[Deepin-Kernel-SIG] [linux 6.18-y] [Upstream] Update kernel base to 6.18.26

[opsiff]

Update kernel base to 6.18.26.

git log --oneline v6.18.25..v6.18.26 | wc
3 16 151

Summary by Sourcery

Update Xen hypervisor interfaces and bump the kernel version to 6.18.26.

Bug Fixes:

• Fix Xen sysfs build ID exposure by enforcing PAGE_SIZE bounds and treating the build ID as binary data.
• Prevent Xen privcmd VMAs from being split to avoid a potential double free in privcmd_close().

Build:

• Bump kernel sublevel from 6.18.25 to 6.18.26.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Updates the kernel base from 6.18.25 to 6.18.26 and incorporates upstream Xen fixes for build ID handling and privcmd VMA splitting semantics.

Sequence diagram for Xen hypervisor build ID sysfs read behavior

sequenceDiagram
    actor UserSpace
    participant Sysfs as sysfs_hypervisor_buildid
    participant Kernel as buildid_show
    participant Hypervisor as XenHypervisor

    UserSpace->>Sysfs: read /sys/hypervisor/buildid
    Sysfs->>Kernel: buildid_show(attr, buffer)
    alt permission_denied
        Kernel-->>Sysfs: "<denied>" (string)
        Sysfs-->>UserSpace: error or "<denied>"
    else permission_granted
        Kernel->>Hypervisor: HYPERVISOR_xen_version(XENVER_build_id, NULL)
        Hypervisor-->>Kernel: required_length
        alt length_gt_PAGE_SIZE
            Kernel-->>Sysfs: -ENOSPC
            Sysfs-->>UserSpace: error ENOSPC
        else length_le_PAGE_SIZE
            Kernel->>Kernel: kmalloc(sizeof(buildid) + required_length)
            Kernel->>Hypervisor: HYPERVISOR_xen_version(XENVER_build_id, buildid)
            Hypervisor-->>Kernel: buildid_bytes
            alt ret_gt_0
                Kernel->>Kernel: memcpy(buffer, buildid_buf, ret)
                Kernel-->>Sysfs: ret (binary bytes)
                Sysfs-->>UserSpace: binary build_id data
            else ret_le_0
                Kernel-->>Sysfs: ret (error)
                Sysfs-->>UserSpace: error
            end
        end
    end

Loading

Sequence diagram for Xen privcmd VMA split prevention

sequenceDiagram
    participant Process as UserProcess
    participant MM as KernelMemoryManager
    participant VMA as privcmd_vma
    participant Ops as privcmd_vm_ops

    Process->>MM: mmap privcmd device
    MM->>VMA: create VMA with vm_ops = privcmd_vm_ops

    note over MM,VMA: Later, an operation implies splitting the VMA

    MM->>Ops: may_split(privcmd_vma, split_addr)
    Ops-->>MM: -EINVAL
    alt may_split_rejects_split
        MM->>MM: do not split VMA
        note over MM,VMA: Avoids double free in privcmd_close
    else may_split_allows_split
        MM->>VMA: split into two VMAs
        MM->>Ops: close on old VMA
        note over MM,VMA: (Old behavior risked double privcmd_close)
    end

Loading

Class diagram for Xen privcmd vm_operations_struct changes

classDiagram
    class vm_area_struct {
        unsigned long vm_start
        unsigned long vm_end
        struct vm_operations_struct *vm_ops
        void *vm_private_data
    }

    class vm_operations_struct {
        +int (*open)(struct vm_area_struct *area)
        +void (*close)(struct vm_area_struct *area)
        +int (*may_split)(struct vm_area_struct *area, unsigned long addr)
        +vm_fault_t (*fault)(struct vm_fault *vmf)
    }

    class privcmd_vm_ops {
        +close(area struct vm_area_struct *)
        +may_split(area struct vm_area_struct *, addr unsigned long)
        +fault(vmf struct vm_fault *)
    }

    class vm_fault {
        struct vm_area_struct *vma
        unsigned long address
        unsigned int flags
    }

    vm_area_struct --> vm_operations_struct : has_vm_ops
    privcmd_vm_ops --|> vm_operations_struct : implements
    vm_fault --> vm_area_struct : references_vma

    class privcmd_close {
        +void privcmd_close(vma struct vm_area_struct *)
    }

    class privcmd_may_split {
        +int privcmd_may_split(area struct vm_area_struct *, addr unsigned long)
    }

    class privcmd_fault {
        +vm_fault_t privcmd_fault(vmf struct vm_fault *)
    }

    privcmd_vm_ops o--> privcmd_close : uses_as_close
    privcmd_vm_ops o--> privcmd_may_split : uses_as_may_split
    privcmd_vm_ops o--> privcmd_fault : uses_as_fault

Loading

File-Level Changes

Change	Details	Files
Correct Xen hypervisor build ID sysfs attribute handling to safely manage buffer sizes and treat the build ID as binary data.	Add an upper bound check to return -ENOSPC when the reported build ID length exceeds PAGE_SIZE before allocation and copy Allocate the build ID buffer using the returned length and use memcpy to copy the binary build ID into the sysfs buffer instead of sprintf assuming a string Retain existing handling of permission-denied cases and memory allocation failures	drivers/xen/sys-hypervisor.c
Harden Xen privcmd VMA behavior by prohibiting VMA splitting to avoid double-free in privcmd_close().	Introduce a privcmd_may_split() callback that unconditionally returns -EINVAL to forbid splitting the privcmd VMA Wire privcmd_may_split into privcmd_vm_ops via the .may_split hook alongside existing .close and .fault handlers	drivers/xen/privcmd.c
Update kernel version metadata to 6.18.26.	Bump SUBLEVEL from 25 to 26 in the top-level Makefile to reflect the new upstream kernel base	Makefile

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[Avenger-285714]

/approve

[sourcery-ai]

Hey - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[Copilot]

Pull request overview

This pull request updates the Deepin kernel base from Linux 6.18.25 to 6.18.26, pulling in the corresponding upstream stable fixes. The included changes primarily address Xen-related robustness/safety issues and bump the kernel sublevel.

Changes:

• Bump kernel sublevel from 6.18.25 to 6.18.26.
• Xen sysfs: enforce PAGE_SIZE bounds for build ID exposure and treat the build ID as binary data.
• Xen privcmd: prevent VMA splitting via vm_ops->may_split to avoid a potential double-free path in privcmd_close().

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
Makefile	Updates kernel SUBLEVEL to 26 (6.18.26).
drivers/xen/sys-hypervisor.c	Bounds-checkes build ID size and copies build ID bytes as binary into the sysfs read buffer.
drivers/xen/privcmd.c	Adds .may_split hook to forbid VMA splitting for privcmd mappings, preventing close-time double-free scenarios.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Avenger-285714

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• deepin/OWNERS [Avenger-285714]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Avenger-285714

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• deepin/OWNERS [Avenger-285714]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment