| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We don't want resettodr(9) to write the RTC until inittodr(9) has
actually run. Until inittodr(9) calls tc_setclock() the system UTC
clock will contain a meaningless value and there's no sense in
overwriting a good value with a value we know is nonsense.
This is not an uncommon problem if you're debugging a problem in early
boot, e.g. a panic that occurs prior to inittodr(9).
Currently we use the following logic in resettodr(9) to inhibit writes:
if (time_second == 1)
return;
... this is too magical.
A better way to accomplish the same thing is to introduce a dedicated
flag set from inittodr(9). Hence, "inittodr_done".
Suggested by visa@.
ok kettenis@
|
| | |
|
| |
|
|
|
|
| |
of todr_handle.
OK kettenis@
|
| |
|
|
|
| |
ok deraadt@, mpi@, visa@
ok cheloha@ as well (would have preferred in new file for this code)
|
| |
|
|
|
|
|
|
|
|
| |
While here, rename the wait channel so the tsleep_nsec(9) call will fit
onto a single line. It isn't a global channel so the name is arbitrary
anyway.
With input from visa@.
ok visa@
|
| |
|
|
|
|
|
|
|
| |
I broke adjfreq(2)'s atomic swap in kern_time.c,v1.112. By using the
"f" variable to store both the new and old frequency adjustments, the
new adjustment gets clobbered by the old adjustment if the caller asked
for a swap.
ok visa@ mpi@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we return (1000000000 / hz) from clock_getres(2) as the
resolution for every clock. This is often untrue.
For CPUTIME clocks, if we have a separate statclock interrupt the
resolution is (1000000000 / stathz). Otherwise it is as we currently
claim: (1000000000 / hz).
For the REALTIME/MONOTONIC/UPTIME/BOOTTIME clocks the resolution is
that of the active timecounter. During tc_init() we can compute the
precision of a timecounter by examining its tc_counter_mask and store
it for lookup later in a new member, tc_precision. The resolution of
a clock backed by a timecounter "tc" is then
tc.tc_precision * (2^64 / tc.tc_frequency)
fractional seconds.
While here we can clean up sys_clock_getres() a bit.
Standards input from guenther@. Lots of input, feedback from
kettenis@.
ok kettenis@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For gettimeofday(2), always copy out an empty timezone struct. For
settimeofday(2), still copyin(9) the struct but ignore the contents.
In gettimeofday(2)'s case we have not changed the original BSD semantics:
the kernel only tracks UTC time without an offset for DST, so a zeroed
timezone struct is the correct thing to return to the caller.
Future work could move these out into libc as stubs for clock_gettime and
clock_settime(2). But, definitely a "later" thing, given that we are in
beta.
Update the manpage to de-emphasize the timezone parameters for these
syscalls.
Discussed with tedu@, deraadt@, millert@, kettenis@, yasuoka@, jca@, and
guenther@. Tested by job@. Ports input from jca@ and sthen@. Manpage
input from jca@.
ok jca@ deraadt@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Loongson runs at 128hz. 128 doesn't divide evenly into a million,
but it does divide evenly into a billion. So if we do the per-process
itimer bookkeeping with itimerspec structs we can have error-free
virtual itimers on loongson just as we do on most other platforms.
This change doesn't fix the virtual itimer error alpha, as 1024 does not
divide evenly into a billion. But this doesn't make the situation any
worse, either.
ok deraadt@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Basically just make all the bintime routines look and behave more like
the timeradd(3) macros.
Switch to three-argument forms for structure math, introduce and use
bintimecmp(9), and rename the structure conversion routines to resemble
e.g. TIMEVAL_TO_TIMESPEC(3).
Document all of this in a new bintimeadd.9 page.
Code input from mpi@, manpage input from schwarze@.
code ok mpi@, docs ok schwarze@, docs probably still ok jmc@
|
| |
|
|
|
|
|
|
|
| |
It currently creates a lock ordering problem because SCHED_LOCK() is taken
by hardclock(). That means the "priorities" of a thread should be moved
out of the SCHED_LOCK() first in order to make progress.
