Subject: Re: compat bugfix verification needed
To: Frank van der Linden <frank@wins.uva.nl>
From: Scott Bartram <scottb@orionsoft.com>
List: tech-kern
Date: 02/13/1998 21:47:39
On Fri, 13 Feb 1998, Frank van der Linden wrote:

> On Fri, Feb 13, 1998 at 03:15:00PM -0500, Scott Bartram wrote:
> > If nobody screams, I'll commit this and fix the other affected
> > code.
> 
> "Scream". I'm not quite sure what you are seeing and are trying to fix,
> but this isn't right. What you do here is, take a userspace pointer,
> replace it by another userspace pointer for which you don't alloc
> enough space, and then you try to copy one to another..
> 
> This particular piece of code looks fine to me, it needs no patch
> (well, other than that it assumes sizeof(int) == sizeof(void *),
> but that's why the system call was replaced in the first place).
> 
> What problems are you seeing?

OK, I obviously should have provided more info in my first message -
sorry about that.

The problem is that the ABI used by most, if not all, of the compat_* systems
passes a 'union semun' argument in 'a5'. I don't know when it changed, but
sys___semctl takes a 'union semun *' arg. The first thing it does is a
copyin of the 'a5' arg before discriminating the union.

Therefore, the compat code needs to create a userspace pointer and stuff
the original contents of 'a5' into it.

As pointed out by cgd, the bcopy before the call to sys___semctl should be
a copyout, since the "fake" 'union semun *' arg is allocated on the user
stack.

scott
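The shim Scott describes, as an added user-space model that is not code from this thread or from the NetBSD tree: user memory is a byte array, the kernel side reaches it only through bounds-checked copyin()/copyout(), and stackgap_alloc() reserves room on the simulated user stack for the temporary 'union semun' that the new-style sys___semctl expects a pointer to. The command number MODEL_SETVAL and the "echo the value back" behaviour of sys___semctl are assumptions made for the model.

```c
/*
 * Model of the compat semctl shim (added example, not NetBSD code).
 * Kernel code must never write to a user address with a plain bcopy;
 * here the distinction is enforced by making user addresses offsets into
 * user_mem that only copyin()/copyout() know how to dereference.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USER_SIZE    4096
#define MODEL_SETVAL 16          /* hypothetical command number for this model */

typedef uintptr_t uaddr_t;       /* a user address: an offset into user_mem */

union semun { int val; void *buf; unsigned short *array; };

static unsigned char user_mem[USER_SIZE];
static uaddr_t user_sp = USER_SIZE;   /* simulated user stack top; grows downward */

/* Kernel <- user copy with range check, as the real copyin() would fault-check. */
static int copyin(uaddr_t uaddr, void *kaddr, size_t len) {
    if (uaddr > USER_SIZE || len > USER_SIZE - uaddr) return EFAULT;
    memcpy(kaddr, user_mem + uaddr, len);
    return 0;
}

/* User <- kernel copy with the same range check. */
static int copyout(const void *kaddr, uaddr_t uaddr, size_t len) {
    if (uaddr > USER_SIZE || len > USER_SIZE - uaddr) return EFAULT;
    memcpy(user_mem + uaddr, kaddr, len);
    return 0;
}

/* Reserve len bytes (16-byte aligned) on the user stack and return the address. */
static uaddr_t stackgap_alloc(size_t len) {
    len = (len + 15) & ~(size_t)15;
    user_sp -= len;
    return user_sp;
}

/* New-style syscall: 'arg' is a user pointer to a union semun, and the
 * first thing it does is copyin the union, before looking at cmd. */
struct sys___semctl_args { int semid; int semnum; int cmd; uaddr_t arg; };

static int sys___semctl(const struct sys___semctl_args *uap, int *retval) {
    union semun arg;
    int error = copyin(uap->arg, &arg, sizeof arg);
    if (error) return error;
    if (uap->cmd == MODEL_SETVAL) { *retval = arg.val; return 0; }  /* model: echo it back */
    return EINVAL;
}

/* Old compat ABI: the union itself arrives by value in a5. */
struct compat_semctl_args { int semid; int semnum; int cmd; union semun a5; };

static int compat_semctl(const struct compat_semctl_args *uap, int *retval) {
    struct sys___semctl_args nap;
    uaddr_t gap = stackgap_alloc(sizeof(union semun));
    /* copyout, not bcopy: 'gap' is a user address, not a kernel one. */
    int error = copyout(&uap->a5, gap, sizeof(union semun));
    if (error) return error;
    nap.semid = uap->semid; nap.semnum = uap->semnum;
    nap.cmd = uap->cmd;     nap.arg = gap;
    return sys___semctl(&nap, retval);
}

/* Run a SETVAL through the shim; returns the value the new syscall saw, or -1. */
static int run_compat_setval(int val) {
    struct compat_semctl_args uap = { 0, 0, MODEL_SETVAL, { .val = val } };
    int rv = -1;
    if (compat_semctl(&uap, &rv) != 0) return -1;
    return rv;
}

/* The mistake Frank objects to: a user pointer with no space reserved behind it.
 * Here that is the untouched stack top, and copyout refuses it with EFAULT. */
static int run_without_alloc(void) {
    union semun a5 = { .val = 7 };
    return copyout(&a5, USER_SIZE, sizeof a5);
}

int main(void) {
    printf("shim result: %d\n", run_compat_setval(42));
    printf("no alloc:    %s\n", run_without_alloc() == EFAULT ? "EFAULT" : "ok");
    return 0;
}
```

In the model the user stack pointer moves down by one aligned slot per call, which is the cost the real stackgap approach pays too; the point of the range-checked copyout is that a compat shim handing the new syscall an address it never reserved fails loudly instead of silently copying into whatever sits there.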