1 files changed, 12 insertions, 7 deletions
diff --git a/ipc/shm.c b/ipc/shm.c
index 3e123987f054..a493639550d9 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -882,27 +882,31 @@ static int shmctl_nolock(struct ipc_namespace *ns, int shmid,
                struct shmid64_ds tbuf;
                int result;
+                rcu_read_lock();
                if (cmd == SHM_STAT) {
-                        shp = shm_lock(ns, shmid);
+                        shp = shm_obtain_object(ns, shmid);
                        if (IS_ERR(shp)) {
                                err = PTR_ERR(shp);
-                                goto out;
+                                goto out_unlock;
                        }
                        result = shp->shm_perm.id;
                } else {
-                        shp = shm_lock_check(ns, shmid);
+                        shp = shm_obtain_object_check(ns, shmid);
                        if (IS_ERR(shp)) {
                                err = PTR_ERR(shp);
-                                goto out;
+                                goto out_unlock;
                        }
                        result = 0;
                }
                err = -EACCES;
                if (ipcperms(ns, &shp->shm_perm, S_IRUGO))
                        goto out_unlock;
                err = security_shm_shmctl(shp, cmd);
                if (err)
                        goto out_unlock;
                memset(&tbuf, 0, sizeof(tbuf));
                kernel_to_ipc64_perm(&shp->shm_perm, &tbuf.shm_perm);
                tbuf.shm_segsz  = shp->shm_segsz;
@@ -912,8 +916,9 @@ static int shmctl_nolock(struct ipc_namespace *ns, int shmid,
                tbuf.shm_cpid   = shp->shm_cprid;
                tbuf.shm_lpid   = shp->shm_lprid;
                tbuf.shm_nattch = shp->shm_nattch;
-                shm_unlock(shp);
+                rcu_read_unlock();
-                if(copy_shmid_to_user (buf, &tbuf, version))
+                if (copy_shmid_to_user(buf, &tbuf, version))
                        err = -EFAULT;
                else
                        err = result;
@@ -924,7 +929,7 @@ static int shmctl_nolock(struct ipc_namespace *ns, int shmid,
        }
 out_unlock:
-        shm_unlock(shp);
+        rcu_read_unlock();
 out:
        return err;
 }

diff --git a/ipc/shm.c b/ipc/shm.c index 3e123987f054..a493639550d9 100644 --- a/ipc/shm.c +++ b/ipc/shm.c
@@ -882,27 +882,31 @@ static int shmctl_nolock(struct ipc_namespace *ns, int shmid,
882	struct shmid64_ds tbuf;	882	struct shmid64_ds tbuf;
883	int result;	883	int result;
884		884
		885	rcu_read_lock();
885	if (cmd == SHM_STAT) {	886	if (cmd == SHM_STAT) {
886	shp = shm_lock(ns, shmid);	887	shp = shm_obtain_object(ns, shmid);
887	if (IS_ERR(shp)) {	888	if (IS_ERR(shp)) {
888	err = PTR_ERR(shp);	889	err = PTR_ERR(shp);
889	goto out;	890	goto out_unlock;
890	}	891	}
891	result = shp->shm_perm.id;	892	result = shp->shm_perm.id;
892	} else {	893	} else {
893	shp = shm_lock_check(ns, shmid);	894	shp = shm_obtain_object_check(ns, shmid);
894	if (IS_ERR(shp)) {	895	if (IS_ERR(shp)) {
895	err = PTR_ERR(shp);	896	err = PTR_ERR(shp);
896	goto out;	897	goto out_unlock;
897	}	898	}
898	result = 0;	899	result = 0;
899	}	900	}
		901
900	err = -EACCES;	902	err = -EACCES;
901	if (ipcperms(ns, &shp->shm_perm, S_IRUGO))	903	if (ipcperms(ns, &shp->shm_perm, S_IRUGO))
902	goto out_unlock;	904	goto out_unlock;
		905
903	err = security_shm_shmctl(shp, cmd);	906	err = security_shm_shmctl(shp, cmd);
904	if (err)	907	if (err)
905	goto out_unlock;	908	goto out_unlock;
		909
906	memset(&tbuf, 0, sizeof(tbuf));	910	memset(&tbuf, 0, sizeof(tbuf));
907	kernel_to_ipc64_perm(&shp->shm_perm, &tbuf.shm_perm);	911	kernel_to_ipc64_perm(&shp->shm_perm, &tbuf.shm_perm);
908	tbuf.shm_segsz = shp->shm_segsz;	912	tbuf.shm_segsz = shp->shm_segsz;
@@ -912,8 +916,9 @@ static int shmctl_nolock(struct ipc_namespace *ns, int shmid,
912	tbuf.shm_cpid = shp->shm_cprid;	916	tbuf.shm_cpid = shp->shm_cprid;
913	tbuf.shm_lpid = shp->shm_lprid;	917	tbuf.shm_lpid = shp->shm_lprid;
914	tbuf.shm_nattch = shp->shm_nattch;	918	tbuf.shm_nattch = shp->shm_nattch;
915	shm_unlock(shp);	919	rcu_read_unlock();
916	if(copy_shmid_to_user (buf, &tbuf, version))	920
		921	if (copy_shmid_to_user(buf, &tbuf, version))
917	err = -EFAULT;	922	err = -EFAULT;
918	else	923	else
919	err = result;	924	err = result;
@@ -924,7 +929,7 @@ static int shmctl_nolock(struct ipc_namespace *ns, int shmid,
924	}	929	}
925		930
926	out_unlock:	931	out_unlock:
927	shm_unlock(shp);	932	rcu_read_unlock();
928	out:	933	out:
929	return err;	934	return err;
930	}	935	}