[Bug 272151] panic: use-after-free tty race condition

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 22 Jun 2023 16:30:42 UTC

            Bug ID: 272151
           Summary: panic: use-after-free tty race condition
           Product: Base System
           Version: CURRENT
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: jake@technologyfriends.net

There appears to be a race condition during shutdown where the tty is no longer
owned by the current thread, resulting in an assertion panic. I was unable to
dump for more information, but this panic has happened to me several times, so
I will update the report with the dump info next time that it happens.

Here is what I was able to record:
Jun 20 22:11:22 freebsd shutdown[80834]: reboot by root:
Stopping cron.
Waiting for PIDS: 808.
Stopping sshd.
Waiting for PIDS: 804.
Stopping devd.
Waiting for PIDS: 491.
Writing entropy file: .
Writing early boot entropy file: .
Jun 20 22:11:22 freebsd syslogd: exiting on signal 15
panic: mutex ttymtx not owned at /usr/src/sys/kern/tty.c:720
cpuid = 1
time = 1687317082
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe018d934860
vpanic() at vpanic+0x150/frame 0xfffffe018d9348b0
panic() at panic+0x43/frame 0xfffffe018d934910
__mtx_assert() at __mtx_assert+0x9c/frame 0xfffffe018d934920
tty_kqops_read_event() at tty_kqops_read_event+0x2b/frame 0xfffffe018d934940
kqueue_register() at kqueue_register+0x8ee/frame 0xfffffe018d9349c0
kqueue_kevent() at kqueue_kevent+0x109/frame 0xfffffe018d934c90
kern_kevent_fp() at kern_kevent_fp+0x95/frame 0xfffffe018d934ce0
kern_kevent() at kern_kevent+0x80/frame 0xfffffe018d934d40
kern_kevent_generic() at kern_kevent_generic+0x6f/frame 0xfffffe018d934da0
sys_kevent() at sys_kevent+0x61/frame 0xfffffe018d934e00
amd64_syscall() at amd64_syscall+0x130/frame 0xfffffe018d934f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe018d934f30
--- syscall (560, FreeBSD ELF64, kevent), rip = 0x824b57b4a, rsp = 0x821235e38,
rbp = 0x821235e80 ---
KDB: enter: panic
[ thread pid 2920 tid 100767 ]
Stopped at      kdb_enter+0x32: movq    $0,0xde1c73(%rip)
db> dump

Dump failed. Partition too small (about 2697MB were needed this time).
Cannot dump: unknown error (error=7).
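An added example, not part of the bug report or of FreeBSD: a small Python parser for the `panic:` line, the KDB stack backtrace and the `--- syscall` marker in the output above, so that reports of this shape can be triaged mechanically (which assertion fired, which kernel function tripped it, which syscall was in flight). The sample text is abridged from this report; `parse_kdb_backtrace` and `faulting_function` are helpers defined here, not kernel or tool APIs.

```python
import re

# Line shapes as printed by FreeBSD's KDB on amd64 (see the report above).
FRAME_RE = re.compile(r'^(\w+)\(\) at (\w+)\+0x([0-9a-f]+)/frame 0x([0-9a-f]+)$')
PANIC_RE = re.compile(r'^panic: (.*) at (\S+):(\d+)$')
SYSCALL_RE = re.compile(r'^--- syscall \((\d+), (\w+) (\w+), (\w+)\)')

def parse_kdb_backtrace(text):
    """Extract the panic message/location, the frames and the active syscall."""
    out = {"panic": None, "file": None, "line": None, "frames": [], "syscall": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = PANIC_RE.match(line)
        if m:
            out["panic"], out["file"], out["line"] = m.group(1), m.group(2), int(m.group(3))
            continue
        m = FRAME_RE.match(line)
        if m:  # func, byte offset into func, frame pointer
            out["frames"].append({"func": m.group(2), "offset": int(m.group(3), 16),
                                  "frame": int(m.group(4), 16)})
            continue
        m = SYSCALL_RE.match(line)
        if m:
            out["syscall"] = {"number": int(m.group(1)), "name": m.group(4)}
    return out

def faulting_function(frames):
    """Skip the panic/assert machinery and return the kernel function that tripped."""
    skip = {"db_trace_self_wrapper", "vpanic", "panic", "__mtx_assert"}
    for f in frames:
        if f["func"] not in skip:
            return f["func"]
    return None

# Constructed sample: abridged from the backtrace in this report.
SAMPLE = """\
panic: mutex ttymtx not owned at /usr/src/sys/kern/tty.c:720
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe018d934860
vpanic() at vpanic+0x150/frame 0xfffffe018d9348b0
panic() at panic+0x43/frame 0xfffffe018d934910
__mtx_assert() at __mtx_assert+0x9c/frame 0xfffffe018d934920
tty_kqops_read_event() at tty_kqops_read_event+0x2b/frame 0xfffffe018d934940
kqueue_register() at kqueue_register+0x8ee/frame 0xfffffe018d9349c0
kqueue_kevent() at kqueue_kevent+0x109/frame 0xfffffe018d934c90
sys_kevent() at sys_kevent+0x61/frame 0xfffffe018d934e00
amd64_syscall() at amd64_syscall+0x130/frame 0xfffffe018d934f30
--- syscall (560, FreeBSD ELF64, kevent), rip = 0x824b57b4a, rsp = 0x821235e38,
"""
```

Running `parse_kdb_backtrace(SAMPLE)` yields the assertion text, `tty.c:720`, nine frames and syscall 560 (`kevent`); `faulting_function` returns `tty_kqops_read_event`, the first frame below the assert helpers.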
