From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com, Stoiko Ivanov <s.ivanov@proxmox.com>
Subject: applied: [PATCH zfsonlinux] add patch kernel panic on cgroup-OOM kill
Date: Thu, 07 May 2026 10:44:16 +0200
Message-ID: <1778143439.71thxxwf8r.astroid@yuna.none>
In-Reply-To: <20260428111513.1115719-1-s.ivanov@proxmox.com>

with patch re-numbered, thanks!

On April 28, 2026 1:14 pm, Stoiko Ivanov wrote:
> We had reports in our community forum of users running into this
> issue:
> https://forum.proxmox.com/threads/182885/
> https://forum.proxmox.com/threads/182232/
>
> The patch was a clean cherry-pick from upstream's master-branch:
> https://github.com/openzfs/zfs/pull/18408
>
> I managed to reproduce the panic with the reproducer from:
> https://github.com/openzfs/zfs/issues/15918#issuecomment-4180950007
> without this patch. After applying it, running the reproducer 100 times
> in a loop did not cause the panic to occur.
>
> Suggested-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
> ...0018-Fix-kernel-BUG-at-mm-usercopy.c.patch | 62 +++++++++++++++++++
> debian/patches/series | 1 +
> 2 files changed, 63 insertions(+)
> create mode 100644 debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch
>
> diff --git a/debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch b/debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch
> new file mode 100644
> index 000000000..2e074ee3e
> --- /dev/null
> +++ b/debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch
> @@ -0,0 +1,62 @@
> +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
> +From: Tony Hutter <hutter2@llnl.gov>
> +Date: Thu, 23 Apr 2026 10:52:19 -0700
> +Subject: [PATCH] Fix 'kernel BUG at mm/usercopy.c'
> +
> +Fix a bug where an cgroup-OOM-killed process can cause a panic:
> +
> +usercopy: Kernel memory exposure attempt detected from vmalloc (offset
> +1007584, size 217120)!
> +kernel BUG at mm/usercopy.c:102!
> +
> +This was caused by zfs_uiomove() not correctly returning EFAULT
> +for short copies.
> +
> +Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
> +Signed-off-by: Tony Hutter <hutter2@llnl.gov>
> +Closes #15918
> +Closes #18408
> +(cherry picked from commit fc6aa4369ef79bde105a359019575d9103541287)
> +Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> +---
> + module/os/linux/zfs/zfs_uio.c | 13 ++++++++++---
> + 1 file changed, 10 insertions(+), 3 deletions(-)
> +
> +diff --git a/module/os/linux/zfs/zfs_uio.c b/module/os/linux/zfs/zfs_uio.c
> +index 8f9b161995f4e1d8cbbe457683879e0c343b2731..bfce9e6b52022f989f8108fdcfa4600278f0934d 100644
> +--- a/module/os/linux/zfs/zfs_uio.c
> ++++ b/module/os/linux/zfs/zfs_uio.c
> +@@ -234,6 +234,8 @@ zfs_uiomove_iter(void *p, size_t n, zfs_uio_rw_t rw, zfs_uio_t *uio,
> + boolean_t revert)
> + {
> + size_t cnt = MIN(n, uio->uio_resid);
> ++ size_t oldcnt = cnt;
> ++ int error = 0;
> +
> + if (rw == UIO_READ)
> + cnt = copy_to_iter(p, cnt, uio->uio_iter);
> +@@ -249,16 +251,21 @@ zfs_uiomove_iter(void *p, size_t n, zfs_uio_rw_t rw, zfs_uio_t *uio,
> + return (EFAULT);
> +
> + /*
> +- * Revert advancing the uio_iter. This is set by zfs_uiocopy()
> +- * to avoid consuming the uio and its iov_iter structure.
> ++ * When revert is set this is a zfs_uiocopy() which should not
> ++ * consume the uio and its iov_iter structure. Otherwise, it's
> ++ * a zfs_uiomove() which is expected to update the uio. Partial
> ++ * copies are allowed for both copy and move but EFAULT should
> ++ * be returned for zfs_uiomove().
> + */
> + if (revert)
> + iov_iter_revert(uio->uio_iter, cnt);
> ++ else if (cnt != oldcnt)
> ++ error = EFAULT;
> +
> + uio->uio_resid -= cnt;
> + uio->uio_loffset += cnt;
> +
> +- return (0);
> ++ return (error);
> + }
> +
> + int
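Review bot: in the second zfs_uio.c hunk, the new `else if (cnt != oldcnt) error = EFAULT;` branch still falls through to `uio->uio_resid -= cnt;` and `uio->uio_loffset += cnt;`, so a short zfs_uiomove() now returns EFAULT with the uio already advanced by the partial count. The rewritten comment suggests this is intended ("Partial copies are allowed for both copy and move"), but it should say explicitly that uio_resid and uio_loffset reflect the bytes actually copied when EFAULT is returned, so callers do not assume that nothing was transferred. The revert path keeps returning 0 on a short copy, since `error` is only set in the else branch; the commit message only mentions zfs_uiomove(), and a sentence stating that zfs_uiocopy() behaviour is unchanged would make that clear. `oldcnt` would also read better under a name that says it is the requested length before copy_to_iter() overwrites `cnt`.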
> diff --git a/debian/patches/series b/debian/patches/series
> index a437c55e1..130039725 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -15,3 +15,4 @@
> 0015-Linux-7.0-autoconf-Remove-copy-from-user-inatomic-AP.patch
> 0016-Linux-7.0-ensure-LSMs-get-to-process-mount-options.patch
> 0017-Linux-7.0-compat-META.patch
> +0018-Fix-kernel-BUG-at-mm-usercopy.c.patch
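Review bot: the series line added at the end of this hunk has to match the name of the patch file created above, and both currently carry the 0018 prefix directly after 0017. If the patch is given a different number when it is applied, the file name under debian/patches/ and this series entry need to change together, otherwise the series entry points at a file that does not exist.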
> --
> 2.47.3