump_tables(file, func); 2200 if (add_func_jump_tables(file, func)) 2201 return -1; 2202 } 2203 2204 return 0; 2205 } 2206 2207 static void set_func_state(struct cfi_state *state) 2208 { 2209 state->cfa = initial_func_cfi.cfa; 2210 memcpy(&state->regs, &initial_func_cfi.regs, 2211 CFI_NUM_REGS * sizeof(struct cfi_reg)); 2212 state->stack_size = initial_func_cfi.cfa.offset; 2213 state->type = UNWIND_HINT_TYPE_CALL; 2214 } 2215 2216 static int read_unwind_hints(struct objtool_file *file) 2217 { 2218 struct cfi_state cfi = init_cfi; 2219 struct section *sec; 2220 struct unwind_hint *hint; 2221 struct instruction *insn; 2222 struct reloc *reloc; 2223 unsigned long offset; 2224 int i; 2225 2226 sec = find_section_by_name(file->elf, ".discard.unwind_hints"); 2227 if (!sec) 2228 return 0; 2229 2230 if (!sec->rsec) { 2231 ERROR("missing .rela.discard.unwind_hints section"); 2232 return -1; 2233 } 2234 2235 if (sec_size(sec) % sizeof(struct unwind_hint)) { 2236 ERROR("struct unwind_hint size mismatch"); 2237 return -1; 2238 } 2239 2240 file->hints = true; 2241 2242 for (i = 0; i < sec_size(sec) / sizeof(struct unwind_hint); i++) { 2243 hint = (struct unwind_hint *)sec->data->d_buf + i; 2244 2245 reloc = find_reloc_by_dest(file->elf, sec, i * sizeof(*hint)); 2246 if (!reloc) { 2247 ERROR("can't find reloc for unwind_hints[%d]", i); 2248 return -1; 2249 } 2250 2251 offset = reloc->sym->offset + reloc_addend(reloc); 2252 2253 insn = find_insn(file, reloc->sym->sec, offset); 2254 if (!insn) { 2255 ERROR("can't find insn for unwind_hints[%d]", i); 2256 return -1; 2257 } 2258 2259 insn->hint = true; 2260 2261 if (hint->type == UNWIND_HINT_TYPE_UNDEFINED) { 2262 insn->cfi = &force_undefined_cfi; 2263 continue; 2264 } 2265 2266 if (hint->type == UNWIND_HINT_TYPE_SAVE) { 2267 insn->hint = false; 2268 insn->save = true; 2269 continue; 2270 } 2271 2272 if (hint->type == UNWIND_HINT_TYPE_RESTORE) { 2273 insn->restore = true; 2274 continue; 2275 } 2276 2277 if (hint->type == UNWIND_HINT_TYPE_REGS_PARTIAL) { 2278 struct symbol *sym = find_symbol_by_offset(insn->sec, insn->offset); 2279 2280 if (sym && is_global_sym(sym)) { 2281 if (opts.ibt && insn->type != INSN_ENDBR && !insn->noendbr) { 2282 ERROR_INSN(insn, "UNWIND_HINT_IRET_REGS without ENDBR"); 2283 return -1; 2284 } 2285 } 2286 } 2287 2288 if (hint->type == UNWIND_HINT_TYPE_FUNC) { 2289 insn->cfi = &func_cfi; 2290 continue; 2291 } 2292 2293 if (insn->cfi) 2294 cfi = *(insn->cfi); 2295 2296 if (arch_decode_hint_reg(hint->sp_reg, &cfi.cfa.base)) { 2297 ERROR_INSN(insn, "unsupported unwind_hint sp base reg %d", hint->sp_reg); 2298 return -1; 2299 } 2300 2301 cfi.cfa.offset = bswap_if_needed(file->elf, hint->sp_offset); 2302 cfi.type = hint->type; 2303 cfi.signal = hint->signal; 2304 2305 insn->cfi = cfi_hash_find_or_add(&cfi); 2306 } 2307 2308 return 0; 2309 } 2310 2311 static int read_annotate(struct objtool_file *file, 2312 int (*func)(struct objtool_file *file, int type, struct instruction *insn)) 2313 { 2314 struct section *sec; 2315 struct instruction *insn; 2316 struct reloc *reloc; 2317 uint64_t offset; 2318 int type; 2319 2320 sec = find_section_by_name(file->elf, ".discard.annotate_insn"); 2321 if (!sec) 2322 return 0; 2323 2324 if (!sec->rsec) 2325 return 0; 2326 2327 if (sec->sh.sh_entsize != 8) { 2328 static bool warned = false; 2329 if (!warned && opts.verbose) { 2330 WARN("%s: dodgy linker, sh_entsize != 8", sec->name); 2331 warned = true; 2332 } 2333 sec->sh.sh_entsize = 8; 2334 } 2335 2336 if (sec_num_entries(sec) != sec_num_entries(sec->rsec)) { 2337 ERROR("bad .discard.annotate_insn section: missing relocs"); 2338 return -1; 2339 } 2340 2341 for_each_reloc(sec->rsec, reloc) { 2342 type = annotype(file->elf, sec, reloc); 2343 offset = reloc->sym->offset + reloc_addend(reloc); 2344 insn = find_insn(file, reloc->sym->sec, offset); 2345 2346 if (!insn) { 2347 ERROR("bad .discard.annotate_insn entry: %d of type %d", reloc_idx(reloc), type); 2348 return -1; 2349 } 2350 2351 if (func(file, type, insn)) 2352 return -1; 2353 } 2354 2355 return 0; 2356 } 2357 2358 static int __annotate_early(struct objtool_file *file, int type, struct instruction *insn) 2359 { 2360 switch (type) { 2361 2362 /* Must be before add_special_section_alts() */ 2363 case ANNOTYPE_IGNORE_ALTS: 2364 insn->ignore_alts = true; 2365 break; 2366 2367 /* 2368 * Must be before read_unwind_hints() since that needs insn->noendbr. 2369 */ 2370 case ANNOTYPE_NOENDBR: 2371 insn->noendbr = 1; 2372 break; 2373 2374 default: 2375 break; 2376 } 2377 2378 return 0; 2379 } 2380 2381 static int __annotate_ifc(struct objtool_file *file, int type, struct instruction *insn) 2382 { 2383 unsigned long dest_off; 2384 2385 if (type != ANNOTYPE_INTRA_FUNCTION_CALL) 2386 return 0; 2387 2388 if (insn->type != INSN_CALL) { 2389 ERROR_INSN(insn, "intra_function_call not a direct call"); 2390 return -1; 2391 } 2392 2393 /* 2394 * Treat intra-function CALLs as JMPs, but with a stack_op. 2395 * See add_call_destinations(), which strips stack_ops from 2396 * normal CALLs. 2397 */ 2398 insn->type = INSN_JUMP_UNCONDITIONAL; 2399 2400 dest_off = arch_jump_destination(insn); 2401 insn->jump_dest = find_insn(file, insn->sec, dest_off); 2402 if (!insn->jump_dest) { 2403 ERROR_INSN(insn, "can't find call dest at %s+0x%lx", 2404 insn->sec->name, dest_off); 2405 return -1; 2406 } 2407 2408 return 0; 2409 } 2410 2411 static int __annotate_late(struct objtool_file *file, int type, struct instruction *insn) 2412 { 2413 struct symbol *sym; 2414 2415 switch (type) { 2416 case ANNOTYPE_NOENDBR: 2417 /* early */ 2418 break; 2419 2420 case ANNOTYPE_RETPOLINE_SAFE: 2421 if (insn->type != INSN_JUMP_DYNAMIC && 2422 insn->type != INSN_CALL_DYNAMIC && 2423 insn->type != INSN_RETURN && 2424 insn->type != INSN_NOP) { 2425 ERROR_INSN(insn, "retpoline_safe hint not an indirect jump/call/ret/nop"); 2426 return -1; 2427 } 2428 2429 insn->retpoline_safe = true; 2430 break; 2431 2432 case ANNOTYPE_INSTR_BEGIN: 2433 insn->instr++; 2434 break; 2435 2436 case ANNOTYPE_INSTR_END: 2437 insn->instr--; 2438 break; 2439 2440 case ANNOTYPE_UNRET_BEGIN: 2441 insn->unret = 1; 2442 break; 2443 2444 case ANNOTYPE_IGNORE_ALTS: 2445 /* early */ 2446 break; 2447 2448 case ANNOTYPE_INTRA_FUNCTION_CALL: 2449 /* ifc */ 2450 break; 2451 2452 case ANNOTYPE_REACHABLE: 2453 insn->dead_end = false; 2454 break; 2455 2456 case ANNOTYPE_NOCFI: 2457 sym = insn_sym(insn); 2458 if (!sym) { 2459 ERROR_INSN(insn, "dodgy NOCFI annotation"); 2460 return -1; 2461 } 2462 sym->nocfi = 1; 2463 break; 2464 2465 default: 2466 ERROR_INSN(insn, "Unknown annotation type: %d", type); 2467 return -1; 2468 } 2469 2470 return 0; 2471 } 2472 2473 /* 2474 * Return true if name matches an instrumentation function, where calls to that 2475 * function from noinstr code can safely be removed, but compilers won't do so. 2476 */ 2477 static bool is_profiling_func(const char *name) 2478 { 2479 /* 2480 * Many compilers cannot disable KCOV with a function attribute. 2481 */ 2482 if (!strncmp(name, "__sanitizer_cov_", 16)) 2483 return true; 2484 2485 return false; 2486 } 2487 2488 static int classify_symbols(struct objtool_file *file) 2489 { 2490 struct symbol *func; 2491 size_t len; 2492 2493 for_each_sym(file->elf, func) { 2494 if (is_notype_sym(func) && strstarts(func->name, ".L")) 2495 func->local_label = true; 2496 2497 if (!is_global_sym(func)) 2498 continue; 2499 2500 if (!strncmp(func->name, STATIC_CALL_TRAMP_PREFIX_STR, 2501 strlen(STATIC_CALL_TRAMP_PREFIX_STR))) 2502 func->static_call_tramp = true; 2503 2504 if (arch_is_retpoline(func)) 2505 func->retpoline_thunk = true; 2506 2507 if (arch_is_rethunk(func)) 2508 func->return_thunk = true; 2509 2510 if (arch_is_embedded_insn(func)) 2511 func->embedded_insn = true; 2512 2513 if (arch_ftrace_match(func->name)) 2514 func->fentry = true; 2515 2516 if (is_profiling_func(func->name)) 2517 func->profiling_func = true; 2518 2519 len = strlen(func->name); 2520 if (len > sym_name_max_len) 2521 sym_name_max_len = len; 2522 } 2523 2524 return 0; 2525 } 2526 2527 static void mark_rodata(struct objtool_file *file) 2528 { 2529 struct section *sec; 2530 2531 /* 2532 * Search for the following rodata sections, each of which can 2533 * potentially contain jump tables: 2534 * 2535 * - .rodata: can contain GCC switch tables 2536 * - .rodata.<func>: same, if -fdata-sections is being used 2537 * - .data.rel.ro.c_jump_table: contains C annotated jump tables 2538 * 2539 * .rodata.str1.* sections are ignored; they don't contain jump tables. 2540 */ 2541 for_each_sec(file->elf, sec) { 2542 if (is_rodata_sec(sec)) { 2543 file->rodata = true; 2544 return; 2545 } 2546 } 2547 } 2548 2549 static void mark_holes(struct objtool_file *file) 2550 { 2551 struct instruction *insn; 2552 bool in_hole = false; 2553 2554 if (!opts.link) 2555 return; 2556 2557 /* 2558 * Whole archive runs might encounter dead code from weak symbols. 