1 // SPDX-License-Identifier: GPL-2.0-or-later
3 * Copyright (C) 2015-2017 Josh Poimboeuf <jpoimboe@redhat.com>
16 #include <linux/hashtable.h>
17 #include <linux/kernel.h>
19 #define FAKE_JUMP_OFFSET -1
21 #define C_JUMP_TABLE_SECTION ".rodata..c_jump_table"
24 struct list_head list;
25 struct instruction *insn;
30 struct cfi_init_state initial_func_cfi;
32 struct instruction *find_insn(struct objtool_file *file,
33 struct section *sec, unsigned long offset)
35 struct instruction *insn;
37 hash_for_each_possible(file->insn_hash, insn, hash, sec_offset_hash(sec, offset)) {
38 if (insn->sec == sec && insn->offset == offset)
45 static struct instruction *next_insn_same_sec(struct objtool_file *file,
46 struct instruction *insn)
48 struct instruction *next = list_next_entry(insn, list);
50 if (!next || &next->list == &file->insn_list || next->sec != insn->sec)
56 static struct instruction *next_insn_same_func(struct objtool_file *file,
57 struct instruction *insn)
59 struct instruction *next = list_next_entry(insn, list);
60 struct symbol *func = insn->func;
65 if (&next->list != &file->insn_list && next->func == func)
68 /* Check if we're already in the subfunction: */
69 if (func == func->cfunc)
72 /* Move to the subfunction: */
73 return find_insn(file, func->cfunc->sec, func->cfunc->offset);
76 #define func_for_each_insn(file, func, insn) \
77 for (insn = find_insn(file, func->sec, func->offset); \
79 insn = next_insn_same_func(file, insn))
81 #define sym_for_each_insn(file, sym, insn) \
82 for (insn = find_insn(file, sym->sec, sym->offset); \
83 insn && &insn->list != &file->insn_list && \
84 insn->sec == sym->sec && \
85 insn->offset < sym->offset + sym->len; \
86 insn = list_next_entry(insn, list))
88 #define sym_for_each_insn_continue_reverse(file, sym, insn) \
89 for (insn = list_prev_entry(insn, list); \
90 &insn->list != &file->insn_list && \
91 insn->sec == sym->sec && insn->offset >= sym->offset; \
92 insn = list_prev_entry(insn, list))
94 #define sec_for_each_insn_from(file, insn) \
95 for (; insn; insn = next_insn_same_sec(file, insn))
97 #define sec_for_each_insn_continue(file, insn) \
98 for (insn = next_insn_same_sec(file, insn); insn; \
99 insn = next_insn_same_sec(file, insn))
101 static bool is_static_jump(struct instruction *insn)
103 return insn->type == INSN_JUMP_CONDITIONAL ||
104 insn->type == INSN_JUMP_UNCONDITIONAL;
107 static bool is_sibling_call(struct instruction *insn)
109 /* An indirect jump is either a sibling call or a jump to a table. */
110 if (insn->type == INSN_JUMP_DYNAMIC)
111 return list_empty(&insn->alts);
113 if (!is_static_jump(insn))
116 /* add_jump_destinations() sets insn->call_dest for sibling calls. */
117 return !!insn->call_dest;
121 * This checks to see if the given function is a "noreturn" function.
123 * For global functions which are outside the scope of this object file, we
124 * have to keep a manual list of them.
126 * For local functions, we have to detect them manually by simply looking for
127 * the lack of a return instruction.
129 static bool __dead_end_function(struct objtool_file *file, struct symbol *func,
133 struct instruction *insn;
137 * Unfortunately these have to be hard coded because the noreturn
138 * attribute isn't provided in ELF data.
140 static const char * const global_noreturns[] = {
145 "__module_put_and_exit",
151 "machine_real_restart",
152 "rewind_stack_do_exit",
153 "kunit_try_catch_throw",
159 if (func->bind == STB_WEAK)
162 if (func->bind == STB_GLOBAL)
163 for (i = 0; i < ARRAY_SIZE(global_noreturns); i++)
164 if (!strcmp(func->name, global_noreturns[i]))
170 insn = find_insn(file, func->sec, func->offset);
174 func_for_each_insn(file, func, insn) {
177 if (insn->type == INSN_RETURN)
185 * A function can have a sibling call instead of a return. In that
186 * case, the function's dead-end status depends on whether the target
187 * of the sibling call returns.
189 func_for_each_insn(file, func, insn) {
190 if (is_sibling_call(insn)) {
191 struct instruction *dest = insn->jump_dest;
194 /* sibling call to another file */
197 /* local sibling call */
198 if (recursion == 5) {
200 * Infinite recursion: two functions have
201 * sibling calls to each other. This is a very
202 * rare case. It means they aren't dead ends.
207 return __dead_end_function(file, dest->func, recursion+1);
214 static bool dead_end_function(struct objtool_file *file, struct symbol *func)
216 return __dead_end_function(file, func, 0);
219 static void init_cfi_state(struct cfi_state *cfi)
223 for (i = 0; i < CFI_NUM_REGS; i++) {
224 cfi->regs[i].base = CFI_UNDEFINED;
225 cfi->vals[i].base = CFI_UNDEFINED;
227 cfi->cfa.base = CFI_UNDEFINED;
228 cfi->drap_reg = CFI_UNDEFINED;
229 cfi->drap_offset = -1;
232 static void clear_insn_state(struct insn_state *state)
234 memset(state, 0, sizeof(*state));
235 init_cfi_state(&state->cfi);
239 * Call the arch-specific instruction decoder for all the instructions and add
240 * them to the global instruction list.
242 static int decode_instructions(struct objtool_file *file)
246 unsigned long offset;
247 struct instruction *insn;
248 unsigned long nr_insns = 0;
251 for_each_sec(file, sec) {
253 if (!(sec->sh.sh_flags & SHF_EXECINSTR))
256 if (strcmp(sec->name, ".altinstr_replacement") &&
257 strcmp(sec->name, ".altinstr_aux") &&
258 strncmp(sec->name, ".discard.", 9))
261 if (!strcmp(sec->name, ".noinstr.text"))
264 for (offset = 0; offset < sec->len; offset += insn->len) {
265 insn = malloc(sizeof(*insn));
267 WARN("malloc failed");
270 memset(insn, 0, sizeof(*insn));
271 INIT_LIST_HEAD(&insn->alts);
272 INIT_LIST_HEAD(&insn->stack_ops);
273 init_cfi_state(&insn->cfi);
276 insn->offset = offset;
278 ret = arch_decode_instruction(file->elf, sec, offset,
280 &insn->len, &insn->type,
286 hash_add(file->insn_hash, &insn->hash, sec_offset_hash(sec, insn->offset));
287 list_add_tail(&insn->list, &file->insn_list);
291 list_for_each_entry(func, &sec->symbol_list, list) {
292 if (func->type != STT_FUNC || func->alias != func)
295 if (!find_insn(file, sec, func->offset)) {
296 WARN("%s(): can't find starting instruction",
301 sym_for_each_insn(file, func, insn)
307 printf("nr_insns: %lu\n", nr_insns);
317 * Mark "ud2" instructions and manually annotated dead ends.
319 static int add_dead_ends(struct objtool_file *file)
323 struct instruction *insn;
327 * By default, "ud2" is a dead end unless otherwise annotated, because
328 * GCC 7 inserts it for certain divide-by-zero cases.
330 for_each_insn(file, insn)
331 if (insn->type == INSN_BUG)
332 insn->dead_end = true;
335 * Check for manually annotated dead ends.
