Upgrade ASK kernel base to Linux 6.18.30

Move the custom ASK/NXP kernel build from lf-6.18.2-1.0.0 toward the upstream stable 6.18.y baseline, currently 6.18.30. This pulls in upstream stable fixes, including the BPF verifier fix needed by Cilium. The previous 6.18.2-based kernel triggered: verifier bug: REG INVARIANTS VIOLATION (false_reg1) reg_bounds_sanity_check() bpf_prog_load() cilium-agent The issue is no longer reproduced on 6.18.30 after fresh boot: Cilium 1.19.2 reports healthy, BPF datapath is active, all controllers are healthy, cluster health is reachable, and dmesg no longer shows the verifier warning. Refresh affected ASK upstream patch splits: - add bridge br_input patch - refresh xfrm policy/state patches - update package/kernel build inputs for 6.18.30
2026-05-16 03:38:21 +08:00
parent 3324412142
commit a2e5c2aa7a
7 changed files with 75 additions and 27 deletions
@@ -6,6 +6,15 @@ TAG=dev
 # NXP's Linux Factory
 LINUX_FACTORY=6.18.2-1.0.0
 NXP_VERSION=lf-$(LINUX_FACTORY)
 NXP_KERNEL_VERSION=6.18.30-1.0.0-dev
 # This kernel applies upstream fixes
 # If you want the original, use:
 #    https://github.com/nxp-qoriq/linux/archive/refs/tags/lf-${NXP_KERNEL_VERSION}.tar.gz
 # and change NXP_KERNEL_VERSION to match LINUX_FACTORY
 # However you may have to fix the failed patches in patches/ask/upstream/kernel/
 NXP_KERNEL_URL=https://github.com/tgckpg/linux-layerscape-stable/archive/refs/tags/lf-${NXP_KERNEL_VERSION}.tar.gz
 FMLIB_VERSION=lf-$(LINUX_FACTORY)
 FMC_VERSION=lf-$(LINUX_FACTORY)
 DPDK_VERSION=lf-$(LINUX_FACTORY)
@@ -13,7 +13,7 @@ RUN git config --global user.email "monok8s@localhost" && \
 WORKDIR /src
 ARG AARCH64_MUSL_CC_TAR
-ARG NXP_TAR
+ARG NXP_KERNEL_TAR
 ARG MONO_ASK_TAR
 ARG LIBNFNETLINK_TAR
 ARG LIBMNL_TAR
@@ -33,7 +33,7 @@ ARG LIBNFCT_VERSION
 COPY "${AARCH64_MUSL_CC_TAR}"  ./aarch64_musl_cc.tar.gz
 # Linux kernel
-COPY "${NXP_TAR}"		  ./kernel.tar.gz
+COPY "${NXP_KERNEL_TAR}"		  ./kernel.tar.gz
 # Copy the ASK deps
 COPY "${MONO_ASK_TAR}"	 ./mono-ask.tar.gz
@@ -204,13 +204,14 @@ RUN fetch-artifact \
 # ---- nxp linux ----
 FROM base AS nxp_linux
-ARG NXP_VERSION
+ARG NXP_KERNEL_VERSION
-ARG NXP_TAR
+ARG NXP_KERNEL_TAR
 ARG NXP_KERNEL_URL
 WORKDIR /out/nxp/kernel
 RUN fetch-artifact \
-        "${NXP_TAR}" \
+		"${NXP_KERNEL_TAR}" \
-        "${NXP_VERSION}.tar.gz" \
+		"${NXP_KERNEL_VERSION}.tar.gz" \
