1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (C) 2015-2017 Josh Poimboeuf <jpoimboe@redhat.com>
4 */
5
6 #include <string.h>
7 #include <stdlib.h>
8 #include <sys/mman.h>
9
10 #include "builtin.h"
11 #include "cfi.h"
12 #include "arch.h"
13 #include "check.h"
14 #include "special.h"
15 #include "warn.h"
16 #include "arch_elf.h"
17
18 #include <linux/objtool.h>
19 #include <linux/hashtable.h>
20 #include <linux/kernel.h>
21 #include <linux/static_call_types.h>
22
23 struct alternative {
24 struct list_head list;
25 struct instruction *insn;
26 bool skip_orig;
27 };
28
29 static unsigned long nr_cfi, nr_cfi_reused, nr_cfi_cache;
30
31 static struct cfi_init_state initial_func_cfi;
32 static struct cfi_state init_cfi;
33 static struct cfi_state func_cfi;
34
find_insn(struct objtool_file * file,struct section * sec,unsigned long offset)35 struct instruction *find_insn(struct objtool_file *file,
36 struct section *sec, unsigned long offset)
37 {
38 struct instruction *insn;
39
40 hash_for_each_possible(file->insn_hash, insn, hash, sec_offset_hash(sec, offset)) {
41 if (insn->sec == sec && insn->offset == offset)
42 return insn;
43 }
44
45 return NULL;
46 }
47
next_insn_same_sec(struct objtool_file * file,struct instruction * insn)48 static struct instruction *next_insn_same_sec(struct objtool_file *file,
49 struct instruction *insn)
50 {
51 struct instruction *next = list_next_entry(insn, list);
52
53 if (!next || &next->list == &file->insn_list || next->sec != insn->sec)
54 return NULL;
55
56 return next;
57 }
58
next_insn_same_func(struct objtool_file * file,struct instruction * insn)59 static struct instruction *next_insn_same_func(struct objtool_file *file,
60 struct instruction *insn)
61 {
62 struct instruction *next = list_next_entry(insn, list);
63 struct symbol *func = insn->func;
64
65 if (!func)
66 return NULL;
67
68 if (&next->list != &file->insn_list && next->func == func)
69 return next;
70
71 /* Check if we're already in the subfunction: */
72 if (func == func->cfunc)
73 return NULL;
74
75 /* Move to the subfunction: */
76 return find_insn(file, func->cfunc->sec, func->cfunc->offset);
77 }
78
prev_insn_same_sym(struct objtool_file * file,struct instruction * insn)79 static struct instruction *prev_insn_same_sym(struct objtool_file *file,
80 struct instruction *insn)
81 {
82 struct instruction *prev = list_prev_entry(insn, list);
83
84 if (&prev->list != &file->insn_list && prev->func == insn->func)
85 return prev;
86
87 return NULL;
88 }
89
90 #define func_for_each_insn(file, func, insn) \
91 for (insn = find_insn(file, func->sec, func->offset); \
92 insn; \
93 insn = next_insn_same_func(file, insn))
94
95 #define sym_for_each_insn(file, sym, insn) \
96 for (insn = find_insn(file, sym->sec, sym->offset); \
97 insn && &insn->list != &file->insn_list && \
98 insn->sec == sym->sec && \
99 insn->offset < sym->offset + sym->len; \
100 insn = list_next_entry(insn, list))
101
102 #define sym_for_each_insn_continue_reverse(file, sym, insn) \
103 for (insn = list_prev_entry(insn, list); \
104 &insn->list != &file->insn_list && \
105 insn->sec == sym->sec && insn->offset >= sym->offset; \
106 insn = list_prev_entry(insn, list))
107
108 #define sec_for_each_insn_from(file, insn) \
109 for (; insn; insn = next_insn_same_sec(file, insn))
110
111 #define sec_for_each_insn_continue(file, insn) \
112 for (insn = next_insn_same_sec(file, insn); insn; \
113 insn = next_insn_same_sec(file, insn))
114
is_jump_table_jump(struct instruction * insn)115 static bool is_jump_table_jump(struct instruction *insn)
116 {
117 struct alt_group *alt_group = insn->alt_group;
118
119 if (insn->jump_table)
120 return true;
121
122 /* Retpoline alternative for a jump table? */
123 return alt_group && alt_group->orig_group &&
124 alt_group->orig_group->first_insn->jump_table;
125 }
126
is_sibling_call(struct instruction * insn)127 static bool is_sibling_call(struct instruction *insn)
128 {
129 /*
130 * Assume only ELF functions can make sibling calls. This ensures
131 * sibling call detection consistency between vmlinux.o and individual
132 * objects.
133 */
134 if (!insn->func)
135 return false;
136
137 /* An indirect jump is either a sibling call or a jump to a table. */
138 if (insn->type == INSN_JUMP_DYNAMIC)
139 return !is_jump_table_jump(insn);
140
141 /* add_jump_destinations() sets insn->call_dest for sibling calls. */
142 return (is_static_jump(insn) && insn->call_dest);
143 }
144
145 /*
146 * This checks to see if the given function is a "noreturn" function.
147 *
148 * For global functions which are outside the scope of this object file, we
149 * have to keep a manual list of them.
150 *
151 * For local functions, we have to detect them manually by simply looking for
152 * the lack of a return instruction.
153 */
__dead_end_function(struct objtool_file * file,struct symbol * func,int recursion)154 static bool __dead_end_function(struct objtool_file *file, struct symbol *func,
155 int recursion)
156 {
157 int i;
158 struct instruction *insn;
159 bool empty = true;
160
161 /*
162 * Unfortunately these have to be hard coded because the noreturn
163 * attribute isn't provided in ELF data.
164 */
165 static const char * const global_noreturns[] = {
166 "__stack_chk_fail",
167 "panic",
168 "do_exit",
169 "do_task_dead",
170 "__module_put_and_exit",
171 "complete_and_exit",
172 "__reiserfs_panic",
173 "lbug_with_loc",
174 "fortify_panic",
175 "usercopy_abort",
176 "machine_real_restart",
177 "rewind_stack_do_exit",
178 "kunit_try_catch_throw",
179 "xen_start_kernel",
180 "cpu_bringup_and_idle",
181 };
182
183 if (!func)
184 return false;
185
186 if (func->bind == STB_WEAK)
187 return false;
188
189 if (func->bind == STB_GLOBAL)
190 for (i = 0; i < ARRAY_SIZE(global_noreturns); i++)
191 if (!strcmp(func->name, global_noreturns[i]))
192 return true;
193
194 if (!func->len)
195 return false;
196
197 insn = find_insn(file, func->sec, func->offset);
198 if (!insn->func)
199 return false;
200
201 func_for_each_insn(file, func, insn) {
202 empty = false;
203
204 if (insn->type == INSN_RETURN)
205 return false;
206 }
207
208 if (empty)
209 return false;
210
211 /*
212 * A function can have a sibling call instead of a return. In that
213 * case, the function's dead-end status depends on whether the target
214 * of the sibling call returns.
215 */
216 func_for_each_insn(file, func, insn) {
217 if (is_sibling_call(insn)) {
218 struct instruction *dest = insn->jump_dest;
219
220 if (!dest)
221 /* sibling call to another file */
222 return false;
223
224 /* local sibling call */
225 if (recursion == 5) {
226 /*
227 * Infinite recursion: two functions have
228 * sibling calls to each other. This is a very
229 * rare case. It means they aren't dead ends.
230 */
231 return false;
232 }
233
234 return __dead_end_function(file, dest->func, recursion+1);
235 }
236 }
237
238 return true;
239 }
240
dead_end_function(struct objtool_file * file,struct symbol * func)241 static bool dead_end_function(struct objtool_file *file, struct symbol *func)
242 {
243 return __dead_end_function(file, func, 0);
244 }
245
init_cfi_state(struct cfi_state * cfi)246 static void init_cfi_state(struct cfi_state *cfi)
247 {
248 int i;
249
250 for (i = 0; i < CFI_NUM_REGS; i++) {
251 cfi->regs[i].base = CFI_UNDEFINED;
252 cfi->vals[i].base = CFI_UNDEFINED;
253 }
254 cfi->cfa.base = CFI_UNDEFINED;
255 cfi->drap_reg = CFI_UNDEFINED;
256 cfi->drap_offset = -1;
257 }
258
init_insn_state(struct insn_state * state,struct section * sec)259 static void init_insn_state(struct insn_state *state, struct section *sec)
260 {
261 memset(state, 0, sizeof(*state));
262 init_cfi_state(&state->cfi);
263
264 /*
265 * We need the full vmlinux for noinstr validation, otherwise we can
266 * not correctly determine insn->call_dest->sec (external symbols do
267 * not have a section).
268 */
269 if (vmlinux && sec)
270 state->noinstr = sec->noinstr;
271 }
272
cfi_alloc(void)273 static struct cfi_state *cfi_alloc(void)
274 {
275 struct cfi_state *cfi = calloc(sizeof(struct cfi_state), 1);
276 if (!cfi) {
277 WARN("calloc failed");
278 exit(1);
279 }
280 nr_cfi++;
281 return cfi;
282 }
283
284 static int cfi_bits;
285 static struct hlist_head *cfi_hash;
286
cficmp(struct cfi_state * cfi1,struct cfi_state * cfi2)287 static inline bool cficmp(struct cfi_state *cfi1, struct cfi_state *cfi2)
288 {
289 return memcmp((void *)cfi1 + sizeof(cfi1->hash),
290 (void *)cfi2 + sizeof(cfi2->hash),
291 sizeof(struct cfi_state) - sizeof(struct hlist_node));
292 }
293
cfi_key(struct cfi_state * cfi)294 static inline u32 cfi_key(struct cfi_state *cfi)
295 {
296 return jhash((void *)cfi + sizeof(cfi->hash),
297 sizeof(*cfi) - sizeof(cfi->hash), 0);
298 }
299
cfi_hash_find_or_add(struct cfi_state * cfi)300 static struct cfi_state *cfi_hash_find_or_add(struct cfi_state *cfi)
301 {
302 struct hlist_head *head = &cfi_hash[hash_min(cfi_key(cfi), cfi_bits)];
303 struct cfi_state *obj;
304
305 hlist_for_each_entry(obj, head, hash) {
306 if (!cficmp(cfi, obj)) {
307 nr_cfi_cache++;
308 return obj;
309 }
310 }
311
312 obj = cfi_alloc();
313 *obj = *cfi;
314 hlist_add_head(&obj->hash, head);
315
316 return obj;
317 }
318
cfi_hash_add(struct cfi_state * cfi)319 static void cfi_hash_add(struct cfi_state *cfi)
320 {
321 struct hlist_head *head = &cfi_hash[hash_min(cfi_key(cfi), cfi_bits)];
322
323 hlist_add_head(&cfi->hash, head);
324 }
325
cfi_hash_alloc(void)326 static void *cfi_hash_alloc(void)
327 {
328 cfi_bits = vmlinux ? ELF_HASH_BITS - 3 : 13;
329 cfi_hash = mmap(NULL, sizeof(struct hlist_head) << cfi_bits,
330 PROT_READ|PROT_WRITE,
331 MAP_PRIVATE|MAP_ANON, -1, 0);
332 if (cfi_hash == (void *)-1L) {
333 WARN("mmap fail cfi_hash");
334 cfi_hash = NULL;
335 } else if (stats) {
336 printf("cfi_bits: %d\n", cfi_bits);
337 }
338
339 return cfi_hash;
340 }
341
342 static unsigned long nr_insns;
343 static unsigned long nr_insns_visited;
344
345 /*
346 * Call the arch-specific instruction decoder for all the instructions and add
347 * them to the global instruction list.
348 */
decode_instructions(struct objtool_file * file)349 static int decode_instructions(struct objtool_file *file)
350 {
351 struct section *sec;
352 struct symbol *func;
353 unsigned long offset;
354 struct instruction *insn;
355 int ret;
356
357 for_each_sec(file, sec) {
358
359 if (!(sec->sh.sh_flags & SHF_EXECINSTR))
360 continue;
361
362 if (strcmp(sec->name, ".altinstr_replacement") &&
363 strcmp(sec->name, ".altinstr_aux") &&
364 strncmp(sec->name, ".discard.", 9))
365 sec->text = true;
366
367 if (!strcmp(sec->name, ".noinstr.text") ||
368 !strcmp(sec->name, ".entry.text") ||
369 !strncmp(sec->name, ".text.__x86.", 12))
370 sec->noinstr = true;
371
372 for (offset = 0; offset < sec->len; offset += insn->len) {
373 insn = malloc(sizeof(*insn));
374 if (!insn) {
375 WARN("malloc failed");
376 return -1;
377 }
378 memset(insn, 0, sizeof(*insn));
379 INIT_LIST_HEAD(&insn->alts);
380 INIT_LIST_HEAD(&insn->stack_ops);
381
382 insn->sec = sec;
383 insn->offset = offset;
384
385 ret = arch_decode_instruction(file->elf, sec, offset,
386 sec->len - offset,
387 &insn->len, &insn->type,
388 &insn->immediate,
389 &insn->stack_ops);
390 if (ret)
391 goto err;
392
393 hash_add(file->insn_hash, &insn->hash, sec_offset_hash(sec, insn->offset));
394 list_add_tail(&insn->list, &file->insn_list);
395 nr_insns++;
396 }
397
398 list_for_each_entry(func, &sec->symbol_list, list) {
399 if (func->type != STT_FUNC || func->alias != func)
400 continue;
401
402 if (!find_insn(file, sec, func->offset)) {
403 WARN("%s(): can't find starting instruction",
404 func->name);
405 return -1;
406 }
407
408 sym_for_each_insn(file, func, insn)
409 insn->func = func;
410 }
411 }
412
413 if (stats)
414 printf("nr_insns: %lu\n", nr_insns);
415
416 return 0;
417
418 err:
419 free(insn);
420 return ret;
421 }
422
find_last_insn(struct objtool_file * file,struct section * sec)423 static struct instruction *find_last_insn(struct objtool_file *file,
424 struct section *sec)
425 {
426 struct instruction *insn = NULL;
427 unsigned int offset;
428 unsigned int end = (sec->len > 10) ? sec->len - 10 : 0;
429
430 for (offset = sec->len - 1; offset >= end && !insn; offset--)
431 insn = find_insn(file, sec, offset);
432
433 return insn;
434 }
435
436 /*
437 * Mark "ud2" instructions and manually annotated dead ends.
438 */
add_dead_ends(struct objtool_file * file)439 static int add_dead_ends(struct objtool_file *file)
440 {
441 struct section *sec;
442 struct reloc *reloc;
443 struct instruction *insn;
444
445 /*
446 * By default, "ud2" is a dead end unless otherwise annotated, because
447 * GCC 7 inserts it for certain divide-by-zero cases.
448 */
449 for_each_insn(file, insn)
450 if (insn->type == INSN_BUG)
451 insn->dead_end = true;
452
453 /*
454 * Check for manually annotated dead ends.
