Removing an IPv6 address does not remove NDP entries on that subnet
Li, Qing
qing.li at bluecoat.com
Mon Apr 2 17:53:39 UTC 2012
>
> On Fri, Mar 30, 2012 at 12:28 AM, Li, Qing <qing.li at bluecoat.com> wrote:
> >> * In a way this is a good thing as in6_lltable_prefix_free() is
> >> guaranteed to crash your kernel in two different ways, and that's not
> >> counting the race conditions that it's subject to.
> >>
> >
> > Could you please elaborate with some details on the two different
> > ways in6_lltable_prefix_free() crashes the kernel definitively?
>
> First, it calls callout_drain on lle->le_timer, but that is never
> initialized for a v6 llentry. Second, it never stops the ln_timer_ch
> callout before it frees the llentry. Third, it modifies the lltable
> without holding IF_AFDATA_LOCK (in.c has the third problem: see the
> -net discussion about kern/165863).
1. The reference to &lle->la_timer instead of ln_timer_ch is fine
because lle_timer is defined as a union.

2. The manpage of "callout_drain()" reads: "The function callout_drain()
is identical to callout_stop() except that it will wait for the callout
to be completed if it is already in progress."

3. wrt IF_AFDATA_LOCK() I will check again.

--Qing
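The defects discussed in this thread (draining a callout that was never initialized, and freeing an llentry while its timer is still scheduled) come down to teardown order. The following is an added, stand-alone C model written for this page; it is not FreeBSD kernel code and does not use the real callout(9) or lltable APIs. All names (model_callout_*, struct entry, callout_q, free_entry_safe/unsafe, scenario_*) are this example's own inventions. The model keeps a pending-callout queue that holds raw pointers to entries, marks freed entries with a magic value instead of calling free() so a dangling access is observable rather than undefined behaviour, and refuses to stop a callout that was never initialized.

```c
/* Added example (not FreeBSD code): a tiny single-threaded model of the
 * callout/entry lifecycle. Shows why a scheduled timer must be stopped
 * before the entry it references is freed, and why stopping/draining a
 * never-initialized callout is an error. All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAGIC_LIVE  0x4c495645u
#define MAGIC_FREED 0xdeadbeefu
#define MAX_PENDING 8

struct model_callout {
    int initialized;   /* models callout_init() having been called */
    int pending;       /* models a scheduled, not-yet-fired callout */
};

struct entry {
    unsigned magic;
    struct model_callout timer;
    int expired;
};

/* Pending "timer wheel": raw pointers to entries whose timer is scheduled. */
static struct entry *callout_q[MAX_PENDING];
static int callout_n;

static void model_callout_init(struct model_callout *c)
{
    c->initialized = 1;
    c->pending = 0;
}

/* Schedule the entry's timer (model of callout_reset()). */
static int model_callout_reset(struct entry *e)
{
    if (!e->timer.initialized || callout_n == MAX_PENDING)
        return -1;
    e->timer.pending = 1;
    callout_q[callout_n++] = e;
    return 0;
}

/* Model of callout_stop(): unlink the entry from the pending queue.
 * Returns -1 if the callout was never initialized instead of touching
 * garbage, which is the first failure mode described in the thread. */
static int model_callout_stop(struct entry *e)
{
    if (!e->timer.initialized)
        return -1;
    for (int i = 0; i < callout_n; i++) {
        if (callout_q[i] == e) {
            memmove(&callout_q[i], &callout_q[i + 1],
                    (size_t)(callout_n - i - 1) * sizeof *callout_q);
            callout_n--;
            break;
        }
    }
    e->timer.pending = 0;
    return 0;
}

/* Fire every pending callout; returns how many found their entry
 * already freed (a dangling pointer in the real kernel). */
static int model_run_callouts(void)
{
    int dangling = 0;
    while (callout_n > 0) {
        struct entry *e = callout_q[--callout_n];
        if (e->magic != MAGIC_LIVE) { dangling++; continue; }
        e->timer.pending = 0;
        e->expired = 1;
    }
    return dangling;
}

/* Teardown that forgets the timer: the second defect in the thread. */
static void free_entry_unsafe(struct entry *e) { e->magic = MAGIC_FREED; }

/* Correct order: stop (or drain) the timer first, then release the entry. */
static int free_entry_safe(struct entry *e)
{
    if (model_callout_stop(e) != 0)
        return -1;
    e->magic = MAGIC_FREED;
    return 0;
}

static struct entry *new_entry(int init_timer)
{
    struct entry *e = calloc(1, sizeof *e);
    e->magic = MAGIC_LIVE;
    if (init_timer)
        model_callout_init(&e->timer);
    return e;
}

/* Scenarios return a checkable value rather than only printing. */
int scenario_unsafe_free(void)          /* 1: callout hit freed memory */
{
    callout_n = 0;
    struct entry *e = new_entry(1);
    model_callout_reset(e);
    free_entry_unsafe(e);
    int dangling = model_run_callouts();
    free(e);
    return dangling;
}

int scenario_safe_free(void)            /* 0: timer stopped before free */
{
    callout_n = 0;
    struct entry *e = new_entry(1);
    model_callout_reset(e);
    free_entry_safe(e);
    int dangling = model_run_callouts();
    free(e);
    return dangling;
}

int scenario_uninitialized_stop(void)   /* -1: never-initialized callout */
{
    callout_n = 0;
    struct entry *e = new_entry(0);
    int rc = free_entry_safe(e);
    free(e);
    return rc;
}

int main(void)
{
    printf("unsafe free: %d dangling callout(s)\n", scenario_unsafe_free());
    printf("safe free:   %d dangling callout(s)\n", scenario_safe_free());
    printf("uninitialized callout stop: rc=%d\n", scenario_uninitialized_stop());
    return 0;
}
```

The model is single-threaded, so it cannot show the "wait for an in-progress callout" behaviour that distinguishes callout_drain() from callout_stop() in the manpage text quoted above; it only captures the ordering rule (stop, then free) and the initialization check.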