From nobody Mon Sep 16 19:26:33 2024 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 541B25588F; Thu, 25 Jul 2024 18:35:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721932508; cv=none; b=AqsdX3EP0U/GUaeo0xWR60i73k8/n3gb/ib2meZzb+Cb4AC8kbPhKrZBQnQMo3N0VYn3JD5hpPyhFXT31DvlEf5odO6VX6u+Gkm1FoE1CKMhazxpGER96s/6yo5b3XihQJdV//d7GKL1PK2FXVpQaCABbVhFx218TtBjaWx7aew= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721932508; c=relaxed/simple; bh=sgFv2c8rLqTbaCNyIFrfSFEuE+PAnpzFiH2IQFlVHME=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=rKzIcASS3n1yviSp43iXdo9wzfma1IQlrcCJgoShYKDt6dvX6Krdqv/SDfObPwUDZ7eXG96fFDGF9EQd2yh4v0YxEJ9usJFagtaj6GY7Mx6LwzxdAec7goD+qPP/qAnxhX7vcTXjEM/hrcHCDHn6p1/PHy3tLk+IQZXb0g/pJ+Y= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=nyJgy333; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="nyJgy333" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9493EC4AF0B; Thu, 25 Jul 2024 18:35:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1721932507; bh=sgFv2c8rLqTbaCNyIFrfSFEuE+PAnpzFiH2IQFlVHME=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=nyJgy333uzUCHlAUPCjafmLc3ey7h8nKBQUHlgx03/QZwwioMvbVI6fsucYZPbihh wCEPNvPcxoOM7GAeefPPOQ03DcjhF8nAiSbhPGA4DfNCxKa5wcYiawbyrR8wFUAVnL kgxBCvKnsLefT2sWRz9I8kas98dXH/wtb+wQ+0oG7tfWIN+ZInH4k0KATIygyHMnft WGGrp4m5w23Rnnalkp/vTatLp0cob2zTNCx3TP+LyFRyrsPPpNAwIB2GHQZL00B76t 6m6nzv29yHSs18ww5NUVEiB0HjHxkXEHF28uPYt1Jh3vu3o56GP926Cn9hB/7rAuBj dll7i2iPqaf7g== From: Miguel Ojeda To: Josh Poimboeuf , Peter Zijlstra , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , Masahiro Yamada Cc: x86@kernel.org, "H. Peter Anvin" , Nathan Chancellor , Nicolas Schier , Miguel Ojeda , Wedson Almeida Filho , Alex Gaynor , Boqun Feng , Gary Guo , =?UTF-8?q?Bj=C3=B6rn=20Roy=20Baron?= , Benno Lossin , Andreas Hindborg , Alice Ryhl , rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, patches@lists.linux.dev Subject: [PATCH v3 1/6] rust: module: add static pointer to `{init,cleanup}_module()` Date: Thu, 25 Jul 2024 20:33:18 +0200 Message-ID: <20240725183325.122827-2-ojeda@kernel.org> In-Reply-To: <20240725183325.122827-1-ojeda@kernel.org> References: <20240725183325.122827-1-ojeda@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add the equivalent of the `___ADDRESSABLE()` annotation in the `module_{init,exit}` macros to the Rust `module!` macro. Without this, `objtool` would complain if enabled for Rust (under IBT builds), e.g.: samples/rust/rust_print.o: warning: objtool: cleanup_module(): not an i= ndirect call target samples/rust/rust_print.o: warning: objtool: init_module(): not an indi= rect call target Tested-by: Alice Ryhl Tested-by: Benno Lossin Signed-off-by: Miguel Ojeda Reviewed-by: Gary Guo --- rust/macros/module.rs | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/rust/macros/module.rs b/rust/macros/module.rs index 411dc103d82e..571ffa2e189c 100644 --- a/rust/macros/module.rs +++ b/rust/macros/module.rs @@ -256,6 +256,12 @@ mod __module_init {{ unsafe {{ __init() }} }} =20 + #[cfg(MODULE)] + #[doc(hidden)] + #[used] + #[link_section =3D \".init.data\"] + static __UNIQUE_ID___addressable_init_module: unsafe e= xtern \"C\" fn() -> i32 =3D init_module; + #[cfg(MODULE)] #[doc(hidden)] #[no_mangle] @@ -269,6 +275,12 @@ mod __module_init {{ unsafe {{ __exit() }} }} =20 + #[cfg(MODULE)] + #[doc(hidden)] + #[used] + #[link_section =3D \".exit.data\"] + static __UNIQUE_ID___addressable_cleanup_module: exter= n \"C\" fn() =3D cleanup_module; + // Built-in modules are initialized through an initcal= l pointer // and the identifiers need to be unique. #[cfg(not(MODULE))] --=20 2.45.2 From nobody Mon Sep 16 19:26:33 2024 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7594C73478; Thu, 