1 // SPDX-License-Identifier: GPL-2.0-or-later
3 * Copyright (C) 2015-2017 Josh Poimboeuf <jpoimboe@redhat.com>
16 #include <linux/hashtable.h>
17 #include <linux/kernel.h>
19 #define FAKE_JUMP_OFFSET -1
21 #define C_JUMP_TABLE_SECTION ".rodata..c_jump_table"
24 struct list_head list;
25 struct instruction *insn;
30 struct cfi_init_state initial_func_cfi;
32 struct instruction *find_insn(struct objtool_file *file,
33 struct section *sec, unsigned long offset)
35 struct instruction *insn;
37 hash_for_each_possible(file->insn_hash, insn, hash, offset)
38 if (insn->sec == sec && insn->offset == offset)
44 static struct instruction *next_insn_same_sec(struct objtool_file *file,
45 struct instruction *insn)
47 struct instruction *next = list_next_entry(insn, list);
49 if (!next || &next->list == &file->insn_list || next->sec != insn->sec)
55 static struct instruction *next_insn_same_func(struct objtool_file *file,
56 struct instruction *insn)
58 struct instruction *next = list_next_entry(insn, list);
59 struct symbol *func = insn->func;
64 if (&next->list != &file->insn_list && next->func == func)
67 /* Check if we're already in the subfunction: */
68 if (func == func->cfunc)
71 /* Move to the subfunction: */
72 return find_insn(file, func->cfunc->sec, func->cfunc->offset);
75 #define func_for_each_insn(file, func, insn) \
76 for (insn = find_insn(file, func->sec, func->offset); \
78 insn = next_insn_same_func(file, insn))
80 #define sym_for_each_insn(file, sym, insn) \
81 for (insn = find_insn(file, sym->sec, sym->offset); \
82 insn && &insn->list != &file->insn_list && \
83 insn->sec == sym->sec && \
84 insn->offset < sym->offset + sym->len; \
85 insn = list_next_entry(insn, list))
87 #define sym_for_each_insn_continue_reverse(file, sym, insn) \
88 for (insn = list_prev_entry(insn, list); \
89 &insn->list != &file->insn_list && \
90 insn->sec == sym->sec && insn->offset >= sym->offset; \
91 insn = list_prev_entry(insn, list))
93 #define sec_for_each_insn_from(file, insn) \
94 for (; insn; insn = next_insn_same_sec(file, insn))
96 #define sec_for_each_insn_continue(file, insn) \
97 for (insn = next_insn_same_sec(file, insn); insn; \
98 insn = next_insn_same_sec(file, insn))
100 static bool is_static_jump(struct instruction *insn)
102 return insn->type == INSN_JUMP_CONDITIONAL ||
103 insn->type == INSN_JUMP_UNCONDITIONAL;
106 static bool is_sibling_call(struct instruction *insn)
108 /* An indirect jump is either a sibling call or a jump to a table. */
109 if (insn->type == INSN_JUMP_DYNAMIC)
110 return list_empty(&insn->alts);
112 if (!is_static_jump(insn))
115 /* add_jump_destinations() sets insn->call_dest for sibling calls. */
116 return !!insn->call_dest;
120 * This checks to see if the given function is a "noreturn" function.
122 * For global functions which are outside the scope of this object file, we
123 * have to keep a manual list of them.
125 * For local functions, we have to detect them manually by simply looking for
126 * the lack of a return instruction.
128 static bool __dead_end_function(struct objtool_file *file, struct symbol *func,
132 struct instruction *insn;
136 * Unfortunately these have to be hard coded because the noreturn
137 * attribute isn't provided in ELF data.
139 static const char * const global_noreturns[] = {
144 "__module_put_and_exit",
150 "machine_real_restart",
151 "rewind_stack_do_exit",
152 "kunit_try_catch_throw",
158 if (func->bind == STB_WEAK)
161 if (func->bind == STB_GLOBAL)
162 for (i = 0; i < ARRAY_SIZE(global_noreturns); i++)
163 if (!strcmp(func->name, global_noreturns[i]))
169 insn = find_insn(file, func->sec, func->offset);
173 func_for_each_insn(file, func, insn) {
176 if (insn->type == INSN_RETURN)
184 * A function can have a sibling call instead of a return. In that
185 * case, the function's dead-end status depends on whether the target
186 * of the sibling call returns.
188 func_for_each_insn(file, func, insn) {
189 if (is_sibling_call(insn)) {
190 struct instruction *dest = insn->jump_dest;
193 /* sibling call to another file */
196 /* local sibling call */
197 if (recursion == 5) {
199 * Infinite recursion: two functions have
200 * sibling calls to each other. This is a very
201 * rare case. It means they aren't dead ends.
206 return __dead_end_function(file, dest->func, recursion+1);
213 static bool dead_end_function(struct objtool_file *file, struct symbol *func)
215 return __dead_end_function(file, func, 0);
218 static void init_cfi_state(struct cfi_state *cfi)
222 for (i = 0; i < CFI_NUM_REGS; i++) {
223 cfi->regs[i].base = CFI_UNDEFINED;
224 cfi->vals[i].base = CFI_UNDEFINED;
226 cfi->cfa.base = CFI_UNDEFINED;
227 cfi->drap_reg = CFI_UNDEFINED;
228 cfi->drap_offset = -1;
231 static void clear_insn_state(struct insn_state *state)
233 memset(state, 0, sizeof(*state));
234 init_cfi_state(&state->cfi);
238 * Call the arch-specific instruction decoder for all the instructions and add
239 * them to the global instruction list.
241 static int decode_instructions(struct objtool_file *file)
245 unsigned long offset;
246 struct instruction *insn;
247 unsigned long nr_insns = 0;
250 for_each_sec(file, sec) {
252 if (!(sec->sh.sh_flags & SHF_EXECINSTR))
255 if (strcmp(sec->name, ".altinstr_replacement") &&
256 strcmp(sec->name, ".altinstr_aux") &&
257 strncmp(sec->name, ".discard.", 9))
260 for (offset = 0; offset < sec->len; offset += insn->len) {
261 insn = malloc(sizeof(*insn));
263 WARN("malloc failed");
266 memset(insn, 0, sizeof(*insn));
267 INIT_LIST_HEAD(&insn->alts);
268 INIT_LIST_HEAD(&insn->stack_ops);
269 init_cfi_state(&insn->cfi);
272 insn->offset = offset;
274 ret = arch_decode_instruction(file->elf, sec, offset,
276 &insn->len, &insn->type,
282 hash_add(file->insn_hash, &insn->hash, insn->offset);
283 list_add_tail(&insn->list, &file->insn_list);
287 list_for_each_entry(func, &sec->symbol_list, list) {
288 if (func->type != STT_FUNC || func->alias != func)
291 if (!find_insn(file, sec, func->offset)) {
292 WARN("%s(): can't find starting instruction",
297 sym_for_each_insn(file, func, insn)
303 printf("nr_insns: %lu\n", nr_insns);
313 * Mark "ud2" instructions and manually annotated dead ends.
315 static int add_dead_ends(struct objtool_file *file)
319 struct instruction *insn;
323 * By default, "ud2" is a dead end unless otherwise annotated, because
324 * GCC 7 inserts it for certain divide-by-zero cases.
326 for_each_insn(file, insn)
327 if (insn->type == INSN_BUG)
328 insn->dead_end = true;
331 * Check for manually annotated dead ends.
