Date: Sat, 1 Feb 2003 15:14:39 -0800
From: Zachary Amsden
Subject: [4.1] Bug in calcru?
To: freebsd-hackers@freebsd.org
Message-Id: <17f41996.4f9133b6.819db00@alpo.mirapoint.com>

I believe that spl() protection is required here; in fact, that it should be
extended to cover the read of p->p_runtime as well. These are all 64-bit
integers, so on IA32, the worst case is two consecutive off-by-one reads
during overflow - i.e. reading 0xffffffff 0x00000002 instead of
0x00000000 0x00000002. That is a rather significant difference, and since
the numbers used in computation here become part of a kassert() later, a
rather dangerous one. Alternatively, a 64-bit atomic read could be used.

On FreeBSD-current, this entire operation is protected by a mutex, which
looks safe to me, but in 4.1, this looks like a bug:

void
calcru(p, up, sp, ip)
	struct proc *p;
	struct timeval *up;
	struct timeval *sp;
	struct timeval *ip;
{
	/* {user, system, interrupt, total} {ticks, usec}; previous tu: */
	u_int64_t ut, uu, st, su, it, iu, tt, tu, ptu;
	int s;
	struct timeval tv;

	/* XXX: why spl-protect ?  worst case is an off-by-one report */
	s = splstatclock();
	ut = p->p_uticks;
	st = p->p_sticks;
	it = p->p_iticks;
	splx(s);

	tt = ut + st + it;
	if (tt == 0) {
		st = 1;
		tt = 1;
	}

	tu = p->p_runtime;

"A plague upon all your houses" - last words of Waldo Semon
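
The torn read described in the message above, as an added user-space model that is not part of the original post and is not FreeBSD code. The names ctr64, tick, intr_point, read64 and demo are hypothetical, the blocked/pending flags only stand in for splstatclock()/splx(), and the low-word-first load order is an assumption about the compiler.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not FreeBSD code: a u_int64_t counter as IA32 sees it,
 * two 32-bit words that are loaded by separate instructions. */
struct ctr64 { volatile uint32_t lo, hi; };

static int blocked, pending;      /* stand-ins for the spl level */

/* Statclock-style update: increment with carry into the high word. */
static void tick(struct ctr64 *c) { if (++c->lo == 0) c->hi++; }

/* A point where the interrupt fires, unless it is currently blocked. */
static void intr_point(struct ctr64 *c)
{
    if (blocked) pending = 1; else tick(c);
}

/* Assumes the compiler loads the low word first, then the high word. */
static uint64_t read64(struct ctr64 *c, int protect)
{
    uint32_t lo, hi;

    blocked = protect;            /* s = splstatclock(); */
    lo = c->lo;
    intr_point(c);                /* interrupt arrives between the loads */
    hi = c->hi;
    blocked = 0;                  /* splx(s); */
    if (pending) { pending = 0; tick(c); }  /* deferred interrupt runs now */
    return ((uint64_t)hi << 32) | lo;
}

/* Read a counter that is one tick away from a low-word overflow. */
static uint64_t demo(int protect, uint64_t *after)
{
    struct ctr64 c = { 0xffffffffu, 0x00000001u };
    uint64_t seen = read64(&c, protect);

    *after = ((uint64_t)c.hi << 32) | c.lo;
    return seen;
}

int main(void)
{
    uint64_t after;
    uint64_t torn = demo(0, &after), ok = demo(1, &after);

    printf("unprotected: 0x%016llx\n", (unsigned long long)torn);
    printf("protected:   0x%016llx (counter now 0x%016llx)\n",
        (unsigned long long)ok, (unsigned long long)after);
    return 0;
}
```

The unprotected read returns a value the counter never held, about 2^32 ticks above both the value before and the value after the update, which is the kind of input a later consistency assertion would trip on.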