DragonFlyBSD Kernel Audit
DF-0565

Callout lifetime: ng_uncallout non-synchronizing + nglmi_shutdown omits ng_uncallout (ng7 twin of DF-0557)

Summary

ng7 twin of DF-0557 (slightly worse).

(1) nglmi_disconnect (:1079) calls ng_uncallout, which goes to callout_stop (ng_base.c:3281) and is non-synchronizing. LMI_ticker self-reschedules (:270/:279), so a new callout can be armed after the uncallout. ng_rmnode_self (:1083) then leads to nglmi_shutdown, which frees sc (:1060), and the ticker dereferences a freed or NULL NG_NODE_PRIVATE.

(2) nglmi_shutdown (:1053-1062) does NOT call ng_uncallout at all: it unconditionally frees sc with NO timer cleanup. NGM_SHUTDOWN or a forced rmnode bypasses disconnect, so the timer is still armed and fires into freed memory.

Fix: call ng_uncallout at the top of shutdown, before private=NULL and kfree; consider callout_stop_sync in ng_uncallout.
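Added example, not code from the audit or from DragonFly: a userspace C model of the teardown orderings in this finding, reporting whether the timer is still armed when the private data is freed. The names (softc, stop_nosync, stop_sync, armed_at_free) are hypothetical, and the synchronizing stop is modeled, as an assumption, as blocking re-arm and letting an in-flight handler finish.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model, constructed for illustration; not DragonFly kernel code. */
enum stop_kind { STOP_NONE, STOP_NOSYNC, STOP_SYNC };

struct callout { bool pending, running, draining; };
struct softc { struct callout handle; int ticks; }; /* stand-in for sc */

/* Tail of the ticker handler: like LMI_ticker, it re-arms itself. */
static void ticker_finish(struct softc *sc)
{
    sc->ticks++;
    if (!sc->handle.draining)      /* set only by the synchronizing stop */
        sc->handle.pending = true; /* self-reschedule */
    sc->handle.running = false;
}

/* Non-synchronizing stop: cancels a queued timer, ignores a running handler. */
static void stop_nosync(struct softc *sc) { sc->handle.pending = false; }

/* Synchronizing stop: blocks re-arm, cancels, waits out a running handler. */
static void stop_sync(struct softc *sc)
{
    sc->handle.draining = true;
    sc->handle.pending = false;
    if (sc->handle.running)
        ticker_finish(sc);         /* models "wait for handler to return" */
}

/* One teardown; returns true if the timer is armed (or its handler is
 * running) at the moment sc is freed. in_flight: handler already started. */
bool armed_at_free(enum stop_kind kind, bool in_flight)
{
    struct softc *sc = calloc(1, sizeof(*sc));
    if (sc == NULL)
        abort();
    sc->handle.pending = !in_flight;
    sc->handle.running = in_flight;

    if (kind == STOP_NOSYNC) stop_nosync(sc);
    if (kind == STOP_SYNC)   stop_sync(sc);
    if (sc->handle.running)
        ticker_finish(sc);         /* handler completes after the stop call */

    bool armed = sc->handle.pending || sc->handle.running;
    free(sc);                      /* a timer armed here would fire into freed sc */
    return armed;
}
```

STOP_NONE corresponds to case (2), shutdown with no timer cleanup; STOP_NOSYNC with the handler in flight corresponds to case (1).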