kernel - Fix off-by-1 error in semexit
authorMatthew Dillon <dillon@apollo.backplane.com>
Thu, 15 Nov 2012 20:30:51 +0000 (12:30 -0800)
committerMatthew Dillon <dillon@apollo.backplane.com>
Thu, 15 Nov 2012 20:30:51 +0000 (12:30 -0800)
* Fix an off-by-1 error that was preventing semexit from properly undoing
  all the semaphores controlled by the exiting process.

Reported-by: lentferj, vsrinivas, others
sys/kern/sysv_sem.c

index 08279ef..addc6ed 100644 (file)
@@ -1126,7 +1126,7 @@ semexit(struct proc *p)
                 * However, they can get ripped out from under us when
                 * we block or obtain other tokens so we have to re-check.
                 */
-               ix = suptr->un_cnt;
+               ix = suptr->un_cnt - 1;
                semid = suptr->un_ent[ix].un_id;
                semnum = suptr->un_ent[ix].un_num;
                adjval = suptr->un_ent[ix].un_adjval;
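Review bot: `ix = suptr->un_cnt - 1` now indexes the last entry, so it is only valid when `un_cnt` is at least 1; the loop condition that establishes this is outside the hunk, and since the comment above notes that entries can be ripped out while the process blocks, the precondition deserves to be stated at the point of use rather than assumed from the loop header. A one-line assertion before the index is computed would make the contract explicit and turn a future underflow into a panic rather than an out-of-bounds read of `un_ent[]`: `KKASSERT(suptr->un_cnt > 0);`. The same `un_cnt - 1` expression reappears in the re-check in the second hunk, which should stay in step with this one if the index convention changes again. semexit's body begins before and continues after this hunk.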
@@ -1146,7 +1146,7 @@ semexit(struct proc *p)
                semptr = &semaptr->ds.sem_base[semnum];
                lwkt_getpooltoken(semptr);
 
-               if (ix == suptr->un_cnt &&
+               if (ix == suptr->un_cnt - 1 &&
                    semid == suptr->un_ent[ix].un_id &&
                    semnum == suptr->un_ent[ix].un_num &&
                    adjval == suptr->un_ent[ix].un_adjval) {
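Review bot: The re-check now compares `ix` against `suptr->un_cnt - 1`, but nothing next to it says why the tail index is recomputed instead of reused, and a reader who has not seen the first hunk can easily mistake it for a copy of the earlier assignment. A short comment above the `if` would preserve the intent: `/* lwkt_getpooltoken may have blocked; verify the entry at ix is still the last one and unchanged before undoing it */`. If `un_cnt` were ever an unsigned type the `- 1` would wrap at zero rather than go negative — the type is not visible in this hunk, so this is worth confirming against the struct definition. The condition's body and the rest of semexit lie outside the hunk.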