Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
kbuild: remove cc-option test of -fno-stack-protector
Some Makefiles already pass -fno-stack-protector unconditionally.
For example, arch/arm64/kernel/vdso/Makefile, arch/x86/xen/Makefile.
No problem report so far about hard-coding this option. So, we can
assume all supported compilers know -fno-stack-protector.
GCC 4.8 and Clang support this option (https://godbolt.org/z/_HDGzN)
Get rid of cc-option from -fno-stack-protector.
Remove CONFIG_CC_HAS_STACKPROTECTOR_NONE, which is always 'y'.
Note:
arch/mips/vdso/Makefile adds -fno-stack-protector twice, first
unconditionally, and second conditionally. I removed the second one.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+29
-40
+2
-2
Documentation/kbuild/kconfig-language.rst
+2
-2
Documentation/kbuild/kconfig-language.rst
···
540
540
If you need to expose a compiler capability to makefiles and/or C source files,
541
541
`CC_HAS_` is the recommended prefix for the config option::
542
542
543
-
config CC_HAS_STACKPROTECTOR_NONE
544
-
def_bool $(cc-option,-fno-stack-protector)
543
+
config CC_HAS_ASM_GOTO
544
+
def_bool $(success,$(srctree)/scripts/gcc-goto.sh $(CC))
545
545
546
546
Build as module only
547
547
~~~~~~~~~~~~~~~~~~~~
+1
-1
Makefile
+1
-1
Makefile
···
762
762
KBUILD_CFLAGS += -Wframe-larger-than=$(CONFIG_FRAME_WARN)
763
763
endif
764
764
765
-
stackp-flags-$(CONFIG_CC_HAS_STACKPROTECTOR_NONE) := -fno-stack-protector
765
+
stackp-flags-y := -fno-stack-protector
766
766
stackp-flags-$(CONFIG_STACKPROTECTOR) := -fstack-protector
767
767
stackp-flags-$(CONFIG_STACKPROTECTOR_STRONG) := -fstack-protector-strong
768
768
-3
arch/Kconfig
-3
arch/Kconfig
···
478
478
An arch should select this symbol if:
479
479
- it has implemented a stack canary (e.g. __stack_chk_guard)
480
480
481
-
config CC_HAS_STACKPROTECTOR_NONE
482
-
def_bool $(cc-option,-fno-stack-protector)
483
-
484
481
config STACKPROTECTOR
485
482
bool "Stack Protector buffer overflow detection"
486
483
depends on HAVE_STACKPROTECTOR
+1
-2
arch/arm/boot/compressed/Makefile
+1
-2
arch/arm/boot/compressed/Makefile
···
84
84
85
85
# -fstack-protector-strong triggers protection checks in this code,
86
86
# but it is being used too early to link to meaningful stack_chk logic.
87
-
nossp-flags-$(CONFIG_CC_HAS_STACKPROTECTOR_NONE) := -fno-stack-protector
88
87
$(foreach o, $(libfdt_objs) atags_to_fdt.o, \
89
-
$(eval CFLAGS_$(o) := -I $(srctree)/scripts/dtc/libfdt $(nossp-flags-y)))
88
+
$(eval CFLAGS_$(o) := -I $(srctree)/scripts/dtc/libfdt -fno-stack-protector))
90
89
91
90
# These were previously generated C files. When you are building the kernel
92
91
# with O=, make sure to remove the stale files in the output tree. Otherwise,
+1
-2
arch/mips/vdso/Makefile
+1
-2
arch/mips/vdso/Makefile
···
35
35
-O3 -g -fPIC -fno-strict-aliasing -fno-common -fno-builtin -G 0 \
36
36
-mrelax-pic-calls $(call cc-option, -mexplicit-relocs) \
37
37
-fno-stack-protector -fno-jump-tables -DDISABLE_BRANCH_PROFILING \
38
-
$(call cc-option, -fno-asynchronous-unwind-tables) \
39
-
$(call cc-option, -fno-stack-protector)
38
+
$(call cc-option, -fno-asynchronous-unwind-tables)
40
39
aflags-vdso := $(ccflags-vdso) \
41
40
-D__ASSEMBLY__ -Wa,-gdwarf-2
42
41
+1
-1
arch/powerpc/kernel/Makefile
+1
-1
arch/powerpc/kernel/Makefile
···
16
16
CFLAGS_btext.o += $(DISABLE_LATENT_ENTROPY_PLUGIN)
17
17
CFLAGS_prom.o += $(DISABLE_LATENT_ENTROPY_PLUGIN)
18
18
19
-
CFLAGS_prom_init.o += $(call cc-option, -fno-stack-protector)
