svn commit: r185834 - user/kmacy/head_arpv2/sys/netinet6

[Kip Macy]

Author: kmacy
Date: Wed Dec 10 04:06:54 2008
New Revision: 185834
URL: http://svn.freebsd.org/changeset/base/185834

Log:
  - acquire the IF_AFDATA_LOCK ind nd6_storelladdr
  - drop the lle lock before return

Modified:
  user/kmacy/head_arpv2/sys/netinet6/nd6.c

Modified: user/kmacy/head_arpv2/sys/netinet6/nd6.c
==============================================================================
--- user/kmacy/head_arpv2/sys/netinet6/nd6.c	Wed Dec 10 04:05:46 2008	(r185833)
+++ user/kmacy/head_arpv2/sys/netinet6/nd6.c	Wed Dec 10 04:06:54 2008	(r185834)
@@ -1872,7 +1872,8 @@ nd6_need_cache(struct ifnet *ifp)
 }
 
 /*
- * the caller of this function needs to lock the interface table
+ * the callers of this function need to be re-worked to drop
+ * the lle lock, drop here for now
  */
 int
 nd6_storelladdr(struct ifnet *ifp, struct rtentry *rt0, struct mbuf *m,
@@ -1919,8 +1920,12 @@ nd6_storelladdr(struct ifnet *ifp, struc
 	/*
 	 * the entry should have been created in nd6_store_lladdr
 	 */
+	IF_AFDATA_LOCK(ifp);
 	ln = lla_lookup(LLTABLE6(ifp), 0, dst);
+	IF_AFDATA_LOCK(ifp);
 	if ((ln == NULL) || !(ln->la_flags & LLE_VALID)) {
+		if (ln)
+			LLE_RUNLOCK(ln);
 		/* this could happen, if we could not allocate memory */
 		m_freem(m);
 		return (1);
@@ -1928,6 +1933,10 @@ nd6_storelladdr(struct ifnet *ifp, struc
 
 	bcopy(&ln->ll_addr, desten, ifp->if_addrlen);
 	*lle = ln;
+	LLE_RUNLOCK(ln);
+	/*
+	 * A *small* use after free race exists here
+	 */
 	return (0);
 }