KPM load failure on Pixel Android 16 kernel 6.6.102: unknown symbol hotpatch_nosync

[Lycidias93]

Title: KPM load failure on Pixel Android 16 kernel 6.6.102: unknown symbol hotpatch_nosync

KPM load failure on Pixel / Android 16 / kernel 6.6.102: unknown symbol: hotpatch_nosync

Summary

I am testing KPatch-Next on a Pixel device running Android 16 with kernel 6.6.102.

KPatch-Next itself boots and reports as active, but newer selinux_hook KPM builds fail to load because the symbol hotpatch_nosync is missing.

Older KPM builds that do not reference hotpatch_nosync can load successfully, so this looks like a KPM/KPatch API compatibility issue rather than a general KPatch boot failure.

Environment

• Device: Google Pixel / codename mustang
• Android: 16
• Build fingerprint: google/mustang/mustang:16/CP1A.260505.005/15081906:user/release-keys
• Kernel: Linux version 6.6.102-android15-8-g6eb5b2a8c46b-ab14739656-4k
• Active slot: _a
• Boot device: /dev/block/sda11
• KPatch-Next app/kernel patch status:
  • KPatch-Next: active
  • kpimg: 0.13.5
  • SELinux: Enforcing
  • Magisk built-in Zygisk disabled
  • ReZygisk active

KPatch-Next status

After boot, KPatch-Next reports:

Status: active 😊 | kpmodule: 0 💉 | rehook: enabled 🪝

KPM page shows:

No module found

What I tested

I tested several versions of selinux_hook KPMs.

Symbol scan result:

selinux_hook_1.0.4.kpm  requires_hotpatch_nosync=no
selinux_hook_1.0.5.kpm  requires_hotpatch_nosync=no
selinux_hook_1.0.6.kpm  requires_hotpatch_nosync=no
selinux_hook_1.0.8.kpm  requires_hotpatch_nosync=yes
selinux_hook_1.0.9.kpm  requires_hotpatch_nosync=yes
selinux_hook_1.1.0.kpm  requires_hotpatch_nosync=yes

Failure with selinux_hook_1.1.0.kpm

Dynamic load attempt:

[ 1751.593544] [+] KP D load_module_path: /data/adb/modules/KPatch-Next/tmp/selinux_hook_1.1.0.kpm
[ 1751.593562] [+] KP D load_module_path: module size: 10070
[ 1751.593617] [+] KP D loading module:
[ 1751.593618] [+] KP D     name: selinux_magisk_access_filter
[ 1751.593619] [+] KP D     version: 1.1.0
[ 1751.593620] [+] KP D     license: All rights reserved.
[ 1751.593621] [+] KP D     author: Admire
[ 1751.593621] [+] KP D     description: Audit and reject Magisk /sys/fs/selinux/access probes
[ 1751.593641] [+] KP D final section addresses:
[ 1751.593642] [+] KP D     .text fffffffac5400008 5714
[ 1751.593643] [+] KP D     .rodata.str1.8 fffffffac5406008 2792
[ 1751.593645] [+] KP D     .kpm.info fffffffac540879a 9d
[ 1751.593646] [+] KP D     .data fffffffac5409008 0
[ 1751.593647] [+] KP D     .kpm.ctl0 fffffffac5409008 8
[ 1751.593647] [+] KP D     .kpm.exit fffffffac5409010 8
[ 1751.593648] [+] KP D     .kpm.init fffffffac5409018 8
[ 1751.593649] [+] KP D     .bss fffffffac5409028 2558
[ 1751.593652] [+] KP D     .symtab fffffffac540c008 fa8
[ 1751.593653] [+] KP D     .strtab fffffffac540da87 d55
[ 1751.593657] [-] KP E unknown symbol: hotpatch_nosync

Result:

KPM load failed
kpmodule: 0

Successful load with older selinux_hook_1.0.6.kpm

Dynamic load of selinux_hook_1.0.6.kpm works:

[ 1994.167809] [+] KP D load_module_path: /data/adb/modules/KPatch-Next/tmp/selinux_hook_1.0.6 (2).kpm
[ 1994.167841] [+] KP D load_module_path: module size: 6b40
[ 1994.167897] [+] KP D loading module:
[ 1994.167899] [+] KP D     name: selinux_magisk_access_filter
[ 1994.167902] [+] KP D     version: 1.0.6
[ 1994.167904] [+] KP D     license: BSL
[ 1994.167905] [+] KP D     author: Admire
[ 1994.167908] [+] KP D     description: Audit and reject Magisk /sys/fs/selinux/access probes
[ 1994.190120] [+] KP I load_module: [selinux_magisk_access_filter] succeed with [(null)]
[ 1994.274848] [+] KP D get_module_nums: 1
[ 1994.433391] [+] KP D get_module_info: name=selinux_magisk_access_filter

Result:

KPM load succeeded
kpmodule: 1

The module then produces runtime logs such as:

