From 29fa1568598b146c3cbb28bbff19a8b8e411b9b6 Mon Sep 17 00:00:00 2001 From: Pouria Mousavizadeh Tehrani Date: Tue, 14 Apr 2026 13:06:53 +0330 Subject: [PATCH] routing: Fix use-after-free in finalize_nhop FIB_NH_LOG calls the `nhop_get_upper_family(nh)` to read `nh->nh_priv->nh_upper_family` for failure logging. Call FIB_NH_LOG before freeing nh so failures are logged without causing a panic. MFC after: 3 days (cherry picked from commit 7d38eb720a8d8345949986d779e785984ae19ae0) --- sys/net/route/nhop_ctl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/net/route/nhop_ctl.c b/sys/net/route/nhop_ctl.c index 0c028c7ae87..30c73188600 100644 --- a/sys/net/route/nhop_ctl.c +++ b/sys/net/route/nhop_ctl.c @@ -492,17 +492,17 @@ finalize_nhop(struct nh_control *ctl, struct nhop_object *nh, bool link) /* Allocate per-cpu packet counter */ nh->nh_pksent = counter_u64_alloc(M_NOWAIT); if (nh->nh_pksent == NULL) { + FIB_NH_LOG(LOG_WARNING, nh, "counter_u64_alloc() failed"); nhop_free(nh); RTSTAT_INC(rts_nh_alloc_failure); - FIB_NH_LOG(LOG_WARNING, nh, "counter_u64_alloc() failed"); return (ENOMEM); } if (!reference_nhop_deps(nh)) { + FIB_NH_LOG(LOG_WARNING, nh, "interface reference failed"); counter_u64_free(nh->nh_pksent); nhop_free(nh); RTSTAT_INC(rts_nh_alloc_failure); - FIB_NH_LOG(LOG_WARNING, nh, "interface reference failed"); return (EAGAIN); }