From: Eric Paris <eparis@redhat.com> Subject: Re: [RHEL5 PATCH] IPSec: 218591 incorrect return code in xfrm_policy_lookup Date: Wed, 17 Jan 2007 14:18:16 -0500 Bugzilla: 218591 Message-Id: <1169061496.9186.45.camel@localhost.localdomain> Changelog: IPSec: incorrect return code in xfrm_policy_lookup On Wed, 2007-01-17 at 14:07 -0500, Eric Paris wrote: > BZ 218591 > > I messed up the upstream backport of error propagation in xfrm code. In > upstream code 'no policy found' returns a 0 from xfrm_policy_lookup. > But I actually have it returning -ESRCH in that case. This turns out to > break a number of things. IPSec over IPV6 only works for a couple > packets, Enabling IPSec makes the kernel reject non-ipsec packets (since > it thinks non-ipsec packets got an error rather than 'no match') and > other things. > > The upstream patch I was trying to backport is at: > http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=134b0fc544ba062498451611cb6f3e4454221b3d > and you will see a similar thing happening in that patch only it happens > in *xfrm_policy_lookup_bytype which does not exist in RHEL5. --- linux-2.6.18.i686/net/xfrm/xfrm_policy.c.pre.xfrm 2007-01-17 13:04:06.000000000 -0500 +++ linux-2.6.18.i686/net/xfrm/xfrm_policy.c 2007-01-17 13:23:46.000000000 -0500 @@ -609,7 +609,7 @@ static int xfrm_policy_lookup(struct flo void **objp, atomic_t **obj_refp) { struct xfrm_policy *pol; - int ret = -ESRCH; + int ret = 0; read_lock_bh(&xfrm_policy_lock); for (pol = xfrm_policy_list[dir]; pol; pol = pol->next) { @@ -626,6 +626,11 @@ static int xfrm_policy_lookup(struct flo if (!ret) { xfrm_pol_hold(pol); break; + } else if (ret == -ESRCH) + ret = 0; + else { + pol = NULL; + break; } } }
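Review bot: In the first hunk, initialising `ret` to 0 is only correct in combination with the `else if (ret == -ESRCH) ret = 0;` arm added in the second hunk: without that reset, a policy whose check returns -ESRCH would leave that value in `ret` when the loop runs off the end with `pol == NULL`, and the caller would again see an error instead of "no matching policy", which is exactly the behaviour described in the bug report (non-IPsec packets rejected, IPv6 IPsec failing after a few packets). Since the contract "ret == 0 and pol == NULL means no policy matched" is what this fix depends on, a one-line comment at the `int ret = 0;` declaration stating it would make the intent clear to the next person backporting in this area.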
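Review bot: In the second hunk, the `else if (ret == -ESRCH) ret = 0;` arm is unbraced while both sibling arms are braced; within a single if/else chain that mixes styles, bracing all arms is the safer, more readable choice. On the non-ESRCH path the function now breaks out with `pol = NULL` and `ret` holding the error; please confirm that the code after the loop (outside the hunk) only stores `pol` into `*objp` when `ret == 0`, so the caller is not handed a NULL object together with a non-zero return.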