Date: Sun, 25 Jun 2023 23:39:13 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 272151] panic: use-after-free tty race condition
Message-ID: <bug-272151-227-zRK86qJhNo@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-272151-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-272151-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272151

Robert Wing <rew@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rew@FreeBSD.org

--- Comment #2 from Robert Wing <rew@FreeBSD.org> ---
The issue seems to be caused by knlist_clear() with the way it sets up the
knote with EV_ONESHOT. The event for the knote is triggered after the TTY is
revoked and the thread no longer holds the TTY lock when the knote event is
called.

I'd halfway assume that knotes shouldn't be triggered if the TTY was revoked,
which might look something like:

https://people.freebsd.org/~rew/tf-revoke.patch

Or maybe it makes sense to delete the knotes when the TTY is not opened?
Something like:

https://people.freebsd.org/~rew/tty-knote.patch

Or... some other behavior is expected?

Either way, both of the patches above prevented the panic from occurring.

To reproduce, spin up a VM and execute the following:

- launch nvim
- suspend nvim (ctrl-z)
- poweroff (panic)

-- 
You are receiving this mail because:
You are the assignee for the bug.