3 files changed, 35 insertions, 18 deletions

diff --git a/include/linux/netlink.h b/include/linux/netlink.h
index 86fde81ac2e6..7a6c396a263b 100644
--- a/include/linux/netlink.h
+++ b/include/linux/netlink.h
@@ -85,6 +85,22 @@ int netlink_attachskb(struct sock *sk, struct sk_buff *skb,
 void netlink_detachskb(struct sock *sk, struct sk_buff *skb);
 int netlink_sendskb(struct sock *sk, struct sk_buff *skb);
 
+static inline struct sk_buff *
+netlink_skb_clone(struct sk_buff *skb, gfp_t gfp_mask)
+{
+        struct sk_buff *nskb;
+
+        nskb = skb_clone(skb, gfp_mask);
+        if (!nskb)
+                return NULL;
+
+        /* This is a large skb, set destructor callback to release head */
+        if (is_vmalloc_addr(skb->head))
+                nskb->destructor = skb->destructor;
+
+        return nskb;
+}
+
 /*
  *      skb should fit one page. This choice is good for headerless malloc.
  *      But we should limit to 8K so that userspace does not have to
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 05a4888dede9..b3f627ac4ed8 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -961,7 +961,7 @@ static void nl_fib_input(struct sk_buff *skb)
             nlmsg_len(nlh) < sizeof(*frn))
                 return;
 
-        skb = skb_clone(skb, GFP_KERNEL);
+        skb = netlink_skb_clone(skb, GFP_KERNEL);
         if (skb == NULL)
                 return;
         nlh = nlmsg_hdr(skb);
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 6967fbcca6c5..0c61b59175dc 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -849,7 +849,10 @@ static void netlink_skb_destructor(struct sk_buff *skb)
         }
 #endif
         if (is_vmalloc_addr(skb->head)) {
-                vfree(skb->head);
+                if (!skb->cloned ||
+                    !atomic_dec_return(&(skb_shinfo(skb)->dataref)))
+                        vfree(skb->head);
+
                 skb->head = NULL;
         }
         if (skb->sk != NULL)
@@ -1532,33 +1535,31 @@ struct sock *netlink_getsockbyfilp(struct file *filp)
         return sock;
 }
 
-static struct sk_buff *netlink_alloc_large_skb(unsigned int size)
+static struct sk_buff *netlink_alloc_large_skb(unsigned int size,
+                                               int broadcast)
 {
         struct sk_buff *skb;
         void *data;
 
-        if (size <= NLMSG_GOODSIZE)
+        if (size <= NLMSG_GOODSIZE || broadcast)
                 return alloc_skb(size, GFP_KERNEL);
 
-        skb = alloc_skb_head(GFP_KERNEL);
-        if (skb == NULL)
-                return NULL;
+        size = SKB_DATA_ALIGN(size) +
+               SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
 
         data = vmalloc(size);
         if (data == NULL)
-                goto err;
+                return NULL;
 
-        skb->head       = data;
-        skb->data       = data;
-        skb_reset_tail_pointer(skb);
-        skb->end        = skb->tail + size;
-        skb->len        = 0;
-        skb->destructor = netlink_skb_destructor;
+        skb = build_skb(data, size);
+        if (skb == NULL)
+                vfree(data);
+        else {
+                skb->head_frag = 0;
+                skb->destructor = netlink_skb_destructor;
+        }
 
         return skb;
-err:
-        kfree_skb(skb);
-        return NULL;
 }
 
 /*
@@ -2244,7 +2245,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
         if (len > sk->sk_sndbuf - 32)
                 goto out;
         err = -ENOBUFS;
-        skb = netlink_alloc_large_skb(len);
+        skb = netlink_alloc_large_skb(len, dst_group);
         if (skb == NULL)
                 goto out;