2559 * This is where the linker will have dropped the weak symbol in 2560 * favour of a regular symbol, but leaves the code in place. 2561 */ 2562 for_each_insn(file, insn) { 2563 if (insn_sym(insn) || !find_symbol_hole_containing(insn->sec, insn->offset)) { 2564 in_hole = false; 2565 continue; 2566 } 2567 2568 /* Skip function padding and pfx code */ 2569 if (!in_hole && insn->type == INSN_NOP) 2570 continue; 2571 2572 in_hole = true; 2573 insn->hole = 1; 2574 2575 /* 2576 * If this hole jumps to a .cold function, mark it ignore. 2577 */ 2578 if (insn->jump_dest) { 2579 struct symbol *dest_func = insn_func(insn->jump_dest); 2580 2581 if (dest_func && is_cold_func(dest_func)) 2582 dest_func->ignore = true; 2583 } 2584 } 2585 } 2586 2587 static bool validate_branch_enabled(void) 2588 { 2589 return opts.stackval || 2590 opts.orc || 2591 opts.uaccess; 2592 } 2593 2594 static bool alts_needed(void) 2595 { 2596 return validate_branch_enabled() || 2597 opts.noinstr || 2598 opts.hack_jump_label || 2599 opts.disas || 2600 opts.checksum; 2601 } 2602 2603 int decode_file(struct objtool_file *file) 2604 { 2605 arch_initial_func_cfi_state(&initial_func_cfi); 2606 init_cfi_state(&init_cfi); 2607 init_cfi_state(&func_cfi); 2608 set_func_state(&func_cfi); 2609 init_cfi_state(&force_undefined_cfi); 2610 force_undefined_cfi.force_undefined = true; 2611 2612 if (!cfi_hash_alloc(1UL << (file->elf->symbol_bits - 3))) 2613 return -1; 2614 2615 cfi_hash_add(&init_cfi); 2616 cfi_hash_add(&func_cfi); 2617 2618 file->klp = is_livepatch_module(file); 2619 2620 mark_rodata(file); 2621 2622 if (init_pv_ops(file)) 2623 return -1; 2624 2625 /* 2626 * Must be before add_{jump_call}_destination. 2627 */ 2628 if (classify_symbols(file)) 2629 return -1; 2630 2631 if (decode_instructions(file)) 2632 return -1; 2633 2634 if (add_ignores(file)) 2635 return -1; 2636 2637 add_uaccess_safe(file); 2638 2639 if (read_annotate(file, __annotate_early)) 2640 return -1; 2641 2642 /* 2643 * Must be before add_jump_destinations(), which depends on 'func' 2644 * being set for alternatives, to enable proper sibling call detection. 2645 */ 2646 if (alts_needed()) { 2647 if (add_special_section_alts(file)) 2648 return -1; 2649 } 2650 2651 if (add_jump_destinations(file)) 2652 return -1; 2653 2654 /* 2655 * Must be before add_call_destination(); it changes INSN_CALL to 2656 * INSN_JUMP. 2657 */ 2658 if (read_annotate(file, __annotate_ifc)) 2659 return -1; 2660 2661 if (add_call_destinations(file)) 2662 return -1; 2663 2664 if (add_jump_table_alts(file)) 2665 return -1; 2666 2667 if (read_unwind_hints(file)) 2668 return -1; 2669 2670 /* Must be after add_jump_destinations() */ 2671 mark_holes(file); 2672 2673 /* 2674 * Must be after add_call_destinations() such that it can override 2675 * dead_end_function() marks. 2676 */ 2677 if (read_annotate(file, __annotate_late)) 2678 return -1; 2679 2680 return 0; 2681 } 2682 2683 static bool is_special_call(struct instruction *insn) 2684 { 2685 if (insn->type == INSN_CALL) { 2686 struct symbol *dest = insn_call_dest(insn); 2687 2688 if (!dest) 2689 return false; 2690 2691 if (dest->fentry || dest->embedded_insn) 2692 return true; 2693 } 2694 2695 return false; 2696 } 2697 2698 static bool has_modified_stack_frame(struct instruction *insn, struct insn_state *state) 2699 { 2700 struct cfi_state *cfi = &state->cfi; 2701 int i; 2702 2703 if (cfi->cfa.base != initial_func_cfi.cfa.base || cfi->drap) 2704 return true; 2705 2706 if (cfi->cfa.offset != initial_func_cfi.cfa.offset) 2707 return true; 2708 2709 if (cfi->stack_size != initial_func_cfi.cfa.offset) 2710 return true; 2711 2712 for (i = 0; i < CFI_NUM_REGS; i++) { 2713 if (cfi->regs[i].base != initial_func_cfi.regs[i].base || 2714 cfi->regs[i].offset != initial_func_cfi.regs[i].offset) 2715 return true; 2716 } 2717 2718 return false; 2719 } 2720 2721 static bool check_reg_frame_pos(const struct cfi_reg *reg, 2722 int expected_offset) 2723 { 2724 return reg->base == CFI_CFA && 2725 reg->offset == expected_offset; 2726 } 2727 2728 static bool has_valid_stack_frame(struct insn_state *state) 2729 { 2730 struct cfi_state *cfi = &state->cfi; 2731 2732 if (cfi->cfa.base == CFI_BP && 2733 check_reg_frame_pos(&cfi->regs[CFI_BP], -cfi->cfa.offset) && 2734 check_reg_frame_pos(&cfi->regs[CFI_RA], -cfi->cfa.offset + 8)) 2735 return true; 2736 2737 if (cfi->drap && cfi->regs[CFI_BP].base == CFI_BP) 2738 return true; 2739 2740 return false; 2741 } 2742 2743 static int update_cfi_state_regs(struct instruction *insn, 2744 struct cfi_state *cfi, 2745 struct stack_op *op) 2746 { 2747 struct cfi_reg *cfa = &cfi->cfa; 2748 2749 if (cfa->base != CFI_SP && cfa->base != CFI_SP_INDIRECT) 2750 return 0; 2751 2752 /* push */ 2753 if (op->dest.type == OP_DEST_PUSH || op->dest.type == OP_DEST_PUSHF) 2754 cfa->offset += 8; 2755 2756 /* pop */ 2757 if (op->src.type == OP_SRC_POP || op->src.type == OP_SRC_POPF) 2758 cfa->offset -= 8; 2759 2760 /* add immediate to sp */ 2761 if (op->dest.type == OP_DEST_REG && op->src.type == OP_SRC_ADD && 2762 op->dest.reg == CFI_SP && op->src.reg == CFI_SP) 2763 cfa->offset -= op->src.offset; 2764 2765 return 0; 2766 } 2767 2768 static void save_reg(struct cfi_state *cfi, unsigned char reg, int base, int offset) 2769 { 2770 if (arch_callee_saved_reg(reg) && 2771 cfi->regs[reg].base == CFI_UNDEFINED) { 2772 cfi->regs[reg].base = base; 2773 cfi->regs[reg].offset = offset; 2774 } 2775 } 2776 2777 static void restore_reg(struct cfi_state *cfi, unsigned char reg) 2778 { 2779 cfi->regs[reg].base = initial_func_cfi.regs[reg].base; 2780 cfi->regs[reg].offset = initial_func_cfi.regs[reg].offset; 2781 } 2782 2783 /* 2784 * A note about DRAP stack alignment: 2785 * 2786 * GCC has the concept of a DRAP register, which is used to help keep track of 2787 * the stack pointer when aligning the stack. r10 or r13 is used as the DRAP 2788 * register. The typical DRAP pattern is: 2789 * 2790 * 4c 8d 54 24 08 lea 0x8(%rsp),%r10 2791 * 48 83 e4 c0 and $0xffffffffffffffc0,%rsp 2792 * 41 ff 72 f8 pushq -0x8(%r10) 2793 * 55 push %rbp 2794 * 48 89 e5 mov %rsp,%rbp 2795 * (more pushes) 2796 * 41 52 push %r10 2797 * ... 2798 * 41 5a pop %r10 2799 * (more pops) 2800 * 5d pop %rbp 2801 * 49 8d 62 f8 lea -0x8(%r10),%rsp 2802 * c3 retq 2803 * 2804 * There are some variations in the epilogues, like: 2805 * 2806 * 5b pop %rbx 2807 * 41 5a pop %r10 2808 * 41 5c pop %r12 2809 * 41 5d pop %r13 2810 * 41 5e pop %r14 2811 * c9 leaveq 2812 * 49 8d 62 f8 lea -0x8(%r10),%rsp 2813 * c3 retq 2814 * 2815 * and: 2816 * 2817 * 4c 8b 55 e8 mov -0x18(%rbp),%r10 2818 * 48 8b 5d e0 mov -0x20(%rbp),%rbx 2819 * 4c 8b 65 f0 mov -0x10(%rbp),%r12 2820 * 4c 8b 6d f8 mov -0x8(%rbp),%r13 2821 * c9 leaveq 2822 * 49 8d 62 f8 lea -0x8(%r10),%rsp 2823 * c3 retq 2824 * 2825 * Sometimes r13 is used as the DRAP register, in which case it's saved and 2826 * restored beforehand: 2827 * 2828 * 41 55 push %r13 2829 * 4c 8d 6c 24 10 lea 0x10(%rsp),%r13 2830 * 48 83 e4 f0 and $0xfffffffffffffff0,%rsp 2831 * ... 2832 * 49 8d 65 f0 lea -0x10(%r13),%rsp 2833 * 41 5d pop %r13 2834 * c3 retq 2835 */ 2836 static int update_cfi_state(struct instruction *insn, 2837 struct instruction *next_insn, 2838 struct cfi_state *cfi, struct stack_op *op) 2839 { 2840 struct cfi_reg *cfa = &cfi->cfa; 2841 struct cfi_reg *regs = cfi->regs; 2842 2843 /* ignore UNWIND_HINT_UNDEFINED regions */ 2844 if (cfi->force_undefined) 2845 return 0; 2846 2847 /* stack operations don't make sense with an undefined CFA */ 2848 if (cfa->base == CFI_UNDEFINED) { 2849 if (insn_func(insn)) { 2850 WARN_INSN(insn, "undefined stack state"); 2851 return 1; 2852 } 2853 return 0; 2854 } 2855 2856 if (cfi->type == UNWIND_HINT_TYPE_REGS || 2857 cfi->type == UNWIND_HINT_TYPE_REGS_PARTIAL) 2858 return update_cfi_state_regs(insn, cfi, op); 2859 2860 switch (op->dest.type) { 2861 2862 case OP_DEST_REG: 2863 switch (op->src.type) { 2864 2865 case OP_SRC_REG: 2866 if (op->src.reg == CFI_SP && op->dest.reg == CFI_BP && 2867 cfa->base == CFI_SP && 2868 check_reg_frame_pos(®s[CFI_BP], -cfa->offset)) { 2869 2870 /* mov %rsp, %rbp */ 2871 cfa->base = op->dest.reg; 2872 cfi->bp_scratch = false; 2873 } 2874 2875 else if (op->src.reg == CFI_SP && 2876 op->dest.reg == CFI_BP && cfi->drap) { 2877 2878 /* drap: mov %rsp, %rbp */ 2879 regs[CFI_BP].base = CFI_BP; 2880 regs[CFI_BP].offset = -cfi->stack_size; 2881 cfi->bp_scratch = false; 2882 } 2883 2884 else if (op->src.reg == CFI_SP && cfa->base == CFI_SP) { 2885 2886 /* 2887 * mov %rsp, %reg 2888 * 2889 * This is needed for the rare case where GCC 2890 * does: 2891 * 2892 * mov %rsp, %rax 2893 * ... 