6.18-stable patches

author Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thu, 21 May 2026 10:51:05 +0000 (12:51 +0200)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thu, 21 May 2026 10:51:05 +0000 (12:51 +0200)
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 21 May 2026 10:51:05 +0000 (12:51 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 21 May 2026 10:51:05 +0000 (12:51 +0200)
diff --git a/queue-6.18/net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch b/queue-6.18/net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch

new file mode 100644 (file)

index 0000000..359cbbf
--- /dev/null
+++ b/queue-6.18/net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch
@@ -0,0 +1,41 @@
+From e174929793195e0cd6a4adb0cad731b39f9019b4 Mon Sep 17 00:00:00 2001
+From: Allison Henderson <achender@kernel.org>
+Date: Tue, 5 May 2026 16:43:36 -0700
+Subject: net/rds: reset op_nents when zerocopy page pin fails
+
+From: Allison Henderson <achender@kernel.org>
+
+commit e174929793195e0cd6a4adb0cad731b39f9019b4 upstream.
+
+When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),
+the pinned pages are released with put_page(), and
+rm->data.op_mmp_znotifier is cleared.  But we fail to properly
+clear rm->data.op_nents.
+
+Later when rds_message_purge() is called from rds_sendmsg() the
+cleanup loop iterates over the incorrectly non zero number of
+op_nents and frees them again.
+
+Fix this by properly resetting op_nents when it should be in
+rds_message_zcopy_from_user().
+
+Fixes: 0cebaccef3ac ("rds: zerocopy Tx support.")
+Signed-off-by: Allison Henderson <achender@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260505234336.2132721-1-achender@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/message.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rds/message.c
++++ b/net/rds/message.c
+@@ -408,6 +408,7 @@ static int rds_message_zcopy_from_user(s
+ 
+                       for (i = 0; i < rm->data.op_nents; i++)
+                               put_page(sg_page(&rm->data.op_sg[i]));
++                      rm->data.op_nents = 0;
+                       mmp = &rm->data.op_mmp_znotifier->z_mmp;
+                       mm_unaccount_pinned_pages(mmp);
+                       ret = -EFAULT;
diff --git a/queue-6.18/series b/queue-6.18/series

index 0d4cbc1ff38317bb55a2d0b83267f5a514c7d348..2d399e71e0c5eafa78638d9d140529454e1f0ed6 100644 (file)
--- a/queue-6.18/series
+++ b/queue-6.18/series
@@ -955,3 +955,4 @@ sched_ext-pass-held-rq-to-scx_call_op-for-core_sched_before.patch
  f2fs-fix-false-alarm-of-lockdep-on-cp_global_sem-lock.patch
  spi-sifive-simplify-clock-handling-with-devm_clk_get_enabled.patch
  spi-sifive-fix-controller-deregistration.patch
+net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 21 May 2026 10:51:05 +0000 (12:51 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 21 May 2026 10:51:05 +0000 (12:51 +0200)
queue-6.18/net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch	[new file with mode: 0644]	patch \| blob
queue-6.18/series		patch \| blob \| blame \| history