From owner-svn-src-stable@FreeBSD.ORG  Sat Apr  9 12:15:41 2011
Return-Path: <owner-svn-src-stable@FreeBSD.ORG>
Delivered-To: svn-src-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 53BE7106564A;
	Sat,  9 Apr 2011 12:15:41 +0000 (UTC) (envelope-from bz@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 3487A8FC0C;
	Sat,  9 Apr 2011 12:15:41 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id p39CFfxW013471;
	Sat, 9 Apr 2011 12:15:41 GMT (envelope-from bz@svn.freebsd.org)
Received: (from bz@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id p39CFfd5013469;
	Sat, 9 Apr 2011 12:15:41 GMT (envelope-from bz@svn.freebsd.org)
Message-Id: <201104091215.p39CFfd5013469@svn.freebsd.org>
From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
Date: Sat, 9 Apr 2011 12:15:41 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org
X-SVN-Group: stable-7
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r220488 - stable/7/sys/netinet6
X-BeenThere: svn-src-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for all the -stable branches of the src tree
	<svn-src-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-stable>, 
	<mailto:svn-src-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable>
List-Post: <mailto:svn-src-stable@freebsd.org>
List-Help: <mailto:svn-src-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-stable>,
	<mailto:svn-src-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Apr 2011 12:15:41 -0000

Author: bz
Date: Sat Apr  9 12:15:40 2011
New Revision: 220488
URL: http://svn.freebsd.org/changeset/base/220488

Log:
  MFC r219562:
  
    Make sure the locally cached value of rt->rt_gateway stays stable,
    even after dropping the reference and unlocking. Previously we
    have dereferenced a NULL pointer (after r121765).
    Simply unlocking after the block does not work either because of
    lock ordering (see r121765) and in addition we would still hold
    a pointer to something that might be gone by the time we access it.
    Thus take a copy of the value rather than just caching the pointer.
  
    Submitted by:	chenyl (netstar2008 126.com) (initial version)
  PR:		kern/151908

Modified:
  stable/7/sys/netinet6/nd6_nbr.c
Directory Properties:
  stable/7/sys/   (props changed)
  stable/7/sys/cddl/contrib/opensolaris/   (props changed)
  stable/7/sys/contrib/dev/acpica/   (props changed)
  stable/7/sys/contrib/pf/   (props changed)

Modified: stable/7/sys/netinet6/nd6_nbr.c
==============================================================================
--- stable/7/sys/netinet6/nd6_nbr.c	Sat Apr  9 12:11:19 2011	(r220487)
+++ stable/7/sys/netinet6/nd6_nbr.c	Sat Apr  9 12:15:40 2011	(r220488)
@@ -106,7 +106,7 @@ nd6_ns_input(struct mbuf *m, int off, in
 	int anycast = 0, proxy = 0, tentative = 0;
 	int tlladdr;
 	union nd_opts ndopts;
-	struct sockaddr_dl *proxydl = NULL;
+	struct sockaddr_dl proxydl;
 	char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN];
 
 #ifndef PULLDOWN_TEST
@@ -235,18 +235,25 @@ nd6_ns_input(struct mbuf *m, int off, in
 		rt = rtalloc1((struct sockaddr *)&tsin6, 0, 0);
 		need_proxy = (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 &&
 		    rt->rt_gateway->sa_family == AF_LINK);
-		if (rt)
+		if (rt != NULL) {
+			/*
+			 * Make a copy while we can be sure that rt_gateway
+			 * is still stable before unlocking to avoid lock
+			 * order problems.  proxydl will only be used if
+			 * proxy will be set in the next block.
+			 */
+			if (need_proxy)
+				proxydl = *SDL(rt->rt_gateway);
 			RTFREE_LOCKED(rt);
+		}
 		if (need_proxy) {
 			/*
 			 * proxy NDP for single entry
 			 */
 			ifa = (struct ifaddr *)in6ifa_ifpforlinklocal(ifp,
 				IN6_IFF_NOTREADY|IN6_IFF_ANYCAST);
-			if (ifa) {
+			if (ifa)
 				proxy = 1;
-				proxydl = SDL(rt->rt_gateway);
-			}
 		}
 	}
 	if (ifa == NULL) {
@@ -320,7 +327,7 @@ nd6_ns_input(struct mbuf *m, int off, in
 		nd6_na_output(ifp, &in6_all, &taddr6,
 		    ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
 		    (ip6_forwarding ? ND_NA_FLAG_ROUTER : 0),
-		    tlladdr, (struct sockaddr *)proxydl);
+		    tlladdr, (struct sockaddr *)&proxydl);
 		goto freeit;
 	}
 
@@ -330,7 +337,7 @@ nd6_ns_input(struct mbuf *m, int off, in
 	nd6_na_output(ifp, &saddr6, &taddr6,
 	    ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
 	    (ip6_forwarding ? ND_NA_FLAG_ROUTER : 0) | ND_NA_FLAG_SOLICITED,
-	    tlladdr, (struct sockaddr *)proxydl);
+	    tlladdr, (struct sockaddr *)&proxydl);
  freeit:
 	m_freem(m);
 	return;