Re: [PATCH -fixes] riscv: Fix ftrace syscall handling which are now prefixed with __riscv_

const char *name) > +{ > + /* > +* Since all syscall functions have __riscv_ prefix, we must skip it. > +* However, as we described above, we decided to ignore compat > +* syscalls, so we don't care about __riscv_compat_ prefix here. > +*/ > + return !strcmp(sym + 8, name); > +} Good catch, thanks for fixing this! Reviewed-by: Sami Tolvanen Sami

Re: [PATCH 02/15] objtool: Add CONFIG_CFI_CLANG support

On Tue, Apr 20, 2021 at 12:48 PM Josh Poimboeuf wrote: > > On Fri, Apr 16, 2021 at 01:38:31PM -0700, Sami Tolvanen wrote: > > +static int fix_cfi_relocs(const struct elf *elf) > > +{ > > + struct section *sec, *tmpsec; > > +

Re: [PATCH 01/15] objtool: Find a destination for jumps beyond the section end

On Tue, Apr 20, 2021 at 11:14 AM Josh Poimboeuf wrote: > > On Fri, Apr 16, 2021 at 01:38:30PM -0700, Sami Tolvanen wrote: > > With -ffunction-sections, Clang can generate a jump beyond the end of > > a section when the section ends in an unreachable instruction. > > Why?

Re: [PATCH 09/15] x86/alternatives: Use C int3 selftest but disable KASAN

On Sat, Apr 17, 2021 at 4:37 AM Peter Zijlstra wrote: > > On Fri, Apr 16, 2021 at 01:38:38PM -0700, Sami Tolvanen wrote: > > From: Kees Cook > > > > Instead of using inline asm for the int3 selftest (which confuses the > > Clang's ThinLTO pass), this restores the

Re: [PATCH 05/15] x86: Implement function_nocfi

On Sun, Apr 18, 2021 at 3:57 PM Andy Lutomirski wrote: > > On Sun, Apr 18, 2021 at 9:17 AM Thomas Gleixner wrote: > > > > On Sat, Apr 17 2021 at 17:11, Andy Lutomirski wrote: > > > On Sat, Apr 17, 2021 at 4:53 PM Thomas Gleixner > > > wrote: > > >> which works for > > >> > > >> foo =

Re: [PATCH 05/15] x86: Implement function_nocfi

On Sat, Apr 17, 2021 at 3:16 AM Thomas Gleixner wrote: > > On Sat, Apr 17 2021 at 01:02, Thomas Gleixner wrote: > > On Fri, Apr 16 2021 at 15:37, Kees Cook wrote: > > > >> On Fri, Apr 16, 2021 at 03:20:17PM -0700, Andy Lutomirski wrote: > >>> But obviously there is code that needs real function

Re: [PATCH 05/15] x86: Implement function_nocfi

On Fri, Apr 16, 2021 at 2:18 PM Borislav Petkov wrote: > > On Fri, Apr 16, 2021 at 01:38:34PM -0700, Sami Tolvanen wrote: > > With CONFIG_CFI_CLANG, the compiler replaces function addresses in > > instrumented C code with jump table addresses. This change implements > > th

[PATCH 15/15] x86, build: Allow CONFIG_CFI_CLANG to be selected

Select ARCH_SUPPORTS_CFI_CLANG to allow CFI to be enabled. Signed-off-by: Sami Tolvanen --- arch/x86/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index bf69d07e46b8..81d2dc568e56 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -106,6

[PATCH 14/15] x86, kprobes: Fix optprobe_template_func type mismatch

-by: Sami Tolvanen --- arch/x86/kernel/kprobes/opt.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/arch/x86/kernel/kprobes/opt.c b/arch/x86/kernel/kprobes/opt.c index 71425ebba98a..95375ef5deee 100644 --- a/arch/x86/kernel/kprobes/opt.c +++ b/arch/x86/kernel/kprobes/opt.c

[PATCH 12/15] x86, module: Ignore __typeid__ relocations

Ignore the __typeid__ relocations generated with CONFIG_CFI_CLANG when loading modules. Signed-off-by: Sami Tolvanen --- arch/x86/kernel/module.c | 4 1 file changed, 4 insertions(+) diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c index 5e9a34b5bd74..c4aeba237eef 100644

