On Wed, Jul 30, 2025 at 01:00:39AM +0200, Marco Elver wrote:
> On Wed, 30 Jul 2025 at 00:43, Kees Cook <k...@kernel.org> wrote:
> >
> > In order to support Clang's stack depth tracking (for Linux's kstack_erase
> > feature), the coverage sanitizer needed to be disabled for __init (and
> > __head) section code. Doing this universally (i.e. for GCC too), created
> > a number of unexpected problems, ranging from changes to inlining logic
> > to failures to DCE code on earlier GCC versions.
> >
> > Since this change is only needed for Clang, specialize it so that GCC
> > doesn't see the change as it isn't needed there (the GCC implementation
> > of kstack_erase uses a GCC plugin that removes stack depth tracking
> > instrumentation from __init sections during a late pass in the IR).
> >
> > Successful build and boot tested with GCC 12 and Clang 22.
> >
> > Fixes: 381a38ea53d2 ("init.h: Disable sanitizer coverage for __init and
> > __head")
> > Reported-by: kernel test robot <l...@intel.com>
> > Closes:
> > https://lore.kernel.org/oe-kbuild-all/202507270258.newuixld-...@intel.com/
> > Reported-by: syzbot+5245cb609175fb6e8...@syzkaller.appspotmail.com
> > Closes:
> > https://lore.kernel.org/all/6888d004.a00a0220.26d0e1.0004....@google.com/
> > Signed-off-by: Kees Cook <k...@kernel.org> > > --- > > Cc: Linus Torvalds <torva...@linuxfoundation.org> > > Cc: Thomas Gleixner <t...@linutronix.de> > > Cc: Ingo Molnar <mi...@redhat.com> > > Cc: Borislav Petkov <b...@alien8.de> > > Cc: Dave Hansen <dave.han...@linux.intel.com> > > Cc: <x...@kernel.org> > > Cc: "H. Peter Anvin" <h...@zytor.com> > > Cc: Ard Biesheuvel <a...@kernel.org> > > Cc: Marco Elver <el...@google.com> > > Cc: Hou Wenlong <houwenlong....@antgroup.com> > > Cc: Kirill A. Shutemov <k...@kernel.org> > > Cc: Miguel Ojeda <oj...@kernel.org> > > Cc: Nathan Chancellor <nat...@kernel.org> > > Cc: Przemek Kitszel <przemyslaw.kits...@intel.com> > > Cc: Andrew Morton <a...@linux-foundation.org> > > Cc: Masahiro Yamada <masahi...@kernel.org> > > Cc: Peter Zijlstra <pet...@infradead.org> > > Cc: Wei Yang <richard.weiy...@gmail.com> > > Cc: Sami Tolvanen <samitolva...@google.com> > > Cc: Arnd Bergmann <a...@arndb.de> > > Cc: Christophe Leroy <christophe.le...@csgroup.eu> > > --- > > arch/x86/include/asm/init.h | 2 +- > > include/linux/compiler_types.h | 7 +++++++ > > include/linux/init.h | 2 +- > > 3 files changed, 9 insertions(+), 2 deletions(-) > > > > diff --git a/arch/x86/include/asm/init.h b/arch/x86/include/asm/init.h > > index 6bfdaeddbae8..5a68e9db6518 100644 > > --- a/arch/x86/include/asm/init.h > > +++ b/arch/x86/include/asm/init.h > > @@ -5,7 +5,7 @@ > > #if defined(CONFIG_CC_IS_CLANG) && CONFIG_CLANG_VERSION < 170000 > > #define __head __section(".head.text") __no_sanitize_undefined > > __no_stack_protector > > #else > > -#define __head __section(".head.text") __no_sanitize_undefined > > __no_sanitize_coverage > > +#define __head __section(".head.text") __no_sanitize_undefined > > __no_kstack_erase > > #endif > > > > struct x86_mapping_info { > > diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h > > index 2b77d12e07b2..89e2c01fc8b1 100644 > > --- a/include/linux/compiler_types.h 
> > +++ b/include/linux/compiler_types.h > > @@ -378,6 +378,13 @@ struct ftrace_likely_data { > > # define __signed_wrap > > #endif > > > > +/* GCC does not like splitting sanitizer coverage across section inlines */ > > +#ifdef CC_IS_CLANG > > +#define __no_kstack_erase __no_sanitize_coverage > > +#else > > +#define __no_kstack_erase > > +#endif > > I think this belongs into compiler-clang.h, we've typically refrained > from ifdef CC_IS_CLANG/GCC in the generic headers. > See __nocfi for an example, where compiler_types.h provides a default > empty definition, and compiler-clang.h provides a non-empty > definition.
Oh, good point. I will rearrange this to use the #ifndef style handling!

--
Kees Cook
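Review bot: the guard `#ifdef CC_IS_CLANG` in the include/linux/compiler_types.h hunk lacks the CONFIG_ prefix that the context line in arch/x86/include/asm/init.h uses (`defined(CONFIG_CC_IS_CLANG)`). Unless something defines a bare `CC_IS_CLANG` macro, the #else branch is taken on every compiler and `__no_kstack_erase` expands to nothing under Clang too, which leaves __init and __head code instrumented, the case this patch is meant to prevent. Test `CONFIG_CC_IS_CLANG` instead, or put the non-empty definition in compiler-clang.h with an `#ifndef __no_kstack_erase` default here, which removes the compiler test from the generic header altogether.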
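Review bot: in the arch/x86/include/asm/init.h hunk only the #else definition of `__head` gains `__no_kstack_erase`; the `CONFIG_CLANG_VERSION < 170000` branch above it still carries neither that nor `__no_sanitize_coverage`, and nothing in the hunk says whether that is deliberate. A short comment above the #if would settle it. Separately, with GCC the new macro is empty, so `__head` code is no longer excluded from coverage instrumentation there, while the commit message describes the GCC plugin as handling __init sections only; it would help to state explicitly that .head.text needs no exclusion on GCC.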