public inbox for pve-devel@lists.proxmox.com
* [PATCH zfsonlinux] add patch kernel panic on cgroup-OOM kill
@ 2026-04-28 11:14 Stoiko Ivanov
  2026-05-07  8:44 ` applied: " Fabian Grünbichler
  0 siblings, 1 reply; 2+ messages in thread
From: Stoiko Ivanov @ 2026-04-28 11:14 UTC (permalink / raw)
  To: pve-devel

We had reports in our community forum of users running into this
issue:
https://forum.proxmox.com/threads/182885/
https://forum.proxmox.com/threads/182232/

The patch was a clean cherry-pick from upstream's master-branch:
https://github.com/openzfs/zfs/pull/18408

I managed to reproduce the panic with the reproducer from:
https://github.com/openzfs/zfs/issues/15918#issuecomment-4180950007
without this patch. After applying it, running the reproducer 100 times
in a loop did not cause the panic to occur.

Suggested-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 ...0018-Fix-kernel-BUG-at-mm-usercopy.c.patch | 62 +++++++++++++++++++
 debian/patches/series                         |  1 +
 2 files changed, 63 insertions(+)
 create mode 100644 debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch

diff --git a/debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch b/debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch
new file mode 100644
index 000000000..2e074ee3e
--- /dev/null
+++ b/debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch
@@ -0,0 +1,62 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tony Hutter <hutter2@llnl.gov>
+Date: Thu, 23 Apr 2026 10:52:19 -0700
+Subject: [PATCH] Fix 'kernel BUG at mm/usercopy.c'
+
+Fix a bug where an cgroup-OOM-killed process can cause a panic:
+
+usercopy: Kernel memory exposure attempt detected from vmalloc (offset
+1007584, size 217120)!
+kernel BUG at mm/usercopy.c:102!
+
+This was caused by zfs_uiomove() not correctly returning EFAULT
+for short copies.
+
+Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
+Signed-off-by: Tony Hutter <hutter2@llnl.gov>
+Closes #15918
+Closes #18408
+(cherry picked from commit fc6aa4369ef79bde105a359019575d9103541287)
+Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
+---
+ module/os/linux/zfs/zfs_uio.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/module/os/linux/zfs/zfs_uio.c b/module/os/linux/zfs/zfs_uio.c
+index 8f9b161995f4e1d8cbbe457683879e0c343b2731..bfce9e6b52022f989f8108fdcfa4600278f0934d 100644
+--- a/module/os/linux/zfs/zfs_uio.c
++++ b/module/os/linux/zfs/zfs_uio.c
+@@ -234,6 +234,8 @@ zfs_uiomove_iter(void *p, size_t n, zfs_uio_rw_t rw, zfs_uio_t *uio,
+     boolean_t revert)
+ {
+ 	size_t cnt = MIN(n, uio->uio_resid);
++	size_t oldcnt = cnt;
++	int error = 0;
+ 
+ 	if (rw == UIO_READ)
+ 		cnt = copy_to_iter(p, cnt, uio->uio_iter);
+@@ -249,16 +251,21 @@ zfs_uiomove_iter(void *p, size_t n, zfs_uio_rw_t rw, zfs_uio_t *uio,
+ 		return (EFAULT);
+ 
+ 	/*
+-	 * Revert advancing the uio_iter.  This is set by zfs_uiocopy()
+-	 * to avoid consuming the uio and its iov_iter structure.
++	 * When revert is set this is a zfs_uiocopy() which should not
++	 * consume the uio and its iov_iter structure.  Otherwise, it's
++	 * a zfs_uiomove() which is expected to update the uio.  Partial
++	 * copies are allowed for both copy and move but EFAULT should
++	 * be returned for zfs_uiomove().
+ 	 */
+ 	if (revert)
+ 		iov_iter_revert(uio->uio_iter, cnt);
++	else if (cnt != oldcnt)
++		error = EFAULT;
+ 
+ 	uio->uio_resid -= cnt;
+ 	uio->uio_loffset += cnt;
+ 
+-	return (0);
++	return (error);
+ }
+ 
+ int
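Review bot: In the second zfs_uio.c hunk, the new `else if (cnt != oldcnt)` branch sets EFAULT but execution still falls through to `uio->uio_resid -= cnt` and `uio->uio_loffset += cnt`, so a caller that gets EFAULT from zfs_uiomove() receives a uio already advanced by the partial copy. The rewritten comment says partial copies are allowed, but it should state outright that the uio reflects the bytes actually copied on the error return, so callers do not retry as if nothing had been consumed. Since the copy can only come up short, `cnt < oldcnt` would also state the intent more directly than `!=`.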
diff --git a/debian/patches/series b/debian/patches/series
index a437c55e1..130039725 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,4 @@
 0015-Linux-7.0-autoconf-Remove-copy-from-user-inatomic-AP.patch
 0016-Linux-7.0-ensure-LSMs-get-to-process-mount-options.patch
 0017-Linux-7.0-compat-META.patch
+0018-Fix-kernel-BUG-at-mm-usercopy.c.patch
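Review bot: The `0018-` prefix on the added series line is fixed at the time the patch was written and collides if another patch is queued after `0017-Linux-7.0-compat-META.patch` first. Check the number against the current series when applying, and rename the file under debian/patches/ to match.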
-- 
2.47.3






* applied: [PATCH zfsonlinux] add patch kernel panic on cgroup-OOM kill
  2026-04-28 11:14 [PATCH zfsonlinux] add patch kernel panic on cgroup-OOM kill Stoiko Ivanov
@ 2026-05-07  8:44 ` Fabian Grünbichler
  0 siblings, 0 replies; 2+ messages in thread
From: Fabian Grünbichler @ 2026-05-07  8:44 UTC (permalink / raw)
  To: pve-devel, Stoiko Ivanov

with patch re-numbered, thanks!

On April 28, 2026 1:14 pm, Stoiko Ivanov wrote:
> We had reports in our community forum of users running into this
> issue:
> https://forum.proxmox.com/threads/182885/
> https://forum.proxmox.com/threads/182232/
> 
> The patch was a clean cherry-pick from upstream's master-branch:
> https://github.com/openzfs/zfs/pull/18408
> 
> I managed to reproduce the panic with the reproducer from:
> https://github.com/openzfs/zfs/issues/15918#issuecomment-4180950007
> without this patch. After applying it, running the reproducer 100 times
> in a loop did not cause the panic to occur.
> 
> Suggested-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
>  ...0018-Fix-kernel-BUG-at-mm-usercopy.c.patch | 62 +++++++++++++++++++
>  debian/patches/series                         |  1 +
>  2 files changed, 63 insertions(+)
>  create mode 100644 debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch
> 
> diff --git a/debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch b/debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch
> new file mode 100644
> index 000000000..2e074ee3e
> --- /dev/null
> +++ b/debian/patches/0018-Fix-kernel-BUG-at-mm-usercopy.c.patch
> @@ -0,0 +1,62 @@
> +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
> +From: Tony Hutter <hutter2@llnl.gov>
> +Date: Thu, 23 Apr 2026 10:52:19 -0700
> +Subject: [PATCH] Fix 'kernel BUG at mm/usercopy.c'
> +
> +Fix a bug where an cgroup-OOM-killed process can cause a panic:
> +
> +usercopy: Kernel memory exposure attempt detected from vmalloc (offset
> +1007584, size 217120)!
> +kernel BUG at mm/usercopy.c:102!
> +
> +This was caused by zfs_uiomove() not correctly returning EFAULT
> +for short copies.
> +
> +Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
> +Signed-off-by: Tony Hutter <hutter2@llnl.gov>
> +Closes #15918
> +Closes #18408
> +(cherry picked from commit fc6aa4369ef79bde105a359019575d9103541287)
> +Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> +---
> + module/os/linux/zfs/zfs_uio.c | 13 ++++++++++---
> + 1 file changed, 10 insertions(+), 3 deletions(-)
> +
> +diff --git a/module/os/linux/zfs/zfs_uio.c b/module/os/linux/zfs/zfs_uio.c
> +index 8f9b161995f4e1d8cbbe457683879e0c343b2731..bfce9e6b52022f989f8108fdcfa4600278f0934d 100644
> +--- a/module/os/linux/zfs/zfs_uio.c
> ++++ b/module/os/linux/zfs/zfs_uio.c
> +@@ -234,6 +234,8 @@ zfs_uiomove_iter(void *p, size_t n, zfs_uio_rw_t rw, zfs_uio_t *uio,
> +     boolean_t revert)
> + {
> + 	size_t cnt = MIN(n, uio->uio_resid);
> ++	size_t oldcnt = cnt;
> ++	int error = 0;
> + 
> + 	if (rw == UIO_READ)
> + 		cnt = copy_to_iter(p, cnt, uio->uio_iter);
> +@@ -249,16 +251,21 @@ zfs_uiomove_iter(void *p, size_t n, zfs_uio_rw_t rw, zfs_uio_t *uio,
> + 		return (EFAULT);
> + 
> + 	/*
> +-	 * Revert advancing the uio_iter.  This is set by zfs_uiocopy()
> +-	 * to avoid consuming the uio and its iov_iter structure.
> ++	 * When revert is set this is a zfs_uiocopy() which should not
> ++	 * consume the uio and its iov_iter structure.  Otherwise, it's
> ++	 * a zfs_uiomove() which is expected to update the uio.  Partial
> ++	 * copies are allowed for both copy and move but EFAULT should
> ++	 * be returned for zfs_uiomove().
> + 	 */
> + 	if (revert)
> + 		iov_iter_revert(uio->uio_iter, cnt);
> ++	else if (cnt != oldcnt)
> ++		error = EFAULT;
> + 
> + 	uio->uio_resid -= cnt;
> + 	uio->uio_loffset += cnt;
> + 
> +-	return (0);
> ++	return (error);
> + }
> + 
> + int
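Review bot: On the `if (revert)` path a short copy still returns 0, and `uio_resid`/`uio_loffset` are adjusted by `cnt` after `iov_iter_revert()`, yet the new comment only says partial copies are allowed for zfs_uiocopy() without saying how its caller learns how many bytes were copied. Add a sentence to the comment naming where the copied length is reported, or why the copy path can ignore a short count, so the asymmetry with zfs_uiomove() is documented rather than implied.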
> diff --git a/debian/patches/series b/debian/patches/series
> index a437c55e1..130039725 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -15,3 +15,4 @@
>  0015-Linux-7.0-autoconf-Remove-copy-from-user-inatomic-AP.patch
>  0016-Linux-7.0-ensure-LSMs-get-to-process-mount-options.patch
>  0017-Linux-7.0-compat-META.patch
> +0018-Fix-kernel-BUG-at-mm-usercopy.c.patch
> -- 
> 2.47.3