[PATCH 13/15] x86, cpu: Use LTO for cpu.c with CFI

Allow LTO to be used for cpu.c when CONFIG_CFI_CLANG is enabled to avoid indirect call failures. CFI requires Clang >= 12, which doesn't have the stack protector inlining bug. Signed-off-by: Sami Tolvanen --- arch/x86/power/Makefile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/

[PATCH 11/15] x86, relocs: Ignore __typeid__ relocations

From: Kees Cook The __typeid__* symbols aren't actually relocations, so they can be ignored during relocation generation. Signed-off-by: Kees Cook Signed-off-by: Sami Tolvanen --- arch/x86/tools/relocs.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/arch/x86/tools/relocs.c b

[PATCH 10/15] x86/purgatory: Disable CFI

Disable CONFIG_CFI_CLANG for the stand-alone purgatory.ro. Signed-off-by: Sami Tolvanen --- arch/x86/purgatory/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/purgatory/Makefile b/arch/x86/purgatory/Makefile index 95ea17a9d20c..ed46ad780130 100644

[PATCH 08/15] x86/extable: Do not mark exception callback as CFI

Signed-off-by: Sami Tolvanen --- arch/x86/mm/extable.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c index b93d6cd08a7f..a7eae1c4c59f 100644 --- a/arch/x86/mm/extable.c +++ b/arch/x86/mm/extable.c @@ -155,6 +155,7 @@ enum handler_type

[PATCH 09/15] x86/alternatives: Use C int3 selftest but disable KASAN

ecc606103837 ("x86/alternatives: Fix int3_emulate_call() selftest stack corruption") without using inline asm. Signed-off-by: Kees Cook Signed-off-by: Sami Tolvanen --- arch/x86/kernel/alternative.c | 21 - 1 file changed, 4 insertions(+), 17 deletions(-) diff --git

[PATCH 04/15] static_call: Use global functions for the self-test

renaming them. Signed-off-by: Sami Tolvanen --- kernel/static_call.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/static_call.c b/kernel/static_call.c index 723fcc9d20db..d09f500c2d2a 100644 --- a/kernel/static_call.c +++ b/kernel/static_call.c @@ -503,12 +503,12

[PATCH 03/15] objtool: Add ASM_STACK_FRAME_NON_STANDARD

-by: Sami Tolvanen --- include/linux/objtool.h | 5 + tools/include/linux/objtool.h | 5 + 2 files changed, 10 insertions(+) diff --git a/include/linux/objtool.h b/include/linux/objtool.h index 7e72d975cb76..2f29ce48ab5f 100644 --- a/include/linux/objtool.h +++ b/include/linux

[PATCH 07/15] x86/ftrace: Use function_nocfi in MCOUNT_ADDR

With CONFIG_CFI_CLANG, the compiler replaces the __fentry__ address in MCOUNT_ADDR with the address of a CFI jump table. Use function_nocfi() to get the actual function address. Signed-off-by: Sami Tolvanen --- arch/x86/include/asm/ftrace.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion

[PATCH 06/15] x86: Avoid CFI jump tables in IDT and entry points

entry points. Reported-by: Sedat Dilek Signed-off-by: Sami Tolvanen Tested-by: Sedat Dilek --- arch/x86/include/asm/desc.h | 8 +++- arch/x86/kernel/Makefile | 3 +++ arch/x86/kernel/cpu/common.c | 8 arch/x86/kernel/idt.c| 2 +- arch/x86/kernel/traps.c | 2

[PATCH 05/15] x86: Implement function_nocfi

With CONFIG_CFI_CLANG, the compiler replaces function addresses in instrumented C code with jump table addresses. This change implements the function_nocfi() macro, which returns the actual function address instead. Signed-off-by: Sami Tolvanen --- arch/x86/include/asm/page.h | 14

[PATCH 02/15] objtool: Add CONFIG_CFI_CLANG support

://lore.kernel.org/r/d743f4b36e120c06506567a9f87a062ae03da47f.1611263462.git.jpoim...@redhat.com/ Reported-by: Sedat Dilek Suggested-by: Josh Poimboeuf Signed-off-by: Sami Tolvanen --- tools/objtool/elf.c | 48 + tools/objtool/include/objtool/elf.h | 2 +- 2

[PATCH 01/15] objtool: Find a destination for jumps beyond the section end

With -ffunction-sections, Clang can generate a jump beyond the end of a section when the section ends in an unreachable instruction. If the offset matches the section length, use the last instruction as the jump destination. Signed-off-by: Sami Tolvanen --- tools/objtool/check.c | 4 1

