v2.4.10.1 -> v2.4.10.2

  - me/Al Viro: fix bdget() oops with block device modules that don't
  clean up after they exit
  - Alan Cox: continued merging (drivers, license tags)
  - David Miller: sparc update, network fixes
  - Christoph Hellwig: work around broken drivers that add a gendisk more
  than once
  - Jakub Jelinek: handle more ELF loading special cases
  - Trond Myklebust: NFS client and lockd reclaimer cleanups/fixes
  - Greg KH: USB updates
  - Mikael Pettersson: sparate out local APIC / IO-APIC config options

1 files changed, 15 insertions, 2 deletions

diff --git a/ipc/sem.c b/ipc/sem.c
index c9c424dfa965..1c8d9837082f 100644
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -53,6 +53,8 @@
  *
  * SMP-threaded, sysctl's added
  * (c) 1999 Manfred Spraul <manfreds@colorfullife.com>
+ * Enforced range limit on SEM_UNDO
+ * (c) 2001 Red Hat Inc <alan@redhat.com>
  */
 
 #include <linux/config.h>
@@ -256,8 +258,19 @@ static int try_atomic_semop (struct sem_array * sma, struct sembuf * sops,
 		curr->sempid = (curr->sempid << 16) | pid;
 		curr->semval += sem_op;
 		if (sop->sem_flg & SEM_UNDO)
-			un->semadj[sop->sem_num] -= sem_op;
-
+		{
+			int undo = un->semadj[sop->sem_num] - sem_op;
+			/*
+	 		 *	Exceeding the undo range is an error.
+			 */
+			if (undo < (-SEMAEM - 1) || undo > SEMAEM)
+			{
+				/* Don't undo the undo */
+				sop->sem_flg &= ~SEM_UNDO;
+				goto out_of_range;
+			}
+			un->semadj[sop->sem_num] = undo;
+		}
 		if (curr->semval < 0)
 			goto would_block;
 		if (curr->semval > SEMVMX)