25 Jul 2024 18:35:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721932514; cv=none; b=Z87Ukz5a3TEJG8nhbGYCA5RvxkqF5/6v7Y0uxUL7I5nL3hA6yyE/vEL9CVLOo3KgHOLaWN4n+ryENlOnBR7Ucw85B4UK3C+jOWKjdLAL+wWwmsNXVNo7/b30nMzwQXYZyUsia0dPHBnweXXXpfqxcompE5PWWTeroWXb6Yz76LA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721932514; c=relaxed/simple; bh=dSWCyYyzkx429yicgg/SAKJNnklsw1RNsTIXUnX8BB4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=K0qdvx6ayVh2RS/A0RAlZon+ZNPAO4YI03w89lsY3y8VOfL2zSi2oFcXmcG7pJQA3DEGeLST8hCBHiN51j8aA5q4la+NxoAygluQk9pT29kSsql04ny55LIvWqs2ZpaACBYY5VNzDJKoRiDrszk37d4khtJdWwKEZmYWvQ9dUYU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=bIqW9pUW; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="bIqW9pUW" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 820FDC32786; Thu, 25 Jul 2024 18:35:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1721932514; bh=dSWCyYyzkx429yicgg/SAKJNnklsw1RNsTIXUnX8BB4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bIqW9pUWVV5bE32KE5n8PY2khhPjkz8bVAVqYJ/zMTxOqTg2i9jxX0t776lXMaRU8 IQIKScIBwhJT6z3fb6qicX/iSy5ukw2Ix0DubwxE3sPgwN66+WWQ7eMYbWaubXNvSR 4HcFTCjsNcqfKY35KTrgQyYT1kOQilfOnpXtvWYb9xlrs+b/6aRfhGsQRFSLvFahnT ozqi8cfagsW2xk09yiosfz9u7qd0NNzwuBo1N8j8sk+dR5+KRrF9okrA3i6CqqI7n1 7esb7rByc8egUsoZgkIPistc79i1kU/S49mMPNRg/Uyb9OMTgKDrcK/W73kH7TDHon X7txiUZKH3XuA== From: Miguel Ojeda To: Josh Poimboeuf , Peter Zijlstra , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , Masahiro Yamada Cc: x86@kernel.org, "H. Peter Anvin" , Nathan Chancellor , Nicolas Schier , Miguel Ojeda , Wedson Almeida Filho , Alex Gaynor , Boqun Feng , Gary Guo , =?UTF-8?q?Bj=C3=B6rn=20Roy=20Baron?= , Benno Lossin , Andreas Hindborg , Alice Ryhl , rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, patches@lists.linux.dev, Daniel Borkmann Subject: [PATCH v3 2/6] x86/rust: support MITIGATION_RETPOLINE Date: Thu, 25 Jul 2024 20:33:19 +0200 Message-ID: <20240725183325.122827-3-ojeda@kernel.org> In-Reply-To: <20240725183325.122827-1-ojeda@kernel.org> References: <20240725183325.122827-1-ojeda@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Support `MITIGATION_RETPOLINE` by enabling the target features that Clang does. The existing target feature being enabled was a leftover from our old `rust` branch, and it is not enough: the target feature `retpoline-external-thunk` only implies `retpoline-indirect-calls`, but not `retpoline-indirect-branches` (see LLVM's `X86.td`), unlike Clang's flag of the same name `-mretpoline-external-thunk` which does imply both (see Clang's `lib/Driver/ToolChains/Arch/X86.cpp`). Without this, `objtool` would complain if enabled for Rust, e.g.: rust/core.o: warning: objtool: _R...escape_default+0x13: indirect jump found in RETPOLINE build In addition, change the comment to note that LLVM is the one disabling jump tables when retpoline is enabled, thus we do not need to use `-Zno-jump-tables` for Rust here -- see commit c58f2166ab39 ("Introduce the "retpoline" x86 mitigation technique ...") [1]: The goal is simple: avoid generating code which contains an indirect branch that could have its prediction poisoned by an attacker. In many cases, the compiler can simply use directed conditional branches and a small search tree. LLVM already has support for lowering switches in this way and the first step of this patch is to disable jump-table lowering of switches and introduce a pass to rewrite explicit indirectbr sequences into a switch over integers. As well as a live example at [2]. These should be eventually enabled via `-Ctarget-feature` when `rustc` starts recognizing them (or via a new dedicated flag) [3]. Cc: Daniel Borkmann Link: https://github.com/llvm/llvm-project/commit/c58f2166ab3987f37cb0d7815= b561bff5a20a69a [1] Link: https://godbolt.org/z/G4YPr58qG [2] Link: https://github.com/rust-lang/rust/issues/116852 [3] Reviewed-by: Gary Guo Tested-by: Alice Ryhl Tested-by: Benno Lossin Signed-off-by: Miguel Ojeda --- arch/x86/Makefile | 2 +- scripts/generate_rust_target.rs | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/arch/x86/Makefile b/arch/x86/Makefile index 801fd85c3ef6..e8214bff1aeb 100644 --- a/arch/x86/Makefile +++ b/arch/x86/Makefile @@ -220,7 +220,7 @@ ifdef CONFIG_MITIGATION_RETPOLINE KBUILD_CFLAGS +=3D $(RETPOLINE_CFLAGS) # Additionally, avoid generating expensive indirect jumps which # are subject to retpolines for small number of switch cases. - # clang turns off jump table generation by default when under + # LLVM turns off jump table generation by default when under # retpoline builds, however, gcc does not for x86. This has # only been fixed starting from gcc stable version 8.4.0 and # onwards, but not for older ones. See gcc bug #86952. diff --git a/scripts/generate_rust_target.rs b/scripts/generate_rust_target= .rs index 641b713a033a..44952f0a3aac 100644 --- a/scripts/generate_rust_target.rs +++ b/scripts/generate_rust_target.rs @@ -164,7 +164,14 @@ fn main() { ); let mut features =3D "-3dnow,-3dnowa,-mmx,+soft-float".to_string(); if cfg.has("MITIGATION_RETPOLINE") { + // The kernel uses `-mretpoline-external-thunk` (for Clang), w= hich Clang maps to the + // target feature of the same name plus the other two target f= eatures in + // `clang/lib/Driver/ToolChains/Arch/X86.cpp`. These should be= eventually enabled via + // `-Ctarget-feature` when `rustc` starts recognizing them (or= via a new dedicated + // flag); see https://github.com/rust-lang/rust/issues/116852. features +=3D ",+retpoline-external-thunk"; + features +=3D ",+retpoline-indirect-branches"; + features +=3D ",+retpoline-indirect-calls"; } ts.push("features", features); ts.push("llvm-target", "x86_64-linux-gnu"); --=20 2.45.2 From nobody Mon Sep 16 19:26:33 2024 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5911A3EA86; Thu, 25 Jul 2024 18:35:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721932521; cv=none; b=ZCP5Dwlli8joPIUjOKlMZLWC4KAywXiVfkbHiDUS8xyl+coFIJpk/Y9SJpDZM/lNpPBfN427PE4wTp9gJjkOZk0x9oS2/e4uAKoURBeIFL8tO/x7nh6TelxcmaUcsnyzkwvko0HNaRExC/6ZjvE3/K4pOK7K9Kw9+ollNsJPox4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721932521; c=relaxed/simple; bh=qduhv8XVc+iOI/qx1A9RUIlPuceRdUvIFdUbsHoZ2V4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=DmwNvZykSWQJNXkTBa3ACp2SS62BWcA2OJwin8qywnXXvMCKK0ITWgW4ZdPPoCdtloq4IS2RBN3TRlRlCqjT1v0BNHdCrOvzL4U3rnu0DiWle6TXT2GJkIf4Kx2O54Xb7mMmtM3KTv+gIFhb06gLAUDi0KvvhZmMF33U+NlM5UE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=N9mcplrU; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="N9mcplrU" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9D5B2C116B1; Thu, 25 Jul 2024 18:35:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1721932519; bh=qduhv8XVc+iOI/qx1A9RUIlPuceRdUvIFdUbsHoZ2V4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=N9mcplrU8i0A1hkMa1gjCzkyRLckzwtt6GLMeel8ZYmuSeTfCbZBsgdsGUicYRsW4 kqIcSY1htPEEtFB6WrospNvjX8SQzMJG0wCiqMIHxFKH6LgKpcmuDOt3SQogsLaUdV App9MqCA1O7ZkuPQjK9F+tzmTyoS+9AnZ55sTDuXhn0GoTtMd236RMSgIrePiLG8zd Z/MuhEQpynSDKs/n45YQGL0/8omBgl9+ZiZ020hf93OVGnj0hXL2DIfzcdrsVa+1OL e+XY5aC6yA+HLvP7751NylxB22hQqmPQTqJFPMTpgOnghy7y4Fb7Ea/rNBhkv/sMLE YVhawqa/c++BA== From: Miguel Ojeda To: Josh Poimboeuf , Peter Zijlstra , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , Masahiro Yamada Cc: x86@kernel.org, "H. Peter Anvin" , Nathan Chancellor , Nicolas Schier , Miguel Ojeda , Wedson Almeida Filho , Alex Gaynor , Boqun Feng , Gary Guo , =?UTF-8?q?Bj=C3=B6rn=20Roy=20Baron?= , Benno Lossin , Andreas Hindborg , Alice Ryhl , rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, patches@lists.linux.dev Subject: [PATCH v3 3/6] x86/rust: support MITIGATION_RETHUNK Date: Thu, 25 Jul 2024 20:33:20 +0200 Message-ID: <20240725183325.122827-4-ojeda@kernel.org> In-Reply-To: <20240725183325.122827-1-ojeda@kernel.org> References: <20240725183325.122827-1-ojeda@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" The Rust compiler added support for `-Zfunction-return=3Dthunk-extern` [1] in 1.76.0 [2], i.e. the equivalent of `-mfunction-return=3Dthunk-extern`. Thus add support for `MITIGATION_RETHUNK`. Without this, `objtool` would warn if enabled for Rust and already warns under IBT builds, e.g.: samples/rust/rust_print.o: warning: objtool: _R...init+0xa5c: 'naked' return found in RETHUNK build Link: https://github.com/rust-lang/rust/issues/116853 [1] Link: https://github.com/rust-lang/rust/pull/116892 [2] Reviewed-by: Gary Guo Tested-by: Alice Ryhl Tested-by: Benno Lossin Signed-off-by: Miguel Ojeda Reviewed-by: Thomas Gleixner --- arch/x86/Makefile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/arch/x86/Makefile b/arch/x86/Makefile index e8214bff1aeb..a1883a30a5d8 100644 --- a/arch/x86/Makefile +++ b/arch/x86/Makefile @@ -24,11 +24,15 @@ RETPOLINE_CFLAGS +=3D $(call cc-option,-mindirect-branc= h-cs-prefix) =20 ifdef CONFIG_MITIGATION_RETHUNK RETHUNK_CFLAGS :=3D -mfunction-return=3Dthunk-extern +RETHUNK_RUSTFLAGS :=3D -Zfunction-return=3Dthunk-extern RETPOLINE_CFLAGS +=3D $(RETHUNK_CFLAGS) +RETPOLINE_RUSTFLAGS +=3D $(RETHUNK_RUSTFLAGS) endif =20 export RETHUNK_CFLAGS +export RETHUNK_RUSTFLAGS export RETPOLINE_CFLAGS +export RETPOLINE_RUSTFLAGS export RETPOLINE_VDSO_CFLAGS =20 # For gcc stack alignment is specified with -mpreferred-stack-boundary, @@ -218,6 +222,7 @@ KBUILD_CFLAGS +=3D -fno-asynchronous-unwind-tables # Avoid indirect branches in kernel to deal with Spectre ifdef CONFIG_MITIGATION_RETPOLINE KBUILD_CFLAGS +=3D $(RETPOLINE_CFLAGS) + KBUILD_RUSTFLAGS +=3D $(RETPOLINE_RUSTFLAGS) # Additionally, avoid generating expensive indirect jumps which # are subject to retpolines for small number of switch cases. # LLVM turns off jump table generation by default when under --=20 2.45.2 From nobody Mon Sep 16 19:26:33 2024 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DC60613B5B7; Thu, 25 Jul 2024 18:35:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721932526; cv=none; b=F/cc3EdRcDigPtet7cI4SOh5/R3fzX1qF23KogwmW+ruW+LPYCz3gEbUufngHjEvDNNKVb2g5yHSzqrGnC3WweQT/9EC1ufh2U//VfPf3ckOWcscmT6g0yuTKtkn1R3CiFYXrfr+JbMpzUfkAh8t5on02lKmQnpgzB3AJ/00zfU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721932526; c=relaxed/simple; bh=X/CrvOwKkJQPjUg7k87bmhOZ9O/PNGGYuPcG1DD02wc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=J9vqiButPrWM50K26zwJWcxneNsGWuEwIK1RreJxgNeKqSK6Tp2XMCu57mBLWax0LTTpeib+1I6r6QEQSjoxPlAdOdiGdeuccYBwIabx2FLaA5OxHffSOunQx61jqzEx13QgItOz3njcV4I1v8pBuOUWtkLVsfGv/9pxd4GStvw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=nr3/LVEb; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="nr3/LVEb" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 80487C32786; Thu, 25 Jul 2024 18:35:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1721932525; bh=X/CrvOwKkJQPjUg7k87bmhOZ9O/PNGGYuPcG1DD02wc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=nr3/LVEby6a+yuOo/vjA/x87nIp9a8RRKG2EwFBe6w/6QYWjSQPLErwWQTtd+Tawe cvQgBL04BNcQe6nH7wrnNCI27V/9tBsW7XbbkHPJzMTX7yO3NMHb29CRh503EaEp0M gOvO5H2X9UJwFfqTwdKzPzaBxeWOuxF/VA9oOAIMUy5t0ah8NjWDvNHgqaCS6PRWBj O0Lc9jKKiFalADuM3TAPdPnmkHzzIXNvZKGYyVz4DJZbtpGL/oMvcgoR9JtHdgeAgX K4uLs8mOhFOHP+h33ERNp4n1DmQn+xPS/4Ja44XPubT6QexFkB6MEYkIXeMvTJBAb1 /U4QZhF2YzU+Q== From: Miguel Ojeda To: Josh Poimboeuf , Peter Zijlstra , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , Masahiro Yamada Cc: x86@kernel.org, "H. Peter Anvin" , Nathan Chancellor , Nicolas Schier , Miguel Ojeda , Wedson Almeida Filho , Alex Gaynor , Boqun Feng , Gary Guo , =?UTF-8?q?Bj=C3=B6rn=20Roy=20Baron?= , Benno Lossin , Andreas Hindborg , Alice Ryhl , rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, patches@lists.linux.dev Subject: [PATCH v3 4/6] x86/rust: support MITIGATION_SLS Date: Thu, 25 Jul 2024 20:33:21 +0200 Message-ID: <20240725183325.122827-5-ojeda@kernel.org> In-Reply-To: <20240725183325.122827-1-ojeda@kernel.org> References: <20240725183325.122827-1-ojeda@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Support `MITIGATION_SLS` by enabling the target features that Clang does. Without this, `objtool` would complain if enabled for Rust, e.g.: rust/core.o: warning: objtool: _R...next_up+0x44: missing int3 after ret These should be eventually enabled via `-Ctarget-feature` when `rustc` starts recognizing them (or via a new dedicated flag) [1]. Link: https://github.com/rust-lang/rust/issues/116851 [1] Reviewed-by: Gary Guo Tested-by: Alice Ryhl Tested-by: Benno Lossin Signed-off-by: Miguel Ojeda --- scripts/generate_rust_target.rs | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/scripts/generate_rust_target.rs b/scripts/generate_rust_target= .rs index 44952f0a3aac..ba1bd455e160 100644 --- a/scripts/generate_rust_target.rs +++ b/scripts/generate_rust_target.rs @@ -173,6 +173,14 @@ fn main() { features +=3D ",+retpoline-indirect-branches"; features +=3D ",+retpoline-indirect-calls"; } + if cfg.has("MITIGATION_SLS") { + // The kernel uses `-mharden-sls=3Dall`, which Clang maps to b= oth these target features in + // `clang/lib/Driver/ToolChains/Arch/X86.cpp`. These should be= eventually enabled via + // `-Ctarget-feature` when `rustc` starts recognizing them (or= via a new dedicated + // flag); see https://github.com/rust-lang/rust/issues/116851. + features +=3D ",+harden-sls-ijmp"; + features +=3D ",+harden-sls-ret"; + } ts.push("features", features); ts.push("llvm-target", "x86_64-linux-gnu"); ts.push("target-pointer-width", "64"); --=20 2.45.2 From nobody Mon Sep 16 19:26:33 2024 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3651B13D51B; Thu, 25 Jul 2024 18:35:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721932532; cv=none; b=AHDqozLcp/PqwCpb4aVLH3p7X58thJpVFobdubZzj8eAnadpzLp82BHvUMWr6jaJObMF1ptC9MTPYhNKoLRDQAg+QCyhU2FDN/zzF2B8NHa1KC4LRB9D9xomnMUbSe8ToEvTJ33DFC727Y/QMCuOqAxhAGoBom2y7SYzsN+gN44= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721932532; c=relaxed/simple; bh=GLtC3wYk2GEvmZ/aRZo96oaKNYBG3w8k9VJ+Yew0iPU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=h+uzw55ECZGB3/JxxkDQIMimCeB6YYZfbh3jBtTUyCPnqDmYV9VsQxUXgDJkOuPfDnSFehgz7nIYuEJsh8xTMqQObBfgMlBXEslBncwjvWZX8FcM9u8w15y7WDqJMYCFJlaHYIcdfhFcmjdgTAQB9k3dciuTSqX0u7XWQSq1mNU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=C0XM/mBc; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="C0XM/mBc" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6E4E8C4AF0E; Thu, 25 Jul 2024 18:35:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1721932531; bh=GLtC3wYk2GEvmZ/aRZo96oaKNYBG3w8k9VJ+Yew0iPU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=C0XM/mBc6pGWaY3brJpPfsLGz8qkt8h2fr9B6QyAaDPjGTQkyzTNY7JNyqXpkZVzG ujzfoey6Rs9iZrKwOTI5uG0NVI2f2dg+qItXULkVxWun6MO6WRgDizEEnKvhdwPczI 4NntDCZp92CrsZATy/G7JiiTt1l+6oiHXFL7ga12yhCTAhPB5FvSFSTmagEf5QCmvq R3QM8qwPnzkr6rL9MV2byBzlPU2R3kcsCGTL/kpkb6FxBVrzM4LAkjN49tfKrH+cgt DX7O2QrFQ2PJLkKy6hKHlg5mJoy4iw1UDpTVDeNX0bKhfDMuWH3+xX56TREdVI99kg E1O5SmhnQbaDQ== From: Miguel Ojeda To: Josh Poimboeuf , Peter Zijlstra , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , Masahiro Yamada Cc: x86@kernel.org, "H. Peter Anvin" , Nathan Chancellor , Nicolas Schier , Miguel Ojeda , Wedson Almeida Filho , Alex Gaynor , Boqun Feng , Gary Guo , =?UTF-8?q?Bj=C3=B6rn=20Roy=20Baron?= , Benno Lossin , Andreas Hindborg , Alice Ryhl , rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, patches@lists.linux.dev Subject: [PATCH v3 5/6] objtool/rust: list `noreturn` Rust functions Date: Thu, 25 Jul 2024 20:33:22 +0200 Message-ID: <20240725183325.122827-6-ojeda@kernel.org> In-Reply-To: <20240725183325.122827-1-ojeda@kernel.org> References: <20240725183325.122827-1-ojeda@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Rust functions may be `noreturn` (i.e. diverging) by returning the "never" type, `!`, e.g. fn f() -> ! { loop {} } Thus list the known `noreturn` functions to avoid such warnings. Without this, `objtool` would complain if enabled for Rust, e.g.: rust/core.o: warning: objtool: _R...9panic_fmt() falls through to next function _R...18panic_nounwind_= fmt() rust/alloc.o: warning: objtool: .text: unexpected end of section In order to do so, we cannot match symbols' names exactly, for two reasons: - Rust mangling scheme [1] contains disambiguators [2] which we cannot predict (e.g. they may vary depending on the compiler version). One possibility to solve this would be to parse v0 and ignore/zero those before comparison. - Some of the diverging functions come from `core`, i.e. the Rust standard library, which may change with each compiler version since they are implementation details (e.g. `panic_internals`). Thus, to workaround both issues, only part of the symbols are matched, instead of using the `NORETURN` macro in `noreturns.h`. Ideally, just like for the C side, we should have a better solution. For instance, the compiler could give us the list via something like: $ rustc --emit=3Dnoreturns ... Link: https://rust-lang.github.io/rfcs/2603-rust-symbol-name-mangling-v0.ht= ml [1] Link: https://doc.rust-lang.org/rustc/symbol-mangling/v0.html#disambiguator= [2] Signed-off-by: Miguel Ojeda Acked-by: Peter Zijlstra (Intel) Reviewed-by: Kees Cook Tested-by: Alice Ryhl Tested-by: Benno Lossin --- tools/objtool/check.c | 48 ++++++++++++++++++++++++++++++++++++++- tools/objtool/noreturns.h | 2 ++ 2 files changed, 49 insertions(+), 1 deletion(-) diff --git a/tools/objtool/check.c b/tools/objtool/check.c index 0a33d9195b7a..deace6fca2ed 100644 --- a/tools/objtool/check.c +++ b/tools/objtool/check.c @@ -177,6 +177,48 @@ static bool is_sibling_call(struct instruction *insn) return (is_static_jump(insn) && insn_call_dest(insn)); } =20 +/* + * Checks if a string ends with another. + */ +static bool str_ends_with(const char *s, const char *sub) +{ + const int slen =3D strlen(s); + const int sublen =3D strlen(sub); + + if (sublen > slen) + return 0; + + return !memcmp(s + slen - sublen, sub, sublen); +} + +/* + * Checks if a function is a Rust "noreturn" one. + */ +static bool is_rust_noreturn(const struct symbol *func) +{ + /* + * If it does not start with "_R", then it is not a Rust symbol. + */ + if (strncmp(func->name, "_R", 2)) + return false; + + /* + * These are just heuristics -- we do not control the precise symbol + * name, due to the crate disambiguators (which depend on the compiler) + * as well as changes to the source code itself between versions (since + * these come from the Rust standard library). + */ + return str_ends_with(func->name, "_4core6option13unwrap_failed") || + str_ends_with(func->name, "_4core6result13unwrap_failed") || + str_ends_with(func->name, "_4core9panicking5panic") || + str_ends_with(func->name, "_4core9panicking9panic_fmt") || + str_ends_with(func->name, "_4core9panicking14panic_explicit") || + str_ends_with(func->name, "_4core9panicking18panic_bounds_check") = || + strstr(func->name, "_4core9panicking11panic_const24panic_const_") = || + (strstr(func->name, "_4core5slice5index24slice_") && + str_ends_with(func->name, "_fail")); +} + /* * This checks to see if the given function is a "noreturn" function. * @@ -202,10 +244,14 @@ static bool __dead_end_function(struct objtool_file *= file, struct symbol *func, if (!func) return false; =20 - if (func->bind =3D=3D STB_GLOBAL || func->bind =3D=3D STB_WEAK) + if (func->bind =3D=3D STB_GLOBAL || func->bind =3D=3D STB_WEAK) { + if (is_rust_noreturn(func)) + return true; + for (i =3D 0; i < ARRAY_SIZE(global_noreturns); i++) if (!strcmp(func->name, global_noreturns[i])) return true; + } =20 if (func->bind =3D=3D STB_WEAK) return false; diff --git a/tools/objtool/noreturns.h b/tools/objtool/noreturns.h index 7ebf29c91184..82a001ac433b 100644 --- a/tools/objtool/noreturns.h +++ b/tools/objtool/noreturns.h @@ -35,6 +35,8 @@ NORETURN(panic) NORETURN(panic_smp_self_stop) NORETURN(rest_init) NORETURN(rewind_stack_and_make_dead) +NORETURN(rust_begin_unwind) +NORETURN(rust_helper_BUG) NORETURN(sev_es_terminate) NORETURN(snp_abort) NORETURN(start_kernel) --=20 2.45.2 From nobody Mon Sep 16 19:26:33 2024 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8CA6A143738; Thu, 25 Jul 2024 18:35:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721932538; cv=none; b=D4hzzRiZFX3uVf/OMPmZ2ZITOOfXBm5QeO0eaZUqxOpGu2lHKisCPtN5jAy9L4vaYqsDwFZxl9wQv1DiOFlZ1cq+AxOB6co4lHzlYGyVV+R0wh1Sv9ijDHcfb6YlSebHSFKeHoBXW3Anu1OcyBr0yLSZE9sw2BLaF/BvD7lfzzc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721932538; c=relaxed/simple; bh=1V2SGN37vLr5gMJa3dfaVAiysIrCfOIQXazWxhqrSKo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=YvFi87hbPDMEOFqDcEHxfWb41pV+lvkRqUeHyuf0D2wVpFRaV8UirCq/Dp4dTVaYZlE92DDyTmJrrxbza/Rrj0d6wHu5C4fSmrwi5YV+H75r0BlFqLePWH+rKwfCCxxWaaTWVjnMpWM9RysEa8R2wlmFQyqlyuBBY1n02ZpZl6I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=c3FKWyHs; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="c3FKWyHs" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 79326C4AF07; Thu, 25 Jul 2024 18:35:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1721932538; bh=1V2SGN37vLr5gMJa3dfaVAiysIrCfOIQXazWxhqrSKo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=c3FKWyHsUFq4kCnQcHIQRL3fr4kcSGZcPBLUo/30bZjjaUILROluTpAPhwbT63xYx 20YGr8CxU1lINVPXt4CW7qY2M306rG8MypvJh+P8ZkpELdvWF2KUR6HFpvahPb4cVR B9GYnOLQxXNKQ1dzj+bG11/Pnmx7Ub5bsAOu5c0gOqoSEXv8uXpGrIlJ4HBxzjtMdQ bitljVnZyfkHk18OhjVQYIFpbnidrEtaRUbc7stuxbpYMKkaYL3fZM4aXZtqtS0ErZ rzwKAGy8kmrgroG12cmQyCfUQ/EwxB3nH0wJ9at7c0mFtc7eHA0wV3wojzs9MCo7Ri dm7QDWB55L+Yg== From: Miguel Ojeda To: Josh Poimboeuf , Peter Zijlstra , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , Masahiro Yamada Cc: x86@kernel.org, "H. Peter Anvin" , Nathan Chancellor , Nicolas Schier , Miguel Ojeda , Wedson Almeida Filho , Alex Gaynor , Boqun Feng , Gary Guo , =?UTF-8?q?Bj=C3=B6rn=20Roy=20Baron?= , Benno Lossin , Andreas Hindborg , Alice Ryhl , rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, patches@lists.linux.dev, linux-kbuild@vger.kernel.org Subject: [PATCH v3 6/6] objtool/kbuild/rust: enable objtool for Rust Date: Thu, 25 Jul 2024 20:33:23 +0200 Message-ID: <20240725183325.122827-7-ojeda@kernel.org> In-Reply-To: <20240725183325.122827-1-ojeda@kernel.org> References: <20240725183325.122827-1-ojeda@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Now that we should be `objtool`-warning free, enable `objtool` for Rust too. Before this patch series, we were already getting warnings under e.g. IBT builds, since those would see Rust code via `vmlinux.o`. Tested-by: Alice