Date: Wed, 29 Jan 2003 08:33:21 +0100 (CET) From: Poul-Henning Kamp <phk@critter.freebsd.dk> To: FreeBSD-gnats-submit@FreeBSD.org Subject: kern/47625: Fatal Signed/Unsigned mistake in sysv_sem.c Message-ID: <200301290733.h0T7XLOl005717@critter.freebsd.dk>
next in thread | raw e-mail | index | archive | help
>Number: 47625
>Category: kern
>Synopsis: Fatal Signed/Unsigned mistake in sysv_sem.c
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jan 28 23:40:02 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Poul-Henning Kamp
>Release: FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD critter.freebsd.dk 5.0-CURRENT FreeBSD 5.0-CURRENT #11: Thu Jan 16 19:45:34 CET 2003 root@critter.freebsd.dk:/freebsd/src/sys/i386/compile/CRITTER i386
>Description:
Undo Rollback in sysv_sem.c bórked.
'j' is a size_t which is unsigned. Unsigned is always >= 0.
/*
* Oh-Oh! We ran out of either sem_undo's or undo's.
* Rollback the adjustments to this point and then
* rollback the semaphore ups and down so we can return
* with an error with all structures restored. We
* rollback the undo's in the exact reverse order that
* we applied them. This guarantees that we won't run
* out of space as we roll things back out.
*/
for (j = i - 1; j >= 0; j--) {
if ((sops[j].sem_flg & SEM_UNDO) == 0)
continue;
adjval = sops[j].sem_op;
if (adjval == 0)
continue;
if (semundo_adjust(td, &suptr, semid,
sops[j].sem_num, adjval) != 0)
panic("semop - can't undo undos");
}
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200301290733.h0T7XLOl005717>