From: Kip Macy
Date: Wed, 10 Dec 2008 04:06:55 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-user@freebsd.org
Subject: svn commit: r185834 - user/kmacy/head_arpv2/sys/netinet6

Author: kmacy
Date: Wed Dec 10 04:06:54 2008
New Revision: 185834
URL: http://svn.freebsd.org/changeset/base/185834

Log:
  - acquire the IF_AFDATA_LOCK in nd6_storelladdr
  - drop the lle lock before return

Modified:
  user/kmacy/head_arpv2/sys/netinet6/nd6.c

Modified: user/kmacy/head_arpv2/sys/netinet6/nd6.c ============================================================================== --- user/kmacy/head_arpv2/sys/netinet6/nd6.c Wed Dec 10 04:05:46 2008 (r185833) +++ user/kmacy/head_arpv2/sys/netinet6/nd6.c Wed Dec 10 04:06:54 2008 (r185834) @@ -1872,7 +1872,8 @@ nd6_need_cache(struct ifnet *ifp) } /* - * the caller of this function needs to lock the interface table + * the callers of this function need to be re-worked to drop + * the lle lock, drop here for now */ int nd6_storelladdr(struct ifnet *ifp, struct rtentry *rt0, struct mbuf *m, @@ -1919,8 +1920,12 @@ nd6_storelladdr(struct ifnet *ifp, struc /* * the entry should have been created in nd6_store_lladdr */ + IF_AFDATA_LOCK(ifp); ln = lla_lookup(LLTABLE6(ifp), 0, dst); + IF_AFDATA_LOCK(ifp); if ((ln == NULL) || !(ln->la_flags & LLE_VALID)) { + if (ln) + LLE_RUNLOCK(ln); /* this could happen, if we could not allocate memory */ m_freem(m); return (1);
@@ -1928,6 +1933,10 @@ nd6_storelladdr(struct ifnet *ifp, struc bcopy(&ln->ll_addr, desten, ifp->if_addrlen); *lle = ln; + LLE_RUNLOCK(ln); + /* + * A *small* use after free race exists here + */ return (0); }
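Review bot: The rewritten comment above nd6_storelladdr() (hunk @@ -1872,7 +1872,8 @@) no longer states any locking contract. The old text told callers to hold the interface table lock; the new text only says callers "need to be re-worked". Please spell out what holds now: that the function takes IF_AFDATA_LOCK itself, and that the entry stored through *lle is returned with its lock already dropped, so a caller reading this header knows the pointer is not protected.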
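Review bot: In hunk @@ -1919,8 +1920,12 @@ the line added after lla_lookup() is a second IF_AFDATA_LOCK(ifp), where an unlock looks intended. As written, the lock is acquired twice and released on neither the return (1) path in this hunk nor the return (0) path in the next one, so the function exits with the afdata lock still held (or blocks on the second acquire if the lock does not recurse). Suggest changing the second call to the matching unlock and checking that every return after the lookup is covered. The added "if (ln) LLE_RUNLOCK(ln);" on the invalid-entry path looks right.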
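Review bot: In hunk @@ -1928,6 +1933,10 @@ the LLE_RUNLOCK(ln) is placed after "*lle = ln;", so the caller is handed a pointer to an entry that is no longer locked and, from the visible lines, carries no extra reference. The added comment acknowledges this as a use-after-free race but does not say what closes it. The bcopy into desten happens under the lock and is fine; the exposure is any later dereference of *lle by the caller. Suggest either taking a reference on the entry before unlocking and documenting that the caller must release it, or not exporting the pointer until the callers are reworked, and expanding the comment to name the race (entry freed between unlock and the caller's use) so it is tracked rather than described as "small".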