[PATCH 00/15] x86: Add support for Clang CFI

/alternatives: Use C int3 selftest but disable KASAN x86, relocs: Ignore __typeid__ relocations Sami Tolvanen (12): objtool: Find a destination for jumps beyond the section end objtool: Add CONFIG_CFI_CLANG support objtool: Add ASM_STACK_FRAME_NON_STANDARD static_call: Use global functions

Re: [PATCH] arm64: alternatives: Move length validation in alternative_{insn,endif}

On Thu, Apr 15, 2021 at 7:02 AM Catalin Marinas wrote: > > On Thu, Apr 15, 2021 at 06:25:57AM -0700, Nathan Chancellor wrote: > > On Thu, Apr 15, 2021 at 10:17:43AM +0100, Catalin Marinas wrote: > > > On Tue, Apr 13, 2021 at 05:08:04PM -0700, Nathan Chancellor wrote: > > > > After commit

Re: [PATCH] arm64: alternatives: Move length validation in alternative_{insn,endif}

.org. - (664b-663b) + (662b-661b) > + .org. - (662b-661b) + (664b-663b) > .if .Lasm_alt_mode==0 > .previous > .endif > - .org. - (664b-663b) + (662b-661b) > - .org. - (662b-661b) + (664b-663b) > .endm > > /* Thank

[PATCH v6 17/18] KVM: arm64: Disable CFI for nVHE

Disable CFI for the nVHE code to avoid address space confusion. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook Tested-by: Nathan Chancellor --- arch/arm64/kvm/hyp/nvhe/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/arm64/kvm/hyp/nvhe/Makefile b

[PATCH v6 18/18] arm64: allow CONFIG_CFI_CLANG to be selected

Select ARCH_SUPPORTS_CFI_CLANG to allow CFI to be enabled. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook Tested-by: Nathan Chancellor --- arch/arm64/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index e4e1b6550115..d7395772b6b8

[PATCH v6 15/18] arm64: add __nocfi to __apply_alternatives

around the issue. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook Tested-by: Nathan Chancellor --- arch/arm64/kernel/alternative.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/arm64/kernel/alternative.c b/arch/arm64/kernel/alternative.c index 1184c44ea2c7

[PATCH v6 16/18] arm64: ftrace: use function_nocfi for ftrace_call

Signed-off-by: Sami Tolvanen Acked-by: Mark Rutland Tested-by: Nathan Chancellor --- arch/arm64/kernel/ftrace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/kernel/ftrace.c b/arch/arm64/kernel/ftrace.c index 86a5cf9bc19a..b5d3ddaf69d9 100644 --- a/arch/arm64

[PATCH v6 14/18] arm64: add __nocfi to functions that jump to a physical address

Disable CFI checking for functions that switch to linear mapping and make an indirect call to a physical address, since the compiler only understands virtual addresses and the CFI check for such indirect calls would always fail. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook Tested

[PATCH v6 13/18] arm64: use function_nocfi with __pa_symbol

to the function's virtual address. Therefore, use the function_nocfi() macro to ensure we are always taking the address of the actual function instead. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook Acked-by: Mark Rutland Tested-by: Nathan Chancellor --- arch/arm64/include/asm/mmu_context.h

[PATCH v6 12/18] arm64: implement function_nocfi

With CONFIG_CFI_CLANG, the compiler replaces function addresses in instrumented C code with jump table addresses. This change implements the function_nocfi() macro, which returns the actual function address instead. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook Acked-by: Mark Rutland

[PATCH v6 11/18] psci: use function_nocfi for cpu_resume

function_nocfi to get the actual address of cpu_resume. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook Acked-by: Mark Rutland Tested-by: Nathan Chancellor --- drivers/firmware/psci/psci.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/firmware/psci/psci.c b

[PATCH v6 10/18] lkdtm: use function_nocfi

To ensure we take the actual address of a function in kernel text, use function_nocfi. Otherwise, with CONFIG_CFI_CLANG, the compiler replaces the address with a pointer to the CFI jump table, which is actually in the module when compiled with CONFIG_LKDTM=m. Signed-off-by: Sami Tolvanen Acked

[PATCH v6 09/18] treewide: Change list_sort to use const pointers

the list_cmp_func_t type and changes the comparison function types of all list_sort() callers to use const pointers, thus avoiding type mismatches. Suggested-by: Nick Desaulniers Signed-off-by: Sami Tolvanen Reviewed-by: Nick Desaulniers Reviewed-by: Christoph Hellwig Reviewed-by: Kees Cook Tested

[PATCH v6 08/18] bpf: disable CFI in dispatcher functions

BPF dispatcher functions are patched at runtime to perform direct instead of indirect calls. Disable CFI for the dispatcher functions to avoid conflicts. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook Tested-by: Nathan Chancellor --- include/linux/bpf.h | 4 ++-- 1 file changed, 2

[PATCH v6 07/18] kallsyms: strip ThinLTO hashes from static functions

With CONFIG_CFI_CLANG and ThinLTO, Clang appends a hash to the names of all static functions not marked __used. This can break userspace tools that don't expect the function name to change, so strip out the hash from the output. Suggested-by: Jack Pham Signed-off-by: Sami Tolvanen Reviewed

[PATCH v6 06/18] kthread: use WARN_ON_FUNCTION_MISMATCH

ion != ktead_delayed_work_timer_fn); Use WARN_ON_FUNCTION_MISMATCH() instead to disable the warning when CFI and modules are both enabled. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook Tested-by: Nathan Chancellor --- kernel/kthread.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ker

[PATCH v6 05/18] workqueue: use WARN_ON_FUNCTION_MISMATCH

_fn); Use WARN_ON_FUNCTION_MISMATCH() instead to disable the warning when CFI and modules are both enabled. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook Tested-by: Nathan Chancellor --- kernel/workqueue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/workqueue.

[PATCH v6 04/18] module: ensure __cfi_check alignment

and alignment. It also discards the .eh_frame section, which Clang can generate with certain sanitizers, such as CFI. Link: https://bugs.llvm.org/show_bug.cgi?id=46293 Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook Acked-by: Jessica Yu Tested-by: Nathan Chancellor --- scripts/module.lds.S | 19

[PATCH v6 03/18] mm: add generic function_nocfi macro

compiler instrumentation. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook Acked-by: Mark Rutland Tested-by: Nathan Chancellor --- include/linux/mm.h | 10 ++ 1 file changed, 10 insertions(+) diff --git a/include/linux/mm.h b/include/linux/mm.h index 8ba434287387..22cce9c7dd05 100644

[PATCH v6 02/18] cfi: add __cficanonical

taken in assembly, or other non-instrumented code always points to the jump table and therefore, can be used for indirect calls in instrumented code without tripping CFI checks. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook Acked-by: Bjorn Helgaas# pci.h Tested-by: Nathan Chancellor

[PATCH v6 01/18] add support for Clang CFI

, where the kernel prints out a rate-limited warning instead, and allows execution to continue. This option is helpful for locating type mismatches, but should only be enabled during development. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook Tested-by: Nathan Chancellor --- Makefile

[PATCH v6 00/18] Add support for Clang CFI

/workqueue.c to use the macro instead. Sami Tolvanen (18): add support for Clang CFI cfi: add __cficanonical mm: add generic function_nocfi macro module: ensure __cfi_check alignment workqueue: use WARN_ON_FUNCTION_MISMATCH kthread: use WARN_ON_FUNCTION_MISMATCH kallsyms: strip ThinLTO hashes

Re: [PATCH v5 14/18] arm64: add __nocfi to functions that jump to a physical address

On Tue, Apr 6, 2021 at 4:54 AM Mark Rutland wrote: > > [adding Ard for EFI runtime services bits] > > On Thu, Apr 01, 2021 at 04:32:12PM -0700, Sami Tolvanen wrote: > > Disable CFI checking for functions that switch to linear mapping and > > make an indirect call to a

Re: [PATCH v5 12/18] arm64: implement function_nocfi

On Tue, Apr 6, 2021 at 4:37 AM Mark Rutland wrote: > > On Thu, Apr 01, 2021 at 04:32:10PM -0700, Sami Tolvanen wrote: > > With CONFIG_CFI_CLANG, the compiler replaces function addresses in > > instrumented C code with jump table addresses. This change implements > > th

Re: [PATCH] kbuild: merge module sections under CONFIG_LD_DEAD_CODE_DATA_ELIMINATION too

On Fri, Apr 2, 2021 at 5:40 AM Alexander Lobakin wrote: > > When building with CONFIG_LD_DEAD_CODE_DATA_ELIMINATION, > -fdata-sections and -ffunction-sections are being enabled by the > top-level Makefile, and module section merging is also needed. > Expand the ifdef (and the comment block) to

