[SRU][Q/R][PATCH 0/1] net/rds: reset op_nents when zerocopy page pin fails

Benjamin Wheeler benjamin.wheeler at canonical.com
Fri May 22 01:08:41 UTC 2026


BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2153962

SRU Justification:

[Impact]

When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),
the pinned pages are released with put_page(), and
rm->data.op_mmp_znotifier is cleared.  But we fail to properly
clear rm->data.op_nents.

Later, when rds_message_purge() is called from rds_sendmsg(), the
cleanup loop iterates over the incorrectly non-zero number of
op_nents and frees them again.


[Fix]

Fix this by properly resetting op_nents when it should be in
rds_message_zcopy_from_user().

[Test Plan]

Compiled, boot tested, and ran reproducer (found at 
https://github.com/v12-security/pocs/tree/main/pintheft).


[Where problems could occur]

The fix is a single line change to the rds_message_zcopy_from_user()
function, which is only called from rds_sendmsg() when the caller has
requested zero-copy send.  If there are any issues with this patch, they
would likely be limited to zero-copy send operations in RDS.


Allison Henderson (1):
  net/rds: reset op_nents when zerocopy page pin fails

 net/rds/message.c | 1 +
 1 file changed, 1 insertion(+)

-- 
2.43.0
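The failure mode described in the [Impact] section, reduced to a userland model as an added example (this is not the kernel's net/rds code and not the patch itself). The "pages", get_page()/put_page(), the batched pinning stand-in for iov_iter_get_pages2(), and the znotifier token are all constructed here; the only behaviour taken from the justification above is that the error path releases the pinned pages and clears the notifier but leaves op_nents stale, so the purge loop in the rds_sendmsg() error path puts the same pages a second time. A flag selects the one-line fix (resetting op_nents) so the two behaviours can be compared side by side.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PAGES 8

/* Constructed stand-in for struct page: just a refcount we can watch. */
struct page { int refcount; };
static struct page pool[MAX_PAGES];

/* Minimal model of rm->data: the pinned-page list and op_nents. */
struct rds_data_op {
    struct page *sg[MAX_PAGES];
    int op_nents;
    void *op_mmp_znotifier;
};

/* Counts put_page() calls on a page whose refcount is already zero,
 * i.e. the double free the fix prevents. */
static int double_puts;

static void get_page(struct page *p) { p->refcount++; }
static void put_page(struct page *p)
{
    if (p->refcount <= 0)
        double_puts++;      /* would free an already-freed page in the kernel */
    p->refcount--;
}

/* Model of rds_message_zcopy_from_user(): pin 'total' pages one at a time
 * (a constructed stand-in for iov_iter_get_pages2()); the pin fails once
 * 'fail_at' pages are already pinned.  On failure the pinned pages are
 * released and the notifier cleared.  'reset_nents' selects the fix. */
static int zcopy_from_user(struct rds_data_op *op, int total, int fail_at,
                           int reset_nents)
{
    int i;

    op->op_nents = 0;
    op->op_mmp_znotifier = (void *)op;   /* constructed token: notifier attached */

    for (i = 0; i < total; i++) {
        if (i == fail_at) {
            int j;
            for (j = 0; j < op->op_nents; j++)
                put_page(op->sg[j]);     /* release what was pinned so far */
            op->op_mmp_znotifier = NULL; /* cleared, as in the original code */
            if (reset_nents)
                op->op_nents = 0;        /* the one-line fix */
            return -1;                   /* error returned to rds_sendmsg() */
        }
        get_page(&pool[i]);
        op->sg[op->op_nents++] = &pool[i];
    }
    return 0;
}

/* Model of the rds_message_purge() cleanup loop: it trusts op_nents. */
static void rds_message_purge(struct rds_data_op *op)
{
    int i;
    for (i = 0; i < op->op_nents; i++)
        put_page(op->sg[i]);
    op->op_nents = 0;
}

/* Run the failing-pin scenario once and return how many pages were put twice.
 * Scenario (constructed): 5 pages requested, the pin fails after 3 succeed. */
static int run_scenario(int reset_nents)
{
    struct rds_data_op op;

    memset(&op, 0, sizeof op);
    memset(pool, 0, sizeof pool);
    double_puts = 0;

    if (zcopy_from_user(&op, 5, 3, reset_nents) < 0)
        rds_message_purge(&op);   /* error path in rds_sendmsg() */

    return double_puts;
}

int main(void)
{
    printf("buggy: %d pages put twice\n", run_scenario(0));
    printf("fixed: %d pages put twice\n", run_scenario(1));
    return 0;
}
```

With the stale op_nents the purge loop puts each of the three already-released pages a second time; with op_nents reset to zero the purge loop has nothing to do, which is exactly what the single added line in the patch achieves.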



