1 /* $OpenBSD: kern_time.c,v 1.24 2001/06/25 03:28:03 csapuntz Exp $ */ 2 /* $NetBSD: kern_time.c,v 1.20 1996/02/18 11:57:06 fvdl Exp $ */ 3 4 /* 5 * Copyright (c) 1982, 1986, 1989, 1993 6 * The Regents of the University of California. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. All advertising materials mentioning features or use of this software 17 * must display the following acknowledgement: 18 * This product includes software developed by the University of 19 * California, Berkeley and its contributors. 20 * 4. Neither the name of the University nor the names of its contributors 21 * may be used to endorse or promote products derived from this software 22 * without specific prior written permission. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 * SUCH DAMAGE. 35 * 36 * @(#)kern_time.c 8.4 (Berkeley) 5/26/95 37 */ 38 39 #include <sys/param.h> 40 #include <sys/resourcevar.h> 41 #include <sys/kernel.h> 42 #include <sys/systm.h> 43 #include <sys/proc.h> 44 #include <sys/vnode.h> 45 #include <sys/signalvar.h> 46 47 #include <sys/mount.h> 48 #include <sys/syscallargs.h> 49 50 #if defined(NFSCLIENT) || defined(NFSSERVER) 51 #include <nfs/rpcv2.h> 52 #include <nfs/nfsproto.h> 53 #include <nfs/nfs_var.h> 54 #endif 55 56 #include <machine/cpu.h> 57 58 void settime __P((struct timeval *)); 59 60 /* 61 * Time of day and interval timer support. 62 * 63 * These routines provide the kernel entry points to get and set 64 * the time-of-day and per-process interval timers. Subroutines 65 * here provide support for adding and subtracting timeval structures 66 * and decrementing interval timers, optionally reloading the interval 67 * timers when they expire. 68 */ 69 70 /* This function is used by clock_settime and settimeofday */ 71 void 72 settime(tv) 73 struct timeval *tv; 74 { 75 struct timeval delta; 76 int s; 77 78 /* WHAT DO WE DO ABOUT PENDING REAL-TIME TIMEOUTS??? */ 79 s = splclock(); 80 timersub(tv, &time, &delta); 81 time = *tv; 82 (void) spllowersoftclock(); 83 timeradd(&boottime, &delta, &boottime); 84 timeradd(&runtime, &delta, &runtime); 85 splx(s); 86 resettodr(); 87 } 88 89 /* ARGSUSED */ 90 int 91 sys_clock_gettime(p, v, retval) 92 struct proc *p; 93 void *v; 94 register_t *retval; 95 { 96 register struct sys_clock_gettime_args /* { 97 syscallarg(clockid_t) clock_id; 98 syscallarg(struct timespec *) tp; 99 } */ *uap = v; 100 clockid_t clock_id; 101 struct timeval atv; 102 struct timespec ats; 103 104 clock_id = SCARG(uap, clock_id); 105 if (clock_id != CLOCK_REALTIME) 106 return (EINVAL); 107 108 microtime(&atv); 109 TIMEVAL_TO_TIMESPEC(&atv,&ats); 110 111 return copyout(&ats, SCARG(uap, tp), sizeof(ats)); 112 } 113 114 /* ARGSUSED */ 115 int 116 sys_clock_settime(p, v, retval) 117 struct proc *p; 118 void *v; 119 register_t *retval; 120 { 121 register struct sys_clock_settime_args /* { 122 syscallarg(clockid_t) clock_id; 123 syscallarg(const struct timespec *) tp; 124 } */ *uap = v; 125 clockid_t clock_id; 126 struct timeval atv; 127 struct timespec ats; 128 int error; 129 130 if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) 131 return (error); 132 133 clock_id = SCARG(uap, clock_id); 134 if (clock_id != CLOCK_REALTIME) 135 return (EINVAL); 136 137 if ((error = copyin(SCARG(uap, tp), &ats, sizeof(ats))) != 0) 138 return (error); 139 140 TIMESPEC_TO_TIMEVAL(&atv,&ats); 141 142 /* 143 * If the system is secure, we do not allow the time to be 144 * set to an earlier value (it may be slowed using adjtime, 145 * but not set back). This feature prevent interlopers from 146 * setting arbitrary time stamps on files. 