in function rds_cmsg_rdma_args() at net/rds/rdma.c:L546, the variable "iovstack" is an array and the pointer variable *iovs is equal to iovstack (at Line 554). As the the return value of sock_kmalloc() (called at line 578),when "iovs" is NULL, function sock_kfree_s() will be called(at line 697) and function sock_kfree_s() will free "iovs".  
The related code snippets in function rds_cmsg_rdma_args() are as followings.
rds_cmsg_rdma_args() at net/rds/rdma.c:L546
546 int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
547                           struct cmsghdr *cmsg)
548 {
549         struct rds_rdma_args *args;
550         struct rm_rdma_op *op = &rm->rdma;
551         int nr_pages;
552         unsigned int nr_bytes;
553         struct page **pages = NULL;
554         struct rds_iovec iovstack[UIO_FASTIOV], *iovs = iovstack;
            ...
576         iov_size = args->nr_local * sizeof(struct rds_iovec);
577         if (args->nr_local > UIO_FASTIOV) {
578                 iovs = sock_kmalloc(rds_rs_to_sk(rs), iov_size, GFP_KERNEL);
579                 if (!iovs) {
580                         ret = -ENOMEM;
581                         goto out;
582                 }
583         }
            ...
695 out:
696         if (iovs != iovstack)
697                 sock_kfree_s(rds_rs_to_sk(rs), iovs, iov_size);
698         kfree(pages);
699         if (ret)
700                 rds_rdma_free_op(op);
701         else
702                 rds_stats_inc(s_send_rdma);
703 
704         return ret;
705 }

Thak you!

RUC_Soft_Sec, supported by China.X.Orion