--- zzzz-none-000/linux-3.10.107/ipc/shm.c 2017-06-27 09:49:32.000000000 +0000
+++ vr9-7490-729/linux-3.10.107/ipc/shm.c 2021-11-10 11:53:56.000000000 +0000
@@ -190,11 +190,14 @@
 struct shmid_kernel *shp;
 
 shp = shm_lock(sfd->ns, sfd->id);
- BUG_ON(IS_ERR(shp));
- shp->shm_atim = get_seconds();
- shp->shm_lprid = task_tgid_vnr(current);
- shp->shm_nattch++;
- shm_unlock(shp);
+ if (IS_ERR(shp)) {
+ WARN_ON_ONCE(IS_ERR(shp));
+ return;
+ }
+ shp->shm_atim = get_seconds();
+ shp->shm_lprid = task_tgid_vnr(current);
+ shp->shm_nattch++;
+ shm_unlock(shp);
 }
 
 /*
@@ -256,7 +259,13 @@
 down_write(&shm_ids(ns).rwsem);
 /* remove from the list of attaches of the shm segment */
 shp = shm_lock(ns, sfd->id);
- BUG_ON(IS_ERR(shp));
+ /*
+ * We raced in the idr lookup or with shm_destroy().
+ * Either way, the ID is busted.
+ */
+ if (WARN_ON_ONCE(IS_ERR(shp)))
+ goto done; /* no-op */
+
 shp->shm_lprid = task_tgid_vnr(current);
 shp->shm_dtim = get_seconds();
 shp->shm_nattch--;
@@ -264,6 +273,7 @@
 shm_destroy(ns, shp);
 else
 shm_unlock(shp);
+done:
 up_write(&shm_ids(ns).rwsem);
 }
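Review bot: The early return added in the first hunk (the attach path, judging by the shm_atim/shm_nattch++ bookkeeping) evaluates IS_ERR(shp) twice, once in the `if` and again inside WARN_ON_ONCE, while the second hunk already uses the single-evaluation form; `if (WARN_ON_ONCE(IS_ERR(shp))) return;` would make both sites identical, and the attach site deserves the same "We raced in the idr lookup or with shm_destroy()" comment the detach site carries. More importantly, because this function stays `void`, a failed lookup is now swallowed rather than reported: the mmap caller (outside the hunk) cannot tell that the attach was never counted, so a mapping is presumably established with no matching shm_nattch increment — confirm that the caller either cannot reach this state or that succeeding here is acceptable, otherwise propagating an error so the mmap fails is the safer shape. The two bail-outs are also only consistent if a lookup that fails on attach is guaranteed to fail again on the later detach for the same mapping; if the detach lookup could succeed, shm_nattch would be decremented without the corresponding increment. The enclosing function begins before the hunk.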