19
+
CFLAGS_prom_init.o += -fno-stack-protector
20
20
CFLAGS_prom_init.o += -DDISABLE_BRANCH_PROFILING
21
21
CFLAGS_prom_init.o += -ffreestanding
22
22
+1
-1
arch/powerpc/platforms/powermac/Makefile
+1
-1
arch/powerpc/platforms/powermac/Makefile
+2
-2
arch/sparc/vdso/Makefile
+2
-2
arch/sparc/vdso/Makefile
···
54
54
# optimize sibling calls.
55
55
#
56
56
CFL := $(PROFILING) -mcmodel=medlow -fPIC -O2 -fasynchronous-unwind-tables -m64 \
57
-
$(filter -g%,$(KBUILD_CFLAGS)) $(call cc-option, -fno-stack-protector) \
57
+
$(filter -g%,$(KBUILD_CFLAGS)) -fno-stack-protector \
58
58
-fno-omit-frame-pointer -foptimize-sibling-calls \
59
59
-DDISABLE_BRANCH_PROFILING -DBUILD_VDSO
60
60
···
93
93
KBUILD_CFLAGS_32 := $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS_32))
94
94
KBUILD_CFLAGS_32 := $(filter-out $(SPARC_REG_CFLAGS),$(KBUILD_CFLAGS_32))
95
95
KBUILD_CFLAGS_32 += -m32 -msoft-float -fpic
96
-
KBUILD_CFLAGS_32 += $(call cc-option, -fno-stack-protector)
96
+
KBUILD_CFLAGS_32 += -fno-stack-protector
97
97
KBUILD_CFLAGS_32 += $(call cc-option, -foptimize-sibling-calls)
98
98
KBUILD_CFLAGS_32 += -fno-omit-frame-pointer
99
99
KBUILD_CFLAGS_32 += -DDISABLE_BRANCH_PROFILING
+1
-2
arch/um/Makefile
+1
-2
arch/um/Makefile
···
121
121
LINK-$(CONFIG_LD_SCRIPT_DYN) += -Wl,-rpath,/lib $(call cc-option, -no-pie)
122
122
123
123
CFLAGS_NO_HARDENING := $(call cc-option, -fno-PIC,) $(call cc-option, -fno-pic,) \
124
-
$(call cc-option, -fno-stack-protector,) \
125
-
$(call cc-option, -fno-stack-protector-all,)
124
+
-fno-stack-protector $(call cc-option, -fno-stack-protector-all)
126
125
127
126
# Options used by linker script
128
127
export LDS_START := $(START)
+1
-1
arch/x86/Makefile
+1
-1
arch/x86/Makefile
···
37
37
-mno-mmx -mno-sse
38
38
39
39
REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -ffreestanding)
40
-
REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -fno-stack-protector)
40
+
REALMODE_CFLAGS += -fno-stack-protector
41
41
REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -Wno-address-of-packed-member)
42
42
REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), $(cc_stack_align4))
43
43
export REALMODE_CFLAGS
+1
-1
arch/x86/boot/compressed/Makefile
+1
-1
arch/x86/boot/compressed/Makefile
···
36
36
KBUILD_CFLAGS += $(cflags-y)
37
37
KBUILD_CFLAGS += -mno-mmx -mno-sse
38
38
KBUILD_CFLAGS += $(call cc-option,-ffreestanding)
39
-
KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector)
39
+
KBUILD_CFLAGS += -fno-stack-protector
40
40
KBUILD_CFLAGS += $(call cc-disable-warning, address-of-packed-member)
41
41
KBUILD_CFLAGS += $(call cc-disable-warning, gnu)
