From owner-freebsd-net@FreeBSD.ORG  Wed Aug 29 07:25:06 2007
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 46B6E16A417;
	Wed, 29 Aug 2007 07:25:06 +0000 (UTC) (envelope-from bms@FreeBSD.org)
Received: from out2.smtp.messagingengine.com (out2.smtp.messagingengine.com
	[66.111.4.26])
	by mx1.freebsd.org (Postfix) with ESMTP id 2409A13C48D;
	Wed, 29 Aug 2007 07:25:06 +0000 (UTC) (envelope-from bms@FreeBSD.org)
Received: from compute1.internal (compute1.internal [10.202.2.41])
	by out1.messagingengine.com (Postfix) with ESMTP id 88304272E9;
	Wed, 29 Aug 2007 03:25:00 -0400 (EDT)
Received: from heartbeat1.messagingengine.com ([10.202.2.160])
	by compute1.internal (MEProxy); Wed, 29 Aug 2007 03:25:00 -0400
X-Sasl-enc: ZDt3woj/brX/E5+kJlta7RYL0fCLJ05v3eIHM2vWwNhD 1188372300
Received: from empiric.lon.incunabulum.net
	(82-35-112-254.cable.ubr07.dals.blueyonder.co.uk [82.35.112.254])
	by mail.messagingengine.com (Postfix) with ESMTP id C886F48C2;
	Wed, 29 Aug 2007 03:24:59 -0400 (EDT)
Message-ID: <46D51F4A.1050004@FreeBSD.org>
Date: Wed, 29 Aug 2007 08:24:58 +0100
From: "Bruce M. Simpson" <bms@FreeBSD.org>
User-Agent: Thunderbird 2.0.0.4 (X11/20070630)
MIME-Version: 1.0
To: "Christian S.J. Peron" <csjp@FreeBSD.org>
References: <20070828165333.GA14159@sub.vaned.net>
	<46D48A3D.6080901@FreeBSD.org>
In-Reply-To: <46D48A3D.6080901@FreeBSD.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-net@freebsd.org
Subject: Re: [csjp@FreeBSD.org: Re: rtfree: 0xffffff00036fb1e0 has 1 refs]
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Aug 2007 07:25:06 -0000

BTW: Casual inspection with kscope suggests there is a similar=20
free-while-locked issue in nd6_ns_input() (netient6/nd6_nbr.c) and=20
in_arpinput() (netinet/if_ether.c).

nd6_ns_input() references rt-=BBrt_gateway after rtfree(), a potential=20
race not to mention a use-after-free.

I haven't checked Coverity for this, but it just doesn't look right.

BMS