@Tashar02 Tashar02 commented Aug 4, 2025

No description provided.

Currently, handle_sepolicy() holds an RCU read lock across the entire
function including calls to strncpy_from_user() which can sleep, which
is illegal in RCU semantics.

This triggers the following warning when the kernel is compiled with
CONFIG_DEBUG_ATOMIC_SLEEP enabled:

[    8.526345] BUG: sleeping function called from invalid context at lib/strncpy_from_user.c:40
[    8.526349] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 683, name: ksud
[    8.526351] preempt_count: 0, expected: 0
[    8.526352] RCU nest depth: 1, expected: 0
[    8.526354] 1 lock held by ksud/683:
[    8.526355] #0: ffffffe013e1b970 (rcu_read_lock){....}, at: handle_sepolicy+0xe4/0xaa0
[    8.526365] CPU: 6 PID: 683 Comm: ksud Tainted: G        W         5.4.289-Scarlet-v2.2-beta2 tiann#1
[    8.526366] Hardware name: redwood based Qualcomm Technologies, Inc. SM7325 (DT)
[    8.526367] Call trace:
[    8.526371] dump_backtrace+0x0/0x1c0
[    8.526374] dump_stack+0x90/0xcc
[    8.526376] __might_sleep+0x1a0/0x200
[    8.526378] __might_fault+0x28/0x40
[    8.526381] strncpy_from_user+0xac/0x300
[    8.526383] handle_sepolicy+0x588/0xaa0
[    8.526385] ksu_handle_prctl+0x368/0xd60
[    8.526386] ksu_task_prctl+0xc/0x20
[    8.526389] security_task_prctl+0x5c/0xa0
[    8.526391] __arm64_sys_prctl+0x58/0x7e0
[    8.526393] do_el0_svc+0x68/0x120
[    8.526394] el0_sync_handler+0x11c/0x1c0
[    8.526395] el0_sync+0x140/0x180

To fix this, replace the rcu_read_lock() with the `ksu_rules` mutex_lock()
introduced with commit 9014c66 ("kernel: selinux: rules: Fix illegal RCU
lock usage in apply_kernelsu_rules()") which allows sleeping.

This mutex_lock() ensures mutual exclusion between threads invoking dynamic
policy modifications via handle_sepolicy() and those applying KernelSU rules
via apply_kernelsu_rules(), both of which access the policydb structure through
get_policydb().

Signed-off-by: Tashfin Shakeer Rhythm <[email protected]>
…icydb()

get_policydb() uses rcu_dereference() to read pointers to selinux_state.policy.
But in the SELinux implementation, these pointers are assigned once during
initialization and never changed with rcu_assign_pointer(), rendering the
rcu_dereference() call in get_policydb() completely useless. This just adds
unwanted overhead and implies a concurrency pattern that is not even present in
the kernel.

Therefore, read the pointers directly since it's safe.

Signed-off-by: Tashfin Shakeer Rhythm <[email protected]>
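
The check behind the splat quoted in the first commit message, and the effect of swapping the RCU read lock for a sleepable mutex, as a userspace C model. This is an added illustration, not KernelSU or kernel code: every `model_*` function, `copy_and_apply()`, the two-string argument shape and the sample type names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model (constructed) of the state __might_sleep() inspects. */
static int rcu_nest_depth;   /* models the task's RCU read-side nesting depth */
static int sleep_splats;     /* "sleeping function called from invalid context" count */
static int ksu_rules_held;   /* models the ksu_rules mutex named in the commit message */

static void model_rcu_read_lock(void)   { rcu_nest_depth++; }
static void model_rcu_read_unlock(void) { rcu_nest_depth--; }

/* Models __might_sleep() with CONFIG_DEBUG_ATOMIC_SLEEP: any sleeping call
 * made while the RCU nesting depth is non-zero is reported. */
static void model_might_sleep(const char *who)
{
    if (rcu_nest_depth > 0) {
        sleep_splats++;
        fprintf(stderr, "BUG: sleeping function called from invalid context (%s); "
                "RCU nest depth: %d, expected: 0\n", who, rcu_nest_depth);
    }
}

/* mutex_lock() may sleep as well, so it runs the same check before acquiring. */
static void model_mutex_lock(int *m)   { model_might_sleep("mutex_lock"); *m = 1; }
static void model_mutex_unlock(int *m) { *m = 0; }

/* Models strncpy_from_user(): it may fault on user memory, so it checks first.
 * Returns the string length, or count if no NUL was seen within count bytes. */
static long model_strncpy_from_user(char *dst, const char *usrc, long count)
{
    long n = 0;

    model_might_sleep("strncpy_from_user");
    while (n < count && usrc[n] != '\0') {
        dst[n] = usrc[n];
        n++;
    }
    if (n < count)
        dst[n] = '\0';
    return n;
}

struct model_policydb { int rules; char last[2][32]; };
static struct model_policydb policydb;   /* stands in for the SELinux policydb */

/* Shared body: copy two user-supplied strings, then update the policy model. */
static void copy_and_apply(const char *u1, const char *u2)
{
    char a[32] = {0}, b[32] = {0};

    model_strncpy_from_user(a, u1, (long)sizeof(a) - 1);
    model_strncpy_from_user(b, u2, (long)sizeof(b) - 1);
    memcpy(policydb.last[0], a, sizeof(a));
    memcpy(policydb.last[1], b, sizeof(b));
    policydb.rules++;
}

/* Before: RCU read lock held across the user copies. Returns splats raised. */
static int handle_sepolicy_before(const char *u1, const char *u2)
{
    int start = sleep_splats;

    model_rcu_read_lock();
    copy_and_apply(u1, u2);
    model_rcu_read_unlock();
    return sleep_splats - start;
}

/* After: a sleepable mutex serialises policydb writers instead. */
static int handle_sepolicy_after(const char *u1, const char *u2)
{
    int start = sleep_splats;

    model_mutex_lock(&ksu_rules_held);
    copy_and_apply(u1, u2);
    model_mutex_unlock(&ksu_rules_held);
    return sleep_splats - start;
}

int main(void)
{
    /* Constructed sample type names. */
    printf("before: %d splat(s)\n", handle_sepolicy_before("untrusted_app", "system_file"));
    printf("after:  %d splat(s)\n", handle_sepolicy_after("untrusted_app", "system_file"));
    return 0;
}
```

Because `model_mutex_lock()` runs the same check, taking the mutex while still inside an RCU read-side section would be flagged as well; the lock has to replace the RCU section, not nest inside it.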
@Tashar02 Tashar02 changed the title Micro-optimization of get_policydb() and illegal lock usage fix in handle_sepolicy() kernel: selinux: rules: Micro-optimize get_policydb() and illegal RCU lock usage fix in handle_sepolicy() Aug 4, 2025
@Tashar02 Tashar02 changed the title kernel: selinux: rules: Micro-optimize get_policydb() and illegal RCU lock usage fix in handle_sepolicy() kernel: selinux: rules: Micro-optimize get_policydb() and fix illegal RCU lock usage in handle_sepolicy() Aug 5, 2025
@aviraxp aviraxp enabled auto-merge (squash) August 13, 2025 01:06
@aviraxp aviraxp merged commit 1ccdbc2 into tiann:main Aug 13, 2025
20 checks passed
pershoot pushed a commit to pershoot/KernelSU-Next that referenced this pull request Aug 13, 2025
… RCU lock usage in handle_sepolicy() (tiann/KernelSU#2695)

Signed-off-by: Tashfin Shakeer Rhythm <[email protected]>
LeCmnGend pushed a commit to LeCmnGend/KernelSU that referenced this pull request Aug 14, 2025
… RCU lock usage in handle_sepolicy() (tiann#2695)

Signed-off-by: Tashfin Shakeer Rhythm <[email protected]>
pershoot pushed a commit to pershoot/KernelSU-Next that referenced this pull request Aug 16, 2025
Trijal08 pushed a commit to Trijal08/KernelSU-Next that referenced this pull request Aug 24, 2025
sidex15 pushed a commit to sidex15/KernelSU that referenced this pull request Aug 25, 2025
backslashxx added a commit to backslashxx/KernelSU that referenced this pull request Aug 26, 2025
This commit restores compatibility code needed that was removed at tiann/KernelSU@898e9d4 .
where upstream dropped all pre-5.10 support

Reverts `kernel:Add Huawei hisi check (tiann#1545)`
	- upstream tiann/KernelSU@4f05fe2
	- superseded by `kernel: expose allowlist workaround as Kconfig option` on next commit

other changes and cleanups
	sucompat: ksu_handle_stat(), remove dead ifdef.
		- just use `ksu_handle_stat(&dfd, &filename->name, &flags);` if you want to hook vfs_statx on 6.1
	LINUX_VERSION_CODE / KERNEL_VERSION, ksu.c
		- reported by Sinclair19
		- fix by including version.h
	fatal_signal_pending, ksud.c
		- add compat by including sched.h or sched/signal.h conditionally
		- ref: torvalds/linux@2a1f062
	selinux_state.ss, core_hook.c
		- remove rcu_dereference use
		- ref: tiann#2695
	seccomp.filter_count, core_hook.c
		- reset this only for 5.9 and up as it only exists there
		- ref: tiann#2708, gregkh/linux@c818c03

Signed-off-by: backslashxx <[email protected]>
AzyrRuthless pushed a commit to AzyrRuthless/KernelSU-Next that referenced this pull request Aug 26, 2025
selfmusing pushed a commit to selfmusing/USlenreK that referenced this pull request Aug 27, 2025
backslashxx added a commit to backslashxx/KernelSU that referenced this pull request Aug 29, 2025
selfmusing pushed a commit to selfmusing/USlenreK that referenced this pull request Aug 29, 2025
selfmusing pushed a commit to selfmusing/USlenreK that referenced this pull request Aug 30, 2025
backslashxx added a commit to backslashxx/KernelSU that referenced this pull request Aug 30, 2025
backslashxx added a commit to backslashxx/KernelSU that referenced this pull request Aug 31, 2025
backslashxx added a commit to backslashxx/KernelSU that referenced this pull request Sep 18, 2025
This commit restores compatibility code needed that was removed at tiann/KernelSU@898e9d4 .
where upstream dropped all pre-5.10 support

Reverts `kernel:Add Huawei hisi check (tiann#1545)`
	- upstream tiann/KernelSU@4f05fe2
	- superseded by `kernel: expose allowlist workaround as Kconfig option` on next commit

other changes and cleanups
	sucompat: ksu_handle_stat(), remove dead ifdef.
		- just use `ksu_handle_stat(&dfd, &filename->name, &flags);` if you want to hook vfs_statx on 6.1
	LINUX_VERSION_CODE / KERNEL_VERSION, ksu.c
		- reported by Sinclair19
		- fix by including version.h
	fatal_signal_pending, ksud.c
		- add compat by including sched.h or sched/signal.h conditionally
		- ref: torvalds/linux@2a1f062
	selinux_state.ss, core_hook.c
		- remove rcu_dereference use
		- ref: tiann#2695
	seccomp.filter_count, core_hook.c
		- reset this only for 5.9 and up as it only exists there
		- ref: tiann#2708, gregkh/linux@c818c03
	vfs_getattr, throne_tracker.c
		- add compat by using old fn signature on < 4.11
		- ref: tiann#2757

Signed-off-by: backslashxx <[email protected]>
xvergilantte pushed a commit to xvergilantte/KernelSU-Next that referenced this pull request Sep 18, 2025
Flopster101 added a commit to FlopKernel-Series/flop_s5e8825_kernel that referenced this pull request Sep 20, 2025
5bdb938e845f fix 'for' loop problem (tiann/KernelSU#2745) (#772)
429ae53c5c8d Strip JNI debug logs on release build (#2732)
43c600f295a9 ksud: updated resetprop
316a679260a0 manager: Optimized import, optimized all libsu shell calls, and fixed WebUI memory leaks (#754)
a540992e9b63 Reset seccomp filter count when escaping to root (tiann/KernelSU#2708) (#743)
ba16e0c83ffa kernel: selinux: rules: Micro-optimize get_policydb() and fix illegal RCU lock usage in handle_sepolicy() (tiann/KernelSU#2695) (#721)
fa5c545b4bee ksud_overlayfs: change custom sparse file name
1de68a8ed2a0 Revert "userspace: implement OSS ksuinit"
e0c461322bca kernel: nest ksun switch manager support under CONFIG_KSU_SWITCH_MANAGER config default as disabled
edb99a2c1a87 userspace: implement OSS ksuinit
eaab98b7ecb2 ci(workflows): add artifact caching to build-manager-ci and build-manager-spoofed workflows (#702)
aa37bcc3683f New Crowdin updates (#660)
107cd4add0ca Update README.md
94c4b41ea3de README: updated
0bde9047b935 manager: add -spoof string to apk output
bc9927b9b66e POC: load icon app via ksu://icon/[packageName] (#674)
d4f4c0a0ccad Syscall Hooks (#686)
0aaae919c08a userspace/su: add ndk compatible su from kernelnosu
3f4c23a34f4f kernel: allow only perms for /{system | vendor | product | system_ext}/bin/su path kernel: guard kernelnosu perms if not using KSU_KPROBES_HOOK
d69a72c6586b src: build script for a full featured manager
adbff41a2215 ksud: decide best partition to direct flash LKM
512f84504ec1 ksud: create our own new ramdisk when no compatible ramdisk found
c44f48c8a410 Update README.md
5c6c3870a01c ksud_magic: fix rust fmt
c6b54406829d manager | ksud: Add toggle for global mount namespace (#99)
a917314e8439 manager: fixed sus_su features
948975ba35be kernel: core_hook: add support for KernelNoSU
45ad73e9dd86 kernel: guard syscall hook types
892a62afdf0b manager: bump MINIMAL_SUPPORTED_KERNEL to 12797
d61de07c2189 kernel: implement  v2_signature size/hash override from userspace through kernel module parameter
4382dca515b5 ksud: do backup for vendor_boot partition
2c9078e038bc kernel: use ksu_strncpy_from_user_retry when kprobes hook sucompat pagefaults
81f4f09d0c6f ksud: Address pagefault in ksu_handle_execveat_ksud (#662)

git-subtree-dir: drivers/kernelsu
git-subtree-split: 5bdb938e845f2dacd37db4a3761d2b38503a708b
Flopster101 added a commit to FlopKernel-Series/flop_trinket-mi_kernel that referenced this pull request Sep 20, 2025
89a0d4c53e9d kernel: sucompat: fix improper sizeof(su)
dd44d4212eb2 kernel: ksud and core_hook: wrap execveat_hook checks with CONFIG_KSU_KPROBES_HOOK guard
b0e9976288da Revert "kernel: core_hook: expose prctl interface for umount list (5ec1cff#16)"
427f724c1cca Revert "kernel: core_hook: expose nuke_ext4_sysfs on prctl"
8809224691fa kernel: sucompat: add missing import arch.h
4acc51af02ad ci: swtiched to min syscall hooks v1.5
028237652296 kernel: sucompat: ducplicate declaration, previous declaration is in kernel_compat
4c66d8cb5847 kernel: throne_tracker: offload to kthread (tiann#2632)
e7a090322545 kernel: ksud: provide is_ksu_transition check v2
3cd88145cc89 kernel: selinux: fix pointer mismatch with 32-bit ksud on 64-bit kernels
8d8220b38b93 kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653)
35a6c1d1c1cc kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656)
1f95c35dc431 kernel: core_hook: expose nuke_ext4_sysfs on prctl
2d60fdb944b4 kernel: core_hook: expose prctl interface for umount list (5ec1cff#16)
e37c14b9f603 magic mount: make mount points read only
26ee31e01c6c kernel: remove KSU_SWITCH_MANAGER logic
4df1cf0f5724 New Crowdin updates (#794)
6212a6907769 Update english strings & readme (#783)
21c879d49e1d Fix rustfmt again (#788)
2c02db6323f1 ci: update workflows (#724)
b01e8503cd97 deps: update (#723)
04c6bbf035cb kernel: Remove duplicate include in core_hook (#784)
8edb892792dc fix rustfmt (#722)
49ffbae2ce1d Added Crowdin localized status in README_UA (#690)
9708c953efb7 Update README_RU.md (#683)
4ff58a33bc19 docs: Update Buglarian README (#667)
91dcdebb8b85 docs: Update Polish README (#641)
17a7ad9c8ee0 Edit Security to Contribution and add Crowdin link to README (#639)
dad404e7b591 fix typos in readme (#638)
44360ffa25a2 New Crowdin updates (#701)
04c128694707 Fix mount not working in android 8/9 (#741)
cee92d6926eb Unmount isolated process which forks from zygote unconditionally (tiann/KernelSU#2747) (#776)
5bdb938e845f fix 'for' loop problem (tiann/KernelSU#2745) (#772)
429ae53c5c8d Strip JNI debug logs on release build (#2732)
43c600f295a9 ksud: updated resetprop
316a679260a0 manager: Optimized import, optimized all libsu shell calls, and fixed WebUI memory leaks (#754)
a540992e9b63 Reset seccomp filter count when escaping to root (tiann/KernelSU#2708) (#743)
ba16e0c83ffa kernel: selinux: rules: Micro-optimize get_policydb() and fix illegal RCU lock usage in handle_sepolicy() (tiann/KernelSU#2695) (#721)
fa5c545b4bee ksud_overlayfs: change custom sparse file name
1de68a8ed2a0 Revert "userspace: implement OSS ksuinit"
e0c461322bca kernel: nest ksun switch manager support under CONFIG_KSU_SWITCH_MANAGER config default as disabled
edb99a2c1a87 userspace: implement OSS ksuinit
eaab98b7ecb2 ci(workflows): add artifact caching to build-manager-ci and build-manager-spoofed workflows (#702)
aa37bcc3683f New Crowdin updates (#660)
107cd4add0ca Update README.md
94c4b41ea3de README: updated
0bde9047b935 manager: add -spoof string to apk output
bc9927b9b66e POC: load icon app via ksu://icon/[packageName] (#674)
d4f4c0a0ccad Syscall Hooks (#686)
0aaae919c08a userspace/su: add ndk compatible su from kernelnosu
3f4c23a34f4f kernel: allow only perms for /{system | vendor | product | system_ext}/bin/su path kernel: guard kernelnosu perms if not using KSU_KPROBES_HOOK
d69a72c6586b src: build script for a full featured manager
adbff41a2215 ksud: decide best partition to direct flash LKM
512f84504ec1 ksud: create our own new ramdisk when no compatible ramdisk found
c44f48c8a410 Update README.md
5c6c3870a01c ksud_magic: fix rust fmt
c6b54406829d manager | ksud: Add toggle for global mount namespace (#99)
a917314e8439 manager: fixed sus_su features
948975ba35be kernel: core_hook: add support for KernelNoSU
45ad73e9dd86 kernel: guard syscall hook types
892a62afdf0b manager: bump MINIMAL_SUPPORTED_KERNEL to 12797
d61de07c2189 kernel: implement  v2_signature size/hash override from userspace through kernel module parameter
4382dca515b5 ksud: do backup for vendor_boot partition
2c9078e038bc kernel: use ksu_strncpy_from_user_retry when kprobes hook sucompat pagefaults
81f4f09d0c6f ksud: Address pagefault in ksu_handle_execveat_ksud (#662)

git-subtree-dir: drivers/kernelsu
git-subtree-split: 89a0d4c53e9d5d8c6d53922f342d858c4c7f300c
yamaizano pushed a commit to yamaizano/KernelSU that referenced this pull request Sep 21, 2025
Flopster101 added a commit to FlopKernel-Series/flop_s5e8825_kernel that referenced this pull request Sep 22, 2025
2c9078e038bc kernel: use ksu_strncpy_from_user_retry when kprobes hook sucompat pagefaults
81f4f09d0c6f ksud: Address pagefault in ksu_handle_execveat_ksud (#662)

git-subtree-dir: drivers/kernelsu
git-subtree-split: 89a0d4c53e9d5d8c6d53922f342d858c4c7f300c
backslashxx added a commit to backslashxx/KernelSU that referenced this pull request Sep 24, 2025
This commit restores needed compatibility code that was removed at tiann/KernelSU@898e9d4,
where upstream dropped all pre-5.10 support.

Reverts `kernel:Add Huawei hisi check (tiann#1545)`
	- upstream tiann/KernelSU@4f05fe2
	- superseded by `kernel: expose allowlist workaround as Kconfig option` on next commit

other changes and cleanups
	sucompat: ksu_handle_stat(), remove dead ifdef.
		- just use `ksu_handle_stat(&dfd, &filename->name, &flags);` if you want to hook vfs_statx on 6.1
	LINUX_VERSION_CODE / KERNEL_VERSION, ksu.c
		- reported by Sinclair19
		- fix by including version.h
	fatal_signal_pending, ksud.c
		- add compat by including sched.h or sched/signal.h conditionally
		- ref: torvalds/linux@2a1f062
	selinux_state.ss, core_hook.c
		- remove rcu_dereference use
		- ref: tiann#2695
	seccomp.filter_count, core_hook.c
		- reset this only for 5.9 and up as it only exists there
		- ref: tiann#2708, gregkh/linux@c818c03

Signed-off-by: backslashxx <[email protected]>
TR-76 pushed a commit to TR-76/android_kernel_xiaomi_redwood that referenced this pull request Sep 24, 2025
https://github.com/KernelSU-Next/KernelSU-Next

 git rev-list --count HEAD

ksud: Address pagefault in ksu_handle_execveat_ksud (#662)

kernel: use ksu_strncpy_from_user_retry when kprobes hook sucompat pagefaults

kernel: implement  v2_signature size/hash override from userspace through kernel module parameter

kernel: guard syscall hook types

kernel: core_hook: add support for KernelNoSU

reorder ksu_handle_prctl checks a bit to allow non-manager to use CMD 15
this allows us to piggyback a small su to KernelSU's permission system after
disabling kernel sucompat

kernel: allow only perms for /{system | vendor | product | system_ext}/bin/su path
kernel: guard kernelnosu perms if not using KSU_KPROBES_HOOK

kernel: nest ksun switch manager support under CONFIG_KSU_SWITCH_MANAGER config default as disabled

kernel: selinux: rules: Micro-optimize get_policydb() and fix illegal RCU lock usage in handle_sepolicy() (tiann/KernelSU#2695) (#721)

Reset seccomp filter count when escaping to root (tiann/KernelSU#2708) (#743)

fix 'for' loop problem (tiann/KernelSU#2745) (#772)

Unmount isolated process which forks from zygote unconditionally (tiann/KernelSU#2747) (#776)

kernel: Remove duplicate include in core_hook (#784)

kernel: remove KSU_SWITCH_MANAGER logic

kernel: auto patch struct seccomp to include filter_count
backslashxx added a commit to backslashxx/KernelSU that referenced this pull request Sep 25, 2025
selfmusing pushed a commit to selfmusing/USlenreK that referenced this pull request Sep 26, 2025
selfmusing pushed a commit to selfmusing/USlenreK that referenced this pull request Sep 29, 2025
selfmusing pushed a commit to selfmusing/USlenreK that referenced this pull request Sep 29, 2025
backslashxx added a commit to backslashxx/KernelSU that referenced this pull request Sep 30, 2025
backslashxx added a commit to backslashxx/KernelSU that referenced this pull request Sep 30, 2025
xvergilantte pushed a commit to xvergilantte/KernelSU-Next that referenced this pull request Oct 2, 2025
ramabondanp pushed a commit to ramabondanp/KernelSU-Next that referenced this pull request Oct 2, 2025
onettboots added a commit to onettboots/bool-x_xiaomi_raphael that referenced this pull request Oct 4, 2025
02f944e9422f apk_sign: Add KernelSU RSUNTK Manager
80a1b5622c84 kernel: implement susfs v1.5.9
c8e1d8479e5f New Crowdin updates (#794)
649ab0435360 Update english strings & readme (#783)
02b6050f6555 Fix rustfmt again (#788)
6b2dc45954ee ci: update workflows (#724)
75ce7e6236cf deps: update (#723)
f00aaab7c964 kernel: Remove duplicate include in core_hook (#784)
1ef3deb4484c fix rustfmt (#722)
0e2970a89265 Added Crowdin localized status in README_UA (#690)
3359873885c6 Update README_RU.md (#683)
caea2af46f78 docs: Update Buglarian README (#667)
879979b11042 docs: Update Polish README (#641)
5549fa918ac8 Edit Security to Contribution and add Crowdin link to README (#639)
127fa344c5d1 fix typos in readme (#638)
2dd907651896 New Crowdin updates (#701)
16c429aaa1cf Fix mount not working in android 8/9 (#741)
4a8afa4190df Unmount isolated process which forks from zygote unconditionally (tiann/KernelSU#2747) (#776)
a3b7a9bc4e74 fix 'for' loop problem (tiann/KernelSU#2745) (#772)
12d46941e4bc Strip JNI debug logs on release build (#2732)
556d9c8e1a45 ksud: updated resetprop
250c9d1477e9 manager: Optimized import, optimized all libsu shell calls, and fixed WebUI memory leaks (#754)
7a2aeb504209 Reset seccomp filter count when escaping to root (tiann/KernelSU#2708) (#743)
27eca6f2764d kernel: selinux: rules: Micro-optimize get_policydb() and fix illegal RCU lock usage in handle_sepolicy() (tiann/KernelSU#2695) (#721)
35ffc601c69e ksud_overlayfs: change custom sparse file name
bfdbd597eae1 Revert "kernel: implement susfs v1.5.9"

git-subtree-dir: drivers/kernelsu
git-subtree-split: 02f944e9422f4e90589dca8b7959bd9ab8bc0f33
onettboots added a commit to onettboots/bool-x_xiaomi_raphael that referenced this pull request Oct 7, 2025
06c355b87f24 KernelSU: Attempted to fix new prctl side channel detection
02f944e9422f apk_sign: Add KernelSU RSUNTK Manager
80a1b5622c84 kernel: implement susfs v1.5.9
c8e1d8479e5f New Crowdin updates (#794)
649ab0435360 Update english strings & readme (#783)
02b6050f6555 Fix rustfmt again (#788)
6b2dc45954ee ci: update workflows (#724)
75ce7e6236cf deps: update (#723)
f00aaab7c964 kernel: Remove duplicate include in core_hook (#784)
1ef3deb4484c fix rustfmt (#722)
0e2970a89265 Added Crowdin localized status in README_UA (#690)
3359873885c6 Update README_RU.md (#683)
caea2af46f78 docs: Update Buglarian README (#667)
879979b11042 docs: Update Polish README (#641)
5549fa918ac8 Edit Security to Contribution and add Crowdin link to README (#639)
127fa344c5d1 fix typos in readme (#638)
2dd907651896 New Crowdin updates (#701)
16c429aaa1cf Fix mount not working in android 8/9 (#741)
4a8afa4190df Unmount isolated process which forks from zygote unconditionally (tiann/KernelSU#2747) (#776)
a3b7a9bc4e74 fix 'for' loop problem (tiann/KernelSU#2745) (#772)
12d46941e4bc Strip JNI debug logs on release build (#2732)
556d9c8e1a45 ksud: updated resetprop
250c9d1477e9 manager: Optimized import, optimized all libsu shell calls, and fixed WebUI memory leaks (#754)
7a2aeb504209 Reset seccomp filter count when escaping to root (tiann/KernelSU#2708) (#743)
27eca6f2764d kernel: selinux: rules: Micro-optimize get_policydb() and fix illegal RCU lock usage in handle_sepolicy() (tiann/KernelSU#2695) (#721)
35ffc601c69e ksud_overlayfs: change custom sparse file name
bfdbd597eae1 Revert "kernel: implement susfs v1.5.9"
8e69005cb0d6 kernel: use sidex15's fork for setup.sh
6bf2b9758273 kernel: implement susfs v1.5.9
b9389f4c1022 Revert "kernel: implement susfs v1.5.9"
c38135d8d57e kernel: add TheWildJames Fork Manager
8763c7e9bcf3 kernel: implement susfs v1.5.9
REVERT: 69be375db10a Revert "kernel: harden prctl check"
REVERT: 11643ee685cb Revert "kernel: align prctl harden commit from backslashxx/KernelSU"
REVERT: 478394a6e1ce kernel: align prctl harden commit from backslashxx/KernelSU SQUASHED: * kernel: harden barriers for arm/arm64 * kernel: core_hook: harden prctl handler
REVERT: f40fe9b9e1e6 manager: add version tag to update card
REVERT: f1c97b507efe kernel: harden prctl check
REVERT: 300a13f65775 kernel: handle throned UID change if manager is reinstall or changed
REVERT: d4b7ffbbe19d kernel: scan /data/user_de/0 for actual UID (#155)
REVERT: 693ac0be5579 Revert "Unmount isolated process which forks from zygote unconditionally (tiann/KernelSU#2747) (#776)"
REVERT: bab8669988dd manager: move settings button to topbar
REVERT: 3d98ed7f83b5 manager: improvements and ui overhaul v2
REVERT: f41fe20d9942 manager: fix zygisk implementation module path
REVERT: dbd6accea8ea New Crowdin updates (#816)
REVERT: 363e80821a85 kernel: manager: get kernel driver version tag
REVERT: e76ef97d4b91 manager: get zygisk implementation and version info
REVERT: 2f408a2b6570 manager: improve bottom bar destination animations
REVERT: 1293848c2307 manager: improve topbar icon animation
REVERT: 261ac2ea47e8 manager: update icons and improve ABI string in Home screen
REVERT: 4e2d30ca9ad7 manager: webui: allow download file
REVERT: 2a0f19a3ab4c manager: webui: allow file upload
REVERT: ea3825b56fae manager: enhance navigation transitions for detail and tab screens
REVERT: ab360c26ee3f manager: downgrade navigation lib version due to buggy transition for module install intent
REVERT: 2033d502a1c1 ci: add linux build target for ksud on ci manager workflows
REVERT: d7b24fbbe13a manager: add new file management apis (listFile, readFile, writeFile, removeFile, moveFile, copyFile)
REVERT: b65369717278 manager: improve manager variant update mechanism
REVERT: 0576b5736a7c manager: make module and superuser count card more compact
REVERT: bb8402e8e804 manager: minor improvements to update card
REVERT: b86e3821a0b9 ksud: add linux support
REVERT: 9d3309558b0d manager: implement insets for webui-next
REVERT: 0d6bdc6364cb New Crowdin updates (#806)
REVERT: d9239343e697 kernel: auto patch struct seccomp to include filter_count
REVERT: 84a8eef2d217 manager: modify warning message for root grant failure and add  tap to restart option
REVERT: e37c14b9f603 magic mount: make mount points read only
REVERT: 26ee31e01c6c kernel: remove KSU_SWITCH_MANAGER logic
REVERT: 4df1cf0f5724 New Crowdin updates (#794)
REVERT: 6212a6907769 Update english strings & readme (#783)
REVERT: 21c879d49e1d Fix rustfmt again (#788)
REVERT: 2c02db6323f1 ci: update workflows (#724)
REVERT: b01e8503cd97 deps: update (#723)
REVERT: 04c6bbf035cb kernel: Remove duplicate include in core_hook (#784)
REVERT: 8edb892792dc fix rustfmt (#722)
REVERT: 49ffbae2ce1d Added Crowdin localized status in README_UA (#690)
REVERT: 9708c953efb7 Update README_RU.md (#683)
REVERT: 4ff58a33bc19 docs: Update Buglarian README (#667)
REVERT: 91dcdebb8b85 docs: Update Polish README (#641)
REVERT: 17a7ad9c8ee0 Edit Security to Contribution and add Crowdin link to README (#639)
REVERT: dad404e7b591 fix typos in readme (#638)
REVERT: 44360ffa25a2 New Crowdin updates (#701)
REVERT: 04c128694707 Fix mount not working in android 8/9 (#741)
REVERT: cee92d6926eb Unmount isolated process which forks from zygote unconditionally (tiann/KernelSU#2747) (#776)
REVERT: 5bdb938e845f fix 'for' loop problem (tiann/KernelSU#2745) (#772)
REVERT: 429ae53c5c8d Strip JNI debug logs on release build (#2732)
REVERT: 43c600f295a9 ksud: updated resetprop
REVERT: 316a679260a0 manager: Optimized import, optimized all libsu shell calls, and fixed WebUI memory leaks (#754)
REVERT: a540992e9b63 Reset seccomp filter count when escaping to root (tiann/KernelSU#2708) (#743)
REVERT: ba16e0c83ffa kernel: selinux: rules: Micro-optimize get_policydb() and fix illegal RCU lock usage in handle_sepolicy() (tiann/KernelSU#2695) (#721)
REVERT: fa5c545b4bee ksud_overlayfs: change custom sparse file name

git-subtree-dir: drivers/kernelsu
git-subtree-split: 06c355b87f24b0ac264be19f61770de3e6c06533
backslashxx added a commit to backslashxx/KernelSU that referenced this pull request Oct 16, 2025
backslashxx added a commit to backslashxx/KernelSU that referenced this pull request Oct 19, 2025
backslashxx added a commit to backslashxx/KernelSU that referenced this pull request Oct 19, 2025
backslashxx added a commit to backslashxx/KernelSU that referenced this pull request Oct 19, 2025
backslashxx added a commit to backslashxx/KernelSU that referenced this pull request Oct 20, 2025
anzarfarooq pushed a commit to anzarfarooq/KernelSU that referenced this pull request Oct 20, 2025
anzarfarooq pushed a commit to anzarfarooq/KernelSU that referenced this pull request Oct 20, 2025
backslashxx added a commit to backslashxx/KernelSU that referenced this pull request Oct 22, 2025
selfmusing pushed a commit to selfmusing/USlenreK that referenced this pull request Oct 22, 2025
selfmusing pushed a commit to selfmusing/USlenreK that referenced this pull request Oct 23, 2025
backslashxx added a commit to backslashxx/KernelSU that referenced this pull request Oct 30, 2025
kernel: drop LKM and kprobes support

Since upstream has kprobes default, and now a requirement, cleaning up support for LKM and kprobes
is kind of a must. This simplifies porting small changes, debloat, and makes it easier to maintain
downstream, e.g. avoiding excessive use of conditionals (ifdef hell).

what breaks:
	current_user_stack_pointer, sucompat.c
		- mitigate this by including linux/ptrace.h
	fatal_signal_pending, ksud.c
		- mitigate this by including linux/sched/signal.h

other changes:
	Kconfig, CONFIG_KSU, tristate to bool
	ksud.c, stop_input_hook(), short-circuit redundant logic left by this change.

Signed-off-by: backslashxx <[email protected]>

Revert "kernel: transition devpts in kernel"

Reverts 98757bc

Signed-off-by: backslashxx <[email protected]>

kernel: restore compat code required for old kernels

This commit restores needed compatibility code that was removed at tiann/KernelSU@898e9d4,
where upstream dropped all pre-5.10 support.

Reverts `kernel:Add Huawei hisi check (tiann#1545)`
	- upstream tiann/KernelSU@4f05fe2
	- superseded by `kernel: expose allowlist workaround as Kconfig option` on next commit

Reverts packages.list fsnotify watcher
	- rename hook is way simpler and we have full access to LSM hooks on this kernel
	- revert: cf031b4 - kernel: replace renameat hook with fsnotify
	- revert: 5ac010d - kernel: fix compile
	- revert: 3138651 - kernel: fix compile below 6.0

Restores LSM hooks:
	- inode_rename
	- task_fix_setuid
	- key permission

other changes and cleanups
	sucompat: ksu_handle_stat(), remove dead ifdef.
		- just use `ksu_handle_stat(&dfd, &filename->name, &flags);` if you want to hook vfs_statx on 6.1
	LINUX_VERSION_CODE / KERNEL_VERSION, ksu.c
		- reported by Sinclair19
		- fix by including version.h
	fatal_signal_pending, ksud.c
		- add compat by including sched.h or sched/signal.h conditionally
		- ref: torvalds/linux@2a1f062
	selinux_state.ss, core_hook.c
		- remove rcu_dereference use
		- ref: tiann#2695
	seccomp.filter_count, core_hook.c
		- reset this only for 5.9 and up as it only exists there
		- ref: tiann#2708, gregkh/linux@c818c03

Signed-off-by: backslashxx <[email protected]>

kernel: selinux: force sepol_data.sepol to be u64

if we properly align our struct members as such.
we won't need all this compat_ptr bullshit.

Signed-off-by: backslashxx <[email protected]>

kernel: expose allowlist workaround as Kconfig option

Useful for situations where the SU allowlist is not kept after a reboot.
As per upstream this is only used for < 4.10 and Huawei HiSilicon devices.
but there are user reports of issues even on 4.14/4.19 Samsung kernels.
Expose this option so users affected can opt-in.

This supersedes `kernel:Add Huawei hisi check (tiann#1545)`

References:
	tiann@f57d351
	tiann@b61cb30

Reviewed-by: Alex <[email protected]>
Signed-off-by: backslashxx <[email protected]>

kernel: core_hook: screw path_umount backport, call sys_umount directly

I am repasting here what I posted on the source code originally:

/*
 * turns out path_umount backport is completely unneeded
 * we copy the trick used on strncpy_from_unsafe_user / strncpy_from_user_nofault
 * https://elixir.bootlin.com/linux/v4.4.302/source/mm/maccess.c#L184
 * basically
 *
 *     mm_segment_t old_fs = get_fs();     // remember original fs segment
 *     set_fs(USER_DS);                    // or KERNEL_DS *
 *     do_whatever_in_userspace();
 *     set_fs(old_fs);                     // restore fs segment
 *
 *  * kernel -> user, KERNEL_DS, user -> kernel, USER_DS
 *
 * so yes, we can try to straight up call a syscall from kernel space
 *
 * NOTE: on newer kernels you can use force_uaccess_begin + force_uaccess_end
 * ref: https://elixir.bootlin.com/linux/v5.10.237/source/mm/maccess.c#L250
 *
 */

path_umount backport now optional — neat trick, werks, what can I say.

Backports? Nah, we’re good.

EDITS:
- rename path_umount_handler for clarity + proper guards
- add a fix for 4.17~5.8

`fs: add ksys_umount() helper; remove in-kernel call to sys_umount()` torvalds/linux@3a18ef5
- which adds a ksys_umount helper, basically turning sys_umount

`syscalls/core: Introduce CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y` torvalds/linux@1bd21c6
- which undefines in-kernel calls of syscalls, which is enabled on 4.19's arch/arm64/Kconfig

Ref:
- https://github.com/torvalds/linux/commits/v4.17/include/linux/syscalls.h
- rsuntk@d20f15e

Reported-by: rsuntk <[email protected]>
Signed-off-by: backslashxx <[email protected]>

kernel: throne_tracker: offload to kthread (tiann#2632)

Run throne_tracker() in kthread instead of blocking the caller.
Prevents full lockup during installation and removing the manager.

By default, first run remains synchronous for compatibility purposes
(FDE, FBEv1, FBEv2)

Features:
- looks and waits for manager UID in /data/system/packages.list
- run track_throne() in a kthread after the first synchronous run
- prevent duplicate thread creation with a single-instance check
- spinlock-on-d_lock based polling addressing possible race conditions.

Race conditions addressed
- single instance kthread lock, smp_mb()
- track_throne_function, packages.list, spinlock-on-d_lock based polling
- is_manager_apk, apk, spinlock-on-d_lock based polling

This is a squash of:
tiann#2632

Original skeleton based on:
`kernelsu: move throne_tracker() to kthread`
`kernelsu: check locking before accessing files and dirs during searching manager`
`kernelsu: look for manager UID in /data/system/packages.list, not /data/system/packages.list.tmp`
acroreiser/android_kernel_lge_hammerhead@0b05e92...8783bad

Signed-off-by: backslashxx <[email protected]>

kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653)

This migrates ksud execution decision-making to bprm_check_security.
This requires passing proper argv and envp to a modified _ksud handler
aptly named 'ksu_handle_bprm_ksud'.

Introduces:
int ksu_handle_bprm_ksud(const char *filename, const char *argv1,
const char *envp, size_t envp_len)

which is adapted from:
int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
struct user_arg_ptr *argv,
struct user_arg_ptr *envp,
int *flags)

ksu_handle_bprm_ksud handles all the decision making, it decides when it is
time to apply_kernelsu_rules depending if it sees "second_stage".

For LSM hook, turns out we can pull out argv and envp from mm_struct.
The code in here explains itself on how to do it.

whole blob exists on arg_start to arg_end, so we just pull it out and grab next
array after the first null terminator.

as for envp, we pass the pointer then hunt for it when needed

My reasoning on adding a fallback on usercopy is that on some devices a fault
happens, and it copies garbled data. On my creation of this, I actually had to lock
that _nofault copy on a spinlock as a way to mimic preempt_disable/enable without
actually doing it. As per user reports, no failed _nofault copies anyway but we
have-to-have a fallback for resilience.

References:
- old version1 6efcd81
- old version2 37d5938
- bad usercopy #21

This now provides a small helper function, ksu_copy_from_user_retry, which explains
itself. First we attempt a _nofault copy, if that fails, we try plain.

With that, it also provides an inlined copy_from_user_nofault for < 5.8.

While using strncpy_from_user_nofault was considered, this won't do, this will
only copy up to the first \0.

devlog:
ximi-libra-test/android_kernel_xiaomi_libra@16e5dce...16c1f5f
ximi-mojito-test/mojito_krenol@28642e6...728de0c

References:
https://elixir.bootlin.com/linux/v4.14.1/source/include/linux/mm_types.h#L429
https://elixir.bootlin.com/linux/v4.14.1/source/include/linux/lsm_hooks.h

Stale: tiann#2653

Signed-off-by: backslashxx <[email protected]>

kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656)

On plain ARMv8.0 devices (A53,A57,A73), strncpy_from_user_nofault() sometimes
fails to copy `filename_user` string correctly. This breaks su ofc, breaking
some apps like Termux (Play Store ver), ZArchiver and Root Explorer.

This does NOT seem to affect newer ARMv8.2+ CPUs (A75/A76 and newer)

My speculation? ARMv8.0 has weak speculation :)

here we replace `ksu_strncpy_from_user_nofault` with ksu_strncpy_from_user_retry:
- ksu_strncpy_from_user_nofault as fast-path copy
- fallback to access_ok to validate the pointer + strncpy_from_user
- manual null-termination just in case, as strncpy_from_user_nofault also does it
- remove that memset, seems useless as it is an strncpy, not strncat

basically, we retry on pagefault

for usercopies, it's not like we're doing
	memset(dest, 0, sizeof(dest));
	strncat(dest, var, bytes);

that memset seems unneeded. instead we use strncpy itself to do proper
error and oob check and null term it after.

as for optimizations
- just return early if unauthorized
- commonized logic
- reduced duplication
- migrate from strncpy_from_user to copy_from_user

Tested on:
- ARMv8.0 A73.a53, A57.a53, A53.a53
- ARMv8.2 A76.a55

Stale: tiann#2656

Signed-off-by: backslashxx <[email protected]>

kernel: sucompat: sucompat toggle support for non-kp (tiann#2506)

This is done like how vfs_read_hook, input_hook and execve_hook is disabled.
While this is not exactly the same thing, this CAN achieve the same results.
The complete disabling of all KernelSU hooks.

While this is likely unneeded, it keeps feature parity to non-kprobe builds.

adapted from upstream:
kernel: Allow to re-enable sucompat - tiann@4593ae8

Rejected: tiann#2506

Signed-off-by: backslashxx <[email protected]>

kernel: ksud: provide dummy handlers for old hooks

prevents breaking old builds.

kernel: core_hook: earlier escape_to_root already-root check

micro-opt

Signed-off-by: backslashxx <[email protected]>

kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig

disabling this removes the need for LSM_HOOK_INIT, security_add_hooks and such.
furthermore, this will also allow easier integration on pre-4.1 kernels.
Expose this and make it a configurable option.

Signed-off-by: backslashxx <[email protected]>

kernel: sucompat: provide do_execve_common handler for < 3.14

usage on do_execve_common:
	ksu_legacy_execve_sucompat(&filename, NULL, NULL);

Signed-off-by: backslashxx <[email protected]>

kernel: sucompat: provide getname_flags (user) ultimatum hook

I'm providing this as an option if you want an ultimatum.

Usage:
	ksu_getname_flags_user(&filename, flags);

on entry of getname_flags on namei.c

This can replace exec, faccessat and stat hooks.
I don't recommend it, but it's an option.

Signed-off-by: backslashxx <[email protected]>

kernel: sucompat: provide getname_flags (kernel) ultimatum hook

put me right after strncpy_from_user on getname_flags
on namei.c

	ksu_getname_flags_kernel(&kname, flags);

This can replace exec, faccessat and stat hooks.
I don't recommend it, but it's an option.

Signed-off-by: backslashxx <[email protected]>

kernel: sucompat: provide vfs_statx hook handler >= 5.18

just put
	ksu_handle_vfs_statx((void *)&dfd, &filename, (void *)&flags,
			(void **)&stat, (void *)&request_mask);

on vfs_statx's entry
while this hooks all stat syscalls, this skips usercopy

Signed-off-by: backslashxx <[email protected]>

kernel: kp_ksud: restore kprobes for early-boot and used-once hooks

since kprobes offer dynamic hooking and shit, this is going to be better
on something that we only need temporarily.

this still keeps whole sucompat onto manual hooks as those are performance
sensitive, needed to be permanent and "timeable".

as for these hooks that got hooked here they are only used either only at
boot or on some, used only once.

symbols hooked:

vfs_read
- needed only at boot for read proxy-ing atrace.rc

input_event
- needed only up to like boot_complete, for 3-button-press safemode feature

security_key_permission
- needed for a keygrab on allowlist workaround for kernels below 4.10 and some

sys_execve
- a substitute for security_bprm_check LSM. for reference purposes.
--

as for unregistration, we defer this once boot is completed and then have a kthread
unregister everything.

credits: some of these are just straight up copied from upstream.

Tests:
ximi mi a2 lite, arm64, Linux 4.9
samsung galaxy s3, arm, Linux 3.0
#26

Signed-off-by: backslashxx <[email protected]>

kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704)

- torvalds/linux@af63f41

- SELinux domain transitions under NNP/nosuid environment was introduced in 4.14 by
  the above commit, for older kernels, we need to make sure our domain transitions
  are allowed when calling ksud at boot from the init

- Adapted from tiann#270 (comment)
  tiann@0950fbb

- tiann#1704
  tiann@d664fe3

Difference to tiann's version:
- use a kretprobe to force a 0 return
- grab sids outside of kprobe context to avoid stuckups / hangups

Logs:
daisy:/ # dmesg | grep -E "transition|grab_sids"
[    5.977810] KernelSU: ksud_grab_sids: got init sid: 62
[    5.977907] KernelSU: ksud_grab_sids: got su sid: 537
[    5.980497] KernelSU: kp_ksud: register kretprobe: security_bounded_transition ret: 0
[   32.008560] KernelSU: kp_ksud: security_bounded_transition: allowing init (62) -> su (537)
[   32.008663] type=1401 audit(2247197.199:61): op=security_bounded_transition seresult=denied oldcontext=u:r:init:s0 newcontext=u:r:su:s0
[   36.946527] KernelSU: kp_ksud: security_bounded_transition: allowing init (62) -> su (537)
[   61.202278] KernelSU: kp_ksud: security_bounded_transition: allowing init (62) -> su (537)
[   61.202395] type=1401 audit(1761288080.219:1045): op=security_bounded_transition seresult=denied oldcontext=u:r:init:s0 newcontext=u:r:su:s0
daisy:/ # uname -a
Linux localhost 4.9.337+64-daikura/db23b17 tiann#634 SMP PREEMPT Fri Oct 24 14:37:19 PST 2025 aarch64 Toybox

Signed-off-by: backslashxx <[email protected]>

kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat

This introduces a kretprobe on getname_flags that improves the stealth
and reliability of sucompat feature.

Changes:
- CONFIG_KSU_KRETPROBES_SUCOMPAT option to enable this hooking method
- Hooks getname_flags() via kretprobe to intercept and modify filename->name
  on the return
- prevent timing-based detections since it avoids individual syscall hijacking
  (newfstat vs newfstatat timing detections)
- prevents doing usercopies, which in turn increases reliability on pagefaulty moments

This allows sucompat to operate against anti-root detection techniques known as
- Delayed syscall - KSU (ND)
- sucompat SCA (Disclosure)
- Abnormal Environment (NT)

This is still very experimental, so default n, but yeah, it works.

Related:
- #5 (comment)

Signed-off-by: backslashxx <[email protected]>

kernel: extras: base implementation of avc log spoofing

this exposes a new handler int ksu_handle_slow_avc_audit(u32 *tsid)
which will check if su_sid is going to be printed on the audit log.

Usage:
	ksu_handle_slow_avc_audit(&tsid);

on slow_avc_audit() on security/selinux/avc.c
This way, we replace sid right before that struct is created.

This can also be implemented in kprobes which will be on next commit.

Signed-off-by: backslashxx <[email protected]>

kernel: extras/avc_spoof: add kprobe support

I'll just paste code comments.
I've already done this standalone on
https://github.com/backslashxx/selinux_avc_spoof_lkm

--
just pass both arg2 and arg3 to original handler
this removes all the headache.
for < 4.17 int slow_avc_audit(u32 ssid, u32 tsid
for >= 4.17 int slow_avc_audit(struct selinux_state *state, u32 ssid, u32 tsid
for >= 6.4 int slow_avc_audit(u32 ssid, u32 tsid
not to mention there's also DKSU_HAS_SELINUX_STATE
since it's hard to make sure this selinux state thing
cross crossing with 4.17 ~ 6.4's where slow_avc_audit
changes abi (tsid in arg2 vs arg3)
lets just pass both to the handler

Signed-off-by: backslashxx <[email protected]>

kernel: ksud: provide is_ksu_transition check v2

context: this is known by many as `selinux hook`, `4.9 hook`

add is_ksu_transition check which allows ksud execution under nosuid.
it also eases up integration on 3.X kernels that do not have check_nnp_nosuid.

Usage:
	if (is_ksu_transition(old_tsec, new_tsec))
		return 0;

on either check_nnp_nosuid or selinux_bprm_set_creds (after execve sid reset)

reference: https://github.com/backslashxx/msm8953-kernel/commits/dfe003c9fdfa394a2bffe74668987a19a0d2f546

taken from:
`allow init exec ksud under nosuid`
- LineageOS/android_kernel_oneplus_msm8998@3df9df4
- tiann#166 (comment)

250611-edit:
- remove ksu_execveat_hook entry check
- turns out some devices need the transition multiple times

Reported-by: edenadversary <[email protected]>
Signed-off-by: backslashxx <[email protected]>

kernel: apk_sign: casting to char for strcmp -> memcmp

style thing

Signed-off-by: backslashxx <[email protected]>

kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek

seems it has the same abi anyway and this is what syscalls use
this is to handle shitty backports common on 3.x
vfs_llseek falls back to generic anyway depending on filesystem's f_op

https://elixir.bootlin.com/linux/v3.10.108/source/fs/read_write.c#L225

Signed-off-by: backslashxx <[email protected]>

kernel: core_hook: no ext4_unregister_sysfs, no problem

If ext4_unregister_sysfs ain't there, we don't care.

This is mostly for UL builds.

Signed-off-by: backslashxx <[email protected]>

kernel: ksud: d_is_reg to S_ISREG

d_is_reg requires 4.0
 - torvalds/linux@e36cb0b
S_ISREG is still there on 6.15 so I do NOT see any issues forcing it for all.

Signed-off-by: backslashxx <[email protected]>

kernel: Makefile: remove overlayfs requirement

as title

Signed-off-by: backslashxx <[email protected]>

kernel: throne_tracker: resolve s_magic for < 3.9

throne_tracker, cross-fs avoidance:
f_inode is f_path.dentry->d_inode
so file->f_inode->i_sb->s_magic is file->f_path.dentry->d_inode->i_sb->s_magic

Signed-off-by: backslashxx <[email protected]>

kernel: ksud: handle conditional read_iter requirement for < 3.16

nothing uses this on old kernels, so even backporting this to file_operations
is not really needed
though if it is found, we probably need to proxy it

https://elixir.bootlin.com/linux/v3.16/source/include/linux/fs.h#L1463

Signed-off-by: backslashxx <[email protected]>

kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18

Clang splats the following:

drivers/kernelsu/throne_tracker.c:237:47: error: incompatible function pointer types initializing 'const filldir_t' (aka 'int (*const)(void *, const char *, int, long long, unsigned long long, unsigned int)') with an expression of type 'int (struct dir_context *, const char *, int, loff_t, u64, unsigned int)' (aka 'int (struct dir_context *, const char *, int, long long, unsigned long long, unsigned int)') [-Wincompatible-function-pointer-types]
  237 |                         struct my_dir_context ctx = { .ctx.actor = my_actor,
      |                                                                    ^~~~~~~~
1 error generated.

reference:
- 3.18: https://elixir.bootlin.com/linux/v3.18/source/include/linux/fs.h#L1469
- 3.19: https://elixir.bootlin.com/linux/v3.19/source/include/linux/fs.h#L1489

so just pass as void, then cast it back

ximi-libra-test/android_kernel_xiaomi_libra@036c532

Signed-off-by: backslashxx <[email protected]>

kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11

I'll just copy what I put in comments originally:
7a87f5c

this is backported on msm-3.10 though SO YEAH WE STILL USE IT IF ITS THERE !! (ref: Makefile)
but we have to try to follow what upstream linux is, and it is only added on 3.11
need to inline struct dir_context since this doesn't exist pre-iterate_dir era!

ref: torvalds/linux@5c0ba4e
analysis:

int kernel_iterate_dir(struct file *file, struct dir_context *ctx) -> res = readdir(file, ctx, ctx->actor);  ++++ file, struct -> file, struct, struct->member
int vfs_readdir(struct file *file, filldir_t filler, void *buf) -> res = readdir(file, buf, filler); file, ??, ?? +++ 1 3 2

Signed-off-by: backslashxx <[email protected]>

kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8

I'll just put original inlined comments:
939f0fb
hunt from start_stack
we start 32 bytes deep and double on every iteration
coming from start_stack downwards
we normally get one on the first iteration anyway
so the loop is just for resilience

--
this removes the need for backporting current_user_stack_pointer
for sub 3.8 kernels.
while it looks like a bad meme, this works so yeah.

Signed-off-by: backslashxx <[email protected]>

kernel: apk_sign: provide bin2hex compat for < 3.18

from 3.18-rc1:
- Provide a binary to hex conversion function
  - torvalds/linux@53d91c5

for this one, also use pack_hex_byte instead of hex_byte_pack for 3.0
it's there just marked deprecated on 3.3 to 3.16
and since nobody has 3.17 on android, it's fine to
miss that doesn't have bin2hex and no more pack_hex_byte either.
since UL is only like, 3.0, 3.4, 3.10, 3.18

Signed-off-by: backslashxx <[email protected]>

kernel: throne_tracker: add strscpy pseudo-compat for < 4.3

strscpy requires 4.3
strscpy on this usage can be replaced with strncpy + null term.

and since this call doesn't really care about the return value, we only need
a terminated copy, so this is good enough

Signed-off-by: backslashxx <[email protected]>

kernel: apk_sign: fix return check for ksu_sha256

upstream used IS_ERR to check for negative return and that is int,
so correct it.

This is one headache for old compilers.

Signed-off-by: backslashxx <[email protected]>

kernel: handle backports

It is a common thing on the scene to backport things, so this breaks kernel versioning
assumptions. As for those, we have to scan and check kernel source.

The following are commonly backported:
 - path_umount:
	context: tiann#1464 (comment)
	apply: xiaomi-sdm678/android_kernel_xiaomi_mojito@2d51422

 - probe_user_read / copy_from_user_nofault
	gregkh/linux@3d70818
	gregkh/linux@c0ee37e

 - kernel_read / kernel_write
 	< 4.14, backport chain, tested on 4.9
 	torvalds/linux@e13ec93
	torvalds/linux@bdd1d2d
	torvalds/linux@c41fbad
	torvalds/linux@ac452ac

- hint, `curl $url.patch | git am`

Signed-off-by: backslashxx <[email protected]>

kernel: apk_sign: add more size/hash pairs

this will make it support
- this repo's manager
- official manager, but I guess up to 1.0.1 for non-gki
- 5ec1cff's MKSU
- KernelSU NEXT
- kowx712's MKSU
- rsuntk's MKSU
- SukiSU-Ultra

kernel: ksu: printout quirks / backports / etc on init

Signed-off-by: backslashxx <[email protected]>

not implemented

Co-Authored-By: ExtremeXT <[email protected]>
Co-Authored-By: backslashxx <[email protected]>
Co-Authored-By: Yaroslav Zviezda <[email protected]>
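
The argv extraction described in the `ksu_handle_bprm_ksud` commit message above (copy the bytes between arg_start and arg_end, then take the string after the first null terminator), modelled in userspace C as an added example; it is not code from that commit or from KernelSU. The helper names `arg_blob_get` and `argv1_is` and the sample blobs are hypothetical. It shows the bounds check the approach needs: the argument area is process-writable memory, so a string whose terminator is not inside the copied range must be rejected rather than passed to `strcmp`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Userspace model: `blob`/`len` stand for a kernel-side copy of the bytes
 * between mm->arg_start and mm->arg_end (argv strings, each NUL-terminated,
 * laid out back to back). Returns argv[index] inside the blob, or NULL when
 * that argument is missing or its terminator is not within `len`.
 */
static const char *arg_blob_get(const char *blob, size_t len, size_t index)
{
	size_t pos = 0;

	while (pos < len) {
		/* Search only the bytes that were actually copied. */
		const char *end = memchr(blob + pos, '\0', len - pos);

		if (!end)
			return NULL;	/* unterminated tail: not a usable string */
		if (index == 0)
			return blob + pos;
		index--;
		pos = (size_t)(end - blob) + 1;	/* skip past this terminator */
	}
	return NULL;
}

/* 1 if argv[1] exists, is terminated inside the blob, and equals `want`. */
static int argv1_is(const char *blob, size_t len, const char *want)
{
	const char *argv1 = arg_blob_get(blob, len, 1);

	return argv1 != NULL && strcmp(argv1, want) == 0;
}

/* Constructed sample blobs (not captured from a device). */
static const char sample_second_stage[] = "/system/bin/init\0second_stage";
static const char sample_no_args[] = "/system/bin/init";

int main(void)
{
	/* Full blob: argv[1] is present and terminated. */
	printf("full blob:      %d\n",
	       argv1_is(sample_second_stage, sizeof(sample_second_stage),
			"second_stage"));
	/* Same bytes with the final NUL cut off: argv[1] must be rejected. */
	printf("truncated blob: %d\n",
	       argv1_is(sample_second_stage, sizeof(sample_second_stage) - 1,
			"second_stage"));
	/* Only argv[0] present. */
	printf("no argv[1]:     %d\n",
	       argv1_is(sample_no_args, sizeof(sample_no_args),
			"second_stage"));
	return 0;
}
```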
Prslc pushed a commit to Prslc/KernelSU that referenced this pull request Oct 31, 2025
… RCU lock usage in handle_sepolicy() (tiann#2695)

Signed-off-by: Tashfin Shakeer Rhythm <[email protected]>