DragonFlyBSD Kernel Audit
DF-0248

Lockless SLIST traversal in accept_filt_get races with crit_enter-only add/del -> UAF

Summary

accept_filt_get (:99-109) traverses the SLIST with no lock and no critical section. accept_filt_add and accept_filt_del modify the list under crit_enter only, which is per-CPU and gives no cross-CPU serialization. An unprivileged setsockopt(SO_ACCEPTFILTER) on CPU A races kldunload -> del on CPU B. The lack of a refcount is developer-acknowledged (:127-133). A NULL callback or an unmapped module results in a panic or UAF.
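
A userspace model of the two pieces the finding says are missing (serialization shared by get/add/del, and a refcount), added here as an example and not taken from the DragonFlyBSD source. The filt_* names, the spinlock standing in for a cross-CPU kernel lock, and the demo entry are assumptions.

```c
/* Userspace model only: hypothetical names, not DragonFlyBSD kernel code. */
#include <errno.h>
#include <stdatomic.h>
#include <string.h>
#include <sys/queue.h>

struct filt {
    const char *name;
    int refs;                          /* sockets still holding this filter */
    SLIST_ENTRY(filt) link;
};
static SLIST_HEAD(, filt) filt_list = SLIST_HEAD_INITIALIZER(filt_list);
static atomic_flag filt_lock = ATOMIC_FLAG_INIT;  /* stands in for a cross-CPU lock */
struct filt demo = { .name = "demo_filter" };     /* constructed sample entry */

static void lock(void)   { while (atomic_flag_test_and_set(&filt_lock)) { } }
static void unlock(void) { atomic_flag_clear(&filt_lock); }

/* Caller holds the lock; returns NULL when the name is not registered. */
static struct filt *find_locked(const char *name) {
    struct filt *f;
    SLIST_FOREACH(f, &filt_list, link)
        if (strcmp(f->name, name) == 0) break;
    return f;
}

void filt_add(struct filt *f) {
    lock(); f->refs = 0; SLIST_INSERT_HEAD(&filt_list, f, link); unlock();
}

/* Lookup and reference are taken under the same lock that add/del use. */
struct filt *filt_get(const char *name) {
    lock();
    struct filt *f = find_locked(name);
    if (f != NULL) f->refs++;
    unlock();
    return f;
}

void filt_put(struct filt *f) { lock(); f->refs--; unlock(); }

/* Unload path: refuse removal while any reference is outstanding. */
int filt_del(const char *name) {
    lock();
    struct filt *f = find_locked(name);
    int error = (f == NULL) ? ENOENT : ((f->refs > 0) ? EBUSY : 0);
    if (error == 0) SLIST_REMOVE(&filt_list, f, filt, link);
    unlock();
    return error;
}
```

In this model a delete that arrives while a getter holds the entry returns EBUSY instead of unlinking memory the getter may still dereference.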