By default kernel 6.12 dropped some deprecated features around cgroupv2 support. This affects openjdk 21 and older, see

https://bugs.openjdk.org/browse/JDK-8347811
https://bugs.debian.org/1107967

This is fatal: Using cgroupv2 openjdk 21 doesn't recognize the container limits by default anymore, the Java GC is not run since there seems to be plenty of memory, and the Java app runs into the container's memory limit and is killed with OOM. openjdk 25 has been fixed, AFAICT.

Workaround is to configure the kernel with

CONFIG_CPUSETS_V1=y
CONFIG_MEMCG_V1=y

to bring back the deprecated features.

I would like to suggest to re-enable the deprecated features in the kernel. It is pretty much unlikely that openjdk 21 is fixed in time for Trixie. Not to mention the kernel backport to Bookworm.

Regards
Harri
Thank you for bringing this to our attention. I don't think it makes sense for us to re-enable cgroups v1, given that it has been deprecated for so long and OpenJDK itself can use v2. I will look into whether we can instead provide only a /proc/cgroups file, which seems to be all that OpenJDK actually needed. Ben.
For reference, I think this is the status of the OpenJDK versions in the
archive:
           |   Debian release   | cgroups |
           | 11 | 12 | 13 | sid | support |
-----------+----+----+----+-----+---------+
openjdk-8  |    |    |    |  X  | no      |
openjdk-11 | X  |    |    |  X  | yes *   |
openjdk-17 | X  | X  |    |  X  | yes *   |
openjdk-21 |    |    | X  |  X  | yes *   |
openjdk-22 |    |    |    |  X  | yes *   |
openjdk-23 |    |    |    |  X  | yes *   |
openjdk-24 |    |    |    |  X  | yes *   |
openjdk-25 |    |    | X  |  X  | yes +   |
* CgroupSubsystemFactory depends on /proc/cgroups even if using v2
+ C++ implementation of CgroupSubsystemFactory does not depend on
/proc/cgroups if using v2, but Java implementation still does
Ben.
On Thu, 2025-06-26 at 18:24 +0200, Ben Hutchings wrote:
[...]
commit af000ce85293b8e608f696f0c6c280bc3a75887f
Author: Michal Koutný <mkoutny@suse.com>
Date: Mon Sep 9 18:32:23 2024 +0200
cgroup: Do not report unavailable v1 controllers in /proc/cgroups
but I have not yet tested that.
Ben.
Did you think about backporting those changes? Bastian
Ben Hutchings wrote: You are right, it's been deprecated for quite some time, and this is clearly a bug in openjdk, but currently there is no better version of JDK21. I am not sure what you mean by "OpenJDK itself can use v2". How is this supposed to work? Since we are talking about the host system here you cannot know how /proc was mounted in the container, which Container framework is involved, or whether the container is based on Debian at all.
OpenJDK (from v11 onwards) appears to use v2 of the cgroups API if available, and only mistakenly relied on /proc/cgroups for detection of which controllers are enabled. We have to assume that /proc/cgroups and cgroupfs are exposed to the container, otherwise none of this detection could have worked before... Ben.
Control: tag -1 patch

Yes, this seems to work. I compiled the following class:

--- BEGIN ---
import java.lang.System;

class Main {
    public static void main(String[] args) {
        int count = Integer.parseInt(args[0]);
        char[] one_mb;
        int i;

        for (i = 0; i != count; i++) {
            one_mb = new char[0x100000];
            System.out.println(one_mb[0] | one_mb[0xfffff]);
        }
    }
};
--- END ---

and ran it with an argument of "1000". I used a podman container of Debian limited to 50 MiB. With the current kernel from trixie, it OOMs. With that commit reverted, it runs to completion.

I will open an MR tomorrow.

Ben.
On Wed, 2025-07-09 at 00:46 +0200, Ben Hutchings wrote: [...] Opened <https://salsa.debian.org/kernel-team/linux/-/merge_requests/1572>. Ben.
This change can cause problems for the OpenJDK JVM, as reported in
<https://bugs.debian.org/1108294>.
Since OpenJDK version 11, the JVM can detect and adapt to cpuset and
memory limits. It supports both the cgroups v1 and v2 API, but before
version 25 it always relied on /proc/cgroups to detect whether those
controllers were enabled.
The result of this patch is that if CONFIG_MEMCG_V1 is disabled the JVM
can easily trigger OOM when otherwise it would trim its memory usage
through garbage collection. (For cpusets, I'm not sure of the impact
but I think it might make bad decisions about the size of thread pools.)
Although the fix in OpenJDK 25 can probably be backported to older
versions, this issue primarily affects container workloads so fixing
this in distribution packages would not be sufficient.
The obvious compatibility fix for this at the kernel level is to enable
CONFIG_{CPUSETS,MEMCG}_V1. But since the v1 API has long been
deprecated and is not actually needed by OpenJDK, I would prefer not to
do that.
Would you consider reverting this change for the sake of compatibility?
Ben.
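
The dependency described in the message above can be checked on a host or inside a container by comparing /proc/cgroups with the cgroup v2 controller list. This is an added example, not code from this thread, the kernel or OpenJDK; the function names are hypothetical, the sample file contents are constructed, and /sys/fs/cgroup is assumed to be the cgroup v2 mount point.

```python
"""Added example: find controllers that cgroup v2 offers but /proc/cgroups hides.

Per this thread, OpenJDK before 25 consults /proc/cgroups even when it then
uses the cgroup v2 API, so a controller missing there is treated as absent.
"""
from pathlib import Path

# Controllers named in the thread as gated by CONFIG_MEMCG_V1 / CONFIG_CPUSETS_V1.
JVM_CONTROLLERS = ("memory", "cpuset")


def parse_proc_cgroups(text):
    """Return {controller_name: enabled} from the content of /proc/cgroups."""
    listed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and the "#subsys_name ..." header
        fields = line.split()
        if len(fields) != 4:
            continue  # ignore rows that do not have the four expected columns
        name, _hierarchy, _num_cgroups, enabled = fields
        listed[name] = enabled == "1"
    return listed


def parse_v2_controllers(text):
    """Return the set of names in a cgroup v2 cgroup.controllers file."""
    return set(text.split())


def hidden_from_jvm(proc_cgroups_text, v2_controllers_text):
    """List controllers usable through cgroup v2 but not reported as enabled
    in /proc/cgroups, i.e. limits an affected JVM would not pick up."""
    listed = parse_proc_cgroups(proc_cgroups_text)
    available = parse_v2_controllers(v2_controllers_text)
    return [c for c in JVM_CONTROLLERS
            if c in available and not listed.get(c, False)]


def check_host(proc_path="/proc/cgroups",
               v2_path="/sys/fs/cgroup/cgroup.controllers"):
    """Run the comparison against the live system.

    Returns None when no cgroup v2 hierarchy is found at the assumed path.
    """
    v2 = Path(v2_path)
    if not v2.exists():
        return None
    proc = Path(proc_path)
    proc_text = proc.read_text() if proc.exists() else ""
    return hidden_from_jvm(proc_text, v2.read_text())


# Constructed sample: /proc/cgroups with the memory and cpuset rows omitted,
# as on a kernel that does not report unavailable v1 controllers.
SAMPLE_PROC_CGROUPS_FILTERED = """\
#subsys_name\thierarchy\tnum_cgroups\tenabled
cpu\t0\t87\t1
io\t0\t87\t1
pids\t0\t87\t1
"""

# Constructed sample: /proc/cgroups that still reports every controller.
SAMPLE_PROC_CGROUPS_FULL = """\
#subsys_name\thierarchy\tnum_cgroups\tenabled
cpuset\t0\t87\t1
cpu\t0\t87\t1
io\t0\t87\t1
memory\t0\t87\t1
pids\t0\t87\t1
"""

# Constructed sample: cgroup.controllers of the cgroup the process runs in.
SAMPLE_V2_CONTROLLERS = "cpuset cpu io memory pids\n"


if __name__ == "__main__":
    for label, sample in (("filtered", SAMPLE_PROC_CGROUPS_FILTERED),
                          ("full", SAMPLE_PROC_CGROUPS_FULL)):
        print(label, "->", hidden_from_jvm(sample, SAMPLE_V2_CONTROLLERS))
    live = check_host()
    if live is None:
        print("live: no cgroup v2 hierarchy at the assumed path")
    else:
        print("live ->", live or "nothing hidden")
```

A non-empty result inside a memory-limited container means the limit is enforced by the kernel but may go unseen by a JVM older than 25.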
We believe that the bug you reported is fixed in the latest version of linux, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1108294@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Salvatore Bonaccorso <carnil@debian.org> (supplier of updated linux package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) Format: 1.8 Date: Fri, 11 Jul 2025 06:09:48 +0200 Source: linux Architecture: source Version: 6.12.37-1 Distribution: unstable Urgency: medium Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org> Changed-By: Salvatore Bonaccorso <carnil@debian.org> Closes: 1103397 1107135 1108294 1108965 Changes: linux (6.12.37-1) unstable; urgency=medium . 
* New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.36 - cifs: Correctly set SMB1 SessionKey field in Session Setup Request - cifs: Fix cifs_query_path_info() for Windows NT servers - cifs: Fix encoding of SMB1 Session Setup NTLMSSP Request in non-UNICODE mode - NFSv4: Always set NLINK even if the server doesn't support it - NFSv4.2: fix listxattr to return selinux security label - NFSv4.2: fix setattr caching of TIME_[MODIFY|ACCESS]_SET when timestamps are delegated - mailbox: Not protect module_put with spin_lock_irqsave - sunrpc: don't immediately retransmit on seqno miss - dm vdo indexer: don't read request structure after enqueuing - leds: multicolor: Fix intensity setting while SW blinking - fuse: fix race between concurrent setattrs from multiple nodes - cxl/region: Add a dev_err() on missing target list entries - NFSv4: xattr handlers should check for absent nfs filehandles - ksmbd: allow a filename to contain special characters on SMB3.1.1 posix extension - ksmbd: provide zero as a unique ID to the Mac client - [amd64] dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using - PCI: dwc: Make link training more robust by setting PORT_LOGIC_LINK_WIDTH to one lane - [arm64,armhf] PCI: imx6: Add workaround for errata ERR051624 - nvme-tcp: fix I/O stalls on congested sockets - nvme-tcp: sanitize request list handling - md/md-bitmap: fix dm-raid max_write_behind setting - amd/amdkfd: fix a kfd_process ref leak - bcache: fix NULL pointer in cache_set_flush() - drm/amdgpu: seq64 memory unmap uses uninterruptible lock - drm/scheduler: signal scheduled fence when kill job - iio: pressure: zpa2326: Use aligned_s64 for the timestamp - [arm64,armhf] coresight: Only check bottom two claim bits - [arm*] usb: dwc2: also exit clock_gating when stopping udc while suspended - iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos - usb: potential integer overflow in usbg_make_tpg() - usb: common: 
usb-conn-gpio: use a unique name for usb connector device - usb: Add checks for snprintf() calls in usb_alloc_dev() - usb: cdc-wdm: avoid setting WDM_READ for ZLP-s - usb: gadget: f_hid: wake up readers on disable/unbind - usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode - usb: typec: mux: do not return on EOPNOTSUPP in {mux, switch}_set - [riscv64] add a data fence for CMODX in the kernel mode - ALSA: hda: Ignore unsol events for cards being shut down - ALSA: hda: Add new pci id for AMD GPU display HD audio controller - ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock - [amd64] ASoC: rt1320: fix speaker noise when volume bar is 100% - ceph: fix possible integer overflow in ceph_zero_objects() - scsi: ufs: core: Don't perform UFS clkscaling during host async scan - ovl: Check for NULL d_inode() in ovl_dentry_upper() - btrfs: handle csum tree error with rescue=ibadroots correctly - [amd64] drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 - [amd64] Revert "drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1" - btrfs: factor out nocow ordered extent and extent map generation into a helper - btrfs: use unsigned types for constants defined as bit shifts - btrfs: fix qgroup reservation leak on failure to allocate ordered extent - fs/jfs: consolidate sanity checking in dbMount - jfs: validate AG parameters in dbMount() to prevent crashes - [arm64] ASoC: codec: wcd9335: Convert to GPIO descriptors - [arm64] ASoC: codecs: wcd9335: Fix missing free of regulator supplies - f2fs: don't over-report free space or inodes in statvfs - [amd64] accel/ivpu: Do not fail on cmdq if failed to allocate preemption buffers - [amd64] accel/ivpu: Remove copy engine support - [amd64] accel/ivpu: Make command queue ID allocated on XArray - [amd64] accel/ivpu: Separate DB ID and CMDQ ID allocations from CMDQ allocation - [amd64] accel/ivpu: Add debugfs interface for setting HWS priority bands - [amd64] accel/ivpu: 
Trigger device recovery on engine reset/resume failure - af_unix: Don't leave consecutive consumed OOB skbs. - i2c: tiny-usb: disable zero-length read messages - i2c: robotfuzz-osif: disable zero-length read messages - ata: ahci: Use correct DMI identifier for ASUSPRO-D840SA LPM quirk - smb: client: remove \t from TP_printk statements - mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write - [amd64] ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15 - [s390x] pkey: Prevent overflow in size calculation for memdup_user() - fs/proc/task_mmu: fix PAGE_IS_PFNZERO detection for the huge zero folio - lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() - [riscv64] Revert "riscv: Define TASK_SIZE_MAX for __access_ok()" - [riscv64] Revert "riscv: misaligned: fix sleeping function called during misaligned access handling" - drm/xe/display: Add check for alloc_ordered_workqueue() - HID: wacom: fix crash in wacom_aes_battery_handler() - atm: clip: prevent NULL deref in clip_push() - Bluetooth: hci_core: Fix use-after-free in vhci_flush() - ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() - attach_recursive_mnt(): do not lock the covering tree when sliding something under it - libbpf: Fix null pointer dereference in btf_dump__free on allocation failure - ethernet: ionic: Fix DMA mapping tests - wifi: mac80211: fix beacon interval calculation overflow - af_unix: Don't set -ECONNRESET for consumed OOB skb. - wifi: mac80211: Add link iteration macro for link data - wifi: mac80211: Create separate links for VLAN interfaces - wifi: mac80211: finish link init before RCU publish - vsock/uapi: fix linux/vm_sockets.h userspace compilation errors - bnxt: properly flush XDP redirect lists - libbpf: Fix possible use-after-free for externs - netlink: specs: tc: replace underscores with dashes in names - atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). 
- net: selftests: fix TCP packet checksum - drm/amdgpu/discovery: optionally use fw based ip discovery - drm/amd: Adjust output for discovery error handling - [amd64] drm/i915: fix build error some more - [arm64] drm/bridge: ti-sn65dsi86: make use of debugfs_init callback - [arm64] drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type - drm/xe: Process deferred GGTT node removals on device unwind - smb: client: fix potential deadlock when reconnecting channels - smb: smbdirect: add smbdirect_pdu.h with protocol definitions - smb: client: make use of common smbdirect_pdu.h - smb: smbdirect: add smbdirect.h with public structures - smb: smbdirect: add smbdirect_socket.h - smb: client: make use of common smbdirect_socket - smb: smbdirect: introduce smbdirect_socket_parameters - smb: client: make use of common smbdirect_socket_parameters - cifs: Fix the smbd_response slab to allow usercopy - cifs: Fix reading into an ITER_FOLIOQ from the smbdirect code - [amd64] EDAC/amd64: Fix size calculation for Non-Power-of-Two DIMMs - [amd64] x86/traps: Initialize DR6 by writing its architectural reset value - staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() - dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive - serial: core: restore of_node information in sysfs - serial: imx: Restore original RXTL for console to fix data loss - Bluetooth: L2CAP: Fix L2CAP MTU negotiation - dm-raid: fix variable in journal device check - btrfs: fix a race between renames and directory logging - btrfs: update superblock's device bytes_used when dropping chunk - spi: spi-cadence-quadspi: Fix pm runtime unbalance - net: libwx: fix the creation of page_pool - maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() - mm/gup: revert "mm: gup: fix infinite loop within __get_longterm_locked" - f2fs: fix to zero post-eof page - HID: lenovo: Restrict F7/9/11 mode to compact keyboards only - HID: wacom: fix memory leak on kobject creation failure - HID: 
wacom: fix memory leak on sysfs attribute creation failure - HID: wacom: fix kobject reference count leak - scsi: megaraid_sas: Fix invalid node index - scsi: ufs: core: Fix clk scaling to be conditional in reset and restore - drm/ast: Fix comment on modeset lock - drm/cirrus-qemu: Fix pitch programming - [arm64,armhf] drm/etnaviv: Protect the scheduler's pending list with its lock - [arm64,armhf] drm/tegra: Assign plane type before registration - [arm64,armhf] drm/tegra: Fix a possible null pointer dereference - drm/udl: Unregister device before cleaning up on disconnect - [arm64] drm/msm/gpu: Fix crash when throttling GPU immediately during boot - drm/amdkfd: Fix race in GWS queue scheduling - drm/amd/display: Add null pointer check for get_first_active_display() - drm/amdgpu: amdgpu_vram_mgr_new(): Clamp lpfn to total vram - drm/amd/display: Correct non-OLED pre_T11_delay. - drm/xe/vm: move rebind_work init earlier - drm/xe/sched: stop re-submitting signalled jobs - drm/xe/guc_submit: add back fix - drm/amd/display: Fix RMCM programming seq errors - drm/amdgpu: Add kicker device detection - drm/amd/display: Check dce_hwseq before dereferencing it - drm/xe: Fix memset on iomem - drm/xe: Fix taking invalid lock on wedge - drm/xe: Fix early wedge on GuC load failure - drm/i915/dsi: Fix off by one in BXT_MIPI_TRANS_VTOTAL - drm/amdgpu: Fix SDMA UTC_L1 handling during start/stop sequences - drm/amdgpu: switch job hw_fence to amdgpu_fence - drm/amd/display: Fix mpv playback corruption on weston - media: uvcvideo: Rollback non processed entities on error - [amd64] x86/fpu: Refactor xfeature bitmask update code for sigframe XSAVE - [amd64] x86/pkeys: Simplify PKRU update in signal frame (Closes: #1103397) - net: libwx: fix Tx L4 checksum (CVE-2025-22101) - io_uring: fix potential page leak in io_sqe_buffer_register() - io_uring/rsrc: fix folio unpinning - io_uring/rsrc: don't rely on user vaddr alignment - io_uring/net: improve recv bundles - io_uring/net: only retry 
recv bundle for a full transfer - io_uring/net: only consider msg_inq if larger than 1 - io_uring/net: always use current transfer count for buffer put - io_uring/net: mark iov as dynamically allocated even for single segments - io_uring/kbuf: flag partial buffer mappings - mm/vma: reset VMA iterator on commit_merge() OOM failure - r8169: add support for RTL8125D (Closes: #1107135) - net: phy: realtek: merge the drivers for internal NBase-T PHY's - net: phy: realtek: add RTL8125D-internal PHY - btrfs: do proper folio cleanup when cow_file_range() failed - drm/xe: Carve out wopcm portion from the stolen memory - usb: typec: tcpm: PSSourceOffTimer timeout in PR_Swap enters ERROR_RECOVERY - [arm64] drm/msm/dp: account for widebus and yuv420 during mode validation - drm/fbdev-dma: Add shadow buffering for deferred I/O (CVE-2024-58091) - btrfs: skip inodes without loaded extent maps when shrinking extent maps - btrfs: make the extent map shrinker run asynchronously as a work queue job - btrfs: do regular iput instead of delayed iput during extent map shrinking - [riscv64] atomic: Do proper sign extension also for unsigned in arch_cmpxchg - [arm64] dts: rockchip: Add avdd HDMI supplies to RockPro64 board dtsi - ALSA: hda/realtek: Bass speaker fixup for ASUS UM5606KA - drm/amdkfd: remove gfx 12 trap handler page size cap - drm/amdkfd: Fix instruction hazard in gfx12 trap handler - net: stmmac: Fix accessing freed irq affinity_hint (CVE-2025-23155) - spi: fsl-qspi: use devm function instead of driver remove (CVE-2025-37842) - btrfs: zoned: fix extent range end unlock in cow_file_range() - btrfs: fix use-after-free on inode when scanning root during em shrinking - spi: fsl-qspi: Fix double cleanup in probe error path https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.37 - [arm64] rtc: pcf2127: add missing semicolon after statement - [arm64] rtc: pcf2127: fix SPI command byte for PCF2131 - rtc: cmos: use spin_lock_irqsave in cmos_interrupt - virtio-net: xsk: rx: fix 
the frame's length check - virtio-net: ensure the received length does not exceed allocated size - [s390x] pci: Fix stale function handles in error handling - [s390x] pci: Do not try re-enabling load/store if device is disabled - vsock/vmci: Clear the vmci transport packet properly when initializing it - mmc: sdhci: Add a helper function for dump register in dynamic debug mode - mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier - Bluetooth: HCI: Set extended advertising data synchronously - Bluetooth: hci_sync: revert some mesh modifications - Bluetooth: MGMT: set_mesh: update LE scan interval and window - Bluetooth: MGMT: mesh_send: check instances prior disabling advertising - [arm64,armhf] regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods - usb: typec: altmodes/displayport: do not index invalid pin_assignments - [arm64] mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data - [arm64] mtk-sd: Prevent memory corruption from DMA map failure - [arm64] mtk-sd: reset host->mrq on prepare_data() error - [arm64] drm/v3d: Disable interrupts before resetting the GPU - RDMA/mlx5: Fix unsafe xarray access in implicit ODP handling - RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert - nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. 
- NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN - scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database() - scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() - scsi: sd: Fix VPD page 0xb7 length check - scsi: ufs: core: Fix spelling of a sysfs attribute name - RDMA/mlx5: Fix HW counters query for non-representor devices - RDMA/mlx5: Fix CC counters query for MPV - RDMA/mlx5: Fix vport loopback for MPV device - Bluetooth: Prevent unintended pause by checking if advertising is active - btrfs: fix missing error handling when searching for inode refs during log replay - btrfs: fix iteration of extrefs during log replay - btrfs: return a btrfs_inode from btrfs_iget_logging() - btrfs: return a btrfs_inode from read_one_inode() - btrfs: fix invalid inode pointer dereferences during log replay - btrfs: fix inode lookup error handling during log replay - btrfs: record new subvolume in parent dir earlier to avoid dir logging races - btrfs: propagate last_unlink_trans earlier when doing a rmdir - btrfs: use btrfs_record_snapshot_destroy() during rmdir - ethernet: atl1: Add missing DMA mapping error checks and count errors - [arm64] dpaa2-eth: fix xdp_rxq_info leak - [armhf] drm/exynos: fimd: Guard display clock control with runtime PM calls - [arm64] spi: spi-fsl-dspi: Clear completion counter before initiating transfer - nvme: Fix incorrect cdw15 value in passthru error logging - nvmet: fix memory leak of bio integrity - [x86] platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks - [x86] platform/x86: hp-bioscfg: Directly use firmware_attributes_class - [x86] platform/x86: hp-bioscfg: Fix class device unregistration - [x86] platform/x86: firmware_attributes_class: Move include linux/device/class.h - [x86] platform/x86: firmware_attributes_class: Simplify API - [x86] platform/x86: think-lmi: Directly use firmware_attributes_class - [x86] platform/x86: think-lmi: Fix class device unregistration - [x86] platform/x86: 
dell-sysman: Directly use firmware_attributes_class - [x86] platform/x86: dell-wmi-sysman: Fix class device unregistration - [arm64] drm/bridge: aux-hpd-bridge: fix assignment of the of_node - smb: client: fix warning when reconnecting channel - net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect - [amd64] drm/i915/gt: Fix timeline left held on VMA alloc error - [amd64] drm/i915/gsc: mei interrupt top half should be in irq disabled context - [amd64,arm64] idpf: return 0 size for RSS key if not supported - [amd64,arm64] idpf: convert control queue mutex to a spinlock - igc: disable L1.2 PCI-E link substate to avoid performance issue - smb: client: set missing retry flag in smb2_writev_callback() - smb: client: set missing retry flag in cifs_readv_callback() - smb: client: set missing retry flag in cifs_writev_callback() - netfs: Fix i_size updating - [amd64,arm64] amd-xgbe: align CL37 AN sequence as per databook - enic: fix incorrect MTU comparison in enic_change_mtu() - rose: fix dangling neighbour pointers in rose_rt_device_down() - nui: Fix dma_mapping_error() check - net/sched: Always pass notifications when child class becomes empty - [amd64,arm64] amd-xgbe: do not double read link status - smb: client: fix race condition in negotiate timeout by using more precise timing - [arm64] dts: rockchip: fix internal USB hub instability on RK3399 Puma - [amd64] crypto: iaa - Remove dst_null support - [amd64] crypto: iaa - Do not clobber req->base.data - spinlock: extend guard with spinlock_bh variants - gfs2: Initialize gl_no_formal_ino earlier - gfs2: Rename GIF_{DEFERRED -> DEFER}_DELETE - gfs2: Rename dinode_demise to evict_behavior - gfs2: Prevent inode creation race - gfs2: Decode missing glock flags in tracepoints - gfs2: Add GLF_PENDING_REPLY flag - gfs2: Replace GIF_DEFER_DELETE with GLF_DEFER_DELETE - gfs2: Move gfs2_dinode_dealloc - gfs2: Move GIF_ALLOC_FAILED check out of gfs2_ea_dealloc - gfs2: deallocate inodes in gfs2_create_inode - btrfs: 
prepare btrfs_page_mkwrite() for large folios - btrfs: fix wrong start offset for delalloc space release during mmap write - sched/fair: Rename h_nr_running into h_nr_queued - sched/fair: Add new cfs_rq.h_nr_runnable - sched/fair: Fixup wake_up_sync() vs DELAYED_DEQUEUE - gfs2: Move gfs2_trans_add_databufs - gfs2: Don't start unnecessary transactions during log flush - ACPI: thermal: Fix stale comment regarding trip points - ACPI: thermal: Execute _SCP before reading trip points - bonding: Mark active offloaded xfrm_states - wifi: ath12k: fix skb_ext_desc leak in ath12k_dp_tx() error path - wifi: ath12k: Handle error cases during extended skb allocation - wifi: ath12k: fix wrong handling of CCMP256 and GCMP ciphers - RDMA/rxe: Fix "trying to register non-static key in rxe_qp_do_cleanup" bug - f2fs: decrease spare area for pinned files for zoned devices - f2fs: zone: introduce first_zoned_segno in f2fs_sb_info - f2fs: zone: fix to calculate first_zoned_segno correctly - scsi: lpfc: Remove NLP_RELEASE_RPI flag from nodelist structure - scsi: lpfc: Change lpfc_nodelist nlp_flag member into a bitmask - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (CVE-2025-38289) - bpf: use common instruction history across all states - bpf: Do not include stack ptr register in precision backtracking bookkeeping (CVE-2025-38279) - [arm64] remoteproc: k3: Call of_node_put(rmem_np) only once in three functions - [arm64] remoteproc: k3-r5: Add devm action to release reserved memory - [arm64] remoteproc: k3-r5: Use devm_kcalloc() helper - [arm64] remoteproc: k3-r5: Use devm_ioremap_wc() helper - [arm64] remoteproc: k3-r5: Use devm_rproc_add() helper - [arm64] remoteproc: k3-r5: Refactor sequential core power up/down operations - netfs: Fix oops in write-retry from mis-resetting the subreq iterator (CVE-2025-38139) - mfd: exynos-lpass: Fix another error handling path in exynos_lpass_probe() - drm/xe: Fix DSB buffer coherency - drm/xe: Move DSB l2 flush to a more 
sensible place - drm/xe: add interface to request physical alignment for buffer objects - drm/xe: Allow bo mapping on multiple ggtts - drm/xe: move DPT l2 flush to a more sensible place - drm/xe: Replace double space with single space after comma - drm/xe/guc: Dead CT helper - drm/xe/guc: Explicitly exit CT safe mode on unwind - selinux: change security_compute_sid to return the ssid or tsid on match - drm/amdgpu: VCN v5_0_1 to prevent FW checking RB during DPG pause - [amd64] drm/i915/dp_mst: Work around Thunderbolt sink disconnect after SINK_COUNT_ESI read - drm/amdgpu: add kicker fws loading for gfx11/smu13/psp13 - drm/amd/display: Add more checks for DSC / HUBP ONO guarantees - [arm64] dts: qcom: x1e80100-crd: mark l12b and l15b always-on - drm/amdgpu/mes: add missing locking in helper functions - sched_ext: Make scx_group_set_weight() always update tg->scx.weight - scsi: lpfc: Restore clearing of NLP_UNREG_INP in ndlp->nlp_flag - [arm64] drm/msm: Fix a fence leak in submit error path - [arm64] drm/msm: Fix another leak in the submit error path - ALSA: sb: Don't allow changing the DMA mode during operations - ALSA: sb: Force to disable DMAs once when DMA mode is changed - ata: libata-acpi: Do not assume 40 wire cable if no devices are enabled - [amd64] ASoC: amd: yc: Add quirk for MSI Bravo 17 D7VF internal mic - [amd64] platform/x86/amd/pmc: Add PCSpecialist Lafite Pro V 14M to 8042 quirks list - genirq/irq_sim: Initialize work context pointers properly - [powerpc*] Fix struct termio related ioctl macros - [amd64] ASoC: amd: yc: update quirk data for HP Victus - [arm64,armhf] regulator: fan53555: add enable_time support and soft-start times - scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() - aoe: defer rexmit timer downdev work to workqueue - wifi: mac80211: drop invalid source address OCB frames - wifi: ath6kl: remove WARN on bad firmware input - ACPICA: Refuse to evaluate a method if arguments are missing - [arm64] mtd: spinand: 
fix memory leak of ECC engine conf - rcu: Return early if callback is not specified - add a string-to-qstr constructor - module: Provide EXPORT_SYMBOL_GPL_FOR_MODULES() helper - fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass - RDMA/mlx5: Fix cache entry update on dereg error - IB/mlx5: Fix potential deadlock in MR deregistration - drm/xe/bmg: Update Wa_22019338487 - drm/xe: Allow dropping kunit dependency as built-in - NFSv4/flexfiles: Fix handling of NFS level errors in I/O - usb: xhci: Skip xhci_reset in xhci_resume if xhci is being removed - Revert "usb: xhci: Implement xhci_handshake_check_state() helper" - usb: xhci: quirk for data loss in ISOC transfers - xhci: dbctty: disable ECHO flag by default - xhci: dbc: Flush queued requests before stopping dbc - xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS - Input: xpad - support Acer NGR 200 Controller - Input: iqs7222 - explicitly define number of external channels - [arm*] usb: dwc3: Abort suspend on soft disconnect failure - [arm64,armhf] usb: chipidea: udc: disconnect/reconnect from host when do suspend/resume - usb: acpi: fix device link removal - smb: client: fix readdir returning wrong type with POSIX extensions - cifs: all initializations for tcon should happen in tcon_info_alloc - dma-buf: fix timeout handling in dma_resv_wait_timeout v2 - i2c/designware: Fix an initialization issue - Logitech C-270 even more broken - [arm64] optee: ffa: fix sleep in atomic context - [arm64,armhf] iommu/rockchip: prevent iommus dead loop when two masters share one IOMMU - [amd64] powercap: intel_rapl: Do not change CLAMPING bit if ENABLE bit cannot be changed - [riscv64] cpu_ops_sbi: Use static array for boot_data - [x86] platform/x86: think-lmi: Create ksets consecutively - [x86] platform/x86: think-lmi: Fix kobject cleanup - [x86] platform/x86: think-lmi: Fix sysfs group cleanup - usb: typec: displayport: Fix potential deadlock - [powerpc*] kernel: Fix ppc_save_regs inclusion in 
build - mm/vmalloc: fix data race in show_numa_info() - mm: userfaultfd: fix race of userfaultfd_move and swap cache (CVE-2025-38242) - [amd64] Mitigations Transitive Scheduler Attacks (TSA) (CVE-2024-36350, CVE-2024-36357) + x86/bugs: Rename MDS machinery to something more generic + x86/bugs: Add a Transient Scheduler Attacks mitigation + KVM: SVM: Advertise TSA CPUID bits to guests + x86/microcode/AMD: Add TSA microcode SHAs + x86/process: Move the buffer clearing before MONITOR . [ Ben Hutchings ] * Revert "cgroup: Do not report unavailable v1 controllers in /proc/cgroups" (Closes: #1108294) * rtw89: Enable RTW89_8851BE, RTW89_8852BTE as modules (Closes: #1108965)
Hello Ben. As you write, it's not fatally broken and it may be "just" an issue of container images that got no fresh rebuild. (And I think it should be generally discouraged running containers with stale deps in them.) The original patch would mainly serve legacy userspace (host) setups on top of contemporary kernel (besides API purity reasons). Admittedly, these should be rare and eventually extinct in contrast with your example where it's a containerized userspace (which typically could do no cgroup setup) that may still have some user demand. So, I'd be more confident with the revert if such an adjustment was carried downstream by some distro and proven its viability first. Do you know of any in the wild? I appreciate your report, Michal
I think we still want to deprecate /proc/cgroups but given that there are impacted users maybe we can bring it back under a boottime param w/ warning? Thanks.
The revert has just gone into Debian unstable, targeting the upcoming stable release. So at this point I can't confidently state that it won't also cause regressions. Ben.
I booted the new kernel this morning. Using cgroupv2 I got

% docker run -it --rm -m 4g --cpus=3 debian:trixie
root@b46ebbb70b04:/# apt update
Get:1 http://deb.debian.org/debian trixie InRelease [168 kB]
Get:2 http://deb.debian.org/debian trixie-updates InRelease [45.1 kB]
Get:3 http://deb.debian.org/debian-security trixie-security InRelease [43.4 kB]
Get:4 http://deb.debian.org/debian trixie/main amd64 Packages [9672 kB]
Get:5 http://deb.debian.org/debian-security trixie-security/main amd64 Packages [5304 B]
Fetched 9934 kB in 1s (9313 kB/s)
13 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@b46ebbb70b04:/# apt -y install default-jdk
:
:
root@b46ebbb70b04:/# java -Xlog:os+container=trace --version
[0.001s][trace][os,container] OSContainer::init: Initializing Container Support
[0.001s][debug][os,container] Detected optional cpuset controller entry in /proc/cgroups
[0.001s][debug][os,container] Detected optional pids controller entry in /proc/cgroups
[0.002s][debug][os,container] Detected cgroups v2 unified hierarchy
[0.002s][trace][os,container] Path to /cpu.max is /sys/fs/cgroup/cpu.max
[0.002s][trace][os,container] Raw value for CPU quota is: 300000
[0.002s][trace][os,container] CPU Quota is: 300000
[0.002s][trace][os,container] Path to /cpu.max is /sys/fs/cgroup/cpu.max
[0.002s][trace][os,container] CPU Period is: 100000
[0.002s][trace][os,container] CPU Quota count based on quota/period: 3
[0.002s][trace][os,container] OSContainer::active_processor_count: 3
[0.002s][trace][os,container] CgroupSubsystem::active_processor_count (cached): 3
[0.002s][trace][os,container] total physical memory: 67099267072
[0.002s][trace][os,container] Path to /memory.max is /sys/fs/cgroup/memory.max
[0.002s][trace][os,container] Raw value for memory limit is: 4294967296
[0.002s][trace][os,container] Memory Limit is: 4294967296
[0.004s][trace][os,container] CgroupSubsystem::active_processor_count (cached): 3
[0.027s][trace][os,container] Path to /cpu.max is /sys/fs/cgroup/cpu.max
[0.027s][trace][os,container] Raw value for CPU quota is: 300000
[0.027s][trace][os,container] CPU Quota is: 300000
[0.027s][trace][os,container] Path to /cpu.max is /sys/fs/cgroup/cpu.max
[0.027s][trace][os,container] CPU Period is: 100000
[0.027s][trace][os,container] CPU Quota count based on quota/period: 3
[0.027s][trace][os,container] OSContainer::active_processor_count: 3
openjdk 21.0.7 2025-04-15
OpenJDK Runtime Environment (build 21.0.7+6-Debian-1)
OpenJDK 64-Bit Server VM (build 21.0.7+6-Debian-1, mixed mode, sharing)

This looks as expected. CPU and memory limits are correct. Now I have to wait for a backport for Bookworm to roll out the new kernel to our developers and to our Kubernetes nodes.

Thank you very much. I highly appreciate your contribution to Debian.

Harri
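Added example, not part of the message above or of any project's code: a check that reads `java -Xlog:os+container=trace` output like the trace above and reports whether the JVM picked up the limits given to `docker run` (`-m 4g --cpus=3`). The function names and the failure sample are assumptions made for this example.

```python
import re

# Constructed sample: a subset of the trace lines quoted in the message above.
GOOD_TRACE = """\
[0.001s][trace][os,container] OSContainer::init: Initializing Container Support
[0.002s][debug][os,container] Detected cgroups v2 unified hierarchy
[0.002s][trace][os,container] CPU Quota is: 300000
[0.002s][trace][os,container] CPU Period is: 100000
[0.002s][trace][os,container] OSContainer::active_processor_count: 3
[0.002s][trace][os,container] Memory Limit is: 4294967296
"""
# Constructed failure input: the limit lines are simply absent. This is not
# real JVM output; the thread does not show the trace from a broken kernel.
BAD_TRACE = GOOD_TRACE.splitlines()[0] + "\n"

PREFIX = re.compile(r"^\[[^\]]*\]\[[^\]]*\]\[os,container\] (.*)$")
FIELDS = {  # key -> message pattern; every pattern is taken from the trace above
    "quota": re.compile(r"CPU Quota is: (\d+)$"),
    "period": re.compile(r"CPU Period is: (\d+)$"),
    "cpus": re.compile(r"OSContainer::active_processor_count: (\d+)$"),
    "memory_limit": re.compile(r"Memory Limit is: (\d+)$"),
}

def parse_trace(text):
    """Extract what the JVM reports about its container limits."""
    seen = dict.fromkeys(FIELDS, None)
    seen["cgroup_v2"] = False
    # Lines without the [os,container] tag (e.g. the version banner) are skipped.
    for m in filter(None, map(PREFIX.match, text.splitlines())):
        msg = m.group(1).strip()
        if msg == "Detected cgroups v2 unified hierarchy":
            seen["cgroup_v2"] = True
        for key, pat in FIELDS.items():
            if hit := pat.match(msg):
                seen[key] = int(hit.group(1))
    return seen

def check_trace(text, want_cpus, want_mem_bytes):
    """Return a list of problems; empty means the JVM saw the requested limits."""
    s = parse_trace(text)
    problems = []
    if not s["cgroup_v2"]:
        problems.append("cgroup v2 hierarchy not detected")
    if s["memory_limit"] != want_mem_bytes:
        problems.append(f"memory limit {s['memory_limit']} != {want_mem_bytes}")
    if s["cpus"] != want_cpus:
        problems.append(f"active processors {s['cpus']} != {want_cpus}")
    if s["quota"] and s["period"] and s["quota"] // s["period"] != want_cpus:
        problems.append("quota/period disagrees with requested CPUs")
    return problems
```

Calling `check_trace(trace, 3, 4 * 1024**3)` on the captured output returns an empty list when the limits match; any entry in the list means the JVM is sizing its heap and thread pools against the host rather than the container.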
Something like below? (I don't change the log level.) Ben, the affected Java users could modify it at boot time. I saw your revert is in v6.12, so you may also want backport of a0ab1453226d8 to give the users a message. (I realize current->comm in the message would be even more instructive.)
Applied to cgroup/for-6.17. Thanks.
I would recommend to follow upstream for kernels beyond
Trixie in this aspect. Debian needs a workaround for kernel
6.12 in Trixie, because there are no JDKs fully compatible
with cgroupv2 yet, including the brand-new
OpenJDK 11.0.28
OpenJDK 17.0.16
OpenJDK 21.0.8
released a few days ago. I expect the JDKs will be fixed for
Forky.
Just my $0.02 of course. Regards
Harri
Hi,

This would be my "personal" (in terms of keeping deltas in the packaging) preference:

- make sure the patches get backported down to 6.12.y
- drop our local revert
- make affected users aware of the kernel parameter to use (maybe via a NEWS entry?)

I had a short discussion on IRC with Ben about that, and as the upstream changes are not yet down to 6.12.y the situation is rather clear that we have the revert. If the changes go down to 6.12.y though, I would love to rediscuss if we could consider the above instead. I realize though that it is too early to consider it at all, given it's not yet applied upstream.

Regards,
Salvatore