From 292afcdc20e300a9138f9105e86a2c2f30dded0e Mon Sep 17 00:00:00 2001
From: Lukas Javorsky <ljavorsk@redhat.com>
Date: Wed, 11 Mar 2026 13:04:38 +0100
Subject: [PATCH] Fix module linker flags

Related: RHEL-153237

Upstream PR: https://github.com/valkey-io/valkey/pull/3344
---
 valkey-bindnow.patch | 51 ++++++++++++++++++++++++++++++++++++++++++++
 valkey.spec          |  5 +++++
 2 files changed, 56 insertions(+)
 create mode 100644 valkey-bindnow.patch

diff --git a/valkey-bindnow.patch b/valkey-bindnow.patch
new file mode 100644
index 0000000..ba4bdd5
--- /dev/null
+++ b/valkey-bindnow.patch
@@ -0,0 +1,51 @@
+Adapted for 8.1/9.0 from
+
+
+From 8051de740dd38172476b04e892e5517630e3eaed Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Wed, 11 Mar 2026 11:40:15 +0100
+Subject: [PATCH] Inherit LDFLAGS for TLS and RDMA modules (#3344)
+
+With current Makefile, `LDFLAGS` are not used for modules.
+
+This results in security options not applied.
+
+```
+$ annocheck /usr/lib64/valkey/modules/rdma.so
+annocheck: Version 12.99.
+Hardened: rdma.so: FAIL: bind-now test because not linked with -Wl,-z,now
+Hardened: Rerun annocheck with --verbose to see more information on the tests.
+Hardened: rdma.so: Overall: FAIL.
+```
+
+With this patch
+
+```
+$ annocheck /usr/lib64/valkey/modules/rdma.so
+annocheck: Version 12.99.
+Hardened: rdma.so: PASS.
+```
+
+Signed-off-by: Remi Collet <remi@remirepo.net>
+---
+ src/Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index eb4a6e939a..5d3814d019 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -524,11 +524,11 @@ $(ENGINE_CHECK_AOF_NAME): $(SERVER_NAME)
+ 
+ # valkey-tls.so
+ $(TLS_MODULE_NAME): $(SERVER_NAME)
+-	$(QUIET_CC)$(CC) -o $@ tls.c -shared -fPIC $(TLS_MODULE_CFLAGS) $(TLS_CLIENT_LIBS)
++	$(QUIET_CC)$(CC) $(LDFLAGS) -o $@ tls.c -shared -fPIC $(TLS_MODULE_CFLAGS) $(TLS_CLIENT_LIBS)
+ 
+ # valkey-rdma.so
+ $(RDMA_MODULE_NAME): $(SERVER_NAME)
+-	$(QUIET_CC)$(CC) -o $@ rdma.c -shared -fPIC $(RDMA_MODULE_CFLAGS)
++	$(QUIET_CC)$(CC) $(LDFLAGS) -o $@ rdma.c -shared -fPIC $(RDMA_MODULE_CFLAGS)
+ 
+ # valkey-cli
+ $(ENGINE_CLI_NAME): $(ENGINE_CLI_OBJ)
diff --git a/valkey.spec b/valkey.spec
index 0ae371e..cda9a84 100644
--- a/valkey.spec
+++ b/valkey.spec
@@ -25,6 +25,8 @@ Patch1:            valkey-cve-2025-27151.patch
 Patch2:            %{name}-conf.patch
 # Workaround to https://github.com/valkey-io/valkey/issues/2678
 Patch3:		   %{name}-loadmod.patch
+#Fix linker flags: https://github.com/valkey-io/valkey/pull/3344
+Patch4:		   %{name}-bindnow.patch
 
 BuildRequires:     make
 BuildRequires:     gcc
@@ -124,6 +126,7 @@ BuildArch:         noarch
 %patch -P1 -p1
 %patch -P2 -p1 -b.rpm
 %patch -P3 -p1 -b .loadmod
+%patch -P4 -p1 -b .bindnow
 
 mv deps/lua/COPYRIGHT             COPYRIGHT-lua
 mv deps/jemalloc/COPYING          COPYING-jemalloc
@@ -306,6 +309,8 @@ taskset -c 1 ./runtest --clients 50 --skiptest "Active defrag - AOF loading"
 - use patch for configuration changes
 - add /etc/valkey/modules drop-in directory for module configuration files
 - add %%valkey_version and %%valkey_modules_cfg macros
+- fix module linker flags using patch from
+  https://github.com/valkey-io/valkey/pull/3344
 
 * Mon Mar 02 2026 Lukas Javorsky <ljavorsk@redhat.com> - 8.0.7-1
 - Rebase to 8.0.7 for CVE-2026-21863 CVE-2025-67733