147 */ 148 if (securelevel > 1 && timercmp(&atv, &time, <)) 149 return (EPERM); 150 settime(&atv); 151 152 return (0); 153 } 154 155 int 156 sys_clock_getres(p, v, retval) 157 struct proc *p; 158 void *v; 159 register_t *retval; 160 { 161 register struct sys_clock_getres_args /* { 162 syscallarg(clockid_t) clock_id; 163 syscallarg(struct timespec *) tp; 164 } */ *uap = v; 165 clockid_t clock_id; 166 struct timespec ts; 167 int error = 0; 168 169 clock_id = SCARG(uap, clock_id); 170 if (clock_id != CLOCK_REALTIME) 171 return (EINVAL); 172 173 if (SCARG(uap, tp)) { 174 ts.tv_sec = 0; 175 ts.tv_nsec = 1000000000 / hz; 176 177 error = copyout(&ts, SCARG(uap, tp), sizeof (ts)); 178 } 179 180 return error; 181 } 182 183 /* ARGSUSED */ 184 int 185 sys_nanosleep(p, v, retval) 186 struct proc *p; 187 void *v; 188 register_t *retval; 189 { 190 static int nanowait; 191 register struct sys_nanosleep_args/* { 192 syscallarg(const struct timespec *) rqtp; 193 syscallarg(struct timespec *) rmtp; 194 } */ *uap = v; 195 struct timespec rqt; 196 struct timespec rmt; 197 struct timeval atv, utv; 198 int error, s, timo; 199 200 error = copyin((const void *)SCARG(uap, rqtp), (void *)&rqt, 201 sizeof(struct timespec)); 202 if (error) 203 return (error); 204 205 TIMESPEC_TO_TIMEVAL(&atv,&rqt) 206 if (itimerfix(&atv)) 207 return (EINVAL); 208 209 s = splclock(); 210 timeradd(&atv,&time,&atv); 211 timo = hzto(&atv); 212 splx(s); 213 /* 214 * Avoid inadvertantly sleeping forever 215 */ 216 if (timo <= 0) 217 timo = 1; 218 219 error = tsleep(&nanowait, PWAIT | PCATCH, "nanosleep", timo); 220 if (error == ERESTART) 221 error = EINTR; 222 if (error == EWOULDBLOCK) 223 error = 0; 224 225 if (SCARG(uap, rmtp)) { 226 int error; 227 228 s = splclock(); 229 utv = time; 230 splx(s); 231 232 timersub(&atv, &utv, &utv); 233 if (utv.tv_sec < 0) 234 timerclear(&utv); 235 236 TIMEVAL_TO_TIMESPEC(&utv, &rmt); 237 error = copyout((void *)&rmt, (void *)SCARG(uap,rmtp), 238 sizeof(rmt)); 239 if (error) 240 return (error); 241 } 242 243 return error; 244 } 245 246 /* ARGSUSED */ 247 int 248 sys_gettimeofday(p, v, retval) 249 struct proc *p; 250 void *v; 251 register_t *retval; 252 { 253 register struct sys_gettimeofday_args /* { 254 syscallarg(struct timeval *) tp; 255 syscallarg(struct timezone *) tzp; 256 } */ *uap = v; 257 struct timeval atv; 258 int error = 0; 259 260 if (SCARG(uap, tp)) { 261 microtime(&atv); 262 if ((error = copyout((void *)&atv, (void *)SCARG(uap, tp), 263 sizeof (atv)))) 264 return (error); 265 } 266 if (SCARG(uap, tzp)) 267 error = copyout((void *)&tz, (void *)SCARG(uap, tzp), 268 sizeof (tz)); 269 return (error); 270 } 271 272 /* ARGSUSED */ 273 int 274 sys_settimeofday(p, v, retval) 275 struct proc *p; 276 void *v; 277 register_t *retval; 278 { 279 struct sys_settimeofday_args /* { 280 syscallarg(struct timeval *) tv; 281 syscallarg(struct timezone *) tzp; 282 } */ *uap = v; 283 struct timeval atv; 284 struct timezone atz; 285 int error; 286 287 if ((error = suser(p->p_ucred, &p->p_acflag))) 288 return (error); 289 /* Verify all parameters before changing time. */ 290 if (SCARG(uap, tv) && (error = copyin((void *)SCARG(uap, tv), 291 (void *)&atv, sizeof(atv)))) 292 return (error); 293 if (SCARG(uap, tzp) && (error = copyin((void *)SCARG(uap, tzp), 294 (void *)&atz, sizeof(atz)))) 295 return (error); 296 if (SCARG(uap, tv)) { 297 /* 298 * Don't allow the time to be set forward so far it will wrap 299 * and become negative, thus allowing an attacker to bypass 300 * the next check below. The cutoff is 1 year before rollover 301 * occurs, so even if the attacker uses adjtime(2) to move 302 * the time past the cutoff, it will take a very long time 303 * to get to the wrap point. 304 * 305 * XXX: we check against INT_MAX since on 64-bit 306 * platforms, sizeof(int) != sizeof(long) and 307 * time_t is 32 bits even when atv.tv_sec is 64 bits. 308 */ 309 if (atv.tv_sec > INT_MAX - 365*24*60*60) { 310 printf("denied attempt to set clock forward to %ld\n", 311 atv.tv_sec); 312 return (EPERM); 313 } 314 /* 315 * If the system is secure, we do not allow the time to be 316 * set to an earlier value (it may be slowed using adjtime, 317 * but not set back). This feature prevent interlopers from 318 * setting arbitrary time stamps on files. 319 */ 320 if (securelevel > 1 && timercmp(&atv, &time, <)) { 321 printf("denied attempt to set clock back %ld seconds\n", 322 time.tv_sec - atv.tv_sec); 323 return (EPERM); 324 } 325 settime(&atv); 326 } 327 if (SCARG(uap, tzp)) 328 tz = atz; 329 return (0); 330 } 331 332 int tickdelta; /* current clock skew, us. per tick */ 333 long timedelta; /* unapplied time correction, us. */ 334 long bigadj = 1000000; /* use 10x skew above bigadj us. */ 335 336 /* ARGSUSED */ 337 int 338 sys_adjtime(p, v, retval) 339 struct proc *p; 340 void *v; 341 register_t *retval; 342 { 343 register struct sys_adjtime_args /* { 344 syscallarg(struct timeval *) delta; 345 syscallarg(struct timeval *) olddelta; 346 } */ *uap = v; 347 struct timeval atv; 348 register long ndelta, ntickdelta, odelta; 349 int s, error; 350 351 if ((error = suser(p->p_ucred, &p->p_acflag))) 352 return (error); 353 if ((error = copyin((void *)SCARG(uap, delta), (void *)&atv, 354 sizeof(struct timeval)))) 355 return (error); 356 357 /* 358 * Compute the total correction and the rate at which to apply it. 359 * Round the adjustment down to a whole multiple of the per-tick 360 * delta, so that after some number of incremental changes in 361 * hardclock(), tickdelta will become zero, lest the correction 362 * overshoot and start taking us away from the desired final time. 363 */ 364 ndelta = atv.tv_sec * 1000000 + atv.tv_usec; 365 if (ndelta > bigadj) 366 ntickdelta = 10 * tickadj; 367 else 368 ntickdelta = tickadj; 369 if (ndelta % ntickdelta) 370 ndelta = ndelta / ntickdelta * ntickdelta; 371 372 /* 373 * To make hardclock()'s job easier, make the per-tick delta negative 374 * if we want time to run slower; then hardclock can simply compute 375 * tick + tickdelta, and subtract tickdelta from timedelta. 376 */ 377 if (ndelta < 0) 378 ntickdelta = -ntickdelta; 379 s = splclock(); 380 odelta = timedelta; 381 timedelta = ndelta; 382 tickdelta = ntickdelta; 383 splx(s); 384 385 if (SCARG(uap, olddelta)) { 386 atv.tv_sec = odelta / 1000000; 387 atv.tv_usec = odelta % 1000000; 388 if ((error = copyout((void *)&atv, (void *)SCARG(uap, olddelta), 389 sizeof(struct timeval)))) 390 return (error); 391 } 392 return (0); 393 } 394 395 /* 396 * Get value of an interval timer. The process virtual and 397 * profiling virtual time timers are kept in the p_stats area, since 398 * they can be swapped out. These are kept internally in the 399 * way they are specified externally: in time until they expire. 400 * 401 * The real time interval timer is kept in the process table slot 402 * for the process, and its value (it_value) is kept as an 403 * absolute time rather than as a delta, so that it is easy to keep 404 * periodic real-time signals from drifting. 