Venkatesh Srinivas <vsrinivas@dragonflybsd.org> added the comment:

Hi,

I just saw a patch, 49aa3df0ca3e226c0a0d7097863a2426ee6fd534, go in to fix this issue; it adds:

+
+	/*
+	 * Temporary refs may still have been acquired while
+	 * we removed the process, make sure they are all
+	 * gone before kfree()ing. Now that the process has
+	 * been removed from all lists and all references to
+	 * it have gone away, no new refs can occur.
+	 */
+	while (p->p_lock)
+		tsleep(p, 0, "reap4", hz);
 	kfree(p, M_PROC);

First, is anything required to ensure that p->p_lock is really loaded each loop iteration? Is the compiler allowed to optimize away the load after the first loop?

Second, I don't understand how this is safe; the problem here is that another code path obtained a reference to this process and was using it when the kfree() happened. What prevents this?

        A                               B
       ....
   vm_waitproc(p)
   while(p->p_lock)
       tsleep(...)
                                   /* get reference to process */
                                   PHOLD(p)
   kfree(p)                        /* HEY! */

Thanks,
-- vs

_____________________________________________________
DragonFly issue tracker <bugs@lists.dragonflybsd.org>
<http://bugs.dragonflybsd.org/issue1996>
_____________________________________________________
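Review bot: the comment in this hunk asserts that "no new refs can occur" because the process "has been removed from all lists", but nothing in the hunk shows which lock serializes that removal against a concurrent lookup-and-hold, and the `while (p->p_lock)` loop cannot protect a caller that already holds a bare pointer to p; the comment should name that lock (or the rule that every hold path takes it before touching p_lock) so the invariant the kfree() relies on can be checked. The loop also reads `p->p_lock` as a plain field: it is reloaded on each iteration only because `tsleep()` is an opaque call that takes `p`, so an explicit volatile or atomic read, or at least a comment stating that dependency, would make the intent clear, and whoever drops p_lock to zero should issue a wakeup on p, otherwise this loop only rechecks once per hz.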
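An added example, not DragonFly's code and not the patch under discussion: a user-space C model of the hold/reap lifecycle that both questions above concern. The field name p_lock and the shape of the wait loop follow the patch; everything else (proc_create, proc_lookup_hold, proc_release, proc_unlink, proc_try_free, proc_reap, ptable, ptable_lock) is invented for the illustration and is not the kernel's PHOLD/vm_waitproc. It shows the two things a practitioner would want to see: the reference is taken under the same lock the reaper uses to unlink the process, which is what makes "no new refs can occur" true, and the wait loop reads p_lock with an explicit atomic load rather than trusting the compiler to reload a plain field.

```c
/* Added example, not DragonFly kernel code: a user-space model of a process
 * hold/reap lifecycle. Every name here except p_lock is invented for it. */
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

#define NPROC 8

struct proc {
    atomic_int p_lock;   /* temporary references outstanding (PHOLD analogue) */
    int        p_pid;
};

/* Pid table, indexed by pid % NPROC, and the lock that every lookup and every
 * unlink must hold. That lock is what makes "no new refs can occur" true. */
static struct proc *ptable[NPROC];
static atomic_flag ptable_lock = ATOMIC_FLAG_INIT;

static void ptable_acquire(void)
{
    while (atomic_flag_test_and_set_explicit(&ptable_lock, memory_order_acquire))
        sched_yield();
}
static void ptable_release(void) { atomic_flag_clear_explicit(&ptable_lock, memory_order_release); }

struct proc *proc_create(int pid)
{
    struct proc *p = calloc(1, sizeof(*p));
    if (p == NULL)
        return NULL;
    p->p_pid = pid;
    ptable_acquire();
    if (ptable[pid % NPROC] == NULL)
        ptable[pid % NPROC] = p;
    else {
        free(p);                 /* slot taken: one proc per slot in this model */
        p = NULL;
    }
    ptable_release();
    return p;
}

/* Lookup and hold as one step under the table lock: the reference is counted
 * before the lock drops, so it cannot slip in between unlink and free. */
struct proc *proc_lookup_hold(int pid)
{
    ptable_acquire();
    struct proc *p = ptable[pid % NPROC];
    if (p != NULL && p->p_pid == pid)
        atomic_fetch_add_explicit(&p->p_lock, 1, memory_order_acquire);
    else
        p = NULL;
    ptable_release();
    return p;
}

/* Drop a temporary reference (PRELE analogue, name invented here). */
void proc_release(struct proc *p) { atomic_fetch_sub_explicit(&p->p_lock, 1, memory_order_release); }

/* Reaper step 1: unlink under the same lock the lookups use. */
void proc_unlink(struct proc *p)
{
    ptable_acquire();
    if (ptable[p->p_pid % NPROC] == p)
        ptable[p->p_pid % NPROC] = NULL;
    ptable_release();
}

/* Reaper step 2: free only when no reference remains. The atomic load is
 * re-issued on every call instead of relying on a surrounding opaque call. */
bool proc_try_free(struct proc *p)
{
    if (atomic_load_explicit(&p->p_lock, memory_order_acquire) != 0)
        return false;        /* the kernel would tsleep() here and retry */
    free(p);
    return true;
}

void proc_reap(struct proc *p)   /* blocking form of the patch's loop */
{
    proc_unlink(p);
    while (!proc_try_free(p))
        sched_yield();           /* tsleep(p, 0, "reap4", hz) in the kernel */
}

/* Replays the A/B interleaving from the message in one thread; returns 4 when
 * every expected outcome holds. */
int proc_race_demo(void)
{
    struct proc *p = proc_create(42);
    struct proc *held = proc_lookup_hold(42);   /* B takes its reference */
    int ok = (p != NULL && held == p);
    if (!ok)
        return 0;
    proc_unlink(p);                             /* A removes p from the table */
    ok += (proc_lookup_hold(42) == NULL);       /* a late B cannot find p */
    ok += (proc_try_free(p) == false);          /* A must wait: p_lock == 1 */
    proc_release(held);                         /* B drops its reference */
    ok += (proc_try_free(p) == true);           /* now the free is safe */
    return ok;
}
```

The model answers the second question by construction: once proc_unlink has run under ptable_lock, a B that has not yet looked p up can no longer find it, and a B that did look it up is already counted in p_lock, so proc_try_free refuses until it releases. It does not, and cannot, protect a B that kept a bare pointer to p without holding a reference; that is exactly the case the diagram in the message describes, and it has to be ruled out by the rule that every hold goes through the lock, not by the wait loop.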