diff --git a/sys/kern/kern_proc.c b/sys/kern/kern_proc.c --- a/sys/kern/kern_proc.c +++ b/sys/kern/kern_proc.c @@ -761,7 +761,13 @@ n = PGRP_HASH(pgid); prg = &procglob[n]; if ((np = pfindn(savepid)) == NULL || np != p) { - lwkt_reltoken(&prg->proc_token); + /* + * prg->proc_token is NOT held here: pfindn() never + * returns with the token held (curproc shortcut at + * :554 or hash-path releases at :568/:572), and + * enterpgrp() acquires it only on the success path + * at :770 below. Do not release it. + */ error = ESRCH; kfree(pgrp, M_PGRP); goto fatal; }