From owner-cvs-src@FreeBSD.ORG  Mon Oct 22 19:01:26 2007
Return-Path: <owner-cvs-src@FreeBSD.ORG>
Delivered-To: cvs-src@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id BDC7116A4A0;
	Mon, 22 Oct 2007 19:01:26 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from repoman.freebsd.org (repoman.freebsd.org
	[IPv6:2001:4f8:fff6::29])
	by mx1.freebsd.org (Postfix) with ESMTP id 9B00D13C4BE;
	Mon, 22 Oct 2007 19:01:26 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.14.1/8.14.1) with ESMTP id l9MJ1QjG086568;
	Mon, 22 Oct 2007 19:01:26 GMT (envelope-from jhb@repoman.freebsd.org)
Received: (from jhb@localhost)
	by repoman.freebsd.org (8.14.1/8.14.1/Submit) id l9MJ1QNn086567;
	Mon, 22 Oct 2007 19:01:26 GMT (envelope-from jhb)
Message-Id: <200710221901.l9MJ1QNn086567@repoman.freebsd.org>
From: John Baldwin <jhb@FreeBSD.org>
Date: Mon, 22 Oct 2007 19:01:26 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: HEAD
Cc: 
Subject: cvs commit: src/sys/net route.c src/sys/netinet6 nd6.c
X-BeenThere: cvs-src@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: CVS commit messages for the src tree <cvs-src.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-src>,
	<mailto:cvs-src-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-src>
List-Post: <mailto:cvs-src@freebsd.org>
List-Help: <mailto:cvs-src-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-src>,
	<mailto:cvs-src-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Oct 2007 19:01:26 -0000

jhb         2007-10-22 19:01:26 UTC

  FreeBSD src repository

  Modified files:
    sys/net              route.c 
    sys/netinet6         nd6.c 
  Log:
  Close a race when trying to lookup a gateway route in rt_check().
  Specifically, if two threads were doing concurrent lookups and the existing
  gateway was marked down, the the first thread would drop a reference on the
  gateway route and then unlock the "root" route while it tried to allocate
  a new route.  The second thread could then also drop a reference on the
  same gateway route resulting in a reference underflow.  Fix this by
  clearing the gateway route pointer after dropping the reference count but
  before dropping the lock.  Secondly, in this same case, the second thread
  would overwrite the gateway route pointer w/o free'ing a reference to the
  route installed by the first thread.  In practice this would probably just
  fix a lost reference that would result in a route never being freed.
  
  This fixes panics observed in rt_check() and rtexpunge().
  
  MFC after:      1 week
  PR:             kern/112490
  Insight from:   mehuljv at yahoo.com
  Reviewed by:    ru (found the "not-setting it to NULL" part)
  Tested by:      several
  
  Revision  Changes    Path
  1.121     +3 -1      src/sys/net/route.c
  1.84      +3 -1      src/sys/netinet6/nd6.c