Ensure that ta_pending doesn't overflow u_short by capping its value at USHRT_MAX.

If it overflows before the taskqueue can run, the task will be
re-added to the taskqueue and cause a loop in the task list.

Reported by:	Arnaud Lacombe <lacombar@gmail.com>
Submitted by:	Ryan Stone <rysto32@gmail.com>
Reviewed by:	jhb
Approved by:	re (kib)
MFC after:	1 day
This commit is contained in:
Adrian Chadd 2011-09-15 08:42:06 +00:00
parent 3ea459713b
commit d2849f27bc
2 changed files with 4 additions and 2 deletions

View File

@ -133,7 +133,7 @@ If the task's
.Va ta_pending
field is non-zero,
then it is simply incremented to reflect the number of times the task
was enqueued.
was enqueued, up to a cap of USHRT_MAX.
Otherwise,
the task is added to the list before the first task which has a lower
.Va ta_priority

View File

@ -33,6 +33,7 @@ __FBSDID("$FreeBSD$");
#include <sys/interrupt.h>
#include <sys/kernel.h>
#include <sys/kthread.h>
#include <sys/limits.h>
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
@ -173,7 +174,8 @@ taskqueue_enqueue_locked(struct taskqueue *queue, struct task *task)
* Count multiple enqueues.
*/
if (task->ta_pending) {
task->ta_pending++;
if (task->ta_pending < USHRT_MAX)
task->ta_pending++;
return (0);
}