PR/53075 CVS commit: [netbsd-8] src/sys

["Martin Husemann" <martin%netbsd.org@localhost>]

The following reply was made to PR kern/53075; it has been noted by GNATS.

From: "Martin Husemann" <martin%netbsd.org@localhost>
To: gnats-bugs%gnats.NetBSD.org@localhost
Cc: 
Subject: PR/53075 CVS commit: [netbsd-8] src/sys
Date: Mon, 2 Apr 2018 08:54:35 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Mon Apr  2 08:54:35 UTC 2018
 
 Modified Files:
 	src/sys/netinet [netbsd-8]: if_arp.c
 	src/sys/netinet6 [netbsd-8]: nd6_nbr.c
 
 Log Message:
 Pull up following revision(s) (requested by ozaki-r in ticket #686):
 
 	sys/netinet/if_arp.c: revision 1.271
 	sys/netinet6/nd6_nbr.c: revision 1.151,1.152
 
 Avoid passing NULL to nd6_dad_duplicated
 Fix PR kern/53075
 
 Fix a race condition on DAD destructions (again)
 
 The previous fix to DAD timers was wrong; it avoided a use-after-free but
 instead introduced a memory leak.  The destruction method had delegated
 a destruction of a DAD timer to the timer itself and told that by setting NULL
 to dp->dad_ifa.  However, the previous fix made DAD timers do nothing on
 the sign.
 
 Fixing the issue with using callout_stop isn't easy.  One approach is to have
 a refcount on dp but it introduces extra complexity that we want to avoid.
 The new fix falls back to using callout_halt, which was abandoned because of
 softnet_lock.  Fortunately now the network stack is protected by KERNEL_LOCK
 so we can remove softnet_lock from DAD timers (callout) and use callout_halt
 safely.
 
 
 To generate a diff of this commit:
 cvs rdiff -u -r1.250.2.7 -r1.250.2.8 src/sys/netinet/if_arp.c
 cvs rdiff -u -r1.138.6.5 -r1.138.6.6 src/sys/netinet6/nd6_nbr.c
 
 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.