Reported-by: syzbot+8e4863b3dde88eb706dc@syzkaller.appspotmail.com
via anton@ as well as by kettenis@
|
| |
|
|
|
|
|
| |
Note that hardclock(9) still increments p_{u,s,i}ticks without holding a
lock.
ok visa@, cheloha@
|
| |
|
|
| |
ok mlarkin, otto (who both had the same diff)
|
| |
|
|
|
|
|
|
|
| |
clock_settime(2)/settimeofday(2) still need KERNEL_LOCK for a moment
when resetting the RTC, as that's done periodically from a task under
KERNEL_LOCK. Not quite sure how to approach that one yet.
ok visa@ mpi@, "good stuff" tedu@,
"please wait until after [tree] unlock" deraadt@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
No other (known) BSD-derived adjtime(2) implementation checks for overflow
when converting delta into its final denomination of fractional seconds.
This is peculiar, as the call originates in 4.3BSD.
However, glibc, uclibc, and (to an extent) musl /do/ check the input and set
EINVAL if it exceeds a certain bound, so we'll just use the errno that they
use to be consistent with extant practice.
Prompted by the comment kettenis@ left when we switched to storing the
adjustment in an int64_t like ~5 years ago (kern_time.c,v 1.87).
Positive feedback from deraadt@, manpage bits ok jmc@,
no code complaints from otto@ or tedu@.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tc_lock allows adjfreq(2) and the kern.timecounter.hardware sysctl(2)
to read/write the active timecounter pointer and the .tc_adj_freq
member of the active timecounter safely. This eliminates any possibility
of a torn read/write for the .tc_adj_freq member when we drop the
KERNEL_LOCK from the timecounting layer. It also ensures the active
timecounter does not change in the midst of an adjfreq(2) call.
Because these are not high-traffic paths, we can get away with using
tc_lock in write-mode to ensure combination read/write adjtime(2) calls
are relatively atomic (a) to other writer adjtime(2) calls, and (b) to
settimeofday(2)/clock_settime(2) calls, which cancel ongoing adjtime(2)
adjustment.
When the KERNEL_LOCK is dropped, an unprivileged user will be able to
create some tc_lock contention via adjfreq(2); it is very unlikely to
ever be a problem. If it ever is actually a problem a lockless read
could be added to address it.
While here, reorganize sys_adjfreq()/sys_adjtime() to minimize code
under the lock. Also while here, make tc_adjfreq() void, as it cannot
fail under any circumstance. Also also while here, annotate various
globals/struct members with lock ordering details.
With lots of input from mpi@ and visa@.
ok visa@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This will simplify upcoming MP-safety diffs for the timecounting layer.
adjtimedelta is now accessed nowhere outside of kern_tc.c, so we can
remove its extern declaration from kernel.h. Zeroing adjtimedelta
within timecounter_mtx before we jump the real-time clock is also a
bit safer than what we do now, as we are not racing a simultaneous
tc_windup() call from hardclock(), which itself can modify adjtimedelta
via ntp_update_second().
Discussed with visa@ and mpi@.
ok visa@
|
| |
|
|
|
| |
add locking in clock_gettime where needed.
ok cheloha matthew
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Add documentation for the new EINVAL cases for adjtime(2) and
settimeofday(2).
adjtime.2 docs ok schwarze@,
settimeofday(2)/clock_settime(2) stuff ok tedu@,
"stop waiting" deraadt@
|
| |
|
|
| |
ok jca@ visa@ guenther@ deraadt@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
tsleep(9)'s maximum timeout shrinks as HZ grows, so this ensures we do
not return early from longer timeouts on alpha or on custom kernels.
POSIX says you cannot return early unless a signal is delivered, so
this makes us more compliant with the standard.
