From nobody Sat Jun 13 01:03:55 2026
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gcdSC5Jszz6hSd6
	for <dev-commits-src-all@mlmmj.nyi.freebsd.org>; Sat, 13 Jun 2026 01:03:55 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gcdSC1W5Dz3lpj
	for <dev-commits-src-all@FreeBSD.org>; Sat, 13 Jun 2026 01:03:55 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1781312635;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=ZY1/4DTZ6rXho3ayQZJ1bgcciP4BCi4hOok3ibSQbEU=;
	b=AJdi/DWxcsXY16Yr+AuxqJ3/AvlaYS2EdBflWLwCcAwe9HwOT4V7euIbua54Z21FkvlaW6
	EGR5jOiLyz1Sf3Z0mXb8PztMRgpmVJ3vUpVWNY2U29QnqC+DI6tYVD/ZjcOeTqQuWQqQ1b
	mvUymL3XlVFyrpuQ0207hJfvZRRy4R1O2vbWR+OmhDH1moxY7h2cHJttojfdMwo8a093KI
	4dkZBO+Kjsict2WnDrNFiBjxH8Ux8R+PQ/SKbKEpsjgmckxTMoslU05Ngtr6AAh+Mp6V3r
	1I/N2ikYCS/E15GfSP5BVUUGd275YIzbrSlMJ/KbVBIaFcnJdAGhzuNk5immFg==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781312635; a=rsa-sha256; cv=none;
	b=NjHf99ZTePP6nE+y+uvFhWSvApWvMgLey+viCDZgRj3F60H6ggYNY1PMCI1b0xwFaTZPiR
	vSfTtPjvPwpnMK89wg0EBCZb7tJ3D0gvHkhnaKd8kstEEn3SSIS4DPY9veZMB4L8nLbec9
	2PERzwUWw/rEtbi7Hv7D9pcnwr21FQI3/qOK2+MzG26GZqR5OUfkVwj8GKBQoPnsVb58Qy
	wORmOOnGGLFG9sWucpMYhwi8NmHb9EunJImvxJ5ipYGvuDzyvj6Pfr/fVIRpKi7ONQzMrE
	6qWPaI6ev+4DmySJOV0YG1Eump8XviEC4qjrGB9gFS+4yANQgmKiocOqsAYnGw==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1781312635;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=ZY1/4DTZ6rXho3ayQZJ1bgcciP4BCi4hOok3ibSQbEU=;
	b=bFJRIAUUV+Laa045kRpilEeDQBRthtiPWiMfRQqggy1gZ54Rv6DfhauATXL4vcAwTcr9SW
	LhXBGYc6DxE2yxeIsWk4pcxfdWcvowRv2cYhHUqAuCEBZVvPu2GzRoj0ronCrzuSXtqQ5c
	IL3apA2Bf3zwewKK3tMTSGMPlQjRd8d6jcrmV7Uk+PckJGATXRQ/HLNH8CmjB4rDbLGWsw
	LmYXTqY4wrqVxkxqlrx01/3FPm0ZN+aeV04pp+vnll5zlLMGltp8dEOWB/cdlgK2stGoJs
	laxbfn/1GMbrwmi+cbqt25E11XZfPsUWtZ6yXe/Sc0B+9BZRVsCGmkyhsoimnw==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gcdSC10cTz11ww
	for <dev-commits-src-all@FreeBSD.org>; Sat, 13 Jun 2026 01:03:55 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 2052d
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Sat, 13 Jun 2026 01:03:55 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Konstantin Belousov <kib@FreeBSD.org>
Subject: git: b52346b34159 - stable/15 - exit1(9): do not deadlock if exit is called due to PT_SC_REMOTERQ
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
List-Id: <dev-commits-src-all.FreeBSD.org>
List-Post: <mailto:dev-commits-src-all@FreeBSD.org>
List-Help: <mailto:dev-commits-src-all+help@FreeBSD.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kib
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: b52346b34159eb364e52b87a6c3a5bc34d36d9e6
Auto-Submitted: auto-generated
Date: Sat, 13 Jun 2026 01:03:55 +0000
Message-Id: <6a2cac7b.2052d.1f070fc0@gitrepo.freebsd.org>

