Date: Tue, 19 Dec 2023 17:00:36 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 273890] accessing freed inpcb in udp6_bind
Message-ID: <bug-273890-227-TH1N2TKzAa@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-273890-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-273890-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273890

--- Comment #14 from Gleb Smirnoff <glebius@FreeBSD.org> ---

Weldon gave me access to the core. Writing up a summary for Mark and other interested parties.

The panic happens at in6_pcb.c:257:

    (t->inp_socket->so_options & SO_REUSEPORT) ||

The temporary inpcb t has a NULL inp_socket. It also has the INP_FREED flag set. The inpcb had been found with in6_pcblookup_local(), which doesn't do an INP_FREED check, nor does it acquire the inpcb lock. It relies on the hash lock, which we hold. And the freed inpcb has the INP_INHASHLIST flag set, which is definitely a problem. These two flags should be an XOR.

Unless Mark or I quickly find a problem in the code with our eyes, we would need somebody, e.g. Weldon Godfrey or Dmitry Petrov, to run a kernel compiled with the INVARIANTS option and probably with an additional patch that would catch creation of an invalid inpcb. Please let me know if you can assist with this.

-- 
You are receiving this mail because:
You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-273890-227-TH1N2TKzAa>
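The comment above describes a lookup that walks a hash chain under the hash lock only, never checks INP_FREED, and hands back an entry whose socket pointer is already NULL, with the observation that INP_FREED and INP_INHASHLIST should never be set together. The following is an added toy model written for this page, not FreeBSD code and not the patch the comment asks for: the structures, the flag values and the function names (pcblookup_local_naive, pcblookup_local_checked, inpcb_invariant_violation, demo) are simplified stand-ins chosen to mirror the report. It builds the corrupted state seen in the core (a freed entry still linked into the chain) and shows the naive walk returning it, while a checked walk enforces the flag invariant and refuses it. In a kernel the violation branch would be a KASSERT under INVARIANTS; here it counts violations so the behaviour is testable from userland.

```c
/* Added toy model (not FreeBSD code): an inpcb-like record on a singly
 * linked hash chain with the two flags the report says must be mutually
 * exclusive.  Names echo the FreeBSD ones for readability only. */
#include <stddef.h>
#include <stdio.h>

#define INP_FREED      0x1u  /* record has been freed (assumed values) */
#define INP_INHASHLIST 0x2u  /* record is linked into a hash chain */

struct socket { int so_options; };

struct inpcb {
    struct inpcb *inp_next;    /* hash chain link */
    unsigned short inp_lport;  /* local port, host byte order */
    unsigned int inp_flags;
    struct socket *inp_socket; /* NULL once freed, as in the core dump */
};

/* Naive lookup: first chain entry with a matching port and no INP_FREED
 * check, mirroring the behaviour the report describes for
 * in6_pcblookup_local().  The caller then dereferences inp_socket. */
struct inpcb *pcblookup_local_naive(struct inpcb *head, unsigned short lport) {
    for (struct inpcb *t = head; t != NULL; t = t->inp_next)
        if (t->inp_lport == lport)
            return t;
    return NULL;
}

/* Invariant check: INP_FREED and INP_INHASHLIST must never both be set,
 * and a hashed, live entry must still own its socket.  Returns 0 when
 * the entry is sane, otherwise a code saying what is wrong. */
int inpcb_invariant_violation(const struct inpcb *t) {
    int freed  = (t->inp_flags & INP_FREED) != 0;
    int hashed = (t->inp_flags & INP_INHASHLIST) != 0;
    if (freed && hashed)              return 1; /* the state seen in the core */
    if (hashed && t->inp_socket == NULL) return 2;
    return 0;
}

/* Checked lookup: skip freed entries and count invariant violations
 * instead of letting the caller dereference a NULL inp_socket. */
struct inpcb *pcblookup_local_checked(struct inpcb *head, unsigned short lport,
                                      int *violations) {
    *violations = 0;
    for (struct inpcb *t = head; t != NULL; t = t->inp_next) {
        if (inpcb_invariant_violation(t) != 0) { (*violations)++; continue; }
        if (t->inp_flags & INP_FREED) continue;
        if (t->inp_lport == lport) return t;
    }
    return NULL;
}

/* Constructed scenario: a stale (freed but still hashed) entry sits in
 * front of a live one.  Returns 1 when the naive walk hands back the
 * stale entry with a NULL socket, the checked walk rejects it and
 * reports one violation, and the checked walk still finds the live one. */
int demo(void) {
    struct socket live_sock = { .so_options = 0 };
    struct inpcb live  = { NULL,  8080, INP_INHASHLIST, &live_sock };
    struct inpcb stale = { &live, 5353, INP_FREED | INP_INHASHLIST, NULL };
    int v = 0;

    struct inpcb *n = pcblookup_local_naive(&stale, 5353);
    struct inpcb *c = pcblookup_local_checked(&stale, 5353, &v);
    int ok = (n == &stale && n->inp_socket == NULL) && (c == NULL && v == 1);

    struct inpcb *l = pcblookup_local_checked(&stale, 8080, &v);
    return ok && l == &live && v == 1;
}

int main(void) {
    printf("naive lookup returns freed entry, checked lookup rejects it: %s\n",
           demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```

The check is deliberately placed in the lookup rather than at the caller, because the report's crash site is one of several places that trust whatever the chain walk returns; catching the bad entry where it is found under the hash lock is what an INVARIANTS build with an extra assertion would do.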