From: Fabian Grünbichler
Date: Thu, 07 May 2026 10:44:16 +0200
Subject: applied: [PATCH zfsonlinux] add patch kernel panic on cgroup-OOM kill
To: pve-devel@lists.proxmox.com, Stoiko Ivanov
In-Reply-To: <20260428111513.1115719-1-s.ivanov@proxmox.com>
Message-Id: <1778143439.71thxxwf8r.astroid@yuna.none>
List-Id: Proxmox VE development discussion

with patch re-numbered, thanks!

On April 28, 2026 1:14 pm, Stoiko Ivanov wrote:
> We had reports in our community forum of users running into this
> issue:
> https://forum.proxmox.com/threads/182885/
> https://forum.proxmox.com/threads/182232/
>
> The patch was a clean cherry-pick from upstream's master-branch:
> https://github.com/openzfs/zfs/pull/18408
>
> I managed to reproduce the panic with the reproducer from:
> https://github.com/openzfs/zfs/issues/15918#issuecomment-4180950007
> without this patch. After applying it running the reproducer 100 times
> in a loop did not cause the panic to occur.
>
> Suggested-by: Fabian Grünbichler
> Signed-off-by: Stoiko Ivanov
> ---
>  ...0018-Fix-kernel-BUG-at-mm-usercopy.c.patch | 62 +++++++++++++++++++
>  debian/patches/series                         |  1 +
>  2 files changed, 63 insertions(+)
>  create mode 100644 debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch
>
> diff --git a/debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch b/= debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch > new file mode 100644 > index 000000000..2e074ee3e 
> --- /dev/null > +++ b/debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch 
> @@ -0,0 +1,62 @@ > +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 > +From: Tony Hutter > +Date: Thu, 23 Apr 2026 10:52:19 -0700 > +Subject: [PATCH] Fix 'kernel BUG at mm/usercopy.c' > + > +Fix a bug where an cgroup-OOM-killed process can cause a panic: > + > +usercopy: Kernel memory exposure attempt detected from vmalloc (offset > +1007584, size 217120)! > +kernel BUG at mm/usercopy.c:102! > + > +This was caused by zfs_uiomove() not correctly returning EFAULT > +for short copies. > + > +Reviewed-by: Brian Behlendorf > +Signed-off-by: Tony Hutter > +Closes #15918 > +Closes #18408 > +(cherry picked from commit fc6aa4369ef79bde105a359019575d9103541287) > +Signed-off-by: Stoiko Ivanov > +--- > + module/os/linux/zfs/zfs_uio.c | 13 ++++++++++--- > + 1 file changed, 10 insertions(+), 3 deletions(-) > + > +diff --git a/module/os/linux/zfs/zfs_uio.c b/module/os/linux/zfs/zfs_uio= .c > +index 8f9b161995f4e1d8cbbe457683879e0c343b2731..bfce9e6b52022f989f8108fd= cfa4600278f0934d 100644 > +--- a/module/os/linux/zfs/zfs_uio.c > ++++ b/module/os/linux/zfs/zfs_uio.c > +@@ -234,6 +234,8 @@ zfs_uiomove_iter(void *p, size_t n, zfs_uio_rw_t rw,= zfs_uio_t *uio, > + boolean_t revert) > + { > + size_t cnt =3D MIN(n, uio->uio_resid); > ++ size_t oldcnt =3D cnt; > ++ int error =3D 0; > +=20 > + if (rw =3D=3D UIO_READ) > + cnt =3D copy_to_iter(p, cnt, uio->uio_iter); > +@@ -249,16 +251,21 @@ zfs_uiomove_iter(void *p, size_t n, zfs_uio_rw_t r= w, zfs_uio_t *uio, > + return (EFAULT); > +=20 > + /* > +- * Revert advancing the uio_iter. This is set by zfs_uiocopy() > +- * to avoid consuming the uio and its iov_iter structure. > ++ * When revert is set this is a zfs_uiocopy() which should not > ++ * consume the uio and its iov_iter structure. Otherwise, it's > ++ * a zfs_uiomove() which is expected to update the uio. Partial > ++ * copies are allowed for both copy and move but EFAULT should > ++ * be returned for zfs_uiomove(). 
> + */ > + if (revert) > + iov_iter_revert(uio->uio_iter, cnt); > ++ else if (cnt !=3D oldcnt) > ++ error =3D EFAULT; > +=20 > + uio->uio_resid -=3D cnt; > + uio->uio_loffset +=3D cnt; > +=20 > +- return (0); > ++ return (error); > + } > +=20 > + int > diff --git a/debian/patches/series b/debian/patches/series > index a437c55e1..130039725 100644 > --- a/debian/patches/series > +++ b/debian/patches/series > @@ -15,3 +15,4 @@ > 0015-Linux-7.0-autoconf-Remove-copy-from-user-inatomic-AP.patch > 0016-Linux-7.0-ensure-LSMs-get-to-process-mount-options.patch > 0017-Linux-7.0-compat-META.patch > +0018-Fix-kernel-BUG-at-mm-usercopy.c.patch > --=20 > 2.47.3 >=20 >=20 >=20 >=20 >=20 >=20
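Review bot: In the first zfs_uio.c hunk (@@ -234,6 +234,8) `oldcnt` is taken after `cnt = MIN(n, uio->uio_resid)`, so the short-copy test added further down compares against the clamped length, not the caller's `n`, and that deserves a comment on the declaration. Without it a later reader could "correct" the comparison to `n`, which would turn every request larger than `uio_resid` into EFAULT. A more descriptive name than `oldcnt` (for example `requested`) would carry the same information.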
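Review bot: In the second zfs_uio.c hunk (@@ -249,16 +251,21) the new `else if (cnt != oldcnt) error = EFAULT;` branch still falls through to `uio->uio_resid -= cnt;` and `uio->uio_loffset += cnt;`, so zfs_uiomove() now returns EFAULT with the uio already advanced by the bytes that were copied, and the rewritten comment does not say so. It states that partial copies are allowed and that EFAULT should be returned for zfs_uiomove(), but a caller reading it cannot tell whether resid/loffset are unchanged on that error. Suggest adding a sentence that on a short move the uio reflects the partial transfer, and another that the `revert` branch deliberately keeps returning 0 on a short copy, since that asymmetry is easy to miss.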