Public bug reported:
== Summary ==
When Docker containers are running with bridge networking, the kernel's
skbuff slab caches (skbuff_small_head + skbuff_head_cache) grow unboundedly
until all RAM is exhausted, triggering the OOM killer and crashing the session.
The memory is classified as SUnreclaim (unreclaimable) and is NOT freed by
session logout — only by stopping the Docker containers.
== Reproduction ==
1. Start Docker containers using bridge networking (e.g. DDEV local dev stack:
Traefik router + web server + MySQL + Redis)
2. Monitor: watch -n 5 'grep SUnreclaim /proc/meminfo'
3. SUnreclaim grows at ~2-3 GB/min, reaching 28+ GB within minutes
4. OOM killer fires; desktop session crashes
== Evidence from kernel OOM dump ==
Unreclaimable slab at time of crash:
skbuff_small_head 21,873,103 KB (~20.8 GB)
skbuff_head_cache 7,954,404 KB (~7.6 GB)
Total slab_unreclaimable: ~29.6 GB
The values grow continuously across multiple OOM events and survive
user session restarts (kernel-level leak).
Stopping the containers: SUnreclaim drops from ~28 GB back to ~450 MB.
== Loaded modules ==
br_netfilter, nf_conntrack, xt_conntrack, xt_MASQUERADE
== Workaround ==
sudo sysctl -w net.bridge.bridge-nf-call-iptables=0
sudo sysctl -w net.bridge.bridge-nf-call-ip6tables=0
(disabling netfilter on the bridge slows/stops the leak)
== Kernel ==
Linux 7.0.0-15-generic #15-Ubuntu SMP PREEMPT_DYNAMIC
Ubuntu 26.04 LTS (Resolute)
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Attachment added: "skbuff-oom-report.txt"
https://bugs.launchpad.net/bugs/2151248/+attachment/5968267/+files/skbuff-oom-report.txt
https://bugs.launchpad.net/bugs/2151248
Title:
skbuff slab memory leak (~28GB) when Docker bridge networking
(br_netfilter) is active
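Added example, not part of the original report: a small script that samples the counters the report names (SUnreclaim from /proc/meminfo and the skbuff_* caches from /proc/slabinfo) and warns on fast growth, for confirming the leak or checking that the workaround took effect. The function names, the 500 MB/min default limit and the slabinfo excerpt are assumptions made for this example; /proc/slabinfo is normally readable by root only.

```shell
#!/bin/sh
# Added example: sample the counters named in the report and flag fast growth.

# SUnreclaim in kB, from meminfo-formatted text on stdin.
sunreclaim_kb() { awk '$1 == "SUnreclaim:" { print $2 }'; }

# Total kB in skbuff_* caches, from slabinfo-formatted text on stdin.
# Columns: name active_objs num_objs objsize ... ; size ~ num_objs * objsize.
skb_slab_kb() {
    awk '$1 ~ /^skbuff_/ { kb += $3 * $4 / 1024 } END { printf "%.0f\n", kb }'
}

# Growth in MB/min between two kB samples ($1, $2) taken $3 seconds apart.
growth_mb_per_min() {
    awk -v a="$1" -v b="$2" -v s="$3" \
        'BEGIN { printf "%.0f\n", (b - a) / 1024 * 60 / s }'
}

# Constructed slabinfo excerpt (not taken from the report's attachment).
sample_slabinfo() {
    cat <<'EOF'
slabinfo - version: 2.1
skbuff_small_head   4080   4080    640   51    8 : tunables 0 0 0 : slabdata 80 80 0
skbuff_head_cache   2048   2048    256   32    2 : tunables 0 0 0 : slabdata 64 64 0
kmalloc-64          1024   1024     64   64    1 : tunables 0 0 0 : slabdata 16 16 0
EOF
}

# Poll the live counters; the 500 MB/min default limit is an assumed threshold.
watch_leak() {
    interval=${1:-5}; limit=${2:-500}
    prev=$(sunreclaim_kb < /proc/meminfo)
    while sleep "$interval"; do
        cur=$(sunreclaim_kb < /proc/meminfo)
        rate=$(growth_mb_per_min "$prev" "$cur" "$interval")
        skb="n/a"   # /proc/slabinfo is normally readable by root only
        if [ -r /proc/slabinfo ]; then skb=$(skb_slab_kb < /proc/slabinfo); fi
        echo "$(date +%T) SUnreclaim=${cur}kB skbuff=${skb}kB rate=${rate}MB/min"
        if [ "$rate" -gt "$limit" ]; then
            echo "WARN: SUnreclaim growing faster than ${limit} MB/min"
        fi
        prev=$cur
    done
}

if [ "${1:-}" = "--watch" ]; then watch_leak "${2:-5}" "${3:-500}"; fi
```

Run it as root with `--watch [interval_seconds] [limit_mb_per_min]` while the containers are up, then again after applying the sysctl workaround to compare the reported rate.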
