Date: Wed, 10 Aug 2022 15:24:40 -0700
In-Reply-To: <20220809013653.xtmeekefwkbo46vk@google.com>
Message-Id: <20220810222442.2296651-1-ndesaulniers@google.com>
References: <20220809013653.xtmeekefwkbo46vk@google.com>
Subject: [PATCH v2 1/2] Makefile: link with -z noexecstack --no-warn-rwx-segments
From: Nick Desaulniers
To: Masahiro Yamada, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen
Cc: Fangrui Song, Linus Torvalds, Nick Clifton, axboe@kernel.dk, brijesh.singh@amd.com, hpa@zytor.com, kirill.shutemov@linux.intel.com, linux-kernel@vger.kernel.org, llvm@lists.linux.dev, michael.roth@amd.com, n.schier@avm.de, nathan@kernel.org, sathyanarayanan.kuppuswamy@linux.intel.com, trix@redhat.com, x86@kernel.org, Nick Desaulniers, Michal Marek, linux-kbuild@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

Users of GNU ld (BFD) from binutils 2.39+ will observe multiple
instances of a new warning when linking kernels in the form:

  ld: warning: vmlinux: missing .note.GNU-stack section implies executable stack
  ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
  ld: warning: vmlinux has a LOAD segment with RWX permissions

Generally, we would like to avoid the stack being executable. Because
there could be a need for the stack to be executable, assembler sources
have to opt-in to this security feature via explicit creation of the
.note.GNU-stack feature (which compilers create by default) or command
line flag --noexecstack. Or we can simply tell the linker the
production of such sections is irrelevant and to link the stack as
--noexecstack.

LLVM's LLD linker defaults to -z noexecstack, so this flag isn't
strictly necessary when linking with LLD, only BFD, but it doesn't hurt
to be explicit here for all linkers IMO.

--no-warn-rwx-segments is currently BFD specific and only available in the current latest release, so it's wrapped in an ld-option check. While the kernel makes extensive usage of ELF sections, it doesn't use permissions from ELF segments. Link: https://lore.kernel.org/linux-block/3af4127a-f453-4cf7-f133-a181cce06f73@kernel.dk/ Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 Link: https://github.com/llvm/llvm-project/issues/57009 Reported-by: Jens Axboe Suggested-by: Fangrui Song Signed-off-by: Nick Desaulniers --- Makefile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Makefile b/Makefile index dc6295f91263..230e6e7679f9 100644 --- a/Makefile +++ b/Makefile @@ -1033,6 +1033,11 @@ KBUILD_CFLAGS += $(KCFLAGS) KBUILD_LDFLAGS_MODULE += --build-id=sha1 LDFLAGS_vmlinux += --build-id=sha1 +KBUILD_LDFLAGS += -z noexecstack +ifeq ($(CONFIG_LD_IS_BFD),y) +KBUILD_LDFLAGS += $(call ld-option,--no-warn-rwx-segments) +endif + ifeq ($(CONFIG_STRIP_ASM_SYMS),y) LDFLAGS_vmlinux += $(call ld-option, -X,) endif -- 2.37.1.559.g78731f0fdb-goog
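
Review bot: The `--no-warn-rwx-segments` line inside the `ifeq ($(CONFIG_LD_IS_BFD),y)` block silences the RWX LOAD segment warning for every link that uses KBUILD_LDFLAGS, yet the reason this is acceptable (the kernel does not use permissions from ELF segments) is recorded only in the commit message. A short Makefile comment above the block stating that rationale, and that the flag is BFD-only, would keep a later reader from treating it as an unexplained suppression of a security warning. The unconditional `KBUILD_LDFLAGS += -z noexecstack` line could carry the same kind of one-line comment noting that it is redundant for LLD but needed for BFD.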