1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * Copyright (C) 2015-2017 Josh Poimboeuf <jpoimboe@redhat.com> 4 */ 5 6 #define _GNU_SOURCE /* memmem() */ 7 #include <fnmatch.h> 8 #include <string.h> 9 #include <stdlib.h> 10 #include <inttypes.h> 11 #include <sys/mman.h> 12 13 #include <objtool/builtin.h> 14 #include <objtool/cfi.h> 15 #include <objtool/arch.h> 16 #include <objtool/disas.h> 17 #include <objtool/check.h> 18 #include <objtool/special.h> 19 #include <objtool/trace.h> 20 #include <objtool/warn.h> 21 #include <objtool/util.h> 22 23 #include <linux/objtool_types.h> 24 #include <linux/hashtable.h> 25 #include <linux/kernel.h> 26 #include <linux/static_call_types.h> 27 #include <linux/string.h> 28 29 static unsigned long nr_cfi, nr_cfi_reused, nr_cfi_cache; 30 31 static struct cfi_init_state initial_func_cfi; 32 static struct cfi_state init_cfi; 33 static struct cfi_state func_cfi; 34 static struct cfi_state force_undefined_cfi; 35 36 struct disas_context *objtool_disas_ctx; 37 38 size_t sym_name_max_len; 39 40 struct instruction *find_insn(struct objtool_file *file, 41 struct section *sec, unsigned long offset) 42 { 43 struct instruction *insn; 44 45 hash_for_each_possible(file->insn_hash, insn, hash, sec_offset_hash(sec, offset)) { 46 if (insn->sec == sec && insn->offset == offset) 47 return insn; 48 } 49 50 return NULL; 51 } 52 53 struct instruction *next_insn_same_sec(struct objtool_file *file, 54 struct instruction *insn) 55 { 56 if (insn->idx == INSN_CHUNK_MAX) 57 return find_insn(file, insn->sec, insn->offset + insn->len); 58 59 insn++; 60 if (!insn->len) 61 return NULL; 62 63 return insn; 64 } 65 66 struct instruction *next_insn_same_func(struct objtool_file *file, 67 struct instruction *insn) 68 { 69 struct instruction *next = next_insn_same_sec(file, insn); 70 struct symbol *func = insn_func(insn); 71 72 if (!func) 73 return NULL; 74 75 if (next && insn_func(next) == func) 76 return next; 77 78 /* Check if we're already in the subfunction: 
 */
	if (func == func->cfunc)
		return NULL;

	/* Move to the subfunction: */
	return find_insn(file, func->cfunc->sec, func->cfunc->offset);
}

/*
 * Return the instruction immediately before @insn in the same section, or
 * NULL at the start of the section.
 *
 * Instructions are stored in fixed-size chunks (see decode_instructions()),
 * so inside a chunk the previous entry is simply insn - 1.  At a chunk
 * boundary (idx == 0) the hash is consulted instead, using the length of the
 * preceding instruction that the decoder recorded in insn->prev_len; a
 * prev_len of 0 marks the first instruction of the section.
 */
static struct instruction *prev_insn_same_sec(struct objtool_file *file,
					      struct instruction *insn)
{
	if (insn->idx == 0) {
		if (insn->prev_len)
			return find_insn(file, insn->sec, insn->offset - insn->prev_len);
		return NULL;
	}

	return insn - 1;
}

/*
 * Like prev_insn_same_sec(), but stops (returns NULL) as soon as the previous
 * instruction belongs to a different function symbol.
 */
static struct instruction *prev_insn_same_sym(struct objtool_file *file,
					      struct instruction *insn)
{
	struct instruction *prev = prev_insn_same_sec(file, insn);

	if (prev && insn_func(prev) == insn_func(insn))
		return prev;

	return NULL;
}

/*
 * Iterate over every decoded instruction of every section.  The outer
 * single-iteration for() only exists to give __sec a scope without needing a
 * declaration at the call site; __fake is set to NULL after the first pass.
 */
#define for_each_insn(file, insn)					\
	for (struct section *__sec, *__fake = (struct section *)1;	\
	     __fake; __fake = NULL)					\
		for_each_sec(file->elf, __sec)				\
			sec_for_each_insn(file, __sec, insn)


/* Iterate over the instructions covered by symbol @sym, in address order. */
#define sym_for_each_insn(file, sym, insn)				\
	for (insn = find_insn(file, sym->sec, sym->offset);		\
	     insn && insn->offset < sym->offset + sym->len;		\
	     insn = next_insn_same_sec(file, insn))

/* Walk backwards from (but excluding) @insn while still inside @sym. */
#define sym_for_each_insn_continue_reverse(file, sym, insn)		\
	for (insn = prev_insn_same_sec(file, insn);			\
	     insn && insn->offset >= sym->offset;			\
	     insn = prev_insn_same_sec(file, insn))

/* Continue a section walk starting at (and including) @insn. */
#define sec_for_each_insn_from(file, insn)				\
	for (; insn; insn = next_insn_same_sec(file, insn))

/* Continue a section walk starting after @insn. */
#define sec_for_each_insn_continue(file, insn)				\
	for (insn = next_insn_same_sec(file, insn); insn;		\
	     insn = next_insn_same_sec(file, insn))

/*
 * The jump-table reloc attached to an indirect jump/call, or NULL.  The
 * _jump_table field is only meaningful for the two dynamic instruction
 * types, which is why the type is checked before reading it.
 */
static inline struct reloc *insn_jump_table(struct instruction *insn)
{
	if (insn->type == INSN_JUMP_DYNAMIC ||
	    insn->type == INSN_CALL_DYNAMIC)
		return insn->_jump_table;

	return NULL;
}

/* Size of the jump table attached to @insn, or 0 (see insn_jump_table()). */
static inline unsigned long insn_jump_table_size(struct instruction *insn)
{
	if (insn->type == INSN_JUMP_DYNAMIC ||
	    insn->type == INSN_CALL_DYNAMIC)
		return insn->_jump_table_size;

	return 0;
}

/*
 * True if @insn dispatches through a jump table, either directly or as the
 * retpoline alternative of an instruction that does.
 */
static bool is_jump_table_jump(struct instruction *insn)
{
	struct alt_group *alt_group = insn->alt_group;

	if (insn_jump_table(insn))
		return true;

	/* Retpoline alternative for a jump table? */
	return alt_group && alt_group->orig_group &&
	       insn_jump_table(alt_group->orig_group->first_insn);
}

/*
 * True if @insn is a tail call into another function.  Depends on
 * add_jump_destinations() having run first for the static-jump case.
 */
static bool is_sibling_call(struct instruction *insn)
{
	/*
	 * Assume only STT_FUNC calls have jump-tables.
	 */
	if (insn_func(insn)) {
		/* An indirect jump is either a sibling call or a jump to a table. */
		if (insn->type == INSN_JUMP_DYNAMIC)
			return !is_jump_table_jump(insn);
	}

	/* add_jump_destinations() sets insn_call_dest(insn) for sibling calls. */
	return (is_static_jump(insn) && insn_call_dest(insn));
}

/*
 * Checks if a function is a Rust "noreturn" one.
 *
 * This is a name-based heuristic over the mangled symbol, not a property the
 * compiler exports, and its result feeds dead-end detection.  A false
 * positive would presumably make the code after a call to the function look
 * unreachable to objtool, a false negative would surface as a fall-through
 * warning -- so keep the list tight.  Note that the strstr() entries match
 * anywhere in the name and are therefore broader than the str_ends_with()
 * entries.
 */
static bool is_rust_noreturn(const struct symbol *func)
{
	/*
	 * If it does not start with "_R", then it is not a Rust symbol.
	 */
	if (strncmp(func->name, "_R", 2))
		return false;

	/*
	 * These are just heuristics -- we do not control the precise symbol
	 * name, due to the crate disambiguators (which depend on the compiler)
	 * as well as changes to the source code itself between versions (since
	 * these come from the Rust standard library).
	 */
	return str_ends_with(func->name, "_4core3num20from_str_radix_panic") ||
	       str_ends_with(func->name, "_4core3num22from_ascii_radix_panic") ||
	       str_ends_with(func->name, "_4core5sliceSp15copy_from_slice17len_mismatch_fail") ||
	       str_ends_with(func->name, "_4core6option13expect_failed") ||
	       str_ends_with(func->name, "_4core6option13unwrap_failed") ||
	       str_ends_with(func->name, "_4core6result13unwrap_failed") ||
	       str_ends_with(func->name, "_4core9panicking5panic") ||
	       str_ends_with(func->name, "_4core9panicking9panic_fmt") ||
	       str_ends_with(func->name, "_4core9panicking14panic_explicit") ||
	       str_ends_with(func->name, "_4core9panicking14panic_nounwind") ||
	       str_ends_with(func->name, "_4core9panicking18panic_bounds_check") ||
	       str_ends_with(func->name, "_4core9panicking18panic_nounwind_fmt") ||
	       str_ends_with(func->name, "_4core9panicking19assert_failed_inner") ||
	       str_ends_with(func->name, "_4core9panicking30panic_null_pointer_dereference") ||
	       str_ends_with(func->name, "_4core9panicking36panic_misaligned_pointer_dereference") ||
	       str_ends_with(func->name, "_7___rustc17rust_begin_unwind") ||
	       strstr(func->name, "_4core9panicking13assert_failed") ||
	       strstr(func->name, "_4core9panicking11panic_const24panic_const_") ||
	       (strstr(func->name, "_4core5slice5index") &&
		strstr(func->name, "slice_") &&
		str_ends_with(func->name, "_fail"));
}

/*
 * This checks to see if the given function is a "noreturn" function.
 *
 * For global functions which are outside the scope of this object file, we
 * have to keep a manual list of them.
 *
 * For local functions, we have to detect them manually by simply looking for
 * the lack of a return instruction.
 */
static bool __dead_end_function(struct objtool_file *file, struct symbol *func,
				int recursion)
{
	int i;
	struct instruction *insn;
	bool empty = true;

	/* Names of well-known noreturn functions, one NORETURN() per line. */
#define NORETURN(func) __stringify(func),
	static const char * const global_noreturns[] = {
#include "noreturns.h"
	};
#undef NORETURN

	if (!func)
		return false;

	/*
	 * Only non-local symbols are matched by name: the Rust heuristics and
	 * global_noreturns[] describe externally visible functions, and a
	 * local symbol that merely shares such a name is not trusted on the
	 * strength of its name alone.
	 */
	if (!is_local_sym(func)) {
		if (is_rust_noreturn(func))
			return true;

		for (i = 0; i < ARRAY_SIZE(global_noreturns); i++)
			if (!strcmp(func->name, global_noreturns[i]))
				return true;
	}

	/*
	 * A weak definition may be replaced at link time by one we cannot see
	 * here, so it is never assumed to be a dead end.
	 */
	if (is_weak_sym(func))
		return false;

	/* Nothing to inspect. */
	if (!func->len)
		return false;

	/* The symbol must start on a decoded instruction owned by a function. */
	insn = find_insn(file, func->sec, func->offset);
	if (!insn || !insn_func(insn))
		return false;

	/* Any explicit return means control can come back to the caller. */
	func_for_each_insn(file, func, insn) {
		empty = false;

		if (insn->type == INSN_RETURN)
			return false;
	}

	if (empty)
		return false;

	/*
	 * A function can have a sibling call instead of a return.  In that
	 * case, the function's dead-end status depends on whether the target
	 * of the sibling call returns.
	 *
	 * NOTE(review): only the first sibling call in address order is
	 * examined, and its target's status is returned for the whole
	 * function -- a later sibling call to a function that does return is
	 * never looked at.  A stricter rule would require every sibling-call
	 * target to be a dead end before reporting true.
	 */
	func_for_each_insn(file, func, insn) {
		if (is_sibling_call(insn)) {
			struct instruction *dest = insn->jump_dest;

			if (!dest)
				/* sibling call to another file */
				return false;

			/*
			 * local sibling call
			 *
			 * The depth cap also bounds long tail-call chains, not
			 * just mutual recursion; past it the answer is the
			 * conservative "not a dead end".
			 */
			if (recursion == 5) {
				/*
				 * Infinite recursion: two functions have
				 * sibling calls to each other.  This is a very
				 * rare case.  It means they aren't dead ends.
				 */
				return false;
			}

			return __dead_end_function(file, insn_func(dest), recursion+1);
		}
	}

	return true;
}

/* Public entry point: start the sibling-call recursion at depth 0. */
static bool dead_end_function(struct objtool_file *file, struct symbol *func)
{
	return __dead_end_function(file, func, 0);
}

/*
 * Mark every register, the CFA and the DRAP register as "unknown".  Only the
 * .base fields (and drap_offset) are written; the caller is expected to have
 * zeroed the rest of the struct beforehand (see init_insn_state()).
 */
static void init_cfi_state(struct cfi_state *cfi)
{
	int i;

	for (i = 0; i < CFI_NUM_REGS; i++) {
		cfi->regs[i].base = CFI_UNDEFINED;
		cfi->vals[i].base = CFI_UNDEFINED;
	}
	cfi->cfa.base = CFI_UNDEFINED;
	cfi->drap_reg = CFI_UNDEFINED;
	cfi->drap_offset = -1;
}

/*
 * Reset an instruction state to "nothing known".  The noinstr flag is
 * inherited from the section (only when noinstr validation is enabled) so
 * that code in noinstr sections starts out under the stricter rules.
 */
static void init_insn_state(struct objtool_file *file, struct insn_state *state,
			    struct section *sec)
{
	memset(state, 0, sizeof(*state));
	init_cfi_state(&state->cfi);

	if (opts.noinstr && sec)
		state->noinstr = sec->noinstr;
}

/*
 * Allocate a zero-filled CFI state.  Allocation failure is fatal (exit(1))
 * rather than reported, unlike most other paths in this file.  Zero-filling
 * matters: cficmp()/cfi_key() look at every byte of the struct.
 */
static struct cfi_state *cfi_alloc(void)
{
	struct cfi_state *cfi = calloc(1, sizeof(struct cfi_state));
	if (!cfi) {
		ERROR_GLIBC("calloc");
		exit(1);
	}
	nr_cfi++;
	return cfi;
}

/* CFI dedup table: 2^cfi_bits bucket heads, allocated by cfi_hash_alloc(). */
static int cfi_bits;
static struct hlist_head *cfi_hash;

/*
 * Byte-compare two CFI states, skipping the embedded hlist_node.  Returns
 * true when they DIFFER (memcmp() semantics); callers test !cficmp() for
 * equality.  Being a raw byte compare it covers struct padding too, so both
 * states must be fully initialized (calloc()/memset()) or identical states
 * may fail to dedupe.  Assumes ->hash is the first member -- TODO confirm
 * against cfi.h; cfi_key() makes the same assumption.
 */
static inline bool cficmp(struct cfi_state *cfi1, struct cfi_state *cfi2)
{
	return memcmp((void *)cfi1 + sizeof(cfi1->hash),
		      (void *)cfi2 + sizeof(cfi2->hash),
		      sizeof(struct cfi_state) - sizeof(struct hlist_node));
}

/* Hash of the same byte range cficmp() compares (everything after ->hash). */
static inline u32 cfi_key(struct cfi_state *cfi)
{
	return jhash((void *)cfi + sizeof(cfi->hash),
		     sizeof(*cfi) - sizeof(cfi->hash), 0);
}

/*
 * Intern @cfi: return the existing table entry equal to it, or copy it into a
 * new heap object and insert that.  The returned object is owned by the
 * table; @cfi itself is never inserted.
 */
static struct cfi_state *cfi_hash_find_or_add(struct cfi_state *cfi)
{
	struct hlist_head *head = &cfi_hash[hash_min(cfi_key(cfi), cfi_bits)];
	struct cfi_state *obj;

	hlist_for_each_entry(obj, head, hash) {
		if (!cficmp(cfi, obj)) {
			nr_cfi_cache++;
			return obj;
		}
	}

	obj = cfi_alloc();
	*obj = *cfi;
	hlist_add_head(&obj->hash, head);

	return obj;
}

/*
 * Insert the caller-owned @cfi itself into the table, without checking for an
 * equal entry first.  @cfi must outlive the table.
 */
static void
cfi_hash_add(struct cfi_state *cfi)
{
	struct hlist_head *head = &cfi_hash[hash_min(cfi_key(cfi), cfi_bits)];

	hlist_add_head(&cfi->hash, head);
}

/*
 * Allocate the CFI table with at least 2^10 buckets, scaled up by
 * ilog2(@size).  The anonymous mapping starts out zero-filled, which is what
 * makes every bucket head an empty list.  Returns NULL on failure; the
 * (void *)-1L being tested is the MAP_FAILED value.
 */
static void *cfi_hash_alloc(unsigned long size)
{
	cfi_bits = max(10, ilog2(size));
	cfi_hash = mmap(NULL, sizeof(struct hlist_head) << cfi_bits,
			PROT_READ|PROT_WRITE,
			MAP_PRIVATE|MAP_ANON, -1, 0);
	if (cfi_hash == (void *)-1L) {
		ERROR_GLIBC("mmap fail cfi_hash");
		cfi_hash = NULL;
	} else if (opts.stats) {
		printf("cfi_bits: %d\n", cfi_bits);
	}

	return cfi_hash;
}

static unsigned long nr_insns;
static unsigned long nr_insns_visited;

/*
 * Call the arch-specific instruction decoder for all the instructions and add
 * them to the global instruction list.
 *
 * Also classifies each text section by name (sec->text, sec->noinstr,
 * sec->init).  These flags gate later validation, so a new special section
 * name has to be added here to be covered.  Instructions are stored in
 * calloc'd chunks of INSN_CHUNK_SIZE entries addressed by insn->idx;
 * next_insn_same_sec() relies on a zero-length entry after the last one as a
 * terminator, so INSN_CHUNK_SIZE must leave room for that sentinel (assumed,
 * not checked here).  Returns 0 on success, -1 after an ERROR().
 */
static int decode_instructions(struct objtool_file *file)
{
	struct section *sec;
	struct symbol *func;
	unsigned long offset;
	struct instruction *insn;

	for_each_sec(file->elf, sec) {
		struct instruction *insns = NULL;
		u8 prev_len = 0;
		u8 idx = 0;

		if (!is_text_sec(sec))
			continue;

		/* Alternative replacement and .discard.* text is not "real" code. */
		if (strcmp(sec->name, ".altinstr_replacement") &&
		    strcmp(sec->name, ".altinstr_aux") &&
		    strncmp(sec->name, ".discard.", 9))
			sec->text = true;

		/* Sections validated under the noinstr rules. */
		if (!strcmp(sec->name, ".noinstr.text") ||
		    !strcmp(sec->name, ".entry.text") ||
		    !strcmp(sec->name, ".cpuidle.text") ||
		    !strncmp(sec->name, ".text..__x86.", 13))
			sec->noinstr = true;

		/*
		 * .init.text code is run before userspace and thus doesn't
		 * strictly need retpolines, except for modules which are
		 * loaded late, they very much do need retpoline in their
		 * .init.text
		 */
		if (!strcmp(sec->name, ".init.text") && !opts.module)
			sec->init = true;

		/*
		 * Forward progress depends on the decoder setting a non-zero
		 * insn->len on success (assumed; a zero length would loop
		 * forever here).
		 */
		for (offset = 0; offset < sec_size(sec); offset += insn->len) {
			if (!insns || idx == INSN_CHUNK_MAX) {
				insns = calloc(INSN_CHUNK_SIZE, sizeof(*insn));
				if (!insns) {
					ERROR_GLIBC("calloc");
					return -1;
				}
				idx = 0;
			} else {
				idx++;
			}
			insn = &insns[idx];
			insn->idx = idx;

			INIT_LIST_HEAD(&insn->call_node);
			insn->sec = sec;
			insn->offset = offset;
			insn->prev_len = prev_len;

			if (arch_decode_instruction(file, sec, offset, sec_size(sec) - offset, insn))
				return -1;

			prev_len = insn->len;

			/*
			 * By default, "ud2" is a dead end unless otherwise
			 * annotated, because GCC 7 inserts it for certain
			 * divide-by-zero cases.
			 */
			if (insn->type == INSN_BUG)
				insn->dead_end = true;

			hash_add(file->insn_hash, &insn->hash, sec_offset_hash(sec, insn->offset));
			nr_insns++;
		}

		/* Attach each function/notype symbol to the instructions it covers. */
		sec_for_each_sym(sec, func) {
			if (!is_notype_sym(func) && !is_func_sym(func))
				continue;

			if (func->offset == sec_size(sec)) {
				/* Heuristic: likely an "end" symbol */
				if (is_notype_sym(func))
					continue;
				ERROR("%s(): STT_FUNC at end of section", func->name);
				return -1;
			}

			if (func->embedded_insn || is_alias_sym(func))
				continue;

			if (!find_insn(file, sec, func->offset)) {
				ERROR("%s(): can't find starting instruction", func->name);
				return -1;
			}

			/*
			 * An ENDBR on a function's first instruction is queued
			 * on file->endbr_list as a sealing candidate
			 * (presumably removed again once a reference to the
			 * function is found); an ENDBR elsewhere inside a
			 * function is only counted.
			 */
			sym_for_each_insn(file, func, insn) {
				insn->sym = func;
				if (is_func_sym(func) &&
				    insn->type == INSN_ENDBR &&
				    list_empty(&insn->call_node)) {
					if (insn->offset == func->offset) {
						list_add_tail(&insn->call_node, &file->endbr_list);
						file->nr_endbr++;
					} else {
						file->nr_endbr_int++;
					}
				}
			}
		}
	}

	if (opts.stats)
		printf("nr_insns: %lu\n", nr_insns);

	return 0;
}

/*
 * Known pv_ops*[] arrays.
 *
 * idx_off is filled in by init_pv_ops() with each array's first slot in
 * file->pv_ops[]; -1 means the array is absent from this object.  The final
 * NULL-named entry is the sentinel that pv_ops_idx_off() stops on, so it
 * yields -1 for unknown names.
 */
static struct {
	const char *name;
	int idx_off;
} pv_ops_tables[] = {
	{ .name = "pv_ops", },
	{ .name = "pv_ops_lock", },
	{ .name = NULL, .idx_off = -1 }
};

/*
 * Get index offset for a pv_ops* array.
 *
 * Returns the first file->pv_ops[] slot of the named array, or -1 when the
 * name is unknown or the array is not present in this object (the loop then
 * stops on the NULL-named sentinel, whose idx_off is -1).
 */
int pv_ops_idx_off(const char *symname)
{
	int idx;

	for (idx = 0; pv_ops_tables[idx].name; idx++) {
		if (!strcmp(symname, pv_ops_tables[idx].name))
			break;
	}

	return pv_ops_tables[idx].idx_off;
}

/*
 * Read a pv_ops*[] .data table to find the static initialized values.
 *
 * Walks every relocation that lands inside the array symbol and records the
 * referenced function as the initial target of that slot.  Slot numbers are
 * derived from the relocation offset inside the symbol, so they stay within
 * the range init_pv_ops() sized file->pv_ops[] for.
 *
 * NOTE(review): the slot stride is the host's sizeof(unsigned long), while
 * create_mcount_loc_sections() uses elf_addr_size() for the target's pointer
 * width -- confirm the two agree for every supported target.
 *
 * Returns 0 on success, -1 after an ERROR().
 */
static int add_pv_ops(struct objtool_file *file, int pv_ops_idx)
{
	struct symbol *sym, *func;
	unsigned long off, end;
	struct reloc *reloc;
	int idx, idx_off;
	const char *symname;

	symname = pv_ops_tables[pv_ops_idx].name;
	sym = find_symbol_by_name(file->elf, symname);
	if (!sym) {
		ERROR("Unknown pv_ops array %s", symname);
		return -1;
	}

	off = sym->offset;
	end = off + sym->len;
	idx_off = pv_ops_tables[pv_ops_idx].idx_off;
	if (idx_off < 0) {
		ERROR("pv_ops array %s has unknown index offset", symname);
		return -1;
	}

	for (;;) {
		/* Only relocs inside [off, end) are considered. */
		reloc = find_reloc_by_dest_range(file->elf, sym->sec, off, end - off);
		if (!reloc)
			break;

		idx = (reloc_offset(reloc) - sym->offset) / sizeof(unsigned long);

		/* Section-relative reloc: resolve the addend to a function. */
		func = reloc->sym;
		if (is_sec_sym(func))
			func = find_symbol_by_offset(reloc->sym->sec,
						     reloc_addend(reloc));
		if (!func) {
			ERROR_FUNC(reloc->sym->sec, reloc_addend(reloc),
				   "can't find func at %s[%d]", symname, idx);
			return -1;
		}

		if (objtool_pv_add(file, idx + idx_off, func))
			return -1;

		/*
		 * Resume one byte past this reloc; once off reaches end the
		 * next search range is empty.
		 */
		off = reloc_offset(reloc) + 1;
		if (off > end)
			break;
	}

	return 0;
}

/*
 * Allocate and initialize file->pv_ops[].
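 *
 * Only needed for noinstr validation.  Each known pv_ops*[] array present in
 * the object is given a contiguous run of slots starting at its idx_off;
 * arrays that are absent are marked idx_off = -1 and skipped.  Note that this
 * writes into the file-scope pv_ops_tables[].  Returns 0 on success
 * (including "nothing to do"), -1 on allocation or parse failure.
 */
static int init_pv_ops(struct objtool_file *file)
{
	struct symbol *sym;
	int idx, nr;

	if (!opts.noinstr)
		return 0;

	file->pv_ops = NULL;

	nr = 0;
	for (idx = 0; pv_ops_tables[idx].name; idx++) {
		sym = find_symbol_by_name(file->elf, pv_ops_tables[idx].name);
		if (!sym) {
			pv_ops_tables[idx].idx_off = -1;
			continue;
		}
		pv_ops_tables[idx].idx_off = nr;
		nr += sym->len / sizeof(unsigned long);
	}

	if (nr == 0)
		return 0;

	file->pv_ops = calloc(nr, sizeof(struct pv_state));
	if (!file->pv_ops) {
		ERROR_GLIBC("calloc");
		return -1;
	}

	for (idx = 0; idx < nr; idx++)
		INIT_LIST_HEAD(&file->pv_ops[idx].targets);

	for (idx = 0; pv_ops_tables[idx].name; idx++) {
		if (pv_ops_tables[idx].idx_off < 0)
			continue;
		if (add_pv_ops(file, idx))
			return -1;
	}

	return 0;
}

/*
 * A module is treated as a livepatch when its .modinfo carries "livepatch=Y".
 * The leading NUL in the needle anchors the match at the start of a modinfo
 * entry, so a key that merely ends in "livepatch" cannot match.
 *
 * NOTE(review): the very first entry of .modinfo has no preceding NUL and
 * would not be recognised by this needle; verify that livepatch=Y can never
 * be the first entry if file->klp is derived from this (not visible here),
 * since file->klp relaxes the "section already exists" checks below.
 */
static bool is_livepatch_module(struct objtool_file *file)
{
	struct section *sec;

	if (!opts.module)
		return false;

	sec = find_section_by_name(file->elf, ".modinfo");
	if (!sec)
		return false;

	return memmem(sec->data->d_buf, sec_size(sec), "\0livepatch=Y", 12);
}

/*
 * Emit .static_call_sites: one static_call_site per static call found in
 * file->static_call_list, with a text reloc for the call site and a data
 * reloc for its key (the trampoline's name with the tramp prefix swapped for
 * the key prefix).  Sibling calls carry STATIC_CALL_SITE_TAIL in the key's
 * low bits.
 *
 * The strdup()'d name is only needed for the key lookup and is freed on every
 * path once key_sym has been chosen (the original leaked it).  The in-place
 * prefix rewrite assumes STATIC_CALL_KEY_PREFIX_LEN <=
 * STATIC_CALL_TRAMP_PREFIX_LEN so that it stays inside the already-verified
 * prefix -- TODO confirm against static_call_types.h.
 *
 * Returns 0 on success (including "nothing to do"), -1 on failure.
 */
static int create_static_call_sections(struct objtool_file *file)
{
	struct static_call_site *site;
	struct section *sec;
	struct instruction *insn;
	struct symbol *key_sym;
	char *key_name, *tmp;
	int idx;

	sec = find_section_by_name(file->elf, ".static_call_sites");
	if (sec) {
		/*
		 * Livepatch modules may have already extracted the static call
		 * site entries to take advantage of vmlinux static call
		 * privileges.
		 */
		if (!file->klp)
			WARN("file already has .static_call_sites section, skipping");

		return 0;
	}

	if (list_empty(&file->static_call_list))
		return 0;

	idx = 0;
	list_for_each_entry(insn, &file->static_call_list, call_node)
		idx++;

	/* Two relocs per entry: one for 'addr', one for 'key'. */
	sec = elf_create_section_pair(file->elf, ".static_call_sites",
				      sizeof(*site), idx, idx * 2);
	if (!sec)
		return -1;

	/* Allow modules to modify the low bits of static_call_site::key */
	sec->sh.sh_flags |= SHF_WRITE;

	idx = 0;
	list_for_each_entry(insn, &file->static_call_list, call_node) {

		/* populate reloc for 'addr' */
		if (!elf_init_reloc_text_sym(file->elf, sec,
					     idx * sizeof(*site), idx * 2,
					     insn->sec, insn->offset))
			return -1;

		/* find key symbol */
		key_name = strdup(insn_call_dest(insn)->name);
		if (!key_name) {
			ERROR_GLIBC("strdup");
			return -1;
		}
		if (strncmp(key_name, STATIC_CALL_TRAMP_PREFIX_STR,
			    STATIC_CALL_TRAMP_PREFIX_LEN)) {
			ERROR("static_call: trampoline name malformed: %s", key_name);
			free(key_name);
			return -1;
		}
		tmp = key_name + STATIC_CALL_TRAMP_PREFIX_LEN - STATIC_CALL_KEY_PREFIX_LEN;
		memcpy(tmp, STATIC_CALL_KEY_PREFIX_STR, STATIC_CALL_KEY_PREFIX_LEN);

		key_sym = find_symbol_by_name(file->elf, tmp);
		if (!key_sym) {
			if (!opts.module) {
				ERROR("static_call: can't find static_call_key symbol: %s", tmp);
				free(key_name);
				return -1;
			}

			/*
			 * For modules(), the key might not be exported, which
			 * means the module can make static calls but isn't
			 * allowed to change them.
			 *
			 * In that case we temporarily set the key to be the
			 * trampoline address. This is fixed up in
			 * static_call_add_module().
			 */
			key_sym = insn_call_dest(insn);
		}

		/* key_sym is a symbol of the ELF; the name copy is no longer needed. */
		free(key_name);

		/* populate reloc for 'key' */
		if (!elf_init_reloc_data_sym(file->elf, sec,
					     idx * sizeof(*site) + 4,
					     (idx * 2) + 1, key_sym,
					     is_sibling_call(insn) * STATIC_CALL_SITE_TAIL))
			return -1;

		idx++;
	}

	return 0;
}

/*
 * Emit .retpoline_sites: one 4-byte text reloc per call/jump through a
 * retpoline thunk (file->retpoline_call_list), for the kernel to patch at
 * runtime.  Returns 0 on success (including no sites), -1 on failure.
 */
static int create_retpoline_sites_sections(struct objtool_file *file)
{
	struct instruction *insn;
	struct section *sec;
	int idx;

	sec = find_section_by_name(file->elf, ".retpoline_sites");
	if (sec) {
		WARN("file already has .retpoline_sites, skipping");
		return 0;
	}

	idx = 0;
	list_for_each_entry(insn, &file->retpoline_call_list, call_node)
		idx++;

	if (!idx)
		return 0;

	sec = elf_create_section_pair(file->elf, ".retpoline_sites",
				      sizeof(int), idx, idx);
	if (!sec)
		return -1;

	idx = 0;
	list_for_each_entry(insn, &file->retpoline_call_list, call_node) {

		if (!elf_init_reloc_text_sym(file->elf, sec,
					     idx * sizeof(int), idx,
					     insn->sec, insn->offset))
			return -1;

		idx++;
	}

	return 0;
}

/*
 * Emit .return_sites: one 4-byte text reloc per jump to the return thunk
 * (file->return_thunk_list).  Same shape and return convention as
 * create_retpoline_sites_sections().
 */
static int create_return_sites_sections(struct objtool_file *file)
{
	struct instruction *insn;
	struct section *sec;
	int idx;

	sec = find_section_by_name(file->elf, ".return_sites");
	if (sec) {
		WARN("file already has .return_sites, skipping");
		return 0;
	}

	idx = 0;
	list_for_each_entry(insn, &file->return_thunk_list, call_node)
		idx++;

	if (!idx)
		return 0;

	sec = elf_create_section_pair(file->elf, ".return_sites",
				      sizeof(int), idx, idx);
	if (!sec)
		return -1;

	idx = 0;
	list_for_each_entry(insn, &file->return_thunk_list, call_node) {

		if (!elf_init_reloc_text_sym(file->elf, sec,
					     idx * sizeof(int), idx,
					     insn->sec, insn->offset))
			return -1;

		idx++;
	}

	return 0;
}

static int create_ibt_endbr_seal_sections(struct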
objtool_file *file) 829 { 830 struct instruction *insn; 831 struct section *sec; 832 int idx; 833 834 sec = find_section_by_name(file->elf, ".ibt_endbr_seal"); 835 if (sec) { 836 WARN("file already has .ibt_endbr_seal, skipping"); 837 return 0; 838 } 839 840 idx = 0; 841 list_for_each_entry(insn, &file->endbr_list, call_node) 842 idx++; 843 844 if (opts.stats) { 845 printf("ibt: ENDBR at function start: %d\n", file->nr_endbr); 846 printf("ibt: ENDBR inside functions: %d\n", file->nr_endbr_int); 847 printf("ibt: superfluous ENDBR: %d\n", idx); 848 } 849 850 if (!idx) 851 return 0; 852 853 sec = elf_create_section_pair(file->elf, ".ibt_endbr_seal", 854 sizeof(int), idx, idx); 855 if (!sec) 856 return -1; 857 858 idx = 0; 859 list_for_each_entry(insn, &file->endbr_list, call_node) { 860 861 int *site = (int *)sec->data->d_buf + idx; 862 struct symbol *sym = insn->sym; 863 *site = 0; 864 865 if (opts.module && sym && is_func_sym(sym) && 866 insn->offset == sym->offset && 867 (!strcmp(sym->name, "init_module") || 868 !strcmp(sym->name, "cleanup_module"))) { 869 ERROR("%s(): Magic init_module() function name is deprecated, use module_init(fn) instead", 870 sym->name); 871 return -1; 872 } 873 874 if (!elf_init_reloc_text_sym(file->elf, sec, 875 idx * sizeof(int), idx, 876 insn->sec, insn->offset)) 877 return -1; 878 879 idx++; 880 } 881 882 return 0; 883 } 884 885 static int create_cfi_sections(struct objtool_file *file) 886 { 887 struct section *sec; 888 struct symbol *sym; 889 int idx; 890 891 sec = find_section_by_name(file->elf, ".cfi_sites"); 892 if (sec) { 893 WARN("file already has .cfi_sites section, skipping"); 894 return 0; 895 } 896 897 idx = 0; 898 for_each_sym(file->elf, sym) { 899 if (!is_func_sym(sym)) 900 continue; 901 902 if (strncmp(sym->name, "__cfi_", 6)) 903 continue; 904 905 idx++; 906 } 907 908 sec = elf_create_section_pair(file->elf, ".cfi_sites", 909 sizeof(unsigned int), idx, idx); 910 if (!sec) 911 return -1; 912 913 idx = 0; 914 
for_each_sym(file->elf, sym) { 915 if (!is_func_sym(sym)) 916 continue; 917 918 if (strncmp(sym->name, "__cfi_", 6)) 919 continue; 920 921 if (!elf_init_reloc_text_sym(file->elf, sec, 922 idx * sizeof(unsigned int), idx, 923 sym->sec, sym->offset)) 924 return -1; 925 926 idx++; 927 } 928 929 return 0; 930 } 931 932 static int create_mcount_loc_sections(struct objtool_file *file) 933 { 934 size_t addr_size = elf_addr_size(file->elf); 935 struct instruction *insn; 936 struct section *sec; 937 int idx; 938 939 sec = find_section_by_name(file->elf, "__mcount_loc"); 940 if (sec) { 941 /* 942 * Livepatch modules have already extracted their __mcount_loc 943 * entries to cover the !CONFIG_FTRACE_MCOUNT_USE_OBJTOOL case. 944 */ 945 if (!file->klp) 946 WARN("file already has __mcount_loc section, skipping"); 947 948 return 0; 949 } 950 951 if (list_empty(&file->mcount_loc_list)) 952 return 0; 953 954 idx = 0; 955 list_for_each_entry(insn, &file->mcount_loc_list, call_node) 956 idx++; 957 958 sec = elf_create_section_pair(file->elf, "__mcount_loc", addr_size, 959 idx, idx); 960 if (!sec) 961 return -1; 962 963 sec->sh.sh_addralign = addr_size; 964 965 idx = 0; 966 list_for_each_entry(insn, &file->mcount_loc_list, call_node) { 967 968 struct reloc *reloc; 969 970 reloc = elf_init_reloc_text_sym(file->elf, sec, idx * addr_size, idx, 971 insn->sec, insn->offset); 972 if (!reloc) 973 return -1; 974 975 set_reloc_type(file->elf, reloc, addr_size == 8 ? 
R_ABS64 : R_ABS32); 976 977 idx++; 978 } 979 980 return 0; 981 } 982 983 static int create_direct_call_sections(struct objtool_file *file) 984 { 985 struct instruction *insn; 986 struct section *sec; 987 int idx; 988 989 sec = find_section_by_name(file->elf, ".call_sites"); 990 if (sec) { 991 WARN("file already has .call_sites section, skipping"); 992 return 0; 993 } 994 995 if (list_empty(&file->call_list)) 996 return 0; 997 998 idx = 0; 999 list_for_each_entry(insn, &file->call_list, call_node) 1000 idx++; 1001 1002 sec = elf_create_section_pair(file->elf, ".call_sites", 1003 sizeof(unsigned int), idx, idx); 1004 if (!sec) 1005 return -1; 1006 1007 idx = 0; 1008 list_for_each_entry(insn, &file->call_list, call_node) { 1009 1010 if (!elf_init_reloc_text_sym(file->elf, sec, 1011 idx * sizeof(unsigned int), idx, 1012 insn->sec, insn->offset)) 1013 return -1; 1014 1015 idx++; 1016 } 1017 1018 return 0; 1019 } 1020 1021 /* 1022 * Warnings shouldn't be reported for ignored functions. 1023 */ 1024 static int add_ignores(struct objtool_file *file) 1025 { 1026 struct section *rsec; 1027 struct symbol *func; 1028 struct reloc *reloc; 1029 1030 rsec = find_section_by_name(file->elf, ".rela.discard.func_stack_frame_non_standard"); 1031 if (!rsec) 1032 return 0; 1033 1034 for_each_reloc(rsec, reloc) { 1035 switch (reloc->sym->type) { 1036 case STT_FUNC: 1037 func = reloc->sym; 1038 break; 1039 1040 case STT_SECTION: 1041 func = find_func_by_offset(reloc->sym->sec, reloc_addend(reloc)); 1042 if (!func) 1043 continue; 1044 break; 1045 1046 default: 1047 ERROR("unexpected relocation symbol type in %s: %d", 1048 rsec->name, reloc->sym->type); 1049 return -1; 1050 } 1051 1052 func->ignore = true; 1053 if (func->cfunc) 1054 func->cfunc->ignore = true; 1055 } 1056 1057 return 0; 1058 } 1059 1060 /* 1061 * This is a whitelist of functions that is allowed to be called with AC set. 
1062 * The list is meant to be minimal and only contains compiler instrumentation 1063 * ABI and a few functions used to implement *_{to,from}_user() functions. 1064 * 1065 * These functions must not directly change AC, but may PUSHF/POPF. 1066 */ 1067 static const char *uaccess_safe_builtin[] = { 1068 /* KASAN */ 1069 "kasan_report", 1070 "kasan_check_range", 1071 /* KASAN out-of-line */ 1072 "__asan_loadN_noabort", 1073 "__asan_load1_noabort", 1074 "__asan_load2_noabort", 1075 "__asan_load4_noabort", 1076 "__asan_load8_noabort", 1077 "__asan_load16_noabort", 1078 "__asan_storeN_noabort", 1079 "__asan_store1_noabort", 1080 "__asan_store2_noabort", 1081 "__asan_store4_noabort", 1082 "__asan_store8_noabort", 1083 "__asan_store16_noabort", 1084 "__kasan_check_read", 1085 "__kasan_check_write", 1086 /* KASAN in-line */ 1087 "__asan_report_load_n_noabort", 1088 "__asan_report_load1_noabort", 1089 "__asan_report_load2_noabort", 1090 "__asan_report_load4_noabort", 1091 "__asan_report_load8_noabort", 1092 "__asan_report_load16_noabort", 1093 "__asan_report_store_n_noabort", 1094 "__asan_report_store1_noabort", 1095 "__asan_report_store2_noabort", 1096 "__asan_report_store4_noabort", 1097 "__asan_report_store8_noabort", 1098 "__asan_report_store16_noabort", 1099 /* KCSAN */ 1100 "__kcsan_check_access", 1101 "__kcsan_mb", 1102 "__kcsan_wmb", 1103 "__kcsan_rmb", 1104 "__kcsan_release", 1105 "kcsan_found_watchpoint", 1106 "kcsan_setup_watchpoint", 1107 "kcsan_check_scoped_accesses", 1108 "kcsan_disable_current", 1109 "kcsan_enable_current_nowarn", 1110 /* KCSAN/TSAN */ 1111 "__tsan_func_entry", 1112 "__tsan_func_exit", 1113 "__tsan_read_range", 1114 "__tsan_write_range", 1115 "__tsan_read1", 1116 "__tsan_read2", 1117 "__tsan_read4", 1118 "__tsan_read8", 1119 "__tsan_read16", 1120 "__tsan_write1", 1121 "__tsan_write2", 1122 "__tsan_write4", 1123 "__tsan_write8", 1124 "__tsan_write16", 1125 "__tsan_read_write1", 1126 "__tsan_read_write2", 1127 "__tsan_read_write4", 1128 
"__tsan_read_write8", 1129 "__tsan_read_write16", 1130 "__tsan_volatile_read1", 1131 "__tsan_volatile_read2", 1132 "__tsan_volatile_read4", 1133 "__tsan_volatile_read8", 1134 "__tsan_volatile_read16", 1135 "__tsan_volatile_write1", 1136 "__tsan_volatile_write2", 1137 "__tsan_volatile_write4", 1138 "__tsan_volatile_write8", 1139 "__tsan_volatile_write16", 1140 "__tsan_atomic8_load", 1141 "__tsan_atomic16_load", 1142 "__tsan_atomic32_load", 1143 "__tsan_atomic64_load", 1144 "__tsan_atomic8_store", 1145 "__tsan_atomic16_store", 1146 "__tsan_atomic32_store", 1147 "__tsan_atomic64_store", 1148 "__tsan_atomic8_exchange", 1149 "__tsan_atomic16_exchange", 1150 "__tsan_atomic32_exchange", 1151 "__tsan_atomic64_exchange", 1152 "__tsan_atomic8_fetch_add", 1153 "__tsan_atomic16_fetch_add", 1154 "__tsan_atomic32_fetch_add", 1155 "__tsan_atomic64_fetch_add", 1156 "__tsan_atomic8_fetch_sub", 1157 "__tsan_atomic16_fetch_sub", 1158 "__tsan_atomic32_fetch_sub", 1159 "__tsan_atomic64_fetch_sub", 1160 "__tsan_atomic8_fetch_and", 1161 "__tsan_atomic16_fetch_and", 1162 "__tsan_atomic32_fetch_and", 1163 "__tsan_atomic64_fetch_and", 1164 "__tsan_atomic8_fetch_or", 1165 "__tsan_atomic16_fetch_or", 1166 "__tsan_atomic32_fetch_or", 1167 "__tsan_atomic64_fetch_or", 1168 "__tsan_atomic8_fetch_xor", 1169 "__tsan_atomic16_fetch_xor", 1170 "__tsan_atomic32_fetch_xor", 1171 "__tsan_atomic64_fetch_xor", 1172 "__tsan_atomic8_fetch_nand", 1173 "__tsan_atomic16_fetch_nand", 1174 "__tsan_atomic32_fetch_nand", 1175 "__tsan_atomic64_fetch_nand", 1176 "__tsan_atomic8_compare_exchange_strong", 1177 "__tsan_atomic16_compare_exchange_strong", 1178 "__tsan_atomic32_compare_exchange_strong", 1179 "__tsan_atomic64_compare_exchange_strong", 1180 "__tsan_atomic8_compare_exchange_weak", 1181 "__tsan_atomic16_compare_exchange_weak", 1182 "__tsan_atomic32_compare_exchange_weak", 1183 "__tsan_atomic64_compare_exchange_weak", 1184 "__tsan_atomic8_compare_exchange_val", 1185 "__tsan_atomic16_compare_exchange_val", 1186 
"__tsan_atomic32_compare_exchange_val", 1187 "__tsan_atomic64_compare_exchange_val", 1188 "__tsan_atomic_thread_fence", 1189 "__tsan_atomic_signal_fence", 1190 "__tsan_unaligned_read16", 1191 "__tsan_unaligned_write16", 1192 /* KCOV */ 1193 "write_comp_data", 1194 "check_kcov_mode", 1195 "__sanitizer_cov_trace_pc", 1196 "__sanitizer_cov_trace_const_cmp1", 1197 "__sanitizer_cov_trace_const_cmp2", 1198 "__sanitizer_cov_trace_const_cmp4", 1199 "__sanitizer_cov_trace_const_cmp8", 1200 "__sanitizer_cov_trace_cmp1", 1201 "__sanitizer_cov_trace_cmp2", 1202 "__sanitizer_cov_trace_cmp4", 1203 "__sanitizer_cov_trace_cmp8", 1204 "__sanitizer_cov_trace_switch", 1205 /* KMSAN */ 1206 "kmsan_copy_to_user", 1207 "kmsan_disable_current", 1208 "kmsan_enable_current", 1209 "kmsan_report", 1210 "kmsan_unpoison_entry_regs", 1211 "kmsan_unpoison_memory", 1212 "__msan_chain_origin", 1213 "__msan_get_context_state", 1214 "__msan_instrument_asm_store", 1215 "__msan_metadata_ptr_for_load_1", 1216 "__msan_metadata_ptr_for_load_2", 1217 "__msan_metadata_ptr_for_load_4", 1218 "__msan_metadata_ptr_for_load_8", 1219 "__msan_metadata_ptr_for_load_n", 1220 "__msan_metadata_ptr_for_store_1", 1221 "__msan_metadata_ptr_for_store_2", 1222 "__msan_metadata_ptr_for_store_4", 1223 "__msan_metadata_ptr_for_store_8", 1224 "__msan_metadata_ptr_for_store_n", 1225 "__msan_poison_alloca", 1226 "__msan_warning", 1227 /* UBSAN */ 1228 "ubsan_type_mismatch_common", 1229 "__ubsan_handle_type_mismatch", 1230 "__ubsan_handle_type_mismatch_v1", 1231 "__ubsan_handle_shift_out_of_bounds", 1232 "__ubsan_handle_load_invalid_value", 1233 /* KSTACK_ERASE */ 1234 "__sanitizer_cov_stack_depth", 1235 /* TRACE_BRANCH_PROFILING */ 1236 "ftrace_likely_update", 1237 /* STACKPROTECTOR */ 1238 "__stack_chk_fail", 1239 /* misc */ 1240 "csum_partial_copy_generic", 1241 "copy_mc_fragile", 1242 "copy_mc_fragile_handle_tail", 1243 "copy_mc_enhanced_fast_string", 1244 "rep_stos_alternative", 1245 "rep_movs_alternative", 1246 
"copy_to_nontemporal",
	NULL
};

/*
 * add_uaccess_safe() - flag every symbol named in uaccess_safe_builtin[] that
 * is actually defined in @file as uaccess_safe.
 *
 * Only runs when the uaccess checks are enabled (opts.uaccess).  Names that
 * do not resolve in this object are skipped silently.  The flag is consumed
 * by the uaccess validation elsewhere in this file (presumably "may be called
 * while user access is enabled" — confirm against that code).
 */
static void add_uaccess_safe(struct objtool_file *file)
{
	const char **name = uaccess_safe_builtin;

	if (!opts.uaccess)
		return;

	while (*name) {
		struct symbol *func = find_symbol_by_name(file->elf, *name);

		if (func)
			func->uaccess_safe = true;
		name++;
	}
}

/*
 * Arch hook: does @sym name a retpoline thunk?  Calls and tail calls to such
 * a symbol replace INSN_CALL_DYNAMIC and are collected into the
 * .retpoline_sites section.  The default recognises nothing.
 */
__weak bool arch_is_retpoline(struct symbol *sym)
{
	return false;
}

/*
 * Arch hook: does @sym name a return thunk?  Tail calls to such a symbol
 * replace INSN_RETURN and are collected into the .return_sites section.
 * The default recognises nothing.
 */
__weak bool arch_is_rethunk(struct symbol *sym)
{
	return false;
}

/*
 * Arch hook: is @sym a symbol that lives inside the bytes of another
 * instruction?  Such symbols are mostly ignored for validation purposes.
 * The default recognises nothing.
 */
__weak bool arch_is_embedded_insn(struct symbol *sym)
{
	return false;
}

/*
 * insn_reloc() - return the relocation covering @insn, or NULL.
 *
 * The lookup is skipped for fake instructions, when @file is NULL, and once
 * a miss has been recorded in insn->no_reloc.  A miss is cached so the
 * relocation hash is not searched again for the same instruction.
 */
struct reloc *insn_reloc(struct objtool_file *file, struct instruction *insn)
{
	struct reloc *reloc;

	if (!file || insn->no_reloc || insn->fake)
		return NULL;

	reloc = find_reloc_by_dest_range(file->elf, insn->sec,
					 insn->offset, insn->len);
	if (reloc)
		return reloc;

	/* Remember the miss so the next call returns early. */
	insn->no_reloc = 1;
	return NULL;
}

/*
 * remove_insn_ops() - free the stack_op list hanging off @insn and leave the
 * list head NULL.
 */
static void remove_insn_ops(struct instruction *insn)
{
	struct stack_op *op = insn->stack_ops;

	while (op) {
		struct stack_op *done = op;

		op = op->next;
		free(done);
	}
	insn->stack_ops = NULL;
}

/*
 * nop_out_call_site() - overwrite the CALL/JMP at @insn in the ELF data with
 * a NOP of the same length (a RET for a tail call) and neutralise its
 * relocation, then retag the instruction accordingly.
 *
 * Returns -1 if elf_write_insn() fails, 0 otherwise.  The relocation is
 * dropped first so that the rewritten bytes are not patched again by the
 * linker.
 */
static int nop_out_call_site(struct objtool_file *file, struct instruction *insn,
			     struct reloc *reloc, bool sibling)
{
	if (reloc)
		set_reloc_type(file->elf, reloc, R_NONE);

	if (elf_write_insn(file->elf, insn->sec,
			   insn->offset, insn->len,
			   sibling ? arch_ret_insn(insn->len)
				   : arch_nop_insn(insn->len))) {
		return -1;
	}

	insn->type = sibling ? INSN_RETURN : INSN_NOP;
	return 0;
}

/*
 * annotate_call_site() - classify the call (or, when @sibling, tail call) at
 * @insn and queue it on the list its destination symbol calls for.
 *
 * In order of precedence the destination may be: a static-call trampoline
 * (static_call_list), a retpoline thunk (retpoline_call_list), an
 * instrumentation function inside noinstr text (rewritten to NOP/RET when
 * opts.hack_noinstr is set), an ftrace entry (mcount_loc_list, optionally
 * rewritten to a NOP when opts.mnop is set), or an ordinary function
 * (call_list, and dead_end set for non-returning callees).
 *
 * Returns 0 on success, -1 if rewriting the instruction in the ELF fails.
 */
static int annotate_call_site(struct objtool_file *file,
			      struct instruction *insn, bool sibling)
{
	struct reloc *reloc = insn_reloc(file, insn);
	struct symbol *sym = insn_call_dest(insn);

	/*
	 * NOTE(review): an instruction with neither a recorded call dest nor
	 * a relocation would dereference NULL here; the callers are relied on
	 * never to produce that combination — confirm.
	 */
	if (!sym)
		sym = reloc->sym;

	if (sym->static_call_tramp) {
		list_add_tail(&insn->call_node, &file->static_call_list);
		return 0;
	}

	if (sym->retpoline_thunk) {
		list_add_tail(&insn->call_node, &file->retpoline_call_list);
		return 0;
	}

	/*
	 * Many compilers cannot disable KCOV or sanitizer calls with a function
	 * attribute so they need a little help, NOP out any such calls from
	 * noinstr text.
	 */
	if (opts.hack_noinstr && insn->sec->noinstr && sym->profiling_func) {
		if (nop_out_call_site(file, insn, reloc, sibling))
			return -1;

		/*
		 * A rewritten tail-call JMP is now RET; INT3, but only one
		 * struct instruction exists for it.  Mark it retpoline_safe
		 * to avoid the SLS warning instead of adding another insn.
		 */
		if (sibling)
			insn->retpoline_safe = true;

		return 0;
	}

	if (opts.mcount && sym->fentry) {
		if (sibling)
			WARN_INSN(insn, "tail call to __fentry__ !?!?");

		if (opts.mnop && nop_out_call_site(file, insn, reloc, false))
			return -1;

		list_add_tail(&insn->call_node, &file->mcount_loc_list);
		return 0;
	}

	if (insn->type == INSN_CALL && !insn->sec->init &&
	    !insn->_call_dest->embedded_insn)
		list_add_tail(&insn->call_node, &file->call_list);

	if (!sibling && dead_end_function(file, sym))
		insn->dead_end = true;

	return 0;
}

/*
 * add_call_dest() - record @dest as the destination of the call at @insn and
 * annotate the site.  A NULL @dest just clears the recorded destination.
 *
 * Whatever stack impact regular CALLs have, should be undone by the RETURN of
 * the called function, so the instruction's stack_ops are dropped.  Annotated
 * intra-function calls retain the stack_ops but are converted to JUMP, see
 * read_intra_function_calls().
 */
static int add_call_dest(struct objtool_file *file, struct instruction *insn,
			 struct symbol *dest, bool sibling)
{
	insn->_call_dest = dest;
	if (!dest)
		return 0;

	remove_insn_ops(insn);

	return annotate_call_site(file, insn, sibling);
}

/*
 * add_retpoline_call() - turn a direct call/jump to a retpoline thunk into the
 * dynamic call/jump it really is, then annotate it as a call site.
 *
 * Instructions of any other type are left untouched and 0 is returned.  The
 * stack_ops are dropped for the same reason as in add_call_dest().
 */
static int add_retpoline_call(struct objtool_file *file, struct instruction *insn)
{
	if (insn->type == INSN_CALL)
		insn->type = INSN_CALL_DYNAMIC;
	else if (insn->type == INSN_JUMP_UNCONDITIONAL)
		insn->type = INSN_JUMP_DYNAMIC;
	else if (insn->type == INSN_JUMP_CONDITIONAL)
		insn->type = INSN_JUMP_DYNAMIC_CONDITIONAL;
	else
		return 0;

	/* The thunk itself is the mitigation, so the site is safe by construction. */
	insn->retpoline_safe = true;

	remove_insn_ops(insn);

	return annotate_call_site(file, insn, false);
}

/*
 * add_return_call() - a tail call to a return thunk is really just a return in
 * disguise: retag @insn as INSN_RETURN, mark it retpoline_safe and, when @add,
 * queue it on return_thunk_list.
 */
static void add_return_call(struct objtool_file *file, struct instruction *insn, bool add)
{
	insn->type = INSN_RETURN;
	insn->retpoline_safe = true;

	if (add)
		list_add_tail(&insn->call_node, &file->return_thunk_list);
}

/*
 * is_first_func_insn() - is @insn the entry instruction of its function?
 *
 * With IBT enabled (opts.ibt) the instruction directly after a leading ENDBR
 * also counts, so that a direct CALL/JMP past the ENDBR is accepted.
 */
static bool is_first_func_insn(struct objtool_file *file,
			       struct instruction *insn)
{
	struct symbol *func = insn_func(insn);
	struct instruction *prev;

	if (!func)
		return false;

	if (insn->offset == func->offset)
		return true;

	if (!opts.ibt)
		return false;

	prev = prev_insn_same_sym(file, insn);
	return prev && prev->type == INSN_ENDBR &&
	       insn->offset == func->offset + prev->len;
}

/*
 * Find the destination instructions for all jumps.
 *
 * Every static jump gets its jump_dest resolved here; jumps that turn out to
 * be calls in disguise (retpoline thunks, return thunks, sibling calls to
 * another function) are diverted to the call-site machinery instead.
 * Returns 0 on success, -1 after printing an error.
 */
static int add_jump_destinations(struct objtool_file *file)
{
	struct instruction *insn;
	struct reloc *reloc;

	for_each_insn(file, insn) {
		struct symbol *func = insn_func(insn);
		struct instruction *dest_insn;
		struct section *dest_sec;
		struct symbol *dest_sym;
		unsigned long dest_off;

		if (!is_static_jump(insn))
			continue;

		if (insn->jump_dest) {
			/*
			 * handle_group_alt() may have previously set
			 * 'jump_dest' for some alternatives.
			 */
			continue;
		}

		reloc = insn_reloc(file, insn);
		if (!reloc) {
			/* No relocation: the target is encoded in the instruction itself. */
			dest_sec = insn->sec;
			dest_off = arch_jump_destination(insn);
			dest_sym = dest_sec->sym;
		} else {
			dest_sym = reloc->sym;
			if (is_undef_sym(dest_sym)) {
				/*
				 * Undefined symbols are resolved at link time;
				 * thunks are recognised by name, the rest are
				 * external sibling calls.
				 */
				if (dest_sym->retpoline_thunk) {
					if (add_retpoline_call(file, insn))
						return -1;
					continue;
				}

				if (dest_sym->return_thunk) {
					add_return_call(file, insn, true);
					continue;
				}

				/* External symbol */
				if (func) {
					/* External sibling call */
					if (add_call_dest(file, insn, dest_sym, true))
						return -1;
					continue;
				}

				/* Non-func asm code jumping to external symbol */
				continue;
			}

			dest_sec = dest_sym->sec;
			dest_off = dest_sym->offset + arch_insn_adjusted_addend(insn, reloc);
		}

		dest_insn = find_insn(file, dest_sec, dest_off);
		if (!dest_insn) {
			struct symbol *sym = find_symbol_by_offset(dest_sec, dest_off);

			/*
			 * retbleed_untrain_ret() jumps to
			 * __x86_return_thunk(), but objtool can't find
			 * the thunk's starting RET instruction,
			 * because the RET is also in the middle of
			 * another instruction.  Objtool only knows
			 * about the outer instruction.
			 */
			if (sym && sym->embedded_insn) {
				add_return_call(file, insn, false);
				continue;
			}

			/*
			 * GCOV/KCOV dead code can jump to the end of
			 * the function/section.
			 */
			if (file->ignore_unreachables && func &&
			    dest_sec == insn->sec &&
			    dest_off == func->offset + func->len)
				continue;

			ERROR_INSN(insn, "can't find jump dest instruction at %s",
				   offstr(dest_sec, dest_off));
			return -1;
		}

		/*
		 * A section symbol says nothing about the target function;
		 * use the symbol objtool attached to the destination insn.
		 */
		if (!dest_sym || is_sec_sym(dest_sym)) {
			dest_sym = dest_insn->sym;
			if (!dest_sym)
				goto set_jump_dest;
		}

		/* Only a jump to the thunk's first instruction counts as using the thunk. */
		if (dest_sym->retpoline_thunk && dest_insn->offset == dest_sym->offset) {
			if (add_retpoline_call(file, insn))
				return -1;
			continue;
		}

		if (dest_sym->return_thunk && dest_insn->offset == dest_sym->offset) {
			add_return_call(file, insn, true);
			continue;
		}

		if (!insn->sym || insn->sym->pfunc == dest_sym->pfunc)
			goto set_jump_dest;

		/*
		 * Internal cross-function jump.
		 */

		if (is_first_func_insn(file, dest_insn)) {
			/* Internal sibling call */
			if (add_call_dest(file, insn, dest_sym, true))
				return -1;
			continue;
		}

set_jump_dest:
		insn->jump_dest = dest_insn;
	}

	return 0;
}

/*
 * find_call_destination() - symbol at @offset in @sec, preferring a function
 * symbol and falling back to any symbol covering the offset; NULL if none.
 */
static struct symbol *find_call_destination(struct section *sec, unsigned long offset)
{
	struct symbol *call_dest;

	call_dest = find_func_by_offset(sec, offset);
	if (!call_dest)
		call_dest = find_symbol_by_offset(sec, offset);

	return call_dest;
}

/*
 * Find the destination instructions for all calls.
 *
 * Returns 0 on success, -1 after printing an error.
 */

/*
 * add_direct_call_dest() - resolve a CALL that carries no relocation, i.e. one
 * whose target is encoded in the instruction and lies in the same section.
 *
 * @func is the function containing @insn (may be NULL).  Such a call is only
 * acceptable if it resolves to a function symbol, unless the containing
 * function is marked ignore.  Returns 0 on success, -1 after an error.
 */
static int add_direct_call_dest(struct objtool_file *file,
				struct instruction *insn, struct symbol *func)
{
	unsigned long dest_off = arch_jump_destination(insn);
	struct symbol *dest = find_call_destination(insn->sec, dest_off);

	if (add_call_dest(file, insn, dest, false))
		return -1;

	if (func && func->ignore)
		return 0;

	if (!insn_call_dest(insn)) {
		ERROR_INSN(insn, "unannotated intra-function call");
		return -1;
	}

	if (func && !is_func_sym(insn_call_dest(insn))) {
		ERROR_INSN(insn, "unsupported call to non-function");
		return -1;
	}

	return 0;
}

/*
 * add_call_destinations() - resolve the destination of every INSN_CALL in
 * @file and annotate the call site.
 *
 * Four cases: no relocation (direct, same-section target); a relocation
 * against a section symbol (target found by offset within that section);
 * a relocation against a retpoline thunk (converted to a dynamic call);
 * and a relocation against an ordinary symbol.
 */
static int add_call_destinations(struct objtool_file *file)
{
	struct instruction *insn;

	for_each_insn(file, insn) {
		struct symbol *func = insn_func(insn);
		struct reloc *reloc;
		int ret;

		if (insn->type != INSN_CALL)
			continue;

		reloc = insn_reloc(file, insn);
		if (!reloc) {
			ret = add_direct_call_dest(file, insn, func);

		} else if (is_sec_sym(reloc->sym)) {
			unsigned long dest_off = arch_insn_adjusted_addend(insn, reloc);
			struct symbol *dest = find_call_destination(reloc->sym->sec, dest_off);

			if (!dest) {
				ERROR_INSN(insn, "can't find call dest symbol at %s+0x%lx",
					   reloc->sym->sec->name, dest_off);
				return -1;
			}

			ret = add_call_dest(file, insn, dest, false);

		} else if (reloc->sym->retpoline_thunk) {
			ret = add_retpoline_call(file, insn);

		} else {
			ret = add_call_dest(file, insn, reloc->sym, false);
		}

		if (ret)
			return -1;
	}

	return 0;
}

/*
 * The .alternatives section requires some extra special care over and above
 * other special sections because alternatives are patched in place.
 *
 * handle_group_alt() builds (or reuses) the alt_group describing the original
 * instructions covered by @special_alt and creates a second alt_group for the
 * replacement instructions starting at *@new_insn.  On return *@new_insn is
 * the first instruction of the replacement (a fake NOP when the replacement
 * is empty).  Returns 0 on success, -1 after printing an error.
 */
static int handle_group_alt(struct objtool_file *file,
			    struct special_alt *special_alt,
			    struct instruction *orig_insn,
			    struct instruction **new_insn)
{
	struct instruction *last_new_insn = NULL, *insn, *nop = NULL;
	struct alt_group *orig_alt_group, *new_alt_group;
	unsigned long dest_off;

	orig_alt_group = orig_insn->alt_group;
	if (!orig_alt_group) {
		struct instruction *last_orig_insn = NULL;

		/*
		 * First alternative at this site: allocate the group and the
		 * per-byte CFI array it shares with every replacement.
		 */
		orig_alt_group = calloc(1, sizeof(*orig_alt_group));
		if (!orig_alt_group) {
			ERROR_GLIBC("calloc");
			return -1;
		}
		orig_alt_group->cfi = calloc(special_alt->orig_len,
					     sizeof(struct cfi_state *));
		if (!orig_alt_group->cfi) {
			ERROR_GLIBC("calloc");
			return -1;
		}

		insn = orig_insn;
		sec_for_each_insn_from(file, insn) {
			if (insn->offset >= special_alt->orig_off + special_alt->orig_len)
				break;

			insn->alt_group = orig_alt_group;
			last_orig_insn = insn;
		}
		orig_alt_group->orig_group = NULL;
		orig_alt_group->first_insn = orig_insn;
		orig_alt_group->last_insn = last_orig_insn;
		orig_alt_group->nop = NULL;
		orig_alt_group->ignore = orig_insn->ignore_alts;
		orig_alt_group->feature = 0;
	} else {
		/*
		 * A later alternative at the same site must cover exactly the
		 * same byte range as the group built for the first one.
		 */
		if (orig_alt_group->last_insn->offset + orig_alt_group->last_insn->len -
		    orig_alt_group->first_insn->offset != special_alt->orig_len) {
			ERROR_INSN(orig_insn, "weirdly overlapping alternative! %ld != %d",
				   orig_alt_group->last_insn->offset +
				   orig_alt_group->last_insn->len -
				   orig_alt_group->first_insn->offset,
				   special_alt->orig_len);
			return -1;
		}
	}

	new_alt_group = calloc(1, sizeof(*new_alt_group));
	if (!new_alt_group) {
		ERROR_GLIBC("calloc");
		return -1;
	}

	if (special_alt->new_len < special_alt->orig_len) {
		/*
		 * Insert a fake nop at the end to make the replacement
		 * alt_group the same size as the original.  This is needed to
		 * allow propagate_alt_cfi() to do its magic.  When the last
		 * instruction affects the stack, the instruction after it (the
		 * nop) will propagate the new state to the shared CFI array.
		 */
		nop = calloc(1, sizeof(*nop));
		if (!nop) {
			ERROR_GLIBC("calloc");
			return -1;
		}
		/* Redundant after calloc(); harmless. */
		memset(nop, 0, sizeof(*nop));

		nop->sec = special_alt->new_sec;
		nop->offset = special_alt->new_off + special_alt->new_len;
		nop->len = special_alt->orig_len - special_alt->new_len;
		nop->type = INSN_NOP;
		nop->sym = orig_insn->sym;
		nop->alt_group = new_alt_group;
		nop->fake = 1;
	}

	/*
	 * Empty replacement: the fake nop is the whole group.  The caller
	 * rejects orig_len == 0, so nop was allocated above on this path.
	 */
	if (!special_alt->new_len) {
		*new_insn = nop;
		goto end;
	}

	insn = *new_insn;
	sec_for_each_insn_from(file, insn) {
		struct reloc *alt_reloc;

		if (insn->offset >= special_alt->new_off + special_alt->new_len)
			break;

		last_new_insn = insn;

		insn->sym = orig_insn->sym;
		insn->alt_group = new_alt_group;

		/*
		 * Since alternative replacement code is copy/pasted by the
		 * kernel after applying relocations, generally such code can't
		 * have relative-address relocation references to outside the
		 * .altinstr_replacement section, unless the arch's
		 * alternatives code can adjust the relative offsets
		 * accordingly.
		 */
		alt_reloc = insn_reloc(file, insn);
		if (alt_reloc && arch_pc_relative_reloc(alt_reloc) &&
		    !arch_support_alt_relocation(special_alt, insn, alt_reloc)) {

			ERROR_INSN(insn, "unsupported relocation in alternatives section");
			return -1;
		}

		if (!is_static_jump(insn))
			continue;

		if (!insn->immediate)
			continue;

		/*
		 * A jump to just past the end of the replacement really lands
		 * on the instruction following the original group.
		 */
		dest_off = arch_jump_destination(insn);
		if (dest_off == special_alt->new_off + special_alt->new_len) {
			insn->jump_dest = next_insn_same_sec(file, orig_alt_group->last_insn);
			if (!insn->jump_dest) {
				ERROR_INSN(insn, "can't find alternative jump destination");
				return -1;
			}
		}
	}

	if (!last_new_insn) {
		ERROR_FUNC(special_alt->new_sec, special_alt->new_off,
			   "can't find last new alternative instruction");
		return -1;
	}

end:
	new_alt_group->orig_group = orig_alt_group;
	new_alt_group->first_insn = *new_insn;
	new_alt_group->last_insn = last_new_insn;
	new_alt_group->nop = nop;
	new_alt_group->ignore = (*new_insn)->ignore_alts;
	/* The CFI array is shared so replacement state flows back to the original. */
	new_alt_group->cfi = orig_alt_group->cfi;
	new_alt_group->feature = special_alt->feature;
	return 0;
}

/*
 * A jump table entry can either convert a nop to a jump or a jump to a nop.
 * If the original instruction is a jump, make the alt entry an effective nop
 * by just skipping the original instruction.
 *
 * handle_jump_alt() validates a jump-label entry at @orig_insn, optionally
 * rewrites it to a NOP in the ELF data (opts.hack_jump_label, when bit 1 of
 * the key addend is set), updates the short/long statistics and, for a jump,
 * points *@new_insn at the instruction after it.  Returns 0 on success, -1
 * after an error.
 */
static int handle_jump_alt(struct objtool_file *file,
			   struct special_alt *special_alt,
			   struct instruction *orig_insn,
			   struct instruction **new_insn)
{
	bool is_short = orig_insn->len == 2;

	if (orig_insn->type != INSN_JUMP_UNCONDITIONAL &&
	    orig_insn->type != INSN_NOP) {

		ERROR_INSN(orig_insn, "unsupported instruction at jump label");
		return -1;
	}

	if (opts.hack_jump_label && (special_alt->key_addend & 2)) {
		struct reloc *reloc = insn_reloc(file, orig_insn);

		/* Drop the relocation first so the rewritten bytes stay a NOP. */
		if (reloc)
			set_reloc_type(file->elf, reloc, R_NONE);

		if (elf_write_insn(file->elf, orig_insn->sec,
				   orig_insn->offset, orig_insn->len,
				   arch_nop_insn(orig_insn->len)))
			return -1;

		orig_insn->type = INSN_NOP;
	}

	if (orig_insn->type == INSN_NOP) {
		if (is_short)
			file->jl_nop_short++;
		else
			file->jl_nop_long++;

		return 0;
	}

	if (is_short)
		file->jl_short++;
	else
		file->jl_long++;

	/* The original is a jump: the alternative is simply to skip it. */
	*new_insn = next_insn_same_sec(file, orig_insn);
	return 0;
}

/*
 * Read all the special sections which have alternate instructions which can be
 * patched in or redirected to at runtime.  Each instruction having alternate
 * instruction(s) has them added to its insn->alts list, which will be
 * traversed in validate_branch().
1899 */ 1900 static int add_special_section_alts(struct objtool_file *file) 1901 { 1902 struct list_head special_alts; 1903 struct instruction *orig_insn, *new_insn; 1904 struct special_alt *special_alt, *tmp; 1905 enum alternative_type alt_type; 1906 struct alternative *alt; 1907 struct alternative *a; 1908 1909 if (special_get_alts(file->elf, &special_alts)) 1910 return -1; 1911 1912 list_for_each_entry_safe(special_alt, tmp, &special_alts, list) { 1913 1914 orig_insn = find_insn(file, special_alt->orig_sec, 1915 special_alt->orig_off); 1916 if (!orig_insn) { 1917 ERROR_FUNC(special_alt->orig_sec, special_alt->orig_off, 1918 "special: can't find orig instruction"); 1919 return -1; 1920 } 1921 1922 new_insn = NULL; 1923 if (!special_alt->group || special_alt->new_len) { 1924 new_insn = find_insn(file, special_alt->new_sec, 1925 special_alt->new_off); 1926 if (!new_insn) { 1927 ERROR_FUNC(special_alt->new_sec, special_alt->new_off, 1928 "special: can't find new instruction"); 1929 return -1; 1930 } 1931 } 1932 1933 if (special_alt->group) { 1934 if (!special_alt->orig_len) { 1935 ERROR_INSN(orig_insn, "empty alternative entry"); 1936 continue; 1937 } 1938 1939 if (handle_group_alt(file, special_alt, orig_insn, &new_insn)) 1940 return -1; 1941 1942 alt_type = ALT_TYPE_INSTRUCTIONS; 1943 1944 } else if (special_alt->jump_or_nop) { 1945 if (handle_jump_alt(file, special_alt, orig_insn, &new_insn)) 1946 return -1; 1947 1948 alt_type = ALT_TYPE_JUMP_TABLE; 1949 } else { 1950 alt_type = ALT_TYPE_EX_TABLE; 1951 } 1952 1953 alt = calloc(1, sizeof(*alt)); 1954 if (!alt) { 1955 ERROR_GLIBC("calloc"); 1956 return -1; 1957 } 1958 1959 alt->insn = new_insn; 1960 alt->type = alt_type; 1961 alt->next = NULL; 1962 1963 /* 1964 * Store alternatives in the same order they have been 1965 * defined. 
1966 */ 1967 if (!orig_insn->alts) { 1968 orig_insn->alts = alt; 1969 } else { 1970 for (a = orig_insn->alts; a->next; a = a->next) 1971 ; 1972 a->next = alt; 1973 } 1974 1975 list_del(&special_alt->list); 1976 free(special_alt); 1977 } 1978 1979 if (opts.stats) { 1980 printf("jl\\\tNOP\tJMP\n"); 1981 printf("short:\t%ld\t%ld\n", file->jl_nop_short, file->jl_short); 1982 printf("long:\t%ld\t%ld\n", file->jl_nop_long, file->jl_long); 1983 } 1984 1985 return 0; 1986 } 1987 1988 __weak unsigned long arch_jump_table_sym_offset(struct reloc *reloc, struct reloc *table) 1989 { 1990 return reloc->sym->offset + reloc_addend(reloc); 1991 } 1992 1993 static int add_jump_table(struct objtool_file *file, struct instruction *insn) 1994 { 1995 unsigned long table_size = insn_jump_table_size(insn); 1996 struct symbol *pfunc = insn_func(insn)->pfunc; 1997 struct reloc *table = insn_jump_table(insn); 1998 struct instruction *dest_insn; 1999 unsigned int prev_offset = 0; 2000 struct reloc *reloc = table; 2001 struct alternative *alt; 2002 unsigned long sym_offset; 2003 2004 /* 2005 * Each @reloc is a switch table relocation which points to the target 2006 * instruction. 2007 */ 2008 for_each_reloc_from(table->sec, reloc) { 2009 2010 /* Check for the end of the table: */ 2011 if (table_size && reloc_offset(reloc) - reloc_offset(table) >= table_size) 2012 break; 2013 if (reloc != table && is_jump_table(reloc)) 2014 break; 2015 2016 /* Make sure the table entries are consecutive: */ 2017 if (prev_offset && reloc_offset(reloc) != prev_offset + arch_reloc_size(reloc)) 2018 break; 2019 2020 sym_offset = arch_jump_table_sym_offset(reloc, table); 2021 2022 /* Detect function pointers from contiguous objects: */ 2023 if (reloc->sym->sec == pfunc->sec && sym_offset == pfunc->offset) 2024 break; 2025 2026 /* 2027 * Clang sometimes leaves dangling unused jump table entries 2028 * which point to the end of the function. Ignore them. 
2029 */ 2030 if (reloc->sym->sec == pfunc->sec && 2031 sym_offset == pfunc->offset + pfunc->len) 2032 goto next; 2033 2034 dest_insn = find_insn(file, reloc->sym->sec, sym_offset); 2035 if (!dest_insn) 2036 break; 2037 2038 /* Make sure the destination is in the same function: */ 2039 if (!insn_func(dest_insn) || insn_func(dest_insn)->pfunc != pfunc) 2040 break; 2041 2042 alt = calloc(1, sizeof(*alt)); 2043 if (!alt) { 2044 ERROR_GLIBC("calloc"); 2045 return -1; 2046 } 2047 2048 alt->insn = dest_insn; 2049 alt->next = insn->alts; 2050 insn->alts = alt; 2051 next: 2052 prev_offset = reloc_offset(reloc); 2053 } 2054 2055 if (!prev_offset) { 2056 ERROR_INSN(insn, "can't find switch jump table"); 2057 return -1; 2058 } 2059 2060 return 0; 2061 } 2062 2063 /* 2064 * find_jump_table() - Given a dynamic jump, find the switch jump table 2065 * associated with it. 2066 */ 2067 static void find_jump_table(struct objtool_file *file, struct symbol *func, 2068 struct instruction *insn) 2069 { 2070 struct reloc *table_reloc; 2071 struct instruction *dest_insn, *orig_insn = insn; 2072 unsigned long table_size; 2073 unsigned long sym_offset; 2074 2075 /* 2076 * Backward search using the @first_jump_src links, these help avoid 2077 * much of the 'in between' code. Which avoids us getting confused by 2078 * it. 
2079 */ 2080 for (; 2081 insn && insn_func(insn) && insn_func(insn)->pfunc == func; 2082 insn = insn->first_jump_src ?: prev_insn_same_sym(file, insn)) { 2083 2084 if (insn != orig_insn && insn->type == INSN_JUMP_DYNAMIC) 2085 break; 2086 2087 /* allow small jumps within the range */ 2088 if (insn->type == INSN_JUMP_UNCONDITIONAL && 2089 insn->jump_dest && 2090 (insn->jump_dest->offset <= insn->offset || 2091 insn->jump_dest->offset > orig_insn->offset)) 2092 break; 2093 2094 table_reloc = arch_find_switch_table(file, insn, &table_size); 2095 if (!table_reloc) 2096 continue; 2097 2098 sym_offset = table_reloc->sym->offset + reloc_addend(table_reloc); 2099 2100 dest_insn = find_insn(file, table_reloc->sym->sec, sym_offset); 2101 if (!dest_insn || !insn_func(dest_insn) || insn_func(dest_insn)->pfunc != func) 2102 continue; 2103 2104 set_jump_table(table_reloc); 2105 orig_insn->_jump_table = table_reloc; 2106 orig_insn->_jump_table_size = table_size; 2107 2108 break; 2109 } 2110 } 2111 2112 /* 2113 * First pass: Mark the head of each jump table so that in the next pass, 2114 * we know when a given jump table ends and the next one starts. 2115 */ 2116 static void mark_func_jump_tables(struct objtool_file *file, 2117 struct symbol *func) 2118 { 2119 struct instruction *insn, *last = NULL; 2120 2121 func_for_each_insn(file, func, insn) { 2122 if (!last) 2123 last = insn; 2124 2125 /* 2126 * Store back-pointers for forward jumps such 2127 * that find_jump_table() can back-track using those and 2128 * avoid some potentially confusing code. 
2129 */ 2130 if (insn->jump_dest && 2131 insn->jump_dest->offset > insn->offset && 2132 !insn->jump_dest->first_jump_src) { 2133 2134 insn->jump_dest->first_jump_src = insn; 2135 last = insn->jump_dest; 2136 } 2137 2138 if (insn->type != INSN_JUMP_DYNAMIC) 2139 continue; 2140 2141 find_jump_table(file, func, insn); 2142 } 2143 } 2144 2145 static int add_func_jump_tables(struct objtool_file *file, 2146 struct symbol *func) 2147 { 2148 struct instruction *insn; 2149 2150 func_for_each_insn(file, func, insn) { 2151 if (!insn_jump_table(insn)) 2152 continue; 2153 2154 if (add_jump_table(file, insn)) 2155 return -1; 2156 } 2157 2158 return 0; 2159 } 2160 2161 /* 2162 * For some switch statements, gcc generates a jump table in the .rodata 2163 * section which contains a list of addresses within the function to jump to. 2164 * This finds these jump tables and adds them to the insn->alts lists. 2165 */ 2166 static int add_jump_table_alts(struct objtool_file *file) 2167 { 2168 struct symbol *func; 2169 2170 if (!file->rodata) 2171 return 0; 2172 2173 for_each_sym(file->elf, func) { 2174 if (!is_func_sym(func) || is_alias_sym(func)) 2175 continue; 2176 2177 mark_func_jump_tables(file, func); 2178 if (add_func_jump_tables(file, func)) 2179 return -1; 2180 } 2181 2182 return 0; 2183 } 2184 2185 static void set_func_state(struct cfi_state *state) 2186 { 2187 state->cfa = initial_func_cfi.cfa; 2188 memcpy(&state->regs, &initial_func_cfi.regs, 2189 CFI_NUM_REGS * sizeof(struct cfi_reg)); 2190 state->stack_size = initial_func_cfi.cfa.offset; 2191 state->type = UNWIND_HINT_TYPE_CALL; 2192 } 2193 2194 static int read_unwind_hints(struct objtool_file *file) 2195 { 2196 struct cfi_state cfi = init_cfi; 2197 struct section *sec; 2198 struct unwind_hint *hint; 2199 struct instruction *insn; 2200 struct reloc *reloc; 2201 unsigned long offset; 2202 int i; 2203 2204 sec = find_section_by_name(file->elf, ".discard.unwind_hints"); 2205 if (!sec) 2206 return 0; 2207 2208 if (!sec->rsec) { 
2209 ERROR("missing .rela.discard.unwind_hints section"); 2210 return -1; 2211 } 2212 2213 if (sec_size(sec) % sizeof(struct unwind_hint)) { 2214 ERROR("struct unwind_hint size mismatch"); 2215 return -1; 2216 } 2217 2218 file->hints = true; 2219 2220 for (i = 0; i < sec_size(sec) / sizeof(struct unwind_hint); i++) { 2221 hint = (struct unwind_hint *)sec->data->d_buf + i; 2222 2223 reloc = find_reloc_by_dest(file->elf, sec, i * sizeof(*hint)); 2224 if (!reloc) { 2225 ERROR("can't find reloc for unwind_hints[%d]", i); 2226 return -1; 2227 } 2228 2229 offset = reloc->sym->offset + reloc_addend(reloc); 2230 2231 insn = find_insn(file, reloc->sym->sec, offset); 2232 if (!insn) { 2233 ERROR("can't find insn for unwind_hints[%d]", i); 2234 return -1; 2235 } 2236 2237 insn->hint = true; 2238 2239 if (hint->type == UNWIND_HINT_TYPE_UNDEFINED) { 2240 insn->cfi = &force_undefined_cfi; 2241 continue; 2242 } 2243 2244 if (hint->type == UNWIND_HINT_TYPE_SAVE) { 2245 insn->hint = false; 2246 insn->save = true; 2247 continue; 2248 } 2249 2250 if (hint->type == UNWIND_HINT_TYPE_RESTORE) { 2251 insn->restore = true; 2252 continue; 2253 } 2254 2255 if (hint->type == UNWIND_HINT_TYPE_REGS_PARTIAL) { 2256 struct symbol *sym = find_symbol_by_offset(insn->sec, insn->offset); 2257 2258 if (sym && is_global_sym(sym)) { 2259 if (opts.ibt && insn->type != INSN_ENDBR && !insn->noendbr) { 2260 ERROR_INSN(insn, "UNWIND_HINT_IRET_REGS without ENDBR"); 2261 return -1; 2262 } 2263 } 2264 } 2265 2266 if (hint->type == UNWIND_HINT_TYPE_FUNC) { 2267 insn->cfi = &func_cfi; 2268 continue; 2269 } 2270 2271 if (insn->cfi) 2272 cfi = *(insn->cfi); 2273 2274 if (arch_decode_hint_reg(hint->sp_reg, &cfi.cfa.base)) { 2275 ERROR_INSN(insn, "unsupported unwind_hint sp base reg %d", hint->sp_reg); 2276 return -1; 2277 } 2278 2279 cfi.cfa.offset = bswap_if_needed(file->elf, hint->sp_offset); 2280 cfi.type = hint->type; 2281 cfi.signal = hint->signal; 2282 2283 insn->cfi = cfi_hash_find_or_add(&cfi); 2284 } 2285 
2286 return 0; 2287 } 2288 2289 static int read_annotate(struct objtool_file *file, 2290 int (*func)(struct objtool_file *file, int type, struct instruction *insn)) 2291 { 2292 struct section *sec; 2293 struct instruction *insn; 2294 struct reloc *reloc; 2295 uint64_t offset; 2296 int type; 2297 2298 sec = find_section_by_name(file->elf, ".discard.annotate_insn"); 2299 if (!sec) 2300 return 0; 2301 2302 if (!sec->rsec) 2303 return 0; 2304 2305 if (sec->sh.sh_entsize != 8) { 2306 static bool warned = false; 2307 if (!warned && opts.verbose) { 2308 WARN("%s: dodgy linker, sh_entsize != 8", sec->name); 2309 warned = true; 2310 } 2311 sec->sh.sh_entsize = 8; 2312 } 2313 2314 if (sec_num_entries(sec) != sec_num_entries(sec->rsec)) { 2315 ERROR("bad .discard.annotate_insn section: missing relocs"); 2316 return -1; 2317 } 2318 2319 for_each_reloc(sec->rsec, reloc) { 2320 type = annotype(file->elf, sec, reloc); 2321 offset = reloc->sym->offset + reloc_addend(reloc); 2322 insn = find_insn(file, reloc->sym->sec, offset); 2323 2324 if (!insn) { 2325 ERROR("bad .discard.annotate_insn entry: %d of type %d", reloc_idx(reloc), type); 2326 return -1; 2327 } 2328 2329 if (func(file, type, insn)) 2330 return -1; 2331 } 2332 2333 return 0; 2334 } 2335 2336 static int __annotate_early(struct objtool_file *file, int type, struct instruction *insn) 2337 { 2338 switch (type) { 2339 2340 /* Must be before add_special_section_alts() */ 2341 case ANNOTYPE_IGNORE_ALTS: 2342 insn->ignore_alts = true; 2343 break; 2344 2345 /* 2346 * Must be before read_unwind_hints() since that needs insn->noendbr. 
2347 */ 2348 case ANNOTYPE_NOENDBR: 2349 insn->noendbr = 1; 2350 break; 2351 2352 default: 2353 break; 2354 } 2355 2356 return 0; 2357 } 2358 2359 static int __annotate_ifc(struct objtool_file *file, int type, struct instruction *insn) 2360 { 2361 unsigned long dest_off; 2362 2363 if (type != ANNOTYPE_INTRA_FUNCTION_CALL) 2364 return 0; 2365 2366 if (insn->type != INSN_CALL) { 2367 ERROR_INSN(insn, "intra_function_call not a direct call"); 2368 return -1; 2369 } 2370 2371 /* 2372 * Treat intra-function CALLs as JMPs, but with a stack_op. 2373 * See add_call_destinations(), which strips stack_ops from 2374 * normal CALLs. 2375 */ 2376 insn->type = INSN_JUMP_UNCONDITIONAL; 2377 2378 dest_off = arch_jump_destination(insn); 2379 insn->jump_dest = find_insn(file, insn->sec, dest_off); 2380 if (!insn->jump_dest) { 2381 ERROR_INSN(insn, "can't find call dest at %s+0x%lx", 2382 insn->sec->name, dest_off); 2383 return -1; 2384 } 2385 2386 return 0; 2387 } 2388 2389 static int __annotate_late(struct objtool_file *file, int type, struct instruction *insn) 2390 { 2391 struct symbol *sym; 2392 2393 switch (type) { 2394 case ANNOTYPE_NOENDBR: 2395 /* early */ 2396 break; 2397 2398 case ANNOTYPE_RETPOLINE_SAFE: 2399 if (insn->type != INSN_JUMP_DYNAMIC && 2400 insn->type != INSN_CALL_DYNAMIC && 2401 insn->type != INSN_RETURN && 2402 insn->type != INSN_NOP) { 2403 ERROR_INSN(insn, "retpoline_safe hint not an indirect jump/call/ret/nop"); 2404 return -1; 2405 } 2406 2407 insn->retpoline_safe = true; 2408 break; 2409 2410 case ANNOTYPE_INSTR_BEGIN: 2411 insn->instr++; 2412 break; 2413 2414 case ANNOTYPE_INSTR_END: 2415 insn->instr--; 2416 break; 2417 2418 case ANNOTYPE_UNRET_BEGIN: 2419 insn->unret = 1; 2420 break; 2421 2422 case ANNOTYPE_IGNORE_ALTS: 2423 /* early */ 2424 break; 2425 2426 case ANNOTYPE_INTRA_FUNCTION_CALL: 2427 /* ifc */ 2428 break; 2429 2430 case ANNOTYPE_REACHABLE: 2431 insn->dead_end = false; 2432 break; 2433 2434 case ANNOTYPE_NOCFI: 2435 sym = insn->sym; 2436 
		if (!sym) {
			ERROR_INSN(insn, "dodgy NOCFI annotation");
			return -1;
		}
		insn->sym->nocfi = 1;
		break;

	default:
		ERROR_INSN(insn, "Unknown annotation type: %d", type);
		return -1;
	}

	return 0;
}

/*
 * Return true if name matches an instrumentation function, where calls to that
 * function from noinstr code can safely be removed, but compilers won't do so.
 */
static bool is_profiling_func(const char *name)
{
	/*
	 * Many compilers cannot disable KCOV with a function attribute.
	 */
	if (!strncmp(name, "__sanitizer_cov_", 16))
		return true;

	return false;
}

/*
 * Tag symbols with the properties later passes key off (static_call
 * trampolines, retpoline/return thunks, embedded instructions, ftrace
 * entry, KCOV instrumentation) and record the longest global symbol name.
 *
 * Local labels (".L*" NOTYPE symbols) are flagged first; every other
 * classification applies to global symbols only.  Must run before
 * add_{jump,call}_destinations() (see decode_file()).  Always returns 0.
 */
static int classify_symbols(struct objtool_file *file)
{
	struct symbol *func;
	size_t len;

	for_each_sym(file->elf, func) {
		if (is_notype_sym(func) && strstarts(func->name, ".L"))
			func->local_label = true;

		if (!is_global_sym(func))
			continue;

		/* Matched by name prefix; the arch_* helpers decide the rest. */
		if (!strncmp(func->name, STATIC_CALL_TRAMP_PREFIX_STR,
			     strlen(STATIC_CALL_TRAMP_PREFIX_STR)))
			func->static_call_tramp = true;

		if (arch_is_retpoline(func))
			func->retpoline_thunk = true;

		if (arch_is_rethunk(func))
			func->return_thunk = true;

		if (arch_is_embedded_insn(func))
			func->embedded_insn = true;

		if (arch_ftrace_match(func->name))
			func->fentry = true;

		if (is_profiling_func(func->name))
			func->profiling_func = true;

		/* Only global symbols contribute to sym_name_max_len. */
		len = strlen(func->name);
		if (len > sym_name_max_len)
			sym_name_max_len = len;
	}

	return 0;
}

/*
 * Set file->rodata if any section that may hold a jump table is present.
 * The flag is a coarse "worth looking for switch tables at all" hint; the
 * per-section test lives in is_rodata_sec().
 */
static void mark_rodata(struct objtool_file *file)
{
	struct section *sec;

	/*
	 * Search for the following rodata sections, each of which can
	 * potentially contain jump tables:
	 *
	 * - .rodata: can contain GCC switch tables
	 * - .rodata.<func>: same, if -fdata-sections is being used
	 * - .data.rel.ro.c_jump_table:
	 *   contains C annotated jump tables
	 *
	 * .rodata.str1.* sections are ignored; they don't contain jump tables.
	 */
	for_each_sec(file->elf, sec) {
		if (is_rodata_sec(sec)) {
			file->rodata = true;
			return;
		}
	}
}

/*
 * Mark instructions that sit in a "hole": code not covered by any symbol.
 * Only relevant for --link (whole archive) runs; a no-op otherwise.
 *
 * Leading NOPs before the first real instruction of a hole are treated as
 * padding/pfx code and left unmarked; once a hole has started, every
 * instruction in it (NOPs included) gets insn->hole set.  A .cold function
 * that a hole jumps into is itself marked ignore.  Must run after
 * add_jump_destinations() since it reads insn->jump_dest.
 */
static void mark_holes(struct objtool_file *file)
{
	struct instruction *insn;
	bool in_hole = false;

	if (!opts.link)
		return;

	/*
	 * Whole archive runs might encounter dead code from weak symbols.
	 * This is where the linker will have dropped the weak symbol in
	 * favour of a regular symbol, but leaves the code in place.
	 */
	for_each_insn(file, insn) {
		/* Covered by a symbol, or not inside a known hole: reset the state. */
		if (insn->sym || !find_symbol_hole_containing(insn->sec, insn->offset)) {
			in_hole = false;
			continue;
		}

		/* Skip function padding and pfx code */
		if (!in_hole && insn->type == INSN_NOP)
			continue;

		in_hole = true;
		insn->hole = 1;

		/*
		 * If this hole jumps to a .cold function, mark it ignore.
		 */
		if (insn->jump_dest) {
			struct symbol *dest_func = insn_func(insn->jump_dest);

			if (dest_func && is_cold_func(dest_func))
				dest_func->ignore = true;
		}
	}
}

/*
 * True when any option that requires walking every branch (stack
 * validation, ORC generation, uaccess checking) is enabled.
 */
static bool validate_branch_enabled(void)
{
	return opts.stackval ||
	       opts.orc ||
	       opts.uaccess;
}

/*
 * True when alternatives must be parsed: either because branches are
 * validated, or because a pass that needs alternative groups (noinstr,
 * jump-label hack, disassembly, checksum) is enabled.
 */
static bool alts_needed(void)
{
	return validate_branch_enabled() ||
	       opts.noinstr ||
	       opts.hack_jump_label ||
	       opts.disas ||
	       opts.checksum;
}

/*
 * Decode the object file and build all the per-instruction state the
 * validation passes depend on.
 *
 * The ordering below is a contract: each step annotates what a later one
 * reads (see the comments at each call).  Returns 0 on success, -1 on the
 * first failure; errors are reported by the failing step.
 */
int decode_file(struct objtool_file *file)
{
	/* Canonical CFI states, shared by reference through the CFI hash. */
	arch_initial_func_cfi_state(&initial_func_cfi);
	init_cfi_state(&init_cfi);
	init_cfi_state(&func_cfi);
	set_func_state(&func_cfi);
	init_cfi_state(&force_undefined_cfi);
	force_undefined_cfi.force_undefined = true;

	/* Hash size is derived from the symbol count (symbol_bits - 3). */
	if (!cfi_hash_alloc(1UL << (file->elf->symbol_bits - 3)))
		return -1;

	cfi_hash_add(&init_cfi);
	cfi_hash_add(&func_cfi);

	file->klp = is_livepatch_module(file);

	mark_rodata(file);

	if (init_pv_ops(file))
		return -1;

	/*
	 * Must be before add_{jump_call}_destination.
	 */
	if (classify_symbols(file))
		return -1;

	if (decode_instructions(file))
		return -1;

	if (add_ignores(file))
		return -1;

	add_uaccess_safe(file);

	if (read_annotate(file, __annotate_early))
		return -1;

	/*
	 * Must be before add_jump_destinations(), which depends on 'func'
	 * being set for alternatives, to enable proper sibling call detection.
	 */
	if (alts_needed()) {
		if (add_special_section_alts(file))
			return -1;
	}

	if (add_jump_destinations(file))
		return -1;

	/*
	 * Must be before add_call_destination(); it changes INSN_CALL to
	 * INSN_JUMP.
	 */
	if (read_annotate(file, __annotate_ifc))
		return -1;

	if (add_call_destinations(file))
		return -1;

	if (add_jump_table_alts(file))
		return -1;

	if (read_unwind_hints(file))
		return -1;

	/* Must be after add_jump_destinations() */
	mark_holes(file);

	/*
	 * Must be after add_call_destinations() such that it can override
	 * dead_end_function() marks.
	 */
	if (read_annotate(file, __annotate_late))
		return -1;

	return 0;
}

/*
 * True for direct calls whose callee is an ftrace entry or an embedded
 * instruction symbol.  Such calls are exempt from the "call without frame
 * pointer save/setup" check in validate_insn().
 */
static bool is_special_call(struct instruction *insn)
{
	if (insn->type == INSN_CALL) {
		struct symbol *dest = insn_call_dest(insn);

		if (!dest)
			return false;

		if (dest->fentry || dest->embedded_insn)
			return true;
	}

	return false;
}

/*
 * True if the current CFI state differs from the arch's function-entry
 * state (initial_func_cfi) in any way: CFA base/offset, DRAP in use,
 * stack size, or any tracked register.  Used to reject returns and sibling
 * calls made with a live frame.
 */
static bool has_modified_stack_frame(struct instruction *insn, struct insn_state *state)
{
	struct cfi_state *cfi = &state->cfi;
	int i;

	if (cfi->cfa.base != initial_func_cfi.cfa.base || cfi->drap)
		return true;

	if (cfi->cfa.offset != initial_func_cfi.cfa.offset)
		return true;

	/* At function entry the stack size equals the initial CFA offset. */
	if (cfi->stack_size != initial_func_cfi.cfa.offset)
		return true;

	for (i = 0; i < CFI_NUM_REGS; i++) {
		if (cfi->regs[i].base != initial_func_cfi.regs[i].base ||
		    cfi->regs[i].offset != initial_func_cfi.regs[i].offset)
			return true;
	}

	return false;
}

/* True if @reg is known to be saved at CFA + @expected_offset. */
static bool check_reg_frame_pos(const struct cfi_reg *reg,
				int expected_offset)
{
	return reg->base == CFI_CFA &&
	       reg->offset == expected_offset;
}

/*
 * True if a frame pointer based frame is set up: CFA is BP-relative with
 * the saved BP at -cfa.offset and the return address 8 bytes above it, or
 * a DRAP frame with BP saved relative to itself.
 */
static bool has_valid_stack_frame(struct insn_state *state)
{
	struct cfi_state *cfi = &state->cfi;

	if (cfi->cfa.base == CFI_BP &&
	    check_reg_frame_pos(&cfi->regs[CFI_BP], -cfi->cfa.offset) &&
	    check_reg_frame_pos(&cfi->regs[CFI_RA], -cfi->cfa.offset + 8))
		return true;

	if (cfi->drap &&
	    cfi->regs[CFI_BP].base == CFI_BP)
		return true;

	return false;
}

/*
 * Reduced stack tracking for UNWIND_HINT_TYPE_REGS / REGS_PARTIAL regions
 * (dispatched from update_cfi_state()).  Only the CFA offset is followed,
 * and only while the CFA is SP based; register saves are not tracked here.
 * Always returns 0.
 */
static int update_cfi_state_regs(struct instruction *insn,
				  struct cfi_state *cfi,
				  struct stack_op *op)
{
	struct cfi_reg *cfa = &cfi->cfa;

	if (cfa->base != CFI_SP && cfa->base != CFI_SP_INDIRECT)
		return 0;

	/* push */
	if (op->dest.type == OP_DEST_PUSH || op->dest.type == OP_DEST_PUSHF)
		cfa->offset += 8;

	/* pop */
	if (op->src.type == OP_SRC_POP || op->src.type == OP_SRC_POPF)
		cfa->offset -= 8;

	/* add immediate to sp */
	if (op->dest.type == OP_DEST_REG && op->src.type == OP_SRC_ADD &&
	    op->dest.reg == CFI_SP && op->src.reg == CFI_SP)
		cfa->offset -= op->src.offset;

	return 0;
}

/*
 * Record that callee-saved register @reg has been stored at @base+@offset.
 * Only the first save is recorded (base must still be CFI_UNDEFINED), so a
 * later store of the same register does not move its known location.
 * Non callee-saved registers are ignored.
 */
static void save_reg(struct cfi_state *cfi, unsigned char reg, int base, int offset)
{
	if (arch_callee_saved_reg(reg) &&
	    cfi->regs[reg].base == CFI_UNDEFINED) {
		cfi->regs[reg].base = base;
		cfi->regs[reg].offset = offset;
	}
}

/* Reset @reg to its function-entry location (initial_func_cfi). */
static void restore_reg(struct cfi_state *cfi, unsigned char reg)
{
	cfi->regs[reg].base = initial_func_cfi.regs[reg].base;
	cfi->regs[reg].offset = initial_func_cfi.regs[reg].offset;
}

/*
 * A note about DRAP stack alignment:
 *
 * GCC has the concept of a DRAP register, which is used to help keep track of
 * the stack pointer when aligning the stack.  r10 or r13 is used as the DRAP
 * register.  The typical DRAP pattern is:
 *
 *   4c 8d 54 24 08		lea    0x8(%rsp),%r10
 *   48 83 e4 c0		and    $0xffffffffffffffc0,%rsp
 *   41 ff 72 f8		pushq  -0x8(%r10)
 *   55				push   %rbp
 *   48 89 e5			mov    %rsp,%rbp
 *				(more pushes)
 *   41 52			push   %r10
 *				...
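 *   41 5a			pop    %r10
 *				(more pops)
 *   5d				pop    %rbp
 *   49 8d 62 f8		lea    -0x8(%r10),%rsp
 *   c3				retq
 *
 * There are some variations in the epilogues, like:
 *
 *   5b				pop    %rbx
 *   41 5a			pop    %r10
 *   41 5c			pop    %r12
 *   41 5d			pop    %r13
 *   41 5e			pop    %r14
 *   c9				leaveq
 *   49 8d 62 f8		lea    -0x8(%r10),%rsp
 *   c3				retq
 *
 * and:
 *
 *   4c 8b 55 e8		mov    -0x18(%rbp),%r10
 *   48 8b 5d e0		mov    -0x20(%rbp),%rbx
 *   4c 8b 65 f0		mov    -0x10(%rbp),%r12
 *   4c 8b 6d f8		mov    -0x8(%rbp),%r13
 *   c9				leaveq
 *   49 8d 62 f8		lea    -0x8(%r10),%rsp
 *   c3				retq
 *
 * Sometimes r13 is used as the DRAP register, in which case it's saved and
 * restored beforehand:
 *
 *   41 55			push   %r13
 *   4c 8d 6c 24 10		lea    0x10(%rsp),%r13
 *   48 83 e4 f0		and    $0xfffffffffffffff0,%rsp
 *				...
 *   49 8d 65 f0		lea    -0x10(%r13),%rsp
 *   41 5d			pop    %r13
 *   c3				retq
 */

/*
 * Apply one decoded stack operation @op of @insn to the CFI state @cfi.
 *
 * This is the core of the stack-state simulation: it follows pushes, pops,
 * SP/BP moves and adjustments, DRAP realignment and the "stack swizzle"
 * idiom, updating the CFA (base register + offset), the tracked stack size
 * and the known save slots of callee-saved registers.  @next_insn is only
 * consulted to tolerate an otherwise unsupported CFA register modification
 * that is immediately followed by an unwind hint.
 *
 * Returns 0 on success.  Returns 1 for a stack op in a region whose CFA is
 * undefined (inside a function only), and -1 for a stack op that the
 * simulation does not understand; handle_insn_ops() treats any non-zero
 * value as failure.
 *
 * insn->sym may be NULL for code outside any symbol (see mark_holes() and
 * the NOCFI annotation), so the LoongArch frame-pointer checks below guard
 * the dereference instead of assuming a symbol is present.
 */
static int update_cfi_state(struct instruction *insn,
			    struct instruction *next_insn,
			    struct cfi_state *cfi, struct stack_op *op)
{
	struct cfi_reg *cfa = &cfi->cfa;
	struct cfi_reg *regs = cfi->regs;

	/* ignore UNWIND_HINT_UNDEFINED regions */
	if (cfi->force_undefined)
		return 0;

	/* stack operations don't make sense with an undefined CFA */
	if (cfa->base == CFI_UNDEFINED) {
		if (insn_func(insn)) {
			WARN_INSN(insn, "undefined stack state");
			return 1;
		}
		return 0;
	}

	/* pt_regs frames only track the CFA offset, see update_cfi_state_regs(). */
	if (cfi->type == UNWIND_HINT_TYPE_REGS ||
	    cfi->type == UNWIND_HINT_TYPE_REGS_PARTIAL)
		return update_cfi_state_regs(insn, cfi, op);

	switch (op->dest.type) {

	case OP_DEST_REG:
		switch (op->src.type) {

		case OP_SRC_REG:
			if (op->src.reg == CFI_SP && op->dest.reg == CFI_BP &&
			    cfa->base == CFI_SP &&
			    check_reg_frame_pos(&regs[CFI_BP], -cfa->offset)) {

				/* mov %rsp, %rbp */
				cfa->base = op->dest.reg;
				cfi->bp_scratch = false;
			}

			else if (op->src.reg == CFI_SP &&
				 op->dest.reg == CFI_BP && cfi->drap) {

				/* drap: mov %rsp, %rbp */
				regs[CFI_BP].base = CFI_BP;
				regs[CFI_BP].offset = -cfi->stack_size;
				cfi->bp_scratch = false;
			}

			else if (op->src.reg == CFI_SP && cfa->base == CFI_SP) {

				/*
				 * mov %rsp, %reg
				 *
				 * This is needed for the rare case where GCC
				 * does:
				 *
				 *   mov    %rsp, %rax
				 *   ...
				 *   mov    %rax, %rsp
				 */
				cfi->vals[op->dest.reg].base = CFI_CFA;
				cfi->vals[op->dest.reg].offset = -cfi->stack_size;
			}

			else if (op->src.reg == CFI_BP && op->dest.reg == CFI_SP &&
				 (cfa->base == CFI_BP || cfa->base == cfi->drap_reg)) {

				/*
				 * mov %rbp, %rsp
				 *
				 * Restore the original stack pointer (Clang).
				 */
				cfi->stack_size = -cfi->regs[CFI_BP].offset;
			}

			else if (op->dest.reg == cfa->base) {

				/* mov %reg, %rsp */
				if (cfa->base == CFI_SP &&
				    cfi->vals[op->src.reg].base == CFI_CFA) {

					/*
					 * This is needed for the rare case
					 * where GCC does something dumb like:
					 *
					 *   lea    0x8(%rsp), %rcx
					 *   ...
					 *   mov    %rcx, %rsp
					 */
					cfa->offset = -cfi->vals[op->src.reg].offset;
					cfi->stack_size = cfa->offset;

				} else if (cfa->base == CFI_SP &&
					   cfi->vals[op->src.reg].base == CFI_SP_INDIRECT &&
					   cfi->vals[op->src.reg].offset == cfa->offset) {

					/*
					 * Stack swizzle:
					 *
					 *  1: mov %rsp, (%[tos])
					 *  2: mov %[tos], %rsp
					 *     ...
					 *  3: pop %rsp
					 *
					 *  Where:
					 *
					 *  1 - places a pointer to the previous
					 *      stack at the Top-of-Stack of the
					 *      new stack.
					 *
					 *  2 - switches to the new stack.
					 *
					 *  3 - pops the Top-of-Stack to restore
					 *      the original stack.
					 *
					 *  Note: we set base to SP_INDIRECT
					 *  here and preserve offset. Therefore
					 *  when the unwinder reaches ToS it
					 *  will dereference SP and then add the
					 *  offset to find the next frame, IOW:
					 *  (%rsp) + offset.
					 */
					cfa->base = CFI_SP_INDIRECT;

				} else {
					/* Unknown value moved into the CFA register: give up. */
					cfa->base = CFI_UNDEFINED;
					cfa->offset = 0;
				}
			}

			else if (op->dest.reg == CFI_SP &&
				 cfi->vals[op->src.reg].base == CFI_SP_INDIRECT &&
				 cfi->vals[op->src.reg].offset == cfa->offset) {

				/*
				 * The same stack swizzle case 2) as above. But
				 * because we can't change cfa->base, case 3)
				 * will become a regular POP. Pretend we're a
				 * PUSH so things don't go unbalanced.
				 */
				cfi->stack_size += 8;
			}

			else if (cfi->vals[op->src.reg].base == CFI_CFA) {
				/*
				 * Clang RSP musical chairs:
				 *
				 *   mov %rsp, %rdx		[handled above]
				 *   ...
				 *   mov %rdx, %rbx		[handled here]
				 *   ...
				 *   mov %rbx, %rsp		[handled above]
				 */
				cfi->vals[op->dest.reg].base = CFI_CFA;
				cfi->vals[op->dest.reg].offset = cfi->vals[op->src.reg].offset;
			}


			break;

		case OP_SRC_ADD:
			if (op->dest.reg == CFI_SP && op->src.reg == CFI_SP) {

				/* add imm, %rsp */
				cfi->stack_size -= op->src.offset;
				if (cfa->base == CFI_SP)
					cfa->offset -= op->src.offset;
				break;
			}

			/*
			 * insn->sym is NULL for instructions outside any
			 * symbol; without a symbol there is no frame_pointer
			 * flag, so fall through to the generic handling.
			 */
			if (op->dest.reg == CFI_BP && op->src.reg == CFI_SP &&
			    insn->sym && insn->sym->frame_pointer) {
				/* addi.d fp,sp,imm on LoongArch */
				if (cfa->base == CFI_SP && cfa->offset == op->src.offset) {
					cfa->base = CFI_BP;
					cfa->offset = 0;
				}
				break;
			}

			if (op->dest.reg == CFI_SP && op->src.reg == CFI_BP) {
				/* addi.d sp,fp,imm on LoongArch */
				if (cfa->base == CFI_BP && cfa->offset == 0) {
					if (insn->sym && insn->sym->frame_pointer) {
						cfa->base = CFI_SP;
						cfa->offset = -op->src.offset;
					}
				} else {
					/* lea disp(%rbp), %rsp */
					cfi->stack_size = -(op->src.offset + regs[CFI_BP].offset);
				}
				break;
			}

			if (op->src.reg == CFI_SP && cfa->base == CFI_SP) {

				/* drap: lea disp(%rsp), %drap */
				cfi->drap_reg = op->dest.reg;

				/*
				 * lea disp(%rsp), %reg
				 *
				 * This is needed for the rare case where GCC
				 * does something dumb like:
				 *
				 *   lea    0x8(%rsp), %rcx
				 *   ...
				 *   mov    %rcx, %rsp
				 */
				cfi->vals[op->dest.reg].base = CFI_CFA;
				cfi->vals[op->dest.reg].offset =
					-cfi->stack_size + op->src.offset;

				break;
			}

			if (cfi->drap && op->dest.reg == CFI_SP &&
			    op->src.reg == cfi->drap_reg) {

				/* drap: lea disp(%drap), %rsp */
				cfa->base = CFI_SP;
				cfa->offset = cfi->stack_size = -op->src.offset;
				cfi->drap_reg = CFI_UNDEFINED;
				cfi->drap = false;
				break;
			}

			/*
			 * Arbitrary arithmetic on the CFA register can't be
			 * followed, unless an unwind hint immediately after it
			 * re-establishes the state.
			 */
			if (op->dest.reg == cfi->cfa.base && !(next_insn && next_insn->hint)) {
				WARN_INSN(insn, "unsupported stack register modification");
				return -1;
			}

			break;

		case OP_SRC_AND:
			/*
			 * Only SP realignment is understood, and only either
			 * with a DRAP register set up while the CFA is still
			 * SP based, or without DRAP once the CFA is BP based.
			 */
			if (op->dest.reg != CFI_SP ||
			    (cfi->drap_reg != CFI_UNDEFINED && cfa->base != CFI_SP) ||
			    (cfi->drap_reg == CFI_UNDEFINED && cfa->base != CFI_BP)) {
				WARN_INSN(insn, "unsupported stack pointer realignment");
				return -1;
			}

			if (cfi->drap_reg != CFI_UNDEFINED) {
				/* drap: and imm, %rsp */
				cfa->base = cfi->drap_reg;
				cfa->offset = cfi->stack_size = 0;
				cfi->drap = true;
			}

			/*
			 * Older versions of GCC (4.8ish) realign the stack
			 * without DRAP, with a frame pointer.
			 */

			break;

		case OP_SRC_POP:
		case OP_SRC_POPF:
			if (op->dest.reg == CFI_SP && cfa->base == CFI_SP_INDIRECT) {

				/* pop %rsp; # restore from a stack swizzle */
				cfa->base = CFI_SP;
				break;
			}

			if (!cfi->drap && op->dest.reg == cfa->base) {

				/* pop %rbp */
				cfa->base = CFI_SP;
			}

			if (cfi->drap && cfa->base == CFI_BP_INDIRECT &&
			    op->dest.reg == cfi->drap_reg &&
			    cfi->drap_offset == -cfi->stack_size) {

				/* drap: pop %drap */
				cfa->base = cfi->drap_reg;
				cfa->offset = 0;
				cfi->drap_offset = -1;

			} else if (cfi->stack_size == -regs[op->dest.reg].offset) {

				/* pop %reg */
				restore_reg(cfi, op->dest.reg);
			}

			cfi->stack_size -= 8;
			if (cfa->base == CFI_SP)
				cfa->offset -= 8;

			break;

		case OP_SRC_REG_INDIRECT:
			if (!cfi->drap && op->dest.reg == cfa->base &&
			    op->dest.reg == CFI_BP) {

				/* mov disp(%rsp), %rbp */
				cfa->base = CFI_SP;
				cfa->offset = cfi->stack_size;
			}

			if (cfi->drap && op->src.reg == CFI_BP &&
			    op->src.offset == cfi->drap_offset) {

				/* drap: mov disp(%rbp), %drap */
				cfa->base = cfi->drap_reg;
				cfa->offset = 0;
				cfi->drap_offset = -1;
			}

			if (cfi->drap && op->src.reg == CFI_BP &&
			    op->src.offset == regs[op->dest.reg].offset) {

				/* drap: mov disp(%rbp), %reg */
				restore_reg(cfi, op->dest.reg);

			} else if (op->src.reg == cfa->base &&
			    op->src.offset == regs[op->dest.reg].offset + cfa->offset) {

				/* mov disp(%rbp), %reg */
				/* mov disp(%rsp), %reg */
				restore_reg(cfi, op->dest.reg);

			} else if (op->src.reg == CFI_SP &&
			    op->src.offset == regs[op->dest.reg].offset + cfi->stack_size) {

				/* mov disp(%rsp), %reg */
				restore_reg(cfi, op->dest.reg);
			}

			break;

		default:
			WARN_INSN(insn, "unknown stack-related instruction");
			return -1;
		}

		break;

	case OP_DEST_PUSH:
	case OP_DEST_PUSHF:
		cfi->stack_size += 8;
		if (cfa->base == CFI_SP)
			cfa->offset += 8;

		/* Only a pushed register can be a save slot worth tracking. */
		if (op->src.type != OP_SRC_REG)
			break;

		if (cfi->drap) {
			if (op->src.reg == cfa->base && op->src.reg == cfi->drap_reg) {

				/* drap: push %drap */
				cfa->base = CFI_BP_INDIRECT;
				cfa->offset = -cfi->stack_size;

				/* save drap so we know when to restore it */
				cfi->drap_offset = -cfi->stack_size;

			} else if (op->src.reg == CFI_BP && cfa->base == cfi->drap_reg) {

				/* drap: push %rbp */
				cfi->stack_size = 0;

			} else {

				/* drap: push %reg */
				save_reg(cfi, op->src.reg, CFI_BP, -cfi->stack_size);
			}

		} else {

			/* push %reg */
			save_reg(cfi, op->src.reg, CFI_CFA, -cfi->stack_size);
		}

		/* detect when asm code uses rbp as a scratch register */
		if (opts.stackval && insn_func(insn) && op->src.reg == CFI_BP &&
		    cfa->base != CFI_BP)
			cfi->bp_scratch = true;
		break;

	case OP_DEST_REG_INDIRECT:

		if (cfi->drap) {
			if (op->src.reg == cfa->base && op->src.reg == cfi->drap_reg) {

				/* drap: mov %drap, disp(%rbp) */
				cfa->base = CFI_BP_INDIRECT;
				cfa->offset = op->dest.offset;

				/* save drap offset so we know when to restore it */
				cfi->drap_offset = op->dest.offset;
			} else {

				/* drap: mov reg, disp(%rbp) */
				save_reg(cfi, op->src.reg, CFI_BP, op->dest.offset);
			}

		} else if (op->dest.reg == cfa->base) {

			/* mov reg, disp(%rbp) */
			/* mov reg, disp(%rsp) */
			save_reg(cfi, op->src.reg, CFI_CFA,
				 op->dest.offset - cfi->cfa.offset);

		} else if (op->dest.reg == CFI_SP) {

			/* mov reg, disp(%rsp) */
			save_reg(cfi, op->src.reg, CFI_CFA,
				 op->dest.offset - cfi->stack_size);

		} else if (op->src.reg == CFI_SP && op->dest.offset == 0) {

			/* mov %rsp, (%reg); # setup a stack swizzle. */
			cfi->vals[op->dest.reg].base = CFI_SP_INDIRECT;
			cfi->vals[op->dest.reg].offset = cfa->offset;
		}

		break;

	case OP_DEST_MEM:
		if (op->src.type != OP_SRC_POP && op->src.type != OP_SRC_POPF) {
			WARN_INSN(insn, "unknown stack-related memory operation");
			return -1;
		}

		/* pop mem */
		cfi->stack_size -= 8;
		if (cfa->base == CFI_SP)
			cfa->offset -= 8;

		break;

	default:
		WARN_INSN(insn, "unknown stack-related instruction");
		return -1;
	}

	return 0;
}

/*
 * The stack layouts of alternatives instructions can sometimes diverge when
 * they have stack modifications.  That's fine as long as the potential stack
 * layouts don't conflict at any given potential instruction boundary.
 *
 * Flatten the CFIs of the different alternative code streams (both original
 * and replacement) into a single shared CFI array which can be used to detect
 * conflicts and nicely feed a linear array of ORC entries to the unwinder.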
 */
/*
 * Record @insn's CFI in its alt_group's shared per-offset CFI array, or
 * verify it against the CFI already recorded there by another stream of
 * the same group.
 *
 * Returns 0 when @insn is not part of an alt_group or its CFI agrees with
 * the recorded one, -1 when the CFI is missing or the layouts conflict (the
 * warning is reported at the original group's first instruction).
 */
static int propagate_alt_cfi(struct objtool_file *file, struct instruction *insn)
{
	struct cfi_state **alt_cfi;
	int group_off;

	if (!insn->alt_group)
		return 0;

	if (!insn->cfi) {
		WARN("CFI missing");
		return -1;
	}

	alt_cfi = insn->alt_group->cfi;
	/* Index by byte offset from the start of the group. */
	group_off = insn->offset - insn->alt_group->first_insn->offset;

	if (!alt_cfi[group_off]) {
		alt_cfi[group_off] = insn->cfi;
	} else {
		if (cficmp(alt_cfi[group_off], insn->cfi)) {
			struct alt_group *orig_group = insn->alt_group->orig_group ?: insn->alt_group;
			struct instruction *orig = orig_group->first_insn;
			WARN_INSN(orig, "stack layout conflict in alternatives: %s",
				  offstr(insn->sec, insn->offset));
			return -1;
		}
	}

	return 0;
}

/*
 * Apply all of @insn's stack operations to @state.
 *
 * Each op goes through update_cfi_state(); the first non-zero result stops
 * processing and is returned.  With --uaccess, PUSHF/POPF inside an
 * alternative group additionally save/restore the current uaccess state on
 * state->uaccess_stack.  That field is a bit stack: a leading 1 bit is the
 * sentinel, each PUSHF shifts in the current uaccess bit, each POPF pops
 * one bit, and the stack is cleared once only the sentinel remains.  A
 * PUSHF is refused once the sentinel has reached bit 31, since shifting
 * further would lose it.
 */
static int noinline handle_insn_ops(struct instruction *insn,
				    struct instruction *next_insn,
				    struct insn_state *state)
{
	struct insn_state prev_state __maybe_unused = *state;
	struct stack_op *op;
	int ret = 0;

	for (op = insn->stack_ops; op; op = op->next) {

		ret = update_cfi_state(insn, next_insn, &state->cfi, op);
		if (ret)
			goto done;

		/* uaccess tracking only matters inside alternatives. */
		if (!opts.uaccess || !insn->alt_group)
			continue;

		if (op->dest.type == OP_DEST_PUSHF) {
			if (!state->uaccess_stack) {
				state->uaccess_stack = 1;
			} else if (state->uaccess_stack >> 31) {
				WARN_INSN(insn, "PUSHF stack exhausted");
				ret = 1;
				goto done;
			}
			state->uaccess_stack <<= 1;
			state->uaccess_stack |= state->uaccess;
		}

		if (op->src.type == OP_SRC_POPF) {
			if (state->uaccess_stack) {
				state->uaccess = state->uaccess_stack & 1;
				state->uaccess_stack >>= 1;
				if (state->uaccess_stack == 1)
					state->uaccess_stack = 0;
			}
		}
	}

done:
	TRACE_INSN_STATE(insn, &prev_state, state);

	return ret;
}

/*
 * Compare @insn's recorded CFI against @cfi2, the state reached on another
 * path to the same instruction.  Every mismatch is reported with a warning
 * (all differing registers are listed); returns true only when the CFA,
 * registers, type and DRAP state all agree.
 */
static bool
insn_cfi_match(struct instruction *insn, struct cfi_state *cfi2)
{
	struct cfi_state *cfi1 = insn->cfi;
	int i;

	if (!cfi1) {
		WARN("CFI missing");
		return false;
	}

	if (memcmp(&cfi1->cfa, &cfi2->cfa, sizeof(cfi1->cfa))) {

		WARN_INSN(insn, "stack state mismatch: cfa1=%d%+d cfa2=%d%+d",
			  cfi1->cfa.base, cfi1->cfa.offset,
			  cfi2->cfa.base, cfi2->cfa.offset);
		return false;

	}

	if (memcmp(&cfi1->regs, &cfi2->regs, sizeof(cfi1->regs))) {
		/* Report every register that differs, not just the first. */
		for (i = 0; i < CFI_NUM_REGS; i++) {

			if (!memcmp(&cfi1->regs[i], &cfi2->regs[i], sizeof(struct cfi_reg)))
				continue;

			WARN_INSN(insn, "stack state mismatch: reg1[%d]=%d%+d reg2[%d]=%d%+d",
				  i, cfi1->regs[i].base, cfi1->regs[i].offset,
				  i, cfi2->regs[i].base, cfi2->regs[i].offset);
		}
		return false;
	}

	if (cfi1->type != cfi2->type) {

		WARN_INSN(insn, "stack state mismatch: type1=%d type2=%d",
			  cfi1->type, cfi2->type);
		return false;
	}

	/* drap_reg/drap_offset are only meaningful while DRAP is active. */
	if (cfi1->drap != cfi2->drap ||
	    (cfi1->drap && cfi1->drap_reg != cfi2->drap_reg) ||
	    (cfi1->drap && cfi1->drap_offset != cfi2->drap_offset)) {

		WARN_INSN(insn, "stack state mismatch: drap1=%d(%d,%d) drap2=%d(%d,%d)",
			  cfi1->drap, cfi1->drap_reg, cfi1->drap_offset,
			  cfi2->drap, cfi2->drap_reg, cfi2->drap_offset);
		return false;
	}

	return true;
}

/* True if @func is marked uaccess-safe; a NULL (unknown) callee is not. */
static inline bool func_uaccess_safe(struct symbol *func)
{
	if (func)
		return func->uaccess_safe;

	return false;
}

/*
 * Name of @insn's call target, for warnings only.
 *
 * Direct calls return the callee's symbol name.  Indirect calls through
 * pv_ops return "pv_ops[<idx>]" formatted into a static buffer, so the
 * result is only valid until the next such call and the function is not
 * reentrant.  The buffer holds "pv_ops[" + 10 digits + "]" + NUL exactly;
 * a negative index would be truncated by snprintf rather than overflow.
 * Anything else is "{dynamic}".
 */
static inline const char *call_dest_name(struct instruction *insn)
{
	static char pvname[19];
	struct reloc *reloc;
	int idx;

	if (insn_call_dest(insn))
		return insn_call_dest(insn)->name;

	reloc = insn_reloc(NULL, insn);
	if (reloc && !strcmp(reloc->sym->name, "pv_ops")) {
		idx = (reloc_addend(reloc) / sizeof(void *));
		snprintf(pvname,
			 sizeof(pvname), "pv_ops[%d]", idx);
		return pvname;
	}

	return "{dynamic}";
}

/*
 * Decide whether an indirect call through pv_ops[idx] is noinstr-safe,
 * i.e. every registered target of that slot lives in a noinstr section.
 *
 * The verdict is memoised in file->pv_ops[idx].clean: a slot already found
 * clean is accepted immediately; otherwise the targets are walked and each
 * non-noinstr one is warned about.  Returns false for calls that are not
 * through pv_ops at all.
 *
 * NOTE(review): idx is derived from the instruction's relocation addend
 * and is not range-checked against the pv_ops array here; an object file
 * with an out-of-range addend would index past the array.  The array
 * length is not visible in this function, so the check would have to live
 * where the array is sized (init_pv_ops()).  Also, the addend is divided
 * by a size_t, so if the addend type is signed a negative value is
 * converted to unsigned before the division.
 */
static bool pv_call_dest(struct objtool_file *file, struct instruction *insn)
{
	struct symbol *target;
	struct reloc *reloc;
	int idx;

	reloc = insn_reloc(file, insn);
	if (!reloc || strcmp(reloc->sym->name, "pv_ops"))
		return false;

	idx = arch_insn_adjusted_addend(insn, reloc) / sizeof(void *);

	if (file->pv_ops[idx].clean)
		return true;

	/* Assume clean, then clear the flag on the first bad target. */
	file->pv_ops[idx].clean = true;

	list_for_each_entry(target, &file->pv_ops[idx].targets, pv_target) {
		if (!target->sec->noinstr) {
			WARN("pv_ops[%d]: %s", idx, target->name);
			file->pv_ops[idx].clean = false;
		}
	}

	return file->pv_ops[idx].clean;
}

/*
 * True if a call from noinstr code to @func (the resolved callee, or NULL
 * for an indirect call) is acceptable: the callee is in a noinstr section,
 * is a static_call trampoline, is a UBSAN handler, or is a pv_ops call
 * whose targets are all noinstr.  Any other indirect call is assumed to be
 * instrumented.
 */
static inline bool noinstr_call_dest(struct objtool_file *file,
				     struct instruction *insn,
				     struct symbol *func)
{
	/*
	 * We can't deal with indirect function calls at present;
	 * assume they're instrumented.
	 */
	if (!func) {
		if (file->pv_ops)
			return pv_call_dest(file, insn);

		return false;
	}

	/*
	 * If the symbol is from a noinstr section; we good.
	 */
	if (func->sec->noinstr)
		return true;

	/*
	 * If the symbol is a static_call trampoline, we can't tell.
	 */
	if (func->static_call_tramp)
		return true;

	/*
	 * The __ubsan_handle_*() calls are like WARN(), they only happen when
	 * something 'BAD' happened. At the risk of taking the machine down,
	 * let them proceed to get the message out.
	 */
	if (!strncmp(func->name, "__ubsan_handle_", 15))
		return true;

	return false;
}

/*
 * Check a call instruction against the current state.  Three rules, each
 * producing a warning and a non-zero return:
 *
 *  - in noinstr context with no instrumentation-begin in effect
 *    (state->instr <= 0), the callee must be noinstr-safe;
 *  - with uaccess enabled (STAC), the callee must be uaccess-safe;
 *  - the direction flag must be clear.
 *
 * Returns 0 when all hold, 1 otherwise.
 */
static int validate_call(struct objtool_file *file,
			 struct instruction *insn,
			 struct insn_state *state)
{
	if (state->noinstr && state->instr <= 0 &&
	    !noinstr_call_dest(file, insn, insn_call_dest(insn))) {
		WARN_INSN(insn, "call to %s() leaves .noinstr.text section", call_dest_name(insn));
		return 1;
	}

	if (state->uaccess && !func_uaccess_safe(insn_call_dest(insn))) {
		WARN_INSN(insn, "call to %s() with UACCESS enabled", call_dest_name(insn));
		return 1;
	}

	if (state->df) {
		WARN_INSN(insn, "call to %s() with DF set", call_dest_name(insn));
		return 1;
	}

	return 0;
}

/*
 * A sibling call (tail jump) is validated like a call, plus: when it is
 * made from inside a function, the frame must already be torn down.
 */
static int validate_sibling_call(struct objtool_file *file,
				 struct instruction *insn,
				 struct insn_state *state)
{
	if (insn_func(insn) && has_modified_stack_frame(insn, state)) {
		WARN_INSN(insn, "sibling call from callable instruction with modified stack frame");
		return 1;
	}

	return validate_call(file, insn, state);
}

/*
 * Check a return instruction against the current state: no instrumentation
 * region left open in noinstr code, uaccess state consistent with whether
 * @func is uaccess-safe (both directions), DF clear, frame restored when
 * inside a function, and BP not in use as a scratch register.
 *
 * Returns 0 when all hold, 1 otherwise (with a warning).
 */
static int validate_return(struct symbol *func, struct instruction *insn, struct insn_state *state)
{
	if (state->noinstr && state->instr > 0) {
		WARN_INSN(insn, "return with instrumentation enabled");
		return 1;
	}

	if (state->uaccess && !func_uaccess_safe(func)) {
		WARN_INSN(insn, "return with UACCESS enabled");
		return 1;
	}

	if (!state->uaccess && func_uaccess_safe(func)) {
		WARN_INSN(insn, "return with UACCESS disabled from a UACCESS-safe function");
		return 1;
	}

	if (state->df) {
		WARN_INSN(insn, "return with DF set");
		return 1;
	}

	if (func && has_modified_stack_frame(insn, state)) {
		WARN_INSN(insn, "return with modified stack frame");
		return 1;
	}

	if (state->cfi.bp_scratch) {
		WARN_INSN(insn, "BP used as a scratch register");
		return 1;
	}

	return 0;
}

/*
 * Next instruction in validation order, taking alternatives into account.
 *
 * Inside a replacement alt_group the flow jumps from the group's last
 * instruction (or its trailing padding nop, when present) to the
 * instruction after the original group, as if the replacement had been
 * patched in place.  Everywhere else this is plain next_insn_same_sec().
 */
static struct instruction *next_insn_to_validate(struct objtool_file *file,
						 struct instruction *insn)
{
	struct alt_group *alt_group = insn->alt_group;

	/*
	 * Simulate the fact that alternatives are patched in-place.  When the
	 * end of a replacement alt_group is reached, redirect objtool flow to
	 * the end of the original alt_group.
	 *
	 * insn->alts->insn -> alt_group->first_insn
	 *		  ...
	 *		  alt_group->last_insn
	 *		  [alt_group->nop]      -> next(orig_group->last_insn)
	 */
	if (alt_group) {
		if (alt_group->nop) {
			/* ->nop implies ->orig_group */
			if (insn == alt_group->last_insn)
				return alt_group->nop;
			if (insn == alt_group->nop)
				goto next_orig;
		}
		if (insn == alt_group->last_insn && alt_group->orig_group)
			goto next_orig;
	}

	return next_insn_same_sec(file, insn);

next_orig:
	return next_insn_same_sec(file, alt_group->orig_group->last_insn);
}

/*
 * True if validate_insn() should stop at @insn instead of following the
 * original (unpatched) code stream: the group is explicitly ignored, or
 * the first alternative is a CLAC/STAC whose group is not itself ignored.
 * In the latter case only the patched stream is followed.
 */
static bool skip_alt_group(struct instruction *insn)
{
	struct instruction *alt_insn = insn->alts ? insn->alts->insn : NULL;

	if (!insn->alt_group)
		return false;

	/* ANNOTATE_IGNORE_ALTERNATIVE */
	if (insn->alt_group->ignore) {
		TRACE_ALT(insn, "alt group ignored");
		return true;
	}

	/*
	 * For NOP patched with CLAC/STAC, only follow the latter to avoid
	 * impossible code paths combining patched CLAC with unpatched STAC
	 * or vice versa.
	 *
	 * ANNOTATE_IGNORE_ALTERNATIVE could have been used here, but Linus
	 * requested not to do that to avoid hurting .s file readability
	 * around CLAC/STAC alternative sites.
 */

	if (!alt_insn)
		return false;

	/* Don't override ASM_{CLAC,STAC}_UNSAFE */
	if (alt_insn->alt_group && alt_insn->alt_group->ignore)
		return false;

	return alt_insn->type == INSN_CLAC || alt_insn->type == INSN_STAC;
}

static int validate_branch(struct objtool_file *file, struct symbol *func,
			   struct instruction *insn, struct insn_state state);
static int do_validate_branch(struct objtool_file *file, struct symbol *func,
			      struct instruction *insn, struct insn_state *state);

/*
 * Validate one instruction on the branch currently being walked by
 * do_validate_branch(): reconcile its CFI with @statep, recurse into its
 * alternatives and taken jump edges, and enforce the per-instruction rules
 * (frame setup before calls, UACCESS enable/disable pairing, STD/CLD pairing,
 * no SYSCALL/SYSRET inside a plain callable function).
 *
 * @prev_insn is NULL when @insn is the first instruction of the branch;
 * @next_insn is the straight-line successor (may be NULL at end of section).
 * On return *@dead_end tells the caller whether the straight-line walk must
 * stop at this instruction.
 *
 * Returns 0 on success, non-zero after a warning (or when the instruction
 * was already visited with a different CFI, which is reported as 1).
 */
static int validate_insn(struct objtool_file *file, struct symbol *func,
			 struct instruction *insn, struct insn_state *statep,
			 struct instruction *prev_insn, struct instruction *next_insn,
			 bool *dead_end)
{
	char *alt_name __maybe_unused = NULL;
	struct alternative *alt;
	u8 visited;
	int ret;

	/*
	 * Any returns before the end of this function are effectively dead
	 * ends, i.e. validate_branch() has reached the end of the branch.
	 */
	*dead_end = true;

	/* One visited bit per UACCESS state, so both variants get walked. */
	visited = VISITED_BRANCH << statep->uaccess;
	if (insn->visited & VISITED_BRANCH_MASK) {
		/* Reaching the same insn with a different CFI is an error unless hinted. */
		if (!insn->hint && !insn_cfi_match(insn, &statep->cfi))
			return 1;

		if (insn->visited & visited) {
			TRACE_INSN(insn, "already visited");
			return 0;
		}
	} else {
		nr_insns_visited++;
	}

	if (statep->noinstr)
		statep->instr += insn->instr;

	if (insn->hint) {
		if (insn->restore) {
			struct instruction *save_insn, *i;

			i = insn;
			save_insn = NULL;

			/* Walk backwards inside the function for the matching save hint. */
			sym_for_each_insn_continue_reverse(file, func, i) {
				if (i->save) {
					save_insn = i;
					break;
				}
			}

			if (!save_insn) {
				WARN_INSN(insn, "no corresponding CFI save for CFI restore");
				return 1;
			}

			if (!save_insn->visited) {
				/*
				 * If the restore hint insn is at the
				 * beginning of a basic block and was
				 * branched to from elsewhere, and the
				 * save insn hasn't been visited yet,
				 * defer following this branch for now.
				 * It will be seen later via the
				 * straight-line path.
				 */
				if (!prev_insn) {
					TRACE_INSN(insn, "defer restore");
					return 0;
				}

				WARN_INSN(insn, "objtool isn't smart enough to handle this CFI save/restore combo");
				return 1;
			}

			insn->cfi = save_insn->cfi;
			nr_cfi_reused++;
		}

		/* A hint replaces whatever CFI the walk carried in. */
		statep->cfi = *insn->cfi;
	} else {
		/* XXX track if we actually changed statep->cfi */

		/* Share the predecessor's CFI object when nothing changed. */
		if (prev_insn && !cficmp(prev_insn->cfi, &statep->cfi)) {
			insn->cfi = prev_insn->cfi;
			nr_cfi_reused++;
		} else {
			insn->cfi = cfi_hash_find_or_add(&statep->cfi);
		}
	}

	insn->visited |= visited;

	if (propagate_alt_cfi(file, insn))
		return 1;

	/* Each alternative is validated as its own branch on a copy of the state. */
	if (insn->alts) {
		for (alt = insn->alts; alt; alt = alt->next) {
			TRACE_ALT_BEGIN(insn, alt, alt_name);
			ret = validate_branch(file, func, alt->insn, *statep);
			TRACE_ALT_END(insn, alt, alt_name);
			if (ret) {
				BT_INSN(insn, "(alt)");
				return ret;
			}
		}
		TRACE_ALT_INFO_NOADDR(insn, "/ ", "DEFAULT");
	}

	if (skip_alt_group(insn))
		return 0;

	if (handle_insn_ops(insn, next_insn, statep))
		return 1;

	switch (insn->type) {

	case INSN_RETURN:
		TRACE_INSN(insn, "return");
		return validate_return(func, insn, statep);

	case INSN_CALL:
	case INSN_CALL_DYNAMIC:
		if (insn->type == INSN_CALL)
			TRACE_INSN(insn, "call");
		else
			TRACE_INSN(insn, "indirect call");

		ret = validate_call(file, insn, statep);
		if (ret)
			return ret;

		/* With stack validation on, a call needs a frame pointer set up first. */
		if (opts.stackval && func && !is_special_call(insn) &&
		    !has_valid_stack_frame(statep)) {
			WARN_INSN(insn, "call without frame pointer save/setup");
			return 1;
		}

		break;

	case INSN_JUMP_CONDITIONAL:
	case INSN_JUMP_UNCONDITIONAL:
		if (is_sibling_call(insn)) {
			TRACE_INSN(insn, "sibling call");
			ret = validate_sibling_call(file, insn, statep);
			if (ret)
				return ret;

		} else if (insn->jump_dest) {
			if (insn->type == INSN_JUMP_UNCONDITIONAL)
				TRACE_INSN(insn, "unconditional jump");
			else
				TRACE_INSN(insn, "jump taken");

			/* Taken edge: recurse on a copy of the state. */
			ret = validate_branch(file, func, insn->jump_dest, *statep);
			if (ret) {
				BT_INSN(insn, "(branch)");
				return ret;
			}
		}

		if (insn->type == INSN_JUMP_UNCONDITIONAL)
			return 0;

		/* Not-taken edge continues on the straight-line path. */
		TRACE_INSN(insn, "jump not taken");
		break;

	case INSN_JUMP_DYNAMIC:
	case INSN_JUMP_DYNAMIC_CONDITIONAL:
		TRACE_INSN(insn, "indirect jump");
		if (is_sibling_call(insn)) {
			ret = validate_sibling_call(file, insn, statep);
			if (ret)
				return ret;
		}

		if (insn->type == INSN_JUMP_DYNAMIC)
			return 0;

		break;

	case INSN_SYSCALL:
		TRACE_INSN(insn, "syscall");
		/* Only allowed in a function when the following insn is hinted. */
		if (func && (!next_insn || !next_insn->hint)) {
			WARN_INSN(insn, "unsupported instruction in callable function");
			return 1;
		}

		break;

	case INSN_SYSRET:
		TRACE_INSN(insn, "sysret");
		if (func && (!next_insn || !next_insn->hint)) {
			WARN_INSN(insn, "unsupported instruction in callable function");
			return 1;
		}

		return 0;

	case INSN_STAC:
		TRACE_INSN(insn, "stac");
		if (!opts.uaccess)
			break;

		/* A nested enable would let a later single disable leave uaccess open. */
		if (statep->uaccess) {
			WARN_INSN(insn, "recursive UACCESS enable");
			return 1;
		}

		statep->uaccess = true;
		break;

	case INSN_CLAC:
		TRACE_INSN(insn, "clac");
		if (!opts.uaccess)
			break;

		if (!statep->uaccess && func) {
			WARN_INSN(insn, "redundant UACCESS disable");
			return 1;
		}

		if (func_uaccess_safe(func) && !statep->uaccess_stack) {
			WARN_INSN(insn, "UACCESS-safe disables UACCESS");
			return 1;
		}

		statep->uaccess = false;
		break;

	case INSN_STD:
		TRACE_INSN(insn, "std");
		if (statep->df) {
			WARN_INSN(insn, "recursive STD");
			return 1;
		}

		statep->df = true;
		break;

	case INSN_CLD:
		TRACE_INSN(insn, "cld");
		if (!statep->df && func) {
			WARN_INSN(insn, "redundant CLD");
			return 1;
		}

		statep->df = false;
		break;

	default:
		break;
	}

	if (insn->dead_end)
		TRACE_INSN(insn, "dead end");

	*dead_end = insn->dead_end;
	return 0;
}

/*
 * Follow the branch starting at the given instruction, and recursively follow
 * any other branches (jumps). Meanwhile, track the frame pointer state at
 * each instruction and validate all the rules described in
 * tools/objtool/Documentation/objtool.txt.
 *
 * @state is updated in place as the straight-line walk proceeds; callers that
 * want an isolated copy go through validate_branch().  Returns the result of
 * the last validate_insn() call, or 1 after a fall-through / end-of-section
 * warning.
 */
static int do_validate_branch(struct objtool_file *file, struct symbol *func,
			      struct instruction *insn, struct insn_state *state)
{
	struct instruction *next_insn, *prev_insn = NULL;
	bool dead_end;
	int ret;

	if (func && func->ignore)
		return 0;

	do {
		insn->trace = 0;
		next_insn = next_insn_to_validate(file, insn);

		/* Straight-line execution crossed into another function. */
		if (func && insn_func(insn) && func != insn_func(insn)->pfunc) {
			/* Ignore KCFI type preambles, which always fall through */
			if (is_prefix_func(func))
				return 0;

			if (file->ignore_unreachables)
				return 0;

			WARN("%s() falls through to next function %s()",
			     func->name, insn_func(insn)->name);
			func->warned = 1;

			return 1;
		}

		ret = validate_insn(file, func, insn, state, prev_insn, next_insn,
				    &dead_end);

		if (!insn->trace) {
			if (ret)
				TRACE_INSN(insn, "warning (%d)", ret);
			else
				TRACE_INSN(insn, NULL);
		}

		/* Ran off the end of the section without a terminating insn. */
		if (!dead_end && !next_insn) {
			if (state->cfi.cfa.base == CFI_UNDEFINED)
				return 0;
			if (file->ignore_unreachables)
				return 0;

			WARN("%s%sunexpected end of section %s",
			     func ? func->name : "", func ? "(): " : "",
			     insn->sec->name);
			return 1;
		}

		prev_insn = insn;
		insn = next_insn;

	} while (!dead_end);

	return ret;
}

/*
 * Validate a branch on a private copy of @state (passed by value), so the
 * caller's state is untouched by whatever the branch does.  Trace depth is
 * bumped for the duration so nested branches indent in the trace output.
 */
static int validate_branch(struct objtool_file *file, struct symbol *func,
			   struct instruction *insn, struct insn_state state)
{
	int ret;

	trace_depth_inc();
	ret = do_validate_branch(file, func, insn, &state);
	trace_depth_dec();

	return ret;
}

/*
 * Start a validation walk at @insn if it carries an unwind hint and no
 * earlier walk already reached it.  Returns the branch result (0 if the
 * instruction is not a starting point).
 */
static int validate_unwind_hint(struct objtool_file *file,
				struct instruction *insn,
				struct insn_state *state)
{
	if (insn->hint && !insn->visited) {
		struct symbol *func = insn_func(insn);
		int ret;

		ret = validate_branch(file, func, insn, *state);
		if (ret)
			BT_INSN(insn, "<=== (hint)");
		return ret;
	}

	return 0;
}

/*
 * Validate every not-yet-visited hinted instruction, either in @sec or, when
 * @sec is NULL, in the whole file.  Returns the number of warnings.
 */
static int validate_unwind_hints(struct objtool_file *file, struct section *sec)
{
	struct instruction *insn;
	struct insn_state state;
	int warnings = 0;

	if (!file->hints)
		return 0;

	init_insn_state(file, &state, sec);

	if (sec) {
		sec_for_each_insn(file, sec, insn)
			warnings += validate_unwind_hint(file, insn, &state);
	} else {
		for_each_insn(file, insn)
			warnings += validate_unwind_hint(file, insn, &state);
	}

	return warnings;
}

/*
 * Validate rethunk entry constraint: must untrain RET before the first RET.
 *
 * Follow every branch (intra-function) and ensure VALIDATE_UNRET_END comes
 * before an actual RET instruction.
 */
static int validate_unret(struct objtool_file *file, struct instruction *insn)
{
	struct instruction *next, *dest;
	int ret;

	/*
	 * Iterative straight-line walk; jump targets, alternatives and call
	 * destinations are followed by recursion.  VISITED_UNRET is a separate
	 * mark from the VISITED_BRANCH bits used by stack validation.
	 */
	for (;;) {
		next = next_insn_to_validate(file, insn);

		if (insn->visited & VISITED_UNRET)
			return 0;

		insn->visited |= VISITED_UNRET;

		if (insn->alts) {
			struct alternative *alt;
			for (alt = insn->alts; alt; alt = alt->next) {
				ret = validate_unret(file, alt->insn);
				if (ret) {
					BT_INSN(insn, "(alt)");
					return ret;
				}
			}
		}

		switch (insn->type) {

		/* Indirect control flow before untraining cannot be followed. */
		case INSN_CALL_DYNAMIC:
		case INSN_JUMP_DYNAMIC:
		case INSN_JUMP_DYNAMIC_CONDITIONAL:
			WARN_INSN(insn, "early indirect call");
			return 1;

		case INSN_JUMP_UNCONDITIONAL:
		case INSN_JUMP_CONDITIONAL:
			if (!is_sibling_call(insn)) {
				if (!insn->jump_dest) {
					WARN_INSN(insn, "unresolved jump target after linking?!?");
					return 1;
				}
				ret = validate_unret(file, insn->jump_dest);
				if (ret) {
					BT_INSN(insn, "(branch%s)",
						insn->type == INSN_JUMP_CONDITIONAL ? "-cond" : "");
					return ret;
				}

				if (insn->type == INSN_JUMP_UNCONDITIONAL)
					return 0;

				break;
			}

			/* fallthrough */
		case INSN_CALL:
			dest = find_insn(file, insn_call_dest(insn)->sec,
					 insn_call_dest(insn)->offset);
			if (!dest) {
				WARN("Unresolved function after linking!?: %s",
				     insn_call_dest(insn)->name);
				return 1;
			}

			ret = validate_unret(file, dest);
			if (ret) {
				BT_INSN(insn, "(call)");
				return ret;
			}
			/*
			 * If a call returns without error, it must have seen UNTRAIN_RET.
			 * Therefore any non-error return is a success.
			 */
			return 0;

		case INSN_RETURN:
			WARN_INSN(insn, "RET before UNTRAIN");
			return 1;

		case INSN_SYSCALL:
			break;

		case INSN_SYSRET:
			return 0;

		case INSN_NOP:
			/*
			 * A retpoline_safe NOP ends the search; presumably this is
			 * how the VALIDATE_UNRET_END annotation shows up here.
			 */
			if (insn->retpoline_safe)
				return 0;
			break;

		default:
			break;
		}

		if (insn->dead_end)
			return 0;

		if (!next) {
			WARN_INSN(insn, "teh end!");
			return 1;
		}
		insn = next;
	}

	return 0;
}

/*
 * Validate that all branches starting at VALIDATE_UNRET_BEGIN encounter
 * VALIDATE_UNRET_END before RET.
 *
 * Returns the number of warnings.
 */
static int validate_unrets(struct objtool_file *file)
{
	struct instruction *insn;
	int warnings = 0;

	for_each_insn(file, insn) {
		if (!insn->unret)
			continue;

		warnings += validate_unret(file, insn);
	}

	return warnings;
}

/*
 * Check the retpoline/rethunk and kCFI invariants:
 *
 *  - no un-annotated indirect jump/call outside .init sections
 *    (MITIGATION_RETPOLINE),
 *  - no 'naked' RET when rethunks are enabled (MITIGATION_RETHUNK),
 *  - with opts.cfi, every indirect call to a cfi function is preceded by
 *    the kCFI check's UD2.
 *
 * Returns the number of warnings.
 */
static int validate_retpoline(struct objtool_file *file)
{
	struct instruction *insn;
	int warnings = 0;

	for_each_insn(file, insn) {
		if (insn->type != INSN_JUMP_DYNAMIC &&
		    insn->type != INSN_CALL_DYNAMIC &&
		    insn->type != INSN_RETURN)
			continue;

		/* Explicitly annotated (ANNOTATE_RETPOLINE_SAFE-style) sites are exempt. */
		if (insn->retpoline_safe)
			continue;

		if (insn->sec->init)
			continue;

		if (insn->type == INSN_RETURN) {
			if (opts.rethunk) {
				WARN_INSN(insn, "'naked' return found in MITIGATION_RETHUNK build");
				warnings++;
			}
			continue;
		}

		WARN_INSN(insn, "indirect %s found in MITIGATION_RETPOLINE build",
			  insn->type == INSN_JUMP_DYNAMIC ? "jump" : "call");
		warnings++;
	}

	if (!opts.cfi)
		return warnings;

	/*
	 * kCFI call sites look like:
	 *
	 *     movl $(-0x12345678), %r10d
	 *     addl -4(%r11), %r10d
	 *     jz   1f
	 *     ud2
	 *  1: cs call __x86_indirect_thunk_r11
	 *
	 * Verify all indirect calls are kCFI adorned by checking for the
	 * UD2. Notably, doing __nocfi calls to regular (cfi) functions is
	 * broken.
	 */
	list_for_each_entry(insn, &file->retpoline_call_list, call_node) {
		struct symbol *sym = insn->sym;

		if (sym && (is_notype_sym(sym) ||
			    is_func_sym(sym)) && !sym->nocfi) {
			struct instruction *prev =
				prev_insn_same_sym(file, insn);

			/* The insn right before the call must be the kCFI trap. */
			if (!prev || prev->type != INSN_BUG) {
				WARN_INSN(insn, "no-cfi indirect call!");
				warnings++;
			}
		}
	}

	return warnings;
}

/* True for a direct call to KASAN's noreturn handler. */
static bool is_kasan_insn(struct instruction *insn)
{
	return (insn->type == INSN_CALL &&
		!strcmp(insn_call_dest(insn)->name, "__asan_handle_no_return"));
}

/* True for a direct call to UBSAN's unreachable handler. */
static bool is_ubsan_insn(struct instruction *insn)
{
	return (insn->type == INSN_CALL &&
		!strcmp(insn_call_dest(insn)->name,
			"__ubsan_handle_builtin_unreachable"));
}

/*
 * Decide whether an instruction that no validation walk reached should be
 * reported as unreachable.  Returns true for the known-benign cases: padding
 * and traps, alternative replacement text, ignored or static-call trampoline
 * functions, compiler-emitted traps after noreturn calls, and sanitizer
 * instrumentation within the next few instructions.
 */
static bool ignore_unreachable_insn(struct objtool_file *file, struct instruction *insn)
{
	struct symbol *func = insn_func(insn);
	struct instruction *prev_insn;
	int i;

	if (insn->type == INSN_NOP || insn->type == INSN_TRAP ||
	    insn->hole || (func && func->ignore))
		return true;

	/*
	 * Ignore alternative replacement instructions. This can happen
	 * when a whitelisted function uses one of the ALTERNATIVE macros.
	 */
	if (!strcmp(insn->sec->name, ".altinstr_replacement") ||
	    !strcmp(insn->sec->name, ".altinstr_aux"))
		return true;

	if (!func)
		return false;

	if (func->static_call_tramp)
		return true;

	/*
	 * CONFIG_UBSAN_TRAP inserts a UD2 when it sees
	 * __builtin_unreachable(). The BUG() macro has an unreachable() after
	 * the UD2, which causes GCC's undefined trap logic to emit another UD2
	 * (or occasionally a JMP to UD2).
	 *
	 * It may also insert a UD2 after calling a __noreturn function.
 */
static int create_prefix_symbol(struct objtool_file *file, struct symbol *func)
{
	struct instruction *insn, *prev;
	char name[SYM_NAME_LEN];
	struct cfi_state *cfi;

	if (!is_func_sym(func) || is_prefix_func(func) || is_cold_func(func) ||
	    func->static_call_tramp)
		return 0;

	/* sizeof("__pfx_") counts the NUL, so this bounds the snprintf below. */
	if ((strlen(func->name) + sizeof("__pfx_") > SYM_NAME_LEN)) {
		WARN("%s: symbol name too long, can't create __pfx_ symbol",
		     func->name);
		return 0;
	}

	if (snprintf_check(name, SYM_NAME_LEN, "__pfx_%s", func->name))
		return -1;

	/* Livepatch input may already carry a prefix from an earlier run. */
	if (file->klp) {
		struct symbol *pfx;

		pfx = find_symbol_by_offset(func->sec, func->offset - opts.prefix);
		if (pfx && is_prefix_func(pfx) && !strcmp(pfx->name, name))
			return 0;
	}

	insn = find_insn(file, func->sec, func->offset);
	if (!insn) {
		WARN("%s: can't find starting instruction", func->name);
		return -1;
	}

	/*
	 * Walk backwards over the NOPs preceding the function.  Bail out as
	 * soon as something other than a NOP shows up or the distance exceeds
	 * opts.prefix; create the symbol once exactly opts.prefix bytes back.
	 */
	for (prev = prev_insn_same_sec(file, insn);
	     prev;
	     prev = prev_insn_same_sec(file, prev)) {
		u64 offset;

		if (prev->type != INSN_NOP)
			return 0;

		offset = func->offset - prev->offset;

		if (offset > opts.prefix)
			return 0;

		if (offset < opts.prefix)
			continue;

		if (!elf_create_symbol(file->elf, name, func->sec,
				       GELF_ST_BIND(func->sym.st_info),
				       GELF_ST_TYPE(func->sym.st_info),
				       prev->offset, opts.prefix))
			return -1;

		break;
	}

	/* Ran out of instructions before reaching opts.prefix bytes of NOPs. */
	if (!prev)
		return 0;

	if (!insn->cfi) {
		/*
		 * This can happen if stack validation isn't enabled or the
		 * function is annotated with STACK_FRAME_NON_STANDARD.
		 */
		return 0;
	}

	/* Propagate insn->cfi to the prefix code */
	cfi = cfi_hash_find_or_add(insn->cfi);
	for (; prev != insn; prev = next_insn_same_sec(file, prev))
		prev->cfi = cfi;

	return 0;
}

/*
 * Create a __pfx_ symbol for every function symbol in every text section.
 * Returns -1 on the first failure, 0 otherwise.
 */
static int create_prefix_symbols(struct objtool_file *file)
{
	struct section *sec;
	struct symbol *func;

	for_each_sec(file->elf, sec) {
		if (!is_text_sec(sec))
			continue;

		sec_for_each_sym(sec, func) {
			if (create_prefix_symbol(file, func))
				return -1;
		}
	}

	return 0;
}

/*
 * Run stack validation from the start of @sym with the given initial @state.
 * Symbols without an ELF size, aliases, non-parent symbols and already
 * visited entry points are skipped.  Returns the branch result (non-zero on
 * warning).
 */
static int validate_symbol(struct objtool_file *file, struct section *sec,
			   struct symbol *sym, struct insn_state *state)
{
	struct instruction *insn;
	struct symbol *func;
	int ret;

	if (!sym->len) {
		WARN("%s() is missing an ELF size annotation", sym->name);
		return 1;
	}

	if (sym->pfunc != sym || is_alias_sym(sym))
		return 0;

	insn = find_insn(file, sec, sym->offset);
	if (!insn || insn->visited)
		return 0;

	/* uaccess_safe functions start with UACCESS considered enabled. */
	if (opts.uaccess)
		state->uaccess = sym->uaccess_safe;

	func = insn_func(insn);

	/* Per-symbol tracing, selected by a glob in opts.trace. */
	if (opts.trace && !fnmatch(opts.trace, sym->name, 0)) {
		trace_enable();
		TRACE("%s: validation begin\n", sym->name);
	}

	ret = validate_branch(file, func, insn, *state);
	if (ret)
		BT_INSN(insn, "<=== (sym)");

	TRACE("%s: validation %s\n\n", sym->name, ret ? "failed" : "end");
	trace_disable();

	return ret;
}

/*
 * Validate every function symbol in @sec from a fresh initial state.
 * Returns the number of warnings.
 */
static int validate_section(struct objtool_file *file, struct section *sec)
{
	struct insn_state state;
	struct symbol *func;
	int warnings = 0;

	sec_for_each_sym(sec, func) {
		if (!is_func_sym(func))
			continue;

		init_insn_state(file, &state, sec);
		set_func_state(&state.cfi);

		warnings += validate_symbol(file, sec, func, &state);
	}

	return warnings;
}

/*
 * Restricted validation used when only noinstr checking is requested:
 * validate the three sections whose code must stay free of instrumentation.
 * Returns the number of warnings.
 */
static int validate_noinstr_sections(struct objtool_file *file)
{
	struct section *sec;
	int warnings = 0;

	sec = find_section_by_name(file->elf, ".noinstr.text");
	if (sec) {
		warnings += validate_section(file, sec);
		warnings += validate_unwind_hints(file, sec);
	}

	sec = find_section_by_name(file->elf, ".entry.text");
	if (sec) {
		warnings += validate_section(file, sec);
		warnings += validate_unwind_hints(file, sec);
	}

	sec = find_section_by_name(file->elf, ".cpuidle.text");
	if (sec) {
		warnings += validate_section(file, sec);
		warnings += validate_unwind_hints(file, sec);
	}

	return warnings;
}

/* Validate all functions in all text sections.  Returns the number of warnings. */
static int validate_functions(struct objtool_file *file)
{
	struct section *sec;
	int warnings = 0;

	for_each_sec(file->elf, sec) {
		if (!is_text_sec(sec))
			continue;

		warnings += validate_section(file, sec);
	}

	return warnings;
}

/*
 * Take an ENDBR off the seal list: it has a legitimate indirect-branch
 * reference and must survive sealing.
 */
static void mark_endbr_used(struct instruction *insn)
{
	if (!list_empty(&insn->call_node))
		list_del_init(&insn->call_node);
}

/*
 * True if @insn is the first instruction past a symbol whose entry is
 * ENDBR or ANNOTATE_NOENDBR, i.e. a "one past the end" code-range reference
 * rather than a branch target.
 */
static bool noendbr_range(struct objtool_file *file, struct instruction *insn)
{
	/* offset-1 lands inside the preceding symbol, if any. */
	struct symbol *sym = find_symbol_containing(insn->sec, insn->offset-1);
	struct instruction *first;

	if (!sym)
		return false;

	first = find_insn(file, sym->sec, sym->offset);
	if (!first)
		return false;

	if (first->type != INSN_ENDBR && !first->noendbr)
		return false;

	return insn->offset == sym->offset + sym->len;
}

/*
 * Check one code reference from @insn to @dest under the IBT rules.
 * Accepted: ENDBR targets (marked used), self-references within the same
 * parent function, ANNOTATE_NOENDBR targets and end-of-range references.
 * Returns 1 after a warning, 0 otherwise.
 */
static int __validate_ibt_insn(struct objtool_file *file, struct instruction *insn,
			       struct instruction *dest)
{
	if (dest->type == INSN_ENDBR) {
		mark_endbr_used(dest);
		return 0;
	}

	if (insn_func(dest) && insn_func(insn) &&
	    insn_func(dest)->pfunc == insn_func(insn)->pfunc) {
		/*
		 * Anything from->to self is either _THIS_IP_ or
		 * IRET-to-self.
		 *
		 * There is no sane way to annotate _THIS_IP_ since the
		 * compiler treats the relocation as a constant and is
		 * happy to fold in offsets, skewing any annotation we
		 * do, leading to vast amounts of false-positives.
		 *
		 * There's also compiler generated _THIS_IP_ through
		 * KCOV and such which we have no hope of annotating.
		 *
		 * As such, blanket accept self-references without
		 * issue.
		 */
		return 0;
	}

	/*
	 * Accept anything ANNOTATE_NOENDBR.
	 */
	if (dest->noendbr)
		return 0;

	/*
	 * Accept if this is the instruction after a symbol
	 * that is (no)endbr -- typical code-range usage.
	 */
	if (noendbr_range(file, dest))
		return 0;

	WARN_INSN(insn, "relocation to !ENDBR: %s", offstr(dest->sec, dest->offset));
	return 1;
}

/*
 * Check every text-address reference made by @insn (a RIP-relative LEA
 * without reloc, or each relocation inside the instruction) against the IBT
 * rules.  Returns the number of warnings.
 */
static int validate_ibt_insn(struct objtool_file *file, struct instruction *insn)
{
	struct instruction *dest;
	struct reloc *reloc;
	unsigned long off;
	int warnings = 0;

	/*
	 * Looking for function pointer load relocations.
Ignore
	 * direct/indirect branches:
	 */
	switch (insn->type) {

	case INSN_CALL:
	case INSN_CALL_DYNAMIC:
	case INSN_JUMP_CONDITIONAL:
	case INSN_JUMP_UNCONDITIONAL:
	case INSN_JUMP_DYNAMIC:
	case INSN_JUMP_DYNAMIC_CONDITIONAL:
	case INSN_RETURN:
	case INSN_NOP:
		return 0;

	case INSN_LEA_RIP:
		if (!insn_reloc(file, insn)) {
			/* local function pointer reference without reloc */

			off = arch_jump_destination(insn);

			dest = find_insn(file, insn->sec, off);
			if (!dest) {
				WARN_INSN(insn, "corrupt function pointer reference");
				return 1;
			}

			return __validate_ibt_insn(file, insn, dest);
		}
		break;

	default:
		break;
	}

	/* One instruction can hold several relocs; walk them all. */
	for (reloc = insn_reloc(file, insn);
	     reloc;
	     reloc = find_reloc_by_dest_range(file->elf, insn->sec,
					      reloc_offset(reloc) + 1,
					      (insn->offset + insn->len) - (reloc_offset(reloc) + 1))) {

		off = reloc->sym->offset + arch_insn_adjusted_addend(insn, reloc);

		/* Non-text targets have no instruction and are not IBT-relevant. */
		dest = find_insn(file, reloc->sym->sec, off);
		if (!dest)
			continue;

		warnings += __validate_ibt_insn(file, insn, dest);
	}

	return warnings;
}

/*
 * IBT check for a relocation in a data section: a text target must be an
 * ENDBR (which is then marked used) or ANNOTATE_NOENDBR.  Returns 1 after a
 * warning, 0 otherwise.
 */
static int validate_ibt_data_reloc(struct objtool_file *file,
				   struct reloc *reloc)
{
	struct instruction *dest;

	dest = find_insn(file, reloc->sym->sec,
			 reloc->sym->offset + reloc_addend(reloc));
	if (!dest)
		return 0;

	if (dest->type == INSN_ENDBR) {
		mark_endbr_used(dest);
		return 0;
	}

	if (dest->noendbr)
		return 0;

	WARN_FUNC(reloc->sec->base, reloc_offset(reloc),
		  "data relocation to !ENDBR: %s", offstr(dest->sec, dest->offset));

	return 1;
}

/*
 * Validate IBT rules and remove used ENDBR instructions from the seal list.
 * Unused ENDBR instructions will be annotated for sealing (i.e., replaced with
 * NOPs) later, in create_ibt_endbr_seal_sections().
 *
 * Returns the number of warnings.
 */
static int validate_ibt(struct objtool_file *file)
{
	struct section *sec;
	struct reloc *reloc;
	struct instruction *insn;
	int warnings = 0;

	for_each_insn(file, insn)
		warnings += validate_ibt_insn(file, insn);

	for_each_sec(file->elf, sec) {

		/* Already done by validate_ibt_insn() */
		if (is_text_sec(sec))
			continue;

		if (!sec->rsec)
			continue;

		/*
		 * These sections can reference text addresses, but not with
		 * the intent to indirect branch to them.
		 */
		if ((!strncmp(sec->name, ".discard", 8) &&
		     strcmp(sec->name, ".discard.ibt_endbr_noseal")) ||
		    !strncmp(sec->name, ".debug", 6) ||
		    !strcmp(sec->name, ".altinstructions") ||
		    !strcmp(sec->name, ".ibt_endbr_seal") ||
		    !strcmp(sec->name, ".kcfi_traps") ||
		    !strcmp(sec->name, ".orc_unwind_ip") ||
		    !strcmp(sec->name, ".retpoline_sites") ||
		    !strcmp(sec->name, ".smp_locks") ||
		    !strcmp(sec->name, ".static_call_sites") ||
		    !strcmp(sec->name, "_error_injection_whitelist") ||
		    !strcmp(sec->name, "_kprobe_blacklist") ||
		    !strcmp(sec->name, "__bug_table") ||
		    !strcmp(sec->name, "__ex_table") ||
		    !strcmp(sec->name, "__jump_table") ||
		    !strcmp(sec->name, ".init.klp_funcs") ||
		    !strcmp(sec->name, "__mcount_loc") ||
		    !strcmp(sec->name, ".llvm.call-graph-profile") ||
		    !strcmp(sec->name, ".llvm_bb_addr_map") ||
		    !strcmp(sec->name, "__tracepoints") ||
		    !strcmp(sec->name, ".return_sites") ||
		    !strcmp(sec->name, ".call_sites") ||
		    !strcmp(sec->name, "__patchable_function_entries"))
			continue;

		for_each_reloc(sec->rsec, reloc)
			warnings += validate_ibt_data_reloc(file, reloc);
	}

	return warnings;
}

/*
 * Straight-line speculation check: every RET and every indirect JMP that is
 * not annotated retpoline_safe must be immediately followed by a trap (int3).
 * Returns the number of warnings.
 */
static int validate_sls(struct objtool_file *file)
{
	struct instruction *insn, *next_insn;
	int warnings = 0;

	for_each_insn(file, insn) {
		next_insn = next_insn_same_sec(file, insn);

		if (insn->retpoline_safe)
			continue;

		switch (insn->type) {
		case INSN_RETURN:
			if (!next_insn || next_insn->type != INSN_TRAP) {
				WARN_INSN(insn, "missing int3 after ret");
				warnings++;
			}

			break;
		case INSN_JUMP_DYNAMIC:
			if (!next_insn || next_insn->type != INSN_TRAP) {
				WARN_INSN(insn, "missing int3 after indirect jump");
				warnings++;
			}
			break;
		default:
			break;
		}
	}

	return warnings;
}

/*
 * Report instructions no validation walk reached (and that
 * ignore_unreachable_insn() does not excuse).  When the previous instruction
 * is a dead end that calls a function, the likely cause is a missing
 * __noreturn annotation, so say so.  Returns the number of warnings.
 */
static int validate_reachable_instructions(struct objtool_file *file)
{
	struct instruction *insn, *prev_insn;
	struct symbol *call_dest;
	int warnings = 0;

	if (file->ignore_unreachables)
		return 0;

	for_each_insn(file, insn) {
		if (insn->visited || ignore_unreachable_insn(file, insn))
			continue;

		prev_insn = prev_insn_same_sec(file, insn);
		if (prev_insn && prev_insn->dead_end) {
			call_dest = insn_call_dest(prev_insn);
			if (call_dest) {
				WARN_INSN(insn, "%s() missing __noreturn in .c/.h or NORETURN() in noreturns.h",
					  call_dest->name);
				warnings++;
				continue;
			}
		}

		WARN_INSN(insn, "unreachable instruction");
		warnings++;
	}

	return warnings;
}

/*
 * Default (weak) test for an absolute relocation: the address-sized ABS type
 * for the ELF class.  Architectures may override this.
 */
__weak bool arch_absolute_reloc(struct elf *elf, struct reloc *reloc)
{
	unsigned int type = reloc_type(reloc);
	size_t sz = elf_addr_size(elf);

	return (sz == 8) ? (type == R_ABS64) : (type == R_ABS32);
}

/*
 * Flag absolute relocations in loadable sections (opts.noabs).  Returns the
 * number of offending relocations, counted as warnings by the caller.
 */
static int check_abs_references(struct objtool_file *file)
{
	struct section *sec;
	struct reloc *reloc;
	int ret = 0;

	for_each_sec(file->elf, sec) {
		/* absolute references in non-loadable sections are fine */
		if (!(sec->sh.sh_flags & SHF_ALLOC))
			continue;

		/* section must have an associated .rela section */
		if (!sec->rsec)
			continue;

		/*
		 * Special case for compiler generated metadata that is not
		 * consumed until after boot.
		 */
		if (!strcmp(sec->name, "__patchable_function_entries"))
			continue;

		for_each_reloc(sec->rsec, reloc) {
			if (arch_absolute_reloc(file->elf, reloc)) {
				WARN("section %s has absolute relocation at offset 0x%llx",
				     sec->name, (unsigned long long)reloc_offset(reloc));
				ret++;
			}
		}
	}
	return ret;
}

/* One node per instruction array ("chunk") to be freed by free_insns(). */
struct insn_chunk {
	void *addr;		/* start of the chunk allocation */
	struct insn_chunk *next;
};

/*
 * Reduce peak RSS usage by freeing insns memory before writing the ELF file,
 * which can trigger more allocations for .debug_* sections whose data hasn't
 * been read yet.
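 */
void free_insns(struct objtool_file *file)
{
	struct instruction *insn;
	struct insn_chunk *chunks = NULL, *chunk;

	/*
	 * Collect the chunk start addresses first; the instructions cannot be
	 * freed while for_each_insn() is still walking them.  An insn with
	 * idx == 0 is the first element of its chunk allocation.
	 */
	for_each_insn(file, insn) {
		if (!insn->idx) {
			chunk = malloc(sizeof(*chunk));
			/* Best effort: out of memory here just means less is freed. */
			if (!chunk)
				break;
			chunk->addr = insn;
			chunk->next = chunks;
			chunks = chunk;
		}
	}

	/* Free each chunk, and the bookkeeping node along with it. */
	while (chunks) {
		chunk = chunks;
		chunks = chunk->next;
		free(chunk->addr);
		free(chunk);
	}
}

/*
 * Disassemble @insn with the global context set up by check().  Returns an
 * empty string when no context exists (disassembly not requested or
 * unavailable).
 */
const char *objtool_disas_insn(struct instruction *insn)
{
	struct disas_context *dctx = objtool_disas_ctx;

	if (!dctx)
		return "";

	disas_insn(dctx, insn);
	return disas_result(dctx);
}

/*
 * Top-level objtool pass over one object file: decode, run the validations
 * selected in opts, then generate the annotation sections the kernel
 * consumes at boot.
 *
 * Returns 0 when clean, 1 on a hard error or (with opts.werror) when any
 * warning was emitted; warnings alone leave the return value at 0.
 */
int check(struct objtool_file *file)
{
	struct disas_context *disas_ctx = NULL;
	int ret = 0, warnings = 0;

	/*
	 * Create a disassembly context if we might disassemble any
	 * instruction or function.
	 */
	if (opts.verbose || opts.backtrace || opts.trace || opts.disas) {
		disas_ctx = disas_context_create(file);
		if (!disas_ctx) {
			/* Degrade: features that need disassembly are switched off. */
			opts.disas = false;
			opts.trace = false;
		}
		objtool_disas_ctx = disas_ctx;
	}

	ret = decode_file(file);
	if (ret)
		goto out;

	if (!nr_insns)
		goto out;

	if (opts.retpoline)
		warnings += validate_retpoline(file);

	if (validate_branch_enabled()) {
		int w = 0;

		w += validate_functions(file);
		w += validate_unwind_hints(file, NULL);
		/* Reachability is only meaningful once the walks succeeded. */
		if (!w)
			w += validate_reachable_instructions(file);

		warnings += w;

	} else if (opts.noinstr) {
		warnings += validate_noinstr_sections(file);
	}

	if (opts.unret) {
		/*
		 * Must be after validate_branch() and friends, it plays
		 * further games with insn->visited.
		 */
		warnings += validate_unrets(file);
	}

	if (opts.ibt)
		warnings += validate_ibt(file);

	if (opts.sls)
		warnings += validate_sls(file);

	/* Section generation: any failure is a hard error. */
	if (opts.static_call) {
		ret = create_static_call_sections(file);
		if (ret)
			goto out;
	}

	if (opts.retpoline) {
		ret = create_retpoline_sites_sections(file);
		if (ret)
			goto out;
	}

	if (opts.cfi) {
		ret = create_cfi_sections(file);
		if (ret)
			goto out;
	}

	if (opts.rethunk) {
		ret = create_return_sites_sections(file);
		if (ret)
			goto out;

		if (opts.hack_skylake) {
			ret = create_direct_call_sections(file);
			if (ret)
				goto out;
		}
	}

	if (opts.mcount) {
		ret = create_mcount_loc_sections(file);
		if (ret)
			goto out;
	}

	if (opts.prefix) {
		ret = create_prefix_symbols(file);
		if (ret)
			goto out;
	}

	/* Must come after validate_ibt(), which trims the seal list. */
	if (opts.ibt) {
		ret = create_ibt_endbr_seal_sections(file);
		if (ret)
			goto out;
	}

	if (opts.noabs)
		warnings += check_abs_references(file);

	if (opts.orc && nr_insns) {
		ret = orc_create(file);
		if (ret)
			goto out;
	}

	if (opts.stats) {
		printf("nr_insns_visited: %ld\n", nr_insns_visited);
		printf("nr_cfi: %ld\n", nr_cfi);
		printf("nr_cfi_reused: %ld\n", nr_cfi_reused);
		printf("nr_cfi_cache: %ld\n", nr_cfi_cache);
	}

out:
	if (ret || warnings) {
		if (opts.werror && warnings)
			ret = 1;

		if (opts.verbose) {
			if (opts.werror && warnings)
				WARN("%d warning(s) upgraded to errors", warnings);
			disas_warned_funcs(disas_ctx);
		}
	}

	if (opts.disas)
		disas_funcs(disas_ctx);

	if (disas_ctx) {
		disas_context_destroy(disas_ctx);
		objtool_disas_ctx = NULL;
	}

	free_insns(file);

	if (!ret && !warnings)
		return 0;

	if (opts.backup && make_backup())
		return 1;

	return ret;
}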