xref: /linux/scripts/livepatch/klp-build (revision 8eebd573113362ef3a3c75f166a83ee060dae11b)
1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3#
4# Build a livepatch module
5
6# shellcheck disable=SC1090,SC2155,SC2164
7
8if (( BASH_VERSINFO[0]  < 4 || \
9     (BASH_VERSINFO[0] == 4 && BASH_VERSINFO[1] < 4) )); then
10		echo "error: this script requires bash 4.4+" >&2
11	exit 1
12fi
13
14set -o errtrace
15set -o pipefail
16set -o nounset
17
18# Allow doing 'cmd | mapfile -t array' instead of 'mapfile -t array < <(cmd)'.
19# This helps keep execution in pipes so pipefail+ERR trap can catch errors.
20shopt -s lastpipe
21
22unset DEBUG_CLONE DIFF_CHECKSUM SKIP_CLEANUP VERBOSE XTRACE
23
24REPLACE=1
25SHORT_CIRCUIT=0
26JOBS="$(getconf _NPROCESSORS_ONLN)"
27shopt -o xtrace | grep -q 'on' && XTRACE=1
28
29# Avoid removing the previous $TMP_DIR until args have been fully processed.
30KEEP_TMP=1
31
32SCRIPT="$(basename "$0")"
33SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
34FIX_PATCH_LINES="$SCRIPT_DIR/fix-patch-lines"
35
36OBJTOOL="$PWD/tools/objtool/objtool"
37CONFIG="$PWD/.config"
38TMP_DIR="$PWD/klp-tmp"
39
40ORIG_DIR="$TMP_DIR/orig"
41PATCHED_DIR="$TMP_DIR/patched"
42DIFF_DIR="$TMP_DIR/diff"
43KMOD_DIR="$TMP_DIR/kmod"
44
45STASH_DIR="$TMP_DIR/stash"
46TIMESTAMP="$TMP_DIR/timestamp"
47PATCH_TMP_DIR="$TMP_DIR/tmp"
48
49KLP_DIFF_LOG="$DIFF_DIR/diff.log"
50
51# Terminal output colors
52read -r COLOR_RESET COLOR_BOLD COLOR_ERROR COLOR_WARN <<< ""
53if [[ -t 1 && -t 2 ]]; then
54	COLOR_RESET="\033[0m"
55	COLOR_BOLD="\033[1m"
56	COLOR_ERROR="\033[0;31m"
57	COLOR_WARN="\033[0;33m"
58fi
59
60grep0() {
61	# shellcheck disable=SC2317
62	command grep "$@" || true
63}
64
65# Because pipefail is enabled, the grep0 helper should be used instead of
66# grep, otherwise a failed match can propagate to an error.
67grep() {
68	echo "error: $SCRIPT: use grep0 or 'command grep' instead of bare grep" >&2
69	exit 1
70}
71
72status() {
73	echo -e "${COLOR_BOLD}$*${COLOR_RESET}"
74}
75
76warn() {
77	echo -e "${COLOR_WARN}warning${COLOR_RESET}: $SCRIPT: $*" >&2
78}
79
80die() {
81	echo -e "${COLOR_ERROR}error${COLOR_RESET}: $SCRIPT: $*" >&2
82	exit 1
83}
84
85declare -a STASHED_FILES
86
87stash_file() {
88	local file="$1"
89	local rel_file="${file#"$PWD"/}"
90
91	[[ ! -e "$file" ]] && die "no file to stash: $file"
92
93	mkdir -p "$STASH_DIR/$(dirname "$rel_file")"
94	cp -f "$file" "$STASH_DIR/$rel_file"
95
96	STASHED_FILES+=("$rel_file")
97}
98
99restore_files() {
100	local file
101
102	for file in "${STASHED_FILES[@]}"; do
103		mv -f "$STASH_DIR/$file" "$PWD/$file" || warn "can't restore file: $file"
104	done
105
106	STASHED_FILES=()
107}
108
109cleanup() {
110	set +o nounset
111	revert_patches
112	restore_files
113	[[ "$KEEP_TMP" -eq 0 ]] && rm -rf "$TMP_DIR"
114	return 0
115}
116
117trap_err() {
118	die "line ${BASH_LINENO[0]}: '$BASH_COMMAND'"
119}
120
121trap cleanup  EXIT INT TERM HUP
122trap trap_err ERR
123
124__usage() {
125	cat <<EOF
126Usage: $SCRIPT [OPTIONS] PATCH_FILE(s)
127Generate a livepatch module.
