Bug 141377 (IT#55725) - [PATCH] memory leak in ipv6 ip6_{push,flush}_pending_frames()
Summary: [PATCH] memory leak in ipv6 ip6_{push,flush}_pending_frames()
Keywords:
Status: CLOSED ERRATA
Alias: IT#55725
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel
Version: 3.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: David Miller
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2004-11-30 19:33 UTC by Steve Conklin
Modified: 2010-10-22 02:43 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-05-18 13:28:44 UTC
Target Upstream Version:
Embargoed:


Attachments
Patch fix for the bug. (525 bytes, patch)
2005-02-09 01:14 UTC, David Miller


Links
System: Red Hat Product Errata
ID: RHSA-2005:294
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: Updated kernel packages available for Red Hat Enterprise Linux 3 Update 5
Last Updated: 2005-05-18 04:00:00 UTC

Description Steve Conklin 2004-11-30 19:33:11 UTC
From IT# 55725:

This bug was reported for the U4 beta, but it's in U3 as well.

Description of problem:

 The ipv6 ping packet can be transmitted only up to 1024 times or less
by repeatedly executing the "interface up/down" processing and the
transmission of the ipv6 ping packet according to the following procedure.
 The cause is a leak of the dst_entry structure.

Version-Release number of selected component (if applicable):
2.4.21-20.EL

How reproducible:
Always

Steps to Reproduce:
1. Connect two hosts:
      |host1|-(eth0)-------(LAN)---------|host2|
       3ffe:501:ffff::1        3ffe:501:ffff::2
      (RHEL3 is installed in the host1.)

2. Execute the following processing more than 1024 times repeatedly at
host1.

       # ifconfig eth0 down
       # ifconfig eth0 up
       # sleep 3
       # ifconfig eth0 add 3ffe:501:ffff::1/64
       # sleep 3
       # ping6 -c1 3ffe:501:ffff::2


Actual Results:  The ping6 command fails after 1025 times though it
succeeds 1024 times.

Expected Results:  The ping6 command should succeed more than 1024 times.

  note: The value 1024 is the value of
        /proc/sys/net/ipv6/neigh/default/gc_thresh3.

Additional info:

There are editing mistakes in functions
 ip6_{push,flush}_pending_frames()

 This problem can be solved by applying the undermentioned patch.

--- ip6_output.c.ORIG   2004-11-29 18:51:58.000000000 +0900
+++ ip6_output.c        2004-11-29 18:53:08.000000000 +0900
@@ -1475,6 +1475,7 @@
               np->cork.opt = NULL;
       }
       if (np->cork.rt) {
+               dst_release(&np->cork.rt->u.dst);
               np->cork.rt = NULL;
       }
       if (np->cork.fl) {
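Review bot: the hunk header `@@ -1475,6 +1475,7 @@` names no function and the file headers give a bare `ip6_output.c`, so the patch itself does not show which of ip6_push_pending_frames() and ip6_flush_pending_frames() gains the dst_release() here. Regenerating it from the top of the kernel tree with `diff -up` would record the function name and a path that applies with `patch -p1`. The placement itself is right: the release comes before `np->cork.rt = NULL`, while the pointer is still valid.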
@@ -1502,7 +1503,6 @@
       }
       if (np->cork.rt) {
               dst_release(&np->cork.rt->u.dst);
-               dst_release(&np->cork.rt->u.dst);
               np->cork.rt = NULL;
       }
       if (np->cork.fl) {
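Review bot: the description speaks only of a leak, but the line removed here, the second `dst_release(&np->cork.rt->u.dst);`, is the opposite error: it drops one reference more than the cork holds on the same route. The changelog should say so explicitly, since an over-release is a different class of bug from the missing release fixed in the first hunk. Both hunks also show the same opt/rt/fl cleanup sequence written out twice; moving it into one shared helper would keep the two copies from diverging again.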
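A simplified user-space model of the two cleanup paths touched by the patch above, added here as an illustration; it is not kernel code and not part of the original report. Assumptions: the first hunk belongs to the push path and the second to the flush path, a referenced entry can never be reclaimed, and the table cap equals the gc_thresh3 value of 1024 quoted in the report; all names (`struct dst`, `table`, `gc`, `sends_ok`, `refs_after_flush`) are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define GC_THRESH3 1024                  /* cap quoted in the report */
struct dst  { int refcnt, in_use; };     /* stand-in for a cached dst_entry */
struct cork { struct dst *rt; };         /* stand-in for np->cork */
static struct dst table[GC_THRESH3];
static void gc(void) {                   /* reclaim entries nobody holds */
    for (int i = 0; i < GC_THRESH3; i++)
        if (table[i].in_use && table[i].refcnt <= 0) table[i].in_use = 0;
}
static struct dst *dst_get(void) {       /* new entry with one reference */
    for (int i = 0; i < GC_THRESH3; i++)
        if (!table[i].in_use) { table[i].in_use = 1; table[i].refcnt = 1; return &table[i]; }
    return NULL;                         /* table full: the send fails */
}
static void push_pending(struct cork *c, int patched) {
    if (c->rt && patched) c->rt->refcnt--;   /* release added by hunk 1 */
    c->rt = NULL;
}
static void flush_pending(struct cork *c, int patched) {
    if (!c->rt) return;
    c->rt->refcnt -= patched ? 1 : 2;    /* duplicate release removed by hunk 2 */
    c->rt = NULL;
}
int sends_ok(int cycles, int patched) {  /* successful sends out of `cycles` */
    struct cork c = { NULL };
    int ok = 0;
    memset(table, 0, sizeof table);
    for (int i = 0; i < cycles; i++) {
        gc();                            /* stands in for interface down/up */
        if (!(c.rt = dst_get())) continue;
        ok++;
        push_pending(&c, patched);
    }
    return ok;
}
int refs_after_flush(int patched) {      /* entry also held by a second user */
    struct cork c;
    memset(table, 0, sizeof table);
    struct dst *d = c.rt = dst_get();
    d->refcnt++;                         /* second holder: 2 references */
    flush_pending(&c, patched);
    return d->refcnt;                    /* 1 is correct: the other holder's */
}
int main(void) {
    printf("sends ok: unpatched %d, patched %d; refs after flush: unpatched %d, patched %d\n",
           sends_ok(1025, 0), sends_ok(1025, 1), refs_after_flush(0), refs_after_flush(1));
    return 0;
}
```

In the model the unpatched push path stops at the 1025th send, matching the reported symptom, and the unpatched flush path takes away a reference that belongs to another holder.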

Comment 3 David Miller 2005-02-09 01:14:49 UTC
Created attachment 110840
Patch fix for the bug.

Just putting this here as a proper attachment instead of
inline.

Comment 4 Ernie Petrides 2005-02-16 12:32:31 UTC
A fix for this problem has just been committed to the RHEL3 U5
patch pool this evening (in kernel version 2.4.21-27.14.EL).


Comment 5 Tim Powers 2005-05-18 13:28:45 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-294.html


