Bug 490852 - Semctl(2) SIGSEGV
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: glibc
Version: 5.3
Hardware/OS: All / Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Jakub Jelinek
QA Contact: BaseOS QE
Blocks: 490853
Reported: 2009-03-18 06:35 EDT by CAI Qian
Modified: 2009-03-18 22:34 EDT (History)

Doc Type: Bug Fix
Clones: 490853
Last Closed: 2009-03-18 10:37:50 EDT
Description CAI Qian 2009-03-18 06:35:06 EDT
Description of problem:
The following program is running into SIGSEGV on all PPC64 machines tested.

# cat sem.c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/sem.h>
#include <sys/stat.h>

int
main(void)
{
  int sem_id;

  if ((sem_id = semget(IPC_PRIVATE, 1, IPC_CREAT|S_IRWXU)) == -1)
     printf ("semget() failed.\n");

  if(semctl(sem_id, 0, SETVAL, 0) == -1)
     printf ("semctl() failed.\n");

  return 0;
}

# gcc sem.c -o sem
# ./sem
Segmentation fault

# strace ./sem
execve("./sem", ["./sem"], [/* 29 vars */]) = 0
brk(0)                                  = 0x10020000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=295300, ...}) = 0
mmap(NULL, 295300, PROT_READ, MAP_PRIVATE, 3, 0) = 0xf7fa0000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\24\0\0\0\1\17\342\340 \0\0\0004"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1794480, ...}) = 0
mmap(0xfe10000, 1585596, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xfe10000
mmap(0xff80000, 131072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x160000) = 0xff80000
close(3)                                = 0
mprotect(0xff80000, 65536, PROT_READ)   = 0
mprotect(0xffe0000, 65536, PROT_READ)   = 0
munmap(0xf7fa0000, 295300)              = 0
semget(IPC_PRIVATE, 1, IPC_CREAT|0700)  = 786439
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

It runs fine for other architectures like x86-64.

# uname -ra
Linux dell-pe830-02.rhts.bos.redhat.com 2.6.18-128.el5 #1 SMP Wed Dec 17 11:41:38 EST 2008 x86_64 x86_64 x86_64 GNU/Linux

# strace ./sem
execve("./sem", ["./sem"], [/* 22 vars */]) = 0
brk(0)                                  = 0x13fd000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ab2a5900000
uname({sys="Linux", node="dell-pe830-02.rhts.bos.redhat.com", ...}) = 0
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=63298, ...}) = 0
mmap(NULL, 63298, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2ab2a5901000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY)      = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\332\301\224?\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1713088, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ab2a5911000
mmap(0x3f94c00000, 3494168, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3f94c00000
mprotect(0x3f94d4c000, 2097152, PROT_NONE) = 0
mmap(0x3f94f4c000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14c000) = 0x3f94f4c000
mmap(0x3f94f51000, 16664, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3f94f51000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ab2a5912000
arch_prctl(ARCH_SET_FS, 0x2ab2a5912210) = 0
mprotect(0x3f94f4c000, 16384, PROT_READ) = 0
mprotect(0x3f94a1b000, 4096, PROT_READ) = 0
munmap(0x2ab2a5901000, 63298)           = 0
semget(IPC_PRIVATE, 1, IPC_CREAT|0700)  = 4882433
semctl(4882433, 0, SETVAL, 0)           = 0
exit_group(0)                           = ?

Both RHEL4 and RHEL5 are affected.

Version-Release number of selected component (if applicable):
glibc-2.3.4-2.41
gcc-3.4.6-10
kernel-2.6.9-78.EL

glibc-2.5-34
gcc-4.1.2-44.el5
kernel-2.6.18-128.1.1.el5

How reproducible:
always, seen at least on 2 machines,
ibm-hv2-lp1.test.redhat.com
ppcp-5s-m1.lab.bos.redhat.com

Steps to Reproduce:
1. compile and run the reproducer.
  
Actual results:
Segmentation fault

Expected results:
No error.

Additional info:
Comment 1 Jakub Jelinek 2009-03-18 10:37:50 EDT
And rightly so, the testcase is buggy.
See man 3p semctl:
The semctl() function provides a variety of semaphore control operations as specified by cmd. The fourth argument is optional and depends upon the operation requested. If required, it is of type union semun, which the application shall explicitly declare:

              union semun {
                  int val;
                  struct semid_ds *buf;
                  unsigned short  *array;
              } arg;

If you fix the testcase up, particularly add:
union semun { int val; struct semid_ds *buf; unsigned short int *array; };
and call
if(semctl(sem_id, 0, SETVAL, ((union semun) { .val = 0 })) == -1)
or
union semun u;
u.val = 0;
if(semctl(sem_id, 0, SETVAL, u) == -1)
it works just fine.
Comment 2 CAI Qian 2009-03-18 22:34:40 EDT
Thanks for pointing that out, Jakub. I'll fix the testcase instead.
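A corrected version of the reproducer, written as an added example for this page rather than taken from the bug report: it declares union semun as comment 1 describes, passes it to SETVAL explicitly, reads the value back with GETVAL and removes the set afterwards. The function name set_and_read_back and the man-page #if idiom for detecting a library-provided union semun are this example's own choices.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <sys/stat.h>
#include <sys/types.h>

/* man 3p semctl: the application declares union semun itself; glibc's
 * <sys/sem.h> signals that with _SEM_SEMUN_UNDEFINED. */
#if defined(__GNU_LIBRARY__) && !defined(_SEM_SEMUN_UNDEFINED)
/* union semun is already provided by <sys/sem.h> */
#else
union semun {
    int val;                  /* value for SETVAL */
    struct semid_ds *buf;     /* buffer for IPC_STAT, IPC_SET */
    unsigned short *array;    /* array for GETALL, SETALL */
};
#endif

/* Added example, not from the bug report: create a private one-semaphore
 * set, SETVAL it through an explicit union semun, read it back with GETVAL
 * and always remove the set. Returns the value read back, or -1 with errno
 * set if any call fails (for instance when SysV IPC is unavailable). */
int set_and_read_back(int value)
{
    union semun arg;
    int sem_id, got = -1, saved;

    sem_id = semget(IPC_PRIVATE, 1, IPC_CREAT | S_IRWXU);
    if (sem_id == -1)
        return -1;
    arg.val = value;                       /* the original testcase passed a bare 0 here */
    if (semctl(sem_id, 0, SETVAL, arg) == 0)
        got = semctl(sem_id, 0, GETVAL);   /* GETVAL takes no fourth argument */
    saved = errno;
    semctl(sem_id, 0, IPC_RMID);           /* do not leak the kernel object */
    errno = saved;
    return got;
}

int main(void)
{
    int v = set_and_read_back(7);
    if (v == -1) {
        perror("semget/semctl");
        return 1;
    }
    printf("value read back: %d\n", v);
    return 0;
}
```

Because the set is removed before returning, running it repeatedly does not accumulate semaphore sets (check with ipcs -s).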