From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <nsz@sourceware.org>
Received: by sourceware.org (Postfix, from userid 1944)
 id DF8F73857340; Wed, 20 Dec 2023 15:59:59 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org DF8F73857340
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
From: Szabolcs Nagy <nsz@sourceware.org>
To: bfd-cvs@sourceware.org
Subject: [binutils-gdb/binutils-2_41-branch] bfd: aarch64: Fix broken BTI stub
 PR30930
X-Act-Checkin: binutils-gdb
X-Git-Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
X-Git-Refname: refs/heads/binutils-2_41-branch
X-Git-Oldrev: 8b9de994244a85f6d87564a798e00d5acefa75b7
X-Git-Newrev: d00636070750a9be57eb5a24aca75a06efa93140
Message-Id: <20231220155959.DF8F73857340@sourceware.org>
Date: Wed, 20 Dec 2023 15:59:59 +0000 (GMT)
X-BeenThere: binutils-cvs@sourceware.org
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: Binutils-cvs mailing list <binutils-cvs.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/binutils-cvs>,
 <mailto:binutils-cvs-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/binutils-cvs/>
List-Help: <mailto:binutils-cvs-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/binutils-cvs>,
 <mailto:binutils-cvs-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Dec 2023 16:00:00 -0000

https://sourceware.org/git/gitweb.cgi?p=3Dbinutils-gdb.git;h=3Dd00636070750=
a9be57eb5a24aca75a06efa93140

commit d00636070750a9be57eb5a24aca75a06efa93140
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date:   Mon Oct 16 13:18:13 2023 +0100

    bfd: aarch64: Fix broken BTI stub PR30930
   =20
    Input sections are grouped together that can use the same stub area
    (within reach) and these groups have a stable id.
   =20
    Stubs have a name generated from the stub group id and target symbol.
    When a relocation requires a stub with a name that already exists, the
    stub is reused instead of adding a new one.
   =20
    For an indirect branch stub another BTI stub may be inserted near the
    target to provide a BTI landing pad.
   =20
    The BTI stub can end up with the same stub group id and thus the same
    name as the indirect stub. This happens if the target symbol is within
    reach of the indirect branch stub. Then, due to the name collision,
    only a single stub was emmitted which branched to itself causing an
    infinite loop at runtime.
   =20
    A possible solution is to just name the BTI stubs differently, but
    since in the problematic case the indirect and BTI stub are in the
    same stub area, a better solution is to emit a single stub with a
    direct branch. The stub is still needed since the caller cannot reach
    the target directly and we also want a BTI landing pad in the stub in
    case other indirect stubs target the same symbol and thus need a BTI
    stub.
   =20
    In short we convert an indirect branch stub into a BTI stub when the
    target is within reach and has no BTI. It is a hassle to change the
    symbol of the stub so a BTI stub may end up with *_veneer instead of
    *_bti_veneer after the conversion, but this should not matter much.
    (Refactoring some of _bfd_aarch64_add_call_stub_entries would be
    useful but too much for this bug fix patch.)
   =20
    The same conversion to direct branch could be done even if the target
    did not need a BTI. The stub groups are fixed in the current logic so
    linking can fail if too many stubs are inserted and the section layout
    is changed too much, but this only happens in extreme cases that can
    be reasonably ignored. Because of this the target cannot go out of
    reach during stub insertion so the optimization is valid, but not
    implemented by this patch for the non-BTI case.
   =20
    Fixes bug 30930.
   =20
    (cherry picked from commit d3a8dfdef0797244d0f2f3a8ec5db8f1dcf1337b)

Diff:
---
 bfd/elfnn-aarch64.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/bfd/elfnn-aarch64.c b/bfd/elfnn-aarch64.c
index a0dd17faa7e..798643ade7c 100644
--- a/bfd/elfnn-aarch64.c
+++ b/bfd/elfnn-aarch64.c
@@ -4638,9 +4638,22 @@ _bfd_aarch64_add_call_stub_entries (bool *stub_chang=
ed, bfd *output_bfd,
 		 insert another stub with direct jump near the target then.  */
 	      if (need_bti && !aarch64_bti_stub_p (stub_entry))
 		{
+		  id_sec_bti =3D htab->stub_group[sym_sec->id].link_sec;
+
+		  /* If the stub with indirect jump and the BTI stub are in
+		     the same stub group: change the indirect jump stub into
+		     a BTI stub since a direct branch can reach the target.
+		     The BTI landing pad is still needed in case another
+		     stub indirectly jumps to it.  */
+		  if (id_sec_bti =3D=3D id_sec)
+		    {
+		      stub_entry->stub_type =3D aarch64_stub_bti_direct_branch;
+		      goto skip_double_stub;
+		    }
+
 		  stub_entry->double_stub =3D true;
 		  htab->has_double_stub =3D true;
-		  id_sec_bti =3D htab->stub_group[sym_sec->id].link_sec;
+
 		  stub_name_bti =3D
 		    elfNN_aarch64_stub_name (id_sec_bti, sym_sec, hash, irela);
 		  if (!stub_name_bti)
@@ -4687,7 +4700,7 @@ _bfd_aarch64_add_call_stub_entries (bool *stub_change=
d, bfd *output_bfd,
 		  stub_entry->h =3D NULL;
 		  stub_entry->st_type =3D STT_FUNC;
 		}
-
+skip_double_stub:
 	      *stub_changed =3D true;
 	    }