[PATCH 0/2] arm64: Fix for dynamic SCS under full LTO take #2

[PATCH 0/2] arm64: Fix for dynamic SCS under full LTO take #2

[Ard Biesheuvel]

From: Ard Biesheuvel <ardb@kernel.org>

Disabling unwind table generation turns out not to fix the issue with
full LTO and dynamic shadow call stack, as reported by Sami. So instead,
disable LTO for the compilation unit in question.

Implemented as a revert + new patch so that only the real fix needs to
go to -stable.

Cc: Sami Tolvanen <samitolvanen@google.com>
Cc: Kees Cook <keescook@chromium.org>

Ard Biesheuvel (2):
  arm64: Revert "scs: Work around full LTO issue with dynamic SCS"
  arm64: scs: Disable LTO for SCS patching code

 arch/arm64/kernel/Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

-- 
2.43.0.429.g432eaa2c6b-goog


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH 1/2] arm64: Revert "scs: Work around full LTO issue with dynamic SCS"

[Ard Biesheuvel]

From: Ard Biesheuvel <ardb@kernel.org>

This reverts commit 8c5a19cb17a71e ("arm64: scs: Work around full LTO
issue with dynamic SCS"), which did not quite fix the issue as intended.
Apparently, -fno-unwind-tables is ignored for the final full LTO link
when it is set on any of the objects, resulting in an early boot crash
due to the SCS patching code patching itself, and attempting to pop the
return address from the shadow stack while the associated push was still
a PACIASP instruction when it executed.

Reported-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 arch/arm64/kernel/Makefile | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile
index e5d03a7039b4..d95b3d6b471a 100644
--- a/arch/arm64/kernel/Makefile
+++ b/arch/arm64/kernel/Makefile
@@ -73,13 +73,7 @@ obj-$(CONFIG_ARM64_MTE)			+= mte.o
 obj-y					+= vdso-wrap.o
 obj-$(CONFIG_COMPAT_VDSO)		+= vdso32-wrap.o
 obj-$(CONFIG_UNWIND_PATCH_PAC_INTO_SCS)	+= patch-scs.o
-
-# We need to prevent the SCS patching code from patching itself. Using
-# -mbranch-protection=none here to avoid the patchable PAC opcodes from being
-# generated triggers an issue with full LTO on Clang, which stops emitting PAC
-# instructions altogether. So instead, omit the unwind tables used by the
-# patching code, so it will not be able to locate its own PAC instructions.
-CFLAGS_patch-scs.o			+= -fno-asynchronous-unwind-tables -fno-unwind-tables
+CFLAGS_patch-scs.o			+= -mbranch-protection=none
 
 # Force dependency (vdso*-wrap.S includes vdso.so through incbin)
 $(obj)/vdso-wrap.o: $(obj)/vdso/vdso.so
-- 
2.43.0.429.g432eaa2c6b-goog


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH 2/2] arm64: scs: Disable LTO for SCS patching code

[Ard Biesheuvel]

From: Ard Biesheuvel <ardb@kernel.org>

Full LTO takes the '-mbranch-protection=none' passed to the compiler
when generating the dynamic shadow call stack patching code as a hint to
stop emitting PAC instructions altogether. (Thin LTO appears unaffected
by this)

Work around this by disabling LTO for the compilation unit, which
appears to convince the linker that it should still use PAC in the rest
of the kernel..

Fixes: 3b619e22c460 ("arm64: implement dynamic shadow call stack for Clang")
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 arch/arm64/kernel/Makefile | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile
index d95b3d6b471a..467cb7117273 100644
--- a/arch/arm64/kernel/Makefile
+++ b/arch/arm64/kernel/Makefile
@@ -73,7 +73,13 @@ obj-$(CONFIG_ARM64_MTE)			+= mte.o
 obj-y					+= vdso-wrap.o
 obj-$(CONFIG_COMPAT_VDSO)		+= vdso32-wrap.o
 obj-$(CONFIG_UNWIND_PATCH_PAC_INTO_SCS)	+= patch-scs.o
+
+# We need to prevent the SCS patching code from patching itself. Using
+# -mbranch-protection=none here to avoid the patchable PAC opcodes from being
+# generated triggers an issue with full LTO on Clang, which stops emitting PAC
+# instructions altogether. So disable LTO as well for the compilation unit.
 CFLAGS_patch-scs.o			+= -mbranch-protection=none
+CFLAGS_REMOVE_patch-scs.o		+= $(CC_FLAGS_LTO)
 