The branch stable/15 has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=b52346b34159eb364e52b87a6c3a5bc34d36d9e6

commit b52346b34159eb364e52b87a6c3a5bc34d36d9e6
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2026-06-05 20:21:59 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2026-06-13 00:58:36 +0000

    exit1(9): do not deadlock if exit is called due to PT_SC_REMOTERQ
    
    (cherry picked from commit a2cfe535771ded3ca8526bae405a5b61f71f1f33)
---
 sys/compat/linux/linux_fork.c |  4 +--
 sys/compat/linux/linux_misc.c |  4 +--
 sys/kern/kern_exec.c          | 13 +++++-----
 sys/kern/kern_exit.c          | 57 ++++++++++++++++++++++++++++++++++++++++---
 sys/kern/kern_fork.c          |  3 ++-
 sys/kern/kern_ucoredump.c     |  4 +--
 sys/sys/proc.h                |  4 ++-
 sys/sys/signalvar.h           |  2 +-
 sys/sys/syscallsubr.h         |  1 +
 9 files changed, 72 insertions(+), 20 deletions(-)

diff --git a/sys/compat/linux/linux_fork.c b/sys/compat/linux/linux_fork.c
index 1c9189162a09..24c5d3351623 100644
--- a/sys/compat/linux/linux_fork.c
+++ b/sys/compat/linux/linux_fork.c
@@ -486,8 +486,8 @@ linux_exit(struct thread *td, struct linux_exit_args *args)
 	 * exit via pthread_exit() try thr_exit() first.
 	 */
 	kern_thr_exit(td);
-	exit1(td, args->rval, 0);
-		/* NOTREACHED */
+	kern_exit(td, args->rval, 0);
+	return (0);
 }
 
 int
diff --git a/sys/compat/linux/linux_misc.c b/sys/compat/linux/linux_misc.c
index 937b010c8435..8eaa6e7831c3 100644
--- a/sys/compat/linux/linux_misc.c
+++ b/sys/compat/linux/linux_misc.c
@@ -1544,8 +1544,8 @@ linux_exit_group(struct thread *td, struct linux_exit_group_args *args)
 	 * SIGNAL_EXIT_GROUP is set. We ignore that (temporarily?)
 	 * as it doesnt occur often.
 	 */
-	exit1(td, args->error_code, 0);
-		/* NOTREACHED */
+	kern_exit(td, args->error_code, 0);
+	return (0);
 }
 
 #define _LINUX_CAPABILITY_VERSION_1  0x19980330
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 417c7da19449..e7552bab6005 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -341,11 +341,11 @@ post_execve(struct thread *td, int error, struct vmspace *oldvmspace)
 }
 
 /*
- * kern_execve() has the astonishing property of not always returning to
- * the caller.  If sufficiently bad things happen during the call to
- * do_execve(), it can end up calling exit1(); as a result, callers must
- * avoid doing anything which they might need to undo (e.g., allocating
- * memory).
+ * kern_execve() has the astonishing property of not always returning
+ * to the caller.  If sufficiently bad things happen during the call
+ * to do_execve(), it can end up calling exit2(). Callers must avoid
+ * doing anything which they might need to undo (e.g., allocating
+ * memory), unless called from the ptrace(PT_SC_REMOTERQ) handler.
  */
 int
 kern_execve(struct thread *td, struct image_args *args, struct mac *mac_p,
@@ -1042,8 +1042,7 @@ exec_fail:
 	if (error && imgp->vmspace_destroyed) {
 		/* sorry, no more process anymore. exit gracefully */
 		exec_cleanup(td, oldvmspace);
-		exit1(td, 0, SIGABRT);
-		/* NOT REACHED */
+		kern_exit(td, 0, SIGABRT);
 	}
 
