From: Mark Johnston
Date: Wed, 23 Mar 2022 16:47:12 GMT
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: b31917186146 - main - setitimer: Fix exit race
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=b319171861464f6c445905e7649cb43bf9bc78be

commit
b319171861464f6c445905e7649cb43bf9bc78be
Author:     Mark Johnston
AuthorDate: 2022-03-23 16:36:12 +0000
Commit:     Mark Johnston
CommitDate: 2022-03-23 16:36:12 +0000

    setitimer: Fix exit race

    We use the p_itcallout callout, interlocked by the proc lock, to
    schedule timeouts for the setitimer(2) system call. When a process
    exits, the callout must be stopped before the process struct is
    recycled.

    Currently we attempt to stop the callout in exit1() with the call
    _callout_stop_safe(&p->p_itcallout, CS_EXECUTING). If this call
    returns 0, then we sleep in order to drain the callout. However, this
    happens only if the callout is not scheduled at all. If the callout
    thread is blocked on the proc lock, then exit1() will not block and
    the callout may execute after the process has fully exited, typically
    resulting in a panic.

    I cannot see a reason to use the CS_EXECUTING flag here. Instead, use
    the regular callout_stop()/callout_drain() dance to halt the callout.

    Reported by:    ler
    Tested by:      ler, pho
    MFC after:      1 month
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D34625

--- sys/kern/kern_exit.c | 11 +++++------ sys/kern/kern_time.c | 2 -- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c index 6d1cd5705f30..7215aed60c83 100644 --- a/sys/kern/kern_exit.c +++ b/sys/kern/kern_exit.c 
@@ -369,15 +369,14 @@ exit1(struct thread *td, int rval, int signo) * executing, prevent it from rearming itself and let it finish. */ if (timevalisset(&p->p_realtimer.it_value) && - _callout_stop_safe(&p->p_itcallout, CS_EXECUTING, NULL) == 0) { + callout_stop(&p->p_itcallout) == 0) { timevalclear(&p->p_realtimer.it_interval); - msleep(&p->p_itcallout, &p->p_mtx, PWAIT, "ritwait", 0); - KASSERT(!timevalisset(&p->p_realtimer.it_value), - ("realtime timer is still armed")); + PROC_UNLOCK(p); + callout_drain(&p->p_itcallout); + } else { + PROC_UNLOCK(p); } - PROC_UNLOCK(p); - if (p->p_sysent->sv_onexit != NULL) p->p_sysent->sv_onexit(p); seltdfini(td); diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c index 194a23fdc9e8..f052c4b6d698 100644 --- a/sys/kern/kern_time.c +++ b/sys/kern/kern_time.c @@ -950,8 +950,6 @@ realitexpire(void *arg) kern_psignal(p, SIGALRM); if (!timevalisset(&p->p_realtimer.it_interval)) { timevalclear(&p->p_realtimer.it_value); - if (p->p_flag & P_WEXIT) - wakeup(&p->p_itcallout); return; }
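Review bot: in the exit1() hunk of sys/kern/kern_exit.c, the KASSERT on !timevalisset(&p->p_realtimer.it_value) ("realtime timer is still armed") is dropped along with the msleep(), and nothing after callout_drain(&p->p_itcallout) checks that the timer really ended up disarmed. If the invariant still holds once the drain returns, consider restoring the assertion there so a rearm that slips past the exit path is caught in debug kernels instead of as a later use of a recycled proc. The new ordering (PROC_UNLOCK(p) before callout_drain()) also deserves a short comment saying the proc lock has to be released first because the callout is interlocked by it; as written, the duplicated PROC_UNLOCK(p) in both branches looks like something a later cleanup could hoist back above the drain.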
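Review bot: in the realitexpire() hunk of sys/kern/kern_time.c, once the P_WEXIT wakeup(&p->p_itcallout) is gone, the early return under !timevalisset(&p->p_realtimer.it_interval) is the only thing that keeps the callout from rearming while exit1() drains it, and no comment records that dependency. A one-line note above that branch saying exit1() clears it_interval to force this path would protect it from being reordered later. Since the only sleeper shown on that channel was the "ritwait" msleep() removed in the other file, it is also worth confirming that nothing else in the tree still sleeps on &p->p_itcallout before this is merged to stable branches.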