authorwpaul <wpaul@FreeBSD.org>2003-09-13 22:34:52 +0000
committerwpaul <wpaul@FreeBSD.org>2003-09-13 22:34:52 +0000
commit6170bf6a6acbe432d84c1f332b71702aee4358ad (patch)
treed476cd88477c49fa2f871b8ed3bb9dfc96d6df06 /sys/netinet6/in6_ifattach.c
parent5c46fa913eef816e0b9654e624e466f8868c6d88 (diff)
The in6_ifattach() routine contains the following code:
in6_pcbpurgeif0(LIST_FIRST(udbinfo.listhead), ifp); in6_pcbpurgeif0(LIST_FIRST(ripcbinfo.listhead), ifp); The problem here is that udbinfo.listhead and ripcbinfo.listhead are not initialized during the device probe/attach phase of the kernel boot process. So if, for example, a network driver calls ether_ifattach() in its foo_attach() routine and then decides that something is wrong and calls ether_ifdetach() to reverse the process, we will panic trying to dereference the uninitialized list head pointers. (Though the same sequence of events performed after the kernel has come up works fine, i.e. doing kldload if_foo from multiuser.) Change this to: if (udbinfo.listhead != NULL) in6_pcbpurgeif0(LIST_FIRST(udbinfo.listhead), ifp); if (ripcbinfo.listhead != NULL) in6_pcbpurgeif0(LIST_FIRST(ripcbinfo.listhead), ifp); to avoid the NULL pointer dereferences.
Diffstat (limited to 'sys/netinet6/in6_ifattach.c')
-rw-r--r--sys/netinet6/in6_ifattach.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/netinet6/in6_ifattach.c b/sys/netinet6/in6_ifattach.c
index 5abcca1..58d09a7 100644
--- a/sys/netinet6/in6_ifattach.c
+++ b/sys/netinet6/in6_ifattach.c
@@ -958,8 +958,10 @@ in6_ifdetach(ifp)
}
/* leave from all multicast groups joined */
- in6_pcbpurgeif0(LIST_FIRST(udbinfo.listhead), ifp);
- in6_pcbpurgeif0(LIST_FIRST(ripcbinfo.listhead), ifp);
+ if (udbinfo.listhead != NULL)
+ in6_pcbpurgeif0(LIST_FIRST(udbinfo.listhead), ifp);
+ if (ripcbinfo.listhead != NULL)
+ in6_pcbpurgeif0(LIST_FIRST(ripcbinfo.listhead), ifp);
for (in6m = LIST_FIRST(&in6_multihead); in6m; in6m = in6m_next) {
in6m_next = LIST_NEXT(in6m, in6m_entry);
if (in6m->in6m_ifp != ifp)
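Review bot: The two new `!= NULL` guards carry no comment explaining why a list head can be NULL at this point, and the existing comment above them only describes the multicast purge. A short comment above the guards would record it, for example `/* pcbinfo list heads are not set up until protocol init; a driver may detach earlier, during probe/attach */`. The guards presumably rely on `udbinfo` and `ripcbinfo` being zero-initialized globals, so that an uninitialized head reads as NULL; that is worth confirming. Any other dereference of these heads reachable from an early detach path would need the same check, which cannot be confirmed from this hunk. The body of `in6_ifdetach` starts before and continues after the hunk.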