Date:      Thu, 22 Jun 2023 16:30:42 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 272151] panic: use-after-free tty race condition
Message-ID:  <bug-272151-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272151

            Bug ID: 272151
           Summary: panic: use-after-free tty race condition
           Product: Base System
           Version: CURRENT
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: jake@technologyfriends.net

There appears to be a race condition during shutdown where the tty is no longer
owned by the current thread, resulting in an assertion panic. I was unable to
dump for more information, but this panic has happened to me several times, so
I will update the report with the dump info next time that it happens.

Here is what I was able to record:
Jun 20 22:11:22 freebsd shutdown[80834]: reboot by root:
Stopping cron.
Waiting for PIDS: 808.
Stopping sshd.
Waiting for PIDS: 804.
Stopping devd.
Waiting for PIDS: 491.
Writing entropy file: .
Writing early boot entropy file: .
.
Jun 20 22:11:22 freebsd syslogd: exiting on signal 15
panic: mutex ttymtx not owned at /usr/src/sys/kern/tty.c:720
cpuid = 1
time = 1687317082
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe018d934860
vpanic() at vpanic+0x150/frame 0xfffffe018d9348b0
panic() at panic+0x43/frame 0xfffffe018d934910
__mtx_assert() at __mtx_assert+0x9c/frame 0xfffffe018d934920
tty_kqops_read_event() at tty_kqops_read_event+0x2b/frame 0xfffffe018d934940
kqueue_register() at kqueue_register+0x8ee/frame 0xfffffe018d9349c0
kqueue_kevent() at kqueue_kevent+0x109/frame 0xfffffe018d934c90
kern_kevent_fp() at kern_kevent_fp+0x95/frame 0xfffffe018d934ce0
kern_kevent() at kern_kevent+0x80/frame 0xfffffe018d934d40
kern_kevent_generic() at kern_kevent_generic+0x6f/frame 0xfffffe018d934da0
sys_kevent() at sys_kevent+0x61/frame 0xfffffe018d934e00
amd64_syscall() at amd64_syscall+0x130/frame 0xfffffe018d934f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe018d934f30
--- syscall (560, FreeBSD ELF64, kevent), rip = 0x824b57b4a, rsp = 0x821235e38,
rbp = 0x821235e80 ---
KDB: enter: panic
[ thread pid 2920 tid 100767 ]
Stopped at      kdb_enter+0x32: movq    $0,0xde1c73(%rip)
db> dump

Dump failed. Partition too small (about 2697MB were needed this time).
Cannot dump: unknown error (error=7).

-- 
You are receiving this mail because:
You are the assignee for the bug.


