[Bug 272151] panic: use-after-free tty race condition

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 25 Jun 2023 23:39:13 UTC

Robert Wing <rew@FreeBSD.org> changed:

           What    |Removed                     |Added
                 CC|                            |rew@FreeBSD.org

--- Comment #2 from Robert Wing <rew@FreeBSD.org> ---
The issue seems to be caused by knlist_clear() with the way it sets up the
knote with EV_ONESHOT. The event for the knote is triggered after the TTY is
revoked and the thread no longer holds the TTY lock when the knote event is

I'd halfway assume that knotes shouldn't be triggered if the TTY was revoked,
which might look something like:

Or maybe it makes sense to delete the knotes when the TTY is not opened?
Something like: https://people.freebsd.org/~rew/tty-knote.patch

Or... some other behavior is expected? Either way, both of the patches above
prevented the panic from occurring.

To reproduce, spin up a VM and execute the following:

- launch nvim
- suspend nvim (ctrl-z)
- poweroff (panic)