diff --git a/ipc/shm.c b/ipc/shm.c
index 634b0ba15f4..b4ac3dc95e0 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -965,8 +965,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr)
 		goto out;
 	else if ((addr = (ulong)shmaddr)) {
 		if (addr & (SHMLBA-1)) {
-			if (shmflg & SHM_RND)
-				addr &= ~(SHMLBA-1);	   /* round down */
+			/*
+			 * Round down to the nearest multiple of shmlba.
+			 * For sane do_mmap_pgoff() parameters, avoid
+			 * round downs that trigger nil-page and MAP_FIXED.
+			 */
+			if ((shmflg & SHM_RND) && addr >= SHMLBA)
+				addr &= ~(SHMLBA - 1);
 			else
 #ifndef __ARCH_FORCE_SHMLBA
 				if (addr & ~PAGE_MASK)