 #ifdef KTRACE
diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c
index 18ea3a7bd29d..63e46dcf46f7 100644
--- a/sys/kern/kern_exit.c
+++ b/sys/kern/kern_exit.c
@@ -204,9 +204,8 @@ exit_onexit(struct proc *p)
 int
 sys__exit(struct thread *td, struct _exit_args *uap)
 {
-
-	exit1(td, uap->rval, 0);
-	__unreachable();
+	kern_exit(td, uap->rval, 0);
+	return (0);
 }
 
 void
@@ -216,6 +215,48 @@ proc_set_p2_wexit(struct proc *p)
 	p->p_flag2 |= P2_WEXIT;
 }
 
+static void
+ast_async_exit(struct thread *td, int asts)
+{
+	struct proc *p;
+
+	p = td->td_proc;
+	if ((p->p_flag & P_ASYNC_EXIT) != 0)
+		exit1(td, p->p_xexit, p->p_asig);
+}
+
+/*
+ * The variation on exit1() intended to be used in the syscall
+ * handlers.  Unlike exit1(), it might delay the current process exit
+ * to ast.  This is needed e.g. when _exit(2) is executed due to the
+ * ptrace(PT_SC_REMOTERQ), which must do more work after the syscall
+ * handler call.
+ */
+void
+kern_exit(struct thread *td, int rval, int signo)
+{
+	struct proc *p;
+
+	KASSERT(rval == 0 || signo == 0,
+	    ("kern_exit rv %d sig %d", rval, signo));
+
+	p = td->td_proc;
+	if ((td->td_dbgflags & TDB_SCREMOTEREQ) != 0) {
+		PROC_LOCK(p);
+		p->p_xexit = rval;
+		p->p_asig = signo;
+		p->p_flag |= P_ASYNC_EXIT;
+		ast_sched(td, TDA_ASYNC_EXIT);
+		PROC_UNLOCK(p);
+		return;
+	}
+	if ((p->p_flag & P_ASYNC_EXIT) != 0) {
+		rval = p->p_xexit;
+		signo = p->p_asig;
+	}
+	exit1(td, rval, signo);
+}
+
 /*
  * Exit: deallocate address space and other resources, change proc state to
  * zombie, and unlink proc from allproc and parent's lists.  Save exit status
@@ -231,6 +272,7 @@ exit1(struct thread *td, int rval, int signo)
 
 	mtx_assert(&Giant, MA_NOTOWNED);
 	KASSERT(rval == 0 || signo == 0, ("exit1 rv %d sig %d", rval, signo));
+	MPASS((td->td_dbgflags & TDB_SCREMOTEREQ) == 0);
 	TSPROCEXIT(td->td_proc->p_pid);
 
 	p = td->td_proc;
@@ -828,7 +870,7 @@ out:
 	sbuf_delete(sb);
 	PROC_LOCK(p);
 	sigexit(td, sig);
-	/* NOTREACHED */
+	return (0);
 }
 
 #ifdef COMPAT_43
@@ -1627,3 +1669,10 @@ proc_reparent(struct proc *child, struct proc *parent, bool set_oppid)
 	if (set_oppid)
 		child->p_oppid = parent->p_pid;
 }
+
+static void
+initexit(void *dummy __unused)
+{
+	ast_register(TDA_ASYNC_EXIT, ASTR_ASTF_REQUIRED, 0, ast_async_exit);
+}
+SYSINIT(exit, SI_SUB_EXEC, SI_ORDER_ANY, initexit, NULL);
diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
index a453af959bb1..edbb61e0e68b 100644
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@@ -66,6 +66,7 @@
 #include <sys/signalvar.h>
 #include <sys/sx.h>
 #include <sys/syscall.h>
+#include <sys/syscallsubr.h>
 #include <sys/sysent.h>
 #include <sys/sysproto.h>
 #include <sys/vmmeter.h>
@@ -1265,7 +1266,7 @@ fork_return(struct thread *td, struct trapframe *frame)
 	 * If the prison was killed mid-fork, die along with it.
 	 */
 	if (!prison_isalive(td->td_ucred->cr_prison))
-		exit1(td, 0, SIGKILL);
+		kern_exit(td, 0, SIGKILL);
 
