Source-Changes-HG archive


[src/trunk]: src/sys/netinet6 Prevent ia6 from being freed in in6_ifinit



details:   https://anonhg.NetBSD.org/src/rev/5e039b2c9fd8
branches:  trunk
changeset: 351819:5e039b2c9fd8
user:      ozaki-r <ozaki-r%NetBSD.org@localhost>
date:      Tue Feb 28 02:56:49 2017 +0000

description:
Prevent ia6 from being freed in in6_ifinit

It fixes a panic (diagnostic assertion "entry->ple_prevp != NULL" failed)
on:
  ifconfig lo1 create
  ifconfig lo1 127.0.0.2
reported by ryo@

diffstat:

 sys/netinet6/in6.c |  14 ++++++++++----
 1 files changed, 10 insertions(+), 4 deletions(-)

diffs (47 lines):

diff -r 5873f58a75e4 -r 5e039b2c9fd8 sys/netinet6/in6.c
--- a/sys/netinet6/in6.c        Tue Feb 28 00:33:36 2017 +0000
+++ b/sys/netinet6/in6.c        Tue Feb 28 02:56:49 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: in6.c,v 1.238 2017/02/23 07:57:10 ozaki-r Exp $        */
+/*     $NetBSD: in6.c,v 1.239 2017/02/28 02:56:49 ozaki-r Exp $        */
 /*     $KAME: in6.c,v 1.198 2001/07/18 09:12:38 itojun Exp $   */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.238 2017/02/23 07:57:10 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.239 2017/02/28 02:56:49 ozaki-r Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1043,6 +1043,13 @@
                ia->ia6_lifetime.ia6t_preferred = time_uptime;
        }
 
+       if (hostIsNew) {
+               /*
+                * We need a reference to ia before calling in6_ifinit.
+                * Otherwise ia can be freed in in6_ifinit accidentally.
+                */
+               ifaref(&ia->ia_ifa);
+       }
        /* reset the interface and routing table appropriately. */
        error = in6_ifinit(ifp, ia, &ifra->ifra_addr, hostIsNew);
        if (error != 0) {
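Review bot: the error branch at `if (error != 0) {` just after the in6_ifinit call has to release the reference that the new `ifaref(&ia->ia_ifa)` takes when hostIsNew is set, and its body is cut off by the hunk boundary, so that cannot be confirmed from what is shown. If that path still assumes only the original reference, each failed in6_ifinit for a new address would leave ia with one count too many and it would never be freed. Please show or add the matching release on the failure path, and extend the new comment to say where the reference is dropped on error.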
@@ -1059,13 +1066,12 @@
 
        /*
         * Insert ia to the global list and ifa to the interface's list.
+        * A reference to it is already gained above.
         */
        mutex_enter(&in6_ifaddr_lock);
        IN6_ADDRLIST_WRITER_INSERT_TAIL(ia);
        mutex_exit(&in6_ifaddr_lock);
 
-       /* gain a refcnt for the link from in6_ifaddr */
-       ifaref(&ia->ia_ifa);
        ifa_insert(ifp, &ia->ia_ifa);
 
        /*
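Review bot: the added comment line "A reference to it is already gained above" is true only when hostIsNew was set, because the `ifaref(&ia->ia_ifa)` removed here sat directly before `ifa_insert(ifp, &ia->ia_ifa)` with no condition visible in this hunk, while its replacement is taken inside `if (hostIsNew)` earlier. If this insertion can be reached with hostIsNew false, the link from the in6_ifaddr list is no longer counted and a later release could free ia while it is still on the list. Suggest stating in the comment that this block runs only for new addresses, or adding an assertion on hostIsNew before the insert, so the pairing between the reference and the list link stays checkable.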


