Task may change IPC namespace by doing setns() but sysvshm objects remain at the origin IPC namespace (=IPC namespace where task was when shmget() was called). Let's skip forced shm destroy in such case because we can't determine IPC namespace by shm only. These problematic sysvshm's will be destroyed on ipc namespace cleanup.
Fixes: ab602f79915 ("shm: make exit_shm work proportional to task activity")
Cc: Andrew Morton akpm@linux-foundation.org
Cc: Milton Miller miltonm@bga.com
Cc: Jack Miller millerjo@us.ibm.com
Cc: Pavel Tikhomirov ptikhomirov@virtuozzo.com
Cc: Alexander Mikhalitsyn alexander@mihalicyn.com
Cc: stable@vger.kernel.org
Signed-off-by: Alexander Mikhalitsyn alexander.mikhalitsyn@virtuozzo.com
---
 ipc/shm.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/ipc/shm.c b/ipc/shm.c index 748933e376ca..70a41171b8bb 100644 --- a/ipc/shm.c +++ b/ipc/shm.c @@ -173,6 +173,14 @@ static inline struct shmid_kernel *shm_obtain_object_check(struct ipc_namespace return container_of(ipcp, struct shmid_kernel, shm_perm); }
+static inline bool is_shm_in_ns(struct ipc_namespace *ns, struct shmid_kernel *shp) +{ + int idx = ipcid_to_idx(shp->shm_perm.id); + struct shmid_kernel *tshp = shm_obtain_object(ns, idx); + + return !IS_ERR(tshp) && tshp == shp; +} + /* * shm_lock_(check_) routines are called in the paths where the rwsem * is not necessarily held. @@ -415,7 +423,7 @@ void exit_shm(struct task_struct *task) list_for_each_entry_safe(shp, n, &task->sysvshm.shm_clist, shm_clist) { shp->shm_creator = NULL;
- if (shm_may_destroy(ns, shp)) { + if (is_shm_in_ns(ns, shp) && shm_may_destroy(ns, shp)) { shm_lock_by_ptr(shp); shm_destroy(ns, shp); }
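Review bot: is_shm_in_ns(), added in the hunk at @@ -173, has no comment stating what the caller must hold while it runs. It reads shp->shm_perm.id and then does a shm_obtain_object() lookup in ns, and the context comment directly below it says the rwsem is not necessarily held on some paths. Please document the locking requirement above the helper. Please also say what guarantees shp is still valid when the helper dereferences it: the commit message states that objects left in the origin namespace are destroyed on that namespace's cleanup, so what keeps an entry on task->sysvshm.shm_clist alive if that cleanup has already happened?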
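Review bot: in the exit_shm() hunk at @@ -415, "shp->shm_creator = NULL;" still runs before the new is_shm_in_ns(ns, shp) test, so an object that turns out to belong to a different IPC namespace is written to even though the destroy is skipped for it. Consider doing the namespace check first, or add a comment explaining why the unconditional write is safe for such objects. A one-line comment at the condition saying that objects from another namespace are deliberately left for namespace cleanup would also help, since that reasoning currently lives only in the commit message.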
linux-stable-mirror@lists.linaro.org