128
129Options:
130   -f, --show-first-changed	Show address of first changed instruction
131   -j, --jobs=<jobs>		Build jobs to run simultaneously [default: $JOBS]
132   -o, --output=<file.ko>	Output file [default: livepatch-<patch-name>.ko]
133       --no-replace		Disable livepatch atomic replace
134   -v, --verbose		Pass V=1 to kernel/module builds
135
136Advanced Options:
137   -d, --debug			Show symbol/reloc cloning decisions
138   -S, --short-circuit=STEP	Start at build step (requires prior --keep-tmp)
139				   1|orig	Build original kernel (default)
140				   2|patched	Build patched kernel
141				   3|diff	Diff objects
142				   4|kmod	Build patch module
143   -T, --keep-tmp		Preserve tmp dir on exit
144
145EOF
146}
147
148usage() {
149	__usage >&2
150}
151
152process_args() {
153	local keep_tmp=0
154	local short
155	local long
156	local args
157	local patch
158
159	short="hfj:o:vdS:T"
160	long="help,show-first-changed,jobs:,output:,no-replace,verbose,debug,short-circuit:,keep-tmp"
161
162	args=$(getopt --options "$short" --longoptions "$long" -- "$@") || {
163		echo; usage; exit
164	}
165	eval set -- "$args"
166
167	while true; do
168		case "$1" in
169			-h | --help)
170				usage
171				exit 0
172				;;
173			-f | --show-first-changed)
174				DIFF_CHECKSUM=1
175				shift
176				;;
177			-j | --jobs)
178				JOBS="$2"
179				shift 2
180				;;
181			-o | --output)
182				[[ "$2" != *.ko ]] && die "output filename should end with .ko"
183				OUTFILE="$2"
184				NAME="$(basename "$OUTFILE")"
185				NAME="${NAME%.ko}"
186				NAME="$(module_name_string "$NAME")"
187				shift 2
188				;;
189			--no-replace)
190				REPLACE=0
191				shift
192				;;
193			-v | --verbose)
194				VERBOSE=1
195				shift
196				;;
197			-d | --debug)
198				DEBUG_CLONE=1
199				keep_tmp=1
200				shift
201				;;
202			-S | --short-circuit)
203				[[ ! -d "$TMP_DIR" ]] && die "--short-circuit requires preserved klp-tmp dir"
204				keep_tmp=1
205				case "$2" in
206					1 | orig)	SHORT_CIRCUIT=1; ;;
207					2 | patched)	SHORT_CIRCUIT=2; ;;
208					3 | diff)	SHORT_CIRCUIT=3; ;;
209					4 | mod)	SHORT_CIRCUIT=4; ;;
210					*)		die "invalid short-circuit step '$2'" ;;
211				esac
212				shift 2
213				;;
214			-T | --keep-tmp)
215				keep_tmp=1
216				shift
217				;;
218			--)
219				shift
220				break
221				;;
222			*)
223				usage
224				exit 1
225				;;
226		esac
227	done
228
229	if [[ $# -eq 0 ]] && (( SHORT_CIRCUIT <= 2 )); then
230		usage
231		exit 1
232	fi
233
234	KEEP_TMP="$keep_tmp"
235	PATCHES=("$@")
236
237	for patch in "${PATCHES[@]}"; do
238		[[ -f "$patch" ]] || die "$patch doesn't exist"
239	done
240}
241
242# temporarily disable xtrace for especially verbose code
243xtrace_save() {
244	[[ -v XTRACE ]] && set +x
245	return 0
246}
247
248xtrace_restore() {
249	[[ -v XTRACE ]] && set -x
250	return 0
251}
252
253validate_config() {
254	xtrace_save "reading .config"
255	source "$CONFIG" || die "no .config file in $(dirname "$CONFIG")"
256	xtrace_restore
257
258	[[ -v CONFIG_LIVEPATCH ]] ||			\
259		die "CONFIG_LIVEPATCH not enabled"
260
261	[[ -v CONFIG_KLP_BUILD ]] ||			\
262		die "CONFIG_KLP_BUILD not enabled"
263
264	[[ -v CONFIG_GCC_PLUGIN_LATENT_ENTROPY ]] &&	\
265		die "kernel option 'CONFIG_GCC_PLUGIN_LATENT_ENTROPY' not supported"
266
267	[[ -v CONFIG_GCC_PLUGIN_RANDSTRUCT ]] &&	\
268		die "kernel option 'CONFIG_GCC_PLUGIN_RANDSTRUCT' not supported"
269
270	[[ -v CONFIG_AS_IS_LLVM ]] &&				\
271		[[ "$CONFIG_AS_VERSION" -lt 200000 ]] &&	\
272		die "Clang assembler version < 20 not supported"
273
274	return 0
275}
276
277# Only allow alphanumerics and '_' and '-' in the module name.  Everything else
278# is replaced with '-'.  Also truncate to 55 chars so the full name + NUL
279# terminator fits in the kernel's 56-byte module name array.
