From 86ac51157cebaf6b6c704d6c2a2afaea13a58ae2 Mon Sep 17 00:00:00 2001
From: NAKAMURA Gou <go.nakamura.yw@hitachi-solutions.com>
Date: Thu, 10 Mar 2016 20:50:35 +0900
Subject: [PATCH] add error checks to shmctl(SHM_UNLOCK)

---
 kernel/syscall.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/kernel/syscall.c b/kernel/syscall.c
index 552eea99..874df6b7 100644
--- a/kernel/syscall.c
+++ b/kernel/syscall.c
@@ -3965,7 +3965,16 @@ SYSCALL_DECLARE(shmctl)
 			dkprintf("shmctl(%#x,%d,%p): lookup: %d\n", shmid, cmd, buf, error);
 			return error;
 		}
-		if (obj->ds.shm_perm.mode & SHM_LOCKED) {
+		if (!has_cap_ipc_lock(thread)
+				&& (obj->ds.shm_perm.cuid != proc->euid)
+				&& (obj->ds.shm_perm.uid != proc->euid)) {
+			shmobj_list_unlock();
+			dkprintf("shmctl(%#x,%d,%p): perm shm: %d\n", shmid, cmd, buf, error);
+			return -EPERM;
+		}
+		if ((obj->ds.shm_perm.mode & SHM_LOCKED)
+			       && ((obj->pgshift == 0)
+				       || (obj->pgshift == PAGE_SHIFT))) {
 			size = (obj->ds.shm_segsz + PAGE_SIZE - 1) & PAGE_MASK;
 			shmlock_users_lock();
 			user = obj->user;