[csjp@FreeBSD.org: Re: rtfree: 0xffffff00036fb1e0 has 1 refs]

Bruce M. Simpson bms at FreeBSD.org
Wed Aug 29 00:25:06 PDT 2007


BTW: Casual inspection with kscope suggests there is a similar 
free-while-locked issue in nd6_ns_input() (netinet6/nd6_nbr.c) and 
in_arpinput() (netinet/if_ether.c).

nd6_ns_input() references rt->rt_gateway after rtfree(), a potential 
race not to mention a use-after-free.

I haven't checked Coverity for this, but it just doesn't look right.

BMS
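To make the ordering problem in the mail concrete, the following is an added toy model in C. It is not code from this thread or from the FreeBSD tree: the `toy_rtentry` structure, the `toy_*` helpers and the two gateway lookup routines are all constructed for illustration. Instead of returning memory to the allocator when the last reference drops, the model marks the entry dead and poisons it, so the "rtfree() first, read rt_gateway second" ordering is reported as an error rather than reading stale memory, while the "read first, rtfree() second" ordering succeeds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed toy model of a reference-counted route entry. This is not
 * FreeBSD's struct rtentry: when the last reference is dropped the entry
 * is marked dead and poisoned instead of being handed back to the
 * allocator, so a later access can be recognised and reported.
 */
struct toy_rtentry {
    int rt_refcnt;
    int rt_dead;                 /* 1 once the last reference is gone */
    char rt_gateway[32];
};

/* Allocate an entry holding one reference owned by the caller. */
static struct toy_rtentry *toy_rtalloc(const char *gateway)
{
    struct toy_rtentry *rt = calloc(1, sizeof *rt);
    if (rt == NULL)
        return NULL;
    rt->rt_refcnt = 1;
    strncpy(rt->rt_gateway, gateway, sizeof rt->rt_gateway - 1);
    return rt;
}

/* Drop one reference. The real rtfree() frees the entry at zero; the toy
 * poisons it so that any later read is visibly wrong. */
static void toy_rtfree(struct toy_rtentry *rt)
{
    if (rt->rt_dead)
        return;
    if (--rt->rt_refcnt == 0) {
        rt->rt_dead = 1;
        memset(rt->rt_gateway, 0xdd, sizeof rt->rt_gateway);
    }
}

/* Field access that fails on a dead entry, standing in for what a
 * poisoned allocation or a sanitizer would catch. Returns 0 on success. */
static int toy_rt_gateway(const struct toy_rtentry *rt, char *out, size_t outlen)
{
    if (rt->rt_dead)
        return -1;
    snprintf(out, outlen, "%s", rt->rt_gateway);
    return 0;
}

/* The ordering the mail objects to: reference released, then field read.
 * Returns -1 because the entry is already gone when it is read. */
static int gateway_after_rtfree(struct toy_rtentry *rt, char *out, size_t outlen)
{
    toy_rtfree(rt);
    return toy_rt_gateway(rt, out, outlen);
}

/* Safe ordering: copy what is needed while the reference is still held,
 * and only then release it. Returns 0 on success. */
static int gateway_then_rtfree(struct toy_rtentry *rt, char *out, size_t outlen)
{
    int err = toy_rt_gateway(rt, out, outlen);
    toy_rtfree(rt);
    return err;
}

int main(void)
{
    char buf[32];
    struct toy_rtentry *a = toy_rtalloc("192.0.2.1");   /* constructed sample gateway */
    struct toy_rtentry *b = toy_rtalloc("192.0.2.1");

    if (a == NULL || b == NULL)
        return 1;
    printf("read after rtfree: %d\n", gateway_after_rtfree(a, buf, sizeof buf));
    printf("read before rtfree: %d (%s)\n", gateway_then_rtfree(b, buf, sizeof buf), buf);
    free(a);
    free(b);
    return 0;
}
```

The fix shape is the same in real kernel code: either consume the fields before the reference is dropped, or keep holding the reference (and the lock that protects the entry) across the whole use and release it at the end.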



More information about the freebsd-net mailing list