[Bug 272151] panic: use-after-free tty race condition
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 272151] panic: use-after-free tty race condition"
Date: Tue, 19 Dec 2023 00:49:00 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272151
--- Comment #4 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:
URL:
https://cgit.FreeBSD.org/src/commit/?id=acd5638e268a6706f6b7ad84947a8425e8d51ef7
commit acd5638e268a6706f6b7ad84947a8425e8d51ef7
Author: Robert Wing <rew@FreeBSD.org>
AuthorDate: 2023-12-19 00:40:46 +0000
Commit: Robert Wing <rew@FreeBSD.org>
CommitDate: 2023-12-19 00:40:46 +0000
tty: delete knotes when TTY is revoked

Do not clear knotes from the TTY until it gets dealloc'ed, unless the
TTY is being revoked, in that case delete the knotes when closed is
called on the TTY.

When knotes are cleared from a knlist, those knotes become detached from
the knlist. And when an event is triggered on a detached knote there
isn't an associated knlist and therefore no lock will be taken when the
event is triggered.

This becomes a problem when a detached knote is triggered on a TTY since
the mutex for a TTY is also used as the lock for its knlists. This
scenario ends up calling the TTY event handlers without the TTY lock
being held and tripping on asserts in the event handlers.

PR: 272151
Reviewed by: kib, markj
Differential Revision: https://reviews.freebsd.org/D41605

sys/kern/tty.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
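
The locking hazard the commit message describes, as an added user-space model that is not part of the commit or of the FreeBSD source. Every type and function name here is hypothetical, and the "before" close path (knotes cleared on every close) is an assumption inferred from the commit message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not kernel code: one mutex guards both the TTY and its knlist. */
struct tty_model { bool locked; bool revoked; };
struct knlist_model { struct tty_model *lock_owner; };
struct knote_model {
    struct knlist_model *knlist; /* NULL once the knote is detached */
    struct tty_model *tp;        /* the filter still reaches the TTY */
    bool deleted;                /* a deleted knote can no longer fire */
};

/* Event filter: like the TTY handlers, it requires the TTY lock to be held. */
static bool tty_filter(const struct knote_model *kn) { return kn->tp->locked; }

/* Delivery locks the knlist only if the knote still has one. Returns 1 if the
 * filter ran locked, 0 if it ran unlocked (assert would trip), -1 if deleted. */
static int deliver_event(struct knote_model *kn) {
    if (kn->deleted) return -1;
    struct tty_model *owner = kn->knlist ? kn->knlist->lock_owner : NULL;
    if (owner) owner->locked = true;
    int ok = tty_filter(kn) ? 1 : 0;
    if (owner) owner->locked = false;
    return ok;
}

/* Assumed old close path: clear (detach) the knote, leaving it alive. */
static void close_before(struct knote_model *kn) { kn->knlist = NULL; }

/* Close path per the commit message: delete on revoke, otherwise stay attached. */
static void close_after(struct knote_model *kn) {
    if (kn->tp->revoked) { kn->knlist = NULL; kn->deleted = true; }
}

/* Close the TTY, then trigger an event on the knote that was registered on it. */
static int scenario(bool fixed, bool revoked) {
    struct tty_model tp = { false, revoked };
    struct knlist_model kl = { &tp };
    struct knote_model kn = { &kl, &tp, false };
    if (fixed) close_after(&kn); else close_before(&kn);
    return deliver_event(&kn);
}

int main(void) {
    printf("before: %d\n", scenario(false, false));
    printf("after: %d, after revoke: %d\n", scenario(true, false), scenario(true, true));
    return 0;
}
```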