[rtems-libbsd commit] Critical bug fix for callouts
Sebastian Huber
sebh at rtems.org
Thu Jul 26 12:17:16 UTC 2018
Module: rtems-libbsd
Branch: master
Commit: 6d9d7b195621ffda676eda0154ebb8ee24dc3186
Changeset: http://git.rtems.org/rtems-libbsd/commit/?id=6d9d7b195621ffda676eda0154ebb8ee24dc3186
Author: Sebastian Huber <sebastian.huber at embedded-brains.de>
Date: Thu Jul 26 14:12:46 2018 +0200
Critical bug fix for callouts
FreeBSD has two callout executors, one in software and one in hardware
interrupt context. In libbsd, all callouts are executed by the timer
server. Entirely remove the different execution contexts for libbsd.
Previously, this was not properly done which could result an invalid
callout_drain() sequence leading to system memory corruption.
---
freebsd/sys/kern/kern_timeout.c | 32 +++++++++++++++++++++++++++++++-
freebsd/sys/sys/callout.h | 2 ++
2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/freebsd/sys/kern/kern_timeout.c b/freebsd/sys/kern/kern_timeout.c
index 813580f..2b08d5c 100644
--- a/freebsd/sys/kern/kern_timeout.c
+++ b/freebsd/sys/kern/kern_timeout.c
@@ -164,7 +164,11 @@ struct cc_exec {
*/
struct callout_cpu {
struct mtx_padalign cc_lock;
+#ifndef __rtems__
struct cc_exec cc_exec_entity[2];
+#else /* __rtems__ */
+ struct cc_exec cc_exec_entity;
+#endif /* __rtems__ */
struct callout *cc_next;
struct callout *cc_callout;
struct callout_list *cc_callwheel;
@@ -182,11 +186,21 @@ struct callout_cpu {
#define callout_migrating(c) ((c)->c_iflags & CALLOUT_DFRMIGRATION)
+#ifndef __rtems__
#define cc_exec_curr(cc, dir) cc->cc_exec_entity[dir].cc_curr
#define cc_exec_drain(cc, dir) cc->cc_exec_entity[dir].cc_drain
+#else /* __rtems__ */
+#define cc_exec_curr(cc, dir) cc->cc_exec_entity.cc_curr
+#define cc_exec_drain(cc, dir) cc->cc_exec_entity.cc_drain
+#endif /* __rtems__ */
#define cc_exec_next(cc) cc->cc_next
+#ifndef __rtems__
#define cc_exec_cancel(cc, dir) cc->cc_exec_entity[dir].cc_cancel
#define cc_exec_waiting(cc, dir) cc->cc_exec_entity[dir].cc_waiting
+#else /* __rtems__ */
+#define cc_exec_cancel(cc, dir) cc->cc_exec_entity.cc_cancel
+#define cc_exec_waiting(cc, dir) cc->cc_exec_entity.cc_waiting
+#endif /* __rtems__ */
#ifdef SMP
#define cc_migration_func(cc, dir) cc->cc_exec_entity[dir].ce_migration_func
#define cc_migration_arg(cc, dir) cc->cc_exec_entity[dir].ce_migration_arg
@@ -497,7 +511,11 @@ callout_get_bucket(sbintime_t sbt)
void
callout_process(sbintime_t now)
{
+#ifndef __rtems__
struct callout *tmp, *tmpn;
+#else /* __rtems__ */
+ struct callout *tmp;
+#endif /* __rtems__ */
struct callout_cpu *cc;
struct callout_list *sc;
sbintime_t first, last, max, tmp_max;
@@ -665,8 +683,10 @@ callout_cc_add(struct callout *c, struct callout_cpu *cc,
c->c_iflags |= CALLOUT_PENDING;
c->c_iflags &= ~CALLOUT_PROCESSED;
c->c_flags |= CALLOUT_ACTIVE;
+#ifndef __rtems__
if (flags & C_DIRECT_EXEC)
c->c_iflags |= CALLOUT_DIRECT;
+#endif /* __rtems__ */
c->c_func = func;
c->c_time = sbt;
c->c_precision = precision;
@@ -1097,7 +1117,11 @@ callout_reset_sbt_on(struct callout *c, sbintime_t sbt, sbintime_t prec,
{
sbintime_t to_sbt, precision;
struct callout_cpu *cc;
+#ifndef __rtems__
int cancelled, direct;
+#else /* __rtems__ */
+ int cancelled;
+#endif /* __rtems__ */
int ignore_cpu=0;
cancelled = 0;
@@ -1110,6 +1134,7 @@ callout_reset_sbt_on(struct callout *c, sbintime_t sbt, sbintime_t prec,
}
callout_when(sbt, prec, flags, &to_sbt, &precision);
+#ifndef __rtems__
/*
* This flag used to be added by callout_cc_add, but the
* first time you call this we could end up with the
@@ -1122,6 +1147,7 @@ callout_reset_sbt_on(struct callout *c, sbintime_t sbt, sbintime_t prec,
}
KASSERT(!direct || c->c_lock == NULL,
("%s: direct callout %p has lock", __func__, c));
+#endif /* __rtems__ */
cc = callout_lock(c);
/*
* Don't allow migration of pre-allocated callouts lest they
@@ -1260,7 +1286,11 @@ _callout_stop_safe(struct callout *c, int flags, void (*drain)(void *))
{
struct callout_cpu *cc, *old_cc;
struct lock_class *class;
+#ifndef __rtems__
int direct, sq_locked, use_lock;
+#else /* __rtems__ */
+ int sq_locked, use_lock;
+#endif /* __rtems__ */
int cancelled, not_on_a_list;
#ifdef __rtems__
(void)old_cc;
@@ -1285,13 +1315,13 @@ _callout_stop_safe(struct callout *c, int flags, void (*drain)(void *))
}
} else
use_lock = 0;
+#ifndef __rtems__
if (c->c_iflags & CALLOUT_DIRECT) {
direct = 1;
} else {
direct = 0;
}
-#ifndef __rtems__
sq_locked = 0;
old_cc = NULL;
again:
diff --git a/freebsd/sys/sys/callout.h b/freebsd/sys/sys/callout.h
index b219052..eee6884 100644
--- a/freebsd/sys/sys/callout.h
+++ b/freebsd/sys/sys/callout.h
@@ -48,7 +48,9 @@
#define CALLOUT_SHAREDLOCK 0x0020 /* callout lock held in shared mode */
#define CALLOUT_DFRMIGRATION 0x0040 /* callout in deferred migration mode */
#define CALLOUT_PROCESSED 0x0080 /* callout in wheel or processing list? */
+#ifndef __rtems__
#define CALLOUT_DIRECT 0x0100 /* allow exec from hw int context */
+#endif /* __rtems__ */
#define C_DIRECT_EXEC 0x0001 /* direct execution of callout */
#define C_PRELBITS 7
More information about the vc
mailing list