337 sec = find_section_by_name(file->elf, ".rela.discard.unreachable");
341 list_for_each_entry(rela, &sec->rela_list, list) {
342 if (rela->sym->type != STT_SECTION) {
343 WARN("unexpected relocation symbol type in %s", sec->name);
346 insn = find_insn(file, rela->sym->sec, rela->addend);
348 insn = list_prev_entry(insn, list);
349 else if (rela->addend == rela->sym->sec->len) {
351 list_for_each_entry_reverse(insn, &file->insn_list, list) {
352 if (insn->sec == rela->sym->sec) {
359 WARN("can't find unreachable insn at %s+0x%x",
360 rela->sym->sec->name, rela->addend);
364 WARN("can't find unreachable insn at %s+0x%x",
365 rela->sym->sec->name, rela->addend);
369 insn->dead_end = true;
374 * These manually annotated reachable checks are needed for GCC 4.4,
375 * where the Linux unreachable() macro isn't supported. In that case
376 * GCC doesn't know the "ud2" is fatal, so it generates code as if it's
379 sec = find_section_by_name(file->elf, ".rela.discard.reachable");
383 list_for_each_entry(rela, &sec->rela_list, list) {
384 if (rela->sym->type != STT_SECTION) {
385 WARN("unexpected relocation symbol type in %s", sec->name);
388 insn = find_insn(file, rela->sym->sec, rela->addend);
390 insn = list_prev_entry(insn, list);
391 else if (rela->addend == rela->sym->sec->len) {
393 list_for_each_entry_reverse(insn, &file->insn_list, list) {
394 if (insn->sec == rela->sym->sec) {
401 WARN("can't find reachable insn at %s+0x%x",
402 rela->sym->sec->name, rela->addend);
406 WARN("can't find reachable insn at %s+0x%x",
407 rela->sym->sec->name, rela->addend);
411 insn->dead_end = false;
418 * Warnings shouldn't be reported for ignored functions.
420 static void add_ignores(struct objtool_file *file)
422 struct instruction *insn;
427 sec = find_section_by_name(file->elf, ".rela.discard.func_stack_frame_non_standard");
431 list_for_each_entry(rela, &sec->rela_list, list) {
432 switch (rela->sym->type) {
438 func = find_func_by_offset(rela->sym->sec, rela->addend);
444 WARN("unexpected relocation symbol type in %s: %d", sec->name, rela->sym->type);
448 func_for_each_insn(file, func, insn)
454 * This is a whitelist of functions that is allowed to be called with AC set.
455 * The list is meant to be minimal and only contains compiler instrumentation
456 * ABI and a few functions used to implement *_{to,from}_user() functions.
458 * These functions must not directly change AC, but may PUSHF/POPF.
460 static const char *uaccess_safe_builtin[] = {
463 "check_memory_region",
464 /* KASAN out-of-line */
465 "__asan_loadN_noabort",
466 "__asan_load1_noabort",
467 "__asan_load2_noabort",
468 "__asan_load4_noabort",
469 "__asan_load8_noabort",
470 "__asan_load16_noabort",
471 "__asan_storeN_noabort",
472 "__asan_store1_noabort",
473 "__asan_store2_noabort",
474 "__asan_store4_noabort",
475 "__asan_store8_noabort",
476 "__asan_store16_noabort",
478 "__asan_report_load_n_noabort",
479 "__asan_report_load1_noabort",
480 "__asan_report_load2_noabort",
481 "__asan_report_load4_noabort",
482 "__asan_report_load8_noabort",
483 "__asan_report_load16_noabort",
484 "__asan_report_store_n_noabort",
485 "__asan_report_store1_noabort",
486 "__asan_report_store2_noabort",
487 "__asan_report_store4_noabort",
488 "__asan_report_store8_noabort",
489 "__asan_report_store16_noabort",
492 "__sanitizer_cov_trace_pc",
493 "__sanitizer_cov_trace_const_cmp1",
494 "__sanitizer_cov_trace_const_cmp2",
495 "__sanitizer_cov_trace_const_cmp4",
496 "__sanitizer_cov_trace_const_cmp8",
497 "__sanitizer_cov_trace_cmp1",
498 "__sanitizer_cov_trace_cmp2",
499 "__sanitizer_cov_trace_cmp4",
500 "__sanitizer_cov_trace_cmp8",
501 "__sanitizer_cov_trace_switch",
503 "ubsan_type_mismatch_common",
504 "__ubsan_handle_type_mismatch",
505 "__ubsan_handle_type_mismatch_v1",
506 "__ubsan_handle_shift_out_of_bounds",
508 "csum_partial_copy_generic",
510 "mcsafe_handle_tail",
511 "ftrace_likely_update", /* CONFIG_TRACE_BRANCH_PROFILING */
515 static void add_uaccess_safe(struct objtool_file *file)
523 for (name = uaccess_safe_builtin; *name; name++) {
524 func = find_symbol_by_name(file->elf, *name);
528 func->uaccess_safe = true;
533 * FIXME: For now, just ignore any alternatives which add retpolines. This is
534 * a temporary hack, as it doesn't allow ORC to unwind from inside a retpoline.
535 * But it at least allows objtool to understand the control flow *around* the
538 static int add_ignore_alternatives(struct objtool_file *file)
542 struct instruction *insn;
544 sec = find_section_by_name(file->elf, ".rela.discard.ignore_alts");
548 list_for_each_entry(rela, &sec->rela_list, list) {
549 if (rela->sym->type != STT_SECTION) {
550 WARN("unexpected relocation symbol type in %s", sec->name);
554 insn = find_insn(file, rela->sym->sec, rela->addend);
556 WARN("bad .discard.ignore_alts entry");
560 insn->ignore_alts = true;
567 * Find the destination instructions for all jumps.
569 static int add_jump_destinations(struct objtool_file *file)
571 struct instruction *insn;
573 struct section *dest_sec;
574 unsigned long dest_off;
576 for_each_insn(file, insn) {
577 if (!is_static_jump(insn))
580 if (insn->ignore || insn->offset == FAKE_JUMP_OFFSET)
583 rela = find_rela_by_dest_range(file->elf, insn->sec,
584 insn->offset, insn->len);
586 dest_sec = insn->sec;
587 dest_off = arch_jump_destination(insn);
588 } else if (rela->sym->type == STT_SECTION) {
589 dest_sec = rela->sym->sec;
590 dest_off = arch_dest_rela_offset(rela->addend);
591 } else if (rela->sym->sec->idx) {
592 dest_sec = rela->sym->sec;
593 dest_off = rela->sym->sym.st_value +
594 arch_dest_rela_offset(rela->addend);
595 } else if (strstr(rela->sym->name, "_indirect_thunk_")) {
597 * Retpoline jumps are really dynamic jumps in
598 * disguise, so convert them accordingly.
600 if (insn->type == INSN_JUMP_UNCONDITIONAL)
601 insn->type = INSN_JUMP_DYNAMIC;
603 insn->type = INSN_JUMP_DYNAMIC_CONDITIONAL;
605 insn->retpoline_safe = true;
608 /* external sibling call */
609 insn->call_dest = rela->sym;
613 insn->jump_dest = find_insn(file, dest_sec, dest_off);
614 if (!insn->jump_dest) {
617 * This is a special case where an alt instruction
618 * jumps past the end of the section. These are
619 * handled later in handle_group_alt().
621 if (!strcmp(insn->sec->name, ".altinstr_replacement"))
624 WARN_FUNC("can't find jump dest instruction at %s+0x%lx",
625 insn->sec, insn->offset, dest_sec->name,
631 * Cross-function jump.
633 if (insn->func && insn->jump_dest->func &&
634 insn->func != insn->jump_dest->func) {
637 * For GCC 8+, create parent/child links for any cold
638 * subfunctions. This is _mostly_ redundant with a
639 * similar initialization in read_symbols().
641 * If a function has aliases, we want the *first* such
642 * function in the symbol table to be the subfunction's
643 * parent. In that case we overwrite the
644 * initialization done in read_symbols().
646 * However this code can't completely replace the
647 * read_symbols() code because this doesn't detect the
648 * case where the parent function's only reference to a
649 * subfunction is through a jump table.
651 if (!strstr(insn->func->name, ".cold.") &&
652 strstr(insn->jump_dest->func->name, ".cold.")) {
653 insn->func->cfunc = insn->jump_dest->func;
654 insn->jump_dest->func->pfunc = insn->func;
656 } else if (insn->jump_dest->func->pfunc != insn->func->pfunc &&
657 insn->jump_dest->offset == insn->jump_dest->func->offset) {
659 /* internal sibling call */
660 insn->call_dest = insn->jump_dest->func;
669 * Find the destination instructions for all calls.
