From 7782c0027577ce2a3566128042faeccb40a4fb8f Mon Sep 17 00:00:00 2001
From: fc5b87cf <90097027+rsuntk@users.noreply.github.com>
Date: Mon, 17 Nov 2025 22:20:18 +0700
Subject: [PATCH] kernel: handle seccomp_filter_release compat (#203)
* It's actually very excessive that we provide this thing
- Stale: https://github.com/rsuntk/KernelSU/pull/199
Signed-off-by: TwinbornPlate75 <3342733415@qq.com>
Signed-off-by: fc5b87cf
Co-authored-by: TwinbornPlate75 <3342733415@qq.com>
---
 kernel/Makefile | 9 ++++++++-
 kernel/app_profile.c | 17 +++++++++++++----
 2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/kernel/Makefile b/kernel/Makefile
index 52391a13..0dcaa992 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -145,7 +145,14 @@ endif
 ifeq ($(shell grep -q "task_security_struct\s\+\*selinux_cred" $(srctree)/security/selinux/include/objsec.h; echo $$?),0)
 ccflags-y += -DKSU_OPTIONAL_SELINUX_CRED
 endif
-
+# seccomp_types.h were added on 6.7
+ifeq ($(shell grep -q "atomic_t\s\+filter_count" $(srctree)/include/linux/seccomp.h $(srctree)/include/linux/seccomp_types.h; echo $$?),0)
+ccflags-y += -DKSU_OPTIONAL_SECCOMP_FILTER_CNT
+endif
+# some old kernel backport this, let's check if put_seccomp_filter still exist
+ifneq ($(shell grep -wq "put_seccomp_filter" $(srctree)/kernel/seccomp.c $(srctree)/include/linux/seccomp.h; echo $$?),0)
+ccflags-y += -DKSU_OPTIONAL_SECCOMP_FILTER_RELEASE
+endif
 ifeq ($(shell grep -q "anon_inode_getfd_secure" $(srctree)/fs/anon_inodes.c; echo $$?),0)
 ccflags-y += -DKSU_HAS_GETFD_SECURE
 endif
diff --git a/kernel/app_profile.c b/kernel/app_profile.c
index c7d02592..6ab128ce 100644
--- a/kernel/app_profile.c
+++ b/kernel/app_profile.c
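Review bot: `KSU_OPTIONAL_SECCOMP_FILTER_RELEASE` is defined from the absence of `put_seccomp_filter` (the `ifneq` fires on any non-zero grep status, an error included), so it never confirms that `seccomp_filter_release` is actually present in the tree. Probing the symbol that app_profile.c will call is tighter: `ifeq ($(shell grep -wq "seccomp_filter_release" $(srctree)/kernel/seccomp.c $(srctree)/include/linux/seccomp.h; echo $$?),0)`. In the `filter_count` probe, `seccomp_types.h` does not exist before 6.7 according to the comment above it, so older trees print a grep error on every build; `grep -sq` keeps the same exit status without the noise.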
@@ -222,16 +222,25 @@ void disable_seccomp(struct task_struct *tsk)
 #ifdef CONFIG_SECCOMP
 tsk->seccomp.mode = 0;
 if (tsk->seccomp.filter) {
- // 5.9+ have filter_count and use seccomp_filter_release
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
- seccomp_filter_release(tsk);
+ // 5.9+ have filter_count, but optional.
+#ifdef KSU_OPTIONAL_SECCOMP_FILTER_CNT
 atomic_set(&tsk->seccomp.filter_count, 0);
+#endif
+ // some old kernel backport seccomp_filter_release..
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0) && \
+ defined(KSU_OPTIONAL_SECCOMP_FILTER_RELEASE)
+ seccomp_filter_release(tsk);
+#else
+ // never, ever call seccomp_filter_release on 6.10+ (no effect)
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0) && \
+ LINUX_VERSION_CODE < KERNEL_VERSION(6, 10, 0))
+ seccomp_filter_release(tsk);
 #else
- // for 6.11+ kernel support?
 #if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0)
 put_seccomp_filter(tsk);
 #endif
 tsk->seccomp.filter = NULL;
+#endif
 #endif
 }
 #endif
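Review bot: On kernels at or above 6.10 the innermost `#else` path only executes `tsk->seccomp.filter = NULL;`, so the task's reference on its filter chain is discarded without a put and the filters are never freed. If that leak is the accepted cost of `seccomp_filter_release` having no effect there, the comment should say so, e.g. `// 6.10+: seccomp_filter_release() has no effect here, the filter reference is leaked on purpose`. The two `seccomp_filter_release(tsk)` branches also depend on that function clearing `tsk->seccomp.filter` itself, which is unverified for vendor backports below 5.9 and would presumably leave a dangling pointer to be released again at task exit if it does not; moving `tsk->seccomp.filter = NULL;` after the last `#endif` before the closing brace clears it on every path. disable_seccomp begins above this hunk, so its locking is not visible here.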