[PATCH v5 15/18] arm64: add __nocfi to __apply_alternatives

around the issue. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- arch/arm64/kernel/alternative.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/arm64/kernel/alternative.c b/arch/arm64/kernel/alternative.c index 1184c44ea2c7..abc84636af07 100644 --- a/arch

[PATCH v5 16/18] arm64: ftrace: use function_nocfi for ftrace_call

Signed-off-by: Sami Tolvanen --- arch/arm64/kernel/ftrace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/kernel/ftrace.c b/arch/arm64/kernel/ftrace.c index 86a5cf9bc19a..b5d3ddaf69d9 100644 --- a/arch/arm64/kernel/ftrace.c +++ b/arch/arm64/kernel/ftrace.c @@ -55,7

[PATCH v5 17/18] KVM: arm64: Disable CFI for nVHE

Disable CFI for the nVHE code to avoid address space confusion. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- arch/arm64/kvm/hyp/nvhe/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/arm64/kvm/hyp/nvhe/Makefile b/arch/arm64/kvm/hyp/nvhe/Makefile

[PATCH v5 18/18] arm64: allow CONFIG_CFI_CLANG to be selected

Select ARCH_SUPPORTS_CFI_CLANG to allow CFI to be enabled. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- arch/arm64/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index e4e1b6550115..d7395772b6b8 100644 --- a/arch/arm64/Kconfig

[PATCH v5 13/18] arm64: use function_nocfi with __pa_symbol

to the function's virtual address. Therefore, use the function_nocfi() macro to ensure we are always taking the address of the actual function instead. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- arch/arm64/include/asm/mmu_context.h | 2 +- arch/arm64/kernel/acpi_parking_protocol.c | 3

[PATCH v5 12/18] arm64: implement function_nocfi

With CONFIG_CFI_CLANG, the compiler replaces function addresses in instrumented C code with jump table addresses. This change implements the function_nocfi() macro, which returns the actual function address instead. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- arch/arm64/include/asm

[PATCH v5 14/18] arm64: add __nocfi to functions that jump to a physical address

Disable CFI checking for functions that switch to linear mapping and make an indirect call to a physical address, since the compiler only understands virtual addresses and the CFI check for such indirect calls would always fail. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- arch

[PATCH v5 11/18] psci: use function_nocfi for cpu_resume

function_nocfi to get the actual address of cpu_resume. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- drivers/firmware/psci/psci.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/firmware/psci/psci.c b/drivers/firmware/psci/psci.c index f5fc429cae3f

[PATCH v5 10/18] lkdtm: use function_nocfi

To ensure we take the actual address of a function in kernel text, use function_nocfi. Otherwise, with CONFIG_CFI_CLANG, the compiler replaces the address with a pointer to the CFI jump table, which is actually in the module when compiled with CONFIG_LKDTM=m. Signed-off-by: Sami Tolvanen Acked

[PATCH v5 07/18] kallsyms: strip ThinLTO hashes from static functions

With CONFIG_CFI_CLANG and ThinLTO, Clang appends a hash to the names of all static functions not marked __used. This can break userspace tools that don't expect the function name to change, so strip out the hash from the output. Suggested-by: Jack Pham Signed-off-by: Sami Tolvanen Reviewed

[PATCH v5 09/18] treewide: Change list_sort to use const pointers

the list_cmp_func_t type and changes the comparison function types of all list_sort() callers to use const pointers, thus avoiding type mismatches. Suggested-by: Nick Desaulniers Signed-off-by: Sami Tolvanen Reviewed-by: Nick Desaulniers Tested-by: Nick Desaulniers Reviewed-by: Christoph Hellwig

[PATCH v5 08/18] bpf: disable CFI in dispatcher functions

BPF dispatcher functions are patched at runtime to perform direct instead of indirect calls. Disable CFI for the dispatcher functions to avoid conflicts. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- include/linux/bpf.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff

[PATCH v5 05/18] workqueue: use WARN_ON_FUNCTION_MISMATCH

_fn); Use WARN_ON_FUNCTION_MISMATCH() instead to disable the warning when CFI and modules are both enabled. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- kernel/workqueue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/workqueue.c b/kernel/workqueue.c in

[PATCH v5 06/18] kthread: use WARN_ON_FUNCTION_MISMATCH

ion != ktead_delayed_work_timer_fn); Use WARN_ON_FUNCTION_MISMATCH() instead to disable the warning when CFI and modules are both enabled. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- kernel/kthread.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/kthread.c b/kernel/kthrea

[PATCH v5 04/18] module: ensure __cfi_check alignment

and alignment. It also discards the .eh_frame section, which Clang can generate with certain sanitizers, such as CFI. Link: https://bugs.llvm.org/show_bug.cgi?id=46293 Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook Acked-by: Jessica Yu --- scripts/module.lds.S | 19 ++- 1 file changed

[PATCH v5 03/18] mm: add generic function_nocfi macro

compiler instrumentation. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- include/linux/mm.h | 10 ++ 1 file changed, 10 insertions(+) diff --git a/include/linux/mm.h b/include/linux/mm.h index 8ba434287387..22cce9c7dd05 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h

[PATCH v5 02/18] cfi: add __cficanonical

taken in assembly, or other non-instrumented code always points to the jump table and therefore, can be used for indirect calls in instrumented code without tripping CFI checks. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook Acked-by: Bjorn Helgaas# pci.h --- include/linux/compiler

[PATCH v5 01/18] add support for Clang CFI

, where the kernel prints out a rate-limited warning instead, and allows execution to continue. This option is helpful for locating type mismatches, but should only be enabled during development. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- Makefile | 17 ++ arch

[PATCH v5 00/18] Add support for Clang CFI

to synchronize_rcu() in update_shadow(). Changes in v2: - Fixed .text merging in module.lds.S. - Added WARN_ON_FUNCTION_MISMATCH() and changed kernel/thread.c and kernel/workqueue.c to use the macro instead. Sami Tolvanen (18): add support for Clang CFI cfi: add __cficanonical mm: add generic

[PATCH v4 16/17] KVM: arm64: Disable CFI for nVHE

Disable CFI for the nVHE code to avoid address space confusion. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- arch/arm64/kvm/hyp/nvhe/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/arm64/kvm/hyp/nvhe/Makefile b/arch/arm64/kvm/hyp/nvhe/Makefile

[PATCH v4 15/17] arm64: add __nocfi to __apply_alternatives

around the issue. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- arch/arm64/kernel/alternative.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/arm64/kernel/alternative.c b/arch/arm64/kernel/alternative.c index 1184c44ea2c7..abc84636af07 100644 --- a/arch

[PATCH v4 17/17] arm64: allow CONFIG_CFI_CLANG to be selected

Select ARCH_SUPPORTS_CFI_CLANG to allow CFI to be enabled. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- arch/arm64/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index e4e1b6550115..d7395772b6b8 100644 --- a/arch/arm64/Kconfig

[PATCH v4 10/17] lkdtm: use function_nocfi

To ensure we take the actual address of a function in kernel text, use function_nocfi. Otherwise, with CONFIG_CFI_CLANG, the compiler replaces the address with a pointer to the CFI jump table, which is actually in the module when compiled with CONFIG_LKDTM=m. Signed-off-by: Sami Tolvanen Acked

[PATCH v4 14/17] arm64: add __nocfi to functions that jump to a physical address

Disable CFI checking for functions that switch to linear mapping and make an indirect call to a physical address, since the compiler only understands virtual addresses and the CFI check for such indirect calls would always fail. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- arch

[PATCH v4 12/17] arm64: implement function_nocfi

With CONFIG_CFI_CLANG, the compiler replaces function addresses in instrumented C code with jump table addresses. This change implements the function_nocfi() macro, which returns the actual function address instead. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- arch/arm64/include/asm

[PATCH v4 11/17] psci: use function_nocfi for cpu_resume

function_nocfi to get the actual address of cpu_resume. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- drivers/firmware/psci/psci.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/firmware/psci/psci.c b/drivers/firmware/psci/psci.c index f5fc429cae3f

[PATCH v4 13/17] arm64: use function_nocfi with __pa_symbol

to the function's virtual address. Therefore, use the function_nocfi() macro to ensure we are always taking the address of the actual function instead. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- arch/arm64/include/asm/mmu_context.h | 2 +- arch/arm64/kernel/acpi_parking_protocol.c | 3

[PATCH v4 07/17] kallsyms: strip ThinLTO hashes from static functions

With CONFIG_CFI_CLANG and ThinLTO, Clang appends a hash to the names of all static functions not marked __used. This can break userspace tools that don't expect the function name to change, so strip out the hash from the output. Suggested-by: Jack Pham Signed-off-by: Sami Tolvanen Reviewed