[selinux_hook] AUDIT /proc/self/attr/current #8 hook=security_setprocattr ... action=block forced_ret=-22 query="u:r:adbroot:s0"
[selinux_hook] AUDIT /proc/self/attr/current #9 hook=security_setprocattr ... action=block forced_ret=-22 query="u:r:ksu:s0"
[selinux_hook] AUDIT /proc/self/attr/current #10 hook=security_setprocattr ... action=block forced_ret=-22 query="u:object_r:ksu_file:s0"
[selinux_hook] AUDIT /proc/self/attr/current #11 hook=security_setprocattr ... action=block forced_ret=-22 query="u:object_r:lsposed_file:s0"

Expected behavior

Either:

1. KPatch-Next 0.13.5 / kpimg d05 exports hotpatch_nosync, so KPMs requiring it can load.

or:

2. The KPM loader reports clearly that this KPM requires a newer/incompatible KPatch API.

or:

3. Documentation states which KPatch-Next/kpimg versions support KPMs requiring hotpatch_nosync.

Actual behavior

Newer KPMs that reference hotpatch_nosync fail with:

[-] KP E unknown symbol: hotpatch_nosync

Older KPMs without this symbol load successfully.

Question

Is hotpatch_nosync expected to be available in KPatch-Next 0.13.5 / kpimg d05?

If not, which KPatch-Next / kpimg version should be used for KPMs that require hotpatch_nosync?

Alternatively, should the affected KPMs be rebuilt against the older KPatch API without hotpatch_nosync?

Notes

I did not keep the newer KPM embedded after the failure. The successful 1.0.6 load was tested temporarily/dynamically only.

[Lycidias93]

Device: Pixel / mustang
Android: 16, build CP1A.260505.005
Kernel: 6.6.102-android15-8-g6eb5b2a8c46b-ab14739656-4k
KPatch-Next / kpimg: 0.13.5
SELinux: Enforcing

Issue:
Newer selinux_hook KPMs do not load on my device. KPatch reports missing symbol hotpatch_nosync.

KPM symbol scan:
selinux_hook_1.0.4.kpm requires_hotpatch_nosync=no
selinux_hook_1.0.5.kpm requires_hotpatch_nosync=no
selinux_hook_1.0.6.kpm requires_hotpatch_nosync=no
selinux_hook_1.0.8.kpm requires_hotpatch_nosync=yes
selinux_hook_1.0.9.kpm requires_hotpatch_nosync=yes
selinux_hook_1.1.0.kpm requires_hotpatch_nosync=yes

Dynamic load failure with selinux_hook_1.1.0:

[ 1751.593544] [+] KP D load_module_path: /data/adb/modules/KPatch-Next/tmp/selinux_hook_1.1.0.kpm
[ 1751.593562] [+] KP D load_module_path: module size: 10070
[ 1751.593617] [+] KP D loading module:
[ 1751.593618] [+] KP D name: selinux_magisk_access_filter
[ 1751.593619] [+] KP D version: 1.1.0
[ 1751.593621] [+] KP D author: Admire
[ 1751.593621] [+] KP D description: Audit and reject Magisk /sys/fs/selinux/access probes
[ 1751.593657] [-] KP E unknown symbol: hotpatch_nosync

Result:
KPM load failed
kpmodule: 0

Older selinux_hook_1.0.6 loads successfully:

[ 1994.167809] [+] KP D load_module_path: /data/adb/modules/KPatch-Next/tmp/selinux_hook_1.0.6 (2).kpm
[ 1994.167841] [+] KP D load_module_path: module size: 6b40
[ 1994.167897] [+] KP D loading module:
[ 1994.167899] [+] KP D name: selinux_magisk_access_filter
[ 1994.167902] [+] KP D version: 1.0.6
[ 1994.167908] [+] KP D description: Audit and reject Magisk /sys/fs/selinux/access probes
[ 1994.190120] [+] KP I load_module: [selinux_magisk_access_filter] succeed with [(null)]
[ 1994.274848] [+] KP D get_module_nums: 1
[ 1994.433391] [+] KP D get_module_info: name=selinux_magisk_access_filter

Runtime logs from 1.0.6:

[ 2047.277535] [selinux_hook] AUDIT /proc/self/attr/current #8 hook=security_setprocattr uid=10561 comm=sepolicy_zygote action=block forced_ret=-22 query="u:r:adbroot:s0"
[ 2047.277933] [selinux_hook] AUDIT /proc/self/attr/current #9 hook=security_setprocattr uid=10561 comm=sepolicy_zygote action=block forced_ret=-22 query="u:r:ksu:s0"
[ 2047.278285] [selinux_hook] AUDIT /proc/self/attr/current #10 hook=security_setprocattr uid=10561 comm=sepolicy_zygote action=block forced_ret=-22 query="u:object_r:ksu_file:s0"
[ 2047.278835] [selinux_hook] AUDIT /proc/self/attr/current #11 hook=security_setprocattr uid=10561 comm=sepolicy_zygote action=block forced_ret=-22 query="u:object_r:lsposed_file:s0"

After embedding newer KPM:
KPatch-Next showed active, but kpmodule stayed 0 and KPM page showed "No module found".