socket: Don't assume m0 != NULL in sbappendcontrol_locked()

Some callers (e.g., ktls_decrypt()) violate this assumption and thus could trigger a NULL pointer dereference in KMSAN kernels. Reported by: glebius Fixes: ec45f952a2 ("sockbuf: Add KMSAN checks to sbappend*()") MFC after: 1 week (cherry picked from commit 30f8cb812e)
2026-06-09 00:32:25 -04:00 · 2024-02-02 13:58:37 -05:00 · 2024-02-02 13:58:37 -05:00 · a9ef2c901a
commit a9ef2c901a
parent 323226829a
1 changed files with 2 additions and 1 deletions
--- a/sys/kern/uipc_sockbuf.c
+++ b/sys/kern/uipc_sockbuf.c
@ -1328,7 +1328,8 @@ sbappendcontrol_locked(struct sockbuf *sb, struct mbuf *m0,
 {
 	struct mbuf *m, *mlast;

-	kmsan_check_mbuf(m0, "sbappend");
+	if (m0 != NULL)
+		kmsan_check_mbuf(m0, "sbappend");
 	kmsan_check_mbuf(control, "sbappend");

 	sbm_clrprotoflags(m0, flags);