applied: [PATCH zfsonlinux] add patch kernel panic on cgroup-OOM kill

["Fabian Grünbichler" <f.gruenbichler@proxmox.com>]

with patch re-numbered, thanks!

On April 28, 2026 1:14 pm, Stoiko Ivanov wrote:
> We had reports in our community forum of users running into this
> issue:
> https://forum.proxmox.com/threads/182885/
> https://forum.proxmox.com/threads/182232/
> 
> The patch was a clean cherry-pick from upstream's master-branch:
> https://github.com/openzfs/zfs/pull/18408
> 
> I managed to reproduce the panic with the reproducer from:
> https://github.com/openzfs/zfs/issues/15918#issuecomment-4180950007
> without this patch. After applying it running the reproducer 100 times
> in a loop did not cause the panic to occur.
> 
> Suggested-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
>  ...0018-Fix-kernel-BUG-at-mm-usercopy.c.patch | 62 +++++++++++++++++++
>  debian/patches/series                         |  1 +
>  2 files changed, 63 insertions(+)
>  create mode 100644 debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch
> 
> diff --git a/debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch b/debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch
> new file mode 100644
> index 000000000..2e074ee3e
> --- /dev/null
> +++ b/debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch
> @@ -0,0 +1,62 @@
> +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
> +From: Tony Hutter <hutter2@llnl.gov>
> +Date: Thu, 23 Apr 2026 10:52:19 -0700
> +Subject: [PATCH] Fix 'kernel BUG at mm/usercopy.c'
> +
> +Fix a bug where an cgroup-OOM-killed process can cause a panic:
> +
> +usercopy: Kernel memory exposure attempt detected from vmalloc (offset
> +1007584, size 217120)!
> +kernel BUG at mm/usercopy.c:102!
> +
> +This was caused by zfs_uiomove() not correctly returning EFAULT
> +for short copies.
> +
> +Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
> +Signed-off-by: Tony Hutter <hutter2@llnl.gov>
> +Closes #15918
> +Closes #18408
> +(cherry picked from commit fc6aa4369ef79bde105a359019575d9103541287)
> +Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> +---
> + module/os/linux/zfs/zfs_uio.c | 13 ++++++++++---
> + 1 file changed, 10 insertions(+), 3 deletions(-)
> +
> +diff --git a/module/os/linux/zfs/zfs_uio.c b/module/os/linux/zfs/zfs_uio.c
> +index 8f9b161995f4e1d8cbbe457683879e0c343b2731..bfce9e6b52022f989f8108fdcfa4600278f0934d 100644
> +--- a/module/os/linux/zfs/zfs_uio.c
> ++++ b/module/os/linux/zfs/zfs_uio.c
> +@@ -234,6 +234,8 @@ zfs_uiomove_iter(void *p, size_t n, zfs_uio_rw_t rw, zfs_uio_t *uio,
> +     boolean_t revert)
> + {
> + 	size_t cnt = MIN(n, uio->uio_resid);
> ++	size_t oldcnt = cnt;
> ++	int error = 0;
> + 
> + 	if (rw == UIO_READ)
> + 		cnt = copy_to_iter(p, cnt, uio->uio_iter);
> +@@ -249,16 +251,21 @@ zfs_uiomove_iter(void *p, size_t n, zfs_uio_rw_t rw, zfs_uio_t *uio,
> + 		return (EFAULT);
> + 
> + 	/*
> +-	 * Revert advancing the uio_iter.  This is set by zfs_uiocopy()
> +-	 * to avoid consuming the uio and its iov_iter structure.
> ++	 * When revert is set this is a zfs_uiocopy() which should not
> ++	 * consume the uio and its iov_iter structure.  Otherwise, it's
> ++	 * a zfs_uiomove() which is expected to update the uio.  Partial
> ++	 * copies are allowed for both copy and move but EFAULT should
> ++	 * be returned for zfs_uiomove().
> + 	 */
> + 	if (revert)
> + 		iov_iter_revert(uio->uio_iter, cnt);
> ++	else if (cnt != oldcnt)
> ++		error = EFAULT;
> + 
> + 	uio->uio_resid -= cnt;
> + 	uio->uio_loffset += cnt;
> + 
> +-	return (0);
> ++	return (error);
> + }
> + 
> + int
> diff --git a/debian/patches/series b/debian/patches/series
> index a437c55e1..130039725 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -15,3 +15,4 @@
>  0015-Linux-7.0-autoconf-Remove-copy-from-user-inatomic-AP.patch
>  0016-Linux-7.0-ensure-LSMs-get-to-process-mount-options.patch
>  0017-Linux-7.0-compat-META.patch
> +0018-Fix-kernel-BUG-at-mm-usercopy.c.patch
> -- 
> 2.47.3
> 
> 
> 
> 
> 
>