kern/118153: [fix] "semprt" can be invalid after wakeup in the semop()

Ivan Shcheklein shcheklein at
Tue Nov 20 08:30:02 PST 2007

>Number:         118153
>Category:       kern
>Synopsis:       [fix] "semprt" can be invalid after wakeup in the semop()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 20 16:30:01 UTC 2007
>Originator:     Ivan Shcheklein
>Release:        FREEBSD-6.2
FreeBSD 6.2-RELEASE i386
Firstly, sorry for my previous post of this bug:

I didn't know about the better way to submit bugs. I think it can be removed or marked as a duplicate of this one.

The bug itself is the following.

In sysv_sem.c::1173 we have:

                /* ... semaphores wakes up ... */
                if (sopptr->sem_op == 0)

The "semptr" used here after wakeup can be invalid because "semakptr->u.sem_base" can change while the semaphore sleeps (for example, it can be changed by removing another semaphore).


The solution for this problem is quite obvious. We must use "semakptr" to get a new "semptr". For example (possibly it can be written better):

                if (sopptr->sem_op == 0)
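
The hazard described in this PR, as an added stand-alone illustration (this is not FreeBSD's sysv_sem.c and the names semset, sem_base, sleep_until_woken, wait_for_zero_stale and wait_for_zero_refetch are hypothetical): a pointer into the set's semaphore array is computed before sleeping; while the waiter is blocked the array is replaced (here constructed by allocating a new block and poisoning the old one instead of freeing it, so the stale read is deterministic rather than a use of freed memory). The buggy routine keeps using the pre-sleep pointer; the fixed one re-derives it from the set's current base after wakeup, which is the change the report proposes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a SysV semaphore set (hypothetical, not sysv_sem.c). */
struct sem {
    int semval;
};

struct semset {
    struct sem *sem_base;   /* may be replaced (and so move) while a waiter sleeps */
    struct sem *retired;    /* old storage kept mapped only so the demo is deterministic */
    int nsems;
};

static int semset_init(struct semset *s, int nsems, int initial)
{
    s->sem_base = calloc((size_t)nsems, sizeof(struct sem));
    if (s->sem_base == NULL)
        return -1;
    for (int i = 0; i < nsems; i++)
        s->sem_base[i].semval = initial;
    s->retired = NULL;
    s->nsems = nsems;
    return 0;
}

static void semset_fini(struct semset *s)
{
    free(s->sem_base);
    free(s->retired);
    s->sem_base = s->retired = NULL;
}

/* Simulated sleep: while the waiter is blocked another actor replaces the
 * array (as removing/resizing a set can in the real kernel) and drives the
 * waited-on semaphore to 0. Constructed scenario: the old block is poisoned
 * with -1 instead of freed, standing in for memory that no longer belongs
 * to this set. */
static void sleep_until_woken(struct semset *s, int semnum)
{
    struct sem *fresh = calloc((size_t)s->nsems, sizeof(struct sem));
    if (fresh == NULL)
        abort();
    memcpy(fresh, s->sem_base, (size_t)s->nsems * sizeof(struct sem));
    fresh[semnum].semval = 0;              /* the condition the waiter wanted */
    for (int i = 0; i < s->nsems; i++)
        s->sem_base[i].semval = -1;        /* poison: stand-in for freed memory */
    free(s->retired);
    s->retired = s->sem_base;
    s->sem_base = fresh;
}

/* Buggy pattern from the PR: semptr is computed before sleeping and reused
 * after wakeup, so it can point into storage the set no longer owns. */
static int wait_for_zero_stale(struct semset *s, int semnum)
{
    struct sem *semptr = &s->sem_base[semnum];
    if (semptr->semval != 0)
        sleep_until_woken(s, semnum);
    return semptr->semval;                 /* stale: not the live value */
}

/* Fixed pattern: re-derive semptr from the set's current base after wakeup. */
static int wait_for_zero_refetch(struct semset *s, int semnum)
{
    struct sem *semptr = &s->sem_base[semnum];
    if (semptr->semval != 0) {
        sleep_until_woken(s, semnum);
        semptr = &s->sem_base[semnum];     /* refresh: the base may have moved */
    }
    return semptr->semval;
}

/* Each demo builds a 4-semaphore set initialised to 1 and waits on index 2. */
int demo_stale(void)
{
    struct semset s;
    if (semset_init(&s, 4, 1) != 0)
        return -2;
    int seen = wait_for_zero_stale(&s, 2);
    semset_fini(&s);
    return seen;                           /* -1: the poisoned old storage */
}

int demo_refetch(void)
{
    struct semset s;
    if (semset_init(&s, 4, 1) != 0)
        return -2;
    int seen = wait_for_zero_refetch(&s, 2);
    semset_fini(&s);
    return seen;                           /* 0: the live value after wakeup */
}

int main(void)
{
    printf("stale pointer sees     %d\n", demo_stale());
    printf("refetched pointer sees %d\n", demo_refetch());
    return 0;
}
```

The same rule applies to any pointer that aliases an element of a container across a blocking call: treat it as dead after the sleep and recompute it from the owning object (here the set's base plus the index), which is exactly what the patch above does with "semakptr".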

