tc: Fix unitialized kernel memory leak

[safe/jmp/linux-2.6] / net / ipv4 / udp.c

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 4bd178a..80e3812 100644 (file)
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -328,7 +328,7 @@ static inline struct sock *__udp4_lib_lookup_skb(struct sk_buff *skb,
        if (unlikely(sk = skb_steal_sock(skb)))
                return sk;
        else
-               return __udp4_lib_lookup(dev_net(skb->dst->dev), iph->saddr, sport,
+               return __udp4_lib_lookup(dev_net(skb_dst(skb)->dev), iph->saddr, sport,
                                         iph->daddr, dport, inet_iif(skb),
                                         udptable);
 }
@@ -840,7 +840,8 @@ int udp_ioctl(struct sock *sk, int cmd, unsigned long arg)
        switch (cmd) {
        case SIOCOUTQ:
        {
-               int amount = atomic_read(&sk->sk_wmem_alloc);
+               int amount = sk_wmem_alloc_get(sk);
+
                return put_user(amount, (int __user *)arg);
        }
 
@@ -1184,7 +1185,7 @@ static int __udp4_lib_mcast_deliver(struct net *net, struct sk_buff *skb,
                        sk = sknext;
                } while (sknext);
        } else
-               kfree_skb(skb);
+               consume_skb(skb);
        spin_unlock(&hslot->lock);
        return 0;
 }
@@ -1237,7 +1238,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
        struct sock *sk;
        struct udphdr *uh;
        unsigned short ulen;
-       struct rtable *rt = (struct rtable*)skb->dst;
+       struct rtable *rt = skb_rtable(skb);
        __be32 saddr, daddr;
        struct net *net = dev_net(skb->dev);
 
@@ -1618,7 +1619,8 @@ static struct sock *udp_get_next(struct seq_file *seq, struct sock *sk)
        } while (sk && (!net_eq(sock_net(sk), net) || sk->sk_family != state->family));
 
        if (!sk) {
-               spin_unlock_bh(&state->udp_table->hash[state->bucket].lock);
+               if (state->bucket < UDP_HTABLE_SIZE)
+                       spin_unlock_bh(&state->udp_table->hash[state->bucket].lock);
                return udp_get_first(seq, state->bucket + 1);
        }
        return sk;
@@ -1636,6 +1638,9 @@ static struct sock *udp_get_idx(struct seq_file *seq, loff_t pos)
 
 static void *udp_seq_start(struct seq_file *seq, loff_t *pos)
 {
+       struct udp_iter_state *state = seq->private;
+       state->bucket = UDP_HTABLE_SIZE;
+
        return *pos ? udp_get_idx(seq, *pos-1) : SEQ_START_TOKEN;
 }
 
@@ -1717,8 +1722,8 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f,
        seq_printf(f, "%4d: %08X:%04X %08X:%04X"
                " %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %d%n",
                bucket, src, srcp, dest, destp, sp->sk_state,
-               atomic_read(&sp->sk_wmem_alloc),
-               atomic_read(&sp->sk_rmem_alloc),
+               sk_wmem_alloc_get(sp),
+               sk_rmem_alloc_get(sp),
                0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
                atomic_read(&sp->sk_refcnt), sp,
                atomic_read(&sp->sk_drops), len);