Close a race when trying to lookup a gateway route in rt_check().

Specifically, if two threads were doing concurrent lookups and the existing
gateway was marked down, the the first thread would drop a reference on the
gateway route and then unlock the "root" route while it tried to allocate
a new route.  The second thread could then also drop a reference on the
same gateway route resulting in a reference underflow.  Fix this by
clearing the gateway route pointer after dropping the reference count but
before dropping the lock.  Secondly, in this same case, the second thread
would overwrite the gateway route pointer w/o free'ing a reference to the
route installed by the first thread.  In practice this would probably just
fix a lost reference that would result in a route never being freed.

This fixes panics observed in rt_check() and rtexpunge().

MFC after:	1 week
PR:		kern/112490
Insight from:	mehuljv at yahoo.com
Reviewed by:	ru (found the "not-setting it to NULL" part)
Tested by:	several

1 files changed, 3 insertions, 1 deletions

diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c
index 04d1f13..6fce084 100644
--- a/sys/netinet6/nd6.c
+++ b/sys/netinet6/nd6.c
@@ -1978,16 +1978,18 @@ again:
 			if ((rt->rt_flags & RTF_UP) == 0) {
 				RTFREE_LOCKED(rt);	/* unlock gwroute */
 				rt = rt0;
+				rt0->rt_gwroute = NULL;
 			lookup:
 				RT_UNLOCK(rt0);
 				rt = rtalloc1(rt->rt_gateway, 1, 0UL);
 				if (rt == rt0) {
-					rt0->rt_gwroute = NULL;
 					RT_REMREF(rt0);
 					RT_UNLOCK(rt0);
 					senderr(EHOSTUNREACH);
 				}
 				RT_LOCK(rt0);
+				if (rt0->rt_gwroute != NULL)
+					RTFREE(rt0->rt_gwroute);
 				rt0->rt_gwroute = rt;
 				if (rt == NULL) {
 					RT_UNLOCK(rt0);