671 static int add_call_destinations(struct objtool_file *file)
673 struct instruction *insn;
674 unsigned long dest_off;
677 for_each_insn(file, insn) {
678 if (insn->type != INSN_CALL)
681 rela = find_rela_by_dest_range(file->elf, insn->sec,
682 insn->offset, insn->len);
684 dest_off = arch_jump_destination(insn);
685 insn->call_dest = find_func_by_offset(insn->sec, dest_off);
686 if (!insn->call_dest)
687 insn->call_dest = find_symbol_by_offset(insn->sec, dest_off);
692 if (!insn->call_dest) {
693 WARN_FUNC("unsupported intra-function call",
694 insn->sec, insn->offset);
696 WARN("If this is a retpoline, please patch it in with alternatives and annotate it with ANNOTATE_NOSPEC_ALTERNATIVE.");
700 if (insn->func && insn->call_dest->type != STT_FUNC) {
701 WARN_FUNC("unsupported call to non-function",
702 insn->sec, insn->offset);
706 } else if (rela->sym->type == STT_SECTION) {
707 dest_off = arch_dest_rela_offset(rela->addend);
708 insn->call_dest = find_func_by_offset(rela->sym->sec,
710 if (!insn->call_dest) {
711 WARN_FUNC("can't find call dest symbol at %s+0x%lx",
712 insn->sec, insn->offset,
713 rela->sym->sec->name,
718 insn->call_dest = rela->sym;
725 * The .alternatives section requires some extra special care, over and above
726 * what other special sections require:
728 * 1. Because alternatives are patched in-place, we need to insert a fake jump
729 * instruction at the end so that validate_branch() skips all the original
730 * replaced instructions when validating the new instruction path.
732 * 2. An added wrinkle is that the new instruction length might be zero. In
733 * that case the old instructions are replaced with noops. We simulate that
734 * by creating a fake jump as the only new instruction.
736 * 3. In some cases, the alternative section includes an instruction which
737 * conditionally jumps to the _end_ of the entry. We have to modify these
738 * jumps' destinations to point back to .text rather than the end of the
739 * entry in .altinstr_replacement.
741 static int handle_group_alt(struct objtool_file *file,
742 struct special_alt *special_alt,
743 struct instruction *orig_insn,
744 struct instruction **new_insn)
746 struct instruction *last_orig_insn, *last_new_insn, *insn, *fake_jump = NULL;
747 unsigned long dest_off;
749 last_orig_insn = NULL;
751 sec_for_each_insn_from(file, insn) {
752 if (insn->offset >= special_alt->orig_off + special_alt->orig_len)
755 insn->alt_group = true;
756 last_orig_insn = insn;
759 if (next_insn_same_sec(file, last_orig_insn)) {
760 fake_jump = malloc(sizeof(*fake_jump));
762 WARN("malloc failed");
765 memset(fake_jump, 0, sizeof(*fake_jump));
766 INIT_LIST_HEAD(&fake_jump->alts);
767 INIT_LIST_HEAD(&fake_jump->stack_ops);
768 init_cfi_state(&fake_jump->cfi);
770 fake_jump->sec = special_alt->new_sec;
771 fake_jump->offset = FAKE_JUMP_OFFSET;
772 fake_jump->type = INSN_JUMP_UNCONDITIONAL;
773 fake_jump->jump_dest = list_next_entry(last_orig_insn, list);
774 fake_jump->func = orig_insn->func;
777 if (!special_alt->new_len) {
779 WARN("%s: empty alternative at end of section",
780 special_alt->orig_sec->name);
784 *new_insn = fake_jump;
788 last_new_insn = NULL;
790 sec_for_each_insn_from(file, insn) {
791 if (insn->offset >= special_alt->new_off + special_alt->new_len)
794 last_new_insn = insn;
796 insn->ignore = orig_insn->ignore_alts;
797 insn->func = orig_insn->func;
800 * Since alternative replacement code is copy/pasted by the
801 * kernel after applying relocations, generally such code can't
802 * have relative-address relocation references to outside the
803 * .altinstr_replacement section, unless the arch's
804 * alternatives code can adjust the relative offsets
807 * The x86 alternatives code adjusts the offsets only when it
808 * encounters a branch instruction at the very beginning of the
811 if ((insn->offset != special_alt->new_off ||
812 (insn->type != INSN_CALL && !is_static_jump(insn))) &&
813 find_rela_by_dest_range(file->elf, insn->sec, insn->offset, insn->len)) {
815 WARN_FUNC("unsupported relocation in alternatives section",
816 insn->sec, insn->offset);
820 if (!is_static_jump(insn))
823 if (!insn->immediate)
826 dest_off = arch_jump_destination(insn);
827 if (dest_off == special_alt->new_off + special_alt->new_len) {
829 WARN("%s: alternative jump to end of section",
830 special_alt->orig_sec->name);
833 insn->jump_dest = fake_jump;
836 if (!insn->jump_dest) {
837 WARN_FUNC("can't find alternative jump destination",
838 insn->sec, insn->offset);
843 if (!last_new_insn) {
844 WARN_FUNC("can't find last new alternative instruction",
845 special_alt->new_sec, special_alt->new_off);
850 list_add(&fake_jump->list, &last_new_insn->list);
856 * A jump table entry can either convert a nop to a jump or a jump to a nop.
857 * If the original instruction is a jump, make the alt entry an effective nop
858 * by just skipping the original instruction.
860 static int handle_jump_alt(struct objtool_file *file,
861 struct special_alt *special_alt,
862 struct instruction *orig_insn,
863 struct instruction **new_insn)
865 if (orig_insn->type == INSN_NOP)
868 if (orig_insn->type != INSN_JUMP_UNCONDITIONAL) {
869 WARN_FUNC("unsupported instruction at jump label",
870 orig_insn->sec, orig_insn->offset);
874 *new_insn = list_next_entry(orig_insn, list);
879 * Read all the special sections which have alternate instructions which can be
880 * patched in or redirected to at runtime. Each instruction having alternate
881 * instruction(s) has them added to its insn->alts list, which will be
882 * traversed in validate_branch().
884 static int add_special_section_alts(struct objtool_file *file)
886 struct list_head special_alts;
887 struct instruction *orig_insn, *new_insn;
888 struct special_alt *special_alt, *tmp;
889 struct alternative *alt;
892 ret = special_get_alts(file->elf, &special_alts);
896 list_for_each_entry_safe(special_alt, tmp, &special_alts, list) {
898 orig_insn = find_insn(file, special_alt->orig_sec,
899 special_alt->orig_off);
901 WARN_FUNC("special: can't find orig instruction",
902 special_alt->orig_sec, special_alt->orig_off);
908 if (!special_alt->group || special_alt->new_len) {
909 new_insn = find_insn(file, special_alt->new_sec,
910 special_alt->new_off);
912 WARN_FUNC("special: can't find new instruction",
913 special_alt->new_sec,
914 special_alt->new_off);
920 if (special_alt->group) {
921 if (!special_alt->orig_len) {
922 WARN_FUNC("empty alternative entry",
923 orig_insn->sec, orig_insn->offset);
927 ret = handle_group_alt(file, special_alt, orig_insn,
931 } else if (special_alt->jump_or_nop) {
932 ret = handle_jump_alt(file, special_alt, orig_insn,
938 alt = malloc(sizeof(*alt));
940 WARN("malloc failed");
945 alt->insn = new_insn;
946 alt->skip_orig = special_alt->skip_orig;
947 orig_insn->ignore_alts |= special_alt->skip_alt;
948 list_add_tail(&alt->list, &orig_insn->alts);
950 list_del(&special_alt->list);
958 static int add_jump_table(struct objtool_file *file, struct instruction *insn,
961 struct rela *rela = table;
962 struct instruction *dest_insn;
963 struct alternative *alt;
964 struct symbol *pfunc = insn->func->pfunc;
965 unsigned int prev_offset = 0;
968 * Each @rela is a switch table relocation which points to the target
971 list_for_each_entry_from(rela, &table->sec->rela_list, list) {
973 /* Check for the end of the table: */
974 if (rela != table && rela->jump_table_start)
977 /* Make sure the table entries are consecutive: */
978 if (prev_offset && rela->offset != prev_offset + 8)
981 /* Detect function pointers from contiguous objects: */
982 if (rela->sym->sec == pfunc->sec &&
983 rela->addend == pfunc->offset)
986 dest_insn = find_insn(file, rela->sym->sec, rela->addend);
990 /* Make sure the destination is in the same function: */
991 if (!dest_insn->func || dest_insn->func->pfunc != pfunc)
994 alt = malloc(sizeof(*alt));
996 WARN("malloc failed");
1000 alt->insn = dest_insn;
1001 list_add_tail(&alt->list, &insn->alts);
1002 prev_offset = rela->offset;
1006 WARN_FUNC("can't find switch jump table",
1007 insn->sec, insn->offset);
1015 * find_jump_table() - Given a dynamic jump, find the switch jump table in
1016 * .rodata associated with it.
