--- linux-2.6.9-rc2-rpc/ipc/shm.c.orig 2004-09-13 15:59:46.604446096 -0400
+++ linux-2.6.9-rc2-rpc/ipc/shm.c 2004-09-13 16:17:05.606493776 -0400
@@ -86,12 +86,14 @@
 static inline void shm_inc (int id) {
 struct shmid_kernel *shp;
+ down(&shm_ids.sem);
 if(!(shp = shm_lock(id)))
 BUG();
 shp->shm_atim = get_seconds();
 shp->shm_lprid = current->tgid;
 shp->shm_nattch++;
 shm_unlock(shp);
+ up(&shm_ids.sem);
 }
 /* This is called by fork, once for every shm attach. */
@@ -697,18 +699,23 @@
 * We cannot rely on the fs check since SYSV IPC does have an
 * additional creator id...
 */
+ down(&shm_ids.sem);
 shp = shm_lock(shmid);
 if(shp == NULL) {
+ shm_unlock(shp);
+ up(&shm_ids.sem);
 err = -EINVAL;
 goto out;
 }
 err = shm_checkid(shp,shmid);
 if (err) {
 shm_unlock(shp);
+ up(&shm_ids.sem);
 goto out;
 }
 if (ipcperms(&shp->shm_perm, acc_mode)) {
 shm_unlock(shp);
+ up(&shm_ids.sem);
 err = -EACCES;
 goto out;
 }
@@ -716,6 +723,7 @@
 err = security_shm_shmat(shp, shmaddr, shmflg);
 if (err) {
 shm_unlock(shp);
+ up(&shm_ids.sem);
 return err;
 }
@@ -723,6 +731,7 @@
 size = i_size_read(file->f_dentry->d_inode);
 shp->shm_nattch++;
 shm_unlock(shp);
+ up(&shm_ids.sem);
 down_write(¤t->mm->mmap_sem);
 if (addr && !(shmflg & SHM_REMAP)) {
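Review bot: In the first hunk (`shm_inc`), nothing documents why `shm_ids.sem` has to be held around `shm_lock(id)`/`shm_unlock(shp)`, or in which order the two are meant to nest. `down()` can sleep, and `shm_inc` is `static inline` with its callers outside the hunk; the trailing context comment mentions a fork-time path, so it is worth confirming that no caller already holds `shm_ids.sem` or runs in atomic context. I would add a comment above the new call along the lines of `/* take shm_ids.sem before shm_lock(); may sleep; protects shm_nattch against <racing path> */`, with the racing path filled in by the author.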
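Review bot: In the second hunk, the `if(shp == NULL)` branch now calls `shm_unlock(shp)` on the pointer it has just found to be NULL. A NULL return from `shm_lock(shmid)` means there is no segment whose lock could be released, so the added call hands a NULL object to the unlock path on the branch that returns `-EINVAL`, which is the branch reached for an id supplied by the caller. If `shm_unlock` dereferences its argument, as its other uses here suggest, that is a kernel oops on a bad id rather than a clean error return. Only the semaphore needs releasing there: drop the added `shm_unlock(shp);` and keep `up(&shm_ids.sem);` ahead of `err = -EINVAL;`. The enclosing function starts and ends outside the hunk.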
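Review bot: The release pair `shm_unlock(shp); up(&shm_ids.sem);` is now written out by hand on every exit: here before `return err;`, and in three error branches plus the success path in the neighbouring hunks. Any exit added later has to remember both calls in the right order, and a missed `up()` would leave the global semaphore held. A single unlock label ahead of the existing `out:` would keep the pair in one place, with the failing branches only setting `err` and jumping to it. This branch also leaves with `return err;` where the earlier ones use `goto out;`, which could be made consistent at the same time. The function's start and its `out:` label are outside the hunk, so the placement needs checking against the full body.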