From nobody@FreeBSD.org  Wed Nov  3 08:45:36 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id EC3C9106566B
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  3 Nov 2010 08:45:36 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id C0B918FC12
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  3 Nov 2010 08:45:36 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id oA38jZ0d094476
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 3 Nov 2010 08:45:35 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id oA38jZNc094475;
	Wed, 3 Nov 2010 08:45:35 GMT
	(envelope-from nobody)
Message-Id: <201011030845.oA38jZNc094475@www.freebsd.org>
Date: Wed, 3 Nov 2010 08:45:35 GMT
From: chenyl <netstar2008@126.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: nd6_ns_input:panic may happen, for RTFREE_LOCKED set rt to 0.
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         151908
>Category:       kern
>Synopsis:       [netinet6] [patch] nd6_ns_input: panic may happen, for RTFREE_LOCKED set rt to 0.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 03 08:50:08 UTC 2010
>Closed-Date:    Sat Apr 09 12:16:41 UTC 2011
>Last-Modified:  Mon Apr 18 12:40:10 UTC 2011
>Originator:     chenyl
>Release:        FreeBSD 8.1-RELEASE
>Organization:
array
>Environment:
FreeBSD  8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010
>Description:
nd6_ns_input:
    256                 need_proxy = (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 &&
    257                     rt->rt_gateway->sa_family == AF_LINK);
    258                 if (rt)
    259                         RTFREE_LOCKED(rt);
    260                 if (need_proxy) {
    261                         /*
    262                          * proxy NDP for single entry
    263                          */
    264                         ifa = (struct ifaddr *)in6ifa_ifpforlinklocal(ifp,
    265                                 IN6_IFF_NOTREADY|IN6_IFF_ANYCAST);
    266                         if (ifa) {
    267                                 proxy = 1;
    268                                 proxydl = SDL(rt->rt_gateway);
    269                         }
    270                 }
    271         }

L259:
RTFREE_LOCKED(rt);
rt will be set to 0.
L268:
rt will be referenced. Panic may happen here.

>How-To-Repeat:

>Fix:
--- nd6_nbr.c   2010-06-14 10:09:06.000000000 +0800
+++ nd6_nbr.c.bak       2010-11-04 00:43:15.000000000 +0800
@@ -255,8 +255,6 @@ nd6_ns_input(struct mbuf *m, int off, in
 #endif
                need_proxy = (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 &&
                    rt->rt_gateway->sa_family == AF_LINK);
-               if (rt)
-                       RTFREE_LOCKED(rt);
                if (need_proxy) {
                        /*
                         * proxy NDP for single entry
@@ -268,6 +266,10 @@ nd6_ns_input(struct mbuf *m, int off, in
                                proxydl = SDL(rt->rt_gateway);
                        }
                }
+               if(!proxy) {
+                       if(rt)
+                               RTFREE_LOCKED(rt);
+               }
        }
        if (ifa == NULL) {
                /*

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Fri Nov 12 21:16:04 UTC 2010 
Responsible-Changed-Why:  
Patch against networking code. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=151908 
Responsible-Changed-From-To: freebsd-net->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Thu Nov 18 06:13:32 UTC 2010 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=151908 
State-Changed-From-To: open->feedback 
State-Changed-By: bz 
State-Changed-When: Mon Nov 22 08:45:50 UTC 2010 
State-Changed-Why:  
A new patch has been presented for testing/review. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=151908 

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, netstar2008@126.com
Cc:  
Subject: Re: kern/151908: [netinet6] [patch] nd6_ns_input: panic may happen,
 for RTFREE_LOCKED set rt to 0.
Date: Mon, 22 Nov 2010 08:44:48 +0000 (UTC)

 Hi,
 
 I have an updated version of the patch.  Could you please test/review
 that and report back?
 
 You can also temporary fetch it from
 http://people.freebsd.org/~bz/20101122-01-nd6_nbr-pr151908.diff
 
