Re: [PATCH] crypto: ecc - Unbreak the build on arm with CONFIG_KASAN_STACK=y

[Lukas Wunner]

On Tue, May 05, 2026 at 04:40:25PM +0800, Herbert Xu wrote:
> On Wed, Apr 08, 2026 at 08:15:49AM +0200, Lukas Wunner wrote:
> > Andrew reports the following build breakage of arm allmodconfig,
> > reproducible with gcc 14.2.0 and 15.2.0:
> > 
> >   crypto/ecc.c: In function 'ecc_point_mult':
> >   crypto/ecc.c:1380:1: error: the frame size of 1360 bytes is larger than 1280 bytes [-Werror=frame-larger-than=]
> > 
> > gcc excessively inlines functions called by ecc_point_mult() (without
> > there being any explicit inline declarations) and doesn't seem smart
> > enough to stay below CONFIG_FRAME_WARN.
> > 
> > clang does not exhibit the issue.
> > 
> > The issue only occurs with CONFIG_KASAN_STACK=y because it enlarges the
> > frame size.  This has been a controversial topic a couple of times:
> > 
> > https://lore.kernel.org/r/CAK8P3a3_Tdc-XVPXrJ69j3S9048uzmVJGrNcvi0T6yr6OrHkPw@xxxxxxxxxxxxxx/
> > 
> > Prevent gcc from going overboard with inlining to unbreak the build.
> > The maximum inline limit to avoid the error is 101.  Use 100 to get a
> > nice round number per Andrew's preference.
> > 
> > Reported-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> # off-list
> > Signed-off-by: Lukas Wunner <lukas@xxxxxxxxx>
> > ---
> >  crypto/Makefile | 5 +++++
> >  1 file changed, 5 insertions(+)
> 
> Patch applied.  Thanks.

My apologies Herbert, I was working on a v2 for this patch
but unfortunately didn't finish it until today:

https://lore.kernel.org/r/7e3d64a53efb28740b32d1f934e78c10086208ab.1778073318.git.lukas@xxxxxxxxx/

Would it be possible for you to replace the patch you've already applied
with the new one?  I am very sorry for the hassle.

Since submitting v1, I've opened a gcc bug to get feedback from gcc
maintainers.  They're acknowledging a missing optimization here but
believe that a warning switch such as -Werror=frame-larger-than=1280
should never affect code generation, even if it is promoted to an
error.  Basically if the user is asking to be warned but gcc inlines
beyond the limit, the user gets to keep the pieces:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=124949

I took a closer look at the ECC point multiplication algorithm used,
it's relatively memory intensive because it uses co-Z addition as a
speedup:

https://eprint.iacr.org/2011/338.pdf

The algorithm is susceptible to timing attacks.  Newer constant time
Montgomery ladder algorithms are not, use less memory (thus likely
avoiding the high stack usage warning) but are not as fast.  I think
that's the proper longterm solution for this problem:

https://eprint.iacr.org/2020/956.pdf

In v2, I've amended the commit message with all that extra information
and I've also taken Nathan's review comments into account.

Thanks,

Lukas