Thread (5 messages), 5 authors, 2024-01-08

Re: [PATCH net] net/sched: act_ct: fix skb leak and crash on ooo frags

From: Vlad Buslov <hidden>
Date: 2024-01-08 08:14:33

On Wed 03 Jan 2024 at 17:49, Jakub Kicinski [off-list ref] wrote:
> On Thu, 28 Dec 2023 16:14:57 +0800 Tao Liu wrote:
>> act_ct adds skb->users before defragmentation. If frags arrive in order,
>> the last frag's reference is reset in:
>>
>>   inet_frag_reasm_prepare
>>     skb_morph
>>
>> which is not straightforward.
>>
>> However when frags arrive out of order, nobody unref the last frag, and
>> all frags are leaked. The situation is even worse, as initiating packet
>> capture can lead to a crash[0] when skb has been cloned and shared at the
>> same time.
>>
>> Fix the issue by removing skb_get() before defragmentation. act_ct
>> returns TC_ACT_CONSUMED when defrag failed or in progress.
>
> Vlad, Xin Long, does this look good to you?

Hi, sorry for the late response. LGTM, will report tomorrow if this
triggers anything in our regression runs.