Ubuntu 16.10 - Linux Kernel build fails - GCC related

Ubuntu 16.10 - Linux Kernel build fails - GCC related

[Shuah Khan]

After upgrading to Ubuntu 16.10, I can't build kernels anymore unless
the following patch is applied to the kernel Makefile. A word of
caution for anybody that is planning to update their development
systems.

https://patchwork.ozlabs.org/patch/616621/

Please refer to the Ubuntu 16.10 release notes for more details.

https://wiki.ubuntu.com/YakketyYak/ReleaseNotes#GCC

Ubuntu is recommended applying this patch for building Linux kernels.
I am not sure this is the right way to go. I am hoping this is
work-around and patching the kernel Makefile will not be the solution
going forward.

I haven't seen any patch sent upstream to make this change, so I still
hope this is a temporary work-around. Maybe be there is patch that
came through and you are aware of this problem?

thanks,
-- Shuah

Re: Ubuntu 16.10 - Linux Kernel build fails - GCC related

[Greg KH]

On Tue, Oct 18, 2016 at 09:24:20AM -0600, Shuah Khan wrote:
> After upgrading to Ubuntu 16.10, I can't build kernels anymore unless
> the following patch is applied to the kernel Makefile. A word of
> caution for anybody that is planning to update their development
> systems.
> 
> https://patchwork.ozlabs.org/patch/616621/
> 
> Please refer to the Ubuntu 16.10 release notes for more details.
> 
> https://wiki.ubuntu.com/YakketyYak/ReleaseNotes#GCC
> 
> Ubuntu is recommended applying this patch for building Linux kernels.
> I am not sure this is the right way to go. I am hoping this is
> work-around and patching the kernel Makefile will not be the solution
> going forward.
> 
> I haven't seen any patch sent upstream to make this change, so I still
> hope this is a temporary work-around. Maybe be there is patch that
> came through and you are aware of this problem?

Does commit 6d92bc9d483a solve this issue for you?  That should have
resolved a -pie issue, back in 4.6, or is this something else?

thanks,

greg k-h

Re: Ubuntu 16.10 - Linux Kernel build fails - GCC related

[Shuah Khan]

On Tue, Oct 18, 2016 at 9:37 AM, Greg KH <gregkh@linuxfoundation.org> wrote:
> On Tue, Oct 18, 2016 at 09:24:20AM -0600, Shuah Khan wrote:
>> After upgrading to Ubuntu 16.10, I can't build kernels anymore unless
>> the following patch is applied to the kernel Makefile. A word of
>> caution for anybody that is planning to update their development
>> systems.
>>
>> https://patchwork.ozlabs.org/patch/616621/
>>
>> Please refer to the Ubuntu 16.10 release notes for more details.
>>
>> https://wiki.ubuntu.com/YakketyYak/ReleaseNotes#GCC
>>
>> Ubuntu is recommended applying this patch for building Linux kernels.
>> I am not sure this is the right way to go. I am hoping this is
>> work-around and patching the kernel Makefile will not be the solution
>> going forward.
>>
>> I haven't seen any patch sent upstream to make this change, so I still
>> hope this is a temporary work-around. Maybe be there is patch that
>> came through and you are aware of this problem?
>
> Does commit 6d92bc9d483a solve this issue for you?  That should have
> resolved a -pie issue, back in 4.6, or is this something else?
>

This is a new problem because of a change Ubuntu made in their gcc
version 6.2.0 20161005 (Ubuntu 6.2.0-5ubuntu12) it appears.

The Ubuntu 16.10 release notes says:

"We have modified GCC to by-default compile programs with position
independent executable support to improve the security benefits
provided by
Address Space Layout Randomization.

This may cause difficulty when trying to compile Linux kernels that
still need this patch applied.
Other programs may experience other problems; some debugging
guidelines are at https://wiki.ubuntu.com/SecurityTeam/PIE"

The above clearly states a patch needs to applied to the Linux Kernel
makefile. This patch forces no-pie for distro compilers that enable
pie by default

The error I am seeing on 4.9-rc1 is:

 CHK     include/config/kernel.release
Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong
not supported by compiler
Makefile:1058: recipe for target 'prepare-compiler-check' failed
make: *** [prepare-compiler-check] Error 1

I think CONFIG_CC_STACKPROTECTOR_STRONG is enabled in most distro
configs. So I am not why this should fail now.

