CVS commit: src/sys/kern

[Andrew Doran]

Module Name:    src
Committed By:   ad
Date:           Sat Feb 22 21:07:46 UTC 2020

Modified Files:
        src/sys/kern: kern_exit.c

Log Message:
exit1(): remove from the radix tree before setting zombie status, as
radix_tree_remove_node() can block on locks when freeing.

Reported-by: syzbot+02bf066c30f812b14...@syzkaller.appspotmail.com


To generate a diff of this commit:
cvs rdiff -u -r1.283 -r1.284 src/sys/kern/kern_exit.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/kern/kern_exit.c
diff -u src/sys/kern/kern_exit.c:1.283 src/sys/kern/kern_exit.c:1.284
--- src/sys/kern/kern_exit.c:1.283	Sat Feb 15 18:12:15 2020
+++ src/sys/kern/kern_exit.c	Sat Feb 22 21:07:46 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_exit.c,v 1.283 2020/02/15 18:12:15 ad Exp $	*/
+/*	$NetBSD: kern_exit.c,v 1.284 2020/02/22 21:07:46 ad Exp $	*/
 
 /*-
  * Copyright (c) 1998, 1999, 2006, 2007, 2008, 2020 The NetBSD Foundation, Inc.
@@ -67,7 +67,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_exit.c,v 1.283 2020/02/15 18:12:15 ad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exit.c,v 1.284 2020/02/22 21:07:46 ad Exp $");
 
 #include "opt_ktrace.h"
 #include "opt_dtrace.h"
@@ -551,6 +551,11 @@ exit1(struct lwp *l, int exitcode, int s
 	pcu_discard_all(l);
 
 	mutex_enter(p->p_lock);
+	/* Don't bother with p_treelock as no other LWPs remain. */
+	l2 = radix_tree_remove_node(&p->p_lwptree, (uint64_t)(l->l_lid - 1));
+	KASSERT(l2 == l);
+	KASSERT(radix_tree_empty_tree_p(&p->p_lwptree));
+	radix_tree_fini_tree(&p->p_lwptree);
 	/* Free the linux lwp id */
 	if ((l->l_pflag & LP_PIDLID) != 0 && l->l_lid != p->p_pid)
 		proc_free_pid(l->l_lid);
@@ -566,11 +571,6 @@ exit1(struct lwp *l, int exitcode, int s
 	p->p_nrlwps--;
 	p->p_nzlwps++;
 	p->p_ndlwps = 0;
-	/* Don't bother with p_treelock as no other LWPs remain. */
-	l2 = radix_tree_remove_node(&p->p_lwptree, (uint64_t)(l->l_lid - 1));
-	KASSERT(l2 == l);
-	KASSERT(radix_tree_empty_tree_p(&p->p_lwptree));
-	radix_tree_fini_tree(&p->p_lwptree);
 	mutex_exit(p->p_lock);
 
 	/*