On Fri, Mar 30, 2012 at 12:28 AM, Li, Qing <[email protected]> wrote:

>> * In a way this is a good thing as in6_lltable_prefix_free() is
>> guaranteed to crash your kernel in two different ways, and that's not
>> counting the race conditions that it's subject to.
>>
>
> Could you please elaborate with some details on the two different
> ways in6_lltable_prefix_free() crashes the kernel definitively?
First, it calls callout_drain on lle->le_timer, but that is never
initialized for a v6 llentry. Second, it never stops the ln_timer_ch
callout before it frees the llentry. Third, it modifies the lltable
without holding IF_AFDATA_LOCK (in.c has the third problem: see the -net
discussion about kern/165863).
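The second problem above (freeing an llentry while its ln_timer_ch callout is still queued) is the classic timer use-after-free pattern. The C below is an added illustration, not code from this thread or from FreeBSD: it models a callout wheel, a neighbour-cache entry and a softclock pass with a handful of constructed helpers (the `wheel` array, `lle_alloc`/`lle_release`, `softclock_run`, the `magic` field) that only loosely mirror the kernel names. A static pool stands in for the allocator so the stale callback can be detected deterministically; with a real free(9) that same callback is a use-after-free.

```c
#include <stdio.h>
#include <string.h>

/* Toy callout (timer) queue: constructed for this example, not FreeBSD's. */
#define MAX_CALLOUTS 8

struct callout {
    int pending;            /* 1 while queued on the wheel */
    void (*func)(void *);
    void *arg;
};

static struct callout *wheel[MAX_CALLOUTS];
static int nwheel;

static void callout_init(struct callout *c) { memset(c, 0, sizeof *c); }

static void callout_reset(struct callout *c, void (*fn)(void *), void *arg) {
    c->func = fn;
    c->arg = arg;
    if (!c->pending) { c->pending = 1; wheel[nwheel++] = c; }
}

/* Dequeue c; returns 1 if it was pending, 0 otherwise. */
static int callout_stop(struct callout *c) {
    if (!c->pending) return 0;
    for (int i = 0; i < nwheel; i++)
        if (wheel[i] == c) { wheel[i] = wheel[--nwheel]; break; }
    c->pending = 0;
    return 1;
}

/* Fire every pending callout once (models a softclock pass). */
static void softclock_run(void) {
    while (nwheel > 0) {
        struct callout *c = wheel[--nwheel];
        c->pending = 0;
        c->func(c->arg);
    }
}

/* Neighbour-cache entry; ln_timer_ch mirrors the FreeBSD field name only. */
#define LLE_MAGIC 0x4c4c4521
struct llentry {
    struct callout ln_timer_ch;
    int magic;              /* LLE_MAGIC while live, 0 once released */
};

static struct llentry pool[4];   /* static pool stands in for the allocator */
static int dangling_callbacks;   /* callbacks that ran against a released entry */

static struct llentry *lle_alloc(void) {
    for (int i = 0; i < 4; i++)
        if (pool[i].magic == 0) {
            callout_init(&pool[i].ln_timer_ch);
            pool[i].magic = LLE_MAGIC;
            return &pool[i];
        }
    return NULL;
}

static void lle_release(struct llentry *lle) { lle->magic = 0; } /* models free(9) */

static void lle_timeout(void *arg) {
    struct llentry *lle = arg;
    if (lle->magic != LLE_MAGIC)   /* with a real allocator this is a use-after-free */
        dangling_callbacks++;
}

/* Teardown as described in the mail: entry released with its timer queued. */
int prefix_free_unsafe(void) {
    dangling_callbacks = 0;
    struct llentry *lle = lle_alloc();
    callout_reset(&lle->ln_timer_ch, lle_timeout, lle);
    lle_release(lle);          /* the wheel still points at lle */
    softclock_run();           /* timer fires and touches the released entry */
    return dangling_callbacks; /* 1 */
}

/* Corrected teardown: stop the callout before releasing the entry. */
int prefix_free_safe(void) {
    dangling_callbacks = 0;
    struct llentry *lle = lle_alloc();
    callout_reset(&lle->ln_timer_ch, lle_timeout, lle);
    callout_stop(&lle->ln_timer_ch);
    lle_release(lle);
    softclock_run();
    return dangling_callbacks; /* 0 */
}

int main(void) {
    printf("unsafe teardown: %d stale callback(s)\n", prefix_free_unsafe());
    printf("safe teardown:   %d stale callback(s)\n", prefix_free_safe());
    return 0;
}
```

The model only covers ordering on a single thread; in the kernel, callout_stop on its own is not enough if the callback may already be running on another CPU, which is why callout_drain exists and why it must be called on a callout that was actually initialized (the first problem in the mail).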
