Comment 24 for bug 1021471

Repeating the comment in the upstream bug I just made:

I added debugging to dev_hold and dev_put as Eric suggested and used the reproducer attached to this bug. What I saw was creation and destruction would be balanced. However on the connect call, there were another two dev_hold() calls that seem to be exactly those references not been returned.

system_call_fastpath+0x1a/0x1f
  sys_connect+0xeb/0x110
    inet_stream_connect+0x11c/0x310
      tcp_v4_connect+0x13c/0x510
        ip_route_connect+???/???
          __ip_route_output_key+0x39a/0xb10
            ip_route_output_slow
              __mkroute_output
                rt_dst_alloc+0x3e/0x40
                  dst_alloc+0xc5/0x1c0
                    +1 = 8
                  rt_set_nexthop.isra.45+0x131/0x2d0 ?
                    rt_intern_hash+0x133/0x670
                      rt_bind_neighbour+0x1d/0x40
                        ipv4_neigh_lookup+0xe7/0x120
                          neigh_create+0x1bd/0x5d0
                            +9

Unfortunately the stack traces miss the details about going into ip_route_connect, but with more printks I know that ip_route_output_flow() is the one failing with -EINVAL.
Comparing functions between 3.5 and current linux-HEAD I was not very successful in spotting the important difference.