From nobody Tue Apr 14 10:33:53 2026 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4fw0xf4hKKz6ZZcJ for ; Tue, 14 Apr 2026 10:33:58 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4fw0xf3rL6z3VWZ for ; Tue, 14 Apr 2026 10:33:58 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1776162838; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=13BECXfu3YVG+KZyNN2TFwW7eSaDebtN0tvXKN5IkyM=; b=QcoX7BbPVk5lv/usbwcPAUwOEUqB+sK20KxVpeThdQjcRZT/qAizSb7guSMQADfC39jjUi MlJhcnoqAJnWEyFWA3ySBnb7NOzyCa4pvDLswLY27VBrt3xOMlxjYb9uhznj5L3c3vWHLU 0eaQtsOwiJmYVcQx3yas6sLsDXn3cgTO60nnIftrIsJ6uOZjwPeVAlM6QZjf+VpWSFNMwC DgfbbJTJlgWe0Nd3qtLmBtKDq7StsaiaaVyoTKKnJ2eG8ids6Nfh/5PbJSIFgbEvGBN16o i7nlcjsCKS5EhjCtsIGmHP2/gW6Q7Zzh4DJA18hsRInnyrU9VPdUdTB1IlEE4w== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1776162838; a=rsa-sha256; cv=none; b=cz7yHXxYuYrM03vkUtE6tIIKjb7rVW4f8BHiL0+GT3ff1LSbAekuxkEBZZbevrgbj4xc3i wjgYSXUMIwyruY4pmwOukCtDP4oPEEuXoE+H7Yr7HRyaholPV1e8qO8ySzU5qB74A3Bc+o FZi/8SCGHibiIBurpPXodVDqcsrsUBVMzYp9R6z8k4BkWztA8pyxgCrAeBzFPKFLC+P61O h0/URGqv1WorywStWY6IKWzBFoTuPqvp2hiJkti5ZdolKauZgkti6MfAEeL47Ji6ye5Tke 4UNhdx98NGi/0a3bdxE3K4CDDC5eZnv0FGHx/GMSw+oa6QAHFuEXpwjFb3tFeg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1776162838; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=13BECXfu3YVG+KZyNN2TFwW7eSaDebtN0tvXKN5IkyM=; b=e0sw1bEDUvlakt1Vvm0y2dQ4++VzT5miVtoi7lBLHpupKFK1O0m5RbTNWkyucWKg/djL9L ubTtuza/f0jrC+KEWkFoaXkj7SjMe6SV4McailF6sy+VN/yJ7hRcVUgwHQk72uo4No9I7S 9eKNmhT/TO8zDiMBHsM5UHF5PH0xRcvEbxfGvXq8nXTWsBtocsfjUB7mZizpTbwaNpWGtO 8u1M4IikDJbKI3e2O+ONHRCq4e28ENPQiXrW9fF6bKYYnZH7c/YSI72LPvFRLmr8WgxY7z xftssZvPGg+759uK+1hVs8joUMnSk0yNBReBkjl37fdHYk14QrQOj2gYCLgqxw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4fw0xf3L2yzn0C for ; Tue, 14 Apr 2026 10:33:58 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 277db by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 14 Apr 2026 10:33:53 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Pouria Mousavizadeh Tehrani Subject: git: 7d38eb720a8d - main - routing: Fix use-after-free in finalize_nhop List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: pouria X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 7d38eb720a8d8345949986d779e785984ae19ae0 Auto-Submitted: auto-generated Date: Tue, 14 Apr 2026 10:33:53 +0000 Message-Id: <69de1811.277db.36218e50@gitrepo.freebsd.org> The branch main has been updated by pouria: URL: https://cgit.FreeBSD.org/src/commit/?id=7d38eb720a8d8345949986d779e785984ae19ae0 commit 7d38eb720a8d8345949986d779e785984ae19ae0 Author: Pouria Mousavizadeh Tehrani AuthorDate: 2026-04-14 09:36:53 +0000 Commit: Pouria Mousavizadeh Tehrani CommitDate: 2026-04-14 10:32:56 +0000 routing: Fix use-after-free in finalize_nhop FIB_NH_LOG calls the `nhop_get_upper_family(nh)` to read `nh->nh_priv->nh_upper_family` for failure logging. Call FIB_NH_LOG before freeing nh so failures are logged without causing a panic. MFC after: 3 days --- sys/net/route/nhop_ctl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/net/route/nhop_ctl.c b/sys/net/route/nhop_ctl.c index 6c03e621ed82..52e7b0fefcd2 100644 --- a/sys/net/route/nhop_ctl.c +++ b/sys/net/route/nhop_ctl.c @@ -491,17 +491,17 @@ finalize_nhop(struct nh_control *ctl, struct nhop_object *nh, bool link) /* Allocate per-cpu packet counter */ nh->nh_pksent = counter_u64_alloc(M_NOWAIT); if (nh->nh_pksent == NULL) { + FIB_NH_LOG(LOG_WARNING, nh, "counter_u64_alloc() failed"); nhop_free(nh); RTSTAT_INC(rts_nh_alloc_failure); - FIB_NH_LOG(LOG_WARNING, nh, "counter_u64_alloc() failed"); return (ENOMEM); } if (!reference_nhop_deps(nh)) { + FIB_NH_LOG(LOG_WARNING, nh, "interface reference failed"); counter_u64_free(nh->nh_pksent); nhop_free(nh); RTSTAT_INC(rts_nh_alloc_failure); - FIB_NH_LOG(LOG_WARNING, nh, "interface reference failed"); return (EAGAIN); }