ACK: [SRU][J/N][PATCH 0/1] net/rds: reset op_nents when zerocopy page pin fails

Alessio Faina alessio.faina at canonical.com
Fri May 22 13:02:06 UTC 2026


On Fri, May 22, 2026 at 08:09:18AM -0400, Benjamin Wheeler wrote:
> BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2153962
> 
> SRU Justification:
> 
> [Impact]
> 
> When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),
> the pinned pages are released with put_page(), and
> rm->data.op_mmp_znotifier is cleared.  But we fail to properly
> clear rm->data.op_nents.
> 
> Later when rds_message_purge() is called from rds_sendmsg() the
> cleanup loop iterates over the incorrectly non-zero number of
> op_nents and frees them again.
> 
> 
> [Fix]
> 
> Fix this by properly resetting op_nents when it should be in
> rds_message_zcopy_from_user().
> 
> [Test Plan]
> 
> Compiled, boot tested, and ran reproducer (found at
> https://github.com/v12-security/pocs/tree/main/pintheft).
> 
> 
> [Where problems could occur]
> 
> The fix is a single line change to the rds_message_zcopy_from_user()
> function, which is only called from rds_sendmsg() when the caller has
> requested zero-copy send.  If there are any issues with this patch, they
> would likely be limited to zero-copy send operations in RDS.
> 
> 
> Allison Henderson (1):
>   net/rds: reset op_nents when zerocopy page pin fails
> 
>  net/rds/message.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> -- 
> 2.43.0
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Alessio Faina <alessio.faina at canonical.com>
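As an added illustration of the failure mode described in the SRU justification above, here is a constructed user-space toy model of the zero-copy pin/cleanup sequence. It is written for this page and is not kernel code, the patch, or the linked reproducer: the `struct page`, the flattened `rds_message` fields, the page pool and the function names are stand-ins, and the pin failure is simulated rather than coming from iov_iter_get_pages2(). The only thing it demonstrates is the invariant the fix restores: after the error path has released the pinned pages, op_nents must say zero so that the later purge does not release the same references again.

```c
#include <stdio.h>
#include <string.h>

/* Toy model (not kernel code) of the RDS zero-copy send path described in
 * the bug report: a message pins user pages one by one; if a pin fails
 * midway, the already-pinned pages are released. The purge that later runs
 * for the message must not release those references a second time. */

#define MAX_PAGES 8

/* Stand-in for struct page: only the reference count matters here. */
struct page {
    int refcount;
};

/* Stand-in for the rds_message data-op fields named in the report
 * (rm->data.op_nents, rm->data.op_mmp_znotifier), flattened for the demo. */
struct rds_message {
    struct page *pages[MAX_PAGES];
    unsigned int op_nents;      /* entries that currently hold a pinned page */
    int op_mmp_znotifier;       /* non-zero while a zerocopy notifier is attached */
};

/* Stand-ins for get_page()/put_page(): plain refcount arithmetic. */
static void get_page(struct page *p) { p->refcount++; }
static void put_page(struct page *p) { p->refcount--; }

/* Model of rds_message_zcopy_from_user(): pins `want` pages from `pool`, but
 * the pin of index `fail_at` fails (simulating an iov_iter_get_pages2() error).
 * `reset_nents` selects the fixed behaviour on the error path. */
static int zcopy_from_user(struct rds_message *rm, struct page *pool,
                           unsigned int want, unsigned int fail_at,
                           int reset_nents)
{
    unsigned int i;

    rm->op_mmp_znotifier = 1;
    for (i = 0; i < want && i < MAX_PAGES; i++) {
        if (i == fail_at)
            goto err;
        get_page(&pool[i]);
        rm->pages[i] = &pool[i];
        rm->op_nents++;
    }
    return 0;

err:
    /* Error path: release what was pinned and drop the notifier. */
    for (i = 0; i < rm->op_nents; i++)
        put_page(rm->pages[i]);
    rm->op_mmp_znotifier = 0;
    if (reset_nents)
        rm->op_nents = 0;   /* the one-line fix: purge later sees no pages */
    return -1;
}

/* Model of rds_message_purge(): releases every page op_nents claims is held. */
static void purge(struct rds_message *rm)
{
    unsigned int i;

    for (i = 0; i < rm->op_nents; i++)
        put_page(rm->pages[i]);
    rm->op_nents = 0;
}

/* Runs one failing zero-copy send followed by the sendmsg() error-path purge.
 * Returns the number of pages whose refcount ended below the single reference
 * their owner (the "user mapping") still holds, i.e. references released that
 * the message never owned. 0 means the cleanup invariant held. */
int run_failed_send(int reset_nents)
{
    struct page pool[MAX_PAGES];
    struct rds_message rm;
    unsigned int i;
    int stolen = 0;

    for (i = 0; i < MAX_PAGES; i++)
        pool[i].refcount = 1;   /* constructed: owner holds one reference */
    memset(&rm, 0, sizeof(rm));

    zcopy_from_user(&rm, pool, 4, 2, reset_nents);  /* pins 2 pages, 3rd fails */
    purge(&rm);                                      /* error-path cleanup */

    for (i = 0; i < MAX_PAGES; i++)
        if (pool[i].refcount < 1)
            stolen++;
    return stolen;
}

int main(void)
{
    printf("without op_nents reset: %d owner references released\n",
           run_failed_send(0));
    printf("with op_nents reset:    %d owner references released\n",
           run_failed_send(1));
    return 0;
}
```

Without the reset, the two pages pinned before the failure are released once on the error path and again in the purge, so the owner's own reference disappears; with the reset, the purge loop runs zero times and the counts balance. This is the same shape as the description in the report: a stale op_nents is the only state the purge consults, so it is the state the error path must fix up.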