While here, remove the 100 million second upper bound. It is an
artifact from itimerfix() and it serves no discernible purpose.
ok tedu@ visa@
|
| | |
|
| |
|
|
| |
ok tb@ kettenis@
|
| |
|
|
|
|
|
|
|
|
|
| |
Instead of converting timespec -> timeval and truncating the input,
check with timespecfix and use tstohz(9) for the tsleep.
All other contemporary systems check this correctly.
Also add a regression test for this case.
ok tb@
|
| |
|
|
|
|
|
| |
The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer mess with a per-process field.
No objection from millert@, ok tedu@, bluhm@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
and put it to use in userspace in lieu of the kern.boottime
sysctl.
Its absolute value is the time that has elapsed since the
system booted, i.e., the system uptime.
Use in top(1), w(1), and snmpd(8) eliminates a race with
settimeofday(2), adjtime(2), etc. inherent to deriving the
system uptime via the kern.boottime sysctl.
Product of a great deal of discussion/revision with jca@, tb@,
and guenther@.
ok tb@ jca@ guenther@ dlg@ mlarkin@ tom@
|
| |
|
|
|
|
| |
While here document prfind(9.
with and ok guenther@
|
| |
|
|
|
|
|
| |
This fixes the problem that long-running machines which were not
shut down properly would reboot with a badly offset system time.
hints and ok kettenis@
|
| |
|
|
|
| |
oversized timespecs should be clamped, not rejected.
ok millert
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
- rename _check function without suffix: a "pledge" function called from
anywhere is a "check" function.
- makes pledge_fail call the responsability to the _check function. remove it
from caller.
- make proper use of (potential) returned error of _check() functions.
- adds pledge_kill() and pledge_protexec()
with and OK deraadt@
|
| |
|
|
|
|
| |
strict than anticipated. It allows a programmer to pledge/promise/covenant
that their program will operate within an easily defined subset of the
Unix environment, or it pays the price.
|
| |
|
|
| |
ok deraadt@ miod@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The pathlist is a whitelist of dirs and files; anything else returns ENOENT.
Recommendation is to use a narrowly defined list. Also add TAME_FATTR, which
permits explicit change operations against "struct stat" fields. Some
other TAME_ flags are refined slightly.
Not cranking libc now, since nothing commited in base uses this and the
timing is uncomfortable for others. Discussed with many; thanks for a
few bug fixes from semarie, doug, guenther.
ok guenther
|
| |
|
|
|
|
| |
operating model". This is the kernel component; various changes should
proceed in-tree for a while before userland programs start using it.
ok miod, discussions and help from many
|
| |
|
|
|
|
|
|
|
|
|
| |
from hardclock() which runs without grabbing the kernel lock. This means
that two threads could concurrently update the struct which could lead to
corruption of the value which in turn could stop the timer. It could also
result in getitimer(2) returning a non-normalized value.
With help from guenther@.
ok deraadt@, guenther@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
microsecond in a 64-bit integer. Fixes the issue where ntpd loses sync
because the struct timeval currently used to hold the adjustment is not
properly normalized after the changes guenther@ made.
ok guenther@, millert@
|
| |
|
|
|
|
|
|
| |
going to copyout one, memset the structure and then set it member by member.
sys_adjtime() does that on copyin instead, as it already has to munge the
members as it goes.
ok deraadt@
|
| |
|
|
|
|
|
|
|
|
| |
to sys/*.h headers so that the compat/linux code can use them.
Change dowait4() to not copyout() the status value, but rather leave
that for its caller, as compat/linux has to translate it, with the
side benefit of simplifying the native code.
Originally written months ago as part of the time_t work; long
memory, prodding, and ok from pirofti@
|
| |
|
|
|
|
|
|
| |
hardclock() set a flag on the running thread and force AST processing,
and then have the thread signal itself from userret().
idea and flag names from FreeBSD
ok jsing@
|
| |
|
|
|
|
|
| |
that mlarkin@ can fix programs that report rates-over-uptime.
ok kettenis@
manpage corrections jmc@ (which I've probably broken again)
|
| | |
|
cheloha
visa
kettenis
mpi
stsp
tedu
guenther
naddy
semarie
deraadt