From freebsd@lab.upc.edu  Wed May 14 22:01:57 2008
Return-Path: <freebsd@lab.upc.edu>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5CC991065677
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 14 May 2008 22:01:57 +0000 (UTC)
	(envelope-from freebsd@lab.upc.edu)
Received: from dash.upc.es (dash.upc.es [147.83.2.50])
	by mx1.freebsd.org (Postfix) with ESMTP id D141F8FC16
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 14 May 2008 22:01:56 +0000 (UTC)
	(envelope-from freebsd@lab.upc.edu)
Received: from localhost (lab.eupvg.upc.es [147.83.140.219])
	by dash.upc.es (8.14.1/8.13.1) with SMTP id m4EHHQLB011535
	for FreeBSD-gnats-submit@freebsd.org; Wed, 14 May 2008 19:17:54 +0200
Message-Id: <200805141554.m4EFsdGh000994@legendre.labnet>
Date: Wed, 14 May 2008 17:54:39 +0200 (CEST)
From: Mike van der Schaar <freebsd@lab.upc.edu>
Reply-To: Mike van der Schaar <freebsd@lab.upc.edu>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: p1003_1b.nsems can become negative/semaphore counter incorrect
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         123685
>Category:       kern
>Synopsis:       [sysvipc] p1003_1b.nsems can become negative/semaphore counter incorrect
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    gonzo
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 14 22:10:02 UTC 2008
>Closed-Date:    Fri Jul 18 15:21:36 UTC 2008
>Last-Modified:  Fri Jul 18 15:21:36 UTC 2008
>Originator:     Mike van der Schaar
>Release:        FreeBSD 7.0-RELEASE i386
>Organization:
>Environment:
System: FreeBSD legendre.labnet 7.0-RELEASE FreeBSD 7.0-RELEASE #1: Wed May 14 15:39:42 CEST 2008 root@legendre.labnet:/usr/obj/usr/src/sys/LEGENDRE i386



>Description:
When a POSIX semaphore is created, but the number of semaphores is already at its maximum, it is immediately freed again in uipc_sem.c:sem_create():229. The nsems counter is not updated before freeing the semaphore. But in uipc_sem.c:sem_free():451 the semaphore counter is always decreased.

This effectively allows the creation of more than 30 semaphores, while the counter stays at 30. When semaphores are then freed at a later point the counter will become negative.

>How-To-Repeat:
The program just forces more than 30 semaphores to be created. After running the semaphore counter should be at -5 (10 too many, only half of those are allowed).

#include <stdlib.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <string.h>
#include <semaphore.h>

#define NSEMS 40    /* more than p1003_1b.sem_nsems_max (30) */

int main(void)
{
    int i;
    char name[16];
    sem_t *sem[NSEMS];

    /* Try to create more named semaphores than the limit allows.
     * sem_open() returns SEM_FAILED on failure, which is not
     * guaranteed to be NULL on every platform. */
    for ( i = 0; i < NSEMS; i++ )
    {
        snprintf( name, sizeof(name), "/sem_%.3d", i );
        sem[i] = sem_open( name, O_CREAT|O_EXCL, S_IRUSR|S_IWUSR, 1 );
    }
    /* Close every semaphore that was created, then unlink all names;
     * unlinking a name that was never created just fails with ENOENT. */
    for ( i = 0; i < NSEMS; i++ )
    {
        if ( sem[i] != SEM_FAILED )
            sem_close( sem[i] );
        snprintf( name, sizeof(name), "/sem_%.3d", i );
        sem_unlink( name );
    }

    return 0;
}

After executing:
(legendre:~) mike> sysctl p1003_1b
p1003_1b.asynchronous_io: 0
p1003_1b.mapped_files: 1
p1003_1b.memlock: 0
p1003_1b.memlock_range: 0
p1003_1b.memory_protection: 0
p1003_1b.message_passing: 200112
p1003_1b.prioritized_io: 0
p1003_1b.priority_scheduling: 1
p1003_1b.realtime_signals: 200112
p1003_1b.semaphores: 0
p1003_1b.fsync: 0
p1003_1b.shared_memory_objects: 1
p1003_1b.synchronized_io: 0
p1003_1b.timers: 200112
p1003_1b.aio_listio_max: -1
p1003_1b.aio_max: -1
p1003_1b.aio_prio_delta_max: -1
p1003_1b.delaytimer_max: 2147483647
p1003_1b.mq_open_max: 0
p1003_1b.pagesize: 4096
p1003_1b.rtsig_max: 62
p1003_1b.sem_nsems_max: 30
p1003_1b.sem_value_max: -1
p1003_1b.sigqueue_max: 128
p1003_1b.timer_max: 32
p1003_1b.nsems: -5

>Fix:

One solution would be to increase the counter directly after the semaphore is created and added to the list. If the check for the maximum number of semaphores can be moved up before creating and adding the semaphore, without affecting efficiency too much because of the extra mtx_lock, then that might be better.
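The accounting the report describes, replayed against a user-space model. This is an added example, not the FreeBSD uipc_sem.c source and not the reporter's program; every name in it (sem_state, ksem_model, model_create, model_free, run_repro, peak_live) is a hypothetical stand-in chosen to mirror the description above, and the limit of 30 is the sem_nsems_max value shown in the sysctl output.

```c
/*
 * Added example: a user-space model of the nsems accounting this PR
 * describes.  It is not the FreeBSD uipc_sem.c source; the names below
 * (sem_state, ksem_model, model_create, model_free, run_repro, peak_live)
 * are hypothetical stand-ins that mirror the report, not kernel symbols.
 */
#include <stdio.h>
#include <stdlib.h>

#define NSEMS_MAX 30    /* p1003_1b.sem_nsems_max on the reporter's system */

struct ksem_model { struct ksem_model *next; };

struct sem_state {
    int nsems;                  /* the counter the sysctl reports */
    int live;                   /* ground truth: objects currently allocated */
    struct ksem_model *head;    /* list of live semaphores, newest first */
    int fixed;                  /* 0 = accounting as reported, 1 = corrected */
};

/* Stands in for sem_free(): it ALWAYS decrements the counter.  The model
 * only ever frees the list head, which keeps the unlink trivial. */
static void model_free(struct sem_state *s)
{
    struct ksem_model *k = s->head;

    s->head = k->next;
    s->nsems--;
    s->live--;
    free(k);
}

/* Stands in for sem_create(): the object is allocated and linked before
 * the limit check, and an over-the-limit object is released through
 * model_free().  Returns 0 on success, -1 when the limit is reached. */
static int model_create(struct sem_state *s)
{
    struct ksem_model *k = malloc(sizeof(*k));

    if (k == NULL)
        abort();
    k->next = s->head;
    s->head = k;
    s->live++;

    if (s->fixed) {
        /* Corrected: count every allocated object unconditionally, since
         * model_free() will decrement for every one of them. */
        s->nsems++;
        if (s->nsems > NSEMS_MAX) {
            model_free(s);
            return -1;
        }
        return 0;
    }
    /* As reported: the counter is bumped only on the success path, yet the
     * over-the-limit object still goes through model_free(), which then
     * decrements a counter that was never incremented for it. */
    if (s->nsems >= NSEMS_MAX) {
        model_free(s);
        return -1;
    }
    s->nsems++;
    return 0;
}

/* Replays the PR's repro: attempt `attempts` creations, then free every
 * semaphore that survived.  Returns the counter value left behind (0 means
 * correct accounting); *peak receives the most semaphores alive at once. */
static int run_repro(int fixed, int attempts, int *peak)
{
    struct sem_state s = { 0, 0, NULL, fixed };
    int i, most = 0;

    for (i = 0; i < attempts; i++) {
        model_create(&s);
        if (s.live > most)
            most = s.live;
    }
    while (s.head != NULL)
        model_free(&s);
    if (peak != NULL)
        *peak = most;
    return s.nsems;
}

/* Same replay, reporting only how many semaphores existed at once. */
static int peak_live(int fixed, int attempts)
{
    int most = 0;

    run_repro(fixed, attempts, &most);
    return most;
}

int main(void)
{
    int most, left = run_repro(0, 40, &most);

    printf("as reported: %d alive at once, nsems = %d after free\n", most, left);
    left = run_repro(1, 40, &most);
    printf("corrected:   %d alive at once, nsems = %d after free\n", most, left);
    return 0;
}
```

Run with 40 attempts against a limit of 30, the model reproduces the -5 from the sysctl output: every over-the-limit attempt decrements the counter without a matching increment, so the next attempt sees 29 and succeeds, and of the 10 extra attempts 5 fail and 5 succeed. That leaves 35 semaphores alive while the counter still reads 30, and freeing all of them ends at 30 - 35 = -5. The corrected variant increments before the check so that every object model_free() will later release has been counted, and the counter returns to 0.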
>Release-Note:
>Audit-Trail:

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/123685: commit references a PR
Date: Tue, 10 Jun 2008 20:55:25 +0000 (UTC)

 gonzo       2008-06-10 20:55:10 UTC
 
   FreeBSD src repository
 
   Modified files:
     sys/kern             uipc_sem.c 
   Log:
   SVN rev 179716 on 2008-06-10 20:55:10Z by gonzo
   
     Keep proper track of nsegs counter: sem_free is called for all
     allocated semaphores, so it's wrong to increase it conditionally,
     in this case for every over-the-limit semaphore nsegs is decreased
     without being previously increased.
   
     PR:   kern/123685
     Approved by:  cognet (mentor)
   
   Revision  Changes    Path
   1.32      +3 -4      src/sys/kern/uipc_sem.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->closed 
State-Changed-By: gonzo 
State-Changed-When: Wed Jun 11 09:12:09 UTC 2008 
State-Changed-Why:  
Fix committed 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123685 

From: Alex Kozlov <spam@rm-rf.kiev.ua>
To: gonzo@FreeBSD.org, bug-followup@FreeBSD.org, spam@rm-rf.kiev.ua
Cc:  
Subject: Re: kern/123685: [sysvipc] p1003_1b.nsems can become
	negative/semaphore counter incorrect
Date: Wed, 11 Jun 2008 12:45:01 +0300

 On Wed, Jun 11, 2008 at 09:13:28AM +0000, gonzo@FreeBSD.org wrote:
 > Synopsis: [sysvipc] p1003_1b.nsems can become negative/semaphore counter incorrect
 > 
 > State-Changed-From-To: open->closed
 > State-Changed-By: gonzo
 > State-Changed-When: Wed Jun 11 09:12:09 UTC 2008
 > State-Changed-Why: 
 >   Fix committed
 Should not it be patched? Or You don't plan MFC this?
 
 
 --
 Adios
State-Changed-From-To: closed->patched 
State-Changed-By: gonzo 
State-Changed-When: Wed Jun 11 12:12:02 UTC 2008 
State-Changed-Why:  
I didn't think about MFC. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123685 
Responsible-Changed-From-To: freebsd-bugs->gonzo 
Responsible-Changed-By: gonzo 
Responsible-Changed-When: Wed Jun 11 13:30:09 UTC 2008 
Responsible-Changed-Why:  
Take 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123685 

From: Oleksandr Tymoshenko <gonzo@FreeBSD.org>
To: Alex Kozlov <spam@rm-rf.kiev.ua>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/123685: [sysvipc] p1003_1b.nsems can become negative/semaphore counter incorrect
Date: Wed, 11 Jun 2008 15:34:10 +0300

 Alex Kozlov (spam@rm-rf.kiev.ua) wrote:
 > On Wed, Jun 11, 2008 at 09:13:28AM +0000, gonzo@FreeBSD.org wrote:
 > > Synopsis: [sysvipc] p1003_1b.nsems can become negative/semaphore counter incorrect
 > > 
 > > State-Changed-From-To: open->closed
 > > State-Changed-By: gonzo
 > > State-Changed-When: Wed Jun 11 09:12:09 UTC 2008
 > > State-Changed-Why: 
 > >   Fix committed
 > Should not it be patched? Or You don't plan MFC this?
     Thanks for mentioning it. I was not acknowledged with MFC policy.
 Will schedule this patch for MFC.
 
 
 -- 
 gonzo

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/123685: commit references a PR
Date: Fri, 18 Jul 2008 14:20:44 +0000 (UTC)

 gonzo       2008-07-18 14:20:16 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_7)
     sys/kern             uipc_sem.c 
   Log:
   SVN rev 180592 on 2008-07-18 14:20:16Z by gonzo
   
   MFC r179716:
   Keep proper track of nsegs counter: sem_free is called for all
   allocated semaphores, so it's wrong to increase it conditionally,
   in this case for every over-the-limit semaphore nsegs is decreased
   without being previously increased.
   
   PR:             kern/123685
   MFC after:      more than 1 month
   
   Revision  Changes    Path
   1.28.2.3  +3 -4      src/sys/kern/uipc_sem.c
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/123685: commit references a PR
Date: Fri, 18 Jul 2008 14:46:13 +0000 (UTC)

 gonzo       2008-07-18 14:45:22 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_6)
     sys/kern             uipc_sem.c 
   Log:
   SVN rev 180594 on 2008-07-18 14:45:22Z by gonzo
   
   MFC r179716:
   Keep proper track of nsegs counter: sem_free is called for all
   allocated semaphores, so it's wrong to increase it conditionally,
   in this case for every over-the-limit semaphore nsegs is decreased
   without being previously increased.
   
   PR:             kern/123685
   MFC after:      more than 1 month
   
   Revision  Changes    Path
   1.20.2.3  +3 -4      src/sys/kern/uipc_sem.c
 
State-Changed-From-To: patched->closed 
State-Changed-By: gonzo 
State-Changed-When: Fri Jul 18 15:20:25 UTC 2008 
State-Changed-Why:  
Fix has been MFCed 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123685 
>Unformatted:
