[PATCH] ipc: Fix error pointer dereference

Next message: patchwork-bot+netdevbpf: "Re: [PATCH] net: dsa: MxL862xx: don't force-enable MAXLINEAR_GPHY"
Previous message: Richard Fontana: "Re: [PATCH v2] ALSA: usb-audio: Add SPDX id to midi.c"
Next in thread: Liam R. Howlett: "Re: [PATCH] ipc: Fix error pointer dereference"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ethan Tidmore

Date: Tue Feb 17 2026 - 20:17:35 EST

The function shm_lock() can return an error pointer and is not checked
for one. Add check for error pointer.

Detected by Smatch:
ipc/shm.c:1678 do_shmat() error:
'shp' dereferencing possible ERR_PTR()

Fixes: 00c2bf85d8feb ("ipc: get rid of ipc_lock_down()")
Signed-off-by: Ethan Tidmore <ethantidmore06@xxxxxxxxx>
---
ipc/shm.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/ipc/shm.c b/ipc/shm.c
index e8c7d1924c50..d4554f4e7063 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -1675,12 +1675,15 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg,
out_nattch:
down_write(&shm_ids(ns).rwsem);
shp = shm_lock(ns, shmid);
- shp->shm_nattch--;
+ if (!IS_ERR(shp)) {
+ shp->shm_nattch--;
+
+ if (shm_may_destroy(shp))
+ shm_destroy(ns, shp);
+ else
+ shm_unlock(shp);
+ }

- if (shm_may_destroy(shp))
- shm_destroy(ns, shp);
- else
- shm_unlock(shp);
up_write(&shm_ids(ns).rwsem);
return err;

--
2.53.0