1018 * There are 3 basic patterns:
1020 * 1. jmpq *[rodata addr](,%reg,8)
1022 * This is the most common case by far. It jumps to an address in a simple
1023 * jump table which is stored in .rodata.
1025 * 2. jmpq *[rodata addr](%rip)
1027 * This is caused by a rare GCC quirk, currently only seen in three driver
1028 * functions in the kernel, only with certain obscure non-distro configs.
1030 * As part of an optimization, GCC makes a copy of an existing switch jump
1031 * table, modifies it, and then hard-codes the jump (albeit with an indirect
1032 * jump) to use a single entry in the table. The rest of the jump table and
1033 * some of its jump targets remain as dead code.
1035 * In such a case we can just crudely ignore all unreachable instruction
1036 * warnings for the entire object file. Ideally we would just ignore them
1037 * for the function, but that would require redesigning the code quite a
1038 * bit. And honestly that's just not worth doing: unreachable instruction
1039 * warnings are of questionable value anyway, and this is such a rare issue.
1041 * 3. mov [rodata addr],%reg1
1042 * ... some instructions ...
1043 * jmpq *(%reg1,%reg2,8)
1045 * This is a fairly uncommon pattern which is new for GCC 6. As of this
1046 * writing, there are 11 occurrences of it in the allmodconfig kernel.
1048 * As of GCC 7 there are quite a few more of these and the 'in between' code
1049 * is significant. Esp. with KASAN enabled some of the code between the mov
1050 * and jmpq uses .rodata itself, which can confuse things.
1052 * TODO: Once we have DWARF CFI and smarter instruction decoding logic,
1053 * ensure the same register is used in the mov and jump instructions.
1055 * NOTE: RETPOLINE made it harder still to decode dynamic jumps.
1057 static struct rela *find_jump_table(struct objtool_file *file,
1058 struct symbol *func,
1059 struct instruction *insn)
1061 struct rela *text_rela, *table_rela;
1062 struct instruction *dest_insn, *orig_insn = insn;
1063 struct section *table_sec;
1064 unsigned long table_offset;
1067 * Backward search using the @first_jump_src links, these help avoid
1068 * much of the 'in between' code. Which avoids us getting confused by
1072 &insn->list != &file->insn_list && insn->func && insn->func->pfunc == func;
1073 insn = insn->first_jump_src ?: list_prev_entry(insn, list)) {
1075 if (insn != orig_insn && insn->type == INSN_JUMP_DYNAMIC)
1078 /* allow small jumps within the range */
1079 if (insn->type == INSN_JUMP_UNCONDITIONAL &&
1081 (insn->jump_dest->offset <= insn->offset ||
1082 insn->jump_dest->offset > orig_insn->offset))
1085 /* look for a relocation which references .rodata */
1086 text_rela = find_rela_by_dest_range(file->elf, insn->sec,
1087 insn->offset, insn->len);
1088 if (!text_rela || text_rela->sym->type != STT_SECTION ||
1089 !text_rela->sym->sec->rodata)
1092 table_offset = text_rela->addend;
1093 table_sec = text_rela->sym->sec;
1095 if (text_rela->type == R_X86_64_PC32)
1099 * Make sure the .rodata address isn't associated with a
1100 * symbol. GCC jump tables are anonymous data.
1102 * Also support C jump tables which are in the same format as
1103 * switch jump tables. For objtool to recognize them, they
1104 * need to be placed in the C_JUMP_TABLE_SECTION section. They
1105 * have symbols associated with them.
1107 if (find_symbol_containing(table_sec, table_offset) &&
1108 strcmp(table_sec->name, C_JUMP_TABLE_SECTION))
1112 * Each table entry has a rela associated with it. The rela
1113 * should reference text in the same function as the original
1116 table_rela = find_rela_by_dest(file->elf, table_sec, table_offset);
1119 dest_insn = find_insn(file, table_rela->sym->sec, table_rela->addend);
1120 if (!dest_insn || !dest_insn->func || dest_insn->func->pfunc != func)
1124 * Use of RIP-relative switch jumps is quite rare, and
1125 * indicates a rare GCC quirk/bug which can leave dead code
1128 if (text_rela->type == R_X86_64_PC32)
1129 file->ignore_unreachables = true;
1138 * First pass: Mark the head of each jump table so that in the next pass,
1139 * we know when a given jump table ends and the next one starts.
1141 static void mark_func_jump_tables(struct objtool_file *file,
1142 struct symbol *func)
1144 struct instruction *insn, *last = NULL;
1147 func_for_each_insn(file, func, insn) {
1152 * Store back-pointers for unconditional forward jumps such
1153 * that find_jump_table() can back-track using those and
1154 * avoid some potentially confusing code.
1156 if (insn->type == INSN_JUMP_UNCONDITIONAL && insn->jump_dest &&
1157 insn->offset > last->offset &&
1158 insn->jump_dest->offset > insn->offset &&
1159 !insn->jump_dest->first_jump_src) {
1161 insn->jump_dest->first_jump_src = insn;
1162 last = insn->jump_dest;
1165 if (insn->type != INSN_JUMP_DYNAMIC)
1168 rela = find_jump_table(file, func, insn);
1170 rela->jump_table_start = true;
1171 insn->jump_table = rela;
1176 static int add_func_jump_tables(struct objtool_file *file,
1177 struct symbol *func)
1179 struct instruction *insn;
1182 func_for_each_insn(file, func, insn) {
1183 if (!insn->jump_table)
1186 ret = add_jump_table(file, insn, insn->jump_table);
1195 * For some switch statements, gcc generates a jump table in the .rodata
1196 * section which contains a list of addresses within the function to jump to.
1197 * This finds these jump tables and adds them to the insn->alts lists.
