net/rds: reset op_nents when zerocopy page pin fails

commit e174929793195e0cd6a4adb0cad731b39f9019b4 upstream.

When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),
the pinned pages are released with put_page(), and
rm->data.op_mmp_znotifier is cleared.  But we fail to properly
clear rm->data.op_nents.

Later when rds_message_purge() is called from rds_sendmsg() the
cleanup loop iterates over the incorrectly non zero number of
op_nents and frees them again.

Fix this by properly resetting op_nents when it should be in
rds_message_zcopy_from_user().

Fixes: 0cebaccef3ac ("rds: zerocopy Tx support.")
Signed-off-by: Allison Henderson <achender@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260505234336.2132721-1-achender@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/rds/message.c b/net/rds/message.c
index 921d89973b935b0169c6030d544fd2813aeab621..9824e79e057f4f3fbe73bf2c87fe439247ca2950 100644 (file)
--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -408,6 +408,7 @@ static int rds_message_zcopy_from_user(struct rds_message *rm, struct iov_iter *
 
                        for (i = 0; i < rm->data.op_nents; i++)
                                put_page(sg_page(&rm->data.op_sg[i]));
+                       rm->data.op_nents = 0;
                        mmp = &rm->data.op_mmp_znotifier->z_mmp;
                        mm_unaccount_pinned_pages(mmp);
                        ret = -EFAULT;