svn commit: r329542 - head/sys/kern

[Mateusz Guzik]

Author: mjg
Date: Mon Feb 19 00:54:08 2018
New Revision: 329542
URL: https://svnweb.freebsd.org/changeset/base/329542

Log:
  Fix process exit vs reap race introduced in r329449
  
  The race manifested itself mostly in terms of crashes with "spin lock
  held too long".
  
  Relevant parts of respective code paths:
  
  exit:				reap:
  PROC_LOCK(p);
  PROC_SLOCK(p);
  p->p_state == PRS_ZOMBIE
  PROC_UNLOCK(p);
  				PROC_LOCK(p);
  /* exit work */
  				if (p->p_state == PRS_ZOMBIE) /* true */
  					proc_reap()
  					free proc
  /* more exit work */
  PROC_SUNLOCK(p);
  
  Thus a still exiting process is reaped.
  
  Prior to the change the zombie check was followed by slock/sunlock trip
  which prevented the problem.
  
  Even code prior to this commit has a bug: the proc is still accessed for
  statistic collection purposes. However, the severity is rather small and
  the bug may be fixed in a future commit.
  
  Reported by:	many
  Tested by:	allanjude

Modified:
  head/sys/kern/kern_exit.c

Modified: head/sys/kern/kern_exit.c
==============================================================================
--- head/sys/kern/kern_exit.c	Mon Feb 19 00:47:03 2018	(r329541)
+++ head/sys/kern/kern_exit.c	Mon Feb 19 00:54:08 2018	(r329542)
@@ -819,6 +819,8 @@ proc_reap(struct thread *td, struct proc *p, int *stat
 	PROC_LOCK_ASSERT(p, MA_OWNED);
 	KASSERT(p->p_state == PRS_ZOMBIE, ("proc_reap: !PRS_ZOMBIE"));
 
+	mtx_spin_wait_unlocked(&p->p_slock);
+
 	q = td->td_proc;
 
 	if (status)