Here is the Ubuntu recommended patch for easy reference: (note cut and
paste - probably won't apply) -
https://patchwork.ozlabs.org/patch/616621/

diff --git a/Makefile b/Makefile
index e27da43..e4e8331 100644
--- a/Makefile
+++ b/Makefile
@@ -640,6 +640,11 @@  ifneq ($(CONFIG_FRAME_WARN),0)
 KBUILD_CFLAGS += $(call cc-option,-Wframe-larger-than=${CONFIG_FRAME_WARN})
 endif

+# force no-pie for distro compilers that enable pie by default
+KBUILD_CFLAGS += $(call cc-option, -fno-pie)
+KBUILD_CFLAGS += $(call cc-option, -no-pie)
+KBUILD_AFLAGS += $(call cc-option, -fno-pie)
+
 # Handle stack protector mode.
 #
 # Since kbuild can potentially perform two passes (first with the old
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
index 4086abc..84d1cc8 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -27,6 +27,7 @@  REALMODE_CFLAGS := $(M16_CFLAGS) -g -Os -D__KERNEL__ \
    -mno-mmx -mno-sse \
    $(call cc-option, -ffreestanding) \
    $(call cc-option, -fno-stack-protector) \
+   $(call cc-option, -fno-pie) \
    $(call cc-option, -mpreferred-stack-boundary=2)
 export REALMODE_CFLAGS

@@ -129,7 +130,7 @@  endif
 # Make sure compiler does not have buggy stack-protector support.
 ifdef CONFIG_CC_STACKPROTECTOR
  cc_has_sp := $(srctree)/scripts/gcc-x86_$(BITS)-has-stack-protector.sh
-        ifneq ($(shell $(CONFIG_SHELL) $(cc_has_sp) $(CC)
$(KBUILD_CPPFLAGS) $(biarch)),y)
+        ifneq ($(shell $(CONFIG_SHELL) $(cc_has_sp) $(CC) -fno-pie
$(KBUILD_CPPFLAGS) $(biarch)),y)
                 $(warning stack-protector enabled but compiler support broken)
         endif
 endif
diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
index 265c0ed..9677975 100644
--- a/arch/x86/entry/vdso/Makefile
+++ b/arch/x86/entry/vdso/Makefile
@@ -44,6 +44,7 @@  export CPPFLAGS_vdso.lds += -P -C
 VDSO_LDFLAGS_vdso.lds = -m64 -Wl,-soname=linux-vdso.so.1 \
  -Wl,--no-undefined \
  -Wl,-z,max-page-size=4096 -Wl,-z,common-page-size=4096 \
+ $(call ld-option, -no-pie) \
  $(DISABLE_LTO)

 $(obj)/vdso64.so.dbg: $(src)/vdso.lds $(vobjs) FORCE
@@ -67,6 +68,7 @@  $(obj)/vdso-image-%.c: $(obj)/vdso%.so.dbg
$(obj)/vdso%.so $(obj)/vdso2c FORCE
 CFL := $(PROFILING) -mcmodel=small -fPIC -O2
-fasynchronous-unwind-tables -m64 \
        $(filter -g%,$(KBUILD_CFLAGS)) $(call cc-option, -fno-stack-protector) \
        -fno-omit-frame-pointer -foptimize-sibling-calls \
+       $(call cc-option, -fno-pie) \
        -DDISABLE_BRANCH_PROFILING -DBUILD_VDSO

 $(vobjs): KBUILD_CFLAGS += $(CFL)
@@ -140,6 +142,7 @@  KBUILD_CFLAGS_32 := $(filter-out
-mcmodel=kernel,$(KBUILD_CFLAGS_32))
 KBUILD_CFLAGS_32 := $(filter-out -fno-pic,$(KBUILD_CFLAGS_32))
 KBUILD_CFLAGS_32 := $(filter-out -mfentry,$(KBUILD_CFLAGS_32))
 KBUILD_CFLAGS_32 += -m32 -msoft-float -mregparm=0 -fpic
+KBUILD_CFLAGS_32 += $(call cc-option, -no-pie)
 KBUILD_CFLAGS_32 += $(call cc-option, -fno-stack-protector)
 KBUILD_CFLAGS_32 += $(call cc-option, -foptimize-sibling-calls)
 KBUILD_CFLAGS_32 += -fno-omit-frame-pointer

thanks,
-- Shuah

Re: Ubuntu 16.10 - Linux Kernel build fails - GCC related

[Greg KH]