1199 static int add_jump_table_alts(struct objtool_file *file)
1201 struct section *sec;
1202 struct symbol *func;
1208 for_each_sec(file, sec) {
1209 list_for_each_entry(func, &sec->symbol_list, list) {
1210 if (func->type != STT_FUNC)
1213 mark_func_jump_tables(file, func);
1214 ret = add_func_jump_tables(file, func);
1223 static int read_unwind_hints(struct objtool_file *file)
1225 struct section *sec, *relasec;
1227 struct unwind_hint *hint;
1228 struct instruction *insn;
1229 struct cfi_reg *cfa;
1232 sec = find_section_by_name(file->elf, ".discard.unwind_hints");
1236 relasec = sec->rela;
1238 WARN("missing .rela.discard.unwind_hints section");
1242 if (sec->len % sizeof(struct unwind_hint)) {
1243 WARN("struct unwind_hint size mismatch");
1249 for (i = 0; i < sec->len / sizeof(struct unwind_hint); i++) {
1250 hint = (struct unwind_hint *)sec->data->d_buf + i;
1252 rela = find_rela_by_dest(file->elf, sec, i * sizeof(*hint));
1254 WARN("can't find rela for unwind_hints[%d]", i);
1258 insn = find_insn(file, rela->sym->sec, rela->addend);
1260 WARN("can't find insn for unwind_hints[%d]", i);
1264 cfa = &insn->cfi.cfa;
1266 if (hint->type == UNWIND_HINT_TYPE_RET_OFFSET) {
1267 insn->ret_offset = hint->sp_offset;
1273 switch (hint->sp_reg) {
1274 case ORC_REG_UNDEFINED:
1275 cfa->base = CFI_UNDEFINED;
1283 case ORC_REG_SP_INDIRECT:
1284 cfa->base = CFI_SP_INDIRECT;
1287 cfa->base = CFI_R10;
1290 cfa->base = CFI_R13;
1299 WARN_FUNC("unsupported unwind_hint sp base reg %d",
1300 insn->sec, insn->offset, hint->sp_reg);
1304 cfa->offset = hint->sp_offset;
1305 insn->cfi.type = hint->type;
1306 insn->cfi.end = hint->end;
1312 static int read_retpoline_hints(struct objtool_file *file)
1314 struct section *sec;
1315 struct instruction *insn;
1318 sec = find_section_by_name(file->elf, ".rela.discard.retpoline_safe");
1322 list_for_each_entry(rela, &sec->rela_list, list) {
1323 if (rela->sym->type != STT_SECTION) {
1324 WARN("unexpected relocation symbol type in %s", sec->name);
1328 insn = find_insn(file, rela->sym->sec, rela->addend);
1330 WARN("bad .discard.retpoline_safe entry");
1334 if (insn->type != INSN_JUMP_DYNAMIC &&
1335 insn->type != INSN_CALL_DYNAMIC) {
1336 WARN_FUNC("retpoline_safe hint not an indirect jump/call",
1337 insn->sec, insn->offset);
1341 insn->retpoline_safe = true;
1347 static int read_instr_hints(struct objtool_file *file)
1349 struct section *sec;
1350 struct instruction *insn;
1353 sec = find_section_by_name(file->elf, ".rela.discard.instr_end");
1357 list_for_each_entry(rela, &sec->rela_list, list) {
1358 if (rela->sym->type != STT_SECTION) {
1359 WARN("unexpected relocation symbol type in %s", sec->name);
1363 insn = find_insn(file, rela->sym->sec, rela->addend);
1365 WARN("bad .discard.instr_end entry");
1372 sec = find_section_by_name(file->elf, ".rela.discard.instr_begin");
1376 list_for_each_entry(rela, &sec->rela_list, list) {
1377 if (rela->sym->type != STT_SECTION) {
1378 WARN("unexpected relocation symbol type in %s", sec->name);
1382 insn = find_insn(file, rela->sym->sec, rela->addend);
1384 WARN("bad .discard.instr_begin entry");
1394 static void mark_rodata(struct objtool_file *file)
1396 struct section *sec;
1400 * Search for the following rodata sections, each of which can
1401 * potentially contain jump tables:
1403 * - .rodata: can contain GCC switch tables
1404 * - .rodata.<func>: same, if -fdata-sections is being used
1405 * - .rodata..c_jump_table: contains C annotated jump tables
1407 * .rodata.str1.* sections are ignored; they don't contain jump tables.
1409 for_each_sec(file, sec) {
1410 if (!strncmp(sec->name, ".rodata", 7) &&
1411 !strstr(sec->name, ".str1.")) {
1417 file->rodata = found;
1420 static int decode_sections(struct objtool_file *file)
1426 ret = decode_instructions(file);
1430 ret = add_dead_ends(file);
1435 add_uaccess_safe(file);
1437 ret = add_ignore_alternatives(file);
1441 ret = add_jump_destinations(file);
1445 ret = add_special_section_alts(file);
1449 ret = add_call_destinations(file);
1453 ret = add_jump_table_alts(file);
1457 ret = read_unwind_hints(file);
1461 ret = read_retpoline_hints(file);
1465 ret = read_instr_hints(file);
1472 static bool is_fentry_call(struct instruction *insn)
1474 if (insn->type == INSN_CALL &&
1475 insn->call_dest->type == STT_NOTYPE &&
1476 !strcmp(insn->call_dest->name, "__fentry__"))
1482 static bool has_modified_stack_frame(struct instruction *insn, struct insn_state *state)
1484 u8 ret_offset = insn->ret_offset;
1485 struct cfi_state *cfi = &state->cfi;
1488 if (cfi->cfa.base != initial_func_cfi.cfa.base || cfi->drap)
1491 if (cfi->cfa.offset != initial_func_cfi.cfa.offset + ret_offset)
1494 if (cfi->stack_size != initial_func_cfi.cfa.offset + ret_offset)
1497 for (i = 0; i < CFI_NUM_REGS; i++) {
1498 if (cfi->regs[i].base != initial_func_cfi.regs[i].base ||
1499 cfi->regs[i].offset != initial_func_cfi.regs[i].offset)
1506 static bool has_valid_stack_frame(struct insn_state *state)
1508 struct cfi_state *cfi = &state->cfi;
1510 if (cfi->cfa.base == CFI_BP && cfi->regs[CFI_BP].base == CFI_CFA &&
1511 cfi->regs[CFI_BP].offset == -16)
1514 if (cfi->drap && cfi->regs[CFI_BP].base == CFI_BP)
1520 static int update_cfi_state_regs(struct instruction *insn,
1521 struct cfi_state *cfi,
1522 struct stack_op *op)
1524 struct cfi_reg *cfa = &cfi->cfa;
1526 if (cfa->base != CFI_SP)
1530 if (op->dest.type == OP_DEST_PUSH || op->dest.type == OP_DEST_PUSHF)
1534 if (op->src.type == OP_SRC_POP || op->src.type == OP_SRC_POPF)
1537 /* add immediate to sp */
1538 if (op->dest.type == OP_DEST_REG && op->src.type == OP_SRC_ADD &&
1539 op->dest.reg == CFI_SP && op->src.reg == CFI_SP)
1540 cfa->offset -= op->src.offset;
1545 static void save_reg(struct cfi_state *cfi, unsigned char reg, int base, int offset)
1547 if (arch_callee_saved_reg(reg) &&
1548 cfi->regs[reg].base == CFI_UNDEFINED) {
1549 cfi->regs[reg].base = base;
1550 cfi->regs[reg].offset = offset;
1554 static void restore_reg(struct cfi_state *cfi, unsigned char reg)
1556 cfi->regs[reg].base = initial_func_cfi.regs[reg].base;
1557 cfi->regs[reg].offset = initial_func_cfi.regs[reg].offset;
1561 * A note about DRAP stack alignment:
1563 * GCC has the concept of a DRAP register, which is used to help keep track of
1564 * the stack pointer when aligning the stack. r10 or r13 is used as the DRAP
1565 * register. The typical DRAP pattern is:
1567 * 4c 8d 54 24 08 lea 0x8(%rsp),%r10
1568 * 48 83 e4 c0 and $0xffffffffffffffc0,%rsp
1569 * 41 ff 72 f8 pushq -0x8(%r10)
1571 * 48 89 e5 mov %rsp,%rbp
1578 * 49 8d 62 f8 lea -0x8(%r10),%rsp
1581 * There are some variations in the epilogues, like:
1589 * 49 8d 62 f8 lea -0x8(%r10),%rsp
1594 * 4c 8b 55 e8 mov -0x18(%rbp),%r10
1595 * 48 8b 5d e0 mov -0x20(%rbp),%rbx
1596 * 4c 8b 65 f0 mov -0x10(%rbp),%r12
1597 * 4c 8b 6d f8 mov -0x8(%rbp),%r13
1599 * 49 8d 62 f8 lea -0x8(%r10),%rsp
1602 * Sometimes r13 is used as the DRAP register, in which case it's saved and
1603 * restored beforehand:
1606 * 4c 8d 6c 24 10 lea 0x10(%rsp),%r13
1607 * 48 83 e4 f0 and $0xfffffffffffffff0,%rsp
1609 * 49 8d 65 f0 lea -0x10(%r13),%rsp
1613 static int update_cfi_state(struct instruction *insn, struct cfi_state *cfi,
1614 struct stack_op *op)
1616 struct cfi_reg *cfa = &cfi->cfa;
1617 struct cfi_reg *regs = cfi->regs;
1619 /* stack operations don't make sense with an undefined CFA */
1620 if (cfa->base == CFI_UNDEFINED) {
1622 WARN_FUNC("undefined stack state", insn->sec, insn->offset);
1628 if (cfi->type == ORC_TYPE_REGS || cfi->type == ORC_TYPE_REGS_IRET)
1629 return update_cfi_state_regs(insn, cfi, op);
1631 switch (op->dest.type) {
1634 switch (op->src.type) {
1637 if (op->src.reg == CFI_SP && op->dest.reg == CFI_BP &&
1638 cfa->base == CFI_SP &&
1639 regs[CFI_BP].base == CFI_CFA &&
1640 regs[CFI_BP].offset == -cfa->offset) {
1642 /* mov %rsp, %rbp */
1643 cfa->base = op->dest.reg;
1644 cfi->bp_scratch = false;
1647 else if (op->src.reg == CFI_SP &&
1648 op->dest.reg == CFI_BP && cfi->drap) {
1650 /* drap: mov %rsp, %rbp */
1651 regs[CFI_BP].base = CFI_BP;
1652 regs[CFI_BP].offset = -cfi->stack_size;
1653 cfi->bp_scratch = false;
1656 else if (op->src.reg == CFI_SP && cfa->base == CFI_SP) {
1661 * This is needed for the rare case where GCC
1668 cfi->vals[op->dest.reg].base = CFI_CFA;
1669 cfi->vals[op->dest.reg].offset = -cfi->stack_size;
1672 else if (op->src.reg == CFI_BP && op->dest.reg == CFI_SP &&
1673 cfa->base == CFI_BP) {
1678 * Restore the original stack pointer (Clang).