 # Force dependency (vdso*-wrap.S includes vdso.so through incbin)
 $(obj)/vdso-wrap.o: $(obj)/vdso/vdso.so
-- 
2.43.0.429.g432eaa2c6b-goog


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH 0/2] arm64: Fix for dynamic SCS under full LTO take #2

[Sami Tolvanen]

Hi Ard,

On Tue, Jan 23, 2024 at 1:31 PM Ard Biesheuvel <ardb+git@google.com> wrote:
>
> From: Ard Biesheuvel <ardb@kernel.org>
>
> Disabling unwind table generation turns out not to fix the issue with
> full LTO and dynamic shadow call stack, as reported by Sami. So instead,
> disable LTO for the compilation unit in question.
>
> Implemented as a revert + new patch so that only the real fix needs to
> go to -stable.
>
> Cc: Sami Tolvanen <samitolvanen@google.com>
> Cc: Kees Cook <keescook@chromium.org>
>
> Ard Biesheuvel (2):
>   arm64: Revert "scs: Work around full LTO issue with dynamic SCS"
>   arm64: scs: Disable LTO for SCS patching code
>
>  arch/arm64/kernel/Makefile | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)

Thanks for the patches! I confirmed that this fixes the boot issue I was seeing.

Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Tested-by: Sami Tolvanen <samitolvanen@google.com>

Sami

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH 0/2] arm64: Fix for dynamic SCS under full LTO take #2

[Kees Cook]

On Tue, Jan 23, 2024 at 02:30:53PM +0100, Ard Biesheuvel wrote:
> From: Ard Biesheuvel <ardb@kernel.org>
> 
> Disabling unwind table generation turns out not to fix the issue with
> full LTO and dynamic shadow call stack, as reported by Sami. So instead,
> disable LTO for the compilation unit in question.
> 
> Implemented as a revert + new patch so that only the real fix needs to
> go to -stable.
> 
> Cc: Sami Tolvanen <samitolvanen@google.com>
> Cc: Kees Cook <keescook@chromium.org>
> 
> Ard Biesheuvel (2):
>   arm64: Revert "scs: Work around full LTO issue with dynamic SCS"
>   arm64: scs: Disable LTO for SCS patching code
> 
>  arch/arm64/kernel/Makefile | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)

Thanks for figuring this out!

Reviewed-by: Kees Cook <keescook@chromium.org>

-- 
Kees Cook

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH 0/2] arm64: Fix for dynamic SCS under full LTO take #2

[Will Deacon]

On Tue, 23 Jan 2024 14:30:53 +0100, Ard Biesheuvel wrote:
> From: Ard Biesheuvel <ardb@kernel.org>
> 
> Disabling unwind table generation turns out not to fix the issue with
> full LTO and dynamic shadow call stack, as reported by Sami. So instead,
> disable LTO for the compilation unit in question.
> 
> Implemented as a revert + new patch so that only the real fix needs to
> go to -stable.
> 
> [...]

Applied to arm64 (for-next/fixes), thanks!

[1/2] arm64: Revert "scs: Work around full LTO issue with dynamic SCS"
      https://git.kernel.org/arm64/c/2fa28abd1090
[2/2] arm64: scs: Disable LTO for SCS patching code
      https://git.kernel.org/arm64/c/d104a6fef3fe

Cheers,
-- 
Will

https://fixes.arm64.dev
https://next.arm64.dev
https://will.arm64.dev

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel