Re: kern/51467 detaching USB network interface panics

[Michael van Elst <mlelstv%serpens.de@localhost>]

The following reply was made to PR kern/51467; it has been noted by GNATS.

From: Michael van Elst <mlelstv%serpens.de@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: kern/51467 detaching USB network interface panics
Date: Sun, 27 Nov 2016 10:45:27 +0100

 nd6_purge() contains a hack:
 
                         /*
                          * Because if_detach() does *not* release prefixes
                          * while purging addresses the reference count will
                          * still be above zero. We therefore reset it to
                          * make sure that the prefix really gets purged.
                          */
                         pr->ndpr_refcnt = 0;
 
 followed by a call to prelist_remove(pr). This will free the prefix list
 although it is still referenced by the interface.
 
 It will also finally call pfxlist_onlink_check().
 
         /*
          * Changes on the prefix status might affect address status as well.
          * Make sure that all addresses derived from an attached prefix are
          * attached, and that all addresses derived from a detached prefix are
          * detached.  Note, however, that a manually configured address should
          * always be attached.
          * The precise detection logic is same as the one for prefixes.
          */
 
 Here pfxlist_onlink_check uses the stale ia->ia6_ndpr reference
 when calling find_pfxlist_reachable_router().
 
 If the kernel is compiled with DEBUG (implies KMEM_POISON), this
 leads to an immediate crash.
 
 
 
 
 Greetings,
 -- 
                                 Michael van Elst
 Internet: mlelstv%serpens.de@localhost
                                 "A potential Snark may lurk in every tree."