From d00c20882f88877884b73fa9ec86b3cafeda4e42 Mon Sep 17 00:00:00 2001
From: John Baldwin
Date: Wed, 30 Nov 2022 14:38:51 -0800
Subject: [PATCH] udp[6]_multi_input: Don't unlock freed inp.

If udp[6]_append() returns non-zero, it is because the inp has gone away (inpcbrele_rlocked returned 1 after running the tunnel function).

Reviewed by: ae
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D37511
---
 sys/netinet/udp_usrreq.c | 1 -
 sys/netinet6/udp6_usrreq.c | 1 -
 2 files changed, 2 deletions(-)

diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 8e8547a4292..719b39985a0 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -446,7 +446,6 @@ udp_multi_input(struct mbuf *m, int proto, struct sockaddr_in *udp_in)
 else
 UDP_PROBE(receive, NULL, inp, ip, inp, uh);
 if (udp_append(inp, ip, n, sizeof(struct ip), udp_in)) {
- INP_RUNLOCK(inp);
 break;
 } else
 appends++;
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index b6390f800d9..b491a41a7a4 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -312,7 +312,6 @@ udp6_multi_input(struct mbuf *m, int off, int proto,
 UDP_PROBE(receive, NULL, inp, ctx.ip6, inp, ctx.uh); if (udp6_append(inp, n, off, fromsa)) { - INP_RUNLOCK(inp); break; } else appends++;