From a8ff29f0ca1d63a215ef445102662850a912d127 Mon Sep 17 00:00:00 2001 From: Josh Poimboeuf Date: Tue, 27 Jan 2026 17:12:05 -0800 Subject: [PATCH 1/5] livepatch/klp-build: Require Clang assembler >= 20 Some special sections specify their ELF section entsize, for example: .pushsection section, "M", @progbits, 8 The entsize (8 in this example) is needed by objtool klp-diff for extracting individual entries. Clang assembler versions older than 20 silently ignore the above construct and set entsize to 0, resulting in the following error: .discard.annotate_data: missing special section entsize or annotations Add a klp-build check to prevent the use of Clang assembler versions prior to 20. Fixes: 24ebfcd65a87 ("livepatch/klp-build: Introduce klp-build script for generating livepatch modules") Reported-by: Song Liu Acked-by: Song Liu Link: https://patch.msgid.link/957fd52e375d0e2cfa3ac729160da995084a7f5e.1769562556.git.jpoimboe@kernel.org Signed-off-by: Josh Poimboeuf --- scripts/livepatch/klp-build | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/livepatch/klp-build b/scripts/livepatch/klp-build index a73515a82272..809e198a561d 100755 --- a/scripts/livepatch/klp-build +++ b/scripts/livepatch/klp-build @@ -249,6 +249,10 @@ validate_config() { [[ -v CONFIG_GCC_PLUGIN_RANDSTRUCT ]] && \ die "kernel option 'CONFIG_GCC_PLUGIN_RANDSTRUCT' not supported" + [[ -v CONFIG_AS_IS_LLVM ]] && \ + [[ "$CONFIG_AS_VERSION" -lt 200000 ]] && \ + die "Clang assembler version < 20 not supported" + return 0 } From ab10815472fcbc2c772dc21a979460b7f74f0145 Mon Sep 17 00:00:00 2001 From: Petr Pavlu Date: Fri, 23 Jan 2026 11:26:56 +0100 Subject: [PATCH 2/5] livepatch: Fix having __klp_objects relics in non-livepatch modules The linker script scripts/module.lds.S specifies that all input __klp_objects sections should be consolidated into an output section of the same name, and start/stop symbols should be created to enable scripts/livepatch/init.c to locate this data. This start/stop pattern is not ideal for modules because the symbols are created even if no __klp_objects input sections are present. Consequently, a dummy __klp_objects section also appears in the resulting module. This unnecessarily pollutes non-livepatch modules. Instead, since modules are relocatable files, the usual method for locating consolidated data in a module is to read its section table. This approach avoids the aforementioned problem. The klp_modinfo already stores a copy of the entire section table with the final addresses. Introduce a helper function that scripts/livepatch/init.c can call to obtain the location of the __klp_objects section from this data. Fixes: dd590d4d57eb ("objtool/klp: Introduce klp diff subcommand for diffing object files") Signed-off-by: Petr Pavlu Acked-by: Joe Lawrence Acked-by: Miroslav Benes Reviewed-by: Aaron Tomlin Link: https://patch.msgid.link/20260123102825.3521961-2-petr.pavlu@suse.com Signed-off-by: Josh Poimboeuf --- include/linux/livepatch.h | 3 +++ kernel/livepatch/core.c | 19 +++++++++++++++++++ scripts/livepatch/init.c | 20 +++++++++----------- scripts/module.lds.S | 7 +------ 4 files changed, 32 insertions(+), 17 deletions(-) diff --git a/include/linux/livepatch.h b/include/linux/livepatch.h index 772919e8096a..ba9e3988c07c 100644 --- a/include/linux/livepatch.h +++ b/include/linux/livepatch.h @@ -175,6 +175,9 @@ int klp_enable_patch(struct klp_patch *); int klp_module_coming(struct module *mod); void klp_module_going(struct module *mod); +void *klp_find_section_by_name(const struct module *mod, const char *name, + size_t *sec_size); + void klp_copy_process(struct task_struct *child); void klp_update_patch_state(struct task_struct *task); diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c index 9917756dae46..1acbad2dbfdf 100644 --- a/kernel/livepatch/core.c +++ b/kernel/livepatch/core.c @@ -1356,6 +1356,25 @@ void klp_module_going(struct module *mod) mutex_unlock(&klp_mutex); } +void *klp_find_section_by_name(const struct module *mod, const char *name, + size_t *sec_size) +{ + struct klp_modinfo *info = mod->klp_info; + + for (int i = 1; i < info->hdr.e_shnum; i++) { + Elf_Shdr *shdr = &info->sechdrs[i]; + + if (!strcmp(info->secstrings + shdr->sh_name, name)) { + *sec_size = shdr->sh_size; + return (void *)shdr->sh_addr; + } + } + + *sec_size = 0; + return NULL; +} +EXPORT_SYMBOL_GPL(klp_find_section_by_name); + static int __init klp_init(void) { klp_root_kobj = kobject_create_and_add("livepatch", kernel_kobj); diff --git a/scripts/livepatch/init.c b/scripts/livepatch/init.c index 2274d8f5a482..9e315fc857bd 100644 --- a/scripts/livepatch/init.c +++ b/scripts/livepatch/init.c @@ -9,19 +9,19 @@ #include #include -extern struct klp_object_ext __start_klp_objects[]; -extern struct klp_object_ext __stop_klp_objects[]; - static struct klp_patch *patch; static int __init livepatch_mod_init(void) { + struct klp_object_ext *obj_exts; + size_t obj_exts_sec_size; struct klp_object *objs; unsigned int nr_objs; int ret; - nr_objs = __stop_klp_objects - __start_klp_objects; - + obj_exts = klp_find_section_by_name(THIS_MODULE, "__klp_objects", + &obj_exts_sec_size); + nr_objs = obj_exts_sec_size / sizeof(*obj_exts); if (!nr_objs) { pr_err("nothing to patch!\n"); ret = -EINVAL; @@ -41,7 +41,7 @@ static int __init livepatch_mod_init(void) } for (int i = 0; i < nr_objs; i++) { - struct klp_object_ext *obj_ext = __start_klp_objects + i; + struct klp_object_ext *obj_ext = obj_exts + i; struct klp_func_ext *funcs_ext = obj_ext->funcs; unsigned int nr_funcs = obj_ext->nr_funcs; struct klp_func *funcs = objs[i].funcs; @@ -90,12 +90,10 @@ err: static void __exit livepatch_mod_exit(void) { - unsigned int nr_objs; + struct klp_object *obj; - nr_objs = __stop_klp_objects - __start_klp_objects; - - for (int i = 0; i < nr_objs; i++) - kfree(patch->objs[i].funcs); + klp_for_each_object_static(patch, obj) + kfree(obj->funcs); kfree(patch->objs); kfree(patch); diff --git a/scripts/module.lds.S b/scripts/module.lds.S index 3037d5e5527c..383d19beffb4 100644 --- a/scripts/module.lds.S +++ b/scripts/module.lds.S @@ -35,12 +35,7 @@ SECTIONS { __patchable_function_entries : { *(__patchable_function_entries) } __klp_funcs 0: ALIGN(8) { KEEP(*(__klp_funcs)) } - - __klp_objects 0: ALIGN(8) { - __start_klp_objects = .; - KEEP(*(__klp_objects)) - __stop_klp_objects = .; - } + __klp_objects 0: ALIGN(8) { KEEP(*(__klp_objects)) } #ifdef CONFIG_ARCH_USES_CFI_TRAPS __kcfi_traps : { KEEP(*(.kcfi_traps)) } From b525fcaf0a76507f152d58c6f9e5ef67b3ff552c Mon Sep 17 00:00:00 2001 From: Petr Pavlu Date: Fri, 23 Jan 2026 11:26:57 +0100 Subject: [PATCH 3/5] livepatch: Free klp_{object,func}_ext data after initialization The klp_object_ext and klp_func_ext data, which are stored in the __klp_objects and __klp_funcs sections, respectively, are not needed after they are used to create the actual klp_object and klp_func instances. This operation is implemented by the init function in scripts/livepatch/init.c. Prefix the two sections with ".init" so they are freed after the module is initializated. Signed-off-by: Petr Pavlu Acked-by: Joe Lawrence Acked-by: Miroslav Benes Reviewed-by: Aaron Tomlin Link: https://patch.msgid.link/20260123102825.3521961-3-petr.pavlu@suse.com Signed-off-by: Josh Poimboeuf --- scripts/livepatch/init.c | 2 +- scripts/module.lds.S | 4 ++-- tools/objtool/check.c | 2 +- tools/objtool/include/objtool/klp.h | 10 +++++----- tools/objtool/klp-diff.c | 2 +- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/scripts/livepatch/init.c b/scripts/livepatch/init.c index 9e315fc857bd..638c95cffe76 100644 --- a/scripts/livepatch/init.c +++ b/scripts/livepatch/init.c @@ -19,7 +19,7 @@ static int __init livepatch_mod_init(void) unsigned int nr_objs; int ret; - obj_exts = klp_find_section_by_name(THIS_MODULE, "__klp_objects", + obj_exts = klp_find_section_by_name(THIS_MODULE, ".init.klp_objects", &obj_exts_sec_size); nr_objs = obj_exts_sec_size / sizeof(*obj_exts); if (!nr_objs) { diff --git a/scripts/module.lds.S b/scripts/module.lds.S index 383d19beffb4..054ef99e8288 100644 --- a/scripts/module.lds.S +++ b/scripts/module.lds.S @@ -34,8 +34,8 @@ SECTIONS { __patchable_function_entries : { *(__patchable_function_entries) } - __klp_funcs 0: ALIGN(8) { KEEP(*(__klp_funcs)) } - __klp_objects 0: ALIGN(8) { KEEP(*(__klp_objects)) } + .init.klp_funcs 0 : ALIGN(8) { KEEP(*(.init.klp_funcs)) } + .init.klp_objects 0 : ALIGN(8) { KEEP(*(.init.klp_objects)) } #ifdef CONFIG_ARCH_USES_CFI_TRAPS __kcfi_traps : { KEEP(*(.kcfi_traps)) } diff --git a/tools/objtool/check.c b/tools/objtool/check.c index 3f7999317f4d..933868ee3beb 100644 --- a/tools/objtool/check.c +++ b/tools/objtool/check.c @@ -4761,7 +4761,7 @@ static int validate_ibt(struct objtool_file *file) !strcmp(sec->name, "__bug_table") || !strcmp(sec->name, "__ex_table") || !strcmp(sec->name, "__jump_table") || - !strcmp(sec->name, "__klp_funcs") || + !strcmp(sec->name, ".init.klp_funcs") || !strcmp(sec->name, "__mcount_loc") || !strcmp(sec->name, ".llvm.call-graph-profile") || !strcmp(sec->name, ".llvm_bb_addr_map") || diff --git a/tools/objtool/include/objtool/klp.h b/tools/objtool/include/objtool/klp.h index ad830a7ce55b..e32e5e8bc631 100644 --- a/tools/objtool/include/objtool/klp.h +++ b/tools/objtool/include/objtool/klp.h @@ -6,12 +6,12 @@ #define SHN_LIVEPATCH 0xff20 /* - * __klp_objects and __klp_funcs are created by klp diff and used by the patch - * module init code to build the klp_patch, klp_object and klp_func structs - * needed by the livepatch API. + * .init.klp_objects and .init.klp_funcs are created by klp diff and used by the + * patch module init code to build the klp_patch, klp_object and klp_func + * structs needed by the livepatch API. */ -#define KLP_OBJECTS_SEC "__klp_objects" -#define KLP_FUNCS_SEC "__klp_funcs" +#define KLP_OBJECTS_SEC ".init.klp_objects" +#define KLP_FUNCS_SEC ".init.klp_funcs" /* * __klp_relocs is an intermediate section which are created by klp diff and diff --git a/tools/objtool/klp-diff.c b/tools/objtool/klp-diff.c index d94531e3f64e..1e649a3eb4cd 100644 --- a/tools/objtool/klp-diff.c +++ b/tools/objtool/klp-diff.c @@ -1436,7 +1436,7 @@ static int clone_special_sections(struct elfs *e) } /* - * Create __klp_objects and __klp_funcs sections which are intermediate + * Create .init.klp_objects and .init.klp_funcs sections which are intermediate * sections provided as input to the patch module's init code for building the * klp_patch, klp_object and klp_func structs for the livepatch API. */ From 18328546dd59b6adc111cf84a0ee4cdd3a867611 Mon Sep 17 00:00:00 2001 From: Josh Poimboeuf Date: Mon, 2 Feb 2026 10:01:08 -0800 Subject: [PATCH 4/5] objtool/klp: Fix symbol correlation for orphaned local symbols When compiling with CONFIG_LTO_CLANG_THIN, vmlinux.o has __irf_[start|end] before the first FILE entry: $ readelf -sW vmlinux.o Symbol table '.symtab' contains 597706 entries: Num: Value Size Type Bind Vis Ndx Name 0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND 1: 0000000000000000 0 NOTYPE LOCAL DEFAULT 18 __irf_start 2: 0000000000000200 0 NOTYPE LOCAL DEFAULT 18 __irf_end 3: 0000000000000000 0 SECTION LOCAL DEFAULT 17 .text 4: 0000000000000000 0 SECTION LOCAL DEFAULT 18 .init.ramfs This causes klp-build warnings like: vmlinux.o: warning: objtool: no correlation: __irf_start vmlinux.o: warning: objtool: no correlation: __irf_end The problem is that Clang LTO is stripping the initramfs_data.o FILE symbol, causing those two symbols to be orphaned and not noticed by klp-diff's correlation logic. Add a loop to correlate any symbols found before the first FILE symbol. Fixes: dd590d4d57eb ("objtool/klp: Introduce klp diff subcommand for diffing object files") Reported-by: Song Liu Acked-by: Song Liu