333 sec = find_section_by_name(file->elf, ".rela.discard.unreachable");
337 list_for_each_entry(rela, &sec->rela_list, list) {
338 if (rela->sym->type != STT_SECTION) {
339 WARN("unexpected relocation symbol type in %s", sec->name);
342 insn = find_insn(file, rela->sym->sec, rela->addend);
344 insn = list_prev_entry(insn, list);
345 else if (rela->addend == rela->sym->sec->len) {
347 list_for_each_entry_reverse(insn, &file->insn_list, list) {
348 if (insn->sec == rela->sym->sec) {
355 WARN("can't find unreachable insn at %s+0x%x",
356 rela->sym->sec->name, rela->addend);
360 WARN("can't find unreachable insn at %s+0x%x",
361 rela->sym->sec->name, rela->addend);
365 insn->dead_end = true;
370 * These manually annotated reachable checks are needed for GCC 4.4,
371 * where the Linux unreachable() macro isn't supported. In that case
372 * GCC doesn't know the "ud2" is fatal, so it generates code as if it's
375 sec = find_section_by_name(file->elf, ".rela.discard.reachable");
379 list_for_each_entry(rela, &sec->rela_list, list) {
380 if (rela->sym->type != STT_SECTION) {
381 WARN("unexpected relocation symbol type in %s", sec->name);
384 insn = find_insn(file, rela->sym->sec, rela->addend);
386 insn = list_prev_entry(insn, list);
387 else if (rela->addend == rela->sym->sec->len) {
389 list_for_each_entry_reverse(insn, &file->insn_list, list) {
390 if (insn->sec == rela->sym->sec) {
397 WARN("can't find reachable insn at %s+0x%x",
398 rela->sym->sec->name, rela->addend);
402 WARN("can't find reachable insn at %s+0x%x",
403 rela->sym->sec->name, rela->addend);
407 insn->dead_end = false;
414 * Warnings shouldn't be reported for ignored functions.
416 static void add_ignores(struct objtool_file *file)
418 struct instruction *insn;
423 sec = find_section_by_name(file->elf, ".rela.discard.func_stack_frame_non_standard");
427 list_for_each_entry(rela, &sec->rela_list, list) {
428 switch (rela->sym->type) {
434 func = find_func_by_offset(rela->sym->sec, rela->addend);
440 WARN("unexpected relocation symbol type in %s: %d", sec->name, rela->sym->type);
444 func_for_each_insn(file, func, insn)
450 * This is a whitelist of functions that is allowed to be called with AC set.
451 * The list is meant to be minimal and only contains compiler instrumentation
452 * ABI and a few functions used to implement *_{to,from}_user() functions.
454 * These functions must not directly change AC, but may PUSHF/POPF.
456 static const char *uaccess_safe_builtin[] = {
459 "check_memory_region",
460 /* KASAN out-of-line */
461 "__asan_loadN_noabort",
462 "__asan_load1_noabort",
463 "__asan_load2_noabort",
464 "__asan_load4_noabort",
465 "__asan_load8_noabort",
466 "__asan_load16_noabort",
467 "__asan_storeN_noabort",
468 "__asan_store1_noabort",
469 "__asan_store2_noabort",
470 "__asan_store4_noabort",
471 "__asan_store8_noabort",
472 "__asan_store16_noabort",
474 "__asan_report_load_n_noabort",
475 "__asan_report_load1_noabort",
476 "__asan_report_load2_noabort",
477 "__asan_report_load4_noabort",
478 "__asan_report_load8_noabort",
479 "__asan_report_load16_noabort",
480 "__asan_report_store_n_noabort",
481 "__asan_report_store1_noabort",
482 "__asan_report_store2_noabort",
483 "__asan_report_store4_noabort",
484 "__asan_report_store8_noabort",
485 "__asan_report_store16_noabort",
488 "__sanitizer_cov_trace_pc",
489 "__sanitizer_cov_trace_const_cmp1",
490 "__sanitizer_cov_trace_const_cmp2",
491 "__sanitizer_cov_trace_const_cmp4",
492 "__sanitizer_cov_trace_const_cmp8",
493 "__sanitizer_cov_trace_cmp1",
494 "__sanitizer_cov_trace_cmp2",
495 "__sanitizer_cov_trace_cmp4",
496 "__sanitizer_cov_trace_cmp8",
497 "__sanitizer_cov_trace_switch",
499 "ubsan_type_mismatch_common",
500 "__ubsan_handle_type_mismatch",
501 "__ubsan_handle_type_mismatch_v1",
502 "__ubsan_handle_shift_out_of_bounds",
504 "csum_partial_copy_generic",
506 "mcsafe_handle_tail",
507 "ftrace_likely_update", /* CONFIG_TRACE_BRANCH_PROFILING */
511 static void add_uaccess_safe(struct objtool_file *file)
519 for (name = uaccess_safe_builtin; *name; name++) {
520 func = find_symbol_by_name(file->elf, *name);
524 func->uaccess_safe = true;
529 * FIXME: For now, just ignore any alternatives which add retpolines. This is
530 * a temporary hack, as it doesn't allow ORC to unwind from inside a retpoline.
531 * But it at least allows objtool to understand the control flow *around* the
534 static int add_ignore_alternatives(struct objtool_file *file)
538 struct instruction *insn;
540 sec = find_section_by_name(file->elf, ".rela.discard.ignore_alts");
544 list_for_each_entry(rela, &sec->rela_list, list) {
545 if (rela->sym->type != STT_SECTION) {
546 WARN("unexpected relocation symbol type in %s", sec->name);
550 insn = find_insn(file, rela->sym->sec, rela->addend);
552 WARN("bad .discard.ignore_alts entry");
556 insn->ignore_alts = true;
563 * Find the destination instructions for all jumps.
565 static int add_jump_destinations(struct objtool_file *file)
567 struct instruction *insn;
569 struct section *dest_sec;
570 unsigned long dest_off;
572 for_each_insn(file, insn) {
573 if (!is_static_jump(insn))
576 if (insn->ignore || insn->offset == FAKE_JUMP_OFFSET)
579 rela = find_rela_by_dest_range(file->elf, insn->sec,
580 insn->offset, insn->len);
582 dest_sec = insn->sec;
583 dest_off = arch_jump_destination(insn);
584 } else if (rela->sym->type == STT_SECTION) {
585 dest_sec = rela->sym->sec;
586 dest_off = arch_dest_rela_offset(rela->addend);
587 } else if (rela->sym->sec->idx) {
588 dest_sec = rela->sym->sec;
589 dest_off = rela->sym->sym.st_value +
590 arch_dest_rela_offset(rela->addend);
591 } else if (strstr(rela->sym->name, "_indirect_thunk_")) {
593 * Retpoline jumps are really dynamic jumps in
594 * disguise, so convert them accordingly.
596 if (insn->type == INSN_JUMP_UNCONDITIONAL)
597 insn->type = INSN_JUMP_DYNAMIC;
599 insn->type = INSN_JUMP_DYNAMIC_CONDITIONAL;
601 insn->retpoline_safe = true;
604 /* external sibling call */
605 insn->call_dest = rela->sym;
609 insn->jump_dest = find_insn(file, dest_sec, dest_off);
610 if (!insn->jump_dest) {
613 * This is a special case where an alt instruction
614 * jumps past the end of the section. These are
615 * handled later in handle_group_alt().
617 if (!strcmp(insn->sec->name, ".altinstr_replacement"))
620 WARN_FUNC("can't find jump dest instruction at %s+0x%lx",
621 insn->sec, insn->offset, dest_sec->name,
627 * Cross-function jump.
629 if (insn->func && insn->jump_dest->func &&
630 insn->func != insn->jump_dest->func) {
633 * For GCC 8+, create parent/child links for any cold
634 * subfunctions. This is _mostly_ redundant with a
635 * similar initialization in read_symbols().
637 * If a function has aliases, we want the *first* such
638 * function in the symbol table to be the subfunction's
639 * parent. In that case we overwrite the
640 * initialization done in read_symbols().
642 * However this code can't completely replace the
643 * read_symbols() code because this doesn't detect the
644 * case where the parent function's only reference to a
645 * subfunction is through a jump table.
