svn commit: r255882 - head/sys/kern

[Konstantin Belousov]

Author: kib
Date: Thu Sep 26 13:17:31 2013
New Revision: 255882
URL: http://svnweb.freebsd.org/changeset/base/255882

Log:
  Do not allow negative timeouts for kqueue timers, check for the
  negative timeout both before and after the conversion to sbintime_t.
  
  For periodic kqueue timer, convert zero timeout into 1ms, to avoid
  interrupt storm on fast event timers.
  
  Reported and tested by:	pho
  Discussed with:	mav
  Reviewed by:	davide
  Sponsored by:	The FreeBSD Foundation
  Approved by:	re (marius)

Modified:
  head/sys/kern/kern_event.c

Modified: head/sys/kern/kern_event.c
==============================================================================
--- head/sys/kern/kern_event.c	Thu Sep 26 13:15:33 2013	(r255881)
+++ head/sys/kern/kern_event.c	Thu Sep 26 13:17:31 2013	(r255882)
@@ -554,8 +554,17 @@ static int
 filt_timerattach(struct knote *kn)
 {
 	struct callout *calloutp;
+	sbintime_t to;
 	unsigned int ncallouts;
 
+	if ((intptr_t)kn->kn_sdata < 0)
+		return (EINVAL);
+	if ((intptr_t)kn->kn_sdata == 0 && (kn->kn_flags & EV_ONESHOT) == 0)
+		kn->kn_sdata = 1;
+	to = timer2sbintime(kn->kn_sdata);
+	if (to < 0)
+		return (EINVAL);
+
 	ncallouts = atomic_load_explicit(&kq_ncallouts, memory_order_relaxed);
 	do {
 		if (ncallouts >= kq_calloutmax)
@@ -569,8 +578,7 @@ filt_timerattach(struct knote *kn)
 	calloutp = malloc(sizeof(*calloutp), M_KQUEUE, M_WAITOK);
 	callout_init(calloutp, CALLOUT_MPSAFE);
 	kn->kn_hook = calloutp;
-	callout_reset_sbt_on(calloutp,
-	    timer2sbintime(kn->kn_sdata), 0 /* 1ms? */,
+	callout_reset_sbt_on(calloutp, to, 0 /* 1ms? */,
 	    filt_timerexpire, kn, PCPU_GET(cpuid), 0);
 
 	return (0);