280module_name_string() {
281	echo "${1//[^a-zA-Z0-9_-]/-}" | cut -c 1-55
282}
283
284# If the module name wasn't specified on the cmdline with --output, give it a
285# name based on the patch name.
286set_module_name() {
287	[[ -v NAME ]] && return 0
288
289	if [[ "${#PATCHES[@]}" -eq 1 ]]; then
290		NAME="$(basename "${PATCHES[0]}")"
291		NAME="${NAME%.*}"
292	else
293		NAME="patch"
294	fi
295
296	NAME="livepatch-$NAME"
297	NAME="$(module_name_string "$NAME")"
298
299	OUTFILE="$NAME.ko"
300}
301
302# Hardcode the value printed by the localversion script to prevent patch
303# application from appending it with '+' due to a dirty working tree.
304set_kernelversion() {
305	local file="$PWD/scripts/setlocalversion"
306	local kernelrelease
307
308	stash_file "$file"
309
310	if [[ -n "$(make -s listnewconfig 2>/dev/null)" ]]; then
311		die ".config mismatch, check your .config or run 'make olddefconfig'"
312	fi
313	make syncconfig &>/dev/null || die "make syncconfig failed"
314
315	kernelrelease="$(make -s kernelrelease)"
316	[[ -z "$kernelrelease" ]] && die "failed to get kernel version"
317
318	sed -i "2i echo $kernelrelease; exit 0" scripts/setlocalversion
319}
320
321get_patch_input_files() {
322	local patch="$1"
323
324	grep0 -E '^--- ' "$patch"				\
325		| grep0 -v -e '/dev/null' -e '1969-12-31' -e '1970-01-01' \
326		| gawk '{print $2}'				\
327		| sed 's|^[^/]*/||'				\
328		| sort -u
329}
330
331get_patch_output_files() {
332	local patch="$1"
333
334	grep0 -E '^\+\+\+ ' "$patch"				\
335		| grep0 -v -e '/dev/null' -e '1969-12-31' -e '1970-01-01' \
336		| gawk '{print $2}'				\
337		| sed 's|^[^/]*/||'				\
338		| sort -u
339}
340
341get_patch_files() {
342	local patch="$1"
343
344	{ get_patch_input_files "$patch"; get_patch_output_files "$patch"; } \
345		| sort -u
346}
347
348check_unsupported_patches() {
349	local patch
350
351	for patch in "${PATCHES[@]}"; do
352		local files=()
353
354		get_patch_files "$patch" | mapfile -t files
355
356		for file in "${files[@]}"; do
357			case "$file" in
358				lib/*|*/vdso/*|*/realmode/rm/*|*.S)
359					die "${patch}: unsupported patch to $file"
360					;;
361			esac
362		done
363	done
364}
365
366apply_patch() {
367	local patch="$1"
368	shift
369	local extra_args=("$@")
370	local drift_regex="with fuzz|offset [0-9]+ line"
371	local output
372	local status
373
374	[[ ! -f "$patch" ]] && die "$patch doesn't exist"
375	status=0
376	output=$(patch -p1 --dry-run --no-backup-if-mismatch -r /dev/null "${extra_args[@]}" < "$patch" 2>&1) || status=$?