2894 * mov %rax, %rsp 2895 */ 2896 cfi->vals[op->dest.reg].base = CFI_CFA; 2897 cfi->vals[op->dest.reg].offset = -cfi->stack_size; 2898 } 2899 2900 else if (op->src.reg == CFI_BP && op->dest.reg == CFI_SP && 2901 (cfa->base == CFI_BP || cfa->base == cfi->drap_reg)) { 2902 2903 /* 2904 * mov %rbp, %rsp 2905 * 2906 * Restore the original stack pointer (Clang). 2907 */ 2908 cfi->stack_size = -cfi->regs[CFI_BP].offset; 2909 } 2910 2911 else if (op->dest.reg == cfa->base) { 2912 2913 /* mov %reg, %rsp */ 2914 if (cfa->base == CFI_SP && 2915 cfi->vals[op->src.reg].base == CFI_CFA) { 2916 2917 /* 2918 * This is needed for the rare case 2919 * where GCC does something dumb like: 2920 * 2921 * lea 0x8(%rsp), %rcx 2922 * ... 2923 * mov %rcx, %rsp 2924 */ 2925 cfa->offset = -cfi->vals[op->src.reg].offset; 2926 cfi->stack_size = cfa->offset; 2927 2928 } else if (cfa->base == CFI_SP && 2929 cfi->vals[op->src.reg].base == CFI_SP_INDIRECT && 2930 cfi->vals[op->src.reg].offset == cfa->offset) { 2931 2932 /* 2933 * Stack swizzle: 2934 * 2935 * 1: mov %rsp, (%[tos]) 2936 * 2: mov %[tos], %rsp 2937 * ... 2938 * 3: pop %rsp 2939 * 2940 * Where: 2941 * 2942 * 1 - places a pointer to the previous 2943 * stack at the Top-of-Stack of the 2944 * new stack. 2945 * 2946 * 2 - switches to the new stack. 2947 * 2948 * 3 - pops the Top-of-Stack to restore 2949 * the original stack. 2950 * 2951 * Note: we set base to SP_INDIRECT 2952 * here and preserve offset. Therefore 2953 * when the unwinder reaches ToS it 2954 * will dereference SP and then add the 2955 * offset to find the next frame, IOW: 2956 * (%rsp) + offset. 2957 */ 2958 cfa->base = CFI_SP_INDIRECT; 2959 2960 } else { 2961 cfa->base = CFI_UNDEFINED; 2962 cfa->offset = 0; 2963 } 2964 } 2965 2966 else if (op->dest.reg == CFI_SP && 2967 cfi->vals[op->src.reg].base == CFI_SP_INDIRECT && 2968 cfi->vals[op->src.reg].offset == cfa->offset) { 2969 2970 /* 2971 * The same stack swizzle case 2) as above. But 2972 * because we can't change cfa->base, case 3) 2973 * will become a regular POP. Pretend we're a 2974 * PUSH so things don't go unbalanced. 2975 */ 2976 cfi->stack_size += 8; 2977 } 2978 2979 else if (cfi->vals[op->src.reg].base == CFI_CFA) { 2980 /* 2981 * Clang RSP musical chairs: 2982 * 2983 * mov %rsp, %rdx [handled above] 2984 * ... 2985 * mov %rdx, %rbx [handled here] 2986 * ... 2987 * mov %rbx, %rsp [handled above] 2988 */ 2989 cfi->vals[op->dest.reg].base = CFI_CFA; 2990 cfi->vals[op->dest.reg].offset = cfi->vals[op->src.reg].offset; 2991 } 2992 2993 2994 break; 2995 2996 case OP_SRC_ADD: 2997 if (op->dest.reg == CFI_SP && op->src.reg == CFI_SP) { 2998 2999 /* add imm, %rsp */ 3000 cfi->stack_size -= op->src.offset; 3001 if (cfa->base == CFI_SP) 3002 cfa->offset -= op->src.offset; 3003 break; 3004 } 3005 3006 if (op->dest.reg == CFI_BP && op->src.reg == CFI_SP && 3007 insn_sym(insn)->frame_pointer) { 3008 /* addi.d fp,sp,imm on LoongArch */ 3009 if (cfa->base == CFI_SP && cfa->offset == op->src.offset) { 3010 cfa->base = CFI_BP; 3011 cfa->offset = 0; 3012 } 3013 break; 3014 } 3015 3016 if (op->dest.reg == CFI_SP && op->src.reg == CFI_BP) { 3017 /* addi.d sp,fp,imm on LoongArch */ 3018 if (cfa->base == CFI_BP && cfa->offset == 0) { 3019 if (insn_sym(insn)->frame_pointer) { 3020 cfa->base = CFI_SP; 3021 cfa->offset = -op->src.offset; 3022 } 3023 } else { 3024 /* lea disp(%rbp), %rsp */ 3025 cfi->stack_size = -(op->src.offset + regs[CFI_BP].offset); 3026 } 3027 break; 3028 } 3029 3030 if (op->src.reg == CFI_SP && cfa->base == CFI_SP) { 3031 3032 /* drap: lea disp(%rsp), %drap */ 3033 cfi->drap_reg = op->dest.reg; 3034 3035 /* 3036 * lea disp(%rsp), %reg 3037 * 3038 * This is needed for the rare case where GCC 3039 * does something dumb like: 3040 * 3041 * lea 0x8(%rsp), %rcx 3042 * ... 3043 * mov %rcx, %rsp 3044 */ 3045 cfi->vals[op->dest.reg].base = CFI_CFA; 3046 cfi->vals[op->dest.reg].offset = \ 3047 -cfi->stack_size + op->src.offset; 3048 3049 break; 3050 } 3051 3052 if (cfi->drap && op->dest.reg == CFI_SP && 3053 op->src.reg == cfi->drap_reg) { 3054 3055 /* drap: lea disp(%drap), %rsp */ 3056 cfa->base = CFI_SP; 3057 cfa->offset = cfi->stack_size = -op->src.offset; 3058 cfi->drap_reg = CFI_UNDEFINED; 3059 cfi->drap = false; 3060 break; 3061 } 3062 3063 if (op->dest.reg == cfi->cfa.base && !(next_insn && next_insn->hint)) { 3064 WARN_INSN(insn, "unsupported stack register modification"); 3065 return -1; 3066 } 3067 3068 break; 3069 3070 case OP_SRC_AND: 3071 if (op->dest.reg != CFI_SP || 3072 (cfi->drap_reg != CFI_UNDEFINED && cfa->base != CFI_SP) || 3073 (cfi->drap_reg == CFI_UNDEFINED && cfa->base != CFI_BP)) { 3074 WARN_INSN(insn, "unsupported stack pointer realignment"); 3075 return -1; 3076 } 3077 3078 if (cfi->drap_reg != CFI_UNDEFINED) { 3079 /* drap: and imm, %rsp */ 3080 cfa->base = cfi->drap_reg; 3081 cfa->offset = cfi->stack_size = 0; 3082 cfi->drap = true; 3083 } 3084 3085 /* 3086 * Older versions of GCC (4.8ish) realign the stack 3087 * without DRAP, with a frame pointer. 3088 */ 3089 3090 break; 3091 3092 case OP_SRC_POP: 3093 case OP_SRC_POPF: 3094 if (op->dest.reg == CFI_SP && cfa->base == CFI_SP_INDIRECT) { 3095 3096 /* pop %rsp; # restore from a stack swizzle */ 3097 cfa->base = CFI_SP; 3098 break; 3099 } 3100 3101 if (!cfi->drap && op->dest.reg == cfa->base) { 3102 3103 /* pop %rbp */ 3104 cfa->base = CFI_SP; 3105 } 3106 3107 if (cfi->drap && cfa->base == CFI_BP_INDIRECT && 3108 op->dest.reg == cfi->drap_reg && 3109 cfi->drap_offset == -cfi->stack_size) { 3110 3111 /* drap: pop %drap */ 3112 cfa->base = cfi->drap_reg; 3113 cfa->offset = 0; 3114 cfi->drap_offset = -1; 3115 3116 } else if (cfi->stack_size == -regs[op->dest.reg].offset) { 3117 3118 /* pop %reg */ 3119 restore_reg(cfi, op->dest.reg); 3120 } 3121 3122 cfi->stack_size -= 8; 3123 if (cfa->base == CFI_SP) 3124 cfa->offset -= 8; 3125 3126 break; 3127 3128 case OP_SRC_REG_INDIRECT: 3129 if (!cfi->drap && op->dest.reg == cfa->base && 3130 op->dest.reg == CFI_BP) { 3131 3132 /* mov disp(%rsp), %rbp */ 3133 cfa->base = CFI_SP; 3134 cfa->offset = cfi->stack_size; 3135 } 3136 3137 if (cfi->drap && op->src.reg == CFI_BP && 3138 op->src.offset == cfi->drap_offset) { 3139 3140 /* drap: mov disp(%rbp), %drap */ 3141 cfa->base = cfi->drap_reg; 3142 cfa->offset = 0; 3143 cfi->drap_offset = -1; 3144 } 3145 3146 if (cfi->drap && op->src.reg == CFI_BP && 3147 op->src.offset == regs[op->dest.reg].offset) { 3148 3149 /* drap: mov disp(%rbp), %reg */ 3150 restore_reg(cfi, op->dest.reg); 3151 3152 } else if (op->src.reg == cfa->base && 3153 op->src.offset == regs[op->dest.reg].offset + cfa->offset) { 3154 3155 /* mov disp(%rbp), %reg */ 3156 /* mov disp(%rsp), %reg */ 3157 restore_reg(cfi, op->dest.reg); 3158 3159 } else if (op->src.reg == CFI_SP && 3160 op->src.offset == regs[op->dest.reg].offset + cfi->stack_size) { 3161 3162 /* mov disp(%rsp), %reg */ 3163 restore_reg(cfi, op->dest.reg); 3164 } 3165 3166 break; 3167 3168 default: 3169 WARN_INSN(insn, "unknown stack-related instruction"); 3170 return -1; 3171 } 3172 3173 break; 3174 3175 case OP_DEST_PUSH: 3176 case OP_DEST_PUSHF: 3177 cfi->stack_size += 8; 3178 if (cfa->base == CFI_SP) 3179 cfa->offset += 8; 3180 3181 if (op->src.type != OP_SRC_REG) 3182 break; 3183 3184 if (cfi->drap) { 3185 if (op->src.reg == cfa->base && op->src.reg == cfi->drap_reg) { 3186 3187 /* drap: push %drap */ 3188 cfa->base = CFI_BP_INDIRECT; 3189 cfa->offset = -cfi->stack_size; 3190 3191 /* save drap so we know when to restore it */ 3192 cfi->drap_offset = -cfi->stack_size; 3193 3194 } else if (op->src.reg == CFI_BP && cfa->base == cfi->drap_reg) { 3195 3196 /* drap: push %rbp */ 3197 cfi->stack_size = 0; 3198 3199 } else { 3200 3201 /* drap: push %reg */ 3202 save_reg(cfi, op->src.reg, CFI_BP, -cfi->stack_size); 3203 } 3204 3205 } else { 3206 3207 /* push %reg */ 3208 save_reg(cfi, op->src.reg, CFI_CFA, -cfi->stack_size); 3209 } 3210 3211 /* detect when asm code uses rbp as a scratch register */ 3212 if (opts.stackval && insn_func(insn) && op->src.reg == CFI_BP && 3213 cfa->base != CFI_BP) 3214 cfi->bp_scratch = true; 3215 break; 3216 3217 case OP_DEST_REG_INDIRECT: 3218 3219 if (cfi->drap) { 3220 if (op->src.reg == cfa->base && op->src.reg == cfi->drap_reg) { 3221 3222 /* drap: mov %drap, disp(%rbp) */ 3223 cfa->base = CFI_BP_INDIRECT; 3224 cfa->offset = op->dest.offset; 3225 3226 /* save drap offset so we know when to restore it */ 3227 cfi->drap_offset = op->dest.offset; 3228 } else { 3229 3230 /* drap: mov reg, disp(%rbp) */ 3231 save_reg(cfi, op->src.reg, CFI_BP, op->dest.offset); 3232 } 3233 3234 } else if (op->dest.reg == cfa->base) { 3235 3236 /* mov reg, disp(%rbp) */ 3237 /* mov reg, disp(%rsp) */ 3238 save_reg(cfi, op->src.reg, CFI_CFA, 3239 op->dest.offset - cfi->cfa.offset); 3240 3241 } else if (op->dest.reg == CFI_SP) { 3242 3243 /* mov reg, disp(%rsp) */ 3244 save_reg(cfi, op->src.reg, CFI_CFA, 3245 op->dest.offset - cfi->stack_size); 3246 3247 } else if (op->src.reg == CFI_SP && op->dest.offset == 0) { 3248 3249 /* mov %rsp, (%reg); # setup a stack swizzle. */ 3250 cfi->vals[op->dest.reg].base = CFI_SP_INDIRECT; 3251 cfi->vals[op->dest.reg].offset = cfa->offset; 3252 } 3253 3254 break; 3255 3256 case OP_DEST_MEM: 3257 if (op->src.type != OP_SRC_POP && op->src.type != OP_SRC_POPF) { 3258 WARN_INSN(insn, "unknown stack-related memory operation"); 3259 return -1; 3260 } 3261 3262 /* pop mem */ 3263 cfi->stack_size -= 8; 3264 if (cfa->base == CFI_SP) 3265 cfa->offset -= 8; 3266 3267 break; 3268 3269 default: 3270 WARN_INSN(insn, "unknown stack-related instruction"); 3271 return -1; 3272 } 3273 3274 return 0; 3275 } 3276 3277 /* 3278 * The stack layouts of alternatives instructions can sometimes diverge when 3279 * they have stack modifications. That's fine as long as the potential stack 3280 * layouts don't conflict at any given potential instruction boundary. 