tools/objtool/arch/x86/decode.c | 8 ++++++++ 1 file changed, 8 insertions(+)
The encoding of an x86 instruction can include a ModR/M and a SIB
(Scale-Index-Base) byte to describe the addressing mode of the
instruction.
objtool processes all addressing mode with a SIB base of 5 as having
%rbp as the base register. However, a SIB base of 5 means that the
effective address has either no base (if ModR/M mod is zero) or %rbp
as the base (if ModR/M mod is 1 or 2). This can cause objtool to confuse
an absolute address access with a stack operation.
For example, objtool will see the following instruction:
4c 8b 24 25 e0 ff ff mov 0xffffffffffffffe0,%r12
as a stack operation (i.e. similar to: mov -0x20(%rbp), %r12).
[Note that this kind of weird absolute address access is added by the
compiler when using KASAN.]
If this perceived stack operation happens to reference the location
where %r12 was pushed on the stack then the objtool validation will
think that %r12 is being restored and this can cause a stack state
mismatch.
This kind behavior was seen on xfs code, after a minor change (convert
kmem_alloc() to kmalloc()):
>> fs/xfs/xfs.o: warning: objtool: xfs_da_grow_inode_int+0x6c1: stack state mismatch: reg1[12]=-2-48 reg2[12]=-1+0
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202402220435.MGN0EV6l-lkp@intel.com/
Signed-off-by: Alexandre Chartre <alexandre.chartre@oracle.com>
---
tools/objtool/arch/x86/decode.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/tools/objtool/arch/x86/decode.c b/tools/objtool/arch/x86/decode.c
index 3a1d80a7878d3..18a9140173326 100644
--- a/tools/objtool/arch/x86/decode.c
+++ b/tools/objtool/arch/x86/decode.c
@@ -412,6 +412,14 @@ int arch_decode_instruction(struct objtool_file *file, const struct section *sec
if (!rex_w)
break;
+ /*
+ * If the SIB base is 5, and ModRM mod is 0 then there
+ * is no base. But SIB decoding will set sib_base to
+ * CFI_BP (register 5).
+ */
+ if (have_SIB() && sib_base == CFI_BP && modrm_mod == 0)
+ break;
+
if (rm_is_mem(CFI_BP)) {
/* mov disp(%rbp), reg */
--
2.39.3On Thu, Mar 28, 2024 at 02:46:34PM +0100, Alexandre Chartre wrote: > The encoding of an x86 instruction can include a ModR/M and a SIB > (Scale-Index-Base) byte to describe the addressing mode of the > instruction. > > objtool processes all addressing mode with a SIB base of 5 as having > %rbp as the base register. However, a SIB base of 5 means that the > effective address has either no base (if ModR/M mod is zero) or %rbp > as the base (if ModR/M mod is 1 or 2). This can cause objtool to confuse > an absolute address access with a stack operation. > > For example, objtool will see the following instruction: > > 4c 8b 24 25 e0 ff ff mov 0xffffffffffffffe0,%r12 > > as a stack operation (i.e. similar to: mov -0x20(%rbp), %r12). > > [Note that this kind of weird absolute address access is added by the > compiler when using KASAN.] > > If this perceived stack operation happens to reference the location > where %r12 was pushed on the stack then the objtool validation will > think that %r12 is being restored and this can cause a stack state > mismatch. > > This kind behavior was seen on xfs code, after a minor change (convert > kmem_alloc() to kmalloc()): > > >> fs/xfs/xfs.o: warning: objtool: xfs_da_grow_inode_int+0x6c1: stack state mismatch: reg1[12]=-2-48 reg2[12]=-1+0 > > Reported-by: kernel test robot <lkp@intel.com> > Closes: https://lore.kernel.org/oe-kbuild-all/202402220435.MGN0EV6l-lkp@intel.com/ > Signed-off-by: Alexandre Chartre <alexandre.chartre@oracle.com> Nice, thanks for finding and debugging this. Would it make sense to make the check more generic by putting it into rm_is()? -- Josh
On 3/29/24 02:39, Josh Poimboeuf wrote: > On Thu, Mar 28, 2024 at 02:46:34PM +0100, Alexandre Chartre wrote: >> The encoding of an x86 instruction can include a ModR/M and a SIB >> (Scale-Index-Base) byte to describe the addressing mode of the >> instruction. >> >> objtool processes all addressing mode with a SIB base of 5 as having >> %rbp as the base register. However, a SIB base of 5 means that the >> effective address has either no base (if ModR/M mod is zero) or %rbp >> as the base (if ModR/M mod is 1 or 2). This can cause objtool to confuse >> an absolute address access with a stack operation. >> >> For example, objtool will see the following instruction: >> >> 4c 8b 24 25 e0 ff ff mov 0xffffffffffffffe0,%r12 >> >> as a stack operation (i.e. similar to: mov -0x20(%rbp), %r12). >> >> [Note that this kind of weird absolute address access is added by the >> compiler when using KASAN.] >> >> If this perceived stack operation happens to reference the location >> where %r12 was pushed on the stack then the objtool validation will >> think that %r12 is being restored and this can cause a stack state >> mismatch. >> >> This kind behavior was seen on xfs code, after a minor change (convert >> kmem_alloc() to kmalloc()): >> >>>> fs/xfs/xfs.o: warning: objtool: xfs_da_grow_inode_int+0x6c1: stack state mismatch: reg1[12]=-2-48 reg2[12]=-1+0 >> >> Reported-by: kernel test robot <lkp@intel.com> >> Closes: https://lore.kernel.org/oe-kbuild-all/202402220435.MGN0EV6l-lkp@intel.com/ >> Signed-off-by: Alexandre Chartre <alexandre.chartre@oracle.com> > > Nice, thanks for finding and debugging this. > > Would it make sense to make the check more generic by putting it into > rm_is()? > Yes. Making the change. Thanks, alex.
© 2016 - 2026 Red Hat, Inc.