 @@ -1,14 +1,14 @@
-/*	$NetBSD: in6.c,v 1.245.2.10 2018/04/08 06:09:12 snj Exp $	*/
+/*	$NetBSD: in6.c,v 1.245.2.11 2018/06/07 17:48:31 martin Exp $	*/
 /*	$KAME: in6.c,v 1.198 2001/07/18 09:12:38 itojun Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
 @@ -52,27 +52,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)in.c	8.2 (Berkeley) 11/15/93
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.245.2.10 2018/04/08 06:09:12 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.245.2.11 2018/06/07 17:48:31 martin Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
 #include "opt_compat_netbsd.h"
 #include "opt_net_mpsafe.h"
 #endif
 #include <sys/param.h>
 #include <sys/ioctl.h>
 #include <sys/errno.h>
 #include <sys/malloc.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 @@ -1397,29 +1397,31 @@ in6_purgeaddr(struct ifaddr *ifa)
 	/* Delete any network route. */
 	in6_ifremprefix(ia);
 	/* Remove ownaddr's loopback rtentry, if it exists. */
 	in6_ifremlocal(&(ia->ia_ifa));
 	/*
 	 * leave from multicast groups we have joined for the interface
 	 */
     again:
 	mutex_enter(&in6_ifaddr_lock);
 	while ((imm = LIST_FIRST(&ia->ia6_memberships)) != NULL) {
 		struct in6_multi *in6m __diagused = imm->i6mm_maddr;
 		KASSERT(in6m == NULL || in6m->in6m_ifp == ifp);
 		LIST_REMOVE(imm, i6mm_chain);
 		mutex_exit(&in6_ifaddr_lock);
 		KASSERT(imm->i6mm_maddr->in6m_ifp == ifp);
 		in6_leavegroup(imm);
 		goto again;
+	}
 	mutex_exit(&in6_ifaddr_lock);
 	in6_unlink_ifa(ia, ifp);
+}
 static void
 in6_unlink_ifa(struct in6_ifaddr *ia, struct ifnet *ifp)
+{
 	int	s = splsoftnet();

 @@ -1,14 +1,14 @@
-/*	$NetBSD: in6_var.h,v 1.97 2017/03/02 09:48:20 ozaki-r Exp $	*/
+/*	$NetBSD: in6_var.h,v 1.97.6.1 2018/06/07 17:48:31 martin Exp $	*/
 /*	$KAME: in6_var.h,v 1.81 2002/06/08 11:16:51 itojun Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
 @@ -681,26 +681,29 @@ do {									\
 void	in6_init(void);
 void	in6_multi_lock(int);
 void	in6_multi_unlock(void);
 bool	in6_multi_locked(int);
 struct in6_multi *
 	in6_lookup_multi(const struct in6_addr *, const struct ifnet *);
 bool	in6_multi_group(const struct in6_addr *, const struct ifnet *);
 void	in6_purge_multi(struct ifnet *);
 struct	in6_multi *in6_addmulti(struct in6_addr *, struct ifnet *,
 	int *, int);
 void	in6_delmulti(struct in6_multi *);
 void	in6_delmulti_locked(struct in6_multi *);
 void	in6_lookup_and_delete_multi(const struct in6_addr *,
 	    const struct ifnet *);
 struct in6_multi_mship *in6_joingroup(struct ifnet *, struct in6_addr *,
 	int *, int);
 int	in6_leavegroup(struct in6_multi_mship *);
 int	in6_mask2len(struct in6_addr *, u_char *);
 int	in6_control(struct socket *, u_long, void *, struct ifnet *);
 int	in6_update_ifa(struct ifnet *, struct in6_aliasreq *, int);
 void	in6_purgeaddr(struct ifaddr *);
 void	in6_purgeif(struct ifnet *);
 void	in6_setmaxmtu  (void);
 int	in6_if2idlen  (struct ifnet *);
 void	*in6_domifattach(struct ifnet *);
 void	in6_domifdetach(struct ifnet *, void *);
 void	in6_ifremlocal(struct ifaddr *);

 @@ -1,14 +1,14 @@
-/*	$NetBSD: mld6.c,v 1.89.2.1 2018/01/02 10:20:34 snj Exp $	*/
+/*	$NetBSD: mld6.c,v 1.89.2.2 2018/06/07 17:48:31 martin Exp $	*/
 /*	$KAME: mld6.c,v 1.25 2001/01/16 14:14:18 itojun Exp $	*/
 /*
  * Copyright (C) 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
 @@ -92,27 +92,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)igmp.c	8.1 (Berkeley) 7/19/93
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: mld6.c,v 1.89.2.1 2018/01/02 10:20:34 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: mld6.c,v 1.89.2.2 2018/06/07 17:48:31 martin Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
 #include "opt_net_mpsafe.h"
 #endif
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/mbuf.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/syslog.h>
 #include <sys/sysctl.h>
 @@ -215,62 +215,59 @@ mld_starttimer(struct in6_multi *in6m)
  * The caller must ensure in6m won't be freed while releasing the lock.
  */
 static void
 mld_stoptimer(struct in6_multi *in6m)
+{
 	KASSERT(rw_write_held(&in6_multilock));
 	if (in6m->in6m_timer == IN6M_TIMER_UNDEF)
 		return;
 	rw_exit(&in6_multilock);
-	if (mutex_owned(softnet_lock))
+	callout_halt(&in6m->in6m_timer_ch, NULL);
 		callout_halt(&in6m->in6m_timer_ch, softnet_lock);
 	else
 		callout_halt(&in6m->in6m_timer_ch, NULL);
 	rw_enter(&in6_multilock, RW_WRITER);
 	in6m->in6m_timer = IN6M_TIMER_UNDEF;
+}
 static void
 mld_timeo(void *arg)
+{
 	struct in6_multi *in6m = arg;
 	KASSERT(in6m->in6m_refcount > 0);
-	SOFTNET_KERNEL_LOCK_UNLESS_NET_MPSAFE();
+	KERNEL_LOCK_UNLESS_NET_MPSAFE();
 	rw_enter(&in6_multilock, RW_WRITER);
 	if (in6m->in6m_timer == IN6M_TIMER_UNDEF)
 		goto out;
 	in6m->in6m_timer = IN6M_TIMER_UNDEF;
 	switch (in6m->in6m_state) {
 	case MLD_REPORTPENDING:
 		mld_start_listening(in6m);
 		break;
 	default:
 		mld_sendpkt(in6m, MLD_LISTENER_REPORT, NULL);
 		break;
+	}
 out:
 	rw_exit(&in6_multilock);
-	SOFTNET_KERNEL_UNLOCK_UNLESS_NET_MPSAFE();
+	KERNEL_UNLOCK_UNLESS_NET_MPSAFE();
+}
 static u_long
 mld_timerresid(struct in6_multi *in6m)
+{
 	struct timeval now, diff;
 	microtime(&now);
 	if (now.tv_sec > in6m->in6m_timer_expire.tv_sec ||
 	    (now.tv_sec == in6m->in6m_timer_expire.tv_sec &&
 	    now.tv_usec > in6m->in6m_timer_expire.tv_usec)) {
 		return (0);
 @@ -776,129 +773,154 @@ out:
 	rw_exit(&in6_multilock);
 	return in6m;
+}
 static void
 in6m_destroy(struct in6_multi *in6m)
+{
 	struct sockaddr_in6 sin6;
 	KASSERT(rw_write_held(&in6_multilock));
 	KASSERT(in6m->in6m_refcount == 0);
 	/*
-	 * No remaining claims to this record; let MLD6 know
+	 * Unlink from list if it's listed.  This must be done before
-	 * that we are leaving the multicast group.
+	 * mld_stop_listening because it releases in6_multilock and that allows
 	 * someone to look up the removing in6m from the list and add a
 	 * reference to the entry unexpectedly.
 	 */
-	mld_stop_listening(in6m);
+	if (in6_lookup_multi(&in6m->in6m_addr, in6m->in6m_ifp) != NULL)
 		LIST_REMOVE(in6m, in6m_entry);
 	/*
-	 * Unlink from list.
