From: Ard Biesheuvel <ardb@kernel.org>
BSS might be uninitialized when entering the startup code, so forbid the
use of any variables that live after __bss_start in the linker map.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
arch/arm64/kernel/image-vars.h | 66 +++++++++++---------
arch/arm64/kernel/vmlinux.lds.S | 2 +
2 files changed, 37 insertions(+), 31 deletions(-)
diff --git a/arch/arm64/kernel/image-vars.h b/arch/arm64/kernel/image-vars.h
index a0977f7cd3ec..a70244d1aa2a 100644
--- a/arch/arm64/kernel/image-vars.h
+++ b/arch/arm64/kernel/image-vars.h
@@ -10,6 +10,12 @@
#error This file should only be included in vmlinux.lds.S
#endif
+#define PI_EXPORT_SYM(sym) \
+ __PI_EXPORT_SYM(sym, __pi_ ## sym, Cannot export BSS symbol sym to startup code)
+#define __PI_EXPORT_SYM(sym, pisym, msg)\
+ PROVIDE(pisym = sym); \
+ ASSERT(sym < __bss_start, #msg)
+
PROVIDE(__efistub_primary_entry = primary_entry);
/*
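Review bot: The new `PI_EXPORT_SYM()` / `__PI_EXPORT_SYM()` macros carry no comment, so the reason for the `ASSERT` can only be recovered from the commit message. I would put a short comment above the first `#define`, for example `/* Startup code may run before BSS is cleared: refuse to alias any symbol placed at or after __bss_start. */`. It is also worth stating there that, as far as I can tell, the `ASSERT` references `sym` unconditionally where a bare `PROVIDE()` is lazy. A symbol that is compiled out in some configuration would then presumably need an `#ifdef` around its `PI_EXPORT_SYM()` line, as the `CONFIG_CAVIUM_ERRATUM_27456` entries in the next hunk already have.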
@@ -36,39 +42,37 @@ PROVIDE(__pi___memcpy = __pi_memcpy);
PROVIDE(__pi___memmove = __pi_memmove);
PROVIDE(__pi___memset = __pi_memset);
-PROVIDE(__pi_id_aa64isar1_override = id_aa64isar1_override);
-PROVIDE(__pi_id_aa64isar2_override = id_aa64isar2_override);
-PROVIDE(__pi_id_aa64mmfr0_override = id_aa64mmfr0_override);
-PROVIDE(__pi_id_aa64mmfr1_override = id_aa64mmfr1_override);
-PROVIDE(__pi_id_aa64mmfr2_override = id_aa64mmfr2_override);
-PROVIDE(__pi_id_aa64pfr0_override = id_aa64pfr0_override);
-PROVIDE(__pi_id_aa64pfr1_override = id_aa64pfr1_override);
-PROVIDE(__pi_id_aa64smfr0_override = id_aa64smfr0_override);
-PROVIDE(__pi_id_aa64zfr0_override = id_aa64zfr0_override);
-PROVIDE(__pi_arm64_sw_feature_override = arm64_sw_feature_override);
-PROVIDE(__pi_arm64_use_ng_mappings = arm64_use_ng_mappings);
+PI_EXPORT_SYM(id_aa64isar1_override);
+PI_EXPORT_SYM(id_aa64isar2_override);
+PI_EXPORT_SYM(id_aa64mmfr0_override);
+PI_EXPORT_SYM(id_aa64mmfr1_override);
+PI_EXPORT_SYM(id_aa64mmfr2_override);
+PI_EXPORT_SYM(id_aa64pfr0_override);
+PI_EXPORT_SYM(id_aa64pfr1_override);
+PI_EXPORT_SYM(id_aa64smfr0_override);
+PI_EXPORT_SYM(id_aa64zfr0_override);
+PI_EXPORT_SYM(arm64_sw_feature_override);
+PI_EXPORT_SYM(arm64_use_ng_mappings);
#ifdef CONFIG_CAVIUM_ERRATUM_27456
-PROVIDE(__pi_cavium_erratum_27456_cpus = cavium_erratum_27456_cpus);
-PROVIDE(__pi_is_midr_in_range_list = is_midr_in_range_list);
+PI_EXPORT_SYM(cavium_erratum_27456_cpus);
+PI_EXPORT_SYM(is_midr_in_range_list);
#endif
-PROVIDE(__pi__ctype = _ctype);
-PROVIDE(__pi_memstart_offset_seed = memstart_offset_seed);
-
-PROVIDE(__pi_init_idmap_pg_dir = init_idmap_pg_dir);
-PROVIDE(__pi_init_idmap_pg_end = init_idmap_pg_end);
-PROVIDE(__pi_swapper_pg_dir = swapper_pg_dir);
-
-PROVIDE(__pi__text = _text);
-PROVIDE(__pi__stext = _stext);
-PROVIDE(__pi__etext = _etext);
-PROVIDE(__pi___start_rodata = __start_rodata);
-PROVIDE(__pi___inittext_begin = __inittext_begin);
-PROVIDE(__pi___inittext_end = __inittext_end);
-PROVIDE(__pi___initdata_begin = __initdata_begin);
-PROVIDE(__pi___initdata_end = __initdata_end);
-PROVIDE(__pi__data = _data);
-PROVIDE(__pi___bss_start = __bss_start);
-PROVIDE(__pi__end = _end);
+PI_EXPORT_SYM(_ctype);
+PI_EXPORT_SYM(memstart_offset_seed);
+
+PI_EXPORT_SYM(init_idmap_pg_dir);
+PI_EXPORT_SYM(init_idmap_pg_end);
+PI_EXPORT_SYM(swapper_pg_dir);
+
+PI_EXPORT_SYM(_text);
+PI_EXPORT_SYM(_stext);
+PI_EXPORT_SYM(_etext);
+PI_EXPORT_SYM(__start_rodata);
+PI_EXPORT_SYM(__inittext_begin);
+PI_EXPORT_SYM(__inittext_end);
+PI_EXPORT_SYM(__initdata_begin);
+PI_EXPORT_SYM(__initdata_end);
+PI_EXPORT_SYM(_data);
#ifdef CONFIG_KVM
diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
index 73fa57f341b0..bd7626b8c7a3 100644
--- a/arch/arm64/kernel/vmlinux.lds.S
+++ b/arch/arm64/kernel/vmlinux.lds.S
@@ -319,6 +319,7 @@ SECTIONS
/* start of zero-init region */
BSS_SECTION(SBSS_ALIGN, 0, 0)
+ __pi___bss_start = __bss_start;
. = ALIGN(PAGE_SIZE);
__pi_init_pg_dir = .;
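Review bot: `__pi___bss_start = __bss_start;` is a plain assignment inside the SECTIONS block, so it sidesteps the `sym < __bss_start` assertion that image-vars.h now applies to the aliases converted to `PI_EXPORT_SYM()`, and nothing here says why that is acceptable. A one-line comment such as `/* address marker only: exported directly because PI_EXPORT_SYM() rejects anything at or after __bss_start */` would keep a later reader from copying the pattern for a real BSS variable. The same applies to `__pi__end = .;` in the following hunk. Both aliases also change from `PROVIDE()` to unconditional definitions, which looks intentional but deserves a word in the commit message.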
@@ -332,6 +333,7 @@ SECTIONS
. = ALIGN(SEGMENT_ALIGN);
__pecoff_data_size = ABSOLUTE(. - __initdata_begin);
_end = .;
+ __pi__end = .;
STABS_DEBUG
DWARF_DEBUG
--
2.49.0.906.g1f30a19c02-goog
On Sat, 3 May 2025 at 13:22, Ard Biesheuvel <ardb+git@google.com> wrote:
>
> From: Ard Biesheuvel <ardb@kernel.org>
>
> BSS might be uninitialized when entering the startup code, so forbid the
> use of any variables that live after __bss_start in the linker map.
>
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> ---
> arch/arm64/kernel/image-vars.h | 66 +++++++++++---------
> arch/arm64/kernel/vmlinux.lds.S | 2 +
> 2 files changed, 37 insertions(+), 31 deletions(-)
>
> diff --git a/arch/arm64/kernel/image-vars.h b/arch/arm64/kernel/image-vars.h
> index a0977f7cd3ec..a70244d1aa2a 100644
> --- a/arch/arm64/kernel/image-vars.h
> +++ b/arch/arm64/kernel/image-vars.h
> @@ -10,6 +10,12 @@
> #error This file should only be included in vmlinux.lds.S
> #endif
>
> +#define PI_EXPORT_SYM(sym) \
> + __PI_EXPORT_SYM(sym, __pi_ ## sym, Cannot export BSS symbol sym to startup code)
> +#define __PI_EXPORT_SYM(sym, pisym, msg)\
> + PROVIDE(pisym = sym); \
> + ASSERT(sym < __bss_start, #msg)
LLD doesn't seem to love this. I'll replace this with ASSERT((sym - KIMAGE_VADDR) < (__bss_start - KIMAGE_VADDR), #msg) which appears to work for both LLD and ld.bfd
> +
> PROVIDE(__efistub_primary_entry = primary_entry);
>
> /*
> @@ -36,39 +42,37 @@ PROVIDE(__pi___memcpy = __pi_memcpy);
> PROVIDE(__pi___memmove = __pi_memmove);
> PROVIDE(__pi___memset = __pi_memset);
>
> -PROVIDE(__pi_id_aa64isar1_override = id_aa64isar1_override);
> -PROVIDE(__pi_id_aa64isar2_override = id_aa64isar2_override);
> -PROVIDE(__pi_id_aa64mmfr0_override = id_aa64mmfr0_override);
> -PROVIDE(__pi_id_aa64mmfr1_override = id_aa64mmfr1_override);
> -PROVIDE(__pi_id_aa64mmfr2_override = id_aa64mmfr2_override);
> -PROVIDE(__pi_id_aa64pfr0_override = id_aa64pfr0_override);
> -PROVIDE(__pi_id_aa64pfr1_override = id_aa64pfr1_override);
> -PROVIDE(__pi_id_aa64smfr0_override = id_aa64smfr0_override);
> -PROVIDE(__pi_id_aa64zfr0_override = id_aa64zfr0_override);
> -PROVIDE(__pi_arm64_sw_feature_override = arm64_sw_feature_override);
> -PROVIDE(__pi_arm64_use_ng_mappings = arm64_use_ng_mappings);
> +PI_EXPORT_SYM(id_aa64isar1_override);
> +PI_EXPORT_SYM(id_aa64isar2_override);
> +PI_EXPORT_SYM(id_aa64mmfr0_override);
> +PI_EXPORT_SYM(id_aa64mmfr1_override);
> +PI_EXPORT_SYM(id_aa64mmfr2_override);
> +PI_EXPORT_SYM(id_aa64pfr0_override);
> +PI_EXPORT_SYM(id_aa64pfr1_override);
> +PI_EXPORT_SYM(id_aa64smfr0_override);
> +PI_EXPORT_SYM(id_aa64zfr0_override);
> +PI_EXPORT_SYM(arm64_sw_feature_override);
> +PI_EXPORT_SYM(arm64_use_ng_mappings);
> #ifdef CONFIG_CAVIUM_ERRATUM_27456
> -PROVIDE(__pi_cavium_erratum_27456_cpus = cavium_erratum_27456_cpus);
> -PROVIDE(__pi_is_midr_in_range_list = is_midr_in_range_list);
> +PI_EXPORT_SYM(cavium_erratum_27456_cpus);
> +PI_EXPORT_SYM(is_midr_in_range_list);
> #endif
> -PROVIDE(__pi__ctype = _ctype);
> -PROVIDE(__pi_memstart_offset_seed = memstart_offset_seed);
> -
> -PROVIDE(__pi_init_idmap_pg_dir = init_idmap_pg_dir);
> -PROVIDE(__pi_init_idmap_pg_end = init_idmap_pg_end);
> -PROVIDE(__pi_swapper_pg_dir = swapper_pg_dir);
> -
> -PROVIDE(__pi__text = _text);
> -PROVIDE(__pi__stext = _stext);
> -PROVIDE(__pi__etext = _etext);
> -PROVIDE(__pi___start_rodata = __start_rodata);
> -PROVIDE(__pi___inittext_begin = __inittext_begin);
> -PROVIDE(__pi___inittext_end = __inittext_end);
> -PROVIDE(__pi___initdata_begin = __initdata_begin);
> -PROVIDE(__pi___initdata_end = __initdata_end);
> -PROVIDE(__pi__data = _data);
> -PROVIDE(__pi___bss_start = __bss_start);
> -PROVIDE(__pi__end = _end);
> +PI_EXPORT_SYM(_ctype);
> +PI_EXPORT_SYM(memstart_offset_seed);
> +
> +PI_EXPORT_SYM(init_idmap_pg_dir);
> +PI_EXPORT_SYM(init_idmap_pg_end);
> +PI_EXPORT_SYM(swapper_pg_dir);
> +
> +PI_EXPORT_SYM(_text);
> +PI_EXPORT_SYM(_stext);
> +PI_EXPORT_SYM(_etext);
> +PI_EXPORT_SYM(__start_rodata);
> +PI_EXPORT_SYM(__inittext_begin);
> +PI_EXPORT_SYM(__inittext_end);
> +PI_EXPORT_SYM(__initdata_begin);
> +PI_EXPORT_SYM(__initdata_end);
> +PI_EXPORT_SYM(_data);
>
> #ifdef CONFIG_KVM
>
> diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
> index 73fa57f341b0..bd7626b8c7a3 100644
> --- a/arch/arm64/kernel/vmlinux.lds.S
> +++ b/arch/arm64/kernel/vmlinux.lds.S
> @@ -319,6 +319,7 @@ SECTIONS
>
> /* start of zero-init region */
> BSS_SECTION(SBSS_ALIGN, 0, 0)
> + __pi___bss_start = __bss_start;
>
> . = ALIGN(PAGE_SIZE);
> __pi_init_pg_dir = .;
> @@ -332,6 +333,7 @@ SECTIONS
> . = ALIGN(SEGMENT_ALIGN);
> __pecoff_data_size = ABSOLUTE(. - __initdata_begin);
> _end = .;
> + __pi__end = .;
>
> STABS_DEBUG
> DWARF_DEBUG
> --
> 2.49.0.906.g1f30a19c02-goog
>