647 if (!strstr(insn->func->name, ".cold.") &&
648 strstr(insn->jump_dest->func->name, ".cold.")) {
649 insn->func->cfunc = insn->jump_dest->func;
650 insn->jump_dest->func->pfunc = insn->func;
652 } else if (insn->jump_dest->func->pfunc != insn->func->pfunc &&
653 insn->jump_dest->offset == insn->jump_dest->func->offset) {
655 /* internal sibling call */
656 insn->call_dest = insn->jump_dest->func;
665 * Find the destination instructions for all calls.
667 static int add_call_destinations(struct objtool_file *file)
669 struct instruction *insn;
670 unsigned long dest_off;
673 for_each_insn(file, insn) {
674 if (insn->type != INSN_CALL)
677 rela = find_rela_by_dest_range(file->elf, insn->sec,
678 insn->offset, insn->len);
680 dest_off = arch_jump_destination(insn);
681 insn->call_dest = find_func_by_offset(insn->sec, dest_off);
682 if (!insn->call_dest)
683 insn->call_dest = find_symbol_by_offset(insn->sec, dest_off);
688 if (!insn->call_dest) {
689 WARN_FUNC("unsupported intra-function call",
690 insn->sec, insn->offset);
692 WARN("If this is a retpoline, please patch it in with alternatives and annotate it with ANNOTATE_NOSPEC_ALTERNATIVE.");
696 if (insn->func && insn->call_dest->type != STT_FUNC) {
697 WARN_FUNC("unsupported call to non-function",
698 insn->sec, insn->offset);
702 } else if (rela->sym->type == STT_SECTION) {
703 dest_off = arch_dest_rela_offset(rela->addend);
704 insn->call_dest = find_func_by_offset(rela->sym->sec,
706 if (!insn->call_dest) {
707 WARN_FUNC("can't find call dest symbol at %s+0x%lx",
708 insn->sec, insn->offset,
709 rela->sym->sec->name,
714 insn->call_dest = rela->sym;
721 * The .alternatives section requires some extra special care, over and above
722 * what other special sections require:
724 * 1. Because alternatives are patched in-place, we need to insert a fake jump
725 * instruction at the end so that validate_branch() skips all the original
726 * replaced instructions when validating the new instruction path.
728 * 2. An added wrinkle is that the new instruction length might be zero. In
729 * that case the old instructions are replaced with noops. We simulate that
730 * by creating a fake jump as the only new instruction.
732 * 3. In some cases, the alternative section includes an instruction which
733 * conditionally jumps to the _end_ of the entry. We have to modify these
734 * jumps' destinations to point back to .text rather than the end of the
735 * entry in .altinstr_replacement.
737 static int handle_group_alt(struct objtool_file *file,
738 struct special_alt *special_alt,
739 struct instruction *orig_insn,
740 struct instruction **new_insn)
742 struct instruction *last_orig_insn, *last_new_insn, *insn, *fake_jump = NULL;
743 unsigned long dest_off;
745 last_orig_insn = NULL;
747 sec_for_each_insn_from(file, insn) {
748 if (insn->offset >= special_alt->orig_off + special_alt->orig_len)
751 insn->alt_group = true;
752 last_orig_insn = insn;
755 if (next_insn_same_sec(file, last_orig_insn)) {
756 fake_jump = malloc(sizeof(*fake_jump));
758 WARN("malloc failed");
761 memset(fake_jump, 0, sizeof(*fake_jump));
762 INIT_LIST_HEAD(&fake_jump->alts);
763 INIT_LIST_HEAD(&fake_jump->stack_ops);
764 init_cfi_state(&fake_jump->cfi);
766 fake_jump->sec = special_alt->new_sec;
767 fake_jump->offset = FAKE_JUMP_OFFSET;
768 fake_jump->type = INSN_JUMP_UNCONDITIONAL;
769 fake_jump->jump_dest = list_next_entry(last_orig_insn, list);
770 fake_jump->func = orig_insn->func;
773 if (!special_alt->new_len) {
775 WARN("%s: empty alternative at end of section",
776 special_alt->orig_sec->name);
780 *new_insn = fake_jump;
784 last_new_insn = NULL;
786 sec_for_each_insn_from(file, insn) {
787 if (insn->offset >= special_alt->new_off + special_alt->new_len)
790 last_new_insn = insn;
792 insn->ignore = orig_insn->ignore_alts;
793 insn->func = orig_insn->func;
796 * Since alternative replacement code is copy/pasted by the
797 * kernel after applying relocations, generally such code can't
798 * have relative-address relocation references to outside the
799 * .altinstr_replacement section, unless the arch's
800 * alternatives code can adjust the relative offsets
803 * The x86 alternatives code adjusts the offsets only when it
804 * encounters a branch instruction at the very beginning of the
807 if ((insn->offset != special_alt->new_off ||
808 (insn->type != INSN_CALL && !is_static_jump(insn))) &&
809 find_rela_by_dest_range(file->elf, insn->sec, insn->offset, insn->len)) {
811 WARN_FUNC("unsupported relocation in alternatives section",
812 insn->sec, insn->offset);
816 if (!is_static_jump(insn))
819 if (!insn->immediate)
822 dest_off = arch_jump_destination(insn);
823 if (dest_off == special_alt->new_off + special_alt->new_len) {
825 WARN("%s: alternative jump to end of section",
826 special_alt->orig_sec->name);
829 insn->jump_dest = fake_jump;
832 if (!insn->jump_dest) {
833 WARN_FUNC("can't find alternative jump destination",
834 insn->sec, insn->offset);
839 if (!last_new_insn) {
840 WARN_FUNC("can't find last new alternative instruction",
841 special_alt->new_sec, special_alt->new_off);
846 list_add(&fake_jump->list, &last_new_insn->list);
852 * A jump table entry can either convert a nop to a jump or a jump to a nop.
853 * If the original instruction is a jump, make the alt entry an effective nop
854 * by just skipping the original instruction.
856 static int handle_jump_alt(struct objtool_file *file,
857 struct special_alt *special_alt,
858 struct instruction *orig_insn,
859 struct instruction **new_insn)
861 if (orig_insn->type == INSN_NOP)
864 if (orig_insn->type != INSN_JUMP_UNCONDITIONAL) {
865 WARN_FUNC("unsupported instruction at jump label",
866 orig_insn->sec, orig_insn->offset);
870 *new_insn = list_next_entry(orig_insn, list);
875 * Read all the special sections which have alternate instructions which can be
876 * patched in or redirected to at runtime. Each instruction having alternate
877 * instruction(s) has them added to its insn->alts list, which will be
878 * traversed in validate_branch().
880 static int add_special_section_alts(struct objtool_file *file)
882 struct list_head special_alts;
883 struct instruction *orig_insn, *new_insn;
884 struct special_alt *special_alt, *tmp;
885 struct alternative *alt;
888 ret = special_get_alts(file->elf, &special_alts);
892 list_for_each_entry_safe(special_alt, tmp, &special_alts, list) {
894 orig_insn = find_insn(file, special_alt->orig_sec,
895 special_alt->orig_off);
897 WARN_FUNC("special: can't find orig instruction",
898 special_alt->orig_sec, special_alt->orig_off);
904 if (!special_alt->group || special_alt->new_len) {
905 new_insn = find_insn(file, special_alt->new_sec,
906 special_alt->new_off);
908 WARN_FUNC("special: can't find new instruction",
909 special_alt->new_sec,
910 special_alt->new_off);
916 if (special_alt->group) {
917 if (!special_alt->orig_len) {
918 WARN_FUNC("empty alternative entry",
919 orig_insn->sec, orig_insn->offset);
923 ret = handle_group_alt(file, special_alt, orig_insn,
927 } else if (special_alt->jump_or_nop) {
928 ret = handle_jump_alt(file, special_alt, orig_insn,
934 alt = malloc(sizeof(*alt));
936 WARN("malloc failed");
941 alt->insn = new_insn;
942 alt->skip_orig = special_alt->skip_orig;
943 orig_insn->ignore_alts |= special_alt->skip_alt;
944 list_add_tail(&alt->list, &orig_insn->alts);
946 list_del(&special_alt->list);
954 static int add_jump_table(struct objtool_file *file, struct instruction *insn,
957 struct rela *rela = table;
958 struct instruction *dest_insn;
959 struct alternative *alt;
960 struct symbol *pfunc = insn->func->pfunc;
961 unsigned int prev_offset = 0;
964 * Each @rela is a switch table relocation which points to the target
967 list_for_each_entry_from(rela, &table->sec->rela_list, list) {
969 /* Check for the end of the table: */
970 if (rela != table && rela->jump_table_start)
973 /* Make sure the table entries are consecutive: */
974 if (prev_offset && rela->offset != prev_offset + 8)
977 /* Detect function pointers from contiguous objects: */
978 if (rela->sym->sec == pfunc->sec &&
979 rela->addend == pfunc->offset)
982 dest_insn = find_insn(file, rela->sym->sec, rela->addend);
986 /* Make sure the destination is in the same function: */
987 if (!dest_insn->func || dest_insn->func->pfunc != pfunc)
990 alt = malloc(sizeof(*alt));
992 WARN("malloc failed");
996 alt->insn = dest_insn;
997 list_add_tail(&alt->list, &insn->alts);
998 prev_offset = rela->offset;
1002 WARN_FUNC("can't find switch jump table",
1003 insn->sec, insn->offset);
1011 * find_jump_table() - Given a dynamic jump, find the switch jump table in
1012 * .rodata associated with it.