Ryhl Tested-by: Benno Lossin Signed-off-by: Miguel Ojeda --- rust/Makefile | 22 ++++++++++++++-------- scripts/Makefile.build | 9 +++++++-- 2 files changed, 21 insertions(+), 10 deletions(-) diff --git a/rust/Makefile b/rust/Makefile index bf05e65365da..1756238b641d 100644 --- a/rust/Makefile +++ b/rust/Makefile @@ -344,7 +344,8 @@ quiet_cmd_rustc_library =3D $(if $(skip_clippy),RUSTC,$= (RUSTC_OR_CLIPPY_QUIET)) L --crate-type rlib -L$(objtree)/$(obj) \ --crate-name $(patsubst %.o,%,$(notdir $@)) $< \ --sysroot=3D/dev/null \ - $(if $(rustc_objcopy),;$(OBJCOPY) $(rustc_objcopy) $@) + $(if $(rustc_objcopy),;$(OBJCOPY) $(rustc_objcopy) $@) \ + $(cmd_objtool) =20 rust-analyzer: $(Q)$(srctree)/scripts/generate_rust_analyzer.py \ @@ -366,44 +367,49 @@ ifneq ($(or $(CONFIG_ARM64),$(and $(CONFIG_RISCV),$(C= ONFIG_64BIT))),) __ashlti3 __lshrti3 endif =20 +define rule_rustc_library + $(call cmd_and_fixdep,rustc_library) + $(call cmd,gen_objtooldep) +endef + $(obj)/core.o: private skip_clippy =3D 1 $(obj)/core.o: private skip_flags =3D -Wunreachable_pub $(obj)/core.o: private rustc_objcopy =3D $(foreach sym,$(redirect-intrinsi= cs),--redefine-sym $(sym)=3D__rust$(sym)) $(obj)/core.o: private rustc_target_flags =3D $(core-cfgs) $(obj)/core.o: $(RUST_LIB_SRC)/core/src/lib.rs FORCE - +$(call if_changed_dep,rustc_library) + +$(call if_changed_rule,rustc_library) ifdef CONFIG_X86_64 $(obj)/core.o: scripts/target.json endif =20 $(obj)/compiler_builtins.o: private rustc_objcopy =3D -w -W '__*' $(obj)/compiler_builtins.o: $(src)/compiler_builtins.rs $(obj)/core.o FORCE - +$(call if_changed_dep,rustc_library) + +$(call if_changed_rule,rustc_library) =20 $(obj)/alloc.o: private skip_clippy =3D 1 $(obj)/alloc.o: private skip_flags =3D -Wunreachable_pub $(obj)/alloc.o: private rustc_target_flags =3D $(alloc-cfgs) $(obj)/alloc.o: $(RUST_LIB_SRC)/alloc/src/lib.rs $(obj)/compiler_builtins.= o FORCE - +$(call if_changed_dep,rustc_library) + +$(call if_changed_rule,rustc_library) =20 $(obj)/build_error.o: $(src)/build_error.rs $(obj)/compiler_builtins.o FOR= CE - +$(call if_changed_dep,rustc_library) + +$(call if_changed_rule,rustc_library) =20 $(obj)/bindings.o: $(src)/bindings/lib.rs \ $(obj)/compiler_builtins.o \ $(obj)/bindings/bindings_generated.rs \ $(obj)/bindings/bindings_helpers_generated.rs FORCE - +$(call if_changed_dep,rustc_library) + +$(call if_changed_rule,rustc_library) =20 $(obj)/uapi.o: $(src)/uapi/lib.rs \ $(obj)/compiler_builtins.o \ $(obj)/uapi/uapi_generated.rs FORCE - +$(call if_changed_dep,rustc_library) + +$(call if_changed_rule,rustc_library) =20 $(obj)/kernel.o: private rustc_target_flags =3D --extern alloc \ --extern build_error --extern macros --extern bindings --extern uapi $(obj)/kernel.o: $(src)/kernel/lib.rs $(obj)/alloc.o $(obj)/build_error.o \ $(obj)/libmacros.so $(obj)/bindings.o $(obj)/uapi.o FORCE - +$(call if_changed_dep,rustc_library) + +$(call if_changed_rule,rustc_library) =20 endif # CONFIG_RUST diff --git a/scripts/Makefile.build b/scripts/Makefile.build index efacca63c897..72b1232b1f7d 100644 --- a/scripts/Makefile.build +++ b/scripts/Makefile.build @@ -288,10 +288,15 @@ rust_common_cmd =3D \ # would not match each other. =20 quiet_cmd_rustc_o_rs =3D $(RUSTC_OR_CLIPPY_QUIET) $(quiet_modtag) $@ - cmd_rustc_o_rs =3D $(rust_common_cmd) --emit=3Dobj=3D$@ $< + cmd_rustc_o_rs =3D $(rust_common_cmd) --emit=3Dobj=3D$@ $< $(cmd_obj= tool) + +define rule_rustc_o_rs + $(call cmd_and_fixdep,rustc_o_rs) + $(call cmd,gen_objtooldep) +endef =20 $(obj)/%.o: $(obj)/%.rs FORCE - +$(call if_changed_dep,rustc_o_rs) + +$(call if_changed_rule,rustc_o_rs) =20 quiet_cmd_rustc_rsi_rs =3D $(RUSTC_OR_CLIPPY_QUIET) $(quiet_modtag) $@ cmd_rustc_rsi_rs =3D \ --=20 2.45.2