This is a note to let you know that I've just added the patch titled
objtool, retpolines: Integrate objtool with retpoline support more closely
to the 4.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
objtool-retpolines-integrate-objtool-with-retpoline-support-more-closely.patch
and it can be found in the queue-4.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From d5028ba8ee5a18c9d0bb926d883c28b370f89009 Mon Sep 17 00:00:00 2001
From: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
Date: Tue, 6 Feb 2018 09:46:13 +0100
Subject: objtool, retpolines: Integrate objtool with retpoline support more closely
From: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
commit d5028ba8ee5a18c9d0bb926d883c28b370f89009 upstream.
Disable retpoline validation in objtool if your compiler sucks, and otherwise
select the validation stuff for CONFIG_RETPOLINE=y (most builds would already
have it set due to ORC).
Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>
Acked-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: Andy Lutomirski <luto@xxxxxxxxxx>
Cc: Arjan van de Ven <arjan@xxxxxxxxxxxxxxx>
Cc: Borislav Petkov <bp@xxxxxxxxx>
Cc: Dan Williams <dan.j.williams@xxxxxxxxx>
Cc: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
Cc: David Woodhouse <dwmw2@xxxxxxxxxxxxx>
Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Cc: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
Signed-off-by: Ingo Molnar <mingo@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
Makefile | 5 +++++
arch/x86/Kconfig | 1 +
arch/x86/Makefile | 10 +++-------
scripts/Makefile.build | 2 ++
4 files changed, 11 insertions(+), 7 deletions(-)
--- a/Makefile
+++ b/Makefile
@@ -487,6 +487,11 @@ KBUILD_CFLAGS += $(CLANG_TARGET) $(CLANG
KBUILD_AFLAGS += $(CLANG_TARGET) $(CLANG_GCC_TC)
endif
+RETPOLINE_CFLAGS_GCC := -mindirect-branch=thunk-extern -mindirect-branch-register
+RETPOLINE_CFLAGS_CLANG := -mretpoline-external-thunk
+RETPOLINE_CFLAGS := $(call cc-option,$(RETPOLINE_CFLAGS_GCC),$(call cc-option,$(RETPOLINE_CFLAGS_CLANG)))
+export RETPOLINE_CFLAGS
+
ifeq ($(config-targets),1)
# ===========================================================================
# *config targets only - make sure prerequisites are updated, and descend
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -432,6 +432,7 @@ config GOLDFISH
config RETPOLINE
bool "Avoid speculative indirect branches in kernel"
default y
+ select STACK_VALIDATION if HAVE_STACK_VALIDATION
help
Compile kernel with the retpoline compiler options to guard against
kernel-to-user data leaks by avoiding speculative indirect
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -232,13 +232,9 @@ KBUILD_CFLAGS += -fno-asynchronous-unwin
# Avoid indirect branches in kernel to deal with Spectre
ifdef CONFIG_RETPOLINE
- RETPOLINE_CFLAGS_GCC := -mindirect-branch=thunk-extern -mindirect-branch-register
- RETPOLINE_CFLAGS_CLANG := -mretpoline-external-thunk
-
- RETPOLINE_CFLAGS += $(call cc-option,$(RETPOLINE_CFLAGS_GCC),$(call cc-option,$(RETPOLINE_CFLAGS_CLANG)))
- ifneq ($(RETPOLINE_CFLAGS),)
- KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) -DRETPOLINE
- endif
+ifneq ($(RETPOLINE_CFLAGS),)
+ KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) -DRETPOLINE
+endif
endif
archscripts: scripts_basic
--- a/scripts/Makefile.build
+++ b/scripts/Makefile.build
@@ -267,8 +267,10 @@ else
objtool_args += $(call cc-ifversion, -lt, 0405, --no-unreachable)
endif
ifdef CONFIG_RETPOLINE
+ifneq ($(RETPOLINE_CFLAGS),)
objtool_args += --retpoline
endif
+endif
ifdef CONFIG_MODVERSIONS
Patches currently in stable-queue which might be from peterz@xxxxxxxxxxxxx are
queue-4.15/x86-kprobes-fix-kernel-crash-when-probing-.entry_trampoline-code.patch
queue-4.15/objtool-fix-32-bit-build.patch
queue-4.15/x86-boot-objtool-annotate-indirect-jump-in-secondary_startup_64.patch
queue-4.15/objtool-add-module-specific-retpoline-rules.patch
queue-4.15/x86-retpoline-support-retpoline-builds-with-clang.patch
queue-4.15/x86-ldt-avoid-warning-in-32-bit-builds-with-older-gcc.patch
queue-4.15/x86-entry-reduce-the-code-footprint-of-the-idtentry-macro.patch
queue-4.15/objtool-retpolines-integrate-objtool-with-retpoline-support-more-closely.patch
queue-4.15/bug-use-pb-in-bug-and-stack-protector-failure.patch
queue-4.15/revert-x86-retpoline-simplify-vmexit_fill_rsb.patch
queue-4.15/nospec-include-asm-barrier.h-dependency.patch
queue-4.15/x86-mm-remove-stale-comment-about-kmemcheck.patch
queue-4.15/objtool-add-retpoline-validation.patch
queue-4.15/x86-mm-sme-objtool-annotate-indirect-call-in-sme_encrypt_execute.patch
queue-4.15/x86-speculation-use-ibrs-if-available-before-calling-into-firmware.patch
queue-4.15/x86-asm-improve-how-gen_-_suffixed_rmwcc-specify-clobbers.patch
queue-4.15/x86-64-realmode-add-instruction-suffix.patch
queue-4.15/objtool-fix-another-switch-table-detection-issue.patch
queue-4.15/x86-speculation-move-firmware_restrict_branch_speculation_-from-c-to-cpp.patch
queue-4.15/x86-speculation-objtool-annotate-indirect-calls-jumps-for-objtool.patch
queue-4.15/x86-paravirt-objtool-annotate-indirect-calls.patch
queue-4.15/objtool-use-existing-global-variables-for-options.patch
queue-4.15/x86-entry-64-use-xorl-for-faster-register-clearing.patch
queue-4.15/nospec-kill-array_index_nospec_mask_check.patch
queue-4.15/lib-bug.c-exclude-non-bug-warn-exceptions-from-report_bug.patch
queue-4.15/x86-io-apic-avoid-warning-in-32-bit-builds.patch