1014 * There are 3 basic patterns:
1016 * 1. jmpq *[rodata addr](,%reg,8)
1018 * This is the most common case by far. It jumps to an address in a simple
1019 * jump table which is stored in .rodata.
1021 * 2. jmpq *[rodata addr](%rip)
1023 * This is caused by a rare GCC quirk, currently only seen in three driver
1024 * functions in the kernel, only with certain obscure non-distro configs.
1026 * As part of an optimization, GCC makes a copy of an existing switch jump
1027 * table, modifies it, and then hard-codes the jump (albeit with an indirect
1028 * jump) to use a single entry in the table. The rest of the jump table and
1029 * some of its jump targets remain as dead code.
1031 * In such a case we can just crudely ignore all unreachable instruction
1032 * warnings for the entire object file. Ideally we would just ignore them
1033 * for the function, but that would require redesigning the code quite a
1034 * bit. And honestly that's just not worth doing: unreachable instruction
1035 * warnings are of questionable value anyway, and this is such a rare issue.
1037 * 3. mov [rodata addr],%reg1
1038 * ... some instructions ...
1039 * jmpq *(%reg1,%reg2,8)
1041 * This is a fairly uncommon pattern which is new for GCC 6. As of this
1042 * writing, there are 11 occurrences of it in the allmodconfig kernel.
1044 * As of GCC 7 there are quite a few more of these and the 'in between' code
1045 * is significant. Esp. with KASAN enabled some of the code between the mov
1046 * and jmpq uses .rodata itself, which can confuse things.
1048 * TODO: Once we have DWARF CFI and smarter instruction decoding logic,
1049 * ensure the same register is used in the mov and jump instructions.
1051 * NOTE: RETPOLINE made it harder still to decode dynamic jumps.
1053 static struct rela *find_jump_table(struct objtool_file *file,
1054 struct symbol *func,
1055 struct instruction *insn)
1057 struct rela *text_rela, *table_rela;
1058 struct instruction *dest_insn, *orig_insn = insn;
1059 struct section *table_sec;
1060 unsigned long table_offset;
1063 * Backward search using the @first_jump_src links, these help avoid
1064 * much of the 'in between' code. Which avoids us getting confused by
1068 &insn->list != &file->insn_list && insn->func && insn->func->pfunc == func;
1069 insn = insn->first_jump_src ?: list_prev_entry(insn, list)) {
1071 if (insn != orig_insn && insn->type == INSN_JUMP_DYNAMIC)
1074 /* allow small jumps within the range */
1075 if (insn->type == INSN_JUMP_UNCONDITIONAL &&
1077 (insn->jump_dest->offset <= insn->offset ||
1078 insn->jump_dest->offset > orig_insn->offset))
1081 /* look for a relocation which references .rodata */
1082 text_rela = find_rela_by_dest_range(file->elf, insn->sec,
1083 insn->offset, insn->len);
1084 if (!text_rela || text_rela->sym->type != STT_SECTION ||
1085 !text_rela->sym->sec->rodata)
1088 table_offset = text_rela->addend;
1089 table_sec = text_rela->sym->sec;
1091 if (text_rela->type == R_X86_64_PC32)
1095 * Make sure the .rodata address isn't associated with a
1096 * symbol. GCC jump tables are anonymous data.
1098 * Also support C jump tables which are in the same format as
1099 * switch jump tables. For objtool to recognize them, they
1100 * need to be placed in the C_JUMP_TABLE_SECTION section. They
1101 * have symbols associated with them.
1103 if (find_symbol_containing(table_sec, table_offset) &&
1104 strcmp(table_sec->name, C_JUMP_TABLE_SECTION))
1108 * Each table entry has a rela associated with it. The rela
1109 * should reference text in the same function as the original
1112 table_rela = find_rela_by_dest(file->elf, table_sec, table_offset);
1115 dest_insn = find_insn(file, table_rela->sym->sec, table_rela->addend);
1116 if (!dest_insn || !dest_insn->func || dest_insn->func->pfunc != func)
1120 * Use of RIP-relative switch jumps is quite rare, and
1121 * indicates a rare GCC quirk/bug which can leave dead code
1124 if (text_rela->type == R_X86_64_PC32)
1125 file->ignore_unreachables = true;
1134 * First pass: Mark the head of each jump table so that in the next pass,
1135 * we know when a given jump table ends and the next one starts.
1137 static void mark_func_jump_tables(struct objtool_file *file,
1138 struct symbol *func)
1140 struct instruction *insn, *last = NULL;
1143 func_for_each_insn(file, func, insn) {
1148 * Store back-pointers for unconditional forward jumps such
1149 * that find_jump_table() can back-track using those and
1150 * avoid some potentially confusing code.
1152 if (insn->type == INSN_JUMP_UNCONDITIONAL && insn->jump_dest &&
1153 insn->offset > last->offset &&
1154 insn->jump_dest->offset > insn->offset &&
1155 !insn->jump_dest->first_jump_src) {
1157 insn->jump_dest->first_jump_src = insn;
1158 last = insn->jump_dest;
1161 if (insn->type != INSN_JUMP_DYNAMIC)
1164 rela = find_jump_table(file, func, insn);
1166 rela->jump_table_start = true;
1167 insn->jump_table = rela;
1172 static int add_func_jump_tables(struct objtool_file *file,
1173 struct symbol *func)
1175 struct instruction *insn;
1178 func_for_each_insn(file, func, insn) {
1179 if (!insn->jump_table)
1182 ret = add_jump_table(file, insn, insn->jump_table);
1191 * For some switch statements, gcc generates a jump table in the .rodata
1192 * section which contains a list of addresses within the function to jump to.
1193 * This finds these jump tables and adds them to the insn->alts lists.
1195 static int add_jump_table_alts(struct objtool_file *file)
1197 struct section *sec;
1198 struct symbol *func;
1204 for_each_sec(file, sec) {
1205 list_for_each_entry(func, &sec->symbol_list, list) {
1206 if (func->type != STT_FUNC)
1209 mark_func_jump_tables(file, func);
1210 ret = add_func_jump_tables(file, func);
1219 static int read_unwind_hints(struct objtool_file *file)
1221 struct section *sec, *relasec;
1223 struct unwind_hint *hint;
1224 struct instruction *insn;
1225 struct cfi_reg *cfa;
1228 sec = find_section_by_name(file->elf, ".discard.unwind_hints");
1232 relasec = sec->rela;
1234 WARN("missing .rela.discard.unwind_hints section");
1238 if (sec->len % sizeof(struct unwind_hint)) {
1239 WARN("struct unwind_hint size mismatch");
1245 for (i = 0; i < sec->len / sizeof(struct unwind_hint); i++) {
1246 hint = (struct unwind_hint *)sec->data->d_buf + i;
1248 rela = find_rela_by_dest(file->elf, sec, i * sizeof(*hint));
1250 WARN("can't find rela for unwind_hints[%d]", i);
1254 insn = find_insn(file, rela->sym->sec, rela->addend);
1256 WARN("can't find insn for unwind_hints[%d]", i);
1260 cfa = &insn->cfi.cfa;
1262 if (hint->type == UNWIND_HINT_TYPE_RET_OFFSET) {
1263 insn->ret_offset = hint->sp_offset;
1269 switch (hint->sp_reg) {
1270 case ORC_REG_UNDEFINED:
1271 cfa->base = CFI_UNDEFINED;
1279 case ORC_REG_SP_INDIRECT:
1280 cfa->base = CFI_SP_INDIRECT;
1283 cfa->base = CFI_R10;
1286 cfa->base = CFI_R13;
1295 WARN_FUNC("unsupported unwind_hint sp base reg %d",
1296 insn->sec, insn->offset, hint->sp_reg);
1300 cfa->offset = hint->sp_offset;
1301 insn->cfi.type = hint->type;
1302 insn->cfi.end = hint->end;
1308 static int read_retpoline_hints(struct objtool_file *file)
1310 struct section *sec;
1311 struct instruction *insn;
1314 sec = find_section_by_name(file->elf, ".rela.discard.retpoline_safe");
1318 list_for_each_entry(rela, &sec->rela_list, list) {
1319 if (rela->sym->type != STT_SECTION) {
1320 WARN("unexpected relocation symbol type in %s", sec->name);
1324 insn = find_insn(file, rela->sym->sec, rela->addend);
1326 WARN("bad .discard.retpoline_safe entry");
1330 if (insn->type != INSN_JUMP_DYNAMIC &&
1331 insn->type != INSN_CALL_DYNAMIC) {
1332 WARN_FUNC("retpoline_safe hint not an indirect jump/call",
1333 insn->sec, insn->offset);
1337 insn->retpoline_safe = true;
1343 static void mark_rodata(struct objtool_file *file)
1345 struct section *sec;
1349 * Search for the following rodata sections, each of which can
1350 * potentially contain jump tables:
1352 * - .rodata: can contain GCC switch tables
1353 * - .rodata.<func>: same, if -fdata-sections is being used
1354 * - .rodata..c_jump_table: contains C annotated jump tables
1356 * .rodata.str1.* sections are ignored; they don't contain jump tables.
1358 for_each_sec(file, sec) {
1359 if (!strncmp(sec->name, ".rodata", 7) &&
1360 !strstr(sec->name, ".str1.")) {
1366 file->rodata = found;
1369 static int decode_sections(struct objtool_file *file)
1375 ret = decode_instructions(file);
1379 ret = add_dead_ends(file);
1384 add_uaccess_safe(file);
1386 ret = add_ignore_alternatives(file);
1390 ret = add_jump_destinations(file);
1394 ret = add_special_section_alts(file);
1398 ret = add_call_destinations(file);
1402 ret = add_jump_table_alts(file);
1406 ret = read_unwind_hints(file);
1410 ret = read_retpoline_hints(file);
1417 static bool is_fentry_call(struct instruction *insn)
1419 if (insn->type == INSN_CALL &&
1420 insn->call_dest->type == STT_NOTYPE &&
1421 !strcmp(insn->call_dest->name, "__fentry__"))
1427 static bool has_modified_stack_frame(struct instruction *insn, struct insn_state *state)
1429 u8 ret_offset = insn->ret_offset;
1430 struct cfi_state *cfi = &state->cfi;
1433 if (cfi->cfa.base != initial_func_cfi.cfa.base || cfi->drap)
1436 if (cfi->cfa.offset != initial_func_cfi.cfa.offset + ret_offset)
1439 if (cfi->stack_size != initial_func_cfi.cfa.offset + ret_offset)
1442 for (i = 0; i < CFI_NUM_REGS; i++) {
1443 if (cfi->regs[i].base != initial_func_cfi.regs[i].base ||
1444 cfi->regs[i].offset != initial_func_cfi.regs[i].offset)
1451 static bool has_valid_stack_frame(struct insn_state *state)
1453 struct cfi_state *cfi = &state->cfi;
1455 if (cfi->cfa.base == CFI_BP && cfi->regs[CFI_BP].base == CFI_CFA &&
1456 cfi->regs[CFI_BP].offset == -16)
1459 if (cfi->drap && cfi->regs[CFI_BP].base == CFI_BP)
1465 static int update_cfi_state_regs(struct instruction *insn,
1466 struct cfi_state *cfi,
1467 struct stack_op *op)
1469 struct cfi_reg *cfa = &cfi->cfa;
1471 if (cfa->base != CFI_SP)
1475 if (op->dest.type == OP_DEST_PUSH || op->dest.type == OP_DEST_PUSHF)
1479 if (op->src.type == OP_SRC_POP || op->src.type == OP_SRC_POPF)
1482 /* add immediate to sp */
1483 if (op->dest.type == OP_DEST_REG && op->src.type == OP_SRC_ADD &&
1484 op->dest.reg == CFI_SP && op->src.reg == CFI_SP)
1485 cfa->offset -= op->src.offset;
1490 static void save_reg(struct cfi_state *cfi, unsigned char reg, int base, int offset)
1492 if (arch_callee_saved_reg(reg) &&
1493 cfi->regs[reg].base == CFI_UNDEFINED) {
1494 cfi->regs[reg].base = base;
1495 cfi->regs[reg].offset = offset;
1499 static void restore_reg(struct cfi_state *cfi, unsigned char reg)
1501 cfi->regs[reg].base = initial_func_cfi.regs[reg].base;
1502 cfi->regs[reg].offset = initial_func_cfi.regs[reg].offset;
1506 * A note about DRAP stack alignment:
1508 * GCC has the concept of a DRAP register, which is used to help keep track of
1509 * the stack pointer when aligning the stack. r10 or r13 is used as the DRAP
1510 * register. The typical DRAP pattern is:
1512 * 4c 8d 54 24 08 lea 0x8(%rsp),%r10
1513 * 48 83 e4 c0 and $0xffffffffffffffc0,%rsp
1514 * 41 ff 72 f8 pushq -0x8(%r10)
1516 * 48 89 e5 mov %rsp,%rbp
1523 * 49 8d 62 f8 lea -0x8(%r10),%rsp
1526 * There are some variations in the epilogues, like:
1534 * 49 8d 62 f8 lea -0x8(%r10),%rsp
1539 * 4c 8b 55 e8 mov -0x18(%rbp),%r10
1540 * 48 8b 5d e0 mov -0x20(%rbp),%rbx
1541 * 4c 8b 65 f0 mov -0x10(%rbp),%r12
1542 * 4c 8b 6d f8 mov -0x8(%rbp),%r13
1544 * 49 8d 62 f8 lea -0x8(%r10),%rsp
1547 * Sometimes r13 is used as the DRAP register, in which case it's saved and
1548 * restored beforehand:
1551 * 4c 8d 6c 24 10 lea 0x10(%rsp),%r13
1552 * 48 83 e4 f0 and $0xfffffffffffffff0,%rsp
1554 * 49 8d 65 f0 lea -0x10(%r13),%rsp
1558 static int update_cfi_state(struct instruction *insn, struct cfi_state *cfi,
1559 struct stack_op *op)
1561 struct cfi_reg *cfa = &cfi->cfa;
1562 struct cfi_reg *regs = cfi->regs;
1564 /* stack operations don't make sense with an undefined CFA */
1565 if (cfa->base == CFI_UNDEFINED) {
1567 WARN_FUNC("undefined stack state", insn->sec, insn->offset);
1573 if (cfi->type == ORC_TYPE_REGS || cfi->type == ORC_TYPE_REGS_IRET)
1574 return update_cfi_state_regs(insn, cfi, op);
1576 switch (op->dest.type) {
1579 switch (op->src.type) {
1582 if (op->src.reg == CFI_SP && op->dest.reg == CFI_BP &&
1583 cfa->base == CFI_SP &&
1584 regs[CFI_BP].base == CFI_CFA &&
1585 regs[CFI_BP].offset == -cfa->offset) {
1587 /* mov %rsp, %rbp */
1588 cfa->base = op->dest.reg;
1589 cfi->bp_scratch = false;
1592 else if (op->src.reg == CFI_SP &&
1593 op->dest.reg == CFI_BP && cfi->drap) {
1595 /* drap: mov %rsp, %rbp */
1596 regs[CFI_BP].base = CFI_BP;
1597 regs[CFI_BP].offset = -cfi->stack_size;
1598 cfi->bp_scratch = false;
1601 else if (op->src.reg == CFI_SP && cfa->base == CFI_SP) {
1606 * This is needed for the rare case where GCC
1613 cfi->vals[op->dest.reg].base = CFI_CFA;
1614 cfi->vals[op->dest.reg].offset = -cfi->stack_size;
1617 else if (op->src.reg == CFI_BP && op->dest.reg == CFI_SP &&
1618 cfa->base == CFI_BP) {
1623 * Restore the original stack pointer (Clang).
1625 cfi->stack_size = -cfi->regs[CFI_BP].offset;
1628 else if (op->dest.reg == cfa->base) {
1630 /* mov %reg, %rsp */
1631 if (cfa->base == CFI_SP &&
1632 cfi->vals[op->src.reg].base == CFI_CFA) {
1635 * This is needed for the rare case
1636 * where GCC does something dumb like:
1638 * lea 0x8(%rsp), %rcx
1642 cfa->offset = -cfi->vals[op->src.reg].offset;
1643 cfi->stack_size = cfa->offset;
1646 cfa->base = CFI_UNDEFINED;
1654 if (op->dest.reg == CFI_SP && op->src.reg == CFI_SP) {
1657 cfi->stack_size -= op->src.offset;
1658 if (cfa->base == CFI_SP)
1659 cfa->offset -= op->src.offset;
1663 if (op->dest.reg == CFI_SP && op->src.reg == CFI_BP) {
1665 /* lea disp(%rbp), %rsp */
1666 cfi->stack_size = -(op->src.offset + regs[CFI_BP].offset);
1670 if (op->src.reg == CFI_SP && cfa->base == CFI_SP) {
1672 /* drap: lea disp(%rsp), %drap */
1673 cfi->drap_reg = op->dest.reg;
1676 * lea disp(%rsp), %reg
1678 * This is needed for the rare case where GCC
1679 * does something dumb like:
1681 * lea 0x8(%rsp), %rcx
1685 cfi->vals[op->dest.reg].base = CFI_CFA;
1686 cfi->vals[op->dest.reg].offset = \
1687 -cfi->stack_size + op->src.offset;
1692 if (cfi->drap && op->dest.reg == CFI_SP &&
1693 op->src.reg == cfi->drap_reg) {
1695 /* drap: lea disp(%drap), %rsp */
1697 cfa->offset = cfi->stack_size = -op->src.offset;
1698 cfi->drap_reg = CFI_UNDEFINED;
1703 if (op->dest.reg == cfi->cfa.base) {
1704 WARN_FUNC("unsupported stack register modification",
1705 insn->sec, insn->offset);
1712 if (op->dest.reg != CFI_SP ||
1713 (cfi->drap_reg != CFI_UNDEFINED && cfa->base != CFI_SP) ||
1714 (cfi->drap_reg == CFI_UNDEFINED && cfa->base != CFI_BP)) {
1715 WARN_FUNC("unsupported stack pointer realignment",
1716 insn->sec, insn->offset);
1720 if (cfi->drap_reg != CFI_UNDEFINED) {
1721 /* drap: and imm, %rsp */
1722 cfa->base = cfi->drap_reg;
1723 cfa->offset = cfi->stack_size = 0;
1728 * Older versions of GCC (4.8ish) realign the stack
1729 * without DRAP, with a frame pointer.
1736 if (!cfi->drap && op->dest.reg == cfa->base) {
1742 if (cfi->drap && cfa->base == CFI_BP_INDIRECT &&
1743 op->dest.reg == cfi->drap_reg &&
1744 cfi->drap_offset == -cfi->stack_size) {
1746 /* drap: pop %drap */
1747 cfa->base = cfi->drap_reg;
1749 cfi->drap_offset = -1;
1751 } else if (regs[op->dest.reg].offset == -cfi->stack_size) {
1754 restore_reg(cfi, op->dest.reg);
1757 cfi->stack_size -= 8;
1758 if (cfa->base == CFI_SP)
1763 case OP_SRC_REG_INDIRECT:
1764 if (cfi->drap && op->src.reg == CFI_BP &&
1765 op->src.offset == cfi->drap_offset) {
1767 /* drap: mov disp(%rbp), %drap */
1768 cfa->base = cfi->drap_reg;
1770 cfi->drap_offset = -1;
1773 if (cfi->drap && op->src.reg == CFI_BP &&
1774 op->src.offset == regs[op->dest.reg].offset) {
1776 /* drap: mov disp(%rbp), %reg */
1777 restore_reg(cfi, op->dest.reg);
1779 } else if (op->src.reg == cfa->base &&
1780 op->src.offset == regs[op->dest.reg].offset + cfa->offset) {
1782 /* mov disp(%rbp), %reg */
1783 /* mov disp(%rsp), %reg */
1784 restore_reg(cfi, op->dest.reg);
1790 WARN_FUNC("unknown stack-related instruction",
1791 insn->sec, insn->offset);
1799 cfi->stack_size += 8;
1800 if (cfa->base == CFI_SP)
1803 if (op->src.type != OP_SRC_REG)
1807 if (op->src.reg == cfa->base && op->src.reg == cfi->drap_reg) {
1809 /* drap: push %drap */
1810 cfa->base = CFI_BP_INDIRECT;
1811 cfa->offset = -cfi->stack_size;
1813 /* save drap so we know when to restore it */
1814 cfi->drap_offset = -cfi->stack_size;
1816 } else if (op->src.reg == CFI_BP && cfa->base == cfi->drap_reg) {
1818 /* drap: push %rbp */
1819 cfi->stack_size = 0;
1821 } else if (regs[op->src.reg].base == CFI_UNDEFINED) {
1823 /* drap: push %reg */
1824 save_reg(cfi, op->src.reg, CFI_BP, -cfi->stack_size);
1830 save_reg(cfi, op->src.reg, CFI_CFA, -cfi->stack_size);
1833 /* detect when asm code uses rbp as a scratch register */
1834 if (!no_fp && insn->func && op->src.reg == CFI_BP &&
1835 cfa->base != CFI_BP)
1836 cfi->bp_scratch = true;
1839 case OP_DEST_REG_INDIRECT:
1842 if (op->src.reg == cfa->base && op->src.reg == cfi->drap_reg) {
1844 /* drap: mov %drap, disp(%rbp) */
1845 cfa->base = CFI_BP_INDIRECT;
1846 cfa->offset = op->dest.offset;
1848 /* save drap offset so we know when to restore it */
1849 cfi->drap_offset = op->dest.offset;
1852 else if (regs[op->src.reg].base == CFI_UNDEFINED) {
1854 /* drap: mov reg, disp(%rbp) */
1855 save_reg(cfi, op->src.reg, CFI_BP, op->dest.offset);
1858 } else if (op->dest.reg == cfa->base) {
1860 /* mov reg, disp(%rbp) */
1861 /* mov reg, disp(%rsp) */
1862 save_reg(cfi, op->src.reg, CFI_CFA,
1863 op->dest.offset - cfi->cfa.offset);
1869 if ((!cfi->drap && cfa->base != CFI_BP) ||
1870 (cfi->drap && cfa->base != cfi->drap_reg)) {
1871 WARN_FUNC("leave instruction with modified stack frame",
1872 insn->sec, insn->offset);
1876 /* leave (mov %rbp, %rsp; pop %rbp) */
1878 cfi->stack_size = -cfi->regs[CFI_BP].offset - 8;
1879 restore_reg(cfi, CFI_BP);
1889 if (op->src.type != OP_SRC_POP && op->src.type != OP_SRC_POPF) {
1890 WARN_FUNC("unknown stack-related memory operation",
1891 insn->sec, insn->offset);
1896 cfi->stack_size -= 8;
1897 if (cfa->base == CFI_SP)
1903 WARN_FUNC("unknown stack-related instruction",
1904 insn->sec, insn->offset);
1911 static int handle_insn_ops(struct instruction *insn, struct insn_state *state)
1913 struct stack_op *op;
1915 list_for_each_entry(op, &insn->stack_ops, list) {
1918 res = update_cfi_state(insn, &state->cfi, op);
1922 if (op->dest.type == OP_DEST_PUSHF) {
1923 if (!state->uaccess_stack) {
1924 state->uaccess_stack = 1;
1925 } else if (state->uaccess_stack >> 31) {
1926 WARN_FUNC("PUSHF stack exhausted",
1927 insn->sec, insn->offset);
