From: Florian Westphal <fw@strlen.de>
To: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>,
syzbot <syzbot+4393c47753b7808dac7d@syzkaller.appspotmail.com>,
coreteam@netfilter.org, davem@davemloft.net, horms@kernel.org,
kadlec@netfilter.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
pabeni@redhat.com, pablo@netfilter.org, phil@nwl.cc,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [netfilter?] WARNING in nf_conntrack_cleanup_net_list
Date: Sat, 13 Dec 2025 19:54:42 +0100 [thread overview]
Message-ID: <aT22cheoCSd1JfIM@strlen.de> (raw)
In-Reply-To: <CANn89iKDFe83G4_bmzPVkKwVwNcxTX1pyjBqoHwrt+rk3A9=dQ@mail.gmail.com>
Eric Dumazet <edumazet@google.com> wrote:
> > UDP, but I can't say yet if thats an udp specific issue or not.
> > (the packets are generated via ip_defrag.c).
>
> skb_release_head_state() does not follow the fraglist. Oh well.
>
> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> index a00808f7be6a1b86c595183f8b131996e3d0afcc..f597769d8c206dc063b53938a18edbe9620101d9
> 100644
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
> @@ -1497,7 +1497,9 @@ void napi_consume_skb(struct sk_buff *skb, int budget)
>
> DEBUG_NET_WARN_ON_ONCE(!in_softirq());
>
> - if (skb->alloc_cpu != smp_processor_id() && !skb_shared(skb)) {
> + if (skb->alloc_cpu != smp_processor_id() &&
> + !skb_shared(skb) &&
> + !skb_has_frag_list(skb)) {
> skb_release_head_state(skb);
> return skb_attempt_defer_free(skb);
There is also:
skb_attempt_defer_free -> skb_attempt_defer_free
Alternatively we could export skb_defer_free_flush or
kick_defer_list_purge() and call that from nf_conntrack
net exit path.
I will investigate more closely on monday, I still don't
understand why fragments are conntracked in the first place.
prev parent reply other threads:[~2025-12-13 18:54 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-11 18:38 [syzbot] [netfilter?] WARNING in nf_conntrack_cleanup_net_list syzbot
2025-12-12 23:07 ` Jakub Kicinski
2025-12-13 13:27 ` Florian Westphal
2025-12-13 13:30 ` Eric Dumazet
2025-12-13 13:40 ` Florian Westphal
2025-12-13 13:58 ` Eric Dumazet
2025-12-13 18:54 ` Florian Westphal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aT22cheoCSd1JfIM@strlen.de \
--to=fw@strlen.de \
--cc=coreteam@netfilter.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kadlec@netfilter.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
--cc=phil@nwl.cc \
--cc=syzbot+4393c47753b7808dac7d@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.