-        "https://github.com/nxp-qoriq/linux/archive/refs/tags/${NXP_VERSION}.tar.gz"
+		"${NXP_KERNEL_URL}"
 # ---- crio ----
 FROM base AS crio
@@ -7,13 +7,13 @@ TAG ?= dev
 PACKAGES_DIR := packages
 OUT_DIR      := out
-E2FSPROGS_TAR := $(PACKAGES_DIR)/e2fsprogs-v$(E2FSPROGS_VERSION).tar.gz
+E2FSPROGS_TAR  := $(PACKAGES_DIR)/e2fsprogs-v$(E2FSPROGS_VERSION).tar.gz
-BUSYBOX_TAR   := $(PACKAGES_DIR)/busybox-$(BUSYBOX_VERSION).tar.gz
+BUSYBOX_TAR    := $(PACKAGES_DIR)/busybox-$(BUSYBOX_VERSION).tar.gz
-ALPINE_TAR    := $(PACKAGES_DIR)/alpine-minirootfs-$(ALPINE_VER)-$(ALPINE_ARCH).tar.gz
+ALPINE_TAR     := $(PACKAGES_DIR)/alpine-minirootfs-$(ALPINE_VER)-$(ALPINE_ARCH).tar.gz
-NXP_TAR       := $(PACKAGES_DIR)/nxp/kernel/$(NXP_VERSION).tar.gz
+NXP_KERNEL_TAR := $(PACKAGES_DIR)/nxp/kernel/$(NXP_KERNEL_VERSION).tar.gz
-VPP_TAR       := $(PACKAGES_DIR)/nxp/vpp/$(VPP_VERSION).tar.gz
+VPP_TAR        := $(PACKAGES_DIR)/nxp/vpp/$(VPP_VERSION).tar.gz
-DPDK_TAR      := $(PACKAGES_DIR)/nxp/dpdk/$(DPDK_VERSION).tar.gz
+DPDK_TAR       := $(PACKAGES_DIR)/nxp/dpdk/$(DPDK_VERSION).tar.gz
-CRIO_TAR      := $(PACKAGES_DIR)/$(CRIO_VERSION).tar.gz
+CRIO_TAR       := $(PACKAGES_DIR)/$(CRIO_VERSION).tar.gz
 AARCH64_MUSL_CC_TAR := $(PACKAGES_DIR)/aarch64-linux-musl-cross.tgz
@@ -166,7 +166,9 @@ $(DOWNLOAD_PACKAGES_STAMP): docker/download-packages.Dockerfile build.env makefi
 		--build-arg LIBPCAP_TAR=$(LIBPCAP_TAR) \
 		--build-arg TCLAP_TAR=$(TCLAP_TAR) \
 		--build-arg ALPINE_TAR=$(ALPINE_TAR) \
-		--build-arg NXP_TAR=$(NXP_TAR) \
+		--build-arg NXP_KERNEL_VERSION=$(NXP_KERNEL_VERSION) \
 		--build-arg NXP_KERNEL_TAR=$(NXP_KERNEL_TAR) \
 		--build-arg NXP_KERNEL_URL=$(NXP_KERNEL_URL) \
 		--build-arg CRIO_TAR=$(CRIO_TAR) \
 		--output type=local,dest=./$(PACKAGES_DIR) .
 	@touch $@
@@ -233,7 +235,7 @@ ASK: $(ASK_TAR) $(LIBNFCT_TAR) $(LIBNFNETLINK_TAR) $(TCLAP_TAR) $(LIBXML2_TAR) |
 		--build-arg BUILD_BASE_TAG=$$build_base_tag \
 		--build-arg MONO_ASK_TAR=$(MONO_ASK_TAR) \
 		--build-arg AARCH64_MUSL_CC_TAR=$(AARCH64_MUSL_CC_TAR) \
-		--build-arg NXP_TAR=$(NXP_TAR) \
+		--build-arg NXP_KERNEL_TAR=$(NXP_KERNEL_TAR) \
 		--build-arg FMLIB_TAR=$(FMLIB_TAR) \
 		--build-arg FMC_TAR=$(FMC_TAR) \
 		--build-arg LIBNFNETLINK_TAR=$(LIBNFNETLINK_TAR) \
@@ -260,7 +262,7 @@ push-cmm-image: cmm-image
 	docker tag -t localhost/monok8s/cmm:$(TAG) $(IMAGE_REPOSITORY)/cmm:$(KUBE_VERSION)-$(TAG) .
