[PATCH 5.4 050/147] ipc/util.c: sysvipc_find_ipc() incorrectly updates position index

[Greg Kroah-Hartman]

From: Vasily Averin <v...@virtuozzo.com>

[ Upstream commit 5e698222c70257d13ae0816720dde57c56f81e15 ]

Commit 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase
position index") is causing this bug (seen on 5.6.8):

   # ipcs -q

   ------ Message Queues --------
   key        msqid      owner      perms      used-bytes   messages

   # ipcmk -Q
   Message queue id: 0
   # ipcs -q

   ------ Message Queues --------
   key        msqid      owner      perms      used-bytes   messages
   0x82db8127 0          root       644        0            0

   # ipcmk -Q
   Message queue id: 1
   # ipcs -q

   ------ Message Queues --------
   key        msqid      owner      perms      used-bytes   messages
   0x82db8127 0          root       644        0            0
   0x76d1fb2a 1          root       644        0            0

   # ipcrm -q 0
   # ipcs -q

   ------ Message Queues --------
   key        msqid      owner      perms      used-bytes   messages
   0x76d1fb2a 1          root       644        0            0
   0x76d1fb2a 1          root       644        0            0

   # ipcmk -Q
   Message queue id: 2
   # ipcrm -q 2
   # ipcs -q

   ------ Message Queues --------
   key        msqid      owner      perms      used-bytes   messages
   0x76d1fb2a 1          root       644        0            0
   0x76d1fb2a 1          root       644        0            0

   # ipcmk -Q
   Message queue id: 3
   # ipcrm -q 1
   # ipcs -q

   ------ Message Queues --------
   key        msqid      owner      perms      used-bytes   messages
   0x7c982867 3          root       644        0            0
   0x7c982867 3          root       644        0            0
   0x7c982867 3          root       644        0            0
   0x7c982867 3          root       644        0            0

Whenever an IPC item with a low id is deleted, the items with higher ids
are duplicated, as if filling a hole.

new_pos should jump through hole of unused ids, pos can be updated
inside "for" cycle.

Fixes: 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase position 
index")
Reported-by: Andreas Schwab <sch...@suse.de>
Reported-by: Randy Dunlap <rdun...@infradead.org>
Signed-off-by: Vasily Averin <v...@virtuozzo.com>
Signed-off-by: Andrew Morton <a...@linux-foundation.org>
Acked-by: Waiman Long <long...@redhat.com>
Cc: NeilBrown <ne...@suse.com>
Cc: Steven Rostedt <rost...@goodmis.org>
Cc: Ingo Molnar <mi...@redhat.com>
Cc: Peter Oberparleiter <ober...@linux.ibm.com>
Cc: Davidlohr Bueso <d...@stgolabs.net>
Cc: Manfred Spraul <manf...@colorfullife.com>
Cc: <sta...@vger.kernel.org>
Link: 
http://lkml.kernel.org/r/4921fe9b-9385-a2b4-1dc4-1099be6d2...@virtuozzo.com
Signed-off-by: Linus Torvalds <torva...@linux-foundation.org>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
 ipc/util.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/ipc/util.c b/ipc/util.c
index 594871610d454..1821b6386d3b4 100644
--- a/ipc/util.c
+++ b/ipc/util.c
@@ -764,21 +764,21 @@ static struct kern_ipc_perm *sysvipc_find_ipc(struct 
ipc_ids *ids, loff_t pos,
                        total++;
        }
 
-       *new_pos = pos + 1;
+       ipc = NULL;
        if (total >= ids->in_use)
-               return NULL;
+               goto out;
 
        for (; pos < ipc_mni; pos++) {
                ipc = idr_find(&ids->ipcs_idr, pos);
                if (ipc != NULL) {
                        rcu_read_lock();
                        ipc_lock_object(ipc);
-                       return ipc;
+                       break;
                }
        }
-
-       /* Out of range - return NULL to terminate iteration */
-       return NULL;
+out:
+       *new_pos = pos + 1;
+       return ipc;
 }
 
 static void *sysvipc_proc_next(struct seq_file *s, void *it, loff_t *pos)
-- 
2.20.1