+	 * No remaining claims to this record; let MLD6 know
 	 * that we are leaving the multicast group.
 	 */
-	LIST_REMOVE(in6m, in6m_entry);
+	mld_stop_listening(in6m);
 	/*
 	 * Delete all references of this multicasting group from
 	 * the membership arrays
 	 */
 	in6_purge_mcast_references(in6m);
 	/*
 	 * Notify the network driver to update its multicast
 	 * reception filter.
 	 */
 	sockaddr_in6_init(&sin6, &in6m->in6m_addr, 0, 0, 0);
 	if_mcast_op(in6m->in6m_ifp, SIOCDELMULTI, sin6tosa(&sin6));
 	/* Tell mld_timeo we're halting the timer */
 	in6m->in6m_timer = IN6M_TIMER_UNDEF;
 	if (mutex_owned(softnet_lock))
-		callout_halt(&in6m->in6m_timer_ch, softnet_lock);
+	rw_exit(&in6_multilock);
-	else
+	callout_halt(&in6m->in6m_timer_ch, NULL);
 		callout_halt(&in6m->in6m_timer_ch, NULL);
 	callout_destroy(&in6m->in6m_timer_ch);
 	free(in6m, M_IPMADDR);
 	rw_enter(&in6_multilock, RW_WRITER);
+}
 /*
  * Delete a multicast address record.
  */
 void
-in6_delmulti(struct in6_multi *in6m)
+in6_delmulti_locked(struct in6_multi *in6m)
+{
 	KASSERT(rw_write_held(&in6_multilock));
 	KASSERT(in6m->in6m_refcount > 0);
 	rw_enter(&in6_multilock, RW_WRITER);
 	/*
 	 * The caller should have a reference to in6m. So we don't need to care
 	 * of releasing the lock in mld_stoptimer.
 	 */
 	mld_stoptimer(in6m);
 	if (--in6m->in6m_refcount == 0)
 		in6m_destroy(in6m);
+}
 void
 in6_delmulti(struct in6_multi *in6m)
+{
 	rw_enter(&in6_multilock, RW_WRITER);
 	in6_delmulti_locked(in6m);
 	rw_exit(&in6_multilock);
+}
 /*
  * Look up the in6_multi record for a given IP6 multicast address
  * on a given interface. If no matching record is found, "in6m"
  * returns NULL.
  */
 struct in6_multi *
 in6_lookup_multi(const struct in6_addr *addr, const struct ifnet *ifp)
+{
 	struct in6_multi *in6m;
 	KASSERT(rw_lock_held(&in6_multilock));
 	LIST_FOREACH(in6m, &ifp->if_multiaddrs, in6m_entry) {
 		if (IN6_ARE_ADDR_EQUAL(&in6m->in6m_addr, addr))
 			break;
+	}
 	return in6m;
+}
 void
 in6_lookup_and_delete_multi(const struct in6_addr *addr,
     const struct ifnet *ifp)
+{
 	struct in6_multi *in6m;
 	rw_enter(&in6_multilock, RW_WRITER);
 	in6m = in6_lookup_multi(addr, ifp);
 	if (in6m != NULL)
 		in6_delmulti_locked(in6m);
 	rw_exit(&in6_multilock);
+}
 bool
 in6_multi_group(const struct in6_addr *addr, const struct ifnet *ifp)
+{
 	bool ingroup;
 	rw_enter(&in6_multilock, RW_READER);
 	ingroup = in6_lookup_multi(addr, ifp) != NULL;
 	rw_exit(&in6_multilock);
 	return ingroup;
+}
 /*
  * Purge in6_multi records associated to the interface.
  */
 void
 in6_purge_multi(struct ifnet *ifp)
+{
 	struct in6_multi *in6m, *next;
 	rw_enter(&in6_multilock, RW_WRITER);
 	LIST_FOREACH_SAFE(in6m, &ifp->if_multiaddrs, in6m_entry, next) {
 		LIST_REMOVE(in6m, in6m_entry);
 		/*
 		 * Normally multicast addresses are already purged at this
 		 * point. Remaining references aren't accessible via ifp,
 		 * so what we can do here is to prevent ifp from being
 		 * accessed via in6m by removing it from the list of ifp.
