1. Patchew
  2. linux
  3. View series

[PATCH] x86/sev: Work around broken noinstr on GCC

Ard Biesheuvel posted 1 patch 6 months, 3 weeks ago
There is a newer version of this series
arch/x86/coco/sev/Makefile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
[PATCH] x86/sev: Work around broken noinstr on GCC
Posted by Ard Biesheuvel 6 months, 3 weeks ago 
From: Ard Biesheuvel <ardb@kernel.org>

Forcibly disable KCSAN for the sev-nmi.c source file, which only
contains functions annotated as 'noinstr' but is emitted with calls to
KCSAN instrumentation nonetheless. E.g.,

  vmlinux.o: error: objtool: __sev_es_nmi_complete+0x58: call to __kcsan_check_access() leaves .noinstr.text section
  make[2]: *** [/usr/local/google/home/ardb/linux/scripts/Makefile.vmlinux_o:72: vmlinux.o] Error 1

Reported-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 arch/x86/coco/sev/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/coco/sev/Makefile b/arch/x86/coco/sev/Makefile
index db3255b979bd..342d79f0ab6a 100644
--- a/arch/x86/coco/sev/Makefile
+++ b/arch/x86/coco/sev/Makefile
@@ -5,5 +5,6 @@ obj-y += core.o sev-nmi.o vc-handle.o
 # Clang 14 and older may fail to respect __no_sanitize_undefined when inlining
 UBSAN_SANITIZE_sev-nmi.o	:= n
 
-# GCC may fail to respect __no_sanitize_address when inlining
+# GCC may fail to respect __no_sanitize_address or __no_kcsan when inlining
 KASAN_SANITIZE_sev-nmi.o	:= n
+KCSAN_SANITIZE_sev-nmi.o	:= n
-- 
2.50.0.727.gbf7dc18ff4-goog
Re: [PATCH] x86/sev: Work around broken noinstr on GCC
Posted by Randy Dunlap 6 months, 3 weeks ago 

On 7/14/25 12:34 AM, Ard Biesheuvel wrote:
> From: Ard Biesheuvel <ardb@kernel.org>
> 
> Forcibly disable KCSAN for the sev-nmi.c source file, which only
> contains functions annotated as 'noinstr' but is emitted with calls to
> KCSAN instrumentation nonetheless. E.g.,
> 
>   vmlinux.o: error: objtool: __sev_es_nmi_complete+0x58: call to __kcsan_check_access() leaves .noinstr.text section
>   make[2]: *** [/usr/local/google/home/ardb/linux/scripts/Makefile.vmlinux_o:72: vmlinux.o] Error 1
> 
> Reported-by: Randy Dunlap <rdunlap@infradead.org>

Acked-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>

Thanks.

> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> ---
>  arch/x86/coco/sev/Makefile | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/coco/sev/Makefile b/arch/x86/coco/sev/Makefile
> index db3255b979bd..342d79f0ab6a 100644
> --- a/arch/x86/coco/sev/Makefile
> +++ b/arch/x86/coco/sev/Makefile
> @@ -5,5 +5,6 @@ obj-y += core.o sev-nmi.o vc-handle.o
>  # Clang 14 and older may fail to respect __no_sanitize_undefined when inlining
>  UBSAN_SANITIZE_sev-nmi.o	:= n
>  
> -# GCC may fail to respect __no_sanitize_address when inlining
> +# GCC may fail to respect __no_sanitize_address or __no_kcsan when inlining
>  KASAN_SANITIZE_sev-nmi.o	:= n
> +KCSAN_SANITIZE_sev-nmi.o	:= n

-- 
~Randy
Re: [PATCH] x86/sev: Work around broken noinstr on GCC
Posted by Borislav Petkov 6 months, 3 weeks ago 
On Mon, Jul 14, 2025 at 09:34:03AM +0200, Ard Biesheuvel wrote:
> From: Ard Biesheuvel <ardb@kernel.org>
> 
> Forcibly disable KCSAN for the sev-nmi.c source file, which only
> contains functions annotated as 'noinstr' but is emitted with calls to
> KCSAN instrumentation nonetheless. E.g.,
> 
>   vmlinux.o: error: objtool: __sev_es_nmi_complete+0x58: call to __kcsan_check_access() leaves .noinstr.text section
>   make[2]: *** [/usr/local/google/home/ardb/linux/scripts/Makefile.vmlinux_o:72: vmlinux.o] Error 1
> 
> Reported-by: Randy Dunlap <rdunlap@infradead.org>
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> ---
>  arch/x86/coco/sev/Makefile | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/coco/sev/Makefile b/arch/x86/coco/sev/Makefile
> index db3255b979bd..342d79f0ab6a 100644
> --- a/arch/x86/coco/sev/Makefile
> +++ b/arch/x86/coco/sev/Makefile
> @@ -5,5 +5,6 @@ obj-y += core.o sev-nmi.o vc-handle.o
>  # Clang 14 and older may fail to respect __no_sanitize_undefined when inlining
>  UBSAN_SANITIZE_sev-nmi.o	:= n
>  
> -# GCC may fail to respect __no_sanitize_address when inlining
> +# GCC may fail to respect __no_sanitize_address or __no_kcsan when inlining
>  KASAN_SANITIZE_sev-nmi.o	:= n
> +KCSAN_SANITIZE_sev-nmi.o	:= n
> -- 

Hmm, so this points to the carve out:

b66fcee1574e ("x86/sev: Move noinstr NMI handling code into separate source file")

but then we didn't do any KCSAN exclusion to SEV code before either.

