From: Segher Boessenkool <segher@kernel.crashing.org>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: Kees Cook <keescook@chromium.org>,
Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>,
Nick Desaulniers <ndesaulniers@google.com>,
Alexandre Chartre <alexandre.chartre@oracle.com>,
kbuild-all@lists.01.org,
clang-built-linux <clang-built-linux@googlegroups.com>,
linux-toolchains@vger.kernel.org,
kernel test robot <lkp@intel.com>,
Arvind Sankar <nivedita@alum.mit.edu>
Subject: Re: [RFC][PATCH 21/24] x86/entry: Disable stack-protector for IST entry C handlers
Date: Thu, 26 Nov 2020 14:22:07 -0600 [thread overview]
Message-ID: <20201126202207.GE2672@gate.crashing.org> (raw)
In-Reply-To: <CAMj1kXH--kzizmzy8kFZMJkR5R17zr2aq-O=VN0uN2Viq1mFwg@mail.gmail.com>
On Thu, Nov 26, 2020 at 07:40:10AM +0100, Ard Biesheuvel wrote:
> On Thu, 26 Nov 2020 at 00:03, Segher Boessenkool
> <segher@kernel.crashing.org> wrote:
> > On Wed, Nov 25, 2020 at 11:56:40AM -0800, Kees Cook wrote:
> > > On Sat, Nov 14, 2020 at 11:20:17AM +0100, Ard Biesheuvel wrote:
> > > > In spite of the apparent difference of opinion here, there are two
> > > > irrefutable facts about __attribute__((optimize)) on GCC that can only
> > > > lead to the conclusion that we must never use it in Linux:
> > > > - the GCC developers refuse to rigorously define its behavior, so we
> > > > don't know what it actually does;
> >
> > This is because it isn't clear at all what it *should* do, for some
> > options. For others it is obvious, and it works just fine for those.
>
> The problem is that the distinction of some vs. others is not
> documented, and may change between architectures or GCC versions.
And obvious is still obvious.
> > (And we do not rigorously define the behaviour of almost *anything*, not
> > in the user manual anyway!)
> >
> > The interface has huge usability problems. We want to wean people off
> > of using this attribute. But claiming all kinds of FUD about it is a
> > disservice to users: it works fine for where it does work, there is no
> > reason for people to hurriedly change their code (or change it at all).
>
> What do you mean by all kinds of FUD? The kind of FUD appearing on the
> GCC wiki? I'll quote it again here for everyone's convenience.
<snip>
No, saying "ohnoes this feature (that always worked fine for many
purposes) is so broken that it is super dangerous to keep using it even
a minute longer". _That_ FUD.
> The reason we have to change code in the kernel is because it actually
> breaks stuff.
That makes sense. Then please write *that*? :-)
> For instance, functions using __attribute__((optimize))
> to disable GCSE are suddenly compiled with or without stack protector
> checks or frame pointers, even though the opposite option is set at
> the compilation unit level.
Not that disabling GCSE makes much sense anyway (there are other passes
that do many of the same things, for example). So why was this added?
To avoid some bug on some older compiler version?
> I am not disputing that __attribute__((optimize)) is highly useful in
> some cases, I am just arguing that such cases don't exist in a Linux
> kernel running on a production system.
And I am saying that before you can remove something, you probably
should look at why it was added in the first place, and see if you need
a replacement for that, etc. Just destroying stuff you do not agree
with is iconoclasm.
Segher
next prev parent reply other threads:[~2020-11-26 20:27 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20201109144425.270789-22-alexandre.chartre@oracle.com>
[not found] ` <202011131552.4kvOb9Id-lkp@intel.com>
2020-11-13 18:59 ` [RFC][PATCH 21/24] x86/entry: Disable stack-protector for IST entry C handlers Nick Desaulniers
2020-11-13 19:39 ` Alexandre Chartre
2020-11-13 19:45 ` Nick Desaulniers
2020-11-13 23:47 ` Segher Boessenkool
2020-11-14 0:01 ` Miguel Ojeda
2020-11-14 0:26 ` Segher Boessenkool
2020-11-14 1:58 ` Miguel Ojeda
2020-11-14 10:20 ` Ard Biesheuvel
2020-11-25 19:56 ` Kees Cook
2020-11-25 23:00 ` Segher Boessenkool
2020-11-26 6:40 ` Ard Biesheuvel
2020-11-26 20:22 ` Segher Boessenkool [this message]
2020-11-26 21:05 ` Arvind Sankar
2020-11-26 22:00 ` Ard Biesheuvel
2020-11-14 0:11 ` Nick Desaulniers
2020-11-14 0:43 ` Segher Boessenkool
2020-11-14 0:48 ` Nick Desaulniers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201126202207.GE2672@gate.crashing.org \
--to=segher@kernel.crashing.org \
--cc=alexandre.chartre@oracle.com \
--cc=ardb@kernel.org \
--cc=clang-built-linux@googlegroups.com \
--cc=kbuild-all@lists.01.org \
--cc=keescook@chromium.org \
--cc=linux-toolchains@vger.kernel.org \
--cc=lkp@intel.com \
--cc=miguel.ojeda.sandonis@gmail.com \
--cc=ndesaulniers@google.com \
--cc=nivedita@alum.mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).