 		 */
 		mld_stoptimer(in6m);
 		LIST_REMOVE(in6m, in6m_entry);
+	}
 	rw_exit(&in6_multilock);
+}
 void
 in6_multi_lock(int op)
+{
 	rw_enter(&in6_multilock, op);
+}
 void
 in6_multi_unlock(void)
 @@ -937,32 +959,33 @@ in6_joingroup(struct ifnet *ifp, struct
 	if (!imm->i6mm_maddr) {
 		/* *errorp is already set */
 		free(imm, M_IPMADDR);
 		return NULL;
+	}
 	return imm;
+}
 int
 in6_leavegroup(struct in6_multi_mship *imm)
+{
 	struct in6_multi *in6m;
-	rw_enter(&in6_multilock, RW_READER);
+	rw_enter(&in6_multilock, RW_WRITER);
 	in6m = imm->i6mm_maddr;
-	rw_exit(&in6_multilock);
+	imm->i6mm_maddr = NULL;
 	if (in6m != NULL) {
-		in6_delmulti(in6m);
+		in6_delmulti_locked(in6m);
+	}
 	rw_exit(&in6_multilock);
 	free(imm, M_IPMADDR);
 	return 0;
+}
 /*
  * DEPRECATED: keep it just to avoid breaking old sysctl users.
  */
 static int
 in6_mkludge_sysctl(SYSCTLFN_ARGS)
+{
 	if (namelen != 1)
 		return EINVAL;

 @@ -1,14 +1,14 @@
-/*	$NetBSD: nd6.c,v 1.232.2.7 2018/03/13 13:27:10 martin Exp $	*/
+/*	$NetBSD: nd6.c,v 1.232.2.8 2018/06/07 17:48:31 martin Exp $	*/
 /*	$KAME: nd6.c,v 1.279 2002/06/08 11:16:51 itojun Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
 @@ -21,27 +21,27 @@
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.232.2.7 2018/03/13 13:27:10 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.232.2.8 2018/06/07 17:48:31 martin Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_net_mpsafe.h"
 #endif
 #include "bridge.h"
 #include "carp.h"
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/callout.h>
 #include <sys/kmem.h>
 #include <sys/mbuf.h>
 @@ -1597,38 +1597,34 @@ nd6_rtrequest(int req, struct rtentry *r
 		 * If we have too many cache entries, initiate immediate
 		 * purging for some entries.
 		 */
 		if (rt->rt_ifp != NULL)
 			nd6_gc_neighbors(LLTABLE6(rt->rt_ifp), NULL);
 		break;
+	    }
 	case RTM_DELETE:
 		/* leave from solicited node multicast for proxy ND */
 		if ((rt->rt_flags & RTF_ANNOUNCE) != 0 &&
 		    (ifp->if_flags & IFF_MULTICAST) != 0) {
 			struct in6_addr llsol;
 			struct in6_multi *in6m;
 			llsol = satocsin6(rt_getkey(rt))->sin6_addr;
 			llsol.s6_addr32[0] = htonl(0xff020000);
 			llsol.s6_addr32[1] = 0;
 			llsol.s6_addr32[2] = htonl(1);
 			llsol.s6_addr8[12] = 0xff;
-			if (in6_setscope(&llsol, ifp, NULL) == 0) {
+			if (in6_setscope(&llsol, ifp, NULL) == 0)
-				in6m = in6_lookup_multi(&llsol, ifp);
+				in6_lookup_and_delete_multi(&llsol, ifp);
 				if (in6m)
 					in6_delmulti(in6m);
+		}
 		break;
+	}
+}
 int
 nd6_ioctl(u_long cmd, void *data, struct ifnet *ifp)
+{
 	struct in6_drlist *drl = (struct in6_drlist *)data;
 	struct in6_oprlist *oprl = (struct in6_oprlist *)data;
 	struct in6_ndireq *ndi = (struct in6_ndireq *)data;
 	struct in6_nbrinfo *nbi = (struct in6_nbrinfo *)data;
 	struct in6_ndifreq *ndif = (struct in6_ndifreq *)data;