freebsd-skq/sys/kern/kern_resource.c
bde 24c8af8da8 Finish the fix for overflow in calcru1().
The previous fix was unnecessarily very slow up to 105 hours where the
simple formula used previously worked, and unnecessarily slow by a factor
of about 5/3 up to 388 days, and didn't work above 388 days.  388 days is
not a long time, since it is a reasonable uptime, and for processes the
times being calculated are aggregated over all threads, so with N CPUs
running the same thread a runtime of 388 days is reachable after only
388 / N physical days.

The PRs document overflow at 388 days, but don't try to fix it.

Use the simple formula up to 76 hours.  Then use a complicated general
method that reduces to the simple formula up to a bit less than 105
hours, then reduces to the previous method without its extra work up
to almost 388 days, then does more complicated reductions, usually
many bits at a time so that this is not slow.  This works up to half
of maximum representable time (292271 years), with accumulated rounding
errors of at most 32 usec.

amd64 can do all this with no avoidable rounding errors in an inline
asm with 2 instructions, but this is too special to use.  __uint128_t
can do the same with 100's of instructions on 64-bit arches.  Long
doubles with at least 64 bits of precision are the easiest method to
use on i386 userland, but are hard to use in the kernel.

PR:		76972 and duplicates
Reviewed by:	kib
2019-02-14 19:07:08 +00:00

1536 lines
36 KiB
C

/*-
* SPDX-License-Identifier: BSD-3-Clause
*
* Copyright (c) 1982, 1986, 1991, 1993
* The Regents of the University of California. All rights reserved.
* (c) UNIX System Laboratories, Inc.
* All or some portions of this file are derived from material licensed
* to the University of California by American Telephone and Telegraph
* Co. or Unix System Laboratories, Inc. and are reproduced herein with
* the permission of UNIX System Laboratories, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)kern_resource.c 8.5 (Berkeley) 1/21/94
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/file.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/refcount.h>
#include <sys/racct.h>
#include <sys/resourcevar.h>
#include <sys/rwlock.h>
#include <sys/sched.h>
#include <sys/sx.h>
#include <sys/syscallsubr.h>
#include <sys/sysctl.h>
#include <sys/sysent.h>
#include <sys/time.h>
#include <sys/umtx.h>
#include <vm/vm.h>
#include <vm/vm_param.h>
#include <vm/pmap.h>
#include <vm/vm_map.h>
static MALLOC_DEFINE(M_PLIMIT, "plimit", "plimit structures");
static MALLOC_DEFINE(M_UIDINFO, "uidinfo", "uidinfo structures");
#define UIHASH(uid) (&uihashtbl[(uid) & uihash])
static struct rwlock uihashtbl_lock;
static LIST_HEAD(uihashhead, uidinfo) *uihashtbl;
static u_long uihash; /* size of hash table - 1 */
static void calcru1(struct proc *p, struct rusage_ext *ruxp,
struct timeval *up, struct timeval *sp);
static int donice(struct thread *td, struct proc *chgp, int n);
static struct uidinfo *uilookup(uid_t uid);
static void ruxagg_locked(struct rusage_ext *rux, struct thread *td);
/*
* Resource controls and accounting.
*/
#ifndef _SYS_SYSPROTO_H_
struct getpriority_args {
int which;
int who;
};
#endif
int
sys_getpriority(struct thread *td, struct getpriority_args *uap)
{
struct proc *p;
struct pgrp *pg;
int error, low;
error = 0;
low = PRIO_MAX + 1;
switch (uap->which) {
case PRIO_PROCESS:
if (uap->who == 0)
low = td->td_proc->p_nice;
else {
p = pfind(uap->who);
if (p == NULL)
break;
if (p_cansee(td, p) == 0)
low = p->p_nice;
PROC_UNLOCK(p);
}
break;
case PRIO_PGRP:
sx_slock(&proctree_lock);
if (uap->who == 0) {
pg = td->td_proc->p_pgrp;
PGRP_LOCK(pg);
} else {
pg = pgfind(uap->who);
if (pg == NULL) {
sx_sunlock(&proctree_lock);
break;
}
}
sx_sunlock(&proctree_lock);
LIST_FOREACH(p, &pg->pg_members, p_pglist) {
PROC_LOCK(p);
if (p->p_state == PRS_NORMAL &&
p_cansee(td, p) == 0) {
if (p->p_nice < low)
low = p->p_nice;
}
PROC_UNLOCK(p);
}
PGRP_UNLOCK(pg);
break;
case PRIO_USER:
if (uap->who == 0)
uap->who = td->td_ucred->cr_uid;
sx_slock(&allproc_lock);
FOREACH_PROC_IN_SYSTEM(p) {
PROC_LOCK(p);
if (p->p_state == PRS_NORMAL &&
p_cansee(td, p) == 0 &&
p->p_ucred->cr_uid == uap->who) {
if (p->p_nice < low)
low = p->p_nice;
}
PROC_UNLOCK(p);
}
sx_sunlock(&allproc_lock);
break;
default:
error = EINVAL;
break;
}
if (low == PRIO_MAX + 1 && error == 0)
error = ESRCH;
td->td_retval[0] = low;
return (error);
}
#ifndef _SYS_SYSPROTO_H_
struct setpriority_args {
int which;
int who;
int prio;
};
#endif
int
sys_setpriority(struct thread *td, struct setpriority_args *uap)
{
struct proc *curp, *p;
struct pgrp *pg;
int found = 0, error = 0;
curp = td->td_proc;
switch (uap->which) {
case PRIO_PROCESS:
if (uap->who == 0) {
PROC_LOCK(curp);
error = donice(td, curp, uap->prio);
PROC_UNLOCK(curp);
} else {
p = pfind(uap->who);
if (p == NULL)
break;
error = p_cansee(td, p);
if (error == 0)
error = donice(td, p, uap->prio);
PROC_UNLOCK(p);
}
found++;
break;
case PRIO_PGRP:
sx_slock(&proctree_lock);
if (uap->who == 0) {
pg = curp->p_pgrp;
PGRP_LOCK(pg);
} else {
pg = pgfind(uap->who);
if (pg == NULL) {
sx_sunlock(&proctree_lock);
break;
}
}
sx_sunlock(&proctree_lock);
LIST_FOREACH(p, &pg->pg_members, p_pglist) {
PROC_LOCK(p);
if (p->p_state == PRS_NORMAL &&
p_cansee(td, p) == 0) {
error = donice(td, p, uap->prio);
found++;
}
PROC_UNLOCK(p);
}
PGRP_UNLOCK(pg);
break;
case PRIO_USER:
if (uap->who == 0)
uap->who = td->td_ucred->cr_uid;
sx_slock(&allproc_lock);
FOREACH_PROC_IN_SYSTEM(p) {
PROC_LOCK(p);
if (p->p_state == PRS_NORMAL &&
p->p_ucred->cr_uid == uap->who &&
p_cansee(td, p) == 0) {
error = donice(td, p, uap->prio);
found++;
}
PROC_UNLOCK(p);
}
sx_sunlock(&allproc_lock);
break;
default:
error = EINVAL;
break;
}
if (found == 0 && error == 0)
error = ESRCH;
return (error);
}
/*
* Set "nice" for a (whole) process.