455 */
456 sec = find_section_by_name(file->elf, ".rela.discard.unreachable");
457 if (!sec)
458 goto reachable;
459
460 list_for_each_entry(reloc, &sec->reloc_list, list) {
461 if (reloc->sym->type != STT_SECTION) {
462 WARN("unexpected relocation symbol type in %s", sec->name);
463 return -1;
464 }
465 insn = find_insn(file, reloc->sym->sec, reloc->addend);
466 if (insn)
467 insn = list_prev_entry(insn, list);
468 else if (reloc->addend == reloc->sym->sec->len) {
469 insn = find_last_insn(file, reloc->sym->sec);
470 if (!insn) {
471 WARN("can't find unreachable insn at %s+0x%x",
472 reloc->sym->sec->name, reloc->addend);
473 return -1;
474 }
475 } else {
476 WARN("can't find unreachable insn at %s+0x%x",
477 reloc->sym->sec->name, reloc->addend);
478 return -1;
479 }
480
481 insn->dead_end = true;
482 }
483
484 reachable:
485 /*
486 * These manually annotated reachable checks are needed for GCC 4.4,
487 * where the Linux unreachable() macro isn't supported. In that case
488 * GCC doesn't know the "ud2" is fatal, so it generates code as if it's
489 * not a dead end.
490 */
491 sec = find_section_by_name(file->elf, ".rela.discard.reachable");
492 if (!sec)
493 return 0;
494
495 list_for_each_entry(reloc, &sec->reloc_list, list) {
496 if (reloc->sym->type != STT_SECTION) {
497 WARN("unexpected relocation symbol type in %s", sec->name);
498 return -1;
499 }
500 insn = find_insn(file, reloc->sym->sec, reloc->addend);
501 if (insn)
502 insn = list_prev_entry(insn, list);
503 else if (reloc->addend == reloc->sym->sec->len) {
504 insn = find_last_insn(file, reloc->sym->sec);
505 if (!insn) {
506 WARN("can't find reachable insn at %s+0x%x",
507 reloc->sym->sec->name, reloc->addend);
508 return -1;
509 }
510 } else {
511 WARN("can't find reachable insn at %s+0x%x",
512 reloc->sym->sec->name, reloc->addend);
513 return -1;
514 }
515
516 insn->dead_end = false;
517 }
518
519 return 0;
520 }
521
create_static_call_sections(struct objtool_file * file)522 static int create_static_call_sections(struct objtool_file *file)
523 {
524 struct section *sec;
525 struct static_call_site *site;
526 struct instruction *insn;
527 struct symbol *key_sym;
528 char *key_name, *tmp;
529 int idx;
530
531 sec = find_section_by_name(file->elf, ".static_call_sites");
532 if (sec) {
533 INIT_LIST_HEAD(&file->static_call_list);
534 WARN("file already has .static_call_sites section, skipping");
535 return 0;
536 }
537
538 if (list_empty(&file->static_call_list))
539 return 0;
540
541 idx = 0;
542 list_for_each_entry(insn, &file->static_call_list, call_node)
543 idx++;
544
545 sec = elf_create_section(file->elf, ".static_call_sites", SHF_WRITE,
546 sizeof(struct static_call_site), idx);
547 if (!sec)
548 return -1;
549
550 idx = 0;
551 list_for_each_entry(insn, &file->static_call_list, call_node) {
552
553 site = (struct static_call_site *)sec->data->d_buf + idx;
554 memset(site, 0, sizeof(struct static_call_site));
555
556 /* populate reloc for 'addr' */
557 if (elf_add_reloc_to_insn(file->elf, sec,
558 idx * sizeof(struct static_call_site),
559 R_X86_64_PC32,
560 insn->sec, insn->offset))
561 return -1;
562
563 /* find key symbol */
564 key_name = strdup(insn->call_dest->name);
565 if (!key_name) {
566 perror("strdup");
567 return -1;
568 }
569 if (strncmp(key_name, STATIC_CALL_TRAMP_PREFIX_STR,
570 STATIC_CALL_TRAMP_PREFIX_LEN)) {
571 WARN("static_call: trampoline name malformed: %s", key_name);
572 return -1;
573 }
574 tmp = key_name + STATIC_CALL_TRAMP_PREFIX_LEN - STATIC_CALL_KEY_PREFIX_LEN;
575 memcpy(tmp, STATIC_CALL_KEY_PREFIX_STR, STATIC_CALL_KEY_PREFIX_LEN);
576
577 key_sym = find_symbol_by_name(file->elf, tmp);
578 if (!key_sym) {
579 if (!module) {
580 WARN("static_call: can't find static_call_key symbol: %s", tmp);
581 return -1;
582 }
583
584 /*
585 * For modules(), the key might not be exported, which
586 * means the module can make static calls but isn't
587 * allowed to change them.
588 *
589 * In that case we temporarily set the key to be the
590 * trampoline address. This is fixed up in
591 * static_call_add_module().
592 */
593 key_sym = insn->call_dest;
594 }
595 free(key_name);
596
597 /* populate reloc for 'key' */
598 if (elf_add_reloc(file->elf, sec,
599 idx * sizeof(struct static_call_site) + 4,
600 R_X86_64_PC32, key_sym,
601 is_sibling_call(insn) * STATIC_CALL_SITE_TAIL))
602 return -1;
603
604 idx++;
605 }
606
607 return 0;
608 }
609
create_retpoline_sites_sections(struct objtool_file * file)610 static int create_retpoline_sites_sections(struct objtool_file *file)
611 {
612 struct instruction *insn;
613 struct section *sec;
614 int idx;
615
616 sec = find_section_by_name(file->elf, ".retpoline_sites");
617 if (sec) {
618 WARN("file already has .retpoline_sites, skipping");
619 return 0;
620 }
621
622 idx = 0;
623 list_for_each_entry(insn, &file->retpoline_call_list, call_node)
624 idx++;
625
626 if (!idx)
627 return 0;
628
629 sec = elf_create_section(file->elf, ".retpoline_sites", 0,
630 sizeof(int), idx);
631 if (!sec) {
632 WARN("elf_create_section: .retpoline_sites");
633 return -1;
634 }
635
636 idx = 0;
637 list_for_each_entry(insn, &file->retpoline_call_list, call_node) {
638
639 int *site = (int *)sec->data->d_buf + idx;
640 *site = 0;
641
642 if (elf_add_reloc_to_insn(file->elf, sec,
643 idx * sizeof(int),
644 R_X86_64_PC32,
645 insn->sec, insn->offset)) {
646 WARN("elf_add_reloc_to_insn: .retpoline_sites");
647 return -1;
648 }
649
650 idx++;
651 }
652
653 return 0;
654 }
655
create_return_sites_sections(struct objtool_file * file)656 static int create_return_sites_sections(struct objtool_file *file)
657 {
658 struct instruction *insn;
659 struct section *sec;
660 int idx;
661
662 sec = find_section_by_name(file->elf, ".return_sites");
663 if (sec) {
664 WARN("file already has .return_sites, skipping");
665 return 0;
666 }
667
668 idx = 0;
669 list_for_each_entry(insn, &file->return_thunk_list, call_node)
670 idx++;
671
672 if (!idx)
673 return 0;
674
675 sec = elf_create_section(file->elf, ".return_sites", 0,
676 sizeof(int), idx);
677 if (!sec) {
678 WARN("elf_create_section: .return_sites");
679 return -1;
680 }
681
682 idx = 0;
683 list_for_each_entry(insn, &file->return_thunk_list, call_node) {
684
685 int *site = (int *)sec->data->d_buf + idx;
686 *site = 0;
687
688 if (elf_add_reloc_to_insn(file->elf, sec,
689 idx * sizeof(int),
690 R_X86_64_PC32,
691 insn->sec, insn->offset)) {
692 WARN("elf_add_reloc_to_insn: .return_sites");
693 return -1;
694 }
695
696 idx++;
697 }
698
699 return 0;
700 }
701
702 /*
703 * Warnings shouldn't be reported for ignored functions.
704 */
add_ignores(struct objtool_file * file)705 static void add_ignores(struct objtool_file *file)
706 {
707 struct instruction *insn;
708 struct section *sec;
709 struct symbol *func;
710 struct reloc *reloc;
711
712 sec = find_section_by_name(file->elf, ".rela.discard.func_stack_frame_non_standard");
713 if (!sec)
714 return;
715
716 list_for_each_entry(reloc, &sec->reloc_list, list) {
717 switch (reloc->sym->type) {
718 case STT_FUNC:
719 func = reloc->sym;
720 break;
721
722 case STT_SECTION:
723 func = find_func_by_offset(reloc->sym->sec, reloc->addend);
724 if (!func)
725 continue;
726 break;
727
728 default:
729 WARN("unexpected relocation symbol type in %s: %d", sec->name, reloc->sym->type);
730 continue;
731 }
732
733 func_for_each_insn(file, func, insn)
734 insn->ignore = true;
735 }
736 }
737
738 /*
739 * This is a whitelist of functions that is allowed to be called with AC set.
740 * The list is meant to be minimal and only contains compiler instrumentation
741 * ABI and a few functions used to implement *_{to,from}_user() functions.
742 *
743 * These functions must not directly change AC, but may PUSHF/POPF.
744 */
745 static const char *uaccess_safe_builtin[] = {
746 /* KASAN */
747 "kasan_report",
748 "check_memory_region",
749 /* KASAN out-of-line */
750 "__asan_loadN_noabort",
751 "__asan_load1_noabort",
752 "__asan_load2_noabort",
753 "__asan_load4_noabort",
754 "__asan_load8_noabort",
755 "__asan_load16_noabort",
756 "__asan_storeN_noabort",
757 "__asan_store1_noabort",
758 "__asan_store2_noabort",
759 "__asan_store4_noabort",
760 "__asan_store8_noabort",
761 "__asan_store16_noabort",
762 "__kasan_check_read",
763 "__kasan_check_write",
764 /* KASAN in-line */
765 "__asan_report_load_n_noabort",
766 "__asan_report_load1_noabort",
767 "__asan_report_load2_noabort",
768 "__asan_report_load4_noabort",
769 "__asan_report_load8_noabort",
770 "__asan_report_load16_noabort",
771 "__asan_report_store_n_noabort",
772 "__asan_report_store1_noabort",
773 "__asan_report_store2_noabort",
774 "__asan_report_store4_noabort",
775 "__asan_report_store8_noabort",
776 "__asan_report_store16_noabort",
777 /* KCSAN */
778 "__kcsan_check_access",
779 "kcsan_found_watchpoint",
780 "kcsan_setup_watchpoint",
781 "kcsan_check_scoped_accesses",
782 "kcsan_disable_current",
783 "kcsan_enable_current_nowarn",
784 /* KCSAN/TSAN */
785 "__tsan_func_entry",
786 "__tsan_func_exit",
787 "__tsan_read_range",
788 "__tsan_write_range",
789 "__tsan_read1",
790 "__tsan_read2",
791 "__tsan_read4",
792 "__tsan_read8",
793 "__tsan_read16",
794 "__tsan_write1",
795 "__tsan_write2",
796 "__tsan_write4",
797 "__tsan_write8",
798 "__tsan_write16",
799 "__tsan_read_write1",
800 "__tsan_read_write2",
801 "__tsan_read_write4",
802 "__tsan_read_write8",
803 "__tsan_read_write16",
804 "__tsan_atomic8_load",
805 "__tsan_atomic16_load",
806 "__tsan_atomic32_load",
807 "__tsan_atomic64_load",
808 "__tsan_atomic8_store",
809 "__tsan_atomic16_store",
810 "__tsan_atomic32_store",
811 "__tsan_atomic64_store",
812 "__tsan_atomic8_exchange",
813 "__tsan_atomic16_exchange",
814 "__tsan_atomic32_exchange",
815 "__tsan_atomic64_exchange",
816 "__tsan_atomic8_fetch_add",
817 "__tsan_atomic16_fetch_add",
818 "__tsan_atomic32_fetch_add",
819 "__tsan_atomic64_fetch_add",
820 "__tsan_atomic8_fetch_sub",
821 "__tsan_atomic16_fetch_sub",
822 "__tsan_atomic32_fetch_sub",
823 "__tsan_atomic64_fetch_sub",
824 "__tsan_atomic8_fetch_and",
825 "__tsan_atomic16_fetch_and",
826 "__tsan_atomic32_fetch_and",
827 "__tsan_atomic64_fetch_and",
828 "__tsan_atomic8_fetch_or",
829 "__tsan_atomic16_fetch_or",
830 "__tsan_atomic32_fetch_or",
831 "__tsan_atomic64_fetch_or",
832 "__tsan_atomic8_fetch_xor",
833 "__tsan_atomic16_fetch_xor",
834 "__tsan_atomic32_fetch_xor",
835 "__tsan_atomic64_fetch_xor",
836 "__tsan_atomic8_fetch_nand",
837 "__tsan_atomic16_fetch_nand",
838 "__tsan_atomic32_fetch_nand",
839 "__tsan_atomic64_fetch_nand",
840 "__tsan_atomic8_compare_exchange_strong",
841 "__tsan_atomic16_compare_exchange_strong",
842 "__tsan_atomic32_compare_exchange_strong",
843 "__tsan_atomic64_compare_exchange_strong",
844 "__tsan_atomic8_compare_exchange_weak",
845 "__tsan_atomic16_compare_exchange_weak",
846 "__tsan_atomic32_compare_exchange_weak",
847 "__tsan_atomic64_compare_exchange_weak",
848 "__tsan_atomic8_compare_exchange_val",
849 "__tsan_atomic16_compare_exchange_val",
850 "__tsan_atomic32_compare_exchange_val",
851 "__tsan_atomic64_compare_exchange_val",
852 "__tsan_atomic_thread_fence",
853 "__tsan_atomic_signal_fence",
854 /* KCOV */
855 "write_comp_data",
856 "check_kcov_mode",
857 "__sanitizer_cov_trace_pc",
858 "__sanitizer_cov_trace_const_cmp1",
859 "__sanitizer_cov_trace_const_cmp2",
860 "__sanitizer_cov_trace_const_cmp4",
861 "__sanitizer_cov_trace_const_cmp8",
862 "__sanitizer_cov_trace_cmp1",
863 "__sanitizer_cov_trace_cmp2",
864 "__sanitizer_cov_trace_cmp4",
865 "__sanitizer_cov_trace_cmp8",
866 "__sanitizer_cov_trace_switch",
867 /* UBSAN */
868 "ubsan_type_mismatch_common",
869 "__ubsan_handle_type_mismatch",
870 "__ubsan_handle_type_mismatch_v1",
871 "__ubsan_handle_shift_out_of_bounds",
872 /* misc */
873 "csum_partial_copy_generic",
874 "copy_mc_fragile",
875 "copy_mc_fragile_handle_tail",
876 "copy_mc_enhanced_fast_string",
877 "ftrace_likely_update", /* CONFIG_TRACE_BRANCH_PROFILING */
878 NULL
879 };
880
add_uaccess_safe(struct objtool_file * file)881 static void add_uaccess_safe(struct objtool_file *file)
882 {
883 struct symbol *func;
884 const char **name;
885
886 if (!uaccess)
887 return;
888
889 for (name = uaccess_safe_builtin; *name; name++) {
890 func = find_symbol_by_name(file->elf, *name);
891 if (!func)
892 continue;
893
894 func->uaccess_safe = true;
895 }
896 }
897
898 /*
899 * FIXME: For now, just ignore any alternatives which add retpolines. This is
900 * a temporary hack, as it doesn't allow ORC to unwind from inside a retpoline.
901 * But it at least allows objtool to understand the control flow *around* the
902 * retpoline.
903 */
add_ignore_alternatives(struct objtool_file * file)904 static int add_ignore_alternatives(struct objtool_file *file)
905 {
906 struct section *sec;
907 struct reloc *reloc;
908 struct instruction *insn;
909
910 sec = find_section_by_name(file->elf, ".rela.discard.ignore_alts");
911 if (!sec)
912 return 0;
913
914 list_for_each_entry(reloc, &sec->reloc_list, list) {
915 if (reloc->sym->type != STT_SECTION) {
916 WARN("unexpected relocation symbol type in %s", sec->name);
917 return -1;
918 }
919
920 insn = find_insn(file, reloc->sym->sec, reloc->addend);
921 if (!insn) {
922 WARN("bad .discard.ignore_alts entry");
923 return -1;
924 }
925
926 insn->ignore_alts = true;
927 }
928
929 return 0;
930 }
931
arch_is_retpoline(struct symbol * sym)932 __weak bool arch_is_retpoline(struct symbol *sym)
933 {
934 return false;
935 }
936
arch_is_rethunk(struct symbol * sym)937 __weak bool arch_is_rethunk(struct symbol *sym)
938 {
939 return false;
940 }
941
942 #define NEGATIVE_RELOC ((void *)-1L)
943
insn_reloc(struct objtool_file * file,struct instruction * insn)944 static struct reloc *insn_reloc(struct objtool_file *file, struct instruction *insn)
945 {
946 if (insn->reloc == NEGATIVE_RELOC)
947 return NULL;
948
949 if (!insn->reloc) {
950 insn->reloc = find_reloc_by_dest_range(file->elf, insn->sec,
951 insn->offset, insn->len);
952 if (!insn->reloc) {
953 insn->reloc = NEGATIVE_RELOC;
954 return NULL;
955 }
956 }
957
958 return insn->reloc;
959 }
960
remove_insn_ops(struct instruction * insn)961 static void remove_insn_ops(struct instruction *insn)
962 {
963 struct stack_op *op, *tmp;
964
965 list_for_each_entry_safe(op, tmp, &insn->stack_ops, list) {
966 list_del(&op->list);
967 free(op);
968 }
969 }
970
annotate_call_site(struct objtool_file * file,struct instruction * insn,bool sibling)971 static void annotate_call_site(struct objtool_file *file,
972 struct instruction *insn, bool sibling)
973 {
974 struct reloc *reloc = insn_reloc(file, insn);
975 struct symbol *sym = insn->call_dest;
976
977 if (!sym)
978 sym = reloc->sym;
979
980 /*
981 * Alternative replacement code is just template code which is
982 * sometimes copied to the original instruction. For now, don't
983 * annotate it. (In the future we might consider annotating the
984 * original instruction if/when it ever makes sense to do so.)
985 */
986 if (!strcmp(insn->sec->name, ".altinstr_replacement"))
987 return;
988
989 if (sym->static_call_tramp) {
990 list_add_tail(&insn->call_node, &file->static_call_list);
991 return;
992 }
993
994 if (sym->retpoline_thunk) {
995 list_add_tail(&insn->call_node, &file->retpoline_call_list);
996 return;
997 }
998
999 /*
1000 * Many compilers cannot disable KCOV with a function attribute
1001 * so they need a little help, NOP out any KCOV calls from noinstr
1002 * text.
1003 */
1004 if (insn->sec->noinstr && sym->kcov) {
1005 if (reloc) {
1006 reloc->type = R_NONE;
1007 elf_write_reloc(file->elf, reloc);
1008 }
1009
1010 elf_write_insn(file->elf, insn->sec,
1011 insn->offset, insn->len,
1012 sibling ? arch_ret_insn(insn->len)
1013 : arch_nop_insn(insn->len));
1014
1015 insn->type = sibling ? INSN_RETURN : INSN_NOP;
1016
1017 if (sibling) {
1018 /*
1019 * We've replaced the tail-call JMP insn by two new
1020 * insn: RET; INT3, except we only have a single struct
1021 * insn here. Mark it retpoline_safe to avoid the SLS
1022 * warning, instead of adding another insn.
1023 */
1024 insn->retpoline_safe = true;
1025 }
1026
1027 return;
1028 }
1029 }
1030
add_call_dest(struct objtool_file * file,struct instruction * insn,struct symbol * dest,bool sibling)1031 static void add_call_dest(struct objtool_file *file, struct instruction *insn,
1032 struct symbol *dest, bool sibling)
1033 {
1034 insn->call_dest = dest;
1035 if (!dest)
1036 return;
1037
1038 /*
1039 * Whatever stack impact regular CALLs have, should be undone
1040 * by the RETURN of the called function.
1041 *
1042 * Annotated intra-function calls retain the stack_ops but
1043 * are converted to JUMP, see read_intra_function_calls().
1044 */
1045 remove_insn_ops(insn);
1046
1047 annotate_call_site(file, insn, sibling);
1048 }
1049
add_retpoline_call(struct objtool_file * file,struct instruction * insn)1050 static void add_retpoline_call(struct objtool_file *file, struct instruction *insn)
1051 {
1052 /*
1053 * Retpoline calls/jumps are really dynamic calls/jumps in disguise,
1054 * so convert them accordingly.
1055 */
1056 switch (insn->type) {
1057 case INSN_CALL:
1058 insn->type = INSN_CALL_DYNAMIC;
1059 break;
1060 case INSN_JUMP_UNCONDITIONAL:
1061 insn->type = INSN_JUMP_DYNAMIC;
1062 break;
1063 case INSN_JUMP_CONDITIONAL:
1064 insn->type = INSN_JUMP_DYNAMIC_CONDITIONAL;
1065 break;
1066 default:
1067 return;
1068 }
1069
1070 insn->retpoline_safe = true;
1071
1072 /*
1073 * Whatever stack impact regular CALLs have, should be undone
1074 * by the RETURN of the called function.
1075 *
1076 * Annotated intra-function calls retain the stack_ops but
1077 * are converted to JUMP, see read_intra_function_calls().
1078 */
1079 remove_insn_ops(insn);
1080
1081 annotate_call_site(file, insn, false);
1082 }
1083
add_return_call(struct objtool_file * file,struct instruction * insn,bool add)1084 static void add_return_call(struct objtool_file *file, struct instruction *insn, bool add)
1085 {
1086 /*
1087 * Return thunk tail calls are really just returns in disguise,
1088 * so convert them accordingly.
1089 */
1090 insn->type = INSN_RETURN;
1091 insn->retpoline_safe = true;
1092
1093 /* Skip the non-text sections, specially .discard ones */
1094 if (add && insn->sec->text)
1095 list_add_tail(&insn->call_node, &file->return_thunk_list);
1096 }
1097
1098 /*
1099 * Find the destination instructions for all jumps.
1100 */
add_jump_destinations(struct objtool_file * file)1101 static int add_jump_destinations(struct objtool_file *file)
1102 {
1103 struct instruction *insn;
1104 struct reloc *reloc;
1105 struct section *dest_sec;
1106 unsigned long dest_off;
1107
1108 for_each_insn(file, insn) {
1109 if (!is_static_jump(insn))
1110 continue;
1111
1112 reloc = insn_reloc(file, insn);
1113 if (!reloc) {
1114 dest_sec = insn->sec;
1115 dest_off = arch_jump_destination(insn);
1116 } else if (reloc->sym->type == STT_SECTION) {
1117 dest_sec = reloc->sym->sec;
1118 dest_off = arch_dest_reloc_offset(reloc->addend);
1119 } else if (reloc->sym->retpoline_thunk) {
1120 add_retpoline_call(file, insn);
1121 continue;
1122 } else if (reloc->sym->return_thunk) {
1123 add_return_call(file, insn, true);
1124 continue;
1125 } else if (insn->func) {
1126 /* internal or external sibling call (with reloc) */
1127 add_call_dest(file, insn, reloc->sym, true);
1128 continue;
1129 } else if (reloc->sym->sec->idx) {
1130 dest_sec = reloc->sym->sec;
1131 dest_off = reloc->sym->sym.st_value +
1132 arch_dest_reloc_offset(reloc->addend);
1133 } else {
1134 /* non-func asm code jumping to another file */
1135 continue;
1136 }
1137
1138 insn->jump_dest = find_insn(file, dest_sec, dest_off);
1139 if (!insn->jump_dest) {
1140 struct symbol *sym = find_symbol_by_offset(dest_sec, dest_off);
1141
1142 /*
1143 * This is a special case where an alt instruction
1144 * jumps past the end of the section. These are
1145 * handled later in handle_group_alt().
1146 */
1147 if (!strcmp(insn->sec->name, ".altinstr_replacement"))
1148 continue;
1149
1150 /*
1151 * This is a special case for zen_untrain_ret().
1152 * It jumps to __x86_return_thunk(), but objtool
1153 * can't find the thunk's starting RET
1154 * instruction, because the RET is also in the
1155 * middle of another instruction. Objtool only
1156 * knows about the outer instruction.
1157 */
1158 if (sym && sym->return_thunk) {
1159 add_return_call(file, insn, false);
1160 continue;
1161 }
1162
1163 WARN_FUNC("can't find jump dest instruction at %s+0x%lx",
1164 insn->sec, insn->offset, dest_sec->name,
1165 dest_off);
1166 return -1;
1167 }
1168
1169 /*
1170 * Cross-function jump.
1171 */
1172 if (insn->func && insn->jump_dest->func &&
1173 insn->func != insn->jump_dest->func) {
1174
1175 /*
1176 * For GCC 8+, create parent/child links for any cold
1177 * subfunctions. This is _mostly_ redundant with a
1178 * similar initialization in read_symbols().
1179 *
1180 * If a function has aliases, we want the *first* such
1181 * function in the symbol table to be the subfunction's
1182 * parent. In that case we overwrite the
1183 * initialization done in read_symbols().
1184 *
1185 * However this code can't completely replace the
1186 * read_symbols() code because this doesn't detect the
1187 * case where the parent function's only reference to a
1188 * subfunction is through a jump table.
1189 */
1190 if (!strstr(insn->func->name, ".cold") &&
1191 strstr(insn->jump_dest->func->name, ".cold")) {
1192 insn->func->cfunc = insn->jump_dest->func;
1193 insn->jump_dest->func->pfunc = insn->func;
1194
1195 } else if (insn->jump_dest->func->pfunc != insn->func->pfunc &&
1196 insn->jump_dest->offset == insn->jump_dest->func->offset) {
1197 /* internal sibling call (without reloc) */
1198 add_call_dest(file, insn, insn->jump_dest->func, true);
1199 }
1200 }
1201 }
1202
1203 return 0;
1204 }
1205
find_call_destination(struct section * sec,unsigned long offset)1206 static struct symbol *find_call_destination(struct section *sec, unsigned long offset)
1207 {
1208 struct symbol *call_dest;
1209
1210 call_dest = find_func_by_offset(sec, offset);
1211 if (!call_dest)
1212 call_dest = find_symbol_by_offset(sec, offset);
1213
1214 return call_dest;
1215 }
1216
1217 /*
1218 * Find the destination instructions for all calls.
1219 */
add_call_destinations(struct objtool_file * file)1220 static int add_call_destinations(struct objtool_file *file)
1221 {
1222 struct instruction *insn;
1223 unsigned long dest_off;
1224 struct symbol *dest;
1225 struct reloc *reloc;
1226
1227 for_each_insn(file, insn) {
1228 if (insn->type != INSN_CALL)
1229 continue;
1230
1231 reloc = insn_reloc(file, insn);
1232 if (!reloc) {
1233 dest_off = arch_jump_destination(insn);
1234 dest = find_call_destination(insn->sec, dest_off);
1235
1236 add_call_dest(file, insn, dest, false);
1237
1238 if (insn->ignore)
1239 continue;
1240
1241 if (!insn->call_dest) {
1242 WARN_FUNC("unannotated intra-function call", insn->sec, insn->offset);
1243 return -1;
1244 }
1245
1246 if (insn->func && insn->call_dest->type != STT_FUNC) {
1247 WARN_FUNC("unsupported call to non-function",
1248 insn->sec, insn->offset);
1249 return -1;
1250 }
1251
1252 } else if (reloc->sym->type == STT_SECTION) {
1253 dest_off = arch_dest_reloc_offset(reloc->addend);
1254 dest = find_call_destination(reloc->sym->sec, dest_off);
1255 if (!dest) {
1256 WARN_FUNC("can't find call dest symbol at %s+0x%lx",
1257 insn->sec, insn->offset,
1258 reloc->sym->sec->name,
1259 dest_off);
1260 return -1;
1261 }
1262
1263 add_call_dest(file, insn, dest, false);
1264
1265 } else if (reloc->sym->retpoline_thunk) {
1266 add_retpoline_call(file, insn);
1267
1268 } else
1269 add_call_dest(file, insn, reloc->sym, false);
1270 }
1271
1272 return 0;
1273 }
1274
1275 /*
1276 * The .alternatives section requires some extra special care over and above
1277 * other special sections because alternatives are patched in place.
1278 */
handle_group_alt(struct objtool_file * file,struct special_alt * special_alt,struct instruction * orig_insn,struct instruction ** new_insn)1279 static int handle_group_alt(struct objtool_file *file,
1280 struct special_alt *special_alt,
1281 struct instruction *orig_insn,
1282 struct instruction **new_insn)
1283 {
1284 struct instruction *last_orig_insn, *last_new_insn = NULL, *insn, *nop = NULL;
1285 struct alt_group *orig_alt_group, *new_alt_group;
1286 unsigned long dest_off;
1287
1288
1289 orig_alt_group = malloc(sizeof(*orig_alt_group));
1290 if (!orig_alt_group) {
1291 WARN("malloc failed");
1292 return -1;
1293 }
1294 orig_alt_group->cfi = calloc(special_alt->orig_len,
1295 sizeof(struct cfi_state *));
1296 if (!orig_alt_group->cfi) {
1297 WARN("calloc failed");
1298 return -1;
1299 }
1300
1301 last_orig_insn = NULL;
1302 insn = orig_insn;
1303 sec_for_each_insn_from(file, insn) {
1304 if (insn->offset >= special_alt->orig_off + special_alt->orig_len)
1305 break;
1306
1307 insn->alt_group = orig_alt_group;
1308 last_orig_insn = insn;
1309 }
1310 orig_alt_group->orig_group = NULL;
1311 orig_alt_group->first_insn = orig_insn;
1312 orig_alt_group->last_insn = last_orig_insn;
1313
1314
1315 new_alt_group = malloc(sizeof(*new_alt_group));
1316 if (!new_alt_group) {
1317 WARN("malloc failed");
1318 return -1;
1319 }
1320
1321 if (special_alt->new_len < special_alt->orig_len) {
1322 /*
1323 * Insert a fake nop at the end to make the replacement
1324 * alt_group the same size as the original. This is needed to
1325 * allow propagate_alt_cfi() to do its magic. When the last
1326 * instruction affects the stack, the instruction after it (the
1327 * nop) will propagate the new state to the shared CFI array.
