K 10
svn:author
V 7
rwatson
K 8
svn:date
V 27
2013-04-14T16:25:37.704846Z
K 7
svn:log
V 1359
FreeBSD 8.0 introduced inpcb reference counting, and FreeBSD 8.1 began using
that reference count to protect inpcb stability in udp_pcblist() and other
monitoring functions, preventing the inpcb from being garbage collected across
potentially sleeping copyout() operations despite the inpcb zone becoming
shrinkable. However, this introduced a race condition in which
inp->inp_socket() might become NULL as a result of the socket being freed, but
before the inpcb was removed from the global list of connections, allowing it
to be exposed to a third thread invoking udp_input() or udp6_input() which
would try to indirect through inp_socket without testing it for NULL.

This might occur with particular regularity on systems that frequently run
netstat, or which use SNMP for connection monitoring.

Later FreeBSD releases use a different reference/destruction model, but
stable/8 remained affected in FreeBSD 8.2 and 8.3; the problem could be
spotted on very high-load UDP services, such as top-level name servers. An
Errata Note for 8.x branches under continuing support might be appropriate.
Regardless, this fix should be merged to releng/8.4 prior to 8.4-RELEASE.

PR:		172963
Submitted by:	Vincent Miller
Submitted by:	Julien Charbon
Submitted by:	Marc De La Gueronniere
END