From owner-svn-src-head@FreeBSD.ORG  Tue Dec  4 20:49:40 2012
Return-Path: <owner-svn-src-head@FreeBSD.ORG>
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id 70B727FC;
 Tue,  4 Dec 2012 20:49:40 +0000 (UTC) (envelope-from kib@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 by mx1.freebsd.org (Postfix) with ESMTP id 5489B8FC19;
 Tue,  4 Dec 2012 20:49:40 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
 by svn.freebsd.org (8.14.5/8.14.5) with ESMTP id qB4KnebQ053723;
 Tue, 4 Dec 2012 20:49:40 GMT (envelope-from kib@svn.freebsd.org)
Received: (from kib@localhost)
 by svn.freebsd.org (8.14.5/8.14.5/Submit) id qB4Kneri053720;
 Tue, 4 Dec 2012 20:49:40 GMT (envelope-from kib@svn.freebsd.org)
Message-Id: <201212042049.qB4Kneri053720@svn.freebsd.org>
From: Konstantin Belousov <kib@FreeBSD.org>
Date: Tue, 4 Dec 2012 20:49:40 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r243869 - head/sys/kern
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Dec 2012 20:49:40 -0000

Author: kib
Date: Tue Dec  4 20:49:39 2012
New Revision: 243869
URL: http://svnweb.freebsd.org/changeset/base/243869

Log:
  Fix a race between kern_setitimer() and realitexpire(), where the
  callout is started before kern_setitimer() acquires process mutex, but
  looses a race and kern_setitimer() gets the process mutex before the
  callout.  Then, assuming that new specified struct itimerval has
  it_interval zero, but it_value non-zero, the callout, after it starts
  executing again, clears p->p_realtimer.it_value, but kern_setitimer()
  already rescheduled the callout.
  
  As the result of the race, both p_realtimer is zero, and the callout
  is rescheduled. Then, in the exit1(), the exit code sees that it_value
  is zero and does not even try to stop the callout. This allows the
  struct proc to be reused and eventually the armed callout is
  re-initialized.  The consequence is the corrupted callwheel tailq.
  
  Use process mutex to interlock the callout start, which fixes the race.
  
  Reported and tested by:	pho
  Reviewed by:	jhb
  MFC after:	2 weeks

Modified:
  head/sys/kern/init_main.c
  head/sys/kern/kern_fork.c
  head/sys/kern/kern_time.c

Modified: head/sys/kern/init_main.c
==============================================================================
--- head/sys/kern/init_main.c	Tue Dec  4 20:49:04 2012	(r243868)
+++ head/sys/kern/init_main.c	Tue Dec  4 20:49:39 2012	(r243869)
@@ -498,7 +498,7 @@ proc0_init(void *dummy __unused)
 	strncpy(p->p_comm, "kernel", sizeof (p->p_comm));
 	strncpy(td->td_name, "swapper", sizeof (td->td_name));
 
-	callout_init(&p->p_itcallout, CALLOUT_MPSAFE);
+	callout_init_mtx(&p->p_itcallout, &p->p_mtx, 0);
 	callout_init_mtx(&p->p_limco, &p->p_mtx, 0);
 	callout_init(&td->td_slpcallout, CALLOUT_MPSAFE);
 

Modified: head/sys/kern/kern_fork.c
==============================================================================
--- head/sys/kern/kern_fork.c	Tue Dec  4 20:49:04 2012	(r243868)
+++ head/sys/kern/kern_fork.c	Tue Dec  4 20:49:39 2012	(r243869)
@@ -591,7 +591,7 @@ do_fork(struct thread *td, int flags, st
 	LIST_INIT(&p2->p_children);
 	LIST_INIT(&p2->p_orphans);
 
-	callout_init(&p2->p_itcallout, CALLOUT_MPSAFE);
+	callout_init_mtx(&p2->p_itcallout, &p2->p_mtx, 0);
 
 	/*
 	 * If PF_FORK is set, the child process inherits the

Modified: head/sys/kern/kern_time.c
==============================================================================
--- head/sys/kern/kern_time.c	Tue Dec  4 20:49:04 2012	(r243868)
+++ head/sys/kern/kern_time.c	Tue Dec  4 20:49:39 2012	(r243869)
@@ -788,13 +788,11 @@ realitexpire(void *arg)
 	struct timeval ctv, ntv;
 
 	p = (struct proc *)arg;
-	PROC_LOCK(p);
 	kern_psignal(p, SIGALRM);
 	if (!timevalisset(&p->p_realtimer.it_interval)) {
 		timevalclear(&p->p_realtimer.it_value);
 		if (p->p_flag & P_WEXIT)
 			wakeup(&p->p_itcallout);
-		PROC_UNLOCK(p);
 		return;
 	}
 	for (;;) {
@@ -806,7 +804,6 @@ realitexpire(void *arg)
 			timevalsub(&ntv, &ctv);
 			callout_reset(&p->p_itcallout, tvtohz(&ntv) - 1,
 			    realitexpire, p);
-			PROC_UNLOCK(p);
 			return;
 		}
 	}