377	if [[ "$status" -ne 0 ]]; then
378		echo "$output" >&2
379		die "$patch did not apply"
380	elif [[ "$output" =~ $drift_regex ]]; then
381		[[ -v VERBOSE ]] && echo "$output" >&2
382		warn "${patch} applied with fuzz"
383	fi
384
385	APPLIED_PATCHES+=("$patch")
386	patch -p1 --no-backup-if-mismatch -r /dev/null "${extra_args[@]}" --silent < "$patch"
387}
388
389revert_patch() {
390	local patch="$1"
391	local tmp=()
392
393	patch -p1 -R --force --no-backup-if-mismatch -r /dev/null &> /dev/null < "$patch" || true
394
395	for p in "${APPLIED_PATCHES[@]}"; do
396		[[ "$p" == "$patch" ]] && continue
397		tmp+=("$p")
398	done
399
400	APPLIED_PATCHES=("${tmp[@]}")
401}
402
403apply_patches() {
404	local extra_args=("$@")
405	local patch
406
407	for patch in "${PATCHES[@]}"; do
408		apply_patch "$patch" "${extra_args[@]}"
409	done
410}
411
412revert_patches() {
413	local patches=("${APPLIED_PATCHES[@]}")
414
415	for (( i=${#patches[@]}-1 ; i>=0 ; i-- )) ; do
416		revert_patch "${patches[$i]}"
417	done
418
419	APPLIED_PATCHES=()
420}
421
422validate_patches() {
423	check_unsupported_patches
424	apply_patches
425	revert_patches
426}
427
428do_init() {
429	# We're not yet smart enough to handle anything other than in-tree
430	# builds in pwd.
431	[[ ! "$PWD" -ef "$SCRIPT_DIR/../.." ]] && die "please run from the kernel root directory"
432
433	(( SHORT_CIRCUIT <= 1 )) && rm -rf "$TMP_DIR"
434	mkdir -p "$TMP_DIR"
435
436	APPLIED_PATCHES=()
437
438	[[ -x "$FIX_PATCH_LINES" ]] || die "can't find fix-patch-lines"
439	command -v recountdiff &>/dev/null || die "recountdiff not found (install patchutils)"
440
441	validate_config
442	set_module_name
443	set_kernelversion
444}
445
446# Refresh the patch hunk headers, specifically the line numbers and counts.
447refresh_patch() {
448	local patch="$1"
449	local tmpdir="$PATCH_TMP_DIR"
450	local input_files=()
451	local output_files=()
452
453	rm -rf "$tmpdir"
454	mkdir -p "$tmpdir/a"
455	mkdir -p "$tmpdir/b"
456
457	# Get all source files affected by the patch
458	get_patch_input_files "$patch" | mapfile -t input_files
459	get_patch_output_files "$patch" | mapfile -t output_files
460
461	# Copy orig source files to 'a'
462	echo "${input_files[@]}" | xargs cp --parents --target-directory="$tmpdir/a"
463
464	# Copy patched source files to 'b'
465	apply_patch "$patch" "--silent"
466	echo "${output_files[@]}" | xargs cp --parents --target-directory="$tmpdir/b"
467	revert_patch "$patch"
468
469	# Diff 'a' and 'b' to make a clean patch
470	( cd "$tmpdir" && diff -Nupr a b > "$patch" ) || true
471}
472
473# Copy the patches to a temporary directory, fix their lines so as not to
474# affect the __LINE__ macro for otherwise unchanged functions further down the
475# file, and update $PATCHES to point to the fixed patches.
476fix_patches() {
477	local idx
478	local i
479
480	rm -f "$TMP_DIR"/*.patch
481
482	idx=0001
483	for i in "${!PATCHES[@]}"; do
484		local old_patch="${PATCHES[$i]}"
485		local tmp_patch="$TMP_DIR/tmp.patch"
486		local patch="${PATCHES[$i]}"
487		local new_patch
488
489		new_patch="$TMP_DIR/$idx-fixed-$(basename "$patch")"
490
491		cp -f "$old_patch" "$tmp_patch"
492		refresh_patch "$tmp_patch"
493		"$FIX_PATCH_LINES" "$tmp_patch" | recountdiff > "$new_patch"
494
495		PATCHES[i]="$new_patch"
496
497		rm -f "$tmp_patch"
498		idx=$(printf "%04d" $(( 10#$idx + 1 )))
499	done
500}
501
502clean_kernel() {
503	local cmd=()
504
505	cmd=("make")
506	cmd+=("--silent")
507	cmd+=("-j$JOBS")
508	cmd+=("clean")
509
510	"${cmd[@]}"
511}
512
513build_kernel() {
514	local build="$1"
515	local log="$TMP_DIR/build.log"
516	local objtool_args=()
517	local cmd=()
518
519	objtool_args=("--checksum")
520
521	cmd=("make")
522
523	# When a patch to a kernel module references a newly created unexported
524	# symbol which lives in vmlinux or another kernel module, the patched
525	# kernel build fails with the following error:
526	#
527	#   ERROR: modpost: "klp_string" [fs/xfs/xfs.ko] undefined!
