Received: by 2002:a05:7412:e794:b0:fa:551:50a7 with SMTP id o20csp535867rdd; Tue, 9 Jan 2024 11:25:30 -0800 (PST) X-Google-Smtp-Source: AGHT+IGpwQfMnxulDB9xjflL/8EUeNtFo0HDwaDEvdZcDINlsYxCW+JQamSagseN6PMXUzwp03Vd X-Received: by 2002:a05:6a20:8426:b0:199:f7ce:2fa7 with SMTP id c38-20020a056a20842600b00199f7ce2fa7mr1714173pzd.9.1704828330505; Tue, 09 Jan 2024 11:25:30 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1704828330; cv=none; d=google.com; s=arc-20160816; b=xEm0/4H0Z8hh7gT2xjTo1n6T5BN1UCHKoPrAePBKOimgaU6aCKrAAbAAs3O7HRMeFc g9TeQzGAZLzM7sxL0ww2KqcEX3rx7tMH7cgGSSkEbaZ8GRFNjRYghYOSKZBkCD3lQWBj DzsgG0t9cMmGORBmmhXaa/QPzYv/MMKDBwIKEiYv9DrNPCJi/4kXGSoCTuxK6jt/c33M wGa7z+kmQghdqTUprLf9J52Bx2HF1/S3MBYyJ7hhkg3bn7hhc2J3L+lZdiXnJuJJfnmA 3MLAt8BzRRswwoPHcRg7rZSDJB8SMQvCqILT8eLnfJHbPvLCXWbqGHdIfWkWS3Tk14FN 5qWA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=YCvYT6O6wllBKAmEYaqpyZ7/4XulP45RUeq+fu7kKhY=; fh=31e6l7jGqrylDzNd/PAYKFTYnL5bDAqj08TUdsm43KI=; b=WlxC6leI+1tu1aRNeqDnafjbkAcv1b6wHZ3F0R/VVhNR+ymXP4gOPR+QwlS252yLY0 Jcmb5hZovsPgJ3pPJ+WV3rH9GJXXF6gcRdDGvrvXDyzLqBi9yuDVtG2exaMX3KzghBkR 8Bz0tBQDJJ++gyWxOamV3x+RWOuyfIrm+KWkSF0b9i+ddGz7S9eAtey5OOqYrexZvHN9 Dx1D1CDgNsp2TzBmd1hmt2RUPYB87shqRpTVGNCXn+Hb+cLfPEQ0Gwp1jk0ReeHpYoKL Ozpa24NpbxghosqkCqAU7Rr9q32OwvIGS1yIZGk/M+H+WBvuRfhHlnXJ+ISu121ip4Gp GxGQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=QJ8+UsGX; spf=pass (google.com: domain of linux-kernel+bounces-21304-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-21304-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id j16-20020a635510000000b005b8f61fcba6si1903523pgb.452.2024.01.09.11.25.30 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 09 Jan 2024 11:25:30 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-21304-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=QJ8+UsGX; spf=pass (google.com: domain of linux-kernel+bounces-21304-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-21304-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 2FEDFB212BC for ; Tue, 9 Jan 2024 19:25:01 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 60D573D384; Tue, 9 Jan 2024 19:24:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="QJ8+UsGX" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 99E5F3D386 for ; Tue, 9 Jan 2024 19:24:50 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id AB0D7C433C7; Tue, 9 Jan 2024 19:24:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1704828290; bh=/e9LxDb1CBh13mkApPvc0HzMekgrbaSLhIJ+IzmwCr8=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=QJ8+UsGXQ6cna6NfLoEciCG+JmeOweL+lgMYkfYYfscf31yDcwY1Rz0scgfortsVU aPsoCqOcNJULN+cjtkofcqwZUsRGCkRo2FLKrX1EXNEm6O+eQ+D6J/lwegVW3AycV7 4rvUthtxd0zFZNwsfguIRIJ84MR/tuX0IAiaiA85v/soaoT9naKeGqld84XJF+NDRK I/GvJkDfrxQV9KnpthMcqEObXARl8OVMMA08H9FSAmEx0qmCII+Ic3XQK8M0X6kiwY aRhbAj0OgbXGRyCD2sQcZmOCC/eMieATf8sfhH2rDVT7XnSHU60Muh0HTZtkOPidwq 3h6ewk2OvlbHQ== Date: Tue, 9 Jan 2024 11:24:47 -0800 From: Josh Poimboeuf To: Ingo Molnar Cc: Dimitri John Ledkov , peterz@infradead.org, x86@kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v2 1/3] objtool: Make objtool check actually fatal upon fatal errors Message-ID: <20240109192447.yhl37mwaw5jdkxjs@treble> References: <20231213134303.2302285-1-dimitri.ledkov@canonical.com> <20231213134303.2302285-2-dimitri.ledkov@canonical.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: On Mon, Jan 08, 2024 at 10:15:34AM +0100, Ingo Molnar wrote: > > * Dimitri John Ledkov wrote: > > > Currently function calls within check() are sensitive to fatal errors > > (negative return codes) and abort execution prematurely. However, in > > all such cases the check() function still returns 0, and thus > > resulting in a successful kernel build. > > > > The only correct code paths were the ones that escpae the control flow > > with `return ret`. > > > > Make the check() function return `ret` status code, and make all > > negative return codes goto that instruction. This makes fatal errors > > (not warnings) from various function calls actually fail the > > build. E.g. if create_retpoline_sites_sections() fails to create elf > > section pair retpoline_sites the tool now exits with an error code. > > > > Signed-off-by: Dimitri John Ledkov > > So, is this not expected to be the case anymore: > > > out: > > - /* > > - * For now, don't fail the kernel build on fatal warnings. These > > - * errors are still fairly common due to the growing matrix of > > - * supported toolchains and their recent pace of change. > > - */ > > - return 0; > > ? > > How about making it only fatal if CONFIG_WERROR=y, ie. an analogue to our > treatment of compiler warnings? Objtool has two classes of warnings: 1) "fatal" - allocation failures - CFG recreation failures - annotation parsing errors - other objtool bugs 2) non-"fatal": - missing security features (retpolines, IBT, SLS INT3) - unreachable instructions (note this warning may indicate more serious issues like an incomplete or buggy objtool CFG) The first class of "warning" is actually an error. It means objtool couldn't reasonably continue, so it exited early. I'm thinking this should always fail the build so it can be reported and fixed ASAP. We tried doing that before, but ending up reverting it (for raisins). We should try again (as per the above patch). The second class of warning, though it doesn't abort objtool, can still be quite serious. Ignoring it can fail the boot, or can expose the user to certain attacks. My proposal would be to always fail for #1, and to make #2 dependent on CONFIG_WERROR. Note the latter may be problematic at the moment due to some outstanding warnings reported by Arnd and randconfig build bots. I try to fix those when I can, but any help would be appreciated. -- Josh