1328 */
1329 nop = malloc(sizeof(*nop));
1330 if (!nop) {
1331 WARN("malloc failed");
1332 return -1;
1333 }
1334 memset(nop, 0, sizeof(*nop));
1335 INIT_LIST_HEAD(&nop->alts);
1336 INIT_LIST_HEAD(&nop->stack_ops);
1337
1338 nop->sec = special_alt->new_sec;
1339 nop->offset = special_alt->new_off + special_alt->new_len;
1340 nop->len = special_alt->orig_len - special_alt->new_len;
1341 nop->type = INSN_NOP;
1342 nop->func = orig_insn->func;
1343 nop->alt_group = new_alt_group;
1344 nop->ignore = orig_insn->ignore_alts;
1345 }
1346
1347 if (!special_alt->new_len) {
1348 *new_insn = nop;
1349 goto end;
1350 }
1351
1352 insn = *new_insn;
1353 sec_for_each_insn_from(file, insn) {
1354 struct reloc *alt_reloc;
1355
1356 if (insn->offset >= special_alt->new_off + special_alt->new_len)
1357 break;
1358
1359 last_new_insn = insn;
1360
1361 insn->ignore = orig_insn->ignore_alts;
1362 insn->func = orig_insn->func;
1363 insn->alt_group = new_alt_group;
1364
1365 /*
1366 * Since alternative replacement code is copy/pasted by the
1367 * kernel after applying relocations, generally such code can't
1368 * have relative-address relocation references to outside the
1369 * .altinstr_replacement section, unless the arch's
1370 * alternatives code can adjust the relative offsets
1371 * accordingly.
1372 */
1373 alt_reloc = insn_reloc(file, insn);
1374 if (alt_reloc &&
1375 !arch_support_alt_relocation(special_alt, insn, alt_reloc)) {
1376
1377 WARN_FUNC("unsupported relocation in alternatives section",
1378 insn->sec, insn->offset);
1379 return -1;
1380 }
1381
1382 if (!is_static_jump(insn))
1383 continue;
1384
1385 if (!insn->immediate)
1386 continue;
1387
1388 dest_off = arch_jump_destination(insn);
1389 if (dest_off == special_alt->new_off + special_alt->new_len)
1390 insn->jump_dest = next_insn_same_sec(file, last_orig_insn);
1391
1392 if (!insn->jump_dest) {
1393 WARN_FUNC("can't find alternative jump destination",
1394 insn->sec, insn->offset);
1395 return -1;
1396 }
1397 }
1398
1399 if (!last_new_insn) {
1400 WARN_FUNC("can't find last new alternative instruction",
1401 special_alt->new_sec, special_alt->new_off);
1402 return -1;
1403 }
1404
1405 if (nop)
1406 list_add(&nop->list, &last_new_insn->list);
1407 end:
1408 new_alt_group->orig_group = orig_alt_group;
1409 new_alt_group->first_insn = *new_insn;
1410 new_alt_group->last_insn = nop ? : last_new_insn;
1411 new_alt_group->cfi = orig_alt_group->cfi;
1412 return 0;
1413 }
1414
1415 /*
1416 * A jump table entry can either convert a nop to a jump or a jump to a nop.
1417 * If the original instruction is a jump, make the alt entry an effective nop
1418 * by just skipping the original instruction.
1419 */
handle_jump_alt(struct objtool_file * file,struct special_alt * special_alt,struct instruction * orig_insn,struct instruction ** new_insn)1420 static int handle_jump_alt(struct objtool_file *file,
1421 struct special_alt *special_alt,
1422 struct instruction *orig_insn,
1423 struct instruction **new_insn)
1424 {
1425 if (orig_insn->type == INSN_NOP)
1426 return 0;
1427
1428 if (orig_insn->type != INSN_JUMP_UNCONDITIONAL) {
1429 WARN_FUNC("unsupported instruction at jump label",
1430 orig_insn->sec, orig_insn->offset);
1431 return -1;
1432 }
1433
1434 *new_insn = list_next_entry(orig_insn, list);
1435 return 0;
1436 }
1437
1438 /*
1439 * Read all the special sections which have alternate instructions which can be
1440 * patched in or redirected to at runtime. Each instruction having alternate
1441 * instruction(s) has them added to its insn->alts list, which will be
1442 * traversed in validate_branch().
1443 */
add_special_section_alts(struct objtool_file * file)1444 static int add_special_section_alts(struct objtool_file *file)
1445 {
1446 struct list_head special_alts;
1447 struct instruction *orig_insn, *new_insn;
1448 struct special_alt *special_alt, *tmp;
1449 struct alternative *alt;
1450 int ret;
1451
1452 ret = special_get_alts(file->elf, &special_alts);
1453 if (ret)
1454 return ret;
1455
1456 list_for_each_entry_safe(special_alt, tmp, &special_alts, list) {
1457
1458 orig_insn = find_insn(file, special_alt->orig_sec,
1459 special_alt->orig_off);
1460 if (!orig_insn) {
1461 WARN_FUNC("special: can't find orig instruction",
1462 special_alt->orig_sec, special_alt->orig_off);
1463 ret = -1;
1464 goto out;
1465 }
1466
1467 new_insn = NULL;
1468 if (!special_alt->group || special_alt->new_len) {
1469 new_insn = find_insn(file, special_alt->new_sec,
1470 special_alt->new_off);
1471 if (!new_insn) {
1472 WARN_FUNC("special: can't find new instruction",
1473 special_alt->new_sec,
1474 special_alt->new_off);
1475 ret = -1;
1476 goto out;
1477 }
1478 }
1479
1480 if (special_alt->group) {
1481 if (!special_alt->orig_len) {
1482 WARN_FUNC("empty alternative entry",
1483 orig_insn->sec, orig_insn->offset);
1484 continue;
1485 }
1486
1487 ret = handle_group_alt(file, special_alt, orig_insn,
1488 &new_insn);
1489 if (ret)
1490 goto out;
1491 } else if (special_alt->jump_or_nop) {
1492 ret = handle_jump_alt(file, special_alt, orig_insn,
1493 &new_insn);
1494 if (ret)
1495 goto out;
1496 }
1497
1498 alt = malloc(sizeof(*alt));
1499 if (!alt) {
1500 WARN("malloc failed");
1501 ret = -1;
1502 goto out;
1503 }
1504
1505 alt->insn = new_insn;
1506 alt->skip_orig = special_alt->skip_orig;
1507 orig_insn->ignore_alts |= special_alt->skip_alt;
1508 list_add_tail(&alt->list, &orig_insn->alts);
1509
1510 list_del(&special_alt->list);
1511 free(special_alt);
1512 }
1513
1514 out:
1515 return ret;
1516 }
1517
add_jump_table(struct objtool_file * file,struct instruction * insn,struct reloc * table)1518 static int add_jump_table(struct objtool_file *file, struct instruction *insn,
1519 struct reloc *table)
1520 {
1521 struct reloc *reloc = table;
1522 struct instruction *dest_insn;
1523 struct alternative *alt;
1524 struct symbol *pfunc = insn->func->pfunc;
1525 unsigned int prev_offset = 0;
1526
1527 /*
1528 * Each @reloc is a switch table relocation which points to the target
1529 * instruction.
1530 */
1531 list_for_each_entry_from(reloc, &table->sec->reloc_list, list) {
1532
1533 /* Check for the end of the table: */
1534 if (reloc != table && reloc->jump_table_start)
1535 break;
1536
1537 /* Make sure the table entries are consecutive: */
1538 if (prev_offset && reloc->offset != prev_offset + 8)
1539 break;
1540
1541 /* Detect function pointers from contiguous objects: */
1542 if (reloc->sym->sec == pfunc->sec &&
1543 reloc->addend == pfunc->offset)
1544 break;
1545
1546 dest_insn = find_insn(file, reloc->sym->sec, reloc->addend);
1547 if (!dest_insn)
1548 break;
1549
1550 /* Make sure the destination is in the same function: */
1551 if (!dest_insn->func || dest_insn->func->pfunc != pfunc)
1552 break;
1553
1554 alt = malloc(sizeof(*alt));
1555 if (!alt) {
1556 WARN("malloc failed");
1557 return -1;
1558 }
1559
1560 alt->insn = dest_insn;
1561 list_add_tail(&alt->list, &insn->alts);
1562 prev_offset = reloc->offset;
1563 }
1564
1565 if (!prev_offset) {
1566 WARN_FUNC("can't find switch jump table",
1567 insn->sec, insn->offset);
1568 return -1;
1569 }
1570
1571 return 0;
1572 }
1573
1574 /*
1575 * find_jump_table() - Given a dynamic jump, find the switch jump table
1576 * associated with it.
1577 */
find_jump_table(struct objtool_file * file,struct symbol * func,struct instruction * insn)1578 static struct reloc *find_jump_table(struct objtool_file *file,
1579 struct symbol *func,
1580 struct instruction *insn)
1581 {
1582 struct reloc *table_reloc;
1583 struct instruction *dest_insn, *orig_insn = insn;
1584
1585 /*
1586 * Backward search using the @first_jump_src links, these help avoid
1587 * much of the 'in between' code. Which avoids us getting confused by
1588 * it.
1589 */
1590 for (;
1591 insn && insn->func && insn->func->pfunc == func;
1592 insn = insn->first_jump_src ?: prev_insn_same_sym(file, insn)) {
1593
1594 if (insn != orig_insn && insn->type == INSN_JUMP_DYNAMIC)
1595 break;
1596
1597 /* allow small jumps within the range */
1598 if (insn->type == INSN_JUMP_UNCONDITIONAL &&
1599 insn->jump_dest &&
1600 (insn->jump_dest->offset <= insn->offset ||
1601 insn->jump_dest->offset > orig_insn->offset))
1602 break;
1603
1604 table_reloc = arch_find_switch_table(file, insn);
1605 if (!table_reloc)
1606 continue;
1607 dest_insn = find_insn(file, table_reloc->sym->sec, table_reloc->addend);
1608 if (!dest_insn || !dest_insn->func || dest_insn->func->pfunc != func)
1609 continue;
1610
1611 return table_reloc;
1612 }
1613
1614 return NULL;
1615 }
1616
1617 /*
1618 * First pass: Mark the head of each jump table so that in the next pass,
1619 * we know when a given jump table ends and the next one starts.
1620 */
mark_func_jump_tables(struct objtool_file * file,struct symbol * func)1621 static void mark_func_jump_tables(struct objtool_file *file,
1622 struct symbol *func)
1623 {
1624 struct instruction *insn, *last = NULL;
1625 struct reloc *reloc;
1626
1627 func_for_each_insn(file, func, insn) {
1628 if (!last)
1629 last = insn;
1630
1631 /*
1632 * Store back-pointers for unconditional forward jumps such
1633 * that find_jump_table() can back-track using those and
1634 * avoid some potentially confusing code.
1635 */
1636 if (insn->type == INSN_JUMP_UNCONDITIONAL && insn->jump_dest &&
1637 insn->offset > last->offset &&
1638 insn->jump_dest->offset > insn->offset &&
1639 !insn->jump_dest->first_jump_src) {
1640
1641 insn->jump_dest->first_jump_src = insn;
1642 last = insn->jump_dest;
1643 }
1644
1645 if (insn->type != INSN_JUMP_DYNAMIC)
1646 continue;
1647
1648 reloc = find_jump_table(file, func, insn);
1649 if (reloc) {
1650 reloc->jump_table_start = true;
1651 insn->jump_table = reloc;
1652 }
1653 }
1654 }
1655
add_func_jump_tables(struct objtool_file * file,struct symbol * func)1656 static int add_func_jump_tables(struct objtool_file *file,
1657 struct symbol *func)
1658 {
1659 struct instruction *insn;
1660 int ret;
1661
1662 func_for_each_insn(file, func, insn) {
1663 if (!insn->jump_table)
1664 continue;
1665
1666 ret = add_jump_table(file, insn, insn->jump_table);
1667 if (ret)
1668 return ret;
1669 }
1670
1671 return 0;
1672 }
1673
1674 /*
1675 * For some switch statements, gcc generates a jump table in the .rodata
1676 * section which contains a list of addresses within the function to jump to.
1677 * This finds these jump tables and adds them to the insn->alts lists.