Link: https://patch.msgid.link/e21ec1141fc749b5f538d7329b531c1ab63a6d1a.1770055235.git.jpoimboe@kernel.org Signed-off-by: Josh Poimboeuf --- tools/objtool/klp-diff.c | 39 ++++++++++++++++++++++++++++++++++----- 1 file changed, 34 insertions(+), 5 deletions(-) diff --git a/tools/objtool/klp-diff.c b/tools/objtool/klp-diff.c index 1e649a3eb4cd..9f1f4011eb9c 100644 --- a/tools/objtool/klp-diff.c +++ b/tools/objtool/klp-diff.c @@ -364,11 +364,40 @@ static int correlate_symbols(struct elfs *e) struct symbol *file1_sym, *file2_sym; struct symbol *sym1, *sym2; - /* Correlate locals */ - for (file1_sym = first_file_symbol(e->orig), - file2_sym = first_file_symbol(e->patched); ; - file1_sym = next_file_symbol(e->orig, file1_sym), - file2_sym = next_file_symbol(e->patched, file2_sym)) { + file1_sym = first_file_symbol(e->orig); + file2_sym = first_file_symbol(e->patched); + + /* + * Correlate any locals before the first FILE symbol. This has been + * seen when LTO inexplicably strips the initramfs_data.o FILE symbol + * due to the file only containing data and no code. + */ + for_each_sym(e->orig, sym1) { + if (sym1 == file1_sym || !is_local_sym(sym1)) + break; + + if (dont_correlate(sym1)) + continue; + + for_each_sym(e->patched, sym2) { + if (sym2 == file2_sym || !is_local_sym(sym2)) + break; + + if (sym2->twin || dont_correlate(sym2)) + continue; + + if (strcmp(sym1->demangled_name, sym2->demangled_name)) + continue; + + sym1->twin = sym2; + sym2->twin = sym1; + break; + } + } + + /* Correlate locals after the first FILE symbol */ + for (; ; file1_sym = next_file_symbol(e->orig, file1_sym), + file2_sym = next_file_symbol(e->patched, file2_sym)) { if (!file1_sym && file2_sym) { ERROR("FILE symbol mismatch: NULL != %s", file2_sym->name); From f495054bd12e2abe5068e243bdf344b704c303c6 Mon Sep 17 00:00:00 2001 From: Josh Poimboeuf Date: Mon, 2 Feb 2026 11:00:17 -0800 Subject: [PATCH 5/5] objtool/klp: Fix unexported static call key access for manually built livepatch modules Enabling CONFIG_MEM_ALLOC_PROFILING_DEBUG with CONFIG_SAMPLE_LIVEPATCH results in the following error: samples/livepatch/livepatch-shadow-fix1.o: error: objtool: static_call: can't find static_call_key symbol: __SCK__WARN_trap This is caused an extra file->klp sanity check which was added by commit 164c9201e1da ("objtool: Add base objtool support for livepatch modules"). That check was intended to ensure that livepatch modules built with klp-build always have full access to their static call keys. However, it failed to account for the fact that manually built livepatch modules (i.e., not built with klp-build) might need access to unexported static call keys, for which read-only access is typically allowed for modules. While the livepatch-shadow-fix1 module doesn't explicitly use any static calls, it does have a memory allocation, which can cause CONFIG_MEM_ALLOC_PROFILING_DEBUG to insert a WARN() call. And WARN() is now an unexported static call as of commit 860238af7a33 ("x86_64/bug: Inline the UD1"). Fix it by removing the overzealous file->klp check, restoring the original behavior for manually built livepatch modules. Fixes: 164c9201e1da ("objtool: Add base objtool support for livepatch modules") Reported-by: Arnd Bergmann Acked-by: Song Liu Tested-by: Arnd Bergmann Link: https://patch.msgid.link/0bd3ae9a53c3d743417fe842b740a7720e2bcd1c.1770058775.git.jpoimboe@kernel.org Signed-off-by: Josh Poimboeuf --- tools/objtool/check.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/objtool/check.c b/tools/objtool/check.c index 933868ee3beb..ef451cd6277c 100644 --- a/tools/objtool/check.c +++ b/tools/objtool/check.c @@ -682,7 +682,7 @@ static int create_static_call_sections(struct objtool_file *file) key_sym = find_symbol_by_name(file->elf, tmp); if (!key_sym) { - if (!opts.module || file->klp) { + if (!opts.module) { ERROR("static_call: can't find static_call_key symbol: %s", tmp); return -1; }