1680 cfi->stack_size = -cfi->regs[CFI_BP].offset;
1683 else if (op->dest.reg == cfa->base) {
1685 /* mov %reg, %rsp */
1686 if (cfa->base == CFI_SP &&
1687 cfi->vals[op->src.reg].base == CFI_CFA) {
1690 * This is needed for the rare case
1691 * where GCC does something dumb like:
1693 * lea 0x8(%rsp), %rcx
1697 cfa->offset = -cfi->vals[op->src.reg].offset;
1698 cfi->stack_size = cfa->offset;
1701 cfa->base = CFI_UNDEFINED;
1709 if (op->dest.reg == CFI_SP && op->src.reg == CFI_SP) {
1712 cfi->stack_size -= op->src.offset;
1713 if (cfa->base == CFI_SP)
1714 cfa->offset -= op->src.offset;
1718 if (op->dest.reg == CFI_SP && op->src.reg == CFI_BP) {
1720 /* lea disp(%rbp), %rsp */
1721 cfi->stack_size = -(op->src.offset + regs[CFI_BP].offset);
1725 if (op->src.reg == CFI_SP && cfa->base == CFI_SP) {
1727 /* drap: lea disp(%rsp), %drap */
1728 cfi->drap_reg = op->dest.reg;
1731 * lea disp(%rsp), %reg
1733 * This is needed for the rare case where GCC
1734 * does something dumb like:
1736 * lea 0x8(%rsp), %rcx
1740 cfi->vals[op->dest.reg].base = CFI_CFA;
1741 cfi->vals[op->dest.reg].offset = \
1742 -cfi->stack_size + op->src.offset;
1747 if (cfi->drap && op->dest.reg == CFI_SP &&
1748 op->src.reg == cfi->drap_reg) {
1750 /* drap: lea disp(%drap), %rsp */
1752 cfa->offset = cfi->stack_size = -op->src.offset;
1753 cfi->drap_reg = CFI_UNDEFINED;
1758 if (op->dest.reg == cfi->cfa.base) {
1759 WARN_FUNC("unsupported stack register modification",
1760 insn->sec, insn->offset);
1767 if (op->dest.reg != CFI_SP ||
1768 (cfi->drap_reg != CFI_UNDEFINED && cfa->base != CFI_SP) ||
1769 (cfi->drap_reg == CFI_UNDEFINED && cfa->base != CFI_BP)) {
1770 WARN_FUNC("unsupported stack pointer realignment",
1771 insn->sec, insn->offset);
1775 if (cfi->drap_reg != CFI_UNDEFINED) {
1776 /* drap: and imm, %rsp */
1777 cfa->base = cfi->drap_reg;
1778 cfa->offset = cfi->stack_size = 0;
1783 * Older versions of GCC (4.8ish) realign the stack
1784 * without DRAP, with a frame pointer.
1791 if (!cfi->drap && op->dest.reg == cfa->base) {
1797 if (cfi->drap && cfa->base == CFI_BP_INDIRECT &&
1798 op->dest.reg == cfi->drap_reg &&
1799 cfi->drap_offset == -cfi->stack_size) {
1801 /* drap: pop %drap */
1802 cfa->base = cfi->drap_reg;
1804 cfi->drap_offset = -1;
1806 } else if (regs[op->dest.reg].offset == -cfi->stack_size) {
1809 restore_reg(cfi, op->dest.reg);
1812 cfi->stack_size -= 8;
1813 if (cfa->base == CFI_SP)
1818 case OP_SRC_REG_INDIRECT:
1819 if (cfi->drap && op->src.reg == CFI_BP &&
1820 op->src.offset == cfi->drap_offset) {
1822 /* drap: mov disp(%rbp), %drap */
1823 cfa->base = cfi->drap_reg;
1825 cfi->drap_offset = -1;
1828 if (cfi->drap && op->src.reg == CFI_BP &&
1829 op->src.offset == regs[op->dest.reg].offset) {
1831 /* drap: mov disp(%rbp), %reg */
1832 restore_reg(cfi, op->dest.reg);
1834 } else if (op->src.reg == cfa->base &&
1835 op->src.offset == regs[op->dest.reg].offset + cfa->offset) {
1837 /* mov disp(%rbp), %reg */
1838 /* mov disp(%rsp), %reg */
1839 restore_reg(cfi, op->dest.reg);
1845 WARN_FUNC("unknown stack-related instruction",
1846 insn->sec, insn->offset);
1854 cfi->stack_size += 8;
1855 if (cfa->base == CFI_SP)
1858 if (op->src.type != OP_SRC_REG)
1862 if (op->src.reg == cfa->base && op->src.reg == cfi->drap_reg) {
1864 /* drap: push %drap */
1865 cfa->base = CFI_BP_INDIRECT;
1866 cfa->offset = -cfi->stack_size;
1868 /* save drap so we know when to restore it */
1869 cfi->drap_offset = -cfi->stack_size;
1871 } else if (op->src.reg == CFI_BP && cfa->base == cfi->drap_reg) {
1873 /* drap: push %rbp */
1874 cfi->stack_size = 0;
1876 } else if (regs[op->src.reg].base == CFI_UNDEFINED) {
1878 /* drap: push %reg */
1879 save_reg(cfi, op->src.reg, CFI_BP, -cfi->stack_size);
1885 save_reg(cfi, op->src.reg, CFI_CFA, -cfi->stack_size);
1888 /* detect when asm code uses rbp as a scratch register */
1889 if (!no_fp && insn->func && op->src.reg == CFI_BP &&
1890 cfa->base != CFI_BP)
1891 cfi->bp_scratch = true;
1894 case OP_DEST_REG_INDIRECT:
1897 if (op->src.reg == cfa->base && op->src.reg == cfi->drap_reg) {
1899 /* drap: mov %drap, disp(%rbp) */
1900 cfa->base = CFI_BP_INDIRECT;
1901 cfa->offset = op->dest.offset;
1903 /* save drap offset so we know when to restore it */
1904 cfi->drap_offset = op->dest.offset;
1907 else if (regs[op->src.reg].base == CFI_UNDEFINED) {
1909 /* drap: mov reg, disp(%rbp) */
1910 save_reg(cfi, op->src.reg, CFI_BP, op->dest.offset);
1913 } else if (op->dest.reg == cfa->base) {
1915 /* mov reg, disp(%rbp) */
1916 /* mov reg, disp(%rsp) */
1917 save_reg(cfi, op->src.reg, CFI_CFA,
1918 op->dest.offset - cfi->cfa.offset);
1924 if ((!cfi->drap && cfa->base != CFI_BP) ||
1925 (cfi->drap && cfa->base != cfi->drap_reg)) {
1926 WARN_FUNC("leave instruction with modified stack frame",
1927 insn->sec, insn->offset);
1931 /* leave (mov %rbp, %rsp; pop %rbp) */
1933 cfi->stack_size = -cfi->regs[CFI_BP].offset - 8;
1934 restore_reg(cfi, CFI_BP);
1944 if (op->src.type != OP_SRC_POP && op->src.type != OP_SRC_POPF) {
1945 WARN_FUNC("unknown stack-related memory operation",
1946 insn->sec, insn->offset);
1951 cfi->stack_size -= 8;
1952 if (cfa->base == CFI_SP)
1958 WARN_FUNC("unknown stack-related instruction",
1959 insn->sec, insn->offset);
1966 static int handle_insn_ops(struct instruction *insn, struct insn_state *state)
1968 struct stack_op *op;
1970 list_for_each_entry(op, &insn->stack_ops, list) {
1973 res = update_cfi_state(insn, &state->cfi, op);
1977 if (op->dest.type == OP_DEST_PUSHF) {
1978 if (!state->uaccess_stack) {
1979 state->uaccess_stack = 1;
1980 } else if (state->uaccess_stack >> 31) {
1981 WARN_FUNC("PUSHF stack exhausted",
1982 insn->sec, insn->offset);
1985 state->uaccess_stack <<= 1;
1986 state->uaccess_stack |= state->uaccess;
1989 if (op->src.type == OP_SRC_POPF) {
1990 if (state->uaccess_stack) {
1991 state->uaccess = state->uaccess_stack & 1;
