* [PATCH 1/3] kbuild: add -fno-PIE
2016-11-04 18:39 -fno-PIE, take #3 Sebastian Andrzej Siewior
@ 2016-11-04 18:39 ` Sebastian Andrzej Siewior
2016-11-08 22:14 ` Michal Marek
2016-11-04 18:39 ` [PATCH 2/3] scripts/has-stack-protector: " Sebastian Andrzej Siewior
` (5 subsequent siblings)
6 siblings, 1 reply; 12+ messages in thread
From: Sebastian Andrzej Siewior @ 2016-11-04 18:39 UTC (permalink / raw)
To: linux-kernel
Cc: Michal Marek, linux-kbuild, x86, Al Viro, Ben Hutchings,
Sven Joachim, Austin S. Hemmelgarn, Borislav Petkov
Debian started to build the gcc with -fPIE by default so the kernel
build ends before it starts properly with:
|kernel/bounds.c:1:0: error: code model kernel does not support PIC mode
Also add to KBUILD_AFLAGS due to:
|gcc -Wp,-MD,arch/x86/entry/vdso/vdso32/.note.o.d … -mfentry -DCC_USING_FENTRY … vdso/vdso32/note.S
|arch/x86/entry/vdso/vdso32/note.S:1:0: sorry, unimplemented: -mfentry isn’t supported for 32-bit in combination with -fpic
Tagging it stable so it is possible to compile recent stable kernels as
well.
Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
Makefile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Makefile b/Makefile
index a2650f9c6a25..d61145ebf498 100644
--- a/Makefile
+++ b/Makefile
@@ -622,6 +622,8 @@ include arch/$(SRCARCH)/Makefile
KBUILD_CFLAGS += $(call cc-option,-fno-delete-null-pointer-checks,)
KBUILD_CFLAGS += $(call cc-disable-warning,maybe-uninitialized,)
KBUILD_CFLAGS += $(call cc-disable-warning,frame-address,)
+KBUILD_CFLAGS += $(call cc-option,-fno-PIE)
+KBUILD_AFLAGS += $(call cc-option,-fno-PIE)
ifdef CONFIG_LD_DEAD_CODE_DATA_ELIMINATION
KBUILD_CFLAGS += $(call cc-option,-ffunction-sections,)
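Review bot: Adding `-fno-PIE` at this point in the top-level Makefile only reaches directories that inherit KBUILD_CFLAGS/KBUILD_AFLAGS; a Makefile that resets the variable with `:=`, as arch/x86/purgatory/Makefile does in 3/3, silently loses the flag. The commit message should say whether other such resets were audited, and a one-line comment above the two additions explaining that they counter compilers built with PIE on by default would help later readers. Minor: the neighbouring cc-option and cc-disable-warning calls pass an explicit empty fallback (trailing comma) and the new lines do not; matching them keeps the block uniform.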
--
2.10.2
* Re: [PATCH 1/3] kbuild: add -fno-PIE
2016-11-04 18:39 ` [PATCH 1/3] kbuild: add -fno-PIE Sebastian Andrzej Siewior
@ 2016-11-08 22:14 ` Michal Marek
2016-11-09 6:10 ` Ingo Molnar
0 siblings, 1 reply; 12+ messages in thread
From: Michal Marek @ 2016-11-08 22:14 UTC (permalink / raw)
To: Sebastian Andrzej Siewior
Cc: linux-kernel, linux-kbuild, x86, Al Viro, Ben Hutchings,
Sven Joachim, Austin S. Hemmelgarn, Borislav Petkov
On Fri, Nov 04, 2016 at 07:39:38PM +0100, Sebastian Andrzej Siewior wrote:
> Debian started to build the gcc with -fPIE by default so the kernel
> build ends before it starts properly with:
> |kernel/bounds.c:1:0: error: code model kernel does not support PIC mode
>
> Also add to KBUILD_AFLAGS due to:
>
> |gcc -Wp,-MD,arch/x86/entry/vdso/vdso32/.note.o.d … -mfentry -DCC_USING_FENTRY … vdso/vdso32/note.S
> |arch/x86/entry/vdso/vdso32/note.S:1:0: sorry, unimplemented: -mfentry isn’t supported for 32-bit in combination with -fpic
>
> Tagging it stable so it is possible to compile recent stable kernels as
> well.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
> ---
> Makefile | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/Makefile b/Makefile
> index a2650f9c6a25..d61145ebf498 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -622,6 +622,8 @@ include arch/$(SRCARCH)/Makefile
> KBUILD_CFLAGS += $(call cc-option,-fno-delete-null-pointer-checks,)
> KBUILD_CFLAGS += $(call cc-disable-warning,maybe-uninitialized,)
> KBUILD_CFLAGS += $(call cc-disable-warning,frame-address,)
> +KBUILD_CFLAGS += $(call cc-option,-fno-PIE)
> +KBUILD_AFLAGS += $(call cc-option,-fno-PIE)
Bad compiler. No pie for you.
I applied this one to kbuild.git. How about 2/3 and 3/3. Will these be
merged via tip.git or shall I apply them as well?
Thanks,
Michal
* Re: [PATCH 1/3] kbuild: add -fno-PIE
2016-11-08 22:14 ` Michal Marek
@ 2016-11-09 6:10 ` Ingo Molnar
2016-11-09 21:29 ` Michal Marek
0 siblings, 1 reply; 12+ messages in thread
From: Ingo Molnar @ 2016-11-09 6:10 UTC (permalink / raw)
To: Michal Marek
Cc: Sebastian Andrzej Siewior, linux-kernel, linux-kbuild, x86,
Al Viro, Ben Hutchings, Sven Joachim, Austin S. Hemmelgarn,
Borislav Petkov
* Michal Marek <mmarek@suse.com> wrote:
> On Fri, Nov 04, 2016 at 07:39:38PM +0100, Sebastian Andrzej Siewior wrote:
> > Debian started to build the gcc with -fPIE by default so the kernel
> > build ends before it starts properly with:
> > |kernel/bounds.c:1:0: error: code model kernel does not support PIC mode
> >
> > Also add to KBUILD_AFLAGS due to:
> >
> > |gcc -Wp,-MD,arch/x86/entry/vdso/vdso32/.note.o.d … -mfentry -DCC_USING_FENTRY … vdso/vdso32/note.S
> > |arch/x86/entry/vdso/vdso32/note.S:1:0: sorry, unimplemented: -mfentry isn’t supported for 32-bit in combination with -fpic
> >
> > Tagging it stable so it is possible to compile recent stable kernels as
> > well.
> >
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
> > ---
> > Makefile | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/Makefile b/Makefile
> > index a2650f9c6a25..d61145ebf498 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -622,6 +622,8 @@ include arch/$(SRCARCH)/Makefile
> > KBUILD_CFLAGS += $(call cc-option,-fno-delete-null-pointer-checks,)
> > KBUILD_CFLAGS += $(call cc-disable-warning,maybe-uninitialized,)
> > KBUILD_CFLAGS += $(call cc-disable-warning,frame-address,)
> > +KBUILD_CFLAGS += $(call cc-option,-fno-PIE)
> > +KBUILD_AFLAGS += $(call cc-option,-fno-PIE)
>
> Bad compiler. No pie for you.
>
> I applied this one to kbuild.git. How about 2/3 and 3/3. Will these be
> merged via tip.git or shall I apply them as well?
I'd suggest applying them to the kbuild tree, as they are related.
Thanks,
Ingo
* Re: [PATCH 1/3] kbuild: add -fno-PIE
2016-11-09 6:10 ` Ingo Molnar
@ 2016-11-09 21:29 ` Michal Marek
2016-11-10 9:25 ` Ingo Molnar
0 siblings, 1 reply; 12+ messages in thread
From: Michal Marek @ 2016-11-09 21:29 UTC (permalink / raw)
To: Ingo Molnar
Cc: Sebastian Andrzej Siewior, linux-kernel, linux-kbuild, x86,
Al Viro, Ben Hutchings, Sven Joachim, Austin S. Hemmelgarn,
Borislav Petkov
On 9.11.2016 at 07:10, Ingo Molnar wrote:
>
> * Michal Marek <mmarek@suse.com> wrote:
>
>> On Fri, Nov 04, 2016 at 07:39:38PM +0100, Sebastian Andrzej Siewior wrote:
>>> Debian started to build the gcc with -fPIE by default so the kernel
>>> build ends before it starts properly with:
>>> |kernel/bounds.c:1:0: error: code model kernel does not support PIC mode
>>>
>>> Also add to KBUILD_AFLAGS due to:
>>>
>>> |gcc -Wp,-MD,arch/x86/entry/vdso/vdso32/.note.o.d … -mfentry -DCC_USING_FENTRY … vdso/vdso32/note.S
>>> |arch/x86/entry/vdso/vdso32/note.S:1:0: sorry, unimplemented: -mfentry isn’t supported for 32-bit in combination with -fpic
>>>
>>> Tagging it stable so it is possible to compile recent stable kernels as
>>> well.
>>>
>>> Cc: stable@vger.kernel.org
>>> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
>>> ---
>>> Makefile | 2 ++
>>> 1 file changed, 2 insertions(+)
>>>
>>> diff --git a/Makefile b/Makefile
>>> index a2650f9c6a25..d61145ebf498 100644
>>> --- a/Makefile
>>> +++ b/Makefile
>>> @@ -622,6 +622,8 @@ include arch/$(SRCARCH)/Makefile
>>> KBUILD_CFLAGS += $(call cc-option,-fno-delete-null-pointer-checks,)
>>> KBUILD_CFLAGS += $(call cc-disable-warning,maybe-uninitialized,)
>>> KBUILD_CFLAGS += $(call cc-disable-warning,frame-address,)
>>> +KBUILD_CFLAGS += $(call cc-option,-fno-PIE)
>>> +KBUILD_AFLAGS += $(call cc-option,-fno-PIE)
>>
>> Bad compiler. No pie for you.
>>
>> I applied this one to kbuild.git. How about 2/3 and 3/3. Will these be
>> merged via tip.git or shall I apply them as well?
>
> I'd suggest applying them to the kbuild tree, as they are related.
OK, done.
Michal
* Re: [PATCH 1/3] kbuild: add -fno-PIE
2016-11-09 21:29 ` Michal Marek
@ 2016-11-10 9:25 ` Ingo Molnar
0 siblings, 0 replies; 12+ messages in thread
From: Ingo Molnar @ 2016-11-10 9:25 UTC (permalink / raw)
To: Michal Marek
Cc: Sebastian Andrzej Siewior, linux-kernel, linux-kbuild, x86,
Al Viro, Ben Hutchings, Sven Joachim, Austin S. Hemmelgarn,
Borislav Petkov
* Michal Marek <mmarek@suse.com> wrote:
> >>> +++ b/Makefile
> >>> @@ -622,6 +622,8 @@ include arch/$(SRCARCH)/Makefile
> >>> KBUILD_CFLAGS += $(call cc-option,-fno-delete-null-pointer-checks,)
> >>> KBUILD_CFLAGS += $(call cc-disable-warning,maybe-uninitialized,)
> >>> KBUILD_CFLAGS += $(call cc-disable-warning,frame-address,)
> >>> +KBUILD_CFLAGS += $(call cc-option,-fno-PIE)
> >>> +KBUILD_AFLAGS += $(call cc-option,-fno-PIE)
> >>
> >> Bad compiler. No pie for you.
> >>
> >> I applied this one to kbuild.git. How about 2/3 and 3/3. Will these be
> >> merged via tip.git or shall I apply them as well?
> >
> > I'd suggest applying them to the kbuild tree, as they are related.
>
> OK, done.
Thanks!
Ingo
* [PATCH 2/3] scripts/has-stack-protector: add -fno-PIE
2016-11-04 18:39 -fno-PIE, take #3 Sebastian Andrzej Siewior
2016-11-04 18:39 ` [PATCH 1/3] kbuild: add -fno-PIE Sebastian Andrzej Siewior
@ 2016-11-04 18:39 ` Sebastian Andrzej Siewior
2016-11-04 18:39 ` [PATCH 3/3] x86/kexec: " Sebastian Andrzej Siewior
` (4 subsequent siblings)
6 siblings, 0 replies; 12+ messages in thread
From: Sebastian Andrzej Siewior @ 2016-11-04 18:39 UTC (permalink / raw)
To: linux-kernel
Cc: Michal Marek, linux-kbuild, x86, Al Viro, Ben Hutchings,
Sven Joachim, Austin S. Hemmelgarn, Borislav Petkov
Adding -no-PIE to the fstack protector check. -no-PIE was introduced
before -fstack-protector so there is no need for a runtime check.
Without it the build stops:
|Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong available but compiler is broken
due to -mcmodel=kernel + -fPIE if -fPIE is enabled by default.
Tagging it stable so it is possible to compile recent stable kernels as
well.
Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
scripts/gcc-x86_64-has-stack-protector.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/gcc-x86_64-has-stack-protector.sh b/scripts/gcc-x86_64-has-stack-protector.sh
index 973e8c141567..17867e723a51 100755
--- a/scripts/gcc-x86_64-has-stack-protector.sh
+++ b/scripts/gcc-x86_64-has-stack-protector.sh
@@ -1,6 +1,6 @@
#!/bin/sh
-echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -c -O0 -mcmodel=kernel -fstack-protector - -o - 2> /dev/null | grep -q "%gs"
+echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -c -O0 -mcmodel=kernel -fno-PIE -fstack-protector - -o - 2> /dev/null | grep -q "%gs"
if [ "$?" -eq "0" ] ; then
echo y
else
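Review bot: On the changed `echo ... | $*` line the option added is `-fno-PIE`, while the commit message twice calls it `-no-PIE`; the message should name the option the script actually passes. Because the flag is added unconditionally and stderr goes to `2> /dev/null`, a compiler that rejects it makes the grep fail and the script takes the else branch, which surfaces as the same "compiler is broken" error quoted in the message, so the statement that every supported compiler accepts the flag deserves an explicit line in the log.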
--
2.10.2
* [PATCH 3/3] x86/kexec: add -fno-PIE
2016-11-04 18:39 -fno-PIE, take #3 Sebastian Andrzej Siewior
2016-11-04 18:39 ` [PATCH 1/3] kbuild: add -fno-PIE Sebastian Andrzej Siewior
2016-11-04 18:39 ` [PATCH 2/3] scripts/has-stack-protector: " Sebastian Andrzej Siewior
@ 2016-11-04 18:39 ` Sebastian Andrzej Siewior
2016-11-07 6:30 ` -fno-PIE, take #3 Theodore Ts'o
` (3 subsequent siblings)
6 siblings, 0 replies; 12+ messages in thread
From: Sebastian Andrzej Siewior @ 2016-11-04 18:39 UTC (permalink / raw)
To: linux-kernel
Cc: Michal Marek, linux-kbuild, x86, Al Viro, Ben Hutchings,
Sven Joachim, Austin S. Hemmelgarn, Borislav Petkov
If the gcc is configured to do -fPIE by default then the build aborts
later with:
| Unsupported relocation type: unknown type rel type name (29)
Tagging it stable so it is possible to compile recent stable kernels as
well.
Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
arch/x86/purgatory/Makefile | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/x86/purgatory/Makefile b/arch/x86/purgatory/Makefile
index ac58c1616408..555b9fa0ad43 100644
--- a/arch/x86/purgatory/Makefile
+++ b/arch/x86/purgatory/Makefile
@@ -16,6 +16,7 @@ KCOV_INSTRUMENT := n
KBUILD_CFLAGS := -fno-strict-aliasing -Wall -Wstrict-prototypes -fno-zero-initialized-in-bss -fno-builtin -ffreestanding -c -MD -Os -mcmodel=large
KBUILD_CFLAGS += -m$(BITS)
+KBUILD_CFLAGS += $(call cc-option,-fno-PIE)
$(obj)/purgatory.ro: $(PURGATORY_OBJS) FORCE
$(call if_changed,ld)
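Review bot: KBUILD_AFLAGS is not touched next to the added KBUILD_CFLAGS line, although 1/3 had to add `-fno-PIE` to both variables; if purgatory builds any .S files through the compiler driver, please confirm they do not need the same treatment. The commit message would also be easier to act on if it named the relocation behind "rel type name (29)" and the build step that prints it, since a reply in this thread reports an amd64 build with CONFIG_KEXEC_FILE succeeding without this patch.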
--
2.10.2
* Re: -fno-PIE, take #3
2016-11-04 18:39 -fno-PIE, take #3 Sebastian Andrzej Siewior
` (2 preceding siblings ...)
2016-11-04 18:39 ` [PATCH 3/3] x86/kexec: " Sebastian Andrzej Siewior
@ 2016-11-07 6:30 ` Theodore Ts'o
2016-11-07 22:31 ` H. Peter Anvin
` (2 subsequent siblings)
6 siblings, 0 replies; 12+ messages in thread
From: Theodore Ts'o @ 2016-11-07 6:30 UTC (permalink / raw)
To: Sebastian Andrzej Siewior
Cc: linux-kernel, Michal Marek, linux-kbuild, x86, Al Viro,
Ben Hutchings, Sven Joachim, Austin S. Hemmelgarn,
Borislav Petkov
On Fri, Nov 04, 2016 at 07:39:37PM +0100, Sebastian Andrzej Siewior wrote:
> Debian's gcc is nowadays compiled with --enable-default-pie which means it does
> -fPIE by default. This breaks at least x86-64 compiles.
> This is the third attempt to fix it, this time by using runtime detection of
> the -fno-PIE compiler switch (it was introduced in gcc 3.4, min required gcc is
> currently 3.2) so it can be backported to the stable kernels.
> As noted by Al this won't fix `git bisect' of stable kernels prior to this commit.
> However, always using a wrapper around gcc which adds -fno-PIE is not a solution
> I want to rely on in future.
A wrapper around gcc which adds -fno-PIE doesn't work for the HOSTCC
builds, anyway:
% gcc -fno-PIE -o /tmp/hello /tmp/hello.c
/usr/bin/ld: /tmp/cckzDf9X.o: relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
Alas, the only workaround I've found which doesn't involve bisecting
the kernel is to add "CC=gcc-5" to the Makefile invocation (assuming
gcc-5 is installed of course).
- Ted
* Re: -fno-PIE, take #3
2016-11-04 18:39 -fno-PIE, take #3 Sebastian Andrzej Siewior
` (3 preceding siblings ...)
2016-11-07 6:30 ` -fno-PIE, take #3 Theodore Ts'o
@ 2016-11-07 22:31 ` H. Peter Anvin
2016-11-08 13:42 ` Borislav Petkov
2016-11-08 22:51 ` Ben Hutchings
6 siblings, 0 replies; 12+ messages in thread
From: H. Peter Anvin @ 2016-11-07 22:31 UTC (permalink / raw)
To: Sebastian Andrzej Siewior, linux-kernel
Cc: Michal Marek, linux-kbuild, x86, Al Viro, Ben Hutchings,
Sven Joachim, Austin S. Hemmelgarn, Borislav Petkov
On 11/04/16 11:39, Sebastian Andrzej Siewior wrote:
> Debian's gcc is nowadays compiled with --enable-default-pie which means it does
> -fPIE by default. This breaks at least x86-64 compiles.
> This is the third attempt to fix it, this time by using runtime detection of
> the -fno-PIE compiler switch (it was introduced in gcc 3.4, min required gcc is
> currently 3.2) so it can be backported to the stable kernels.
> As noted by Al this won't fix `git bisect' of stable kernels prior to this commit.
> However, always using a wrapper around gcc which adds -fno-PIE is not a solution
> I want to rely on in future.
>
> Sebastian
>
We don't support gcc < 3.4 on x86 platforms; I'm pretty sure it is broken.
-hpa
* Re: -fno-PIE, take #3
2016-11-04 18:39 -fno-PIE, take #3 Sebastian Andrzej Siewior
` (4 preceding siblings ...)
2016-11-07 22:31 ` H. Peter Anvin
@ 2016-11-08 13:42 ` Borislav Petkov
2016-11-08 22:51 ` Ben Hutchings
6 siblings, 0 replies; 12+ messages in thread
From: Borislav Petkov @ 2016-11-08 13:42 UTC (permalink / raw)
To: Sebastian Andrzej Siewior
Cc: linux-kernel, Michal Marek, linux-kbuild, x86, Al Viro,
Ben Hutchings, Sven Joachim, Austin S. Hemmelgarn
On Fri, Nov 04, 2016 at 07:39:37PM +0100, Sebastian Andrzej Siewior wrote:
> Debian's gcc is nowadays compiled with --enable-default-pie which means it does
Ho humm, there it is:
$ gcc -### /usr/include/stdlib.h 2>&1 | grep -o -- "--enable-default-pie"
--enable-default-pie
For all three:
Tested-by: Borislav Petkov <bp@suse.de>
That is, if that "fun" of building gcc with it doesn't get undone...
Thanks.
--
Regards/Gruss,
Boris.
Good mailing practices for 400: avoid top-posting and trim the reply.
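
The check in the message above reads gcc's configure line; as an added example (not code from this thread or from kbuild), the POSIX shell functions below ask the compiler itself whether it defaults to PIE and whether it accepts -fno-PIE, and flag the case a silent flag probe would hide. The function names are hypothetical, and the probe compiles /dev/null the way a build-time flag test would.

```shell
#!/bin/sh
# Added example: toolchain pre-flight for a build that cannot use PIE code.

# cc_option CC FLAG [FALLBACK]: print FLAG if CC accepts it, else FALLBACK.
# CC is left unquoted on purpose so that "gcc -m32" style values work.
cc_option() {
    cc=$1 flag=$2 fallback=${3:-}
    tmp=$(mktemp) || return 1
    if $cc -Werror "$flag" -c -x c /dev/null -o "$tmp" >/dev/null 2>&1; then
        echo "$flag"
    else
        echo "$fallback"
    fi
    rm -f "$tmp"
}

# cc_default_pie CC: succeed if CC predefines __PIE__ with no flags given,
# i.e. it generates position-independent executable code by default.
cc_default_pie() {
    $1 -dM -E -x c /dev/null 2>/dev/null | grep -q '^#define __PIE__ '
}

# kernel_pie_flags CC: print the flag to append, or fail loudly when the
# compiler defaults to PIE but rejects -fno-PIE (a silent probe would just
# yield an empty string and the build would break later).
kernel_pie_flags() {
    f=$(cc_option "$1" -fno-PIE)
    if [ -z "$f" ] && cc_default_pie "$1"; then
        echo "error: '$1' defaults to PIE and rejects -fno-PIE" >&2
        return 1
    fi
    echo "$f"
}

# Usage: kernel_pie_flags "${CC:-gcc}"
```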
* Re: -fno-PIE, take #3
2016-11-04 18:39 -fno-PIE, take #3 Sebastian Andrzej Siewior
` (5 preceding siblings ...)
2016-11-08 13:42 ` Borislav Petkov
@ 2016-11-08 22:51 ` Ben Hutchings
6 siblings, 0 replies; 12+ messages in thread
From: Ben Hutchings @ 2016-11-08 22:51 UTC (permalink / raw)
To: Sebastian Andrzej Siewior, linux-kernel
Cc: Michal Marek, linux-kbuild, x86, Al Viro, Sven Joachim,
Austin S. Hemmelgarn, Borislav Petkov
On Fri, 2016-11-04 at 19:39 +0100, Sebastian Andrzej Siewior wrote:
> Debian's gcc is nowadays compiled with --enable-default-pie which means it does
> -fPIE by default. This breaks at least x86-64 compiles.
> This is the third attempt to fix it, this time by using runtime detection of
> the -fno-PIE compiler switch (it was introduced in gcc 3.4, min required gcc is
> currently 3.2) so it can be backported to the stable kernels.
> As noted by Al this won't fix `git bisect' of stable kernels prior to this commit.
> However, always using a wrapper around gcc which adds -fno-PIE is not a solution
> I want to rely on in future.
I applied the previous version of "kbuild: add -fno-PIE" plus
"scripts/has-stack-protector: add -fno-PIE" to the Debian kernel
package of v4.9-rc3 and built with gcc-6, and the results of auto-
building so far are (from
<https://buildd.debian.org/status/package.php?p=linux&suite=experimental>):
Debian    Description                  Result
name
----------------------------------------------
amd64     x86_64                       OK
arm64     ARMv8                        OK
armel     ARMv5                        pending
armhf     ARMv7                        pending
i386      i686                         OK
mips      MIPS{32,64}r2 big-endian     OK
mipsel    MIPS{32,64}r2 little-endian  pending
mips64el  MIPS64r2, little-endian      pending
ppc64el   POWER8, little-endian        OK
s390x     s390x                        OK
PIE has not been enabled by default on other Debian architectures. The
build failures on hppa and sparc64 are unrelated.
We do enable CONFIG_KEXEC_FILE on amd64 so I don't know why that
build succeeded without "x86/kexec: add -fno-PIE".
Ben.
--
Ben Hutchings
For every complex problem
there is a solution that is simple, neat, and wrong.