net/rds: reset op_nents when zerocopy page pin fails

When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),
the pinned pages are released with put_page(), and
rm->data.op_mmp_znotifier is cleared.  But we fail to properly
clear rm->data.op_nents.

Later when rds_message_purge() is called from rds_sendmsg() the
cleanup loop iterates over the incorrectly non zero number of
op_nents and frees them again.

Fix this by properly resetting op_nents when it should be in
rds_message_zcopy_from_user().

Fixes: 0cebaccef3ac ("rds: zerocopy Tx support.")
Signed-off-by: Allison Henderson <achender@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260505234336.2132721-1-achender@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/rds/message.c b/net/rds/message.c
index 25fedcb3cd00ec4593a397a341d23d112bbe7e27..7feb0eb6537db8a90c27c0c74162b0f8637366b2 100644 (file)
--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -448,6 +448,7 @@ static int rds_message_zcopy_from_user(struct rds_message *rm, struct iov_iter *
 
                        for (i = 0; i < rm->data.op_nents; i++)
                                put_page(sg_page(&rm->data.op_sg[i]));
+                       rm->data.op_nents = 0;
                        mmp = &rm->data.op_mmp_znotifier->z_mmp;
                        mm_unaccount_pinned_pages(mmp);
                        ret = -EFAULT;