1930 state->uaccess_stack <<= 1;
1931 state->uaccess_stack |= state->uaccess;
1934 if (op->src.type == OP_SRC_POPF) {
1935 if (state->uaccess_stack) {
1936 state->uaccess = state->uaccess_stack & 1;
1937 state->uaccess_stack >>= 1;
1938 if (state->uaccess_stack == 1)
1939 state->uaccess_stack = 0;
1947 static bool insn_cfi_match(struct instruction *insn, struct cfi_state *cfi2)
1949 struct cfi_state *cfi1 = &insn->cfi;
1952 if (memcmp(&cfi1->cfa, &cfi2->cfa, sizeof(cfi1->cfa))) {
1954 WARN_FUNC("stack state mismatch: cfa1=%d%+d cfa2=%d%+d",
1955 insn->sec, insn->offset,
1956 cfi1->cfa.base, cfi1->cfa.offset,
1957 cfi2->cfa.base, cfi2->cfa.offset);
1959 } else if (memcmp(&cfi1->regs, &cfi2->regs, sizeof(cfi1->regs))) {
1960 for (i = 0; i < CFI_NUM_REGS; i++) {
1961 if (!memcmp(&cfi1->regs[i], &cfi2->regs[i],
1962 sizeof(struct cfi_reg)))
1965 WARN_FUNC("stack state mismatch: reg1[%d]=%d%+d reg2[%d]=%d%+d",
1966 insn->sec, insn->offset,
1967 i, cfi1->regs[i].base, cfi1->regs[i].offset,
1968 i, cfi2->regs[i].base, cfi2->regs[i].offset);
1972 } else if (cfi1->type != cfi2->type) {
1974 WARN_FUNC("stack state mismatch: type1=%d type2=%d",
1975 insn->sec, insn->offset, cfi1->type, cfi2->type);
1977 } else if (cfi1->drap != cfi2->drap ||
1978 (cfi1->drap && cfi1->drap_reg != cfi2->drap_reg) ||
1979 (cfi1->drap && cfi1->drap_offset != cfi2->drap_offset)) {
1981 WARN_FUNC("stack state mismatch: drap1=%d(%d,%d) drap2=%d(%d,%d)",
1982 insn->sec, insn->offset,
1983 cfi1->drap, cfi1->drap_reg, cfi1->drap_offset,
1984 cfi2->drap, cfi2->drap_reg, cfi2->drap_offset);
1992 static inline bool func_uaccess_safe(struct symbol *func)
1995 return func->uaccess_safe;
2000 static inline const char *call_dest_name(struct instruction *insn)
2002 if (insn->call_dest)
2003 return insn->call_dest->name;
2008 static int validate_call(struct instruction *insn, struct insn_state *state)
2010 if (state->uaccess && !func_uaccess_safe(insn->call_dest)) {
2011 WARN_FUNC("call to %s() with UACCESS enabled",
2012 insn->sec, insn->offset, call_dest_name(insn));
2017 WARN_FUNC("call to %s() with DF set",
2018 insn->sec, insn->offset, call_dest_name(insn));
2025 static int validate_sibling_call(struct instruction *insn, struct insn_state *state)
2027 if (has_modified_stack_frame(insn, state)) {
2028 WARN_FUNC("sibling call from callable instruction with modified stack frame",
2029 insn->sec, insn->offset);
2033 return validate_call(insn, state);
2036 static int validate_return(struct symbol *func, struct instruction *insn, struct insn_state *state)
2038 if (state->uaccess && !func_uaccess_safe(func)) {
2039 WARN_FUNC("return with UACCESS enabled",
2040 insn->sec, insn->offset);
2044 if (!state->uaccess && func_uaccess_safe(func)) {
2045 WARN_FUNC("return with UACCESS disabled from a UACCESS-safe function",
2046 insn->sec, insn->offset);
2051 WARN_FUNC("return with DF set",
2052 insn->sec, insn->offset);
2056 if (func && has_modified_stack_frame(insn, state)) {
2057 WARN_FUNC("return with modified stack frame",
2058 insn->sec, insn->offset);
2062 if (state->cfi.bp_scratch) {
2063 WARN_FUNC("BP used as a scratch register",
2064 insn->sec, insn->offset);
2072 * Follow the branch starting at the given instruction, and recursively follow
2073 * any other branches (jumps). Meanwhile, track the frame pointer state at
2074 * each instruction and validate all the rules described in
2075 * tools/objtool/Documentation/stack-validation.txt.
2077 static int validate_branch(struct objtool_file *file, struct symbol *func,
2078 struct instruction *insn, struct insn_state state)
2080 struct alternative *alt;
2081 struct instruction *next_insn;
2082 struct section *sec;
2088 if (insn->alt_group && list_empty(&insn->alts)) {
2089 WARN_FUNC("don't know how to handle branch to middle of alternative instruction group",
2095 next_insn = next_insn_same_sec(file, insn);
2097 if (file->c_file && func && insn->func && func != insn->func->pfunc) {
2098 WARN("%s() falls through to next function %s()",
2099 func->name, insn->func->name);
2103 if (func && insn->ignore) {
2104 WARN_FUNC("BUG: why am I validating an ignored function?",
2109 visited = 1 << state.uaccess;
2110 if (insn->visited) {
2111 if (!insn->hint && !insn_cfi_match(insn, &state.cfi))
2114 if (insn->visited & visited)
2119 state.cfi = insn->cfi;
2121 insn->cfi = state.cfi;
2123 insn->visited |= visited;
2125 if (!insn->ignore_alts) {
2126 bool skip_orig = false;
2128 list_for_each_entry(alt, &insn->alts, list) {
2132 ret = validate_branch(file, func, alt->insn, state);
2135 BT_FUNC("(alt)", insn);
2144 switch (insn->type) {
2147 return validate_return(func, insn, &state);
2150 case INSN_CALL_DYNAMIC:
2151 ret = validate_call(insn, &state);
2155 if (!no_fp && func && !is_fentry_call(insn) &&
2156 !has_valid_stack_frame(&state)) {
2157 WARN_FUNC("call without frame pointer save/setup",
2162 if (dead_end_function(file, insn->call_dest))
2167 case INSN_JUMP_CONDITIONAL:
2168 case INSN_JUMP_UNCONDITIONAL:
2169 if (func && is_sibling_call(insn)) {
2170 ret = validate_sibling_call(insn, &state);
2174 } else if (insn->jump_dest) {
2175 ret = validate_branch(file, func,
2176 insn->jump_dest, state);
2179 BT_FUNC("(branch)", insn);
2184 if (insn->type == INSN_JUMP_UNCONDITIONAL)
2189 case INSN_JUMP_DYNAMIC:
2190 case INSN_JUMP_DYNAMIC_CONDITIONAL:
2191 if (func && is_sibling_call(insn)) {
2192 ret = validate_sibling_call(insn, &state);
2197 if (insn->type == INSN_JUMP_DYNAMIC)
2202 case INSN_EXCEPTION_RETURN:
2203 if (handle_insn_ops(insn, &state))
2207 * This handles x86's sync_core() case, where we use an
2208 * IRET to self. All 'normal' IRET instructions are in
2209 * STT_NOTYPE entry symbols.