1992 state->uaccess_stack >>= 1;
1993 if (state->uaccess_stack == 1)
1994 state->uaccess_stack = 0;
2002 static bool insn_cfi_match(struct instruction *insn, struct cfi_state *cfi2)
2004 struct cfi_state *cfi1 = &insn->cfi;
2007 if (memcmp(&cfi1->cfa, &cfi2->cfa, sizeof(cfi1->cfa))) {
2009 WARN_FUNC("stack state mismatch: cfa1=%d%+d cfa2=%d%+d",
2010 insn->sec, insn->offset,
2011 cfi1->cfa.base, cfi1->cfa.offset,
2012 cfi2->cfa.base, cfi2->cfa.offset);
2014 } else if (memcmp(&cfi1->regs, &cfi2->regs, sizeof(cfi1->regs))) {
2015 for (i = 0; i < CFI_NUM_REGS; i++) {
2016 if (!memcmp(&cfi1->regs[i], &cfi2->regs[i],
2017 sizeof(struct cfi_reg)))
2020 WARN_FUNC("stack state mismatch: reg1[%d]=%d%+d reg2[%d]=%d%+d",
2021 insn->sec, insn->offset,
2022 i, cfi1->regs[i].base, cfi1->regs[i].offset,
2023 i, cfi2->regs[i].base, cfi2->regs[i].offset);
2027 } else if (cfi1->type != cfi2->type) {
2029 WARN_FUNC("stack state mismatch: type1=%d type2=%d",
2030 insn->sec, insn->offset, cfi1->type, cfi2->type);
2032 } else if (cfi1->drap != cfi2->drap ||
2033 (cfi1->drap && cfi1->drap_reg != cfi2->drap_reg) ||
2034 (cfi1->drap && cfi1->drap_offset != cfi2->drap_offset)) {
2036 WARN_FUNC("stack state mismatch: drap1=%d(%d,%d) drap2=%d(%d,%d)",
2037 insn->sec, insn->offset,
2038 cfi1->drap, cfi1->drap_reg, cfi1->drap_offset,
2039 cfi2->drap, cfi2->drap_reg, cfi2->drap_offset);
2047 static inline bool func_uaccess_safe(struct symbol *func)
2050 return func->uaccess_safe;
2055 static inline const char *call_dest_name(struct instruction *insn)
2057 if (insn->call_dest)
2058 return insn->call_dest->name;
2063 static int validate_call(struct instruction *insn, struct insn_state *state)
2065 if (state->noinstr && state->instr <= 0 &&
2066 (!insn->call_dest || insn->call_dest->sec != insn->sec)) {
2067 WARN_FUNC("call to %s() leaves .noinstr.text section",
2068 insn->sec, insn->offset, call_dest_name(insn));
2072 if (state->uaccess && !func_uaccess_safe(insn->call_dest)) {
2073 WARN_FUNC("call to %s() with UACCESS enabled",
2074 insn->sec, insn->offset, call_dest_name(insn));
2079 WARN_FUNC("call to %s() with DF set",
2080 insn->sec, insn->offset, call_dest_name(insn));
2087 static int validate_sibling_call(struct instruction *insn, struct insn_state *state)
2089 if (has_modified_stack_frame(insn, state)) {
2090 WARN_FUNC("sibling call from callable instruction with modified stack frame",
2091 insn->sec, insn->offset);
2095 return validate_call(insn, state);
2098 static int validate_return(struct symbol *func, struct instruction *insn, struct insn_state *state)
2100 if (state->noinstr && state->instr > 0) {
2101 WARN_FUNC("return with instrumentation enabled",
2102 insn->sec, insn->offset);
2106 if (state->uaccess && !func_uaccess_safe(func)) {
2107 WARN_FUNC("return with UACCESS enabled",
2108 insn->sec, insn->offset);
2112 if (!state->uaccess && func_uaccess_safe(func)) {
2113 WARN_FUNC("return with UACCESS disabled from a UACCESS-safe function",
2114 insn->sec, insn->offset);
2119 WARN_FUNC("return with DF set",
2120 insn->sec, insn->offset);
2124 if (func && has_modified_stack_frame(insn, state)) {
2125 WARN_FUNC("return with modified stack frame",
2126 insn->sec, insn->offset);
2130 if (state->cfi.bp_scratch) {
2131 WARN_FUNC("BP used as a scratch register",
2132 insn->sec, insn->offset);
2140 * Follow the branch starting at the given instruction, and recursively follow
2141 * any other branches (jumps). Meanwhile, track the frame pointer state at
2142 * each instruction and validate all the rules described in
2143 * tools/objtool/Documentation/stack-validation.txt.
2145 static int validate_branch(struct objtool_file *file, struct symbol *func,
2146 struct instruction *insn, struct insn_state state)
2148 struct alternative *alt;
2149 struct instruction *next_insn;
2150 struct section *sec;
2156 if (insn->alt_group && list_empty(&insn->alts)) {
2157 WARN_FUNC("don't know how to handle branch to middle of alternative instruction group",
2163 next_insn = next_insn_same_sec(file, insn);
2165 if (file->c_file && func && insn->func && func != insn->func->pfunc) {
2166 WARN("%s() falls through to next function %s()",
2167 func->name, insn->func->name);
2171 if (func && insn->ignore) {
2172 WARN_FUNC("BUG: why am I validating an ignored function?",
2177 visited = 1 << state.uaccess;
2178 if (insn->visited) {
2179 if (!insn->hint && !insn_cfi_match(insn, &state.cfi))
2182 if (insn->visited & visited)
2187 state.instr += insn->instr;
2190 state.cfi = insn->cfi;
2192 insn->cfi = state.cfi;
2194 insn->visited |= visited;
2196 if (!insn->ignore_alts) {
2197 bool skip_orig = false;
2199 list_for_each_entry(alt, &insn->alts, list) {
2203 ret = validate_branch(file, func, alt->insn, state);
2206 BT_FUNC("(alt)", insn);
2215 switch (insn->type) {
2218 return validate_return(func, insn, &state);
2221 case INSN_CALL_DYNAMIC:
2222 ret = validate_call(insn, &state);
2226 if (!no_fp && func && !is_fentry_call(insn) &&
2227 !has_valid_stack_frame(&state)) {
2228 WARN_FUNC("call without frame pointer save/setup",
2233 if (dead_end_function(file, insn->call_dest))
2238 case INSN_JUMP_CONDITIONAL:
2239 case INSN_JUMP_UNCONDITIONAL:
2240 if (func && is_sibling_call(insn)) {
2241 ret = validate_sibling_call(insn, &state);
2245 } else if (insn->jump_dest) {
2246 ret = validate_branch(file, func,
2247 insn->jump_dest, state);
2250 BT_FUNC("(branch)", insn);
2255 if (insn->type == INSN_JUMP_UNCONDITIONAL)
2260 case INSN_JUMP_DYNAMIC:
2261 case INSN_JUMP_DYNAMIC_CONDITIONAL:
2262 if (func && is_sibling_call(insn)) {
2263 ret = validate_sibling_call(insn, &state);
2268 if (insn->type == INSN_JUMP_DYNAMIC)
2273 case INSN_EXCEPTION_RETURN:
2274 if (handle_insn_ops(insn, &state))
2278 * This handles x86's sync_core() case, where we use an
2279 * IRET to self. All 'normal' IRET instructions are in
2280 * STT_NOTYPE entry symbols.
