From d2849f27bc03b66f81f31aa571c8db997bad8fcb Mon Sep 17 00:00:00 2001 From: Adrian Chadd Date: Thu, 15 Sep 2011 08:42:06 +0000 Subject: [PATCH] Ensure that ta_pending doesn't overflow u_short by capping its value at USHRT_MAX. If it overflows before the taskqueue can run, the task will be re-added to the taskqueue and cause a loop in the task list. Reported by: Arnaud Lacombe Submitted by: Ryan Stone Reviewed by: jhb Approved by: re (kib) MFC after: 1 day --- share/man/man9/taskqueue.9 | 2 +- sys/kern/subr_taskqueue.c | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/share/man/man9/taskqueue.9 b/share/man/man9/taskqueue.9 index f45a149e189b..40d64af39639 100644 --- a/share/man/man9/taskqueue.9 +++ b/share/man/man9/taskqueue.9 @@ -133,7 +133,7 @@ If the task's .Va ta_pending field is non-zero, then it is simply incremented to reflect the number of times the task -was enqueued. +was enqueued, up to a cap of USHRT_MAX. Otherwise, the task is added to the list before the first task which has a lower .Va ta_priority diff --git a/sys/kern/subr_taskqueue.c b/sys/kern/subr_taskqueue.c index 4c4589901557..31ea52d1d876 100644 --- a/sys/kern/subr_taskqueue.c +++ b/sys/kern/subr_taskqueue.c @@ -33,6 +33,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -173,7 +174,8 @@ taskqueue_enqueue_locked(struct taskqueue *queue, struct task *task) * Count multiple enqueues. */ if (task->ta_pending) { - task->ta_pending++; + if (task->ta_pending < USHRT_MAX) + task->ta_pending++; return (0); }
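Review bot: the sentence added in the share/man/man9/taskqueue.9 hunk ("was enqueued, up to a cap of USHRT_MAX.") does not tell the reader what happens to enqueues that arrive once the cap is reached. Going by the subr_taskqueue.c change in the same patch, those enqueues are not counted and the call still returns 0, so the pending count can understate the number of enqueue requests. A short sentence saying so would let callers that rely on the count know it saturates. As a style point, the surrounding text marks up ta_pending with .Va, so the constant would read more consistently on its own macro line as .Dv USHRT_MAX rather than as bare text.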
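Review bot: in the taskqueue_enqueue_locked() hunk of sys/kern/subr_taskqueue.c, an enqueue that finds ta_pending already at USHRT_MAX is dropped silently and the function still returns (0), so a caller cannot tell a counted enqueue from a saturated one. That is probably the right trade-off against the list corruption described in the commit message, but the comment above the branch still reads only "Count multiple enqueues." and should say that the count saturates at USHRT_MAX and why: a wrap to zero would make an already-queued task look idle, and it would be added to the list a second time. The cap is also tied to the field being a u_short; if the type of ta_pending ever changes, this constant has to change with it, which is worth stating in the same comment.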