Here's a new diff to convert carp_input() to use ether_input_mbuf() instead of ether_input(). This is a necessary step to be able to convert other pseudo-drivers to if_input() but it is just needed for the transition.
This version only call M_PREPEND(9) on mbufs that will be passed to ether_input_mbuf(9). This fix the cases where vlan_input() returns 1 and ether_input() continue its processing believing the mbuf hasn't been modified. This version also returns 0 in case M_PREPEND(9) fails, preventing a use after free. Does it work for you, ok? Index: netinet/ip_carp.c =================================================================== RCS file: /cvs/src/sys/netinet/ip_carp.c,v retrieving revision 1.252 diff -u -p -r1.252 ip_carp.c --- netinet/ip_carp.c 21 Apr 2015 09:35:32 -0000 1.252 +++ netinet/ip_carp.c 21 Apr 2015 10:22:10 -0000 @@ -1416,15 +1416,15 @@ carp_our_mcastaddr(struct ifnet *ifp, u_ int carp_input(struct ifnet *ifp0, struct ether_header *eh0, struct mbuf *m) { - struct ether_header eh; + struct ether_header *eh; struct carp_if *cif = (struct carp_if *)ifp0->if_carp; struct ifnet *ifp; - memcpy(&eh, eh0, sizeof(eh)); + ifp = carp_ourether(cif, eh0->ether_dhost); + if (ifp == NULL && (m->m_flags & (M_BCAST|M_MCAST)) == 0) + return (1); - if ((ifp = carp_ourether(cif, eh0->ether_dhost))) - ; - else if (m->m_flags & (M_BCAST|M_MCAST)) { + if (ifp == NULL) { struct carp_softc *vh; struct mbuf *m0; @@ -1438,30 +1438,39 @@ carp_input(struct ifnet *ifp0, struct et m0 = m_copym2(m, 0, M_COPYALL, M_DONTWAIT); if (m0 == NULL) continue; + M_PREPEND(m0, sizeof(*eh), M_DONTWAIT); + if (m0 == NULL) + continue; + eh = mtod(m0, struct ether_header *); + memmove(eh, eh0, sizeof(*eh)); + m0->m_pkthdr.rcvif = &vh->sc_if; #if NBPFILTER > 0 if (vh->sc_if.if_bpf) - bpf_mtap_hdr(vh->sc_if.if_bpf, (char *)&eh, - ETHER_HDR_LEN, m0, BPF_DIRECTION_IN, NULL); + bpf_mtap_ether(vh->sc_if.if_bpf, m0, + BPF_DIRECTION_IN); #endif vh->sc_if.if_ipackets++; - ether_input(m0, &eh); + ether_input_mbuf(&vh->sc_if, m0); } + return (1); } - if (ifp == NULL) - return (1); + M_PREPEND(m, sizeof(*eh), M_DONTWAIT); + if (m == NULL) + return (0); + eh = mtod(m, struct ether_header *); + memmove(eh, eh0, sizeof(*eh)); m->m_pkthdr.rcvif = ifp; #if NBPFILTER > 0 if (ifp->if_bpf) - bpf_mtap_hdr(ifp->if_bpf, (char *)&eh, ETHER_HDR_LEN, m, - BPF_DIRECTION_IN, NULL); + bpf_mtap_ether(ifp->if_bpf, m, BPF_DIRECTION_IN); #endif ifp->if_ipackets++; - ether_input(m, &eh); + ether_input_mbuf(ifp, m); return (0); }