On Tue, Oct 18, 2016 at 09:48:17AM -0600, Shuah Khan wrote:
> On Tue, Oct 18, 2016 at 9:37 AM, Greg KH <gregkh@linuxfoundation.org> wrote:
> > On Tue, Oct 18, 2016 at 09:24:20AM -0600, Shuah Khan wrote:
> >> After upgrading to Ubuntu 16.10, I can't build kernels anymore unless
> >> the following patch is applied to the kernel Makefile. A word of
> >> caution for anybody that is planning to update their development
> >> systems.
> >>
> >> https://patchwork.ozlabs.org/patch/616621/
> >>
> >> Please refer to the Ubuntu 16.10 release notes for more details.
> >>
> >> https://wiki.ubuntu.com/YakketyYak/ReleaseNotes#GCC
> >>
> >> Ubuntu is recommended applying this patch for building Linux kernels.
> >> I am not sure this is the right way to go. I am hoping this is
> >> work-around and patching the kernel Makefile will not be the solution
> >> going forward.
> >>
> >> I haven't seen any patch sent upstream to make this change, so I still
> >> hope this is a temporary work-around. Maybe be there is patch that
> >> came through and you are aware of this problem?
> >
> > Does commit 6d92bc9d483a solve this issue for you?  That should have
> > resolved a -pie issue, back in 4.6, or is this something else?
> >
> 
> This is a new problem because of a change Ubuntu made in their gcc
> version 6.2.0 20161005 (Ubuntu 6.2.0-5ubuntu12) it appears.
> 
> The Ubuntu 16.10 release notes says:
> 
> "We have modified GCC to by-default compile programs with position
> independent executable support to improve the security benefits
> provided by
> Address Space Layout Randomization.
> 
> This may cause difficulty when trying to compile Linux kernels that
> still need this patch applied.
> Other programs may experience other problems; some debugging
> guidelines are at https://wiki.ubuntu.com/SecurityTeam/PIE"
> 
> The above clearly states a patch needs to applied to the Linux Kernel
> makefile. This patch forces no-pie for distro compilers that enable
> pie by default
> 
> The error I am seeing on 4.9-rc1 is:
> 
>  CHK     include/config/kernel.release
> Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong
> not supported by compiler
> Makefile:1058: recipe for target 'prepare-compiler-check' failed
> make: *** [prepare-compiler-check] Error 1
> 
> I think CONFIG_CC_STACKPROTECTOR_STRONG is enabled in most distro
> configs. So I am not why this should fail now.
> 
> Here is the Ubuntu recommended patch for easy reference: (note cut and
> paste - probably won't apply) -
> https://patchwork.ozlabs.org/patch/616621/

Did you follow up with Steve about this?  Seems odd that no one ever
followed up on it.

thanks,

greg k-h

Re: Ubuntu 16.10 - Linux Kernel build fails - GCC related

[Shuah Khan]

On Tue, Oct 18, 2016 at 9:56 AM, Greg KH <gregkh@linuxfoundation.org> wrote:
> On Tue, Oct 18, 2016 at 09:48:17AM -0600, Shuah Khan wrote:
>> On Tue, Oct 18, 2016 at 9:37 AM, Greg KH <gregkh@linuxfoundation.org> wrote:
>> > On Tue, Oct 18, 2016 at 09:24:20AM -0600, Shuah Khan wrote:
>> >> After upgrading to Ubuntu 16.10, I can't build kernels anymore unless
>> >> the following patch is applied to the kernel Makefile. A word of
>> >> caution for anybody that is planning to update their development
>> >> systems.
>> >>
>> >> https://patchwork.ozlabs.org/patch/616621/
>> >>
>> >> Please refer to the Ubuntu 16.10 release notes for more details.
>> >>
>> >> https://wiki.ubuntu.com/YakketyYak/ReleaseNotes#GCC
>> >>
>> >> Ubuntu is recommended applying this patch for building Linux kernels.
>> >> I am not sure this is the right way to go. I am hoping this is
>> >> work-around and patching the kernel Makefile will not be the solution
>> >> going forward.
>> >>
>> >> I haven't seen any patch sent upstream to make this change, so I still
>> >> hope this is a temporary work-around. Maybe be there is patch that
>> >> came through and you are aware of this problem?
>> >
>> > Does commit 6d92bc9d483a solve this issue for you?  That should have
>> > resolved a -pie issue, back in 4.6, or is this something else?
>> >
>>
>> This is a new problem because of a change Ubuntu made in their gcc
>> version 6.2.0 20161005 (Ubuntu 6.2.0-5ubuntu12) it appears.
>>
>> The Ubuntu 16.10 release notes says:
>>
>> "We have modified GCC to by-default compile programs with position
>> independent executable support to improve the security benefits
>> provided by
>> Address Space Layout Randomization.
>>
>> This may cause difficulty when trying to compile Linux kernels that
>> still need this patch applied.
>> Other programs may experience other problems; some debugging
>> guidelines are at https://wiki.ubuntu.com/SecurityTeam/PIE"
>>
>> The above clearly states a patch needs to applied to the Linux Kernel
>> makefile. This patch forces no-pie for distro compilers that enable
>> pie by default
>>
>> The error I am seeing on 4.9-rc1 is:
>>
>>  CHK     include/config/kernel.release
>> Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong
>> not supported by compiler
>> Makefile:1058: recipe for target 'prepare-compiler-check' failed
>> make: *** [prepare-compiler-check] Error 1
>>
>> I think CONFIG_CC_STACKPROTECTOR_STRONG is enabled in most distro
>> configs. So I am not why this should fail now.
>>
>> Here is the Ubuntu recommended patch for easy reference: (note cut and
>> paste - probably won't apply) -
>> https://patchwork.ozlabs.org/patch/616621/
>
> Did you follow up with Steve about this?  Seems odd that no one ever
> followed up on it.
>

I ran into this just yesterday and found the patch this morning. I can
contact Steve and get more information on this.

thanks,
-- Shuah