*/
static int
donice(struct thread *td, struct proc *p, int n)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
if ((error = p_cansched(td, p)))
return (error);
if (n > PRIO_MAX)
n = PRIO_MAX;
if (n < PRIO_MIN)
n = PRIO_MIN;
if (n < p->p_nice && priv_check(td, PRIV_SCHED_SETPRIORITY) != 0)
return (EACCES);
sched_nice(p, n);
return (0);
}
static int unprivileged_idprio;
SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_idprio, CTLFLAG_RW,
&unprivileged_idprio, 0, "Allow non-root users to set an idle priority");
/*
* Set realtime priority for LWP.
*/
#ifndef _SYS_SYSPROTO_H_
struct rtprio_thread_args {
int function;
lwpid_t lwpid;
struct rtprio *rtp;
};
#endif
int
sys_rtprio_thread(struct thread *td, struct rtprio_thread_args *uap)
{
struct proc *p;
struct rtprio rtp;
struct thread *td1;
int cierror, error;
/* Perform copyin before acquiring locks if needed. */
if (uap->function == RTP_SET)
cierror = copyin(uap->rtp, &rtp, sizeof(struct rtprio));
else
cierror = 0;
if (uap->lwpid == 0 || uap->lwpid == td->td_tid) {
p = td->td_proc;
td1 = td;
PROC_LOCK(p);
} else {
/* Only look up thread in current process */
td1 = tdfind(uap->lwpid, curproc->p_pid);
if (td1 == NULL)
return (ESRCH);
p = td1->td_proc;
}
switch (uap->function) {
case RTP_LOOKUP:
if ((error = p_cansee(td, p)))
break;
pri_to_rtp(td1, &rtp);
PROC_UNLOCK(p);
return (copyout(&rtp, uap->rtp, sizeof(struct rtprio)));
case RTP_SET:
if ((error = p_cansched(td, p)) || (error = cierror))
break;
/* Disallow setting rtprio in most cases if not superuser. */
/*
* Realtime priority has to be restricted for reasons which
* should be obvious. However, for idleprio processes, there is
* a potential for system deadlock if an idleprio process gains
* a lock on a resource that other processes need (and the
* idleprio process can't run due to a CPU-bound normal
* process). Fix me! XXX
*
* This problem is not only related to idleprio process.
* A user level program can obtain a file lock and hold it
* indefinitely. Additionally, without idleprio processes it is
* still conceivable that a program with low priority will never
* get to run. In short, allowing this feature might make it
* easier to lock a resource indefinitely, but it is not the
* only thing that makes it possible.
*/
if (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_REALTIME ||
(RTP_PRIO_BASE(rtp.type) == RTP_PRIO_IDLE &&
unprivileged_idprio == 0)) {
error = priv_check(td, PRIV_SCHED_RTPRIO);
if (error)
break;
}
error = rtp_to_pri(&rtp, td1);
break;
default:
error = EINVAL;
break;
}
PROC_UNLOCK(p);
return (error);
}
/*
* Set realtime priority.
*/
#ifndef _SYS_SYSPROTO_H_
struct rtprio_args {
int function;
pid_t pid;
struct rtprio *rtp;
};
#endif
int
sys_rtprio(struct thread *td, struct rtprio_args *uap)
{
struct proc *p;
struct thread *tdp;
struct rtprio rtp;
int cierror, error;
/* Perform copyin before acquiring locks if needed. */
if (uap->function == RTP_SET)
cierror = copyin(uap->rtp, &rtp, sizeof(struct rtprio));
else
cierror = 0;
if (uap->pid == 0) {
p = td->td_proc;
PROC_LOCK(p);
} else {
p = pfind(uap->pid);
if (p == NULL)
return (ESRCH);
}
switch (uap->function) {
case RTP_LOOKUP:
if ((error = p_cansee(td, p)))
break;
/*
* Return OUR priority if no pid specified,
* or if one is, report the highest priority
* in the process. There isn't much more you can do as
* there is only room to return a single priority.
* Note: specifying our own pid is not the same
* as leaving it zero.
*/
if (uap->pid == 0) {
pri_to_rtp(td, &rtp);
} else {
struct rtprio rtp2;
rtp.type = RTP_PRIO_IDLE;
rtp.prio = RTP_PRIO_MAX;
FOREACH_THREAD_IN_PROC(p, tdp) {
pri_to_rtp(tdp, &rtp2);
if (rtp2.type < rtp.type ||
(rtp2.type == rtp.type &&
rtp2.prio < rtp.prio)) {
rtp.type = rtp2.type;
rtp.prio = rtp2.prio;
}
}
}
PROC_UNLOCK(p);
return (copyout(&rtp, uap->rtp, sizeof(struct rtprio)));
case RTP_SET:
if ((error = p_cansched(td, p)) || (error = cierror))
break;
/*
* Disallow setting rtprio in most cases if not superuser.
* See the comment in sys_rtprio_thread about idprio
* threads holding a lock.
*/
if (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_REALTIME ||
(RTP_PRIO_BASE(rtp.type) == RTP_PRIO_IDLE &&
!unprivileged_idprio)) {
error = priv_check(td, PRIV_SCHED_RTPRIO);
if (error)
break;
}
/*
* If we are setting our own priority, set just our
* thread but if we are doing another process,
* do all the threads on that process. If we
* specify our own pid we do the latter.
*/
if (uap->pid == 0) {
error = rtp_to_pri(&rtp, td);
} else {
FOREACH_THREAD_IN_PROC(p, td) {
if ((error = rtp_to_pri(&rtp, td)) != 0)
break;
}
}
break;
default:
error = EINVAL;
break;
}
PROC_UNLOCK(p);
return (error);
}
int
rtp_to_pri(struct rtprio *rtp, struct thread *td)
{
u_char newpri, oldclass, oldpri;
switch (RTP_PRIO_BASE(rtp->type)) {
case RTP_PRIO_REALTIME:
if (rtp->prio > RTP_PRIO_MAX)
return (EINVAL);
newpri = PRI_MIN_REALTIME + rtp->prio;
break;
case RTP_PRIO_NORMAL:
if (rtp->prio > (PRI_MAX_TIMESHARE - PRI_MIN_TIMESHARE))
return (EINVAL);
newpri = PRI_MIN_TIMESHARE + rtp->prio;
break;
case RTP_PRIO_IDLE:
if (rtp->prio > RTP_PRIO_MAX)
return (EINVAL);
newpri = PRI_MIN_IDLE + rtp->prio;
break;
default:
return (EINVAL);
}
thread_lock(td);
oldclass = td->td_pri_class;
sched_class(td, rtp->type); /* XXX fix */
oldpri = td->td_user_pri;
sched_user_prio(td, newpri);
if (td->td_user_pri != oldpri && (oldclass != RTP_PRIO_NORMAL ||
td->td_pri_class != RTP_PRIO_NORMAL))
sched_prio(td, td->td_user_pri);
if (TD_ON_UPILOCK(td) && oldpri != newpri) {
critical_enter();
thread_unlock(td);
umtx_pi_adjust(td, oldpri);
critical_exit();
} else
thread_unlock(td);
return (0);
}
void
pri_to_rtp(struct thread *td, struct rtprio *rtp)
{
thread_lock(td);
switch (PRI_BASE(td->td_pri_class)) {
case PRI_REALTIME:
rtp->prio = td->td_base_user_pri - PRI_MIN_REALTIME;
break;
case PRI_TIMESHARE:
rtp->prio = td->td_base_user_pri - PRI_MIN_TIMESHARE;
break;
case PRI_IDLE:
rtp->prio = td->td_base_user_pri - PRI_MIN_IDLE;
break;
default:
break;
}
rtp->type = td->td_pri_class;
thread_unlock(td);
}
#if defined(COMPAT_43)
#ifndef _SYS_SYSPROTO_H_
struct osetrlimit_args {
u_int which;
struct orlimit *rlp;
};
#endif
int
osetrlimit(struct thread *td, struct osetrlimit_args *uap)
{
struct orlimit olim;
struct rlimit lim;
int error;
if ((error = copyin(uap->rlp, &olim, sizeof(struct orlimit))))
return (error);
lim.rlim_cur = olim.rlim_cur;
lim.rlim_max = olim.rlim_max;
error = kern_setrlimit(td, uap->which, &lim);
return (error);
}
#ifndef _SYS_SYSPROTO_H_
struct ogetrlimit_args {
u_int which;
struct orlimit *rlp;
};
#endif
int
ogetrlimit(struct thread *td, struct ogetrlimit_args *uap)
{
struct orlimit olim;
struct rlimit rl;
int error;
if (uap->which >= RLIM_NLIMITS)
return (EINVAL);
lim_rlimit(td, uap->which, &rl);
/*
* XXX would be more correct to convert only RLIM_INFINITY to the
* old RLIM_INFINITY and fail with EOVERFLOW for other larger
* values. Most 64->32 and 32->16 conversions, including not
* unimportant ones of uids are even more broken than what we
* do here (they blindly truncate). We don't do this correctly
* here since we have little experience with EOVERFLOW yet.
* Elsewhere, getuid() can't fail...
*/
olim.rlim_cur = rl.rlim_cur > 0x7fffffff ? 0x7fffffff : rl.rlim_cur;
olim.rlim_max = rl.rlim_max > 0x7fffffff ? 0x7fffffff : rl.rlim_max;
error = copyout(&olim, uap->rlp, sizeof(olim));
return (error);
}
#endif /* COMPAT_43 */
#ifndef _SYS_SYSPROTO_H_
struct __setrlimit_args {
u_int which;
struct rlimit *rlp;
};
#endif
int
sys_setrlimit(struct thread *td, struct __setrlimit_args *uap)
{
struct rlimit alim;
int error;
if ((error = copyin(uap->rlp, &alim, sizeof(struct rlimit))))
return (error);
error = kern_setrlimit(td, uap->which, &alim);
return (error);
}
static void
lim_cb(void *arg)
{
struct rlimit rlim;
struct thread *td;
struct proc *p;
p = arg;
PROC_LOCK_ASSERT(p, MA_OWNED);
/*
* Check if the process exceeds its cpu resource allocation. If
* it reaches the max, arrange to kill the process in ast().
