From owner-freebsd-net@FreeBSD.ORG Sun Sep 2 02:22:36 2007
Date: Sun, 02 Sep 2007 11:21:37 +0900
From: gnn@freebsd.org
To: "Bruce M. Simpson"
Cc: freebsd-net@freebsd.org, "Christian S.J. Peron"
Subject: Re: [csjp@FreeBSD.org: Re: rtfree: 0xffffff00036fb1e0 has 1 refs]
In-Reply-To: <46D51F4A.1050004@FreeBSD.org>
References: <20070828165333.GA14159@sub.vaned.net> <46D48A3D.6080901@FreeBSD.org> <46D51F4A.1050004@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD

At Wed, 29 Aug 2007 08:24:58 +0100, Bruce M. Simpson wrote:
>
> BTW: Casual inspection with kscope suggests there is a similar
> free-while-locked issue in nd6_ns_input() (netinet6/nd6_nbr.c) and
> in_arpinput() (netinet/if_ether.c).
>
> nd6_ns_input() references rt->rt_gateway after rtfree(), a potential
> race not to mention a use-after-free.
>
> I haven't checked Coverity for this, but it just doesn't look right.

At least in the ND6 case I think that the correct logic is:

==== //depot/user/gnn/ipsec_seven/src/sys/netinet6/nd6_nbr.c#1 - /sources/p4/user/gnn/ipsec_seven/src/sys/netinet6/nd6_nbr.c ====
@@ -215,8 +215,6 @@
 		rt = rtalloc1((struct sockaddr *)&tsin6, 0, 0);
 		need_proxy = (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 &&
 		    rt->rt_gateway->sa_family == AF_LINK);
-		if (rt)
-			rtfree(rt);
 		if (need_proxy) {
 			/*
 			 * proxy NDP for single entry
@@ -228,6 +226,9 @@
 				proxydl = SDL(rt->rt_gateway);
 			}
 		}
+		if (!need_proxy || ifa == NULL)
+			if (rt)
+				rtfree(rt);
 	}
 	if (ifa == NULL) {
 		/*

Thoughts?

Best,
George
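Review bot: the second hunk drops the reference only under `!need_proxy || ifa == NULL`, so in the proxy case (need_proxy set and ifa found) the rtentry returned by rtalloc1() in the first hunk is never released on this path; the use-after-free becomes a route reference leak. Since `proxydl = SDL(rt->rt_gateway)` is the only reason rt has to outlive the old rtfree() position, either keep rt held and add the matching rtfree() after proxydl's last use, or take what is needed from rt_gateway and free unconditionally here. The brace-less nested `if (!need_proxy || ifa == NULL) if (rt) rtfree(rt);` is also easy to misread; `if (rt != NULL && (!need_proxy || ifa == NULL)) rtfree(rt);` expresses the same condition in one statement.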