1678 */
add_jump_table_alts(struct objtool_file * file)1679 static int add_jump_table_alts(struct objtool_file *file)
1680 {
1681 struct section *sec;
1682 struct symbol *func;
1683 int ret;
1684
1685 if (!file->rodata)
1686 return 0;
1687
1688 for_each_sec(file, sec) {
1689 list_for_each_entry(func, &sec->symbol_list, list) {
1690 if (func->type != STT_FUNC)
1691 continue;
1692
1693 mark_func_jump_tables(file, func);
1694 ret = add_func_jump_tables(file, func);
1695 if (ret)
1696 return ret;
1697 }
1698 }
1699
1700 return 0;
1701 }
1702
set_func_state(struct cfi_state * state)1703 static void set_func_state(struct cfi_state *state)
1704 {
1705 state->cfa = initial_func_cfi.cfa;
1706 memcpy(&state->regs, &initial_func_cfi.regs,
1707 CFI_NUM_REGS * sizeof(struct cfi_reg));
1708 state->stack_size = initial_func_cfi.cfa.offset;
1709 }
1710
read_unwind_hints(struct objtool_file * file)1711 static int read_unwind_hints(struct objtool_file *file)
1712 {
1713 struct cfi_state cfi = init_cfi;
1714 struct section *sec, *relocsec;
1715 struct unwind_hint *hint;
1716 struct instruction *insn;
1717 struct reloc *reloc;
1718 int i;
1719
1720 sec = find_section_by_name(file->elf, ".discard.unwind_hints");
1721 if (!sec)
1722 return 0;
1723
1724 relocsec = sec->reloc;
1725 if (!relocsec) {
1726 WARN("missing .rela.discard.unwind_hints section");
1727 return -1;
1728 }
1729
1730 if (sec->len % sizeof(struct unwind_hint)) {
1731 WARN("struct unwind_hint size mismatch");
1732 return -1;
1733 }
1734
1735 file->hints = true;
1736
1737 for (i = 0; i < sec->len / sizeof(struct unwind_hint); i++) {
1738 hint = (struct unwind_hint *)sec->data->d_buf + i;
1739
1740 reloc = find_reloc_by_dest(file->elf, sec, i * sizeof(*hint));
1741 if (!reloc) {
1742 WARN("can't find reloc for unwind_hints[%d]", i);
1743 return -1;
1744 }
1745
1746 insn = find_insn(file, reloc->sym->sec, reloc->addend);
1747 if (!insn) {
1748 WARN("can't find insn for unwind_hints[%d]", i);
1749 return -1;
1750 }
1751
1752 insn->hint = true;
1753
1754 if (hint->type == UNWIND_HINT_TYPE_SAVE) {
1755 insn->hint = false;
1756 insn->save = true;
1757 continue;
1758 }
1759
1760 if (hint->type == UNWIND_HINT_TYPE_RESTORE) {
1761 insn->restore = true;
1762 continue;
1763 }
1764
1765 if (hint->type == UNWIND_HINT_TYPE_REGS_PARTIAL) {
1766 struct symbol *sym = find_symbol_by_offset(insn->sec, insn->offset);
1767
1768 if (sym && sym->bind == STB_GLOBAL) {
1769 insn->entry = 1;
1770 }
1771 }
1772
1773 if (hint->type == UNWIND_HINT_TYPE_ENTRY) {
1774 hint->type = UNWIND_HINT_TYPE_CALL;
1775 insn->entry = 1;
1776 }
1777
1778 if (hint->type == UNWIND_HINT_TYPE_FUNC) {
1779 insn->cfi = &func_cfi;
1780 continue;
1781 }
1782
1783 if (insn->cfi)
1784 cfi = *(insn->cfi);
1785
1786 if (arch_decode_hint_reg(hint->sp_reg, &cfi.cfa.base)) {
1787 WARN_FUNC("unsupported unwind_hint sp base reg %d",
1788 insn->sec, insn->offset, hint->sp_reg);
1789 return -1;
1790 }
1791
1792 cfi.cfa.offset = hint->sp_offset;
1793 cfi.type = hint->type;
1794 cfi.end = hint->end;
1795
1796 insn->cfi = cfi_hash_find_or_add(&cfi);
1797 }
1798
1799 return 0;
1800 }
1801
read_retpoline_hints(struct objtool_file * file)1802 static int read_retpoline_hints(struct objtool_file *file)
1803 {
1804 struct section *sec;
1805 struct instruction *insn;
1806 struct reloc *reloc;
1807
1808 sec = find_section_by_name(file->elf, ".rela.discard.retpoline_safe");
1809 if (!sec)
1810 return 0;
1811
1812 list_for_each_entry(reloc, &sec->reloc_list, list) {
1813 if (reloc->sym->type != STT_SECTION) {
1814 WARN("unexpected relocation symbol type in %s", sec->name);
1815 return -1;
1816 }
1817
1818 insn = find_insn(file, reloc->sym->sec, reloc->addend);
1819 if (!insn) {
1820 WARN("bad .discard.retpoline_safe entry");
1821 return -1;
1822 }
1823
1824 if (insn->type != INSN_JUMP_DYNAMIC &&
1825 insn->type != INSN_CALL_DYNAMIC &&
1826 insn->type != INSN_RETURN &&
1827 insn->type != INSN_NOP) {
1828 WARN_FUNC("retpoline_safe hint not an indirect jump/call/ret/nop",
1829 insn->sec, insn->offset);
1830 return -1;
1831 }
1832
1833 insn->retpoline_safe = true;
1834 }
1835
1836 return 0;
1837 }
1838
read_instr_hints(struct objtool_file * file)1839 static int read_instr_hints(struct objtool_file *file)
1840 {
1841 struct section *sec;
1842 struct instruction *insn;
1843 struct reloc *reloc;
1844
1845 sec = find_section_by_name(file->elf, ".rela.discard.instr_end");
1846 if (!sec)
1847 return 0;
1848
1849 list_for_each_entry(reloc, &sec->reloc_list, list) {
1850 if (reloc->sym->type != STT_SECTION) {
1851 WARN("unexpected relocation symbol type in %s", sec->name);
1852 return -1;
1853 }
1854
1855 insn = find_insn(file, reloc->sym->sec, reloc->addend);
1856 if (!insn) {
1857 WARN("bad .discard.instr_end entry");
1858 return -1;
1859 }
1860
1861 insn->instr--;
1862 }
1863
1864 sec = find_section_by_name(file->elf, ".rela.discard.instr_begin");
1865 if (!sec)
1866 return 0;
1867
1868 list_for_each_entry(reloc, &sec->reloc_list, list) {
1869 if (reloc->sym->type != STT_SECTION) {
1870 WARN("unexpected relocation symbol type in %s", sec->name);
1871 return -1;
1872 }
1873
1874 insn = find_insn(file, reloc->sym->sec, reloc->addend);
1875 if (!insn) {
1876 WARN("bad .discard.instr_begin entry");
1877 return -1;
1878 }
1879
1880 insn->instr++;
1881 }
1882
1883 return 0;
1884 }
1885
read_intra_function_calls(struct objtool_file * file)1886 static int read_intra_function_calls(struct objtool_file *file)
1887 {
1888 struct instruction *insn;
1889 struct section *sec;
1890 struct reloc *reloc;
1891
1892 sec = find_section_by_name(file->elf, ".rela.discard.intra_function_calls");
1893 if (!sec)
1894 return 0;
1895
1896 list_for_each_entry(reloc, &sec->reloc_list, list) {
1897 unsigned long dest_off;
1898
1899 if (reloc->sym->type != STT_SECTION) {
1900 WARN("unexpected relocation symbol type in %s",
1901 sec->name);
1902 return -1;
1903 }
1904
1905 insn = find_insn(file, reloc->sym->sec, reloc->addend);
1906 if (!insn) {
1907 WARN("bad .discard.intra_function_call entry");
1908 return -1;
1909 }
1910
1911 if (insn->type != INSN_CALL) {
1912 WARN_FUNC("intra_function_call not a direct call",
1913 insn->sec, insn->offset);
1914 return -1;
1915 }
1916
1917 /*
1918 * Treat intra-function CALLs as JMPs, but with a stack_op.
1919 * See add_call_destinations(), which strips stack_ops from
1920 * normal CALLs.
1921 */
1922 insn->type = INSN_JUMP_UNCONDITIONAL;
1923
1924 dest_off = insn->offset + insn->len + insn->immediate;
1925 insn->jump_dest = find_insn(file, insn->sec, dest_off);
1926 if (!insn->jump_dest) {
1927 WARN_FUNC("can't find call dest at %s+0x%lx",
1928 insn->sec, insn->offset,
1929 insn->sec->name, dest_off);
1930 return -1;
1931 }
1932 }
1933
1934 return 0;
1935 }
1936
classify_symbols(struct objtool_file * file)1937 static int classify_symbols(struct objtool_file *file)
1938 {
1939 struct section *sec;
1940 struct symbol *func;
1941
1942 for_each_sec(file, sec) {
1943 list_for_each_entry(func, &sec->symbol_list, list) {
1944 if (func->bind != STB_GLOBAL)
1945 continue;
1946
1947 if (!strncmp(func->name, STATIC_CALL_TRAMP_PREFIX_STR,
1948 strlen(STATIC_CALL_TRAMP_PREFIX_STR)))
1949 func->static_call_tramp = true;
1950
1951 if (arch_is_retpoline(func))
1952 func->retpoline_thunk = true;
1953
1954 if (arch_is_rethunk(func))
1955 func->return_thunk = true;
1956
1957 if (!strcmp(func->name, "__fentry__"))
1958 func->fentry = true;
1959
1960 if (!strncmp(func->name, "__sanitizer_cov_", 16))
1961 func->kcov = true;
1962 }
1963 }
1964
1965 return 0;
1966 }
1967
mark_rodata(struct objtool_file * file)1968 static void mark_rodata(struct objtool_file *file)
1969 {
1970 struct section *sec;
1971 bool found = false;
1972
1973 /*
1974 * Search for the following rodata sections, each of which can
1975 * potentially contain jump tables:
1976 *
1977 * - .rodata: can contain GCC switch tables
1978 * - .rodata.<func>: same, if -fdata-sections is being used
1979 * - .rodata..c_jump_table: contains C annotated jump tables
1980 *
1981 * .rodata.str1.* sections are ignored; they don't contain jump tables.
1982 */
1983 for_each_sec(file, sec) {
1984 if (!strncmp(sec->name, ".rodata", 7) &&
1985 !strstr(sec->name, ".str1.")) {
1986 sec->rodata = true;
1987 found = true;
1988 }
1989 }
1990
1991 file->rodata = found;
1992 }
1993
decode_sections(struct objtool_file * file)1994 static int decode_sections(struct objtool_file *file)
1995 {
1996 int ret;
1997
1998 mark_rodata(file);
1999
2000 ret = decode_instructions(file);
2001 if (ret)
2002 return ret;
2003
2004 ret = add_dead_ends(file);
2005 if (ret)
2006 return ret;
2007
2008 add_ignores(file);
2009 add_uaccess_safe(file);
2010
2011 ret = add_ignore_alternatives(file);
2012 if (ret)
2013 return ret;
2014
2015 /*
2016 * Must be before add_{jump_call}_destination.
2017 */
2018 ret = classify_symbols(file);
2019 if (ret)
2020 return ret;
2021
2022 /*
2023 * Must be before add_special_section_alts() as that depends on
2024 * jump_dest being set.
2025 */
2026 ret = add_jump_destinations(file);
2027 if (ret)
2028 return ret;
2029
2030 ret = add_special_section_alts(file);
2031 if (ret)
2032 return ret;
2033
2034 /*
2035 * Must be before add_call_destination(); it changes INSN_CALL to
2036 * INSN_JUMP.
2037 */
2038 ret = read_intra_function_calls(file);
2039 if (ret)
2040 return ret;
2041
2042 ret = add_call_destinations(file);
2043 if (ret)
2044 return ret;
2045
2046 ret = add_jump_table_alts(file);
2047 if (ret)
2048 return ret;
2049
2050 ret = read_unwind_hints(file);
2051 if (ret)
2052 return ret;
2053
2054 ret = read_retpoline_hints(file);
2055 if (ret)
2056 return ret;
2057
2058 ret = read_instr_hints(file);
2059 if (ret)
2060 return ret;
2061
2062 return 0;
2063 }
2064
is_fentry_call(struct instruction * insn)2065 static bool is_fentry_call(struct instruction *insn)
2066 {
2067 if (insn->type == INSN_CALL &&
2068 insn->call_dest &&
2069 insn->call_dest->fentry)
2070 return true;
2071
2072 return false;
2073 }
2074
has_modified_stack_frame(struct instruction * insn,struct insn_state * state)2075 static bool has_modified_stack_frame(struct instruction *insn, struct insn_state *state)
2076 {
2077 struct cfi_state *cfi = &state->cfi;
2078 int i;
2079
2080 if (cfi->cfa.base != initial_func_cfi.cfa.base || cfi->drap)
2081 return true;
2082
2083 if (cfi->cfa.offset != initial_func_cfi.cfa.offset)
2084 return true;
2085
2086 if (cfi->stack_size != initial_func_cfi.cfa.offset)
2087 return true;
2088
2089 for (i = 0; i < CFI_NUM_REGS; i++) {
2090 if (cfi->regs[i].base != initial_func_cfi.regs[i].base ||
2091 cfi->regs[i].offset != initial_func_cfi.regs[i].offset)
2092 return true;
2093 }
2094
2095 return false;
2096 }
2097
has_valid_stack_frame(struct insn_state * state)2098 static bool has_valid_stack_frame(struct insn_state *state)
2099 {
2100 struct cfi_state *cfi = &state->cfi;
2101
2102 if (cfi->cfa.base == CFI_BP && cfi->regs[CFI_BP].base == CFI_CFA &&
2103 cfi->regs[CFI_BP].offset == -16)
2104 return true;
2105
2106 if (cfi->drap && cfi->regs[CFI_BP].base == CFI_BP)
2107 return true;
2108
2109 return false;
2110 }
2111
update_cfi_state_regs(struct instruction * insn,struct cfi_state * cfi,struct stack_op * op)2112 static int update_cfi_state_regs(struct instruction *insn,
2113 struct cfi_state *cfi,
2114 struct stack_op *op)
2115 {
2116 struct cfi_reg *cfa = &cfi->cfa;
2117
2118 if (cfa->base != CFI_SP && cfa->base != CFI_SP_INDIRECT)
2119 return 0;
2120
2121 /* push */
2122 if (op->dest.type == OP_DEST_PUSH || op->dest.type == OP_DEST_PUSHF)
2123 cfa->offset += 8;
2124
2125 /* pop */
2126 if (op->src.type == OP_SRC_POP || op->src.type == OP_SRC_POPF)
2127 cfa->offset -= 8;
2128
2129 /* add immediate to sp */
2130 if (op->dest.type == OP_DEST_REG && op->src.type == OP_SRC_ADD &&
2131 op->dest.reg == CFI_SP && op->src.reg == CFI_SP)
2132 cfa->offset -= op->src.offset;
2133
2134 return 0;
2135 }
2136
save_reg(struct cfi_state * cfi,unsigned char reg,int base,int offset)2137 static void save_reg(struct cfi_state *cfi, unsigned char reg, int base, int offset)
2138 {
2139 if (arch_callee_saved_reg(reg) &&
2140 cfi->regs[reg].base == CFI_UNDEFINED) {
2141 cfi->regs[reg].base = base;
2142 cfi->regs[reg].offset = offset;
2143 }
2144 }
2145
restore_reg(struct cfi_state * cfi,unsigned char reg)2146 static void restore_reg(struct cfi_state *cfi, unsigned char reg)
2147 {
2148 cfi->regs[reg].base = initial_func_cfi.regs[reg].base;
2149 cfi->regs[reg].offset = initial_func_cfi.regs[reg].offset;
2150 }
2151
2152 /*
2153 * A note about DRAP stack alignment:
2154 *
2155 * GCC has the concept of a DRAP register, which is used to help keep track of
2156 * the stack pointer when aligning the stack. r10 or r13 is used as the DRAP
2157 * register. The typical DRAP pattern is:
2158 *
2159 * 4c 8d 54 24 08 lea 0x8(%rsp),%r10
2160 * 48 83 e4 c0 and $0xffffffffffffffc0,%rsp
2161 * 41 ff 72 f8 pushq -0x8(%r10)
2162 * 55 push %rbp
2163 * 48 89 e5 mov %rsp,%rbp
2164 * (more pushes)
2165 * 41 52 push %r10
2166 * ...
2167 * 41 5a pop %r10
2168 * (more pops)
2169 * 5d pop %rbp
2170 * 49 8d 62 f8 lea -0x8(%r10),%rsp
2171 * c3 retq
2172 *
2173 * There are some variations in the epilogues, like:
2174 *
2175 * 5b pop %rbx
2176 * 41 5a pop %r10
2177 * 41 5c pop %r12
2178 * 41 5d pop %r13
2179 * 41 5e pop %r14
2180 * c9 leaveq
2181 * 49 8d 62 f8 lea -0x8(%r10),%rsp
2182 * c3 retq
2183 *
2184 * and:
2185 *
2186 * 4c 8b 55 e8 mov -0x18(%rbp),%r10
2187 * 48 8b 5d e0 mov -0x20(%rbp),%rbx
2188 * 4c 8b 65 f0 mov -0x10(%rbp),%r12
2189 * 4c 8b 6d f8 mov -0x8(%rbp),%r13
2190 * c9 leaveq
2191 * 49 8d 62 f8 lea -0x8(%r10),%rsp
2192 * c3 retq
2193 *
2194 * Sometimes r13 is used as the DRAP register, in which case it's saved and
2195 * restored beforehand:
2196 *
2197 * 41 55 push %r13
2198 * 4c 8d 6c 24 10 lea 0x10(%rsp),%r13
2199 * 48 83 e4 f0 and $0xfffffffffffffff0,%rsp
2200 * ...
