On Tue, May 27, 2025 at 1:39 PM Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
6.14-stable review patch. If anyone has any objections, please let me know.
From: Brian Gerst <brgerst@gmail.com>
[ Upstream commit a9a76b38aaf577887103e3ebb41d70e6aa5a4b19 ]
On 64-bit, this will prevent crashes when the canary access is changed from %gs:40 to %gs:__stack_chk_guard(%rip). RIP-relative addresses from the identity-mapped early boot code will target the wrong address with zero-based percpu. KASLR could then shift that address to an unmapped page causing a crash on boot.
This early boot code runs well before user-space is active and does not need stack protector enabled.
Signed-off-by: Brian Gerst <brgerst@gmail.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/r/20250123190747.745588-4-brgerst@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
arch/x86/kernel/Makefile | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile index b43eb7e384eba..84cfa179802c3 100644 --- a/arch/x86/kernel/Makefile +++ b/arch/x86/kernel/Makefile @@ -44,6 +44,8 @@ KCOV_INSTRUMENT_unwind_orc.o := n KCOV_INSTRUMENT_unwind_frame.o := n KCOV_INSTRUMENT_unwind_guess.o := n
+CFLAGS_head32.o := -fno-stack-protector +CFLAGS_head64.o := -fno-stack-protector CFLAGS_irq.o := -I $(src)/../include/asm/trace
obj-y += head_$(BITS).o
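Review bot: the two added CFLAGS_head32.o and CFLAGS_head64.o lines carry no comment saying why stack protector is disabled for these objects, and the changelog only gives a reason for the 64-bit case (RIP-relative canary access from the identity-mapped early boot code). A one-line comment above them in the Makefile, plus a sentence in the changelog on why head32.o gets the same flag, would keep the exemption from looking accidental later. For the stable queue, the changelog ties the crash to the canary access changing from %gs:40 to %gs:__stack_chk_guard(%rip); nothing visible in this mail shows that change is queued alongside, so the dependency is worth confirming before this is applied.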
2.39.5
This doesn't need to be backported. It's harmless, but not necessary without the rest of the stack protector changes.
Brian Gerst