The napi->rx_list is used to hold the GRO_NORMAL skbs before passing
them to the stack, these skbs only passed to stack at the flush time or
when the list's weight matches the predefined condition. In case the
rx_list contains pending skbs when we remove the napi context, we need
to clean out this list, otherwise, a memory leak will happen.
Signed-off-by: Nguyen Dinh Phi <phind.uet@xxxxxxxxx>
Reported-by: syzbot+989efe781c74de1ddb54@xxxxxxxxxxxxxxxxxxxxxxxxx
---
net/core/dev.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/core/dev.c b/net/core/dev.c
index b51e41d0a7fe..319fffc62ce6 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -7038,6 +7038,13 @@ void __netif_napi_del(struct napi_struct *napi)
list_del_rcu(&napi->dev_list);
napi_free_frags(napi);
+ if (napi->rx_count) {
+ struct sk_buff *skb, *n;
+
+ list_for_each_entry_safe(skb, n, &napi->rx_list, list)
+ kfree_skb(skb);
+ }
+
flush_gro_hash(napi);
napi->gro_bitmask = 0;
--
2.25.1
