Message ID | 1350932620.8609.1142.camel@edumazet-glaptop |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Headers | show |
From: Eric Dumazet <eric.dumazet@gmail.com> Date: Mon, 22 Oct 2012 21:03:40 +0200 > From: Eric Dumazet <edumazet@google.com> > > Mike Kazantsev found 3.5 kernels and beyond were leaking memory, > and tracked the faulty commit to a1c7fff7e18f59e (net: > netdev_alloc_skb() use build_skb() > > While this commit seems fine, it uncovered a bug introduced > in commit bad43ca8325 (net: introduce skb_try_coalesce()), in function > kfree_skb_partial() : > > If head is stolen, we free the sk_buff, > without removing references on secpath (skb->sp). > > So IPsec + IP defrag/reassembly (using skb coalescing), or > TCP coalescing could leak secpath objects. > > Fix this bug by calling skb_release_head_state(skb) to properly > release all possible references to linked objects. > > Reported-by: Mike Kazantsev <mk.fraggod@gmail.com> > Signed-off-by: Eric Dumazet <edumazet@google.com> > Bisected-by: Mike Kazantsev <mk.fraggod@gmail.com> > Tested-by: Mike Kazantsev <mk.fraggod@gmail.com> Applied and queued up for -stable, thanks! > It seems TCP stack could immediately release secpath references instead > of waiting skb are eaten by consumer, thats will be a followup patch. Indeed. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 6e04b1f..4007c14 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -3379,10 +3379,12 @@ EXPORT_SYMBOL(__skb_warn_lro_forwarding); void kfree_skb_partial(struct sk_buff *skb, bool head_stolen) { - if (head_stolen) + if (head_stolen) { + skb_release_head_state(skb); kmem_cache_free(skbuff_head_cache, skb); - else + } else { __kfree_skb(skb); + } } EXPORT_SYMBOL(kfree_skb_partial);