Re: [PATCH v2 4/5] x86/entry/vdso: build with IBT support

Next message: Sean Christopherson: "Re: [PATCH v3 23/40] KVM: x86: Move kvm_{load,put}_guest_fpu() to fpu.h"
Previous message: Lukas Schmid: "[PATCH v2 1/3] dt-bindings: arm: sunxi: Add NetCube Systems OpenNMC (dobermann)"
In reply to: Richard Patel: "[PATCH v2 4/5] x86/entry/vdso: build with IBT support"
Next in thread: Richard Patel: "[PATCH v2 5/5] selftests/x86: test usermode IBT"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Florian Weimer

Date: Fri Jun 05 2026 - 15:15:44 EST

* Richard Patel:

> VDSO should expose ENDBR instructions now that usermode IBT is
> available.
>
> Signed-off-by: Richard Patel <ripatel@xxxxxxx>
> ---
> arch/x86/entry/vdso/common/Makefile.include | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/arch/x86/entry/vdso/common/Makefile.include b/arch/x86/entry/vdso/common/Makefile.include
> index 687b3d89b40d..a0dc69b7a330 100644
> --- a/arch/x86/entry/vdso/common/Makefile.include
> +++ b/arch/x86/entry/vdso/common/Makefile.include
> @@ -46,8 +46,7 @@ flags-y += -fasynchronous-unwind-tables
> # Reset cf protections enabled by compiler default
> flags-y += $(call cc-option, -fcf-protection=none)
> flags-$(X86_USER_SHADOW_STACK) += $(call cc-option, -fcf-protection=return)
> -# When user space IBT is supported, enable this.
> -# flags-$(CONFIG_USER_IBT) += $(call cc-option, -fcf-protection=branch)
> +flags-$(CONFIG_X86_USER_IBT) += $(call cc-option, -fcf-protection=branch)
>
> flags-$(CONFIG_MITIGATION_RETPOLINE) += $(RETPOLINE_VDSO_CFLAGS)

Surprisingly, the option is cumulative in GCC. I didn't expect that.
So this in fact works with GCC.

However, it's not cumulative in Clang, and -fcf-protection=branch
overrides the earlier -fcf-protection=return.

Thanks,
Florian