[PATCH v4 09/17] treewide: Change list_sort to use const pointers

the list_cmp_func_t type and changes the comparison function types of all list_sort() callers to use const pointers, thus avoiding type mismatches. Suggested-by: Nick Desaulniers Signed-off-by: Sami Tolvanen Reviewed-by: Nick Desaulniers Tested-by: Nick Desaulniers Reviewed-by: Christoph Hellwig

[PATCH v4 08/17] bpf: disable CFI in dispatcher functions

BPF dispatcher functions are patched at runtime to perform direct instead of indirect calls. Disable CFI for the dispatcher functions to avoid conflicts. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- include/linux/bpf.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff

[PATCH v4 06/17] kthread: use WARN_ON_FUNCTION_MISMATCH

ion != ktead_delayed_work_timer_fn); Use WARN_ON_FUNCTION_MISMATCH() instead to disable the warning when CFI and modules are both enabled. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- kernel/kthread.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/kthread.c b/kernel/kthrea

[PATCH v4 04/17] module: ensure __cfi_check alignment

and alignment. It also discards the .eh_frame section, which Clang can generate with certain sanitizers, such as CFI. Link: https://bugs.llvm.org/show_bug.cgi?id=46293 Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook Acked-by: Jessica Yu --- scripts/module.lds.S | 20 +++- 1 file changed

[PATCH v4 03/17] mm: add generic function_nocfi macro

compiler instrumentation. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- include/linux/mm.h | 10 ++ 1 file changed, 10 insertions(+) diff --git a/include/linux/mm.h b/include/linux/mm.h index 8ba434287387..22cce9c7dd05 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h

[PATCH v4 05/17] workqueue: use WARN_ON_FUNCTION_MISMATCH

_fn); Use WARN_ON_FUNCTION_MISMATCH() instead to disable the warning when CFI and modules are both enabled. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- kernel/workqueue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/workqueue.c b/kernel/workqueue.c in

[PATCH v4 02/17] cfi: add __cficanonical

taken in assembly, or other non-instrumented code always points to the jump table and therefore, can be used for indirect calls in instrumented code without tripping CFI checks. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook Acked-by: Bjorn Helgaas# pci.h --- include/linux/compiler

[PATCH v4 01/17] add support for Clang CFI

, where the kernel prints out a rate-limited warning instead, and allows execution to continue. This option is helpful for locating type mismatches, but should only be enabled during development. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- Makefile | 17 ++ arch

[PATCH v4 00/17] Add support for Clang CFI

/workqueue.c to use the macro instead. Sami Tolvanen (17): add support for Clang CFI cfi: add __cficanonical mm: add generic function_nocfi macro module: ensure __cfi_check alignment workqueue: use WARN_ON_FUNCTION_MISMATCH kthread: use WARN_ON_FUNCTION_MISMATCH kallsyms: strip

Re: [PATCH v3 12/17] arm64: implement __va_function

On Thu, Mar 25, 2021 at 3:38 AM Mark Rutland wrote: > > On Tue, Mar 23, 2021 at 01:39:41PM -0700, Sami Tolvanen wrote: > > With CONFIG_CFI_CLANG, the compiler replaces function addresses in > > instrumented C code with jump table addresses. This change implements > > t

Re: [PATCH v3 03/17] mm: add generic __va_function and __pa_function macros

On Thu, Mar 25, 2021 at 3:17 AM Mark Rutland wrote: > > On Wed, Mar 24, 2021 at 08:54:18AM -0700, Sami Tolvanen wrote: > > On Wed, Mar 24, 2021 at 12:14 AM Christoph Hellwig > > wrote: > > > > > > On Tue, Mar 23, 2021 at 01:39:32PM -0700, Sami Tolvanen

Re: [PATCH] static_call: fix function type mismatch

On Wed, Mar 24, 2021 at 3:53 PM Rasmus Villemoes wrote: > > On 24/03/2021 23.34, Sami Tolvanen wrote: > > On Wed, Mar 24, 2021 at 2:51 PM Rasmus Villemoes > > wrote: > >> > >> On 24/03/2021 18.33, Peter Zijlstra wrote: > >>> On Wed, Mar 24,

