From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pj1-f51.google.com (mail-pj1-f51.google.com [209.85.216.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 54AC035A397 for ; Mon, 13 Apr 2026 08:46:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.51 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776069977; cv=none; b=MPaktWsxN+dE1a+IZrSAI6dsjtupdl+ejjbBU0aFx4ykvA7myUDwlxyS2dRvUlhDNlpVAaEx4Qz2O0KhV5ygoOLmYjDfYichLg1khALMx8jF4goplL5k9npWxD1GIna0xaoFbfwCZPwYy16n4lBBrup67af59pa3amW51q7aFc4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776069977; c=relaxed/simple; bh=GmnjbGflMBWDxjEtHIFXgRz1TxxPkLEe/a5xxNFgs8k=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=TsKYi/jvFhEHi8lsxpuye22KeidD+p+HN8VVBe2KSF7crUdMXFB9ugP8GzUTfUjolfh8FKTC9JZILeFmElsOkJCfZntBFF+wFTH2KjSW3lCUAlrJGB92XBYyTqlpRghY+8kjBUatKgyMEUg58lKSAjNkWfX/QO9WcRonfZ2uUBQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Q/lvf609; arc=none smtp.client-ip=209.85.216.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Q/lvf609" Received: by mail-pj1-f51.google.com with SMTP id 98e67ed59e1d1-35d99bae2ebso3644512a91.3 for ; Mon, 13 Apr 2026 01:46:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776069975; x=1776674775; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=fwrub6IAUK7fbf/KIL4RIUjCioeQIHLj6YmidJS4fts=; b=Q/lvf609t7SWWOB0cy9BS/0eFC44ybLMl2f4g9OUoE++trt1+zngYxeUninpVG8jwC ffziSJyF9jJ97tSNBYRTMu0JD+Uv5kFoDKsa3ccCiYWXhsOpvHMU/w5WpQIUaze2RzFV C93zeyySmEHk2cYPWzaXli8yidmWZi6nKyyodoq1pc3MN38AmpdlbTJXS4O6FHyWjcnu jRlyundlWSzppiFzx8oOfFpQ+hBcrKKdzSRG5tvdHpG+YI4hvpuDMZbCYlLCtQXnZqh0 R3O/GVsHF/5PpjllmeQtbFm+ngBMVvTps7vQvMIPBA2IBRnwFRy8lTH5ac7ESplfUjdl d/Tg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776069975; x=1776674775; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=fwrub6IAUK7fbf/KIL4RIUjCioeQIHLj6YmidJS4fts=; b=lf42zXwX9p/J4JBdpoVpPE//RnD0/yEsP29MbUqne2bUkkPAHykNNdPoP3XwT8jH0Z brczJpXiuf4vYaMsvBVE1oEB4xsRPAYvyhGAsIMFW7zzZhsg7wIhNbjY/8FTfpz5IRCv L8VLJPJJUn+KH1U5ndS0El7hFpA3bhKG5/yO2cii1xcqnXX9gne1TyfhfzLE2v/+mWt6 ry0wkoPeFJXhATzz6iyas/cRa9TksJN3kzDs0Q+9uVd4c9RNL0k/m7Hbfa8tQ/NrWcuf T4MUyee6U4fe0D9DnZlE2nUq/tksr/Qsb3I+11Jfo0qW33xz/bvvqmVRm72/CmhMC+qn ECrg== X-Gm-Message-State: AOJu0YxoXg23kz/WMdgOqHZXG/474kz3jovwbsShGHZ5xxSWkzdiEljT PAO4ggEfLZOg21unIJat2lkgD7bXj45g1sXHTlg6Pc8z8FfyvdGNVq5WUti3iQ== X-Gm-Gg: AeBDiesAHJssyLqBqgL2/x96+RhJjSIzt/DCKnkWq1OsiNUZat58b3HSUgq9A/+dw+j 5Z4K5X2tsqXPVy85iZwz5X2QRS5qLw6PWThUinBSYIycpgcPk+HChmaI3dgmJQU2O/rUuH+te0Y iwW8EMSoNOfMOgwOYGW1JyKGBK6xUhDGcSzK58gTetoUiksfOEPqSu6ig7GuT6JKcp9vuIziQYO TdH9TMA9ximpq2D/d919TQhB8Iitt9dPdDEMnSaOFxmUlqrYmvrrWq70Fym1KjMLLUma1sgC8zf fyEAxoX+JxobKfXaY5B5D3zIyKTnj5DRyUqqwkXTU/cSBWLubVtwlFOSx1MisJqKcvPP4kFCUOT GYV9RzQ+uSwvHrg4JzZWKCVSN6LV+BbCnQ68BkfoKXUIZ4OhhA3YX7FK/febdQd3WSMq6PsNrAF 7ax4c9NjVTdO4UaYhphPV1xtQgRqA68MqogjU59y/BTLzP5h5e07368EmbHL3wLFhx X-Received: by 2002:a17:90b:1804:b0:356:2c7b:c026 with SMTP id 98e67ed59e1d1-35e42853374mr14071037a91.23.1776069975450; Mon, 13 Apr 2026 01:46:15 -0700 (PDT) Received: from gmail.com (69-172-89-235.static.imsbiz.com. [69.172.89.235]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-35e5aebb15esm4133903a91.4.2026.04.13.01.46.13 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 13 Apr 2026 01:46:14 -0700 (PDT) From: Dudu Lu To: netdev@vger.kernel.org Cc: jhs@mojatatu.com, jiri@resnulli.us, Dudu Lu Subject: [PATCH] net/sched: act_ct: fix skb leak on fragment check failure Date: Mon, 13 Apr 2026 16:46:09 +0800 Message-Id: <20260413084609.69560-1-phx0fer@gmail.com> X-Mailer: git-send-email 2.39.3 (Apple Git-145) Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit tcf_ct_handle_fragments() returns TC_ACT_CONSUMED when tcf_ct_ipv4/6_is_fragment() fails. This causes the caller to believe the skb was consumed, but it was not freed. Each malformed fragment leaks one skb, leading to OOM DoS under sustained traffic. Change the return value to TC_ACT_SHOT so the skb is properly freed by the caller. Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct") Signed-off-by: Dudu Lu --- net/sched/act_ct.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index 7d5e50c921a0..870655f682bd 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c @@ -1107,8 +1107,10 @@ TC_INDIRECT_SCOPE int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a, return retval; out_frag: - if (err != -EINPROGRESS) + if (err != -EINPROGRESS) { tcf_action_inc_drop_qstats(&c->common); + return TC_ACT_SHOT; + } return TC_ACT_CONSUMED; drop: -- 2.39.3 (Apple Git-145)