On Fri, Aug 19, 2022 at 10:14:51AM -0700, Nick Desaulniers wrote:
On Fri, Aug 19, 2022 at 8:46 AM Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
From: Nick Desaulniers ndesaulniers@google.com
commit 0d362be5b14200b77ecc2127936a5ff82fbffe41 upstream.
Users of GNU ld (BFD) from binutils 2.39+ will observe multiple instances of a new warning when linking kernels in the form:
ld: warning: vmlinux: missing .note.GNU-stack section implies executable stack ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker ld: warning: vmlinux has a LOAD segment with RWX permissions
Generally, we would like to avoid the stack being executable. Because there could be a need for the stack to be executable, assembler sources have to opt-in to this security feature via explicit creation of the .note.GNU-stack feature (which compilers create by default) or command line flag --noexecstack. Or we can simply tell the linker the production of such sections is irrelevant and to link the stack as --noexecstack.
LLVM's LLD linker defaults to -z noexecstack, so this flag isn't strictly necessary when linking with LLD, only BFD, but it doesn't hurt to be explicit here for all linkers IMO. --no-warn-rwx-segments is currently BFD specific and only available in the current latest release, so it's wrapped in an ld-option check.
While the kernel makes extensive usage of ELF sections, it doesn't use permissions from ELF segments.
Link: https://lore.kernel.org/linux-block/3af4127a-f453-4cf7-f133-a181cce06f73@ker... Link: https://sourceware.org/git/?p=binutils-gdb.git%3Ba=commit%3Bh=ba951afb99912d... Link: https://github.com/llvm/llvm-project/issues/57009 Reported-and-tested-by: Jens Axboe axboe@kernel.dk Suggested-by: Fangrui Song maskray@google.com Signed-off-by: Nick Desaulniers ndesaulniers@google.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Makefile | 5 +++++ 1 file changed, 5 insertions(+)
--- a/Makefile +++ b/Makefile @@ -983,6 +983,11 @@ KBUILD_CFLAGS += $(KCFLAGS) KBUILD_LDFLAGS_MODULE += --build-id=sha1 LDFLAGS_vmlinux += --build-id=sha1
+KBUILD_LDFLAGS += -z noexecstack +ifeq ($(CONFIG_LD_IS_BFD),y) +KBUILD_LDFLAGS += $(call ld-option,--no-warn-rwx-segments) +endif
5.10.y is missing CONFIG_LD_IS_BFD. Specifically
commit 02aff8592204 ("kbuild: check the minimum linker version in Kconfig") which first landed in v5.12-rc1. I'd recommend simply dropping the `ifeq` guards; the ld-option guard will still work. Otherwise GNU BFD 2.39 users will observe linker warnings related to rwx-segments.
Greg, do you mind dropping this patch and I'll supply a v2, or is it too late and I should send a patch on top?
I've fixed it up, thanks!
greg k-h