3281 * 3282 * Flatten the CFIs of the different alternative code streams (both original 3283 * and replacement) into a single shared CFI array which can be used to detect 3284 * conflicts and nicely feed a linear array of ORC entries to the unwinder. 3285 */ 3286 static int propagate_alt_cfi(struct objtool_file *file, struct instruction *insn) 3287 { 3288 struct cfi_state **alt_cfi; 3289 int group_off; 3290 3291 if (!insn->alt_group) 3292 return 0; 3293 3294 if (!insn->cfi) { 3295 WARN("CFI missing"); 3296 return -1; 3297 } 3298 3299 alt_cfi = insn->alt_group->cfi; 3300 group_off = insn->offset - insn->alt_group->first_insn->offset; 3301 3302 if (!alt_cfi[group_off]) { 3303 alt_cfi[group_off] = insn->cfi; 3304 } else { 3305 if (cficmp(alt_cfi[group_off], insn->cfi)) { 3306 struct alt_group *orig_group = insn->alt_group->orig_group ?: insn->alt_group; 3307 struct instruction *orig = orig_group->first_insn; 3308 WARN_INSN(orig, "stack layout conflict in alternatives: %s", 3309 offstr(insn->sec, insn->offset)); 3310 return -1; 3311 } 3312 } 3313 3314 return 0; 3315 } 3316 3317 static int noinline handle_insn_ops(struct instruction *insn, 3318 struct instruction *next_insn, 3319 struct insn_state *state) 3320 { 3321 struct insn_state prev_state __maybe_unused = *state; 3322 struct stack_op *op; 3323 int ret = 0; 3324 3325 for (op = insn->stack_ops; op; op = op->next) { 3326 3327 ret = update_cfi_state(insn, next_insn, &state->cfi, op); 3328 if (ret) 3329 goto done; 3330 3331 if (!opts.uaccess || !insn->alt_group) 3332 continue; 3333 3334 if (op->dest.type == OP_DEST_PUSHF) { 3335 if (!state->uaccess_stack) { 3336 state->uaccess_stack = 1; 3337 } else if (state->uaccess_stack >> 31) { 3338 WARN_INSN(insn, "PUSHF stack exhausted"); 3339 ret = 1; 3340 goto done; 3341 } 3342 state->uaccess_stack <<= 1; 3343 state->uaccess_stack |= state->uaccess; 3344 } 3345 3346 if (op->src.type == OP_SRC_POPF) { 3347 if (state->uaccess_stack) { 3348 state->uaccess = state->uaccess_stack & 1; 3349 state->uaccess_stack >>= 1; 3350 if (state->uaccess_stack == 1) 3351 state->uaccess_stack = 0; 3352 } 3353 } 3354 } 3355 3356 done: 3357 TRACE_INSN_STATE(insn, &prev_state, state); 3358 3359 return ret; 3360 } 3361 3362 static bool insn_cfi_match(struct instruction *insn, struct cfi_state *cfi2) 3363 { 3364 struct cfi_state *cfi1 = insn->cfi; 3365 int i; 3366 3367 if (!cfi1) { 3368 WARN("CFI missing"); 3369 return false; 3370 } 3371 3372 if (memcmp(&cfi1->cfa, &cfi2->cfa, sizeof(cfi1->cfa))) { 3373 3374 WARN_INSN(insn, "stack state mismatch: cfa1=%d%+d cfa2=%d%+d", 3375 cfi1->cfa.base, cfi1->cfa.offset, 3376 cfi2->cfa.base, cfi2->cfa.offset); 3377 return false; 3378 3379 } 3380 3381 if (memcmp(&cfi1->regs, &cfi2->regs, sizeof(cfi1->regs))) { 3382 for (i = 0; i < CFI_NUM_REGS; i++) { 3383 3384 if (!memcmp(&cfi1->regs[i], &cfi2->regs[i], sizeof(struct cfi_reg))) 3385 continue; 3386 3387 WARN_INSN(insn, "stack state mismatch: reg1[%d]=%d%+d reg2[%d]=%d%+d", 3388 i, cfi1->regs[i].base, cfi1->regs[i].offset, 3389 i, cfi2->regs[i].base, cfi2->regs[i].offset); 3390 } 3391 return false; 3392 } 3393 3394 if (cfi1->type != cfi2->type) { 3395 3396 WARN_INSN(insn, "stack state mismatch: type1=%d type2=%d", 3397 cfi1->type, cfi2->type); 3398 return false; 3399 } 3400 3401 if (cfi1->drap != cfi2->drap || 3402 (cfi1->drap && cfi1->drap_reg != cfi2->drap_reg) || 3403 (cfi1->drap && cfi1->drap_offset != cfi2->drap_offset)) { 3404 3405 WARN_INSN(insn, "stack state mismatch: drap1=%d(%d,%d) drap2=%d(%d,%d)", 3406 cfi1->drap, cfi1->drap_reg, cfi1->drap_offset, 3407 cfi2->drap, cfi2->drap_reg, cfi2->drap_offset); 3408 return false; 3409 } 3410 3411 return true; 3412 } 3413 3414 static inline bool func_uaccess_safe(struct symbol *func) 3415 { 3416 if (func) 3417 return func->uaccess_safe; 3418 3419 return false; 3420 } 3421 3422 static inline const char *call_dest_name(struct instruction *insn) 3423 { 3424 static char pvname[19]; 3425 struct reloc *reloc; 3426 int idx; 3427 3428 if (insn_call_dest(insn)) 3429 return insn_call_dest(insn)->name; 3430 3431 reloc = insn_reloc(NULL, insn); 3432 if (reloc && !strcmp(reloc->sym->name, "pv_ops")) { 3433 idx = (reloc_addend(reloc) / sizeof(void *)); 3434 snprintf(pvname, sizeof(pvname), "pv_ops[%d]", idx); 3435 return pvname; 3436 } 3437 3438 return "{dynamic}"; 3439 } 3440 3441 static bool pv_call_dest(struct objtool_file *file, struct instruction *insn) 3442 { 3443 struct symbol *target; 3444 struct reloc *reloc; 3445 int idx; 3446 3447 reloc = insn_reloc(file, insn); 3448 if (!reloc || strcmp(reloc->sym->name, "pv_ops")) 3449 return false; 3450 3451 idx = arch_insn_adjusted_addend(insn, reloc) / sizeof(void *); 3452 3453 if (file->pv_ops[idx].clean) 3454 return true; 3455 3456 file->pv_ops[idx].clean = true; 3457 3458 list_for_each_entry(target, &file->pv_ops[idx].targets, pv_target) { 3459 if (!target->sec->noinstr) { 3460 WARN("pv_ops[%d]: %s", idx, target->name); 3461 file->pv_ops[idx].clean = false; 3462 } 3463 } 3464 3465 return file->pv_ops[idx].clean; 3466 } 3467 3468 static inline bool noinstr_call_dest(struct objtool_file *file, 3469 struct instruction *insn, 3470 struct symbol *func) 3471 { 3472 /* 3473 * We can't deal with indirect function calls at present; 3474 * assume they're instrumented. 3475 */ 3476 if (!func) { 3477 if (file->pv_ops) 3478 return pv_call_dest(file, insn); 3479 3480 return false; 3481 } 3482 3483 /* 3484 * If the symbol is from a noinstr section; we good. 3485 */ 3486 if (func->sec->noinstr) 3487 return true; 3488 3489 /* 3490 * If the symbol is a static_call trampoline, we can't tell. 3491 */ 3492 if (func->static_call_tramp) 3493 return true; 3494 3495 /* 3496 * The __ubsan_handle_*() calls are like WARN(), they only happen when 3497 * something 'BAD' happened. At the risk of taking the machine down, 3498 * let them proceed to get the message out. 3499 */ 3500 if (!strncmp(func->name, "__ubsan_handle_", 15)) 3501 return true; 3502 3503 return false; 3504 } 3505 3506 static int validate_call(struct objtool_file *file, 3507 struct instruction *insn, 3508 struct insn_state *state) 3509 { 3510 if (state->noinstr && state->instr <= 0 && 3511 !noinstr_call_dest(file, insn, insn_call_dest(insn))) { 3512 WARN_INSN(insn, "call to %s() leaves .noinstr.text section", call_dest_name(insn)); 3513 return 1; 3514 } 3515 3516 if (state->uaccess && !func_uaccess_safe(insn_call_dest(insn))) { 3517 WARN_INSN(insn, "call to %s() with UACCESS enabled", call_dest_name(insn)); 3518 return 1; 3519 } 3520 3521 if (state->df) { 3522 WARN_INSN(insn, "call to %s() with DF set", call_dest_name(insn)); 3523 return 1; 3524 } 3525 3526 return 0; 3527 } 3528 3529 static int validate_sibling_call(struct objtool_file *file, 3530 struct instruction *insn, 3531 struct insn_state *state) 3532 { 3533 if (insn_func(insn) && has_modified_stack_frame(insn, state)) { 3534 WARN_INSN(insn, "sibling call from callable instruction with modified stack frame"); 3535 return 1; 3536 } 3537 3538 return validate_call(file, insn, state); 3539 } 3540 3541 static int validate_return(struct symbol *func, struct instruction *insn, struct insn_state *state) 3542 { 3543 if (state->noinstr && state->instr > 0) { 3544 WARN_INSN(insn, "return with instrumentation enabled"); 3545 return 1; 3546 } 3547 3548 if (state->uaccess && !func_uaccess_safe(func)) { 3549 WARN_INSN(insn, "return with UACCESS enabled"); 3550 return 1; 3551 } 3552 3553 if (!state->uaccess && func_uaccess_safe(func)) { 3554 WARN_INSN(insn, "return with UACCESS disabled from a UACCESS-safe function"); 3555 return 1; 3556 } 3557 3558 if (state->df) { 3559 WARN_INSN(insn, "return with DF set"); 3560 return 1; 3561 } 3562 3563 if (func && has_modified_stack_frame(insn, state)) { 3564 WARN_INSN(insn, "return with modified stack frame"); 3565 return 1; 3566 } 3567 3568 if (state->cfi.bp_scratch) { 3569 WARN_INSN(insn, "BP used as a scratch register"); 3570 return 1; 3571 } 3572 3573 return 0; 3574 } 3575 3576 static struct instruction *next_insn_to_validate(struct objtool_file *file, 3577 struct instruction *insn) 3578 { 3579 struct alt_group *alt_group = insn->alt_group; 3580 3581 /* 3582 * Simulate the fact that alternatives are patched in-place. When the 3583 * end of a replacement alt_group is reached, redirect objtool flow to 3584 * the end of the original alt_group. 