* [PATCH] compiler_types: Provide __no_kstack_erase to disable coverage only on Clang
@ 2025-07-29 22:43 Kees Cook
2025-07-29 23:00 ` Marco Elver
0 siblings, 1 reply; 4+ messages in thread
From: Kees Cook @ 2025-07-29 22:43 UTC (permalink / raw)
To: Linus Torvalds
Cc: Kees Cook, kernel test robot, syzbot+5245cb609175fb6e8122,
Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86,
H. Peter Anvin, Ard Biesheuvel, Marco Elver, Hou Wenlong,
Kirill A . Shutemov, Miguel Ojeda, Nathan Chancellor,
Przemek Kitszel, Andrew Morton, Masahiro Yamada, Peter Zijlstra,
Wei Yang, Sami Tolvanen, Arnd Bergmann, Christophe Leroy,
Nick Desaulniers, Bill Wendling, Justin Stitt, Michael Kelley,
Marc Herbert, Yafang Shao, Uros Bizjak, Jan Hendrik Farr,
linux-kernel, llvm, linux-hardening
In order to support Clang's stack depth tracking (for Linux's kstack_erase
feature), the coverage sanitizer needed to be disabled for __init (and
__head) section code. Doing this universally (i.e. for GCC too), created
a number of unexpected problems, ranging from changes to inlining logic
to failures to DCE code on earlier GCC versions.
Since this change is only needed for Clang, specialize it so that GCC
doesn't see the change as it isn't needed there (the GCC implementation
of kstack_erase uses a GCC plugin that removes stack depth tracking
instrumentation from __init sections during a late pass in the IR).
Successful build and boot tested with GCC 12 and Clang 22.
Fixes: 381a38ea53d2 ("init.h: Disable sanitizer coverage for __init and __head")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202507270258.neWuiXLd-lkp@intel.com/
Reported-by: syzbot+5245cb609175fb6e8122@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6888d004.a00a0220.26d0e1.0004.GAE@google.com/
Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: Linus Torvalds <torvalds@linuxfoundation.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: <x86@kernel.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Marco Elver <elver@google.com>
Cc: Hou Wenlong <houwenlong.hwl@antgroup.com>
Cc: Kirill A. Shutemov <kas@kernel.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Wei Yang <richard.weiyang@gmail.com>
Cc: Sami Tolvanen <samitolvanen@google.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
---
arch/x86/include/asm/init.h | 2 +-
include/linux/compiler_types.h | 7 +++++++
include/linux/init.h | 2 +-
3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/arch/x86/include/asm/init.h b/arch/x86/include/asm/init.h
index 6bfdaeddbae8..5a68e9db6518 100644
--- a/arch/x86/include/asm/init.h
+++ b/arch/x86/include/asm/init.h
@@ -5,7 +5,7 @@
#if defined(CONFIG_CC_IS_CLANG) && CONFIG_CLANG_VERSION < 170000
#define __head __section(".head.text") __no_sanitize_undefined __no_stack_protector
#else
-#define __head __section(".head.text") __no_sanitize_undefined __no_sanitize_coverage
+#define __head __section(".head.text") __no_sanitize_undefined __no_kstack_erase
#endif
struct x86_mapping_info {
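Review bot: only the #else branch of __head picks up __no_kstack_erase; the `CONFIG_CLANG_VERSION < 170000` branch above it carries __no_stack_protector and no coverage annotation at all, both before and after this change. If Clang's stack depth tracking can be enabled on those older Clang versions, __head code there stays instrumented. Either add __no_kstack_erase to that branch too, or add a comment saying why it is not needed there.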
diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
index 2b77d12e07b2..89e2c01fc8b1 100644
--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -378,6 +378,13 @@ struct ftrace_likely_data {
# define __signed_wrap
#endif
+/* GCC does not like splitting sanitizer coverage across section inlines */
+#ifdef CC_IS_CLANG
+#define __no_kstack_erase __no_sanitize_coverage
+#else
+#define __no_kstack_erase
+#endif
+
/* Section for code which can't be instrumented at all */
#define __noinstr_section(section) \
noinline notrace __attribute((__section__(section))) \
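Review bot: `#ifdef CC_IS_CLANG` in the added block tests a macro without the CONFIG_ prefix, while the context line in arch/x86/include/asm/init.h in this same patch tests `defined(CONFIG_CC_IS_CLANG)`. Unless CC_IS_CLANG is defined somewhere not visible here, the #else branch is always taken and __no_kstack_erase expands to nothing on Clang as well, which would undo the coverage exclusion this patch is meant to keep for Clang. Use `#ifdef CONFIG_CC_IS_CLANG`, or drop the compiler test from this header: keep an empty default under `#ifndef __no_kstack_erase` here and move the `__no_sanitize_coverage` definition to compiler-clang.h. The comment above the block also only gives the GCC reason; it should say that Clang needs coverage disabled for stack depth tracking in __init and __head code.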
diff --git a/include/linux/init.h b/include/linux/init.h
index c65a050d52a7..a60d32d227ee 100644
--- a/include/linux/init.h
+++ b/include/linux/init.h
@@ -51,7 +51,7 @@
discard it in modules) */
#define __init __section(".init.text") __cold __latent_entropy \
__noinitretpoline \
- __no_sanitize_coverage
+ __no_kstack_erase
#define __initdata __section(".init.data")
#define __initconst __section(".init.rodata")
#define __exitdata __section(".exit.data")
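Review bot: on the last continuation line of __init, the name __no_kstack_erase reads as if it only opts the function out of kstack_erase, but on Clang it expands to __no_sanitize_coverage and so removes all coverage instrumentation from __init code, while on GCC it is empty and __init code is coverage-instrumented again. That compiler-dependent difference is worth one line in the comment block above __init so that anyone reading coverage results for init code knows which compiler leaves it out.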
--
2.34.1
* Re: [PATCH] compiler_types: Provide __no_kstack_erase to disable coverage only on Clang
2025-07-29 22:43 [PATCH] compiler_types: Provide __no_kstack_erase to disable coverage only on Clang Kees Cook
@ 2025-07-29 23:00 ` Marco Elver
2025-07-29 23:15 ` Linus Torvalds
2025-07-29 23:19 ` Kees Cook
0 siblings, 2 replies; 4+ messages in thread
From: Marco Elver @ 2025-07-29 23:00 UTC (permalink / raw)
To: Kees Cook
Cc: Linus Torvalds, kernel test robot, syzbot+5245cb609175fb6e8122,
Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86,
H. Peter Anvin, Ard Biesheuvel, Hou Wenlong, Kirill A . Shutemov,
Miguel Ojeda, Nathan Chancellor, Przemek Kitszel, Andrew Morton,
Masahiro Yamada, Peter Zijlstra, Wei Yang, Sami Tolvanen,
Arnd Bergmann, Christophe Leroy, Nick Desaulniers, Bill Wendling,
Justin Stitt, Michael Kelley, Marc Herbert, Yafang Shao,
Uros Bizjak, Jan Hendrik Farr, linux-kernel, llvm,
linux-hardening
On Wed, 30 Jul 2025 at 00:43, Kees Cook <kees@kernel.org> wrote:
>
> In order to support Clang's stack depth tracking (for Linux's kstack_erase
> feature), the coverage sanitizer needed to be disabled for __init (and
> __head) section code. Doing this universally (i.e. for GCC too), created
> a number of unexpected problems, ranging from changes to inlining logic
> to failures to DCE code on earlier GCC versions.
>
> Since this change is only needed for Clang, specialize it so that GCC
> doesn't see the change as it isn't needed there (the GCC implementation
> of kstack_erase uses a GCC plugin that removes stack depth tracking
> instrumentation from __init sections during a late pass in the IR).
>
> Successful build and boot tested with GCC 12 and Clang 22.
>
> Fixes: 381a38ea53d2 ("init.h: Disable sanitizer coverage for __init and __head")
> Reported-by: kernel test robot <lkp@intel.com>
> Closes: https://lore.kernel.org/oe-kbuild-all/202507270258.neWuiXLd-lkp@intel.com/
> Reported-by: syzbot+5245cb609175fb6e8122@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/6888d004.a00a0220.26d0e1.0004.GAE@google.com/
> Signed-off-by: Kees Cook <kees@kernel.org>
> ---
> Cc: Linus Torvalds <torvalds@linuxfoundation.org>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Ingo Molnar <mingo@redhat.com>
> Cc: Borislav Petkov <bp@alien8.de>
> Cc: Dave Hansen <dave.hansen@linux.intel.com>
> Cc: <x86@kernel.org>
> Cc: "H. Peter Anvin" <hpa@zytor.com>
> Cc: Ard Biesheuvel <ardb@kernel.org>
> Cc: Marco Elver <elver@google.com>
> Cc: Hou Wenlong <houwenlong.hwl@antgroup.com>
> Cc: Kirill A. Shutemov <kas@kernel.org>
> Cc: Miguel Ojeda <ojeda@kernel.org>
> Cc: Nathan Chancellor <nathan@kernel.org>
> Cc: Przemek Kitszel <przemyslaw.kitszel@intel.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Masahiro Yamada <masahiroy@kernel.org>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Wei Yang <richard.weiyang@gmail.com>
> Cc: Sami Tolvanen <samitolvanen@google.com>
> Cc: Arnd Bergmann <arnd@arndb.de>
> Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
> ---
> arch/x86/include/asm/init.h | 2 +-
> include/linux/compiler_types.h | 7 +++++++
> include/linux/init.h | 2 +-
> 3 files changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/include/asm/init.h b/arch/x86/include/asm/init.h
> index 6bfdaeddbae8..5a68e9db6518 100644
> --- a/arch/x86/include/asm/init.h
> +++ b/arch/x86/include/asm/init.h
> @@ -5,7 +5,7 @@
> #if defined(CONFIG_CC_IS_CLANG) && CONFIG_CLANG_VERSION < 170000
> #define __head __section(".head.text") __no_sanitize_undefined __no_stack_protector
> #else
> -#define __head __section(".head.text") __no_sanitize_undefined __no_sanitize_coverage
> +#define __head __section(".head.text") __no_sanitize_undefined __no_kstack_erase
> #endif
>
> struct x86_mapping_info {
> diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
> index 2b77d12e07b2..89e2c01fc8b1 100644
> --- a/include/linux/compiler_types.h
> +++ b/include/linux/compiler_types.h
> @@ -378,6 +378,13 @@ struct ftrace_likely_data {
> # define __signed_wrap
> #endif
>
> +/* GCC does not like splitting sanitizer coverage across section inlines */
> +#ifdef CC_IS_CLANG
> +#define __no_kstack_erase __no_sanitize_coverage
> +#else
> +#define __no_kstack_erase
> +#endif
I think this belongs into compiler-clang.h, we've typically refrained
from ifdef CC_IS_CLANG/GCC in the generic headers.
See __nocfi for an example, where compiler_types.h provides a default
empty definition, and compiler-clang.h provides a non-empty
definition.
* Re: [PATCH] compiler_types: Provide __no_kstack_erase to disable coverage only on Clang
2025-07-29 23:00 ` Marco Elver
@ 2025-07-29 23:15 ` Linus Torvalds
2025-07-29 23:19 ` Kees Cook
1 sibling, 0 replies; 4+ messages in thread
From: Linus Torvalds @ 2025-07-29 23:15 UTC (permalink / raw)
To: Marco Elver
Cc: Kees Cook, kernel test robot, syzbot+5245cb609175fb6e8122,
Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86,
H. Peter Anvin, Ard Biesheuvel, Hou Wenlong, Kirill A . Shutemov,
Miguel Ojeda, Nathan Chancellor, Przemek Kitszel, Andrew Morton,
Masahiro Yamada, Peter Zijlstra, Wei Yang, Sami Tolvanen,
Arnd Bergmann, Christophe Leroy, Nick Desaulniers, Bill Wendling,
Justin Stitt, Michael Kelley, Marc Herbert, Yafang Shao,
Uros Bizjak, Jan Hendrik Farr, linux-kernel, llvm,
linux-hardening
On Tue, 29 Jul 2025 at 16:01, Marco Elver <elver@google.com> wrote:
>
> I think this belongs into compiler-clang.h, we've typically refrained
> from ifdef CC_IS_CLANG/GCC in the generic headers.
> See __nocfi for an example, where compiler_types.h provides a default
> empty definition, and compiler-clang.h provides a non-empty
> definition.
Yeah, I think that would be a lot cleaner and matches the other things
like this.
Linus
* Re: [PATCH] compiler_types: Provide __no_kstack_erase to disable coverage only on Clang
2025-07-29 23:00 ` Marco Elver
2025-07-29 23:15 ` Linus Torvalds
@ 2025-07-29 23:19 ` Kees Cook
1 sibling, 0 replies; 4+ messages in thread
From: Kees Cook @ 2025-07-29 23:19 UTC (permalink / raw)
To: Marco Elver
Cc: Linus Torvalds, kernel test robot, syzbot+5245cb609175fb6e8122,
Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86,
H. Peter Anvin, Ard Biesheuvel, Hou Wenlong, Kirill A . Shutemov,
Miguel Ojeda, Nathan Chancellor, Przemek Kitszel, Andrew Morton,
Masahiro Yamada, Peter Zijlstra, Wei Yang, Sami Tolvanen,
Arnd Bergmann, Christophe Leroy, Nick Desaulniers, Bill Wendling,
Justin Stitt, Michael Kelley, Marc Herbert, Yafang Shao,
Uros Bizjak, Jan Hendrik Farr, linux-kernel, llvm,
linux-hardening
On Wed, Jul 30, 2025 at 01:00:39AM +0200, Marco Elver wrote:
> On Wed, 30 Jul 2025 at 00:43, Kees Cook <kees@kernel.org> wrote:
> >
> > In order to support Clang's stack depth tracking (for Linux's kstack_erase
> > feature), the coverage sanitizer needed to be disabled for __init (and
> > __head) section code. Doing this universally (i.e. for GCC too), created
> > a number of unexpected problems, ranging from changes to inlining logic
> > to failures to DCE code on earlier GCC versions.
> >
> > Since this change is only needed for Clang, specialize it so that GCC
> > doesn't see the change as it isn't needed there (the GCC implementation
> > of kstack_erase uses a GCC plugin that removes stack depth tracking
> > instrumentation from __init sections during a late pass in the IR).
> >
> > Successful build and boot tested with GCC 12 and Clang 22.
> >
> > Fixes: 381a38ea53d2 ("init.h: Disable sanitizer coverage for __init and __head")
> > Reported-by: kernel test robot <lkp@intel.com>
> > Closes: https://lore.kernel.org/oe-kbuild-all/202507270258.neWuiXLd-lkp@intel.com/
> > Reported-by: syzbot+5245cb609175fb6e8122@syzkaller.appspotmail.com
> > Closes: https://lore.kernel.org/all/6888d004.a00a0220.26d0e1.0004.GAE@google.com/
> > Signed-off-by: Kees Cook <kees@kernel.org>
> > ---
> > Cc: Linus Torvalds <torvalds@linuxfoundation.org>
> > Cc: Thomas Gleixner <tglx@linutronix.de>
> > Cc: Ingo Molnar <mingo@redhat.com>
> > Cc: Borislav Petkov <bp@alien8.de>
> > Cc: Dave Hansen <dave.hansen@linux.intel.com>
> > Cc: <x86@kernel.org>
> > Cc: "H. Peter Anvin" <hpa@zytor.com>
> > Cc: Ard Biesheuvel <ardb@kernel.org>
> > Cc: Marco Elver <elver@google.com>
> > Cc: Hou Wenlong <houwenlong.hwl@antgroup.com>
> > Cc: Kirill A. Shutemov <kas@kernel.org>
> > Cc: Miguel Ojeda <ojeda@kernel.org>
> > Cc: Nathan Chancellor <nathan@kernel.org>
> > Cc: Przemek Kitszel <przemyslaw.kitszel@intel.com>
> > Cc: Andrew Morton <akpm@linux-foundation.org>
> > Cc: Masahiro Yamada <masahiroy@kernel.org>
> > Cc: Peter Zijlstra <peterz@infradead.org>
> > Cc: Wei Yang <richard.weiyang@gmail.com>
> > Cc: Sami Tolvanen <samitolvanen@google.com>
> > Cc: Arnd Bergmann <arnd@arndb.de>
> > Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
> > ---
> > arch/x86/include/asm/init.h | 2 +-
> > include/linux/compiler_types.h | 7 +++++++
> > include/linux/init.h | 2 +-
> > 3 files changed, 9 insertions(+), 2 deletions(-)
> >
> > diff --git a/arch/x86/include/asm/init.h b/arch/x86/include/asm/init.h
> > index 6bfdaeddbae8..5a68e9db6518 100644
> > --- a/arch/x86/include/asm/init.h
> > +++ b/arch/x86/include/asm/init.h
> > @@ -5,7 +5,7 @@
> > #if defined(CONFIG_CC_IS_CLANG) && CONFIG_CLANG_VERSION < 170000
> > #define __head __section(".head.text") __no_sanitize_undefined __no_stack_protector
> > #else
> > -#define __head __section(".head.text") __no_sanitize_undefined __no_sanitize_coverage
> > +#define __head __section(".head.text") __no_sanitize_undefined __no_kstack_erase
> > #endif
> >
> > struct x86_mapping_info {
> > diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
> > index 2b77d12e07b2..89e2c01fc8b1 100644
> > --- a/include/linux/compiler_types.h
> > +++ b/include/linux/compiler_types.h
> > @@ -378,6 +378,13 @@ struct ftrace_likely_data {
> > # define __signed_wrap
> > #endif
> >
> > +/* GCC does not like splitting sanitizer coverage across section inlines */
> > +#ifdef CC_IS_CLANG
> > +#define __no_kstack_erase __no_sanitize_coverage
> > +#else
> > +#define __no_kstack_erase
> > +#endif
>
> I think this belongs into compiler-clang.h, we've typically refrained
> from ifdef CC_IS_CLANG/GCC in the generic headers.
> See __nocfi for an example, where compiler_types.h provides a default
> empty definition, and compiler-clang.h provides a non-empty
> definition.
Oh, good point. I will rearrange this to use the #ifndef style handling!
--
Kees Cook