528	#
529	# The undefined symbols are working as designed in that case.  They get
530	# resolved later when the livepatch module build link pulls all the
531	# disparate objects together into the same kernel module.
532	#
533	# It would be good to have a way to tell modpost to skip checking for
534	# undefined symbols altogether.  For now, just convert the error to a
535	# warning with KBUILD_MODPOST_WARN, and grep out the warning to avoid
536	# confusing the user.
537	#
538	cmd+=("KBUILD_MODPOST_WARN=1")
539
540	if [[ -v VERBOSE ]]; then
541		cmd+=("V=1")
542	else
543		cmd+=("-s")
544	fi
545	cmd+=("-j$JOBS")
546	cmd+=("KCFLAGS=-ffunction-sections -fdata-sections")
547	cmd+=("OBJTOOL_ARGS=${objtool_args[*]}")
548	cmd+=("vmlinux")
549	cmd+=("modules")
550
551	"${cmd[@]}"							\
552		1> >(tee -a "$log")					\
553		2> >(tee -a "$log" | grep0 -v "modpost.*undefined!" >&2) \
554		|| die "$build kernel build failed"
555}
556
557find_objects() {
558	local opts=("$@")
559
560	# Find root-level vmlinux.o and non-root-level .ko files,
561	# excluding klp-tmp/ and .git/
562	find "$PWD" \( -path "$TMP_DIR" -o -path "$PWD/.git" -o -regex "$PWD/[^/][^/]*\.ko" \) -prune -o \
563		    -type f "${opts[@]}"				\
564		    \( -name "*.ko" -o -path "$PWD/vmlinux.o" \)	\
565		    -printf '%P\n'
566}
567
568# Copy all .o archives to $ORIG_DIR
569copy_orig_objects() {
570	local files=()
571
572	rm -rf "$ORIG_DIR"
573	mkdir -p "$ORIG_DIR"
574
575	find_objects | mapfile -t files
576
577	xtrace_save "copying orig objects"
578	for _file in "${files[@]}"; do
579		local rel_file="${_file/.ko/.o}"
580		local file="$PWD/$rel_file"
581		local orig_file="$ORIG_DIR/$rel_file"
582		local orig_dir="$(dirname "$orig_file")"
583
584		[[ ! -f "$file" ]] && die "missing $(basename "$file") for $_file"
585
586		mkdir -p "$orig_dir"
587		cp -f "$file" "$orig_dir"
588	done
589	xtrace_restore
590
591	mv -f "$TMP_DIR/build.log" "$ORIG_DIR"
592	touch "$TIMESTAMP"
593}
594
595# Copy all changed objects to $PATCHED_DIR
596copy_patched_objects() {
597	local files=()
598	local opts=()
599	local found=0
600
601	rm -rf "$PATCHED_DIR"
602	mkdir -p "$PATCHED_DIR"
603
604	# Note this doesn't work with some configs, thus the 'cmp' below.
