This is a note to let you know that I've just added the patch titled
objtool, retpolines: Integrate objtool with retpoline support more closely
to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...
The filename of the patch is: objtool-retpolines-integrate-objtool-with-retpoline-support-more-closely.patch and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree, please let stable@vger.kernel.org know about it.
From d5028ba8ee5a18c9d0bb926d883c28b370f89009 Mon Sep 17 00:00:00 2001
From: Peter Zijlstra peterz@infradead.org Date: Tue, 6 Feb 2018 09:46:13 +0100 Subject: objtool, retpolines: Integrate objtool with retpoline support more closely
From: Peter Zijlstra peterz@infradead.org
commit d5028ba8ee5a18c9d0bb926d883c28b370f89009 upstream.
Disable retpoline validation in objtool if your compiler sucks, and otherwise select the validation stuff for CONFIG_RETPOLINE=y (most builds would already have it set due to ORC).
Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org Acked-by: Thomas Gleixner tglx@linutronix.de Cc: Andy Lutomirski luto@kernel.org Cc: Arjan van de Ven arjan@linux.intel.com Cc: Borislav Petkov bp@alien8.de Cc: Dan Williams dan.j.williams@intel.com Cc: Dave Hansen dave.hansen@linux.intel.com Cc: David Woodhouse dwmw2@infradead.org Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org Cc: Josh Poimboeuf jpoimboe@redhat.com Cc: Linus Torvalds torvalds@linux-foundation.org Cc: Peter Zijlstra peterz@infradead.org Signed-off-by: Ingo Molnar mingo@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- Makefile | 5 +++++ arch/x86/Kconfig | 1 + arch/x86/Makefile | 10 +++------- scripts/Makefile.build | 2 ++ 4 files changed, 11 insertions(+), 7 deletions(-)
--- a/Makefile +++ b/Makefile @@ -494,6 +494,11 @@ KBUILD_CFLAGS += $(CLANG_TARGET) $(CLANG KBUILD_AFLAGS += $(CLANG_TARGET) $(CLANG_GCC_TC) endif
+RETPOLINE_CFLAGS_GCC := -mindirect-branch=thunk-extern -mindirect-branch-register +RETPOLINE_CFLAGS_CLANG := -mretpoline-external-thunk +RETPOLINE_CFLAGS := $(call cc-option,$(RETPOLINE_CFLAGS_GCC),$(call cc-option,$(RETPOLINE_CFLAGS_CLANG))) +export RETPOLINE_CFLAGS + ifeq ($(config-targets),1) # =========================================================================== # *config targets only - make sure prerequisites are updated, and descend --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -431,6 +431,7 @@ config GOLDFISH config RETPOLINE bool "Avoid speculative indirect branches in kernel" default y + select STACK_VALIDATION if HAVE_STACK_VALIDATION help Compile kernel with the retpoline compiler options to guard against kernel-to-user data leaks by avoiding speculative indirect --- a/arch/x86/Makefile +++ b/arch/x86/Makefile @@ -232,13 +232,9 @@ KBUILD_CFLAGS += -fno-asynchronous-unwin
# Avoid indirect branches in kernel to deal with Spectre ifdef CONFIG_RETPOLINE - RETPOLINE_CFLAGS_GCC := -mindirect-branch=thunk-extern -mindirect-branch-register - RETPOLINE_CFLAGS_CLANG := -mretpoline-external-thunk - - RETPOLINE_CFLAGS += $(call cc-option,$(RETPOLINE_CFLAGS_GCC),$(call cc-option,$(RETPOLINE_CFLAGS_CLANG))) - ifneq ($(RETPOLINE_CFLAGS),) - KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) -DRETPOLINE - endif +ifneq ($(RETPOLINE_CFLAGS),) + KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) -DRETPOLINE +endif endif
archscripts: scripts_basic --- a/scripts/Makefile.build +++ b/scripts/Makefile.build @@ -272,8 +272,10 @@ else objtool_args += $(call cc-ifversion, -lt, 0405, --no-unreachable) endif ifdef CONFIG_RETPOLINE +ifneq ($(RETPOLINE_CFLAGS),) objtool_args += --retpoline endif +endif
ifdef CONFIG_MODVERSIONS
Patches currently in stable-queue which might be from peterz@infradead.org are
queue-4.14/x86-kprobes-fix-kernel-crash-when-probing-.entry_trampoline-code.patch queue-4.14/objtool-fix-32-bit-build.patch queue-4.14/x86-boot-objtool-annotate-indirect-jump-in-secondary_startup_64.patch queue-4.14/objtool-add-module-specific-retpoline-rules.patch queue-4.14/x86-retpoline-support-retpoline-builds-with-clang.patch queue-4.14/x86-ldt-avoid-warning-in-32-bit-builds-with-older-gcc.patch queue-4.14/x86-entry-reduce-the-code-footprint-of-the-idtentry-macro.patch queue-4.14/objtool-retpolines-integrate-objtool-with-retpoline-support-more-closely.patch queue-4.14/revert-x86-retpoline-simplify-vmexit_fill_rsb.patch queue-4.14/nospec-include-asm-barrier.h-dependency.patch queue-4.14/x86-mm-remove-stale-comment-about-kmemcheck.patch queue-4.14/objtool-add-retpoline-validation.patch queue-4.14/x86-mm-sme-objtool-annotate-indirect-call-in-sme_encrypt_execute.patch queue-4.14/x86-speculation-use-ibrs-if-available-before-calling-into-firmware.patch queue-4.14/x86-asm-improve-how-gen_-_suffixed_rmwcc-specify-clobbers.patch queue-4.14/x86-64-realmode-add-instruction-suffix.patch queue-4.14/objtool-fix-another-switch-table-detection-issue.patch queue-4.14/x86-speculation-move-firmware_restrict_branch_speculation_-from-c-to-cpp.patch queue-4.14/x86-speculation-objtool-annotate-indirect-calls-jumps-for-objtool.patch queue-4.14/x86-paravirt-objtool-annotate-indirect-calls.patch queue-4.14/objtool-use-existing-global-variables-for-options.patch queue-4.14/x86-entry-64-use-xorl-for-faster-register-clearing.patch queue-4.14/nospec-kill-array_index_nospec_mask_check.patch queue-4.14/lib-bug.c-exclude-non-bug-warn-exceptions-from-report_bug.patch