I guess send this to Linus now so that it is in 6.16?

Hmm.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
Re: [PATCH] x86/sev: Work around broken noinstr on GCC
Posted by Ard Biesheuvel 6 months, 3 weeks ago 
On Mon, 14 Jul 2025 at 20:27, Borislav Petkov <bp@alien8.de> wrote:
>
> On Mon, Jul 14, 2025 at 09:34:03AM +0200, Ard Biesheuvel wrote:
> > From: Ard Biesheuvel <ardb@kernel.org>
> >
> > Forcibly disable KCSAN for the sev-nmi.c source file, which only
> > contains functions annotated as 'noinstr' but is emitted with calls to
> > KCSAN instrumentation nonetheless. E.g.,
> >
> >   vmlinux.o: error: objtool: __sev_es_nmi_complete+0x58: call to __kcsan_check_access() leaves .noinstr.text section
> >   make[2]: *** [/usr/local/google/home/ardb/linux/scripts/Makefile.vmlinux_o:72: vmlinux.o] Error 1
> >
> > Reported-by: Randy Dunlap <rdunlap@infradead.org>
> > Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> > ---
> >  arch/x86/coco/sev/Makefile | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/arch/x86/coco/sev/Makefile b/arch/x86/coco/sev/Makefile
> > index db3255b979bd..342d79f0ab6a 100644
> > --- a/arch/x86/coco/sev/Makefile
> > +++ b/arch/x86/coco/sev/Makefile
> > @@ -5,5 +5,6 @@ obj-y += core.o sev-nmi.o vc-handle.o
> >  # Clang 14 and older may fail to respect __no_sanitize_undefined when inlining
> >  UBSAN_SANITIZE_sev-nmi.o     := n
> >
> > -# GCC may fail to respect __no_sanitize_address when inlining
> > +# GCC may fail to respect __no_sanitize_address or __no_kcsan when inlining
> >  KASAN_SANITIZE_sev-nmi.o     := n
> > +KCSAN_SANITIZE_sev-nmi.o     := n
> > --
>
> Hmm, so this points to the carve out:
>
> b66fcee1574e ("x86/sev: Move noinstr NMI handling code into separate source file")
>
> but then we didn't do any KCSAN exclusion to SEV code before either.
>

This is actually an oversight on my part,

Fixes: a3cbbb4717e1 ("x86/boot: Move SEV startup code into startup/")

> I guess send this to Linus now so that it is in 6.16?
>

Yes.
[tip: x86/urgent] x86/sev: Work around broken noinstr on GCC
Posted by tip-bot2 for Ard Biesheuvel 6 months, 3 weeks ago 
The following commit has been merged into the x86/urgent branch of tip:

Commit-ID:     6b995d01683feae619aa3263d18a6aa19bface16
Gitweb:        https://git.kernel.org/tip/6b995d01683feae619aa3263d18a6aa19bface16
Author:        Ard Biesheuvel <ardb@kernel.org>
AuthorDate:    Mon, 14 Jul 2025 09:34:03 +02:00
Committer:     Borislav Petkov (AMD) <bp@alien8.de>
CommitterDate: Tue, 15 Jul 2025 10:12:25 +02:00

x86/sev: Work around broken noinstr on GCC

Forcibly disable KCSAN for the sev-nmi.c source file, which only
contains functions annotated as 'noinstr' but is emitted with calls to
KCSAN instrumentation nonetheless. E.g.,

  vmlinux.o: error: objtool: __sev_es_nmi_complete+0x58: call to __kcsan_check_access() leaves .noinstr.text section
  make[2]: *** [/usr/local/google/home/ardb/linux/scripts/Makefile.vmlinux_o:72: vmlinux.o] Error 1

Fixes: a3cbbb4717e1 ("x86/boot: Move SEV startup code into startup/")
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Link: https://lore.kernel.org/20250714073402.4107091-2-ardb+git@google.com
---
 arch/x86/coco/sev/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/coco/sev/Makefile b/arch/x86/coco/sev/Makefile
index db3255b..342d79f 100644
--- a/arch/x86/coco/sev/Makefile
+++ b/arch/x86/coco/sev/Makefile
@@ -5,5 +5,6 @@ obj-y += core.o sev-nmi.o vc-handle.o
 # Clang 14 and older may fail to respect __no_sanitize_undefined when inlining
 UBSAN_SANITIZE_sev-nmi.o	:= n
 
-# GCC may fail to respect __no_sanitize_address when inlining
+# GCC may fail to respect __no_sanitize_address or __no_kcsan when inlining
 KASAN_SANITIZE_sev-nmi.o	:= n
+KCSAN_SANITIZE_sev-nmi.o	:= n

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.