*/
if (p->p_cpulimit == RLIM_INFINITY)
return;
PROC_STATLOCK(p);
FOREACH_THREAD_IN_PROC(p, td) {
ruxagg(p, td);
}
PROC_STATUNLOCK(p);
if (p->p_rux.rux_runtime > p->p_cpulimit * cpu_tickrate()) {
lim_rlimit_proc(p, RLIMIT_CPU, &rlim);
if (p->p_rux.rux_runtime >= rlim.rlim_max * cpu_tickrate()) {
killproc(p, "exceeded maximum CPU limit");
} else {
if (p->p_cpulimit < rlim.rlim_max)
p->p_cpulimit += 5;
kern_psignal(p, SIGXCPU);
}
}
if ((p->p_flag & P_WEXIT) == 0)
callout_reset_sbt(&p->p_limco, SBT_1S, 0,
lim_cb, p, C_PREL(1));
}
int
kern_setrlimit(struct thread *td, u_int which, struct rlimit *limp)
{
return (kern_proc_setrlimit(td, td->td_proc, which, limp));
}
int
kern_proc_setrlimit(struct thread *td, struct proc *p, u_int which,
struct rlimit *limp)
{
struct plimit *newlim, *oldlim;
struct rlimit *alimp;
struct rlimit oldssiz;
int error;
if (which >= RLIM_NLIMITS)
return (EINVAL);
/*
* Preserve historical bugs by treating negative limits as unsigned.
*/
if (limp->rlim_cur < 0)
limp->rlim_cur = RLIM_INFINITY;
if (limp->rlim_max < 0)
limp->rlim_max = RLIM_INFINITY;
oldssiz.rlim_cur = 0;
newlim = lim_alloc();
PROC_LOCK(p);
oldlim = p->p_limit;
alimp = &oldlim->pl_rlimit[which];
if (limp->rlim_cur > alimp->rlim_max ||
limp->rlim_max > alimp->rlim_max)
if ((error = priv_check(td, PRIV_PROC_SETRLIMIT))) {
PROC_UNLOCK(p);
lim_free(newlim);
return (error);
}
if (limp->rlim_cur > limp->rlim_max)
limp->rlim_cur = limp->rlim_max;
lim_copy(newlim, oldlim);
alimp = &newlim->pl_rlimit[which];
switch (which) {
case RLIMIT_CPU:
if (limp->rlim_cur != RLIM_INFINITY &&
p->p_cpulimit == RLIM_INFINITY)
callout_reset_sbt(&p->p_limco, SBT_1S, 0,
lim_cb, p, C_PREL(1));
p->p_cpulimit = limp->rlim_cur;
break;
case RLIMIT_DATA:
if (limp->rlim_cur > maxdsiz)
limp->rlim_cur = maxdsiz;
if (limp->rlim_max > maxdsiz)
limp->rlim_max = maxdsiz;
break;
case RLIMIT_STACK:
if (limp->rlim_cur > maxssiz)
limp->rlim_cur = maxssiz;
if (limp->rlim_max > maxssiz)
limp->rlim_max = maxssiz;
oldssiz = *alimp;
if (p->p_sysent->sv_fixlimit != NULL)
p->p_sysent->sv_fixlimit(&oldssiz,
RLIMIT_STACK);
break;
case RLIMIT_NOFILE:
if (limp->rlim_cur > maxfilesperproc)
limp->rlim_cur = maxfilesperproc;
if (limp->rlim_max > maxfilesperproc)
limp->rlim_max = maxfilesperproc;
break;
case RLIMIT_NPROC:
if (limp->rlim_cur > maxprocperuid)
limp->rlim_cur = maxprocperuid;
if (limp->rlim_max > maxprocperuid)
limp->rlim_max = maxprocperuid;
if (limp->rlim_cur < 1)
limp->rlim_cur = 1;
if (limp->rlim_max < 1)
limp->rlim_max = 1;
break;
}
if (p->p_sysent->sv_fixlimit != NULL)
p->p_sysent->sv_fixlimit(limp, which);
*alimp = *limp;
p->p_limit = newlim;
PROC_UPDATE_COW(p);
PROC_UNLOCK(p);
lim_free(oldlim);
if (which == RLIMIT_STACK &&
/*
* Skip calls from exec_new_vmspace(), done when stack is
* not mapped yet.
*/
(td != curthread || (p->p_flag & P_INEXEC) == 0)) {
/*
* Stack is allocated to the max at exec time with only
* "rlim_cur" bytes accessible. If stack limit is going
* up make more accessible, if going down make inaccessible.
