Insufficent Locking in XNU leading to Use-After-Free

We discussed this vulnerability during Episode 110 on 11 January 2022

This is one of those issues that is an obvious code-smell once you’re aware of it, inp_join_group will release a lock, so that is can call another function that requires the same lock, and then take the lock back after the function has executed creating a window where another function can obtain the lock and free the pointer from under it.