3585 * 3586 * insn->alts->insn -> alt_group->first_insn 3587 * ... 3588 * alt_group->last_insn 3589 * [alt_group->nop] -> next(orig_group->last_insn) 3590 */ 3591 if (alt_group) { 3592 if (alt_group->nop) { 3593 /* ->nop implies ->orig_group */ 3594 if (insn == alt_group->last_insn) 3595 return alt_group->nop; 3596 if (insn == alt_group->nop) 3597 goto next_orig; 3598 } 3599 if (insn == alt_group->last_insn && alt_group->orig_group) 3600 goto next_orig; 3601 } 3602 3603 return next_insn_same_sec(file, insn); 3604 3605 next_orig: 3606 return next_insn_same_sec(file, alt_group->orig_group->last_insn); 3607 } 3608 3609 static bool skip_alt_group(struct instruction *insn) 3610 { 3611 struct instruction *alt_insn = insn->alts ? insn->alts->insn : NULL; 3612 3613 if (!insn->alt_group) 3614 return false; 3615 3616 /* ANNOTATE_IGNORE_ALTERNATIVE */ 3617 if (insn->alt_group->ignore) { 3618 TRACE_ALT(insn, "alt group ignored"); 3619 return true; 3620 } 3621 3622 /* 3623 * For NOP patched with CLAC/STAC, only follow the latter to avoid 3624 * impossible code paths combining patched CLAC with unpatched STAC 3625 * or vice versa. 3626 * 3627 * ANNOTATE_IGNORE_ALTERNATIVE could have been used here, but Linus 3628 * requested not to do that to avoid hurting .s file readability 3629 * around CLAC/STAC alternative sites. 3630 */ 3631 3632 if (!alt_insn) 3633 return false; 3634 3635 /* Don't override ASM_{CLAC,STAC}_UNSAFE */ 3636 if (alt_insn->alt_group && alt_insn->alt_group->ignore) 3637 return false; 3638 3639 return alt_insn->type == INSN_CLAC || alt_insn->type == INSN_STAC; 3640 } 3641 3642 static int validate_branch(struct objtool_file *file, struct symbol *func, 3643 struct instruction *insn, struct insn_state state); 3644 static int do_validate_branch(struct objtool_file *file, struct symbol *func, 3645 struct instruction *insn, struct insn_state *state); 3646 3647 static int validate_insn(struct objtool_file *file, struct symbol *func, 3648 struct instruction *insn, struct insn_state *statep, 3649 struct instruction *prev_insn, struct instruction *next_insn, 3650 bool *dead_end) 3651 { 3652 char *alt_name __maybe_unused = NULL; 3653 struct alternative *alt; 3654 u8 visited; 3655 int ret; 3656 3657 /* 3658 * Any returns before the end of this function are effectively dead 3659 * ends, i.e. validate_branch() has reached the end of the branch. 3660 */ 3661 *dead_end = true; 3662 3663 visited = VISITED_BRANCH << statep->uaccess; 3664 if (insn->visited & VISITED_BRANCH_MASK) { 3665 if (!insn->hint && !insn_cfi_match(insn, &statep->cfi)) 3666 return 1; 3667 3668 if (insn->visited & visited) { 3669 TRACE_INSN(insn, "already visited"); 3670 return 0; 3671 } 3672 } else { 3673 nr_insns_visited++; 3674 } 3675 3676 if (statep->noinstr) 3677 statep->instr += insn->instr; 3678 3679 if (insn->hint) { 3680 if (insn->restore) { 3681 struct instruction *save_insn, *i; 3682 3683 i = insn; 3684 save_insn = NULL; 3685 3686 sym_for_each_insn_continue_reverse(file, func, i) { 3687 if (i->save) { 3688 save_insn = i; 3689 break; 3690 } 3691 } 3692 3693 if (!save_insn) { 3694 WARN_INSN(insn, "no corresponding CFI save for CFI restore"); 3695 return 1; 3696 } 3697 3698 if (!save_insn->visited) { 3699 /* 3700 * If the restore hint insn is at the 3701 * beginning of a basic block and was 3702 * branched to from elsewhere, and the 3703 * save insn hasn't been visited yet, 3704 * defer following this branch for now. 3705 * It will be seen later via the 3706 * straight-line path. 3707 */ 3708 if (!prev_insn) { 3709 TRACE_INSN(insn, "defer restore"); 3710 return 0; 3711 } 3712 3713 WARN_INSN(insn, "objtool isn't smart enough to handle this CFI save/restore combo"); 3714 return 1; 3715 } 3716 3717 insn->cfi = save_insn->cfi; 3718 nr_cfi_reused++; 3719 } 3720 3721 statep->cfi = *insn->cfi; 3722 } else { 3723 /* XXX track if we actually changed statep->cfi */ 3724 3725 if (prev_insn && !cficmp(prev_insn->cfi, &statep->cfi)) { 3726 insn->cfi = prev_insn->cfi; 3727 nr_cfi_reused++; 3728 } else { 3729 insn->cfi = cfi_hash_find_or_add(&statep->cfi); 3730 } 3731 } 3732 3733 insn->visited |= visited; 3734 3735 if (propagate_alt_cfi(file, insn)) 3736 return 1; 3737 3738 if (insn->alts) { 3739 for (alt = insn->alts; alt; alt = alt->next) { 3740 TRACE_ALT_BEGIN(insn, alt, alt_name); 3741 ret = validate_branch(file, func, alt->insn, *statep); 3742 TRACE_ALT_END(insn, alt, alt_name); 3743 if (ret) { 3744 BT_INSN(insn, "(alt)"); 3745 return ret; 3746 } 3747 } 3748 TRACE_ALT_INFO_NOADDR(insn, "/ ", "DEFAULT"); 3749 } 3750 3751 if (skip_alt_group(insn)) 3752 return 0; 3753 3754 if (handle_insn_ops(insn, next_insn, statep)) 3755 return 1; 3756 3757 switch (insn->type) { 3758 3759 case INSN_RETURN: 3760 TRACE_INSN(insn, "return"); 3761 return validate_return(func, insn, statep); 3762 3763 case INSN_CALL: 3764 case INSN_CALL_DYNAMIC: 3765 if (insn->type == INSN_CALL) 3766 TRACE_INSN(insn, "call"); 3767 else 3768 TRACE_INSN(insn, "indirect call"); 3769 3770 ret = validate_call(file, insn, statep); 3771 if (ret) 3772 return ret; 3773 3774 if (opts.stackval && func && !is_special_call(insn) && 3775 !has_valid_stack_frame(statep)) { 3776 WARN_INSN(insn, "call without frame pointer save/setup"); 3777 return 1; 3778 } 3779 3780 break; 3781 3782 case INSN_JUMP_CONDITIONAL: 3783 case INSN_JUMP_UNCONDITIONAL: 3784 if (is_sibling_call(insn)) { 3785 TRACE_INSN(insn, "sibling call"); 3786 ret = validate_sibling_call(file, insn, statep); 3787 if (ret) 3788 return ret; 3789 3790 } else if (insn->jump_dest) { 3791 if (insn->type == INSN_JUMP_UNCONDITIONAL) 3792 TRACE_INSN(insn, "unconditional jump"); 3793 else 3794 TRACE_INSN(insn, "jump taken"); 3795 3796 ret = validate_branch(file, func, insn->jump_dest, *statep); 3797 if (ret) { 3798 BT_INSN(insn, "(branch)"); 3799 return ret; 3800 } 3801 } 3802 3803 if (insn->type == INSN_JUMP_UNCONDITIONAL) 3804 return 0; 3805 3806 TRACE_INSN(insn, "jump not taken"); 3807 break; 3808 3809 case INSN_JUMP_DYNAMIC: 3810 case INSN_JUMP_DYNAMIC_CONDITIONAL: 3811 TRACE_INSN(insn, "indirect jump"); 3812 if (is_sibling_call(insn)) { 3813 ret = validate_sibling_call(file, insn, statep); 3814 if (ret) 3815 return ret; 3816 } 3817 3818 if (insn->type == INSN_JUMP_DYNAMIC) 3819 return 0; 3820 3821 break; 3822 3823 case INSN_SYSCALL: 3824 TRACE_INSN(insn, "syscall"); 3825 if (func && (!next_insn || !next_insn->hint)) { 3826 WARN_INSN(insn, "unsupported instruction in callable function"); 3827 return 1; 3828 } 3829 3830 break; 3831 3832 case INSN_SYSRET: 3833 TRACE_INSN(insn, "sysret"); 3834 if (func && (!next_insn || !next_insn->hint)) { 3835 WARN_INSN(insn, "unsupported instruction in callable function"); 3836 return 1; 3837 } 3838 3839 return 0; 3840 3841 case INSN_STAC: 3842 TRACE_INSN(insn, "stac"); 3843 if (!opts.uaccess) 3844 break; 3845 3846 if (statep->uaccess) { 3847 WARN_INSN(insn, "recursive UACCESS enable"); 3848 return 1; 3849 } 3850 3851 statep->uaccess = true; 3852 break; 3853 3854 case INSN_CLAC: 3855 TRACE_INSN(insn, "clac"); 3856 if (!opts.uaccess) 3857 break; 3858 3859 if (!statep->uaccess && func) { 3860 WARN_INSN(insn, "redundant UACCESS disable"); 3861 return 1; 3862 } 3863 3864 if (func_uaccess_safe(func) && !statep->uaccess_stack) { 3865 WARN_INSN(insn, "UACCESS-safe disables UACCESS"); 3866 return 1; 3867 } 3868 3869 statep->uaccess = false; 3870 break; 3871 3872 case INSN_STD: 3873 TRACE_INSN(insn, "std"); 3874 if (statep->df) { 3875 WARN_INSN(insn, "recursive STD"); 3876 return 1; 3877 } 3878 3879 statep->df = true; 3880 break; 3881 3882 case INSN_CLD: 3883 TRACE_INSN(insn, "cld"); 3884 if (!statep->df && func) { 3885 WARN_INSN(insn, "redundant CLD"); 3886 return 1; 3887 } 3888 3889 statep->df = false; 3890 break; 3891 3892 default: 3893 break; 3894 } 3895 3896 if (insn->dead_end) 3897 TRACE_INSN(insn, "dead end"); 3898 3899 *dead_end = insn->dead_end; 3900 return 0; 3901 } 3902 3903 /* 3904 * Follow the branch starting at the given instruction, and recursively follow 3905 * any other branches (jumps). Meanwhile, track the frame pointer state at 3906 * each instruction and validate all the rules described in 3907 * tools/objtool/Documentation/objtool.txt. 3908 */ 3909 static int do_validate_branch(struct objtool_file *file, struct symbol *func, 3910 struct instruction *insn, struct insn_state *state) 3911 { 3912 struct instruction *next_insn, *prev_insn = NULL; 3913 bool dead_end; 3914 int ret; 3915 3916 if (func && func->ignore) 3917 return 0; 3918 3919 do { 3920 insn->trace = 0; 3921 next_insn = next_insn_to_validate(file, insn); 3922 3923 if (func && insn_func(insn) && func != insn_func(insn)->pfunc) { 3924 /* Ignore KCFI type preambles, which always fall through */ 3925 if (is_prefix_func(func)) 3926 return 0; 3927 3928 if (file->ignore_unreachables) 3929 return 0; 3930 3931 WARN("%s() falls through to next function %s()", 3932 func->name, insn_func(insn)->name); 3933 func->warned = 1; 3934 3935 return 1; 3936 } 3937 3938 ret = validate_insn(file, func, insn, state, prev_insn, next_insn, 3939 &dead_end); 3940 3941 if (!insn->trace) { 3942 if (ret) 3943 TRACE_INSN(insn, "warning (%d)", ret); 3944 else 3945 TRACE_INSN(insn, NULL); 3946 } 3947 3948 if (!dead_end && !next_insn) { 3949 if (state->cfi.cfa.base == CFI_UNDEFINED) 3950 return 0; 3951 if (file->ignore_unreachables) 3952 return 0; 3953 3954 WARN("%s%sunexpected end of section %s", 3955 func ? func->name : "", func ? "(): " : "", 3956 insn->sec->name); 3957 return 1; 3958 } 3959 3960 prev_insn = insn; 3961 insn = next_insn; 3962 3963 } while (!dead_end); 3964 3965 return ret; 3966 } 3967 3968 static int validate_branch(struct objtool_file *file, struct symbol *func, 3969 struct instruction *insn, struct insn_state state) 3970 { 3971 int ret; 3972 3973 trace_depth_inc(); 3974 ret = do_validate_branch(file, func, insn, &state); 3975 trace_depth_dec(); 3976 3977 return ret; 3978 } 3979 3980 static int validate_unwind_hint(struct objtool_file *file, 3981 struct instruction *insn, 3982 struct insn_state *state) 3983 { 3984 if (insn->hint && !insn->visited) { 3985 struct symbol *func = insn_func(insn); 3986 int ret; 3987 3988 ret = validate_branch(file, func, insn, *state); 3989 if (ret) 3990 BT_INSN(insn, "<=== (hint)"); 3991 return ret; 3992 } 3993 3994 return 0; 3995 } 3996 3997 static int validate_unwind_hints(struct objtool_file *file, struct section *sec) 3998 { 3999 struct instruction *insn; 4000 struct insn_state state; 4001 int warnings = 0; 4002 4003 if (!file->hints) 4004 return 0; 4005 4006 init_insn_state(file, &state, sec); 4007 4008 if (sec) { 4009 sec_for_each_insn(file, sec, insn) 4010 warnings += validate_unwind_hint(file, insn, &state); 4011 } else { 4012 for_each_insn(file, insn) 4013 warnings += validate_unwind_hint(file, insn, &state); 4014 } 4015 4016 return warnings; 4017 } 4018 4019 /* 4020 * Validate rethunk entry constraint: must untrain RET before the first RET. 4021 * 4022 * Follow every branch (intra-function) and ensure VALIDATE_UNRET_END comes 4023 * before an actual RET instruction. 4024 */ 4025 static int validate_unret(struct objtool_file *file, struct instruction *insn) 4026 { 4027 struct instruction *next, *dest; 4028 int ret; 4029 4030 for (;;) { 4031 next = next_insn_to_validate(file, insn); 4032 4033 if (insn->visited & VISITED_UNRET) 4034 return 0; 4035 4036 insn->visited |= VISITED_UNRET; 4037 4038 if (insn->alts) { 4039 struct alternative *alt; 4040 for (alt = insn->alts; alt; alt = alt->next) { 4041 ret = validate_unret(file, alt->insn); 4042 if (ret) { 4043 BT_INSN(insn, "(alt)"); 4044 return ret; 4045 } 4046 } 4047 } 4048 4049 switch (insn->type) { 4050 4051 case INSN_CALL_DYNAMIC: 4052 case INSN_JUMP_DYNAMIC: 4053 case INSN_JUMP_DYNAMIC_CONDITIONAL: 4054 WARN_INSN(insn, "early indirect call"); 4055 return 1; 4056 4057 case INSN_JUMP_UNCONDITIONAL: 4058 case INSN_JUMP_CONDITIONAL: 4059 if (!is_sibling_call(insn)) { 4060 if (!insn->jump_dest) { 4061 WARN_INSN(insn, "unresolved jump target after linking?!?"); 4062 return 1; 4063 } 4064 ret = validate_unret(file, insn->jump_dest); 4065 if (ret) { 4066 BT_INSN(insn, "(branch%s)", 4067 insn->type == INSN_JUMP_CONDITIONAL ? "-cond" : ""); 4068 return ret; 4069 } 4070 4071 if (insn->type == INSN_JUMP_UNCONDITIONAL) 4072 return 0; 4073 4074 break; 4075 } 4076 4077 /* fallthrough */ 4078 case INSN_CALL: 4079 dest = find_insn(file, insn_call_dest(insn)->sec, 4080 insn_call_dest(insn)->offset); 4081 if (!dest) { 4082 WARN("Unresolved function after linking!?: %s", 4083 insn_call_dest(insn)->name); 4084 return 1; 4085 } 4086 4087 ret = validate_unret(file, dest); 4088 if (ret) { 4089 BT_INSN(insn, "(call)"); 4090 return ret; 4091 } 4092 /* 4093 * If a call returns without error, it must have seen UNTRAIN_RET. 4094 * Therefore any non-error return is a success. 4095 */ 4096 return 0; 4097 4098 case INSN_RETURN: 4099 WARN_INSN(insn, "RET before UNTRAIN"); 4100 return 1; 4101 4102 case INSN_SYSCALL: 4103 break; 4104 4105 case INSN_SYSRET: 4106 return 0; 4107 4108 case INSN_NOP: 4109 if (insn->retpoline_safe) 4110 return 0; 4111 break; 4112 4113 default: 4114 break; 4115 } 4116 4117 if (insn->dead_end) 4118 return 0; 4119 4120 if (!next) { 4121 WARN_INSN(insn, "teh end!"); 4122 return 1; 4123 } 4124 insn = next; 4125 } 4126 4127 return 0; 4128 } 4129 4130 /* 4131 * Validate that all branches starting at VALIDATE_UNRET_BEGIN encounter 4132 * VALIDATE_UNRET_END before RET. 4133 */ 4134 static int validate_unrets(struct objtool_file *file) 4135 { 4136 struct instruction *insn; 4137 int warnings = 0; 4138 4139 for_each_insn(file, insn) { 4140 if (!insn->unret) 4141 continue; 4142 4143 warnings += validate_unret(file, insn); 4144 } 4145 4146 return warnings; 4147 } 4148 4149 static int validate_retpoline(struct objtool_file *file) 4150 { 4151 struct instruction *insn; 4152 int warnings = 0; 4153 4154 for_each_insn(file, insn) { 4155 if (insn->type != INSN_JUMP_DYNAMIC && 4156 insn->type != INSN_CALL_DYNAMIC && 4157 insn->type != INSN_RETURN) 4158 continue; 4159 4160 if (insn->retpoline_safe) 4161 continue; 4162 4163 if (insn->sec->init) 4164 continue; 4165 4166 if (insn->type == INSN_RETURN) { 4167 if (opts.rethunk) { 4168 WARN_INSN(insn, "'naked' return found in MITIGATION_RETHUNK build"); 4169 warnings++; 4170 } 4171 continue; 4172 } 4173 4174 WARN_INSN(insn, "indirect %s found in MITIGATION_RETPOLINE build", 4175 insn->type == INSN_JUMP_DYNAMIC ? "jump" : "call"); 4176 warnings++; 4177 } 4178 4179 if (!opts.cfi) 4180 return warnings; 4181 4182 /* 4183 * kCFI call sites look like: 4184 * 4185 * movl $(-0x12345678), %r10d 4186 * addl -4(%r11), %r10d 4187 * jz 1f 4188 * ud2 4189 * 1: cs call __x86_indirect_thunk_r11 4190 * 4191 * Verify all indirect calls are kCFI adorned by checking for the 4192 * UD2. Notably, doing __nocfi calls to regular (cfi) functions is 4193 * broken. 4194 */ 4195 list_for_each_entry(insn, &file->retpoline_call_list, call_node) { 4196 struct symbol *sym = insn_sym(insn); 4197 4198 if (sym && (is_notype_sym(sym) || 4199 is_func_sym(sym)) && !sym->nocfi) { 4200 struct instruction *prev = 4201 prev_insn_same_sym(file, insn); 4202 4203 if (!prev || prev->type != INSN_BUG) { 4204 WARN_INSN(insn, "no-cfi indirect call!"); 4205 warnings++; 4206 } 4207 } 4208 } 4209 4210 return warnings; 4211 } 4212 4213 static bool is_kasan_insn(struct instruction *insn) 4214 { 4215 return (insn->type == INSN_CALL && 4216 !strcmp(insn_call_dest(insn)->name, "__asan_handle_no_return")); 4217 } 4218 4219 static bool is_ubsan_insn(struct instruction *insn) 4220 { 4221 return (insn->type == INSN_CALL && 4222 !strcmp(insn_call_dest(insn)->name, 4223 "__ubsan_handle_builtin_unreachable")); 4224 } 4225 4226 static bool ignore_unreachable_insn(struct objtool_file *file, struct instruction *insn) 4227 { 4228 struct symbol *func = insn_func(insn); 4229 struct instruction *prev_insn; 4230 int i; 4231 4232 if (insn->type == INSN_NOP || insn->type == INSN_TRAP || 4233 insn->hole || (func && func->ignore)) 4234 return true; 4235 4236 /* 4237 * Ignore alternative replacement instructions. This can happen 4238 * when a whitelisted function uses one of the ALTERNATIVE macros. 4239 */ 4240 if (!strcmp(insn->sec->name, ".altinstr_replacement") || 4241 !strcmp(insn->sec->name, ".altinstr_aux")) 4242 return true; 4243 4244 if (!func) 4245 return false; 4246 4247 if (func->static_call_tramp) 4248 return true; 4249 4250 /* 4251 * CONFIG_UBSAN_TRAP inserts a UD2 when it sees 4252 * __builtin_unreachable(). The BUG() macro has an unreachable() after 4253 * the UD2, which causes GCC's undefined trap logic to emit another UD2 4254 * (or occasionally a JMP to UD2). 4255 * 4256 * It may also insert a UD2 after calling a __noreturn function. 4257 */ 4258 prev_insn = prev_insn_same_sec(file, insn); 4259 if (prev_insn && prev_insn->dead_end && 4260 (insn->type == INSN_BUG || 4261 (insn->type == INSN_JUMP_UNCONDITIONAL && 4262 insn->jump_dest && insn->jump_dest->type == INSN_BUG))) 4263 return true; 4264 4265 /* 4266 * Check if this (or a subsequent) instruction is related to 4267 * CONFIG_UBSAN or CONFIG_KASAN. 4268 * 4269 * End the search at 5 instructions to avoid going into the weeds. 