405 * 406 * Virtual time timers are processed in the hardclock() routine of 407 * kern_clock.c. The real time timer is processed by a timeout 408 * routine, called from the softclock() routine. Since a callout 409 * may be delayed in real time due to interrupt processing in the system, 410 * it is possible for the real time timeout routine (realitexpire, given below), 411 * to be delayed in real time past when it is supposed to occur. It 412 * does not suffice, therefore, to reload the real timer .it_value from the 413 * real time timers .it_interval. Rather, we compute the next time in 414 * absolute time the timer should go off. 415 */ 416 /* ARGSUSED */ 417 int 418 sys_getitimer(p, v, retval) 419 struct proc *p; 420 void *v; 421 register_t *retval; 422 { 423 register struct sys_getitimer_args /* { 424 syscallarg(u_int) which; 425 syscallarg(struct itimerval *) itv; 426 } */ *uap = v; 427 struct itimerval aitv; 428 int s; 429 430 if (SCARG(uap, which) > ITIMER_PROF) 431 return (EINVAL); 432 s = splclock(); 433 if (SCARG(uap, which) == ITIMER_REAL) { 434 /* 435 * Convert from absolute to relative time in .it_value 436 * part of real time timer. If time for real time timer 437 * has passed return 0, else return difference between 438 * current time and time for the timer to go off. 439 */ 440 aitv = p->p_realtimer; 441 if (timerisset(&aitv.it_value)) { 442 if (timercmp(&aitv.it_value, &time, <)) 443 timerclear(&aitv.it_value); 444 else 445 timersub(&aitv.it_value, &time, 446 &aitv.it_value); 447 } 448 } else 449 aitv = p->p_stats->p_timer[SCARG(uap, which)]; 450 splx(s); 451 return (copyout((void *)&aitv, (void *)SCARG(uap, itv), 452 sizeof (struct itimerval))); 453 } 454 455 /* ARGSUSED */ 456 int 457 sys_setitimer(p, v, retval) 458 struct proc *p; 459 register void *v; 460 register_t *retval; 461 { 462 register struct sys_setitimer_args /* { 463 syscallarg(u_int) which; 464 syscallarg(struct itimerval *) itv; 465 syscallarg(struct itimerval *) oitv; 466 } */ *uap = v; 467 struct itimerval aitv; 468 register const struct itimerval *itvp; 469 int s, error; 470 int timo; 471 472 if (SCARG(uap, which) > ITIMER_PROF) 473 return (EINVAL); 474 itvp = SCARG(uap, itv); 475 if (itvp && (error = copyin((void *)itvp, (void *)&aitv, 476 sizeof(struct itimerval)))) 477 return (error); 478 if ((SCARG(uap, itv) = SCARG(uap, oitv)) && 479 (error = sys_getitimer(p, uap, retval))) 480 return (error); 481 if (itvp == 0) 482 return (0); 483 if (itimerfix(&aitv.it_value) || itimerfix(&aitv.it_interval)) 484 return (EINVAL); 485 s = splclock(); 486 if (SCARG(uap, which) == ITIMER_REAL) { 487 timeout_del(&p->p_realit_to); 488 if (timerisset(&aitv.it_value)) { 489 timeradd(&aitv.it_value, &time, &aitv.it_value); 490 timo = hzto(&aitv.it_value); 491 if (timo <= 0) 492 timo = 1; 493 timeout_add(&p->p_realit_to, timo); 494 } 495 p->p_realtimer = aitv; 496 } else 497 p->p_stats->p_timer[SCARG(uap, which)] = aitv; 498 splx(s); 499 return (0); 500 } 501 502 /* 503 * Real interval timer expired: 504 * send process whose timer expired an alarm signal. 505 * If time is not set up to reload, then just return. 506 * Else compute next time timer should go off which is > current time. 507 * This is where delay in processing this timeout causes multiple 508 * SIGALRM calls to be compressed into one. 509 */ 510 void 511 realitexpire(arg) 512 void *arg; 513 { 514 register struct proc *p; 515 int s, timo; 516 517 p = (struct proc *)arg; 518 psignal(p, SIGALRM); 519 if (!timerisset(&p->p_realtimer.it_interval)) { 520 timerclear(&p->p_realtimer.it_value); 521 return; 522 } 523 for (;;) { 524 s = splclock(); 525 timeradd(&p->p_realtimer.it_value, 526 &p->p_realtimer.it_interval, &p->p_realtimer.it_value); 527 if (timercmp(&p->p_realtimer.it_value, &time, >)) { 528 timo = hzto(&p->p_realtimer.it_value); 529 if (timo <= 0) 530 timo = 1; 531 timeout_add(&p->p_realit_to, timo); 532 splx(s); 533 return; 534 } 535 splx(s); 536 } 537 } 538 539 /* 540 * Check that a proposed value to load into the .it_value or 541 * .it_interval part of an interval timer is acceptable. 