authorAlexander V. Chernikov <melifaro@FreeBSD.org>2023-01-15 15:10:48 +0000
committerAlexander V. Chernikov <melifaro@FreeBSD.org>2023-02-20 15:15:30 +0000
commit27ee5625a829acfa0db0e1fbd0b695fa91aadc6c (patch)
treeeda94dc7ef4ee4e3bc590a5ff84d595655b3b110
parenta38e2ff92458b97db06fccf9036c6f74d80155a2 (diff)
nd6: fix panic in lltable_drop_entry_queue()
nd6_resolve_slow() can be called without mbuf. If the LLE entry is not reachable, nd6_resolve_slow() will add this NULL mbuf to the holdchain via lltable_append_entry_queue, which will "append" NULL to the end of the queue (effectively no-op) and bump la_numhold value. When this entry gets freed, the kernel will panic due to the inconsistency between the number of mbufs in the queue and the value of la_numhold. Fix the panic by checking that the mbuf is not NULL prior to inserting it into the holdchain. Reported by: kib MFC after: 3 days (cherry picked from commit 6468b6b23e08d9bd02c8cb74ec0ff389ed74c3bb)
-rw-r--r--sys/netinet6/nd6.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c
index be881b6291ac..de35127bd17d 100644
--- a/sys/netinet6/nd6.c
+++ b/sys/netinet6/nd6.c
@@ -2369,7 +2369,6 @@ nd6_resolve_slow(struct ifnet *ifp, int family, int flags, struct mbuf *m,
struct in6_addr *psrc, src;
int send_ns, ll_len;
char *lladdr;
- size_t dropped;
NET_EPOCH_ASSERT();
@@ -2436,8 +2435,12 @@ nd6_resolve_slow(struct ifnet *ifp, int family, int flags, struct mbuf *m,
* packet queue in the mbuf. When it exceeds nd6_maxqueuelen,
* the oldest packet in the queue will be removed.
*/
- dropped = lltable_append_entry_queue(lle, m, V_nd6_maxqueuelen);
- ICMP6STAT_ADD(icp6s_dropped, dropped);
+ if (m != NULL) {
+ size_t dropped;
+
+ dropped = lltable_append_entry_queue(lle, m, V_nd6_maxqueuelen);
+ ICMP6STAT_ADD(icp6s_dropped, dropped);
+ }
/*
* If there has been no NS for the neighbor after entering the
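Review bot: The `m != NULL` guard is applied only at this call site in nd6_resolve_slow(), so lltable_append_entry_queue() itself would presumably still bump la_numhold for a NULL mbuf. Per the commit message, that queue/counter mismatch is what panics when the entry is freed, so any other caller that passes NULL would hit the same panic. The callee is not visible in this diff, but it would be safer to enforce the invariant there as well, for example with `KASSERT(m != NULL, ("%s: NULL mbuf", __func__));` at its top or an early return that leaves la_numhold untouched. The comment above the new block still says "Append this latest packet" and could note that m may be NULL when the function is called only to trigger resolution. nd6_resolve_slow() starts and ends outside this hunk.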