From 6a9c81fb69130330cfb552e49d6f64d0db3f7b57 Mon Sep 17 00:00:00 2001
From: "Andrey V. Elsukov"
Date: Mon, 22 Sep 2025 17:47:04 +0300
Subject: [PATCH 47/73] Fix panic due to uninitialized ia6_ndpr
---
 sys/netinet/ip_carp.c | 56 ++++++++++++++++++++++---------------------
 1 file changed, 29 insertions(+), 27 deletions(-)
diff --git a/sys/netinet/ip_carp.c b/sys/netinet/ip_carp.c
index b02ab8487e3f..e441324e3e78 100644
--- a/sys/netinet/ip_carp.c
+++ b/sys/netinet/ip_carp.c
@@ -1534,21 +1534,9 @@ static void
 carp_addroute(struct carp_softc *sc)
 {
 struct ifaddr *ifa;
-#ifdef INET6
- bool pfx_check = false;
-#endif
- CARP_FOREACH_IFA(sc, ifa) {
-#ifdef INET6
- if (ifa->ifa_addr->sa_family == AF_INET6)
- pfx_check = true;
-#endif
+ CARP_FOREACH_IFA(sc, ifa)
 carp_ifa_addroute(ifa);
- }
-#ifdef INET6
- if (pfx_check)
- pfxlist_onlink_check();
-#endif
 }
 static void
@@ -1564,15 +1552,21 @@ carp_ifa_addroute(struct ifaddr *ifa)
 break;
 #endif
 #ifdef INET6
- case AF_INET6:
+ case AF_INET6: {
+ struct in6_ifaddr *ia6 = ifatoia6(ifa);
+ struct nd_prefix *pr = ia6->ia6_ndpr;
+
 ifa_add_loopback_route(ifa,
- (struct sockaddr *)&ifatoia6(ifa)->ia_addr);
- nd6_add_ifa_lle(ifatoia6(ifa));
- ND6_ONLINK_LOCK();
- ifatoia6(ifa)->ia6_ndpr->ndpr_stateflags |= NDPRF_CARP_MASTER;
- nd6_prefix_onlink(ifatoia6(ifa)->ia6_ndpr);
- ND6_ONLINK_UNLOCK();
+ (struct sockaddr *)&ia6->ia_addr);
+ nd6_add_ifa_lle(ia6);
+ if (pr != NULL) {
+ ND6_ONLINK_LOCK();
+ pr->ndpr_stateflags |= NDPRF_CARP_MASTER;
+ nd6_prefix_onlink(pr);
+ ND6_ONLINK_UNLOCK();
+ }
 break;
+ }
 #endif
 }
 }
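Review bot: In carp_addroute the call to `pfxlist_onlink_check()` after the address loop is dropped together with the `pfx_check` flag, but the subject line only mentions the NULL `ia6_ndpr` panic, so the reason for removing the prefix re-evaluation is not recorded on this page. If the per-address `nd6_prefix_onlink(pr)` in carp_ifa_addroute is meant to cover it, a comment above the loop such as `/* on-link state is updated per address in carp_ifa_addroute() */` would stop a later reader from restoring the call. If the removal is an independent behaviour change, it would be easier to bisect as its own commit.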
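Review bot: In carp_ifa_addroute (and identically in carp_ifa_delroute in the next hunk) `pr` is now loaded from `ia6->ia6_ndpr` before `ND6_ONLINK_LOCK()` is taken, whereas the removed lines read the field only while holding the lock. If that lock is what keeps the prefix stable (not visible in this hunk), the pointer tested against NULL may be stale by the time `pr->ndpr_stateflags` is written; declaring `struct nd_prefix *pr;` and assigning `pr = ia6->ia6_ndpr;` as the first statement after `ND6_ONLINK_LOCK()` keeps the check and the use under the same lock. The guard also only helps if an unset field is zeroed rather than garbage, and when it is NULL `NDPRF_CARP_MASTER` is silently never set, so a prefix attached later would miss the flag. The function body starts outside the hunk.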
@@ -1611,15 +1605,23 @@ carp_ifa_delroute(struct ifaddr *ifa)
 break;
 #endif
 #ifdef INET6
- case AF_INET6:
+ case AF_INET6: {
+ struct in6_ifaddr *ia6 = ifatoia6(ifa);
+ struct nd_prefix *pr = ia6->ia6_ndpr;
+
 ifa_del_loopback_route(ifa,
- (struct sockaddr *)&ifatoia6(ifa)->ia_addr);
- nd6_rem_ifa_lle(ifatoia6(ifa), 1);
- ND6_ONLINK_LOCK();
- ifatoia6(ifa)->ia6_ndpr->ndpr_stateflags &= ~NDPRF_CARP_MASTER;
- nd6_prefix_offlink(ifatoia6(ifa)->ia6_ndpr);
- ND6_ONLINK_UNLOCK();
+ (struct sockaddr *)&ia6->ia_addr);
+ nd6_rem_ifa_lle(ia6, 1);
+
+ /* XXXAE: initialize ia6_ndpr prior to carp_attach */
+ if (pr != NULL) {
+ ND6_ONLINK_LOCK();
+ pr->ndpr_stateflags &= ~NDPRF_CARP_MASTER;
+ nd6_prefix_offlink(pr);
+ ND6_ONLINK_UNLOCK();
+ }
 break;
+ }
 #endif
 }
 }
--
2.50.1 (Apple Git-155)
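Review bot: The `XXXAE` comment above the NULL guard in carp_ifa_delroute names the intended real fix but not the condition being worked around, and the matching guard in carp_ifa_addroute carries no comment at all. I would spell it out in both places, for example `/* XXXAE: ia6_ndpr can still be NULL here; drop this check once it is initialized prior to carp_attach */`. Because the NULL path skips the off-link update without any trace, a debug message or counter on that path would help confirm how often the workaround is actually hit. The switch statement and the function start outside the hunk.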