From: Jon Maloy <jon.ma...@ericsson.com> Date: Wed, 14 Feb 2018 13:50:31 +0100
> diff --git a/net/tipc/msg.c b/net/tipc/msg.c
> index 4e1c6f6..a368fa8 100644
> --- a/net/tipc/msg.c
> +++ b/net/tipc/msg.c
> @@ -434,6 +434,9 @@ bool tipc_msg_extract(struct sk_buff *skb, struct sk_buff
> **iskb, int *pos)
> skb_pull(*iskb, offset);
> imsz = msg_size(buf_msg(*iskb));
> skb_trim(*iskb, imsz);
> +
> + /* Scale extracted buffer's truesize to avoid double accounting */
> + (*iskb)->truesize = SKB_TRUESIZE(imsz);
> if (unlikely(!tipc_msg_validate(iskb)))
> goto none;
> *pos += align(imsz);
As Eric said, you have to be really careful here. If you clone a 10K SKB 10 times, you really have to account for the full truesize 10 times. That is unless you explicitly trim off frags in the new clone, then adjust the truesize by explicitly decreasing it by the amount of memory backing the frags you trimmed off completely (not partially). Finally, you can only do this on an SKB that has never entered a socket SKB queue, otherwise you corrupt memory accounting.
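Review bot: The added `(*iskb)->truesize = SKB_TRUESIZE(imsz);` is evaluated before `tipc_msg_validate(iskb)`, so the accounting value is computed from `imsz`, a length taken straight from the wire by `msg_size(buf_msg(*iskb))` that nothing in this hunk has checked yet; `skb_trim` only ever shrinks a buffer, so an oversized `imsz` leaves `*iskb` shorter than the truesize now claims. Because the failure branch jumps to `none` (presumably dropping the buffer — that label is outside the hunk), the assignment can simply follow the check: `if (unlikely(!tipc_msg_validate(iskb))) goto none;` then `(*iskb)->truesize = SKB_TRUESIZE(imsz);`, so the override is applied only to a message whose size field has passed validation. Whatever validate guarantees about `imsz` versus the actual skb length is not visible here and should be confirmed before relying on it. tipc_msg_extract begins before this hunk, so how `*iskb` was obtained is not visible in this excerpt.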