542 */ 543 int 544 itimerfix(tv) 545 struct timeval *tv; 546 { 547 548 if (tv->tv_sec < 0 || tv->tv_sec > 100000000 || 549 tv->tv_usec < 0 || tv->tv_usec >= 1000000) 550 return (EINVAL); 551 552 return (0); 553 } 554 555 /* 556 * Decrement an interval timer by a specified number 557 * of microseconds, which must be less than a second, 558 * i.e. < 1000000. If the timer expires, then reload 559 * it. In this case, carry over (usec - old value) to 560 * reduce the value reloaded into the timer so that 561 * the timer does not drift. This routine assumes 562 * that it is called in a context where the timers 563 * on which it is operating cannot change in value. 564 */ 565 int 566 itimerdecr(itp, usec) 567 register struct itimerval *itp; 568 int usec; 569 { 570 571 if (itp->it_value.tv_usec < usec) { 572 if (itp->it_value.tv_sec == 0) { 573 /* expired, and already in next interval */ 574 usec -= itp->it_value.tv_usec; 575 goto expire; 576 } 577 itp->it_value.tv_usec += 1000000; 578 itp->it_value.tv_sec--; 579 } 580 itp->it_value.tv_usec -= usec; 581 usec = 0; 582 if (timerisset(&itp->it_value)) 583 return (1); 584 /* expired, exactly at end of interval */ 585 expire: 586 if (timerisset(&itp->it_interval)) { 587 itp->it_value = itp->it_interval; 588 itp->it_value.tv_usec -= usec; 589 if (itp->it_value.tv_usec < 0) { 590 itp->it_value.tv_usec += 1000000; 591 itp->it_value.tv_sec--; 592 } 593 } else 594 itp->it_value.tv_usec = 0; /* sec is already 0 */ 595 return (0); 596 } 597 598 /* 599 * ratecheck(): simple time-based rate-limit checking. see ratecheck(9) 600 * for usage and rationale. 601 */ 602 int 603 ratecheck(lasttime, mininterval) 604 struct timeval *lasttime; 605 const struct timeval *mininterval; 606 { 607 struct timeval tv, delta; 608 int s, rv = 0; 609 610 s = splclock(); 611 tv = mono_time; 612 splx(s); 613 614 timersub(&tv, lasttime, &delta); 615 616 /* 617 * check for 0,0 is so that the message will be seen at least once, 618 * even if interval is huge. 619 */ 620 if (timercmp(&delta, mininterval, >=) || 621 (lasttime->tv_sec == 0 && lasttime->tv_usec == 0)) { 622 *lasttime = tv; 623 rv = 1; 624 } 625 626 return (rv); 627 } 628 629 /* 630 * ppsratecheck(): packets (or events) per second limitation. 631 */ 632 int 633 ppsratecheck(lasttime, curpps, maxpps) 634 struct timeval *lasttime; 635 int *curpps; 636 int maxpps; /* maximum pps allowed */ 637 { 638 struct timeval tv, delta; 639 int s, rv; 640 641 s = splclock(); 642 tv = mono_time; 643 splx(s); 644 645 timersub(&tv, lasttime, &delta); 646 647 /* 648 * check for 0,0 is so that the message will be seen at least once. 649 * if more than one second have passed since the last update of 650 * lasttime, reset the counter. 651 * 652 * we do increment *curpps even in *curpps < maxpps case, as some may 653 * try to use *curpps for stat purposes as well. 654 */ 655 if ((lasttime->tv_sec == 0 && lasttime->tv_usec == 0) || 656 delta.tv_sec >= 1) { 657 *lasttime = tv; 658 *curpps = 0; 659 rv = 1; 660 } else if (maxpps < 0) 661 rv = 1; 662 else if (*curpps < maxpps) 663 rv = 1; 664 else 665 rv = 0; 666 667 #if 1 /*DIAGNOSTIC?*/ 668 /* be careful about wrap-around */ 669 if (*curpps + 1 > *curpps) 670 *curpps = *curpps + 1; 671 #else 672 /* 673 * assume that there's not too many calls to this function. 674 * not sure if the assumption holds, as it depends on *caller's* 675 * behavior, not the behavior of this function. 676 * IMHO it is wrong to make assumption on the caller's behavior, 677 * so the above #if is #if 1, not #ifdef DIAGNOSTIC. 678 */ 679 *curpps = *curpps + 1; 680 #endif 681 682 return (rv); 683 } 684