diff options
author | Ard Biesheuvel <ardb@kernel.org> | 2024-01-10 14:26:20 +0100 |
---|---|---|
committer | Will Deacon <will@kernel.org> | 2024-01-12 12:47:19 +0000 |
commit | 8c5a19cb17a71e52303150335b459c7d2d28a155 (patch) | |
tree | 630c65317a8d350959b90fd2ac2f5c235402c3c1 /arch | |
parent | b95df3bd1ea31fadc9e1471a036b4c08199aa0f0 (diff) | |
download | linux-stable-8c5a19cb17a71e52303150335b459c7d2d28a155.tar.gz linux-stable-8c5a19cb17a71e52303150335b459c7d2d28a155.tar.bz2 linux-stable-8c5a19cb17a71e52303150335b459c7d2d28a155.zip |
arm64: scs: Work around full LTO issue with dynamic SCS
Full LTO takes the '-mbranch-protection=none' passed to the compiler
when generating the dynamic shadow call stack patching code as a hint to
stop emitting PAC instructions altogether. (Thin LTO appears unaffected
by this)
Work around this by stripping unwind tables from the object in question,
which should be sufficient to prevent the patching code from attempting
to patch itself.
Fixes: 3b619e22c460 ("arm64: implement dynamic shadow call stack for Clang")
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20240110132619.258809-2-ardb+git@google.com
Signed-off-by: Will Deacon <will@kernel.org>
Diffstat (limited to 'arch')
-rw-r--r-- | arch/arm64/kernel/Makefile | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile index d95b3d6b471a..e5d03a7039b4 100644 --- a/arch/arm64/kernel/Makefile +++ b/arch/arm64/kernel/Makefile @@ -73,7 +73,13 @@ obj-$(CONFIG_ARM64_MTE) += mte.o obj-y += vdso-wrap.o obj-$(CONFIG_COMPAT_VDSO) += vdso32-wrap.o obj-$(CONFIG_UNWIND_PATCH_PAC_INTO_SCS) += patch-scs.o -CFLAGS_patch-scs.o += -mbranch-protection=none + +# We need to prevent the SCS patching code from patching itself. Using +# -mbranch-protection=none here to avoid the patchable PAC opcodes from being +# generated triggers an issue with full LTO on Clang, which stops emitting PAC +# instructions altogether. So instead, omit the unwind tables used by the +# patching code, so it will not be able to locate its own PAC instructions. +CFLAGS_patch-scs.o += -fno-asynchronous-unwind-tables -fno-unwind-tables # Force dependency (vdso*-wrap.S includes vdso.so through incbin) $(obj)/vdso-wrap.o: $(obj)/vdso/vdso.so |