From: Nick Desaulniers <>
To: Masahiro Yamada <>,
	Thomas Gleixner <>,
	 Ingo Molnar <>, Borislav Petkov <>,
	 Dave Hansen <>
Cc: Fangrui Song <>,
	Linus Torvalds <>,
	 Nick Clifton <>,
	Nick Desaulniers <>,
	 Michal Marek <>,
Subject: [PATCH v2 1/2] Makefile: link with -z noexecstack --no-warn-rwx-segments
Date: Wed, 10 Aug 2022 15:24:40 -0700
Message-ID: <>
In-Reply-To: <>

Users of GNU ld (BFD) from binutils 2.39+ will observe multiple
instances of a new warning when linking kernels in the form:

  ld: warning: vmlinux: missing .note.GNU-stack
  section implies executable stack
  ld: NOTE: This behaviour is deprecated and will be removed in a future
  version of the linker
  ld: warning: vmlinux has a LOAD segment with RWX permissions

Generally, we would like to avoid the stack being executable. Because
there could be a need for the stack to be executable, assembler sources
have to opt-in to this security feature via explicit creation of the
.note.GNU-stack feature (which compilers create by default) or command
line flag --noexecstack. Or we can simply tell the linker the production
of such sections is irrelevant and to link the stack as --noexecstack.

LLVM's LLD linker defaults to -z noexecstack, so this flag isn't
strictly necessary when linking with LLD, only BFD, but it doesn't hurt
to be explicit here for all linkers IMO. --no-warn-rwx-segments is
currently BFD specific and only available in the current latest release,
so it's wrapped in an ld-option check.

While the kernel makes extensive usage of ELF sections, it doesn't use
permissions from ELF segments.

Reported-by: Jens Axboe <>
Suggested-by: Fangrui Song <>
Signed-off-by: Nick Desaulniers <>
 Makefile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Makefile b/Makefile
index dc6295f91263..230e6e7679f9 100644
--- a/Makefile
+++ b/Makefile
@@ -1033,6 +1033,11 @@ KBUILD_CFLAGS   += $(KCFLAGS)
 KBUILD_LDFLAGS_MODULE += --build-id=sha1
 LDFLAGS_vmlinux += --build-id=sha1
+KBUILD_LDFLAGS	+= -z noexecstack
+ifeq ($(CONFIG_LD_IS_BFD),y)
+KBUILD_LDFLAGS	+= $(call ld-option,--no-warn-rwx-segments)
 LDFLAGS_vmlinux	+= $(call ld-option, -X,)
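
Review bot: the ifeq ($(CONFIG_LD_IS_BFD),y) opened here has no endif among the visible lines, and the hunk header and diffstat announce 5 insertions while only three + lines appear, so this copy of the hunk looks cut short. Please confirm the endif sits directly after the --no-warn-rwx-segments line, so that the following LDFLAGS_vmlinux += $(call ld-option, -X,) stays unconditional for all linkers. Separately, the reason the RWX warning can be silenced for everything linked with KBUILD_LDFLAGS (the kernel does not use permissions from ELF segments) lives only in the commit message; a one-line comment above the new lines would keep that rationale next to the flag and make it easier to revisit if that assumption changes.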

Thread overview: 10+ messages
2022-08-08 19:23 [PATCH] x86: assemble with -Wa,--noexecstack to avoid BFD 2.39 warning Nick Desaulniers
2022-08-08 19:31 ` Nathan Chancellor
2022-08-08 20:31   ` Nick Desaulniers
2022-08-08 21:08     ` Linus Torvalds
2022-08-09  1:36       ` Fangrui Song
2022-08-10 22:24         ` Nick Desaulniers [this message]
2022-08-10 22:24           ` [PATCH v2 2/2] x86: link vdso and boot with -z noexecstack --no-warn-rwx-segments Nick Desaulniers
2022-08-10 22:24           ` [PATCH v2 0/2] link " Nick Desaulniers
2022-08-11  1:06             ` Jens Axboe
2022-08-11  1:34             ` Linus Torvalds
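
The two linker warnings quoted in the commit message correspond to flags in the ELF program headers, so the result of linking with -z noexecstack can be checked on the output file. The following is an added example, not part of the patch or the thread: the function names audit_elf64 and build_elf64 are hypothetical, and the three ELF images are constructed in the script rather than taken from a real build.

```python
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551   # program header types from the ELF spec
PF_X, PF_W, PF_R = 1, 2, 4              # segment permission bits

def audit_elf64(data):
    """Report executable-stack and RWX findings for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    findings, saw_stack = [], False
    for i in range(e_phnum):
        # p_type and p_flags are the first two 32-bit fields of Elf64_Phdr
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            saw_stack = True
            if p_flags & PF_X:
                findings.append("PT_GNU_STACK is executable")
        elif p_type == PT_LOAD and (p_flags & 7) == (PF_R | PF_W | PF_X):
            findings.append(f"LOAD segment {i} is RWX")
    if not saw_stack:
        findings.append("no PT_GNU_STACK: stack permission left to the loader default")
    return findings

def build_elf64(segments):
    """Constructed sample: a bare ELF64 header plus one Elf64_Phdr per (type, flags)."""
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 2, 62, 1,
                       0, 64, 0, 0, 64, 56, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                     for t, f in segments)
    return ehdr + phdrs

# Constructed inputs: the layout the warnings describe, and a hardened one.
WARNED = build_elf64([(PT_LOAD, PF_R | PF_W | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])
HARDENED = build_elf64([(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W),
                        (PT_GNU_STACK, PF_R | PF_W)])
NO_NOTE = build_elf64([(PT_LOAD, PF_R | PF_X)])

if __name__ == "__main__":
    for name, image in (("warned", WARNED), ("hardened", HARDENED), ("no-note", NO_NOTE)):
        print(name, audit_elf64(image) or "clean")
```

To audit a real object, pass its bytes, for example audit_elf64(open(path, "rb").read()); only little-endian ELF64 input is handled.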
