[Bug 272151] panic: use-after-free tty race condition
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 272151] panic: use-after-free tty race condition"
Date: Sun, 25 Jun 2023 23:39:13 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272151

Robert Wing <rew@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rew@FreeBSD.org

--- Comment #2 from Robert Wing <rew@FreeBSD.org> ---
The issue seems to be caused by knlist_clear() with the way it sets up the
knote with EV_ONESHOT.

The event for the knote is triggered after the TTY is revoked and the thread no
longer holds the TTY lock when the knote event is called.

I'd halfway assume that knotes shouldn't be triggered if the TTY was revoked,
which might look something like:

https://people.freebsd.org/~rew/tf-revoke.patch

or maybe it makes sense to delete the knotes when the TTY is not opened?
something like:

https://people.freebsd.org/~rew/tty-knote.patch

or...some other behavior is expected?

either way, both of the patches above prevented the panic from occurring.

To reproduce, spin up a vm and execute the following:

- launch nvim
- suspend nvim (ctrl-z)
- poweroff (panic)

-- 
You are receiving this mail because:
You are the assignee for the bug.