From owner-freebsd-net@FreeBSD.ORG  Fri Mar 30 13:29:24 2012
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 5F0FC1065677
	for <freebsd-net@freebsd.org>; Fri, 30 Mar 2012 13:29:24 +0000 (UTC)
	(envelope-from rysto32@gmail.com)
Received: from mail-wi0-f172.google.com (mail-wi0-f172.google.com
	[209.85.212.172])
	by mx1.freebsd.org (Postfix) with ESMTP id E50018FC08
	for <freebsd-net@freebsd.org>; Fri, 30 Mar 2012 13:29:23 +0000 (UTC)
Received: by wibhj6 with SMTP id hj6so476007wib.13
	for <freebsd-net@freebsd.org>; Fri, 30 Mar 2012 06:29:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc:content-type:content-transfer-encoding;
	bh=gxiA2KThcyAy3d3zsi2Fj0UC8/RHVyjl4zqPSqd0Z2k=;
	b=R2e2IINmUPCdGL+q1DyCwe2XThGzsSV643DWi+xDHJokNxcu7U+Ak4kfFQbjFxPaRw
	rcpK2Iq9gkZM8rkX49PF2LdLnnVRyxiu/H/jCpzQBqKkszGpWM5erlsYO/XdS08VBIv1
	gDRPBLDQCDHVcMme46SemZ8OjEdlM5wCBag5wAeCykRK3TEbpCE+b9S2a4eH++FVPFWA
	ygjw9YwwldhupLNJ3ad4k7ca7kDwfD1AMi1Abs9LcEPlhDpLfk6B5PL8jFm2uMSJID7F
	ZdzSu2SffO9+/EUtdglkUjJFV0WFuvbwkUpDmKTCAdM6/LU7eSxOnMdwvwqUTgYdbusi
	7Cfw==
MIME-Version: 1.0
Received: by 10.180.101.230 with SMTP id fj6mr6497936wib.13.1333114162622;
	Fri, 30 Mar 2012 06:29:22 -0700 (PDT)
Received: by 10.180.79.137 with HTTP; Fri, 30 Mar 2012 06:29:22 -0700 (PDT)
In-Reply-To: <B143A8975061C446AD5E29742C531723C4C6F8@pwsvl-excmbx-05.internal.cacheflow.com>
References: <CAFMmRNyK6RXb43kCRxZbZPSWmmGHYx-1cxsTgL1orVjoDcKYAg@mail.gmail.com>
	<B143A8975061C446AD5E29742C531723C4C6F8@pwsvl-excmbx-05.internal.cacheflow.com>
Date: Fri, 30 Mar 2012 09:29:22 -0400
Message-ID: <CAFMmRNxWUw4XmsNZZi+zVjZK6i-Ukisqyub2MsOY11Nb8T9ZCQ@mail.gmail.com>
From: Ryan Stone <rysto32@gmail.com>
To: "Li, Qing" <qing.li@bluecoat.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-net <freebsd-net@freebsd.org>
Subject: Re: Removing an IPv6 address does not remove NDP entries on that
	subnet
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Mar 2012 13:29:24 -0000

On Fri, Mar 30, 2012 at 12:28 AM, Li, Qing <qing.li@bluecoat.com> wrote:
>> * In a way this is a good thing as in6_lltable_prefix_free() is
>> guaranteed to crash your kernel in two different ways, and that's not
>> counting the race conditions that it's subject to.
>>
>
> =A0 =A0 =A0 =A0Could you please elaborate with some details on the two di=
fferent
> =A0 =A0 =A0 =A0ways in6_lltable_prefix_free() crashes the kernel definiti=
vely ?

First, it calls callout_drain on lle->le_timer, but that is never
initialized for a v6 llentry.  Second, it never stops the ln_timer_ch
callout before it frees the llentry.  Third, it modifies the lltable
without holding IF_AFDATA_LOCK(in.c has the third problem: see the
-net discussion about kern/165863).