netinet6: free in6_ifextra with epoch_call(9)HEADmain

This is expected to fix the old in6_selecthlim() panics.  The nature of
the panic is that a packet sending thread will obtain the struct ifnet
pointer locklessly and then pick the if_inet6 pointer from it and
dereference it. While the struct ifnet is freed via epoch_call(9), the
struct in6_ifextra until this change was not.  For the forwarded packets,
or locally originated non-TCP packets we were probably safe due to the old
if_dead trick.  But locally originated TCP packets may dereference
in6_ifextra via direct call into in6_selecthlim() from the tcp_output(),
before ip6_output().

NB: hypothetically a similar problem also applies to IPv4's if_inet pointer,
but there are no known panics, yet.

PR:			279653
Reviewed by:		tuexen
Differential Revision:	https://reviews.freebsd.org/D54728

0 files changed, 0 insertions, 0 deletions