From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH zfsonlinux] add patch kernel panic on cgroup-OOM kill
Date: Tue, 28 Apr 2026 13:14:52 +0200
Message-ID: <20260428111513.1115719-1-s.ivanov@proxmox.com>
We had reports in our community forum of users running into this
issue:
https://forum.proxmox.com/threads/182885/
https://forum.proxmox.com/threads/182232/
The patch was a clean cherry-pick from upstream's master-branch:
https://github.com/openzfs/zfs/pull/18408
I managed to reproduce the panic with the reproducer from:
https://github.com/openzfs/zfs/issues/15918#issuecomment-4180950007
without this patch. After applying it, running the reproducer 100 times
in a loop did not cause the panic to occur.
Suggested-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
...0018-Fix-kernel-BUG-at-mm-usercopy.c.patch | 62 +++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 63 insertions(+)
create mode 100644 debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch
diff --git a/debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch b/debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch
new file mode 100644
index 000000000..2e074ee3e
--- /dev/null
+++ b/debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch
@@ -0,0 +1,62 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tony Hutter <hutter2@llnl.gov>
+Date: Thu, 23 Apr 2026 10:52:19 -0700
+Subject: [PATCH] Fix 'kernel BUG at mm/usercopy.c'
+
+Fix a bug where an cgroup-OOM-killed process can cause a panic:
+
+usercopy: Kernel memory exposure attempt detected from vmalloc (offset
+1007584, size 217120)!
+kernel BUG at mm/usercopy.c:102!
+
+This was caused by zfs_uiomove() not correctly returning EFAULT
+for short copies.
+
+Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
+Signed-off-by: Tony Hutter <hutter2@llnl.gov>
+Closes #15918
+Closes #18408
+(cherry picked from commit fc6aa4369ef79bde105a359019575d9103541287)
+Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
+---
+ module/os/linux/zfs/zfs_uio.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/module/os/linux/zfs/zfs_uio.c b/module/os/linux/zfs/zfs_uio.c
+index 8f9b161995f4e1d8cbbe457683879e0c343b2731..bfce9e6b52022f989f8108fdcfa4600278f0934d 100644
+--- a/module/os/linux/zfs/zfs_uio.c
++++ b/module/os/linux/zfs/zfs_uio.c
+@@ -234,6 +234,8 @@ zfs_uiomove_iter(void *p, size_t n, zfs_uio_rw_t rw, zfs_uio_t *uio,
+ boolean_t revert)
+ {
+ size_t cnt = MIN(n, uio->uio_resid);
++ size_t oldcnt = cnt;
++ int error = 0;
+
+ if (rw == UIO_READ)
+ cnt = copy_to_iter(p, cnt, uio->uio_iter);
+@@ -249,16 +251,21 @@ zfs_uiomove_iter(void *p, size_t n, zfs_uio_rw_t rw, zfs_uio_t *uio,
+ return (EFAULT);
+
+ /*
+- * Revert advancing the uio_iter. This is set by zfs_uiocopy()
+- * to avoid consuming the uio and its iov_iter structure.
++ * When revert is set this is a zfs_uiocopy() which should not
++ * consume the uio and its iov_iter structure. Otherwise, it's
++ * a zfs_uiomove() which is expected to update the uio. Partial
++ * copies are allowed for both copy and move but EFAULT should
++ * be returned for zfs_uiomove().
+ */
+ if (revert)
+ iov_iter_revert(uio->uio_iter, cnt);
++ else if (cnt != oldcnt)
++ error = EFAULT;
+
+ uio->uio_resid -= cnt;
+ uio->uio_loffset += cnt;
+
+- return (0);
++ return (error);
+ }
+
+ int
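Review bot: In the embedded zfs_uio.c change, the new "else if (cnt != oldcnt) error = EFAULT;" branch still falls through to "uio->uio_resid -= cnt;" and "uio->uio_loffset += cnt;", so a short zfs_uiomove() now returns EFAULT with the uio already advanced by the bytes that were copied, and the rewritten comment does not say so. Please extend the comment to state that resid and loffset reflect the partial copy when EFAULT is returned, so that callers know not to treat the uio as untouched on error. The revert branch still returns 0 when cnt is smaller than oldcnt; the comment says partial copies are allowed there, but how a zfs_uiocopy() caller learns the number of bytes copied is not visible in these lines and deserves a sentence as well.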
diff --git a/debian/patches/series b/debian/patches/series
index a437c55e1..130039725 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,4 @@
0015-Linux-7.0-autoconf-Remove-copy-from-user-inatomic-AP.patch
0016-Linux-7.0-ensure-LSMs-get-to-process-mount-options.patch
0017-Linux-7.0-compat-META.patch
+0018-Fix-kernel-BUG-at-mm-usercopy.c.patch
--
2.47.3