* Richard Patel:

> VDSO should expose ENDBR instructions now that usermode IBT is
> available.
>
> Signed-off-by: Richard Patel <[email protected]>
> ---
>  arch/x86/entry/vdso/common/Makefile.include | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/arch/x86/entry/vdso/common/Makefile.include 
> b/arch/x86/entry/vdso/common/Makefile.include
> index 687b3d89b40d..a0dc69b7a330 100644
> --- a/arch/x86/entry/vdso/common/Makefile.include
> +++ b/arch/x86/entry/vdso/common/Makefile.include
> @@ -46,8 +46,7 @@ flags-y += -fasynchronous-unwind-tables
>  # Reset cf protections enabled by compiler default
>  flags-y += $(call cc-option, -fcf-protection=none)
>  flags-$(X86_USER_SHADOW_STACK) += $(call cc-option, -fcf-protection=return)
> -# When user space IBT is supported, enable this.
> -# flags-$(CONFIG_USER_IBT) += $(call cc-option, -fcf-protection=branch)
> +flags-$(CONFIG_X86_USER_IBT) += $(call cc-option, -fcf-protection=branch)
>  
>  flags-$(CONFIG_MITIGATION_RETPOLINE) += $(RETPOLINE_VDSO_CFLAGS)
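
Review bot: The added `flags-$(CONFIG_X86_USER_IBT) += $(call cc-option, -fcf-protection=branch)` line comes after `-fcf-protection=none` and `-fcf-protection=return` in the same `flags-y` list, so with both shadow stack and IBT enabled the effective protection depends on whether the compiler accumulates repeated `-fcf-protection=` options or lets the last one win. Consider emitting a single explicit value for the combined case (for example `-fcf-protection=full` when both options are set) so the vDSO keeps return protection regardless of compiler. Separately, the neighbouring context line tests `X86_USER_SHADOW_STACK` without the `CONFIG_` prefix while the new line uses `CONFIG_X86_USER_IBT`; it is worth confirming both conditionals expand as intended.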

Surprisingly, the option is cumulative in GCC.  I didn't expect that.
So this in fact works with GCC.

However, it's not cumulative in Clang, and -fcf-protection=branch
overrides the earlier -fcf-protection=return.

Thanks,
Florian

