Do this test and the one at line 816 look correct still? Or should they test both vflag and the address family? I think the worst case is if laddr is used when it is INADDR_ANY but shouldn't be used.

Can you print fsa and lsa pointers and sa_families (if xsa is not NULL) in the message so they'll be on the console; so much easier to debug with users then.

Hmm, this is a bit tricky since we might not have an address family to check here, and the PCB doesn't tell us the address format it's using for its laddr and faddr.

I note that when binding or connecting to a v4-mapped v6 address, protocol layers (e.g., udp6_bind()) will clear INP_IPV6 before updating the inpcb. TCP will also do this for an implicit connect(), but UDP does not, which seems like a bug. Maybe that's the real bug here - I think this patch is not needed if protocols ensure that only one of INP_IPV4/V6 is set before calling this function.

Hmm, that might be intentional after all since a UDP socket can be connected and disconnected multiple times in its life cycle. But I don't understand how that works in the face of in_pcbinshash() and in_pcbrehash(), which use the vflag to select whether to use a v4 or a v6 hash table. For v4-mapped addresses, don't we want to use the v4 hash table?

It seems like udp_send() should indeed clear INP_IPV6 when connecting to a v4-mapped address, and udp6_disconnect() should re-set INP_IPV6.

I think it might be worth going back to FreeBSD 11/10 or so and see there how it once worked and where we changed from v6->v4 (sock)addr there. I have a suspicious feeling that this was half-done with a lot of updates but never looked at the full picture in a while.