Index: sys/kern/sysv_sem.c
===================================================================
--- sys/kern/sysv_sem.c
+++ sys/kern/sysv_sem.c
@@ -198,15 +198,15 @@
  * semaphore info struct
  */
 struct seminfo seminfo = {
-	SEMMNI,	/* # of semaphore identifiers */
-	SEMMNS,	/* # of semaphores in system */
-	SEMMNU,	/* # of undo structures in system */
-	SEMMSL,	/* max # of semaphores per id */
-	SEMOPM,	/* max # of operations per semop call */
-	SEMUME,	/* max # of undo entries per process */
-	SEMUSZ,	/* size in bytes of undo structure */
-	SEMVMX,	/* semaphore maximum value */
-	SEMAEM	/* adjust on exit max value */
+	.semmni = SEMMNI,	/* # of semaphore identifiers */
+	.semmns = SEMMNS,	/* # of semaphores in system */
+	.semmnu = SEMMNU,	/* # of undo structures in system */
+	.semmsl = SEMMSL,	/* max # of semaphores per id */
+	.semopm = SEMOPM,	/* max # of operations per semop call */
+	.semume = SEMUME,	/* max # of undo entries per process */
+	.semusz = SEMUSZ,	/* size in bytes of undo structure */
+	.semvmx = SEMVMX,	/* semaphore maximum value */
+	.semaem = SEMAEM,	/* adjust on exit max value */
 };
 
 SYSCTL_INT(_kern_ipc, OID_AUTO, semmni, CTLFLAG_RDTUN, &seminfo.semmni, 0,
@@ -558,8 +558,14 @@
 	int i;
 
 	KASSERT(semidx >= 0 && semidx < seminfo.semmni,
-		("semidx out of bounds"));
+	    ("semidx out of bounds"));
+	mtx_assert(&sem_mtx, MA_OWNED);
 	semakptr = &sema[semidx];
+	KASSERT(semakptr->u.__sem_base - sem + semakptr->u.sem_nsems <= semtot,
+	    ("sem_remove: sema %d corrupted sem pointer %p %p %d %d",
+	    semidx, semakptr->u.__sem_base, sem, semakptr->u.sem_nsems,
+	    semtot));
+
 	semakptr->u.sem_perm.cuid = cred ? cred->cr_uid : 0;
 	semakptr->u.sem_perm.uid = cred ? cred->cr_uid : 0;
 	semakptr->u.sem_perm.mode = 0;
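Review bot: The new KASSERT after `semakptr = &sema[semidx];` bounds only the upper end of the removed range: a `__sem_base` that points below `sem` yields a negative difference that still satisfies `<= semtot`, so that form of corruption passes the check. Adding the lower bound makes the assertion cover both sides, `KASSERT(semakptr->u.__sem_base >= sem && semakptr->u.__sem_base - sem + semakptr->u.sem_nsems <= semtot,` with the message unchanged. Because KASSERT compiles out without INVARIANTS, the compaction loop later in this function still trusts these fields in production kernels; a comment above the assertion stating that it is a debug-only consistency check would make that explicit. The enclosing function begins before this hunk.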
@@ -578,8 +584,9 @@
 		    sema[i].u.__sem_base > semakptr->u.__sem_base)
 			mtx_lock_flags(&sema_mtx[i], LOP_DUPOK);
 	}
-	for (i = semakptr->u.__sem_base - sem; i < semtot; i++)
-		sem[i] = sem[i + semakptr->u.sem_nsems];
+	for (i = semakptr->u.__sem_base - sem + semakptr->u.sem_nsems;
+	    i < semtot; i++)
+		sem[i - semakptr->u.sem_nsems] = sem[i];
 	for (i = 0; i < seminfo.semmni; i++) {
 		if ((sema[i].u.sem_perm.mode & SEM_ALLOC) &&
 		    sema[i].u.__sem_base > semakptr->u.__sem_base) {
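Review bot: The rewritten loop spells out `semakptr->u.sem_nsems` three times and `semakptr->u.__sem_base - sem` in the initializer, which hides that this is a plain leftward shift of the entries above the removed set. Two locals read more directly: `const int nsems = semakptr->u.sem_nsems;` and `const int first = semakptr->u.__sem_base - sem;`, then `for (i = first + nsems; i < semtot; i++) sem[i - nsems] = sem[i];`. The forward iteration order is what keeps the overlapping copy correct, since every destination index is below the index being read; a one-line comment saying so would spare the next reader the derivation. The function continues past the end of the hunk, so any adjustment of `semtot` after the shift is not visible here.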