From phk@critter.freebsd.dk  Tue Jan 28 23:33:24 2003
Return-Path: <phk@critter.freebsd.dk>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 096EC37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 28 Jan 2003 23:33:24 -0800 (PST)
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 19D6543F43
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 28 Jan 2003 23:33:23 -0800 (PST)
	(envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1])
	by critter.freebsd.dk (8.12.6/8.12.6) with ESMTP id h0T7XMZE005718
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 29 Jan 2003 08:33:22 +0100 (CET)
	(envelope-from phk@critter.freebsd.dk)
Received: (from phk@localhost)
	by critter.freebsd.dk (8.12.6/8.12.6/Submit) id h0T7XLOl005717;
	Wed, 29 Jan 2003 08:33:21 +0100 (CET)
Message-Id: <200301290733.h0T7XLOl005717@critter.freebsd.dk>
Date: Wed, 29 Jan 2003 08:33:21 +0100 (CET)
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
Reply-To: Poul-Henning Kamp <phk@critter.freebsd.dk>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Fatal Signed/Unsigned mistake in sysv_sem.c
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         47625
>Category:       kern
>Synopsis:       Fatal Signed/Unsigned mistake in sysv_sem.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    tjr
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 28 23:40:02 PST 2003
>Closed-Date:    Wed Jan 29 04:37:48 PST 2003
>Last-Modified:  Wed Jan 29 04:37:48 PST 2003
>Originator:     Poul-Henning Kamp
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD critter.freebsd.dk 5.0-CURRENT FreeBSD 5.0-CURRENT #11: Thu Jan 16 19:45:34 CET 2003 root@critter.freebsd.dk:/freebsd/src/sys/i386/compile/CRITTER i386


>Description:

	Undo Rollback in sysv_sem.c broken.


	'j' is a size_t which is unsigned.  Unsigned is always >= 0.

	/*
	 * Oh-Oh!  We ran out of either sem_undo's or undo's.
	 * Rollback the adjustments to this point and then
	 * rollback the semaphore ups and down so we can return
	 * with an error with all structures restored.  We
	 * rollback the undo's in the exact reverse order that
	 * we applied them.  This guarantees that we won't run
	 * out of space as we roll things back out.
	 */
	for (j = i - 1; j >= 0; j--) {
		if ((sops[j].sem_flg & SEM_UNDO) == 0)
			continue;
		adjval = sops[j].sem_op;
		if (adjval == 0)
			continue;
		if (semundo_adjust(td, &suptr, semid,
		    sops[j].sem_num, adjval) != 0)
			panic("semop - can't undo undos");
	}
  



>How-To-Repeat:
	
>Fix:

	


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->tjr 
Responsible-Changed-By: tjr 
Responsible-Changed-When: Wed Jan 29 00:23:07 PST 2003 
Responsible-Changed-Why:  
I'll take this one. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=47625 
State-Changed-From-To: open->closed 
State-Changed-By: tjr 
State-Changed-When: Wed Jan 29 04:36:41 PST 2003 
State-Changed-Why:  
Fixed in -current. I don't believe that this bug affects any other branches. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=47625 
>Unformatted:
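
The loop quoted in the Description, reduced to a user-space C sketch; this is an added example, not code from the PR or from FreeBSD. The function names, `NOPS` and `sample_ops` are constructed, the `SEM_UNDO` flag test is left out, and the `j-- > 0` countdown is one common wrap-safe idiom, not necessarily the change committed to -current.

```c
#include <stddef.h>
#include <stdint.h>

#define NOPS 4	/* constructed size of the sample array */

/* Constructed stand-in for sops[j].sem_op; not kernel data. */
static const short sample_ops[NOPS] = { 1, -2, 0, 3 };

/*
 * Same loop shape as the report: size_t index, condition "j >= 0".
 * Instead of dereferencing, return the first index that falls outside
 * the array. Compilers may warn that the comparison is always true.
 */
size_t buggy_first_bad_index(size_t i)
{
	size_t j;

	for (j = i - 1; j >= 0; j--) {
		if (j >= NOPS)
			return j;	/* the kernel loop would index sops[] here */
	}
	return 0;	/* never reached: the condition cannot become false */
}

/*
 * Wrap-safe countdown: compare first, then decrement, so the body never
 * sees an index below 0. Records the indices rolled back, newest first.
 * Returns the count, or -1 if i exceeds the array.
 */
int safe_rollback_order(size_t i, size_t visited[NOPS])
{
	size_t j;
	int n = 0;

	if (i > NOPS)
		return -1;
	for (j = i; j-- > 0; ) {
		if (sample_ops[j] == 0)	/* same skip as "adjval == 0" */
			continue;
		visited[n++] = j;
	}
	return n;
}

int main(void)
{
	size_t v[NOPS];

	/* Exit status 0 when both loops behave as described above. */
	return !(buggy_first_bad_index(3) == SIZE_MAX && safe_rollback_order(3, v) == 2);
}
```

Building with `-Wextra` (GCC's `-Wtype-limits`) flags the `j >= 0` comparison at compile time.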
