From nobody Tue Apr 14 10:33:53 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4fw0xY44GVz6ZZlC for ; Tue, 14 Apr 2026 10:33:53 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4fw0xY3Xglz3VL4 for ; Tue, 14 Apr 2026 10:33:53 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1776162833; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=13BECXfu3YVG+KZyNN2TFwW7eSaDebtN0tvXKN5IkyM=; b=bDNpaJ6icq2+yAmA2EBgLHR8REHGPGAllCQZwcRdUoRVdvnqtWUaREV0BwvqFAK2oMNRKm cVbbr+BFAnCa7w8XGMSlYKAa2vskMPUp/sl3R1Q9agYnwUCEsS6xCeFTc6DZJq90xZV0R7 o2pFl6/ehl9x5PDU4XuuLyAkWxinkQeCEfqbvHdaPp1LhlyEuVXs3FgUYiXoOVYC/4MJMA PZnVRjdbZtPzg73EHybzm9DGVUSexcc1sr60BQqPu7zHu78XsymrNo1FhsE1WeVUvmqm95 gjeJR5RtGphCFMkEoENi3g6+ifRCEZVngFLjqWeaOsGRExbOHL2stNwCYZ8nHw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1776162833; a=rsa-sha256; cv=none; b=JSVdtf41PrurnQ1GAJ4Cb+zaM7uQBiWeMNzL84nHmBxBhRXUvtw1vSohuYlmgNWqEZt5a2 w373FJlYrmNK8zJK4+QybtxJVnLDadxA8OVoaoyAfM7xa/gByOlxNOGtKeFkmEFJOHhfUm LeEFvkgn1JVqflYiqx3Fv2D645Jsir09Zm3Rs+bX08MUp8lvSPn8U9vszxbslrr8Uo/PkI 5nhgjmVnpRj7F5WJ/lyLmnetiXkSAkNsoc8Ssa4YRdaUC7YF9LLprabf/5pcp3PY4FQhoT wD76+Bg2U+RXh0DTvSsOwCdpvXzbziGyiJwYnen1siZYCv9Uu6qc49iwADFWYg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1776162833; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=13BECXfu3YVG+KZyNN2TFwW7eSaDebtN0tvXKN5IkyM=; b=wPFGEHrPsqe6SGZ8W2p8vuFKQUZikY4TMyUh/c4zTb5T1DVcdOv4SkYsQwCg7yT6Fn2FjY JVxRu5lEx0bxPQlPS7ffTIIcBxcfi/O+eCXXxmCvYzv/8zVvAa92CQ1YSE2r9kjyMpI8ca gY2WYs/Cc7Ar8PanFoyibMinWN5brlrKKCiu4R7PfUF3Q+rPKlDxbLLIOPIUHqfbtuBhZ0 pZrLf/kqs9jO6fwX8BE0JDEnTne8+yVJ2CCRGF0/RqVB6N2FOMxjg48XDbUfuzW05Ht9lW GQ6wiwaGt0UNK/yQrwae5plWMwpFDzDII9QnYeJBZsYwD5hujmpjg9EFmOkFSQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4fw0xY35xJzmg6 for ; Tue, 14 Apr 2026 10:33:53 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 277db by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 14 Apr 2026 10:33:53 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Pouria Mousavizadeh Tehrani Subject: git: 7d38eb720a8d - main - routing: Fix use-after-free in finalize_nhop List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: pouria X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 7d38eb720a8d8345949986d779e785984ae19ae0 Auto-Submitted: auto-generated Date: Tue, 14 Apr 2026 10:33:53 +0000 Message-Id: <69de1811.277db.36218e50@gitrepo.freebsd.org> The branch main has been updated by pouria: URL: https://cgit.FreeBSD.org/src/commit/?id=7d38eb720a8d8345949986d779e785984ae19ae0 commit 7d38eb720a8d8345949986d779e785984ae19ae0 Author: Pouria Mousavizadeh Tehrani AuthorDate: 2026-04-14 09:36:53 +0000 Commit: Pouria Mousavizadeh Tehrani CommitDate: 2026-04-14 10:32:56 +0000 routing: Fix use-after-free in finalize_nhop FIB_NH_LOG calls the `nhop_get_upper_family(nh)` to read `nh->nh_priv->nh_upper_family` for failure logging. Call FIB_NH_LOG before freeing nh so failures are logged without causing a panic. MFC after: 3 days --- sys/net/route/nhop_ctl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/net/route/nhop_ctl.c b/sys/net/route/nhop_ctl.c index 6c03e621ed82..52e7b0fefcd2 100644 --- a/sys/net/route/nhop_ctl.c +++ b/sys/net/route/nhop_ctl.c @@ -491,17 +491,17 @@ finalize_nhop(struct nh_control *ctl, struct nhop_object *nh, bool link) /* Allocate per-cpu packet counter */ nh->nh_pksent = counter_u64_alloc(M_NOWAIT); if (nh->nh_pksent == NULL) { + FIB_NH_LOG(LOG_WARNING, nh, "counter_u64_alloc() failed"); nhop_free(nh); RTSTAT_INC(rts_nh_alloc_failure); - FIB_NH_LOG(LOG_WARNING, nh, "counter_u64_alloc() failed"); return (ENOMEM); } if (!reference_nhop_deps(nh)) { + FIB_NH_LOG(LOG_WARNING, nh, "interface reference failed"); counter_u64_free(nh->nh_pksent); nhop_free(nh); RTSTAT_INC(rts_nh_alloc_failure); - FIB_NH_LOG(LOG_WARNING, nh, "interface reference failed"); return (EAGAIN); }