From owner-svn-src-all@FreeBSD.ORG  Thu Sep 15 08:42:06 2011
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 830FD106566B;
	Thu, 15 Sep 2011 08:42:06 +0000 (UTC)
	(envelope-from adrian@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 721108FC14;
	Thu, 15 Sep 2011 08:42:06 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id p8F8g6od064369;
	Thu, 15 Sep 2011 08:42:06 GMT (envelope-from adrian@svn.freebsd.org)
Received: (from adrian@localhost)
	by svn.freebsd.org (8.14.4/8.14.4/Submit) id p8F8g6Jm064366;
	Thu, 15 Sep 2011 08:42:06 GMT (envelope-from adrian@svn.freebsd.org)
Message-Id: <201109150842.p8F8g6Jm064366@svn.freebsd.org>
From: Adrian Chadd <adrian@FreeBSD.org>
Date: Thu, 15 Sep 2011 08:42:06 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-head@freebsd.org
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r225570 - in head: share/man/man9 sys/kern
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
	user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Sep 2011 08:42:06 -0000

Author: adrian
Date: Thu Sep 15 08:42:06 2011
New Revision: 225570
URL: http://svn.freebsd.org/changeset/base/225570

Log:
  Ensure that ta_pending doesn't overflow u_short by capping its value at USHRT_MAX.
  
  If it overflows before the taskqueue can run, the task will be
  re-added to the taskqueue and cause a loop in the task list.
  
  Reported by:	Arnaud Lacombe <lacombar@gmail.com>
  Submitted by:	Ryan Stone <rysto32@gmail.com>
  Reviewed by:	jhb
  Approved by:	re (kib)
  MFC after:	1 day

Modified:
  head/share/man/man9/taskqueue.9
  head/sys/kern/subr_taskqueue.c

Modified: head/share/man/man9/taskqueue.9
==============================================================================
--- head/share/man/man9/taskqueue.9	Thu Sep 15 06:42:06 2011	(r225569)
+++ head/share/man/man9/taskqueue.9	Thu Sep 15 08:42:06 2011	(r225570)
@@ -133,7 +133,7 @@ If the task's
 .Va ta_pending
 field is non-zero,
 then it is simply incremented to reflect the number of times the task
-was enqueued.
+was enqueued, up to a cap of USHRT_MAX.
 Otherwise,
 the task is added to the list before the first task which has a lower
 .Va ta_priority

Modified: head/sys/kern/subr_taskqueue.c
==============================================================================
--- head/sys/kern/subr_taskqueue.c	Thu Sep 15 06:42:06 2011	(r225569)
+++ head/sys/kern/subr_taskqueue.c	Thu Sep 15 08:42:06 2011	(r225570)
@@ -33,6 +33,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/interrupt.h>
 #include <sys/kernel.h>
 #include <sys/kthread.h>
+#include <sys/limits.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
 #include <sys/mutex.h>
@@ -173,7 +174,8 @@ taskqueue_enqueue_locked(struct taskqueu
 	 * Count multiple enqueues.
 	 */
 	if (task->ta_pending) {
-		task->ta_pending++;
+		if (task->ta_pending < USHRT_MAX)
+			task->ta_pending++;
 		return (0);
 	}