605	opts=("-newer")
606	opts+=("$TIMESTAMP")
607
608	find_objects "${opts[@]}" | mapfile -t files
609
610	xtrace_save "copying changed objects"
611	for _file in "${files[@]}"; do
612		local rel_file="${_file/.ko/.o}"
613		local file="$PWD/$rel_file"
614		local orig_file="$ORIG_DIR/$rel_file"
615		local patched_file="$PATCHED_DIR/$rel_file"
616		local patched_dir="$(dirname "$patched_file")"
617
618		[[ ! -f "$file" ]] && die "missing $(basename "$file") for $_file"
619
620		cmp -s "$orig_file" "$file" && continue
621
622		mkdir -p "$patched_dir"
623		cp -f "$file" "$patched_dir"
624		found=1
625	done
626	xtrace_restore
627
628	(( found == 0 )) && die "no changes detected"
629
630	mv -f "$TMP_DIR/build.log" "$PATCHED_DIR"
631}
632
633# Diff changed objects, writing output object to $DIFF_DIR
634diff_objects() {
635	local log="$KLP_DIFF_LOG"
636	local files=()
637	local opts=()
638
639	rm -rf "$DIFF_DIR"
640	mkdir -p "$DIFF_DIR"
641
642	find "$PATCHED_DIR" -type f -name "*.o" | mapfile -t files
643	[[ ${#files[@]} -eq 0 ]] && die "no changes detected"
644
645	[[ -v DEBUG_CLONE ]] && opts=("--debug")
646
647	# Diff all changed objects
648	for file in "${files[@]}"; do
649		local rel_file="${file#"$PATCHED_DIR"/}"
650		local orig_file="$rel_file"
651		local patched_file="$PATCHED_DIR/$rel_file"
652		local out_file="$DIFF_DIR/$rel_file"
653		local filter=()
654		local cmd=()
655
656		mkdir -p "$(dirname "$out_file")"
657
658		cmd=("$OBJTOOL")
659		cmd+=("klp")
660		cmd+=("diff")
661		(( ${#opts[@]} > 0 )) && cmd+=("${opts[@]}")
662		cmd+=("$orig_file")
663		cmd+=("$patched_file")
664		cmd+=("$out_file")
665
666		if [[ -v DIFF_CHECKSUM ]]; then
667			filter=("grep0")
668			filter+=("-Ev")
669			filter+=("DEBUG: .*checksum: ")
670		else
671			filter=("cat")
672		fi
673
674		(
675			cd "$ORIG_DIR"
676			[[ -v VERBOSE ]] && echo "cd $ORIG_DIR && ${cmd[*]}"
677			"${cmd[@]}"							\
678				1> >(tee -a "$log")					\
679				2> >(tee -a "$log" | "${filter[@]}" >&2) ||		\
680				die "objtool klp diff failed"
681		)
682	done
683}
684
685# For each changed object, run objtool with --debug-checksum to get the
686# per-instruction checksums, and then diff those to find the first changed
687# instruction for each function.
688diff_checksums() {
689	local orig_log="$ORIG_DIR/checksum.log"
690	local patched_log="$PATCHED_DIR/checksum.log"
691	local -A funcs
692	local cmd=()
693	local line
694	local file
695	local func
696
697	gawk '/\.o: changed function: / {
698		sub(/:$/, "", $1)
699		print $1, $NF
700	}' "$KLP_DIFF_LOG" | mapfile -t lines
701
702	for line in "${lines[@]}"; do
703		read -r file func <<< "$line"
704		if [[ ! -v funcs["$file"] ]]; then
705			funcs["$file"]="$func"
706		else
707			funcs["$file"]+=" $func"
708		fi
709	done
710
711	cmd=("$OBJTOOL")
712	cmd+=("--checksum")
713	cmd+=("--link")
714	cmd+=("--dry-run")
715
716	for file in "${!funcs[@]}"; do
717		local opt="--debug-checksum=${funcs[$file]// /,}"
718
719		(
720			cd "$ORIG_DIR"
721			"${cmd[@]}" "$opt" "$file" &> "$orig_log" || \
722				( cat "$orig_log" >&2; die "objtool --debug-checksum failed" )
723
724			cd "$PATCHED_DIR"
725			"${cmd[@]}" "$opt" "$file" &> "$patched_log" ||	\
726				( cat "$patched_log" >&2; die "objtool --debug-checksum failed" )
727		)
728
729		for func in ${funcs[$file]}; do
730			local -a orig patched
731			paste <(grep0 -E "^DEBUG: .*checksum: $func " "$orig_log") \
732			      <(grep0 -E "^DEBUG: .*checksum: $func " "$patched_log") |
733			while IFS= read -r line; do
734				read -ra orig <<< "${line%%$'\t'*}"
735				read -ra patched <<< "${line#*$'\t'}"
736
737				if [[ ${#patched[@]} -eq 0 ]]; then
