From d9bc8e760e7da2db2cc9772c05c3912450a6f534 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 21 May 2026 12:50:35 +0200
Subject: [PATCH] 5.15-stable patches

added patches:
	net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch
---
 ...p_nents-when-zerocopy-page-pin-fails.patch | 41 +++++++++++++++++++
 queue-5.15/series                             |  1 +
 2 files changed, 42 insertions(+)
 create mode 100644 queue-5.15/net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch

diff --git a/queue-5.15/net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch b/queue-5.15/net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch
new file mode 100644
index 0000000000..30a3d4bc4d
--- /dev/null
+++ b/queue-5.15/net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch
@@ -0,0 +1,41 @@
+From e174929793195e0cd6a4adb0cad731b39f9019b4 Mon Sep 17 00:00:00 2001
+From: Allison Henderson <achender@kernel.org>
+Date: Tue, 5 May 2026 16:43:36 -0700
+Subject: net/rds: reset op_nents when zerocopy page pin fails
+
+From: Allison Henderson <achender@kernel.org>
+
+commit e174929793195e0cd6a4adb0cad731b39f9019b4 upstream.
+
+When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),
+the pinned pages are released with put_page(), and
+rm->data.op_mmp_znotifier is cleared.  But we fail to properly
+clear rm->data.op_nents.
+
+Later when rds_message_purge() is called from rds_sendmsg() the
+cleanup loop iterates over the incorrectly non zero number of
+op_nents and frees them again.
+
+Fix this by properly resetting op_nents when it should be in
+rds_message_zcopy_from_user().
+
+Fixes: 0cebaccef3ac ("rds: zerocopy Tx support.")
+Signed-off-by: Allison Henderson <achender@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260505234336.2132721-1-achender@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/message.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rds/message.c
++++ b/net/rds/message.c
+@@ -409,6 +409,7 @@ static int rds_message_zcopy_from_user(s
+ 
+ 			for (i = 0; i < rm->data.op_nents; i++)
+ 				put_page(sg_page(&rm->data.op_sg[i]));
++			rm->data.op_nents = 0;
+ 			mmp = &rm->data.op_mmp_znotifier->z_mmp;
+ 			mm_unaccount_pinned_pages(mmp);
+ 			ret = -EFAULT;
diff --git a/queue-5.15/series b/queue-5.15/series
index 2b65bc7839..5aeb9eea68 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -674,3 +674,4 @@ drm-i915-skip-__i915_request_skip-for-already-signaled-requests.patch
 drm-panfrost-fix-wait_bo-ioctl-leaking-positive-return-from-dma_resv_wait_timeout.patch
 drm-gma500-oaktrail_hdmi-fix-i2c-adapter-leak-on-setup.patch
 io-wq-check-that-the-predecessor-is-hashed-in-io_wq_remove_pending.patch
+net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch
-- 
2.47.3