Patchwork [13/56] shm: fix shmctl(SHM_INFO) lockup with !CONFIG_SHMEM

mail settings
Submitter Greg Kroah-Hartman
Date Feb. 11, 2009, 12:24 a.m.
Message ID <>
Download mbox | patch
Permalink /patch/6554/
State New, archived
Headers show


Greg Kroah-Hartman - Feb. 11, 2009, 12:24 a.m.
2.6.27-stable review patch.  If anyone has any objections, please let us know.

From: Tony Battersby <>

commit a68e61e8ff2d46327a37b69056998b47745db6fa upstream.

shm_get_stat() assumes that the inode is a "struct shmem_inode_info",
which is incorrect for !CONFIG_SHMEM (see fs/ramfs/inode.c:
ramfs_get_inode() vs.  mm/shmem.c: shmem_get_inode()).

This bad assumption can cause shmctl(SHM_INFO) to lockup when
shm_get_stat() tries to spin_lock(&info->lock).  Users of !CONFIG_SHMEM
may encounter this lockup simply by invoking the 'ipcs' command.

Reported by Jiri Olsa back in February 2008:

Signed-off-by: Tony Battersby <>
Cc: Jiri Kosina <>
Reported-by: Jiri Olsa <>
Cc: Hugh Dickins <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>

 ipc/shm.c |    4 ++++
 1 file changed, 4 insertions(+)

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at


--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -565,11 +565,15 @@  static void shm_get_stat(struct ipc_name
 			struct hstate *h = hstate_file(shp->shm_file);
 			*rss += pages_per_huge_page(h) * mapping->nrpages;
 		} else {
 			struct shmem_inode_info *info = SHMEM_I(inode);
 			*rss += inode->i_mapping->nrpages;
 			*swp += info->swapped;
+			*rss += inode->i_mapping->nrpages;