Michal reported and bisected an issue after recent adoption of skb_attempt_defer_free() in UDP. The issue here is that skb_release_head_state() is called twice per skb, one time from skb_consume_udp(), then a second time from skb_defer_free_flush() and napi_consume_skb(). As Sabrina suggested, remove skb_release_head_state() call from skb_consume_udp() before calling skb_attempt_defer_free(). Add three DEBUG_NET_WARN_ON_ONCE() to check that dst, destructor and skb_nfct() are not set at this point. Many thanks to Michal, Sabrina and Paolo for their help. Fixes: 6471658dc66c ("udp: use skb_attempt_defer_free()") Reported-and-bisected-by: Michal Kubecek Closes: https://lore.kernel.org/netdev/gpjh4lrotyephiqpuldtxxizrsg6job7cvhiqrw72saz2ubs3h@g6fgbvexgl3r/ Signed-off-by: Eric Dumazet Tested-by: Michal Kubecek Cc: Sabrina Dubroca --- v2: Adopted Sabrina suggestion. v1: https://lore.kernel.org/netdev/aO3_hBg5expKNv6v@krikkit/T/#m8a88669b801d85f57b73710cdb0c8ee63854af11 net/ipv4/udp.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index 95241093b7f0..d66f273f9070 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -1851,8 +1851,13 @@ void skb_consume_udp(struct sock *sk, struct sk_buff *skb, int len) sk_peek_offset_bwd(sk, len); if (!skb_shared(skb)) { - if (unlikely(udp_skb_has_head_state(skb))) - skb_release_head_state(skb); + /* Make sure that this skb has no dst, destructor + * or conntracking parts, because it might stay + * in a remote cpu list for a very long time. + */ + DEBUG_NET_WARN_ON_ONCE(skb_dst(skb)); + DEBUG_NET_WARN_ON_ONCE(skb->destructor); + DEBUG_NET_WARN_ON_ONCE(skb_nfct(skb)); skb_attempt_defer_free(skb); return; } -- 2.51.0.788.g6d19910ace-goog