2216 case INSN_CONTEXT_SWITCH:
2217 if (func && (!next_insn || !next_insn->hint)) {
2218 WARN_FUNC("unsupported instruction in callable function",
2225 if (handle_insn_ops(insn, &state))
2230 if (state.uaccess) {
2231 WARN_FUNC("recursive UACCESS enable", sec, insn->offset);
2235 state.uaccess = true;
2239 if (!state.uaccess && func) {
2240 WARN_FUNC("redundant UACCESS disable", sec, insn->offset);
2244 if (func_uaccess_safe(func) && !state.uaccess_stack) {
2245 WARN_FUNC("UACCESS-safe disables UACCESS", sec, insn->offset);
2249 state.uaccess = false;
2254 WARN_FUNC("recursive STD", sec, insn->offset);
2260 if (!state.df && func)
2261 WARN_FUNC("redundant CLD", sec, insn->offset);
2274 if (state.cfi.cfa.base == CFI_UNDEFINED)
2276 WARN("%s: unexpected end of section", sec->name);
2286 static int validate_unwind_hints(struct objtool_file *file)
2288 struct instruction *insn;
2289 int ret, warnings = 0;
2290 struct insn_state state;
2295 clear_insn_state(&state);
2297 for_each_insn(file, insn) {
2298 if (insn->hint && !insn->visited) {
2299 ret = validate_branch(file, insn->func, insn, state);
2300 if (ret && backtrace)
2301 BT_FUNC("<=== (hint)", insn);
2309 static int validate_retpoline(struct objtool_file *file)
2311 struct instruction *insn;
2314 for_each_insn(file, insn) {
2315 if (insn->type != INSN_JUMP_DYNAMIC &&
2316 insn->type != INSN_CALL_DYNAMIC)
2319 if (insn->retpoline_safe)
2323 * .init.text code is ran before userspace and thus doesn't
2324 * strictly need retpolines, except for modules which are
2325 * loaded late, they very much do need retpoline in their
2328 if (!strcmp(insn->sec->name, ".init.text") && !module)
2331 WARN_FUNC("indirect %s found in RETPOLINE build",
2332 insn->sec, insn->offset,
2333 insn->type == INSN_JUMP_DYNAMIC ? "jump" : "call");
2341 static bool is_kasan_insn(struct instruction *insn)
2343 return (insn->type == INSN_CALL &&
2344 !strcmp(insn->call_dest->name, "__asan_handle_no_return"));
2347 static bool is_ubsan_insn(struct instruction *insn)
2349 return (insn->type == INSN_CALL &&
2350 !strcmp(insn->call_dest->name,
2351 "__ubsan_handle_builtin_unreachable"));
2354 static bool ignore_unreachable_insn(struct instruction *insn)
2358 if (insn->ignore || insn->type == INSN_NOP)
2362 * Ignore any unused exceptions. This can happen when a whitelisted
2363 * function has an exception table entry.
2365 * Also ignore alternative replacement instructions. This can happen
2366 * when a whitelisted function uses one of the ALTERNATIVE macros.
2368 if (!strcmp(insn->sec->name, ".fixup") ||
2369 !strcmp(insn->sec->name, ".altinstr_replacement") ||
2370 !strcmp(insn->sec->name, ".altinstr_aux"))
2377 * CONFIG_UBSAN_TRAP inserts a UD2 when it sees
2378 * __builtin_unreachable(). The BUG() macro has an unreachable() after
2379 * the UD2, which causes GCC's undefined trap logic to emit another UD2
2380 * (or occasionally a JMP to UD2).
2382 if (list_prev_entry(insn, list)->dead_end &&
2383 (insn->type == INSN_BUG ||
2384 (insn->type == INSN_JUMP_UNCONDITIONAL &&
2385 insn->jump_dest && insn->jump_dest->type == INSN_BUG)))
2389 * Check if this (or a subsequent) instruction is related to
2390 * CONFIG_UBSAN or CONFIG_KASAN.
2392 * End the search at 5 instructions to avoid going into the weeds.
2394 for (i = 0; i < 5; i++) {
2396 if (is_kasan_insn(insn) || is_ubsan_insn(insn))
2399 if (insn->type == INSN_JUMP_UNCONDITIONAL) {
2400 if (insn->jump_dest &&
2401 insn->jump_dest->func == insn->func) {
2402 insn = insn->jump_dest;
2409 if (insn->offset + insn->len >= insn->func->offset + insn->func->len)
2412 insn = list_next_entry(insn, list);
2418 static int validate_section(struct objtool_file *file, struct section *sec)
2420 struct symbol *func;
2421 struct instruction *insn;
2422 struct insn_state state;
2423 int ret, warnings = 0;
2425 list_for_each_entry(func, &sec->symbol_list, list) {
2426 if (func->type != STT_FUNC)
2430 WARN("%s() is missing an ELF size annotation",
2435 if (func->pfunc != func || func->alias != func)
2438 insn = find_insn(file, sec, func->offset);
2439 if (!insn || insn->ignore || insn->visited)
2442 clear_insn_state(&state);
2443 state.cfi.cfa = initial_func_cfi.cfa;
2444 memcpy(&state.cfi.regs, &initial_func_cfi.regs,
2445 CFI_NUM_REGS * sizeof(struct cfi_reg));
2446 state.cfi.stack_size = initial_func_cfi.cfa.offset;
2448 state.uaccess = func->uaccess_safe;
2450 ret = validate_branch(file, func, insn, state);
2451 if (ret && backtrace)
2452 BT_FUNC("<=== (func)", insn);
2459 static int validate_functions(struct objtool_file *file)
2461 struct section *sec;
2464 for_each_sec(file, sec)
2465 warnings += validate_section(file, sec);
2470 static int validate_reachable_instructions(struct objtool_file *file)
2472 struct instruction *insn;
2474 if (file->ignore_unreachables)
2477 for_each_insn(file, insn) {
2478 if (insn->visited || ignore_unreachable_insn(insn))
2481 WARN_FUNC("unreachable instruction", insn->sec, insn->offset);
2488 static struct objtool_file file;
2490 int check(const char *_objname, bool orc)
2492 int ret, warnings = 0;
2496 file.elf = elf_read(objname, orc ? O_RDWR : O_RDONLY);
2500 INIT_LIST_HEAD(&file.insn_list);
2501 hash_init(file.insn_hash);
2502 file.c_file = find_section_by_name(file.elf, ".comment");
2503 file.ignore_unreachables = no_unreachable;
2506 arch_initial_func_cfi_state(&initial_func_cfi);
2508 ret = decode_sections(&file);
2513 if (list_empty(&file.insn_list))
2517 ret = validate_retpoline(&file);
2523 ret = validate_functions(&file);
2528 ret = validate_unwind_hints(&file);
2534 ret = validate_reachable_instructions(&file);
2541 ret = create_orc(&file);
2545 ret = create_orc_sections(&file);
2549 ret = elf_write(file.elf);
2557 * Fatal error. The binary is corrupt or otherwise broken in
2558 * some way, or objtool itself is broken. Fail the kernel
projects / platform / kernel / linux-rpi.git / blob