Bug 47625

Summary: Fatal Signed/Unsigned mistake in sysv_sem.c
Product: Base System
Reporter: Poul-Henning Kamp <phk>
Component: kern
Assignee: Tim Robbins <tjr>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 5.0-CURRENT
Hardware: Any
OS: Any

Description Poul-Henning Kamp 2003-01-29 07:40:02 UTC
	Undo Rollback in sysv_sem.c bórked.


	'j' is a size_t which is unsigned.  Unsigned is always >= 0.

	/*
	 * Oh-Oh!  We ran out of either sem_undo's or undo's.
	 * Rollback the adjustments to this point and then
	 * rollback the semaphore ups and down so we can return
	 * with an error with all structures restored.  We
	 * rollback the undo's in the exact reverse order that
	 * we applied them.  This guarantees that we won't run
	 * out of space as we roll things back out.
	 */
	for (j = i - 1; j >= 0; j--) {
		if ((sops[j].sem_flg & SEM_UNDO) == 0)
			continue;
		adjval = sops[j].sem_op;
		if (adjval == 0)
			continue;
		if (semundo_adjust(td, &suptr, semid,
		    sops[j].sem_num, adjval) != 0)
			panic("semop - can't undo undos");
	}
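The defect the report describes is a loop-termination bug, not a logic error in the rollback itself: `j` is a `size_t`, so `j - 1` when `j == 0` wraps to `SIZE_MAX` and `j >= 0` can never become false, which means the loop keeps indexing `sops[]` past its end. The following is an added example written for this page, not code from the report or from the FreeBSD kernel. The `struct op` array, the `ledger` variable standing in for the undo adjustments, and the helper names are all constructed. It shows the reported loop instrumented with a bounds check that stops at the first out-of-range index, beside a count-down idiom that keeps `j` unsigned and still terminates correctly, including when `i == 0`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-in for the per-operation array in the report.
 * 'undo' models the SEM_UNDO flag, 'sem_op' the adjustment value.
 */
struct op {
    int sem_op;
    int undo;
};

/* Constructed sample: three operations, two of them with SEM_UNDO set. */
static const struct op demo_ops[3] = { { 2, 1 }, { -1, 0 }, { 3, 1 } };

/*
 * Hardened rollback over ops[0..i-1] in reverse order. 'j' starts at i
 * and is decremented in the condition, so the body sees j = i-1 ... 0 and
 * the loop exits when j-- reads 0. No unsigned value is ever tested
 * against 0, and i == 0 runs zero iterations. Returns the number of
 * adjustments rolled back.
 */
size_t rollback_safe(const struct op *ops, size_t i, int *ledger)
{
    size_t j, undone = 0;

    for (j = i; j-- > 0;) {
        if (!ops[j].undo || ops[j].sem_op == 0)
            continue;
        *ledger += ops[j].sem_op;  /* reverse the -adjval recorded earlier */
        undone++;
    }
    return undone;
}

/*
 * The reported loop shape, instrumented. The condition `j >= 0` is kept
 * exactly as in the report (always true for size_t); a bounds check on
 * 'nops' replaces the out-of-bounds read that the kernel would perform.
 * Returns 1 if the original loop would have read past the array.
 */
int rollback_buggy_oob(const struct op *ops, size_t i, size_t nops, int *ledger)
{
    size_t j;

    for (j = i - 1; j >= 0; j--) {     /* never false: j is unsigned */
        if (j >= nops)
            return 1;                  /* j wrapped to SIZE_MAX */
        if (!ops[j].undo || ops[j].sem_op == 0)
            continue;
        *ledger += ops[j].sem_op;
    }
    return 0;                          /* not reachable in practice */
}

/*
 * Forward pass records -adjval for each SEM_UNDO op (as the report's
 * semundo_adjust call does), then the safe rollback of all three ops
 * must bring the ledger back to its starting value. Returns 1 on success.
 */
int demo_ledger_restored(void)
{
    int ledger = 0;
    size_t i;

    for (i = 0; i < 3; i++)
        if (demo_ops[i].undo && demo_ops[i].sem_op != 0)
            ledger += -demo_ops[i].sem_op;
    rollback_safe(demo_ops, 3, &ledger);
    return ledger == 0;
}

int main(void)
{
    int ledger = 0;

    printf("safe rollback restores ledger: %s\n",
           demo_ledger_restored() ? "yes" : "no");
    printf("reported loop reads out of bounds (i=3): %d\n",
           rollback_buggy_oob(demo_ops, 3, 3, &ledger));
    printf("reported loop reads out of bounds (i=0): %d\n",
           rollback_buggy_oob(demo_ops, 0, 3, &ledger));
    return 0;
}
```

A compiler with `-Wextra` (or `-Wtype-limits` specifically) flags the `j >= 0` comparison as always true, which is the cheapest way to catch this class of bug before it reaches a kernel.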
Comment 1 Tim Robbins 2003-01-29 08:23:07 UTC
Responsible Changed
From-To: freebsd-bugs->tjr

I'll take this one.
Comment 2 Tim Robbins 2003-01-29 12:36:41 UTC
State Changed
From-To: open->closed

Fixed in -current. I don't believe that this bug affects any other branches.