[SKBUFF]: Free old skb properly in skb_morph

The skb_morph function only freed the data part of the dst skb, but leaked the auxiliary data such as the netfilter fields. This patch fixes this by moving the relevant parts from __kfree_skb to skb_release_all and calling it in skb_morph. It also makes kfree_skbmem static since it's no longer called anywhere else and it now no longer does skb_release_data. Thanks to Yasuyuki KOZAKAI for finding this problem and posting a patch for it. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
author: Herbert Xu <herbert@gondor.apana.org.au> 2007-11-26 10:11:19 -0500
committer: Herbert Xu <herbert@gondor.apana.org.au> 2007-11-26 10:11:19 -0500
commit: 2d4baff8da06f424a6fca10e26434c4926a7c3df (patch)
tree: c0f537d5cf0aca544ba77d11b529f146f5ba5bc8
parent: 218ad12f42e0b6207105cde8fd13017d1ed449e4 (diff)
2 files changed, 18 insertions, 14 deletions
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 91140fe8c119..bddd50bd6878 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -356,7 +356,6 @@ static inline struct sk_buff *alloc_skb_fclone(unsigned int size,
        return __alloc_skb(size, priority, 1, -1);
 }
-extern void            kfree_skbmem(struct sk_buff *skb);
 extern struct sk_buff *skb_morph(struct sk_buff *dst, struct sk_buff *src);
 extern struct sk_buff *skb_clone(struct sk_buff *skb,
                                 gfp_t priority);
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 32d5826b7177..5b4ce9b4dd20 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -275,12 +275,11 @@ static void skb_release_data(struct sk_buff *skb)
 /*
 *      Free an skbuff by memory without cleaning the state.
 */
-void kfree_skbmem(struct sk_buff *skb)
+static void kfree_skbmem(struct sk_buff *skb)
 {
        struct sk_buff *other;
        atomic_t *fclone_ref;
-        skb_release_data(skb);
        switch (skb->fclone) {
        case SKB_FCLONE_UNAVAILABLE:
                kmem_cache_free(skbuff_head_cache, skb);
@@ -307,16 +306,8 @@ void kfree_skbmem(struct sk_buff *skb)
        }
 }
-/**
+/* Free everything but the sk_buff shell. */
- *      __kfree_skb - private function
+static void skb_release_all(struct sk_buff *skb)
- *      @skb: buffer
- *
- *      Free an sk_buff. Release anything attached to the buffer.
- *      Clean the state. This is an internal helper function. Users should
- *      always call kfree_skb
- */
-void __kfree_skb(struct sk_buff *skb)
 {
        dst_release(skb->dst);
 #ifdef CONFIG_XFRM
@@ -340,7 +331,21 @@ void __kfree_skb(struct sk_buff *skb)
        skb->tc_verd = 0;
 #endif
 #endif
+        skb_release_data(skb);
+}
+/**
+ *      __kfree_skb - private function
+ *      @skb: buffer
+ *
+ *      Free an sk_buff. Release anything attached to the buffer.
+ *      Clean the state. This is an internal helper function. Users should
+ *      always call kfree_skb
+ */
+void __kfree_skb(struct sk_buff *skb)
+{
+        skb_release_all(skb);
        kfree_skbmem(skb);
 }
@@ -441,7 +446,7 @@ static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb)
 */
 struct sk_buff *skb_morph(struct sk_buff *dst, struct sk_buff *src)
 {
-        skb_release_data(dst);
+        skb_release_all(dst);
        return __skb_clone(dst, src);
 }
 EXPORT_SYMBOL_GPL(skb_morph);
author	Herbert Xu <herbert@gondor.apana.org.au>	2007-11-26 10:11:19 -0500
committer	Herbert Xu <herbert@gondor.apana.org.au>	2007-11-26 10:11:19 -0500
commit	2d4baff8da06f424a6fca10e26434c4926a7c3df (patch)
tree	c0f537d5cf0aca544ba77d11b529f146f5ba5bc8
parent	218ad12f42e0b6207105cde8fd13017d1ed449e4 (diff)