 
 !
 ! Make sure the locally cache value of rt->rt_gateway stays stable,
 ! even after dropping the reference and unlocking.  Previously we
 ! have dereferenced a NULL pointer (after r121765).
 ! Simply unlocking after the block does not work either because of
 ! lock ordering (see r121765) and in addition we would still hold
 ! a pointer to something that might be gone by the time we access it.
 ! Thus take a copy of the values rather than just the pointer.
 !
 ! PR:		kern/151908
 ! Submitted by:	chenyl (netstar2008 126.com) (initial version)
 ! Reviewed by: 
 ! Tested by: 
 ! MFC After: 
 !
 Index: sys/netinet6/nd6_nbr.c
 ===================================================================
 --- sys/netinet6/nd6_nbr.c	(revision 215641)
 +++ sys/netinet6/nd6_nbr.c	(working copy)
 @@ -113,7 +113,7 @@ nd6_ns_input(struct mbuf *m, int off, int icmp6len
   	int anycast = 0, proxy = 0, tentative = 0;
   	int tlladdr;
   	union nd_opts ndopts;
 -	struct sockaddr_dl *proxydl = NULL;
 +	struct sockaddr_dl proxydl;
   	char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN];
 
   #ifndef PULLDOWN_TEST
 @@ -248,18 +248,25 @@ nd6_ns_input(struct mbuf *m, int off, int icmp6len
   #endif
   		need_proxy = (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 &&
   		    rt->rt_gateway->sa_family == AF_LINK);
 -		if (rt)
 +		if (rt != NULL) {
 +			/*
 +			 * Make a copy while we can be sure that rt_gateway
 +			 * is still stable before unlocking to avoid lock
 +			 * order problems.  proxydl will only be used if
 +			 * proxy will be set in the next block.
 +			 */
 +			if (need_proxy)
 +				proxydl = *SDL(rt->rt_gateway);
   			RTFREE_LOCKED(rt);
 +		}
   		if (need_proxy) {
   			/*
   			 * proxy NDP for single entry
   			 */
   			ifa = (struct ifaddr *)in6ifa_ifpforlinklocal(ifp,
   				IN6_IFF_NOTREADY|IN6_IFF_ANYCAST);
 -			if (ifa) {
 +			if (ifa)
   				proxy = 1;
 -				proxydl = SDL(rt->rt_gateway);
 -			}
   		}
   	}
   	if (ifa == NULL) {
 @@ -333,7 +340,7 @@ nd6_ns_input(struct mbuf *m, int off, int icmp6len
   		nd6_na_output(ifp, &in6_all, &taddr6,
   		    ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
   		    (V_ip6_forwarding ? ND_NA_FLAG_ROUTER : 0),
 -		    tlladdr, (struct sockaddr *)proxydl);
 +		    tlladdr, (struct sockaddr *)&proxydl);
   		goto freeit;
   	}
 
 @@ -343,7 +350,7 @@ nd6_ns_input(struct mbuf *m, int off, int icmp6len
   	nd6_na_output(ifp, &saddr6, &taddr6,
   	    ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
   	    (V_ip6_forwarding ? ND_NA_FLAG_ROUTER : 0) | ND_NA_FLAG_SOLICITED,
 -	    tlladdr, (struct sockaddr *)proxydl);
 +	    tlladdr, (struct sockaddr *)&proxydl);
    freeit:
   	if (ifa != NULL)
   		ifa_free(ifa);
State-Changed-From-To: feedback->patched 
State-Changed-By: bz 
State-Changed-When: Sat Mar 12 09:42:26 UTC 2011 
State-Changed-Why:  
Feedback timeout; just committed the patch; mfc timer set. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=151908 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/151908: commit references a PR
Date: Sat, 12 Mar 2011 09:41:35 +0000 (UTC)

 Author: bz
 Date: Sat Mar 12 09:41:25 2011
 New Revision: 219562
 URL: http://svn.freebsd.org/changeset/base/219562
 
 Log:
   Make sure the locally cached value of rt->rt_gateway stays stable,
   even after dropping the reference and unlocking. Previously we
   have dereferenced a NULL pointer (after r121765).
   Simply unlocking after the block does not work either because of
   lock ordering (see r121765) and in addition we would still hold
   a pointer to something that might be gone by the time we access it.
   Thus take a copy of the value rather than just caching the pointer.
   
   PR:		kern/151908
   Submitted by:	chenyl (netstar2008 126.com) (initial version)
   MFC after:	2 weeks
 
 Modified:
   head/sys/netinet6/nd6_nbr.c
 
 Modified: head/sys/netinet6/nd6_nbr.c
 ==============================================================================
 --- head/sys/netinet6/nd6_nbr.c	Sat Mar 12 09:09:25 2011	(r219561)
 +++ head/sys/netinet6/nd6_nbr.c	Sat Mar 12 09:41:25 2011	(r219562)
 @@ -113,7 +113,7 @@ nd6_ns_input(struct mbuf *m, int off, in
  	int anycast = 0, proxy = 0, tentative = 0;
  	int tlladdr;
  	union nd_opts ndopts;
 -	struct sockaddr_dl *proxydl = NULL;
 +	struct sockaddr_dl proxydl;
  	char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN];
  
  #ifndef PULLDOWN_TEST
 @@ -248,18 +248,25 @@ nd6_ns_input(struct mbuf *m, int off, in
  #endif
  		need_proxy = (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 &&
  		    rt->rt_gateway->sa_family == AF_LINK);
 -		if (rt)
 +		if (rt != NULL) {
 +			/*
 +			 * Make a copy while we can be sure that rt_gateway
 +			 * is still stable before unlocking to avoid lock
 +			 * order problems.  proxydl will only be used if
 +			 * proxy will be set in the next block.
 +			 */
 +			if (need_proxy)
 +				proxydl = *SDL(rt->rt_gateway);
  			RTFREE_LOCKED(rt);
 +		}
  		if (need_proxy) {
  			/*
  			 * proxy NDP for single entry
  			 */
  			ifa = (struct ifaddr *)in6ifa_ifpforlinklocal(ifp,
  				IN6_IFF_NOTREADY|IN6_IFF_ANYCAST);
 -			if (ifa) {
 +			if (ifa)
  				proxy = 1;
 -				proxydl = SDL(rt->rt_gateway);
 -			}
  		}
  	}
  	if (ifa == NULL) {
 @@ -333,7 +340,7 @@ nd6_ns_input(struct mbuf *m, int off, in
  		nd6_na_output(ifp, &in6_all, &taddr6,
  		    ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
  		    (V_ip6_forwarding ? ND_NA_FLAG_ROUTER : 0),
 -		    tlladdr, (struct sockaddr *)proxydl);
 +		    tlladdr, (struct sockaddr *)&proxydl);
  		goto freeit;
  	}
  
 @@ -343,7 +350,7 @@ nd6_ns_input(struct mbuf *m, int off, in
  	nd6_na_output(ifp, &saddr6, &taddr6,
  	    ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
  	    (V_ip6_forwarding ? ND_NA_FLAG_ROUTER : 0) | ND_NA_FLAG_SOLICITED,
 -	    tlladdr, (struct sockaddr *)proxydl);
 +	    tlladdr, (struct sockaddr *)&proxydl);
   freeit:
  	if (ifa != NULL)
  		ifa_free(ifa);
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: bz 
State-Changed-When: Sat Apr 9 12:16:07 UTC 2011 
State-Changed-Why:  
CHnages merged to stable/8 and 7.  Thanks for reporting. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=151908 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/151908: commit references a PR
Date: Sat,  9 Apr 2011 12:11:33 +0000 (UTC)

 Author: bz
 Date: Sat Apr  9 12:11:19 2011
 New Revision: 220487
 URL: http://svn.freebsd.org/changeset/base/220487
 
 Log:
   MFC r219562:
   
     Make sure the locally cached value of rt->rt_gateway stays stable,
     even after dropping the reference and unlocking. Previously we
     have dereferenced a NULL pointer (after r121765).
     Simply unlocking after the block does not work either because of
     lock ordering (see r121765) and in addition we would still hold
     a pointer to something that might be gone by the time we access it.
     Thus take a copy of the value rather than just caching the pointer.
   
     Submitted by:	chenyl (netstar2008 126.com) (initial version)
   PR:		kern/151908
 
 Modified:
   stable/8/sys/netinet6/nd6_nbr.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
 
 Modified: stable/8/sys/netinet6/nd6_nbr.c
 ==============================================================================
 --- stable/8/sys/netinet6/nd6_nbr.c	Sat Apr  9 12:04:35 2011	(r220486)
 +++ stable/8/sys/netinet6/nd6_nbr.c	Sat Apr  9 12:11:19 2011	(r220487)
 @@ -112,7 +112,7 @@ nd6_ns_input(struct mbuf *m, int off, in
  	int anycast = 0, proxy = 0, tentative = 0;
  	int tlladdr;
  	union nd_opts ndopts;
 -	struct sockaddr_dl *proxydl = NULL;
 +	struct sockaddr_dl proxydl;
  	char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN];
  
  #ifndef PULLDOWN_TEST
 @@ -247,18 +247,25 @@ nd6_ns_input(struct mbuf *m, int off, in
  #endif
  		need_proxy = (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 &&
  		    rt->rt_gateway->sa_family == AF_LINK);
 -		if (rt)
 +		if (rt != NULL) {
 +			/*
 +			 * Make a copy while we can be sure that rt_gateway
 +			 * is still stable before unlocking to avoid lock
 +			 * order problems.  proxydl will only be used if
 +			 * proxy will be set in the next block.
 +			 */
 +			if (need_proxy)
 +				proxydl = *SDL(rt->rt_gateway);
  			RTFREE_LOCKED(rt);
 +		}
  		if (need_proxy) {
  			/*
  			 * proxy NDP for single entry
  			 */
  			ifa = (struct ifaddr *)in6ifa_ifpforlinklocal(ifp,
  				IN6_IFF_NOTREADY|IN6_IFF_ANYCAST);
 -			if (ifa) {
 +			if (ifa)
  				proxy = 1;
 -				proxydl = SDL(rt->rt_gateway);
 -			}
  		}
  	}
  	if (ifa == NULL) {
 @@ -332,7 +339,7 @@ nd6_ns_input(struct mbuf *m, int off, in
  		nd6_na_output(ifp, &in6_all, &taddr6,
  		    ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
  		    (V_ip6_forwarding ? ND_NA_FLAG_ROUTER : 0),
 -		    tlladdr, (struct sockaddr *)proxydl);
 +		    tlladdr, (struct sockaddr *)&proxydl);
  		goto freeit;
  	}
  
 @@ -342,7 +349,7 @@ nd6_ns_input(struct mbuf *m, int off, in
  	nd6_na_output(ifp, &saddr6, &taddr6,
  	    ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
  	    (V_ip6_forwarding ? ND_NA_FLAG_ROUTER : 0) | ND_NA_FLAG_SOLICITED,
 -	    tlladdr, (struct sockaddr *)proxydl);
 +	    tlladdr, (struct sockaddr *)&proxydl);
   freeit:
  	if (ifa != NULL)
  		ifa_free(ifa);
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/151908: commit references a PR
Date: Sat,  9 Apr 2011 12:15:50 +0000 (UTC)

 Author: bz
 Date: Sat Apr  9 12:15:40 2011
 New Revision: 220488
 URL: http://svn.freebsd.org/changeset/base/220488
 
 Log:
   MFC r219562:
   
     Make sure the locally cached value of rt->rt_gateway stays stable,
     even after dropping the reference and unlocking. Previously we
     have dereferenced a NULL pointer (after r121765).
     Simply unlocking after the block does not work either because of
     lock ordering (see r121765) and in addition we would still hold
     a pointer to something that might be gone by the time we access it.
     Thus take a copy of the value rather than just caching the pointer.
   
     Submitted by:	chenyl (netstar2008 126.com) (initial version)
   PR:		kern/151908
 
 Modified:
   stable/7/sys/netinet6/nd6_nbr.c
 Directory Properties:
   stable/7/sys/   (props changed)
   stable/7/sys/cddl/contrib/opensolaris/   (props changed)
   stable/7/sys/contrib/dev/acpica/   (props changed)
   stable/7/sys/contrib/pf/   (props changed)
 
 Modified: stable/7/sys/netinet6/nd6_nbr.c
 ==============================================================================
 --- stable/7/sys/netinet6/nd6_nbr.c	Sat Apr  9 12:11:19 2011	(r220487)
 +++ stable/7/sys/netinet6/nd6_nbr.c	Sat Apr  9 12:15:40 2011	(r220488)
 @@ -106,7 +106,7 @@ nd6_ns_input(struct mbuf *m, int off, in
  	int anycast = 0, proxy = 0, tentative = 0;
  	int tlladdr;
  	union nd_opts ndopts;
 -	struct sockaddr_dl *proxydl = NULL;
 +	struct sockaddr_dl proxydl;
  	char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN];
  
  #ifndef PULLDOWN_TEST
 @@ -235,18 +235,25 @@ nd6_ns_input(struct mbuf *m, int off, in
  		rt = rtalloc1((struct sockaddr *)&tsin6, 0, 0);
  		need_proxy = (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 &&
  		    rt->rt_gateway->sa_family == AF_LINK);
 -		if (rt)
 +		if (rt != NULL) {
 +			/*
 +			 * Make a copy while we can be sure that rt_gateway
 +			 * is still stable before unlocking to avoid lock
 +			 * order problems.  proxydl will only be used if
 +			 * proxy will be set in the next block.
 +			 */
 +			if (need_proxy)
 +				proxydl = *SDL(rt->rt_gateway);
  			RTFREE_LOCKED(rt);
 +		}
  		if (need_proxy) {
  			/*
  			 * proxy NDP for single entry
  			 */
  			ifa = (struct ifaddr *)in6ifa_ifpforlinklocal(ifp,
  				IN6_IFF_NOTREADY|IN6_IFF_ANYCAST);
 -			if (ifa) {
 +			if (ifa)
  				proxy = 1;
 -				proxydl = SDL(rt->rt_gateway);
 -			}
  		}
  	}
  	if (ifa == NULL) {
 @@ -320,7 +327,7 @@ nd6_ns_input(struct mbuf *m, int off, in
  		nd6_na_output(ifp, &in6_all, &taddr6,
  		    ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
  		    (ip6_forwarding ? ND_NA_FLAG_ROUTER : 0),
 -		    tlladdr, (struct sockaddr *)proxydl);
 +		    tlladdr, (struct sockaddr *)&proxydl);
  		goto freeit;
  	}
  
 @@ -330,7 +337,7 @@ nd6_ns_input(struct mbuf *m, int off, in
  	nd6_na_output(ifp, &saddr6, &taddr6,
  	    ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
  	    (ip6_forwarding ? ND_NA_FLAG_ROUTER : 0) | ND_NA_FLAG_SOLICITED,
 -	    tlladdr, (struct sockaddr *)proxydl);
 +	    tlladdr, (struct sockaddr *)&proxydl);
   freeit:
  	m_freem(m);
  	return;
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/151908: commit references a PR
Date: Sun, 17 Apr 2011 16:07:23 +0000 (UTC)

 Author: bz
 Date: Sun Apr 17 16:07:08 2011
 New Revision: 220743
 URL: http://svn.freebsd.org/changeset/base/220743
 
 Log:
   Fix IPv6 ND.  After r219562 we in nd6_ns_input() were erroneously always
   passing the cached proxydl reference (sockaddr_dl initialized or not) to
   nd6_na_output().  nd6_na_output() will thus assume a proxy NA.  Revert to
   conditionally passing either &proxydl or NULL if no proxy case desired.
   
   Tested by:	ipv6gw and ref9-i386
   Reported by:	Pete French (petefrench ingresso.co.uk on stable)
   Reported by:	bz, simon on Y! cluster
   Reported by:	kib
   PR:		kern/151908
   MFC after:	3 days
 
 Modified:
   head/sys/netinet6/nd6_nbr.c
 
 Modified: head/sys/netinet6/nd6_nbr.c
 ==============================================================================
 --- head/sys/netinet6/nd6_nbr.c	Sun Apr 17 16:04:39 2011	(r220742)
 +++ head/sys/netinet6/nd6_nbr.c	Sun Apr 17 16:07:08 2011	(r220743)
 @@ -340,7 +340,7 @@ nd6_ns_input(struct mbuf *m, int off, in
  		nd6_na_output(ifp, &in6_all, &taddr6,
  		    ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
  		    (V_ip6_forwarding ? ND_NA_FLAG_ROUTER : 0),
 -		    tlladdr, (struct sockaddr *)&proxydl);
 +		    tlladdr, proxy ? (struct sockaddr *)&proxydl : NULL);
  		goto freeit;
  	}
  
 @@ -350,7 +350,7 @@ nd6_ns_input(struct mbuf *m, int off, in
  	nd6_na_output(ifp, &saddr6, &taddr6,
  	    ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
  	    (V_ip6_forwarding ? ND_NA_FLAG_ROUTER : 0) | ND_NA_FLAG_SOLICITED,
 -	    tlladdr, (struct sockaddr *)&proxydl);
 +	    tlladdr, proxy ? (struct sockaddr *)&proxydl : NULL);
   freeit:
  	if (ifa != NULL)
  		ifa_free(ifa);
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/151908: commit references a PR
Date: Mon, 18 Apr 2011 12:18:38 +0000 (UTC)

 Author: bz
 Date: Mon Apr 18 12:18:27 2011
 New Revision: 220773
 URL: http://svn.freebsd.org/changeset/base/220773
 
 Log:
   MFC r220743:
   
     Fix IPv6 ND.  After r219562 we in nd6_ns_input() were erroneously always
     passing the cached proxydl reference (sockaddr_dl initialized or not) to
     nd6_na_output().  nd6_na_output() will thus assume a proxy NA.  Revert to
     conditionally passing either &proxydl or NULL if no proxy case desired.
   
     Tested by:	ipv6gw and ref9-i386
     Tested by:	Pete French (petefrench ingresso.co.uk on stable)
     Reported by:	Pete French (petefrench ingresso.co.uk on stable)
     Reported by:	bz, simon on Y! cluster
     Reported by:	kib
   PR:		kern/151908
   X-Early-MFC:	yes
 
 Modified:
   stable/8/sys/netinet6/nd6_nbr.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
 
 Modified: stable/8/sys/netinet6/nd6_nbr.c
 ==============================================================================
 --- stable/8/sys/netinet6/nd6_nbr.c	Mon Apr 18 12:15:43 2011	(r220772)
 +++ stable/8/sys/netinet6/nd6_nbr.c	Mon Apr 18 12:18:27 2011	(r220773)
 @@ -339,7 +339,7 @@ nd6_ns_input(struct mbuf *m, int off, in
  		nd6_na_output(ifp, &in6_all, &taddr6,
  		    ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
  		    (V_ip6_forwarding ? ND_NA_FLAG_ROUTER : 0),
 -		    tlladdr, (struct sockaddr *)&proxydl);
 +		    tlladdr, proxy ? (struct sockaddr *)&proxydl : NULL);
  		goto freeit;
  	}
  
 @@ -349,7 +349,7 @@ nd6_ns_input(struct mbuf *m, int off, in
  	nd6_na_output(ifp, &saddr6, &taddr6,
  	    ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
  	    (V_ip6_forwarding ? ND_NA_FLAG_ROUTER : 0) | ND_NA_FLAG_SOLICITED,
 -	    tlladdr, (struct sockaddr *)&proxydl);
 +	    tlladdr, proxy ? (struct sockaddr *)&proxydl : NULL);
   freeit:
  	if (ifa != NULL)
  		ifa_free(ifa);
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/151908: commit references a PR
Date: Mon, 18 Apr 2011 12:32:20 +0000 (UTC)

 Author: bz
 Date: Mon Apr 18 12:32:06 2011
 New Revision: 220775
 URL: http://svn.freebsd.org/changeset/base/220775
 
 Log:
   MFC r220743:
   
     Fix IPv6 ND.  After r219562 we in nd6_ns_input() were erroneously always
     passing the cached proxydl reference (sockaddr_dl initialized or not) to
     nd6_na_output().  nd6_na_output() will thus assume a proxy NA.  Revert to
     conditionally passing either &proxydl or NULL if no proxy case desired.
   
     Tested by:	ipv6gw and ref9-i386
     Tested by:	Pete French (petefrench ingresso.co.uk)
     Reported by:	Pete French (petefrench ingresso.co.uk on stable)
     Reported by:	bz, simon on Y! cluster
     Reported by:	kib
   PR:		kern/151908
   X-Early-MFC:	yes
 
 Modified:
   stable/7/sys/netinet6/nd6_nbr.c
 Directory Properties:
   stable/7/sys/   (props changed)
   stable/7/sys/cddl/contrib/opensolaris/   (props changed)
   stable/7/sys/contrib/dev/acpica/   (props changed)
   stable/7/sys/contrib/pf/   (props changed)
 
 Modified: stable/7/sys/netinet6/nd6_nbr.c
 ==============================================================================
 --- stable/7/sys/netinet6/nd6_nbr.c	Mon Apr 18 12:27:57 2011	(r220774)
 +++ stable/7/sys/netinet6/nd6_nbr.c	Mon Apr 18 12:32:06 2011	(r220775)
 @@ -327,7 +327,7 @@ nd6_ns_input(struct mbuf *m, int off, in
  		nd6_na_output(ifp, &in6_all, &taddr6,
  		    ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
  		    (ip6_forwarding ? ND_NA_FLAG_ROUTER : 0),
 -		    tlladdr, (struct sockaddr *)&proxydl);
 +		    tlladdr, proxy ? (struct sockaddr *)&proxydl : NULL);
  		goto freeit;
  	}
  
 @@ -337,7 +337,7 @@ nd6_ns_input(struct mbuf *m, int off, in
  	nd6_na_output(ifp, &saddr6, &taddr6,
  	    ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
  	    (ip6_forwarding ? ND_NA_FLAG_ROUTER : 0) | ND_NA_FLAG_SOLICITED,
 -	    tlladdr, (struct sockaddr *)&proxydl);
 +	    tlladdr, proxy ? (struct sockaddr *)&proxydl : NULL);
   freeit:
  	m_freem(m);
  	return;
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
>Unformatted:
