NetBSD-Bugs archive

kern/43100: 'pr->ndpr_refcnt' should be incremented in in6_ifattach_linklocal()@sys/netinet6/in6_ifattach.c



>Number:         43100
>Category:       kern
>Synopsis:       'pr->ndpr_refcnt' should be incremented in in6_ifattach_linklocal()@sys/netinet6/in6_ifattach.c
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Apr 02 03:55:00 +0000 2010
>Originator:     YAMAMOTO, Shigeru
>Release:        NetBSD 5.0.2
>Organization:
Internet Initiative Japan Inc.
>Environment:
NetBSD triton.iij.ad.jp 5.0.2 NetBSD 5.0.2 (GENERIC) #0: Sat Feb  6 17:53:27 
UTC 2010  
builds%b7.netbsd.org@localhost:/home/builds/ab/netbsd-5-0-2-RELEASE/i386/201002061851Z-obj/home/builds/ab/netbsd-5-0-2-RELEASE/src/sys/arch/i386/compile/GENERIC
 i386

>Description:
We have 2 ways to set an IPv6 link-local address.
One is 'in6_control1()@sys/netinet6/in6.c', which is called by ioctl().
The other is 'in6_ifattach_linklocal()@sys/netinet6/in6_ifattach.c', which is 
called by in6_ifattach()@sys/netinet6/in6_ifattach.c.

When comparing in6_control1() and in6_ifattach_linklocal(), there is a 
difference in incrementing 'pr->ndpr_refcnt'.

in6_control1() increments 'pr->ndpr_refcnt',
but in6_ifattach_linklocal() does not increment 'pr->ndpr_refcnt'.

I think this difference causes a reference count mismatch.


>How-To-Repeat:
1) use IPv6 enabled kernel
2) enable IPv6 on interface
 # ifconfig <if> inet6 up
3) add new IPv6 linklocal address
 # ifconfig <if> inet6 fe80::1
4) check 'fe80::%<if>/64' in routing table
 # netstat -rn -f inet6
5) delete IPv6 linklocal address which is added at step '3)'.
 # ifconfig <if> inet6 delete fe80::1
6) check 'fe80::%<if>/64' in routing table
 # netstat -rn -f inet6

At step '6)', we can see that 'fe80::%<if>/64' is deleted from the routing table.

In *BSD, in6_ifattach_linklocal() is the same code.
So I think *BSD has the same problem.

>Fix:
in6_ifattach_linklocal() needs a fix.

This is a patch.

-------------------------------------------------------------------
--- sys/netinet6/in6_ifattach.c.orig    2008-04-24 20:38:38.000000000 +0900
+++ sys/netinet6/in6_ifattach.c 2010-04-02 11:25:11.000000000 +0900
@@ -534,6 +534,7 @@
        struct in6_ifaddr *ia;
        struct in6_aliasreq ifra;
        struct nd_prefixctl pr0;
+       struct nd_prefix *pr = NULL;
        int i, error;
 
        /*
@@ -631,9 +632,21 @@
         * address, and then reconfigure another one, the prefix is still
         * valid with referring to the old link-local address.
         */
-       if (nd6_prefix_lookup(&pr0) == NULL) {
-               if ((error = nd6_prelist_add(&pr0, NULL, NULL)) != 0)
-                       return error;
+       if ((pr = nd6_prefix_lookup(&pr0)) == NULL) {
+               if ((error = nd6_prelist_add(&pr0, NULL, &pr)) != 0)
+                       return (error);
+#ifdef DIAGNOSTIC
+               if (pr == NULL) {
+                       panic("pr == NULL in in6_ifattach_linklocal");
+                       /* NOTREACHED */
+               }
+#endif
+       }
+
+       /* relate the address to the prefix */
+       if (ia->ia6_ndpr == NULL) {
+               ia->ia6_ndpr = pr;
+               pr->ndpr_refcnt++;
        }
 
        return 0;
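Review bot: The NULL check on pr after nd6_prelist_add() is compiled only under #ifdef DIAGNOSTIC, while the new block at the end of the hunk dereferences pr unconditionally in "pr->ndpr_refcnt++". On a kernel built without DIAGNOSTIC, a successful return that leaves pr unset would fault at the increment instead of hitting the panic message. Either make the check unconditional and return an error, or, if nd6_prelist_add() guarantees a non-NULL result whenever it returns 0, drop the check and state that in a comment. Two smaller points: when ia->ia6_ndpr is already non-NULL the block skips silently even if it refers to a different prefix than pr, which deserves a comment explaining why that is acceptable; and the hunk changes "return error;" to "return (error);" while the function still ends with "return 0;", so one form should be kept.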
-------------------------------------------------------------------
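
The mismatch described in the report, as a small user-space model added here (it is not NetBSD code and not part of the original report). All struct and function names are hypothetical; the model assumes that deleting an address drops one reference and removes the prefix route once the count reaches zero, and that the automatically configured link-local address of step 2 comes from the in6_ifattach_linklocal() path.

```c
/* Toy model of nd_prefix reference counting; constructed, not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct prefix { int refcnt; bool in_route_table; };
struct addr   { struct prefix *ndpr; };   /* stands in for ia->ia6_ndpr */

/* ioctl() path: relates the address to the prefix and takes a reference. */
static void add_via_ioctl(struct addr *a, struct prefix *pr)
{
    pr->in_route_table = true;
    if (a->ndpr == NULL) { a->ndpr = pr; pr->refcnt++; }
}

/* Attach path: take_ref=false models the code before the patch,
 * take_ref=true models the code with the patch applied. */
static void add_via_ifattach(struct addr *a, struct prefix *pr, bool take_ref)
{
    pr->in_route_table = true;
    if (take_ref && a->ndpr == NULL) { a->ndpr = pr; pr->refcnt++; }
}

/* Delete path (assumption): drop the address's reference, then remove
 * the prefix route when nothing references the prefix any more. */
static void delete_addr(struct addr *a, struct prefix *pr)
{
    if (a->ndpr != NULL) { a->ndpr->refcnt--; a->ndpr = NULL; }
    if (pr->refcnt == 0) pr->in_route_table = false;
}

/* Replays steps 2, 3 and 5 of How-To-Repeat; returns whether the
 * fe80::/64 prefix route is still present at step 6. */
bool route_survives(bool patched)
{
    struct prefix fe80 = { 0, false };
    struct addr auto_ll = { NULL }, manual_ll = { NULL };

    add_via_ifattach(&auto_ll, &fe80, patched);  /* step 2: automatic address */
    add_via_ioctl(&manual_ll, &fe80);            /* step 3: add fe80::1 */
    delete_addr(&manual_ll, &fe80);              /* step 5: delete fe80::1 */
    return fe80.in_route_table;                  /* auto_ll is still configured */
}

int main(void)
{
    printf("unpatched: route present = %d\n", route_survives(false));
    printf("patched:   route present = %d\n", route_survives(true));
    return 0;
}
```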


