From: Kees Cook <kees@kernel.org>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Kees Cook <kees@kernel.org>,
David Woodhouse <dwmw2@infradead.org>,
Nathan Chancellor <nathan@kernel.org>,
Vegard Nossum <vegard.nossum@oracle.com>,
Miguel Ojeda <ojeda@kernel.org>,
Linus Walleij <linus.walleij@linaro.org>,
Jeff Johnson <jeff.johnson@oss.qualcomm.com>,
Randy Dunlap <rdunlap@infradead.org>,
"Russell King (Oracle)" <rmk+kernel@armlinux.org.uk>,
Nick Desaulniers <nick.desaulniers+lkml@gmail.com>,
Bill Wendling <morbo@google.com>,
Justin Stitt <justinstitt@google.com>,
Marco Elver <elver@google.com>,
Przemek Kitszel <przemyslaw.kitszel@intel.com>,
Ramon de C Valle <rcvalle@google.com>,
Jonathan Corbet <corbet@lwn.net>,
"Paul E. McKenney" <paulmck@kernel.org>,
Nicolas Schier <nicolas.schier@linux.dev>,
Masahiro Yamada <masahiroy@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>,
Sami Tolvanen <samitolvanen@google.com>,
Mark Rutland <mark.rutland@arm.com>,
linux-kernel@vger.kernel.org, llvm@lists.linux.dev,
linux-doc@vger.kernel.org, linux-kbuild@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, x86@kernel.org,
linux-hardening@vger.kernel.org
Subject: [PATCH v2 6/9] x86/cfi: Remove __noinitretpoline and __noretpoline
Date: Wed, 3 Sep 2025 20:46:45 -0700 [thread overview]
Message-ID: <20250904034656.3670313-6-kees@kernel.org> (raw)
In-Reply-To: <20250904033217.it.414-kees@kernel.org>
Commit 66f793099a63 ("x86/retpoline: Avoid retpolines for built-in __init
functions") disabled retpolines in __init sections (__noinitretpoline)
as a precaution against potential issues with retpolines in early boot,
but it has not been a problem in practice (i.e. see Clang below).
Commit 87358710c1fb ("x86/retpoline: Support retpoline builds with Clang")
narrowed this to only GCC, as Clang doesn't have per-function control
over retpoline emission. As such, Clang has been booting with retpolines
in __init since retpoline support was introduced.
Clang KCFI has been instrumenting __init since CFI was introduced.
With the introduction of KCFI for GCC, KCFI instrumentation with
retpolines disabled means that objtool does not construct .retpoline_sites
section entries for the non-retpoline KCFI calls. At boot, the KCFI
rehashing code, via __apply_fineibt(), misses all __init KCFI calls
(since they are not retpolines), resulting in immediate hash mismatches:
all preambles are rehashed (via .cfi_sites) and none of the __init call
sites are rehashed.
Remove __noinitretpoline since it provides no meaningful utility and
creates problems with CFI. Additionally remove __noretpoline since it
is now unused.
Alternatively, cfi_rand_callers() could walk the .kcfi_traps section which
is exactly the list of KCFI instrumentation sites. But it seems better to
have as few differences in common instruction sequences between compilers
as possible, so better to remove the special handling of retpolines in
__init for GCC.
Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: David Woodhouse <dwmw2@infradead.org>
---
include/linux/compiler-gcc.h | 4 ----
include/linux/init.h | 8 --------
2 files changed, 12 deletions(-)
diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
index 5d07c469b571..5de824a0b3d7 100644
--- a/include/linux/compiler-gcc.h
+++ b/include/linux/compiler-gcc.h
@@ -35,10 +35,6 @@
(typeof(ptr)) (__ptr + (off)); \
})
-#ifdef CONFIG_MITIGATION_RETPOLINE
-#define __noretpoline __attribute__((__indirect_branch__("keep")))
-#endif
-
#if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__)
#define __latent_entropy __attribute__((latent_entropy))
#endif
diff --git a/include/linux/init.h b/include/linux/init.h
index a60d32d227ee..17c1bc712e23 100644
--- a/include/linux/init.h
+++ b/include/linux/init.h
@@ -7,13 +7,6 @@
#include <linux/stringify.h>
#include <linux/types.h>
-/* Built-in __init functions needn't be compiled with retpoline */
-#if defined(__noretpoline) && !defined(MODULE)
-#define __noinitretpoline __noretpoline
-#else
-#define __noinitretpoline
-#endif
-
/* These macros are used to mark some functions or
* initialized data (doesn't apply to uninitialized data)
* as `initialization' functions. The kernel can take this
@@ -50,7 +43,6 @@
/* These are for everybody (although not all archs will actually
discard it in modules) */
#define __init __section(".init.text") __cold __latent_entropy \
- __noinitretpoline \
__no_kstack_erase
#define __initdata __section(".init.data")
#define __initconst __section(".init.rodata")
--
2.34.1
next prev parent reply other threads:[~2025-09-04 3:46 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-04 3:46 [PATCH v2 0/9] kcfi: Prepare for GCC support Kees Cook
2025-09-04 3:46 ` [PATCH v2 1/9] compiler_types.h: Move __nocfi out of compiler-specific header Kees Cook
2025-09-04 18:28 ` Nathan Chancellor
2025-09-04 3:46 ` [PATCH v2 2/9] x86/traps: Clarify KCFI instruction layout Kees Cook
2025-09-04 3:46 ` [PATCH v2 3/9] x86/cfi: Document the "cfi=" bootparam options Kees Cook
2025-09-04 18:32 ` Nathan Chancellor
2025-09-04 3:46 ` [PATCH v2 4/9] x86/cfi: Standardize on common "CFI:" prefix for CFI reports Kees Cook
2025-09-04 18:40 ` Nathan Chancellor
2025-09-05 0:40 ` Kees Cook
2025-09-04 3:46 ` [PATCH v2 5/9] x86/cfi: Add "debug" option to "cfi=" bootparam Kees Cook
2025-09-04 7:00 ` Peter Zijlstra
2025-09-04 3:46 ` Kees Cook [this message]
2025-09-04 3:46 ` [PATCH v2 7/9] kconfig: Add transitional symbol attribute for migration support Kees Cook
2025-09-04 3:46 ` [PATCH v2 8/9] kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI Kees Cook
2025-09-04 3:46 ` [PATCH v2 9/9] ARM: traps: Implement KCFI trap handler for ARM32 Kees Cook
2025-09-04 7:04 ` [PATCH v2 0/9] kcfi: Prepare for GCC support Peter Zijlstra
2025-09-04 16:37 ` Kees Cook
2025-09-04 20:01 ` Peter Zijlstra
2025-09-05 0:42 ` Kees Cook
2025-09-05 7:44 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250904034656.3670313-6-kees@kernel.org \
--to=kees@kernel.org \
--cc=arnd@arndb.de \
--cc=corbet@lwn.net \
--cc=dwmw2@infradead.org \
--cc=elver@google.com \
--cc=jeff.johnson@oss.qualcomm.com \
--cc=justinstitt@google.com \
--cc=krzysztof.kozlowski@linaro.org \
--cc=linus.walleij@linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=mark.rutland@arm.com \
--cc=masahiroy@kernel.org \
--cc=morbo@google.com \
--cc=nathan@kernel.org \
--cc=nick.desaulniers+lkml@gmail.com \
--cc=nicolas.schier@linux.dev \
--cc=ojeda@kernel.org \
--cc=paulmck@kernel.org \
--cc=peterz@infradead.org \
--cc=przemyslaw.kitszel@intel.com \
--cc=rcvalle@google.com \
--cc=rdunlap@infradead.org \
--cc=rmk+kernel@armlinux.org.uk \
--cc=samitolvanen@google.com \
--cc=vegard.nossum@oracle.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).