2201 * 49 8d 65 f0 lea -0x10(%r13),%rsp
2202 * 41 5d pop %r13
2203 * c3 retq
2204 */
update_cfi_state(struct instruction * insn,struct cfi_state * cfi,struct stack_op * op)2205 static int update_cfi_state(struct instruction *insn, struct cfi_state *cfi,
2206 struct stack_op *op)
2207 {
2208 struct cfi_reg *cfa = &cfi->cfa;
2209 struct cfi_reg *regs = cfi->regs;
2210
2211 /* stack operations don't make sense with an undefined CFA */
2212 if (cfa->base == CFI_UNDEFINED) {
2213 if (insn->func) {
2214 WARN_FUNC("undefined stack state", insn->sec, insn->offset);
2215 return -1;
2216 }
2217 return 0;
2218 }
2219
2220 if (cfi->type == UNWIND_HINT_TYPE_REGS ||
2221 cfi->type == UNWIND_HINT_TYPE_REGS_PARTIAL)
2222 return update_cfi_state_regs(insn, cfi, op);
2223
2224 switch (op->dest.type) {
2225
2226 case OP_DEST_REG:
2227 switch (op->src.type) {
2228
2229 case OP_SRC_REG:
2230 if (op->src.reg == CFI_SP && op->dest.reg == CFI_BP &&
2231 cfa->base == CFI_SP &&
2232 regs[CFI_BP].base == CFI_CFA &&
2233 regs[CFI_BP].offset == -cfa->offset) {
2234
2235 /* mov %rsp, %rbp */
2236 cfa->base = op->dest.reg;
2237 cfi->bp_scratch = false;
2238 }
2239
2240 else if (op->src.reg == CFI_SP &&
2241 op->dest.reg == CFI_BP && cfi->drap) {
2242
2243 /* drap: mov %rsp, %rbp */
2244 regs[CFI_BP].base = CFI_BP;
2245 regs[CFI_BP].offset = -cfi->stack_size;
2246 cfi->bp_scratch = false;
2247 }
2248
2249 else if (op->src.reg == CFI_SP && cfa->base == CFI_SP) {
2250
2251 /*
2252 * mov %rsp, %reg
2253 *
2254 * This is needed for the rare case where GCC
2255 * does:
2256 *
2257 * mov %rsp, %rax
2258 * ...
2259 * mov %rax, %rsp
2260 */
2261 cfi->vals[op->dest.reg].base = CFI_CFA;
2262 cfi->vals[op->dest.reg].offset = -cfi->stack_size;
2263 }
2264
2265 else if (op->src.reg == CFI_BP && op->dest.reg == CFI_SP &&
2266 cfa->base == CFI_BP) {
2267
2268 /*
2269 * mov %rbp, %rsp
2270 *
2271 * Restore the original stack pointer (Clang).
2272 */
2273 cfi->stack_size = -cfi->regs[CFI_BP].offset;
2274 }
2275
2276 else if (op->dest.reg == cfa->base) {
2277
2278 /* mov %reg, %rsp */
2279 if (cfa->base == CFI_SP &&
2280 cfi->vals[op->src.reg].base == CFI_CFA) {
2281
2282 /*
2283 * This is needed for the rare case
2284 * where GCC does something dumb like:
2285 *
2286 * lea 0x8(%rsp), %rcx
2287 * ...
2288 * mov %rcx, %rsp
2289 */
2290 cfa->offset = -cfi->vals[op->src.reg].offset;
2291 cfi->stack_size = cfa->offset;
2292
2293 } else {
2294 cfa->base = CFI_UNDEFINED;
2295 cfa->offset = 0;
2296 }
2297 }
2298
2299 break;
2300
2301 case OP_SRC_ADD:
2302 if (op->dest.reg == CFI_SP && op->src.reg == CFI_SP) {
2303
2304 /* add imm, %rsp */
2305 cfi->stack_size -= op->src.offset;
2306 if (cfa->base == CFI_SP)
2307 cfa->offset -= op->src.offset;
2308 break;
2309 }
2310
2311 if (op->dest.reg == CFI_SP && op->src.reg == CFI_BP) {
2312
2313 /* lea disp(%rbp), %rsp */
2314 cfi->stack_size = -(op->src.offset + regs[CFI_BP].offset);
2315 break;
2316 }
2317
2318 if (op->src.reg == CFI_SP && cfa->base == CFI_SP) {
2319
2320 /* drap: lea disp(%rsp), %drap */
2321 cfi->drap_reg = op->dest.reg;
2322
2323 /*
2324 * lea disp(%rsp), %reg
2325 *
2326 * This is needed for the rare case where GCC
2327 * does something dumb like:
2328 *
2329 * lea 0x8(%rsp), %rcx
2330 * ...
2331 * mov %rcx, %rsp
2332 */
2333 cfi->vals[op->dest.reg].base = CFI_CFA;
2334 cfi->vals[op->dest.reg].offset = \
2335 -cfi->stack_size + op->src.offset;
2336
2337 break;
2338 }
2339
2340 if (cfi->drap && op->dest.reg == CFI_SP &&
2341 op->src.reg == cfi->drap_reg) {
2342
2343 /* drap: lea disp(%drap), %rsp */
2344 cfa->base = CFI_SP;
2345 cfa->offset = cfi->stack_size = -op->src.offset;
2346 cfi->drap_reg = CFI_UNDEFINED;
2347 cfi->drap = false;
2348 break;
2349 }
2350
2351 if (op->dest.reg == cfi->cfa.base) {
2352 WARN_FUNC("unsupported stack register modification",
2353 insn->sec, insn->offset);
2354 return -1;
2355 }
2356
2357 break;
2358
2359 case OP_SRC_AND:
2360 if (op->dest.reg != CFI_SP ||
2361 (cfi->drap_reg != CFI_UNDEFINED && cfa->base != CFI_SP) ||
2362 (cfi->drap_reg == CFI_UNDEFINED && cfa->base != CFI_BP)) {
2363 WARN_FUNC("unsupported stack pointer realignment",
2364 insn->sec, insn->offset);
2365 return -1;
2366 }
2367
2368 if (cfi->drap_reg != CFI_UNDEFINED) {
2369 /* drap: and imm, %rsp */
2370 cfa->base = cfi->drap_reg;
2371 cfa->offset = cfi->stack_size = 0;
2372 cfi->drap = true;
2373 }
2374
2375 /*
2376 * Older versions of GCC (4.8ish) realign the stack
2377 * without DRAP, with a frame pointer.
2378 */
2379
2380 break;
2381
2382 case OP_SRC_POP:
2383 case OP_SRC_POPF:
2384 if (!cfi->drap && op->dest.reg == cfa->base) {
2385
2386 /* pop %rbp */
2387 cfa->base = CFI_SP;
2388 }
2389
2390 if (cfi->drap && cfa->base == CFI_BP_INDIRECT &&
2391 op->dest.reg == cfi->drap_reg &&
2392 cfi->drap_offset == -cfi->stack_size) {
2393
2394 /* drap: pop %drap */
2395 cfa->base = cfi->drap_reg;
2396 cfa->offset = 0;
2397 cfi->drap_offset = -1;
2398
2399 } else if (regs[op->dest.reg].offset == -cfi->stack_size) {
2400
2401 /* pop %reg */
2402 restore_reg(cfi, op->dest.reg);
2403 }
2404
2405 cfi->stack_size -= 8;
2406 if (cfa->base == CFI_SP)
2407 cfa->offset -= 8;
2408
2409 break;
2410
2411 case OP_SRC_REG_INDIRECT:
2412 if (cfi->drap && op->src.reg == CFI_BP &&
2413 op->src.offset == cfi->drap_offset) {
2414
2415 /* drap: mov disp(%rbp), %drap */
2416 cfa->base = cfi->drap_reg;
2417 cfa->offset = 0;
2418 cfi->drap_offset = -1;
2419 }
2420
2421 if (cfi->drap && op->src.reg == CFI_BP &&
2422 op->src.offset == regs[op->dest.reg].offset) {
2423
2424 /* drap: mov disp(%rbp), %reg */
2425 restore_reg(cfi, op->dest.reg);
2426
2427 } else if (op->src.reg == cfa->base &&
2428 op->src.offset == regs[op->dest.reg].offset + cfa->offset) {
2429
2430 /* mov disp(%rbp), %reg */
2431 /* mov disp(%rsp), %reg */
2432 restore_reg(cfi, op->dest.reg);
2433 }
2434
2435 break;
2436
2437 default:
2438 WARN_FUNC("unknown stack-related instruction",
2439 insn->sec, insn->offset);
2440 return -1;
2441 }
2442
2443 break;
2444
2445 case OP_DEST_PUSH:
2446 case OP_DEST_PUSHF:
2447 cfi->stack_size += 8;
2448 if (cfa->base == CFI_SP)
2449 cfa->offset += 8;
2450
2451 if (op->src.type != OP_SRC_REG)
2452 break;
2453
2454 if (cfi->drap) {
2455 if (op->src.reg == cfa->base && op->src.reg == cfi->drap_reg) {
2456
2457 /* drap: push %drap */
2458 cfa->base = CFI_BP_INDIRECT;
2459 cfa->offset = -cfi->stack_size;
2460
2461 /* save drap so we know when to restore it */
2462 cfi->drap_offset = -cfi->stack_size;
2463
2464 } else if (op->src.reg == CFI_BP && cfa->base == cfi->drap_reg) {
2465
2466 /* drap: push %rbp */
2467 cfi->stack_size = 0;
2468
2469 } else {
2470
2471 /* drap: push %reg */
2472 save_reg(cfi, op->src.reg, CFI_BP, -cfi->stack_size);
2473 }
2474
2475 } else {
2476
2477 /* push %reg */
2478 save_reg(cfi, op->src.reg, CFI_CFA, -cfi->stack_size);
2479 }
2480
2481 /* detect when asm code uses rbp as a scratch register */
2482 if (!no_fp && insn->func && op->src.reg == CFI_BP &&
2483 cfa->base != CFI_BP)
2484 cfi->bp_scratch = true;
2485 break;
2486
2487 case OP_DEST_REG_INDIRECT:
2488
2489 if (cfi->drap) {
2490 if (op->src.reg == cfa->base && op->src.reg == cfi->drap_reg) {
2491
2492 /* drap: mov %drap, disp(%rbp) */
2493 cfa->base = CFI_BP_INDIRECT;
2494 cfa->offset = op->dest.offset;
2495
2496 /* save drap offset so we know when to restore it */
2497 cfi->drap_offset = op->dest.offset;
2498 } else {
2499
2500 /* drap: mov reg, disp(%rbp) */
2501 save_reg(cfi, op->src.reg, CFI_BP, op->dest.offset);
2502 }
2503
2504 } else if (op->dest.reg == cfa->base) {
2505
2506 /* mov reg, disp(%rbp) */
2507 /* mov reg, disp(%rsp) */
2508 save_reg(cfi, op->src.reg, CFI_CFA,
2509 op->dest.offset - cfi->cfa.offset);
2510 }
2511
2512 break;
2513
2514 case OP_DEST_LEAVE:
2515 if ((!cfi->drap && cfa->base != CFI_BP) ||
2516 (cfi->drap && cfa->base != cfi->drap_reg)) {
2517 WARN_FUNC("leave instruction with modified stack frame",
2518 insn->sec, insn->offset);
2519 return -1;
2520 }
2521
2522 /* leave (mov %rbp, %rsp; pop %rbp) */
2523
2524 cfi->stack_size = -cfi->regs[CFI_BP].offset - 8;
2525 restore_reg(cfi, CFI_BP);
2526
2527 if (!cfi->drap) {
2528 cfa->base = CFI_SP;
2529 cfa->offset -= 8;
2530 }
2531
2532 break;
2533
2534 case OP_DEST_MEM:
2535 if (op->src.type != OP_SRC_POP && op->src.type != OP_SRC_POPF) {
2536 WARN_FUNC("unknown stack-related memory operation",
2537 insn->sec, insn->offset);
2538 return -1;
2539 }
2540
2541 /* pop mem */
2542 cfi->stack_size -= 8;
2543 if (cfa->base == CFI_SP)
2544 cfa->offset -= 8;
2545
2546 break;
2547
2548 default:
2549 WARN_FUNC("unknown stack-related instruction",
2550 insn->sec, insn->offset);
2551 return -1;
2552 }
2553
2554 return 0;
2555 }
2556
2557 /*
2558 * The stack layouts of alternatives instructions can sometimes diverge when
2559 * they have stack modifications. That's fine as long as the potential stack
2560 * layouts don't conflict at any given potential instruction boundary.
2561 *
2562 * Flatten the CFIs of the different alternative code streams (both original
2563 * and replacement) into a single shared CFI array which can be used to detect
2564 * conflicts and nicely feed a linear array of ORC entries to the unwinder.
2565 */
propagate_alt_cfi(struct objtool_file * file,struct instruction * insn)2566 static int propagate_alt_cfi(struct objtool_file *file, struct instruction *insn)
2567 {
2568 struct cfi_state **alt_cfi;
2569 int group_off;
2570
2571 if (!insn->alt_group)
2572 return 0;
2573
2574 if (!insn->cfi) {
2575 WARN("CFI missing");
2576 return -1;
2577 }
2578
2579 alt_cfi = insn->alt_group->cfi;
2580 group_off = insn->offset - insn->alt_group->first_insn->offset;
2581
2582 if (!alt_cfi[group_off]) {
2583 alt_cfi[group_off] = insn->cfi;
2584 } else {
2585 if (cficmp(alt_cfi[group_off], insn->cfi)) {
2586 WARN_FUNC("stack layout conflict in alternatives",
2587 insn->sec, insn->offset);
2588 return -1;
2589 }
2590 }
2591
2592 return 0;
2593 }
2594
handle_insn_ops(struct instruction * insn,struct insn_state * state)2595 static int handle_insn_ops(struct instruction *insn, struct insn_state *state)
2596 {
2597 struct stack_op *op;
2598
2599 list_for_each_entry(op, &insn->stack_ops, list) {
2600
2601 if (update_cfi_state(insn, &state->cfi, op))
2602 return 1;
2603
2604 if (op->dest.type == OP_DEST_PUSHF) {
2605 if (!state->uaccess_stack) {
2606 state->uaccess_stack = 1;
2607 } else if (state->uaccess_stack >> 31) {
2608 WARN_FUNC("PUSHF stack exhausted",
2609 insn->sec, insn->offset);
2610 return 1;
2611 }
2612 state->uaccess_stack <<= 1;
2613 state->uaccess_stack |= state->uaccess;
2614 }
2615
2616 if (op->src.type == OP_SRC_POPF) {
2617 if (state->uaccess_stack) {
2618 state->uaccess = state->uaccess_stack & 1;
2619 state->uaccess_stack >>= 1;
2620 if (state->uaccess_stack == 1)
2621 state->uaccess_stack = 0;
2622 }
2623 }
2624 }
2625
2626 return 0;
2627 }
2628
insn_cfi_match(struct instruction * insn,struct cfi_state * cfi2)2629 static bool insn_cfi_match(struct instruction *insn, struct cfi_state *cfi2)
2630 {
2631 struct cfi_state *cfi1 = insn->cfi;
2632 int i;
2633
2634 if (!cfi1) {
2635 WARN("CFI missing");
2636 return false;
2637 }
2638
2639 if (memcmp(&cfi1->cfa, &cfi2->cfa, sizeof(cfi1->cfa))) {
2640
2641 WARN_FUNC("stack state mismatch: cfa1=%d%+d cfa2=%d%+d",
2642 insn->sec, insn->offset,
2643 cfi1->cfa.base, cfi1->cfa.offset,
2644 cfi2->cfa.base, cfi2->cfa.offset);
2645
2646 } else if (memcmp(&cfi1->regs, &cfi2->regs, sizeof(cfi1->regs))) {
2647 for (i = 0; i < CFI_NUM_REGS; i++) {
2648 if (!memcmp(&cfi1->regs[i], &cfi2->regs[i],
2649 sizeof(struct cfi_reg)))
2650 continue;
2651
2652 WARN_FUNC("stack state mismatch: reg1[%d]=%d%+d reg2[%d]=%d%+d",
2653 insn->sec, insn->offset,
2654 i, cfi1->regs[i].base, cfi1->regs[i].offset,
2655 i, cfi2->regs[i].base, cfi2->regs[i].offset);
2656 break;
2657 }
2658
2659 } else if (cfi1->type != cfi2->type) {
2660
2661 WARN_FUNC("stack state mismatch: type1=%d type2=%d",
2662 insn->sec, insn->offset, cfi1->type, cfi2->type);
2663
2664 } else if (cfi1->drap != cfi2->drap ||
2665 (cfi1->drap && cfi1->drap_reg != cfi2->drap_reg) ||
2666 (cfi1->drap && cfi1->drap_offset != cfi2->drap_offset)) {
2667
2668 WARN_FUNC("stack state mismatch: drap1=%d(%d,%d) drap2=%d(%d,%d)",
2669 insn->sec, insn->offset,
2670 cfi1->drap, cfi1->drap_reg, cfi1->drap_offset,
2671 cfi2->drap, cfi2->drap_reg, cfi2->drap_offset);
2672
2673 } else
2674 return true;
2675
2676 return false;
2677 }
2678
func_uaccess_safe(struct symbol * func)2679 static inline bool func_uaccess_safe(struct symbol *func)
2680 {
2681 if (func)
2682 return func->uaccess_safe;
2683
2684 return false;
2685 }
2686
call_dest_name(struct instruction * insn)2687 static inline const char *call_dest_name(struct instruction *insn)
2688 {
2689 if (insn->call_dest)
2690 return insn->call_dest->name;
2691
2692 return "{dynamic}";
2693 }
2694
noinstr_call_dest(struct symbol * func)2695 static inline bool noinstr_call_dest(struct symbol *func)
2696 {
2697 /*
2698 * We can't deal with indirect function calls at present;
2699 * assume they're instrumented.
2700 */
2701 if (!func)
2702 return false;
2703
2704 /*
2705 * If the symbol is from a noinstr section; we good.
2706 */
2707 if (func->sec->noinstr)
2708 return true;
2709
2710 /*
2711 * The __ubsan_handle_*() calls are like WARN(), they only happen when
2712 * something 'BAD' happened. At the risk of taking the machine down,
2713 * let them proceed to get the message out.
2714 */
2715 if (!strncmp(func->name, "__ubsan_handle_", 15))
2716 return true;
2717
2718 return false;
2719 }
2720
validate_call(struct instruction * insn,struct insn_state * state)2721 static int validate_call(struct instruction *insn, struct insn_state *state)
2722 {
2723 if (state->noinstr && state->instr <= 0 &&
2724 !noinstr_call_dest(insn->call_dest)) {
2725 WARN_FUNC("call to %s() leaves .noinstr.text section",
2726 insn->sec, insn->offset, call_dest_name(insn));
2727 return 1;
2728 }
2729
2730 if (state->uaccess && !func_uaccess_safe(insn->call_dest)) {
2731 WARN_FUNC("call to %s() with UACCESS enabled",
2732 insn->sec, insn->offset, call_dest_name(insn));
2733 return 1;
2734 }
2735
2736 if (state->df) {
2737 WARN_FUNC("call to %s() with DF set",
2738 insn->sec, insn->offset, call_dest_name(insn));
2739 return 1;
2740 }
2741
2742 return 0;
2743 }
2744
validate_sibling_call(struct instruction * insn,struct insn_state * state)2745 static int validate_sibling_call(struct instruction *insn, struct insn_state *state)
2746 {
2747 if (has_modified_stack_frame(insn, state)) {
2748 WARN_FUNC("sibling call from callable instruction with modified stack frame",
2749 insn->sec, insn->offset);
2750 return 1;
2751 }
2752
2753 return validate_call(insn, state);
2754 }
2755
validate_return(struct symbol * func,struct instruction * insn,struct insn_state * state)2756 static int validate_return(struct symbol *func, struct instruction *insn, struct insn_state *state)
2757 {
2758 if (state->noinstr && state->instr > 0) {
2759 WARN_FUNC("return with instrumentation enabled",
2760 insn->sec, insn->offset);
2761 return 1;
2762 }
2763
2764 if (state->uaccess && !func_uaccess_safe(func)) {
2765 WARN_FUNC("return with UACCESS enabled",
2766 insn->sec, insn->offset);
2767 return 1;
2768 }
2769
2770 if (!state->uaccess && func_uaccess_safe(func)) {
2771 WARN_FUNC("return with UACCESS disabled from a UACCESS-safe function",
2772 insn->sec, insn->offset);
2773 return 1;
2774 }
2775
2776 if (state->df) {
2777 WARN_FUNC("return with DF set",
2778 insn->sec, insn->offset);
2779 return 1;
2780 }
2781
2782 if (func && has_modified_stack_frame(insn, state)) {
2783 WARN_FUNC("return with modified stack frame",
2784 insn->sec, insn->offset);
2785 return 1;
2786 }
2787
2788 if (state->cfi.bp_scratch) {
2789 WARN_FUNC("BP used as a scratch register",
2790 insn->sec, insn->offset);
2791 return 1;
2792 }
2793
2794 return 0;
2795 }
2796
next_insn_to_validate(struct objtool_file * file,struct instruction * insn)2797 static struct instruction *next_insn_to_validate(struct objtool_file *file,
2798 struct instruction *insn)
2799 {
2800 struct alt_group *alt_group = insn->alt_group;
2801
2802 /*
2803 * Simulate the fact that alternatives are patched in-place. When the
2804 * end of a replacement alt_group is reached, redirect objtool flow to
2805 * the end of the original alt_group.
2806 */
2807 if (alt_group && insn == alt_group->last_insn && alt_group->orig_group)
2808 return next_insn_same_sec(file, alt_group->orig_group->last_insn);
2809
2810 return next_insn_same_sec(file, insn);
2811 }
2812
2813 /*
2814 * Follow the branch starting at the given instruction, and recursively follow
2815 * any other branches (jumps). Meanwhile, track the frame pointer state at
2816 * each instruction and validate all the rules described in
2817 * tools/objtool/Documentation/stack-validation.txt.
2818 */
validate_branch(struct objtool_file * file,struct symbol * func,struct instruction * insn,struct insn_state state)2819 static int validate_branch(struct objtool_file *file, struct symbol *func,
2820 struct instruction *insn, struct insn_state state)
2821 {
2822 struct alternative *alt;
2823 struct instruction *next_insn, *prev_insn = NULL;
2824 struct section *sec;
2825 u8 visited;
2826 int ret;
2827
2828 sec = insn->sec;
2829
2830 while (1) {
2831 next_insn = next_insn_to_validate(file, insn);
2832
2833 if (file->c_file && func && insn->func && func != insn->func->pfunc) {
2834 WARN("%s() falls through to next function %s()",
2835 func->name, insn->func->name);
2836 return 1;
2837 }
2838
2839 if (func && insn->ignore) {
2840 WARN_FUNC("BUG: why am I validating an ignored function?",
2841 sec, insn->offset);
2842 return 1;
2843 }
2844
2845 visited = VISITED_BRANCH << state.uaccess;
2846 if (insn->visited & VISITED_BRANCH_MASK) {
2847 if (!insn->hint && !insn_cfi_match(insn, &state.cfi))
2848 return 1;
2849
2850 if (insn->visited & visited)
2851 return 0;
2852 } else {
2853 nr_insns_visited++;
2854 }
2855
2856 if (state.noinstr)
2857 state.instr += insn->instr;
2858
2859 if (insn->hint) {
2860 if (insn->restore) {
2861 struct instruction *save_insn, *i;
2862
2863 i = insn;
2864 save_insn = NULL;
2865
2866 sym_for_each_insn_continue_reverse(file, func, i) {
2867 if (i->save) {
2868 save_insn = i;
2869 break;
2870 }
2871 }
2872
2873 if (!save_insn) {
2874 WARN_FUNC("no corresponding CFI save for CFI restore",
2875 sec, insn->offset);
2876 return 1;
2877 }
2878
2879 if (!save_insn->visited) {
2880 WARN_FUNC("objtool isn't smart enough to handle this CFI save/restore combo",
2881 sec, insn->offset);
2882 return 1;
2883 }
2884
2885 insn->cfi = save_insn->cfi;
2886 nr_cfi_reused++;
2887 }
2888
2889 state.cfi = *insn->cfi;
2890 } else {
2891 /* XXX track if we actually changed state.cfi */
2892
2893 if (prev_insn && !cficmp(prev_insn->cfi, &state.cfi)) {
2894 insn->cfi = prev_insn->cfi;
2895 nr_cfi_reused++;
2896 } else {
2897 insn->cfi = cfi_hash_find_or_add(&state.cfi);
2898 }
2899 }
2900
2901 insn->visited |= visited;
2902
2903 if (propagate_alt_cfi(file, insn))
2904 return 1;
2905
2906 if (!insn->ignore_alts && !list_empty(&insn->alts)) {
2907 bool skip_orig = false;
2908
2909 list_for_each_entry(alt, &insn->alts, list) {
2910 if (alt->skip_orig)
2911 skip_orig = true;
2912
2913 ret = validate_branch(file, func, alt->insn, state);
2914 if (ret) {
2915 if (backtrace)
2916 BT_FUNC("(alt)", insn);
2917 return ret;
2918 }
2919 }
2920
2921 if (skip_orig)
2922 return 0;
2923 }
2924
2925 if (handle_insn_ops(insn, &state))
2926 return 1;
2927
2928 switch (insn->type) {
2929
2930 case INSN_RETURN:
2931 if (sls && !insn->retpoline_safe &&
2932 next_insn && next_insn->type != INSN_TRAP) {
2933 WARN_FUNC("missing int3 after ret",
2934 insn->sec, insn->offset);
2935 }
2936 return validate_return(func, insn, &state);
2937
2938 case INSN_CALL:
2939 case INSN_CALL_DYNAMIC:
2940 ret = validate_call(insn, &state);
2941 if (ret)
2942 return ret;
2943
2944 if (!no_fp && func && !is_fentry_call(insn) &&
2945 !has_valid_stack_frame(&state)) {
2946 WARN_FUNC("call without frame pointer save/setup",
2947 sec, insn->offset);
2948 return 1;
2949 }
2950
2951 if (dead_end_function(file, insn->call_dest))
2952 return 0;
2953
2954 break;
2955
2956 case INSN_JUMP_CONDITIONAL:
2957 case INSN_JUMP_UNCONDITIONAL:
2958 if (is_sibling_call(insn)) {
2959 ret = validate_sibling_call(insn, &state);
2960 if (ret)
2961 return ret;
2962
2963 } else if (insn->jump_dest) {
2964 ret = validate_branch(file, func,
2965 insn->jump_dest, state);
2966 if (ret) {
2967 if (backtrace)
2968 BT_FUNC("(branch)", insn);
2969 return ret;
2970 }
2971 }
2972
2973 if (insn->type == INSN_JUMP_UNCONDITIONAL)
2974 return 0;
2975
2976 break;
2977
2978 case INSN_JUMP_DYNAMIC:
2979 if (sls && !insn->retpoline_safe &&
2980 next_insn && next_insn->type != INSN_TRAP) {
2981 WARN_FUNC("missing int3 after indirect jump",
2982 insn->sec, insn->offset);
2983 }
2984
2985 /* fallthrough */
2986 case INSN_JUMP_DYNAMIC_CONDITIONAL:
2987 if (is_sibling_call(insn)) {
2988 ret = validate_sibling_call(insn, &state);
2989 if (ret)
2990 return ret;
2991 }
2992
2993 if (insn->type == INSN_JUMP_DYNAMIC)
2994 return 0;
2995
2996 break;
2997
2998 case INSN_CONTEXT_SWITCH:
2999 if (func && (!next_insn || !next_insn->hint)) {
3000 WARN_FUNC("unsupported instruction in callable function",
3001 sec, insn->offset);
3002 return 1;
3003 }
3004 return 0;
3005
3006 case INSN_STAC:
3007 if (state.uaccess) {
3008 WARN_FUNC("recursive UACCESS enable", sec, insn->offset);
3009 return 1;
3010 }
3011
3012 state.uaccess = true;
3013 break;
3014
3015 case INSN_CLAC:
3016 if (!state.uaccess && func) {
3017 WARN_FUNC("redundant UACCESS disable", sec, insn->offset);
3018 return 1;
3019 }
3020
3021 if (func_uaccess_safe(func) && !state.uaccess_stack) {
3022 WARN_FUNC("UACCESS-safe disables UACCESS", sec, insn->offset);
3023 return 1;
3024 }
3025
3026 state.uaccess = false;
3027 break;
3028
3029 case INSN_STD:
3030 if (state.df) {
3031 WARN_FUNC("recursive STD", sec, insn->offset);
3032 return 1;
3033 }
3034
3035 state.df = true;
3036 break;
3037
3038 case INSN_CLD:
3039 if (!state.df && func) {
3040 WARN_FUNC("redundant CLD", sec, insn->offset);
3041 return 1;
3042 }
3043
3044 state.df = false;
3045 break;
3046
3047 default:
3048 break;
3049 }
3050
3051 if (insn->dead_end)
3052 return 0;
3053
3054 if (!next_insn) {
3055 if (state.cfi.cfa.base == CFI_UNDEFINED)
3056 return 0;
3057 WARN("%s: unexpected end of section", sec->name);
3058 return 1;
3059 }
3060
3061 prev_insn = insn;
3062 insn = next_insn;
3063 }
3064
3065 return 0;
3066 }
3067
validate_unwind_hints(struct objtool_file * file,struct section * sec)3068 static int validate_unwind_hints(struct objtool_file *file, struct section *sec)
3069 {
3070 struct instruction *insn;
3071 struct insn_state state;
3072 int ret, warnings = 0;
3073
3074 if (!file->hints)
3075 return 0;
3076
3077 init_insn_state(&state, sec);
3078
3079 if (sec) {
3080 insn = find_insn(file, sec, 0);
3081 if (!insn)
3082 return 0;
3083 } else {
3084 insn = list_first_entry(&file->insn_list, typeof(*insn), list);
3085 }
3086
3087 while (&insn->list != &file->insn_list && (!sec || insn->sec == sec)) {
3088 if (insn->hint && !insn->visited) {
3089 ret = validate_branch(file, insn->func, insn, state);
3090 if (ret && backtrace)
3091 BT_FUNC("<=== (hint)", insn);
3092 warnings += ret;
3093 }
3094
3095 insn = list_next_entry(insn, list);
3096 }
3097
3098 return warnings;
3099 }
3100
3101 /*
3102 * Validate rethunk entry constraint: must untrain RET before the first RET.
