Subject: CVS commit: src/sys/netinet6
To: None <source-changes@NetBSD.org>
From: David Young <dyoung@netbsd.org>
List: source-changes
Date: 12/02/2006 20:40:59
Module Name: src
Committed By: dyoung
Date: Sat Dec 2 20:40:59 UTC 2006
Modified Files:
src/sys/netinet6: in6.c
Log Message:
Synchronize access to the ifaddr list by in6_update_ifa() and
in6_control() with splnet()/splx(). I was being a bit paranoid
here. Following a cursory analysis of the code, this still looked
necessary. We don't spend a lot of time in these calls, so it
should not be too harmful to suspend network interrupts.
In in6_unlink_ifa(), call in6_delmulti() just once on each multicast
address (in6_multi). Previously, in6_unlink_ifa() called in6_delmulti()
on each in6_multi until in6_delmulti() removed the in6_multi from
the list and freed its memory. That's not justified: the multicast
list holds *one* reference. All other references belong to other
entities. We must wait to free the memory until the other entities
release their references, to protect against dereferencing a freed
in6_multi.
XXX I need to revisit in6_delmulti(), in6_unlink_ifa(), and friends,
XXX to pry apart the conditions where an in6_multi is removed from
XXX its list and where it is freed. Following my change, above,
XXX we still risk dereferencing a freed in6_multi.
Prevent in6_update_ifa() and in6_addremloop() from creating dangling
pointers to interfaces in the routing table. Previously, my NetBSD
tunnel concentrator, which adds and deletes a lot of P2P interfaces
with the same local address, crashed in 8 hours or less when it
dereferenced a dangling pointer to a deleted ifnet. Now, its uptime
is greater than 3 days.
To generate a diff of this commit:
cvs rdiff -r1.120 -r1.121 src/sys/netinet6/in6.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.