linux-kernel.vger.kernel.org archive mirror
* [GIT PULL] hardening updates for v6.17-rc1
@ 2025-07-29  0:01 Kees Cook
  2025-07-29  0:43 ` Linus Torvalds
  2025-07-29  1:12 ` pr-tracker-bot
  0 siblings, 2 replies; 4+ messages in thread
From: Kees Cook @ 2025-07-29  0:01 UTC (permalink / raw)
  To: Linus Torvalds
  Cc: linux-kernel, Andy Shevchenko, Dan Williams, David Gow,
	Gustavo A. R. Silva, Heiko Carstens, Huacai Chen, Ingo Molnar,
	Jannik Glückert, Kees Cook, kernel test robot, Lee Jones,
	Linux Kernel Functional Testing, Marco Elver, Nathan Chancellor,
	Nicolas Schier, Nishanth Menon, Ritesh Harjani, Thorsten Blum,
	Youling Tang

Hi Linus,

Please pull these hardening updates for v6.17-rc1. Some notable things
that stand out in the diffstat: there are many scattered changes across arch code
to clean up __init vs KCOV instrumentation. Most are landing here via
the hardening tree but 2 landed separately in their respective trees:
loongarch in v6.16 already, and platform-drivers-x86 that is queued
for merging:
https://lore.kernel.org/all/pdx86-pr-20250728141420-2408727195@linux.intel.com/
Also the stackleak feature has gained native Clang support, and got
renamed as part of the refactoring work, which ends up touching all the
arch Kconfig and Makefile files.

Thanks!

-Kees

The following changes since commit e04c78d86a9699d136910cfc0bdcf01087e3267e:

  Linux 6.16-rc2 (2025-06-15 13:49:41 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.17-rc1

for you to fetch changes up to 32e42ab9fc88a884435c27527a433f61c4d2b61b:

  sched/task_stack: Add missing const qualifier to end_of_stack() (2025-07-26 14:28:35 -0700)

----------------------------------------------------------------
hardening updates for v6.17-rc1

- Introduce and start using TRAILING_OVERLAP() helper for fixing
  embedded flex array instances (Gustavo A. R. Silva)

- mux: Convert mux_control_ops to a flex array member in mux_chip
  (Thorsten Blum)

- string: Group str_has_prefix() and strstarts() (Andy Shevchenko)

- Remove KCOV instrumentation from __init and __head (Ritesh Harjani,
  Kees Cook)

- Refactor and rename stackleak feature to support Clang

- Add KUnit test for seq_buf API

- Fix KUnit fortify test under LTO

----------------------------------------------------------------
Andy Shevchenko (1):
      string: Group str_has_prefix() and strstarts()

Gustavo A. R. Silva (2):
      stddef: Introduce TRAILING_OVERLAP() helper macro
      acpi: nfit: intel: avoid multiple -Wflex-array-member-not-at-end warnings

Kees Cook (17):
      kunit/fortify: Add back "volatile" for sizeof() constants
      seq_buf: Introduce KUnit tests
      stackleak: Rename STACKLEAK to KSTACK_ERASE
      stackleak: Rename stackleak_track_stack to __sanitizer_cov_stack_depth
      stackleak: Split KSTACK_ERASE_CFLAGS from GCC_PLUGINS_CFLAGS
      configs/hardening: Enable CONFIG_KSTACK_ERASE
      configs/hardening: Enable CONFIG_INIT_ON_FREE_DEFAULT_ON
      mips: Handle KCOV __init vs inline mismatch
      arm: Handle KCOV __init vs inline mismatches
      s390: Handle KCOV __init vs inline mismatches
      arm64: Handle KCOV __init vs inline mismatches
      x86: Handle KCOV __init vs inline mismatches
      kstack_erase: Disable kstack_erase for all of arm compressed boot code
      init.h: Disable sanitizer coverage for __init and __head
      kstack_erase: Add -mgeneral-regs-only to silence Clang warnings
      kstack_erase: Support Clang stack depth tracking
      sched/task_stack: Add missing const qualifier to end_of_stack()

Ritesh Harjani (IBM) (1):
      powerpc/mm/book3s64: Move kfence and debug_pagealloc related calls to __init section

Thorsten Blum (1):
      mux: Convert mux_control_ops to a flex array member in mux_chip

 arch/Kconfig                                       |   4 +-
 arch/arm/Kconfig                                   |   2 +-
 arch/arm64/Kconfig                                 |   2 +-
 arch/loongarch/Kconfig                             |   2 +-
 arch/riscv/Kconfig                                 |   2 +-
 arch/s390/Kconfig                                  |   2 +-
 arch/x86/Kconfig                                   |   2 +-
 lib/Kconfig.debug                                  |   9 +
 security/Kconfig.hardening                         |  45 +++--
 Makefile                                           |   1 +
 arch/arm/boot/compressed/Makefile                  |   2 +-
 arch/arm/vdso/Makefile                             |   2 +-
 arch/arm64/kernel/pi/Makefile                      |   2 +-
 arch/arm64/kernel/vdso/Makefile                    |   3 +-
 arch/arm64/kvm/hyp/nvhe/Makefile                   |   2 +-
 arch/riscv/kernel/pi/Makefile                      |   2 +-
 arch/riscv/purgatory/Makefile                      |   2 +-
 arch/sparc/vdso/Makefile                           |   3 +-
 arch/x86/entry/vdso/Makefile                       |   3 +-
 arch/x86/purgatory/Makefile                        |   2 +-
 drivers/firmware/efi/libstub/Makefile              |   8 +-
 drivers/misc/lkdtm/Makefile                        |   2 +-
 kernel/Makefile                                    |  11 +-
 lib/Makefile                                       |   2 +-
 lib/tests/Makefile                                 |   1 +
 scripts/Makefile.gcc-plugins                       |  16 +-
 scripts/Makefile.kstack_erase                      |  21 +++
 scripts/gcc-plugins/stackleak_plugin.c             |  52 +++---
 Documentation/admin-guide/sysctl/kernel.rst        |   4 +-
 Documentation/arch/x86/x86_64/mm.rst               |   2 +-
 Documentation/security/self-protection.rst         |   2 +-
 .../zh_CN/security/self-protection.rst             |   2 +-
 arch/arm64/include/asm/acpi.h                      |   2 +-
 arch/mips/include/asm/time.h                       |   2 +-
 arch/s390/hypfs/hypfs.h                            |   2 +-
 arch/s390/hypfs/hypfs_diag.h                       |   2 +-
 arch/x86/entry/calling.h                           |   4 +-
 arch/x86/include/asm/acpi.h                        |   4 +-
 arch/x86/include/asm/init.h                        |   2 +-
 arch/x86/include/asm/realmode.h                    |   2 +-
 include/linux/acpi.h                               |   4 +-
 include/linux/bootconfig.h                         |   2 +-
 include/linux/efi.h                                |   2 +-
 include/linux/init.h                               |   4 +-
 include/linux/{stackleak.h => kstack_erase.h}      |  20 +-
 include/linux/memblock.h                           |   2 +-
 include/linux/mfd/dbx500-prcmu.h                   |   2 +-
 include/linux/mux/driver.h                         |   4 +-
 include/linux/sched.h                              |   4 +-
 include/linux/sched/task_stack.h                   |   2 +-
 include/linux/smp.h                                |   2 +-
 include/linux/stddef.h                             |  20 ++
 include/linux/string.h                             |  20 +-
 arch/arm/kernel/entry-common.S                     |   2 +-
 arch/arm64/kernel/entry.S                          |   2 +-
 arch/riscv/kernel/entry.S                          |   2 +-
 arch/s390/kernel/entry.S                           |   2 +-
 arch/arm/mm/cache-feroceon-l2.c                    |   2 +-
 arch/arm/mm/cache-tauros2.c                        |   2 +-
 arch/powerpc/mm/book3s64/hash_utils.c              |   6 +-
 arch/powerpc/mm/book3s64/radix_pgtable.c           |   4 +-
 arch/s390/mm/init.c                                |   2 +-
 arch/x86/kernel/kvm.c                              |   2 +-
 arch/x86/mm/init_64.c                              |   2 +-
 drivers/acpi/nfit/intel.c                          | 119 ++++++------
 drivers/clocksource/timer-orion.c                  |   2 +-
 drivers/misc/lkdtm/{stackleak.c => kstack_erase.c} |  26 +--
 drivers/mux/core.c                                 |   7 +-
 drivers/soc/ti/pm33xx.c                            |   2 +-
 fs/proc/base.c                                     |   6 +-
 kernel/fork.c                                      |   2 +-
 kernel/kexec_handover.c                            |   4 +-
 kernel/{stackleak.c => kstack_erase.c}             |  22 +--
 lib/tests/fortify_kunit.c                          |   4 +-
 lib/tests/seq_buf_kunit.c                          | 208 +++++++++++++++++++++
 tools/objtool/check.c                              |   4 +-
 tools/testing/selftests/lkdtm/config               |   2 +-
 MAINTAINERS                                        |   6 +-
 kernel/configs/hardening.config                    |   6 +
 79 files changed, 514 insertions(+), 259 deletions(-)
 create mode 100644 scripts/Makefile.kstack_erase
 rename include/linux/{stackleak.h => kstack_erase.h} (81%)
 rename drivers/misc/lkdtm/{stackleak.c => kstack_erase.c} (89%)
 rename kernel/{stackleak.c => kstack_erase.c} (87%)
 create mode 100644 lib/tests/seq_buf_kunit.c

-- 
Kees Cook


* Re: [GIT PULL] hardening updates for v6.17-rc1
  2025-07-29  0:01 [GIT PULL] hardening updates for v6.17-rc1 Kees Cook
@ 2025-07-29  0:43 ` Linus Torvalds
  2025-07-29  6:10   ` Kees Cook
  2025-07-29  1:12 ` pr-tracker-bot
  1 sibling, 1 reply; 4+ messages in thread
From: Linus Torvalds @ 2025-07-29  0:43 UTC (permalink / raw)
  To: Kees Cook
  Cc: linux-kernel, Andy Shevchenko, Dan Williams, David Gow,
	Gustavo A. R. Silva, Heiko Carstens, Huacai Chen, Ingo Molnar,
	Jannik Glückert, kernel test robot, Lee Jones,
	Linux Kernel Functional Testing, Marco Elver, Nathan Chancellor,
	Nicolas Schier, Nishanth Menon, Ritesh Harjani, Thorsten Blum,
	Youling Tang

On Mon, 28 Jul 2025 at 17:01, Kees Cook <kees@kernel.org> wrote:
>
> Please pull these hardening updates for v6.17-rc1. Some notable things
> that stand out in the diffstat: there are many scattered changes across arch code
> to clean up __init vs KCOV instrumentation. Most are landing here via
> the hardening tree but 2 landed separately in their respective trees:
> loongarch in v6.16 already, and platform-drivers-x86 that is queued
> for merging:

Is this the cause of the new

  section mismatch in reference: volume_set_software_mute+0x6f
(section: .text.unlikely) -> tpacpi_is_lenovo (section: .init.text)

warning?

It does seem to be a preexisting bug, with volume_set_software_mute()
(not init) calling tpacpi_is_lenovo (which is marked __init for some
unknown crazy reason).

I'm just not seeing what changed to *not* inline that trivial
single-instruction thing. So something really bad is happening to the
compiler because of this hardening change.

           Linus


* Re: [GIT PULL] hardening updates for v6.17-rc1
  2025-07-29  0:01 [GIT PULL] hardening updates for v6.17-rc1 Kees Cook
  2025-07-29  0:43 ` Linus Torvalds
@ 2025-07-29  1:12 ` pr-tracker-bot
  1 sibling, 0 replies; 4+ messages in thread
From: pr-tracker-bot @ 2025-07-29  1:12 UTC (permalink / raw)
  To: Kees Cook
  Cc: Linus Torvalds, linux-kernel, Andy Shevchenko, Dan Williams,
	David Gow, Gustavo A. R. Silva, Heiko Carstens, Huacai Chen,
	Ingo Molnar, Jannik Glückert, Kees Cook, kernel test robot,
	Lee Jones, Linux Kernel Functional Testing, Marco Elver,
	Nathan Chancellor, Nicolas Schier, Nishanth Menon, Ritesh Harjani,
	Thorsten Blum, Youling Tang

The pull request you sent on Mon, 28 Jul 2025 17:01:33 -0700:

> https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/hardening-v6.17-rc1

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/8e736a2eeaf261213b4557778e015699da1e1c8c

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html


* Re: [GIT PULL] hardening updates for v6.17-rc1
  2025-07-29  0:43 ` Linus Torvalds
@ 2025-07-29  6:10   ` Kees Cook
  0 siblings, 0 replies; 4+ messages in thread
From: Kees Cook @ 2025-07-29  6:10 UTC (permalink / raw)
  To: Linus Torvalds
  Cc: linux-kernel, Andy Shevchenko, Dan Williams, David Gow,
	Gustavo A. R. Silva, Heiko Carstens, Huacai Chen, Ingo Molnar,
	Jannik Glückert, kernel test robot, Lee Jones,
	Linux Kernel Functional Testing, Marco Elver, Nathan Chancellor,
	Nicolas Schier, Nishanth Menon, Ritesh Harjani, Thorsten Blum,
	Youling Tang



On July 28, 2025 5:43:08 PM PDT, Linus Torvalds <torvalds@linux-foundation.org> wrote:
>On Mon, 28 Jul 2025 at 17:01, Kees Cook <kees@kernel.org> wrote:
>>
>> Please pull these hardening updates for v6.17-rc1. Some notable things
>> that stand out in the diffstat: there are many scattered changes across arch code
>> to clean up __init vs KCOV instrumentation. Most are landing here via
>> the hardening tree but 2 landed separately in their respective trees:
>> loongarch in v6.16 already, and platform-drivers-x86 that is queued
>> for merging:
>
>Is this the cause of the new
>
>  section mismatch in reference: volume_set_software_mute+0x6f
>(section: .text.unlikely) -> tpacpi_is_lenovo (section: .init.text)
>
>warning?
>
>It does seem to be a preexisting bug, with volume_set_software_mute()
>(not init) calling tpacpi_is_lenovo (which is marked __init for some
>unknown crazy reason).
>
>I'm just not seeing what changed to *not* inline that trivial
>single-instruction thing. So something really bad is happening to the
>compiler because of this hardening change.

The change is actually *removing* sanitizer instrumentation from __init functions, and this seems to cause GCC to play weird games with inline vs section markings vs coverage sanitizer options. I scratched my head over it for a while but since GCC has had this kind of "unstable" inlining behavior before, it looked like the fix in similar situations was to switch it to __always_inline. In other cases the use of __init was adjusted.

The fix is part of the platform-drivers-x86 PR, specifically:
https://lore.kernel.org/lkml/20250529181831.work.439-kees@kernel.org/

-Kees

-- 
Kees Cook
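
Added example, not part of the thread and not kernel code: a small build-log triage script that finds "section mismatch in reference" warnings of the shape quoted above and marks the ones where a section that stays resident refers into an `.init.*` section, the case the thread's two fixes (`__always_inline`, or adjusting `__init`) address. The `.init.` prefix rule, the `resident-to-init` label and every `demo_*` name are assumptions of this example; only the first sample warning comes from the thread.

```python
import re
from typing import NamedTuple

# Warning shape taken from the message quoted in the thread. \s* also matches
# newlines, so a warning that a mail client wrapped still parses.
MISMATCH_RE = re.compile(
    r"section mismatch in reference:\s*(?P<src>[\w.]+)\+0x(?P<off>[0-9a-fA-F]+)\s*"
    r"\(section:\s*(?P<src_sec>[\w.]+)\)\s*->\s*"
    r"(?P<dst>[\w.]+)\s*\(section:\s*(?P<dst_sec>[\w.]+)\)"
)

class Mismatch(NamedTuple):
    src: str
    offset: int
    src_sec: str
    dst: str
    dst_sec: str
    kind: str

def classify(src_sec, dst_sec):
    # Assumption of this example: sections named ".init.*" are discarded after
    # boot, so a reference into one from a section that stays resident can be
    # followed after the target is gone.
    if dst_sec.startswith(".init.") and not src_sec.startswith(".init."):
        return "resident-to-init"
    return "other"

def parse_mismatches(log_text):
    """Return one Mismatch per warning found anywhere in log_text."""
    return [
        Mismatch(m["src"], int(m["off"], 16), m["src_sec"], m["dst"],
                 m["dst_sec"], classify(m["src_sec"], m["dst_sec"]))
        for m in MISMATCH_RE.finditer(log_text)
    ]

# Constructed build-log excerpt. The first warning is the one quoted in the
# thread (wrapped as in the mail); the demo_* lines are made up.
SAMPLE_LOG = """\
  CC      drivers/demo/demo.o
  section mismatch in reference: volume_set_software_mute+0x6f
(section: .text.unlikely) -> tpacpi_is_lenovo (section: .init.text)
section mismatch in reference: demo_probe+0x1c (section: .text) -> demo_table (section: .init.data)
section mismatch in reference: demo_setup+0x4 (section: .init.text) -> demo_cleanup (section: .exit.text)
"""

if __name__ == "__main__":
    for mm in parse_mismatches(SAMPLE_LOG):
        print(f"{mm.kind:17} {mm.src}+{mm.offset:#x} ({mm.src_sec}) -> {mm.dst} ({mm.dst_sec})")
```
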
