From owner-svn-src-all@FreeBSD.ORG  Thu Sep 26 10:06:51 2013
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTP id 4B4E6E33;
 Thu, 26 Sep 2013 10:06:51 +0000 (UTC)
 (envelope-from davide@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id 3761B2FAD;
 Thu, 26 Sep 2013 10:06:51 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r8QA6pKK071286;
 Thu, 26 Sep 2013 10:06:51 GMT (envelope-from davide@svn.freebsd.org)
Received: (from davide@localhost)
 by svn.freebsd.org (8.14.7/8.14.5/Submit) id r8QA6poc071285;
 Thu, 26 Sep 2013 10:06:51 GMT (envelope-from davide@svn.freebsd.org)
Message-Id: <201309261006.r8QA6poc071285@svn.freebsd.org>
From: Davide Italiano <davide@FreeBSD.org>
Date: Thu, 26 Sep 2013 10:06:51 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r255877 - head/sys/kern
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Sep 2013 10:06:51 -0000

Author: davide
Date: Thu Sep 26 10:06:50 2013
New Revision: 255877
URL: http://svnweb.freebsd.org/changeset/base/255877

Log:
  Make the callout arithmetic more robust adding checks for overflow.
  Without these, if the timeout value passed is "large enough", the
  value of the sum of it and other factors (e.g. current time as
  returned by sbinuptime() or 'precision' argument) might result in a
  negative number. This negative number is then passed to
  eventtimers(4), which causes et_start() routine to load et_min_period
  into eventtimer, making the CPU where the thread is stuck forever in
  timer interrupt handler routine. This is now avoided rounding to
  INT64_MAX the timeout period in case of overflow.
  
  Reported by:	kib, pho
  Discussed with:	kib, mav
  Tested by:	pho (stress2 suite, kevent7.sh scenario)
  Approved by:	re (kib)

Modified:
  head/sys/kern/kern_timeout.c

Modified: head/sys/kern/kern_timeout.c
==============================================================================
--- head/sys/kern/kern_timeout.c	Thu Sep 26 09:16:57 2013	(r255876)
+++ head/sys/kern/kern_timeout.c	Thu Sep 26 10:06:50 2013	(r255877)
@@ -572,6 +572,8 @@ callout_cc_add(struct callout *c, struct
 	 * Inform the eventtimers(4) subsystem there's a new callout
 	 * that has been inserted, but only if really required.
 	 */
+	if (INT64_MAX - c->c_time < c->c_precision)
+		c->c_precision = INT64_MAX - c->c_time;
 	sbt = c->c_time + c->c_precision;
 	if (sbt < cc->cc_firstevent) {
 		cc->cc_firstevent = sbt;
@@ -949,7 +951,10 @@ callout_reset_sbt_on(struct callout *c, 
 				to_sbt += tick_sbt;
 		} else
 			to_sbt = sbinuptime();
-		to_sbt += sbt;
+		if (INT64_MAX - to_sbt < sbt)
+			to_sbt = INT64_MAX;
+		else
+			to_sbt += sbt;
 		pr = ((C_PRELGET(flags) < 0) ? sbt >> tc_precexp :
 		    sbt >> C_PRELGET(flags));
 		if (pr > precision)