Date: Wed, 26 Jul 2006 11:59:32 +0400 (MSD) From: Maxim Konovalov <maxim@macomnet.ru> To: =?GB2312?B?wO7J0L3c?= <shangjie.li@gmail.com> Cc: freebsd-hackers@freebsd.org Subject: Re: A bug in semctl() Message-ID: <20060726115840.K62591@mp2.macomnet.net> In-Reply-To: <de71d27b0607260050g47f95d2fsb3c8e83d721b4a3b@mail.gmail.com> References: <de71d27b0607260050g47f95d2fsb3c8e83d721b4a3b@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 26 Jul 2006, 15:50+0800, ÀîÉÐ½Ü wrote:
> In file kern/sysv_sem.c:
> 554 __semctl(td, uap)
> 555 struct thread *td;
> 556 struct __semctl_args *uap;
> 557 {
> 558 int semid = uap->semid; <<<here 1
> 559 int semnum = uap->semnum;
> 560 int cmd = uap->cmd;
> 561 u_short *array;
> 562 union semun *arg = uap->arg;
> 563 union semun real_arg;
> 564 struct ucred *cred = td->td_ucred;
> 565 int i, rval, error;
> 566 struct semid_ds sbuf;
> 567 struct semid_kernel *semakptr;
> 568 struct mtx *sema_mtxp;
> 569 u_short usval, count;
> 570
> 571 DPRINTF(("call to semctl(%d, %d, %d, 0x%x)\n",
> 572 semid, semnum, cmd, arg));
> 573 if (!jail_sysvipc_allowed && jailed(td->td_ucred))
> 574 return (ENOSYS);
> 575
> 576 array = NULL;
> 577
> 578 switch(cmd) {
> 579 case SEM_STAT:
> 580 if (semid < 0 || semid >= seminfo.semmni) <<<here 2
> 581 return (EINVAL);
> 582 if ((error = copyin(arg, &real_arg, sizeof(real_arg))) !=
> 0)
> 583 return (error);
> 584 semakptr = &sema[semid];<<<here 3
>
> >From line 558 to line 578, there must be a mechism to convert the
> sem_id to the internal sema array index. In fact, it was missing,
> which make the semctl syscall not work well.
What version of the file do you read? We have a different code in
HEAD.
--
Maxim Konovalov
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060726115840.K62591>