* [PATCH 1/2] kbuild: add '-fno-stack-check' to barebox build options
From: Ahmad Fatoum @ 2021-02-23 7:24 UTC
To: barebox
This ports over Linux commit 3ce120b16cc5 ("kbuild: add
'-fno-stack-check' to kernel build options"):
    Author: Linus Torvalds <torvalds@linux-foundation.org>
    kbuild: add '-fno-stack-check' to kernel build options
    It appears that hardened gentoo enables "-fstack-check" by default for
    gcc.
    That doesn't work _at_all_ for the kernel, because the kernel stack
    doesn't act like a user stack at all: it's much smaller, and it doesn't
    auto-expand on use. So the extra "probe one page below the stack" code
    generated by -fstack-check just breaks the kernel in horrible ways,
    causing infinite double faults etc.
    [ I have to say, that the particular code gcc generates looks very
    stupid even for user space where it works, but that's a separate
    issue. ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
I am porting it, because it may become more acute with the incoming
support for multiple stacks (via initjmp).
Signed-off-by: Ahmad Fatoum <ahmad@a3f.at>
---
Makefile | 3 +++
1 file changed, 3 insertions(+)
diff --git a/Makefile b/Makefile
index f3c85cff9430..fa7fbbeb35f0 100644
--- a/Makefile
+++ b/Makefile
@@ -622,6 +622,9 @@ KBUILD_CFLAGS += $(call cc-option, -fno-delete-null-pointer-checks,)
# disable invalid "can't wrap" optimizations for signed / pointers
KBUILD_CFLAGS += $(call cc-option,-fno-strict-overflow)
+# Make sure -fstack-check isn't enabled (like gentoo apparently did)
+KBUILD_CFLAGS += $(call cc-option,-fno-stack-check)
+
KBUILD_CFLAGS += $(call cc-disable-warning, address-of-packed-member)
# Align the bit size of userspace programs with the kernel
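Review bot: The comment added above the `-fno-stack-check` line only records that Gentoo apparently enabled `-fstack-check`; it does not say why the option has to be off. The commit message carries the real reason (a small stack that does not auto-expand, so the probe below the stack faults, and the concern about multiple stacks via initjmp), and a one-line version of that in the Makefile comment would keep the flag from being dropped later as a stale distro workaround.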
--
2.30.0
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
* [PATCH 2/2] kbuild: add '-fcf-protection=none' to barebox build options
From: Ahmad Fatoum @ 2021-02-23 7:24 UTC
To: barebox
Ubuntu 19.10 enables this by default for x86 architectures. The option
instructs the compiler to generate a special nop instruction at all places
where execution may jump to. This not only means the incoming setjmp
implementations will need to be adjusted[1], but in case the option is
extended to expose similar features of other microarches, this could
lead to breakages there with newer compilers. The only safe way to use it
seems to be to disable it wholesale and enable it selectively for platforms
that are aware of it. So do the disabling part.
[1]: https://github.com/ipxe/ipxe/commit/e8393c372
Signed-off-by: Ahmad Fatoum <ahmad@a3f.at>
---
Makefile | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/Makefile b/Makefile
index fa7fbbeb35f0..261c68c1865d 100644
--- a/Makefile
+++ b/Makefile
@@ -625,6 +625,10 @@ KBUILD_CFLAGS += $(call cc-option,-fno-strict-overflow)
# Make sure -fstack-check isn't enabled (like gentoo apparently did)
KBUILD_CFLAGS += $(call cc-option,-fno-stack-check)
+# ensure -fcf-protection is disabled as it is incompatible with our sjlj
+# Platforms that have their setjmp appropriately implemented may override this
+KBUILD_CFLAGS += $(call cc-option,-fcf-protection=none)
+
KBUILD_CFLAGS += $(call cc-disable-warning, address-of-packed-member)
# Align the bit size of userspace programs with the kernel
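Review bot: The comment on the `-fcf-protection=none` line says platforms with a suitable setjmp "may override this", but the flag is appended to KBUILD_CFLAGS unconditionally and nothing in the hunk shows how an override is meant to happen. State the expected mechanism in the comment (for example, an architecture Makefile adding its own -fcf-protection value) and spell out "sjlj" as setjmp/longjmp. Because this switches off instrumentation that the commit message says a distribution compiler enables by default, noting that trade-off next to the flag would make the hardening decision visible where it is made.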
--
2.30.0
* Re: [PATCH 1/2] kbuild: add '-fno-stack-check' to barebox build options
From: Sascha Hauer @ 2021-02-24 8:49 UTC
To: Ahmad Fatoum; +Cc: barebox
On Tue, Feb 23, 2021 at 08:24:26AM +0100, Ahmad Fatoum wrote:
> This ports over Linux commit 3ce120b16cc5 ("kbuild: add
> '-fno-stack-check' to kernel build options"):
>
> Author: Linus Torvalds <torvalds@linux-foundation.org>
>
> kbuild: add '-fno-stack-check' to kernel build options
>
> It appears that hardened gentoo enables "-fstack-check" by default for
> gcc.
>
> That doesn't work _at_all_ for the kernel, because the kernel stack
> doesn't act like a user stack at all: it's much smaller, and it doesn't
> auto-expand on use. So the extra "probe one page below the stack" code
> generated by -fstack-check just breaks the kernel in horrible ways,
> causing infinite double faults etc.
>
> [ I have to say, that the particular code gcc generates looks very
> stupid even for user space where it works, but that's a separate
> issue. ]
>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>
> I am porting it, because it may become more acute with the incoming
> support for multiple stacks (via initjmp).
>
> Signed-off-by: Ahmad Fatoum <ahmad@a3f.at>
> ---
Applied, thanks
Sascha
> Makefile | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/Makefile b/Makefile
> index f3c85cff9430..fa7fbbeb35f0 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -622,6 +622,9 @@ KBUILD_CFLAGS += $(call cc-option, -fno-delete-null-pointer-checks,)
> # disable invalid "can't wrap" optimizations for signed / pointers
> KBUILD_CFLAGS += $(call cc-option,-fno-strict-overflow)
>
> +# Make sure -fstack-check isn't enabled (like gentoo apparently did)
> +KBUILD_CFLAGS += $(call cc-option,-fno-stack-check)
> +
> KBUILD_CFLAGS += $(call cc-disable-warning, address-of-packed-member)
>
> # Align the bit size of userspace programs with the kernel
> --
> 2.30.0
>
>
> _______________________________________________
> barebox mailing list
> barebox@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/barebox
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* Re: [PATCH 1/2] kbuild: add '-fno-stack-check' to barebox build options
From: Ahmad Fatoum @ 2021-03-16 19:10 UTC
To: Sascha Hauer, Ahmad Fatoum; +Cc: barebox
Hello Sascha,
On 24.02.21 09:49, Sascha Hauer wrote:
> On Tue, Feb 23, 2021 at 08:24:26AM +0100, Ahmad Fatoum wrote:
>> This ports over Linux commit 3ce120b16cc5 ("kbuild: add
>> '-fno-stack-check' to kernel build options"):
>>
>> Author: Linus Torvalds <torvalds@linux-foundation.org>
>>
>> kbuild: add '-fno-stack-check' to kernel build options
>>
>> It appears that hardened gentoo enables "-fstack-check" by default for
>> gcc.
>>
>> That doesn't work _at_all_ for the kernel, because the kernel stack
>> doesn't act like a user stack at all: it's much smaller, and it doesn't
>> auto-expand on use. So the extra "probe one page below the stack" code
>> generated by -fstack-check just breaks the kernel in horrible ways,
>> causing infinite double faults etc.
>>
>> [ I have to say, that the particular code gcc generates looks very
>> stupid even for user space where it works, but that's a separate
>> issue. ]
>>
>> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>>
>> I am porting it, because it may become more acute with the incoming
>> support for multiple stacks (via initjmp).
>>
>> Signed-off-by: Ahmad Fatoum <ahmad@a3f.at>
>> ---
>
> Applied, thanks
Can't find both patches in next.
Cheers,
Ahmad
>
> Sascha
>
>> Makefile | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/Makefile b/Makefile
>> index f3c85cff9430..fa7fbbeb35f0 100644
>> --- a/Makefile
>> +++ b/Makefile
>> @@ -622,6 +622,9 @@ KBUILD_CFLAGS += $(call cc-option, -fno-delete-null-pointer-checks,)
>> # disable invalid "can't wrap" optimizations for signed / pointers
>> KBUILD_CFLAGS += $(call cc-option,-fno-strict-overflow)
>>
>> +# Make sure -fstack-check isn't enabled (like gentoo apparently did)
>> +KBUILD_CFLAGS += $(call cc-option,-fno-stack-check)
>> +
>> KBUILD_CFLAGS += $(call cc-disable-warning, address-of-packed-member)
>>
>> # Align the bit size of userspace programs with the kernel
>> --
>> 2.30.0
>>
>>
>> _______________________________________________
>> barebox mailing list
>> barebox@lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/barebox
>>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* Re: [PATCH 1/2] kbuild: add '-fno-stack-check' to barebox build options
From: Sascha Hauer @ 2021-03-22 5:12 UTC
To: Ahmad Fatoum; +Cc: Ahmad Fatoum, barebox
On Tue, Mar 16, 2021 at 08:10:45PM +0100, Ahmad Fatoum wrote:
> Hello Sascha,
>
> On 24.02.21 09:49, Sascha Hauer wrote:
> > On Tue, Feb 23, 2021 at 08:24:26AM +0100, Ahmad Fatoum wrote:
> >> This ports over Linux commit 3ce120b16cc5 ("kbuild: add
> >> '-fno-stack-check' to kernel build options"):
> >>
> >> Author: Linus Torvalds <torvalds@linux-foundation.org>
> >>
> >> kbuild: add '-fno-stack-check' to kernel build options
> >>
> >> It appears that hardened gentoo enables "-fstack-check" by default for
> >> gcc.
> >>
> >> That doesn't work _at_all_ for the kernel, because the kernel stack
> >> doesn't act like a user stack at all: it's much smaller, and it doesn't
> >> auto-expand on use. So the extra "probe one page below the stack" code
> >> generated by -fstack-check just breaks the kernel in horrible ways,
> >> causing infinite double faults etc.
> >>
> >> [ I have to say, that the particular code gcc generates looks very
> >> stupid even for user space where it works, but that's a separate
> >> issue. ]
> >>
> >> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> >>
> >> I am porting it, because it may become more acute with the incoming
> >> support for multiple stacks (via initjmp).
> >>
> >> Signed-off-by: Ahmad Fatoum <ahmad@a3f.at>
> >> ---
> >
> > Applied, thanks
>
> Can't find both patches in next.
They should be there now.
Sascha
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |