--- /dev/null
+From e174929793195e0cd6a4adb0cad731b39f9019b4 Mon Sep 17 00:00:00 2001
+From: Allison Henderson <achender@kernel.org>
+Date: Tue, 5 May 2026 16:43:36 -0700
+Subject: net/rds: reset op_nents when zerocopy page pin fails
+
+From: Allison Henderson <achender@kernel.org>
+
+commit e174929793195e0cd6a4adb0cad731b39f9019b4 upstream.
+
+When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),
+the pinned pages are released with put_page(), and
+rm->data.op_mmp_znotifier is cleared. But we fail to properly
+clear rm->data.op_nents.
+
+Later when rds_message_purge() is called from rds_sendmsg() the
+cleanup loop iterates over the incorrectly non zero number of
+op_nents and frees them again.
+
+Fix this by properly resetting op_nents when it should be in
+rds_message_zcopy_from_user().
+
+Fixes: 0cebaccef3ac ("rds: zerocopy Tx support.")
+Signed-off-by: Allison Henderson <achender@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260505234336.2132721-1-achender@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/message.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rds/message.c
++++ b/net/rds/message.c
+@@ -408,6 +408,7 @@ static int rds_message_zcopy_from_user(s
+
+ for (i = 0; i < rm->data.op_nents; i++)
+ put_page(sg_page(&rm->data.op_sg[i]));
++ rm->data.op_nents = 0;
+ mmp = &rm->data.op_mmp_znotifier->z_mmp;
+ mm_unaccount_pinned_pages(mmp);
+ ret = -EFAULT;
projects / thirdparty / kernel / stable-queue.git / commitdiff