Re: [PATCH] static_call: fix function type mismatch

On Wed, Mar 24, 2021 at 2:51 PM Rasmus Villemoes wrote: > > On 24/03/2021 18.33, Peter Zijlstra wrote: > > On Wed, Mar 24, 2021 at 05:45:52PM +0100, Rasmus Villemoes wrote: > >> Sorry, I think I misread the code. The static calls are indeed > >> initialized with a function with the right

Re: [PATCH v3 02/17] cfi: add __cficanonical

On Wed, Mar 24, 2021 at 8:31 AM Rasmus Villemoes wrote: > > On 23/03/2021 21.39, Sami Tolvanen wrote: > > With CONFIG_CFI_CLANG, the compiler replaces a function address taken > > in C code with the address of a local jump table entry, which passes > > runtime indir

Re: [PATCH] static_call: fix function type mismatch

On Wed, Mar 24, 2021 at 5:46 AM Rasmus Villemoes wrote: > > On 23/03/2021 08.47, Peter Zijlstra wrote: > > On Mon, Mar 22, 2021 at 05:29:21PM -0400, Steven Rostedt wrote: > >> On Mon, 22 Mar 2021 22:18:17 +0100 > >> Arnd Bergmann wrote: > >> > >>> I think the code works correctly on all

Re: [PATCH v3 03/17] mm: add generic __va_function and __pa_function macros

On Wed, Mar 24, 2021 at 12:14 AM Christoph Hellwig wrote: > > On Tue, Mar 23, 2021 at 01:39:32PM -0700, Sami Tolvanen wrote: > > With CONFIG_CFI_CLANG, the compiler replaces function addresses > > in instrumented C code with jump table addresses. This means that > > __pa_

[PATCH v3 11/17] psci: use __pa_function for cpu_resume

__pa_function instead to get the address to cpu_resume. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- drivers/firmware/psci/psci.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/firmware/psci/psci.c b/drivers/firmware/psci/psci.c index f5fc429cae3f

[PATCH v3 12/17] arm64: implement __va_function

With CONFIG_CFI_CLANG, the compiler replaces function addresses in instrumented C code with jump table addresses. This change implements the __va_function() macro, which returns the actual function address instead. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- arch/arm64/include/asm

[PATCH v3 07/17] kallsyms: strip ThinLTO hashes from static functions

With CONFIG_CFI_CLANG and ThinLTO, Clang appends a hash to the names of all static functions not marked __used. This can break userspace tools that don't expect the function name to change, so strip out the hash from the output. Suggested-by: Jack Pham Signed-off-by: Sami Tolvanen Reviewed

[PATCH v3 13/17] arm64: use __pa_function

to the function's virtual address. Therefore, use the __pa_function() macro to ensure we are always taking the address of the actual function instead. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- arch/arm64/include/asm/mmu_context.h | 2 +- arch/arm64/kernel/acpi_parking_protocol.c | 2

[PATCH v3 16/17] KVM: arm64: Disable CFI for nVHE

Disable CFI for the nVHE code to avoid address space confusion. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- arch/arm64/kvm/hyp/nvhe/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/arm64/kvm/hyp/nvhe/Makefile b/arch/arm64/kvm/hyp/nvhe/Makefile

[PATCH v3 17/17] arm64: allow CONFIG_CFI_CLANG to be selected

Select ARCH_SUPPORTS_CFI_CLANG to allow CFI to be enabled. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- arch/arm64/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 5656e7aacd69..2eefdbc3e3c9 100644 --- a/arch/arm64/Kconfig

[PATCH v3 14/17] arm64: add __nocfi to functions that jump to a physical address

Disable CFI checking for functions that switch to linear mapping and make an indirect call to a physical address, since the compiler only understands virtual addresses and the CFI check for such indirect calls would always fail. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- arch

[PATCH v3 15/17] arm64: add __nocfi to __apply_alternatives

around the issue. Signed-off-by: Sami Tolvanen Reviewed-by: Kees Cook --- arch/arm64/kernel/alternative.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/arm64/kernel/alternative.c b/arch/arm64/kernel/alternative.c index 1184c44ea2c7..abc84636af07 100644 --- a/arch

[PATCH v3 10/17] lkdtm: use __va_function

To ensure we take the actual address of a function in kernel text, use __va_function. Otherwise, with CONFIG_CFI_CLANG, the compiler replaces the address with a pointer to the CFI jump table, which is actually in the module when compiled with CONFIG_LKDTM=m. Signed-off-by: Sami Tolvanen Acked

  1   2   3   4   5   6   7   8   9   10   >