From: James Morris <[EMAIL PROTECTED]>
Date: Mon, 2 Oct 2006 10:27:13 -0400 (EDT)

> Updated version of the patch, which returns directly after a flow cache 
> lookup error in xfrm_lookup rather than returning via the cleanup path 
> (which was causing a spurious dst_release).
> 
> This works for me, although I never saw the oops with the old patch.
> 
> Evgeniy, let me know if this fixes the oops you're seeing.
> 
> Signed-off-by: James Morris <[EMAIL PROTECTED]>

As I review this patch I realize there is a question of
semantics and prioritization here.

For example, socket policies are handled such that if the security
layer gives an error we behave as if the socket policy did not match.

Whereas we handle sub vs. primary global policies differently.  If we
hit a sub-policy match, and we get a security layer error, we signal a
full lookup failure instead of trying to see if there is a primary
policy that the security layer likes.

I'm not saying either is wrong, I'm just pointing it out to make sure
this is intentional.

The socket policy behavior deserves some scrutiny.  I say this because
if a matching socket policy is avoided due to security layer error,
this could potentially make key manager problems very hard to
diagnose.
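
The two behaviours compared above, as an added example that is not part of the original message and is not kernel code. It is a simplified model that stops at the first usable policy; every type and function name is hypothetical, and the handling of an error on the primary policy is an assumption.

```c
#include <stdio.h>

/* Simplified model of the lookup order discussed above. Not kernel code:
 * every type and function name here is hypothetical. */
enum sec { SEC_OK, SEC_ERR };              /* security-layer verdict */
enum outcome { USE_SOCKET, USE_SUB, USE_PRIMARY, NO_POLICY, LOOKUP_FAILED };

struct policy { int matches; enum sec sec; };

/* Constructed sample policies: both match the flow, one is rejected. */
static const struct policy OK_POL  = { 1, SEC_OK  };
static const struct policy ERR_POL = { 1, SEC_ERR };

enum outcome model_lookup(const struct policy *sk, const struct policy *sub,
                          const struct policy *pri)
{
    /* Socket policy: a security-layer error is treated as "did not match",
     * so it looks exactly like having no socket policy at all. */
    if (sk && sk->matches && sk->sec == SEC_OK)
        return USE_SOCKET;

    /* Sub-policy: a security-layer error ends the whole lookup; the
     * primary policy is never consulted. */
    if (sub && sub->matches)
        return sub->sec == SEC_OK ? USE_SUB : LOOKUP_FAILED;

    /* Assumption: an error on the primary policy also fails the lookup. */
    if (pri && pri->matches)
        return pri->sec == SEC_OK ? USE_PRIMARY : LOOKUP_FAILED;

    return NO_POLICY;
}

static const char *outcome_name(enum outcome o)
{
    static const char *names[] = { "socket policy", "sub-policy",
        "primary policy", "no policy", "lookup failed" };
    return names[o];
}

int main(void)
{
    /* Same primary policy in both runs; only the failing layer differs. */
    printf("socket policy rejected: %s\n",
           outcome_name(model_lookup(&ERR_POL, NULL, &OK_POL)));
    printf("sub-policy rejected:    %s\n",
           outcome_name(model_lookup(NULL, &ERR_POL, &OK_POL)));
    return 0;
}
```

In the first run the caller cannot tell a rejected socket policy from an absent one, which is the diagnosability concern raised in the message.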