From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 197141EF09B for ; Tue, 5 May 2026 08:26:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777969577; cv=none; b=NjNyEpMbGYg9Fl+5bdj2RqCqzarO0z2sOZmVWga8G3O3PwMyCT+MAAyRTWw8mzTmwNkf5pLt6KMEPg6gE+MNN3tckmprCjX7BP4qlVLGaDm87IYD6Uc+Kd6jwcoqhhsbQ4MGnZrYWUNsuqxUYoltRCbzRDvE1aZLe6xo2OIkh2g= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777969577; c=relaxed/simple; bh=/lWFIRU9SRB543jmDFL9gq4TU/UhA6QXqreAmW+BU8A=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=JEZC6S+50y7Kbt8wS0wzgK+7jpT7oNHnHACE3bpNNc7FPlo6y3AqwGKt5bW9aJkyzrfvLa6IrU/18AtNjdJRj+fzO8U9xPwd2vazlTAWSDc/rRk3Dt5OyV717iPQrDM3bJACtZNTp+gtVR++d2n1L4wYMBdLZfGLGScrB0tXJHA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=LNz74hGw; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="LNz74hGw" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1777969575; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=NXawfcaojucu47q8T9v3Cn51u7E3LXGsEZEr/+QqlTA=; b=LNz74hGw7v77jIN14agTfcJ0qEfAYVUiqr93xOLDJx9x6UpB08fjsRQKZSS/xdKcKCEXPR Y0YDhhiEIdwyRnpSqemzknYNdNMo44dLu9ra57NJXXqiEVSyKQxgGcwQlban8+ZVNV2YHQ PUyho0Vrgef9ODVX6leM1qE05dBs3jI= Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-335-5Nce664eOQmWqZyYUu9pmA-1; Tue, 05 May 2026 04:26:10 -0400 X-MC-Unique: 5Nce664eOQmWqZyYUu9pmA-1 X-Mimecast-MFC-AGG-ID: 5Nce664eOQmWqZyYUu9pmA_1777969566 Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 760721956095; Tue, 5 May 2026 08:26:05 +0000 (UTC) Received: from vschneid-thinkpadt14sgen2i.remote.csb (unknown [10.44.48.109]) by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id EB11B30001BE; Tue, 5 May 2026 08:25:52 +0000 (UTC) From: Valentin Schneider To: linux-kernel@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org Cc: Josh Poimboeuf , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , "H. Peter Anvin" , Andy Lutomirski , Peter Zijlstra , Arnaldo Carvalho de Melo , Paolo Bonzini , Arnd Bergmann , Frederic Weisbecker , "Paul E. McKenney" , Jason Baron , Steven Rostedt , Ard Biesheuvel , Sami Tolvanen , "David S. Miller" , Neeraj Upadhyay , Joel Fernandes , Josh Triplett , Boqun Feng , Uladzislau Rezki , Mathieu Desnoyers , Mel Gorman , Andrew Morton , Masahiro Yamada , Han Shen , Rik van Riel , Jann Horn , Dan Carpenter , Oleg Nesterov , Juri Lelli , Clark Williams , Tomas Glozar , Yair Podemsky , Marcelo Tosatti , Daniel Wagner , Petr Tesarik , Shrikanth Hegde Subject: [PATCH v9 06/10] objtool: Add .entry.text validation for static branches Date: Tue, 5 May 2026 10:23:51 +0200 Message-ID: <20260505082355.1982003-7-vschneid@redhat.com> In-Reply-To: <20260505082355.1982003-1-vschneid@redhat.com> References: <20260505082355.1982003-1-vschneid@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4 From: Josh Poimboeuf Warn about static branches in entry text, unless the corresponding key is RO-after-init. Signed-off-by: Josh Poimboeuf [Reduced to only .entry.text rather than .noinstr] Signed-off-by: Valentin Schneider --- include/linux/jump_label.h | 17 ++++--- include/linux/objtool.h | 16 ++++++ tools/objtool/Documentation/objtool.txt | 15 ++++++ tools/objtool/check.c | 65 ++++++++++++++++++++++++- tools/objtool/include/objtool/check.h | 2 + tools/objtool/include/objtool/elf.h | 3 +- tools/objtool/include/objtool/special.h | 1 + tools/objtool/special.c | 15 +++++- 8 files changed, 125 insertions(+), 9 deletions(-) diff --git a/include/linux/jump_label.h b/include/linux/jump_label.h index e05b4a52ba1b4..e39685061ebbe 100644 --- a/include/linux/jump_label.h +++ b/include/linux/jump_label.h @@ -76,6 +76,7 @@ #include #include #include +#include extern bool static_key_initialized; @@ -362,8 +363,9 @@ struct static_key_false { #define DEFINE_STATIC_KEY_TRUE(name) \ struct static_key_true name = STATIC_KEY_TRUE_INIT -#define DEFINE_STATIC_KEY_TRUE_RO(name) \ - struct static_key_true name __ro_after_init = STATIC_KEY_TRUE_INIT +#define DEFINE_STATIC_KEY_TRUE_RO(name) \ + struct static_key_true name __ro_after_init = STATIC_KEY_TRUE_INIT; \ + ANNOTATE_ENTRY_ALLOWED(name) #define DECLARE_STATIC_KEY_TRUE(name) \ extern struct static_key_true name @@ -371,8 +373,9 @@ struct static_key_false { #define DEFINE_STATIC_KEY_FALSE(name) \ struct static_key_false name = STATIC_KEY_FALSE_INIT -#define DEFINE_STATIC_KEY_FALSE_RO(name) \ - struct static_key_false name __ro_after_init = STATIC_KEY_FALSE_INIT +#define DEFINE_STATIC_KEY_FALSE_RO(name) \ + struct static_key_false name __ro_after_init = STATIC_KEY_FALSE_INIT; \ + ANNOTATE_ENTRY_ALLOWED(name) /* * Objtool will warn about static keys used in early entry code, as they may @@ -383,10 +386,12 @@ struct static_key_false { * definition with the rationale. */ #define DEFINE_STATIC_KEY_TRUE_ENTRY(name) \ - DEFINE_STATIC_KEY_TRUE(name) + DEFINE_STATIC_KEY_TRUE(name); \ + ANNOTATE_ENTRY_ALLOWED(name) #define DEFINE_STATIC_KEY_FALSE_ENTRY(name) \ - DEFINE_STATIC_KEY_FALSE(name) + DEFINE_STATIC_KEY_FALSE(name); \ + ANNOTATE_ENTRY_ALLOWED(name) #define DECLARE_STATIC_KEY_FALSE(name) \ extern struct static_key_false name diff --git a/include/linux/objtool.h b/include/linux/objtool.h index 9a00e701454c5..d738450897b3b 100644 --- a/include/linux/objtool.h +++ b/include/linux/objtool.h @@ -34,6 +34,19 @@ static void __used __section(".discard.func_stack_frame_non_standard") \ *__func_stack_frame_non_standard_##func = func +#define __ANNOTATE_ENTRY_ALLOWED(key) \ + static void __used __section(".discard.entry_allowed") \ + *__annotate_entry_allowed_##key = &key + +/* + * This is used to tell objtool that a given static key is safe to be used + * within .noinstr code, and it doesn't need to generate a warning about it. + * + * For more information, see tools/objtool/Documentation/objtool.txt, + * "non-RO static key usage in entry code" + */ +#define ANNOTATE_ENTRY_ALLOWED(key) __ANNOTATE_ENTRY_ALLOWED(key) + /* * STACK_FRAME_NON_STANDARD_FP() is a frame-pointer-specific function ignore * for the case where a function is intentionally missing frame pointer setup, @@ -111,6 +124,9 @@ #define UNWIND_HINT(type, sp_reg, sp_offset, signal) "\n\t" #define STACK_FRAME_NON_STANDARD(func) #define STACK_FRAME_NON_STANDARD_FP(func) +#define __ASM_ANNOTATE(label, type) "" +#define ASM_ANNOTATE(type) +#define ANNOTATE_ENTRY_ALLOWED(key) #else .macro UNWIND_HINT type:req sp_reg=0 sp_offset=0 signal=0 .endm diff --git a/tools/objtool/Documentation/objtool.txt b/tools/objtool/Documentation/objtool.txt index 9e97fc25b2d8a..7b92e85ab5e49 100644 --- a/tools/objtool/Documentation/objtool.txt +++ b/tools/objtool/Documentation/objtool.txt @@ -456,6 +456,21 @@ the objtool maintainers. these special names and does not use module_init() / module_exit() macros to create them. +vmlinux.o: warning: objtool: entry_SYSCALL_64+0x108: housekeeping_overridden: non-RO static key usage in entry code + +13. file.o: warning: func()+0x2a: key: non-RO static key usage in entry code + + This means that .entry.text function func() uses a static key named 'key' + which can be modified at runtime. This is discouraged because the jump + location may be accessed before a serializating operation has been + executed. + + Check whether the static key in question is only modified during init. If so, + define it as read-only-after-init with DEFINE_STATIC_KEY_*_RO(). + + Alternatively, if observing a stale/wrong value of the key isn't critical + (i.e. the system is in a transient state as lots of things are being updated), + you can mark it as safe with DEFINE_STATIC_KEY_*_ENTRY(). If the error doesn't seem to make sense, it could be a bug in objtool. Feel free to ask objtool maintainers for help. diff --git a/tools/objtool/check.c b/tools/objtool/check.c index 2bb927aa34047..1d976287af3ad 100644 --- a/tools/objtool/check.c +++ b/tools/objtool/check.c @@ -328,8 +328,10 @@ static void init_insn_state(struct objtool_file *file, struct insn_state *state, memset(state, 0, sizeof(*state)); init_cfi_state(&state->cfi); - if (opts.noinstr && sec) + if (opts.noinstr && sec) { state->noinstr = sec->noinstr; + state->entry = sec->entry; + } } static struct cfi_state *cfi_alloc(void) @@ -434,6 +436,9 @@ static int decode_instructions(struct objtool_file *file) !strncmp(sec->name, ".text..__x86.", 13)) sec->noinstr = true; + if (!strcmp(sec->name, ".entry.text")) + sec->entry= true; + /* * .init.text code is ran before userspace and thus doesn't * strictly need retpolines, except for modules which are @@ -1076,6 +1081,45 @@ static int create_sym_checksum_section(struct objtool_file *file) static int create_sym_checksum_section(struct objtool_file *file) { return -EINVAL; } #endif +static int read_entry_allowed(struct objtool_file *file) +{ + struct section *rsec; + struct symbol *sym; + struct reloc *reloc; + + rsec = find_section_by_name(file->elf, ".rela.discard.entry_allowed"); + if (!rsec) + return 0; + + for_each_reloc(rsec, reloc) { + switch (reloc->sym->type) { + case STT_OBJECT: + case STT_FUNC: + sym = reloc->sym; + break; + + case STT_SECTION: + sym = find_symbol_by_offset(reloc->sym->sec, + reloc_addend(reloc)); + if (!sym) { + WARN_FUNC(reloc->sym->sec, reloc_addend(reloc), + "can't find static key/call symbol"); + return -1; + } + break; + + default: + WARN("unexpected relocation symbol type in %s: %d", + rsec->name, reloc->sym->type); + return -1; + } + + sym->entry_allowed = 1; + } + + return 0; +} + /* * Warnings shouldn't be reported for ignored functions. */ @@ -1919,6 +1963,8 @@ static int handle_jump_alt(struct objtool_file *file, return -1; } + orig_insn->key = special_alt->key; + if (opts.hack_jump_label && special_alt->key_addend & 2) { struct reloc *reloc = insn_reloc(file, orig_insn); @@ -2700,6 +2746,9 @@ static int decode_sections(struct objtool_file *file) if (read_annotate(file, __annotate_late)) return -1; + if (read_entry_allowed(file)) + return -1; + return 0; } @@ -3598,6 +3647,17 @@ static int validate_return(struct symbol *func, struct instruction *insn, struct return 0; } +static int validate_static_key(struct instruction *insn, struct insn_state *state) +{ + if (state->entry && !insn->key->entry_allowed) { + WARN_INSN(insn, "%s: non-RO static key usage in entry code", + insn->key->name); + return 1; + } + + return 0; +} + static struct instruction *next_insn_to_validate(struct objtool_file *file, struct instruction *insn) { @@ -3861,6 +3921,9 @@ static int validate_insn(struct objtool_file *file, struct symbol *func, if (handle_insn_ops(insn, next_insn, statep)) return 1; + if (insn->key) + validate_static_key(insn, statep); + switch (insn->type) { case INSN_RETURN: diff --git a/tools/objtool/include/objtool/check.h b/tools/objtool/include/objtool/check.h index 5f2f77bd9b416..23b9c717bd20a 100644 --- a/tools/objtool/include/objtool/check.h +++ b/tools/objtool/include/objtool/check.h @@ -16,6 +16,7 @@ struct insn_state { bool uaccess; bool df; bool noinstr; + bool entry; s8 instr; }; @@ -97,6 +98,7 @@ struct instruction { struct symbol *sym; struct stack_op *stack_ops; struct cfi_state *cfi; + struct symbol *key; }; static inline struct symbol *insn_func(struct instruction *insn) diff --git a/tools/objtool/include/objtool/elf.h b/tools/objtool/include/objtool/elf.h index 25573e5af76ef..c05c441cf90df 100644 --- a/tools/objtool/include/objtool/elf.h +++ b/tools/objtool/include/objtool/elf.h @@ -51,7 +51,7 @@ struct section { Elf_Data *data; const char *name; int idx; - bool _changed, text, rodata, noinstr, init, truncate; + bool _changed, text, rodata, noinstr, init, truncate, entry; struct reloc *relocs; unsigned long nr_alloc_relocs; struct section *twin; @@ -89,6 +89,7 @@ struct symbol { u8 changed : 1; u8 included : 1; u8 klp : 1; + u8 entry_allowed : 1; struct list_head pv_target; struct reloc *relocs; struct section *group_sec; diff --git a/tools/objtool/include/objtool/special.h b/tools/objtool/include/objtool/special.h index 121c3761899c1..2298586a75479 100644 --- a/tools/objtool/include/objtool/special.h +++ b/tools/objtool/include/objtool/special.h @@ -18,6 +18,7 @@ struct special_alt { bool group; bool jump_or_nop; u8 key_addend; + struct symbol *key; struct section *orig_sec; unsigned long orig_off; diff --git a/tools/objtool/special.c b/tools/objtool/special.c index 2a533afbc69aa..adec1d0d8a5fe 100644 --- a/tools/objtool/special.c +++ b/tools/objtool/special.c @@ -111,13 +111,26 @@ static int get_alt_entry(struct elf *elf, const struct special_entry *entry, if (entry->key) { struct reloc *key_reloc; + struct symbol *key; + s64 key_addend; key_reloc = find_reloc_by_dest(elf, sec, offset + entry->key); if (!key_reloc) { ERROR_FUNC(sec, offset + entry->key, "can't find key reloc"); return -1; } - alt->key_addend = reloc_addend(key_reloc); + + key = key_reloc->sym; + key_addend = reloc_addend(key_reloc); + + if (key->type == STT_SECTION) + key = find_symbol_by_offset(key->sec, key_addend & ~3); + + /* embedded keys not supported */ + if (key) { + alt->key = key; + alt->key_addend = key_addend; + } } return 0; -- 2.52.0