738					printf "%s: %s: %s (removed)\n" "${orig[1]%:}" "${orig[3]}" "${orig[-2]}"
739					break
740				elif [[ ${#orig[@]} -eq 0 ]]; then
741					printf "%s: %s: %s (added)\n" "${patched[1]%:}" "${patched[3]}" "${patched[-2]}"
742					break
743				fi
744
745				[[ "${orig[-1]}" == "${patched[-1]}" ]] && continue
746
747				printf "%s: %s: %s" "${orig[1]%:}" "${orig[3]}" "${orig[-2]}"
748				[[ "${orig[-2]}" != "${patched[-2]}" ]] && \
749					printf " (patched: %s)" "${patched[-2]}"
750				printf "\n"
751				break
752			done || true
753		done
754	done
755}
756
757# Build and post-process livepatch module in $KMOD_DIR
758build_patch_module() {
759	local makefile="$KMOD_DIR/Kbuild"
760	local log="$KMOD_DIR/build.log"
761	local kmod_file
762	local cflags=()
763	local files=()
764	local cmd=()
765
766	rm -rf "$KMOD_DIR"
767	mkdir -p "$KMOD_DIR"
768
769	cp -f "$SCRIPT_DIR/init.c" "$KMOD_DIR"
770
771	echo "obj-m := $NAME.o" > "$makefile"
772	echo -n "$NAME-y := init.o" >> "$makefile"
773
774	find "$DIFF_DIR" -type f -name "*.o" | mapfile -t files
775	[[ ${#files[@]} -eq 0 ]] && die "no changes detected"
776
777	for file in "${files[@]}"; do
778		local rel_file="${file#"$DIFF_DIR"/}"
779		local orig_file="$ORIG_DIR/$rel_file"
780		local orig_dir="$(dirname "$orig_file")"
781		local kmod_file="$KMOD_DIR/$rel_file"
782		local kmod_dir="$(dirname "$kmod_file")"
783		local cmd_file="$kmod_dir/.$(basename "$file").cmd"
784
785		mkdir -p "$kmod_dir"
786		cp -f "$file" "$kmod_dir"
787
788		# Tell kbuild this is a prebuilt object
789		cp -f "$file" "${kmod_file}_shipped"
790
791		# Make modpost happy
792		touch "$cmd_file"
793
794		echo -n " $rel_file" >> "$makefile"
795	done
796
797	echo >> "$makefile"
798
799	cflags=("-ffunction-sections")
800	cflags+=("-fdata-sections")
801	[[ $REPLACE -eq 0 ]] && cflags+=("-DKLP_NO_REPLACE")
802
803	cmd=("make")
804	if [[ -v VERBOSE ]]; then
805		cmd+=("V=1")
806	else
807		cmd+=("-s")
808	fi
809	cmd+=("-j$JOBS")
810	cmd+=("--directory=.")
811	cmd+=("M=$KMOD_DIR")
812	cmd+=("KCFLAGS=${cflags[*]}")
813
814	# Build a "normal" kernel module with init.c and the diffed objects
815	"${cmd[@]}"							\
816		1> >(tee -a "$log")					\
817		2> >(tee -a "$log" >&2)
818
819	kmod_file="$KMOD_DIR/$NAME.ko"
820
821	# Save off the intermediate binary for debugging
822	cp -f "$kmod_file" "$kmod_file.orig"
823
824	# Work around issue where slight .config change makes corrupt BTF
825	objcopy --remove-section=.BTF "$kmod_file"
826
827	# Fix (and work around) linker wreckage for klp syms / relocs
828	"$OBJTOOL" klp post-link "$kmod_file" || die "objtool klp post-link failed"
829
830	cp -f "$kmod_file" "$OUTFILE"
831}
832
833
834################################################################################
835
836process_args "$@"
837do_init
838
839if (( SHORT_CIRCUIT <= 2 )); then
840	status "Validating patch(es)"
841	validate_patches
842fi
843
844if (( SHORT_CIRCUIT <= 1 )); then
845	status "Building original kernel"
846	clean_kernel
847	build_kernel "original"
848	status "Copying original object files"
849	copy_orig_objects
850fi
851
852if (( SHORT_CIRCUIT <= 2 )); then
853	status "Fixing patch(es)"
854	fix_patches
855	apply_patches "--silent"
856	status "Building patched kernel"
857	build_kernel "patched"
858	revert_patches
859	status "Copying patched object files"
860	copy_patched_objects
861fi
862
863if (( SHORT_CIRCUIT <= 3 )); then
864	status "Diffing objects"
865	diff_objects
866	if [[ -v DIFF_CHECKSUM ]]; then
867		status "Finding first changed instructions"
868		diff_checksums
869	fi
870fi
871
872if (( SHORT_CIRCUIT <= 4 )); then
873	status "Building patch module: $OUTFILE"
874	build_patch_module
875fi
876
877status "SUCCESS"
878