DragonFlyBSD Kernel Audit
← dashboard
DF-0233

Lockless SLIST traversal of domains list races with crit_enter-only writer

Summary

net_add_domain(:137) guards SLIST_INSERT_HEAD with crit_enter only (local CPU, not cross-CPU). Readers pffindtype/pffindproto/kpfctlinput(:158,:179,:202) traverse with NO sync. Reachable: netgraph kldload on CPU A races unpriv socket() on CPU B. x86 aligned stores atomic -> stale-but-valid dom_next benign; weaker order -> panic.