--- /dev/null
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Wed, 3 Apr 2024 10:36:25 -0400
+Subject: [PATCH] SUNRPC: Fix a slow server-side memory leak with RPC-over-TCP
+
+Jan Schunk reports that his small NFS servers suffer from memory
+exhaustion after just a few days. A bisect shows that commit
+e18e157bb5c8 ("SUNRPC: Send RPC message on TCP with a single
+sock_sendmsg() call") is the first bad commit.
+
+That commit assumed that sock_sendmsg() releases all the pages in
+the underlying bio_vec array, but the reality is that it doesn't.
+svc_xprt_release() releases the rqst's response pages, but the
+record marker page fragment isn't one of those, so it is never
+released.
+
+This is a narrow fix that can be applied to stable kernels. A
+more extensive fix is in the works.
+
+Reported-by: Jan Schunk <scpcom@gmx.de>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218671
+Fixes: e18e157bb5c8 ("SUNRPC: Send RPC message on TCP with a single sock_sendmsg() call")
+Cc: Alexander Duyck <alexander.duyck@gmail.com>
+Cc: Jakub Kacinski <kuba@kernel.org>
+Cc: David Howells <dhowells@redhat.com>
+Reviewed-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+(cherry picked from commit 05258a0a69b3c5d2c003f818702c0a52b6fea861)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ net/sunrpc/svcsock.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
+index 545017a3daa4..6b3f01beb294 100644
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -1206,15 +1206,6 @@ static int svc_tcp_recvfrom(struct svc_rqst *rqstp)
+ * MSG_SPLICE_PAGES is used exclusively to reduce the number of
+ * copy operations in this path. Therefore the caller must ensure
+ * that the pages backing @xdr are unchanging.
+- *
+- * Note that the send is non-blocking. The caller has incremented
+- * the reference count on each page backing the RPC message, and
+- * the network layer will "put" these pages when transmission is
+- * complete.
+- *
+- * This is safe for our RPC services because the memory backing
+- * the head and tail components is never kmalloc'd. These always
+- * come from pages in the svc_rqst::rq_pages array.
+ */
+ static int svc_tcp_sendmsg(struct svc_sock *svsk, struct svc_rqst *rqstp,
+ rpc_fraghdr marker, unsigned int *sentp)
+@@ -1244,6 +1235,7 @@ static int svc_tcp_sendmsg(struct svc_sock *svsk, struct svc_rqst *rqstp,
+ iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, rqstp->rq_bvec,
+ 1 + count, sizeof(marker) + rqstp->rq_res.len);
+ ret = sock_sendmsg(svsk->sk_sock, &msg);
++ page_frag_free(buf);
+ if (ret < 0)
+ return ret;
+ *sentp += ret;