From 07d260329accf8a3f24fb96d1c9b7b981fd53f1b Mon Sep 17 00:00:00 2001
From: claudio
Date: Tue, 22 Oct 2024 11:54:04 +0000
Subject: [PATCH] Protect the ps_pgrp pointer by either the KERNEL_LOCK or the ps_mtx. This should be enough to be on the safe side when unlocking ptsignal where a pr->ps_pgrp->pg_jobc == 0 check happens. OK mpi@ kettenis@
---
 sys/kern/kern_proc.c | 6 +++++-
 sys/kern/kern_sig.c | 8 ++++++--
 sys/sys/proc.h | 4 ++--
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/sys/kern/kern_proc.c b/sys/kern/kern_proc.c
index f061b06cffe..7abbab5fd48 100644
--- a/sys/kern/kern_proc.c
+++ b/sys/kern/kern_proc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_proc.c,v 1.100 2024/10/15 13:49:26 claudio Exp $ */
+/* $OpenBSD: kern_proc.c,v 1.101 2024/10/22 11:54:04 claudio Exp $ */
 /* $NetBSD: kern_proc.c,v 1.14 1996/02/09 18:59:41 christos Exp $ */
 /*
@@ -319,7 +319,9 @@ enterthispgrp(struct process *pr, struct pgrp *pgrp)
 fixjobc(pr, savepgrp, 0);
 LIST_REMOVE(pr, ps_pglist);
+ mtx_enter(&pr->ps_mtx);
 pr->ps_pgrp = pgrp;
+ mtx_leave(&pr->ps_mtx);
 LIST_INSERT_HEAD(&pgrp->pg_members, pr, ps_pglist);
 if (LIST_EMPTY(&savepgrp->pg_members))
 pgdelete(savepgrp);
@@ -337,7 +339,9 @@ leavepgrp(struct process *pr)
 LIST_REMOVE(pr, ps_pglist);
 if (LIST_EMPTY(&pr->ps_pgrp->pg_members))
 pgdelete(pr->ps_pgrp);
+ mtx_enter(&pr->ps_mtx);
 pr->ps_pgrp = NULL;
+ mtx_leave(&pr->ps_mtx);
 }
 /*
diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c
index 98edd7378d5..6d3800ccdb0 100644
--- a/sys/kern/kern_sig.c
+++ b/sys/kern/kern_sig.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_sig.c,v 1.343 2024/10/17 09:11:35 claudio Exp $ */
+/* $OpenBSD: kern_sig.c,v 1.344 2024/10/22 11:54:04 claudio Exp $ */
 /* $NetBSD: kern_sig.c,v 1.54 1996/04/22 01:38:32 christos Exp $ */
 /*
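Review bot: The new `mtx_enter(&pr->ps_mtx)` around the `pr->ps_pgrp` store in enterthispgrp (and the same pattern in the leavepgrp hunk below it) makes ps_mtx the lock a writer must hold, but neither hunk asserts that the KERNEL_LOCK is held as well, which the `[K|m]` discipline depends on so that K-only readers such as the `LIST_EMPTY(&pr->ps_pgrp->pg_members)` line a few lines above the leavepgrp store stay safe. Adding `KERNEL_ASSERT_LOCKED();` at the top of both functions would turn that assumption into a check in debug kernels. The mutex is held only across the single pointer store and no other lock is taken inside it, so no new lock-ordering constraint is introduced. Both function bodies start outside their hunks.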
@@ -1436,10 +1436,14 @@ cursig(struct proc *p, struct sigctx *sctx, int deep)
 * process group, ignore tty stop signals.
 */
 if (prop & SA_STOP) {
+ mtx_enter(&pr->ps_mtx);
 if (pr->ps_flags & PS_TRACED ||
 (pr->ps_pgrp->pg_jobc == 0 &&
- prop & SA_TTYSTOP))
+ prop & SA_TTYSTOP)) {
+ mtx_leave(&pr->ps_mtx);
 break; /* == ignore */
+ }
+ mtx_leave(&pr->ps_mtx);
 pr->ps_xsig = signum;
 SCHED_LOCK();
 proc_stop(p, 1);
diff --git a/sys/sys/proc.h b/sys/sys/proc.h
index 4667ddb9d62..b76f2bb1cc9 100644
--- a/sys/sys/proc.h
+++ b/sys/sys/proc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: proc.h,v 1.375 2024/10/15 13:49:26 claudio Exp $ */
+/* $OpenBSD: proc.h,v 1.376 2024/10/22 11:54:05 claudio Exp $ */
 /* $NetBSD: proc.h,v 1.44 1996/04/22 01:23:21 christos Exp $ */
 /*-
@@ -227,7 +227,7 @@ struct process {
 /* The following fields are all copied upon creation in process_new. */
 #define ps_startcopy ps_limit
 struct plimit *ps_limit; /* [m,R] Process limits. */
- struct pgrp *ps_pgrp; /* Pointer to process group. */
+ struct pgrp *ps_pgrp; /* [K|m] Pointer to process group. */
 char ps_comm[_MAXCOMLEN]; /* command name, incl NUL */
-- 
2.20.1
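Review bot: The ignore path in the new cursig code releases ps_mtx in two near-identical places, one `mtx_leave(&pr->ps_mtx)` inside the new braces before `break` and another right after the `if`, which is easy to get out of step the next time this condition is edited. Evaluating the ignore condition into a local while the mutex is held and leaving it once keeps a single unlock on every path; the rewritten lines are below. The mutex scope stays limited to the two field reads, as in the hunk, and it is still dropped before `SCHED_LOCK()`. cursig's body starts and ends outside the hunk.
```c
	if (prop & SA_STOP) {
		int ignore;

		mtx_enter(&pr->ps_mtx);
		ignore = (pr->ps_flags & PS_TRACED) ||
		    (pr->ps_pgrp->pg_jobc == 0 && (prop & SA_TTYSTOP));
		mtx_leave(&pr->ps_mtx);
		if (ignore)
			break;	/* == ignore */
		/* … unchanged: ps_xsig assignment, SCHED_LOCK(), proc_stop() … */
```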
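Review bot: The new `[K|m]` tag on `ps_pgrp` does not say which lock a writer needs; the kern_proc.c hunks in this commit take ps_mtx for the store while, per the commit message, also relying on the KERNEL_LOCK, so a reader of the header has to infer that `|` means either lock for reading and both for writing. If the locking legend at the top of the file does not already define that notation, spelling it out on the field avoids the guess: `struct pgrp *ps_pgrp; /* [K|m] Pointer to process group; read under K or m, written with both held. */`. The struct process definition continues outside the hunk.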