Style:

if (has_ptrace_fork) {
...
}

I am not sure about usefulness of __prefict_false() there. I agree that has_ptrace_fork is almost always false, but it is not clear if the hint makes any change.

Again style. Also compact the conditions into single if:

if ((p2->p_pptr->p_ptevents & PTRACE_FORK)  != 0 &&
    (td2->td_dbgflags & TDB_STOPATFORK) != 0) {

bool ?

Remove spaces after '(' and before ')',

I do wonder if we couldn't collapse the logic a bit so that it was all in one place instead of splitting it up. I think we can't move this logic up, but not sure if we couldn't move the earlier logic down into here?

Can you do 's/p2->p_pptr/p1/' here?

I would move the KTR_PTRACE for "attaching to forked child" here since this is now when the attach happens. (Would have to change the function name to no longer be fork_return)

this is after,
_PRELE(p1);
PROC_UNLOCK(p1);

so I am not sure if p1 is still valid / parent. Don't know the locking semantics

If it is not, the proc_reparent call is probably wrong
proc_reparent(p2, p1->p_pptr);

In fact p1 is used just after the unlock, so it is probably valid, I just don't know why. And I am not sure that the use guarantees it is still p2's parent.

Any thoughts?

p1 is just a different name for curproc.

And td2 still cannot execute because it is unknown to the scheduler. sched_add() is done later, so it cannot exit and be reparented. Since p1 is curproc and we are executing in its context, p1 cannot exit and p2 cannot be re-childed (silly pun) from p1.

Yep, fork1 is called with the current thread or thread0 only, so yes p1 is safe.

Use the same style != 0 as at line 751.

After looking at your variant of code, I do not see why the recheck is useful. You do not lock p1 there, so the race with unlocked read of p1->p_ptevents is the same as without the re-read.

My reasoning:

From my last comment: p1->p_ptevents is protected for PTRACE_FORK & PTRACE_LWP by both p1's lock and proctree_lock in kern_ptrace. And all other (unlocked) modifications to p_ptevents preserve those flags.

We need to check that p1 is still traced else p1->p_pptr might not be a debugger. Both p1->p_flag P_TRACED and p1->p_ptevents PTRACE_FORK are proctected by proctree_lock, so PTRACE_FORK implies P_TRACED and that p->p_pptr is a tracer.

Thus the recheck.

You changed from the declared locking model to the de-facto occuring locking model then, this cannot happen in ad-hoc mode. At least, you need to add a note to the proc.h both to the locking annotation for p_ptevents and to the PTRACE_FORK symbol itself, and perhaps add a comment there too, explaining why p1 lock is not taken, but the recheck under proctree is enough.

I am a little confused. I can't figure out the difference in the locking before and after the patch, so maybe there is another thing I am missing.

The old code in fork_return:
sx_xlock(&proctree_lock);
PROC_LOCK(p)
if (p->p_pptr->p_ptevents & PTRACE_FORK) {
....

p->p_pptr lock is not taken, same as the:

new code in do_fork

+ sx_xlock(&proctree_lock);
+ PROC_LOCK(p2);
+ if ((p1->p_ptevents & PTRACE_FORK) != 0) {
+ /*

Will look into the annotation and adding a comment, but if the old code depended on the same guarantees probably a separate commit ?

I am not sure where to put the blame, on the old code, on the existing annotation, or both. But it is clear that according to the rules from proc.h, the read of PTRACE_FORK in the old code should be considered unlocked:

	u_int		p_ptevents;	/* (c) ptrace() event mask. */
 *      c - locked by proc mtx

I think it is fine to update the locking annotation first. Your commit should add an explicit comment into the new code still, IMO.

Thanks. My question was if I have involuntary changed something in the locking that I have totally missed.

I went through the code again and the whole p_ptevents is always protected by proctree_lock with two exceptions - cleared in exit1 and in ptracestop if process is killed. Both will not affect the code in do_fork, but what would be proper annotation - "(c + e) unless process is exiting" ?

I think just c+e is enough there.