 	docker push $(IMAGE_REPOSITORY)/cmm:$(KUBE_VERSION)-$(TAG)
-vpp: $(BUILD_BASE_STAMP) $(VPP_TAR) $(DPDK_TAR) $(FMLIB_TAR) $(FMC_TAR) $(NXP_TAR)
+vpp: $(BUILD_BASE_STAMP) $(VPP_TAR) $(DPDK_TAR) $(FMLIB_TAR) $(FMC_TAR) $(NXP_KERNEL_TAR)
 	@build_base_tag=$$(docker image inspect \
 		--format '{{.Id}}' \
 		$(DOCKER_IMAGE_ROOT)/build-base:$(TAG) \
@@ -0,0 +1,36 @@
 diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
 --- a/net/bridge/br_input.c
 +++ b/net/bridge/br_input.c
@@ -65,6 +65,10 @@ static int br_pass_frame_up(struct sk_buff *skb, bool promisc)
 	br_multicast_count(br, NULL, skb, br_multicast_igmp_type(skb),
 			   BR_MCAST_DIR_TX);
 +#if defined(CONFIG_CPE_FAST_PATH)
 +	skb->underlying_iif = indev->ifindex;
 +#endif
 +
 	BR_INPUT_SKB_CB(skb)->promisc = promisc;
 	return NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,
@@ -166,6 +170,10 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
 	BR_INPUT_SKB_CB(skb)->brdev = br->dev;
 	BR_INPUT_SKB_CB(skb)->src_port_isolated = !!(p->flags & BR_ISOLATED);
 +#if defined(CONFIG_CPE_FAST_PATH)
 +	skb->abm_ff = 0;
 +#endif
 +
 	if (IS_ENABLED(CONFIG_INET) &&
 	    (skb->protocol == htons(ETH_P_ARP) ||
 	     skb->protocol == htons(ETH_P_RARP))) {
@@ -223,6 +231,10 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
 		if (now != READ_ONCE(dst->used))
 			WRITE_ONCE(dst->used, now);
 +#if defined(CONFIG_CPE_FAST_PATH)
 +		/* Used by ABM module */
 +		skb->abm_ff = 1;
 +#endif
 		br_forward(dst->dst, skb, local_rcv, false);
 	} else {
 		if (!mcast_hit)
@@ -1,5 +1,5 @@
 diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
-index 62486f8..3cbe4f8 100644
+index 29c94ee..f9c222f 100644
 --- a/net/xfrm/xfrm_policy.c
 +++ b/net/xfrm/xfrm_policy.c
@@ -48,6 +48,11 @@
@@ -86,7 +86,7 @@ index 62486f8..3cbe4f8 100644
 ok:
 	xfrm_pols_put(pols, drop_pols);
 	if (dst->xfrm &&
-@@ -3853,6 +3909,34 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
+@@ -3859,6 +3915,34 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
 			goto reject;
 		}
@@ -118,10 +118,10 @@ index 62486f8..3cbe4f8 100644
 +#endif
 +#endif
 +
 out:
 		xfrm_pols_put(pols, npols);
 		sp->verified_cnt = k;
- 
+@@ -4339,6 +4423,14 @@ static int __net_init xfrm_net_init(struct net *net)
@@ -4328,6 +4412,14 @@ static int __net_init xfrm_net_init(struct net *net)
 	if (rv < 0)
 		goto out_sysctl;
@@ -136,7 +136,7 @@ index 62486f8..3cbe4f8 100644
 	rv = xfrm_nat_keepalive_net_init(net);
 	if (rv < 0)
 		goto out_nat_keepalive;
-@@ -4335,6 +4427,12 @@ static int __net_init xfrm_net_init(struct net *net)
+@@ -4346,6 +4438,12 @@ static int __net_init xfrm_net_init(struct net *net)
 	return 0;
 out_nat_keepalive:
@@ -149,7 +149,7 @@ index 62486f8..3cbe4f8 100644
 	xfrm_sysctl_fini(net);
 out_sysctl:
 	xfrm_policy_fini(net);
-@@ -4349,6 +4447,11 @@ out_statistics:
+@@ -4360,6 +4458,11 @@ out_statistics:
 static void __net_exit xfrm_net_exit(struct net *net)
 {
 	xfrm_nat_keepalive_net_fini(net);
@@ -126,13 +126,13 @@ index 9e14e45..d685ed7 100644
 		x->pcpu_num = UINT_MAX;
 		spin_lock_init(&x->lock);
 		x->mode_data = NULL;
-@@ -829,6 +878,12 @@ int __xfrm_state_delete(struct xfrm_state *x)
+@@ -850,6 +899,12 @@ int __xfrm_state_delete(struct xfrm_state *x)
- 		if (x->id.spi)
+ 		if (!hlist_unhashed(&x->byspi))
- 			hlist_del_rcu(&x->byspi);
+ 			hlist_del_init_rcu(&x->byspi);
 +#if defined(CONFIG_INET_IPSEC_OFFLOAD) || defined(CONFIG_INET6_IPSEC_OFFLOAD)
 +		if (x->handle && x->in_byh_hash) {
-+			hlist_del_rcu(&x->byh);
+			hlist_del_init_rcu(&x->byh);
 +			x->in_byh_hash = 0;
 +		}
 +#endif