[Bug 273890] accessing freed inpcb in udp6_bind
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 273890] Fatal trap 12: page fault while in kernel mode"
Date: Tue, 19 Dec 2023 17:00:36 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273890

--- Comment #14 from Gleb Smirnoff <glebius@FreeBSD.org> ---

Weldon gave me access to the core. Writing up summary for Mark and other interested parties.

The panic happens at in6_pcb.c:257:

    (t->inp_socket->so_options & SO_REUSEPORT) ||

The temporary inpcb t has NULL inp_socket. It also has the INP_FREED flag set. The inpcb had been found with in6_pcblookup_local(), which doesn't do an INP_FREED check, nor acquires the inpcb lock. It relies on the hash lock, which we hold. And the freed inpcb has the INP_INHASHLIST flag set, which is definitely a problem. These two flags should be an xor.

Unless Mark or I quickly find a problem in the code with our eyes, we would need somebody, e.g. Weldon Godfrey or Dmitry Petrov, to run a kernel compiled with the INVARIANTS option and probably with an additional patch that would catch creation of an invalid inpcb. Please let me know if you can assist with this.

-- 
You are receiving this mail because:
You are the assignee for the bug.
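The comment describes a freed inpcb that still carries INP_INHASHLIST, with inp_socket already NULL, being returned by a hash-chain lookup that checks neither the INP_FREED flag nor the socket pointer. The model below is an added illustration and not FreeBSD's code: it uses a constructed struct inpcb, constructed flag values and an invented SO_REUSEPORT_EXAMPLE constant to show the invariant the comment states (INP_FREED and INP_INHASHLIST must be mutually exclusive), a lookup that refuses to hand back entries violating it, and a consistency check of the kind an INVARIANTS-style patch would assert on when the bad state is created rather than when it is dereferenced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed flag and option values for this example only; they are not
 * FreeBSD's definitions. */
#define INP_INHASHLIST        0x01
#define INP_FREED             0x02
#define SO_REUSEPORT_EXAMPLE  0x10

struct socket { int so_options; };

struct inpcb {
    int            inp_flags;
    struct socket *inp_socket;   /* NULL once the pcb has been detached from its socket */
    struct inpcb  *inp_next;     /* next entry in the (simplified) local hash chain */
};

/* The invariant from the comment: a pcb is never both freed and on the hash
 * list, and a pcb that is still hashed must still own a socket. This is the
 * check an INVARIANTS build would want to run wherever inp_flags changes. */
bool inpcb_state_valid(const struct inpcb *inp) {
    bool freed  = (inp->inp_flags & INP_FREED) != 0;
    bool hashed = (inp->inp_flags & INP_INHASHLIST) != 0;
    if (freed && hashed)
        return false;
    if (hashed && inp->inp_socket == NULL)
        return false;
    return true;
}

/* Count chain entries that violate the invariant; a nonzero result is the
 * condition the comment wants caught at creation time rather than at the
 * later NULL dereference. */
int count_invalid(const struct inpcb *head) {
    int n = 0;
    for (const struct inpcb *t = head; t != NULL; t = t->inp_next)
        if (!inpcb_state_valid(t))
            n++;
    return n;
}

/* Walk the chain and return the first live, consistent entry. Unlike a lookup
 * that trusts the hash lock alone, this skips INP_FREED entries and entries
 * that fail the invariant, so the caller never sees a pcb with a NULL socket. */
const struct inpcb *lookup_local_checked(const struct inpcb *head) {
    for (const struct inpcb *t = head; t != NULL; t = t->inp_next) {
        if (!inpcb_state_valid(t))
            continue;            /* corrupt state: never touch t->inp_socket */
        if (t->inp_flags & INP_FREED)
            continue;            /* stale entry still being torn down */
        return t;
    }
    return NULL;
}

/* Reads the option word the way the crashing line does, but guards the socket
 * pointer so a detached pcb yields 0 instead of a page fault. */
int reuseport_of(const struct inpcb *t) {
    if (t == NULL || t->inp_socket == NULL)
        return 0;
    return t->inp_socket->so_options & SO_REUSEPORT_EXAMPLE;
}

/* Constructed chain reproducing the shape in the bug report: a freed pcb that
 * is still hashed and has lost its socket, followed by a healthy pcb. */
static struct socket good_sock = { .so_options = SO_REUSEPORT_EXAMPLE };
static struct inpcb good_pcb  = { .inp_flags = INP_INHASHLIST,
                                  .inp_socket = &good_sock, .inp_next = NULL };
static struct inpcb stale_pcb = { .inp_flags = INP_INHASHLIST | INP_FREED,
                                  .inp_socket = NULL, .inp_next = &good_pcb };

int main(void) {
    const struct inpcb *t = lookup_local_checked(&stale_pcb);
    printf("invalid entries in chain: %d\n", count_invalid(&stale_pcb));
    printf("lookup returned %s, reuseport=%d\n",
           t == &good_pcb ? "good_pcb" : "nothing", reuseport_of(t));
    return 0;
}
```

The checked lookup is a model of the defensive behaviour, not a proposed kernel patch: in the real code the useful fix is the assertion at the point where INP_FREED is set or the pcb is re-added to the hash, so the inconsistent state is reported with a backtrace instead of surviving until the next lookup.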