4270 */ 4271 for (i = 0; i < 5; i++) { 4272 4273 if (is_kasan_insn(insn) || is_ubsan_insn(insn)) 4274 return true; 4275 4276 if (insn->type == INSN_JUMP_UNCONDITIONAL) { 4277 if (insn->jump_dest && 4278 insn_func(insn->jump_dest) == func) { 4279 insn = insn->jump_dest; 4280 continue; 4281 } 4282 4283 break; 4284 } 4285 4286 if (insn->offset + insn->len >= func->offset + func->len) 4287 break; 4288 4289 insn = next_insn_same_sec(file, insn); 4290 } 4291 4292 return false; 4293 } 4294 4295 /* 4296 * For FineIBT or kCFI, a certain number of bytes preceding the function may be 4297 * NOPs. Those NOPs may be rewritten at runtime and executed, so give them a 4298 * proper function name: __pfx_<func>. 4299 */ 4300 static int create_prefix_symbol(struct objtool_file *file, struct symbol *func) 4301 { 4302 struct instruction *insn, *prev; 4303 char name[SYM_NAME_LEN]; 4304 struct cfi_state *cfi; 4305 4306 if ((strlen(func->name) + sizeof("__pfx_") > SYM_NAME_LEN)) { 4307 WARN("%s: symbol name too long, can't create __pfx_ symbol", 4308 func->name); 4309 return 0; 4310 } 4311 4312 if (snprintf_check(name, SYM_NAME_LEN, "__pfx_%s", func->name)) 4313 return -1; 4314 4315 if (!elf_create_symbol(file->elf, name, func->sec, 4316 GELF_ST_BIND(func->sym.st_info), 4317 GELF_ST_TYPE(func->sym.st_info), 4318 func->offset - opts.prefix, opts.prefix)) 4319 return -1; 4320 4321 /* Propagate insn->cfi to the prefix code */ 4322 insn = find_insn(file, func->sec, func->offset); 4323 if (!insn || !insn->cfi) 4324 return 0; 4325 4326 cfi = cfi_hash_find_or_add(insn->cfi); 4327 for (prev = find_insn(file, func->sec, func->offset - opts.prefix); 4328 prev && prev != insn; 4329 prev = next_insn_same_sec(file, prev)) 4330 prev->cfi = cfi; 4331 4332 return 0; 4333 } 4334 4335 static int create_prefix_symbols(struct objtool_file *file) 4336 { 4337 struct section *pfe_sec; 4338 struct symbol *func; 4339 struct reloc *reloc; 4340 4341 for_each_sec(file->elf, pfe_sec) { 4342 if (strcmp(pfe_sec->name, "__patchable_function_entries")) 4343 continue; 4344 if (!pfe_sec->rsec) 4345 continue; 4346 4347 for_each_reloc(pfe_sec->rsec, reloc) { 4348 func = find_func_by_offset(reloc->sym->sec, 4349 reloc->sym->offset + reloc_addend(reloc) + opts.prefix); 4350 if (func && create_prefix_symbol(file, func)) 4351 return -1; 4352 } 4353 } 4354 4355 return 0; 4356 } 4357 4358 static int validate_symbol(struct objtool_file *file, struct section *sec, 4359 struct symbol *sym, struct insn_state *state) 4360 { 4361 struct instruction *insn; 4362 struct symbol *func; 4363 int ret; 4364 4365 if (!sym->len) { 4366 WARN("%s() is missing an ELF size annotation", sym->name); 4367 return 1; 4368 } 4369 4370 if (sym->pfunc != sym || is_alias_sym(sym)) 4371 return 0; 4372 4373 insn = find_insn(file, sec, sym->offset); 4374 if (!insn || insn->visited) 4375 return 0; 4376 4377 if (opts.uaccess) 4378 state->uaccess = sym->uaccess_safe; 4379 4380 func = insn_func(insn); 4381 4382 if (opts.trace && !fnmatch(opts.trace, sym->name, 0)) { 4383 trace_enable(); 4384 TRACE("%s: validation begin\n", sym->name); 4385 } 4386 4387 ret = validate_branch(file, func, insn, *state); 4388 if (ret) 4389 BT_INSN(insn, "<=== (sym)"); 4390 4391 TRACE("%s: validation %s\n\n", sym->name, ret ? "failed" : "end"); 4392 trace_disable(); 4393 4394 return ret; 4395 } 4396 4397 static int validate_section(struct objtool_file *file, struct section *sec) 4398 { 4399 struct insn_state state; 4400 struct symbol *func; 4401 int warnings = 0; 4402 4403 sec_for_each_sym(sec, func) { 4404 if (!is_func_sym(func)) 4405 continue; 4406 4407 init_insn_state(file, &state, sec); 4408 set_func_state(&state.cfi); 4409 4410 warnings += validate_symbol(file, sec, func, &state); 4411 } 4412 4413 return warnings; 4414 } 4415 4416 static int validate_noinstr_sections(struct objtool_file *file) 4417 { 4418 struct section *sec; 4419 int warnings = 0; 4420 4421 sec = find_section_by_name(file->elf, ".noinstr.text"); 4422 if (sec) { 4423 warnings += validate_section(file, sec); 4424 warnings += validate_unwind_hints(file, sec); 4425 } 4426 4427 sec = find_section_by_name(file->elf, ".entry.text"); 4428 if (sec) { 4429 warnings += validate_section(file, sec); 4430 warnings += validate_unwind_hints(file, sec); 4431 } 4432 4433 sec = find_section_by_name(file->elf, ".cpuidle.text"); 4434 if (sec) { 4435 warnings += validate_section(file, sec); 4436 warnings += validate_unwind_hints(file, sec); 4437 } 4438 4439 return warnings; 4440 } 4441 4442 static int validate_functions(struct objtool_file *file) 4443 { 4444 struct section *sec; 4445 int warnings = 0; 4446 4447 for_each_sec(file->elf, sec) { 4448 if (!is_text_sec(sec)) 4449 continue; 4450 4451 warnings += validate_section(file, sec); 4452 } 4453 4454 return warnings; 4455 } 4456 4457 static void mark_endbr_used(struct instruction *insn) 4458 { 4459 if (!list_empty(&insn->call_node)) 4460 list_del_init(&insn->call_node); 4461 } 4462 4463 static bool noendbr_range(struct objtool_file *file, struct instruction *insn) 4464 { 4465 struct symbol *sym = find_symbol_containing(insn->sec, insn->offset-1); 4466 struct instruction *first; 4467 4468 if (!sym) 4469 return false; 4470 4471 first = find_insn(file, sym->sec, sym->offset); 4472 if (!first) 4473 return false; 4474 4475 if (first->type != INSN_ENDBR && !first->noendbr) 4476 return false; 4477 4478 return insn->offset == sym->offset + sym->len; 4479 } 4480 4481 static int __validate_ibt_insn(struct objtool_file *file, struct instruction *insn, 4482 struct instruction *dest) 4483 { 4484 if (dest->type == INSN_ENDBR) { 4485 mark_endbr_used(dest); 4486 return 0; 4487 } 4488 4489 if (insn_func(dest) && insn_func(insn) && 4490 insn_func(dest)->pfunc == insn_func(insn)->pfunc) { 4491 /* 4492 * Anything from->to self is either _THIS_IP_ or 4493 * IRET-to-self. 4494 * 4495 * There is no sane way to annotate _THIS_IP_ since the 4496 * compiler treats the relocation as a constant and is 4497 * happy to fold in offsets, skewing any annotation we 4498 * do, leading to vast amounts of false-positives. 4499 * 4500 * There's also compiler generated _THIS_IP_ through 4501 * KCOV and such which we have no hope of annotating. 4502 * 4503 * As such, blanket accept self-references without 4504 * issue. 4505 */ 4506 return 0; 4507 } 4508 4509 /* 4510 * Accept anything ANNOTATE_NOENDBR. 4511 */ 4512 if (dest->noendbr) 4513 return 0; 4514 4515 /* 4516 * Accept if this is the instruction after a symbol 4517 * that is (no)endbr -- typical code-range usage. 4518 */ 4519 if (noendbr_range(file, dest)) 4520 return 0; 4521 4522 WARN_INSN(insn, "relocation to !ENDBR: %s", offstr(dest->sec, dest->offset)); 4523 return 1; 4524 } 4525 4526 static int validate_ibt_insn(struct objtool_file *file, struct instruction *insn) 4527 { 4528 struct instruction *dest; 4529 struct reloc *reloc; 4530 unsigned long off; 4531 int warnings = 0; 4532 4533 /* 4534 * Looking for function pointer load relocations. Ignore 4535 * direct/indirect branches: 4536 */ 4537 switch (insn->type) { 4538 4539 case INSN_CALL: 4540 case INSN_CALL_DYNAMIC: 4541 case INSN_JUMP_CONDITIONAL: 4542 case INSN_JUMP_UNCONDITIONAL: 4543 case INSN_JUMP_DYNAMIC: 4544 case INSN_JUMP_DYNAMIC_CONDITIONAL: 4545 case INSN_RETURN: 4546 case INSN_NOP: 4547 return 0; 4548 4549 case INSN_LEA_RIP: 4550 if (!insn_reloc(file, insn)) { 4551 /* local function pointer reference without reloc */ 4552 4553 off = arch_jump_destination(insn); 4554 4555 dest = find_insn(file, insn->sec, off); 4556 if (!dest) { 4557 WARN_INSN(insn, "corrupt function pointer reference"); 4558 return 1; 4559 } 4560 4561 return __validate_ibt_insn(file, insn, dest); 4562 } 4563 break; 4564 4565 default: 4566 break; 4567 } 4568 4569 for (reloc = insn_reloc(file, insn); 4570 reloc; 4571 reloc = find_reloc_by_dest_range(file->elf, insn->sec, 4572 reloc_offset(reloc) + 1, 4573 (insn->offset + insn->len) - (reloc_offset(reloc) + 1))) { 4574 4575 off = reloc->sym->offset + arch_insn_adjusted_addend(insn, reloc); 4576 4577 dest = find_insn(file, reloc->sym->sec, off); 4578 if (!dest) 4579 continue; 4580 4581 warnings += __validate_ibt_insn(file, insn, dest); 4582 } 4583 4584 return warnings; 4585 } 4586 4587 static int validate_ibt_data_reloc(struct objtool_file *file, 4588 struct reloc *reloc) 4589 { 4590 struct instruction *dest; 4591 4592 dest = find_insn(file, reloc->sym->sec, 4593 reloc->sym->offset + reloc_addend(reloc)); 4594 if (!dest) 4595 return 0; 4596 4597 if (dest->type == INSN_ENDBR) { 4598 mark_endbr_used(dest); 4599 return 0; 4600 } 4601 4602 if (dest->noendbr) 4603 return 0; 4604 4605 WARN_FUNC(reloc->sec->base, reloc_offset(reloc), 4606 "data relocation to !ENDBR: %s", offstr(dest->sec, dest->offset)); 4607 4608 return 1; 4609 } 4610 4611 /* 4612 * Validate IBT rules and remove used ENDBR instructions from the seal list. 4613 * Unused ENDBR instructions will be annotated for sealing (i.e., replaced with 4614 * NOPs) later, in create_ibt_endbr_seal_sections(). 