From: Christian Ludwig <cludwig@genua.de>
Subject: Traverse list of children safely
To: <tech@openbsd.org>
Date: Sat, 2 Aug 2025 11:56:13 +0200

Zombie processes get taken off the list in proc_finish_wait(), either
by reparenting or to zap them. So we need to obtain the next list
element before that.

ok?

---
 sys/kern/kern_exit.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c
index cd37a0d29aa3..aca87688a28e 100644
--- a/sys/kern/kern_exit.c
+++ b/sys/kern/kern_exit.c
@@ -530,7 +530,7 @@ dowait6(struct proc *q, idtype_t idtype, id_t id, int *statusp, int options,
     struct rusage *rusage, siginfo_t *info, register_t *retval)
 {
 	int nfound;
-	struct process *pr;
+	struct process *pr, *npr;
 	int error;
 
 	if (info != NULL)
@@ -539,7 +539,7 @@ dowait6(struct proc *q, idtype_t idtype, id_t id, int *statusp, int options,
 loop:
 	atomic_clearbits_int(&q->p_p->ps_flags, PS_WAITEVENT);
 	nfound = 0;
-	LIST_FOREACH(pr, &q->p_p->ps_children, ps_sibling) {
+	LIST_FOREACH_SAFE(pr, &q->p_p->ps_children, ps_sibling, npr) {
 		mtx_enter(&pr->ps_mtx);
 		if ((pr->ps_flags & PS_NOZOMBIE) ||
 		    (idtype == P_PID && id != pr->ps_pid) ||
-- 
2.34.1