
kernel: fix root_groups defs #3028

Merged: Ylarod merged 1 commit into tiann:main from aaaaaaaa-815:patch-2 on Dec 15, 2025

@aaaaaaaa-815

Contributor

@Ylarod

Ylarod commented Dec 3, 2025

Collaborator

we never use gcc

@aaaaaaaa-815

Contributor Author

> we never use gcc

Well, actually it's a change in kernel 6.7, but it can compile when using clang

@CoelacanthusHex


IMO

  1. It should be intro, since upstream changed the type indeed. And the implementation of refcount_t may change in the future.
  2. In the current kernel and ksu implementations, it didn't violate any rule of C; it uses nested initialization (allowing a flattened brace init list to init a nested struct).

     ```c
     typedef struct {
     	int counter;
     } atomic_t;

     /* typedef added so that refcount_t names a type, as in the kernel */
     typedef struct refcount_struct {
     	atomic_t refs;
     } refcount_t;

     // What REFCOUNT_INIT(0) does
     refcount_t x = { .refs = 0 };

     // What ATOMIC_INIT(0) does (second variable renamed so both declarations compile)
     refcount_t y = { 0 };

     // The two forms above are equal.
     ```
  3. Please attach the build output and the GCC version you used. There may be a bug in GCC.
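Added example (not part of the PR or of any comment above): a userspace C model of the two initializer forms discussed in the preceding comment, extended to show what a flat initializer does if the struct layout ever changes. The types are simplified stand-ins for the kernel definitions; `refcount_future_t` and `REFCOUNT_FUTURE_INIT` are hypothetical and exist only for this illustration.

```c
#include <stdio.h>

/* Simplified userspace models of the kernel types quoted above. */
typedef struct { int counter; } atomic_t;
typedef struct refcount_struct { atomic_t refs; } refcount_t;

#define ATOMIC_INIT(i)   { (i) }
#define REFCOUNT_INIT(n) { .refs = ATOMIC_INIT(n), }

/* Hypothetical future layout (assumption, not a real kernel type):
 * another member is placed in front of the counter. */
typedef struct { int flags; atomic_t refs; } refcount_future_t;
#define REFCOUNT_FUTURE_INIT(n) { .refs = ATOMIC_INIT(n), }

/* Current layout, flat initializer: brace elision lets the single value
 * fall through refs into refs.counter. */
int current_layout_flat(void)
{
	refcount_t r = ATOMIC_INIT(2);
	return r.refs.counter;
}

/* Current layout, designated initializer: names the member explicitly. */
int current_layout_designated(void)
{
	refcount_t r = REFCOUNT_INIT(2);
	return r.refs.counter;
}

/* Future layout, flat initializer: the value now lands in the first
 * member (flags) and the counter is zero-initialized. No diagnostic
 * is required for this. */
int future_layout_flat_counter(void)
{
	refcount_future_t r = ATOMIC_INIT(2);
	return r.refs.counter;
}

int future_layout_flat_flags(void)
{
	refcount_future_t r = ATOMIC_INIT(2);
	return r.flags;
}

/* Future layout, type-matched initializer: still sets the counter. */
int future_layout_designated(void)
{
	refcount_future_t r = REFCOUNT_FUTURE_INIT(2);
	return r.refs.counter;
}

int main(void)
{
	printf("current: flat=%d designated=%d\n",
	       current_layout_flat(), current_layout_designated());
	printf("future:  flat counter=%d flags=%d, designated counter=%d\n",
	       future_layout_flat_counter(), future_layout_flat_flags(),
	       future_layout_designated());
	return 0;
}
```

With the current layout both forms produce the same object; with the hypothetical layout only the initializer that matches the field's type keeps the reference count correct.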

@Ylarod Ylarod changed the title from "fix error when using gnu-gcc" to "kernel: fix root_groups defs" Dec 15, 2025
@Ylarod Ylarod merged commit 67833c2 into tiann:main Dec 15, 2025
15 checks passed
@aaaaaaaa-815 aaaaaaaa-815 deleted the patch-2 branch December 16, 2025 14:35
RapliVx pushed a commit to RapliVx/KernelSU that referenced this pull request Jan 26, 2026
-Cherry-picked and squashed from:
 https://github.com/pershoot/KernelSU-Next/tree/dev-susfs

.....

kernel (susfs (v2.0.0)): Synced with official KernelSU main repo

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Mon Dec 15 20:03:01 2025 +0800

- See tiann@c95c2d7

-Makefile -> Kbuild (build-time info.)
-Accommodate:
 'Add mount namespace support 添加挂载命名空间支持 (tiann#2909)'
 'kernel: fix root_groups defs (tiann#3028)'
 'sulogv2'
 'kernel, ksud, manager: Remove enhanced security feature'
 (https://github.com/KernelSU-Next/KernelSU-Next/pull/1035/commits)
 'Explicitly check zygote start in execve hook'
 'selinux: Cache SID lookups for domain checks'
 'kernel: ksud: Refine rc injection'
 'kernel: supercalls: expose spoof uname function to userspace'

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Let ksud bootstrap

Author: pershoot <190600+pershoot@users.noreply.github.com>
Date:   Mon Dec 29 21:36:12 2025 -0500

-Do not short-circuit; this will cause loss of root if this returns
 early (like on my / few specific device(s)) due to timing differences
 during init.

kernel (susfs (v2.0.0)): Fixed ksu features not enabled and ksu fd not released

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Wed Dec 17 00:16:34 2025 +0800

-Synced with official KernelSU main repo

- See tiann@91ed4ea

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Fixed compile error

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sun Dec 21 01:30:55 2025 +0800

-Synced with official KernelSU main repo

- See tiann@3d73f89

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Synchronize with upstream

Author: pershoot <190600+pershoot@users.noreply.github.com>
Date:   Tue Dec 30 06:39:56 2025 -0500

-'kernel (susfs (v2.0.0)): Let ksud bootstrap' ->
 'KernelSU: Fixed root not accessible on some Samsung devices and AOSP devices'
 -Init. call at end; amend / add comments

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Fixed selinux issues by the fix from upstream

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Wed Dec 31 09:05:32 2025 +0800

-Remove ksu_enhanced_security_enabled check in ksu_handle_setresuid()
 since it may lead to side channel detection

- For selinux issues,
  see tiann@f71d011

- For ksu_enhanced_security_enabled issue,
  Now no matter what value is set for the toggle "Enable enhanced security" in ksu manager,
  it will NOT be effective nor used to check in ksu_handle_setresuid()

-Note: This was partially taken care of in:
       'kernel (susfs (v2.0.0)): Synced with official KernelSU main repo'
       coinciding with:
       'kernel, ksud, manager: Remove enhanced security feature'
       (https://github.com/KernelSU-Next/KernelSU-Next/pull/1035/commits)

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel & KernelSU (susfs (v2.0.0)): Added newfstatat syscall hook for handling latest Android Canary

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sun Jan 11 21:48:35 2026 +0800

-Synced with official KernelSU main repo

- See tiann@df64091

-Note: Some of this was taken care of in:
       'kernel (susfs (v2.0.0)): Synced with official KernelSU main repo'
       to coincide with:
       'kernel: ksud: Refine rc injection, fix issue of Android Canary 2601'

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Fix stat issue when injecting to init.rc for latest Android Canary and qpr3 beta2

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sat Jan 17 21:38:43 2026 +0800

- Sorry for my blinded eyes again since I did not read the references by the upstream fix carefully, it should hook fstat instead of newfstatat, and by hooking vfs_fstat we do not need to care which syscall family it uses

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Refined and renamed hide_sus_mnts_for_all_procs to hide_sus_mnts_for_non_su_procs

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Tue Jan 20 11:53:55 2026 +0800

- There is no good reason to even hide the sus mounts for su process at all and it makes ReZygisk not able to determine what to umount.

- Now it can prevent zygote itself from caching the sus mounts while at the same time ReZygisk can still see them simply because the job is done by its daemon process which is running with su context.

- So now the scenarios become like this:
      1. No Zygisk enabled / ReZygisk enabled but without TreatWheel module => Enable hide_sus_mnts_for_non_su_procs in post-fs-data.sh, then disable hide_sus_mnts_for_non_su_procs in boot-completed.sh or leave it enabled.
      2. [Zygisk Next|Rezygisk + TreatWheel|NeoZygisk] enabled => No need to enable/disable hide_sus_mnts_for_non_su_procs since they can handle traces left by zygote already.

** Friendly reminder **
- It is suggested to disable hide_sus_mnts_for_non_su_procs in boot-completed.sh since having it enabled will cause a bit more overheads unless there are sus mounts you do not want them to be umounted but do want them to be just hidden from proc mounts.

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Remove duplicated log and changed to a proper log message

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Wed Jan 21 12:56:39 2026 +0800

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1
LeCmnGend pushed a commit to LeCmnGend/KernelSU that referenced this pull request Feb 23, 2026
-Cherry-picked and squashed from:
 https://github.com/pershoot/KernelSU-Next/tree/dev-susfs

.....

kernel (susfs (v2.0.0)): Synced with official KernelSU main repo

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Mon Dec 15 20:03:01 2025 +0800

- See tiann@c95c2d7

-Makefile -> Kbuild (build-time info.)
-Accommodate:
 'Add mount namespace support 添加挂载命名空间支持 (tiann#2909)'
 'kernel: fix root_groups defs (tiann#3028)'
 'sulogv2'
 'kernel, ksud, manager: Remove enhanced security feature'
 (https://github.com/KernelSU-Next/KernelSU-Next/pull/1035/commits)
 'Explicitly check zygote start in execve hook'
 'selinux: Cache SID lookups for domain checks'
 'kernel: ksud: Refine rc injection'
 'kernel: supercalls: expose spoof uname function to userspace'
 'kernel: Fix setup_selinux using __task_cred directly'

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Let ksud bootstrap

Author: pershoot <190600+pershoot@users.noreply.github.com>
Date:   Mon Dec 29 21:36:12 2025 -0500

-Do not short-circuit; this will cause loss of root if this returns
 early (like on my / few specific device(s)) due to timing differences
 during init.

kernel (susfs (v2.0.0)): Fixed ksu features not enabled and ksu fd not released

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Wed Dec 17 00:16:34 2025 +0800

-Synced with official KernelSU main repo

- See tiann@91ed4ea

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Fixed compile error

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sun Dec 21 01:30:55 2025 +0800

-Synced with official KernelSU main repo

- See tiann@3d73f89

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Synchronize with upstream

Author: pershoot <190600+pershoot@users.noreply.github.com>
Date:   Tue Dec 30 06:39:56 2025 -0500

-'kernel (susfs (v2.0.0)): Let ksud bootstrap' ->
 'KernelSU: Fixed root not accessible on some Samsung devices and AOSP devices'
 -Init. call at end; amend / add comments

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Fixed selinux issues by the fix from upstream

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Wed Dec 31 09:05:32 2025 +0800

-Remove ksu_enhanced_security_enabled check in ksu_handle_setresuid()
 since it may lead to side channel detection

- For selinux issues,
  see tiann@f71d011

- For ksu_enhanced_security_enabled issue,
  Now no matter what value is set for the toggle "Enable enhanced security" in ksu manager,
  it will NOT be effective nor used to check in ksu_handle_setresuid()

-Note: This was partially taken care of in:
       'kernel (susfs (v2.0.0)): Synced with official KernelSU main repo'
       coinciding with:
       'kernel, ksud, manager: Remove enhanced security feature'
       (https://github.com/KernelSU-Next/KernelSU-Next/pull/1035/commits)

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel & KernelSU (susfs (v2.0.0)): Added newfstatat syscall hook for handling latest Android Canary

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sun Jan 11 21:48:35 2026 +0800

-Synced with official KernelSU main repo

- See tiann@df64091

-Note: Some of this was taken care of in:
       'kernel (susfs (v2.0.0)): Synced with official KernelSU main repo'
       to coincide with:
       'kernel: ksud: Refine rc injection, fix issue of Android Canary 2601'

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Fix stat issue when injecting to init.rc for latest Android Canary and qpr3 beta2

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sat Jan 17 21:38:43 2026 +0800

- Sorry for my blinded eyes again since I did not read the references by the upstream fix carefully, it should hook fstat instead of newfstatat, and by hooking vfs_fstat we do not need to care which syscall family it uses

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Refined and renamed hide_sus_mnts_for_all_procs to hide_sus_mnts_for_non_su_procs

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Tue Jan 20 11:53:55 2026 +0800

- There is no good reason to even hide the sus mounts for su process at all and it makes ReZygisk not able to determine what to umount.

- Now it can prevent zygote itself from caching the sus mounts while at the same time ReZygisk can still see them simply because the job is done by its daemon process which is running with su context.

- So now the scenarios become like this:
      1. No Zygisk enabled / ReZygisk enabled but without TreatWheel module => Enable hide_sus_mnts_for_non_su_procs in post-fs-data.sh, then disable hide_sus_mnts_for_non_su_procs in boot-completed.sh or leave it enabled.
      2. [Zygisk Next|Rezygisk + TreatWheel|NeoZygisk] enabled => No need to enable/disable hide_sus_mnts_for_non_su_procs since they can handle traces left by zygote already.

** Friendly reminder **
- It is suggested to disable hide_sus_mnts_for_non_su_procs in boot-completed.sh since having it enabled will cause a bit more overheads unless there are sus mounts you do not want them to be umounted but do want them to be just hidden from proc mounts.

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Remove duplicated log and changed to a proper log message

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Wed Jan 21 12:56:39 2026 +0800

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel & KernelSU (susfs (v2.0.0)): Replaced susfs_is_boot_completed_triggered with susfs_is_sdcard_android_data_decrypted

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Mon Feb 2 14:13:08 2026 +0800

-Sync with the official KernelSU main repo

- 1st scene: There will be still some processes spawned by init after /data is decrypted, these processes will still go through the sucompat checks which takes more CPU cycle.

  2nd scene: There can be some mounts mounted after /data is decrypted like yt rvx module, these mounts will leave a mnt_id gap or mnt_group_id gap if it is not a bind mount.

  So to mark no sucompat checks for all init spawned processes, and to capture the ksu mounts and leave no mnt_id/mnt_group_id gaps as much as possible, here we start a kthread after boot-completed stage to keep monitoring the accessibility of path /sdcard/Android/data in loop per 5 seconds with maximum 60 attempts. When it is accessible, we sleep for 5 more seconds just in case there are still some modules mounting stuff. On the contrary, the path will still be deemed as accessible after 60 failed attempts just to prevent infinite loop

- For upstream commit, see tiann@35d8162

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Various fixes for SUS_PATH and SUS_MOUNT

-plus overall code improvement and optimization

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sat Feb 14 01:06:42 2026 +0800

- Remove the need of flagging /sdcard or /sdcard/Android/data, so we can just do "ksu_susfs add_sus_path </sdcard/TWRP|/sdcard/Android/data/com.example.myapp" for example. To completely prevent unicode exploit users can pick up the patches from here if needed: https://github.com/WildKernels/kernel_patches/blob/main/common/unicode_bypass_fix_6.1%2B.patch / https://github.com/WildKernels/kernel_patches/blob/main/common/unicode_bypass_fix_6.1-.patch

- To deal with FUSE based path, first we check for the inode->i_sb->s_magic, if its magic is FUSE, then we use get_fuse_inode(inode) API to retrieve its fuse inode and flag SUS_PATH on fi->i_mapping->flags.

- Remove overall overheads as we can now get rid of linked list to check for sus path in "/sdcard" and "/sdcard/Android/data", however, for add_sus_path_loop we still need it. But we can consider to use userspace inotify to watch specific paths and pass list of paths to add_sus_path when needed, that will reduce the overheads of iterating the SUS_PATH_LOOP linked list every time zygote spawns a new process.

- Apply only on proc with uid >= 10000 and marked umounted.

- Fixed deadlock and race issues, see 4803afa7 and 068ebeb3

- d_lookup(), __d_lookup() and __d_lookup_rcu() will just return NULL if no dcache is found, so we can just dput() the dentry and set it to NULL, no need to do extra lookup with fake qstr.

- Use d_lookup_done(dentry) to make sure "dentry->d_flags &= ~DCACHE_PAR_LOOKUP" and "dentry->d_wait = NULL" if it is found sus, and re-use DECLARE_WAIT_QUEUE_HEAD_ONSTACK(wq);

- Fix several race issues by using proper locks:
  down_read(&namespace_sem); // needed when manipulating mnt_namespace
  lock_ns_list(mnt_ns); // needed when traversing mnt_ns->list
  lock_mount_hash(); // needed when modifying mount

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1
LeCmnGend pushed a commit to LeCmnGend/KernelSU that referenced this pull request Feb 23, 2026
- See tiann@c95c2d7

-Makefile -> Kbuild (build-time info.)
-Accommodate:
 'Add mount namespace support 添加挂载命名空间支持 (tiann#2909)'
 'kernel: fix root_groups defs (tiann#3028)'
 'sulogv2'
 'kernel, ksud, manager: Remove enhanced security feature'
 (https://github.com/KernelSU-Next/KernelSU-Next/pull/1035/commits)
 'Explicitly check zygote start in execve hook'
 'selinux: Cache SID lookups for domain checks'
 'kernel: ksud: Refine rc injection'
 'kernel: supercalls: expose spoof uname function to userspace'
 'kernel: Fix setup_selinux using __task_cred directly'

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1
LeCmnGend pushed a commit to LeCmnGend/KernelSU that referenced this pull request Feb 25, 2026
- See tiann@c95c2d7

-Makefile -> Kbuild (build-time info.)
-Accommodate:
 'Add mount namespace support 添加挂载命名空间支持 (tiann#2909)'
 'kernel: fix root_groups defs (tiann#3028)'
 'sulogv2'
 'kernel, ksud, manager: Remove enhanced security feature'
 (https://github.com/KernelSU-Next/KernelSU-Next/pull/1035/commits)
 'Explicitly check zygote start in execve hook'
 'selinux: Cache SID lookups for domain checks'
 'kernel: ksud: Refine rc injection'
 'kernel: supercalls: expose spoof uname function to userspace'
 'kernel: Fix setup_selinux using __task_cred directly'

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1
LeCmnGend pushed a commit to LeCmnGend/KernelSU that referenced this pull request Mar 4, 2026
-Cherry-picked and squashed from:
 https://github.com/pershoot/KernelSU-Next/tree/dev-susfs

.....

kernel (susfs (v2.0.0)): Synced with official KernelSU main repo

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Mon Dec 15 20:03:01 2025 +0800

- See tiann@c95c2d7

-Makefile -> Kbuild (build-time info.)
-Accommodate:
 'Add mount namespace support 添加挂载命名空间支持 (tiann#2909)'
 'kernel: fix root_groups defs (tiann#3028)'
 'sulogv2'
 'kernel, ksud, manager: Remove enhanced security feature'
 (https://github.com/KernelSU-Next/KernelSU-Next/pull/1035/commits)
 'Explicitly check zygote start in execve hook'
 'selinux: Cache SID lookups for domain checks'
 'kernel: ksud: Refine rc injection'
 'kernel: supercalls: expose spoof uname function to userspace'
 'kernel: Fix setup_selinux using __task_cred directly'
 'kernel: use rcu to access allowlist, refactor get allowlist api'

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Let ksud bootstrap

Author: pershoot <190600+pershoot@users.noreply.github.com>
Date:   Mon Dec 29 21:36:12 2025 -0500

-Do not short-circuit; this will cause loss of root if this returns
 early (like on my / few specific device(s)) due to timing differences
 during init.

kernel (susfs (v2.0.0)): Fixed ksu features not enabled and ksu fd not released

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Wed Dec 17 00:16:34 2025 +0800

-Synced with official KernelSU main repo

- See tiann@91ed4ea

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Fixed compile error

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sun Dec 21 01:30:55 2025 +0800

-Synced with official KernelSU main repo

- See tiann@3d73f89

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Synchronize with upstream

Author: pershoot <190600+pershoot@users.noreply.github.com>
Date:   Tue Dec 30 06:39:56 2025 -0500

-'kernel (susfs (v2.0.0)): Let ksud bootstrap' ->
 'KernelSU: Fixed root not accessible on some Samsung devices and AOSP devices'
 -Init. call at end; amend / add comments

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Fixed selinux issues by the fix from upstream

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Wed Dec 31 09:05:32 2025 +0800

-Remove ksu_enhanced_security_enabled check in ksu_handle_setresuid()
 since it may lead to side channel detection

- For selinux issues,
  see tiann@f71d011

- For ksu_enhanced_security_enabled issue,
  Now no matter what value is set for the toggle "Enable enhanced security" in ksu manager,
  it will NOT be effective nor used to check in ksu_handle_setresuid()

-Note: This was partially taken care of in:
       'kernel (susfs (v2.0.0)): Synced with official KernelSU main repo'
       coinciding with:
       'kernel, ksud, manager: Remove enhanced security feature'
       (https://github.com/KernelSU-Next/KernelSU-Next/pull/1035/commits)

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel & KernelSU (susfs (v2.0.0)): Added newfstatat syscall hook for handling latest Android Canary

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sun Jan 11 21:48:35 2026 +0800

-Synced with official KernelSU main repo

- See tiann@df64091

-Note: Some of this was taken care of in:
       'kernel (susfs (v2.0.0)): Synced with official KernelSU main repo'
       to coincide with:
       'kernel: ksud: Refine rc injection, fix issue of Android Canary 2601'

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Fix stat issue when injecting to init.rc for latest Android Canary and qpr3 beta2

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sat Jan 17 21:38:43 2026 +0800

- Sorry for my blinded eyes again since I did not read the references by the upstream fix carefully, it should hook fstat instead of newfstatat, and by hooking vfs_fstat we do not need to care which syscall family it uses

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Refined and renamed hide_sus_mnts_for_all_procs to hide_sus_mnts_for_non_su_procs

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Tue Jan 20 11:53:55 2026 +0800

- There is no good reason to even hide the sus mounts for su process at all and it makes ReZygisk not able to determine what to umount.

- Now it can prevent zygote itself from caching the sus mounts while at the same time ReZygisk can still see them simply because the job is done by its daemon process which is running with su context.

- So now the scenarios become like this:
      1. No Zygisk enabled / ReZygisk enabled but without TreatWheel module => Enable hide_sus_mnts_for_non_su_procs in post-fs-data.sh, then disable hide_sus_mnts_for_non_su_procs in boot-completed.sh or leave it enabled.
      2. [Zygisk Next|Rezygisk + TreatWheel|NeoZygisk] enabled => No need to enable/disable hide_sus_mnts_for_non_su_procs since they can handle traces left by zygote already.

** Friendly reminder **
- It is suggested to disable hide_sus_mnts_for_non_su_procs in boot-completed.sh since having it enabled will cause a bit more overheads unless there are sus mounts you do not want them to be umounted but do want them to be just hidden from proc mounts.

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Remove duplicated log and changed to a proper log message

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Wed Jan 21 12:56:39 2026 +0800

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel & KernelSU (susfs (v2.0.0)): Replaced susfs_is_boot_completed_triggered with susfs_is_sdcard_android_data_decrypted

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Mon Feb 2 14:13:08 2026 +0800

-Sync with the official KernelSU main repo

- 1st scene: There will be still some processes spawned by init after /data is decrypted, these processes will still go through the sucompat checks which takes more CPU cycle.

  2nd scene: There can be some mounts mounted after /data is decrypted like yt rvx module, these mounts will leave a mnt_id gap or mnt_group_id gap if it is not a bind mount.

  So to mark no sucompat checks for all init spawned processes, and to capture the ksu mounts and leave no mnt_id/mnt_group_id gaps as much as possible, here we start a kthread after boot-completed stage to keep monitoring the accessibility of path /sdcard/Android/data in loop per 5 seconds with maximum 60 attempts. When it is accessible, we sleep for 5 more seconds just in case there are still some modules mounting stuff. On the contrary, the path will still be deemed as accessible after 60 failed attempts just to prevent infinite loop

- For upstream commit, see tiann@35d8162

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Various fixes for SUS_PATH and SUS_MOUNT

-plus overall code improvement and optimization

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sat Feb 14 01:06:42 2026 +0800

- Remove the need of flagging /sdcard or /sdcard/Android/data, so we can just do "ksu_susfs add_sus_path </sdcard/TWRP|/sdcard/Android/data/com.example.myapp" for example. To completely prevent unicode exploit users can pick up the patches from here if needed: https://github.com/WildKernels/kernel_patches/blob/main/common/unicode_bypass_fix_6.1%2B.patch / https://github.com/WildKernels/kernel_patches/blob/main/common/unicode_bypass_fix_6.1-.patch

- To deal with FUSE based path, first we check for the inode->i_sb->s_magic, if its magic is FUSE, then we use get_fuse_inode(inode) API to retrieve its fuse inode and flag SUS_PATH on fi->i_mapping->flags.

- Remove overall overheads as we can now get rid of linked list to check for sus path in "/sdcard" and "/sdcard/Android/data", however, for add_sus_path_loop we still need it. But we can consider to use userspace inotify to watch specific paths and pass list of paths to add_sus_path when needed, that will reduce the overheads of iterating the SUS_PATH_LOOP linked list every time zygote spawns a new process.

- Apply only on proc with uid >= 10000 and marked umounted.

- Fixed deadlock and race issues, see 4803afa7 and 068ebeb3

- d_lookup(), __d_lookup() and __d_lookup_rcu() will just return NULL if no dcache is found, so we can just dput() the dentry and set it to NULL, no need to do extra lookup with fake qstr.

- Use d_lookup_done(dentry) to make sure "dentry->d_flags &= ~DCACHE_PAR_LOOKUP" and "dentry->d_wait = NULL" if it is found sus, and re-use DECLARE_WAIT_QUEUE_HEAD_ONSTACK(wq);

- Fix several race issues by using proper locks:
  down_read(&namespace_sem); // needed when manipulating mnt_namespace
  lock_ns_list(mnt_ns); // needed when traversing mnt_ns->list
  lock_mount_hash(); // needed when modifying mount

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Fix various bugs and overall improvement for SUS_PATH and SUS_MOUNT

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sun Feb 22 02:59:13 2026 +0800

 ## SUS_MOUNT ##
- In the end, the mnt_id is not guaranteed to allocated sequentially for a namespace, this happens even on newer stock locked devices, and mnt_group_id gap is the only one we really need to care for, real world apps should not rely on mnt_id gaps for root detections.

- Re-use the mnt_id_ida to assign fake mnt_id with the minimum mnt_id set to DEFAULT_UNSHARE_KSU_MNT_ID (default 600000) for mounts unshared by ksu process and DEFAULT_KSU_MNT_ID (default 500000) for mounts created or single cloned by ksu process, so we no longer need to hook mnt_free_id().

- Spoof sus mount in vfs_statfs and proc fdinfo only when current proc is marked umounted and current uid >= 10000.

 ## SUS_PATH ##
- There should be no dput() after __d_lookup_rcu() if sus dentry is found, since __d_lookup_rcu() does not take the dentry->d_lockref.count.

- Also we need to check if dentry is being looked up after d_alloc_parallel(), if so we need to call d_lookup_done() on it to clear its waitqueue head and flag DCACHE_PAR_LOOKUP.

- susfs_run_sus_path_loop() should be run with ksu_cred so that it can reach all the paths without selinux issues, run it right after kernel umount is finished.

- Remove the rcu protect for susfs_add_sus_path_loop() since it triggers the voluntary context switch bug, and without rcu it is still safe from using spin_lock and empty path check since it only supports adding entry for now, and it has way less overheads. For better implementations, we may hand it to userspace to use like inotify to monitor the parent dir of the sus path and add the target path via add_sus_path only when inotified parent dir receive event changes, this can cut off more unnecessary loops on each process spawned by zygote.

 ## Others ##
- Add susfs_is_current_proc_umounted_app(), used to check if current proc is marked umounted and current uid >= 10000.

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Fix original flow not executing for ksu_handle_sys_reboot()

-if magic2 does not match with the magic of KSU or susfs; Synced with official KernelSU main repo

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Wed Mar 4 17:04:33 2026 +0800

 ## Bug fix ##
- One of the users reported that the ksu_handle_sys_reboot() can cause reboot with KSU Next but not with official KSU, and the related fix commit is here: Evolution-X-Devices/kernel_xiaomi_sm8450@0eeab5a, tho I do not know why it causes the issue with some KSU Next users but indeed there are some bugs with the returned value as it may not resume the original flow and return directly. If magic2 does not match with SUSFS_MAGIC or KSU_INSTALL_MAGIC2, or magic2 matches with SUSFS_MAGIC but none of the susfs cmd is matched, then we should return a non-zero value like -EINVAL so that it can continue with the original flow.

 ## Upstream ##
- See tiann@28fedfa

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1
LeCmnGend pushed a commit to LeCmnGend/KernelSU that referenced this pull request Mar 4, 2026
-Cherry-picked and squashed from:
 https://github.com/pershoot/KernelSU-Next/tree/dev-susfs

.....

kernel (susfs (v2.0.0)): Synced with official KernelSU main repo

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Mon Dec 15 20:03:01 2025 +0800

- See tiann@c95c2d7

-Makefile -> Kbuild (build-time info.)
-Accommodate:
 'Add mount namespace support 添加挂载命名空间支持 (tiann#2909)'
 'kernel: fix root_groups defs (tiann#3028)'
 'sulogv2'
 'kernel, ksud, manager: Remove enhanced security feature'
 (https://github.com/KernelSU-Next/KernelSU-Next/pull/1035/commits)
 'Explicitly check zygote start in execve hook'
 'selinux: Cache SID lookups for domain checks'
 'kernel: ksud: Refine rc injection'
 'kernel: supercalls: expose spoof uname function to userspace'
 'kernel: Fix setup_selinux using __task_cred directly'
 'kernel: use rcu to access allowlist, refactor get allowlist api'

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Let ksud bootstrap

Author: pershoot <190600+pershoot@users.noreply.github.com>
Date:   Mon Dec 29 21:36:12 2025 -0500

-Do not short-circuit; this will cause loss of root if this returns
 early (like on my / few specific device(s)) due to timing differences
 during init.

kernel (susfs (v2.0.0)): Fixed ksu features not enabled and ksu fd not released

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Wed Dec 17 00:16:34 2025 +0800

-Synced with official KernelSU main repo

- See tiann@91ed4ea

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Fixed compile error

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sun Dec 21 01:30:55 2025 +0800

-Synced with official KernelSU main repo

- See tiann@3d73f89

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Synchronize with upstream

Author: pershoot <190600+pershoot@users.noreply.github.com>
Date:   Tue Dec 30 06:39:56 2025 -0500

-'kernel (susfs (v2.0.0)): Let ksud bootstrap' ->
 'KernelSU: Fixed root not accessible on some Samsung devices and AOSP devices'
 -Init. call at end; amend / add comments

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Fixed selinux issues by the fix from upstream

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Wed Dec 31 09:05:32 2025 +0800

-Remove ksu_enhanced_security_enabled check in ksu_handle_setresuid()
 since it may lead to side channel detection

- For selinux issues,
  see tiann@f71d011

- For ksu_enhanced_security_enabled issue,
  Now no matter what value is set for the toggle "Enable enhanced security" in ksu manager,
  it will NOT be effective nor used to check in ksu_handle_setresuid()

-Note: This was partially taken care of in:
       'kernel (susfs (v2.0.0)): Synced with official KernelSU main repo'
       coinciding with:
       'kernel, ksud, manager: Remove enhanced security feature'
       (https://github.com/KernelSU-Next/KernelSU-Next/pull/1035/commits)

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel & KernelSU (susfs (v2.0.0)): Added newfstatat syscall hook for handling latest Android Canary

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sun Jan 11 21:48:35 2026 +0800

-Synced with official KernelSU main repo

- See tiann@df64091

-Note: Some of this was taken care of in:
       'kernel (susfs (v2.0.0)): Synced with official KernelSU main repo'
       to coincide with:
       'kernel: ksud: Refine rc injection, fix issue of Android Canary 2601'

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Fix stat issue when injecting to init.rc for latest Android Canary and qpr3 beta2

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sat Jan 17 21:38:43 2026 +0800

- Sorry for my blinded eyes again since I did not read the references by the upstream fix carefully, it should hook fstat instead of newfstatat, and by hooking vfs_fstat we do not need to care which syscall family it uses

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Refined and renamed hide_sus_mnts_for_all_procs to hide_sus_mnts_for_non_su_procs

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Tue Jan 20 11:53:55 2026 +0800

- There is no good reason to even hide the sus mounts for su process at all and it makes ReZygisk not able to determine what to umount.

- Now it can prevent zygote itself from caching the sus mounts while at the same time ReZygisk can still see them simply because the job is done by its daemon process which is running with su context.

- So now the scenarios become like this:
      1. No Zygisk enabled / ReZygisk enabled but without TreatWheel module => Enable hide_sus_mnts_for_non_su_procs in post-fs-data.sh, then disable hide_sus_mnts_for_non_su_procs in boot-completed.sh or leave it enabled.
      2. [Zygisk Next|ReZygisk + TreatWheel|NeoZygisk] enabled => No need to enable/disable hide_sus_mnts_for_non_su_procs since they can handle traces left by zygote already.

** Friendly reminder **
- It is suggested to disable hide_sus_mnts_for_non_su_procs in boot-completed.sh since having it enabled will cause a bit more overheads unless there are sus mounts you do not want them to be umounted but do want them to be just hidden from proc mounts.

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Remove duplicated log and changed to a proper log message

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Wed Jan 21 12:56:39 2026 +0800

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel & KernelSU (susfs (v2.0.0)): Replaced susfs_is_boot_completed_triggered with susfs_is_sdcard_android_data_decrypted

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Mon Feb 2 14:13:08 2026 +0800

-Sync with the official KernelSU main repo

- 1st scene: There will still be some processes spawned by init after /data is decrypted, these processes will still go through the sucompat checks which take more CPU cycles.

  2nd scene: There can be some mounts mounted after /data is decrypted like yt rvx module, these mounts will leave a mnt_id gap or mnt_group_id gap if it is not a bind mount.

  So to mark no sucompat checks for all init spawned processes, and to capture the ksu mounts and leave no mnt_id/mnt_group_id gaps as much as possible, here we start a kthread after boot-completed stage to keep monitoring the accessibility of path /sdcard/Android/data in loop per 5 seconds with maximum 60 attempts. When it is accessible, we sleep for 5 more seconds just in case there are still some modules mounting stuff. On the contrary, the path will still be deemed as accessible after 60 failed attempts just to prevent infinite loop.

- For upstream commit, see tiann@35d8162

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Various fixes for SUS_PATH and SUS_MOUNT

-plus overall code improvement and optimization

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sat Feb 14 01:06:42 2026 +0800

- Remove the need of flagging /sdcard or /sdcard/Android/data, so we can just do "ksu_susfs add_sus_path </sdcard/TWRP|/sdcard/Android/data/com.example.myapp" for example. To completely prevent unicode exploit users can pick up the patches from here if needed: https://github.com/WildKernels/kernel_patches/blob/main/common/unicode_bypass_fix_6.1%2B.patch / https://github.com/WildKernels/kernel_patches/blob/main/common/unicode_bypass_fix_6.1-.patch

- To deal with FUSE based path, first we check for the inode->i_sb->s_magic, if its magic is FUSE, then we use get_fuse_inode(inode) API to retrieve its fuse inode and flag SUS_PATH on fi->i_mapping->flags.

- Remove overall overheads as we can now get rid of linked list to check for sus path in "/sdcard" and "/sdcard/Android/data", however, for add_sus_path_loop we still need it. But we can consider to use userspace inotify to watch specific paths and pass list of paths to add_sus_path when needed, that will reduce the overheads of iterating the SUS_PATH_LOOP linked list every time zygote spawns a new process.

- Apply only on proc with uid >= 10000 and marked umounted.

- Fixed deadlock and race issues, see 4803afa7 and 068ebeb3

- d_lookup(), __d_lookup() and __d_lookup_rcu() will just return NULL if no dcache is found, so we can just dput() the dentry and set it to NULL, no need to do extra lookup with fake qstr.

- Use d_lookup_done(dentry) to make sure "dentry->d_flags &= ~DCACHE_PAR_LOOKUP" and "dentry->d_wait = NULL" if it is found sus, and re-use DECLARE_WAIT_QUEUE_HEAD_ONSTACK(wq);

- Fix several race issues by using proper locks:
  down_read(&namespace_sem); // needed when manipulating mnt_namespace
  lock_ns_list(mnt_ns); // needed when traversing mnt_ns->list
  lock_mount_hash(); // needed when modifying mount

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Fix various bugs and overall improvement for SUS_PATH and SUS_MOUNT

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sun Feb 22 02:59:13 2026 +0800

 ## SUS_MOUNT ##
- In the end, the mnt_id is not guaranteed to be allocated sequentially for a namespace, this happens even on newer stock locked devices, and mnt_group_id gap is the only one we really need to care for, real world apps should not rely on mnt_id gaps for root detections.

- Re-use the mnt_id_ida to assign fake mnt_id with the minimum mnt_id set to DEFAULT_UNSHARE_KSU_MNT_ID (default 600000) for mounts unshared by ksu process and DEFAULT_KSU_MNT_ID (default 500000) for mounts created or single cloned by ksu process, so we no longer need to hook mnt_free_id().

- Spoof sus mount in vfs_statfs and proc fdinfo only when current proc is marked umounted and current uid >= 10000.

 ## SUS_PATH ##
- There should be no dput() after __d_lookup_rcu() if sus dentry is found, since __d_lookup_rcu() does not take the dentry->d_lockref.count.

- Also we need to check if dentry is being looked up after d_alloc_parallel(), if so we need to call d_lookup_done() on it to clear its waitqueue head and flag DCACHE_PAR_LOOKUP.

- susfs_run_sus_path_loop() should be run with ksu_cred so that it can reach all the paths without selinux issues, run it right after kernel umount is finished.

- Remove the rcu protect for susfs_add_sus_path_loop() since it triggers the voluntary context switch bug, and without rcu it is still safe from using spin_lock and empty path check since it only supports adding entry for now, and it has way less overheads. For better implementations, we may hand it to userspace to use like inotify to monitor the parent dir of the sus path and add the target path via add_sus_path only when inotified parent dir receives event changes, this can cut off more unnecessary loops on each process spawned by zygote.

 ## Others ##
- Add susfs_is_current_proc_umounted_app(), used to check if current proc is marked umounted and current uid >= 10000.

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Fix original flow not executing for ksu_handle_sys_reboot()

-if magic2 does not match the magic of KSU or susfs; Synced with official KernelSU main repo

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Wed Mar 4 17:04:33 2026 +0800

 ## Bug fix ##
- One of the users reported that the ksu_handle_sys_reboot() can cause reboot with KSU Next but not with official KSU, and the related fix commit is here: Evolution-X-Devices/kernel_xiaomi_sm8450@0eeab5a, tho I do not know why it causes the issue with some KSU Next users but indeed there are some bugs with the returned value as it may not resume the original flow and return directly. If magic2 does not match with SUSFS_MAGIC or KSU_INSTALL_MAGIC2, or magic2 matches with SUSFS_MAGIC but none of the susfs cmd is matched, then we should return a non-zero value like -EINVAL so that it can continue with the original flow.

 ## Upstream ##
- See tiann@28fedfa

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1
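
The return-value rule described in the last entry above (ksu_handle_sys_reboot()), as an added userspace sketch that is not part of the commit message or the project's code. The magic values, the `demo_` names and the "before" hook are assumptions reconstructed from the description; only the names SUSFS_MAGIC and KSU_INSTALL_MAGIC2 come from the page.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed placeholder values: the commit message names these two
 * constants but does not give their values. */
#define KSU_INSTALL_MAGIC2 0x11111111u
#define SUSFS_MAGIC        0x22222222u

/* Real Linux value (LINUX_REBOOT_MAGIC2), used as "an ordinary reboot". */
#define DEMO_PLAIN_REBOOT_MAGIC2 0x28121969u

/* Hypothetical susfs command numbers for the demo. */
enum { DEMO_CMD_A = 1, DEMO_CMD_B = 2 };

/* Returns 0 when the command is recognised, -EINVAL otherwise. */
static int demo_susfs_dispatch(unsigned int cmd)
{
    switch (cmd) {
    case DEMO_CMD_A:
    case DEMO_CMD_B:
        return 0;
    default:
        return -EINVAL;
    }
}

/* "Before" (assumed shape of the bug): every path reports "handled",
 * so the caller never resumes the original flow. */
static int demo_hook_before(unsigned int magic2, unsigned int cmd)
{
    if (magic2 == KSU_INSTALL_MAGIC2)
        return 0;
    if (magic2 == SUSFS_MAGIC)
        (void)demo_susfs_dispatch(cmd);   /* result dropped */
    return 0;
}

/* "After": 0 only when the hook really consumed the call; anything
 * else returns non-zero so the original flow continues. */
static int demo_hook_after(unsigned int magic2, unsigned int cmd)
{
    if (magic2 == KSU_INSTALL_MAGIC2)
        return 0;
    if (magic2 == SUSFS_MAGIC)
        return demo_susfs_dispatch(cmd);  /* -EINVAL on unknown cmd */
    return -EINVAL;                       /* not ours */
}

typedef int (*demo_hook_fn)(unsigned int, unsigned int);

/* Stand-in for the hooked syscall entry.
 * Returns 1 when the original reboot path ran, 0 when the hook consumed it. */
static int demo_sys_reboot(demo_hook_fn hook, unsigned int magic2,
                           unsigned int cmd)
{
    if (hook(magic2, cmd) == 0)
        return 0;   /* hook handled it, skip the original flow */
    return 1;       /* fall through to the original flow */
}

int main(void)
{
    /* Constructed inputs: plain reboot, unknown susfs cmd, known susfs cmd. */
    const struct { const char *name; unsigned int magic2, cmd; } cases[] = {
        { "plain reboot",      DEMO_PLAIN_REBOOT_MAGIC2, 0 },
        { "susfs unknown cmd", SUSFS_MAGIC,              99 },
        { "susfs known cmd",   SUSFS_MAGIC,              DEMO_CMD_A },
        { "ksu install",       KSU_INSTALL_MAGIC2,       0 },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-18s before: original ran=%d  after: original ran=%d\n",
               cases[i].name,
               demo_sys_reboot(demo_hook_before, cases[i].magic2, cases[i].cmd),
               demo_sys_reboot(demo_hook_after, cases[i].magic2, cases[i].cmd));
    return 0;
}
```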
LeCmnGend pushed a commit to LeCmnGend/KernelSU that referenced this pull request Mar 6, 2026

kernel / manager: Amend hook mode for susfs

Author: pershoot <190600+pershoot@users.noreply.github.com>
Date:   Thu Mar 5 16:05:50 2026 -0500
LeCmnGend pushed a commit to LeCmnGend/KernelSU that referenced this pull request Mar 6, 2026
-Cherry-picked and squashed from:
 https://github.com/pershoot/KernelSU-Next/tree/dev-susfs

.....

kernel (susfs (v2.0.0)): Synced with official KernelSU main repo

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Mon Dec 15 20:03:01 2025 +0800

- See tiann@c95c2d7

-Makefile -> Kbuild (build-time info.)
-Accommodate:
 'Add mount namespace support 添加挂载命名空间支持 (tiann#2909)'
 'kernel: fix root_groups defs (tiann#3028)'
 'sulogv2'
 'kernel, ksud, manager: Remove enhanced security feature'
 (https://github.com/KernelSU-Next/KernelSU-Next/pull/1035/commits)
 'Explicitly check zygote start in execve hook'
 'selinux: Cache SID lookups for domain checks'
 'kernel: ksud: Refine rc injection'
 'kernel: supercalls: expose spoof uname function to userspace'
 'kernel: Fix setup_selinux using __task_cred directly'
 'kernel: use rcu to access allowlist, refactor get allowlist api'

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Let ksud bootstrap

Author: pershoot <190600+pershoot@users.noreply.github.com>
Date:   Mon Dec 29 21:36:12 2025 -0500

-Do not short-circuit; this will cause loss of root if this returns
 early (like on my / few specific device(s)) due to timing differences
 during init.

kernel (susfs (v2.0.0)): Fixed ksu features not enabled and ksu fd not released

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Wed Dec 17 00:16:34 2025 +0800

-Synced with official KernelSU main repo

- See tiann@91ed4ea

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Fixed compile error

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sun Dec 21 01:30:55 2025 +0800

-Synced with official KernelSU main repo

- See tiann@3d73f89

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Synchronize with upstream

Author: pershoot <190600+pershoot@users.noreply.github.com>
Date:   Tue Dec 30 06:39:56 2025 -0500

-'kernel (susfs (v2.0.0)): Let ksud bootstrap' ->
 'KernelSU: Fixed root not accessible on some Samsung devices and AOSP devices'
 -Init. call at end; amend / add comments

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Fixed selinux issues by the fix from upstream

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Wed Dec 31 09:05:32 2025 +0800

-Remove ksu_enhanced_security_enabled check in ksu_handle_setresuid()
 since it may lead to side channel detection

- For selinux issues,
  see tiann@f71d011

- For ksu_enhanced_security_enabled issue,
  Now no matter what value is set for the toggle "Enable enhanced security" in ksu manager,
  it will NOT be effective nor used to check in ksu_handle_setresuid()

-Note: This was partially taken care of in:
       'kernel (susfs (v2.0.0)): Synced with official KernelSU main repo'
       coinciding with:
       'kernel, ksud, manager: Remove enhanced security feature'
       (https://github.com/KernelSU-Next/KernelSU-Next/pull/1035/commits)

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel & KernelSU (susfs (v2.0.0)): Added newfstatat syscall hook for handling latest Android Canary

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sun Jan 11 21:48:35 2026 +0800

-Sycned with official KernelSU main repo

- See tiann@df64091

-Note: Some of this was taken care of in:
       'kernel (susfs (v2.0.0)): Synced with official KernelSU main repo'
       to coincide with:
       'kernel: ksud: Refine rc injection, fix issue of Android Canary 2601'

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Fix stat issue when injecting to init.rc for latest Android Canary and qpr3 beta2

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sat Jan 17 21:38:43 2026 +0800

- Sorry for my blinded eyes again since I did not read the references by the upstream fix carefully, it should hook fstat instead of newfstatat, and by hooking vfs_fstat we do not need to care which syscall family it uses

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Refined and renamed hide_sus_mnts_for_all_procs to hide_sus_mnts_for_non_su_procs

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Tue Jan 20 11:53:55 2026 +0800

- There is no good reason to even hide the sus mounts for su process at all and it makes ReZygisk not able to determine what to umount.

- Now it can prevent zygote itself from caching the sus mounts while at the same time ReZyisk can still see them simply because the job is done by its daemon process which is running with su context.

- So now the scenarios become like this:
      1. No Zygisk enabled / ReZygisk enabled but without TreatWheel module => Enable hide_sus_mnts_for_non_su_procs in post-fs-data.sh, then disable hide_sus_mnts_for_non_su_procs in boot-completed.sh or leave it enabled.
      2. [Zygisk Next|Rezygisk + TreatWheel|NeoZygisk] enabled => No need to enable/disable hide_sus_mnts_for_non_su_procs since they can handle traces left by zygote already.

** Friendly reminder **
- It is suggested to disable hide_sus_mnts_for_non_su_procs in boot-completed.sh since having it enabled will cause a bit more overheads unless there are sus mounts you do not want them to be umounted but do want them to be just hidden from proc mounts.

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Remove duplicated log and changed to a proper log message

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Wed Jan 21 12:56:39 2026 +0800

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel & KernelSU (susfs (v2.0.0)): Replaced susfs_is_boot_completed_triggered with susfs_is_sdcard_android_data_decrypted

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Mon Feb 2 14:13:08 2026 +0800

-Sync with the official KernelSU main repo

- 1st scene: There will be still some processes spawned by init after /data is decrypted, these processes will still go through the sucompat checks which takes more CPU cycle.

  2nd scene: There can be some mounts mounted after /data is decrypted like yt rvx module, these mounts will leave a mnt_id gap or mnt_group_id gap if it is not a bind mount.

  So to mark no sucompat checks for all init spawned processes, and to capture the ksu mounts and leave no mnt_id/mnt_group_id gaps as much as possible, here we start a kthread after boot-completed stage to keep monitoring the accessbility of path /sdcard/Android/data in loop per 5 seconds with maximum 60 attempts. When it is accessible, we sleep for 5 more seconds just in case there are still some modules mounting stuff. On the contrary, the path will still be deemed as accessible after 60 failed attempts just to prevent infinite loop

- For upstream commit, see tiann@35d8162

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Various fixes for SUS_PATH and SUS_MOUNT

-plus overall code improvement and optimization

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sat Feb 14 01:06:42 2026 +0800

- Remove the need of flagging /sdcard or /sdcard/Android/data, so we can just do "ksu_susfs add_sus_path </sdcard/TWRP|/sdcard/Android/data/com.example.myapp" for example. To completely prevent unicode exploit users can pick up the patches from here if needed: https://github.com/WildKernels/kernel_patches/blob/main/common/unicode_bypass_fix_6.1%2B.patch / https://github.com/WildKernels/kernel_patches/blob/main/common/unicode_bypass_fix_6.1-.patch

- To deal with FUSE based path, first we check for the inode->i_sb->s_magic, if its magic is FUSE, then we use get_fuse_inode(inode) API to retrieve its fuse inode and flag SUS_PATH on fi->i_mapping->flags.

- Remove overall overheads as we can now get rid of linked list to check for sus path in "/sdcard" and "/sdcard/Android/data", however, for add_sus_path_loop we still need it. But we can consider to use userspace inotify to watch specific paths and pass list of paths to add_sus_path when needed, that will reduce the overheads of iterating the SUS_PATH_LOOP linked list every time zygote spawns a new process.

- Apply only on proc with uid >= 10000 and marked umounted.

- Fixed deadlock and race issues, see 4803afa7 and 068ebeb3

- d_lookup(), __d_lookup() and __d_lookup_rcu() will just return NULL if no dcache is found, so we can just dput() the dentry and set it to NULL, no need to do extra lookup with fake qstr.

- Use d_lookup_done(dentry) to make sure "dentry->d_flags &= ~DCACHE_PAR_LOOKUP" and "dentry->d_wait = NULL" if it is found sus, and re-use DECLARE_WAIT_QUEUE_HEAD_ONSTACK(wq);

- Fix several race issues by using proper locks:
  down_read(&namespace_sem); // needed when manipulating mnt_namespace
  lock_ns_list(mnt_ns); // needed when traversing mnt_ns->list
  lock_mount_hash(); // needed when modifying mount

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Fix various bugs and overall improvement for SUS_PATH and SUS_MOUNT

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Sun Feb 22 02:59:13 2026 +0800

 ## SUS_MOUNT ##
- In the end, the mnt_id is not guaranteed to allocated sequentially for a namespace, this happens even on newer stock locked devices, and mnt_group_id gap is the only one we really need to care for, real world apps should not rely on mnt_id gaps for root detections.

- Re-use the mnt_id_ida to assign fake mnt_id with the minimum mnt_id set to DEFAULT_UNSHARE_KSU_MNT_ID (default 600000) for mounts unshared by ksu process and DEFAULT_KSU_MNT_ID (default 500000) for mounts created or single cloned by ksu process, so we no longer need to hook mnt_free_id().

- Spoof sus mount in vfs_statfs and proc fdinfo only when current proc is marked umounted and current uid >= 10000.

 ## SUS_PATH ##
- There should be no dput() after __d_lookup_rcu() if sus dentry is found, since __d_lookup_rcu() does not take the dentry->d_lockref.count.

- Also we need to check if dentry is being looked up after d_alloc_parallel(), if so we need to call d_lookup_done() on it to clear its waitqueue head and flag DCACHE_PAR_LOOKUP.

- susfs_run_sus_path_loop() should be run with ksu_cred so that it can reach all the paths without selinux issues, run it right after kernel umount is finished.

- Remove the rcu protect for susfs_add_sus_path_loop() since it triggers the voluntary context switch bug, and without rcu it is still safe from using spin_lock and empty path check since it only supports adding entry for now, and it has way less overheads. For better implementations, we may hand it to userspace to use like inotify to monitor the parent dir of the sus path and add the target path via add_sus_path only when inotified parent dir receives event changes, this can cut off more unnecessary loops on each process spawned by zygote.

 ## Others ##
- Add susfs_is_current_proc_umounted_app(), used to check if current proc is marked umounted and current uid >= 10000.

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Fix original flow not executing for ksu_handle_sys_reboot()

-if magic2 does not match with the magic of KSU or susfs; Synced with official KernelSU main repo

Author: simonpunk <simonpunk2016@gmail.com>
Date:   Wed Mar 4 17:04:33 2026 +0800

 ## Bug fix ##
- One of the users reported that the ksu_handle_sys_reboot() can cause reboot with KSU Next but not with official KSU, and the related fix commit is here: Evolution-X-Devices/kernel_xiaomi_sm8450@0eeab5a, tho I do not know why it causes the issue with some KSU Next users but indeed there are some bugs with the returned value as it may not resume the original flow and return directly. If magic2 does not match with SUSFS_MAGIC or KSU_INSTALL_MAGIC2, or magic2 matches with SUSFS_MAGIC but none of the susfs cmd is matched, then we should return a non-zero value like -EINVAL so that it can continue with the original flow.

 ## Upstream ##
- See tiann@28fedfa

-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel / manager: Amend hook mode for susfs

Author: pershoot <190600+pershoot@users.noreply.github.com>
Date:   Thu Mar 5 16:05:50 2026 -0500