From: Vitaliy Makkoveev
Subject: Re: [EXT] Re: Kernel protection fault in fill_kproc()
To: Gerhard Roth, "dv@sisu.io", "tech@openbsd.org", Carsten Beckmann
Date: Wed, 13 Aug 2025 15:44:42 +0300

On Wed, Aug 13, 2025 at 02:36:29PM +0200, Martin Pieuchot wrote:
> On 13/08/25(Wed) 13:49, Claudio Jeker wrote:
> > On Wed, Aug 13, 2025 at 11:42:15AM +0000, Gerhard Roth wrote:
> > > On Wed, 2025-08-13 at 14:32 +0300, Vitaliy Makkoveev wrote:
> > > > Gerhard, does this diff help?
> > >
> > > Yes, for me this fixes the problem.
> > >
> > > OK gerhard@
> >
> > Please don't do this. Because depending on the parent the process may
> > be zapped or not.
>
> I agree.
>
> > Why can't we adjust fill_kproc the way I said it should be done?
>
> That's what my diff does. That's what I believe we should do.

Your diff will not work as you expected. You set the PS_ZOMBIE bit in the
kernel locked section after the unlocked uvm_exit(pr) call. Why are you sure
the fill_kproc() thread will be the winner and perform the locked
if ((pr->ps_flags & (PS_ZOMBIE|PS_EXITING)) == 0) check with the
uvmspace_addref(vm) before the uvm_exit(pr) thread?
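The ordering problem raised in the last paragraph, as an added example that is not code from the thread or from OpenBSD: a deterministic model of the two interleavings, using the thread's names (ps_flags, PS_ZOMBIE, PS_EXITING, uvm_exit, uvmspace_addref, fill_kproc) only as labels for the modelled steps; the refcount/freed bookkeeping and the `model_` prefix are assumptions of the model.

```c
/* Added example: a model of the interleaving discussed in the thread.
 * Not OpenBSD code; flag values and the vmspace bookkeeping are constructed. */
#include <stdbool.h>

#define PS_EXITING 0x1
#define PS_ZOMBIE  0x2

struct vmspace { int refcnt; bool freed; };
struct process { int ps_flags; struct vmspace *ps_vmspace; };

/* Exiting thread's teardown step, run without the kernel lock (model). */
static void model_uvm_exit(struct process *pr)
{
	struct vmspace *vm = pr->ps_vmspace;
	if (--vm->refcnt == 0)
		vm->freed = true;	/* address space is gone from here on */
}

/* The check quoted in the thread, run under the kernel lock (model).
 * Returns true when a reference is taken on an already torn-down vmspace. */
static bool model_fill_kproc(struct process *pr)
{
	if ((pr->ps_flags & (PS_ZOMBIE|PS_EXITING)) == 0) {
		struct vmspace *vm = pr->ps_vmspace;
		vm->refcnt++;		/* uvmspace_addref(vm) */
		return vm->freed;	/* addref after teardown: the bug */
	}
	return false;
}

/* Interleaving A: PS_ZOMBIE is set only after uvm_exit(); the fill_kproc()
 * thread takes the kernel lock in between and passes the check. */
bool race_zombie_set_after_uvm_exit(void)
{
	struct vmspace vm = { .refcnt = 1, .freed = false };
	struct process pr = { .ps_flags = 0, .ps_vmspace = &vm };

	model_uvm_exit(&pr);			/* exiting thread, unlocked */
	bool bad = model_fill_kproc(&pr);	/* reader wins the lock first */
	pr.ps_flags |= PS_ZOMBIE;		/* flag arrives too late */
	return bad;
}

/* Interleaving B: a flag the check tests is already set before the teardown,
 * which is the property the check needs to be meaningful. */
bool flag_set_before_uvm_exit(void)
{
	struct vmspace vm = { .refcnt = 1, .freed = false };
	struct process pr = { .ps_flags = 0, .ps_vmspace = &vm };

	pr.ps_flags |= PS_EXITING;		/* published before teardown */
	model_uvm_exit(&pr);
	return model_fill_kproc(&pr);		/* check now rejects the process */
}
```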