From nobody Fri Apr 17 06:32:56 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4fxlS9134hz6Z7Vr for ; Fri, 17 Apr 2026 06:32:57 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4fxlS90TQYz3KDg for ; Fri, 17 Apr 2026 06:32:57 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1776407577; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=huvkMoquZmnQUuHeApJfgEptL6/gOh+NN46t8l93Kj4=; b=DlxRzn91s1gBEoQKREdQYaOyl8yMhoNwqN5aFNaXX16+dRdr41QCRzPIe9ZRBvsHNdwdrh MKr1dDXudhYdXeZGvRIAacVF1ArxD8fCJMdXmoNFSOskY5cLtdYUQc2DKrUw9LI6I5o7p3 7ljuyyg5ZkPmEqb8b2WCxhBK5tiNRQ1BMzDMFihGQv5Zv+noamCBINbzcja9wEWVBFB9QS vlKCeGLdHt3yjDpYOZRzQeetuYjaYDYq6p7IcEInxbvxOAi2SoZlzUPXgsnXf71LN4n1UB /9UPArKZRscYef15jFr12EWdOJy3xI/KXcvMYiK7JMUO8iB0seby58+IlAYhfQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1776407577; a=rsa-sha256; cv=none; b=uBRDSQXvfbLoo/zW9xRLQJfP3bhZ1Tn0y1SrjdiHd+VRCUIla3MohFhNytr0ociKyheIw9 xzH9bjZHRTt2aOAa1cLG8zx4W50sA1oH8Qb0735lONWGsnTjmxXfE50eSFTt7bYiwUCz7m wshs4D60s8qhVd6UO6PH0xgeACLwJZ71ipQP4qn1dzRTPYDM9w123GAbUSEle14KS6zdqj h+OEc83ZZVTDp0ZAbmIdyPrGXMGerQAxhPR5Nt2WX/x8Av5yggDbNgV6JlXxmu81h7cnzt iUJt3q+0UO4HQd9ntKK/5DLHI6fqDNNt2yGHdg/thCl78O1uTVvUoTUAmW9pdQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1776407577; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=huvkMoquZmnQUuHeApJfgEptL6/gOh+NN46t8l93Kj4=; b=gpoc6AAvjvN0An192OFVq6g0PhoZAW0BF/jOA7VZcsmudVX9oHGNwn9XtWqkJKLRIdFW1c WcTQV0jef79DApPe5gssBL1YQNoX0qv7fWiYvNbAcjkwGUyiH8YenqmsLTAp3qMVqWdldm dxlZ0ZTmJTDMXLV37OyudwRRdNz2sPspSzJq+BEstl9ZwaGnaOULo/9FJhGm9UmSCBdZ4B 1+WmivaR/x4Htz0pGTi9IyENPPp+1TaDQ+rh7FzZ8K1DmfZOlmXdk+1piupkBan/kuyOUB 3Fjma1HHDHDIj0P4evE8j6eoXrlylth6Oj39bSoHCEtsgV7eg87EH4p3VUHbbw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4fxlS875hwzjmh for ; Fri, 17 Apr 2026 06:32:56 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 400b9 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Fri, 17 Apr 2026 06:32:56 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Pouria Mousavizadeh Tehrani Subject: git: c775ed207fcd - stable/15 - routing: Fix use-after-free in finalize_nhop List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: pouria X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: c775ed207fcd2036754b8f17a67cae61cf1977cd Auto-Submitted: auto-generated Date: Fri, 17 Apr 2026 06:32:56 +0000 Message-Id: <69e1d418.400b9.4b42bacb@gitrepo.freebsd.org> The branch stable/15 has been updated by pouria: URL: https://cgit.FreeBSD.org/src/commit/?id=c775ed207fcd2036754b8f17a67cae61cf1977cd commit c775ed207fcd2036754b8f17a67cae61cf1977cd Author: Pouria Mousavizadeh Tehrani AuthorDate: 2026-04-14 09:36:53 +0000 Commit: Pouria Mousavizadeh Tehrani CommitDate: 2026-04-17 06:31:35 +0000 routing: Fix use-after-free in finalize_nhop FIB_NH_LOG calls the `nhop_get_upper_family(nh)` to read `nh->nh_priv->nh_upper_family` for failure logging. Call FIB_NH_LOG before freeing nh so failures are logged without causing a panic. MFC after: 3 days (cherry picked from commit 7d38eb720a8d8345949986d779e785984ae19ae0) --- sys/net/route/nhop_ctl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/net/route/nhop_ctl.c b/sys/net/route/nhop_ctl.c index 0c028c7ae877..30c73188600d 100644 --- a/sys/net/route/nhop_ctl.c +++ b/sys/net/route/nhop_ctl.c @@ -492,17 +492,17 @@ finalize_nhop(struct nh_control *ctl, struct nhop_object *nh, bool link) /* Allocate per-cpu packet counter */ nh->nh_pksent = counter_u64_alloc(M_NOWAIT); if (nh->nh_pksent == NULL) { + FIB_NH_LOG(LOG_WARNING, nh, "counter_u64_alloc() failed"); nhop_free(nh); RTSTAT_INC(rts_nh_alloc_failure); - FIB_NH_LOG(LOG_WARNING, nh, "counter_u64_alloc() failed"); return (ENOMEM); } if (!reference_nhop_deps(nh)) { + FIB_NH_LOG(LOG_WARNING, nh, "interface reference failed"); counter_u64_free(nh->nh_pksent); nhop_free(nh); RTSTAT_INC(rts_nh_alloc_failure); - FIB_NH_LOG(LOG_WARNING, nh, "interface reference failed"); return (EAGAIN); }