[PATCH] arm64/scs: Fix handling of advance_loc4

[PATCH] arm64/scs: Fix handling of advance_loc4

[Pepper Gray]

DW_CFA_advance_loc4 is defined but no handler is implemented. Its
CFA opcode defaults to EDYNSCS_INVALID_CFA_OPCODE triggering an
error which wrongfully prevents modules from loading.

Signed-off-by: Pepper Gray <hello@peppergray.xyz>
---
 arch/arm64/kernel/pi/patch-scs.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/arm64/kernel/pi/patch-scs.c b/arch/arm64/kernel/pi/patch-scs.c
index bbe7d30ed12b32..dac568e4a54f23 100644
--- a/arch/arm64/kernel/pi/patch-scs.c
+++ b/arch/arm64/kernel/pi/patch-scs.c
@@ -192,6 +192,14 @@ static int scs_handle_fde_frame(const struct
eh_frame *frame,
  size -= 2;
  break;

+ case DW_CFA_advance_loc4:
+ loc += *opcode++ * code_alignment_factor;
+ loc += (*opcode++ << 8) * code_alignment_factor;
+ loc += (*opcode++ << 16) * code_alignment_factor;
+ loc += (*opcode++ << 24) * code_alignment_factor;
+ size -= 4;
+ break;
+
  case DW_CFA_def_cfa:
  case DW_CFA_offset_extended:
  size = skip_xleb128(&opcode, size);

Re: [PATCH] arm64/scs: Fix handling of advance_loc4

[Will Deacon]

[+Ard]

On Tue, Mar 10, 2026 at 03:15:56PM +0100, Pepper Gray wrote:
> DW_CFA_advance_loc4 is defined but no handler is implemented. Its
> CFA opcode defaults to EDYNSCS_INVALID_CFA_OPCODE triggering an
> error which wrongfully prevents modules from loading.

Can you provide some instructions for reproducing this, please? For
example, which toolchain you are using and which module are you building?

> Signed-off-by: Pepper Gray <hello@peppergray.xyz>
> ---
>  arch/arm64/kernel/pi/patch-scs.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/arch/arm64/kernel/pi/patch-scs.c b/arch/arm64/kernel/pi/patch-scs.c
> index bbe7d30ed12b32..dac568e4a54f23 100644
> --- a/arch/arm64/kernel/pi/patch-scs.c
> +++ b/arch/arm64/kernel/pi/patch-scs.c
> @@ -192,6 +192,14 @@ static int scs_handle_fde_frame(const struct
> eh_frame *frame,
>   size -= 2;
>   break;
> 
> + case DW_CFA_advance_loc4:
> + loc += *opcode++ * code_alignment_factor;
> + loc += (*opcode++ << 8) * code_alignment_factor;
> + loc += (*opcode++ << 16) * code_alignment_factor;
> + loc += (*opcode++ << 24) * code_alignment_factor;
> + size -= 4;
> + break;

This looks like it's whitespace-mangled to me.

Will

Re: [PATCH] arm64/scs: Fix handling of advance_loc4

[Ard Biesheuvel]

On Thu, 12 Mar 2026, at 14:59, Will Deacon wrote:
> [+Ard]
>
> On Tue, Mar 10, 2026 at 03:15:56PM +0100, Pepper Gray wrote:
>> DW_CFA_advance_loc4 is defined but no handler is implemented. Its
>> CFA opcode defaults to EDYNSCS_INVALID_CFA_OPCODE triggering an
>> error which wrongfully prevents modules from loading.
>
> Can you provide some instructions for reproducing this, please? For
> example, which toolchain you are using and which module are you building?
>
>> Signed-off-by: Pepper Gray <hello@peppergray.xyz>
>> ---
>>  arch/arm64/kernel/pi/patch-scs.c | 8 ++++++++
>>  1 file changed, 8 insertions(+)
>> 
>> diff --git a/arch/arm64/kernel/pi/patch-scs.c b/arch/arm64/kernel/pi/patch-scs.c
>> index bbe7d30ed12b32..dac568e4a54f23 100644
>> --- a/arch/arm64/kernel/pi/patch-scs.c
>> +++ b/arch/arm64/kernel/pi/patch-scs.c
>> @@ -192,6 +192,14 @@ static int scs_handle_fde_frame(const struct
>> eh_frame *frame,
>>   size -= 2;
>>   break;
>> 
>> + case DW_CFA_advance_loc4:
>> + loc += *opcode++ * code_alignment_factor;
>> + loc += (*opcode++ << 8) * code_alignment_factor;
>> + loc += (*opcode++ << 16) * code_alignment_factor;
>> + loc += (*opcode++ << 24) * code_alignment_factor;
>> + size -= 4;
>> + break;

The logic looks sound to me, although I'd also be interested in understanding under which circumstances these are emitted.

Re: [PATCH] arm64/scs: Fix handling of advance_loc4

[Will Deacon]

On Fri, Mar 13, 2026 at 08:13:01AM +0100, Pepper Gray wrote:
>    This is my system:
>    6.19.6-gentoo-dist-hardened
>    LLVM-22, aarch64-unknown-linux-musl, clang version 22.1.0+libcxx
>    Ampere Altra (ARM64, Neoverse N1)
>    Some patches are needed which I linked
>    here: [1]https://bugs.gentoo.org/971060
>    I'm working on a script to reproduce the error, will share it asap!

Thanks.

In the meantime, I've picked up your fix:

https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/commit/?h=for-next/fixes&id=d499e9627d70b1269020d59b95ed3e18bee6b8cd

Will

Re: [PATCH] arm64/scs: Fix handling of advance_loc4

[Ard Biesheuvel]

On Tue, 17 Mar 2026, at 03:36, Pepper Gray wrote:
> I have created a script that configures, builds and runs a rootfs to 
> reproduce the error:
> https://github.com/peppergrayxyz/arm64-scs
>
> I also attached the kernel, amdgpu module and build log as release.
>

Thanks, that is really helpful. I suppose amdgpu.ko ends up with some huge functions after inlining where the distance between instructions that are relevant in terms of unwind data is large enough to require the 32-bit advance opcode.

I should note, though, that the SCS patching logic is really only useful for distro kernels that might run on a wide range of hardware. In the case of Gentoo, I'd expect the shadow call stack to be either enabled or disabled unconditionally, depending on whether the user wants to rely on pointer authentication (PAC) or SCS (or neither). The dynamic behaviour was added mainly to avoid the overhead of running with PAC and SCS enabled at the same time.