From nobody@FreeBSD.org  Thu Aug 26 21:02:47 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A7F6316A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 26 Aug 2004 21:02:47 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A05E643D55
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 26 Aug 2004 21:02:47 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id i7QL2l20061292
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 26 Aug 2004 21:02:47 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id i7QL2l2h061291;
	Thu, 26 Aug 2004 21:02:47 GMT
	(envelope-from nobody)
Message-Id: <200408262102.i7QL2l2h061291@www.freebsd.org>
Date: Thu, 26 Aug 2004 21:02:47 GMT
From: Vivek Pandey <wevake@yahoo.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: bug in libsem
X-Send-Pr-Version: www-2.3

>Number:         71005
>Category:       misc
>Synopsis:       [patch] bug in libsem
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 26 21:10:20 GMT 2004
>Closed-Date:    Sun Apr 03 07:25:53 GMT 2005
>Last-Modified:  Sun Apr 03 07:25:53 GMT 2005
>Originator:     Vivek Pandey
>Release:        Any
>Organization:
Hughes Systems
>Environment:
Not reqd
>Description:
There is a bug in libsem:uthread_sem.c. In function sem_destroy, there will be a problem if someone takes the lock and, before it returns, the mutex is destroyed. I have modified the code. The patch file is attached. The idea is to change the magic number before releasing the lock and then destroying it, so that even if somebody comes in between, there won't be any problem.
>How-To-Repeat:
      
>Fix:
*** uthread_sem.c	Thu Aug 26 16:50:20 2004
--- uthread_sem1.c	Thu Aug 26 17:01:48 2004
***************
*** 113,123 ****
  		retval = -1;
  		goto RETURN;
  	}
  	pthread_mutex_unlock(&(*sem)->lock);
  
  	pthread_mutex_destroy(&(*sem)->lock);
- 	pthread_cond_destroy(&(*sem)->gtzero);
- 	(*sem)->magic = 0;
  
  	free(*sem);
  
--- 113,123 ----
  		retval = -1;
  		goto RETURN;
  	}
+ 	pthread_cond_destroy(&(*sem)->gtzero);
+ 	(*sem)->magic[0] &= (unsigned char)(~SEM_MAGIC);
  	pthread_mutex_unlock(&(*sem)->lock);
  
  	pthread_mutex_destroy(&(*sem)->lock);
  
  	free(*sem);
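Review bot: moving the magic update above `pthread_mutex_unlock(&(*sem)->lock)` does not close the window described in the report, because `pthread_mutex_destroy(&(*sem)->lock)` and `free(*sem)` still run right after the unlock, so a thread already waiting on that lock can acquire a mutex that is being destroyed and then touch freed memory. The cleared magic only helps if every other entry point re-checks it after taking the lock, and sem_destroy should refuse (as the `retval = -1; goto RETURN;` path above does) whenever anyone can still be inside. Separately, the removed line assigns `(*sem)->magic = 0` as a scalar while the added line subscripts it as `(*sem)->magic[0]`; both cannot match the same struct definition, so keep `(*sem)->magic = 0;` and move that line above the unlock instead. Destroying `gtzero` while the lock is still held also deserves a comment stating why no waiter can be on the condition variable at that point.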
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: linimon 
State-Changed-When: Thu Aug 26 21:16:03 GMT 2004 
State-Changed-Why:  
Is this a ports PR, or a kern PR? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71005 
State-Changed-From-To: feedback->open 
State-Changed-By: sem 
State-Changed-When: Fri Aug 27 14:22:55 GMT 2004 
State-Changed-Why:  
Fix Category to kern. 


Responsible-Changed-From-To: freebsd-ports-bugs->freebsd-bugs 
Responsible-Changed-By: sem 
Responsible-Changed-When: Fri Aug 27 14:22:55 GMT 2004 
Responsible-Changed-Why:  
Fix Category to kern. 


From: Sergey Matveychuk <sem@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: ports/71005: bug in libsem
Date: Fri, 27 Aug 2004 18:21:53 +0400

 Forwarded message from wevake@yahoo.com:
 Hi,
 I am not a user of FreeBSD. I downloaded the FreeBSD semaphore 
 implementation separately. It seems that it's not part of FreeBSD source 
 code. I checked out FreeBSD semaphore implementation as well. It too has 
 same bug. It is in file src/sys/kern/kern_sema.c. - Rev.1.5. I referred 
 it from the FreeBSD online src browser at 
 http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/kern/kern_sema.c?only_with_tag=MAIN.
 
 In function sem_destroy, just before the mutex is destroyed, if someone 
 else takes the mutex, it will be a problem as the mutex will be destroyed 
 by this thread/process while someone is using it. This needs a fix.
 
 One suggestion is to have some magic no. to check the sanity of the 
 sema. Every call to a semaphore will first chk for sanity. The 
 sem_destroy function currently looks like this...
 
 void
 sema_destroy(struct sema *sema)
 {
   chk for sema waiter();
   destroy_mutex();
   destroy_cv();
 }
 
 After change, it will look like...
 
 void
 sema_destroy(struct sema *sema)
 {
   chk for sema waiter();
   mutex_lock();
   sema->magic = NEW_MAGIC;
   destroy_cv();
   destroy_mutex();
 }
 
 
 
 Please chk it out.
 
 
 
 Thanx,
 
 Vivek Pandey
 
 
 
 
 
 
 Mark Linimon <linimon@lonesome.com> wrote:
 
      > I downloaded this libsem (POSIX semaphore implementation for FreeBSD)
 
      Perhaps if you can tell me where you downloaded it from, I can
      understand how to classify your bug report.
 
      Also, when following up to a bug report, it is necessary to reply
      to the 'freebsd-gnats-submit' address (it should have been included
      in a Reply-To line?) and to make sure that the identifying string
      is included in the Subject line (in this case, 'ports/71005'). Without
      this, your patch simply goes to the mailing list, where it will most
      likely be lost in the noise; otherwise, it is correctly filed as
      a followup in GNATS.
 
      mcl
 -- 
 Sem.
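
An added example, not part of the PR or of FreeBSD's code: the magic-number sanity check suggested in the forwarded message, written in user-space C with pthreads. The xsem_* names and the XSEM_MAGIC value are hypothetical, and the storage is assumed to be caller-owned, so destroy frees nothing.

```c
#include <errno.h>
#include <pthread.h>
#include <stddef.h>

#define XSEM_MAGIC 0x5e3a4f01u           /* constructed value */

struct xsem {                            /* hypothetical type, not FreeBSD's */
    unsigned        magic;
    pthread_mutex_t lock;
    pthread_cond_t  gtzero;
    unsigned        count, nwaiters;
};

int xsem_init(struct xsem *s, unsigned value) {
    if (s == NULL) return EINVAL;
    pthread_mutex_init(&s->lock, NULL);
    pthread_cond_init(&s->gtzero, NULL);
    s->count = value; s->nwaiters = 0;
    s->magic = XSEM_MAGIC;               /* set last: object is now valid */
    return 0;
}

/* Cheap pre-check, then the authoritative check once the lock is held:
 * destroy may have cleared the magic while this caller was waiting. */
static int xsem_enter(struct xsem *s) {
    if (s == NULL || s->magic != XSEM_MAGIC) return EINVAL;
    pthread_mutex_lock(&s->lock);
    if (s->magic != XSEM_MAGIC) { pthread_mutex_unlock(&s->lock); return EINVAL; }
    return 0;
}

int xsem_wait(struct xsem *s) {
    int e = xsem_enter(s);
    if (e) return e;
    s->nwaiters++;                       /* visible to destroy while we block */
    while (s->count == 0) pthread_cond_wait(&s->gtzero, &s->lock);
    s->nwaiters--; s->count--;
    pthread_mutex_unlock(&s->lock);
    return 0;
}

int xsem_destroy(struct xsem *s) {
    int e = xsem_enter(s);
    if (e) return e;
    if (s->nwaiters > 0) { pthread_mutex_unlock(&s->lock); return EBUSY; }
    s->magic = 0;                        /* invalidate while still holding the lock */
    pthread_mutex_unlock(&s->lock);
    pthread_cond_destroy(&s->gtzero);
    pthread_mutex_destroy(&s->lock);     /* caller owns the storage; no free() */
    return 0;
}
```

The check under the lock only protects a caller that reaches it while the mutex still exists; the application still has to keep other threads off the semaphore while it is being destroyed, which POSIX leaves undefined when threads are blocked on it.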
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Sun Apr 3 07:24:34 GMT 2005 
State-Changed-Why:  
This does not appear to be a problem in the FreeBSD source code and the 
submitter has not supplied sufficient information to understand the 
problem. 

>Unformatted:
