[SRU][J/N][PATCH 1/1] net/rds: reset op_nents when zerocopy page pin fails

Benjamin Wheeler benjamin.wheeler at canonical.com
Fri May 22 12:09:19 UTC 2026


From: Allison Henderson <achender at kernel.org>

When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),
the pinned pages are released with put_page(), and
rm->data.op_mmp_znotifier is cleared.  But we fail to properly
clear rm->data.op_nents.

Later when rds_message_purge() is called from rds_sendmsg() the
cleanup loop iterates over the incorrectly non zero number of
op_nents and frees them again.

Fix this by properly resetting op_nents when it should be in
rds_message_zcopy_from_user().

Fixes: 0cebaccef3ac ("rds: zerocopy Tx support.")
Signed-off-by: Allison Henderson <achender at kernel.org>
Reviewed-by: Simon Horman <horms at kernel.org>
Link: https://patch.msgid.link/20260505234336.2132721-1-achender@kernel.org
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
(cherry picked from commit e174929793195e0cd6a4adb0cad731b39f9019b4)
Signed-off-by: Benjamin Wheeler <benjamin.wheeler at canonical.com>
---
 net/rds/message.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/rds/message.c b/net/rds/message.c
index eaa6f22601a4..47800ec5f38f 100644
--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -438,6 +438,7 @@ static int rds_message_zcopy_from_user(struct rds_message *rm, struct iov_iter *
 
 			for (i = 0; i < rm->data.op_nents; i++)
 				put_page(sg_page(&rm->data.op_sg[i]));
+			rm->data.op_nents = 0;
 			mmp = &rm->data.op_mmp_znotifier->z_mmp;
 			mm_unaccount_pinned_pages(mmp);
 			ret = -EFAULT;
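Review bot: The added `rm->data.op_nents = 0;` in the page-pin failure path carries no comment explaining why the count has to be cleared, and the reason is not visible from this function alone. The commit message says rds_message_purge() later walks the entries using op_nents and would release the same pages a second time. A one-line comment above the assignment saying the pages were already dropped here, so purge must not walk op_sg again, would keep a later cleanup from removing the line as redundant. The placement itself is correct: the reset comes after the put_page() loop, which uses op_nents as its bound, so moving it earlier would skip the release entirely. It would also be worth confirming during review that no other exit from this error branch leaves op_nents non-zero with the pages already released.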
-- 
2.43.0



