Date:      Mon, 20 Feb 2023 15:25:46 GMT
From:      "Alexander V. Chernikov" <melifaro@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 27ee5625a829 - stable/13 - nd6: fix panic in lltable_drop_entry_queue()
Message-ID:  <202302201525.31KFPkXL078291@gitrepo.freebsd.org>

The branch stable/13 has been updated by melifaro:

URL: https://cgit.FreeBSD.org/src/commit/?id=27ee5625a829acfa0db0e1fbd0b695fa91aadc6c

commit 27ee5625a829acfa0db0e1fbd0b695fa91aadc6c
Author:     Alexander V. Chernikov <melifaro@FreeBSD.org>
AuthorDate: 2023-01-15 15:10:48 +0000
Commit:     Alexander V. Chernikov <melifaro@FreeBSD.org>
CommitDate: 2023-02-20 15:15:30 +0000

    nd6: fix panic in lltable_drop_entry_queue()
    
    nd6_resolve_slow() can be called without mbuf. If the LLE entry
    is not reachable, nd6_resolve_slow() will add this NULL mbuf to
    the holdchain via lltable_append_entry_queue, which will "append"
    NULL to the end of the queue (effectively no-op) and bump la_numhold
    value. When this entry gets freed, the kernel will panic due to the
    inconsistency between the amount of mbufs in the queue and the value
    of la_numhold.
    
    Fix the panic by checking if mbuf is not NULL prior to inserting it
    into the holdchain.
    
    Reported by:    kib
    MFC after:      3 days
    
    (cherry picked from commit 6468b6b23e08d9bd02c8cb74ec0ff389ed74c3bb)
---
 sys/netinet6/nd6.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c
index be881b6291ac..de35127bd17d 100644
--- a/sys/netinet6/nd6.c
+++ b/sys/netinet6/nd6.c
@@ -2369,7 +2369,6 @@ nd6_resolve_slow(struct ifnet *ifp, int family, int flags, struct mbuf *m,
 	struct in6_addr *psrc, src;
 	int send_ns, ll_len;
 	char *lladdr;
-	size_t dropped;
 
 	NET_EPOCH_ASSERT();
 
@@ -2436,8 +2435,12 @@ nd6_resolve_slow(struct ifnet *ifp, int family, int flags, struct mbuf *m,
 	 * packet queue in the mbuf.  When it exceeds nd6_maxqueuelen,
 	 * the oldest packet in the queue will be removed.
 	 */
-	dropped = lltable_append_entry_queue(lle, m, V_nd6_maxqueuelen);
-	ICMP6STAT_ADD(icp6s_dropped, dropped);
+	if (m != NULL) {
+		size_t dropped;
+
+		dropped = lltable_append_entry_queue(lle, m, V_nd6_maxqueuelen);
+		ICMP6STAT_ADD(icp6s_dropped, dropped);
+	}
 
 	/*
 	 * If there has been no NS for the neighbor after entering the
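Review bot: the `if (m != NULL)` guard around lltable_append_entry_queue() fixes the la_numhold / queue-length mismatch described in the commit message, but the comment block directly above it still describes the queueing as unconditional ("packet queue in the mbuf ... the oldest packet in the queue will be removed"); add a sentence noting that callers may pass a NULL mbuf to trigger resolution only, in which case nothing is queued. Also consider whether lltable_append_entry_queue() itself should refuse a NULL mbuf (or assert on it) so that any other caller reaching it without a packet fails loudly instead of silently bumping la_numhold and deferring the panic to lltable_drop_entry_queue().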