[Top] [All Lists]

Re: 2.6.0-test9 : bridge freezes

To: Steve Hill <steve@xxxxxxxxxxxx>
Subject: Re: 2.6.0-test9 : bridge freezes
From: "David S. Miller" <davem@xxxxxxxxxx>
Date: Mon, 15 Dec 2003 17:17:32 -0800
Cc: netdev@xxxxxxxxxxx
In-reply-to: <Pine.LNX.4.44.0312151304350.8670-200000@xxxxxxxxxxxxxx>
References: <Pine.LNX.4.44.0312151304350.8670-200000@xxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
On Mon, 15 Dec 2003 13:15:44 +0000 (GMT)
Steve Hill <steve@xxxxxxxxxxxx> wrote:

> The memory that is leaking seems to be being allocated on line 299 on
> net/bridge/br_netfilter.c:
>         if ((nf_bridge = nf_bridge_alloc(skb)) == NULL)
>                 return NF_DROP;
> Only the first fragment gets freed later on.

I see.

> The patch attached fixes the problem by freeing nf_bridge when the 
> packets are defragmented, however I am sure this is not the right place 
> to do this.  Where would the skb's for the fragments usually get freed?
> Bart De Schuymer suggested that they should be freed in 
> skbuff.c::skb_release_data(), but having looked at this it seems to do 
> this already.  skb_release_data() calls skb_drop_fraglist(), which does 
> kfree_skb() on each fragment, and kfree_skb calls nf_bridge_put correctly 
> so this isn't the problem.

There must be something in particular that the IPV4 fragmentation code
is doing that makes these fragment reference drops get forgotten.  Hmmm...

I just noticed that both bridge netfilter and IPV4 fragmentation make much
use of the skb->cb[] control block, this may be the true source of the

In fact, since bridge netfilter expects pointers to be there, I'm surprised
this does not cause a crash.

<Prev in Thread] Current Thread [Next in Thread>