semadj overflow in ipc/sem.c

From: Leonid Igolnik (lim@igolnik.com)
Date: Sun Sep 16 2001 - 12:42:52 EST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Short description of the problem: incorrect use of the SEM_UNDO flag for
semaphore operations and overflow of the semadj value cause the process
to leave the semaphore locked after it exits.

Longer version:
        While working on a project at work I came across a bug that
would only manifest itself after the application had run for a long period
of time. The problem was narrowed down to the semaphore handling that was
used to synchronize access to a shared memory region, and for some reason
the semaphore would be left locked after one of the processes exited. I
found out that the code in question was setting the SEM_UNDO flag for lock
operations and was not setting it for unlocks. At first it seemed normal,
but I noticed that the problem manifests itself after a large number of
operations on the semaphore.

        It appears that the problem is caused by semadj overflow in the
following code in sem.c:
Line 258:
                if (sop->sem_flg & SEM_UNDO)
                        un->semadj[sop->sem_num] -= sem_op;

semadj is not checked for overflows, and since only lock operations are
counted it overflows after 32768 operations. Then, when the process is
killed or exits, semadj is applied to the current value of the semaphore at
line 1028:
                        sem->semval += u->semadj[i];
                        if (sem->semval < 0)
                                sem->semval = 0; /* shouldn't happen */
                        sem->sempid = current->pid;

At this stage semval is 32767, which is the value of semadj after it
overflows.
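As an added illustration (not the reporter's attached program, which is not part of this page), the following C model replays the two quoted sem.c paths on constructed data: the unchecked semadj update at "Line 258" and the adjust-on-exit clamp at "line 1028". It assumes semadj is a signed 16-bit counter, semval a plain int, and uses SEMAEM = 32767 as the adjust-on-exit bound; the names semop_unchecked, semop_checked and semval_after_exit are hypothetical. It also goes one step beyond the report by showing a bounded update that refuses the operation instead of wrapping.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the two code paths quoted from ipc/sem.c.
 * semadj is modelled as a signed 16-bit counter (assumption: the
 * sem_undo array of that era held shorts); semval is a plain int. */

#define SEMAEM 32767   /* assumed adjust-on-exit bound, as in include/linux/sem.h */

struct sem_model {
    int semval;   /* current semaphore value: 1 = free, 0 = held */
    int semadj;   /* per-process undo value, kept in 16-bit range by wrap16() */
};

/* Reduce v to what a signed 16-bit store would keep (two's-complement wrap). */
static int wrap16(int v)
{
    unsigned u = (unsigned)(v + 32768) & 0xFFFFu;
    return (int)u - 32768;
}

/* Unchecked path, as in the quoted "Line 258" snippet: semadj silently wraps. */
static void semop_unchecked(struct sem_model *m, int sem_op, bool undo)
{
    m->semval += sem_op;
    if (undo)
        m->semadj = wrap16(m->semadj - sem_op);
}

/* Bounded alternative: refuse the operation instead of wrapping.
 * Returns 0 on success, -1 where a kernel would report a range error. */
static int semop_checked(struct sem_model *m, int sem_op, bool undo)
{
    if (undo) {
        int undo_new = m->semadj - sem_op;
        if (undo_new < -SEMAEM - 1 || undo_new > SEMAEM)
            return -1;
        m->semadj = undo_new;
    }
    m->semval += sem_op;
    return 0;
}

/* The "line 1028" exit path: apply the undo value and clamp at zero. */
static int apply_undo_on_exit(struct sem_model *m)
{
    m->semval += m->semadj;
    if (m->semval < 0)
        m->semval = 0;   /* "shouldn't happen" - but it does after a wrap */
    return m->semval;
}

/* Run nlocks lock/unlock pairs the way the reporter's application did:
 * lock (-1) with SEM_UNDO, unlock (+1) with or without it, then exit.
 * Returns the semaphore value the next process will find. */
int semval_after_exit(int nlocks, bool undo_on_unlock)
{
    struct sem_model m = { .semval = 1, .semadj = 0 };
    for (int i = 0; i < nlocks; i++) {
        semop_unchecked(&m, -1, true);
        semop_unchecked(&m, +1, undo_on_unlock);
    }
    return apply_undo_on_exit(&m);
}

/* Same pattern with the bounded update; returns the 1-based index of the
 * first lock/unlock pair refused, or 0 if all nlocks pairs went through. */
int first_refused_lock(int nlocks, bool undo_on_unlock)
{
    struct sem_model m = { .semval = 1, .semadj = 0 };
    for (int i = 0; i < nlocks; i++) {
        if (semop_checked(&m, -1, true) != 0)
            return i + 1;
        if (semop_checked(&m, +1, undo_on_unlock) != 0)
            return i + 1;
    }
    return 0;
}

int main(void)
{
    printf("100 locks, undo only on lock:   semval after exit = %d\n", semval_after_exit(100, false));
    printf("32767 locks, undo only on lock: semval after exit = %d\n", semval_after_exit(32767, false));
    printf("32768 locks, undo only on lock: semval after exit = %d (left locked)\n", semval_after_exit(32768, false));
    printf("32768 locks, undo on both ops:  semval after exit = %d\n", semval_after_exit(32768, true));
    printf("bounded update refuses lock number %d\n", first_refused_lock(40000, false));
    return 0;
}
```

The asymmetric SEM_UNDO use is already visible at small counts (the exit leaves semval at nlocks + 1 rather than 1, which looks "free" and goes unnoticed); only once the 16-bit semadj wraps negative does the exit-time clamp set semval to 0 and leave the semaphore held. Using SEM_UNDO on both operations keeps semadj at 0, and a bounded update refuses the 32768th lock instead of wrapping.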

AFAIK SYSV will not let the application overflow semadj, but I don't
have a Solaris box handy.

See the attached example that demonstrates the problem; after it exits the
semaphore is left locked (which can be verified by running it again and
watching it wait for the sem to become free).

- ----

Leonid Igolnik.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7pOSeRrKFtN3cJpMRAk6ZAJwIq2cqbdT6xc//IGz8kljsS5LHMgCgnfpd
nZaAW4KIcFTnnOPPWyhdnFU=
=wm6F
-----END PGP SIGNATURE-----






This archive was generated by hypermail 2b29 : Sun Sep 23 2001 - 21:00:15 EST