m; d=freebsd.org; t=1780949684; a=rsa-sha256; cv=none; b=dHs10f00rYUk36tT5UWSr7FCPr1kOlbL7I4ADEyR+IYygoNH9JZ76d3C1HzBURtVRM7m2O T0LyC0gIJ3P2n9TgtPzqEXlBi1pbo1Hq86cR6XLGBAozyH/lD3gdqasN//vejhPNVlkekB HMvIW3HvE9hUmDZMCw+3EC15eS4gh1B/vYxV4WCn6JypEFBxAs5p82sabgggOaSpqV5pDY vZa38EAWjgDRmU7oqfhduotpO3SGa85ZkuJeZNK1NLIdYFGoeRaEEXizU17LQOXEvZ+mLU Eon8weMK0G66ZQ6BkokHaN2XBTg+WJj/KRYiyYyM37K5ueiMz0rEJxpfkVNh0A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780949684; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=UetfvG7cz4pyXoqHtM1WtvHyAo0pT+IZmZHG2suE3Gw=; b=h7rF1Hi4o+IUxECHmuYa4RmHVntLKDjNWM0g04jb3Aumw3PlaT8Ut8Qqpxry5i3M5LxsHd uqUhP9XGiMCaDpafFjJwRw/ZiOqa/zfzmqXOnm5NdC2MKDW3FJMdbzAtEB/+os4LMm/1ks 26gas+PUE2fBqqWnO5EbHr0LZUvek70BrQVVHmG7YIBo7SvVkP8gk+eOZz4n3ABjEDSBWP cXmuQKpxv9iSgNYlR5RerYrd4VBnIB6pEVSJQL2Mdn7iWp+u/5lngdYMFvukXNV8NYSGnE UmYYV8rSMFbxOUdvW1m0awV60gb9velRr+UD+1XyWSddouD0tZApcqhM1TSINA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZ3DN3Jnjz12xY for ; Mon, 08 Jun 2026 20:14:44 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 42be3 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Mon, 08 Jun 2026 20:14:44 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Konstantin Belousov Subject: git: a2cfe535771d - main - exit1(9): do not deadlock if exit is called due to PT_SC_REMOTERQ List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kib X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: a2cfe535771ded3ca8526bae405a5b61f71f1f33 Auto-Submitted: auto-generated Date: Mon, 08 Jun 2026 20:14:44 +0000 Message-Id: <6a2722b4.42be3.6a50a1e5@gitrepo.freebsd.org> The branch main has been updated by kib: URL: https://cgit.FreeBSD.org/src/commit/?id=a2cfe535771ded3ca8526bae405a5b61f71f1f33 commit a2cfe535771ded3ca8526bae405a5b61f71f1f33 Author: Konstantin Belousov AuthorDate: 2026-06-05 20:21:59 +0000 Commit: Konstantin Belousov CommitDate: 2026-06-08 20:14:20 +0000 exit1(9): do not deadlock if exit is called due to PT_SC_REMOTERQ The remote syscall is executed in the context where debugger owns a p_lock hold on the target. Due to this, exit1() waiting for p_lock going to zero, never happen. Postpone the exit1() call to ast then, saving the provided rval and signo in the struct proc. Mark the async-exiting proc with the new p_flag P_ASYNC_EXIT. While p_xexit can be reused, p_xsig can be only set by actual exit1(), otherwise it breaks the ptrace mechanism. Allocate a dedicated p_asig for it. Reviewed by: markj Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D57482 --- sys/compat/linux/linux_fork.c | 4 +-- sys/compat/linux/linux_misc.c | 4 +-- sys/kern/kern_exec.c | 13 +++++----- sys/kern/kern_exit.c | 57 ++++++++++++++++++++++++++++++++++++++++--- sys/kern/kern_fork.c | 3 ++- sys/kern/kern_ucoredump.c | 4 +-- sys/sys/proc.h | 4 ++- sys/sys/signalvar.h | 2 +- sys/sys/syscallsubr.h | 1 + 9 files changed, 72 insertions(+), 20 deletions(-) diff --git a/sys/compat/linux/linux_fork.c b/sys/compat/linux/linux_fork.c index 1c9189162a09..24c5d3351623 100644 --- a/sys/compat/linux/linux_fork.c +++ b/sys/compat/linux/linux_fork.c @@ -486,8 +486,8 @@ linux_exit(struct thread *td, struct linux_exit_args *args) * exit via pthread_exit() try thr_exit() first. */ kern_thr_exit(td); - exit1(td, args->rval, 0); - /* NOTREACHED */ + kern_exit(td, args->rval, 0); + return (0); } int diff --git a/sys/compat/linux/linux_misc.c b/sys/compat/linux/linux_misc.c index eafba4f4bd19..c863e1db8b02 100644 --- a/sys/compat/linux/linux_misc.c +++ b/sys/compat/linux/linux_misc.c @@ -1545,8 +1545,8 @@ linux_exit_group(struct thread *td, struct linux_exit_group_args *args) * SIGNAL_EXIT_GROUP is set. We ignore that (temporarily?) * as it doesnt occur often. */ - exit1(td, args->error_code, 0); - /* NOTREACHED */ + kern_exit(td, args->error_code, 0); + return (0); } #define _LINUX_CAPABILITY_VERSION_1 0x19980330 diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 4066682cbcc5..8ea00543989e 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -341,11 +341,11 @@ post_execve(struct thread *td, int error, struct vmspace *oldvmspace) } /* - * kern_execve() has the astonishing property of not always returning to - * the caller. If sufficiently bad things happen during the call to - * do_execve(), it can end up calling exit1(); as a result, callers must - * avoid doing anything which they might need to undo (e.g., allocating - * memory). + * kern_execve() has the astonishing property of not always returning + * to the caller. If sufficiently bad things happen during the call + * to do_execve(), it can end up calling exit2(). Callers must avoid + * doing anything which they might need to undo (e.g., allocating + * memory), unless called from the ptrace(PT_SC_REMOTERQ) handler. */ int kern_execve(struct thread *td, struct image_args *args, struct mac *mac_p, @@ -1042,8 +1042,7 @@ exec_fail: if (error && imgp->vmspace_destroyed) { /* sorry, no more process anymore. exit gracefully */ exec_cleanup(td, oldvmspace); - exit1(td, 0, SIGABRT); - /* NOT REACHED */ + kern_exit(td, 0, SIGABRT); } #ifdef KTRACE diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c index 18ea3a7bd29d..63e46dcf46f7 100644 --- a/sys/kern/kern_exit.c +++ b/sys/kern/kern_exit.c @@ -204,9 +204,8 @@ exit_onexit(struct proc *p) int sys__exit(struct thread *td, struct _exit_args *uap) { - - exit1(td, uap->rval, 0); - __unreachable(); + kern_exit(td, uap->rval, 0); + return (0); } void @@ -216,6 +215,48 @@ proc_set_p2_wexit(struct proc *p) p->p_flag2 |= P2_WEXIT; } +static void +ast_async_exit(struct thread *td, int asts) +{ + struct proc *p; + + p = td->td_proc; + if ((p->p_flag & P_ASYNC_EXIT) != 0) + exit1(td, p->p_xexit, p->p_asig); +} + +/* + * The variation on exit1() intended to be used in the syscall + * handlers. Unlike exit1(), it might delay the current process exit + * to ast. This is needed e.g. when _exit(2) is executed due to the + * ptrace(PT_SC_REMOTERQ), which must do more work after the syscall + * handler call. + */ +void +kern_exit(struct thread *td, int rval, int signo) +{ + struct proc *p; + + KASSERT(rval == 0 || signo == 0, + ("kern_exit rv %d sig %d", rval, signo)); + + p = td->td_proc; + if ((td->td_dbgflags & TDB_SCREMOTEREQ) != 0) { + PROC_LOCK(p); + p->p_xexit = rval; + p->p_asig = signo; + p->p_flag |= P_ASYNC_EXIT; + ast_sched(td, TDA_ASYNC_EXIT); + PROC_UNLOCK(p); + return; + } + if ((p->p_flag & P_ASYNC_EXIT) != 0) { + rval = p->p_xexit; + signo = p->p_asig; + } + exit1(td, rval, signo); +} + /* * Exit: deallocate address space and other resources, change proc state to * zombie, and unlink proc from allproc and parent's lists. Save exit status @@ -231,6 +272,7 @@ exit1(struct thread *td, int rval, int signo) mtx_assert(&Giant, MA_NOTOWNED); KASSERT(rval == 0 || signo == 0, ("exit1 rv %d sig %d", rval, signo)); + MPASS((td->td_dbgflags & TDB_SCREMOTEREQ) == 0); TSPROCEXIT(td->td_proc->p_pid); p = td->td_proc; @@ -828,7 +870,7 @@ out: sbuf_delete(sb); PROC_LOCK(p); sigexit(td, sig); - /* NOTREACHED */ + return (0); } #ifdef COMPAT_43 @@ -1627,3 +1669,10 @@ proc_reparent(struct proc *child, struct proc *parent, bool set_oppid) if (set_oppid) child->p_oppid = parent->p_pid; } + +static void +initexit(void *dummy __unused) +{ + ast_register(TDA_ASYNC_EXIT, ASTR_ASTF_REQUIRED, 0, ast_async_exit); +} +SYSINIT(exit, SI_SUB_EXEC, SI_ORDER_ANY, initexit, NULL); diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c index 75f8413e5f36..2fb4d9d4274d 100644 --- a/sys/kern/kern_fork.c +++ b/sys/kern/kern_fork.c @@ -66,6 +66,7 @@ #include #include #include +#include #include #include #include @@ -1258,7 +1259,7 @@ fork_return(struct thread *td, struct trapframe *frame) * If the prison was killed mid-fork, die along with it. */ if (!prison_isalive(td->td_ucred->cr_prison)) - exit1(td, 0, SIGKILL); + kern_exit(td, 0, SIGKILL); #ifdef KTRACE if (KTRPOINT(td, KTR_SYSRET)) diff --git a/sys/kern/kern_ucoredump.c b/sys/kern/kern_ucoredump.c index d425596b5f24..e08490fbf7b1 100644 --- a/sys/kern/kern_ucoredump.c +++ b/sys/kern/kern_ucoredump.c @@ -46,6 +46,7 @@ #include #include #include +#include #include #include #include @@ -197,8 +198,7 @@ sigexit(struct thread *td, int sig) err != NULL ? err : ""); } else PROC_UNLOCK(p); - exit1(td, 0, sig); - /* NOTREACHED */ + kern_exit(td, 0, sig); } diff --git a/sys/sys/proc.h b/sys/sys/proc.h index ed69a09422e2..5f017e6ece2c 100644 --- a/sys/sys/proc.h +++ b/sys/sys/proc.h @@ -504,6 +504,7 @@ enum { TDA_MOD3, /* .. and after */ TDA_MOD4, TDA_SCHED_PRIV, + TDA_ASYNC_EXIT, TDA_MAX, }; #define TDAI(tda) (1U << (tda)) @@ -777,6 +778,7 @@ struct proc { TAILQ_HEAD(, kq_timer_cb_data) p_kqtim_stop; /* (c) */ LIST_ENTRY(proc) p_jaillist; /* (d) Jail process linkage. */ + u_int p_asig; /* (c) ASYNCEXIT pending signal. */ }; #define p_session p_pgrp->pg_session @@ -842,7 +844,7 @@ struct proc { #define P_INEXEC 0x04000000 /* Process is in execve(). */ #define P_STATCHILD 0x08000000 /* Child process stopped or exited. */ #define P_INMEM 0x10000000 /* Loaded into memory, always set. */ -#define P_UNUSED1 0x20000000 /* --available-- */ +#define P_ASYNC_EXIT 0x20000000 /* XXX */ #define P_UNUSED2 0x40000000 /* --available-- */ #define P_PPTRACE 0x80000000 /* PT_TRACEME by vforked child. */ diff --git a/sys/sys/signalvar.h b/sys/sys/signalvar.h index 9a4009d269af..c7b3b620a459 100644 --- a/sys/sys/signalvar.h +++ b/sys/sys/signalvar.h @@ -399,7 +399,7 @@ int sigacts_shared(struct sigacts *ps); int sig_ast_checksusp(struct thread *td); int sig_ast_needsigchk(struct thread *td); void sig_drop_caught(struct proc *p); -void sigexit(struct thread *td, int sig) __dead2; +void sigexit(struct thread *td, int sig); int sigev_findtd(struct proc *p, struct sigevent *sigev, struct thread **); void sigfastblock_clear(struct thread *td); void sigfastblock_fetch(struct thread *td); diff --git a/sys/sys/syscallsubr.h b/sys/sys/syscallsubr.h index 8d546428820e..0eb471cc9dde 100644 --- a/sys/sys/syscallsubr.h +++ b/sys/sys/syscallsubr.h @@ -136,6 +136,7 @@ int kern_cpuset_setid(struct thread *td, cpuwhich_t which, int kern_dup(struct thread *td, u_int mode, int flags, int old, int new); int kern_execve(struct thread *td, struct image_args *args, struct mac *mac_p, struct vmspace *oldvmspace); +void kern_exit(struct thread *, int, int); int kern_extattr_delete_fd(struct thread *td, int fd, int attrnamespace, const char *attrname); int kern_extattr_delete_path(struct thread *td, const char *path,