42
42
KBUILD_CFLAGS += -Wno-pointer-sign
+2
-2
arch/x86/entry/vdso/Makefile
+2
-2
arch/x86/entry/vdso/Makefile
···
82
82
# optimize sibling calls.
83
83
#
84
84
CFL := $(PROFILING) -mcmodel=small -fPIC -O2 -fasynchronous-unwind-tables -m64 \
85
-
$(filter -g%,$(KBUILD_CFLAGS)) $(call cc-option, -fno-stack-protector) \
85
+
$(filter -g%,$(KBUILD_CFLAGS)) -fno-stack-protector \
86
86
-fno-omit-frame-pointer -foptimize-sibling-calls \
87
87
-DDISABLE_BRANCH_PROFILING -DBUILD_VDSO
88
88
···
151
151
KBUILD_CFLAGS_32 := $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS_32))
152
152
KBUILD_CFLAGS_32 := $(filter-out $(RETPOLINE_CFLAGS),$(KBUILD_CFLAGS_32))
153
153
KBUILD_CFLAGS_32 += -m32 -msoft-float -mregparm=0 -fpic
154
-
KBUILD_CFLAGS_32 += $(call cc-option, -fno-stack-protector)
154
+
KBUILD_CFLAGS_32 += -fno-stack-protector
155
155
KBUILD_CFLAGS_32 += $(call cc-option, -foptimize-sibling-calls)
156
156
KBUILD_CFLAGS_32 += -fno-omit-frame-pointer
157
157
KBUILD_CFLAGS_32 += -DDISABLE_BRANCH_PROFILING
+1
-2
arch/x86/kernel/cpu/Makefile
+1
-2
arch/x86/kernel/cpu/Makefile
···
17
17
KCSAN_SANITIZE_common.o := n
18
18
19
19
# Make sure load_percpu_segment has no stackprotector
20
-
nostackp := $(call cc-option, -fno-stack-protector)
21
-
CFLAGS_common.o := $(nostackp)
20
+
CFLAGS_common.o := -fno-stack-protector
22
21
23
22
obj-y := cacheinfo.o scattered.o topology.o
24
23
obj-y += common.o
+1
-1
arch/x86/lib/Makefile
+1
-1
arch/x86/lib/Makefile
+3
-4
arch/x86/mm/Makefile
+3
-4
arch/x86/mm/Makefile
···
22
22
obj-y += pat/
23
23
24
24
# Make sure __phys_addr has no stackprotector
25
-
nostackp := $(call cc-option, -fno-stack-protector)
26
-
CFLAGS_physaddr.o := $(nostackp)
27
-
CFLAGS_setup_nx.o := $(nostackp)
28
-
CFLAGS_mem_encrypt_identity.o := $(nostackp)
25
+
CFLAGS_physaddr.o := -fno-stack-protector
26
+
CFLAGS_setup_nx.o := -fno-stack-protector
27
+
CFLAGS_mem_encrypt_identity.o := -fno-stack-protector
29
28
30
29
CFLAGS_fault.o := -I $(srctree)/$(src)/../include/asm/trace
31
30
+1
-2
arch/x86/power/Makefile
+1
-2
arch/x86/power/Makefile
···
3
3
4
4
# __restore_processor_state() restores %gs after S3 resume and so should not
5
5
# itself be stack-protected
6
-
nostackp := $(call cc-option, -fno-stack-protector)
7
-
CFLAGS_cpu.o := $(nostackp)
6
+
CFLAGS_cpu.o := -fno-stack-protector
8
7
9
8
obj-$(CONFIG_PM_SLEEP) += cpu.o
10
9
obj-$(CONFIG_HIBERNATION) += hibernate_$(BITS).o hibernate_asm_$(BITS).o hibernate.o
+1
-1
arch/x86/purgatory/Makefile
+1
-1
arch/x86/purgatory/Makefile
···
34
34
PURGATORY_CFLAGS_REMOVE := -mcmodel=kernel
35
35
PURGATORY_CFLAGS := -mcmodel=large -ffreestanding -fno-zero-initialized-in-bss
36
36
PURGATORY_CFLAGS += $(DISABLE_STACKLEAK_PLUGIN) -DDISABLE_BRANCH_PROFILING
37
-
PURGATORY_CFLAGS += $(call cc-option,-fno-stack-protector)
