Date:      Fri, 30 Mar 2012 09:29:22 -0400
From:      Ryan Stone <rysto32@gmail.com>
To:        "Li, Qing" <qing.li@bluecoat.com>
Cc:        freebsd-net <freebsd-net@freebsd.org>
Subject:   Re: Removing an IPv6 address does not remove NDP entries on that subnet
Message-ID:  <CAFMmRNxWUw4XmsNZZi+zVjZK6i-Ukisqyub2MsOY11Nb8T9ZCQ@mail.gmail.com>
In-Reply-To: <B143A8975061C446AD5E29742C531723C4C6F8@pwsvl-excmbx-05.internal.cacheflow.com>
References:  <CAFMmRNyK6RXb43kCRxZbZPSWmmGHYx-1cxsTgL1orVjoDcKYAg@mail.gmail.com> <B143A8975061C446AD5E29742C531723C4C6F8@pwsvl-excmbx-05.internal.cacheflow.com>

On Fri, Mar 30, 2012 at 12:28 AM, Li, Qing <qing.li@bluecoat.com> wrote:
>> * In a way this is a good thing as in6_lltable_prefix_free() is
>> guaranteed to crash your kernel in two different ways, and that's not
>> counting the race conditions that it's subject to.
>>
>
>        Could you please elaborate with some details on the two different
>        ways in6_lltable_prefix_free() crashes the kernel definitively?

First, it calls callout_drain on lle->le_timer, but that is never
initialized for a v6 llentry.  Second, it never stops the ln_timer_ch
callout before it frees the llentry.  Third, it modifies the lltable
without holding IF_AFDATA_LOCK (in.c has the third problem: see the
-net discussion about kern/165863).
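Added example, not code from this thread or from FreeBSD: a user-space C model of the second defect listed above, an entry freed while its timer callout is still scheduled. Every name here (nd_entry, nd_callout, sched, the callout_*_model helpers) is a hypothetical stand-in for the kernel's llentry, ln_timer_ch and callout(9); the model shows the scheduler left holding a pointer into freed memory versus stopping the callout before the free.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_CALLOUTS 8

/* Timer handle embedded in its owner (stand-in for the llentry's ln_timer_ch). */
struct nd_callout { void (*func)(void *); void *arg; };

/* Neighbour entry owning one timer (stand-in for an IPv6 llentry). */
struct nd_entry { struct nd_callout timer; int state; };

/* Constructed stand-in for the kernel callout wheel: non-NULL slots are
 * callouts still scheduled, i.e. pointers the scheduler will dereference. */
static struct nd_callout *sched[MAX_CALLOUTS];

static void callout_reset_model(struct nd_callout *c, void (*f)(void *), void *arg)
{
    c->func = f;
    c->arg = arg;
    for (int i = 0; i < MAX_CALLOUTS; i++)
        if (sched[i] == NULL) { sched[i] = c; return; }
}

/* Unschedule the callout so the wheel no longer references its owner. */
static void callout_stop_model(struct nd_callout *c)
{ for (int i = 0; i < MAX_CALLOUTS; i++) if (sched[i] == c) sched[i] = NULL; }

/* Callouts the scheduler still holds (never dereferenced, only counted). */
int pending_callouts(void)
{ int n = 0; for (int i = 0; i < MAX_CALLOUTS; i++) n += sched[i] != NULL; return n; }

static void nd_timer_fires(void *arg) { ((struct nd_entry *)arg)->state++; }

struct nd_entry *nd_entry_create(void)
{
    struct nd_entry *e = calloc(1, sizeof(*e));
    callout_reset_model(&e->timer, nd_timer_fires, e);   /* arm the ND timer */
    return e;
}

/* Buggy, as in the second defect above: frees the entry with its timer scheduled. */
void nd_entry_free_buggy(struct nd_entry *e) { free(e); }

/* Fixed: stop the timer first so the scheduler drops its reference. */
void nd_entry_free_fixed(struct nd_entry *e) { callout_stop_model(&e->timer); free(e); }

/* Scheduler slots left pointing into freed memory after one create/free cycle. */
int dangling_after_free(int use_fix)
{
    memset(sched, 0, sizeof(sched));
    struct nd_entry *e = nd_entry_create();
    if (use_fix) nd_entry_free_fixed(e); else nd_entry_free_buggy(e);
    return pending_callouts();
}
```

In the real kernel the dangling slot is dereferenced when the timer next fires, which is the use-after-free the message warns about; the same ordering (stop or drain, then free) is the check to look for in any object that owns a callout.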
