DF-0417
Use-after-free race on nd_defrouter: defrtrlist_update returns unreferenced pointer consumed unlocked across RA prefix loop
Summary
defrtrlist_update (:661-707) returns an nd_defrouter pointer without taking a reference count, and it releases nd6_mtx before returning. nd6_ra_input (:285) stores dr = defrtrlist_update(&dr0), then runs the prefix loop (:291-345) and the MTU/lladdr handling (:348-411) without holding nd6_mtx, passing dr to prelist_update (:344).

If a concurrent RA with lifetime=0 is processed on another CPU, defrtrlist_del(dr) (:541-577) kfrees dr at :576. prelist_update then re-acquires the mutex (:866), and pfxrtr_add(pr, dr) (:915-916) stores the freed pointer into pr->ndpr_advrtrs (new->router = dr at :728). pfxlist_onlink_check -> find_pfxlist_reachable_router then dereferences router->rtaddr and router->ifp (:1148-1149), which is the use-after-free.

An attacker floods RAs from the same source with conflicting lifetimes. With heap grooming of M_IP6NDP, the result is controlled corruption or a panic.
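
A user-space C model of the reference-counted handoff that closes this window, added here as an example and not taken from the kernel source: the lookup takes a caller reference before the lock is dropped, and deletion drops only the list's reference. The refcnt field and the names dr_update_ref, dr_del and dr_rele are hypothetical; the nd6_mtx lock points are marked as comments.

```c
#include <stdatomic.h>
#include <stdlib.h>
/* Hypothetical model of struct nd_defrouter; refcnt is an assumed field. */
struct defrouter {
    struct defrouter *next;
    unsigned rtaddr;       /* stand-in for the router address */
    atomic_int refcnt;     /* the list holds one reference */
};
static struct defrouter *dr_list; /* guarded by nd6_mtx in the kernel */
static int dr_frees;              /* instrumentation: number of frees */
/* Drop one reference; only the last holder frees. */
static void dr_rele(struct defrouter *dr) {
    if (atomic_fetch_sub(&dr->refcnt, 1) == 1) {
        free(dr);
        dr_frees++;
    }
}

/* Models defrtrlist_update: find or insert, then take the caller's
 * reference before the point where nd6_mtx would be released. */
static struct defrouter *dr_update_ref(unsigned rtaddr) {
    struct defrouter *dr;
    /* nd6_mtx acquired here */
    for (dr = dr_list; dr != NULL; dr = dr->next)
        if (dr->rtaddr == rtaddr)
            break;
    if (dr == NULL) {
        if ((dr = calloc(1, sizeof(*dr))) == NULL)
            return NULL;
        dr->rtaddr = rtaddr;
        atomic_init(&dr->refcnt, 1);   /* list's reference */
        dr->next = dr_list;
        dr_list = dr;
    }
    atomic_fetch_add(&dr->refcnt, 1);  /* caller's reference */
    /* nd6_mtx released here */
    return dr;
}

/* Models defrtrlist_del: unlink, then drop only the list's reference. */
static void dr_del(struct defrouter *dr) {
    struct defrouter **pp;
    for (pp = &dr_list; *pp != NULL; pp = &(*pp)->next)
        if (*pp == dr) {
            *pp = dr->next;
            dr_rele(dr);
            return;
        }
}
```

Under this scheme any pointer that outlives the call, such as the one pfxrtr_add stores in pr->ndpr_advrtrs, needs its own reference, and the RA input path calls dr_rele once it is done with dr.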