2287 case INSN_CONTEXT_SWITCH:
2288 if (func && (!next_insn || !next_insn->hint)) {
2289 WARN_FUNC("unsupported instruction in callable function",
2296 if (handle_insn_ops(insn, &state))
2301 if (state.uaccess) {
2302 WARN_FUNC("recursive UACCESS enable", sec, insn->offset);
2306 state.uaccess = true;
2310 if (!state.uaccess && func) {
2311 WARN_FUNC("redundant UACCESS disable", sec, insn->offset);
2315 if (func_uaccess_safe(func) && !state.uaccess_stack) {
2316 WARN_FUNC("UACCESS-safe disables UACCESS", sec, insn->offset);
2320 state.uaccess = false;
2325 WARN_FUNC("recursive STD", sec, insn->offset);
2331 if (!state.df && func)
2332 WARN_FUNC("redundant CLD", sec, insn->offset);
2345 if (state.cfi.cfa.base == CFI_UNDEFINED)
2347 WARN("%s: unexpected end of section", sec->name);
2357 static int validate_unwind_hints(struct objtool_file *file)
2359 struct instruction *insn;
2360 int ret, warnings = 0;
2361 struct insn_state state;
2366 clear_insn_state(&state);
2368 for_each_insn(file, insn) {
2369 if (insn->hint && !insn->visited) {
2370 ret = validate_branch(file, insn->func, insn, state);
2371 if (ret && backtrace)
2372 BT_FUNC("<=== (hint)", insn);
2380 static int validate_retpoline(struct objtool_file *file)
2382 struct instruction *insn;
2385 for_each_insn(file, insn) {
2386 if (insn->type != INSN_JUMP_DYNAMIC &&
2387 insn->type != INSN_CALL_DYNAMIC)
2390 if (insn->retpoline_safe)
2394 * .init.text code is ran before userspace and thus doesn't
2395 * strictly need retpolines, except for modules which are
2396 * loaded late, they very much do need retpoline in their
2399 if (!strcmp(insn->sec->name, ".init.text") && !module)
2402 WARN_FUNC("indirect %s found in RETPOLINE build",
2403 insn->sec, insn->offset,
2404 insn->type == INSN_JUMP_DYNAMIC ? "jump" : "call");
2412 static bool is_kasan_insn(struct instruction *insn)
2414 return (insn->type == INSN_CALL &&
2415 !strcmp(insn->call_dest->name, "__asan_handle_no_return"));
2418 static bool is_ubsan_insn(struct instruction *insn)
2420 return (insn->type == INSN_CALL &&
2421 !strcmp(insn->call_dest->name,
2422 "__ubsan_handle_builtin_unreachable"));
2425 static bool ignore_unreachable_insn(struct instruction *insn)
2429 if (insn->ignore || insn->type == INSN_NOP)
2433 * Ignore any unused exceptions. This can happen when a whitelisted
2434 * function has an exception table entry.
2436 * Also ignore alternative replacement instructions. This can happen
2437 * when a whitelisted function uses one of the ALTERNATIVE macros.
2439 if (!strcmp(insn->sec->name, ".fixup") ||
2440 !strcmp(insn->sec->name, ".altinstr_replacement") ||
2441 !strcmp(insn->sec->name, ".altinstr_aux"))
2448 * CONFIG_UBSAN_TRAP inserts a UD2 when it sees
2449 * __builtin_unreachable(). The BUG() macro has an unreachable() after
2450 * the UD2, which causes GCC's undefined trap logic to emit another UD2
2451 * (or occasionally a JMP to UD2).
2453 if (list_prev_entry(insn, list)->dead_end &&
2454 (insn->type == INSN_BUG ||
2455 (insn->type == INSN_JUMP_UNCONDITIONAL &&
2456 insn->jump_dest && insn->jump_dest->type == INSN_BUG)))
2460 * Check if this (or a subsequent) instruction is related to
2461 * CONFIG_UBSAN or CONFIG_KASAN.
2463 * End the search at 5 instructions to avoid going into the weeds.
2465 for (i = 0; i < 5; i++) {
2467 if (is_kasan_insn(insn) || is_ubsan_insn(insn))
2470 if (insn->type == INSN_JUMP_UNCONDITIONAL) {
2471 if (insn->jump_dest &&
2472 insn->jump_dest->func == insn->func) {
2473 insn = insn->jump_dest;
2480 if (insn->offset + insn->len >= insn->func->offset + insn->func->len)
2483 insn = list_next_entry(insn, list);
2489 static int validate_section(struct objtool_file *file, struct section *sec)
2491 struct symbol *func;
2492 struct instruction *insn;
2493 struct insn_state state;
2494 int ret, warnings = 0;
2497 * We need the full vmlinux for noinstr validation, otherwise we can
2498 * not correctly determine insn->call_dest->sec (external symbols do
2499 * not have a section).
2502 state.noinstr = sec->noinstr;
2504 list_for_each_entry(func, &sec->symbol_list, list) {
2505 if (func->type != STT_FUNC)
2509 WARN("%s() is missing an ELF size annotation",
2514 if (func->pfunc != func || func->alias != func)
2517 insn = find_insn(file, sec, func->offset);
2518 if (!insn || insn->ignore || insn->visited)
2521 clear_insn_state(&state);
2522 state.cfi.cfa = initial_func_cfi.cfa;
2523 memcpy(&state.cfi.regs, &initial_func_cfi.regs,
2524 CFI_NUM_REGS * sizeof(struct cfi_reg));
2525 state.cfi.stack_size = initial_func_cfi.cfa.offset;
2527 state.uaccess = func->uaccess_safe;
2529 ret = validate_branch(file, func, insn, state);
2530 if (ret && backtrace)
2531 BT_FUNC("<=== (func)", insn);
2538 static int validate_vmlinux_functions(struct objtool_file *file)
2540 struct section *sec;
2542 sec = find_section_by_name(file->elf, ".noinstr.text");
2546 return validate_section(file, sec);
2549 static int validate_functions(struct objtool_file *file)
2551 struct section *sec;
2554 for_each_sec(file, sec)
2555 warnings += validate_section(file, sec);
2560 static int validate_reachable_instructions(struct objtool_file *file)
2562 struct instruction *insn;
2564 if (file->ignore_unreachables)
2567 for_each_insn(file, insn) {
2568 if (insn->visited || ignore_unreachable_insn(insn))
2571 WARN_FUNC("unreachable instruction", insn->sec, insn->offset);
2578 static struct objtool_file file;
2580 int check(const char *_objname, bool orc)
2582 int ret, warnings = 0;
2586 file.elf = elf_read(objname, orc ? O_RDWR : O_RDONLY);
2590 INIT_LIST_HEAD(&file.insn_list);
2591 hash_init(file.insn_hash);
2592 file.c_file = find_section_by_name(file.elf, ".comment");
2593 file.ignore_unreachables = no_unreachable;
2596 arch_initial_func_cfi_state(&initial_func_cfi);
2598 ret = decode_sections(&file);
2603 if (list_empty(&file.insn_list))
2606 if (vmlinux && !validate_dup) {
2607 ret = validate_vmlinux_functions(&file);
2616 ret = validate_retpoline(&file);
2622 ret = validate_functions(&file);
2627 ret = validate_unwind_hints(&file);
2633 ret = validate_reachable_instructions(&file);
2640 ret = create_orc(&file);
2644 ret = create_orc_sections(&file);
2648 ret = elf_write(file.elf);
2656 * Fatal error. The binary is corrupt or otherwise broken in
2657 * some way, or objtool itself is broken. Fail the kernel
projects / platform / kernel / linux-rpi.git / blob