From 53607383510fc2ac93864a114a899800ab0a0aeb Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 23 Jul 2025 11:17:31 -0500 Subject: [PATCH 1/7] wolfssl/internal.h: don't gate in prototype for sockAddrEqual() if defined(WOLFSSL_NO_SOCK). --- wolfssl/internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index cc9ae816a..212986e9a 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -6806,7 +6806,7 @@ WOLFSSL_LOCAL word32 MacSize(const WOLFSSL* ssl); WOLFSSL_LOCAL int DoClientHelloStateless(WOLFSSL* ssl, const byte* input, word32 helloSz, byte isFirstCHFrag, byte* tls13); #endif /* !defined(NO_WOLFSSL_SERVER) */ -#if !defined(WOLFCRYPT_ONLY) && \ +#if !defined(WOLFCRYPT_ONLY) && !defined(WOLFSSL_NO_SOCK) && \ (defined(USE_WOLFSSL_IO) || defined(WOLFSSL_USER_IO)) WOLFSSL_LOCAL int sockAddrEqual(SOCKADDR_S *a, XSOCKLENT aLen, SOCKADDR_S *b, XSOCKLENT bLen); From 8d7009e9de511f26433c36925f4b8776cc6490d5 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 23 Jul 2025 12:02:07 -0500 Subject: [PATCH 2/7] src/tls.c: in TLSX_KeyShare_GenPqcKeyClient(), add smallstack coverage to !WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ code paths. --- src/tls.c | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/src/tls.c b/src/tls.c index b2964ad95..e676e18f4 100644 --- a/src/tls.c +++ b/src/tls.c @@ -8537,7 +8537,11 @@ static int TLSX_KeyShare_GenPqcKeyClient(WOLFSSL *ssl, KeyShareEntry* kse) int ret = 0; int type = 0; #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ - KyberKey kem[1]; + #ifdef WOLFSSL_SMALL_STACK + KyberKey *kem = NULL; + #else + KyberKey kem[1]; + #endif byte* privKey = NULL; word32 privSz = 0; #else 
@@ -8559,6 +8563,18 @@ static int TLSX_KeyShare_GenPqcKeyClient(WOLFSSL *ssl, KeyShareEntry* kse) } #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ + + #ifdef WOLFSSL_SMALL_STACK + if (ret == 0) { + kem = (KyberKey *)XMALLOC(sizeof(*kem), ssl->heap, + DYNAMIC_TYPE_PRIVATE_KEY); + if (kem == NULL) { + WOLFSSL_MSG("KEM memory allocation failure"); + ret = MEMORY_ERROR; + } + } + #endif /* WOLFSSL_SMALL_STACK */ + if (ret == 0) { ret = wc_KyberKey_Init(type, kem, ssl->heap, ssl->devId); if (ret != 0) { @@ -8638,6 +8654,9 @@ static int TLSX_KeyShare_GenPqcKeyClient(WOLFSSL *ssl, KeyShareEntry* kse) XFREE(kse->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); kse->pubKey = NULL; #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ + #ifdef WOLFSSL_SMALL_STACK + XFREE(kem, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); + #endif if (privKey) { ForceZero(privKey, privSz); XFREE(privKey, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); @@ -8658,6 +8677,11 @@ static int TLSX_KeyShare_GenPqcKeyClient(WOLFSSL *ssl, KeyShareEntry* kse) #endif } + #if !defined(WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ) && \ + defined(WOLFSSL_SMALL_STACK) + XFREE(kem, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); + #endif + return ret; } From a447a991b0db66f817209eb0d9c9337195977d81 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 23 Jul 2025 14:31:52 -0500 Subject: [PATCH 3/7] linuxkm/Kbuild: add KERNEL_EXTRA_CFLAGS_REMOVE; linuxkm/linuxkm_wc_port.h: fix version threshold for HAVE_KVREALLOC (6.12.0, not 6.11.0), and add manual overrides. --- .wolfssl_known_macro_extras | 4 ++++ linuxkm/Kbuild | 4 ++++ linuxkm/linuxkm_wc_port.h | 32 +++++++++++++++++++++----------- 3 files changed, 29 insertions(+), 11 deletions(-) diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index 236de6627..3e039f6fc 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras 
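Review bot: The `XFREE(kem, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY)` calls added for WOLFSSL_SMALL_STACK (in the `ret != 0` cleanup block and again before `return ret`) release the KyberKey with no visible wipe, while `privKey` in the same cleanup block gets `ForceZero()` before its free. Unless `wc_KyberKey_Free()` (not visible in these hunks) already clears the object on every path, including when `wc_KyberKey_Init()` failed or was never reached, the heap copy should be zeroized and the pointer reset: `if (kem != NULL) { ForceZero(kem, sizeof(*kem)); XFREE(kem, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); kem = NULL; }`. Any cleanup outside the hunks that dereferences `kem` also has to tolerate the NULL left by a failed XMALLOC. The function body starts and ends outside these hunks.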
@@ -193,6 +193,10 @@ DILITHIUM_MUL_QINV_SLOW DILITHIUM_MUL_Q_SLOW DILITHIUM_MUL_SLOW DILITHIUM_USE_HINT_CT +DONT_HAVE_KVMALLOC +DONT_HAVE_KVREALLOC +DONT_USE_KVMALLOC +DONT_USE_KVREALLOC DTLS_RECEIVEFROM_NO_TIMEOUT_ON_INVALID_PEER ECCSI_ORDER_MORE_BITS_THAN_PRIME ECC_DUMP_OID diff --git a/linuxkm/Kbuild b/linuxkm/Kbuild index 5e15ce1d4..ab0399131 100644 --- a/linuxkm/Kbuild +++ b/linuxkm/Kbuild @@ -129,6 +129,10 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes" $(obj)/linuxkm/module_hooks.o: ccflags-y += $(PIE_SUPPORT_FLAGS) endif +ifdef KERNEL_EXTRA_CFLAGS_REMOVE + ccflags-remove-y += KERNEL_EXTRA_CFLAGS_REMOVE +endif + $(obj)/wolfcrypt/benchmark/benchmark.o: ccflags-y = $(WOLFSSL_CFLAGS) $(CFLAGS_FPU_ENABLE) $(CFLAGS_SIMD_ENABLE) $(PIE_SUPPORT_FLAGS) -DNO_MAIN_FUNCTION -DWOLFSSL_NO_OPTIONS_H $(obj)/wolfcrypt/benchmark/benchmark.o: asflags-y = $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_ENABLE_SIMD_DISABLE) diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h index 1d15bbedd..0caedae70 100644 --- a/linuxkm/linuxkm_wc_port.h +++ b/linuxkm/linuxkm_wc_port.h 
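Review bot: `ccflags-remove-y += KERNEL_EXTRA_CFLAGS_REMOVE` in the linuxkm/Kbuild hunk appends the literal word rather than the variable's value, so a flag passed as `KERNEL_EXTRA_CFLAGS_REMOVE=-pg` is never filtered out of the compile flags. The line should expand the variable: `ccflags-remove-y += $(KERNEL_EXTRA_CFLAGS_REMOVE)`. A one-line comment above the `ifdef`, saying that the value is a space-separated list of flags to strip from the kernel-supplied CFLAGS, would document the knob.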
@@ -81,28 +81,38 @@ * kvrealloc() added in de2860f463, merged for 5.15, backported to 5.10.137. * moved to ultimate home (slab.h) in 8587ca6f34, merged for 5.16. * - * however, until 6.11, it took an extra argument, oldsize, that makes it - * incompatible with traditional libc usage patterns, so we don't try to use it. + * however, until 6.12 (commit 590b9d576c), it took an extra argument, + * oldsize, that makes it incompatible with traditional libc usage patterns, + * so we don't try to use it. */ - #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0) + #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0) && \ + !defined(DONT_HAVE_KVMALLOC) && !defined(HAVE_KVMALLOC) #define HAVE_KVMALLOC #endif - #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 11, 0) + #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 12, 0) && \ + !defined(DONT_HAVE_KVREALLOC) && !defined(HAVE_KVREALLOC) #define HAVE_KVREALLOC #endif #ifdef WOLFCRYPT_ONLY - #ifdef HAVE_KVMALLOC + #if defined(HAVE_KVMALLOC) && \ + !defined(DONT_USE_KVMALLOC) && !defined(USE_KVMALLOC) #define USE_KVMALLOC #endif - #ifdef HAVE_KVREALLOC + #ifdef HAVE_KVREALLOC && \ + !defined(DONT_USE_KVREALLOC) && !defined(USE_KVREALLOC) #define USE_KVREALLOC #endif #else /* functioning realloc() is needed for the TLS stack. */ - #if defined(HAVE_KVMALLOC) && defined(HAVE_KVREALLOC) - #define USE_KVMALLOC - #define USE_KVREALLOC + #if defined(HAVE_KVMALLOC) && defined(HAVE_KVREALLOC) && \ + !defined(DONT_USE_KVMALLOC) && !defined(DONT_USE_KVREALLOC) + #ifndef USE_KVMALLOC + #define USE_KVMALLOC + #endif + #ifndef USE_KVREALLOC + #define USE_KVREALLOC + #endif #endif #endif @@ -680,7 +690,7 @@ const unsigned char *_ctype; -#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 11, 0) +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 12, 0) typeof(kmalloc_noprof) *kmalloc_noprof; typeof(krealloc_noprof) *krealloc_noprof; typeof(kzalloc_noprof) *kzalloc_noprof; 
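Review bot: In the non-WOLFCRYPT_ONLY branch of the first hunk, the new `#ifndef USE_KVMALLOC` / `#ifndef USE_KVREALLOC` guards accept a caller-supplied `USE_KVMALLOC`, but nothing rejects `USE_KVMALLOC` without `USE_KVREALLOC`, which is the pairing the comment "functioning realloc() is needed for the TLS stack" exists to prevent. How realloc is mapped in that configuration is outside this hunk, so the consequence is inferred, but a guard after the block would turn the misconfiguration into a build error: `#if !defined(WOLFCRYPT_ONLY) && defined(USE_KVMALLOC) && !defined(USE_KVREALLOC)`, then `#error USE_KVMALLOC requires USE_KVREALLOC when the TLS stack is built`, then `#endif`. The header comment should also list the DONT_HAVE_* and DONT_USE_* override macros and say that HAVE_*/USE_* may be predefined by the builder.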
@@ -953,7 +963,7 @@ #define _ctype WC_LKM_INDIRECT_SYM(_ctype) -#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 11, 0) +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 12, 0) /* see include/linux/alloc_tag.h and include/linux/slab.h */ #define kmalloc_noprof WC_LKM_INDIRECT_SYM(kmalloc_noprof) #define krealloc_noprof WC_LKM_INDIRECT_SYM(krealloc_noprof) From 53de4a582e92e45e0a4b10c35a57ee12081a9bd8 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 23 Jul 2025 14:43:33 -0500 Subject: [PATCH 4/7] add .github/workflows/linuxkm.yml; linuxkm/Makefile: add support for FORCE_NO_MODULE_SIG. --- .github/workflows/linuxkm.yml | 47 +++++++++++++++++++++++++++++++++++ linuxkm/Makefile | 4 +++ 2 files changed, 51 insertions(+) create mode 100644 .github/workflows/linuxkm.yml diff --git a/.github/workflows/linuxkm.yml b/.github/workflows/linuxkm.yml new file mode 100644 index 000000000..8ea51b234 --- /dev/null +++ b/.github/workflows/linuxkm.yml 
@@ -0,0 +1,47 @@ +name: Kernel Module Build + +# START OF COMMON SECTION +on: + push: + branches: [ 'master', 'main', 'release/**' ] + pull_request: + branches: [ '*' ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true +# END OF COMMON SECTION + +jobs: + build_library: + strategy: + matrix: + config: [ + 'EXTRA_CPPFLAGS=-Werror --enable-option-checking=fatal --enable-linuxkm --enable-linuxkm-lkcapi-register=all --enable-all --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-experimental --enable-dual-alg-certs --disable-qt --disable-quic --with-sys-crypto-policy=no --disable-opensslextra --disable-testcert --enable-intelasm --enable-sp-asm --enable-crypttests --enable-reproducible-build CFLAGS="-DWOLFSSL_LINUXKM_VERBOSE_DEBUG -Wframe-larger-than=2048 -Wstack-usage=4096" --with-max-rsa-bits=16384' + ] + name: build module + if: github.repository_owner == 'wolfssl' + runs-on: ubuntu-latest + timeout-minutes: 5 + steps: + - uses: actions/checkout@v4 + name: Checkout wolfSSL + + - name: Build libwolfssl.ko, targeting GitHub ubuntu-latest, with --enable-all, PQC, and smallstack and stack depth warnings + run: | + echo "updating linux-headers" + sudo apt-get update || $(exit 2) + sudo apt-get install linux-headers-$(uname -r) -y || $(exit 3) + echo "preparing target kernel $(uname -r)" + pushd "/lib/modules/$(uname -r)/build" || $(exit 4) + if [ -f /proc/config.gz ]; then gzip -dc /proc/config.gz > /tmp/.config && sudo mv /tmp/.config . || $(exit 5); elif [ -f "/boot/config-$(uname -r)" ]; then sudo cp -p "/boot/config-$(uname -r)" .config || $(exit 6); fi + sudo make -j 4 oldconfig || $(exit 7) + sudo make M="$(pwd)" modules_prepare || $(exit 8) + popd >/dev/null + ./autogen.sh || $(exit 9) + echo "running ./configure ... 
${{ matrix.config }}" + ./configure --with-linux-source=/lib/modules/$(uname -r)/build ${{ matrix.config }} || $(exit 10) + # try to remove profiling (-pg) because it leads to "_mcleanup: gmon.out: Permission denied" + make -j 4 KERNEL_EXTRA_CFLAGS_REMOVE=-pg FORCE_NO_MODULE_SIG=1 || $(exit 11) + ls -l linuxkm/libwolfssl.ko || $(exit 12) + echo "Successful linuxkm build." diff --git a/linuxkm/Makefile b/linuxkm/Makefile index 98198f35c..7fb380cea 100644 --- a/linuxkm/Makefile +++ b/linuxkm/Makefile @@ -98,6 +98,9 @@ else endif libwolfssl.ko.signed: libwolfssl.ko +ifdef FORCE_NO_MODULE_SIG + @echo 'Skipping module signature operation because FORCE_NO_MODULE_SIG.' +else @cd '$(KERNEL_ROOT)' || exit $$?; \ while read configline; do \ case "$$configline" in \ @@ -127,6 +130,7 @@ libwolfssl.ko.signed: libwolfssl.ko echo " Module $@ signed by $${CONFIG_MODULE_SIG_KEY}."; \ fi \ fi +endif .PHONY: install modules_install From b7b0ab6dbfaaf33647b2f48ee3a31a2262900f0d Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 23 Jul 2025 16:18:22 -0500 Subject: [PATCH 5/7] src/tls.c: fix double free just added to TLSX_KeyShare_GenPqcKeyClient(). --- src/tls.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/tls.c b/src/tls.c index e676e18f4..2f13d558b 100644 --- a/src/tls.c +++ b/src/tls.c @@ -8654,9 +8654,6 @@ static int TLSX_KeyShare_GenPqcKeyClient(WOLFSSL *ssl, KeyShareEntry* kse) XFREE(kse->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); kse->pubKey = NULL; #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ - #ifdef WOLFSSL_SMALL_STACK - XFREE(kem, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); - #endif if (privKey) { ForceZero(privKey, privSz); XFREE(privKey, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); From ca6a12769f24892457f27f88096e30deed126799 Mon Sep 17 00:00:00 2001 
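Review bot: The new workflow declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope although it only checks out and compiles code from pushes and pull requests. A top-level `permissions:` with `contents: read` keeps the token read-only, and `persist-credentials: false` on the checkout step keeps it out of the working tree while the `sudo make` and `./configure` steps run. `actions/checkout@v4` is a movable tag; pinning it to a full commit SHA fixes what the job executes.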
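Review bot: `ifdef FORCE_NO_MODULE_SIG` in linuxkm/Makefile is true for any non-empty value, including `FORCE_NO_MODULE_SIG=0` and a variable inherited from the environment, so the signing step can be skipped by a setting nobody intended. Because the signature is what a kernel enforcing module signatures checks, an explicit opt-in is safer: `ifeq "$(FORCE_NO_MODULE_SIG)" "1"`. The `libwolfssl.ko.signed` recipe continues outside the first hunk, and the `endif` added in the second hunk closes the conditional.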
From: Daniel Pouzzner Date: Wed, 23 Jul 2025 16:57:24 -0500 Subject: [PATCH 6/7] linuxkm/linuxkm_wc_port.h: additional fixes for version gates; .github/workflows/linuxkm.yml: add a second scenario with --enable-linuxkm-pie. --- .github/workflows/linuxkm.yml | 13 ++++++++++--- linuxkm/linuxkm_wc_port.h | 18 ++++++++++++------ linuxkm/module_hooks.c | 4 ++++ 3 files changed, 26 insertions(+), 9 deletions(-) diff --git a/.github/workflows/linuxkm.yml b/.github/workflows/linuxkm.yml index 8ea51b234..931e2d4c7 100644 --- a/.github/workflows/linuxkm.yml +++ b/.github/workflows/linuxkm.yml 
@@ -17,7 +17,8 @@ jobs: strategy: matrix: config: [ - 'EXTRA_CPPFLAGS=-Werror --enable-option-checking=fatal --enable-linuxkm --enable-linuxkm-lkcapi-register=all --enable-all --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-experimental --enable-dual-alg-certs --disable-qt --disable-quic --with-sys-crypto-policy=no --disable-opensslextra --disable-testcert --enable-intelasm --enable-sp-asm --enable-crypttests --enable-reproducible-build CFLAGS="-DWOLFSSL_LINUXKM_VERBOSE_DEBUG -Wframe-larger-than=2048 -Wstack-usage=4096" --with-max-rsa-bits=16384' + 'EXTRA_CPPFLAGS=-Werror --enable-option-checking=fatal --enable-linuxkm --enable-linuxkm-lkcapi-register=all --enable-all --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-experimental --enable-dual-alg-certs --disable-qt --disable-quic --with-sys-crypto-policy=no --disable-opensslextra --disable-testcert --enable-intelasm --enable-sp-asm --enable-crypttests CFLAGS="-DWOLFSSL_LINUXKM_VERBOSE_DEBUG -Wframe-larger-than=2048 -Wstack-usage=4096" --with-max-rsa-bits=16384', + 'EXTRA_CPPFLAGS=-Werror --enable-option-checking=fatal --enable-linuxkm --enable-linuxkm-pie --enable-reproducible-build --enable-linuxkm-lkcapi-register=all --enable-all-crypto --enable-cryptonly --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-experimental --disable-qt --disable-quic --with-sys-crypto-policy=no --disable-opensslextra --disable-testcert --enable-intelasm --enable-sp-asm --enable-crypttests CFLAGS="-DWOLFSSL_LINUXKM_VERBOSE_DEBUG -Wframe-larger-than=2048 -Wstack-usage=4096" --with-max-rsa-bits=16384' ] name: build module if: github.repository_owner == 'wolfssl' 
@@ -27,7 +28,7 @@ jobs: - uses: actions/checkout@v4 name: Checkout wolfSSL - - name: Build libwolfssl.ko, targeting GitHub ubuntu-latest, with --enable-all, PQC, and smallstack and stack depth warnings + - name: Prepare target kernel for module builds run: | echo "updating linux-headers" sudo apt-get update || $(exit 2) @@ -38,8 +39,14 @@ jobs: sudo make -j 4 oldconfig || $(exit 7) sudo make M="$(pwd)" modules_prepare || $(exit 8) popd >/dev/null + + - name: autogen.sh + run: | ./autogen.sh || $(exit 9) - echo "running ./configure ... ${{ matrix.config }}" + + - name: Build libwolfssl.ko, targeting GitHub ubuntu-latest, with --enable-all, PQC, and smallstack and stack depth warnings + run: | + echo "running ./configure --with-linux-source=/lib/modules/$(uname -r)/build ${{ matrix.config }}" ./configure --with-linux-source=/lib/modules/$(uname -r)/build ${{ matrix.config }} || $(exit 10) # try to remove profiling (-pg) because it leads to "_mcleanup: gmon.out: Permission denied" make -j 4 KERNEL_EXTRA_CFLAGS_REMOVE=-pg FORCE_NO_MODULE_SIG=1 || $(exit 11) diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h index 0caedae70..96e3be3a1 100644 --- a/linuxkm/linuxkm_wc_port.h +++ b/linuxkm/linuxkm_wc_port.h @@ -99,7 +99,7 @@ !defined(DONT_USE_KVMALLOC) && !defined(USE_KVMALLOC) #define USE_KVMALLOC #endif - #ifdef HAVE_KVREALLOC && \ + #if defined(HAVE_KVREALLOC) && \ !defined(DONT_USE_KVREALLOC) && !defined(USE_KVREALLOC) #define USE_KVREALLOC #endif 
@@ -690,13 +690,15 @@ const unsigned char *_ctype; -#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 12, 0) +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 11, 0) typeof(kmalloc_noprof) *kmalloc_noprof; typeof(krealloc_noprof) *krealloc_noprof; typeof(kzalloc_noprof) *kzalloc_noprof; typeof(__kvmalloc_node_noprof) *__kvmalloc_node_noprof; typeof(__kmalloc_cache_noprof) *__kmalloc_cache_noprof; - typeof(kvrealloc_noprof) *kvrealloc_noprof; + #ifdef HAVE_KVREALLOC + typeof(kvrealloc_noprof) *kvrealloc_noprof; + #endif #elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0) typeof(kmalloc_noprof) *kmalloc_noprof; typeof(krealloc_noprof) *krealloc_noprof; @@ -963,14 +965,16 @@ #define _ctype WC_LKM_INDIRECT_SYM(_ctype) -#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 12, 0) +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 11, 0) /* see include/linux/alloc_tag.h and include/linux/slab.h */ #define kmalloc_noprof WC_LKM_INDIRECT_SYM(kmalloc_noprof) #define krealloc_noprof WC_LKM_INDIRECT_SYM(krealloc_noprof) #define kzalloc_noprof WC_LKM_INDIRECT_SYM(kzalloc_noprof) #define __kvmalloc_node_noprof WC_LKM_INDIRECT_SYM(__kvmalloc_node_noprof) #define __kmalloc_cache_noprof WC_LKM_INDIRECT_SYM(__kmalloc_cache_noprof) - #define kvrealloc_noprof WC_LKM_INDIRECT_SYM(kvrealloc_noprof) + #ifdef HAVE_KVREALLOC + #define kvrealloc_noprof WC_LKM_INDIRECT_SYM(kvrealloc_noprof) + #endif #elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0) /* see include/linux/alloc_tag.h and include/linux/slab.h */ #define kmalloc_noprof WC_LKM_INDIRECT_SYM(kmalloc_noprof) 
@@ -978,7 +982,9 @@ #define kzalloc_noprof WC_LKM_INDIRECT_SYM(kzalloc_noprof) #define kvmalloc_node_noprof WC_LKM_INDIRECT_SYM(kvmalloc_node_noprof) #define kmalloc_trace_noprof WC_LKM_INDIRECT_SYM(kmalloc_trace_noprof) - #define kvrealloc_noprof WC_LKM_INDIRECT_SYM(kvrealloc_noprof) + #ifdef HAVE_KVREALLOC + #define kvrealloc_noprof WC_LKM_INDIRECT_SYM(kvrealloc_noprof) + #endif #else /* <6.10.0 */ #define kmalloc WC_LKM_INDIRECT_SYM(kmalloc) #define krealloc WC_LKM_INDIRECT_SYM(krealloc) diff --git a/linuxkm/module_hooks.c b/linuxkm/module_hooks.c index 389ff1f59..3d002e5d9 100644 --- a/linuxkm/module_hooks.c +++ b/linuxkm/module_hooks.c @@ -556,14 +556,18 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) { wolfssl_linuxkm_pie_redirect_table.kzalloc_noprof = kzalloc_noprof; wolfssl_linuxkm_pie_redirect_table.__kvmalloc_node_noprof = __kvmalloc_node_noprof; wolfssl_linuxkm_pie_redirect_table.__kmalloc_cache_noprof = __kmalloc_cache_noprof; +#ifdef HAVE_KVREALLOC wolfssl_linuxkm_pie_redirect_table.kvrealloc_noprof = kvrealloc_noprof; +#endif #elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0) wolfssl_linuxkm_pie_redirect_table.kmalloc_noprof = kmalloc_noprof; wolfssl_linuxkm_pie_redirect_table.krealloc_noprof = krealloc_noprof; wolfssl_linuxkm_pie_redirect_table.kzalloc_noprof = kzalloc_noprof; wolfssl_linuxkm_pie_redirect_table.kvmalloc_node_noprof = kvmalloc_node_noprof; wolfssl_linuxkm_pie_redirect_table.kmalloc_trace_noprof = kmalloc_trace_noprof; +#ifdef HAVE_KVREALLOC wolfssl_linuxkm_pie_redirect_table.kvrealloc_noprof = kvrealloc_noprof; +#endif #else wolfssl_linuxkm_pie_redirect_table.kmalloc = kmalloc; wolfssl_linuxkm_pie_redirect_table.krealloc = krealloc; From 5e57ec5c9390b5b4db71fba1f5212a23a9c2b3b8 Mon Sep 17 00:00:00 2001 
From: Daniel Pouzzner Date: Wed, 23 Jul 2025 17:30:14 -0500 Subject: [PATCH 7/7] linuxkm/Kbuild: if ENABLED_LINUXKM_PIE, disable KASAN and UBSAN, to avoid external references (__ubsan_handle_out_of_bounds() etc.). --- linuxkm/Kbuild | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/linuxkm/Kbuild b/linuxkm/Kbuild index ab0399131..93c332fe9 100644 --- a/linuxkm/Kbuild +++ b/linuxkm/Kbuild @@ -105,6 +105,10 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes" # "__stack_chk_fail" from the wolfCrypt container. PIE_FLAGS := -fPIE -fno-stack-protector -fno-toplevel-reorder PIE_SUPPORT_FLAGS := -DUSE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE + # the kernel sanitizers generate external references to + # __ubsan_handle_out_of_bounds(), __ubsan_handle_shift_out_of_bounds(), etc. + KASAN_SANITIZE := n + UBSAN_SANITIZE := n ifeq "$(KERNEL_ARCH_X86)" "yes" PIE_FLAGS += -mcmodel=small ifeq "$(CONFIG_MITIGATION_RETPOLINE)" "y"
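Review bot: `KASAN_SANITIZE := n` and `UBSAN_SANITIZE := n` are set without an object suffix, which in Kbuild turns the sanitizers off for every object built from this file, not only those compiled with `$(PIE_FLAGS)`. If the PIE container is a subset of the module (the object list is outside this hunk), glue code such as `linuxkm/module_hooks.o` loses KASAN/UBSAN coverage on sanitizer-enabled kernels with no linking benefit. Kbuild also accepts per-object forms, `KASAN_SANITIZE_<object>.o := n` and `UBSAN_SANITIZE_<object>.o := n`, which could be limited to the PIE objects. The added comment should name which objects need the exemption.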