From 1e15ca9f1392d5a3134d02a78d6448f1d22487bd Mon Sep 17 00:00:00 2001 From: Bas van Dijk Date: Mon, 20 Apr 2026 19:09:03 +0000 Subject: [PATCH 1/6] feat(guestos): build patched kernel with folio_split() race fix Build a custom linux-hwe-6.17 kernel in the GuestOS base image that includes upstream commit 577a1f495fd78d8fb61b67ac3d3b595b01f6fcb0 ("mm/huge_memory: fix a folio_split() race condition with folio_try_get()"). The fix is present in mainline v7.0-rc4+ and in linux-6.18.y but has not yet reached Ubuntu's linux-hwe-6.17 package on noble (24.04). Changes: * Add a new 'kernel-build' stage to Dockerfile.base that apt-get sources linux-hwe-6.17, applies every *.patch file under kernel-patches/ in lexicographic order, bumps the Debian changelog with a +dfinity local version, and builds only the amd64 'generic' flavor .deb packages (skipdbg=true skipretpoline=true). * The main stage no longer installs the kernel via linux-image-virtual-hwe-24.04 + apt-cache depends; it copies the locally built .debs and installs them directly, keeping linux-image / linux-modules / linux-modules-extra in sync. * Add kernel-patches/0001-mm-huge_memory-fix-folio_split-race-condition.patch carrying the fix, and a README describing conventions for adding and removing patches. To drop the custom kernel build once Ubuntu ships the fix, remove the patch file(s) under kernel-patches/; no Dockerfile change is then required. --- ic-os/guestos/context/Dockerfile.base | 106 ++++++++++++++++-- ...emory-fix-folio_split-race-condition.patch | 56 +++++++++ .../guestos/context/kernel-patches/README.md | 25 +++++ 3 files changed, 180 insertions(+), 7 deletions(-) create mode 100644 ic-os/guestos/context/kernel-patches/0001-mm-huge_memory-fix-folio_split-race-condition.patch create mode 100644 ic-os/guestos/context/kernel-patches/README.md diff --git a/ic-os/guestos/context/Dockerfile.base b/ic-os/guestos/context/Dockerfile.base index 390641c0d473..a0a6844203e0 100644 
--- a/ic-os/guestos/context/Dockerfile.base +++ b/ic-os/guestos/context/Dockerfile.base 
@@ -35,6 +35,95 @@ RUN cd /tmp/ && \ echo "c46e5b6f53948477ff3a19d97c58307394a29fe64a01905646f026ddc32cb65b node_exporter-1.10.2.linux-amd64.tar.gz" > node_exporter.sha256 && \ sha256sum -c node_exporter.sha256 +# +# Kernel build stage: +# - Fetch Ubuntu's linux-hwe-6.17 source package +# - Apply local patches from kernel-patches/ (lexicographic order) +# - Build the "generic" flavor binary .deb packages +# +# The resulting .debs are consumed by the final image stage below, replacing +# the stock kernel that would otherwise be pulled in via apt. +# +FROM ubuntu:24.04 as kernel-build + +USER root:root + +ENV TZ=UTC +ENV DEBIAN_FRONTEND=noninteractive +ENV SOURCE_DATE_EPOCH=0 +RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone + +# Source package to patch and rebuild. Must match (or be ABI-compatible with) +# the kernel metapackage installed in the final stage. +ARG _KERNEL_SOURCE_PACKAGE=linux-hwe-6.17 + +# Enable deb-src for Ubuntu's deb822 sources file and install build deps. +RUN sed -i 's/^Types: deb$/Types: deb deb-src/' /etc/apt/sources.list.d/ubuntu.sources && \ + apt-get -y update && \ + apt-get -y --no-install-recommends install \ + ca-certificates \ + build-essential \ + fakeroot \ + devscripts \ + dpkg-dev \ + kmod \ + cpio \ + rsync \ + bc \ + bison \ + flex \ + libelf-dev \ + libssl-dev \ + libncurses-dev \ + dwarves \ + zstd \ + python3 \ + python3-debian \ + patch && \ + apt-get -y build-dep ${_KERNEL_SOURCE_PACKAGE} + +WORKDIR /build +RUN apt-get -y source ${_KERNEL_SOURCE_PACKAGE} + +COPY kernel-patches /tmp/kernel-patches + +# Apply all *.patch files in lexicographic order. Tolerate a missing/empty +# directory so that removing the patches (once upstream ships the fix) only +# requires deleting files under kernel-patches/. 
+RUN set -eux; \ + srcdir="$(find /build -maxdepth 1 -mindepth 1 -type d -name 'linux-*' | head -n1)"; \ + test -n "$srcdir"; \ + cd "$srcdir"; \ + shopt -s nullglob; \ + for p in /tmp/kernel-patches/*.patch; do \ + echo "Applying $p"; \ + patch -p1 --no-backup-if-mismatch < "$p"; \ + done; \ + # Bump the Debian changelog so the produced .debs have a distinguishable + # version string (e.g. "...+dfinity1"). Non-interactive. + EDITOR=true DEBFULLNAME="IC GuestOS build" DEBEMAIL="devnull@dfinity.org" \ + debchange --local=+dfinity "Apply DFINITY custom kernel patches." + +# Build only the amd64 "generic" flavor, skipping debug and retpoline extras +# to cut build time. Signed image packages are not produced (and not needed +# for GuestOS, which signs kernels as part of the IC image build). +RUN set -eux; \ + srcdir="$(find /build -maxdepth 1 -mindepth 1 -type d -name 'linux-*' | head -n1)"; \ + cd "$srcdir"; \ + fakeroot debian/rules clean; \ + fakeroot debian/rules binary-generic skipdbg=true skipretpoline=true + +# Collect exactly the .debs needed to boot the final image: +# linux-image-unsigned--generic (vmlinuz + core modules) +# linux-modules--generic +# linux-modules-extra--generic +RUN set -eux; \ + mkdir /debs; \ + cp /build/linux-image-unsigned-*-generic_*_amd64.deb /debs/; \ + cp /build/linux-modules-*-generic_*_amd64.deb /debs/; \ + cp /build/linux-modules-extra-*-generic_*_amd64.deb /debs/; \ + ls -la /debs + # # Second build stage: # - Download and cache minimal Ubuntu Server 24.04 LTS Docker image 
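Review bot: The patch loop in the kernel-build stage runs `patch -p1 --no-backup-if-mismatch` with GNU patch's default fuzz, while `apt-get -y source ${_KERNEL_SOURCE_PACKAGE}` fetches whichever linux-hwe-6.17 version the archive serves at build time. A later source upload could therefore let a hunk land with fuzz or an offset instead of failing the build. For a memory-management race fix I would make application strict, `patch -p1 --fuzz=0 --no-backup-if-mismatch < "$p"`, and pin the source through a new build argument, `apt-get -y source ${_KERNEL_SOURCE_PACKAGE}=${_KERNEL_SOURCE_VERSION}`. Separately, the collect step's `linux-modules-*-generic_*_amd64.deb` glob also matches the modules-extra package, which looks harmless but makes the "exactly the .debs needed" comment slightly inaccurate.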
@@ -53,18 +142,21 @@ ENV TZ=UTC # For the dev image, use both "packages.common" and "packages.dev" -- this can # be set via docker build args (see above). ARG PACKAGE_FILES=packages.common -# The kernel is installed here to keep the extra modules in sync. -# Unfortunately, there is no metapackage to track the extra modules that does -# not also include firmware. -ARG _KERNEL_PACKAGE=linux-image-virtual-hwe-24.04 +# The kernel is installed from locally built .deb packages produced by the +# kernel-build stage above, so that we can carry patches on top of Ubuntu's +# linux-hwe-6.17. The linux-image, linux-modules and linux-modules-extra +# packages are installed together to keep the extra modules in sync with the +# kernel ABI. RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone COPY packages.* /tmp/ +COPY --from=kernel-build /debs /tmp/kernel-debs RUN apt-get -y update && \ apt-get -y upgrade && \ apt-get -y --no-install-recommends install $(for P in ${PACKAGE_FILES}; do cat /tmp/$P | sed -e "s/#.*//" ; done) \ - ${_KERNEL_PACKAGE} \ - linux-modules-extra-$(apt-cache depends ${_KERNEL_PACKAGE} | sed -n -e 's/ Depends: linux-image-\(.*\)-generic/\1/p')-generic && \ - rm /tmp/packages.* + /tmp/kernel-debs/linux-image-unsigned-*-generic_*_amd64.deb \ + /tmp/kernel-debs/linux-modules-*-generic_*_amd64.deb \ + /tmp/kernel-debs/linux-modules-extra-*-generic_*_amd64.deb && \ + rm -rf /tmp/packages.* /tmp/kernel-debs # Install node_exporter COPY --from=download /tmp/node_exporter-1.10.2.linux-amd64.tar.gz /tmp/node_exporter-1.10.2.linux-amd64.tar.gz diff --git a/ic-os/guestos/context/kernel-patches/0001-mm-huge_memory-fix-folio_split-race-condition.patch b/ic-os/guestos/context/kernel-patches/0001-mm-huge_memory-fix-folio_split-race-condition.patch new file mode 100644 index 000000000000..5a167c2d7e35 --- /dev/null +++ b/ic-os/guestos/context/kernel-patches/0001-mm-huge_memory-fix-folio_split-race-condition.patch 
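Review bot: Nothing in the final-stage install keeps the patched kernel in place once it is installed: the three `/tmp/kernel-debs/*.deb` files are handed to `apt-get install` by glob, and a later `apt-get upgrade` in this or a derived image could, as far as I can tell, replace a `+dfinity` build with a higher-versioned stock package of the same name. I would hold the packages in the same RUN, e.g. `apt-mark hold $(dpkg-query -W -f='${Package}\n' 'linux-image-unsigned-*' 'linux-modules-*')`, with a comment saying why. Also, `COPY --from=kernel-build /debs /tmp/kernel-debs` is its own layer, so the `rm -rf` in the following RUN does not remove the .debs from the image unless the base image is flattened later; a bind mount from the kernel-build stage on that RUN would avoid carrying them.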
@@ -0,0 +1,56 @@ +From 03b75f017ffe6cf556fefbd44f44655bf4a9af48 Mon Sep 17 00:00:00 2001 +From: Zi Yan +Date: Fri, 27 Feb 2026 14:11:36 -0500 +Subject: [PATCH] mm/huge_memory: fix folio_split() race condition with + folio_try_get() + +During a pagecache folio split, the values in the related xarray should not +be changed from the original folio at xarray split time until all +after-split folios are ready and stored in the xarray. Otherwise, a +parallel folio_try_get() can see stale values in the xarray and a stale +value can be a unfrozen after-split folio. This leads to a wrong folio +returned to userspace. + +Backport of upstream commit 577a1f495fd78d8fb61b67ac3d3b595b01f6fcb0 +(merged in mainline v7.0-rc4, 2026-03; also applied to linux-6.18.y as +08b2b65c63bb26dbb2a4e2adc2ce96e2929b8b60 on 2026-03-25). + +As of 2026-04-20, the fix has NOT yet reached Ubuntu's linux-hwe-6.17 +package on noble (24.04). Reported against the IC GuestOS by +Bas van Dijk ; reproducer at +https://github.com/dfinity/thp-madv-remove-test. + +Signed-off-by: Zi Yan +--- + mm/huge_memory.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index d4ca8cfd7f9d..3d5bf3bb8a3e 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -3628,6 +3628,7 @@ static int __split_unmapped_folio(struct folio *folio, int new_order, + const bool is_anon = folio_test_anon(folio); + int old_order = folio_order(folio); + int start_order = split_type == SPLIT_TYPE_UNIFORM ? 
new_order : old_order - 1; ++ struct folio *origin_folio = folio; + int split_order; + + /* +@@ -3653,7 +3654,13 @@ static int __split_unmapped_folio(struct folio *folio, int new_order, + xas_split(xas, folio, old_order); + else { + xas_set_order(xas, folio->index, split_order); +- xas_try_split(xas, folio, old_order); ++ /* ++ * use the original folio, so that a parallel ++ * folio_try_get() waits on it until xarray is ++ * updated with after-split folios and ++ * the original one is unfreezed ++ */ ++ xas_try_split(xas, origin_folio, old_order); + if (xas_error(xas)) + return xas_error(xas); + } +-- +2.51.0 diff --git a/ic-os/guestos/context/kernel-patches/README.md b/ic-os/guestos/context/kernel-patches/README.md new file mode 100644 index 000000000000..e1b77b9ea839 --- /dev/null +++ b/ic-os/guestos/context/kernel-patches/README.md 
@@ -0,0 +1,25 @@ +# GuestOS kernel patches + +Patches in this directory are applied (in lexicographic order) to Ubuntu's +`linux-hwe-6.17` source package in the `kernel-build` stage of +`Dockerfile.base`. The resulting `.deb` packages replace the stock kernel in +the final GuestOS base image. + +## Conventions + +- Name patches `NNNN-short-description.patch` so they apply in a deterministic + order. +- Each patch file must be a single-commit `git format-patch` output and apply + with `patch -p1` from the root of the kernel source tree. +- Include in the commit message: the upstream mainline commit SHA, the + upstream stable branch it has (or has not) landed on, and the reason for + carrying the patch locally. +- Remove a patch once it is no longer necessary (i.e. the Ubuntu package in + use already contains the fix). + +## Current patches + +- `0001-mm-huge_memory-fix-folio_split-race-condition.patch` — backport of + upstream `577a1f495fd78d8fb61b67ac3d3b595b01f6fcb0` ("mm/huge_memory: fix a + folio_split() race condition with folio_try_get()"). Drop once the Ubuntu + kernel in use (`linux-hwe-6.17` or a newer HWE track) ships this fix. From d064a9fc79a66a3d4b022cdec4d18b85961ec7fa Mon Sep 17 00:00:00 2001 From: Bas van Dijk Date: Mon, 20 Apr 2026 19:14:18 +0000 Subject: [PATCH 2/6] fix(guestos): use dash-compatible patch loop in kernel-build stage The base image's /bin/sh is dash, which does not support 'shopt -s nullglob'. Replace it with an explicit '[ -e "$p" ] || continue' guard so the loop tolerates an empty kernel-patches/ directory without relying on bash. Also remove inline '#' comments from inside the RUN command. Because Docker's backslash continuation collapses the RUN body into a single shell line, those '#' comments were silently commenting out everything that followed, including the 'debchange' invocation. --- ic-os/guestos/context/Dockerfile.base | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
diff --git a/ic-os/guestos/context/Dockerfile.base b/ic-os/guestos/context/Dockerfile.base index a0a6844203e0..bad0dccd938c 100644 --- a/ic-os/guestos/context/Dockerfile.base +++ b/ic-os/guestos/context/Dockerfile.base @@ -90,17 +90,18 @@ COPY kernel-patches /tmp/kernel-patches # Apply all *.patch files in lexicographic order. Tolerate a missing/empty # directory so that removing the patches (once upstream ships the fix) only # requires deleting files under kernel-patches/. +# +# Note: /bin/sh in the base image is dash, which does not support "shopt", so +# we iterate explicitly and skip the loop when no *.patch files exist. RUN set -eux; \ srcdir="$(find /build -maxdepth 1 -mindepth 1 -type d -name 'linux-*' | head -n1)"; \ test -n "$srcdir"; \ cd "$srcdir"; \ - shopt -s nullglob; \ for p in /tmp/kernel-patches/*.patch; do \ + [ -e "$p" ] || continue; \ echo "Applying $p"; \ patch -p1 --no-backup-if-mismatch < "$p"; \ done; \ - # Bump the Debian changelog so the produced .debs have a distinguishable - # version string (e.g. "...+dfinity1"). Non-interactive. EDITOR=true DEBFULLNAME="IC GuestOS build" DEBEMAIL="devnull@dfinity.org" \ debchange --local=+dfinity "Apply DFINITY custom kernel patches." From dd4f8024da5d6adba572ecd41b598a01e7d743fb Mon Sep 17 00:00:00 2001 
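Review bot: With the `[ -e "$p" ] || continue` guard an empty kernel-patches/ directory passes silently, yet `debchange --local=+dfinity "Apply DFINITY custom kernel patches."` still runs, so a `+dfinity` version string does not tell an auditor whether, or which, patches went into the kernel. Consider initialising `applied="";` before the loop, appending `applied="$applied $(basename "$p")";` inside it, and putting that list in the changelog text (or skipping the bump when it is empty). The new dash note is useful; I would add one more comment line saying that `#` comments must stay outside the RUN body, since that is the other failure this commit fixes.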
From: Bas van Dijk Date: Mon, 20 Apr 2026 19:22:08 +0000 Subject: [PATCH 3/6] fix(guestos): adapt folio_split patch to Ubuntu linux-hwe-6.17 tree The upstream patch (Zi Yan) was generated against mainline 6.17.13, which already contains the __split_unmapped_folio() refactor with SPLIT_TYPE_UNIFORM / folio_split_supported(). Ubuntu's linux-hwe-6.17 6.17.0-22.22~24.04.1 predates that refactor and still uses the 'bool uniform_split' signature, so the original hunks did not apply. Regenerate the hunks against Ubuntu's actual mm/huge_memory.c. The semantic change is identical: introduce 'origin_folio = folio' at the top of __split_unmapped_folio() and pass it to xas_try_split() so that a concurrent folio_try_get() waits on the original folio until the xarray has been fully updated with the after-split folios. --- ...emory-fix-folio_split-race-condition.patch | 36 ++++++++++--------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/ic-os/guestos/context/kernel-patches/0001-mm-huge_memory-fix-folio_split-race-condition.patch b/ic-os/guestos/context/kernel-patches/0001-mm-huge_memory-fix-folio_split-race-condition.patch index 5a167c2d7e35..5d89fb9d49c9 100644 --- a/ic-os/guestos/context/kernel-patches/0001-mm-huge_memory-fix-folio_split-race-condition.patch +++ b/ic-os/guestos/context/kernel-patches/0001-mm-huge_memory-fix-folio_split-race-condition.patch 
@@ -1,4 +1,4 @@ -From 03b75f017ffe6cf556fefbd44f44655bf4a9af48 Mon Sep 17 00:00:00 2001 +]633;E;cat <<'HEADER'\x0aFrom 03b75f017ffe6cf556fefbd44f44655bf4a9af48 Mon Sep 17 00:00:00 2001\x0aFrom: Zi Yan \x0aDate: Fri, 27 Feb 2026 14:11:36 -0500\x0aSubject: [PATCH] mm/huge_memory: fix folio_split() race condition with\x0a folio_try_get()\x0a\x0aDuring a pagecache folio split, the values in the related xarray should not\x0abe changed from the original folio at xarray split time until all\x0aafter-split folios are ready and stored in the xarray. Otherwise, a\x0aparallel folio_try_get() can see stale values in the xarray and a stale\x0avalue can be a unfrozen after-split folio. This leads to a wrong folio\x0areturned to userspace.\x0a\x0aBackport of upstream commit 577a1f495fd78d8fb61b67ac3d3b595b01f6fcb0\x0a(merged in mainline v7.0-rc4, 2026-03\x3b also applied to linux-6.18.y as\x0a08b2b65c63bb26dbb2a4e2adc2ce96e2929b8b60 on 2026-03-25). Adapted to\x0aUbuntu's linux-hwe-6.17 6.17.0-22.22~24.04.1 tree, which predates the\x0aupstream __split_unmapped_folio() refactor that introduced SPLIT_TYPE_*\x0aand folio_split_supported()\x3b the fix itself is identical in effect.\x0a\x0aAs of 2026-04-20, the fix has NOT yet reached Ubuntu's linux-hwe-6.17\x0apackage on noble (24.04). Reported against the IC GuestOS by\x0aBas van Dijk \x3b reproducer at\x0ahttps://github.com/dfinity/thp-madv-remove-test.\x0a\x0aSigned-off-by: Zi Yan \x0a---\x0a mm/huge_memory.c | 9 ++++++++-\x0a 1 file changed, 8 insertions(+), 1 deletion(-)\x0a\x0adiff --git a/mm/huge_memory.c b/mm/huge_memory.c\x0a--- a/mm/huge_memory.c\x0a+++ b/mm/huge_memory.c\x0aHEADER\x0a;8240f2f2-5632-44e0-a1a2-5d0a94045861]633;CFrom 03b75f017ffe6cf556fefbd44f44655bf4a9af48 Mon Sep 17 00:00:00 2001 From: Zi Yan Date: Fri, 27 Feb 2026 14:11:36 -0500 Subject: [PATCH] mm/huge_memory: fix folio_split() race condition with 
@@ -13,7 +13,10 @@ returned to userspace. Backport of upstream commit 577a1f495fd78d8fb61b67ac3d3b595b01f6fcb0 (merged in mainline v7.0-rc4, 2026-03; also applied to linux-6.18.y as -08b2b65c63bb26dbb2a4e2adc2ce96e2929b8b60 on 2026-03-25). +08b2b65c63bb26dbb2a4e2adc2ce96e2929b8b60 on 2026-03-25). Adapted to +Ubuntu's linux-hwe-6.17 6.17.0-22.22~24.04.1 tree, which predates the +upstream __split_unmapped_folio() refactor that introduced SPLIT_TYPE_* +and folio_split_supported(); the fix itself is identical in effect. As of 2026-04-20, the fix has NOT yet reached Ubuntu's linux-hwe-6.17 package on noble (24.04). Reported against the IC GuestOS by @@ -26,31 +29,30 @@ Signed-off-by: Zi Yan 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/mm/huge_memory.c b/mm/huge_memory.c -index d4ca8cfd7f9d..3d5bf3bb8a3e 100644 --- a/mm/huge_memory.c 
+++ b/mm/huge_memory.c -@@ -3628,6 +3628,7 @@ static int __split_unmapped_folio(struct folio *folio, int new_order, - const bool is_anon = folio_test_anon(folio); - int old_order = folio_order(folio); - int start_order = split_type == SPLIT_TYPE_UNIFORM ? new_order : old_order - 1; +@@ -3422,6 +3422,7 @@ + { + int order = folio_order(folio); + int start_order = uniform_split ? new_order : order - 1; + struct folio *origin_folio = folio; + bool stop_split = false; + struct folio *next; int split_order; - - /* -@@ -3653,7 +3654,13 @@ static int __split_unmapped_folio(struct folio *folio, int new_order, +@@ -3459,7 +3460,13 @@ xas_split(xas, folio, old_order); else { xas_set_order(xas, folio->index, split_order); - xas_try_split(xas, folio, old_order); + /* -+ * use the original folio, so that a parallel -+ * folio_try_get() waits on it until xarray is -+ * updated with after-split folios and -+ * the original one is unfreezed ++ * use the original folio, so that a ++ * parallel folio_try_get() waits on it ++ * until xarray is updated with after-split ++ * folios and the original one is unfreezed + */ + xas_try_split(xas, origin_folio, old_order); - if (xas_error(xas)) - return xas_error(xas); - } + if (xas_error(xas)) { + ret = xas_error(xas); + stop_split = true; -- 2.51.0 From 24701c5fed473a557aea48521838fe619f94257d Mon Sep 17 00:00:00 2001 
From: Bas van Dijk Date: Mon, 20 Apr 2026 19:24:05 +0000 Subject: [PATCH 4/6] fix(guestos): strip stray terminal escape sequence from patch header The previous commit accidentally embedded a shell-integration OSC 633 escape sequence at the start of the patch file (captured from the terminal when a heredoc was redirected to the file). GNU patch happens to ignore leading junk before the first 'From ' / 'diff --git' marker, but the file was not a clean git-format-patch output. Replace the garbled first line with a proper 'From Mon Sep 17 ...' header so the file is a valid mailbox-style patch. --- .../0001-mm-huge_memory-fix-folio_split-race-condition.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ic-os/guestos/context/kernel-patches/0001-mm-huge_memory-fix-folio_split-race-condition.patch b/ic-os/guestos/context/kernel-patches/0001-mm-huge_memory-fix-folio_split-race-condition.patch index 5d89fb9d49c9..091b905c0555 100644 --- a/ic-os/guestos/context/kernel-patches/0001-mm-huge_memory-fix-folio_split-race-condition.patch +++ b/ic-os/guestos/context/kernel-patches/0001-mm-huge_memory-fix-folio_split-race-condition.patch 
@@ -1,4 +1,4 @@ -]633;E;cat <<'HEADER'\x0aFrom 03b75f017ffe6cf556fefbd44f44655bf4a9af48 Mon Sep 17 00:00:00 2001\x0aFrom: Zi Yan \x0aDate: Fri, 27 Feb 2026 14:11:36 -0500\x0aSubject: [PATCH] mm/huge_memory: fix folio_split() race condition with\x0a folio_try_get()\x0a\x0aDuring a pagecache folio split, the values in the related xarray should not\x0abe changed from the original folio at xarray split time until all\x0aafter-split folios are ready and stored in the xarray. Otherwise, a\x0aparallel folio_try_get() can see stale values in the xarray and a stale\x0avalue can be a unfrozen after-split folio. This leads to a wrong folio\x0areturned to userspace.\x0a\x0aBackport of upstream commit 577a1f495fd78d8fb61b67ac3d3b595b01f6fcb0\x0a(merged in mainline v7.0-rc4, 2026-03\x3b also applied to linux-6.18.y as\x0a08b2b65c63bb26dbb2a4e2adc2ce96e2929b8b60 on 2026-03-25). Adapted to\x0aUbuntu's linux-hwe-6.17 6.17.0-22.22~24.04.1 tree, which predates the\x0aupstream __split_unmapped_folio() refactor that introduced SPLIT_TYPE_*\x0aand folio_split_supported()\x3b the fix itself is identical in effect.\x0a\x0aAs of 2026-04-20, the fix has NOT yet reached Ubuntu's linux-hwe-6.17\x0apackage on noble (24.04). Reported against the IC GuestOS by\x0aBas van Dijk \x3b reproducer at\x0ahttps://github.com/dfinity/thp-madv-remove-test.\x0a\x0aSigned-off-by: Zi Yan \x0a---\x0a mm/huge_memory.c | 9 ++++++++-\x0a 1 file changed, 8 insertions(+), 1 deletion(-)\x0a\x0adiff --git a/mm/huge_memory.c b/mm/huge_memory.c\x0a--- a/mm/huge_memory.c\x0a+++ b/mm/huge_memory.c\x0aHEADER\x0a;8240f2f2-5632-44e0-a1a2-5d0a94045861]633;CFrom 03b75f017ffe6cf556fefbd44f44655bf4a9af48 Mon Sep 17 00:00:00 2001 +From 03b75f017ffe6cf556fefbd44f44655bf4a9af48 Mon Sep 17 00:00:00 2001 From: Zi Yan Date: Fri, 27 Feb 2026 14:11:36 -0500 Subject: [PATCH] mm/huge_memory: fix folio_split() race condition with From 6dc569fac6348889c1182b1b978785d9421b1257 Mon Sep 17 00:00:00 2001 
From: Bas van Dijk Date: Mon, 20 Apr 2026 21:05:23 +0000 Subject: [PATCH 5/6] build(guestos): parallelize custom kernel compilation Set DEB_BUILD_OPTIONS=parallel=$(nproc) so Ubuntu's debian/rules fans the kernel build out across all available CPUs. Without this the build runs serially and on a 2-vCPU GitHub-hosted runner exceeds the container-base-images job timeout. --- ic-os/guestos/context/Dockerfile.base | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ic-os/guestos/context/Dockerfile.base b/ic-os/guestos/context/Dockerfile.base index bad0dccd938c..0a862d2eb6de 100644 --- a/ic-os/guestos/context/Dockerfile.base +++ b/ic-os/guestos/context/Dockerfile.base @@ -108,9 +108,11 @@ RUN set -eux; \ # Build only the amd64 "generic" flavor, skipping debug and retpoline extras # to cut build time. Signed image packages are not produced (and not needed # for GuestOS, which signs kernels as part of the IC image build). +# DEB_BUILD_OPTIONS=parallel=N makes debian/rules fan out to $(nproc) jobs. RUN set -eux; \ srcdir="$(find /build -maxdepth 1 -mindepth 1 -type d -name 'linux-*' | head -n1)"; \ cd "$srcdir"; \ + export DEB_BUILD_OPTIONS="parallel=$(nproc)"; \ fakeroot debian/rules clean; \ fakeroot debian/rules binary-generic skipdbg=true skipretpoline=true From cda093c702d185879a3cd22ba3ff7359ca134809 Mon Sep 17 00:00:00 2001 From: Bas van Dijk Date: Mon, 20 Apr 2026 21:06:11 +0000 Subject: [PATCH 6/6] bump timeout --- .github/workflows/container-base-images.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/container-base-images.yml b/.github/workflows/container-base-images.yml index 51b8c5d03be3..cb2e97edb0fb 100644 --- a/.github/workflows/container-base-images.yml +++ b/.github/workflows/container-base-images.yml 
@@ -22,7 +22,10 @@ jobs: build-base-image: name: Build Base Container Image runs-on: ubuntu-latest - timeout-minutes: 45 + # The guestos-base images build a custom kernel from Ubuntu sources + # (see ic-os/guestos/context/Dockerfile.base), which on a 2-vCPU + # GitHub-hosted runner can take well over an hour. + timeout-minutes: 180 permissions: packages: write contents: write