lltable: Fix use-after-free race in llentry_free()

When callout_stop() returns 0, the timer callback is currently executing
on another CPU.  The original code proceeded to free the llentry anyway,
causing a use-after-free when the timer callback (e.g., arptimer) accessed
the freed memory.

Fix by checking the callout_stop() return value:
- If >0: timer was pending and successfully cancelled, drop timer's ref
- If 0 and refcnt>1: another thread racing with timer, drop ref and bail;
  timer's llentry_free() will free the entry
- If 0 and refcnt==1: we ARE the timer, proceed to free
- If <0: timer was not scheduled, proceed normally

PR:     285813
Signed-off-by: Teddy Engel <engel.teddy@gmail.com>

Author: TeddyEngel

sys/net/if_llatbl.c

@@ -649,16 +649,38 @@ size_t
 llentry_free(struct llentry *lle)
 {
 	size_t pkts_dropped;
+	int ret;
 
 	LLE_WLOCK_ASSERT(lle);
 
 	KASSERT((lle->la_flags & LLE_LINKED) == 0, ("freeing linked lle"));
 
 	pkts_dropped = lltable_drop_entry_queue(lle);
 
-	/* cancel timer */
-	if (callout_stop(&lle->lle_timer) > 0)
+	/*
+	 * Cancel timer.  Handle races with timer callback.
+	 */
+	ret = callout_stop(&lle->lle_timer);
+	if (ret > 0) {
 		LLE_REMREF(lle);
+	} else if (ret == 0) {
+		/*
+		 * Timer callback is executing.  Two cases:
+		 *
+		 * refcnt > 1: Another thread is calling us while the timer
+		 * is running.  The entry is already unlinked (KASSERT above),
+		 * so timer will skip its LLE_REMREF.  Drop one ref and bail;
+		 * timer's llentry_free() will free the entry.
+		 *
+		 * refcnt == 1: We are the timer callback and already dropped
+		 * our ref before calling llentry_free().  Proceed to free.
+		 */
+		if (lle->lle_refcnt > 1) {
+			LLE_REMREF(lle);
+			LLE_WUNLOCK(lle);
+			return (pkts_dropped);
+		}
+	}
 	LLE_FREE_LOCKED(lle);
 
 	return (pkts_dropped);