Commit 2f13daee2a72 ("lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older") inadvertently disabled KASAN in curve25519-hacl64.o for GCC unconditionally because clang-min-version will always evaluate to nothing for GCC. Add a check for CONFIG_CC_IS_GCC to avoid the workaround, which is only needed for clang-17 and older.
Additionally, invert the 'ifeq (...,)' into 'ifneq (...,y)', as it is a little easier to read and understand the intention ("if not GCC or at least clang-18, disable KASAN").
Cc: stable@vger.kernel.org Fixes: 2f13daee2a72 ("lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older") Signed-off-by: Nathan Chancellor nathan@kernel.org --- lib/crypto/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index bded351aeace..372b7a12b371 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -90,7 +90,7 @@ else libcurve25519-$(CONFIG_CRYPTO_LIB_CURVE25519_GENERIC) += curve25519-fiat32.o endif # clang versions prior to 18 may blow out the stack with KASAN -ifeq ($(call clang-min-version, 180000),) +ifneq ($(CONFIG_CC_IS_GCC)$(call clang-min-version, 180000),y) KASAN_SANITIZE_curve25519-hacl64.o := n endif
--- base-commit: 6146a0f1dfae5d37442a9ddcba012add260bceb0 change-id: 20251102-curve25519-hacl64-fix-kasan-workaround-75fdb8c098fd
Best regards, -- Nathan Chancellor nathan@kernel.org
On Sun, Nov 02, 2025 at 09:35:03PM -0500, Nathan Chancellor wrote:
Commit 2f13daee2a72 ("lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older") inadvertently disabled KASAN in curve25519-hacl64.o for GCC unconditionally because clang-min-version will always evaluate to nothing for GCC. Add a check for CONFIG_CC_IS_GCC to avoid the workaround, which is only needed for clang-17 and older.
Additionally, invert the 'ifeq (...,)' into 'ifneq (...,y)', as it is a little easier to read and understand the intention ("if not GCC or at least clang-18, disable KASAN").
Cc: stable@vger.kernel.org Fixes: 2f13daee2a72 ("lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older") Signed-off-by: Nathan Chancellor nathan@kernel.org
lib/crypto/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index bded351aeace..372b7a12b371 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -90,7 +90,7 @@ else libcurve25519-$(CONFIG_CRYPTO_LIB_CURVE25519_GENERIC) += curve25519-fiat32.o endif # clang versions prior to 18 may blow out the stack with KASAN -ifeq ($(call clang-min-version, 180000),) +ifneq ($(CONFIG_CC_IS_GCC)$(call clang-min-version, 180000),y) KASAN_SANITIZE_curve25519-hacl64.o := n endif
Thanks for catching this!
Using CONFIG_CC_IS_GCC == "" to check for clang seems a bit odd when there's already a CONFIG_CC_IS_CLANG available.
How about we do it like this?
ifeq ($(CONFIG_CC_IS_CLANG)_$(call clang-min-version, 180000),y_)
- Eric
On Mon, Nov 03, 2025 at 09:00:36AM -0800, Eric Biggers wrote:
On Sun, Nov 02, 2025 at 09:35:03PM -0500, Nathan Chancellor wrote:
Commit 2f13daee2a72 ("lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older") inadvertently disabled KASAN in curve25519-hacl64.o for GCC unconditionally because clang-min-version will always evaluate to nothing for GCC. Add a check for CONFIG_CC_IS_GCC to avoid the workaround, which is only needed for clang-17 and older.
Additionally, invert the 'ifeq (...,)' into 'ifneq (...,y)', as it is a little easier to read and understand the intention ("if not GCC or at least clang-18, disable KASAN").
Cc: stable@vger.kernel.org Fixes: 2f13daee2a72 ("lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older") Signed-off-by: Nathan Chancellor nathan@kernel.org
lib/crypto/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index bded351aeace..372b7a12b371 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -90,7 +90,7 @@ else libcurve25519-$(CONFIG_CRYPTO_LIB_CURVE25519_GENERIC) += curve25519-fiat32.o endif # clang versions prior to 18 may blow out the stack with KASAN -ifeq ($(call clang-min-version, 180000),) +ifneq ($(CONFIG_CC_IS_GCC)$(call clang-min-version, 180000),y) KASAN_SANITIZE_curve25519-hacl64.o := n endif
Thanks for catching this!
Using CONFIG_CC_IS_GCC == "" to check for clang seems a bit odd when there's already a CONFIG_CC_IS_CLANG available.
How about we do it like this?
ifeq ($(CONFIG_CC_IS_CLANG)_$(call clang-min-version, 180000),y_)
Yeah, I am not really sure why I was being so cryptic with the original way it was written :) I think it made a little more sense when it was 'ifeq'. Technically we could do without the _ but would you prefer that I keep it? I can send a v2 with whatever you prefer and an updated commit message.
Cheers, Nathan
On Mon, Nov 03, 2025 at 11:48:46AM -0700, Nathan Chancellor wrote:
On Mon, Nov 03, 2025 at 09:00:36AM -0800, Eric Biggers wrote:
On Sun, Nov 02, 2025 at 09:35:03PM -0500, Nathan Chancellor wrote:
Commit 2f13daee2a72 ("lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older") inadvertently disabled KASAN in curve25519-hacl64.o for GCC unconditionally because clang-min-version will always evaluate to nothing for GCC. Add a check for CONFIG_CC_IS_GCC to avoid the workaround, which is only needed for clang-17 and older.
Additionally, invert the 'ifeq (...,)' into 'ifneq (...,y)', as it is a little easier to read and understand the intention ("if not GCC or at least clang-18, disable KASAN").
Cc: stable@vger.kernel.org Fixes: 2f13daee2a72 ("lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older") Signed-off-by: Nathan Chancellor nathan@kernel.org
lib/crypto/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index bded351aeace..372b7a12b371 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -90,7 +90,7 @@ else libcurve25519-$(CONFIG_CRYPTO_LIB_CURVE25519_GENERIC) += curve25519-fiat32.o endif # clang versions prior to 18 may blow out the stack with KASAN -ifeq ($(call clang-min-version, 180000),) +ifneq ($(CONFIG_CC_IS_GCC)$(call clang-min-version, 180000),y) KASAN_SANITIZE_curve25519-hacl64.o := n endif
Thanks for catching this!
Using CONFIG_CC_IS_GCC == "" to check for clang seems a bit odd when there's already a CONFIG_CC_IS_CLANG available.
How about we do it like this?
ifeq ($(CONFIG_CC_IS_CLANG)_$(call clang-min-version, 180000),y_)Yeah, I am not really sure why I was being so cryptic with the original way it was written :) I think it made a little more sense when it was 'ifeq'. Technically we could do without the _ but would you prefer that I keep it? I can send a v2 with whatever you prefer and an updated commit message.
While it shouldn't be possible to have a y just from the second part, I think I'd prefer still having the separator so that it's clear which part the y is coming from.
- Eric
linux-stable-mirror@lists.linaro.org
-
Eric Biggers -
Nathan Chancellor