Date: Fri, 22 Apr 2022 15:25:02 GMT
Message-Id: <202204221525.23MFP23N081966@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 8394a99386fe - stable/13 - setitimer: Fix exit race
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 8394a99386fe5ff98b50fedde480ec35fb397717

The branch stable/13 has been updated by markj:

URL:
https://cgit.FreeBSD.org/src/commit/?id=8394a99386fe5ff98b50fedde480ec35fb397717

commit 8394a99386fe5ff98b50fedde480ec35fb397717
Author:     Mark Johnston
AuthorDate: 2022-03-23 16:36:12 +0000
Commit:     Mark Johnston
CommitDate: 2022-04-22 14:35:42 +0000

    setitimer: Fix exit race

    We use the p_itcallout callout, interlocked by the proc lock, to
    schedule timeouts for the setitimer(2) system call. When a process
    exits, the callout must be stopped before the process struct is
    recycled.

    Currently we attempt to stop the callout in exit1() with the call
    _callout_stop_safe(&p->p_itcallout, CS_EXECUTING). If this call
    returns 0, then we sleep in order to drain the callout. However, this
    happens only if the callout is not scheduled at all. If the callout
    thread is blocked on the proc lock, then exit1() will not block and
    the callout may execute after the process has fully exited, typically
    resulting in a panic.

    I cannot see a reason to use the CS_EXECUTING flag here. Instead, use
    the regular callout_stop()/callout_drain() dance to halt the callout.

    Reported by:    ler
    Tested by:      ler, pho
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit b319171861464f6c445905e7649cb43bf9bc78be)

--- sys/kern/kern_exit.c | 11 +++++------ sys/kern/kern_time.c | 2 -- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c index 226cd5991261..e89139edc825 100644 --- a/sys/kern/kern_exit.c +++ b/sys/kern/kern_exit.c
@@ -369,15 +369,14 @@ exit1(struct thread *td, int rval, int signo) * executing, prevent it from rearming itself and let it finish. */ if (timevalisset(&p->p_realtimer.it_value) && - _callout_stop_safe(&p->p_itcallout, CS_EXECUTING, NULL) == 0) { + callout_stop(&p->p_itcallout) == 0) { timevalclear(&p->p_realtimer.it_interval); - msleep(&p->p_itcallout, &p->p_mtx, PWAIT, "ritwait", 0); - KASSERT(!timevalisset(&p->p_realtimer.it_value), - ("realtime timer is still armed")); + PROC_UNLOCK(p); + callout_drain(&p->p_itcallout); + } else { + PROC_UNLOCK(p); } - PROC_UNLOCK(p); - if (p->p_sysent->sv_onexit != NULL) p->p_sysent->sv_onexit(p); seltdfini(td); diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c index 0bab05c65ffc..b02b6a2021e0 100644 --- a/sys/kern/kern_time.c +++ b/sys/kern/kern_time.c @@ -952,8 +952,6 @@ realitexpire(void *arg) kern_psignal(p, SIGALRM); if (!timevalisset(&p->p_realtimer.it_interval)) { timevalclear(&p->p_realtimer.it_value); - if (p->p_flag & P_WEXIT) - wakeup(&p->p_itcallout); return; }
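Review bot: in the exit1() hunk of sys/kern/kern_exit.c, PROC_UNLOCK(p) now appears in both branches and has to come before callout_drain(&p->p_itcallout), but nothing in the code says why the lock must be dropped first. The commit message states that the callout is interlocked by the proc lock, so draining with the lock held would wait on a handler that is itself waiting for that lock; a one-line comment above the PROC_UNLOCK(p)/callout_drain() pair would keep a later cleanup from hoisting the unlock back below the block. The removed KASSERT on p_realtimer.it_value also goes without a replacement; if an invariant still holds once callout_drain() returns, asserting it there would preserve that check.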
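Review bot: in the realitexpire() hunk of sys/kern/kern_time.c, the wakeup(&p->p_itcallout) under P_WEXIT is dropped, yet the commit message describes only the exit1() change. The one sleeper visible in this patch, the msleep(&p->p_itcallout, ...) with wmesg "ritwait" in exit1(), is removed by the same commit, so the deletion is consistent; a sentence in the log saying so, plus a check that nothing else sleeps on &p->p_itcallout, would make the second file's change self-explanatory.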