37
+
PURGATORY_CFLAGS += -fno-stack-protector
38
38
39
39
# Default KBUILD_CFLAGS can have -pg option set when FTRACE is enabled. That
40
40
# in turn leaves some undefined symbols like __fentry__ in purgatory and not
+1
-1
arch/x86/um/vdso/Makefile
+1
-1
arch/x86/um/vdso/Makefile
···
42
42
# optimize sibling calls.
43
43
#
44
44
CFL := $(PROFILING) -mcmodel=small -fPIC -O2 -fasynchronous-unwind-tables -m64 \
45
-
$(filter -g%,$(KBUILD_CFLAGS)) $(call cc-option, -fno-stack-protector) \
45
+
$(filter -g%,$(KBUILD_CFLAGS)) -fno-stack-protector \
46
46
-fno-omit-frame-pointer -foptimize-sibling-calls
47
47
48
48
$(vobjs): KBUILD_CFLAGS += $(CFL)
+2
-3
arch/x86/xen/Makefile
+2
-3
arch/x86/xen/Makefile
···
9
9
endif
10
10
11
11
# Make sure early boot has no stackprotector
12
-
nostackp := $(call cc-option, -fno-stack-protector)
13
-
CFLAGS_enlighten_pv.o := $(nostackp)
14
-
CFLAGS_mmu_pv.o := $(nostackp)
12
+
CFLAGS_enlighten_pv.o := -fno-stack-protector
13
+
CFLAGS_mmu_pv.o := -fno-stack-protector
15
14
16
15
obj-y += enlighten.o
17
16
obj-y += mmu.o
+1
-1
drivers/firmware/efi/libstub/Makefile
+1
-1
drivers/firmware/efi/libstub/Makefile
+1
-2
drivers/xen/Makefile
+1
-2
drivers/xen/Makefile
+2
-2
lib/Makefile
+2
-2
lib/Makefile
···
22
22
ifdef CONFIG_AMD_MEM_ENCRYPT
23
23
KASAN_SANITIZE_string.o := n
24
24
25
-
CFLAGS_string.o := $(call cc-option, -fno-stack-protector)
25
+
CFLAGS_string.o := -fno-stack-protector
26
26
endif
27
27
28
28
# Used by KCSAN while enabled, avoid recursion.
···
300
300
UBSAN_SANITIZE_ubsan.o := n
301
301
KASAN_SANITIZE_ubsan.o := n
302
302
KCSAN_SANITIZE_ubsan.o := n
303
-
CFLAGS_ubsan.o := $(call cc-option, -fno-stack-protector) $(DISABLE_STACKLEAK_PLUGIN)
303
+
CFLAGS_ubsan.o := -fno-stack-protector $(DISABLE_STACKLEAK_PLUGIN)
304
304
305
305
obj-$(CONFIG_SBITMAP) += sbitmap.o
306
306
+1
-1
mm/kasan/Makefile
+1
-1
mm/kasan/Makefile
···
16
16
# Function splitter causes unnecessary splits in __asan_load1/__asan_store1
17
17
# see: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63533
18
18
CC_FLAGS_KASAN_RUNTIME := $(call cc-option, -fno-conserve-stack)
19
-
CC_FLAGS_KASAN_RUNTIME += $(call cc-option, -fno-stack-protector)
19
+
CC_FLAGS_KASAN_RUNTIME += -fno-stack-protector
20
20
# Disable branch tracing to avoid recursion.
21
21
CC_FLAGS_KASAN_RUNTIME += -DDISABLE_BRANCH_PROFILING
22
22