From owner-freebsd-net@FreeBSD.ORG  Tue Jun 12 02:43:26 2007
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: freebsd-net@FreeBSD.org
Delivered-To: freebsd-net@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id D682316A46D
	for <freebsd-net@FreeBSD.org>; Tue, 12 Jun 2007 02:43:26 +0000 (UTC)
	(envelope-from jinmei@isl.rdc.toshiba.co.jp)
Received: from shuttle.wide.toshiba.co.jp (shuttle.wide.toshiba.co.jp
	[202.249.10.124])
	by mx1.freebsd.org (Postfix) with ESMTP id A8FA113C45A
	for <freebsd-net@FreeBSD.org>; Tue, 12 Jun 2007 02:43:26 +0000 (UTC)
	(envelope-from jinmei@isl.rdc.toshiba.co.jp)
Received: from nm-pptp229.isl.rdc.toshiba.co.jp (unknown
	[IPv6:2001:200:1b1:1010:217:f2ff:fe26:34a0])
	by shuttle.wide.toshiba.co.jp (Postfix) with ESMTP id 4EC7473021;
	Tue, 12 Jun 2007 11:43:25 +0900 (JST)
Date: Tue, 12 Jun 2007 11:42:00 +0900
Message-ID: <m1myz5vqpz.wl%jinmei@isl.rdc.toshiba.co.jp>
From: JINMEI Tatuya / =?ISO-2022-JP?B?GyRCP0BMQEMjOkgbKEI=?=
	<jinmei@isl.rdc.toshiba.co.jp>
To: "Bruce M. Simpson" <bms@icsi.berkeley.edu>
In-Reply-To: <46523DDA.30300@icsi.berkeley.edu>
References: <200705131837.l4DIbFNw022595@freefall.freebsd.org>
	<46523DDA.30300@icsi.berkeley.edu>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/22.0 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: freebsd-net@FreeBSD.org
Subject: Re: kern/108197: [ipv6] IPv6-related crash if if_delmulti
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jun 2007 02:43:26 -0000

At Tue, 22 May 2007 01:48:26 +0100,
"Bruce M. Simpson" <bms@icsi.berkeley.edu> wrote:

> > Responsible-Changed-From-To: freebsd-net->bms
> > Responsible-Changed-By: andre
> > Responsible-Changed-When: Sun May 13 18:36:25 UTC 2007
> > Responsible-Changed-Why: 
> > Send over to BMS.  He's active in that area and may have fixed the bug already.
> >
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=108197
> 
> Sorry, but I have no time to look at this at the moment. Is someone else 
> free to look at it?
> The fix probably needs to be borrowed from the IPv4 code which adds an 
> address to an interface.

Recent changes to the head and [56] STABLE *may* fix the problem.
These just fix memory leak while the symptom rather seems to indicate
use-after-free, so I'm not sure if these really solve the problem;
however, the fix indeed affects (either good or bad) the same code
path that caused the problem shown in the PR, so it may happen to fix
this problem via some non trivial side effect.

					JINMEI, Tatuya
					Communication Platform Lab.
					Corporate R&D Center, Toshiba Corp.
					jinmei@isl.rdc.toshiba.co.jp