Patchwork [3.5.yuz,extended,stable] Patch "net: fix secpath kmemleak" has been added to staging queue

Submitter Herton Ronaldo Krzesinski
Date Nov. 14, 2012, 12:59 p.m.
Message ID <>
Permalink /patch/198894/
State New


Herton Ronaldo Krzesinski - Nov. 14, 2012, 12:59 p.m.
This is a note to let you know that I have just added a patch titled

    net: fix secpath kmemleak

to the linux-3.5.y-queue branch of the 3.5.yuz extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.yuz tree, see



From 33033733f1fdb3c777103334f9d7831b22230827 Mon Sep 17 00:00:00 2001
From: Eric Dumazet <>
Date: Mon, 22 Oct 2012 09:03:40 +0000
Subject: [PATCH] net: fix secpath kmemleak

commit 3d861f661006606bf159fd6bd973e83dbf21d0f9 upstream.

Mike Kazantsev found 3.5 kernels and beyond were leaking memory,
and tracked the faulty commit to a1c7fff7e18f59e ("net:
netdev_alloc_skb() use build_skb()")

While this commit seems fine, it uncovered a bug introduced
in commit bad43ca8325 ("net: introduce skb_try_coalesce()"), in function

If head is stolen, we free the sk_buff,
without removing references on secpath (skb->sp).

So IPsec + IP defrag/reassembly (using skb coalescing), or
TCP coalescing could leak secpath objects.

Fix this bug by calling skb_release_head_state(skb) to properly
release all possible references to linked objects.

Reported-by: Mike Kazantsev <>
Signed-off-by: Eric Dumazet <>
Bisected-by: Mike Kazantsev <>
Tested-by: Mike Kazantsev <>
Signed-off-by: David S. Miller <>
Signed-off-by: Herton Ronaldo Krzesinski <>
 net/core/skbuff.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)



diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index d124306..015f3a7 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3350,10 +3350,12 @@  EXPORT_SYMBOL(__skb_warn_lro_forwarding);

 void kfree_skb_partial(struct sk_buff *skb, bool head_stolen)
-	if (head_stolen)
+	if (head_stolen) {
+		skb_release_head_state(skb);
 		kmem_cache_free(skbuff_head_cache, skb);
-	else
+	} else {
+	}
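
Review bot: In kfree_skb_partial(), the else branch as it appears here has no body: `-	else` is replaced by `+	} else {` and `+	}` with no statement between them, and the hunk header announces 10 to 12 lines while far fewer are shown, so the non-stolen path's free call cannot be confirmed from this hunk and should be checked against upstream commit 3d861f661006606bf159fd6bd973e83dbf21d0f9 before the patch is applied to the queue. The head_stolen branch would also benefit from a one-line comment stating that skb_release_head_state(skb) must run before kmem_cache_free(skbuff_head_cache, skb) because the sk_buff can still hold references such as skb->sp, which is the leak the commit message describes.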