5.10-stable patches

author Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thu, 21 May 2026 10:50:26 +0000 (12:50 +0200)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thu, 21 May 2026 10:50:26 +0000 (12:50 +0200)
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 21 May 2026 10:50:26 +0000 (12:50 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 21 May 2026 10:50:26 +0000 (12:50 +0200)
diff --git a/queue-5.10/net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch b/queue-5.10/net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch

new file mode 100644 (file)

index 0000000..30a3d4b
--- /dev/null
+++ b/queue-5.10/net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch
@@ -0,0 +1,41 @@
+From e174929793195e0cd6a4adb0cad731b39f9019b4 Mon Sep 17 00:00:00 2001
+From: Allison Henderson <achender@kernel.org>
+Date: Tue, 5 May 2026 16:43:36 -0700
+Subject: net/rds: reset op_nents when zerocopy page pin fails
+
+From: Allison Henderson <achender@kernel.org>
+
+commit e174929793195e0cd6a4adb0cad731b39f9019b4 upstream.
+
+When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),
+the pinned pages are released with put_page(), and
+rm->data.op_mmp_znotifier is cleared.  But we fail to properly
+clear rm->data.op_nents.
+
+Later when rds_message_purge() is called from rds_sendmsg() the
+cleanup loop iterates over the incorrectly non zero number of
+op_nents and frees them again.
+
+Fix this by properly resetting op_nents when it should be in
+rds_message_zcopy_from_user().
+
+Fixes: 0cebaccef3ac ("rds: zerocopy Tx support.")
+Signed-off-by: Allison Henderson <achender@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260505234336.2132721-1-achender@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/message.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rds/message.c
++++ b/net/rds/message.c
+@@ -409,6 +409,7 @@ static int rds_message_zcopy_from_user(s
+ 
+                       for (i = 0; i < rm->data.op_nents; i++)
+                               put_page(sg_page(&rm->data.op_sg[i]));
++                      rm->data.op_nents = 0;
+                       mmp = &rm->data.op_mmp_znotifier->z_mmp;
+                       mm_unaccount_pinned_pages(mmp);
+                       ret = -EFAULT;
diff --git a/queue-5.10/series b/queue-5.10/series

index ff0b5432a99df5bc241c1259892b8e62e3818d98..428ad743776843cecdcdea56d08d0b81728d3e20 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -527,3 +527,4 @@ iommu-vt-d-disable-dmar-for-intel-q35-igfx.patch
  drm-panfrost-fix-wait_bo-ioctl-leaking-positive-return-from-dma_resv_wait_timeout.patch
  drm-gma500-oaktrail_hdmi-fix-i2c-adapter-leak-on-setup.patch
  io-wq-check-that-the-predecessor-is-hashed-in-io_wq_remove_pending.patch
+net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 21 May 2026 10:50:26 +0000 (12:50 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 21 May 2026 10:50:26 +0000 (12:50 +0200)
queue-5.10/net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch	[new file with mode: 0644]	patch \| blob
queue-5.10/series		patch \| blob \| blame \| history