From: Eric Dumazet <eric.dumazet@xxxxxxxxx> Date: Mon, 22 Oct 2012 21:03:40 +0200 > From: Eric Dumazet <edumazet@xxxxxxxxxx> > > Mike Kazantsev found 3.5 kernels and beyond were leaking memory, > and tracked the faulty commit to a1c7fff7e18f59e (net: > netdev_alloc_skb() use build_skb() > > While this commit seems fine, it uncovered a bug introduced > in commit bad43ca8325 (net: introduce skb_try_coalesce()), in function > kfree_skb_partial() : > > If head is stolen, we free the sk_buff, > without removing references on secpath (skb->sp). > > So IPsec + IP defrag/reassembly (using skb coalescing), or > TCP coalescing could leak secpath objects. > > Fix this bug by calling skb_release_head_state(skb) to properly > release all possible references to linked objects. > > Reported-by: Mike Kazantsev <mk.fraggod@xxxxxxxxx> > Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx> > Bisected-by: Mike Kazantsev <mk.fraggod@xxxxxxxxx> > Tested-by: Mike Kazantsev <mk.fraggod@xxxxxxxxx> Applied and queued up for -stable, thanks! > It seems TCP stack could immediately release secpath references instead > of waiting skb are eaten by consumer, thats will be a followup patch. Indeed. -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>