*/
if (limp->rlim_cur != oldssiz.rlim_cur) {
vm_offset_t addr;
vm_size_t size;
vm_prot_t prot;
if (limp->rlim_cur > oldssiz.rlim_cur) {
prot = p->p_sysent->sv_stackprot;
size = limp->rlim_cur - oldssiz.rlim_cur;
addr = p->p_sysent->sv_usrstack -
limp->rlim_cur;
} else {
prot = VM_PROT_NONE;
size = oldssiz.rlim_cur - limp->rlim_cur;
addr = p->p_sysent->sv_usrstack -
oldssiz.rlim_cur;
}
addr = trunc_page(addr);
size = round_page(size);
(void)vm_map_protect(&p->p_vmspace->vm_map,
addr, addr + size, prot, FALSE);
}
}
return (0);
}
#ifndef _SYS_SYSPROTO_H_
struct __getrlimit_args {
u_int which;
struct rlimit *rlp;
};
#endif
/* ARGSUSED */
int
sys_getrlimit(struct thread *td, struct __getrlimit_args *uap)
{
struct rlimit rlim;
int error;
if (uap->which >= RLIM_NLIMITS)
return (EINVAL);
lim_rlimit(td, uap->which, &rlim);
error = copyout(&rlim, uap->rlp, sizeof(struct rlimit));
return (error);
}
/*
* Transform the running time and tick information for children of proc p
* into user and system time usage.
*/
void
calccru(struct proc *p, struct timeval *up, struct timeval *sp)
{
PROC_LOCK_ASSERT(p, MA_OWNED);
calcru1(p, &p->p_crux, up, sp);
}
/*
* Transform the running time and tick information in proc p into user
* and system time usage. If appropriate, include the current time slice
* on this CPU.
*/
void
calcru(struct proc *p, struct timeval *up, struct timeval *sp)
{
struct thread *td;
uint64_t runtime, u;
PROC_LOCK_ASSERT(p, MA_OWNED);
PROC_STATLOCK_ASSERT(p, MA_OWNED);
/*
* If we are getting stats for the current process, then add in the
* stats that this thread has accumulated in its current time slice.
* We reset the thread and CPU state as if we had performed a context
* switch right here.
*/
td = curthread;
if (td->td_proc == p) {
u = cpu_ticks();
runtime = u - PCPU_GET(switchtime);
td->td_runtime += runtime;
td->td_incruntime += runtime;
PCPU_SET(switchtime, u);
}
/* Make sure the per-thread stats are current. */
FOREACH_THREAD_IN_PROC(p, td) {
if (td->td_incruntime == 0)
continue;
ruxagg(p, td);
}
calcru1(p, &p->p_rux, up, sp);
}
/* Collect resource usage for a single thread. */
void
rufetchtd(struct thread *td, struct rusage *ru)
{
struct proc *p;
uint64_t runtime, u;
p = td->td_proc;
PROC_STATLOCK_ASSERT(p, MA_OWNED);
THREAD_LOCK_ASSERT(td, MA_OWNED);
/*
* If we are getting stats for the current thread, then add in the
* stats that this thread has accumulated in its current time slice.
* We reset the thread and CPU state as if we had performed a context
* switch right here.
*/
if (td == curthread) {
u = cpu_ticks();
runtime = u - PCPU_GET(switchtime);
td->td_runtime += runtime;
td->td_incruntime += runtime;
PCPU_SET(switchtime, u);
}
ruxagg(p, td);
*ru = td->td_ru;
calcru1(p, &td->td_rux, &ru->ru_utime, &ru->ru_stime);
}
/* XXX: the MI version is too slow to use: */
#ifndef __HAVE_INLINE_FLSLL
#define flsll(x) (fls((x) >> 32) != 0 ? fls((x) >> 32) + 32 : fls(x))
#endif
static uint64_t
mul64_by_fraction(uint64_t a, uint64_t b, uint64_t c)
{
uint64_t acc, bh, bl;
int i, s, sa, sb;
/*
* Calculate (a * b) / c accurately enough without overflowing. c
* must be nonzero, and its top bit must be 0. a or b must be
* <= c, and the implementation is tuned for b <= c.
*
* The comments about times are for use in calcru1() with units of
* microseconds for 'a' and stathz ticks at 128 Hz for b and c.
*
* Let n be the number of top zero bits in c. Each iteration
* either returns, or reduces b by right shifting it by at least n.
* The number of iterations is at most 1 + 64 / n, and the error is
* at most the number of iterations.
*
* It is very unusual to need even 2 iterations. Previous
* implementations overflowed essentially by returning early in the
* first iteration, with n = 38 giving overflow at 105+ hours and
* n = 32 giving overlow at at 388+ days despite a more careful
* calculation. 388 days is a reasonable uptime, and the calculation
* needs to work for the uptime times the number of CPUs since 'a'
* is per-process.
*/
if (a >= (uint64_t)1 << 63)
return (0); /* Unsupported arg -- can't happen. */
acc = 0;
for (i = 0; i < 128; i++) {
sa = flsll(a);
sb = flsll(b);
if (sa + sb <= 64)
/* Up to 105 hours on first iteration. */
return (acc + (a * b) / c);
if (a >= c) {
/*
* This reduction is based on a = q * c + r, with the
* remainder r < c. 'a' may be large to start, and
* moving bits from b into 'a' at the end of the loop
* sets the top bit of 'a', so the reduction makes
* significant progress.
*/
acc += (a / c) * b;
a %= c;
sa = flsll(a);
if (sa + sb <= 64)
/* Up to 388 days on first iteration. */
return (acc + (a * b) / c);
}
/*
* This step writes a * b as a * ((bh << s) + bl) =
* a * (bh << s) + a * bl = (a << s) * bh + a * bl. The 2
* additive terms are handled separately. Splitting in
* this way is linear except for rounding errors.
*
* s = 64 - sa is the maximum such that a << s fits in 64
* bits. Since a < c and c has at least 1 zero top bit,
* sa < 64 and s > 0. Thus this step makes progress by
* reducing b (it increases 'a', but taking remainders on
* the next iteration completes the reduction).
*
* Finally, the choice for s is just what is needed to keep
* a * bl from overflowing, so we don't need complications
* like a recursive call mul64_by_fraction(a, bl, c) to
* handle the second additive term.
*/
s = 64 - sa;
bh = b >> s;
bl = b - (bh << s);
acc += (a * bl) / c;
a <<= s;
b = bh;
}
return (0); /* Algorithm failure -- can't happen. */
}
static void
calcru1(struct proc *p, struct rusage_ext *ruxp, struct timeval *up,
struct timeval *sp)
{
/* {user, system, interrupt, total} {ticks, usec}: */
uint64_t ut, uu, st, su, it, tt, tu;
ut = ruxp->rux_uticks;
st = ruxp->rux_sticks;
it = ruxp->rux_iticks;
tt = ut + st + it;
if (tt == 0) {
/* Avoid divide by zero */
st = 1;
tt = 1;
}
tu = cputick2usec(ruxp->rux_runtime);
if ((int64_t)tu < 0) {
/* XXX: this should be an assert /phk */
printf("calcru: negative runtime of %jd usec for pid %d (%s)\n",
(intmax_t)tu, p->p_pid, p->p_comm);
tu = ruxp->rux_tu;
}
/* Subdivide tu. Avoid overflow in the multiplications. */
if (__predict_true(tu <= ((uint64_t)1 << 38) && tt <= (1 << 26))) {
/* Up to 76 hours when stathz is 128. */
uu = (tu * ut) / tt;
su = (tu * st) / tt;
} else {
uu = mul64_by_fraction(tu, ut, tt);
su = mul64_by_fraction(tu, ut, st);
}
if (tu >= ruxp->rux_tu) {
/*
* The normal case, time increased.
* Enforce monotonicity of bucketed numbers.
*/
if (uu < ruxp->rux_uu)
uu = ruxp->rux_uu;
if (su < ruxp->rux_su)
su = ruxp->rux_su;
} else if (tu + 3 > ruxp->rux_tu || 101 * tu > 100 * ruxp->rux_tu) {
/*
* When we calibrate the cputicker, it is not uncommon to
* see the presumably fixed frequency increase slightly over
* time as a result of thermal stabilization and NTP
* discipline (of the reference clock). We therefore ignore
* a bit of backwards slop because we expect to catch up
* shortly. We use a 3 microsecond limit to catch low
* counts and a 1% limit for high counts.
*/
uu = ruxp->rux_uu;
su = ruxp->rux_su;
tu = ruxp->rux_tu;
} else { /* tu < ruxp->rux_tu */
/*
* What happened here was likely that a laptop, which ran at
* a reduced clock frequency at boot, kicked into high gear.
* The wisdom of spamming this message in that case is
* dubious, but it might also be indicative of something
* serious, so lets keep it and hope laptops can be made
* more truthful about their CPU speed via ACPI.
*/
printf("calcru: runtime went backwards from %ju usec "
"to %ju usec for pid %d (%s)\n",
(uintmax_t)ruxp->rux_tu, (uintmax_t)tu,
p->p_pid, p->p_comm);
}
ruxp->rux_uu = uu;
ruxp->rux_su = su;
ruxp->rux_tu = tu;
up->tv_sec = uu / 1000000;
up->tv_usec = uu % 1000000;
sp->tv_sec = su / 1000000;
sp->tv_usec = su % 1000000;
}
#ifndef _SYS_SYSPROTO_H_
struct getrusage_args {
int who;
struct rusage *rusage;
};
#endif
int
sys_getrusage(struct thread *td, struct getrusage_args *uap)
{
struct rusage ru;
int error;
error = kern_getrusage(td, uap->who, &ru);
if (error == 0)
error = copyout(&ru, uap->rusage, sizeof(struct rusage));
return (error);
}
int
kern_getrusage(struct thread *td, int who, struct rusage *rup)
{
struct proc *p;
int error;
error = 0;
p = td->td_proc;
PROC_LOCK(p);
switch (who) {
case RUSAGE_SELF:
rufetchcalc(p, rup, &rup->ru_utime,
&rup->ru_stime);
break;
case RUSAGE_CHILDREN:
*rup = p->p_stats->p_cru;
calccru(p, &rup->ru_utime, &rup->ru_stime);
break;
case RUSAGE_THREAD:
PROC_STATLOCK(p);
thread_lock(td);
rufetchtd(td, rup);
thread_unlock(td);
PROC_STATUNLOCK(p);
break;
default:
error = EINVAL;
}
PROC_UNLOCK(p);
return (error);
}
void
rucollect(struct rusage *ru, struct rusage *ru2)
{
long *ip, *ip2;
int i;
if (ru->ru_maxrss < ru2->ru_maxrss)
ru->ru_maxrss = ru2->ru_maxrss;
ip = &ru->ru_first;
ip2 = &ru2->ru_first;
for (i = &ru->ru_last - &ru->ru_first; i >= 0; i--)
*ip++ += *ip2++;
}
void
ruadd(struct rusage *ru, struct rusage_ext *rux, struct rusage *ru2,
struct rusage_ext *rux2)
{
rux->rux_runtime += rux2->rux_runtime;
rux->rux_uticks += rux2->rux_uticks;
rux->rux_sticks += rux2->rux_sticks;
rux->rux_iticks += rux2->rux_iticks;
rux->rux_uu += rux2->rux_uu;
rux->rux_su += rux2->rux_su;
rux->rux_tu += rux2->rux_tu;
rucollect(ru, ru2);
}
/*
* Aggregate tick counts into the proc's rusage_ext.
*/
static void
ruxagg_locked(struct rusage_ext *rux, struct thread *td)
{
THREAD_LOCK_ASSERT(td, MA_OWNED);
PROC_STATLOCK_ASSERT(td->td_proc, MA_OWNED);
rux->rux_runtime += td->td_incruntime;
rux->rux_uticks += td->td_uticks;
rux->rux_sticks += td->td_sticks;
rux->rux_iticks += td->td_iticks;
}
void
ruxagg(struct proc *p, struct thread *td)
{
thread_lock(td);
ruxagg_locked(&p->p_rux, td);
ruxagg_locked(&td->td_rux, td);
td->td_incruntime = 0;
td->td_uticks = 0;
td->td_iticks = 0;
td->td_sticks = 0;
thread_unlock(td);
}
/*
* Update the rusage_ext structure and fetch a valid aggregate rusage
* for proc p if storage for one is supplied.
*/
void
rufetch(struct proc *p, struct rusage *ru)
{
struct thread *td;
PROC_STATLOCK_ASSERT(p, MA_OWNED);
*ru = p->p_ru;
if (p->p_numthreads > 0) {
FOREACH_THREAD_IN_PROC(p, td) {
ruxagg(p, td);
rucollect(ru, &td->td_ru);
}
}
}
/*
* Atomically perform a rufetch and a calcru together.
* Consumers, can safely assume the calcru is executed only once
* rufetch is completed.
*/
void
rufetchcalc(struct proc *p, struct rusage *ru, struct timeval *up,
struct timeval *sp)
{
PROC_STATLOCK(p);
rufetch(p, ru);
calcru(p, up, sp);
PROC_STATUNLOCK(p);
}
/*
* Allocate a new resource limits structure and initialize its
* reference count and mutex pointer.
*/
struct plimit *
lim_alloc()
{
struct plimit *limp;
limp = malloc(sizeof(struct plimit), M_PLIMIT, M_WAITOK);
refcount_init(&limp->pl_refcnt, 1);
return (limp);
}
struct plimit *
lim_hold(struct plimit *limp)
{
refcount_acquire(&limp->pl_refcnt);
return (limp);
}
void
lim_fork(struct proc *p1, struct proc *p2)
{
PROC_LOCK_ASSERT(p1, MA_OWNED);
PROC_LOCK_ASSERT(p2, MA_OWNED);
p2->p_limit = lim_hold(p1->p_limit);
callout_init_mtx(&p2->p_limco, &p2->p_mtx, 0);
if (p1->p_cpulimit != RLIM_INFINITY)
callout_reset_sbt(&p2->p_limco, SBT_1S, 0,
lim_cb, p2, C_PREL(1));
}
void
lim_free(struct plimit *limp)
{
if (refcount_release(&limp->pl_refcnt))
free((void *)limp, M_PLIMIT);
}
/*
* Make a copy of the plimit structure.
* We share these structures copy-on-write after fork.
*/
void
lim_copy(struct plimit *dst, struct plimit *src)
{
KASSERT(dst->pl_refcnt <= 1, ("lim_copy to shared limit"));
bcopy(src->pl_rlimit, dst->pl_rlimit, sizeof(src->pl_rlimit));
}
/*
* Return the hard limit for a particular system resource. The
* which parameter specifies the index into the rlimit array.
*/
rlim_t
lim_max(struct thread *td, int which)
{
struct rlimit rl;
lim_rlimit(td, which, &rl);
return (rl.rlim_max);
}
rlim_t
lim_max_proc(struct proc *p, int which)
{
struct rlimit rl;
lim_rlimit_proc(p, which, &rl);
return (rl.rlim_max);
}
/*
* Return the current (soft) limit for a particular system resource.
* The which parameter which specifies the index into the rlimit array
*/
rlim_t
(lim_cur)(struct thread *td, int which)
{
struct rlimit rl;
lim_rlimit(td, which, &rl);
return (rl.rlim_cur);
}
rlim_t
lim_cur_proc(struct proc *p, int which)
{
struct rlimit rl;
lim_rlimit_proc(p, which, &rl);
return (rl.rlim_cur);
}
/*
* Return a copy of the entire rlimit structure for the system limit
* specified by 'which' in the rlimit structure pointed to by 'rlp'.
*/
void
lim_rlimit(struct thread *td, int which, struct rlimit *rlp)
{
struct proc *p = td->td_proc;
MPASS(td == curthread);
KASSERT(which >= 0 && which < RLIM_NLIMITS,
("request for invalid resource limit"));
*rlp = td->td_limit->pl_rlimit[which];
if (p->p_sysent->sv_fixlimit != NULL)
p->p_sysent->sv_fixlimit(rlp, which);
}
void
lim_rlimit_proc(struct proc *p, int which, struct rlimit *rlp)
{
PROC_LOCK_ASSERT(p, MA_OWNED);
KASSERT(which >= 0 && which < RLIM_NLIMITS,
("request for invalid resource limit"));
*rlp = p->p_limit->pl_rlimit[which];
if (p->p_sysent->sv_fixlimit != NULL)
p->p_sysent->sv_fixlimit(rlp, which);
}
void
uihashinit()
{
uihashtbl = hashinit(maxproc / 16, M_UIDINFO, &uihash);
rw_init(&uihashtbl_lock, "uidinfo hash");
}
/*
* Look up a uidinfo struct for the parameter uid.
* uihashtbl_lock must be locked.
* Increase refcount on uidinfo struct returned.
*/
static struct uidinfo *
uilookup(uid_t uid)
{
struct uihashhead *uipp;
struct uidinfo *uip;
rw_assert(&uihashtbl_lock, RA_LOCKED);
uipp = UIHASH(uid);
LIST_FOREACH(uip, uipp, ui_hash)
if (uip->ui_uid == uid) {
uihold(uip);
break;
}
return (uip);
}
/*
* Find or allocate a struct uidinfo for a particular uid.
* Returns with uidinfo struct referenced.
* uifree() should be called on a struct uidinfo when released.
*/
struct uidinfo *
uifind(uid_t uid)
{
struct uidinfo *new_uip, *uip;
struct ucred *cred;
cred = curthread->td_ucred;
if (cred->cr_uidinfo->ui_uid == uid) {
uip = cred->cr_uidinfo;
uihold(uip);
return (uip);
} else if (cred->cr_ruidinfo->ui_uid == uid) {
uip = cred->cr_ruidinfo;
uihold(uip);
return (uip);
}
rw_rlock(&uihashtbl_lock);
uip = uilookup(uid);
rw_runlock(&uihashtbl_lock);
if (uip != NULL)
return (uip);
new_uip = malloc(sizeof(*new_uip), M_UIDINFO, M_WAITOK | M_ZERO);
racct_create(&new_uip->ui_racct);
refcount_init(&new_uip->ui_ref, 1);
new_uip->ui_uid = uid;
rw_wlock(&uihashtbl_lock);
/*
* There's a chance someone created our uidinfo while we
* were in malloc and not holding the lock, so we have to
* make sure we don't insert a duplicate uidinfo.
*/
if ((uip = uilookup(uid)) == NULL) {
LIST_INSERT_HEAD(UIHASH(uid), new_uip, ui_hash);
rw_wunlock(&uihashtbl_lock);
uip = new_uip;
} else {
rw_wunlock(&uihashtbl_lock);
racct_destroy(&new_uip->ui_racct);
free(new_uip, M_UIDINFO);
}
return (uip);
}
/*
* Place another refcount on a uidinfo struct.
*/
void
uihold(struct uidinfo *uip)
{
refcount_acquire(&uip->ui_ref);
}
/*-
* Since uidinfo structs have a long lifetime, we use an
* opportunistic refcounting scheme to avoid locking the lookup hash
* for each release.
*
* If the refcount hits 0, we need to free the structure,
* which means we need to lock the hash.
* Optimal case:
* After locking the struct and lowering the refcount, if we find
* that we don't need to free, simply unlock and return.
* Suboptimal case:
* If refcount lowering results in need to free, bump the count
* back up, lose the lock and acquire the locks in the proper
* order to try again.
*/
void
uifree(struct uidinfo *uip)
{
if (refcount_release_if_not_last(&uip->ui_ref))
return;
rw_wlock(&uihashtbl_lock);
if (refcount_release(&uip->ui_ref) == 0) {
rw_wunlock(&uihashtbl_lock);
return;
}
racct_destroy(&uip->ui_racct);
LIST_REMOVE(uip, ui_hash);
rw_wunlock(&uihashtbl_lock);
if (uip->ui_sbsize != 0)
printf("freeing uidinfo: uid = %d, sbsize = %ld\n",
uip->ui_uid, uip->ui_sbsize);
if (uip->ui_proccnt != 0)
printf("freeing uidinfo: uid = %d, proccnt = %ld\n",
uip->ui_uid, uip->ui_proccnt);
if (uip->ui_vmsize != 0)
printf("freeing uidinfo: uid = %d, swapuse = %lld\n",
uip->ui_uid, (unsigned long long)uip->ui_vmsize);
free(uip, M_UIDINFO);
}
#ifdef RACCT
void
ui_racct_foreach(void (*callback)(struct racct *racct,
void *arg2, void *arg3), void (*pre)(void), void (*post)(void),
void *arg2, void *arg3)
{
struct uidinfo *uip;
struct uihashhead *uih;
rw_rlock(&uihashtbl_lock);
if (pre != NULL)
(pre)();
for (uih = &uihashtbl[uihash]; uih >= uihashtbl; uih--) {
LIST_FOREACH(uip, uih, ui_hash) {
(callback)(uip->ui_racct, arg2, arg3);
}
}
if (post != NULL)
(post)();
rw_runlock(&uihashtbl_lock);
}
#endif
static inline int
chglimit(struct uidinfo *uip, long *limit, int diff, rlim_t max, const char *name)
{
long new;
/* Don't allow them to exceed max, but allow subtraction. */
new = atomic_fetchadd_long(limit, (long)diff) + diff;
if (diff > 0 && max != 0) {
if (new < 0 || new > max) {
atomic_subtract_long(limit, (long)diff);
return (0);
}
} else if (new < 0)
printf("negative %s for uid = %d\n", name, uip->ui_uid);
return (1);
}
/*
* Change the count associated with number of processes
* a given user is using. When 'max' is 0, don't enforce a limit
*/
int
chgproccnt(struct uidinfo *uip, int diff, rlim_t max)
{
return (chglimit(uip, &uip->ui_proccnt, diff, max, "proccnt"));
}
/*
* Change the total socket buffer size a user has used.
*/
int
chgsbsize(struct uidinfo *uip, u_int *hiwat, u_int to, rlim_t max)
{
int diff, rv;
diff = to - *hiwat;
if (diff > 0 && max == 0) {
rv = 0;
} else {
rv = chglimit(uip, &uip->ui_sbsize, diff, max, "sbsize");
if (rv != 0)
*hiwat = to;
}
return (rv);
}
/*
* Change the count associated with number of pseudo-terminals
* a given user is using. When 'max' is 0, don't enforce a limit
*/
int
chgptscnt(struct uidinfo *uip, int diff, rlim_t max)
{
return (chglimit(uip, &uip->ui_ptscnt, diff, max, "ptscnt"));
}
int
chgkqcnt(struct uidinfo *uip, int diff, rlim_t max)
{
return (chglimit(uip, &uip->ui_kqcnt, diff, max, "kqcnt"));
}
int
chgumtxcnt(struct uidinfo *uip, int diff, rlim_t max)
{
return (chglimit(uip, &uip->ui_umtxcnt, diff, max, "umtxcnt"));
}