CVE-2026-22979

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: fix memory leak in skb_segment_list for GRO packets<br /> <br /> When skb_segment_list() is called during packet forwarding, it handles<br /> packets that were aggregated by the GRO engine.<br /> <br /> Historically, the segmentation logic in skb_segment_list assumes that<br /> individual segments are split from a parent SKB and may need to carry<br /> their own socket memory accounting. Accordingly, the code transfers<br /> truesize from the parent to the newly created segments.<br /> <br /> Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this<br /> truesize subtraction in skb_segment_list() was valid because fragments<br /> still carry a reference to the original socket.<br /> <br /> However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed<br /> this behavior by ensuring that fraglist entries are explicitly<br /> orphaned (skb-&gt;sk = NULL) to prevent illegal orphaning later in the<br /> stack. This change meant that the entire socket memory charge remained<br /> with the head SKB, but the corresponding accounting logic in<br /> skb_segment_list() was never updated.<br /> <br /> As a result, the current code unconditionally adds each fragment&amp;#39;s<br /> truesize to delta_truesize and subtracts it from the parent SKB. Since<br /> the fragments are no longer charged to the socket, this subtraction<br /> results in an effective under-count of memory when the head is freed.<br /> This causes sk_wmem_alloc to remain non-zero, preventing socket<br /> destruction and leading to a persistent memory leak.<br /> <br /> The leak can be observed via KMEMLEAK when tearing down the networking<br /> environment:<br /> <br /> unreferenced object 0xffff8881e6eb9100 (size 2048):<br /> comm "ping", pid 6720, jiffies 4295492526<br /> backtrace:<br /> kmem_cache_alloc_noprof+0x5c6/0x800<br /> sk_prot_alloc+0x5b/0x220<br /> sk_alloc+0x35/0xa00<br /> inet6_create.part.0+0x303/0x10d0<br /> __sock_create+0x248/0x640<br /> __sys_socket+0x11b/0x1d0<br /> <br /> Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST<br /> packets constructed by GRO, the truesize adjustment is removed.<br /> <br /> The call to skb_release_head_state() must be preserved. As documented in<br /> commit cf673ed0e057 ("net: fix fraglist segmentation reference count<br /> leak"), it is still required to correctly drop references to SKB<br /> extensions that may be overwritten during __copy_skb_header().