From: Eric Paris <eparis@redhat.com> Subject: [RHEL 5.1 PATCH] stop leak in flow cache code Date: Wed, 04 Apr 2007 17:56:26 -0400 Bugzilla: 229528 Message-Id: <1175723786.20396.171.camel@localhost.localdomain> Changelog: [net] stop leak in flow cache code In the middle of a discussion about another issue upstream noticed a bug in which if the resolver returned an err and the fle was not at the head of the list all previous entries were simply leaked since we move the head past the fle in question. The upstream solution was to simply leave everything alone if the resolver returned an error and so do a full lookup again the next time. This patch has been in the LSPP kernel for quite some time with no negative effects. Although admittedly no method was determined to reasonably get into the situation in question at will for explicit testing purposes. see: http://marc.info/?l=linux-netdev&m=116845095029169&w=2 with patch from: http://marc.info/?l=linux-netdev&m=116847167008802&w=2 -Eric --- linux-2.6.18.i386/net/core/flow.c.pre.229528 2007-02-22 10:43:18.000000000 -0500 +++ linux-2.6.18.i386/net/core/flow.c 2007-02-22 10:46:16.000000000 -0500 @@ -231,22 +231,16 @@ nocache: err = resolver(key, family, dir, &obj, &obj_ref); - if (fle) { - if (err) { - /* Force security policy check on next lookup */ - *head = fle->next; - flow_entry_kill(cpu, fle); - } else { - fle->genid = atomic_read(&flow_cache_genid); - - if (fle->object) - atomic_dec(fle->object_ref); - - fle->object = obj; - fle->object_ref = obj_ref; - if (obj) - atomic_inc(fle->object_ref); - } + if (fle && !err) { + fle->genid = atomic_read(&flow_cache_genid); + + if (fle->object) + atomic_dec(fle->object_ref); + + fle->object = obj; + fle->object_ref = obj_ref; + if (obj) + atomic_inc(fle->object_ref); } local_bh_enable();