3103 *
3104 * Follow every branch (intra-function) and ensure ANNOTATE_UNRET_END comes
3105 * before an actual RET instruction.
3106 */
validate_entry(struct objtool_file * file,struct instruction * insn)3107 static int validate_entry(struct objtool_file *file, struct instruction *insn)
3108 {
3109 struct instruction *next, *dest;
3110 int ret, warnings = 0;
3111
3112 for (;;) {
3113 next = next_insn_to_validate(file, insn);
3114
3115 if (insn->visited & VISITED_ENTRY)
3116 return 0;
3117
3118 insn->visited |= VISITED_ENTRY;
3119
3120 if (!insn->ignore_alts && !list_empty(&insn->alts)) {
3121 struct alternative *alt;
3122 bool skip_orig = false;
3123
3124 list_for_each_entry(alt, &insn->alts, list) {
3125 if (alt->skip_orig)
3126 skip_orig = true;
3127
3128 ret = validate_entry(file, alt->insn);
3129 if (ret) {
3130 if (backtrace)
3131 BT_FUNC("(alt)", insn);
3132 return ret;
3133 }
3134 }
3135
3136 if (skip_orig)
3137 return 0;
3138 }
3139
3140 switch (insn->type) {
3141
3142 case INSN_CALL_DYNAMIC:
3143 case INSN_JUMP_DYNAMIC:
3144 case INSN_JUMP_DYNAMIC_CONDITIONAL:
3145 WARN_FUNC("early indirect call", insn->sec, insn->offset);
3146 return 1;
3147
3148 case INSN_JUMP_UNCONDITIONAL:
3149 case INSN_JUMP_CONDITIONAL:
3150 if (!is_sibling_call(insn)) {
3151 if (!insn->jump_dest) {
3152 WARN_FUNC("unresolved jump target after linking?!?",
3153 insn->sec, insn->offset);
3154 return -1;
3155 }
3156 ret = validate_entry(file, insn->jump_dest);
3157 if (ret) {
3158 if (backtrace) {
3159 BT_FUNC("(branch%s)", insn,
3160 insn->type == INSN_JUMP_CONDITIONAL ? "-cond" : "");
3161 }
3162 return ret;
3163 }
3164
3165 if (insn->type == INSN_JUMP_UNCONDITIONAL)
3166 return 0;
3167
3168 break;
3169 }
3170
3171 /* fallthrough */
3172 case INSN_CALL:
3173 dest = find_insn(file, insn->call_dest->sec,
3174 insn->call_dest->offset);
3175 if (!dest) {
3176 WARN("Unresolved function after linking!?: %s",
3177 insn->call_dest->name);
3178 return -1;
3179 }
3180
3181 ret = validate_entry(file, dest);
3182 if (ret) {
3183 if (backtrace)
3184 BT_FUNC("(call)", insn);
3185 return ret;
3186 }
3187 /*
3188 * If a call returns without error, it must have seen UNTRAIN_RET.
3189 * Therefore any non-error return is a success.
3190 */
3191 return 0;
3192
3193 case INSN_RETURN:
3194 WARN_FUNC("RET before UNTRAIN", insn->sec, insn->offset);
3195 return 1;
3196
3197 case INSN_NOP:
3198 if (insn->retpoline_safe)
3199 return 0;
3200 break;
3201
3202 default:
3203 break;
3204 }
3205
3206 if (!next) {
3207 WARN_FUNC("teh end!", insn->sec, insn->offset);
3208 return -1;
3209 }
3210 insn = next;
3211 }
3212
3213 return warnings;
3214 }
3215
3216 /*
3217 * Validate that all branches starting at 'insn->entry' encounter UNRET_END
3218 * before RET.
3219 */
validate_unret(struct objtool_file * file)3220 static int validate_unret(struct objtool_file *file)
3221 {
3222 struct instruction *insn;
3223 int ret, warnings = 0;
3224
3225 for_each_insn(file, insn) {
3226 if (!insn->entry)
3227 continue;
3228
3229 ret = validate_entry(file, insn);
3230 if (ret < 0) {
3231 WARN_FUNC("Failed UNRET validation", insn->sec, insn->offset);
3232 return ret;
3233 }
3234 warnings += ret;
3235 }
3236
3237 return warnings;
3238 }
3239
validate_retpoline(struct objtool_file * file)3240 static int validate_retpoline(struct objtool_file *file)
3241 {
3242 struct instruction *insn;
3243 int warnings = 0;
3244
3245 for_each_insn(file, insn) {
3246 if (insn->type != INSN_JUMP_DYNAMIC &&
3247 insn->type != INSN_CALL_DYNAMIC &&
3248 insn->type != INSN_RETURN)
3249 continue;
3250
3251 if (insn->retpoline_safe)
3252 continue;
3253
3254 /*
3255 * .init.text code is ran before userspace and thus doesn't
3256 * strictly need retpolines, except for modules which are
3257 * loaded late, they very much do need retpoline in their
3258 * .init.text
3259 */
3260 if (!strcmp(insn->sec->name, ".init.text") && !module)
3261 continue;
3262
3263 if (insn->type == INSN_RETURN) {
3264 if (rethunk) {
3265 WARN_FUNC("'naked' return found in RETHUNK build",
3266 insn->sec, insn->offset);
3267 } else
3268 continue;
3269 } else {
3270 WARN_FUNC("indirect %s found in RETPOLINE build",
3271 insn->sec, insn->offset,
3272 insn->type == INSN_JUMP_DYNAMIC ? "jump" : "call");
3273 }
3274
3275 warnings++;
3276 }
3277
3278 return warnings;
3279 }
3280
is_kasan_insn(struct instruction * insn)3281 static bool is_kasan_insn(struct instruction *insn)
3282 {
3283 return (insn->type == INSN_CALL &&
3284 !strcmp(insn->call_dest->name, "__asan_handle_no_return"));
3285 }
3286
is_ubsan_insn(struct instruction * insn)3287 static bool is_ubsan_insn(struct instruction *insn)
3288 {
3289 return (insn->type == INSN_CALL &&
3290 !strcmp(insn->call_dest->name,
3291 "__ubsan_handle_builtin_unreachable"));
3292 }
3293
ignore_unreachable_insn(struct objtool_file * file,struct instruction * insn)3294 static bool ignore_unreachable_insn(struct objtool_file *file, struct instruction *insn)
3295 {
3296 int i;
3297 struct instruction *prev_insn;
3298
3299 if (insn->ignore || insn->type == INSN_NOP || insn->type == INSN_TRAP)
3300 return true;
3301
3302 /*
3303 * Ignore any unused exceptions. This can happen when a whitelisted
3304 * function has an exception table entry.
3305 *
3306 * Also ignore alternative replacement instructions. This can happen
3307 * when a whitelisted function uses one of the ALTERNATIVE macros.
3308 */
3309 if (!strcmp(insn->sec->name, ".fixup") ||
3310 !strcmp(insn->sec->name, ".altinstr_replacement") ||
3311 !strcmp(insn->sec->name, ".altinstr_aux"))
3312 return true;
3313
3314 if (!insn->func)
3315 return false;
3316
3317 /*
3318 * CONFIG_UBSAN_TRAP inserts a UD2 when it sees
3319 * __builtin_unreachable(). The BUG() macro has an unreachable() after
3320 * the UD2, which causes GCC's undefined trap logic to emit another UD2
3321 * (or occasionally a JMP to UD2).
3322 *
3323 * It may also insert a UD2 after calling a __noreturn function.
3324 */
3325 prev_insn = list_prev_entry(insn, list);
3326 if ((prev_insn->dead_end || dead_end_function(file, prev_insn->call_dest)) &&
3327 (insn->type == INSN_BUG ||
3328 (insn->type == INSN_JUMP_UNCONDITIONAL &&
3329 insn->jump_dest && insn->jump_dest->type == INSN_BUG)))
3330 return true;
3331
3332 /*
3333 * Check if this (or a subsequent) instruction is related to
3334 * CONFIG_UBSAN or CONFIG_KASAN.
3335 *
3336 * End the search at 5 instructions to avoid going into the weeds.
3337 */
3338 for (i = 0; i < 5; i++) {
3339
3340 if (is_kasan_insn(insn) || is_ubsan_insn(insn))
3341 return true;
3342
3343 if (insn->type == INSN_JUMP_UNCONDITIONAL) {
3344 if (insn->jump_dest &&
3345 insn->jump_dest->func == insn->func) {
3346 insn = insn->jump_dest;
3347 continue;
3348 }
3349
3350 break;
3351 }
3352
3353 if (insn->offset + insn->len >= insn->func->offset + insn->func->len)
3354 break;
3355
3356 insn = list_next_entry(insn, list);
3357 }
3358
3359 return false;
3360 }
3361
validate_symbol(struct objtool_file * file,struct section * sec,struct symbol * sym,struct insn_state * state)3362 static int validate_symbol(struct objtool_file *file, struct section *sec,
3363 struct symbol *sym, struct insn_state *state)
3364 {
3365 struct instruction *insn;
3366 int ret;
3367
3368 if (!sym->len) {
3369 WARN("%s() is missing an ELF size annotation", sym->name);
3370 return 1;
3371 }
3372
3373 if (sym->pfunc != sym || sym->alias != sym)
3374 return 0;
3375
3376 insn = find_insn(file, sec, sym->offset);
3377 if (!insn || insn->ignore || insn->visited)
3378 return 0;
3379
3380 state->uaccess = sym->uaccess_safe;
3381
3382 ret = validate_branch(file, insn->func, insn, *state);
3383 if (ret && backtrace)
3384 BT_FUNC("<=== (sym)", insn);
3385 return ret;
3386 }
3387
validate_section(struct objtool_file * file,struct section * sec)3388 static int validate_section(struct objtool_file *file, struct section *sec)
3389 {
3390 struct insn_state state;
3391 struct symbol *func;
3392 int warnings = 0;
3393
3394 list_for_each_entry(func, &sec->symbol_list, list) {
3395 if (func->type != STT_FUNC)
3396 continue;
3397
3398 init_insn_state(&state, sec);
3399 set_func_state(&state.cfi);
3400
3401 warnings += validate_symbol(file, sec, func, &state);
3402 }
3403
3404 return warnings;
3405 }
3406
validate_vmlinux_functions(struct objtool_file * file)3407 static int validate_vmlinux_functions(struct objtool_file *file)
3408 {
3409 struct section *sec;
3410 int warnings = 0;
3411
3412 sec = find_section_by_name(file->elf, ".noinstr.text");
3413 if (sec) {
3414 warnings += validate_section(file, sec);
3415 warnings += validate_unwind_hints(file, sec);
3416 }
3417
3418 sec = find_section_by_name(file->elf, ".entry.text");
3419 if (sec) {
3420 warnings += validate_section(file, sec);
3421 warnings += validate_unwind_hints(file, sec);
3422 }
3423
3424 return warnings;
3425 }
3426
validate_functions(struct objtool_file * file)3427 static int validate_functions(struct objtool_file *file)
3428 {
3429 struct section *sec;
3430 int warnings = 0;
3431
3432 for_each_sec(file, sec) {
3433 if (!(sec->sh.sh_flags & SHF_EXECINSTR))
3434 continue;
3435
3436 warnings += validate_section(file, sec);
3437 }
3438
3439 return warnings;
3440 }
3441
validate_reachable_instructions(struct objtool_file * file)3442 static int validate_reachable_instructions(struct objtool_file *file)
3443 {
3444 struct instruction *insn;
3445
3446 if (file->ignore_unreachables)
3447 return 0;
3448
3449 for_each_insn(file, insn) {
3450 if (insn->visited || ignore_unreachable_insn(file, insn))
3451 continue;
3452
3453 WARN_FUNC("unreachable instruction", insn->sec, insn->offset);
3454 return 1;
3455 }
3456
3457 return 0;
3458 }
3459
check(struct objtool_file * file)3460 int check(struct objtool_file *file)
3461 {
3462 int ret, warnings = 0;
3463
3464 arch_initial_func_cfi_state(&initial_func_cfi);
3465 init_cfi_state(&init_cfi);
3466 init_cfi_state(&func_cfi);
3467 set_func_state(&func_cfi);
3468
3469 if (!cfi_hash_alloc())
3470 goto out;
3471
3472 cfi_hash_add(&init_cfi);
3473 cfi_hash_add(&func_cfi);
3474
3475 ret = decode_sections(file);
3476 if (ret < 0)
3477 goto out;
3478
3479 warnings += ret;
3480
3481 if (list_empty(&file->insn_list))
3482 goto out;
3483
3484 if (vmlinux && !validate_dup) {
3485 ret = validate_vmlinux_functions(file);
3486 if (ret < 0)
3487 goto out;
3488
3489 warnings += ret;
3490 goto out;
3491 }
3492
3493 if (retpoline) {
3494 ret = validate_retpoline(file);
3495 if (ret < 0)
3496 return ret;
3497 warnings += ret;
3498 }
3499
3500 ret = validate_functions(file);
3501 if (ret < 0)
3502 goto out;
3503 warnings += ret;
3504
3505 ret = validate_unwind_hints(file, NULL);
3506 if (ret < 0)
3507 goto out;
3508 warnings += ret;
3509
3510 if (unret) {
3511 /*
3512 * Must be after validate_branch() and friends, it plays
3513 * further games with insn->visited.
3514 */
3515 ret = validate_unret(file);
3516 if (ret < 0)
3517 return ret;
3518 warnings += ret;
3519 }
3520
3521 if (!warnings) {
3522 ret = validate_reachable_instructions(file);
3523 if (ret < 0)
3524 goto out;
3525 warnings += ret;
3526 }
3527
3528 ret = create_static_call_sections(file);
3529 if (ret < 0)
3530 goto out;
3531 warnings += ret;
3532
3533 if (retpoline) {
3534 ret = create_retpoline_sites_sections(file);
3535 if (ret < 0)
3536 goto out;
3537 warnings += ret;
3538 }
3539
3540 if (rethunk) {
3541 ret = create_return_sites_sections(file);
3542 if (ret < 0)
3543 goto out;
3544 warnings += ret;
3545 }
3546
3547 if (stats) {
3548 printf("nr_insns_visited: %ld\n", nr_insns_visited);
3549 printf("nr_cfi: %ld\n", nr_cfi);
3550 printf("nr_cfi_reused: %ld\n", nr_cfi_reused);
3551 printf("nr_cfi_cache: %ld\n", nr_cfi_cache);
3552 }
3553
3554 out:
3555 /*
3556 * For now, don't fail the kernel build on fatal warnings. These
3557 * errors are still fairly common due to the growing matrix of
3558 * supported toolchains and their recent pace of change.
3559 */
3560 return 0;
3561 }
3562