4615 */ 4616 static int validate_ibt(struct objtool_file *file) 4617 { 4618 struct section *sec; 4619 struct reloc *reloc; 4620 struct instruction *insn; 4621 int warnings = 0; 4622 4623 for_each_insn(file, insn) 4624 warnings += validate_ibt_insn(file, insn); 4625 4626 for_each_sec(file->elf, sec) { 4627 4628 /* Already done by validate_ibt_insn() */ 4629 if (is_text_sec(sec)) 4630 continue; 4631 4632 if (!sec->rsec) 4633 continue; 4634 4635 /* 4636 * These sections can reference text addresses, but not with 4637 * the intent to indirect branch to them. 4638 */ 4639 if ((!strncmp(sec->name, ".discard", 8) && 4640 strcmp(sec->name, ".discard.ibt_endbr_noseal")) || 4641 !strncmp(sec->name, ".debug", 6) || 4642 !strcmp(sec->name, ".altinstructions") || 4643 !strcmp(sec->name, ".ibt_endbr_seal") || 4644 !strcmp(sec->name, ".kcfi_traps") || 4645 !strcmp(sec->name, ".orc_unwind_ip") || 4646 !strcmp(sec->name, ".retpoline_sites") || 4647 !strcmp(sec->name, ".smp_locks") || 4648 !strcmp(sec->name, ".static_call_sites") || 4649 !strcmp(sec->name, "_error_injection_whitelist") || 4650 !strcmp(sec->name, "_kprobe_blacklist") || 4651 !strcmp(sec->name, "__bug_table") || 4652 !strcmp(sec->name, "__ex_table") || 4653 !strcmp(sec->name, "__jump_table") || 4654 !strcmp(sec->name, ".init.klp_funcs") || 4655 !strcmp(sec->name, "__mcount_loc") || 4656 !strcmp(sec->name, ".llvm.call-graph-profile") || 4657 !strcmp(sec->name, ".llvm_bb_addr_map") || 4658 !strcmp(sec->name, "__tracepoints") || 4659 !strcmp(sec->name, ".return_sites") || 4660 !strcmp(sec->name, ".call_sites") || 4661 !strcmp(sec->name, "__patchable_function_entries")) 4662 continue; 4663 4664 for_each_reloc(sec->rsec, reloc) 4665 warnings += validate_ibt_data_reloc(file, reloc); 4666 } 4667 4668 return warnings; 4669 } 4670 4671 static int validate_sls(struct objtool_file *file) 4672 { 4673 struct instruction *insn, *next_insn; 4674 int warnings = 0; 4675 4676 for_each_insn(file, insn) { 4677 next_insn = next_insn_same_sec(file, insn); 4678 4679 if (insn->retpoline_safe) 4680 continue; 4681 4682 switch (insn->type) { 4683 case INSN_RETURN: 4684 if (!next_insn || next_insn->type != INSN_TRAP) { 4685 WARN_INSN(insn, "missing int3 after ret"); 4686 warnings++; 4687 } 4688 4689 break; 4690 case INSN_JUMP_DYNAMIC: 4691 if (!next_insn || next_insn->type != INSN_TRAP) { 4692 WARN_INSN(insn, "missing int3 after indirect jump"); 4693 warnings++; 4694 } 4695 break; 4696 default: 4697 break; 4698 } 4699 } 4700 4701 return warnings; 4702 } 4703 4704 static int validate_reachable_instructions(struct objtool_file *file) 4705 { 4706 struct instruction *insn, *prev_insn; 4707 struct symbol *call_dest; 4708 int warnings = 0; 4709 4710 if (file->ignore_unreachables) 4711 return 0; 4712 4713 for_each_insn(file, insn) { 4714 if (insn->visited || ignore_unreachable_insn(file, insn)) 4715 continue; 4716 4717 prev_insn = prev_insn_same_sec(file, insn); 4718 if (prev_insn && prev_insn->dead_end) { 4719 call_dest = insn_call_dest(prev_insn); 4720 if (call_dest) { 4721 WARN_INSN(insn, "%s() missing __noreturn in .c/.h or NORETURN() in noreturns.h", 4722 call_dest->name); 4723 warnings++; 4724 continue; 4725 } 4726 } 4727 4728 WARN_INSN(insn, "unreachable instruction"); 4729 warnings++; 4730 } 4731 4732 return warnings; 4733 } 4734 4735 __weak bool arch_absolute_reloc(struct elf *elf, struct reloc *reloc) 4736 { 4737 unsigned int type = reloc_type(reloc); 4738 size_t sz = elf_addr_size(elf); 4739 4740 return (sz == 8) ? (type == R_ABS64) : (type == R_ABS32); 4741 } 4742 4743 static int check_abs_references(struct objtool_file *file) 4744 { 4745 struct section *sec; 4746 struct reloc *reloc; 4747 int ret = 0; 4748 4749 for_each_sec(file->elf, sec) { 4750 /* absolute references in non-loadable sections are fine */ 4751 if (!(sec->sh.sh_flags & SHF_ALLOC)) 4752 continue; 4753 4754 /* section must have an associated .rela section */ 4755 if (!sec->rsec) 4756 continue; 4757 4758 /* 4759 * Special case for compiler generated metadata that is not 4760 * consumed until after boot. 4761 */ 4762 if (!strcmp(sec->name, "__patchable_function_entries")) 4763 continue; 4764 4765 for_each_reloc(sec->rsec, reloc) { 4766 if (arch_absolute_reloc(file->elf, reloc)) { 4767 WARN("section %s has absolute relocation at offset 0x%llx", 4768 sec->name, (unsigned long long)reloc_offset(reloc)); 4769 ret++; 4770 } 4771 } 4772 } 4773 return ret; 4774 } 4775 4776 struct insn_chunk { 4777 void *addr; 4778 struct insn_chunk *next; 4779 }; 4780 4781 /* 4782 * Reduce peak RSS usage by freeing insns memory before writing the ELF file, 4783 * which can trigger more allocations for .debug_* sections whose data hasn't 4784 * been read yet. 4785 */ 4786 void free_insns(struct objtool_file *file) 4787 { 4788 struct instruction *insn; 4789 struct insn_chunk *chunks = NULL, *chunk; 4790 4791 for_each_insn(file, insn) { 4792 if (!insn->idx) { 4793 chunk = malloc(sizeof(*chunk)); 4794 chunk->addr = insn; 4795 chunk->next = chunks; 4796 chunks = chunk; 4797 } 4798 } 4799 4800 for (chunk = chunks; chunk; chunk = chunk->next) 4801 free(chunk->addr); 4802 } 4803 4804 const char *objtool_disas_insn(struct instruction *insn) 4805 { 4806 struct disas_context *dctx = objtool_disas_ctx; 4807 4808 if (!dctx) 4809 return ""; 4810 4811 disas_insn(dctx, insn); 4812 return disas_result(dctx); 4813 } 4814 4815 int check(struct objtool_file *file) 4816 { 4817 struct disas_context *disas_ctx = NULL; 4818 int ret = 0, warnings = 0; 4819 4820 /* 4821 * Create a disassembly context if we might disassemble any 4822 * instruction or function. 4823 */ 4824 if (opts.verbose || opts.backtrace || opts.trace || opts.disas) { 4825 disas_ctx = disas_context_create(file); 4826 if (!disas_ctx) { 4827 opts.disas = false; 4828 opts.trace = false; 4829 } 4830 objtool_disas_ctx = disas_ctx; 4831 } 4832 4833 ret = decode_file(file); 4834 if (ret) 4835 goto out; 4836 4837 if (!nr_insns) 4838 goto out; 4839 4840 if (opts.retpoline) 4841 warnings += validate_retpoline(file); 4842 4843 if (validate_branch_enabled()) { 4844 int w = 0; 4845 4846 w += validate_functions(file); 4847 w += validate_unwind_hints(file, NULL); 4848 if (!w) 4849 w += validate_reachable_instructions(file); 4850 4851 warnings += w; 4852 4853 } else if (opts.noinstr) { 4854 warnings += validate_noinstr_sections(file); 4855 } 4856 4857 if (opts.unret) { 4858 /* 4859 * Must be after validate_branch() and friends, it plays 4860 * further games with insn->visited. 4861 */ 4862 warnings += validate_unrets(file); 4863 } 4864 4865 if (opts.ibt) 4866 warnings += validate_ibt(file); 4867 4868 if (opts.sls) 4869 warnings += validate_sls(file); 4870 4871 if (opts.static_call) { 4872 ret = create_static_call_sections(file); 4873 if (ret) 4874 goto out; 4875 } 4876 4877 if (opts.retpoline) { 4878 ret = create_retpoline_sites_sections(file); 4879 if (ret) 4880 goto out; 4881 } 4882 4883 if (opts.rethunk) { 4884 ret = create_return_sites_sections(file); 4885 if (ret) 4886 goto out; 4887 4888 if (opts.hack_skylake) { 4889 ret = create_direct_call_sections(file); 4890 if (ret) 4891 goto out; 4892 } 4893 } 4894 4895 if (opts.mcount) { 4896 ret = create_mcount_loc_sections(file); 4897 if (ret) 4898 goto out; 4899 } 4900 4901 if (opts.prefix) { 4902 if (!opts.cfi) { 4903 ret = create_prefix_symbols(file); 4904 if (ret) 4905 goto out; 4906 } else { 4907 ret = grow_cfi_symbols(file); 4908 if (ret) 4909 goto out; 4910 4911 if (opts.fineibt) { 4912 ret = create_cfi_sections(file); 4913 if (ret) 4914 goto out; 4915 } 4916 } 4917 } 4918 4919 if (opts.ibt) { 4920 ret = create_ibt_endbr_seal_sections(file); 4921 if (ret) 4922 goto out; 4923 } 4924 4925 if (opts.noabs) 4926 warnings += check_abs_references(file); 4927 4928 if (opts.orc && nr_insns) { 4929 ret = orc_create(file); 4930 if (ret) 4931 goto out; 4932 } 4933 4934 if (opts.stats) { 4935 printf("nr_insns_visited: %ld\n", nr_insns_visited); 4936 printf("nr_cfi: %ld\n", nr_cfi); 4937 printf("nr_cfi_reused: %ld\n", nr_cfi_reused); 4938 printf("nr_cfi_cache: %ld\n", nr_cfi_cache); 4939 } 4940 4941 out: 4942 if (ret || warnings) { 4943 if (opts.werror && warnings) 4944 ret = 1; 4945 4946 if (opts.verbose) { 4947 if (opts.werror && warnings) 4948 WARN("%d warning(s) upgraded to errors", warnings); 4949 disas_warned_funcs(disas_ctx); 4950 } 4951 } 4952 4953 if (opts.disas) 4954 disas_funcs(disas_ctx); 4955 4956 if (disas_ctx) { 4957 disas_context_destroy(disas_ctx); 4958 objtool_disas_ctx = NULL; 4959 } 4960 4961 free_insns(file); 4962 4963 if (!ret && !warnings) 4964 return 0; 4965 4966 if (opts.backup && make_backup()) 4967 return 1; 4968 4969 return ret; 4970 } 4971