 #ifdef KTRACE
 	if (KTRPOINT(td, KTR_SYSRET))
diff --git a/sys/kern/kern_ucoredump.c b/sys/kern/kern_ucoredump.c
index d425596b5f24..e08490fbf7b1 100644
--- a/sys/kern/kern_ucoredump.c
+++ b/sys/kern/kern_ucoredump.c
@@ -46,6 +46,7 @@
 #include <sys/racct.h>
 #include <sys/resourcevar.h>
 #include <sys/rmlock.h>
+#include <sys/syscallsubr.h>
 #include <sys/sysctl.h>
 #include <sys/syslog.h>
 #include <sys/ucoredump.h>
@@ -197,8 +198,7 @@ sigexit(struct thread *td, int sig)
 			    err != NULL ? err : "");
 	} else
 		PROC_UNLOCK(p);
-	exit1(td, 0, sig);
-	/* NOTREACHED */
+	kern_exit(td, 0, sig);
 }
 
 
diff --git a/sys/sys/proc.h b/sys/sys/proc.h
index 7c4431ab0819..4ad22d46b5bb 100644
--- a/sys/sys/proc.h
+++ b/sys/sys/proc.h
@@ -504,6 +504,7 @@ enum {
 	TDA_MOD3,		/* .. and after */
 	TDA_MOD4,
 	TDA_SCHED_PRIV,
+	TDA_ASYNC_EXIT,
 	TDA_MAX,
 };
 #define	TDAI(tda)		(1U << (tda))
@@ -777,6 +778,7 @@ struct proc {
 
 	TAILQ_HEAD(, kq_timer_cb_data)	p_kqtim_stop;	/* (c) */
 	LIST_ENTRY(proc) p_jaillist;	/* (d) Jail process linkage. */
+	u_int		p_asig;		/* (c) ASYNCEXIT pending signal. */
 };
 
 #define	p_session	p_pgrp->pg_session
@@ -842,7 +844,7 @@ struct proc {
 #define	P_INEXEC	0x04000000	/* Process is in execve(). */
 #define	P_STATCHILD	0x08000000	/* Child process stopped or exited. */
 #define	P_INMEM		0x10000000	/* Loaded into memory, always set. */
-#define	P_UNUSED1	0x20000000	/* --available-- */
+#define	P_ASYNC_EXIT	0x20000000	/* XXX */
 #define	P_UNUSED2	0x40000000	/* --available-- */
 #define	P_PPTRACE	0x80000000	/* PT_TRACEME by vforked child. */
 
diff --git a/sys/sys/signalvar.h b/sys/sys/signalvar.h
index 8f181b7beee6..96bb77fc5fc8 100644
--- a/sys/sys/signalvar.h
+++ b/sys/sys/signalvar.h
@@ -398,7 +398,7 @@ int	sigacts_shared(struct sigacts *ps);
 int	sig_ast_checksusp(struct thread *td);
 int	sig_ast_needsigchk(struct thread *td);
 void	sig_drop_caught(struct proc *p);
-void	sigexit(struct thread *td, int sig) __dead2;
+void	sigexit(struct thread *td, int sig);
 int	sigev_findtd(struct proc *p, struct sigevent *sigev, struct thread **);
 void	sigfastblock_clear(struct thread *td);
 void	sigfastblock_fetch(struct thread *td);
diff --git a/sys/sys/syscallsubr.h b/sys/sys/syscallsubr.h
index 1154e73a6fd3..23fa6a74f16f 100644
--- a/sys/sys/syscallsubr.h
+++ b/sys/sys/syscallsubr.h
@@ -142,6 +142,7 @@ int	kern_cpuset_setid(struct thread *td, cpuwhich_t which,
 int	kern_dup(struct thread *td, u_int mode, int flags, int old, int new);
 int	kern_execve(struct thread *td, struct image_args *args,
 	    struct mac *mac_p, struct vmspace *oldvmspace);
+void	kern_exit(struct thread *, int, int);
 int	kern_extattr_delete_fd(struct thread *td, int fd, int attrnamespace,
 	    const char *attrname);
 int	kern_extattr_delete_path(struct thread *td, const char *path,